Read the whole event log.
If you were behind Cloudflare and it was proxying sensitive data (the contents of HTTP POSTs, &c), they've potentially been spraying it into caches all across the Internet; it was so bad that Tavis found it by accident just looking through Google search results.
The crazy thing here is that the Project Zero people were joking last night about a disclosure that was going to keep everyone at work late today. And, this morning, Google announced the SHA-1 collision, which everyone (including the insiders who leaked that the SHA-1 collision was coming) thought was the big announcement.
Nope. A SHA-1 collision, it turns out, is the minor security news of the day.
This is approximately as bad as it ever gets. A significant number of companies probably need to compose customer notifications; it's, at this point, very difficult to rule out unauthorized disclosure of anything that traversed Cloudflare.
Step 2) leak cleartext from said MITM'd connections to the entire Internet
I recently noted that in some ways Cloudflare are probably the only entity to have ever managed to cause more damage to popular cryptography since the 2008 Debian OpenSSL bug (thanks to their "flexible" ""SSL"" """feature"""), but now I'm certain of it.
"Trust us" doesn't fly any more, this simply isn't good enough. Sorry, you lost my vote. Not even once
edit: why the revulsion? This bug would have been caught with valgrind, and by the sounds of it, using nothing more complex than feeding their httpd a random sampling of live inputs for an hour or two
Where would you even start to address this? Everything you've been serving is potentially compromised, API keys, sessions, personal information, user passwords, the works.
You've got no idea what has been leaked. Should you reset all your user passwords, cycle all of your keys, notify all your customers that their data may have been stolen?
My second thought after relief was the realization that even as a consumer I'm affected by this: my password manager has > 100 entries; what percentage of them are using CloudFlare? Should I change all my passwords?
What an epic mess. This is the problem with centralization, the system is broken.
> The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
This is huge.
I mean, seriously, this is REALLY HUGE.
1) From the metrics I recalled when I interviewed there, and assuming the given probability is correct, that means a potential of 100k-200k pages with private data leaked every day.
2) What's the probability that a page is served to a cache engine? Not a clue. Let's assume 1/1000.
3) That puts a bound around a hundred leaked pages saved per day into caches.
4) Do the cache only provide the latest version of a page? I think most do but not all. Let's ignore that aspect.
5) What's the probability that a page contains private user information like auth tokens? Maybe 1/10?
6) So, that's 10 pages saved per day into the internet search caches.
7) That's on par with their announcement: "With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains." Well, not that we know for how long this was running.
8) Now, I don't want to downplay the issue, but leaking a dozen tokens per day is not that much of a disaster. Sure it's bad, but it's not remotely close to the leak of the millennium and it's certainly not an internet-scale leak.
9) For the record, CloudFlare serves over one BILLION human beings. Given the tone and the drama I expected way more data from this leak. This is a huge disappointment.
Happy Ending: You were probably not affected.
However, I really want to say I am absolutely impressed with both Project Zero AND Cloudflare on so many fronts, from clarity of communication, to collaboration, and rapid response. So many other organizations would have absolutely tanked when presented with this problem. Huge kudos for CF guys understanding the severity and aligning resources to make the fixes.
In terms of P0 and Tavis though, holy crap. Where the heck would we be without these guys? Truly inspiring !
"@taviso their post-mortem indicates this would've been exploitable only 4 days prior to your initial contact. Is that info invalid?" - https://twitter.com/pmoust/status/834916647873961984
"@pmoust Yes, they worded it confusingly. It was exploitable for months, we have the cached data." - https://twitter.com/taviso/status/834918182640996353
Great, that makes me feel so much better! I'm sorry, don't try to put a cherry on the top when you've just leaked PII and encrypted communications.
Additionally, most vendors in the industry aren't deployed in front of quite as much traffic as CloudFlare is. It's a miracle that ProjectZero managed to find the issue.
Considering the amount and sensitivity of the data they handle, I'm not sure a t-shirt is an appropriate top-tier reward.
Run WHOIS on them, it's almost 100% behind Cloudflare: https://www.google.com/#q=ddos+booter
I would be less concerned about the fact that Cloudflare is spraying private data all over the internet if people weren't being coerced into it by a racket.
We won't have a decentralized web anymore if this keeps going. The entire internet will sit behind a few big CDNs and spray private data through bugs and FISA court wire taps. God help us all if this happens.
The full list is available for download here (23mb) https://github.com/pirate/sites-using-cloudflare/raw/master/...
I will be updating it as I find more domains.
Sorry, I hate to just be a couch commentator. Obviously hindsight is 20/20. Still, I think there's a lesson here.
If you wanted to pay to DDoS a site, search for "booter" and you'll get a list of sites that will take another site off the internet for money with a flood of traffic.
etc. etc. - from the first 30 results I could find 2 booter sites that weren't hosted by Cloudflare.
But hey, pay Cloudflare and your site too can be safe from DDoS attacks...
Not sure what to make of it - the low number of domains affected.
In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.
Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.
There's an argument for changing secrets (user passwords, API keys, etc.) for potentially affected sites, plus of course investigating logs for any anomalous activity. It would be nice if there were a guide for affected users, maybe a supplemental blog post.
(and yet again: thank you Google for Project Zero!)
It's also a bit sad that Tavis has to contact Cloudflare by Twitter. Seriously?
Edit: https://twitter.com/taviso/status/832744397800214528 is the tweet in question
An experienced Ragel programmer would know that when you start setting the EOF pointer you are enabling code paths that never executed before. Like, potentially buggy ones. Eek!
The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything. Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt. Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers.
"We were working to disclose the bug as quickly as possible, but wanted to clean up search engine caches before it became public because we felt we had a duty of care to ensure that this private information was removed from public view. We were comfortable that we had time as Google Project Zero initially gave us a 90 day disclosure window (as can still be seen in their incident tracker), however after a couple of days, they informed us that they felt that 7 days was more appropriate. Google Project Zero ended up disclosing this information after only 6 days."
This is precisely why. The only thing that surprises me about this, is that it was an accidental disclosure rather than a breach. Other than that, this was completely to be expected.
EDIT: Also, this can't be repeated enough: EVERYBODY IS AFFECTED. Change your passwords, everywhere, right now. Don't wait for vendors to notify you.
Anything could have irrevocably leaked, and you have no way of knowing for sure, so assume the worst.
I guess this confirms a few things.
- The complete query strings are logged,
- They don't appear to be too concerned with who accesses the logs internally or have a process that limits the access, and
- They're willing to send those logs out to a random person.
I will refrain from any criticism of Cloudflare and what I think about this because they're going through hell as it is. But everyone else is fair game. The higher a level of service you centralize, the more you stand to lose.
We're definitely doomed to repeat the same mistakes over and over.
https://www.rust-lang.org/en-US/ Self-declared Rust fanboy
/* generated code */ if ( ++p == pe ) goto _test_eof;
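The line above is the Ragel-generated end-of-input test that the Cloudflare postmortem discussion keeps coming back to: it only stops the scanner if `p` lands exactly on `pe`. The C program below is an added illustration written for this page, not Cloudflare's or Ragel's code. It models a scanner whose grammar action advances `p` by an extra byte (a hypothetical "swallow the byte after '='" rule), which lets `p` hop over `pe`; with the equality check the scanner then keeps copying whatever follows the buffer, while the `>=` form stops. The buffer sizes, the '=' placement and the adjacent "SECRET-COOKIE" bytes standing in for other requests' data are all constructed for the demo, and a hard bound on the backing array keeps the over-read defined behaviour so the program can be run safely.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not Cloudflare's or Ragel's code. A scanner detects the end
 * of its input by pointer *equality* (p == pe). An action that advances p by
 * more than one byte can carry p from pe-1 straight to pe+1, after which the
 * equality test never fires and the scanner reads whatever memory follows the
 * buffer (here a constructed "neighbour" region, standing in for other
 * requests' data sharing the same process heap).
 *
 * Hypothetical grammar: copy bytes to `out`; on '=' the action also swallows
 * the following byte ("skip the quote after an attribute name"), so p moves
 * twice in one step.
 */

#define BUF_LEN     16    /* logical size of the request buffer            */
#define NEIGHBOUR   16    /* bytes of "other data" that happen to follow it */

/* Backing storage so the demo can read past `pe` without undefined
 * behaviour: the scanner is never allowed to read outside `region`.        */
struct region {
    unsigned char bytes[BUF_LEN + NEIGHBOUR];
};

/* Returns the number of bytes read from beyond pe (0 is the correct answer).
 * `strict` selects the fixed check (p >= pe) instead of the buggy (p == pe). */
static size_t scan(const struct region *r, unsigned char *out, size_t out_len,
                   int strict)
{
    const unsigned char *p        = r->bytes;
    const unsigned char *pe       = r->bytes + BUF_LEN;          /* end of input */
    const unsigned char *hard_end = r->bytes + sizeof r->bytes;  /* demo guard   */
    size_t n = 0, overread = 0;

    while (n < out_len && p < hard_end) {
        if (p >= pe)
            overread++;            /* this byte is not part of the request */
        out[n++] = *p;

        if (*p == '=') {
            /* Action: consume the next byte as well. This is the step that
             * can move p from pe-1 to pe+1, skipping pe entirely.          */
            p++;
            if (p >= hard_end)
                break;
        }

        /* The generated end-of-input test. */
        if (strict) {
            if (++p >= pe)         /* fixed: catches p on OR past pe         */
                break;
        } else {
            if (++p == pe)         /* buggy: misses p once it has passed pe  */
                break;
        }
    }
    return overread;
}

/* Constructed input: the '=' sits on the last byte of the logical buffer, so
 * the action pushes p past pe. The bytes after pe are the "neighbour" data. */
static void build_region(struct region *r)
{
    memset(r->bytes, 'A', BUF_LEN);
    r->bytes[BUF_LEN - 1] = '=';
    memcpy(r->bytes + BUF_LEN, "SECRET-COOKIE=1;", NEIGHBOUR);
}

size_t overread_buggy(void)
{
    struct region r; unsigned char out[BUF_LEN + NEIGHBOUR];
    build_region(&r);
    return scan(&r, out, sizeof out, 0);   /* reads 14 neighbour bytes */
}

size_t overread_fixed(void)
{
    struct region r; unsigned char out[BUF_LEN + NEIGHBOUR];
    build_region(&r);
    return scan(&r, out, sizeof out, 1);   /* reads 0 neighbour bytes  */
}

int main(void)
{
    printf("bytes read past end of buffer: buggy=%zu fixed=%zu\n",
           overread_buggy(), overread_fixed());
    return 0;
}
```

In a real parser the backing array is the process heap, so the bytes copied into `out` after `pe` are whatever an unrelated request left there, which is what the cached pages in this thread contained. The fix is the one-character change from `==` to `>=`, plus (as L9 suggests) running the scanner under a memory checker with live-shaped input so that the over-read is caught before it reaches production.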
The examples in the report shows Uber, okcupid , etc. It would be good to know the full list, to know what password might have been compromised.
Had this proxy been written in nearly any other language it wouldn't have had this vulnerability, like so many similar vulnerabilities.
Using ML or Rust or Java or whatever doesn't magically make all vulnerabilities disappear but it sure makes those that are intrinsic to C disappear. And that's not just a few.
There is just no excuse.
The modern web requires a paranoid attitude.
Hosters like Hetzner, OVH have for a year now offered DDOS protection (I'm guessing it's heuristic rate limiting, but they won't tell details b/c that would make it trivial to workaround it, so they say). Could someone characterize their offering and tell me if it's any good?
To those spinning a story against C programming here: it is entirely possible (trivial, even) to isolate address spaces between requests, and has been for like 25 years (CGI programming) and more. When you absolutely must use a long running, single-address space service container, OpenBSD's httpd shows how to do it right (goes to great lengths to randomize/re-initialize memory etc.). I agree, though, that using straight C isn't a good choice for the latter.
> could you tell us why a lot of people had to re-authenticate their Google accounts on their devices all of the sudden? It may not have been related, but Google definitely did something that had us all re-authenticate.
I too had to reauthenticate and was very worried because it was first time I had to do this, I thought something bad happened with my account and it was very suspicious.
CloudFlare has multiple SSL configurations:
> Flexible SSL: There is an encrypted connection between your website visitors and Cloudflare, but not from Cloudflare to your server.
> Full SSL: Encrypts the connection between your website visitors and Cloudflare, and from Cloudflare to your server
(I'll add Full SSL mode still involves CloudFlare terminating SSL (decrypting) before re-encrypting to communicate to your server)
If I am running in Full SSL mode, is (or was) my data vulnerable to being leaked?
Unless I'm mistaken, CloudFlare's services necessarily require they act as a MITM. Would it be possible or practical to change the DDoS protection service such that it uses an agent on the customer's end (the CF customer) that relays relevant data to CF, instead of having CF MITM all data?
As it is now, we have:
End user <-> CF MITM to inspect packet data <-> CF Customer site
What if we, instead, had something like:
End user <-> CF TCP proxy <-> CF Customer site
                 ^  |
                 |  v
          CF decision agent <-- CF metadata ingest
The first principle was security: The principle that every syntactically incorrect program should be rejected by the compiler and that every syntactically correct program should give a result or an error message that was predictable and comprehensible in terms of the source language program itself. Thus no core dumps should ever be necessary. It was logically impossible for any source language program to cause the computer to run wild, either at compile time or at run time. A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to - they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980, language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law.
-- Turing Award lecture 1981
When I was evaluating CF for a small personal app, I really thought hard about using a public reverse proxy and decided that it wasn't worth it for the scale I was dealing with. No one can predict these security issues, but I sure am glad I didn't go with them!
Cloudflare is MitM by design. Chrome and others must not tolerate it. This vulnerability is just another reason to do it asap.
Found my bank's site on it. :(
# domains from the password manager, one per line, sorted for comm(1)
lpass ls | egrep -o '[a-z]+\.[a-z]+' | sort > mydomains.sorted
# the Cloudflare domain list must be sorted the same way
sort sorted_unique_cf.txt > cf_really_sorted
# lines present in both files: your accounts on Cloudflare-fronted domains
comm -12 mydomains.sorted cf_really_sorted
1. Recognition on our Hall of Fame.
2. A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.
3. 12 months of CloudFlare's Pro or 1 month of Business service on us.
4. Monetary compensation is not currently offered under this program.
Guessing they're gonna reconsider #4 at this point.
But was the leaked data similarly limited to only the sites with the features enabled? Or could it have come from any request - even an entirely unrelated site?
Some possible queries: "CF-Int-Brand-ID", nginx-cache "Certisign Certificadora Digital",
Once you find one, you can look through the results for unusual strings/headers which you can use to find more results.
Many results have clearly been removed from Google's cache, but.. many also have not.
At least change the cookie name so the token stops working. For example, in ASP.NET - change the "forms-auth" name in the web.config file. etc etc.
In the wider world the word "leak" doesn't mean memory access patterns, it means deliberate sabotage.
The headline in "The Verge" is "Password and dating site messages leaked by internet giant Cloudflare". That's technically correct too, but also gives completely the wrong message.
Simpler, proactive messaging from Cloudfront might have helped here.
What is the optimal solution???
Hopefully people will learn something from today.
> About a year ago we decided that the Ragel-based parser had become too complex to maintain and we started to write a new parser, named cf-html, to replace it. This streaming parser works correctly with HTML5 and is much, much faster and easier to maintain.
I'd assume that at this point, customers would like to have a little more than a vague promise.
Can someone explain in simpler terms what happened here and how it a) affects sites using Cloudflare and b) Users accessing sites with Cloudflare?
And now off to resetting a lot of passwords and checking where OTPs are possible.
I looked on the lastpass blog (s/www/blog/), nothing about this. Is it just too early?
I'm trying to figure out how bad this is; and apart from the exchanges I'm using, which other sensitive sites are concerned.
Will Cloudflare be explicitly notifying customers about whether data from their site could have been leaked by this bug?
So, I clicked on that - and I get a 500 error from NGINX.
My guess is that a lot of services are going to be overwhelmed by the sheer volume of password reset requests, thus preventing users from resetting their passwords.
This is what CloudBleed looks like, in the wild: https://gfycat.com/ElatedJoyousDanishswedishfarmdog
A random HTTP request's data and other data injected into an HTTP response from Cloudflare.
Guessing a lot of credit card details are ripe for picking in the data they leaked.
I'm assuming I need to change my passwords on a significant number of sites. So far none of them have alerted me to a potential breach. Would love to have a head start.
> and even plaintext API requests from a popular password manager that were sent over https (!!).
I'm not lazy, it's just overwhelming trying to figure out what's actually going on with all these comments...
Also, mono-cultures have always been a very bad idea, not just in agriculture.
and some chap did it anyways. yay, i guess.
That's a crapton of keys.
people claiming 1Password, can't find
Montecito Bank and Trust
This will put the final lid on cloudflare anyhow. Sticking with AWS.
Add the following to your hosts file to bypass Cloudflare and access HN directly:
Because you're correct: if CF's info sec team is "very very good at their jobs", how did this incident happen?
Every time I see a dev trying to parse HTML with a custom solution or regex or anything other than a proven OSS library designed to parse HTML I recoil reflexively. Sure, maybe you don't need a parser to see if that strong tag is properly closed but the alternative is ...
This is why I'm skeptical of Uber's promise to investigate these allegations. When I heard that they had retained Eric Holder to investigate, my knee-jerk reaction was petty and cynical: "Great, retain a Chicago politician so you know you'll get the answer you're paying for."
I was a little disappointed in myself at the time, but damn. With this company, I'm starting to think that impression might have been on the money.
What I really want to see is the other 20 men on her team tell their bosses to cut that shit out.
We cannot rely on the abused to stand up for themselves; for every one who does there are thousands who cannot. It is on every one of us to report abhorrent behaviour, even if we think someone else has/will.
Change comes from those in power, from people who could very rationally not care, but who go out of their way to do the right thing. It isn't an economic decision, a business decision, or a political decision. It is a personal decision on the world one wants to live in.
We can do better. We must do better. Enough is enough.
These types of posts are worrying to me. Why could this post not have been crafted by someone at Lyft? Or one of Uber's many other detractors? Given the PR nightmare that Uber is in why not pile on while the public seems primed for that type of information and stretch out the negative news cycle?
Just thought I'd throw out a word of caution: we know literally nothing about the credibility of this person.
I wonder (doubt) if they've ever been abused. It's hard for someone who has been abused to come forward, let alone stand up to an abuser.
Besides, men outnumber women in tech by a very large margin. It's on our shoulders to help women fight back. Strength in numbers is a thing, and having men who speak up on their own, and who support and reinforce women who come forward, can only be a good thing.
I had a person on my team once who I did not hire but who had a reputation for being one of the smartest and most capable engineers. As his new manager, I expected that I'd soon promote him. But then I saw that he treated others on the team very poorly and often said highly inappropriate sexual things.
I talked to the founder and was told that he's really a great guy, etc. As it got worse I mentioned the pattern to HR, and HR was initially concerned, but then after HR met with the founder it was as if I was imagining the problem.
I tell this story simply to point out that the same culture that tolerates bullies and harassment can happen even when there is a female founder.
I know it's a cliche that bullies are always deeply insecure. I think that is the case for workplace bullies too. The brash, over-confident, aggressive act that these people put on works to help them find out who they can victimize.
Others who interact less closely often perceive people (particularly engineers) who have a brash, confident attitude as being smart and capable. Just because someone quickly points the finger and shoots down other peoples' ideas doesn't mean his/her ideas are smart :)
I don't think bullies can thrive in a healthy workplace culture. There should not be any question that certain behavior is inappropriate and is grounds for a stern warning (or worse). But once this doesn't happen, a sort of law of the jungle emerges and bullies and exploiters can take over.
The more information that comes out about Uber's culture, I think Travis probably needs to go.
On the off-chance Amy or Susan is reading this, thanks for sharing your stories.
Having spent years working at multiple SV tech companies, where even the slightest tinge of a racist or sexist affront would land you in an office in front of HR and a company lawyer, I find this account to be very difficult to believe. Slanty eye joe? Please.
We don't know if this is a (poorly written) attempt to sink Uber (which I don't happen to care for) by someone with a short position and an evening to spare, or if it has been penned by an employee with a grudge.
Please have some credulity before parading your #deleteuber hashtags and morally superior posturing so the world can marvel at how virtuous you are. There has never been a more evil force in the world than an outraged, self-righteous mob inflamed by twisted anecdotes.
And yes, I've resorted to creating a throwaway account, fully expecting the flagging and down-voting groupthink brigade to be in force. If there's a shameful story here, it's more likely this disturbing human phenomenon, not an anonymous blog post, the veracity of which we know nothing about.
Sexual harassment cases inevitably end in one of two people leaving, and bullying an employee out is cheaper than firing an executive. In corporate hierarchies, managers are valued about half an order of magnitude higher than their employees. And unfortunately it's entirely possible to be both ruthlessly effective and a complete pig. Yet this is bad for Uber in the long term. Fewer women will work there. Fewer quiet, thoughtful people will work there. #DeleteUber sufficiently hurt Uber that they're willing to humiliate themselves by pleading with users at the delete screen. The public strategy should be to get this penalty to backpropagate faster.
On that note, some thoughts:
* The internet was supposed to democratize this stuff. We have people like Balaji Srinivasan saying the FDA should be replaced with Yelp for drugs. Why isn't Glassdoor more effective? Why wasn't Uber's toxic work culture public knowledge, gorgeously pinned to the top of Google's search results, long before Susan or Amy started interviewing?
* When people like Mike interrupt meetings to tell his subordinates not to be a "whiny little bitch," presumably it makes all the quiet, thoughtful people in the room teem with unease. Ideally every instance of this would add a quantum of incentive for them to stand up and leave the company. How can that be encouraged? Is there a good, easy website a la VotePlz that tells employees precisely what their rights and options are? Can we end the stereotype that leaving your job signals weakness? Susan joined Stripe a week after resigning from Uber; can switching jobs become less painless?
* I don't know anything about this, but weren't unions supposed to be designed for this kind of thing? What protections would unions offer to a group of valiant Uber engineers who today decided to walk out in a group?
1) A woman in her late 20s
2) Who used to work at Uber in Engineering working on database and networking scalability
3) Went to a top private college
4) Has a Masters in Information Systems
5) Previous to Uber worked as a Data Analyst in a tech company in the Midwest and left when it was acquired by a Chinese firm
6) Is 5 foot 7, Caucasian, with dark hair
Is there any way you can verify the authenticity of your story without losing your anonymity to the public? For example, would Susan be able to verify you as an ex-employee?
I don't know if this is real or not, but given how Uber acts publicly about everything else (breaking the laws until governments are forced to amend the laws for Uber), I'm not surprised at all if this really is the overall attitude that they have for everything.
What the fuck? I'd walk and never entertain an offer from a company that spent the interview insulting and provoking me. Who would be stoked to get an offer after an experience like that, much less accept it??
I'm glad the author is sharing her story.
> Therefore, it hurts me to say that despite my grit, I was not prepared to deal with the abuse and dehumanizing treatment I received from my supervisors and colleagues at Uber.
Nobody should expect to be so prepared. Nobody volunteers to become the equivalent of a prisoner of war.
Say it over and over, say it loud, and say it to every single person entering the US workforce from day one:
H/R ACTS AND WILL ALWAYS ACT IN THE COMPANY'S BEST INTERESTS. NOT YOURS.
Amy's situation was grave, and kudos to her for getting out. But everyone should read these stories and burn this line into their heads permanently.
This feels so unreal, just incredible! Amy Anon, time to sue Uber and get yourself a piece of the Uber VC. What kind of cretins work at Uber?
From an article I wrote a couple years ago:
"My two cents for the conversation is pretty simple: there are only two different kinds of humans in the world: Those who actively exploit women, and those who actively speak out against the exploitation of women. Keeping your mouth shut for fear of rocking the boat -- this is a form of apathy all its own." http://ink.hackeress.com/2015/01/why-im-boat-rocker.html
p.s. I've had one opportunity in the past that I declined due to lower pay package. Current one seems good, but I'm not going forward.
I know I'm a horrible person to say this, but if I were an Uber competitor, these posts would be part of my marketing arsenal. If unaccountable journalism produces results, it's going to be used. If it isn't already, it will. There's too much money and not enough risk in it.
And the only way to fight against this is to not let yourself be part of outrage culture. We have evidence-based courts for dealing with these things.
Obviously that's anecdata (although it has the benefit of me knowing that it's true, as opposed to Amy's story), but I think people are jumping to conclusions here.
It seems that there is some kind of problem at Uber. The scope and size of it remains to be seen.
Kudos to the tech community, the majority of whom, don't accept this type of reprehensible behavior.
I know this is not the main point to take home from this situation, and I also know I'll be attacked for making it, but I felt it was important nonetheless.
It seems like a lot of people are about to leave Uber and that's a business opportunity!
Here's a list of Uber employees that can be recruited away with little to moderate effort: https://www.linkedin.com/search/results/people/?facetCurrent...
I'm a man, and reading this plus Susan's story shared recently makes my stomach turn. It truly is sickening. I deleted Uber off my phone, I refuse to support a company that runs like a gentlemens club operating in 1955.
The sad thing about all of this is, when women report this kind of behaviour they get told to "report it", but it seems in the case of Uber (and who knows where else) these claims come with a huge cloud of being fired hanging over your head or they're just ignored.
I think Uber needs to be investigated by an impartial third-party and to be honest, the only way this will happen is if the investors step in and do something about it.
There are so many more men in tech than women that they really do need us to be part of the fight against this shit. It is crazy to me that this kind of behavior really exists.
Edit: Triggered Uber employee just sent his downvote. Pretty affirming. Good job, Uber :):P
I am 12 years away from the valley, but was at half a dozen startups in 20 years prior and I can't remember ever being on a team that would have put up with a manager saying something like that to a coworker.
I'm aware of multiple issues at Google and issues at Docker (although not the full details of that one). HR being useless and protecting company and senior management is common although they may be less blatant about it than Uber. Google is obviously huge so many areas may be OK.
Those are just issues I'm aware of following a few women on Twitter; they are the tip of the iceberg. Some issues never come out at all, others are privately shared between women and others that might be vulnerable (I'm not in that loop).
Speaking unsarcastically, the women who are starting to come out and reveal this are very brave.
Wouldn't it be better if the HR of your company could be managed by some third party with 100% transparency?
I told them "shut the fuck up. You debase yourself by saying shit like that." Look them in the eye, say it with the confidence of the truth you know it is. If HR wants to debate me on cursing my co-workers, I'd be happy to oblige. What are they going to say? Don't tell your coworkers it's wrong to demean women?
It is never in their interest to say "You're right, let's go get that guy!" They are institutionally there to deflect and play things down and prevent law suits.
If you are abused, harassed, or mistreated, see a lawyer, not your company's HR team, who are only going to be advising their own lawyers later.
"Visibly angry, Mike#2 covered the microphone of the conference phone, he reached over to hold my hand tightly and told me to stop being a whiny little bitch."
I can't imagine that because someone performs well at their jobs they'd be entitled to treat another person in such a demeaning manner.
Sometimes you don't have the opportunity to pull your phone and open a recording app. It needs to be like siri and friends where once it recognizes a voice it starts recording.
- would i stand up to a pig in the room
- would i stand up to a pig in the room that is way up the ladder
Our media is super powerful, and I love getting more of this out. 1984 can't happen with a free press.
I stopped reading here.
The United States voters just decided similar behavior is not disqualifying for the office of President. So how can we possibly convince other men this kind of behavior is not conducive to attaining the money, power, and influence they may desire?
Yep, sounds like a bad place to work.
Just a reminder that you can change jobs after 6 months in the valley, there is really no need to put up with that or wait for evil managers to make the place hell.
This type of thing should ruin the guy's career.
Fair or not I'm just going to assume Travis and anyone working for him is just like this disgusting mike#2 fellow.
It looks like the HR department at Uber exists purely to manage employee pay and nothing else. They are severely defanged and pander to star hires. At this point they could maybe replace them all with some API and be done with it.
Is the author's credibility hurt significantly by choosing to use a pseudonym, or is the power of the message not greatly impinged?
I have a huge amount of respect for anybody that has the courage to write about these kinds of experiences, regardless of whether a pseudonym is used or not.
Oh right, we can't because Republicans. They weren't allowed to reach quorum under Obama and now they're fucked under Trump. This is the reality of the war on regulation.
You can't make this up.
"Oh, we are doing pet names for our coworkers now? From now on I will refer to you as 'dickhead'".
Future Amys should always be prepared to start recording at a moment's notice. Think Roger Ailes.
If you ignore a verbal wrong said to someone else and you don't say something, then it is like you said it yourself.
Time for this Travis dude to resign, right?
The pointless hyperbole makes it easy for those who would want so (subconsciously or not) to discard the real story here, of the toxic company culture.
Man, I really wish the internet hadn't decided that "trigger" means to anger or upset someone instead of the original meaning: provoke an anxiety or panic attack, like lighting firecrackers around war veterans.
Not that what Uber is doing here to "Amy" isn't despicable. I'm just a little bothered by this relatively frivolous usage of the word "trigger" compared to the original purpose for using it: to highlight the experiences of those suffering from PTSD. PTSD can come in many forms, not just from wartime trauma. That's what "triggering" someone was about.
> It was normal for guys to refer to other guys as fags when they didn't participate in private parties where sex and drugs were involved. It was normal for guys to openly refer to attractive female colleagues as sluts when they refused to go out with them.
For those young enough to be thinking about approaching HR for issues as nefarious as this, well, now you know.
Full of dramatic cliches and irrelevant details. (New Balance really?)
WARNING: this comment is not a safe place and contains my opinions.
Victim praising will do nothing to change Uber's behavior. Expecting Uber to change anything as the result of your words is a fool's errand. The more likely outcome is Uber will only harden its shell. Do you expect one of the most highly praised startups of the last decade to suddenly find religion and say, "oh we were wrong, you are all right? (and actually mean it)"?
People vote with their feet (Milton Friedman). Talk is cheap (Fat Tony). If you want to start a revolution, don't try to change others, change yourself (Jordan Peterson).
Uber is suffering for its transgressions in the form of talent loss. Susan Fowler indicated the number of female engineers at Uber significantly reduced during her time there. The nice thing about employment at will is that it works both ways. It's scary to leave a high-profile high-status job and go into the unknown; it's also a very powerful action.
Not okay. Fire him.
2. Sexist behavior
Not okay. Warn and then fire him.
3. Working people hard
That's okay. I was made to work hard. Long days no breaks hard deadlines. That's the world we live in.
4. How this affected her
I'm sorry she went through this and it's not okay. How she chooses to feel and deal with this are under her control. She shouldn't have perpetuated her pain by staying in the situation.
My default is "show me the evidence", but I believe Susan Fowler's account because she put her reputation on the line and I was willing to trust that she left, opposed to got fired, due to non-performance reasons based on being able to somewhat approximate/confirm her technical abilities.
This submission is just anonymous accusations. Absurd, unrealistic-sounding accusations. If the culture at Uber was as rampantly ridiculous as described in this blogpost, men and women would be falling over themselves to tell their stories.
> My paycheck is 18% less than my less qualified male colleagues.
If this was true, and the anonymous writer, who claims to be a skilled data analyst, was able to make a case that this was due to gender and not ability, she should be telling this story to a lawyer, not a blog site.
Some things to consider: China has been working up to getting a space capability to send people to the Moon, with the full backing of government funding, by 2035. They started in 2003. SpaceX was founded in 2002 and they are saying they will fly someone around the moon next year? Dragon has the deltaV to land on the moon (not sure if it has enough to get off again though) and SpaceX certainly has the expertise in building spacecraft that land.
The next person to take a picture of the Earth from moon may not be on a government funded mission. That one really blows my mind. For so long it was only countries that could do something like that, now it is nearly within reach of individuals.
The UN has treaties about claiming (or not) the moon by a nation state, but there isn't anything about a privately funded and established outpost that wants to declare independence. All this time I imagined that some country would establish a base there, and grudgingly offer up some space for non-state use, and now there is this possibility of a private facility that states have to ask permission to visit? That is priceless.
1. In a comment about the announcement alluded to it as a "recurring dream"
2. 5 years ago, described a moon orbit as "when I plan to fly in space. I have two specific missions in mind"
3. SpaceX Board Member and investor
4. Has the money
5. Knows Elon: "Mr Musk declined to reveal their identities, only saying that they knew each other"
6. Is "nobody from Hollywood"
7. Liked this comment on his FB wall "Can I tag along?!? Ahhhhh!!!"
Can't wait to hear who booked this trip! Definitely one of the coolest ways to spend a lot of superfluous money :)
I like how they have avoided committing to the much harder "landing on the Moon and then return" scenario.
However, it is worth noting that there hasn't been a single crewed Dragon flight yet. There are demonstrator flights scheduled for this year though, with the first NASA crewed mission slated for May 2018. That's an incredibly aggressive timeline, but if anyone can achieve it, SpaceX can.
The long duration flight beyond the moon will be a fantastic proving ground, however.
Last month I was again at the KSC and LCC as a tourist, and the energy was just a minute fraction of what I'd seen 20 years before. We need this kind of vision [from SpaceX and others, e.g., like this other NASA-based article today with the young engineer comments, who did the hydroponics in microgravity at https://news.ycombinator.com/item?id=13743196 ] to push science and technology beyond the video game and entertainment markets. Congratulations to SpaceX, the microgravity hydroponics engineer, and the others with vision who are once-again elevating the bright eyes of brilliant youth, scientists and engineers.
Is Musk still maintaining a relationship with Trump? When Uber founder Travis Kalanick left Trump's business council, Musk was still on it AFAIK. I wonder if Musk is doing this or announcing it for related reasons. Certainly Trump has a history, even in his short tenure, of pressuring businesses into announcements that suit his agenda. And the announcement seems to fit Trump's pattern: Impossible, brazen bravado. (Musk gives the impossible some credibility, but that's what is meant by lending someone your credibility.)
It's speculative, but it's also sad and a bad sign when we must look for government interference in the free market at this level, to provide propaganda for the President.
Does anyone have a rough estimate how much a manned mission to the ISS currently costs?
I'm cheering for SpaceX for doing more towards spacefaring, but I'm very skeptical and think this will, at least, end up being negative PR to them, and, at worst, a lot more.
Shocking that it's been this long. There is an entire generation that hasn't seen man make it into deep space.
Also, if this succeeds, what happens to Google's moonshot projects? Is rebranding in the works?
Seems to me like the cost of taking in another person will be negligible in comparison to the funding they could contribute. This is literally a once-in-a-lifetime experience.
SpaceX at its usual :) . By which criteria is Energiya a less powerful vehicle to reach orbit than Falcon Heavy?
Except that these two private citizens are presumably absurdly wealthy. Whereas the nationalized space program which brought forth the Apollo mission gave all private citizens, as well as schoolchildren for generations, hope and aspirational outlooks.
Whereas the current national situation in the US, with respect to primary-school education and government-supported science is quite dire. So things are not at all hopeful right now, and many of us suffer nightmares of violence and deportation.
So, there's that.
A massive crowd will be assembled to attempt a Guinness book of world records, to moon the stars with bare asses all in unison in a soccer stadium just as they blast off into space, yelling out like the Romans did at the coliseum: "We salute you those who are about to DIE !" then post it on YouTube !
It's amazing that private companies are now doing things that were previously only done by governments and nations.
I don't know how this will work out but congratulations to Musk, Spacex and NASA.
I imagine that would be a pretty easy record to break, if you're doing a translunar flight anyway then getting a bit higher doesn't take much more energy (source: played a lot of Kerbal).
On the other hand the passengers might prefer a close-up view of the Moon to a record.
Sergey Brin and Larry Page
Two of his friends, rich enough, geeky enough, to go first.
> As you may be aware, Cloudflare incurred a security breach where user data from 3,400 websites was leaked and cached by search engines as a result of a bug. Sites affected included major ones like Uber, Fitbit, and OKCupid.
> Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident
> This incident sheds light and underlines the vulnerability of Cloudflare's network. Right now you could be at continued risk for security and network problems. Here at Dyn, we would like to extend a helpful hand in the event that your network infrastructure has been impacted by today's security breach or if the latest news has you rethinking your relationship with Cloudflare.
> Let me know if you would be interested in having a conversation about Dyn's DNS & Internet performance solutions.
> I look forward to hearing back from you.
"I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about."
Original post: https://news.ycombinator.com/item?id=13720199
For example, https://coinbase.com is on that list! If they haven't immediately invalidated every single HTTP session after hearing this news this is going to be bad. Ditto for forcing password resets.
A hijacked account that can irrevocably send digital currency to an anonymous bad guy's account would be target number one for using data like this.
And the disclaimer right at the top:
This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised.
At least change the cookie name so the token stops working. For example, in ASP.NET - change the "forms-auth" name in the web.config file
> In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.
Does this jibe at all with the Google or Cloudflare disclosures? They are claiming that across all caches they only found and wiped data from ~150 domains; can that be true?
There probably aren't many but with something this serious it could be important. I'm not sure how one would go about finding the sites that use the CNAME option. If it helps, they use a pattern like:
www.example.com --> www.example.com.cdn.cloudflare.net
Were the 2 things running in the same process? If they were not, there's no way that the buffer overrun could read another process's memory, right? It would have failed with a segfault type of error.
If so, shouldn't Cloudflare consider running the sensitive stuff in a different process, so that no matter how buggy their caching engine is, it would never inadvertently read sensitive information?
I question Pirate's (https://github.com/pirate) motives for even doing this. Karma? Reputation?
/* generated code */ if ( ++p == pe ) goto _test_eof;
"The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer. This is known as a buffer overrun. Had the check been done using >= instead of == jumping over the buffer end would have been caught."
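An added example (not from the Cloudflare post or from any commenter): a toy scanner in the shape of the generated line quoted above, run once with the `==` end-of-buffer test that let the pointer escape and once with the `>=` test the explanation recommends. The 4-byte tag token is an assumed stand-in for whatever multi-byte token the real parser consumed, and indices replace the p/pe pointers so the demo itself never forms an out-of-range pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which end-of-buffer test the scanner uses: the "== pe" that let Cloudflare's
 * parser step past the end, or the ">= pe" that the quoted explanation recommends. */
typedef enum { CHECK_EQ, CHECK_GE } eof_check_t;

/* Toy scanner in the shape of "if ( ++p == pe ) goto _test_eof;".  It walks the
 * input one byte at a time, except that a '<' starts a fixed 4-byte "tag" token
 * (an assumed stand-in for whatever multi-byte token the real parser consumed),
 * and runs the end-of-buffer test after every advance.  Indices play the role of
 * the p/pe pointers so this demo never forms an out-of-range pointer.
 *
 * Returns 0 when the scanner stopped at the end of the buffer, otherwise the
 * number of bytes past the end it would have gone on to read (the overrun). */
size_t scan(const char *buf, size_t len, eof_check_t check)
{
    size_t p = 0;          /* current position */
    const size_t pe = len; /* one past the last byte */

    while (p < pe) {
        /* buf[p] is in range here, so the token length is derived safely */
        size_t step = (buf[p] == '<') ? 4 : 1;
        p += step;

        if (check == CHECK_EQ) {
            if (p == pe) return 0; /* fires only when we land exactly on pe */
        } else {
            if (p >= pe) return 0; /* fires when we land on or past pe */
        }
        /* The == variant reaches this point with p > pe when the last token was
         * truncated: the next iteration would read buf[p], beyond the buffer. */
        if (p > pe) return p - pe;
    }
    return 0;
}

int main(void)
{
    /* constructed inputs: a complete input and one ending in a truncated tag */
    const char *complete = "<b>hi";
    const char *truncated = "hi<b";
    printf("complete,  == check: overrun %zu\n", scan(complete, strlen(complete), CHECK_EQ));
    printf("truncated, == check: overrun %zu\n", scan(truncated, strlen(truncated), CHECK_EQ));
    printf("truncated, >= check: overrun %zu\n", scan(truncated, strlen(truncated), CHECK_GE));
    return 0;
}
```

The `>=` test costs nothing extra and turns the overrun into a clean stop; a fuzzer feeding truncated tags at buffer boundaries, or a run under a bounds checker, flags the `==` variant on the first such input.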
"2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information
2017-02-18 0032 Cloudflare receives details of bug from Google
2017-02-18 0040 Cross functional team assembles in San Francisco
2017-02-18 0119 Email Obfuscation disabled worldwide
2017-02-18 0122 London team joins
2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide
2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide
2017-02-20 2159 SAFE_CHAR fix deployed globally
2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide"
Seems like a pretty good response by cloudflare to me.
One interesting thing: the raw dump that's linked from the list's README doesn't seem to include a couple of notable domains from the README itself, like news.ycombinator.com or reddit.com. I may be mangling the dump or incorrectly downloading it in some way.
EDIT: disclaimer, be responsible, audit how the dump is generated, etc etc etc
Sorry for the index.html, trying to figure out how to get index file to work on cloudfront.
You can also run the python script on the website anonymously on your computer to dig sites out of your email, which is a good indicator that you have an account with them.
Anyway, I'm OK with them being on this list, as I believe understanding the scope of the problem is important to figuring out how we prevent these kinds of problems in the future. (For example, answering this question requires understanding who uses CloudFlare: Why are so many sites concentrated on a single infrastructure?)
Welp, time to change all my passwords.
> When the parser was used in combination with three Cloudflare features (e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites) it caused Cloudflare edge servers to leak pseudo random memory contents into certain HTTP responses.
https://arstechnica.com/security/2017/02/serious-cloudflare-...
> Hi [Username],
> A bug was recently discovered with Cloudflare, which Glidera and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your Glidera security credentials:
> Change your password
> Change your two-factor authentication
> You should similarly change your security credentials for other websites that use Cloudflare (see the link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.
> The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it's important that you take appropriate precautions to protect yourself.
> The actual leaks are thought to have only started about 6 months ago, so two-factor authentication generated before that time are probably safe, but we recommend changing them anyway because the vulnerability potentially existed for years.
> Please note that this bug does NOT mean that Glidera itself has been hacked or breached, but since individual security credentials may have been leaked some individual accounts could be vulnerable and everyone should change their credentials as a safeguard.
> Here are some links for further reading on the Cloudflare bug:
> TechCrunch article: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leake...
> List of sites possibly affected by the bug: https://github.com/pirate/sites-using-cloudflare/blob/master...
> If you have any questions or concerns in response to this email, please contact support at: firstname.lastname@example.org
this is despite (or maybe because) of my best efforts to secure systems as a major part of my job.
Sites using Cloudflare, really. However, Cloudflare say that only sites using three page rules were affected: email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites.
Is this over-estimating the impact, perhaps?
> According to a lawsuit filed today in federal court in California, Waymo accuses Anthony Levandowski, an engineer who left Google to found Otto and now serves as a top ranking Uber executive, stole 14,000 highly confidential documents from Google before departing to start his own company. Among the documents were schematics of a circuit board and details about radar and LIDAR technology, Waymo says
> The lawsuit claims that a team of ex-Google engineers used critical technology, including the Lidar laser sensors, in the autonomous trucking startup they founded, and which Uber later acquired
I was confused as to what stealing a patent actually meant:)
Waymo has also posted this....
From this post...
> Recently, we received an unexpected email. One of our suppliers specializing in LiDAR components sent us an attachment (apparently inadvertently) of machine drawings of what was purported to be Uber's LiDAR circuit board, except its design bore a striking resemblance to Waymo's unique LiDAR design.
> We found that six weeks before his resignation this former employee, Anthony Levandowski, downloaded over 14,000 highly confidential and proprietary design files for Waymo's various hardware systems, including designs of Waymo's LiDAR and circuit board. To gain access to Waymo's design server, Mr. Levandowski searched for and installed specialized software onto his company-issued laptop. Once inside, he downloaded 9.7 GB of Waymo's highly confidential files and trade secrets, including blueprints, design files and testing documentation. Then he connected an external drive to the laptop. Mr. Levandowski then wiped and reformatted the laptop in an attempt to erase forensic fingerprints.
Ooops, that does sound bad after a first read.
The implication in the filing is that Uber planned this with Levandowski, and he only created Otto as a plausible corporate vehicle for developing the LiDAR technology before Uber acquired them. Given what we know about Uber and the assertions in the complaint, this sounds entirely plausible, maybe even likely.
That could mean he downloaded an SFTP client like Cyberduck. He could have searched the internet for a client and then installed it. It doesn't say he did not have auth.
Imagine a Google security engineer being deposed for this lawsuit.
Lawyer: "Show me on the MacBook how he downloaded the files"
Engineer: "Well, he used Cyberduck"
Lawyer: "Is that part of the Mac?"
Engineer: "No, he'd have to download it separately"
Lawyer: "So, he searched for and installed specialized software onto his company-issued laptop?"
Engineer: "Um, sure"
Lawyer: "Thank you, that's all the questions I had"
I think you can follow the money trail here and find some answers for sure. Now if Uber/Otto has a clause that prohibits employees from bringing in confidential data from previous companies, how can they be held liable? Does Google have to prove that those stolen documents were actually used in Uber designs?
>Waymo was recently and apparently inadvertently copied on an email from one of its LiDAR component vendors.
Is this going to be a legal test of that annoying lawyer email footer language?
>This message contains information from xxxxxx that may be confidential and privileged. If you are not an intended recipient, please refrain from any disclosure, copying, distribution, or use of this information and note that such actions are prohibited. If you have received this information in error, please notify the sender immediately by telephone or by replying to this transmission.
Ha! More legalese BS that never holds up.
> Otto launched publicly in May 2016, and was quickly acquired by Uber in August 2016 for $680 million.
The fact pattern here is going to be absolutely brutal for Uber. A non-technical judge is going to see the allegation: ex-google employee downloads technical documents in December 2015, launches a company 5 months later in May 2016, and is bought for $680M (later speculated to be $1B+) for all its technical accomplishments. How much fundamental research did they do in the 3 months between May-16 and August-16?!?!? Or was it just to buy the stolen IP that google had developed over 7 years?!? Brutal for Uber!
A public company recently settled a similar lawsuit (competitor hires exec, exec is proven to have downloaded documents) for $130M on much smaller numbers. And the defendant was run through the legal wringer first.
Expect Uber spankage, bigly.
> shortly after Mr. Levandowski received his final multi-million dollar payment from Google
Funny because of all the recent press that Google paid autonomous driving talent too much that they left!
>Infringement of Patent No. 9,368,936 (Against All Defendants)
Real nasty. If a trade secrets lawsuit is an arrow, throwing in a patent infringement claim too, is poison tipped and barbed!
This is some good "old skool Google" where they used to show broad competence across many domains; in this case legal.
We'll take a moment to remember the salad days, when you were just a crazy college kid who showed up at the Darpa Grand Challenge with a self driving motorcycle:
- went nuclear on Uber/Otto
- revealed what they track internally to all their employees
Edit: A guy downloads 9.7GB of other people's work, walks off with it, and sells it. Flushing years of work from hundreds of engineers down the toilet. You downvoters really support that? Amazing.
Anyway, several companies are developing automotive LIDAR units which are better than Google's rotating things. Quantergy and Velodyne claim to be close to low-cost solid state LIDARs, and ASC has good ones now at a high price point. (An ASC unit just docked the Dragon spacecraft with the ISS.) By the time this gets to court, Google's secret technology will be obsolete.
The question is whether Uber will defend Levandowski or leave him to twist slowly, slowly in the wind and go to jail.
Are there any lawyers here who could make an educated guess how they could?
Doesn't sound plausible. At a minimum, this would have to be the "dumbed down" version of how they uncovered this.
The first thing that caught my attention after reading the whole lawsuit! https://drive.google.com/file/d/0B7dzPLynxaXuQjY3dkllZ2ZKb0k... [Item 42- 49] itself is some of the timings regarding Otto's inception and Uber's acquisition.
* Levandowski first registered the domain for his then (now Otto) company in Nov '15
* The suit says on 3rd of Dec '15 he searched for the LIDAR docs and on 11th of Dec '15, he downloaded 14,000 docs from Google's servers.
* Google alleges that in Jan '16, Levandowski told his colleagues that he plans to replicate the Waymo tech at one of Waymo's competitors.
* One of the damning allegations from Waymo is that he met with top execs at Uber at their HQ in SF on Jan 14th 2016.
* Just a day later on the 15th he officially formed one of his companies (280 Systems, now part of Otto); later, on Feb 1st, he also registered his other company (Otto Trucking).
* Strangely, after working at Google for about 7 years, he quit Google without notice (from the suit) on Jan 27th.
This is from the interview Bloomberg did after Uber acquired Otto: 'Kalanick began courting Levandowski this spring, broaching the possibility of an acquisition during a series of 10-mile night walks from the Soma neighborhood where Uber is also headquartered to the Golden Gate Bridge. The two men would leave their offices separately to avoid being seen by employees, the press, or competitors. They'd grab takeout food, then rendezvous near the city's Ferry Building. Levandowski says he saw a union as a way to bring the company's trucks to market faster.'
From the above details, any of these three things might have happened:
* Scenario 1: He or Uber didn't do anything different from the official story so far.
* Scenario 2: Levandowski went to Uber saying he has custom LIDAR tech but ended up starting his own company the next day, and 8 months later Uber just bought them for $680M for the team and the tech he allegedly stole from Waymo.
* Scenario 3: Levandowski went to Uber in Jan '16 and said he has the tech for custom LIDAR. Uber wants it, but there is no non-suspicious way of taking the tech directly to Uber, since Levandowski alone can't build it. Instead Uber suggests he spin off his own company, hire a team (mostly from Waymo), and put together a demo in the Nevada desert. This brings in all the press and validity that Otto has the self-driving tech and team. So at this point Otto and Levandowski are a self-driving tech startup, not a LIDAR startup. Now Uber can come in and acquire this hot startup and team, in a market that's worth trillions. Now Uber is suddenly in the trucking business and gets a huge PR and valuation bump. In this process they also get the LIDAR tech that's built in just 9 months.
What it means is that if the 3rd theory is true, Uber was always buying the LIDAR tech from Levandowski, even before he left Waymo. Otto and the other components are just a proxy so that it gives them a great story without any suspicions.
To put things into perspective, a single Velodyne HDL-64E LIDAR that almost all self-driving companies use costs around $75,000. Waymo says their equivalent custom alternative costs less than 10% (<$7000). This is a huge cost saving for a tech that is going to go in 100,000+ cars Uber hopes to have in the market in the future. So yea, this can be a bullshit Lawsuit (based on the evidence, less likely) or a well executed corporate espionage!
edit: 0:48 in the video
Wish I were kidding.
If there's anyway to short Uber or any of the other unicorns kept afloat by low interest venture capital, please let me know.
Does Google force you to use specific version of OS?
Do they have pre-installed software?
Is it not-okay to format and install any OS you want?
I work in startups; they provide only laptops and don't care about OS or software. There is no mandatory software requirement from the company side.
For how long did Google know Levandowski had swiped its secrets?
This is how PR war is waged.
Correct me if I am wrong, but does that mean Alphabet is suing itself since Alphabet owns both Google Venture, Waymo and has an investment in Uber...?
Correction. So he's not really a junior engineer. But how can he not think that everything he accesses on Google's network is monitored?
Infringing on patents?
The caches other than Google were quick to clear and we've not been able to find active data on them any longer. ... I agree it's troubling that Google is taking so long.
The leaked information is hard to pinpoint in general, let alone amongst indexes containing billions of pages.
I can understand the frustration - this is a major issue for Cloudflare and it's in everyone's best interests for the cached data to disappear - but it's not easy, and they shouldn't say as such (or incorrectly claim that "The leaked memory has been purged with the help of the search engines" on their blog post).
This is a burden that Cloudflare has placed on the internet community. Each of those indexes (Google, Microsoft Bing, Yahoo, DDG, Baidu, Yandex, ...) has to fix a complicated problem not of their creation. They don't really have a choice either, given that the leak contains personally identifiable information. It really is a special sort of hell they've unleashed.
Having previously been part of Common Crawl and knowing many people at Internet Archive, I'm personally slighted. I'm sure it's hellish for the commercial indexes above to properly handle this let alone for non-profits with limited resources.
Flushing everything from a domain isn't a solution - that'd mean deleting history. For Common Crawl or Internet Archive, that's directly against their fundamental purpose.
But their response here is embarrassingly bad. They're blaming Google? And totally downplaying the issue. I really didn't expect this from them. Zero self-awareness, or they believe they can just pretend it's not real and it'll go away.
I kind of understand what CF is doing here: they've screwed up, there's no way for them to clean it up, so all they can do now is deflect attention from the magnitude of their screw up by blaming others for not working fast enough in the hope that their fake paper multibillion dollar valuation doesn't take too big a hit.
Still a dick move though. Maybe next time don't use a language without memory safety to parse untrusted input.
At this point if you don't consider all data that was sent or received by CloudFlare during the "weaponized" window compromised, you're lying to yourself.
There is a bit of tension between cloudflare and taviso over the timing of notification, but that is vanishingly insignificant overall.
If they can't tell, someone may now be sitting on a lot of very juicy data, far beyond what may be left in these caches.
One causes swapping. The other causes a month of extra work.
If you find some samples with domain names / unique identifiers of domains (e.g. X-Uber-...) you are welcome to contribute to the list: https://github.com/Dorian/doma/blob/master/_data/cloudbleed....
- there is a smaller number of sites that used some of the special features of Cloudflare that allowed leakage for some months, according to what Cloudflare said.
- it seems the number of the sites was much bigger for some days, according to what Cloudflare said.
- the data leaked are the data passed through the Cloudflare TLS man-in-the-middle servers -- specifically not only the data from the companies, but the data from the users, and not only the data related to the sites through which the leak happened, but also other sites that just happened to pass through these servers. Again, also the visitor's data, both directions are leaked. From the visitors, their location data, their login data etc. As an example: if you imagine the bank which used Cloudflare TLS, in the caches could be both the reports of the money in the accounts (sent from the bank to the customers) and the login data of the customers (sent by the customers to the bank), even if the bank site hasn't had the "special features" turned on. That's what I was able to see myself in the caches (not for any bank, at least, but the equivalent traffic).
Either we can search for obvious strings like X-Uber-* and try to scrub them one by one, or we can just nuke the caches for all the domains that turned on the problematic features (Scrape Shield, etc.) anytime between last September and last weekend. Cloudflare should supply the full list to all the known search engines including the Internet Archive. Anything less than that is gross negligence.
If Cloudflare doesn't want to (or cannot) supply the full list of affected domains, an alternative would be to nuke the caches for all the domains that resolved to a Cloudflare IP anytime between last September and last weekend. I'm pretty sure that Google and Bing can compile this information from their records. They might also be able to tell, even without Cloudflare's cooperation, which of those websites used the problematic features.
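A scanner of the kind the two comments above are proposing, added here as an example (it is not the linked gist's code, nor anything Cloudflare or a search engine ships): it reads a cached page body, flags lines that look like raw HTTP headers whose names suggest credentials or an origin, and collects the Host values so the affected domains can be listed. X-Uber-* is the only prefix the thread names; the rest of the watchlist, the `redact` helper and the sample page body are constructed for illustration.

```python
from __future__ import annotations

import re

# "Name: value" at the start of a line.  Real HTML bodies essentially never
# contain raw request/response header lines, so in a cached page they are a
# strong signal that proxy memory was spliced into the response.
HEADER_RE = re.compile(r"(?m)^([A-Za-z][A-Za-z0-9-]{1,40}):[ \t]*(\S.*)$")

# Header names worth flagging.  X-Uber- is the prefix named in the thread;
# the others are standard credential- or identity-bearing headers, chosen
# here as an assumption about what a search should prioritise.
SENSITIVE_PREFIXES = (
    "x-uber-",
    "cookie",
    "set-cookie",
    "authorization",
    "x-forwarded-for",
    "x-real-ip",
)


def find_leaked_headers(body: str) -> list[tuple[str, str]]:
    """Return (name, value) for every sensitive-looking header line in body."""
    hits = []
    for m in HEADER_RE.finditer(body):
        name, value = m.group(1), m.group(2).rstrip("\r")
        if name.lower().startswith(SENSITIVE_PREFIXES):
            hits.append((name, value))
    return hits


def affected_hosts(body: str) -> set[str]:
    """Host: values found in body; each is a domain whose traffic leaked."""
    return {
        m.group(2).rstrip("\r").lower()
        for m in HEADER_RE.finditer(body)
        if m.group(1).lower() == "host"
    }


def redact(value: str, keep: int = 6) -> str:
    """Keep only a short prefix so a report of the find does not re-leak it."""
    return value if len(value) <= keep else value[:keep] + "[redacted]"


# Constructed sample: an ordinary cached page with a fragment of someone
# else's request spliced into the middle, the way the leak manifested.
SAMPLE_CACHED_PAGE = (
    "<html><body><p>Tide tables for Monday</p>\n"
    "GET /v1/trips HTTP/1.1\r\n"
    "Host: api.rideshare.example\r\n"
    "X-Uber-Device-Id: 4f1c2e9a-constructed-sample\r\n"
    "Authorization: Bearer eyJhbGciOi-constructed-sample\r\n"
    "Cookie: session=deadbeefcafe; lang=en\r\n"
    "Content-Type: application/json\r\n"
    "<p>High tide 04:12</p></body></html>\n"
)

if __name__ == "__main__":
    for name, value in find_leaked_headers(SAMPLE_CACHED_PAGE):
        print(f"{name}: {redact(value)}")
    print("origins:", sorted(affected_hosts(SAMPLE_CACHED_PAGE)))
```

Run it over a directory of saved cache copies and you get, per page, the header names that leaked and the origins they belong to, which is the list the comment above wants handed to the search engines. Keep the redaction: a report that quotes the cookie verbatim just moves the leak somewhere else.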
If this is how 2017 is pacing, we've got a long year ahead. This is an insanely interesting time to be alive, let alone at the forefront of the INTERNET.
Fellow Hackers, I wish you all the best 2017 possible.
>Google, Microsoft Bing, Yahoo, DDG, Baidu, Yandex, and more. The caches other than Google were quick to clear and we've not been able to find active data on them any longer. We have a team that is continuing to search these and other potential caches online and our support team has been briefed to forward any reports immediately to this team.
>I agree it's troubling that Google is taking so long. We were working with them to coordinate disclosure after their caches were cleared. While I am thankful to the Project Zero team for their informing us of the issue quickly, I'm troubled that they went ahead with disclosure before Google crawl team could complete the refresh of their own cache. We have continued to escalate this within Google to get the crawl team to prioritize the clearing of their caches as that is the highest priority remaining remediation step.
taviso (Tavis Ormandy):
>Matthew, with all due respect, you don't know what you're talking about.
>[Bunch of Bing Links]
>Not as simple as you thought?
My personal favorites are:
What happens for sites using Full SSL (a certificate between cloudflare and the user and a certificate between cloudflare and the server), could any information from ssl pages have been leaked?
Is there some sort of information extraction feature service or something they offer? I don't get it.
If I were google I would hit back hard. They prob won't just stop, but I would not bother trying to even clean up the data unless under legal pressure. It out there, it's too late.
From their blog: https://blog.cloudflare.com/incident-report-on-memory-leak-c...
Is it possible to find if anything leaked from my site behind Cloudflare is in the caches?
It lets you run domains quickly without downloading and grepping.
Not exactly breaking news. At some point, maybe people will realise that CF is actively making internet worse and less secure, and that it should be treated as nothing more than a wart to be removed.
Mozilla doesn't have the resources to continue with Thunderbird.
I am increasingly baffled by their decisions and how they relate to the strategic plans they've been producing for a while. Despite the worthy words in their plan they seem to have no sense of direction. That saddens me.
That said I'm happier having Pocket as an open source part of Mozilla/Firefox than a surprise integration of a commercial app.
In a story that began two years ago with Pocket's integration by Mozilla in Firefox, large segments of the userbase spoke out with scathing criticism.
This, at first blush, appears unrelated: Mozilla previously announced its Context Graph initiative, which was a bold undertaking to be built partially upon a new and emerging set of W3C standards to take back some of the control over linkage, metadata, and the consumption and annotation of web content from big incumbent providers who run content portals, content silos, or content aggregators (largely the usual suspects, including Google, Facebook, Apple, Microsoft, and Yahoo).
To understand this play, temporarily forget about Mozilla the Foundation, and think about Mozilla as a strategic competitor to the above. In the case of Pocket, a hard-to-deny side effect is that Pocket's presence in Firefox, despite the exact nature of the integration, is likely here to stay. While this is bound to frustrate many, Mozilla's competitors routinely ship software or entire platforms with tight captive integrations, against which competition has proven difficult to mount solely on the merits of values and philosophical purity.
https://hn.algolia.com/?query=firefox%20pocket
https://hn.algolia.com/?query=mozilla%20pocket
https://news.ycombinator.com/item?id=13729525#13740110
https://news.ycombinator.com/item?id=13375451#13375917
https://news.ycombinator.com/item?id=12863565#12867493
Now that Mozilla is promising to open-source this, I eagerly await adding this feature to my own fork :)
I consider this a great move for a better bookmarking experience in Firefox as well as a better pocket service.
Allegedly, you can read things offline, but that feature never works for me. It seems the feature for offline reading doesn't exist at all in Firefox (which I'd assumed was the point of its integration, but my assumption was wrong), and I've tried the Chrome desktop app and the Android mobile app..nothing I save to pocket is ever readable without a data connection. It must work for some content for some people because I see people talking about it like it does. But, without that feature I see literally no utility in Pocket...it's just a clunky bolted-on bookmark manager, and so I end up going back to bookmarks with tags. I use Sync and I have Firefox on all of my devices. So, my bookmarks go with me.
So, I guess it's good that it's going open source. I wasn't comfortable with the way integration was presented back when they added it...it wasn't at all apparent, to me, that Pocket was a third party for-profit entity when the "setup your pocket" process launched in Firefox, since I'd never heard of it before that. But, it still seems like a solution looking for a problem. I'll give it another look. Maybe I was just unlucky with my choices of what to save...but it seems like if offline reading is not going to work on a page (for whatever reason) it should warn you. It'd suck to get on a train/plane or get lost in the woods, with plans to catch up on some reading, only to find there's nothing there.
But, maybe that's not even the primary purpose of Pocket? I dunno, it's still pretty fuzzy to me wtf it's for, if not that.
Very early app, features are rolling out daily. My end goal is to build a recommendation engine out of user data, while keeping things anonymous.
Although social bookmarking has been done plenty times before, I think execution has been sub-par in previous solutions. My aim is to make things streamlined and fast for the user to go from 'what was that link?' to 'there it is' (sidenote: check out slushi.es opensearch, and how it behaves when there's one result (only works for signed-in users)).
A complaint I hear often from Pocket users (and other save-for-later users alike) is that they will save 100s of links without ever going back to reading them. I, too, shared the same sentiment until one day I experienced a 'what was that link again?' moment. It was rare and fleeting at the time, but since using slushi.es more and more, those moments have appeared with increasing frequency.
I believe the best save-for-later app will transform the regular web browsing individual's habits of reading an article and forgetting about it, to reading an article and remembering it later; either a day later, a month later, or perhaps years. The thing is remembering. I think a good save-for-later app works as a memory reinforcer; something that augments your ability to build and recall knowledge.
Pocket used to have a feature aimed at surfacing high-quality content from the collection of things a user had already pocketed. They removed that feature. I was paying for their premium service before that change. After they removed it, I stopped the premium subscription because I wasn't sure what pocket's value to me was anymore.
Now they have a recommender that recommends things you haven't pocketed yet. But that just encourages the user to accumulate an ever larger collection of pocketed things, not surface the best things in that collection.
Ever since, I've reflexively kept saving things to pocket, hoping they would bring that feature back. But the only practical thing I have done with it is pull up something I just saved recently, because it will be near the top of the list.
Pocket's CEO also writes, In fact, we have a few major updates up our sleeves that we are really excited to get into your hands in the coming months. I hope they will bring that feature, or something with a similar aim, back.
As a concerned user, I even wrote this a few months ago http://constantbetasoftware.com/2016/09/02/pocket.html
How can I apply?
I'm excited though, since the reason I hadn't used Pocket in the past was because I didn't want to be part of yet another walled garden (YAWG?).
A quick look at Crunchbase shows that they'd raised $14.5M from investors. Given Mozilla's ~$300M of annual revenue, I wonder whether this leans towards an acquihire or a technology/product acquisition (definitely not a business acquisition). Difficult for me to assess the significance of 10M users for a company like Mozilla.
I didn't really trust my saved article data to a random startup. Being under Mozilla means now I'll actually use it.
Now that would be a strategic acquisition.
My only complaint is that a large portion of the Recommended content is junk from Business Insider. Hopefully this will wane as Mozilla's priorities are implemented.
A question: what advantages privacy-wise does Firefox have over Safari on iPad and macOS? I frequently delete all cookies on Safari and set strong privacy options. I ask because I have transitioned in the last year or so to working on my iPad and MacBook, largely letting my Linux boxes collect dust. On Linux, using Firefox was an easy decision. On iPad and MacBook, Safari is more convenient.
Otherwise, you have to click on a FB link to get the unmangled URL, thus counting against your number of free views every month.
I wonder if Pocket will be completely free now or if mozilla counts on this to fund more of its efforts. Beyond that. I also wonder if this means a read it later service will finally properly support RSS. Forgive me I don't know the features of pocket but as i understand it is does not correct?
I've been using the built-in Firefox RSS feeder for years. With Pocket integration it'd be a lot more useful.
Hope they build some Context Graph projects into Pocket, as there are some great ideas there.
The possibility of adding them myself without rebuilding the whole app is exciting!
Every time I read about something Mozilla does, I am reminded of this xkcd comic from 2013:
...by buying a crappy, proprietary app?
The actual statements are available here https://www.fcc.gov/document/fcc-addresses-unnecessary-accou...
The sad fact is, this is yet another grim attack on net neutrality by nefarious agents who see the web as something to be dominated and bent to their will exclusively for political and economic gain.
Like it or not, the work we do is going to become highly politicised. Are we ready for this? Do we have the moral fortitude to resist the influence that fuzzy, sloppy, and emotive politics seeks to have on our discussions?
I think back to how we handled the Brendan Eich debacle. I (regretfully) came down on the punitive side of that argument. And I participated in that debate with a level of anger and vitriol that embarrasses me now. But whichever side you took, there's no doubt that for a brief moment we were deeply divided. The Brendan Eich story was a flash in the pan compared to what is about to happen.
Should we engage in political debate, or should we avoid it? Can we buck the trend and participate in political debate in way that doesn't tear us apart, or should we ignore it as it happens around us and impacts upon our lives and work? Or is there a path between the extremes, where we can be neither ignorant to our political leanings nor beholden to them?
I don't dare offer any advice on how we should prepare ourselves for what is about to come, I just hope we can all think about how we hope to respond before it happens.
One thing I will say though, being someone prone to highly emotional reactions in all aspects of my life; developing software in teams has taught me the value of "strong opinions, weakly held".
In the tech community I see people rising up against any kind of movement against net neutrality. And I do not want to see it erode. But I worry that by becoming averse to any reversal, any compromise, the community's stance will eventually be so politicized that it is just another part of the unreasonable and ultra-biased political landscape that grinds progress to a halt.
Isn't more competition among providers what we want? Shouldn't we be doing everything we can even if it's saving 6.8 hours per year in regulatory compliance to help these smaller guys be able to take on these horrible behemoths like AT&T and Comcast?
ERROR: TechCrunch is not part of your Internet Service Basic Web pack. For an extra $29.99 a month you can upgrade to Internet Service Extreme, offering access to over 50 more web sites!
Deregulation of access to consumers will result in cheaper internet and most likely faster internet speeds. However, it will concentrate power to those who already have it. Large ISPs will charge heavy bandwidth companies and only the largest heavy bandwidth companies will be able to afford the fees.
Those heavy bandwidth companies paying the fees will recoup the money through advertising. Remember newspapers and large TV media companies make the majority of their money through advertising. When companies rely on advertising, the users are no longer the customers. They are the product.
Further protecting the companies which rely on advertising will allow those companies to focus less on the customers and more on the advertisers. Companies relying on the allegiance of advertising will naturally shape their political standing to views of the advertisers. Remember also that advertisers are not paying for just eyeballs, but they are all paying for control. If a company starts moving away from their advertisers' political ideology they will lose revenue. Net Neutrality will ultimately give more control to companies that already hold power.
Just my two cents...
I'm left hoping that's close enough to branch out wireless service in short order.
Otherwise, I'm left screwed, between an AT&T that refuses to upgrade its local network (and it's a dense, accessible, suburban neighborhood -- hardly the boonies), and a Comcast that has doubled its rates for basically the same service. Both with caps that will quickly look increasingly ridiculous in the face of the wider world of data transfer.
We'll be back to them insisting on big bucks for asymmetric streaming of big-brand content, with increasing pressure to make that their content (a la data-cap exemptions, etc.)
If provider A starts providing terrible bandwidth, incredibly high prices, and terrible service, it means that that provider X has a lucrative opportunity to provide better bandwidth, better prices, and great service.
I hope these rules aren't used to help entrenched monopolies, but provide a ripe opportunity for the space to innovate.
I hope these rules will be on the wrong side of history, but there is little stopping anyone from using the free market to their advantage.
Mine connects to yours which connects to his which connects to hers. Eventually we'll have formed a network.
1) Git doesn't rely on SHA-1 for security. It relies on HTTPS, and a web of trust.
2) Even if git did rely on SHA-1, there's no imminent threat. What happened today was a SHA-1 collision, not a preimage attack. If a collision costs 2^n, a preimage attack costs 2^(2n).
3) Even if someone managed to pull off a preimage attack, creating a "poisonous" version of one your git repository's objects, they'd still have to convince you pull from their repo. This requires trust.
4) Even if you pulled it in, your git client would simply ignore their "poison" object, because it would say, "oh, no thanks, I already have that object". At worst, the code simply wouldn't work. No harm would be done.
When it comes to git, an attacker's time is better spent creating a secret buffer overflow than wasting millions of dollars on a SHA-1 collision.
> You are _literally_ arguing for the equivalent of "what if a meteorite hit my plane while it was in flight - maybe I should add three inches of high-tension armored steel around the plane, so that my passengers would be protected".
> That's not engineering. That's five-year-olds discussing building their imaginary forts ("I want gun-turrets and a mechanical horse one mile high, and my command center is 5 miles under-ground and totally encased in 5 meters of lead").
> If we want to have any kind of confidence that the hash is really unbreakable, we should make it not just longer than 160 bits, we should make sure that it's two or more hashes, and that they are based on totally different principles.
> And we should all digitally sign every single object too, and we should use 4096-bit PGP keys and unguessable passphrases that are at least 20 words in length. And we should then build a bunker 5 miles underground, encased in lead, so that somebody cannot flip a few bits with a ray-gun, and make us believe that the sha1's match when they don't. Oh, and we need to all wear aluminum propeller beanies to make sure that they don't use that ray-gun to make us do the modification _ourselves_.
> So please stop with the theoretical sha1 attacks. It is simply NOT TRUE that you can generate an object that looks halfway sane and still gets you the sha1 you want. Even the "breakage" doesn't actually do that. And if it ever _does_ become true, it will quite possibly be thanks to some technology that breaks other hashes too.
> I worry about accidental hashes, and in 160bits of good hashing, that just isn't an issue.
Now to be fair, he also keeps repeating that he hasn't seen the attack yet. Which leads me to question why is this post interesting to HN? Is it to show how Linus aimlessly speculates and gets his guesses wrong?
The product was cancelled. I always wondered if the patch would be of any use to anyone.
> Do we want to migrate to another hash? Yes.
Wouldn't all that time trying to explain away the SHA-1 issues be better spent on developing a safe transition plan? Work on this could have started long ago, and if it had started, going from SHA-256 to SHA-512 to SHA-3 to ... would be a no-brainer by now.
In the simplest case, ensure that all newly created git repositories work with SHA-256 by default (or SHA-512, or whatever), and switch back to SHA-1 for old repositories.
In the more advanced case, provide the possibility for existing repositories to have multiple hash values (SHA-1, SHA-256) for every blob/commit, then phasing out client support for old hashes as time goes on. When some SHA-1 collision happens, those who use newer git versions would notice and keep having a consistent repository.
If all those different browsers and web servers were able to coordinate a SSL/TLS hash transition SHA-1 to SHA-256, then a protocol like git with roughly 2 widespread implementations should be able to do that, too.
Git sees them as different despite them having the same hash. You can test with:
mkdir shattered && cd shattered
git init
wget https://shattered.it/static/shattered-1.pdf
git add shattered-1.pdf
git commit -am "First shattered pdf"
git status
wget https://shattered.it/static/shattered-2.pdf
sha1sum *
md5sum *
mv shattered-2.pdf shattered-1.pdf
git status
Apologies for those on mobile (please fix this HN!): the commands are:mkdir shattered && cd shattered && git init && wget https://shattered.it/static/shattered-1.pdf && git add shattered-1.pdf && git commit -am "First shattered pdf" && git status && wget https://shattered.it/static/shattered-2.pdf && sha1sum * && md5sum * && mv shattered-2.pdf shattered-1.pdf && git status
EDIT: Ah, of course! git adds a header and takes the sha1sum of the header+content, which breaks the identical SHA1 trick. You can add a footer on and they keep the same SHA1 though. Don't have time to play about with this more just now, but try it with `cat`ing some identical headers and footers onto the pdfs.
EDIT2: Actually, this is discussed more extensively in the other thread which I hadn't read yet. Go there for more details: https://news.ycombinator.com/item?id=13713480
> pdf's don't have that issue, they have a fixed header and you can fairly arbitrarily add silent data to the middle that just doesn't get shown.
This doesn't seem like much of an obstacle, since you can add silent data to all kinds of files, like
- With HTML, JS, etc. you can just add whitespace.
- Some formats like GIF89a have variable-length comments.
- With any media format that uses palettes, you can add extra, unused colors.
- Just about any compression algorithm can be tuned to manipulate the compressed size. E.g. with DEFLATE (which is used by PNG in addition to some archive formats), you can use a suboptimal static coding rather than the correct Huffman tree.
- With most human-readable document formats, you can add zero-width spaces or something similar.
Given a case where someone with permission to push gets compromised and a malicious actor can pull this sha-1 attack off, aren't there bigger problems at hand? The history will be there and detectable or if they're rewriting history, usually that's pretty noticeable too.
I may be totally missing a situation where this could totally screw someone, but it just seems highly unlikely to me that people will get burned by this unless the stars align and they're totally oblivious to their repo history. So I guess I agree with the "the sky isn't falling" assessment.
I don't know much about git internals, so forgive me if that is a bad idea, but what does everyone think about it working like this:
If future versions of git were updated to support multiple hash functions with the 'old legacy default' being sha1. In this mode of operation you could add or remove active hashes through a configuration, so that you could perform any integrity checks using possibly more than one hash at the same time (sha1 and sha256). If the performance gets bad, you could turn off the one that you didn't care about.
This way by the time the same problem rolls around with the next hash function being weakened, someone will probably have already added support for various new hash functions. Once old hash functions become outdated you can just remove them from your config like you would remove insecure hash functions from HTTPS configurations or ssh config files. Also, you could namespace commit hashes with sha1 being the default:
git checkout sha256:7f83b1657ff1fc53b92dc18148a1d...
git checkout sha512:861844d6704e8573fec34d967e20bcfef3...
Enabling/disabling active hash functions would probably be an expensive operation, but you wouldn't be doing it every day so it probably wouldn't be a huge problem.
These claims are wrong as long as it uses SHA-1. Full stop.
It'd be really nice if git had cryptographic integrity. Not just because it'd prevent some attacks on git repos, but because it'd make git essentially a secure append only log. Which would be interesting, as it'd more or less automatically give some kind of software transparency for many projects.
Just some context - git calculates an object's name from its content in the following way. Say we have a blob that represents a file whose content is 'Here be dragons!' followed by a newline (17 bytes); then the object name would be:
printf 'blob 17\0Here be dragons!\n' | openssl sha1 # => a54eff8e0fa05c40cca0ab3851be5aa8058f20ea
To me it feels like this would just be a small hurdle? But I don't really know this stuff that well. Can someone with more knowledge share their thoughts?
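The header-then-hash construction described in the comment above, worked through as an added example (this is not the commenter's code, nor git's): a Python function that computes git object names for any object type, parameterized by hash algorithm so the `sha256:` namespaced refs proposed earlier in the thread can be tried as well. Contrasting `raw_digest` with `git_object_id` shows why the SHAttered PDFs, which collide as bare files, get different names once git's `blob <len>\0` header is prepended: the header changes the state the colliding blocks were computed against. The `parse_ref` syntax and `MultiHashStore` are the thread's proposal and my assumptions about it, not anything git implements.

```python
from __future__ import annotations

import hashlib


def git_object_id(kind: str, data: bytes, algo: str = "sha1") -> str:
    """Object name git assigns to `data` stored as an object of type `kind`.

    Git never hashes the file bytes alone: it hashes the header
    "<kind> <length>\\0" followed by the content.  `algo` is any hashlib
    name; git's SHA-256 object format keeps the same header and swaps the
    digest, so passing "sha256" reproduces that layout.
    """
    if kind not in ("blob", "tree", "commit", "tag"):
        raise ValueError(f"unknown git object type: {kind!r}")
    header = f"{kind} {len(data)}\0".encode("ascii")
    h = hashlib.new(algo)
    h.update(header)
    h.update(data)
    return h.hexdigest()


def raw_digest(data: bytes, algo: str = "sha1") -> str:
    """Digest of the bare bytes, i.e. what `sha1sum file` prints."""
    return hashlib.new(algo, data).hexdigest()


# Digest widths in hex characters, used to validate namespaced refs below.
HEX_LEN = {"sha1": 40, "sha256": 64}


def parse_ref(ref: str) -> tuple[str, str]:
    """Split 'sha256:<hex>' into (algo, hex); a bare 40-hex ref is legacy sha1.

    This ref syntax is the thread's proposal (assumption), not git's.
    """
    algo, sep, hexid = ref.partition(":")
    if not sep:
        algo, hexid = "sha1", ref
    if algo not in HEX_LEN:
        raise ValueError(f"unsupported hash: {algo}")
    if len(hexid) != HEX_LEN[algo] or any(c not in "0123456789abcdef" for c in hexid):
        raise ValueError(f"malformed {algo} object id: {hexid!r}")
    return algo, hexid


class MultiHashStore:
    """Toy object store that names every object under several algorithms.

    Models the proposal above: each object is indexed by all active hashes,
    and a ref may name it under whichever algorithm the client trusts.
    """

    def __init__(self, algos: tuple[str, ...] = ("sha1", "sha256")) -> None:
        self.algos = tuple(algos)
        self.index: dict[str, dict[str, tuple[str, bytes]]] = {a: {} for a in self.algos}

    def add(self, kind: str, data: bytes) -> dict[str, str]:
        names = {a: git_object_id(kind, data, a) for a in self.algos}
        for a, n in names.items():
            self.index[a][n] = (kind, data)
        return names

    def get(self, ref: str) -> tuple[str, bytes]:
        algo, hexid = parse_ref(ref)
        return self.index[algo][hexid]


if __name__ == "__main__":
    content = b"hello\n"
    print("sha1sum      :", raw_digest(content))
    print("git blob id  :", git_object_id("blob", content))
    store = MultiHashStore()
    names = store.add("blob", content)
    for algo, name in names.items():
        print(f"{algo}:{name}")
    print(store.get("sha256:" + names["sha256"]))
```

The two well-known constants you can check against a real repo are the empty blob (`e69de29bb2d1d6434b8b29ae775ad8c2e48c5391`) and the empty tree (`4b825dc642cb6eb9a060e54bf8d69288fbee4904`); `git hash-object` and `git write-tree` on an empty index produce exactly those, and neither equals `sha1sum` of zero bytes.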
I think Linus also argued that SHA-1 is not a security feature for git (https://youtu.be/4XpnKHJAok8?t=57m44s). Has that been changed?
Git can implement checking for easily collided data and warn the user, potentially even look to implement the safer hash countermeasures too. The fact that this isn't a second preimage, or that SHA1 isn't used to auth a repo doesn't really factor in to it.
Another possibility, but this is a hack to keep key length to 40 chars, would be to change key encoding from hex encoding to base64. In 40 chars you could encode 240 bits instead of 160. It is preferable to get rid of the hard coded 40 char limit. It shouldn't be that hard.
> Git has opaque data in some places(we hide things in commit objects intentionally...
Kapor Capital has a strong focus on social impact companies that benefit the disadvantaged.
Travis is a phenomenal salesman and fundraiser. Travis convinced Kapor that, amongst other things, Uber was a platform for democratizing transportation, citing things like racism amongst taxi cabs to spin Uber as social good.
So now you have a company that isn't actually what it pitched itself to be. For many investors, hyper-growth and skyrocketing valuation will wipe out other concerns around culture, impact, etc.
The Kapors are showing (awesomely, in my personal opinion) that they are serious about their social mission. They're doing what they can to influence a portfolio company to live up to their expectations. Travis probably doesn't like that (it sucks to be called out!) but that's why you take investment based on aligned interests and not just awesome salesmanship.
(The sad part is I agree Uber has a problem and needs to change; Susan Fowler's blog post was remarkable.)
We've likely read Susan Fowler's blog post. If true, it's awful behavior on the part of HR and management at Uber, and action should be taken.
But that's the thing: a blog post does not establish truth. We've heard from only one side of the story. No one ever asks about the other side, or about whether we are being misled. We only talk about the bravery of the author and condemn the other side.
I think the saddest part of our collective behavior is how quickly we come with pitchforks to a witch trial. We must remember that justice is not decided on Twitter, or on blogs. Justice is not decided by the voice of the accuser.
Did you see evidence besides Susan Fowler's putting phrases in quotation marks? She mentions screenshots of improper behavior but provides none. What if tomorrow new evidence comes out that this whole thing was exaggerated or flat out wrong. How would it feel, to be so easily manipulated into drawing a conclusion, into retweeting a fiction, into writing an open letter?
In early rounds, founders are looking for investors who will trust management to make decisions in the best interest of the company. EVEN if they don't agree with those decisions, it's expected that they'll be a team player and provide support in whatever way possible.
I'm sure Mitch thinks what he's doing is in the best interest of the company (and it probably is!). But, he surely doesn't have perfect information on what's going on (only management has a full picture).
A lot of people have suggested these problems stem from the culture. Culture of companies and people is similar to the culture of, say, bread. The starter really matters and sets the tone. I'd be interested in hearing from people who have seen a drastic change in culture at a big place or better yet, have been behind that change.
The other idea is it could just be a few rotten apples giving everyone a bad name. I don't know the answer.
The author seems to be claiming that Eric Holder is not suited to run such an investigation. Seems reasonable to me. Uber should find someone else.
My problem with the author is that it's pretty apparent conclusions are being drawn without actual evidence.
Silicon Valley is no different than any other place in the World. Just because people think they are "changing" the world doesn't mean ethics need to be on the line.
Right now, Uber is very clearly following the playbook that historically leads to dead companies.
It needs a truly credible response, not one that happens to use some celebrities they have on hand.
I'm not excusing the behavior, but I think this definitely rubbed off on them. It's an ends justify the means mentality, and it might not have been necessary under a different power structure. I suppose there's a chance that Lyft could have done it right, but who knows how they would have handled the other PR battles. Hopefully a new crop of managers at Uber, eventually dealing with a much more diverse group of drivers, one that includes machines, will be much less chauvinistic.
Looking for any investor with enough integrity and conviction to send a stronger message... I know, dream on, plus who would buy anyone out at this ridiculous level of overvaluation?
If they keep scaring away engineers and getting bad publicity, will be scare away customers too?
Or will the trail of engineers eventually catch up with the quality of the experience?
Uber has started a revolution. I do not require them to survive it.
You are completely right.
The problem of poor, dirty, violent, urban-youth infested communities is not fully solved.
It's a minor thing compared to all that which happened to her and I'm mostly thinking about it in terms of own career strategy.
-- Sure, but Uber is already a mission-driven company whose success is inversely proportional to horrible things like DUI deaths -- statements like these impede their progress
Publicly condemning the internal culture the post depicted would be reasonable, even helpful, but trying to "expose" Uber's leadership for showmanship and posturing ('hiring' Holder who was ostensibly involved long-before the Fowler post) to mitigate the pr fallout is counterproductive. Don't kick your founder when he's down.
Historically, web standards where a committee gets together and decides how a feature is going to look without the buy-in of users or browser vendors have a very poor track record of adoption. The way actually-successful web features get standardized is that users start clamoring for it, which leads someone to build a hacked-up JS implementation of it, which leads to a company founded around that hacked-up JS implementation, which leads to competition, which leads to browser vendors building it into the browser, which leads to an open standard.
Trying to skip steps doesn't seem to work. If you build the feature without users who want it, nobody will use it. If you build the company without the prototype, you won't get a working implementation. If you build it into the browser when there's a dominant monopoly company, people will continue to use the company rather than the browser's version (this is the story of Google vs. IE+Bing & Facebook vs. RSS & semantic web). If you standardize it before it's been adopted by multiple browsers, people will ignore the standard (this is the story of RDF, the semantic web, and countless other W3C features that have fallen into the dustbin of history).
And if any one of those parties are not at the table when the standard is written, they'll ignore the standard anyway.
It was very easy to pass the tests the W3C working group used to verify that they had two working implementations of the data model and protocol. Most of the tests default to passing if the specified tag is not present. Basically, it's not clear whether a serious, real attempt to use this has been made. I'm unconvinced that the specification is robust enough to be useful without ending up with a lot of vendor lock-in.
The toy extension was playing around with using these annotations to alert publishers and potentially other users of typos in their articles and pages. It would be nice to have a side channel to report typos other than just using the comment section or trying to find an email address. Will the "meta web" ever catch on?
I never published it but I still might add a page about my experience on my website. I have posted about the idea there before.
What happens if the content changes? Random example: Someone highlights a picture of salad and notes "my favorite food!" and then the publisher changes the image to show roadkill instead of salad.
Services like hypothes.is can do some filtering automatically, but this is missing the level above that - editorial privileges on comments on your own domain.
You'd think we'd have learned our lesson by now. Free speech, by awful people, is overrated and can result in disasters.
In my opinion this will open up the web immensely and make the web much more democratic; it will be interesting to see how major players react.
* About a year and a half ago, I thought about getting into this field. I built http://lederboard.com as a result - it works pretty well, actually (plenty of bugs behind the curtain) but the idea was to try and open it up as a standard.
* If I do pick lederboard up again, I will likely convert it to use this open standard.
* My goal was always to have the 'features' of lederboard not be in the annotations themselves, but in the moderator controls, the ability to follow sites and specific users, etc., and to basically act like reddit-enhancement-suite for an internet-wide commenting system.
* However, I realized this was a truly tremendous mountain to climb. Like, crazily huge. So I wound up going in a different direction.
In any event, I think that the guys at Genius should take note of this and consider it very seriously. They raised a whole lot of money and, as far as I can tell, this is a direct shot across their bow and it has the backing of W3C, which is huge. I am pretty happy I didn't wind up in the middle of that fight. Though maybe I might get back into it at some point.
In the meantime, I am focusing on easy-to-use encryption: http://gibber.it . I think that is probably a little more important right now. For background, I am a practicing attorney with a pretty substantial practice in software, startups, corporate finance and information law.
then you could annotate legal documents, code, and other high-density texts as well.
I've long felt that existing solutions fall down in a few ways:
1. UX -- this is a HARD UX problem because you are potentially managing a lot of information on screen at once. Anybody staring at a blizzard of comments in Word or Acrobat knows how bad this can get.
2. One-to-one -- Most existing exegesis solutions like genius.com only let you mark off one portion of text for threaded commentary, which is not ideal because complex text like the above example can have multiple patterns working in it at the same time:
http://imgur.com/x6BKKQW (a crude attempt to map assonance and consonance)
Really, what a robust commentary system needs is to map many comments to many units of text, so that the same portion of text can be annotated multiply (as this solution attempts) but also so that the same comment can be used to describe multiple portions of text as well.
3. Relationships between comments -- It's great that this solution gives threaded comments as a first-class feature, but you also want to be able to group comments together in arbitrary ways and be able to show and hide them. In my examples above, there are two systems at work: the ideational similarities between words, and the patterns of assonance / consonance. You could also add additional systems on top of this: glossing what words or phrases mean (and in Shakespeare, these are often multiple), or providing meta-commentary on textual content relative to other content, or even social commentary on the commentaries. You need a way to manage hierarchies or groups of content to do this effectively. No existing solution that I am aware of attempts this.
I literally just hired somebody yesterday to start work on a text editor that attempts to resolve some of this, but it's an exceedingly hard problem to solve with technology.
I have been working with the hypothes.is folks for almost 2 years and have been using hypothes.is for manual tagging and automated annotation so I'm a bit biased. I have seen criticism that the standardization process was premature but given how hard it is to get browser vendors to implement things I think this could make a difference. That said, the way Microsoft did their annotation in Edge was just to take pictures of sites.
Is this really how long it takes to realize something like this? Sort of boggles my mind.
 sample chapter, http://book.realworldhaskell.org/read/programming-with-monad...
P.S. This url - https://hypothes.is/register - accessible from most pages by clicking "sign up" in the top-right corner, presents an error and doesn't redirect anywhere. https://hypothes.is/signup works fine, however.
An easy prediction: with wide usage of this, any page that generates a non-trivial amount of traffic will be in such a state as to make reading the annotations pointless at best.
Currently, negative information (even if true) isn't as easily discoverable. This ties it all to every one of your pages. With, as far as I can tell, no direct control over moderation.
I suspect many website owners are more concerned about legit complaints that aren't easily discovered than they are about spam.
And, once reputation mgmt creeps in, that good (but negative) information will be buried with astroturfed annotations.
However, this thing is just completely illegible without reading glasses and 150% zoom... and it's still uncomfortable even then.
I would be surprised if this company has anyone age 40 or up who actually looks at their own website on a regular basis.
I think that proper installation instructions, perhaps with docker compose, are more important than blog posts about annotation importance.
How much private data about my browser and my host am I leaving when an annotation is created?
Is there a practical way to delete these both from the page and the public record, or would they be stored in perpetuity?
Somebody will post a slanderous comment on a company's website, the company will be very unhappy, and sue the comment provider for blending the comment into the company's website.
Is that free speech? Or is the comment not protected, because it's shown on the company's website, and thus should be under the company's control?
Aside: That interactive SVG slide-show is pretty impressive in itself.
First, the core concept of associative indexing:
Our ineptitude in getting at the record is largely caused by the artificiality of systems of indexing. When data of any sort are placed in storage, they are filed alphabetically or numerically, and information is found (when it is) by tracing it down from subclass to subclass... The human mind does not work that way. It operates by association. With one item in its grasp, it snaps instantly to the next that is suggested by the association of thoughts, in accordance with some intricate web of trails carried by the cells of the brain.
Introducing the memex:
Consider a future device for individual use, which is a sort of mechanized private file and library. It needs a name, and, to coin one at random, "memex" will do. A memex is a device in which an individual stores all his books, records, and communications, and which is mechanized so that it may be consulted with exceeding speed and flexibility. It is an enlarged intimate supplement to his memory.
Associating one item with another is the essence of the memex:
This is the essential feature of the memex. The process of tying two items together is the important thing.
When the user is building a trail, he names it, inserts the name in his code book, and taps it out on his keyboard. Before him are the two items to be joined, projected onto adjacent viewing positions. At the bottom of each there are a number of blank code spaces, and a pointer is set to indicate one of these on each item.
Adding one's own annotations and links, and then sharing them to colleagues, is the vision:
First he runs through an encyclopedia, finds an interesting but sketchy article, leaves it projected. Next, in a history, he finds another pertinent item, and ties the two together. Thus he goes, building a trail of many items. Occasionally he inserts a comment of his own, either linking it into the main trail or joining it by a side trail to a particular item. When it becomes evident that the elastic properties of available materials had a great deal to do with the bow, he branches off on a side trail which takes him through textbooks on elasticity and tables of physical constants. He inserts a page of longhand analysis of his own. Thus he builds a trail of his interest through the maze of materials available to him.
And his trails do not fade. Several years later, his talk with a friend turns to the queer ways in which a people resist innovations, even of vital interest. He has an example, in the fact that the outraged Europeans still failed to adopt the Turkish bow. In fact he has a trail on it. A touch brings up the code book. Tapping a few keys projects the head of the trail. A lever runs through it at will, stopping at interesting items, going off on side excursions. It is an interesting trail, pertinent to the discussion. So he sets a reproducer in action, photographs the whole trail out, and passes it to his friend for insertion in his own memex, there to be linked into the more general trail.
Arguably we still do not have a satisfactory realization of the memex. The Web is not quite it; nor the personal Wiki, nor the personal mind-mapper, though each comes close. Perhaps the web with annotations will realize the dream? Though note that Tim Berners-Lee recognized in 1995 that even with a Memex, we might fail to organize our larger technical and social structures: "We have access to information: but have we been solving problems?"
Adoption is always the question that matters most to the public; arguably TBL's mid-2000s vision for the web as a Giant Global Graph has been neatly cloned and co-opted by Facebook's concrete, incompatible, and inward-flowing Hotel California implementation, but if a new wave of startups and bigcorps can create a rich ecosystem using community-designed standards, the outcome may be different this time. Or maybe not, but I applaud and support them in trying, and I will evangelize the same.
What's different from the mid-2000s, you ask? For one, the ideas behind REST, despite often being imperfectly or incompletely applied, have nonetheless entered community consciousness. Hard-fail-if-invalid attitudes have been replaced by a tolerance for imperfections, both in the community's rejection of XML-derived data formats, and an acceptance of the web's often haphazard, something-is-better-than-nothing nature. APIs implemented using HTTP over the Web are a mainstay instead of experimental integrations, and a new wave of commercial players is eager to exploit whatever competitive advantage against the incumbents.
The big content gardens have all pushed incompatible "protocols" (we call them APIs, but they behave like protocols), which gives them network effects but also locks them (deliberately) out of the open web (i.e. a Facebook comment on a Facebook post that was spawned by sharing a web link is not a comment on the link; it's a comment on that Facebook post). Meanwhile, systems that can build on top of these standards to implement two-way data flow -- both inward and out -- can present richer experiences, while not precluding the usual business models and monetization schemes that are in use today. And even if commercially this all flops, we'll have nice specs and vocabularies to use where metadata is paramount: science, research, government, and the like.
 https://www.w3.org/TR/ldp/ https://www.w3.org/DesignIssues/LinkedData.html http://dig.csail.mit.edu/breadcrumbs/node/215 https://developers.facebook.com/docs/graph-api/overview/ https://news.ycombinator.com/item?id=12893852
See for example: https://www.johndcook.com/blog/2010/01/19/dont-invert-that-m...
I don't think I'll be implementing as many algorithms as you though, I should force myself to work on more projects outside my comfort zone.
Don't get me wrong, having working code to play with is key, but when you don't fully grasp the concepts behind it, an explanation can become so valuable.
That being said, you've included names, so research can be done. Great work and I hope you're enjoying it!
One vital improvement suggestion to make that path attractive would be if the Jupyter notebook format were used. It would be easier to add more documentation and references.
But in any case, thanks for sharing!
idx = np.random.choice(range(n_features), size=self.max_features, replace=False)
this is for people who don't just want to tune parameters but build the whole thing from scratch
I can buy a pie with all the fixin's from a bakery, or I can buy the ingredients myself, and make it to exactly my liking. it may not be a professional.
One comment I have: in kNN, it is best to ensure that the neighbors list occupies O(k) space.
Delivering value trumps painting every day
* The press secretary (or President, or whoever) makes a statement
* He or she chooses a journalist to ask a question
* Journalist asks question
* Press secretary answers question in as much or as little detail as he/she wants
* Press secretary calls another journalist
* This goes on for maybe 20-30 minutes, and it's over.
How does this even help at all? It's not like the press secretary is going to answer a question that he/she doesn't want to answer anyway.
For me, I see these organizations as not treating him poorly, but actually willing to call out things he is not being factual on.
But at the same time, maybe I'm being biased against him.
I want the discourse, but I'm just struggling to understand how the views can be so strongly split from one extreme to the other, and what that means moving forward.
Right now it has 466 points, 229 comments, is 1 hour old, and ranked at #32.
For comparison, https://news.ycombinator.com/item?id=13725093 has 197 points, 39 comments, is 4 hours old, and ranked at #13.
Does anyone know why the ranking algorithm demoted this article and not the other (even though this one is younger and more popular)? I know it applies penalties for certain sites and if an article is deemed "controversial" (more comments than votes), but I don't think either would trigger here.
This is a mostly symbolic gesture (these organizations still have their assigned seats in the room) but is very much against WH press tradition. Coupled with Trump's strong words at the Convention this is a sign for these organizations to tune down their criticism of the President.
Firstly, Trump needs to be understood in context as the outsider who none of the establishment took seriously, who disrespected everyone and touched every third rail of US politics, who railed against a corrupt system and argued to burn it all down. And 46% of voters bought that and won him 85% of US counties and the presidency.
And ever since, a vast "bipartisan" swath of US media and civic institutions, the deep state and many members of the elites of both political parties have been edging towards outright hysteria, active #Resistance, bureaucratic mutiny and widespread media/celebrity/talking-head delegitimization of Trump's presidency on a level that is utterly unprecedented in modern US history. The level of abject, contemptful hostility from ostensibly "objective" media outlets like the NYT has been breathtaking.
Many, many stories have been exaggerated, slanted and framed in ways that cast Trump as some comic-book villain/Manchurian candidate/Hitler-in-waiting beyond any basis in fact or contextualization within existing/recent US policy.
I want to just be clear that I don't support Trump or his policies, I've voted and volunteered for Obama/Bernie and other Democrats, but what I see occurring is a ratcheting up of tensions towards outright war between Trump and the existing establishment of this country. And that in fact is exactly the way Trump actually can justify cutting off media access and purging the ranks of the IC after all the leaks. Bannon and Trump want a war against the establishment, because they know how much of the country is disgusted by the establishment and wants someone to use them as a punching bag.
Trump himself should be like a relatively harmless pathogen within our government's co-equal constitutional immune system - perhaps even an excuse to strengthen legislative and judicial oversight that's been badly lacking in recent years of executive overreach. Instead we're witnessing the fourth estate and military/spook bureaucracy go to war with Trump, which is exactly the sort of non-credible/illegitimate opposition that can enable him to actually consolidate more public support and power.
Can someone change the title so it's less sensationalized?
Edit: thanks to the moderator for removing the "s" and making the word "Briefing" singular to accurately reflect the article.
Why even pretend we have a democracy anymore? Trump and his WH are busy eroding and suppressing every form of free speech and I can't think of a single thing he or the Republicans stand for that actually helps people.
The sentence is misleading and normalizes something that is very dangerous: The WSJ and Fox absolutely have conservative leanings. IMHO, WSJ, at least their editorial page, and Fox are propaganda outlets. (To be clear, I despise propaganda of all stripes; the conservative side is far more powerful these days - there is no left-wing propaganda outlet with a fraction of the power of Fox and the WSJ (or Rush Limbaugh and the rest of conservative talk). Huffington Post is maybe the biggest, but I don't read them enough to know if they qualify as propaganda. Publications like Common Dreams or Tom Paine are laughable as competition.)
What does this accomplish that ignoring the reporters in question would not?
You might still be able to see Russia from parts of the U.S., but it's getting harder and harder to see the moral high ground from here.
"Organizations allowed in included Breitbart News, the One America News Network and The Washington Times, all with conservative leanings. Journalists from ABC, CBS, The Wall Street Journal, Bloomberg, and Fox News also attended."
So, were the only outlets allowed in the "conservative leaning" ones, or the not-so-conservative ABC and CBS as well?
I wonder if the message conveyed would be different if we rephrase it another way:
> Organizations allowed in included ABC, CBS, The Wall Street Journal, and Bloomberg. Journalists from Breitbart News, the One America News Network, The Washington Times and Fox News, all with conservative leanings, also attended.
Also, I think NYT is playing with the word "allow" here. By saying "Organizations allowed in included X, Y, Z. ... A, B, C also attended", this gives the false impression that A, B, C are somewhat "not allowed" by separating the list into "allowed" and "also attended". This is obviously false since they attended it.
I hope the resources put in limbo by this can be devoted to investigating and reporting some independent and accurate accounts of what's happening.
Such as, say, refuting every false statement that is coming from the press room podium.
I'd pay for that paper.
What would we miss? Another story about spin?
Of course the GOP is going to contract voting rights as much as possible in the interim, so it's going to be a battle.
Liberals don't vote. Will that change?
Edit: apparently this is already happening. Time and AP among those who chose not to attend.
"Obama shuts Fox out of press briefings related to Benghazi" 
"The Obama White House went to war against Fox News": Jake Tapper. 
"Fishbowl DC has been keeping tabs of which media outlets have been allowed to ask a question at President-elect Barack Obama's five press conferences so far. They report Fox News is 05. Questions instead went to such outlets as ABC, New York Times, CBS, Reuters and the Associated Press." 
"In 2010, President Obama said that Fox News had a point of view which was ultimately destructive for America...The University of Minnesota's Eric Ostermeier tallied up the number of questions each member of the White House press corps had been able to ask during all of Obama's first term press conferences. ABC, CBS, the Associated Press and NBC led the pack, with ABC having been selected for questioning 29 times over 36 solo press conferences. (Overall, reporters have had fewer chances to ask questions than any White House press corps since Ronald Reagan's.)...Fox News, though it has a reach that far outstrips its competitors and sometimes rivals the broadcast networks, was in ninth place on the list, having been called on 14 times...NBC's Chuck Todd and ABC's Jake Tapper (now at CNN) were called on the most of any reporters; they each got 23 chances to question Obama." 
"Mr. Axelrod said it was the view of the White House that Fox News had blurred the line between news and anti-Obama advocacy...By the following weekend, officials at the White House had decided that if anything, it was time to take the relationship to an even more confrontational level. The spur: Executives at other news organizations, including The New York Times, had publicly said that their newsrooms had not been fast enough in following stories that Fox News, to the administration's chagrin, had been heavily covering through the summer and early fall, namely, past statements and affiliations of the White House adviser Van Jones that ultimately led to his resignation and questions surrounding the community activist group Acorn...Those reports included a critical segment on the schools safety official Kevin Jennings, with the on-screen headline 'School Czar's Past May Be Too Radical'; urgent news coverage of a video showing schoolchildren singing the praises, quite literally, of the president, which the Fox News contributor Tucker Carlson later called 'pure Khmer Rouge stuff'...There followed, beginning in earnest more than two weeks ago, an intensified volley of White House comments describing Fox as 'not a news network'....Then, in an interview with NBC News on Wednesday, the president went public. 'What our advisers have simply said is that we are going to take media as it comes,' he said. 'And if media is operating, basically, as a talk radio format, then that's one thing. And if it's operating as a news outlet, then that's another.'...'We simply decided to stop abiding by the fiction, which is aided and abetted by the mainstream press, that Fox is a traditional news organization,' said Dan Pfeiffer, the deputy White House communications director." 
December 2012: Several journalists reported that MSNBC hosts were meeting privately with President Obama to discuss the impending fiscal cliff fight. 
March 2015: Politico's media reporter, Hadas Gold, reported that a group of journalists and columnists, all on the left, met privately with President Obama, but the White House refused to say who else was at the meeting or what was discussed. 
This has been a relatively slow news week, I get the feeling someone needs a little attention?
Sooner or later there will be a real issue and most of us are going to tune it out because CNN/NYT/Others have treated every day since he took office as the 2nd coming of Hitler and beginning of WW3.
I'm not saying that's not true (I'm not a Trump supporter), but what sticks out to you as an instance of him doubling down on a lie?
Edit: It's disappointing to be down voted rather than being directly engaged. If you have a beef with what I said, please tell me where I've erred. I would love to change my mind on this topic. This is Hacker News after all, not Reddit.
The difference between what Trump has done here and what prior administrations did is the publicity and brazen transparency around it. I find it amusing that people think this is somehow a terrible, ominous event. This is a trifling thing compared to the egregious ethical violations and corruption, especially around information dissemination through the press, that has existed in this institution for decades.
The most interesting and concerning thing about it is the apparent weight given to these briefings. Except in very rare circumstances (e.g. killing of OBL, some attack like 9/11), these things are basically just PR displays by the administration. They serve no newsworthy purpose.
You might not like Trump, and you might have good reasons but the above is true all the same. And, he is sitting president of the USA right now, irrespective of how you feel about him, his platforms and his supporters.
The amount of vitriol involving Trump is ridiculous. It really is. I'm not saying Trump has good manners (because he doesn't) but the press hasn't been many steps behind in utter nastiness. And they have, in most cases, stopped even pretending to be objective. It's gotten where I can't even watch or read the news anymore. It's just irrational nastiness from one side or the other with zero nuance.
I don't know where this all ends if we stay on the trajectory. Gang warfare and cutting off heads maybe. Seems the veneer of civilization indeed might be pretty thin. Maybe we might have to relearn the hard way about the things we take for granted in the social order.
While Apple is focusing on trying to create the thinnest notebook on every generation, other companies are actually making useful computers, laptops or otherwise.
Right now, I've decided to take the money I'd spend on the cheapest Macbook to buy a desktop system, plus a chromebook. I can have mobility and a lot of performance, for a fraction of the price.
Even Windows is becoming more viable again, ubuntu core and all.
I saw a lot of video professionals jumping to the Adobe Ecosystem or to things like DaVinci for the GPU rendering.
In my case I ended up selling my Mac, and with the money built a good PC for the price. I feel stupid for not building one from the beginning. Goodbye external disks and weird peripherals; hello SSD, RAID storage, expandable RAM, and a GPU with CUDA that I can upgrade in two years, without trashing the rest of the system.
This is not a debate of Mac vs PC (that can go on forever), or PC Master Race propaganda, but the Mac Pro is a bad-taste joke. I get the idea of the "Apple tax", but it's ridiculous here. The CPUs, SSD, and RAM are old, but especially the fact that the GPU is soldered onto the motherboard is just stupid. GPUs are one of those rare things where you can still see double the performance in each new iteration.
I love my Macbook Pro because reasons, but in desktops, the PC is the king.
Once these people start working on Windows machines, the benefit of an iPhone is reduced. It's still a great phone, but they might go for an alternative. Same applies to iPads.
Apple should wake up quick. The extraordinary sales numbers of the iPhone seem to have made the company live in a bubble where there is just the phones that matter. But who knows for how long smartphones are going to stay relevant and if a new piece of technology is going to replace them...
I wonder what thinking led to that product. Did they think the pro market would be worth it to them to keep investing in keeping the product up to date and then it turned out not to be worth the investment? Although, even before then the Mac Pro was only updated sporadically... Was it all just Jony Ive design hubris? Who is the Mac Pro designed for?
I've purchased Apple products for 12 years (and for my entire company for 7 years).
It always seemed to be the obvious choice; it just worked, reliably and with a better user/developer experience than alternatives.
This year both my team and I have started moving away. My next phone will be an Android device and we're now not buying Macbook laptops for new recruits.
Windows, Ubuntu or Elementary OS offer a better experience. I personally can't take the restrictions I'm getting from MacOS and iOS. I'm also infuriated to see my machine being close to unusable a couple of times a week while "kernel_task" eats up 120% of my CPU.
The only reason I was still sticking with Apple was the hardware, but that too went downhill. The iPhone's screen is brittle. The battery is capricious. My latest 2 visits to the Apple store resulted in an unusable track pad and a damaged screen on my Macbook (which were then claimed to not be covered by Apple Care).
Others around me share my frustrations.
It may be anecdotal, but 3 years ago I would never have considered buying anything but Apple. I've reached the tipping point and I'm not the only one it seems.
Stack Overflow surveyed that 20% of developers use a Mac.
So let's say there are 4 million developers using a Mac. And let's say they buy a new Mac every 3 years. Then 1.3 million developers buy a Mac each year.
Apple sold 20 million Macs last year. So let's say 6.5% were developers and 10% of those developers are complaining about the new Mac series. If I am right that means that 130 thousand developers are complaining. That's 0.65% of Apple's customers.
Now I don't believe Apple is stupid. They have been in business longer than some people here have been alive.
So I can very much imagine that Apple decided to go for 2% more customers while losing 0.65% of them while making even more profit.
Introducing OS X as the mobile Unix platform of choice on top of the first ever drop dead gorgeous notebook (The Powerbook G4 Titanium) declared Apple as the platform for discerning power users. Those power users could confidently brag about their systems, giving free advertising to non-power users. The halo effect of which can still be seen today, trickling down to Joe Coffee in your local cafe. How much longer that lasts in the wake of mis-steps like the touch bar is questionable though, even in the wake of massive unit sales to the broader public.
This article is about high end video / graphics users, and workstations are a slightly different use case. But not much. Once these users move off Mac, who is going to be left to champion the desktops?
I'm an iOS developer. I'm sure if Apple were making decent machines I would be more optimistic about my job. But the current situation is making me prepare for an escape route. I'm sure there are many others who feel the same, and that will have a knock on effect on the iOS world.
Apple machines are now appliances that cannot be modified. They are throw away, so spend your dollars wisely.
Indeed in our household it works the other way around: My completely non-technical wife has prohibited me from buying non-Apple products. ("You know how whiney you get every time you buy a non-Apple product.")
It's interesting that in some ways Microsoft may be doing the same. They cut support for older CPUs, they cut a lot of their workforce for QA, and seem to be focusing too.
It'd honestly be kind of cool if the margins from reaching specialty users became so small that they stopped getting supported, so Linux fills in the gap. I mean, the transition is bad, but the end opportunity for Linux and diversity in general seems good.
Even the editors I know that cut on Adobe Premiere which is available for both PC and Mac aren't switching from Mac, which honestly has surprised me a bit because of the greater choice in hardware. But for most video editors at this level, you're just trading speed in one area for problems in another. Editors whine and complain every time there is a tiny change in the interfaces they use, they hate change. They have been forced to embrace FCP and Premiere over the years (and complain about it incessantly). Very few will choose to make the jump to Windows for the same reason.
As you step down the ladder, the move will make sense for some. Your all-in-one facilities or one man bands (production and all aspects of post handled by one or two people). But in my experience, this group has already been heavily invested in the Windows side because of the cheaper initial costs (that money you save early will be spent later and the Windows post-house will cost as much or more than a comparable Mac post-house, at least it did when I was an engineer).
And the other aspects of video post production, the CG, 3D and compositing sectors already heavily lean toward Windows or Linux and have for over a decade.
There just isn't a huge need for massive speed increases in the hardware side for most video editors. We've gone from needing very fast, high end systems with fast (and expensive) SAN storage to laptops and SSDs that allow us to do more, faster than ever. iMacs or MacBook Pros are all the average editor needs, with more and more working remotely from home. I cut a project for the NBA over the holidays on the first gen USB-C MacBook and years ago cut a project for REEBOK on the just released MacBook Air. Both these projects came up unexpectedly while I was traveling but went off without a hitch on underpowered hardware (that I bought for web surfing and writing).
That's not to say that I wouldn't appreciate (and most likely purchase) a new and expandable Mac workstation. But for the most part, I'd be spending money to just spend money. It wouldn't speed up 98% of my job. And that other 2 percent isn't slow enough to cause me any issues.
It seems like all of their priorities are related to everyday consumers (beats headphones, air buds, several new phone models every N months, etc.).
Why would apple waste their engineering man-hours building products for any market except the common consumer who aspires to be part of the wealthy crowd?
So most likely it's simply better business to cater to the consumer/prosumer part of the market and ignore "true pro" gear.
Windows has always been the majority of video editing till about 2009 when Final Cut was the buzz word. I HATE Final Cut and just its vocabulary was so frustrating. Most were either Premiere or some special Linux farm for HUGE projects. Apple won due to the idea that creatives used Apple and nerds used Windows. I always was the Amiga guy then the Linux nerd (Light Works is great but the plug-ins are limited) and now I just am happy to not have to use Final Cut for anything.
As a former developer now Project Manager, I don't code much anymore, but I tinker with stuff every now and then. I got into gaming for the first time since I built a custom PC back in 2004, and you know what? I love it! I thought I was "past that" phase in my life, but I enjoy my Windows 10 Desktop PC.
I still miss the Mac, and man do I miss the retina screens! But I feel macOS is simply now a legacy product to Apple that they simply cannot afford to ditch, not so much for business - obviously that would be bad - but I think it would be much worse from a PR perspective more than anything. And the whole thing bothers me. I feel like macOS is now an obligation for Apple to string along, but its real focus is now iOS. We all know iOS is the future, who are we kidding? At least with Windows 10 I feel Microsoft is trying to add neat features and updates annually now, and since mobile passed them by in the dust they have to scramble desperately to get Windows 10 in the forefront of tech enthusiasts again. I think for developers it's working (or at least they're trying very hard). I'm kind of excited for built in VR functionality, ubuntu core (WSL) seems really promising for developers.
Not only do I wish they could rethink the Mac Pro trash can, I wish they could design the Mac Pro with Server Rack in mind.
As it stands now, when someone asks me what computer to buy I have to interrogate them on their exact usage pattern and then spend a couple of hours looking at all the different Apple products to see which one might serve them best. 10 years ago it was simple; you just want to send email, browse Facebook from home, get an iMac. If you wanted to compile code at Starbucks, get a MBP. Goofing off at the library, get a MB. Simple.
Adobe Premiere Pro? Avid? something else?
The hard truth is that we pro folks aren't that lucrative. Pro users probably sit in the bottom of a smiling curve with high-volume consumer products on the one side, and high-revenue Enterprise on the other. To a company like Apple, pro users represent the worst of both worlds.
That's why you also see "media storage" companies like G-Technologies, who introduced pro products (like the late G-Speed) only to abandon that market for high-volume, low-touch consumer products like LaCie Rugged.
I want a new MBP with an nVidia GTX 1080 as much as the next guy, but I'm not holding my breath.
- A Mac Pro owner that is seriously considering getting something else.
To this day, I have a negative opinion of Microsoft for their questionable practices in the past and god knows they've been lambasted in the past for their general attitude (though it feels like this is starting to change). Apple on the other hand can totally afford to rehash their products from a few years ago, sit on a stash of gold, disappoint designers and programmers alike for years, leave Mac OS on a sidetrack and never have to face any kind of serious backlash.
It really says a lot about their marketing genius.
I feel like an idiot. I multibox videogames and my $1,000 entry-level alienware frequently outperforms this $5,500 art piece.
I need a machine that is large, powerful, and expandable. The Mac Pro isn't this.
I don't like Windows, but the only programs I'm going to use are Protools and Ableton Live. Just like on my gaming computer, which essentially just runs Steam (and games) I can deal with it.
For live sets, I'll keep using a Macbook Pro, because if one breaks I can buy another in any city in 5 minutes and I will know it will work almost immediately for what I need.
Been a mac user for 15 years. It was hard to make the jump but I came to the realisation Apple just doesn't care about my work and therefore my money anymore.
99% of us developers don't. Even if you have a lot of VMs.
I guess no one cares at Apple: if the hugest slice of revenue comes from phones and tablets...
due to the inherent bandwidth limits that Thunderbolt has as compared to the bus speeds of these GPU cards
There probably are applications that need every single GBps of the x16 connector, but just saying "bandwidth limitations" isn't sufficient - see also the common SLI setup which switches to x8/x8 if two cards are installed.
Why would they continue dumping money into refreshing Intel-based systems when they screwed them on 32GB of ram in the LPDDR4 thing on the new rMBP?
Can you imagine how annoyed the Apple people are that they can't sell you a $499 32gb ram upgrade along with your $1299 1500gb SSD upgrade on your $4299 computer?
Apple's future is ARM and to expect any more powerhouse Intel systems from them was folly even a year ago.
- Truncating to 160-bits still has a birthday bound at 80-bits. That would still require a lot more brute force than the 2^63 computations involved to find this collision, but it is much weaker than is generally considered secure
- Post-quantum, this means there will only be 80-bits of preimage resistance
(Also: if he's going to truncate a hash, he should use SHA-512, which will be faster on 64-bit platforms)
Do either of these weak security levels impact Git?
Preimage resistance does matter if we're worried about attackers reversing commit hashes back into their contents. Linus doesn't seem to care about this one, but I think he should.
Collision resistance absolutely matters for the commit signing case, and once again Linus is downplaying this. He starts off talking about how they're not doing that, then halfway through adding a "oh wait but some people do that", then trying to downplay it again by talking about how an attacker would need to influence the original commit.
Of course, this happens all the time: it's called a pull request. Linus insists that prior proper source code review will prevent an attacker who sends you a malicious pull request from being able to pull off a chosen prefix collision. I have doubts about that, especially in any repos containing binary blobs (and especially if those binary blobs are executables)
Linus just doesn't take this stuff seriously. I really wish he would, though.
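To make the truncation arithmetic in the comment above concrete, here is an added example (not code from any commenter, from Git or from Linus) that brute-forces a collision on SHA-512 truncated to a small output width and compares the number of hashes needed with the birthday estimate sqrt(pi/2 * 2^n). The counter-string inputs and the 24-bit width are constructed for the demonstration; the same search at 160 bits would take on the order of 2^80 hashes, which is the point being made.

```python
import hashlib
import math
from typing import Optional, Tuple


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-512 truncated to its leading `bits` bits (the faster-on-64-bit
    choice suggested above). Whatever the underlying function, an n-bit
    output has only about n/2 bits of collision resistance."""
    full = int.from_bytes(hashlib.sha512(data).digest(), "big")
    return full >> (512 - bits)


def find_collision(bits: int, max_trials: Optional[int] = None) -> Optional[Tuple[int, bytes, bytes]]:
    """Generic birthday search: hash distinct counter strings (constructed
    inputs) until two of them share a truncated digest.
    Returns (hashes_computed, first_input, second_input), or None when the
    optional trial budget is exhausted first."""
    seen = {}
    n = 0
    while max_trials is None or n < max_trials:
        msg = b"msg-%d" % n
        d = truncated_digest(msg, bits)
        if d in seen:
            return n + 1, seen[d], msg
        seen[d] = msg
        n += 1
    return None


def expected_birthday_trials(bits: int) -> float:
    """Expected number of hashes before the first collision on an n-bit output."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def generic_attack_cost_bits(output_bits: int) -> dict:
    """Work factors (in bits) of the generic attacks on an n-bit hash:
    birthday collision n/2, classical preimage n, Grover-assisted preimage n/2."""
    return {
        "collision": output_bits // 2,
        "preimage": output_bits,
        "preimage_grover": output_bits // 2,
    }


if __name__ == "__main__":
    bits = 24
    trials, a, b = find_collision(bits)
    print(f"{bits}-bit truncation: collision after {trials} hashes "
          f"(expected about {expected_birthday_trials(bits):.0f}): {a!r} / {b!r}")
    print("160-bit truncation:", generic_attack_cost_bits(160))
```

Raising `bits` by two roughly doubles the trial count, which is the sqrt(2^n) scaling behind the "80-bit birthday bound" figure; the `generic_attack_cost_bits` helper just tabulates that scaling together with the preimage figures from the same comment.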
With regards to market price for a successful attack, I don't think any hash function stands close to SHA-256. And for that reason I think it would be the right choice.
The first paper from Wang et al, which should've put SHA1 to rest, was published in 2004, the year before the first ever Git version was released. It could have been easy: Just take a secure hash from the beginning.
If he believes that, why does git allow signing tags and commits and why does Linus himself sign kernel release tags? Isn't that the very definition of "using a hash for security"?
"Other SCM's have used things like CRC's for error detection, although honestly the most common error handling method in most SCM's tends to be "tough luck, maybe your data is there, maybe it isn't, I don't care"."
BitKeeper has an error detection (CRC per block) and error correction (XOR block at the end) system. Any single block loss is correctable. Block sizes vary with file size so large files have to lose a large amount of data to be non-correctable.
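As an added example of the scheme that comment describes (this is not BitKeeper's code, and its size-dependent block policy is simplified to a fixed block size chosen by the caller): a CRC-32 per block for detection, one XOR parity block for correcting a single damaged block, and an explicit refusal to "correct" when more than one block is gone, since XOR parity cannot tell which of two bad blocks to rebuild.

```python
import zlib
from typing import Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(data: bytes, block_size: int) -> Dict:
    """Split `data` into fixed-size blocks (last one zero-padded), attach a
    CRC-32 per block for detection and a single XOR parity block for repair.
    The parity block gets its own CRC so a damaged parity block is noticed."""
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)] or [b""]
    blocks[-1] = blocks[-1].ljust(block_size, b"\0")
    parity = bytes(block_size)
    for blk in blocks:
        parity = xor_bytes(parity, blk)
    return {
        "length": len(data),
        "block_size": block_size,
        "blocks": blocks,
        "crcs": [zlib.crc32(blk) for blk in blocks],
        "parity": parity,
        "parity_crc": zlib.crc32(parity),
    }


def damaged_blocks(container: Dict) -> List[int]:
    """Indices of data blocks whose stored CRC no longer matches their bytes."""
    return [i for i, (blk, crc) in enumerate(zip(container["blocks"], container["crcs"]))
            if zlib.crc32(blk) != crc]


def decode(container: Dict) -> bytes:
    """Verify every block and rebuild at most one damaged block from parity.
    Raises ValueError when the damage exceeds what XOR parity can repair."""
    bad = damaged_blocks(container)
    blocks = list(container["blocks"])
    if len(bad) > 1:
        raise ValueError(f"blocks {bad} damaged; XOR parity repairs only one")
    if bad:
        if zlib.crc32(container["parity"]) != container["parity_crc"]:
            raise ValueError("parity block damaged too; cannot repair")
        i = bad[0]
        # XOR of parity with every *other* block yields the missing block.
        rebuilt = container["parity"]
        for j, blk in enumerate(blocks):
            if j != i:
                rebuilt = xor_bytes(rebuilt, blk)
        if zlib.crc32(rebuilt) != container["crcs"][i]:
            raise ValueError("rebuilt block fails its CRC; damage is wider than one block")
        blocks[i] = rebuilt
    return b"".join(blocks)[: container["length"]]


def corrupt(container: Dict, index: int) -> Dict:
    """Return a copy with one block's bits flipped (simulated media damage)."""
    c = dict(container)
    c["blocks"] = list(container["blocks"])
    c["blocks"][index] = bytes(b ^ 0xFF for b in c["blocks"][index])
    return c


if __name__ == "__main__":
    payload = bytes(range(256)) * 10          # constructed sample file
    stored = encode(payload, block_size=100)
    hit = corrupt(stored, 7)
    print("damaged:", damaged_blocks(hit), "recovered OK:", decode(hit) == payload)
```

The CRC check on the rebuilt block is what keeps the repair honest: if a second block was silently damaged in a way that happened to pass its own CRC, the reconstruction would be wrong, and the mismatch on the rebuilt block's CRC is the last chance to notice.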
* The end of SHA-1 on the Public Web
As announced last fall, we've been disabling SHA-1 for increasing numbers of Firefox users since the release of Firefox 51 using a gradual phase-in technique. Tomorrow [Feb 24th], this deprecation policy will reach all Firefox users. It is enabled by default in Firefox 52.
(Yeah, I know this will be read as a plea for monarchy and downvoted. It simply proves my point: people are WAY too subject to errors in the classes (1) "I hate him because he said something 'bad' about something 'good'." and (2) "I hate him because he said something 'good' about something The Tribe now knows is 'bad.')
SHA1 is busted. That impacts some git users. The fix is not invasive. Fix the bug. Make the transition. Move on.
Eventually, we moved on to my background, and I mentioned I had done a masters in computational neuroscience. He said something like "oh neuroscience, my great aunt had that", I think he thought it was an illness? Was sort of expecting the reality TV cameras to be busted out at that point...
He let me through though! Usually I clear immigration in Ireland (one of the few places you can do the immigration before you leave), and those folks are always much more pleasant.
I don't understand why host countries don't try to make themselves the most favorite country in the world for their guests. I believe "not allowing terrorists/drug dealers/illegal workers etc. etc. inside" is just the marketing, as I seriously doubt people who slip through the cracks of a saner screening process would be a significant problem. Therefore, I wonder what the real reason is but can't think of any.
All of this could be backed by the personal data that has been collected beforehand.
The old (and often linked?) article about airport security in Israel describes how they actually rely a lot on people being able to spot strange behavior.
So the policeman looks at it and says "Oh, the database department. Which databases do you guys use?" Basically I was able to identify myself with some Oracle and knowing who Scott Tiger was.
The policeman appeared to be an IT drop-out who switched to police.
What's sad is that in this climate it's not completely unbelievable that something like this could happen.
In other words, this does not seem to me like anything new.
"Attending a conference on computational geometry."
Pause for thought -- several seconds.
"Applying computers to solving problems in geometry."
This got me waved in. Co-workers told of the encounter later on proposed an alternative reply: "You wouldn't understand." Given the tone of the agent, those might have been very costly words.
I asked him how come he knew about that stuff and he told me that in a former career he was working in IT as well. I thought it was funny.
However, if it's really true, it is depressing. He was actually given an A4 sheet to balance a BST. Wow.
What if he failed the test? I assume that CBP cannot deny you entry because you didn't brush up on your algorithms and data-structures during your flight. But, they can still keep you detained for secondary screening.
Part of their job is simply to determine that you are who you say you are. They do this every day - within reason I expect they can ask you any arbitrary question related to you and your life to observe how you respond. They just want to catch those out that aren't, for whatever reason, being genuine about their story. I think there's a false assumption here that somehow @cyberomin's ability to actually _solve_ a BST was in some way tied to his likelihood of entry. That's obviously ridiculous. I imagine his response was still genuine enough that they believed him. Frankly as another commenter joked, I think they could have asked him to prove P=NP. It's when you reply confidently with an 'obvious' solution that they might raise an eyebrow.
Yes, it would be unreasonable if their ignorance actually led to you being denied entry. But in not one of the experiences here, or with @cyberomin, was that actually the case. The thing is, of course, that they're aware of their ignorance and the absurdity of their questions. You see, they know that they're bluffing. That's kind of the point.
It is, perhaps rather unfortunately, part of their job to make you feel uncomfortable, ask probing questions and weed out inconsistencies in your responses. Isn't that part of professional questioning? I can understand the frustration at the abruptness of the questioning, and it's hardly a friendly welcome. I've been angered leaving immigration before and I have to remind myself that ruffling my feathers is all part of the act. When first complaining to a friend she asked, "what did they insult you or something?" Actually, no. They just asked me lots of questions.
Clearly I'd like to think some questions are off-limits - I know there have been justified concerns about this - especially recently. And I understand this is hot topic right now - precisely why I think we should be careful - more careful than ever - not to overreact. From what I observe: The guy arrived, he was asked questions about his profession, his answers were evidently sufficient and he was let in. It happens to thousands of people every day. Honestly? I don't think there's a story here.
But I kindly doubt this guy's binary search claim.
Looks like people are studying up?
"At the airport, when I said I am Japanese, the officer handed me a Japanese newspaper and asked me to read it aloud. The newspaper had a really rare place name that I couldn't read. The officer suspected me."
whiteboarding, it's the new waterboarding? Furious /@AnnieTheObscure
But I think they should have asked him to spend a bit of time writing cool OSS code (maybe before his flight).
Show your piece to a number of people, ten, let us say. Listen carefully to what they tell you. Smile and nod a lot. Then review what was said very carefully. If your critics are all telling you the same thing about some facet of your story (a plot twist that doesn't work, a character who rings false, stilted narrative, or half a dozen other possibles), change that facet.
It doesn't matter if you really liked that twist or that character; if a lot of people are telling you something is wrong with your piece, it is. If seven or eight of them are hitting on that same thing, I'd still suggest changing it. But if everyone (or even most everyone) is criticizing something different, you can safely disregard what all of them say.
In the same piece, King advises: if it's bad, kill it. (When it comes to people, mercy killing is against the law. When it comes to fiction, it is the law.)
I know this isn't very DIY, but it's probably worth knowing it's an option: I simply hired someone who works at a book publishing company to edit and typeset the book for me on the side. The person I hired does it for a living and is incredibly good at it. Let's just say it's not the most lucrative career choice, so I had the entire book (198 pages) edited and typeset by a professional for about $400.
This also had the added benefit of letting me write and get feedback from early readers using google docs, which was incredibly important.
I ended up paying her a pretty big bonus on top of that (as we pre-sold $110,000 worth and since publishing a couple days ago have brought in another $2,000 - all straight profit since we're ebook only so far and not on Amazon) but for my time and sanity it was very, very worth it.
1. To write the best book you possibly can
2. To print, market and sell that book
Far and away the most important thing is No. 1, because No. 2 cannot happen effectively without that. And the bar is high - very high. So in many ways the battle is lost or won by the time you've put down your pen. Yes marketing and distribution are incredibly important. Design too. But none of it is going to do much good unless the book really works. And making a book work is not hit and miss. It's the product of a very exact type of knowledge and skill - this is especially true of genre work. Of course, there have been a few tremendous exceptions - but you'll know if you're one of those.
So with self-publishing, as with ordinary publishing: first write a great book.
For that the tools you need are:
1. Someone who can give you tough feedback and who knows what they're talking about
2. A writing group for softer, more regular feedback
3. Long practice in writing shorter work
4. Long practice in critical reading of other people's work, especially unpublished work. You'll never make a mistake once you see that mistake and understand it in someone else's work.
1. journey to the end of the universe
2. the fate of the universe hands in the balance
3. voyage to the end of time
I put the book back on the shelf.
For my use case (self-publishing a digital-only book):
I wrote "Learn Java the Hard Way" using Leanpub and I was pleased with the experience, but their build tools are closed-source and sort-of creaky and the tweak-compile-preview cycle is WAY too slow for my workflow.
I intend to use Softcover for my next one.
Recently I switched to Gumroad for fulfillment and I have been incredibly happy with them. Highly recommended.
While my press paid for the cover art, printing, ISBN, and other stuff, and they've done some advertising, a lot of the promotional work is left up to me...and in a lot of ways I think marketing is a much harder problem to solve. My novel came out of an intensive workshop led by a Nebula, Hugo and World Fantasy Award winner (Kij Johnson), has a blurb from a recent Nebula novel nominee (Lawrence Schoen, author of BARSK), was available for pre-order, and I've done what I could to promote it...and it turns out all those people saying it's tough to get your book noticed are, surprise, absolutely right.
tl;dr: while I'm interested in how Mr. Hubert produced his book, I'm more interested in how he finds an audience for it. (Beyond writing an article about it that gets linked on the front page of Hacker News!)
- 99% of all drafts sent to literary agents are objectively non-publishable. Simple lack of quality, lack of maturity, or other quantifiable factors. One or two drafts is not enough, even for experienced established novelists. Sadly, you can often tell within the first 5 pages, and even within the first paragraph.
- Out of the 1% that have the potential to be publishable, at least 4 drafts, and often much more, are required to reach the quality desired to actually be publishable.
- Good novels that are simply not what the agent/publisher is looking for at that time is also a factor, but a very distant one relative to just quality of work.
- In fact, if your novel is "good" but the agent/publisher is not inclined to pick it up, they are more inclined to ask for a full draft, to give great editorial notes, or to give referrals to other agents/publishers.
- If an agent thinks that they cannot take a specific "Good" book to market, they will frequently give pertinent feedback and often suggest specific revisions in order to make such a book marketable.
- At PNWA and other literary conferences the vast majority of attendees bring a single or maybe a second draft.
I should note that "number of drafts" is not an absolute requirement. Different folks write differently, and having a high number of iterations on your novel is not an indication of quality, rather an indication of the prerequisite work required to produce a good product.
So while the publishing world is far from perfect, and both publishers and agents tend to gravitate towards what's fashionable, the reality is that the vast majority of aspiring work is simply far from finished, despite the authors' claims (this doesn't preclude garbage like "50 shades" from seeing the light of day, mind you).
Self-publishing gives those 99% a window to self-publish with only marginal quality controls. This in a way has the potential to overwhelm the system, and the objectively higher quality works can get drowned out in the noise.
Not to mention that, once self-published, a book is highly unlikely to be re-published by a traditional publisher, especially for a first-time author.
I'll close this tirade on a positive message. If you're a writer, you've already succeeded. The inner battles fought every single day for months and years on end alone make you a winner.
Here's the LS pricing guide: https://myaccount.lightningsource.com/documents/LSI/files/pr... and here's the CS pricing: https://www.createspace.com/Products/Book/Royalties.jsp
For example, I sell a very short book via LS. The MSRP is $2.99, I set a 20% Ingram discount, and the print charge is only $1.56 (though the pricing guide now says $1.72; I think it's increasing soon). So I make $0.84 per book. With CreateSpace the lowest possible print charge is $2.15 per book, and given their fixed 40%/60% sales channel fees, it wouldn't be possible to sell the book for as low as $2.99.
LS isn't always cheaper though; you should do the calculation for your particular book size and page count.
Working with LS does make things a bit harder. You have to buy your own ISBNs, spend time waiting for certain manual processes (like for them to review your account application or a new book), and deal with their clunky website. But for me, it's worth the effort to be able to publish short books much more cheaply.
Time for my annual rant on KDP and Amazon not caring about writers in non-English.
The list of supported languages is incredibly limited: https://kdp.amazon.com/help?topicId=A9FDO0A3V0119
Finnish is allowed but Estonian is not... it is ridiculous. Latvian and Lithuanian are not allowed, Russian is not allowed etc etc.
It took a shaming campaign by the British press to get Welsh added.
This restriction is so silly when the book comes out perfectly on Createspace paper version.
It looks fine doing my own conversion for the Kindle but Amazon will not let me publish the books in unsupported languages.
I do editing and typesetting for a non-profit as a hobby/volunteer effort and end up publishing the paper books on Createspace, but ebooks have to go through Kobo and other non-Amazon venues.
If you just want to release an ebook or even in paper, you can do that easily. If you want to release an ebook and have it be a success, that's really hard. It's hard even for traditional publishers, and it's certainly not any easier for self-published authors.
Anecdote: I helped my grandmother release her first book (here: http://carolynnslaughter.com/book/). The technical aspects are frankly not that hard. For anyone with halfway reasonable technical skills, launching a book is simply a matter of following various instructions online.
How much did we sell? Pretty close to rounding error of zero. Honestly, we were never expecting much success, because the book is fairly academic.
Edit: Less anecdotally: "Ninety percent of your book's success will be determined by the quality of your book. The other ten percent is distribution, marketing and luck." (From Mark Coker, founder of Smashwords: https://www.smashwords.com/books/view/145431)
I understand that as HN readers we gravitate towards technical solutions. But the sibling comment by scandox is on the nose here. The hardest problem by far is writing a book that people will be willing to pay money for. The second hardest problem is marketing it, and all these other technical aspects come somewhere after that.
For those who have never written a novel, writer is being sarcastic here. The equivalent in terms of reference more familiar to the regulars on HN might well be: "Step 2: study for a CS degree, then decide which industry you intend to disrupt, learn how it works, and come up with a strategy. Oh, and write the killer app."
This is just the framework for the business plan: it's helpful, but it's insufficient on its own.
Disclaimer: I used to work for Lulu, but no longer do, and have no financial stake in them. Just wanted to point out the existence of another option.
Also, it might be helpful to note that the likelihood of making a living from writing is dependent on how fast an author can complete each novel.
Disclosure: I'm the developer/engineer.
* I used XeTeX plus my editor of choice.
* I sent it to a few friends, listened to what they said, and read and re-read until my eyes bled.
* I avoided Amazon like the plague, instead using a small print-on-demand shop with reasonable prices.
* I sold via pre-sales, my personal website, and consignment at small bookstores.
My experience was through Smashwords and I was pleased with the platform. Never even recouped the $10 or so fee to get the ISBN number hah. It's a nice opportunity - self publishing, that is - and I think lots of amateur writers should feel compelled to give it a try. Nothing is quite like the artistic experience of working very hard on a piece, getting it out into the world, and almost nobody paying any attention to it. Except a couple purchases by relatives.
Not everybody gets to be Chuck Tingle, which, while fiscally successful, is the literary equivalent of the contents of a mop bucket at a seedy peep show joint. Ugh.
I have an idea for an informal Chemistry 101 notebook. I might end up making comparisons between cartoon characters and periodic table elements: Hydrogen ~= Tinkerbell, Helium ~= Master Yoda, Lithium ~= Philoctetes (from the Hercules movie), etc.
It is not reassuring that most references in that list are owned by Disney Co.
I don't understand why something as ubiquitous as writing necessitates spending $100 on software from Microsoft. A plain text editor works out of the box. If you have a need for more complex formatting you could use LibreOffice, OpenOffice, Pages (comes free with a new Mac/iPad), WPS Office, etc. I get that Word is the standard and all, I just don't understand why the agreed-upon standard needs to cost upward of $100, especially for something as simple as word processing.
I imagine it would end up working along the shareware model, x chapters here for free and purchase access to the full story, or something along those lines - though if there is a market for it you could use it as a streamlining process for publishing houses I suppose
Is anybody aware of a site like that in the wild already?
Scrivener is US$40, Vellum is Mac-only and US$200, the other two are unnecessary/replaceable and IMHO should be a list of equivalent options -- once you have a manuscript, which can be created using any number of free tools.
Someone who imagines writing the Great American Novel, but who also expects to have to pay a premium for each step along the way, may not grasp the essence of novel writing -- how it fits into the big picture.
There are any number of free word processors able to organize a book project into chapters and sections. Self-publishing is also free or should be.
My favorite story about novel creation is that of Andy Weir and The Martian. Weir started the project as a series of blog posts, got very useful feedback from his readers, improved his content on that basis, and the project grew nearly on its own. By the time Weir wanted to talk to publishers, they already wanted to talk to him.
Lately I've been carrying a notebook everywhere I go and I'm starting to write much more.
- use proprietary tool 1
- enslave yourself to Amazon
- use proprietary tool 2 from Amazon
He then goes on to show how that's been true, and that a standard index fund outperforms almost every hedge funds even before extra fees to the hedge funds are taken into account.
It's not the first time this has been pointed out, and it suggests that for non-multimillionaires, an index fund is always the most rational choice.
You get close to the return you'd get by investing in real estate, with the added benefit of index funds being much more easily liquifiable.
Our efforts to materially increase the normalized earnings of Berkshire will be aided, as they have been throughout our managerial tenure, by America's economic dynamism. One word sums up our country's achievements: miraculous. From a standing start 240 years ago, a span of time less than triple my days on earth, Americans have combined human ingenuity, a market system, a tide of talented and ambitious immigrants, and the rule of law to deliver abundance beyond any dreams of our forefathers. You need not be an economist to understand how well our system has worked. Just look around you. See the 75 million owner-occupied homes, the bountiful farmland, the 260 million vehicles, the hyper-productive factories, the great medical centers, the talent-filled universities, you name it; they all represent a net gain for Americans from the barren lands, primitive structures and meager output of 1776. Starting from scratch, America has amassed wealth totaling $90 trillion.
I don't often see this sort of pride in America. Normally the flavors I do observe are hyper-nationalistic and filled with bravado, while the tone here is lauding yet reserved. There's a sense of authenticity delivered in the way Warren Buffett - an extremely humble, yet successful man - talks about the way his country has helped him succeed. It's austere.
This isn't part of the regularly scheduled programming for threads about his letters (mostly we like to champion index funds or debate the utility of active investing), but it's what really struck me this time around. Juxtapose his words here with the same category of conversation about America in many other contexts and contrast the integrity involved. In a time when America appears to be experiencing quite a bit of social and political volatility, it is refreshing to hear optimism from a source that does not appear to use it as an instrument of control.
EDIT: Well this has since ignited a debate about America's cultural identity and history of imperialism...not really the spirit of what I was going for but here we are I guess...
"Unfortunately, I followed the GEICO purchase by foolishly using Berkshire stock"
"It was, nevertheless, a terrible mistake on my part"
"Despite that cautious approach, I made one particularly egregious error"
I bet you don't find that sort of thing in many other annual shareholder letters.
I.e., I agree with Buffett's general premise, and have since the 1980s.
30,450 pages, holy crap.
Is he basically saying that the insurance business is structured in such a way to never payout catastrophic amounts? Is this a harmful thing for the insurance claimants?
So stop by for a quote. In most cases, GEICO will be able to give you a shareholder discount (usually 8%). This special offer is permitted by 44 of the 51 jurisdictions in which we operate. (One supplemental point: The discount is not additive if you qualify for another discount, such as that available to certain groups.) Bring the details of your existing insurance and check out our price. We can save many of you real money. Spend the savings on other Berkshire products.
I need to get hooked up with my shareholder discount!
He's smart, honest, humble, generous, witty and a great communicator. And he's the best investor in the world.
Buffett profited off the housing bubble and should not be trusted. He owned huge stakes in the ratings agencies that were giving AAA+ ratings to these awful mortgage products; even as publicly he was decrying the financial products involved as 'mass destruction', he was making money on it.
He is doing the same with his stock market push. If a million people listen to him and go buy stocks, what do you think happens to his index funds? They go up of course.
Absolutely hilarious and sad to watch people worship this guy. If his secret is really to buy index funds, then why do people listen to his speeches and newsletters? You could just go buy index funds and be done with it.
Like every other con artist, his genius is to get people to buy in to his story.
Normally these letters have some new brilliant insight or dive into a business I know nothing about. This one feels shorter and more peremptory. I see the financials for the major sectors and the same boilerplate explanation of insurance and railroads that's in every letter.
What's up? It's not like nothing happened with Berkshire Hathaway this year.
"See around me," indeed.
Stan is amazing in that you can fit pretty much any model you can describe in an equation (given enough time and compute, of course)!
More on Stan here: http://mc-stan.org/
The wikipediatrend R package relies on http://stats.grok.se/, which in turn relies on https://dumps.wikimedia.org/other/pagecounts-raw/ which has been deprecated.
The new dump is located at https://dumps.wikimedia.org/other/pageviews/
Data is available in hourly intervals.
en Peyton_Manning 58 0
That being said this claim in point #1 baffles me:
> Prophet makes it much more straightforward to create a reasonable, accurate forecast. The forecast package includes many different forecasting techniques (ARIMA, exponential smoothing, etc), each with their own strengths, weaknesses, and tuning parameters. We have found that choosing the wrong model or parameters can often yield poor results, and it is unlikely that even experienced analysts can choose the correct model and parameters efficiently given this array of choices.
The forecast package contains an auto.arima function which does full parameter optimization using AIC which is just as hands free as is claimed of Prophet. I have been using it commercially and successfully for years now. Maybe prophet produces better models (I'll definitely take a look myself), but to claim that it's not possible to get good results without experience seems a bit disingenuous.
As an aside, anybody interested in a great introductory book on time series forecasting should check out Rob Hyndman's book which is freely available online. https://www.otexts.org/fpp
A few days ago I was asked to do some forecasting with a daily revenue series for a client. Due to her business' nature the series was really tricky, with weekdays and months/semesters having some specific effects on the data. I, as many do, use Hyndman's forecast package, but I threw this data at Prophet and it delivered a nice plot with the (correct) overall trend and seasonalities. Very cool and easy to do something.
I've been using CausalImpact by Google for months. This seems pretty straightforward.
It's a completely managed solution. No need to set up anything yourself. Just upload the data and predict next week's data, today itself. There is a free trial and if anyone here is looking for an extended trial, they can reach out to me.
Its major benefit is that it figures out the relationship to the target time series by itself, so you can just throw in all time series and see what comes out.
Language is Clojure, 20kloc, incanter, encog. If anyone is interested in working for/with it, let me know. I currently develop a REST API for it and plan to release it as open source once the major code smells are dealt with.
Very cool though --- I would be interested to dive into the methods they've implemented sometime in the near future!
Some feedback: it'd be nice to see you actually quantify how accurate Prophet's forecasts are on the landing page for the project. In the Wikipedia page view example, you go as far as showing a Prophet forecast, but it'd be nice to have you take it one step further and quantify its performance. Maybe withhold some of the data you use to fit the model and see how it performs on that out of sample data. It's nice that you show qualitatively that it captures seasonality, but you make bold claims about its accuracy and the data to back those claims up is conspicuously absent. Related, it might be worth benchmarking its performance against existing automated forecasting tools.
I'll definitely be checking it out!
I got really excited for a second. Actually, I'm still pretty excited about this even if it was something else entirely.
You talk about having to choose the best algorithm but it seems like Prophet is just another algorithm to choose from. Is there some kind of built in grid-search or are you just stating that results from your AM have been more accurate than ARIMA?
I see this being applicable to analysts when deciding on on a company's credit worthiness.
We're planning to add forecasting to our SaaS analytics product (https://chartmogul.com) later this year, I'm going to look and see if we can use this in our product now.
Between this and Stan I think my free time for the next week is gone.
See also the R vignette, which shows that the data is returned per-column which gives it a lot of flexibility if you only want certain values: https://cran.r-project.org/web/packages/prophet/vignettes/qu...
> df['y'] = np.log(df['y'])
One huge obstacle to open-source anything in DoD is the attitudes of their information assurance professionals. I have been told by numerous DoD IA people that "Open Source is bad because anyone can put anything in it" and "We'd rather have someone to call." I understand the second point -- we honestly don't have the time to run every last issue to ground and it's probably better if we do have some professional support for some of our most important tools. But the first just boggles my mind.
But the IA pros are, as a group, schizophrenic, because somehow people are getting things by them anyway. The system I'm working on has Python as a build dependency. The devs are creating reports using Jupyter notebooks.
Basically the DoD needs to stop being so damn obstinate about open source.
* There is no copyright and plagiarism doesn't exist. Internally to the military everything is libre to the most maximum extreme. While people do get credit for their work they have no control over that work and anybody else in the military can use their work without permission.
* Service members and employees of the military are not allowed to sue the military. As a result software written by the military has no need to disclaim a warranty or protect itself from other civil actions.
* Information Assurance protections are draconian. This is half way valid in that there are good monitoring capabilities and military information operations are constantly under attack like you couldn't imagine. The military gets criminal and script-kiddie attacks just like everybody else, but they also get sophisticated multi-paradigm attacks from nation states. Everything is always locked down all the time. This makes using any open source software really hard unless it is written yourself or you work for some advanced cyber security organization.
Is there an explanation about why Unlicense is not appropriate? Or what it would take for an Unlicense derivative to meet the legal requirements? Could the laws be changed in small ways to allow US Government employees to more fully participate in open source?
"The Unlicense is a template for disclaiming copyright monopoly interest in software you've written; in other words, it is a template for dedicating your software to the public domain. It combines a copyright waiver patterned after the very successful public domain SQLite project with the no-warranty statement from the widely-used MIT/X11 license." http://unlicense.org/
I like how other commenters have included other successful US.gov and specifically DoD open source such as BRL-CAD and NSA's Apache Accumulo. And the DoD Open Source FAQ is interesting and something I haven't seen before: http://dodcio.defense.gov/Open-Source-Software-FAQ/
Open source and US.gov participation reminds me of what happened with NASA Nova. It was pretty sad that when OpenStack became relevant in the industry that seemed to cause a panic at NASA and they pulled completely out of OpenStack development. Instead of NASA being able to help the project stay focused on being opinionated enough to be generally useful (out of the box), NASA was too afraid about the perception of competing with proprietary commercial interests. (It was nice to see last year, all these years later, that NASA's Jet Propulsion Laboratory is now a user again having purchased RedHat OpenStack.)
The DoD, though, is still trying to feel its way around. There seem to be some lawyers there who are very hard to convince. For years, they've been asking to have various licenses and CLAs modified and we've been telling them no.
Here's their latest request for the Apache License 2.1:
Hopefully this helps push things in the right direction, although I'm not optimistic.
It highlights a unique aspect of Federal Government developed software: it's public domain rather than licensed based on copyright law. This facilitates reuse but complicates contribution by outside developers.
It's not clear to me why this is necessary/desired. Is it because of contribution to existing works protected by copyright or something else?
From the OSI's FAQ:
> What about software in the "public domain"? Is that Open Source?
> There are certain circumstances, such as with U.S. government works ... we think it is accurate to say that such software is effectively open source, or open source for most practical purposes
What problem does this license aim to solve?
EDIT: ok this comment clears things up a bit. AFAICT it's specifically regarding a mechanism to permit foreign contributors while allowing them to disclaim liability.
> When You copy, contribute to, or use this Work, You are agreeing to the terms and conditions in this Agreement and the License.
I do not see how this is enforceable, or that it even makes sense, any more than it would make sense for me to take, say, a NASA photo and slap my own terms on it. If it's in the public domain, there's no ownership and no 'or else' to back a contract setting licensing terms.
The alternative is that I'm misunderstanding this license, of course. Where am I going wrong?
Just think back to why you studied computer science or coding. I hope it wasn't to help build spy tools on your friends & families. I hope it wasn't to help engineer destructive weapons that are dropped on innocent civilians.
Fuck code.mil, fuck lockheed martin.
edit: I turned down VC money a while ago because I discovered they had previously sold a company to a Lockheed Martin affiliate. Downvote all you want but I'm not some spineless piece of shit that will throw out principles and morals for it. I love making money but it's not worth losing your compass or soul over.
Is there any DoD code that is both interesting and suitable for public consumption?
The danger comes if you are not aware of the risks inherent in your own income. Sometimes it does make sense to let your income have some instability in it, and let someone else control it -- maybe it is a case like mine where it is small enough to not matter. Or maybe it is large enough that it is worth the risk. Just don't let yourself get in a situation where it is large enough that you are living on it, but not so large that the risks are acceptable. Because that is when changes like this will bite you.
It's a massive loss (~50%) for affiliates like Wirecutter that do mostly tech/electronics, and a huge boost for the luxury beauty category.
Current fees: https://web.archive.org/web/20170106214444im_/https://images...
They're there now. They have critical mass. They're the first place organic search for new stuff.
There's no sense in throwing money after sales they'd already get. They're better off using it as discount to get sales they wouldn't.
and not seeing what is cut in half.
(Also I notice that the new chart says musical instruments are 6%. For electronic musical instruments -- digital keyboards, for instance -- does this mean the fee has gone up from 4%?)
If they are going from a volume based approach to a margin based approach that is rational, and good for everyone.
(i.e. why payout more for 1000 rubber bands that makes them uncompetitive to sell, and you should pay out more for that high end tv).
But... if I'm being honest with myself, it also seems kind of reasonable. I think their original plan was pretty generous. I was kind of expecting this to happen at some point.
I have been running online shops before (not electronics though) and we happily spent all of the profit margin of an order on trackable advertising. Because of a) the lifetime value of the customer, b) the word of mouth value of a customer and c) the untracked sales generated by the advertising.
2.5% of revenue sounds unbelievably cheap to generate an actual trackable order.
I stopped by the local Microcenter (which, incidentally, has a nice assortment of hobby-oriented electronics items for sale) and they beat Amazon's price on a Samsung EVO SSD by over $20. Since they price match, I got a $3 discount on one of the other pieces of hardware I bought that day.
All in all, the time I spent driving there likely made the savings irrelevant, but I was surprised that they were so much more aggressive on the SSD pricing.
I could see a site like the WireCutter getting lots of clicks to Amazon and then the person not buying that product but remembering later "hey, I forgot that I need dog food." Well, dog food happens to be a 10% commission now, so maybe it isn't as bad as it would seem.
Also, the WireCutter's sister site is the Sweet Home, and I think home goods are now up to a flat 8% rate, so they may not be any worse off.
Affiliate programs are a good way to get market quotas. If they're #1 in sales, then there's no need to spend marketing bucks on it.
My strategy is this: At these commissions in the Health niche, Amazon will not be in our "preferred" tier of stores. On March 1, their products will no longer show up on our blog (unless they are the only store with it in stock) -- and the blog gets the vast majority of our traffic.
They will still show up in our main site (where I need to decide whether or not to keep their exclusive buttons), and they'll still be involved in our hot deals and price drop alerts.
Stores need to earn our best visitors, and Amazon is no longer deserving. Surprisingly, they're most often not the best deal on our site anyway, so I don't think anyone will be too upset.
I may try to negotiate my own rates, but I don't think we're big enough for that (not yet, at least). Everything is negotiable when you have legit traffic and other options.
Meanwhile, we've been diversifying our revenue with various industry SAAS services that can be scaled globally. This has been a big focus of mine, knowing that these kinds of things can happen at the drop of a hat.
But at the end of the day, this is still a paycut, and it still hurts. Amazon will ultimately lose more of our traffic for it, and I really don't think they'll even notice this on their bottom line compared to the explosive profits they get from AWS.
Seems like bad PR more than anything.
Reading the Associates discussion forum is the definition of depression. People running sites for many years talking about earning $200 in a month. Please, enlighten us as to your thoughts on the new rate structure!
And related question, is there an affiliate scheme for Amazon India? I had checked a few times earlier for the US-based Amazon affiliate scheme, and IIRC, each time it said that it was only for the US, or not for India.
Since some GCP engineers are watching: Presumably we'll see some new zones to provide these processors, or will it be a limited release within existing zones? And if so, will you be moving away from homogenous zones in the future?
The cache is also a whopping 56 MB.
Disclosure: I work on Google Cloud (and helped a bit in our Skylake work).
Disclosure: I work on Google Cloud.
Great job GCP team!
It's something that I've wanted to play with for some time. It's cool that GCE has them available as a service.
Your calculator page is unusable on mobile due to fancy "material" form filling.
It hints there's Individual Accounts, but I see no way how to set it to that?
this post would have been interesting if they had included those tests.
Another commenter already brought that issue up, but thanks for pointing it out again. I still think that it's quite silly to claim that Ryzen Rev. A may end up being a paperweight based on a mistake that took place a decade ago. Whatever floats your boat, I guess.
And from what I read, it seems like it was an extreme edge case, so the TLB error was triggered only during specific workloads. Sucks to be AMD back then.
Beyond VX, there exist a plethora of other analogous chemicals, namely the G-series, VE, VG, VM, VR and VP. A notable commonality among these compounds is that very little is known about their effects outside of military research (i.e. not shared).
Given the military nature of these compounds, there is a reason to believe that this was a military assassination.
Sarin is a G-series agent https://en.wikipedia.org/wiki/Sarin
Edit: Program available here until mid March: https://tv.nrk.no/program/KOID23002916/mosley-og-de-kjemiske... If you can VPN to Norway.
In fiscal year 2008, the US Department of Defense released a study finding that the U.S. had dumped at least 124 tons of VX into the Atlantic Ocean off the coasts of New York/New Jersey and Florida, between 1969 and 1970. This material consisted of nearly 22,000 M55 rockets, 19 bulk containers holding 1,400 pounds (640 kg) each, and one M23 chemical landmine. 
I absolutely thought VX Nerve Agent was fictional until today.
A missile full of VX agent is scary to me. The most North Korea can fit on a missile is a warhead as powerful as Hiroshima's, but a missile full of VX could potentially kill everyone in Washington DC.
Plus think of all the implications of transporting VX through international borders. Did China accept having North Korean agents transporting VX in China? Did they smuggle it through fishing boats?
Why kill people exotically? Why not just use a simple garrote with a thin wire? 10 seconds, done, the head would be practically off. I am sure you could get a weird pair of headphones past security. If you poison someone with polonium/exotic nerve agent, doesn't it narrow down the suspect pool?
Seeing it light up and say "destroy all humans" was pretty funny, moreso because there is pretty much zero authentication on them so you could do it from anywhere from your mobile, and the mic can turn on and record without any authentication at all.
sigh internet of things
Not only was a huge amount of information exposed through a public, unauthenticated MongoDB instance, and not only did CloudPets ignore multiple security researchers' attempts to alert them to the problem, but the database was actually held for ransom multiple times without customers being alerted to the breach.
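The exposure described in this comment comes down to two mongod settings. The following is an added example (not from the comment, from CloudPets, or from any real deployment) of a mongod.conf in YAML form: the weak configuration that leaves an instance reachable and queryable by anyone, commented out, beside the hardened equivalent. The port number and bind address are assumptions for illustration.

```yaml
# Added example: mongod.conf showing the weak and hardened forms of the
# settings behind an "unauthenticated, publicly reachable" MongoDB instance.
#
# WEAK (hypothetical, commented out): the daemon listens on every interface
# and accepts any command from any client without credentials.
#
# net:
#   port: 27017
#   bindIp: 0.0.0.0
# security:
#   authorization: disabled

# HARDENED: only the application tier can reach the listener, and every
# client must authenticate; role-based access control then applies.
net:
  port: 27017                 # assumed port; keep it off public interfaces
  bindIp: 127.0.0.1           # or the private address of the app host only;
                              # reachability from the Internet is the first defect
security:
  authorization: enabled      # requires an admin user to exist before restart;
                              # unauthenticated clients get no data at all
```

Note that `authorization: enabled` only takes effect once an administrative user has been created in the `admin` database; until then the localhost exception is the only way in, which is another reason to keep `bindIp` on loopback or a private address.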
It's a bit paradoxical. There are way less things a kid can say that can get him in trouble than an adult. Even the most oppressive regime will not hold what a 4yo toddler says against him. The need for privacy should rather be less for a kid than for an adult.
What it means is that violations of privacy are creepy, period. We try to rationalise it by arguing that we get something out of it, but when dealing with our kids, we stop believing our own bullshit and it just becomes purely creepy...
If you want one, they're now available for the low, low price of only $3. Including WiFi.
https://cloudpets.com/ https://www.hollar.com/products/as-seen-on-tv-cloudpet-dog
>the average parent.. is technically literate enough to know the wifi password but not savvy enough to understand how the "magic" of daddy talking to the kids through the bear (and vice versa) actually works [or] that every one of those recordings... is stored as an audio file on the web.
If it is not considered amazingly stupid, or at least ignorant to not understand that the magic talking bear has a computer in it, and that if the computer wants the wifi password it probably uses the internet, and that if the entire purpose of the device is to make recordings available to you over the internet... then I despair. My sympathy for people who buy these sorts of products is wearing thin. But, in this particular instance...
>our tolerances are very different when kids are involved
Interesting. Why? The data is much less valuable:
>One little girl who sounded about the same age as my own 4-year old daughter left a message to her parents: "Hello mommy and daddy, I love you so much." Another one has her singing a short song, others have precisely the sorts of messages you'd expect a young child to share with her parents.
Hardly identity thief material.
Alas, that won't happen.
Internet-of-Shit will remain exactly that until neglecting security is a substantial threat to the bottom line of a company.
They ignored multiple warnings? Got hacked multiple times? This is negligence, and this company should be fined out of business.
How else would you do it?
You just cannot expect everyone to "earn" money while expecting technological progress to continue unabated.
Don't want so many people? Mandate reversible sterilization at birth.
Don't want so many disgruntled and unemployed people? Endorse some form of guaranteed income, or incorporate basic housing, meals, healthcare and internet into the list of undeniable human rights.
We often do not realize how many layers of wealth we had to stand on to possess our current wealth.
It's not like I don't believe in UBI. There are few other visible solutions to the automation problem (others may be economic incentivizing - like through tax breaks - and cultural promotion of the resurrection of personal servants as a mass occupation) - but it can't work as well as this example simply because it doesn't scale so well.
This will go on for a few decades until there is an uprising of sorts, then those with the money will return to giving everyone else crumbs, or just enough to quell the uprisings. This will probably go on perpetually.
If anything they need to get to work developing their country; those shacks are not going to be built by robots.
Fully developed countries on the other hand may face the situation where their country is so well run and have such a high level of automation and specialisation that there is too little work left for the population to be fully employed.
And thus they may lower their pension age, experiment with 30 hour work weeks, sabbaticals, maternity leaves, basic income and so on.
The countries that are closest to this are probably the Scandinavian countries. However at the moment they are all moving towards lower social transfers and higher pension age.
Public policy whether implemented by governments or by organizations should test, innovate, change, not just pick an approach and run with it as seems to happen with the largest programs here in the U.S. As far as I can tell there's not been much innovation in the implementation of the safety net since Johnson.
Like anything else humans try to do, there will be bugs, there will be blind alleys, there will be mistakes. Small scale testing is a necessary step so that a working model is ready for larger-scale testing or maybe it'll be found that the implementation will have to have configurations that vary according to local conditions and even just preferences.
I'm a Pacific Northwest guy perhaps out of touch with what Silicon Valley is up to, sometimes I'm critical, but for this initiative, I say thank you. I have no clue how I'd thank anyone for this so just in case anyone involved is reading my comment I would like to express gratitude for doing work that has a high probability of playing a part in making the world a liveable place for my young son and the rest of humanity in the years to come.
By the way, if you've got the chops to beta test UBI, any chance you could save the Amazon Basin?! Please.
So, yeah, machines are a big black hole and our jobs are doomed asteroids spiraling into the black hole. As they spiral into the singularity, humans will be displaced at an accelerating rate, and it will take more ingenuity and effort for humans to maintain "work". And, for what? In the asymptotic limit, the outcome should be no more jobs and "work" in the way we currently define them, and humans will be truly free to pursue creative pursuits. Never shall a beautiful human mind be wasted on labor which a machine can do.
At some point, machines will be the dominant species pushing civilization forward, not us.
Until then, we're forced to work, we're forced into employment because our world does not simply give us what we want. Food and spears don't fall out of the sky, so we will waste our time hunting and farming until we figure out how to make those things "fall out of the sky".
Oh, really? Where do we sign up? I'd love to be able to build my business(es) without taking investor funds.
That was my immediate reaction after reading this. What about after the twelve years, when the donors ride off into the sunset? There are some encouraging stories there of participants using the money wisely, but not all will do so. You could argue that nobody is forcing them to participate, but it does seem at least a little ethically questionable. Particularly given the targeted demographic of a rural Kenyan community with (presumably - I could be wrong) low education levels.
The worst-case scenario I fear is that UBI given without also providing outlets for activities that actually get used will result in an adult version of the problems of otherwise well-off suburban youth.
I think history has proven that we can live in extremely wretched conditions. By giving money to people, are we going to be increasing their living standards or just creating more mouths to feed?
Note that the basic income only applies to whoever registers at the beginning of the program. Would that amount of basic income cause the population to explode, so that the per-capita amount of goods/money remains constant?
Forget about "fake news", the New York Times is literally evil news. It is literally promoting views that proliferate evil. Injecting this level of disorder into an economy and lying about it is a level of deception that goes into moral perversion.
Let me make this clear: I am directly accusing Annie Lowrey of promoting excessively morally corrupt views. She is responsible for promoting evil. This is a person who wakes up in the morning and works hard to promote evil.
Think about that.
Edit: I was down-voted without explanation or rebuttal. If you disagree with what I have written, don't attack me anonymously. I want my karma to be a healthy score, and I don't appreciate people (or bots) decreasing my karma score, and I consider it a personal attack against my reputation.
Liberals believe that the poor are too dumb and helpless to figure out what they want, so the government should do it, both domestically and in foreign aid.
Conservatives believe that the poor are poor because they are unintelligent and lack good values (or they are acting rationally in response to liberal welfare programs), and domestic and foreign programs should be eliminated in favor of religious missions.
What programs like this are finding is that the poor are intelligent and well-motivated, and they just need an opportunity to get out of the hole they are stuck in.
Let me add that, from what I understand, foreign aid programs can be very helpful in areas like public health.
This is not the situation I think of when I hear "basic income." Why Kenya?
> GiveDirectly wants to show the world that a basic income is a cheap, scalable way to aid the poorest people on the planet.
I was under the belief that only the middle class protested for basic income. It would have been more interesting if the "beta test" was done on educated/first world persons, so we can finally get progress (or a full stop) on this debate.
I believe this idea wasn't thought out past the "we want to put on airs" phase. Is injecting capital into a system that relies on crime to keep afloat, really the best idea GiveDirectly could have come up with?
This is similar to the Toms fiasco where they would donate a pair of shoes to Africa for every pair bought -- it crippled the local fabrics businesses.
Perhaps if one wanted to fix the African economy, one would invest into economic think-tanks and their executionary tandems, instead of over glorified tax shelters.
I think that in addition to the money they should help with the following:
1) Education and the ability to get it at will. Financial education should be a priority.
2) Entrepreneurship. Make sure anyone that wants to start a business knows what to do.
3) Security and the enforcement of the law through a judicial system, both criminal and civil.
4) A working financial system. Make sure businesses and people can borrow money.
5) A way to go bankrupt that will let people start over. It should not be too painful for either creditors or borrowers.
6) A political system that works for the majority.
7) Community leadership that works towards the betterment of the town.
8) A tax system that will let the town provide items that no single person can provide on their own. It's a reality: as painful as they are, taxes and their prudent use help improve the community's standard of living.
9) Secure property rights. If someone owns something they should be able to do with it what they want without infringing on the community's well-being, and no one should be able to take it away from them by force.
What gets me riled up is the inability to use the town's human capital. Giving free money will not help forever. If you could get people to work together they would eventually get out of poverty. Maybe the current generation might not, but eventually they would be able to do it.
Also the Swedish national council for crime prevention expected this rise over the last few years because in 2013 (before there was a serious influx of migrants) Sweden broadened the definition of rape. A similar increase in crime was seen around 2006 because of 'legislative changes' about how things were recorded.
In the US research on the link between immigration and crime largely find no link between the two, and of the relative minority of studies that find a link, there are twice as many studies that find that increased migration reduces crime as the reverse.
In Germany, refugees are less likely to commit a crime than the average citizen. From the publicly available information it is impossible to conclude with certainty that taking in refugees increases crime, especially considering that the vast majority of 'crimes' they do commit are non-violent things like not travelling with a ticket.
What is rarely mentioned is the increasing crimes committed against refugees in refugee camps. In Germany, there were 1,029 attacks against refugee residences in 2015, following 199 in 2014. Attacks on refugees increase the crime rate themselves.
Claim: "In Sweden there are a number of 'no-go zones' where criminality and gangs have taken over and where the emergency services do not dare to go."
Facts: No. In a report published in February 2016, the Swedish Police Authority identified 53 residential areas around the country that have become increasingly marred by crime, social unrest and insecurity. These places have been incorrectly labelled 'no-go zones'. What is true, however, is that in several of these areas the police have experienced difficulties fulfilling their duties; but it is not the case that the police do not go to them or that Swedish law does not apply there.
It's shocking to me that "grenade attacks" have virtually become an everyday occurrence.
Refugee centers have already been burned down in several instances, and anti-migrant sentiment is growing.
I really don't see how the large-scale immigration going on in Europe is going to result in a positive outcome, at least in the short term over the next few generations.
I think it's incredibly irresponsible to encourage migration without being able to provide productive, meaningful lives to the migrants. People are not pets.
Let's go and convince all the victims of crimes in recent years that they're just imagining things and they're safer than ever. And hand out more "don't grope me" bracelets for extra protection.
Classic HN, don't forget to upvote the guy who says physically assaulting people with different opinions is OK. Sounds tolerant and progressive.
Ban my account, but the comments can stay for exposing your collective hypocrisy for the future. Goodbye.
Translation: I'm so fucking tired. What I will write here below is not politically correct. But I don't care. What I'm going to promote to you all taxpayers is prohibited to peddle for us state employees. That tends to drive in a non-career and non-individual pay. Even though it's true. I don't care about all of this, will soon still retire after 47 years in this activity. I will now and every week explain in detail what I am employed for as investigator on the mcu police in Örebro. It's not going to be good with the opinion or other leftist criminologists' perception in the general debate.
Our pensioners are on their knees, the school's a mess, healthcare is an inferno, the police have totally collapsed (totalhavererat) etc etc. We all know why but no one dares or wants to peddle the reason, due to the fact that Sweden has always lived on the myth of the prudes' ultimate society who have osinnliga resources to be at the forefront when it comes to being the only politically correct option in a dysfunctional world that beats itself on its own by destructive behavior in different names. Here we go; this I've handled Monday-Friday this week: rape, rape, robbery, aggravated assault, rape-assault and rape, extortion, blackmail, off of, assault, violence against police, threats to police, drug crime, drugs, crime, felony, attempted murder, rape again, extortion again and ill-treatment.
Suspected perpetrators; Ali Mohammed, mahmod, Mohammed, Mohammed Ali, again, again, again Christopher... what is it true. Yes a Swedish name snuck on the outskirts of a drug crime, Mohammed, Mahmod Ali, again and again.
Countries representing the week's crimes: Iraq, Iraq, Turkey, Syria, Afghanistan, Somalia, Somalia, Syria again, Somalia, unknown, unknown country, Sweden. Half of the suspects, we can't be sure because they don't have any valid papers. Which in itself usually means that they're lying about their nationality and identity.
Now we're talking just Örebro municipality. And these crimes occupy our investigative capacity (utredningsförmåga) to 100%.
So it looks here and has been like for the past 10-15 years.
Return next Friday with a statement for the past week
In the case of Islamic terrorism, I've heard it commented that recruits come from the children of migrants rather than the migrants themselves. This certainly seemed to be borne out by the London 7/7 bombers and the Charlie Hebdo attackers, to name two cases.
Prison populations in western countries also seem to have disproportionate numbers of ethnic minorities.
I also heard that Canada refuses to break down crime figures by ethnicity/race as a matter of public policy. If that is true it seems that there is a fear that the figures might look bad for minorities.
In the interests of community harmony, authorities commonly seem to want to accentuate the positive and sweep any negativity under the rug.
Trump Is Right: Sweden's Embrace of Refugees Isn't Working https://www.wsj.com/articles/trump-is-right-swedens-embrace-...
I see the same rhetoric in NL and DE, and other parts of Europe. Officials keep denying the issues with manipulated statistics. People know better, and as long as "populists" are labelled a cause rather than an effect, the problem is not going away.
"I know it's sensitive and controversial ... But for us it's really a no go because we have directives not to go into dangerous situations."
The interview video has English subtitles:
How about you stop lying to me?
Even using hand picked numbers to try and alleviate people's fears, they have to admit that the main assumptions about immigrant crime are correct and that many areas are in fact turning into "shitholes", for lack of a better term.
Regardless of the context in which we are discussing these counter-arguments, having raw statistics is always helpful:
The data comes from the same agency, BRA, that is referenced in the report: https://www.bra.se/bra/bra-in-english/home/crime-and-statist...
Doing a Google image search of "Angela Merkel Family" or "Stefan Löfven family" (PM of Sweden) and it's night and day compared to "Barack Obama family" or "Donald Trump Family".
Whether you are conservative or liberal, we all agree that we need leaders who are thinking about the future generations of the nation. Too much short-sightedness going on. Anyone who has raised kids knows that it changes you.
First, they want to make it look as though their policy choices have had positive outcomes.
Second, they want to retain support for the current leading political power groups. The top 3 parties are the Swedish Social Democrat Party, the Moderate Party, and the Sweden Democrats. The latter two support tougher immigration laws, but they are mostly outweighed by the first. The PM (who recently made comments denying any attacks) is a member of the social democrats.
The left (S, V, MP) haven't touched much of these issues (ignorant or delusional), the right (C, L, KD, M) have chosen to ignore the problems for a long time until recently (swayed by the left?), and the extreme right (SD) has gotten very popular as they acknowledged problems, but they seem to believe that it's an innate trait of the culture where these people are coming from and have extreme ideas about how to deal with it (rescind citizenship and deport). I don't think it's an innate trait; I myself am an immigrant and know many other immigrants from different backgrounds, and there's a huge difference between those that grew up in these neighborhoods and those that grew up in areas which better represent the Swedish population. The one thing that is common to all successful immigrants (and immigrant children) is that they are confident and optimistic, fast learners, and choose to only hold on to parts of their original culture that fit within the Swedish norms.
This failure of integration, to build a modern, cohesive and beneficial culture for everyone, is common in the West, and particularly in Sweden, which primarily takes in refugee immigrants from countries in war and not highly skilled immigrants from diverse backgrounds.
I hope these areas don't deteriorate even more and become like some ghettos of the USA, where people die every other day because of gun violence, as that's what I would call a no-go zone.
The solution should be to stop creating conflicts in countries which the western world wants to destabilize or dominate because of geo-economical advantages to them, causing war and poverty and then forcing men, women and children to escape into the Western world where they get pushed into ghettos, which leaves them no option other than prostitution and crime.
The solution should not be to stop immigration, but to stop forcing people in other countries to emigrate.
Is this really a problem with the increasing levels of automation?
Guess it depends on how you define terrorist attacks...
the level [of lethal violence] in 2015 when a total of 112 cases of lethal violence were reported was higher than for many years.
lethal violence using firearms has increased within the context of criminal conflicts. The number of confirmed or suspected shootings was 20 per cent higher in 2014 than in 2006. The statistics also show that 17 people were killed with firearms in 2011, while the corresponding figure in 2015 was 33.
The number of reported rapes in Sweden has risen.
some 13 per cent of the population were the victim of an offence against them personally in 2015. This is an increase on preceding years, although it is roughly the same level as in 2005.
In a report published in February 2016, the Swedish Police Authority identified 53 residential areas around the country that have become increasingly marred by crime, social unrest and insecurity.
It starts here. I've scraped it with some regexes:
Thread: Both left and right are talking a lot of nonsense about the situation in #Malmo. I was there four weeks ago, reporting on the fatal shooting of 16-year-old Ahmed Obaid, an Iraqi-Swede immigrant with a bright future ahead of him. Here's some actual info for anyone not interested in the shrieking leftist eye covering or racist right wing exaggeration that is surrounding #Malmo atm.
Ahmed (police, family & gang members all agree he was innocent & not affiliated with gangs) was one of three murders in Malmo in Jan 2017. In that month, there were 13 shootings, a small IED explosion and a hand grenade thrown into the lobby of a police station. Statistically this was a sharp increase in violence.
People pretending there's no problem with gang violence in #Malmo need to get real. The problems in #Malmo stem from many things. One big issue is how the Swedish government seems to have pushed its large migrant population in #Malmo into a corner and tried to forget about them.
This, coupled with the lack of employment and easy access to weapons across from Denmark and from the Balkans, has of course created a problem. The unemployment rate for foreign-born men between 16 and 64 in #Malmo is 30%. That compares with 8% nationally. (despite what the Trump lot with their half mast Pepe hard-ons and Wotsit fingers might claim).
A lack of skilled work, discrimination, housing issues, failed assimilation and ridiculously lenient laws toward violence (sorry lefties) all play a role in the very real problems Malmo is facing. There's also a huge lack of support for the police in #Malmo from the Swedish government. They don't have enough officers, are under-resourced & with Sweden's laws their power to lock up criminals they do catch is diminished.
Police in #Malmo seized ~600 weapons in 2016. Some semi-auto rifles & hand grenades. From '16 there are also 13 currently unsolved murders. Whilst reporting in #Malmo, I spoke to the family of Ahmed Obaid, a gangster parading around the streets in a bullet-proof vest, and with a policeman about all of this. They all agreed that yes, there IS a big problem in #Malmo and it is being largely ignored.
Unfortunately it's now blown up (excuse the pun) in a way that isn't currently shedding light on anything of substance. You have the right wing pretending there are no-go zones (there aren't, that's bullshit), non-stop rape and daily explosions, and you have the left who're pretending it's all milk, honey and racist propaganda. Ignoring the situation in #Malmo doesn't mean it doesn't exist, and exaggerating why doesn't make it so.
TL;DR - #Malmo has a problem with gang related violence, but this cannot be blamed entirely on immigrants, it also cannot be ignored.
I guess it's interesting enough, but I just don't see the link. Why is it being upvoted so much?
OK, so you have statistics that show that you are right. What are you going to do with them? Start discriminating against every single individual of that particular ethnic group?
> "The number of reported rapes in Sweden has risen. But the definition of rape has broadened over time, which makes it difficult to compare the figures. It is also misleading to compare the figures with other countries, as many acts that are considered rape under Swedish law are not considered rape in many other countries."
> "the main difference in terms of criminal activity between immigrants and others in the population was due to differences in the socioeconomic conditions in which they grew up in Sweden."
Firstly, "socioeconomic conditions" cannot excuse away rape or murder. And even if they could, that's little solace to the victims of these crimes. Secondly, the study they are referring to states that "socioeconomic conditions" can explain 50% to 75% of the difference. Even then, what about the other 25% to 50%?
As for the redefinition of rape, it was expanded in April 2005 to include acts perpetrated against victims in a helpless state, such as being intoxicated. So it's broader but much of what it captures still falls under the term rape in other countries' legislation too. New crimes weren't invented, they were simply shifted from the sexual assault column. Plus it keeps on rising, a decade after the redefinition.
But here's the thing. We can ignore the redefinition and the associated noise, and instead look at trends before 2005 as well as at aggravated rape (Grov våldtäkt), whose frequency is not affected by changing definitions. We can also just see what the crime reports tell us. Let's do that.
Here are the facts:
- Studies in 1996 and again in 2005 showed that foreign-born individuals were 4.7 times more likely to commit a crime of rape and 3.7 times more likely to commit the crime of murder.
- Multiplying each group's proportion of suspects by their absolute size gives us the absolute amount of those suspected of "Rape" for each group. Doing that we find that "Swedes" made up 43.5% of "Rape" suspects, "Half-Swedes" made up 14.6% of "Rape" suspects, and "Foreigners" made up 42% of "Rape" suspects. These are approximations.
- 2005's info is less informative as Sweden stopped publishing info on ethnicity, but had this to say in their report: "Immigrants' risk of being registered for crime has not changed in any pronounced way since the previous study conducted by the National Council, which related to the situation at the end of the 1980s"
- Before the change to the penal code in 2005, rapes were rising rapidly. "The number of consummated rapes reported to the police has increased dramatically, more than tripling over the course of the past two decades. A total of 2,261 consummated rapes were reported to the police in the year 2004. It is not possible to exclude the possibility that the dramatic increase in reported rape offences may at least to some extent be the result of an increase in the propensity to report these crimes to the police. On the whole, however, no support was found for interpretations suggesting that this factor, even taken in combination with the effects of the legislative change referred to above, would be sufficient to explain any major part of the increase in the number of reported rapes. Thus it has not been established, but it does not appear unlikely, that the number of rapes committed has in fact increased."
- "Since 1990, the number of reported cases has increased by an average 400 per year. According to the National Council for Crime Prevention (Brå), people's propensity to report has probably increased during this period, but a reasonable assumption is that actual violence against women in close relationships also increased in the 1990s."
- A 1996 BRA (Swedish Criminal statistics) study found that "there any indication that immigrants in Sweden are discriminated in the courts. Immigrant overrepresentation in registered crime is almost certainly real...nor is it caused by any generally lower social economic status (calculated as per SEI code) in Sweden."
- The Swedish National Council for Crime Prevention determined that between 1985 and 1989 individuals born in Iraq, North Africa (Algeria, Libya, Morocco and Tunisia), Africa (excluding Uganda and the North African countries), other Middle East (Jordan, Palestine, Syria), Iran and Eastern Europe (Romania, Bulgaria) were convicted of rape at rates 20, 23, 17, 9, 10 and 18 times greater than individuals born in Sweden respectively.
- Eurostat use the ICCS (international classification of crime for statistical purposes) method which standardises types of crimes so that they mean the same thing in different countries. Their stats show rape in Sweden is rising both before and after 2005.
- Audited sentences for rape from 2009 show an over-representation: as many as 48 percent of the rapists were born abroad. (This represents an increase compared to data from 2005, which could point to the phenomenon growing.) Within the category of aggravated rape, the figure was as much as 64 percent.
- Professor Sten Levander, a member of Brå's scientific board, in an interview with tabloid Aftonbladet said "That the number of reported rapes has increased so significantly in a short time cannot be explained by regulatory changes and increased willingness to report the crime. Scientists believe that certain types of rape may indeed have become more common."
So, yes. Sweden's real rape-rate is rising and, yes, migrants are disproportionately responsible. Often shockingly so.
In Sweden, as in other Western European countries, public debate about immigration, islamisation and its consequences to society is being smothered under a suffocating blanket of political correctness.
After the New Year's Eve attacks in Cologne - when on one square, during one night, a total of about 1200 women were hemmed in individually and sexually assaulted by a mob of muslim men - the German press and the government managed to keep the events under wraps for four days until the outrage on social media became too great to ignore.
In the slipstream of the press coverage that followed, the Swedish newspaper Dagens Nyheter revealed that similar events had been happening for a couple of years at the summer music festival "We Are Sthlm" in Stockholm. When asked for reasons as to why nothing of this ever became public knowledge, Police chief Peter Ågren is quoted explaining how he performs self-censorship on these kinds of cases so as not to play into the hands of the anti-immigration party Sverigedemokraterna.
I don't follow Swedish media because of the language barrier, but if my experience with Flemish and Dutch media is any indication then this political party might very well be demonised beyond recognition in the Swedish press. People don't like to play into the hands of what they're told to consider as the Second Coming of Lucifer, even when the events turn out to be the very thing this party has been warning about for years.
It would be quite understandable if events like what happened in Stockholm would lead to a moral panic, but as soon as it becomes clear that muslim immigrants are the perpetrators, the opposite happens. People will vent their outrage about what happened in a close circle of trusted friends but put on a mask of political correctness to anyone outside that circle. Not unlike the Soviet Union in its heyday. On the other hand, as soon as there is a hint of how racist the native population allegedly is, the press kicks into full moral panic mode.
A striking example of this double standard are the events of 2016 in Belgium. During the arrest of terrorist Salah Abdeslam in Brussels, the anti-terror units were pelted with stones and bottles by muslim youth from the Molenbeek neighbourhood where his hideout was. Quite the contradiction to the eternal story we keep hearing about "a few bad apples". So the public broadcaster VRT decided not to mention that pesky detail. Elsewhere it hardly got any coverage until a minister got angry over it. When on the other hand a few racist comments made by native Belgians are found on Facebook among millions of non-racist ones, then this is reason enough for the newspaper "De Morgen" to appear with an entirely black front page.
The Swedish government's "fact" sheet puts on a brave face about having immigration-related violence under control. One look at the ever growing list of recent grenade attacks (that they conveniently forget to mention in their factsheet) tells us there is a very serious problem. No mention either of the fact that of the 160,000+ asylum seekers that arrived in 2015 alone, fewer than 500 landed a job. On a total population of 10 million people, hundreds of thousands of relative newcomers - many of them functionally illiterate - are living on benefits without any prospect of ever playing a role in the economy of Sweden, where less than 5% of the jobs are low-skilled.
The "factsheet" lambasts its own citizens - who foot the bill for the benefits and the urban unrest - for being islamophobe, for harassing muslims and for discriminating against them on the job market. It misleadingly suggests a percentage of 1.5% muslims by only counting "muslim faith communities", while the real number is probably at least 6%. Apparently the Swedish government wants us to believe that the other 4.5% have become secular.
The findings of the Dutch scholar Ruud Koopmans, who does research at the Humboldt University in Berlin, tell another story. By conducting surveys among the European muslim population he comes to the conclusion that 40 to 45% can be classified as fundamentalist. There is also the British Channel 4 docu "What British Muslims Really Think".
That many muslims in Sweden are quite fundamentalist is why the Jewish actor Kim Bodnia decided to quit the crime series "The Bridge": he no longer felt safe in Malmö with its growing antisemitism.
And if you think this will all blow over once the children of the first generation immigrants have finished school and are ready for the job market, think again. Second generation muslim immigrants are no better integrated; they are even worse integrated. If you want to look up some stats from Belgium on that topic you hit a stone wall. But the Dutch central bureau for statistics has some solid public data on that.
So one of the disturbing things they found was that for many non-Western minorities criminality rate increased with the second generation w.r.t. the first one. Take for instance Moroccans and Turks, as they are important minorities in both Belgium and the Netherlands.
Males with a Moroccan background are almost six times more likely to be a crime suspect than a native Dutchman. Males of Turkish descent more than three times. And when you split up by generation: second generation Moroccans in the Netherlands are almost three times more likely to be a crime suspect than the first generation. Second generation Turks more than two times.
So you have a generation of people who were born and spent their entire life in the Netherlands, went to the same schools and got the same education as Dutch kids, and yet they are more of a burden to society and are less well integrated than the first generation of immigrants.
I think you can extrapolate that to other European countries like Sweden and to immigrants with a background in other parts of the world, like the horn of Africa, Syria, Iraq or Afghanistan.
The share of muslims among the European population is also rapidly growing because of a number of factors that amplify each other. First of all there is the continued influx. Then you have family reunification. Add to that the fact that many muslims of 1st, 2nd or 3rd generation prefer to look for a spouse in their country of origin. And there is the higher birthrate among muslims compared to the native population. And finally there are native people who feel alienated in their own country and go try their luck in North America, Australia or New Zealand.
So I think these "facts" are a desperate attempt by the Swedish government to shape perception towards their own interests, and you are better informed when reading the testimony of that courageous Swedish cop:
https://www.cbs.nl/-/media/_pdf/2016/47/ji2016s_web.pdf, paragraph 1.7, "Proportion of crime suspects by background and background characteristics, 2015*"
1. William B. Irvine, "A Guide to the Good Life: The Ancient Art of Stoic Joy", https://www.amazon.com/Guide-Good-Life-Ancient-Stoic/dp/0195...
This is an introduction to Stoic thought as it applies today by a professor in philosophy, very clearly written. Great for first exposure. It (sensibly) skips some of the more arcane stuff, such as Stoic metaphysics (historically relevant, but really obsolete).
2. Donald Robertson, "Stoicism and the Art of Happiness", https://www.amazon.com/Stoicism-Art-Happiness-Teach-Yourself...
This is a touch more academic and historic on one hand, and very practical and text-book-like on the other hand, in that it has self-assessments, key points, exercises for every section. Excellent second book. The author also has a course, blog and FAQ at http://donaldrobertson.name
3. Epictetus' Enchiridion is available on Project Gutenberg, btw. It's very short, and many things are not really relevant today anymore, yet surprisingly many sections still "speak to us".
4. Note also that Tom Wolfe's huge novel "A Man in Full" is suffused with Stoic themes.
I find Stoicism quite wise, and still substantial enough when you subtract all the obsolete superstition (which cannot be said of, for example, Abrahamic religions). Certainly good for tranquility and empathy. Sometimes hard to translate into positive action, though, I find.
I am 2/3 into it, maybe one of the best philosophy books I've ever read.
That view of the universe is in error, people are part of the universe and they certainly care. To view the universe without humanity is to not view the universe.
There is bleakness in the universe for sure, but there is also compassion and caring.
I think both the stoics and Buddhism were definitely on to something.
This actually is presented in Buddhism too, which was where I first encountered it before re-discovering similar principles in stoicism and Ellis's Rational Emotive Behavior Therapy. See this sutta: http://www.accesstoinsight.org/tipitaka/sn/sn36/sn36.006.tha...
"When touched with a feeling of pain, the uninstructed run-of-the-mill person sorrows, grieves, & laments, beats his breast, becomes distraught. So he feels two pains, physical & mental. Just as if they were to shoot a man with an arrow and, right afterward, were to shoot him with another one, so that he would feel the pains of two arrows; in the same way, when touched with a feeling of pain, the uninstructed run-of-the-mill person sorrows, grieves, & laments, beats his breast, becomes distraught. So he feels two pains, physical & mental."
But what is nice about Buddhism is that there is a practical skill-training that comes along with the theory. When disagreeable events happen to you, mindfulness training teaches you not to grasp on to the events automatically and start your own narrative about it, but instead, observe them mindfully. This gives you the opportunity to skillfully deal with the situation. REBT in addition implores you to consider the situation rationally.
These are troubling times (especially where I live in India), and I think a little bit of stoic + Buddhist teachings can go a long way in maintaining our composure even as we engage with the world. I still struggle with this from time to time, but I would have been completely lost without these teachings.
The Penguin edition of fellow stoic Marcus Aurelius' Meditations is free on Amazon Kindle: https://www.amazon.com/Meditations-Marcus-Aurelius-Wisehouse...
Is there someone among you HNers who has retained a positive outlook by believing that the universe is a bleak, chaotic place with no intrinsic meaning to the things happening in it?
Basically Stoicism, I suppose, though I've not looked up the term in detail.
I also like this quote by him which I read long ago:
"Practice yourself, for heaven's sake, in little things, and thence proceed to greater."
The Stockdale Paradox is also interesting. Stockdale was influenced by Epictetus.
It blows me away how that part about taking every problem as a chance to learn and become a better "wrestler" fits right in with my natural conclusions. The rest of it describes me adequately also.
I'm reading Epictetus now, thanks for sharing.
If it helps you suffer less: great. But before you dive in, know that you might be able to save a lot of time and avoid a lot of jargon by learning about mindfulness from a secular source.
Stoicism has been one of the most appealing to me. However, one issue I have with Stoicism is similar to that of religions.
Most people who follow Stoicism, or any other religion, tend to pick and choose what is the best fit for them.
Stoicism is not about giving up anything (common misunderstanding) but it IS to moderate everything including things like our carnal desires. I do not think anyone does this nowadays.
Does this mean we need a Stoicism 2.0 like we do in many religions? _______ 2.0? Not entirely sure...
In a section further down the article she discusses the books "Upheavals of Thought" and "Therapy of Desire". There she elaborates how stoicism and emotions relate in a fairly comprehensive way.
The first paragraph told me that I should stop reading and what kind of Stoicism I would find below.
This really stood out for me. I'm always tempted, while writing something specific, to generalize it. I try to resist that, when I recognize it. Writing a ThingThatImWritingFramework risks ThingThatImWriting never seeing the light of day, or never being used.
It is easy to slide into an OCD mindset when programming, to make things tidy and proper. It feels dirty to make stuff just work, to make stuff disposable, but evolution operates a lot like this - many little, reversible mistakes that add up to big improvements quicker than any other method.
This one is also nice, especially for mid to large software houses. As long as a common denominator is respected, I guess.
They just got on with it because they were talented, experienced and motivated. For that reason, the rest of the talk is very inspiring - so listen to the hour-long video (half talk, half questions), and not the article, which only has the post-hoc bits. https://youtu.be/E2MIpi8pIvY
I disagree with this so much. Prototypes and proofs of concept teach you so much, but usually they are crap; you will always write it better a second time. Throw away the prototype and re-write it as a much better implementation.
These are achievements beyond belief.
To paraphrase an old mentor, curing diabetes in mice is kind of the sport of the field. It's been done a number of times. Mice have some abilities to regrow tissue we don't. It's unclear how well various mouse models for diabetes mimic the human phenotypes.
I am very hopeful for this line of research in general, but I expect any cure in humans will be more complex and perhaps also deal with somehow suppressing the immune response that destroys the beta cells in type 1s like myself. For a type 1, the best I'd expect something like this to be able to achieve is a temporary return to the "honeymoon" period where the pancreas still produces enough insulin to make small adjustments but supplemental insulin is required.
On a personal level I have found that diet can have massive effects on my diabetes management. I may try a diet like this (with the advice of a doctor in adjusting insulin to handle it well etc., and with the realization I may need to break the diet to treat low blood sugars etc.). Edit: I also use a continuous glucose monitor, which helps greatly with avoiding low blood sugars while changing diet/activity levels, and recommend one to any other diabetics.
I don't expect anyone who's actually diabetic to fall for this; every T1 diabetic is in practice forced to become an expert. But, for the sake of confused bystanders: for a diabetic using insulin, fasting is dangerous. That's not an abundance of caution thing; we diabetics micromanage a key part of our metabolism using insulin, and if we leave the range of metabolic states we're familiar with we'll get insulin dosages wrong. The most likely outcome of trying to fast for a day would be being forced to abort the fast by hypoglycemia.
Today: Story about a weak, non-replicated animal study at the top of hacker news.
With that in mind, I wonder how effective this actually is. I (I'm a T1 diabetic) grow some new beta cells, my overly aggressive immune system wipes them out again...
EDIT: reading the reddit thread (https://www.reddit.com/r/science/comments/5vufpb/the_pancrea... - thanks austinjp) I'm not the only one to ask this. The general consensus is it's not going to be useful for T1 diabetics; it's just treating the symptoms, not the cause (the immune system), again (like injecting insulin).
Details on the human feedings:
"The human version of the FMD is a proprietary formulation belonging to L-Nutra (http://l-nutra.com/prolon/). It is a plant-based diet designed to attain fasting-like effects on the serum levels of IGF-I, IGFBP1, glucose and ketone bodies while providing both macro- and micronutrients to minimize the burden of fasting and adverse effects (Brandhorst et al., 2015). Day 1 of the FMD supplies 4600 kJ (11% protein, 46% fat, 43% carbohydrate), whereas days 2-5 provide 3000 kJ (9% protein, 44% fat, 47% carbohydrate) per day. The FMD comprises proprietary formulations of vegetable-based soups, energy bars, energy drinks, chip snacks, tea, and a supplement providing high levels of minerals, vitamins and essential fatty acids (Figure S3). All items to be consumed per day were individually boxed to allow the subjects to choose when to eat while avoiding accidentally consuming components of the following day. For the human subjects, a suggested FMD meal plan was provided that distributes the study foods to be consumed as breakfast, lunch, snacks, and dinner. (See lists below for ingredients and supplements)"
All guys/gals with any sort of disease, I pray you all get well and better soon!
Also, it's impractical to fast when you have work to do and meetings. You risk becoming cranky and grumpy and pissing colleagues off. Better to fast when you have a day off or at night.
Ok, where can I find more information?
Apple has solved this problem in the current models. There's no longer any way for the hard disk to leave you in doubt. It's now fused to the motherboard permanently so that it cannot be recovered even if it does survive some kind of trouble.
Keep your backups up to date.
That's true. Damn, Apple, how about a bloody sensor for such stuff at least to give an early warning?
>If you have a MacBook be careful leaving it unattended on the bed, battery fires burn hot and fast with little time to react.
Whereas if you have any other brand it's OK?
Millions of computer users were on red alert last night after they were warned that their laptops could burst into flames at any moment. In an extraordinary admission, the world's largest computer firm, Dell, said yesterday that 4.1 million laptops are at risk. The computer giant was forced to confess that problems with the laptop's batteries, made by Sony, means they are a major 'fire hazard'.
Maybe it's time to require that anything bigger than a phone use lithium-iron-phosphate battery technology, which doesn't have a thermal runaway problem. Most pro power tools already do; it's expected that they will be used hard and abused. So do "Boosted" brand electric skateboards, and many (all?) second generation UL approved "hoverboards". If it's going to be banged around, that seems to be the way to go.
There's a 14% energy density penalty with lithium-iron-phosphate batteries vs regular lithium-ion. They're also more expensive. But the "does not blow up or catch fire" feature is worth it. Here's a video of someone driving a 3" nail through a LiFePO4 battery. Five minutes of heavy white smoke and some runny black stuff, but no flames or explosion. Compare the standard nail test (done by remote control) of a Li-ion battery.
https://www.cnet.com/news/why-is-samsung-galaxy-note-7-explo...
https://www.youtube.com/watch?v=EMARDvMz62A
https://www.youtube.com/watch?v=f30fBFitkSM
I was confused and didn't understand why, but I wonder if maybe battery swelling is why.
Having said that, of course, safety mechanisms should have shut down everything before the temperature goes into the proximity of the danger zone.
It swells, the circuit goes dead, and that's the signal for the charger to stop charging.
What I'm curious about is, are companies like Tesla able to put some sort of safety precautions into their cars and their PowerWall to prevent this from happening and to alert the user that something in their battery is horribly wrong? An electric car battery is way bigger than a Mac's battery, but at least the car owner has the chance to get out of the car and get away from it. But a Powerwall? If it's going to blow up is it going to burn your house down in the process?
> The house had filled up with smoke everywhere, the acidic stench of melted plastic made my eyes water.
> After I had opened up all the windows in the house and cleared out the smoke, ...
Wrong answer. The correct answer was "leave the building and call the fire department". You really, really do not want to breathe the smoke from a battery fire.
It is a remanufactured one from Apple, though. So I know the battery was replaced. But still...
One other thing: if you smoke, residue can also reduce the effectiveness of cooling systems and affect system performance.
EDIT: Not suggesting this was the OP's fault, just suggesting there are logical ways to reduce this risk.
People really need to be educated on battery chemistry when they buy battery operated products. Here's a programmer, so I assume he has some technical abilities/interests, and yet even he doesn't seem to know that some batteries can do this.
I honestly don't know, and that worries me.
Next-gen's MBP will be .5 inches slimmer.
> Didn't look like it:
I agree. This is the first time I've seen a hard drive transform into (what looks like) an SSD under any condition.