Hacker News with inline top comments, 19 Jul 2012
Living with HTTPS imperialviolet.org
94 points by daniel02216  2 hours ago   33 comments top 9
tptacek 1 hour ago 2 replies      
This is pretty great. I guess he gave this talk at HOPE, but it's laser scoped to startups, down to the order in which he gives the advice:

* Enable HSTS

* Don't link to HTTP:// javascript resources from HTTPS pages

* Set the secure flag on cookies

Very few of the sites we test enable HSTS. But it's easy to do; it's just an extra header you set.

The only quibble I might have is the fatalism he has about mixed-security Javascript links. I'd go further than he does: when you source Javascript from a third party, you have leased your users security out to that third party. Don't like the way that sounds? Doesn't matter: it's a fact. Companies should radically scale back the number of third parties that they allow to "bug" their pages.
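
The three items in the comment above, as an added example (not code from the talk or from imperialviolet.org): the header values a server would emit for HSTS and a Secure cookie, and a check for script tags that an HTTPS page would load over plain HTTP. The hostnames and the sample page are constructed for the example.

```python
import re
from http.cookies import SimpleCookie

# Added example: HSTS header, Secure cookie flag, and a mixed-content check.
# Hostnames and the sample page below are made up for illustration.

ONE_YEAR = 31536000


def hsts_header(max_age_seconds=ONE_YEAR, include_subdomains=True):
    """Strict-Transport-Security header tuple.

    Send it only on HTTPS responses: browsers ignore the header when it
    arrives over plain HTTP, which is the whole point of it.
    """
    value = "max-age=%d" % max_age_seconds
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)


def session_cookie_header(name, value, secure=True, http_only=True):
    """Set-Cookie header tuple with Secure (never sent over http://) and
    HttpOnly (not readable from page script)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if secure:
        jar[name]["secure"] = True
    if http_only:
        jar[name]["httponly"] = True
    return ("Set-Cookie", jar[name].OutputString())


# Matches the src attribute of <script> tags in a page body.
_SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def insecure_script_sources(html):
    """Script URLs an HTTPS page would fetch over plain HTTP.

    An attacker on the network can replace such a script, and it then runs
    with the page's full origin. Scheme-relative (//host/...) and relative
    (/path) sources inherit https and are not flagged.
    """
    return [src for src in _SCRIPT_SRC.findall(html)
            if src.lower().startswith("http://")]


def audit_https_response(headers, html):
    """Findings for one HTTPS response against the three checks above.

    `headers` is a list of (name, value) tuples, as a WSGI app would return.
    """
    names = {name.lower() for name, _ in headers}
    findings = []
    if "strict-transport-security" not in names:
        findings.append("no HSTS header")
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie without Secure flag: " + value.split(";")[0])
    for src in insecure_script_sources(html):
        findings.append("http:// script on https page: " + src)
    return findings


# Constructed sample page (not from any real site).
SAMPLE_PAGE = """
<script src="https://cdn.example.test/app.js"></script>
<script src='http://analytics.example.test/track.js'></script>
<script src="//fonts.example.test/loader.js"></script>
<script src="/static/local.js"></script>
"""

GOOD_HEADERS = [hsts_header(), session_cookie_header("sid", "abc123")]
BAD_HEADERS = [("Set-Cookie", "sid=abc123; Path=/")]

if __name__ == "__main__":
    for finding in audit_https_response(BAD_HEADERS, SAMPLE_PAGE):
        print(finding)
```

Running the audit against BAD_HEADERS and SAMPLE_PAGE reports the missing HSTS header, the cookie without Secure, and the one http:// script; the scheme-relative and path-relative scripts are left alone.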

agwa 1 hour ago 1 reply      
> There's a second corollary to this: attackers can set your HTTPS cookies too.

If your app uses session ID cookies, then another implication of this is that attackers can set a user's session ID to a value they know, wait for the user to log in, and then use the session ID to hijack the logged-in session. To prevent this make sure you regenerate session IDs when logging a user in. (This isn't the only reason to regenerate session IDs on log in but it's a very compelling one.)
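
The session-fixation scenario in the comment above, played through as an added example (not code from any framework or from the article). It models only a server-side session store and the login step; the attacker obtains a valid anonymous session ID, plants it in the victim's cookie jar, and replays it after the victim logs in, with and without the regeneration fix.

```python
import secrets

# Added example of session fixation and the regenerate-on-login fix. No web
# framework is involved; only the session store and login step are modelled.


class SessionStore:
    """Server-side sessions keyed by the 'sid' cookie value.

    The browser's cookie jar is writable by an attacker (the article's point:
    HTTPS cookies can be set from an http:// page), so the sid a request
    carries may have been planted. Login must therefore never promote the
    presented sid to a logged-in session; it issues a fresh one instead.
    """

    def __init__(self):
        self._sessions = {}  # sid -> session data

    def _new_sid(self):
        return secrets.token_urlsafe(32)

    def touch(self, presented_sid):
        """Per-request: keep the presented sid if it is a live session, else create one."""
        if presented_sid in self._sessions:
            return presented_sid
        sid = self._new_sid()
        self._sessions[sid] = {}
        return sid

    def login(self, sid, username, regenerate=True):
        """Mark the session as belonging to `username`.

        regenerate=True (the fix): the old sid is invalidated and the browser
        gets a new one, so whoever planted the old sid holds a dead session.
        regenerate=False (the bug): the planted sid itself becomes logged in.
        """
        data = self._sessions[sid]
        data["user"] = username
        if not regenerate:
            return sid
        del self._sessions[sid]
        new_sid = self._new_sid()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def fixation_attack(regenerate_on_login):
    """Play the attack through; return (what the attacker sees, what the victim sees)."""
    store = SessionStore()
    # 1. Attacker gets a perfectly valid anonymous session from the server.
    planted = store.touch(None)
    # 2. Attacker plants that sid in the victim's browser (for instance from an
    #    http:// page on the same domain); the victim's next request presents it.
    victim_sid = store.touch(planted)
    # 3. Victim logs in.
    victim_sid = store.login(victim_sid, "alice", regenerate=regenerate_on_login)
    # 4. Attacker replays the planted sid.
    return store.user_for(planted), store.user_for(victim_sid)


if __name__ == "__main__":
    print("without regeneration:", fixation_attack(False))
    print("with regeneration:   ", fixation_attack(True))
```

Without regeneration the planted ID is now alice's logged-in session; with regeneration the attacker's ID maps to nothing while alice's browser holds a fresh one.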

DannoHung 25 minutes ago 2 replies      
Please for the love of god, if you're working at google and read this: Add a deeply set option to FORCIBLY enable that button in all situations where it might appear. We sometimes have certificate issues with our proxy server at my workplace and it makes Chrome practically unusable when they happen.

I know what I'm doing. I'll reset the option when the underlying issue is resolved, and overall it's a great feature for the browser, but I need to have the ability to be responsible for myself.

rdl 54 minutes ago 0 replies      
This was by a wide margin my favorite talk at HOPE this year.

(and a great advertisement for using Chrome in secure settings where you need a web browser)

The irony of Google being one of the main http-only JS resources for a long time was kind of amusing, though.

sp332 2 hours ago 0 replies      
Moxie published a tool called SSLstrip: http://www.thoughtcrime.org/software/sslstrip/ ; here's a simple video demonstration: https://www.youtube.com/watch?v=PmtkJKHFX5Q
jenseng 1 hour ago 2 replies      
The author seems to gloss over the importance of browser built-in HSTS lists. If you're just relying on a response header to tell the browser to use HTTPS, aren't you still vulnerable? Isn't that the same fundamental problem with redirecting to HTTPS via Location headers?

In other words, a MITM could downgrade any HTTPS traffic and simply remove that STS header. The browser would be none the wiser.
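
A toy model of the two comments above, added here as an example (it is not SSLstrip's code and not from the talk): an attacker on the plain-HTTP leg rewrites https:// links to http:// and drops the STS header, and a browser either has the host on a built-in HSTS list, has learned the header on an earlier clean HTTPS visit, or has neither. The hostname and page body are constructed.

```python
import re

# Added example, not from the talk or from SSLstrip: a toy SSLstrip-style
# attacker next to a browser with and without an HSTS entry for the host.
# Hostname and page content are made up.

HOST = "bank.example.test"

# What the real server sends over HTTPS: an STS header and an https:// login link.
ORIGIN_RESPONSE = {
    "headers": {"Strict-Transport-Security": "max-age=31536000"},
    "body": '<a href="https://%s/login">Log in</a>' % HOST,
}


def strip_tls(response):
    """The attacker's rewrite of a response it relays over plain HTTP:
    https:// links become http:// so the user keeps talking to the attacker,
    and the STS header is dropped so the browser never learns to upgrade."""
    headers = {k: v for k, v in response["headers"].items()
               if k.lower() != "strict-transport-security"}
    body = re.sub(r"https://", "http://", response["body"])
    return {"headers": headers, "body": body}


def hostile_network(url):
    """Attacker sits on the HTTP leg. HTTPS requests reach the origin untouched
    because the attacker holds no valid certificate for the host."""
    if url.startswith("https://"):
        return ORIGIN_RESPONSE
    return strip_tls(ORIGIN_RESPONSE)


class Browser:
    def __init__(self, preload=()):
        # Built-in HSTS list: known before any response has been seen.
        self.hsts_hosts = set(preload)

    def fetch(self, url, network):
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        if scheme == "http" and host in self.hsts_hosts:
            url = "https://" + rest  # internal upgrade; no plaintext request is made
        response = network(url)
        if url.startswith("https://") and "Strict-Transport-Security" in response["headers"]:
            self.hsts_hosts.add(host)  # header is only trusted when received over HTTPS
        return url, response


def scenario(preloaded, prior_clean_visit):
    """Return (request went over HTTPS, page contained stripped http:// links)."""
    browser = Browser(preload=[HOST] if preloaded else ())
    if prior_clean_visit:
        # An earlier HTTPS session (the HTTPS path is untouched by the attacker
        # in this model): the browser learns the header.
        browser.fetch("https://%s/" % HOST, hostile_network)
    # User types the bare hostname; the browser tries http:// first.
    url, response = browser.fetch("http://%s/" % HOST, hostile_network)
    return url.startswith("https://"), "http://" in response["body"]


if __name__ == "__main__":
    print("no HSTS at all:        ", scenario(False, False))
    print("built-in HSTS list:    ", scenario(True, False))
    print("learned on prior visit:", scenario(False, True))
```

The first-visit case with no preload entry is the one jenseng describes: the browser never sees the header, so the response header alone protects only returning users, and the built-in list is what closes the gap for first contact.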

clarkevans 38 minutes ago 2 replies      
I'm wondering if there could be an equivalent DNS entry that might help signal a site should only be accessed via SSL? Then you could possibly protect against initial access as well as returning users.
yorhel 57 minutes ago 3 replies      
Somewhat related question: It's fairly common for sites to have static files (images/css) served on a different (sub)domain. What are you supposed to do when the html content is being served on HTTPS? Should the static files be on HTTPS as well? If so, wouldn't it need a different certificate? Certificates are only valid for a single domain, after all.
isaacaggrey 1 hour ago 1 reply      
For users, HTTPS Everywhere is a must: https://www.eff.org/https-everywhere

Also, by using DuckDuckGo [1] over HTTPS you get the same ruleset in HTTPS Everywhere [2] even if you don't have the extension installed.

[1] https://duckduckgo.com/

[2] http://www.gabrielweinberg.com/blog/2010/09/duckduckgo-imple...

15-Year-Old Maker Astronomically Improves Pancreatic Cancer Test makezine.com
192 points by swombat  5 hours ago   50 comments top 12
randomdrake 4 hours ago 5 replies      
"I actually love single-walled carbon nanotubes; they're like the superheroes of material science." I feel the same way. This kid is genuinely excited and interested, which is extraordinary. I love seeing youngsters getting excited about science.

Unfortunately, this blog post and the one it claims as a source [1] are rather fluffy on details. Justin organized this information and presentation for the Intel Science and Engineering Fair (ISEF) [2]. More details about the process he discovered can be found on the ISEF 2012 profile page [3] and for those who don't want to follow the trail, I've reproduced it here:

"Pancreatic cancer is a devastating disease with a five-year survival rate of 5.5%. One reason for this is the lack of a rapid, sensitive, inexpensive screening method. A novel paper sensor is described that simply, rapidly and inexpensively screens for pancreatic cancer. Mia Paca cells overexpressing mesothelin, a biomarker for pancreatic cancer, were cultured; mesothelin was isolated, concentrated and quantified with ELISA. After optimization with the Western Blot assay, the antibody to human mesothelin was dispersed with single walled carbon nanotubes. This dispersion was used to dip-coat strips of filter paper, rendering the paper conductive. Optimal layering was determined using a scanning electron microscope. Cell media spiked with varying amounts of mesothelin was applied to the paper biosensor. Change in electrical potential was measured before and after application and a dose-response curve was constructed with an R² value of 99.92%. In vivo tests on human blood serum obtained from healthy people and patients with chronic pancreatitis, PanIn, pancreatic cancer revealed the same trends. The sensor's limit of detection was found to be 0.156 ng/mL, satisfying the limit of 10 ng/mL, the level considered an overexpression of mesothelin consistent with pancreatic cancer. The sensor costs $3.00; 10 tests can be performed per strip. A test takes 5 minutes and is 168 times faster, 26,667 times less expensive, and 400 times more sensitive than ELISA, 25% to 50% more accurate than the CA10-9 test and is a sensitive, accurate, inexpensive, and rapid screening tool to detect mesothelin, a biomarker for pancreatic cancer."

[1] - http://www.fastcoexist.com/1680194/meet-the-15-year-old-who-...

[2] - http://www.societyforscience.org/isef/

[3] - http://apps.societyforscience.org/intelisef2012/project.cfm?...

mistercow 3 hours ago 2 replies      
>he's just pioneered a new, improved test for diagnosing pancreatic cancer that is 90% accurate

Without more context, that claim is meaningless. Surely it cannot mean "this test gets the right answer 90% of the time when used on the general population". Nearly 99.99% of people do not have pancreatic cancer, so if I make a program that prints out the sentence "You don't have pancreatic cancer.", then my "test" would have a 99.99% accuracy rate against the general population.

lifeisstillgood 4 hours ago 2 replies      
I am reminded of the Steve Jobs quote, A class people hire other A class people.

199 rejections, and the Professor that decided to let a 15 year old try a wild idea is at ... Johns Hopkins.

America may be doing a lot of things foolishly, but mentoring great talent for the future seems taken care of

politician 3 hours ago 1 reply      
The real question now is whether this work will be patented and made 26,000 times more expensive or buried.
larrydag 2 hours ago 1 reply      
From the article... "Yes, he even got in trouble in his science class for reading articles on carbon nanotubes instead of doing his classwork."

This just irks me about our (U.S.) education system. I understand doing classwork is important. Yet here you have a young student taking interest in science and engineering and gets in trouble for it? That doesn't make sense to me at all. The work he's doing should be more than enough credit for his classwork. Take him aside from the class and foster this work and passion. He'll learn more science from this one project than doing 10x the amount of classwork in any syllabus. I see no reason why his science grade could be reflected on this work.

benthumb 1 hour ago 0 replies      
Great story. You have to admire this young man's drive, determination, and obvious intellectual precocity. He'll surely go far (he already has).

I also think it's inspirational b/c it points up the importance of synthetic scientific research done by folks who are so to speak 'out of the fold'. We need institutional science, clearly, but we also need people who can take a step back and look at the big picture and see how things fit together.

spyder 3 hours ago 1 reply      
Video about him when receiving the award: https://www.youtube.com/watch?v=pmVzs3-GNBc
marknutter 3 hours ago 1 reply      
I get tired of "X-Year-Old Does Such and Such" posts. If the accomplishment is newsworthy enough on its own, why can't it stand on its own merit?
nzeribe 4 hours ago 0 replies      
Because "we" are mediocre, our children follow after us, staring out of classroom windows while teachers prattle on about only-God-knows-what.
When we are inspired and challenge our kids to do more, they come up with s* like this. Age is no barrier! Bravo.
majorapps 3 hours ago 2 replies      
I'd love to hear the reaction of those universities who initially rejected this and their reasons.
molossus 4 hours ago 2 replies      
I've actually read about this before, but still never found any technical details about how the test works. My inner conspiracy theorist worries that a pharmaceutical corporation has bought this idea up.
lhartwich 3 hours ago 0 replies      
Straight up awesome!
Microsoft Open Sources their Entity Framework ORM hanselman.com
57 points by jmcqk6  2 hours ago   17 comments top 6
cek 2 hours ago 0 replies      
This makes me even more bullish on Xamarin/Mono. As Miguel de Icaza of Xamarin tweeted this morning after this was announced: "Wow @scottgu announces that Microsoft open sourced the Entity Framework, Mono's Achilles heel"

I believe if you are building mobile clients and need to target more than one platform you should do your UI with the native APIs on each platform, but should use something like Mono to achieve as much code-reuse as possible for the lower layers of your app.

modarts 2 hours ago 1 reply      
Despite my usual complaints about Microsoft, I really appreciate the direction they've been heading with their adoption of open source for a growing number of their products.

ScottGu, Hanselman et al. really deserve a lot of credit for the big cultural changes they've caused to allow a lot of this.

outside1234 1 hour ago 1 reply      
It's hard for me to say this in some ways, but of the bigcos, I'm most bullish on Microsoft. I might actually go stand in line (if there are any) for the Surface tablet and maybe even a Windows Phone 8 device.

They are (finally) making the right moves and doing it in a consistent and open way. Any Microsoft insiders know who is driving all this change? ScottGu? Steven Sinofsky?

tarr11 57 minutes ago 1 reply      
Interesting that they put this in a Git repo (instead of TFS), but only to then push it to CodePlex (instead of Github)
flyinRyan 2 hours ago 3 replies      
Is Entity used a lot? We looked at using it but it seemed to be inferior to NHibernate (don't remember details, think there was a problem with type error detection and other stuff).
klausjensen 2 hours ago 0 replies      
This is so awesome.

Partly as a developer who enjoys open source software, but also in part because decisions like this make life much easier when you suggest using open source in some large corporations, where they have a very conservative approach to open source.

Backbone.js: Hacker's Guide dailyjs.com
53 points by jashkenas  3 hours ago   12 comments top
tambourine_man 2 hours ago 7 replies      
Could anyone show me what kind of problems Backbone.js solves?

Not a description like “it will replace a lot of your jQuery spaghetti boilerplate”, but some actual code:

  //this is what I had to write in jQuery

//this is how I'd do it in Backbone.js

Act Bigger than You Are hbr.org
10 points by wallflower  31 minutes ago   discuss
Unbreakable crypto: Store a 30-character password in your subconscious memory extremetech.com
120 points by mrsebastian  4 hours ago   60 comments top 22
dkokelley 1 minute ago 0 replies      
Some clarification/speculation: This is a method of authentication, not encryption. The trained sequence is not used to unlock/decrypt your data. In the multi-factor authentication scheme, this is probably best thought of as "something you are", and might be used along with something you have (RSA token, physical key, RFID badge) and something you know (encryption password, secret handshake). The threat model in the paper talks about protecting physical access and ensuring the person is watched by a guard.

"Threat model. The proposed system is designed to be used as a local password mechanism requiring physical presence. That is, we consider authentication at the entrance to a secure location where a guard can ensure that a real person is taking the test without the aid of any electronics"

Many of the comments I see here tend to assume that this is directly applicable to protecting a remote system such as logging in to a website. Perhaps with adaptation this could be a useful technique for authenticating into a website, but as far as I know no authentication scheme can protect against an intruder with a gun to your head forcing you to log in. Instead, the use case here is to prevent someone who has stolen your ID badge and forced you to give up your PIN from being able to get access to the top-secret bunker.

DanBC 3 hours ago 5 replies      
> It also gives you deniability: If a judge or policeman orders you to hand over your password, you can plausibly say that you don't actually know it

The UK law requires that you make the encrypted data intelligible. Since you have encrypted data there's a pretty good chance you have the software to decrypt it. "They" don't want the password, they want the data.

Failing to make the data intelligible (whether that's failing to provide the passphrase or whatever) carries a 2 year prison sentence for some people, with possibilities for a 5 year sentence for others.

tl:dr - this does not prevent law enforcement from getting the password.

Also, using this to guard against rubber hosing is stupid. People prepared to use torture will do so, whether there are laws preventing it or if it's going to provide any useful evidence or not.


Extremetech articles are really lousy. The self-posting by the author of a poorly written article is a problem; the heavy ad load is another problem, but I find it hard to believe that there isn't a vote ring up-voting these lousy articles.

A quick glance shows that about 90% of Mrs Ebastian's subs are to articles that they've written, for their employer.

brittohalloran 4 hours ago 2 replies      
Quite the login method:

1) Tell me who you are, so I can load up your secret 30 character "password" from some database (the fact that this needs to be stored in a retrievable way makes this entire system insecure)

2) Here's one random sequence of 30 characters. Look at it for a little bit, ok now try to reproduce it from memory.

3) Repeat several times (not stated how many).

4) One of those attempts was your specific password, let me check to see if you did significantly better at it than the other (random) ones.


EDIT: Upon re-read, it sounds like 2-4 are a bit different:

2) Play a long sequence of characters "Guitar-Hero" style. The computer will "slip-in" the true password and watch to see if you do better on that section.

Still storing the password in the clear and still susceptible to being watched several times and finding the "common" sequence.
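
The attack the comment above ends on, as an added example (a constructed model of the login round as the commenter describes it, not the paper's actual protocol or code): each login shows the trained 30-letter sequence among fresh random decoys, so a bystander who records a few logins can intersect what was shown and recover the trained sequence. The sequence alphabet and the no-adjacent-repeat rule are taken from the article's description; the number of decoys per round is an assumption. Note that `login_challenge` has to be handed the trained sequence, which is the "stored in the clear" point: the verifier must hold it.

```python
import random

# Added example: observer attack on the interleaved-sequence login described
# in the comment. Constructed model; the decoy count (4) is an assumption.

ALPHABET = "SDFJKL"
LENGTH = 30


def random_sequence(rng):
    """30 letters from S, D, F, J, K, L with no two adjacent letters equal."""
    seq = [rng.choice(ALPHABET)]
    while len(seq) < LENGTH:
        c = rng.choice(ALPHABET)
        if c != seq[-1]:
            seq.append(c)
    return "".join(seq)


def login_challenge(trained, rng, decoys=4):
    """One authentication round: the trained sequence hidden among random
    decoy sequences, in random order. The verifier needs `trained` in
    the clear to build this, and to score the user's performance on it."""
    items = [trained] + [random_sequence(rng) for _ in range(decoys)]
    rng.shuffle(items)
    return items


def observer_attack(trained, sessions, rng):
    """A shoulder-surfer records every sequence shown across `sessions` logins.

    Decoys are fresh each round, so the only sequence common to all rounds is
    the trained one; intersecting the recorded sets recovers it.
    """
    seen = [set(login_challenge(trained, rng)) for _ in range(sessions)]
    return set.intersection(*seen)


def demo(seed=7, sessions=3):
    """Return (trained sequence, what the observer recovers after `sessions` logins)."""
    rng = random.Random(seed)
    trained = random_sequence(rng)
    return trained, observer_attack(trained, sessions, rng)


if __name__ == "__main__":
    trained, recovered = demo(sessions=1)
    print("after 1 login, candidates:", len(recovered))
    trained, recovered = demo(sessions=3)
    print("after 3 logins, recovered:", recovered == {trained})
```

After one recorded login the observer has five candidates and no way to pick; after three the intersection is the trained sequence alone, which the attacker can then rehearse in the trainer.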

peterwwillis 3 hours ago 6 replies      
This is basically the same method I use for laptop hard disk encryption. I don't remember the password, but I typed it so many times my fingers remember exactly the pattern to type. Kind of like playing a piano.

Several times i've been drinking and am unable to remember how to log into my machine, because I can't replicate the pattern and don't remember the password. After 15 minutes of concentration it comes back.

eswangren 4 minutes ago 0 replies      
Unbreakable? Bah, torture would work, and that's much faster than cracking a password.
colanderman 4 hours ago 1 reply      
Beside the title being misleading (it's a 30-symbol password, not 30-character, as "character" implies printable ASCII to most people), the math doesn't quite make sense:

Before running, the game creates a random sequence of 30 letters chosen from S, D, F, J, K, and L, with no repeating characters. This equates to around 38 bits of entropy

So that's 6 choices for the first character, and 5 choices for each of the next 29 gives us log2(6*5^29) =~ 70 bits of entropy. Does anyone know where this 38 bit figure came from?

corin_ 4 hours ago 1 reply      
> If a judge or policeman orders you to hand over your password, you can plausibly say that you don't actually know it

Surely for this system to help in allowing you to plausibly say that, you'd have to reference this system (or equivalent) and demonstrate that it is indeed used for the authentication the police want access to. And in that case, surely the police could just say "in that case, please authenticate for us"?

Dove 2 hours ago 1 reply      
They had me until this part . . .

> Authentication requires that you play a round of the game, but this time, your 30-letter sequence is interspersed with other random 30-letter sequences.

Which makes it sound to me like your password could be deduced from a single (failed) login attempt, and then reproduced after a session in the trainer.

its_so_on 1 hour ago 0 replies      
This is a sensationalist headline, and this is not a strong password length. Based on the information in the article, this is really equivalent to a "strong" 5-character password - not very secure.

It's not "30-character unbreakable cryptography", you can crack it in minutes on your phone or desktop.

Technical details:

The article actually says that each 'character' you learn is one of only 6 possibilities - for only 2.5 bits per character and total entropy of 38 bits.

To see how woefully little entropy this is, if you code, try writing a program that counts to 2^38 billion - or on a 32-bit system go through the 4.2bn possible values of an integer 64 times. That's how many possible keys there are in a 38-bit password. It really just takes minutes - it takes longer to learn than it does to crack!

powrtoch 4 hours ago 0 replies      
This is pretty awesome, but the following is noteworthy:

> creates a random sequence of 30 letters chosen from S, D, F, J, K, and L, with no repeating characters. This equates to around 38 bits of entropy

Which is not so bad for certain applications, but certainly isn't the 180+ bits you'd have in a true random 30 character password.

I wonder what applications they have in mind where this password system could be used.

jere 3 hours ago 0 replies      
>The most important aspect of this work is that it (seemingly) establishes a new cryptographic primitive that completely removes the danger of rubber-hose cryptanalysis, i.e. obtaining passkeys via torture or coercion.

Does not compute. If there is a mechanism by which you can authenticate, you can be coerced into authenticating through that method.

The paper covers this of course:

>Coercion detection. Since our aim is to prevent users from effectively transmitting the ability to authenticate to others, there remains an attack where an adversary coerces a user to authenticate while they are under adversary control. It is possible to reduce the effectiveness of this technique if the system could detect if the user is under duress.

I take issue with the article suggesting it's completely resistant to coercion. A system that detects duress... interesting I guess but seems like a stretch.

>This equates to around 38 bits of entropy, which is thousands/millions of times more secure than your average, memorable password.

Really? Playing around with KeePass briefly, it seems this is comparable to a 6 character password that includes upper, lower, numeric, and special characters. I wouldn't consider that very strong. Besides the fact that it appears you're not entering the password exactly, but only (if I'm understanding correctly) "good enough".

thematt 4 hours ago 1 reply      
Obligatory xkcd: http://xkcd.com/538/

Only this time you'll have to log-in/decrypt on the spot rather than cough up your password.

woobles 1 hour ago 0 replies      
While this does sound interesting from a psychological/neurological perspective, I feel bad for anyone who actually tries to implement a password system based on this. 38 bits of entropy is nothing, a standard password with 38 bits of entropy would take about 5 minutes to crack (assuming a GPU that can compute 1 billion hashes/second). Never mind that by the NIST specification for human-generated passwords, a 30 character string of alphas would be 45 bits of entropy.
Also, as some others have pointed out, storing people's unique strings in the clear invalidates any strength this scheme could hope to achieve.

Source: http://en.wikipedia.org/wiki/Password_strength#Human-generat...

Conclusion: Interesting psychological experiment, not actually backed by any appreciable crypto knowledge.

Edit: disregard my NIST comment, someone linked the paper used to get the 38 bit figure, http://bojinov.org/professional/usenixsec2012-rubberhose.pdf.
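
The entropy arithmetic from colanderman's, its_so_on's and woobles' comments above, worked through as an added example (not code from the article or the paper). It computes the key-space size under the models the comments state: 6 symbols with no adjacent repeats, 6 symbols with repeats allowed, and a 30-character printable-ASCII password, plus the worst-case enumeration time at a given guess rate. The article's 38-bit figure comes from the paper's own sequence construction, which none of the comments reproduce, so it is taken here as a given number rather than derived.

```python
import math

# Added example: entropy of the sequence space under the models stated in the
# comments, and brute-force time at an assumed guess rate. The 38-bit figure
# is the article's number, used as input; it is not derived here.


def sequence_entropy_bits(alphabet_size=6, length=30, no_adjacent_repeat=True):
    """log2 of the number of possible sequences.

    With the no-adjacent-repeat rule the first symbol has `alphabet_size`
    choices and each later symbol `alphabet_size - 1` (it must differ from
    its predecessor), which is colanderman's log2(6 * 5^29).
    """
    if no_adjacent_repeat:
        count = alphabet_size * (alphabet_size - 1) ** (length - 1)
    else:
        count = alphabet_size ** length
    return math.log2(count)


def bits_per_symbol(alphabet_size=6):
    """Entropy of one independent uniformly chosen symbol (its_so_on's 2.5 bits)."""
    return math.log2(alphabet_size)


def printable_ascii_bits(length=30, alphabet_size=95):
    """A truly random password of `length` printable ASCII characters."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(bits, guesses_per_second=1e9):
    """Worst-case time to enumerate every key at the given rate
    (1e9/s is the GPU figure woobles assumes)."""
    return 2.0 ** bits / guesses_per_second


def summary():
    """All the figures in one place, for comparison."""
    return {
        "6 symbols, no adjacent repeat": sequence_entropy_bits(),
        "6 symbols, repeats allowed": sequence_entropy_bits(no_adjacent_repeat=False),
        "30 printable ASCII": printable_ascii_bits(),
        "article's 38 bits, seconds at 1e9/s": brute_force_seconds(38),
        "no-repeat model, seconds at 1e9/s": brute_force_seconds(sequence_entropy_bits()),
    }


if __name__ == "__main__":
    for label, value in summary().items():
        print("%-40s %12.1f" % (label, value))
```

At 1e9 guesses per second, 38 bits enumerates in under five minutes, which matches woobles' estimate; the no-repeat model the comments describe would be about 70 bits, so the gap between that and the article's 38 is the question colanderman raises.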

ojosilva 2 hours ago 0 replies      
It may not be even close to unbreakable or torture-free as the author implies, but this encryption system (or similar approaches) could work to tighten some classic security flaws with passwords.

For instance, this could prevent employees of a large corporations from writing down or sharing a password with a coworker, or even spelling out their password over the phone to a bogus "support engineer" -- although probably fingerprint/eye/face recognition systems are more practical and easy to implement than a "guitar hero" learning session. But then the OP method has an advantage over those: you can change your implicit-learned password easier than your face or fingerprint...

exue 1 hour ago 0 replies      
On the topic of courts: There is a US court case in the 11th circuit where a federal judge, in fact, ruled that people are not required to give up their encryption passwords under the 5th amendment. It isn't a supreme court case however.

http://www.techrepublic.com/blog/tech-manager/personal-data-... "Last week in San Francisco, a federal court for the first time ruled that the Fifth Amendment of the U.S. Constitution, the right to not self-incriminate, protects against “forced decryption.” The judge, from the 11th Circuit in San Francisco, ruled that a Florida court violated a defendant's rights when its Grand Jury gave him the choice to either reveal his TrueCrypt password or go to jail."

anologwintermut 3 hours ago 0 replies      
This proves Authentication, not key storage that enables encryption/decryption. Per the paper, for authentication "a participant is presented with multiple SISL tasks where one of the tasks contains elements from the trained sequence." Hence the system must already know the secret password. If that system is your laptop, then the feds already have the key when they seize it and don't need to resort to rubber hose or its Russian variant thermal-rectal cryptography.

Also, the paper assumes physical presence of a live human at some terminal for authentication. At the point that you can make assumptions about who is operating your authentication system, biometrics seem to be a far faster and more reliable authentication system. Both those limitations, however, could change with further research.

dylanrw 1 hour ago 0 replies      
This explains why I could never remember my locker combo, but could unlock it if you handed me the blasted thing. Same goes for pin numbers. The second I think of what the real number is I lose it...
bunderbunder 3 hours ago 2 replies      
Nitpick: This is not unbreakable crypto. This is more of a more secure key storage mechanism. Perhaps also a good defense against phishing attacks.

And it's not unbreakable. For starters, this system absolutely requires that the passwords be stored in the clear.

geraldo 4 hours ago 1 reply      
This is interesting in regards of the brain, but not so much when it comes to waterboarding cryptanalysis... I mean, instead of asking for the password, they'd ask you to play the game: same difference, right? Or am I missing something?
ww520 1 hour ago 0 replies      
It's not going to fly because it's not compatible with the corporate policy of changing password every 60 days.
gvsyn 3 hours ago 1 reply      
Isn't there a slight problem whereby someone denies knowing the password, you just put them in front of the keyboard and just ask them to type something? Due to it being a subconscious memory, it 'just happens'.
countessa 3 hours ago 0 replies      
>> can't be obtained via coercion or torture
"Hi, yes that is a gun to your back, please log in to your system for me"....."atta boy"
Microsoft Expected To Post First Ever Quarterly Loss In Its History cbs19.tv
84 points by z92  4 hours ago   51 comments top 10
bunderbunder 3 hours ago  replies      
The news is somewhat less disastrous in that it's because Microsoft had to write down a purchase they made a while ago. So they didn't lose money this quarter so much as acknowledge that they had previously lost a lot of money and put that on their books this quarter.

What's really disastrous, though, is Steve Ballmer's recent comments about how they are determined to compete with Apple on every single front, regardless of whether they have any other reason to be in that portion of the market. This aQuantive debacle is a result of Microsoft trying to do exactly the same thing with Google. With that statement, Ballmer indicated in no uncertain terms that he has learned absolutely nothing from that mistake.

moron 1 hour ago 0 replies      
It's weird to me that aQuantive is apparently not viewed as a massive failure for MS, even though they paid billions in cash for it and it's now worthless. But not only that, it was supposed to make them more competitive in a big market and didn't do that at all. So from a lay perspective it seems like that should be a disaster for Ballmer and probably others at MS, but it's being met with an attitude of "yep, that happened, and it doesn't really mean anything".
randomdrake 3 hours ago 0 replies      
More information about this can be found in their press release [1] from a couple weeks ago. It appears that they are having to do a writedown [2] on their purchase of aQuantive [3]. The original purchase was to be more competitive in the online advertising marketplace when they lost out to Google in acquiring DoubleClick [4].

Unfortunately, there is little information about how this will actually affect their financials. The single-sentence blurb from the source doesn't shed much light on the situation.

[1] - http://www.microsoft.com/en-us/news/Press/2012/Jul12/07-02Co...

[2] - http://en.wikipedia.org/wiki/Write-off#Writedown

[3] - http://en.wikipedia.org/wiki/AQuantive

[4] - http://www.pcworld.com/article/131991/microsoft_to_buy_aquan...

stephengillie 4 hours ago 0 replies      
It's not an article, just a blurb:

(CBS/CNN) - Microsoft is in danger of reporting its first quarterly loss in the last 20 years.

The world's largest software company will absorb a $6.2 billion dollar charge stemming from an online advertising service it bought in 2007. Analysts estimate Microsoft earned about $5.3 billion dollars in the quarter that ended in June, so that charge would send the company into the red.

dkhenry 1 hour ago 0 replies      
This is more of an accounting trick than an actual problem. Normally a company would write down a bad asset over a series of quarters to help drive good will from investors. As MSFT is currently performing very strongly I think they chose this route (the quarterly loss) so that in subsequent quarters, when they launch their new products, and more specifically the Microsoft Surface, they have good comparison numbers.
jmduke 1 hour ago 0 replies      
The hubris in some of these comments is incredible. I'm no fan of Microsoft, but wanton armchair criticisms aren't constructive in the least.

Microsoft has a great number of flaws, and "hurf durf Ballmer is a dunce" doesn't really address any of them.

adventureful 3 hours ago 3 replies      
It'll actually end up being a tax benefit while costing them no actual red ink.
sabat 2 hours ago 0 replies      
Steve Ballmer is a used car salesman cast in the role of a CEO. These are the natural consequences.
cubicle 2 hours ago 1 reply      
> Analysts surveyed by FactSet Research estimate Microsoft will earn 62 cents a share on $18.2 billion in revenue, compared with a profit of 69 cents a share, on sales of $17.37 billion, in the same period a year ago.
>
> At Citigroup, analyst Walter Pritchard said that even with the huge writedown, he expects Microsoft to report results in line with expectations. Still, Pritchard said, in a research note, that there are “many moving pieces in the numbers” from Microsoft, and that the prospects for Windows 8 will be a big driver of how investors treat Microsoft over the next year.
>
> Microsoft shares rose 64 cents, or more than 2%, to $30.32 Wednesday, and the stock is up by almost 17% since the start of the year.

I can't comment myself, due to lack of information. We'll all see in four hours.

carsongross 2 hours ago 1 reply      
I am become Steve Ballmer, the destroyer of companies...

Don't let the bean counters or sales guys run the company. Always the product guy.

How One Business Guy Earned the Opportunity to Co-Found a Tech Startup jasonshen.com
15 points by jasonshen  1 hour ago   2 comments top
coryl 11 minutes ago 1 reply      
Can't we know the name of the startup?
Microsoft employee on stack ranking and its 'most universally hated exec' networkworld.com
39 points by boopsie  1 hour ago   34 comments top 6
pwny 51 minutes ago 4 replies      
I'm honestly wondering why we value management so much. It might be my lack of corporate experience but I have a lot of trouble seeing most management positions as important (in fact, my general feeling is that they're a hindrance more often than not).

Do companies really go down in flames if no one is there to try and measure, through various ineffective ways, the quality of other people's work (often in a field they don't even understand)?

Would a bunch of engineers really sit there doing nothing if they didn't have a manager to report to? Is said manager more apt at taking decisions than they are?

I'm curious and also pretty sure that if I ever started a company, I'd at least try to do it without any sort of formal management. At least to try.

aaronbrethorst 1 hour ago 2 replies      
Maybe something's changed in the four-and-a-half years since I left, but people were pretty ok with Lisa Brummel when I was at Microsoft. People gently made fun of the fact that she always wears shorts, but there was never anything mean-spirited in that.

She was seen as a huge step up from the guy she replaced, who was rumored to have been having an affair with an underling[1] at the same time that he recorded a video admonishing us to never have inappropriate relations with subordinates. He was also responsible for the infamous towel debacle, which came to define the worst aspects of penny-wise, pound-foolish cost-cutting at the company.

Edit: Thx to, uh, moron for pointing out the new Mini-MSFT post that includes this:

    Is she really the most universally hated executive?
    I don't know about that, but she certainly slipped away from being loved.
    Thousands of employees used to cheer for her. Now?


[1] In the (admittedly anonymous) comments: http://minimsft.blogspot.com/2006/06/locked-doors-martin-tay...

[2] http://www.scribd.com/doc/39324385/Towels-Talent

CurtHagenlocher 32 minutes ago 1 reply      
"Productivity at Microsoft has skidded to a brief halt thanks to the Vanity Fair article, which employees are reading on tablets and Nooks and Kindles because no one dares bring in the actual magazine."

Seriously? When was the last time you saw anyone with a physical Vanity Fair magazine? To the extent that this claim is true -- and I have to say that no one in my circle of friends at the company seems to care about this article -- it's because, surprise, tech people largely consume text through electronic devices.

joe_the_user 30 minutes ago 0 replies      
Well, the ole "X% of programmers are rock stars" position gets a lot of play here (along with the Steve Jobs quote etc).

I would say that unless a company of some size has the luxury of choosing absolutely who they want from the start, the "rock star" ideology is going to be as corrosive as it sounds like it is at MS.

sidcool 1 hour ago 1 reply      
I don't think Ballmer is hated. People think he is inefficient. And up to some extent, rightly so. But in no way does he deserve what's dished out at him in all those grudgingly written blogs by people who couldn't make anything out of themselves.
chamanbuga 1 hour ago 1 reply      
So... this article simply isn't true.
Botnet Responsible for 18% of World's Spam Knocked Offline mashable.com
31 points by sheckel  2 hours ago   12 comments top 5
ChuckMcM 1 hour ago 1 reply      
I read these numbers, and I look at my bandwidth costs at my data center, and I think, "wow, it sure is fortunate that so much excess backbone capacity ended up being built in the dot com era."
0x0 49 minutes ago 2 replies      
I never understood why the upstreams of "bulletproof hosts" don't simply disconnect / de-peer the entire AS until they clean up their act? Why won't their BGP neighbors take action?

If you can't get ScumBagISP-A to clean up their act, go to ScumBagISP-Upstream-B, and then the next hop ScumBagISP-Upstream-Nexthop-C, and the next, until you find a responsible carrier who can de-peer?

TamDenholm 1 hour ago 0 replies      
Didn't this happen not so long ago and it only took a few months for the levels to go back up again?
benmanns 36 minutes ago 1 reply      
Why don't botnet operators use peer-to-peer style command centers? According to the original article on the FireEye blog, the network was taken down with only "three days of effort."
Is Kickstarter selling dreams? reuters.com
34 points by zmj  3 hours ago   13 comments top 7
powrtoch 2 hours ago 0 replies      
> Has Kickstarter invented a new form of online commerce, where merchants who are close to you on the social graph, rather than in terms of physical geography, can thereby charge a premium for products which would never fly in the open market?

I think this is by far the most interesting sentence in the entire article. Traditionally we think of the web as a globalizing force, which will tend to strengthen big business: I might choose a mom-n-pop bookstore over Barnes and Noble if it's nearby and I'm buying in person. But online it will be at a severe disadvantage, and I'm not likely to find it at all unless I set out for it specifically. It's interesting to think that there may be an online equivalent of this physical proximity effect in the social graph. This possibility seems to open up lots of interesting avenues for discussion.

ChuckMcM 1 hour ago 2 replies      
TL;DR version: OpEd on Kickstarter, and more specifically on Ouya.

Answer to the headline, in spite of Betteridge's law, is 'yes they are.' More along the lines of why would you invest your money in a Kickstarter project? And the answer is that what you imagine it will be like greatly exceeds what it actually will be like.

I pointed this out in another conversation: making a good pitch is a lot simpler than making a good product (We were discussing the difference between hype and reality, our examples were the Raspberry Pi and the Ouya). And people buy into the pitch, sometimes overwhelmingly so, and when it comes up short they often blame the pitchman not themselves.

I experienced a bit of this first hand when putting together 'hobby' robotics projects with folks. There is no amount of disclaimer that can break the spell.

It reminded me of a t-shirt I saw which was an expression "Makers != Engineers" and I thought it a bit snarky at the time but realized there is a grain of truth there. Anyone can have an idea, but not all of them can execute on it.

freyr 1 hour ago 0 replies      
Lots of people have ideas. Lots of people even have good ideas. But few people have the necessary mix of talent, drive, and experience to turn ideas into reality.

I haven't spent much time on Kickstarter, but my impression is that a lot of people are being handed money for ideas before they discover how hard it is to turn those ideas into a tangible quality product.

mtgx 1 hour ago 0 replies      
People should be aware that even though they say they can give you a watch or whatever half a year from now for $99, that doesn't mean that they will or that it will be as good as you think it will be.

But yes, Kickstarter is selling dreams. It's helping start-ups take off simply by believing in their vision.

sharkweek 2 hours ago 3 replies      
Have there been any notable scams on Kickstarter yet? I'm curious what sort of impact a massive scandal through these crowd funding sites would have on future donations
fallous 1 hour ago 0 replies      
Is there an "inverted" kickstarter anywhere? Basically putting out a request for Widget and companies/individuals present offers to provide Widget. Close the loop with a kickstarter-type order/financing aggregation and you get purely demand-driven products.
msrpotus 2 hours ago 0 replies      
What did you think it was selling?
Tethr: Getting online in a crisis bbc.com
9 points by sciurus  1 hour ago   4 comments top 3
ondrae 16 minutes ago 0 replies      
Tethr is a really cool convergence of open source software and hardware that will save lives. I'm really impressed by disaster response technology. I hope Tethr works well and is widely deployed.

Light weight related, the Open Street Maps response to the Haiti earthquake was particularly impressive. Here is a slideshow about that. http://www.slideshare.net/sabman/haiti-quake-public-key

tobylane 22 minutes ago 1 reply      
I'm surprised to ever say the words, but copy of this BBC page for those of us in the UK?
matan_a 16 minutes ago 0 replies      
Seems like a good candidate for Kickstarter
Let Developers Register for Your API with Their Github Profile apievangelist.com
21 points by awwstn2  2 hours ago   3 comments top 2
jdludlow 51 minutes ago 1 reply      
Having never used github for authorization, I clicked on the sign-up button that Singly provided. Among the bullet points that github issues, this one seemed a bit more than mildly concerning.

  * Update your public and private repositories (Commits, Issues, etc).

There is a zero chance of me ever agreeing to that.

bigfrakkinghero 54 minutes ago 0 replies      
This looks fine if you're a single developer working on a (relatively) small project, but what happens when you grow to two developers? Or you hand off the project? At that point shouldn't the API registration be tied to the application and not the developer?

That said, it's probably more important to lower the initial barrier for entry to drive adoption.

Firefox 15 plugs the add-on leaks mozilla.org
142 points by AndrewDucker  10 hours ago   83 comments top 13
suprgeek 7 hours ago 2 replies      
I am very happy that the Firefox team has finally managed to lick this issue. When at every occasion I used to raise this issue, the typical Mozilla Evangelist would answer:
"It is because of the add-ons".

My counter to this was that the whole Raison d'être for Firefox is its add-ons community. You cannot claim that there are great benefits to this approach while simultaneously ignoring the problems caused by it.
Better late than never. It is critical to have a popular browser alternative to either IE or Chrome.

One is closed source and the other is produced by a company whose entire revenue model is built around showing you the most targeted ads possible in the maximum number of ways possible.

mindcrime 3 hours ago 0 replies      
This is awesome news. The single biggest reason that I initially moved to Chrome, from Firefox, was the memory consumption situation. But lately, Firefox has gotten a lot better, and I've basically switched back to FF now as my primary browser. Hopefully this will make the situation even better.

And that's good for everybody. Competition is a Good Thing and it would be a shame if Chrome became so dominant as to completely displace Firefox. A healthy ecosystem with a great Firefox and a great Chrome, along with IE, Opera, Safari, etc., should benefit everyone in the long run.

rexreed 6 hours ago 1 reply      
The about:memory feature is useful to get a glimpse into what extensions and tabs are chewing up the most memory, although I haven't had much luck in FF 14 using the GC/CC to correct that. I hope that FF 15 gives the user a bit more intuitive view and control over the memory consumption on tabs and addons/extensions.
conradfr 8 hours ago 2 replies      
As a webdev who uses Firebug (and Adblock) a lot, I'm so glad about this. FINALLY!

However they are three years too late about that, from a market share perspective.

alainbryden 5 hours ago 1 reply      
> Leaky add-ons usually cause zombie compartments by holding references to DOM structures within a web page even after the page has been closed or navigated away from. This prevents Firefox from garbage-collecting the page's compartment.

If an add-on relies on persistent references to closed pages by design (such as a form data history plugin), is there a way to adapt it to this new feature to not let Firefox sever its references under the assumption that it's a memory leak?

mun2mun 9 hours ago 0 replies      
I am really happy that Firefox 15 stops most of the leaks caused by firebug. Competition is good.
zader 8 hours ago 2 replies      
For anyone who wants to download the Nightly build for Firefox 15:

Windows version

Mac version

pmarsh 5 hours ago 3 replies      
One of the issues I've seen people complain about is having to close Firefox after a few days. I understand you shouldn't HAVE to close a program, but how are people using their browsers that this becomes such a huge problem?
jfb 2 hours ago 2 replies      
That's a cool blog post, and kudos to the Mozilla people, but I have to wonder about the mindset of the user who's stuck with Firefox even as his setup was unusable to the point of needing to install a restart button add-on. I mean, I know from being habituated to a given routine, but that seems particularly self-defeating behaviour, especially considering that decent alternatives to Firefox exist?
adambenayoun 3 hours ago 0 replies      

I've been using firebug for quite a long time and I can't even remember at what version things went off the rail. But ever since Firefox would consume 70% of my CPU and 2GB RAM which is complete nonsense.

Because of these memory leaks, I migrated to Chrome for browsing the web and constantly having an open tab for Gmail (because that was the only browser that wouldn't go bananas on RAM), but still use FF for doing front-end development.

Sgoettschkes 10 hours ago 1 reply      
Wuhu, finally! Let's see if FF does not take 1GB after a few days.
twodayslate 8 hours ago  replies      
I used to be an avid Firefox user. I switched to Chrome because it was faster and had all the same extensions I used on Firefox. Why should I switch back? Chrome is still faster no?
kevinSuttle 3 hours ago 0 replies      
I think the fault is not just the add-on devs. If anything, the add-on SDK should prevent this by default. I'm not sure when Firefox got so memory-hungry and leaky, but it's the single reason I keep jumping around to Chromium and Opera. Really, really hoping that this time is for real. It's not the first time a blog post like this has been posted by Mozilla.
Entity Framework and Open Source asp.net
18 points by aespinoza  2 hours ago   discuss
New High I/O EC2 Instance Type - hi1.4xlarge - 2 TB of SSD-Backed Storage aws.typepad.com
170 points by jeffbarr  12 hours ago   84 comments top 14
bravura 12 hours ago  replies      
What are good use-cases for on-demand high I/O servers?

At $3.10/hr, these instances work out to $2k/mo.
There are probably many more cost-effective options if you want a 2TB SSD server.

Since the benefit of using EC2 is that you can provision instances elastically, what are the sorts of scenarios in which one needs to provision high I/O servers elastically?

[edit: A few minutes of Googling, and I can't find any dedicated servers with 2 TB of SSD.]

Fizzer 11 hours ago 3 replies      
This is a game changer for big sites on EC2. The key word here is local: 2 TB of local SSD-backed storage.

In this video [1], Foursquare says the biggest problem they're facing with EC2 is consistency in I/O performance. They say that the instance storage simply isn't fast enough for them, and while EBS is fast enough when RAIDed, it isn't consistent since it isn't local (EBS traffic goes over the network). Reddit has also complained about EBS, but they've been able to move onto the instance storage.

If you're willing to reserve the instance for 3 years, the average monthly cost becomes only $656. That's quite a good deal.

Foursquare says in that video they're planning to migrate off of EC2, in part due to I/O performance. I'll be interested to hear whether or not this instance type changes their minds.

[1] http://www.10gen.com/presentations/MongoNYC-2012/MongoDB-at-...

josephcp 4 hours ago 2 replies      
Reminder since it's a pair of SSDs and most people will probably look into using this for their DB store: If you use current generation controllers/software & SSDs, you're going to have a bad time if you turn on RAID and don't know exactly what you're doing.

TRIM ( https://en.wikipedia.org/wiki/TRIM ) isn't supported with RAID on SSD today on hardware controllers and most distributions of linux don't support TRIM on RAID out of the box if you're doing software RAID, so you're going to see performance plummet like a rock after you do one pass of writes on the disk. In many RAID configurations, you're going to zero-write the entire disk when formatting it, so performance is going to suck from the get-go. For this reason, even if you have a tiny database and don't expect to write 1TB worth of data, your performance might still suck. Personally, I haven't tried linux software md TRIM in production, the patch is pretty recent, so you're on your own here (if possible, scaling out horizontally may be a solution to consider for redundancy; I have no idea what Amazon is using for SSDs, but recent Sandforce generations fail all the time, so plan for that).

If you don't know to look for this issue, you're going to be scratching your head when your RAID10 SSD configuration write throughput is worse than a single 7200rpm drive. On the other hand, IOPS on SSDs are AMAZING for databases/datastores. Amazon may have solved this for you already behind their virtualization instance, and they might be running their own software striping behind whatever raid you're doing, so be sure to test it out fully first.

mrb 7 hours ago 1 reply      
Can anyone report on the model of SSD they use (via ATA IDENTIFY)?

My guess based on perf characteristics is each instance has 2 x 960GB OCZ Talos 2 C Series SSDs: http://www.oczenterprise.com/ssd-products/talos-2-c-sas-2.5-...

jbarham 11 hours ago 0 replies      
FWIW it costs $27,156 a year on-demand or $12,720 as a reserved heavy utilization instance.

For heavy analytics workloads I'd bet that Google BigQuery (https://developers.google.com/bigquery/) would be cheaper and faster and more reliable.

ehsanu1 12 hours ago 2 replies      
This has been a long time coming, but AWS has consistently been improving their service (as long as you can ignore the particularly bad reliability as of late).

It's telling that they have only enabled this for a huge (quadruple extra large) instance type. It's probably hard to make this work for someone who just wants a 10GB disk with great IO. The problem at the low end is that disks are larger and would thus have to be divided up to make proper use of them, leading to IO contention.

The high IO options will probably only ever be available for pretty large instances.

rit 5 hours ago 2 replies      
It seems we all may be missing the "backed" part - which I did on my first read through. They don't seem to be revealing how much of the logical volume is actual SSD, which I think is why they're instead putting down IOPS numbers.

Still, a huge and significant improvement over anything previously available. I'm looking forward to playing with it.

oomkiller 12 hours ago 2 replies      
Hopefully we will start to see some other providers offer SSD-backed storage since Amazon does it now. It would be nice if they offered it on some smaller instances too though.
jaredstenquist 3 hours ago 0 replies      
Since I'm spending more than $1,000/month for an RDS master, which is backed by EBS, I'm intrigued at the idea of running our database off of these. Of course I'd lose all the awesome automated features of RDS, but worth considering.

Maybe AWS will release a High Performance RDS option that runs off of them. Wishful thinking.

Loic 10 hours ago 1 reply      
Another approach is something like OVH SSD servers (24GB ECC memory, 2x300GB SSD, £210/month)

If you are using MongoDB, you take 3 or 4 of them and shard and you backup with "conventional" storage for the replica set. You end up with a 6 node cluster for less than the price of this Amazon instance.

Lesson: You need to have a business which can benefit from a lot of start/stop of your instances for them to make sense from a pure financial point of view.

btb 10 hours ago 1 reply      
Would these be suitable to run a single big SQL Server on? I mean specwise they seem perfect for our size/use. They say data will survive a reboot, but what are the chances I would some day have to wake up in the middle of the night and have to restore the database to a new server? Would some of the recent amazon downtimes be one of those cases where that could happen?
damian2000 11 hours ago 0 replies      
The pricing in the blog post is a bit unclear - the prices on http://aws.amazon.com/ec2/pricing/ are ...
US East: $3.10 for Linux and $3.58 for Windows.
EU West: $3.41 for Linux and $3.58 for Windows.

(Reserved instance prices are cheaper)

amnigos 11 hours ago 0 replies      
This would be very useful for elastic EMR workloads, will be good for killing I/O bottlenecks.
beedogs 12 hours ago 1 reply      
Amazon will find some way to make this slower than shit and less reliable than a campaign promise.
Ways startups get screwed rayhano.com
54 points by rayhano  4 hours ago   51 comments top 16
mattmaroon 3 hours ago 3 replies      
His advice about lawyers is bad. Very bad. Not incorporating properly can sink you quickly, especially if co-founder disputes come up. I've seen perfectly good startups get sunk that wouldn't have had they just gotten the founder contracts right in the beginning (especially with respect to vesting).

They cost so little in the grand scheme of things and take so little time. I don't know what he means about them becoming advisers. Mine have never advised me in any unnecessary capacity, and I suspect he just has experience (first or second hand) with some Saul Goodman type.

Get an experienced startup lawyer to help you incorporate at a bare minimum. Many will even defer something like your first $15k of fees (more than enough to get started) in the hopes of earning more business later when you turn into the next YouTube.

bluedevil2k 2 hours ago 3 replies      
#1 should always be medical insurance coverage. Large corporations get group plans at big discounts, and then offer it to their employees for free or hugely discounted rates that aren't taxed at all. Big corporations give health care coverage away for free as a perk.

Good luck getting the same plan at a start-up. Buying an individual plan is grossly expensive, especially if you're married with kids. Even if you're lucky enough to be at a startup with a group plan, you probably won't get it for free. And your company surely won't get the big discounts Dell, IBM, and HP get.

benatkin 13 minutes ago 0 replies      
Y Combinator is different from other accelerators in that it isn't an incubator. This is part of what sets it apart IMO.

I think that TechStars is an exception to the rule about accelerators and incubators being little more than a distraction, but you're entitled to your opinion. The benefits of Y Combinator are much clearer.

kcodey 3 hours ago 2 replies      
I totally agree with the "negative people" part. I once gave the groupon elevator pitch to a relative who knows nothing about what's going on in terms of start ups or anything internet. His response was it was the stupidest idea ever and he thought I should focus my efforts on something more worthwhile. I then told him they started 4 years ago and it's a billion dollar company. His reaction was priceless.

I mention this story because everyone will always be negative if they have never heard of what you are doing. That's just human nature. As entrepreneurs we have to keep plugging forward amidst the criticism and build our dreams.

swombat 2 hours ago 1 reply      
> 8. Agencies - This ranges from people who want to build your product to those who want to file your R&D tax credits. You can spend a lot of time talking to agencies, as there are a LOT of them around. Some are genuinely useful partners. You'll often have speakers at Hacker News London espousing the benefits of using an agency that worked wonders and had aligned incentives. And that is the key, make sure your incentives and those of people you work with are aligned. Bonus structures do not work. If people fail, there's got to be pain. There will be for you, after all, if your startup fails.

Well, I hope GrantTree falls into the "genuinely useful partners" category! I'm not a fan of development agencies for startups, but for tax and grants getting a specialist firm involved makes sense, imho.

Not sure about the title, btw... are those really ways startups get screwed, or just aspects of running a startup?

mammalfriend 1 hour ago 0 replies      
This seems like bad advice from someone who is not especially experienced at building startups. As he suggests, there are kernels of knowledge but the recommendations are unbalanced and in many cases suggest he made newbie mistakes (e.g. - I didn't know how to manage my lawyer, so you should not hire one at all!).

There seems to be an abundance of advice out there regarding startups from people who have very limited experience, and it's a bit worrying to see it get voted up on hackernews so easily.

TomGullen 2 hours ago 0 replies      
Over a sample size of about 10 million page views, our top 4 referring domains of all time are all exclusively social media, and account for a total of around 30% of our visits. Twitter is the most engaging, on average Twitter referrals view 4.5 pages per visit.

I think it's easy to dismiss social media, it's gotten quite clichéd, it's sometimes dull, it's sometimes frustrating, but if you understand the differences between each channel and utilise them properly they can have great benefits.

msrpotus 2 hours ago 2 replies      
He's right about some of those but others are just ridiculous. Sure, being home with your family or socializing with other people at an event might not contribute much to your startup, but you need to relax sometimes. It's dangerous to confuse that with work but if you don't want to burn out, it's also dangerous to work all the time without any break.
ojbyrne 3 hours ago 1 reply      
I don't accept that "negative people" somehow screw a startup. Handling criticism makes for a stronger product.
Jacqued 2 hours ago 0 replies      
I strongly clicked with the Investor part. It's funny that everyone and their mother is saying they are part of a seed fund these days, while they do not invest in companies that have less than 2 years/15 employees/numerous clients/revenue in the 7 digits already.

And maybe he could add:
"11. Hacker News. After reading it for a while and understanding a bit better what it means to run a startup, just stop reading it all day long and focus on your customers. I've seen startups fail because the founders hired people only to monitor HN and report on interesting stories"

sreyaNotfilc 2 hours ago 0 replies      
Schmerg has already stated #11. Here's my #12.

#12... Reading blogs/articles about startups. I'm guilty of this as well. It's ok to read every once in a while, but the constant research on startup life does take you out of your element.

Put your head down and get to work! It's all up to you and you alone. Make the effort, and get to coding/building. The rest will fall into place.

alexro 2 hours ago 2 replies      
Can somebody more experienced in the matter attest there is no seed money in the UK? I was under the impression that Launch48, Seedcamp and others do a great job here.
spyder 3 hours ago 1 reply      
Just a friendly reminder about the title of the submission from the HN guidelines:
If the original title begins with a number or number + gratuitous adjective, we'd appreciate it if you'd crop it. E.g. translate "10 Ways To Do X" to "How To Do X," and "14 Amazing Ys" to "Ys." Exception: when the number is meaningful, e.g. "The 5 Platonic Solids."
xmmx 3 hours ago 2 replies      
0. Adding a launchrock page before anyone has any idea who you are.
schmerg 3 hours ago 2 replies      
11. Blogging :)
otibom 3 hours ago 1 reply      
This is unreadable on mobile.
Fred Wilson is wrong about “Free” daltoncaldwell.com
3 points by sachitgupta  7 minutes ago   discuss
An Amusing Lesson In Social Media earbits.com
4 points by yotamros  35 minutes ago   discuss
CSRF: Cross-Site Request Forgeries coffeeonthekeyboard.com
30 points by huntern  5 hours ago   17 comments top 7
DanielRibeiro 5 hours ago 0 replies      
Google also did a very good job introducing security vulnerabilities, and also a sandbox for trying them out. Their take at Cross-Site Request Forgery: http://google-gruyere.appspot.com/part3#3__cross_site_reques...

The sandbox: http://google-gruyere.appspot.com/start

psychotik 2 hours ago 0 replies      
A simple explanation for the non tech folks: http://crazyviraj.blogspot.com/2009/10/xsrfcsrf-attacks-in-n...
zeroonetwothree 1 hour ago 0 replies      
One thing that's not covered by a lot of frameworks is protecting against CSRF in AJAX requests. Django has some info on enabling this (https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax), but it's easy to overlook.
languagehacker 1 hour ago 0 replies      
This is a decent article, but it's really just another "use your framework to mitigate CSRF" article. There's probably been hundreds of them in the last five years. Useful for junior devs who haven't seen it before; uninteresting for most everyone else.
smcl 4 hours ago 2 replies      
Is it displaying as grey text on a brown background for everyone else? That's nigh-on unreadable

edit: maybe not grey but some colour which doesn't contrast with brown at all

mrfu 4 hours ago 2 replies      
* These are submitted with a form (over POST, hopefully) *

I don't think that the author implies that using POST prevents CSRFs but the article seems to imply it. In case anyone thinks it is the case: using POST won't prevent a CSRF.

Cross Site Request Forgeries occur when a user opens an "evil" page on site B while being logged in on site A. If site A solely relies on cookies in order to identify logged-in users, there is a risk of CSRF. The attack exploits the fact that the user's browser will always send the auth cookies when issuing a request to siteA.
If the evil page on siteB embeds an image (or script, or any resource that can be loaded using a URL) whose source is a URL on siteA, the browser will request the resource on siteA with the auth cookie coming along.

In order to issue a POST request to siteA from the evil page, the attacker only has to submit a crafted POST form using an iframe.

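The cookie-only failure mrfu describes, and the AJAX-header variant zeroonetwothree mentions, as an added example (not from the article or from any commenter): a minimal synchronizer-token check in plain Python. The in-memory session store, the Request class and the sample requests are constructed; the field name csrfmiddlewaretoken and the X-CSRFToken header follow Django's conventions, but the token scheme here is a simplified per-session token, not Django's masked-cookie implementation.

```python
"""Why a session cookie alone cannot authorize a state-changing request,
and how a per-session CSRF token fixes it (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side session store: session id -> {"user", "csrf"}.
SESSIONS = {}


def login(user):
    """Create a session and a CSRF token bound to it.

    Returns (session_id, csrf_token). The session id goes into a cookie;
    the token is rendered into forms / exposed to the site's own JS only.
    """
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token


@dataclass
class Request:
    """Only the parts of an HTTP request the checks below look at."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def current_session(req):
    return SESSIONS.get(req.cookies.get("sessionid", ""))


def authorize_cookie_only(req):
    """The pattern mrfu warns about: identify the user by cookie alone.

    The browser attaches the cookie to a form post regardless of which
    origin submitted it, so a cross-site POST is accepted. Using POST
    instead of GET changes nothing here.
    """
    return current_session(req) is not None


def authorize_with_csrf_token(req):
    """Cookie plus a per-session token that a cross-site page cannot read.

    Safe methods pass on the cookie alone; state-changing methods must
    carry the token either as a form field (regular form post) or as the
    X-CSRFToken header (AJAX, Django's convention). The comparison is
    constant-time and tolerates non-ASCII input from the client.
    """
    sess = current_session(req)
    if sess is None:
        return False
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True
    supplied = req.form.get("csrfmiddlewaretoken") or req.headers.get("X-CSRFToken")
    if not supplied:
        return False
    return hmac.compare_digest(supplied.encode("utf-8"), sess["csrf"].encode("utf-8"))


def demo():
    """Run the two checks over constructed requests; returns a dict of outcomes."""
    sid, token = login("alice")
    _, attacker_token = login("mallory")  # a token from a different session

    cookie = {"sessionid": sid}
    legit_form = Request("POST", cookies=cookie,
                         form={"csrfmiddlewaretoken": token, "email": "alice@example.com"})
    legit_ajax = Request("POST", cookies=cookie, headers={"X-CSRFToken": token},
                         form={"email": "alice@example.com"})
    # Forged from site B: the browser adds alice's cookie automatically,
    # but site B never sees alice's token.
    forged = Request("POST", cookies=cookie, form={"email": "mallory@example.com"})
    # Forged with the attacker's own token: tokens are bound to the session.
    forged_own_token = Request("POST", cookies=cookie,
                               form={"csrfmiddlewaretoken": attacker_token})
    return {
        "cookie_only_accepts_forged": authorize_cookie_only(forged),
        "token_rejects_forged": not authorize_with_csrf_token(forged),
        "token_rejects_foreign_token": not authorize_with_csrf_token(forged_own_token),
        "token_accepts_form": authorize_with_csrf_token(legit_form),
        "token_accepts_ajax": authorize_with_csrf_token(legit_ajax),
        "token_allows_get": authorize_with_csrf_token(Request("GET", cookies=cookie)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The token check only helps while the attacker cannot read the page: as ericmoritz's question below implies, an XSS on site A hands the token to script running there, so it is a defense against cross-site requests, not against script injection.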
ericmoritz 3 hours ago 3 replies      
Perhaps I'm just naive but if someone has access to the DOM via XSS; aren't CSRF nonces like Django uses pointless?
We're not going to patch the patch polytroncorporation.com
26 points by cyanbane  5 hours ago   14 comments top 3
ars 15 minutes ago 2 replies      
Anyone know how much money he's talking about to certify the new patch? Even a ballpark?
shawabawa3 3 hours ago 2 replies      
> People often mistakenly believe that we got paid by Microsoft for being exclusive to their platform. Nothing could be further from the truth. WE pay THEM.

Does anyone know any reason why they would do that? Why would you pay to be exclusive to anyone?

CubicleNinjas 3 hours ago 2 replies      
• Game company signs deal with Microsoft to be a platform exclusive.
• Game company releases game with problems but has a successful launch.
• Game company complains that their original contract is bad, it would be fixed in an alternate world, and that they complain about paying to be a platform exclusive.

If I didn't think Phil Fish was a drama queen before...

Lightning captured at 7,207 images per second thekidshouldseethis.com
248 points by yk  7 hours ago   20 comments top 9
WillyF 4 hours ago 0 replies      
I was almost hit by lightning a few months ago.

My Dad and I were on a fly fishing trip with a guide in a long canoe-like boat on a river. When the storm came up behind us, we pulled to the side of the river and took cover under the branches of some small overhanging trees. I wasn't very concerned, as the storm wasn't all that big and I'd been in similar situations before.

When it started hailing, I became a bit more worried, but I was still reasonably relaxed. Then I saw an extremely bright flash, screamed, and ducked. My Dad and my guide never heard the scream because the thunder was instant. It took me a few seconds, but I turned around to see if they were ok. They were, and they asked me if I saw where it was. I said that I just knew that it was close. They told me that it was about 3 feet to my right, and it hit the water (my Dad said he saw a hole in the water).

I definitely felt something from it, but I can't really describe what it was. I'd pay a lot of money to be able to see a video like this of that strike.

I'm pretty lucky to be alive/not disabled for life. Don't let your misconceptions about lightning put you in a similar situation. Read NOAA's guide on lightning safety: http://www.lightningsafety.noaa.gov/

polyfractal 5 hours ago 1 reply      
More (awesome) videos can be found at the original Vimeo page:


(Why link to that blog? It offered nothing extra to the videos)

jaekwon 6 hours ago 2 replies      
Holy bolts, that looks like the source of the lightning is doing a distributed spatial breadth search of the potential space looking for a connection for the main jolt (the action potential event).

Could this be what the brain is doing? A group of neurons get excited (some concept or thought), and a distributed spatial search happens electrically starting at the source of excitation (literally brainstorming), until it finds the best pathway to connect to "ground" (reasoning), at which point the pathways between "source" and "ground" stay continuously excited for a measurable period of time (the epiphany moment, learning is happening via Hebbian). "Ground" is whatever that causes the source energy to drain, such as the epiphany of a solution, which makes the solution appear obvious.

Kiro 6 hours ago 1 reply      
A video that went viral 5 years ago pops up on HN three times in two days. What's up?
DanielRibeiro 5 hours ago 0 replies      
Former discussion (the link is now dead) from last week: http://news.ycombinator.com/item?id=4247484
noahc 4 hours ago 1 reply      
Does anyone know how close prosumer/off the shelf technology can get to reproducing this?

I've seen 1000fps on prosumer cameras before, but are we close to 5,000 even on sub-$1000 cameras?

ChuckMcM 1 hour ago 0 replies      
I love how once the circuit to ground is established it just pumps power through it until it is fully discharged.
jeremyarussell 4 hours ago 1 reply      
Nikola Tesla would have loved being alive with today's camera technology.
perlgeek 5 hours ago 0 replies      
This says "Any use requires licensing via [...]", and yet the web page doesn't indicate that it obtained any such license.

So, is this illegally copied material on the top 1 spot of HN?

Windows Executable Walkthrough Graphic corkami.com
193 points by philthom  16 hours ago   28 comments top 8
pud 14 hours ago 5 replies      
One of the things that's held back Windows and made it so complex, according to an MS engineer I recently spoke with who's been with the company since the 80's, is that it contains thousands of pieces of code to fix bugs in third-party software.

In other words, there's code in Windows 7 that prevents crashing due to a rare bug in Where In The World Is Carmen Sandiego v1.3 (hypothetical example). And so on.

ralfd 7 hours ago 0 replies      
In the reddit thread the original author said: "I will also do a linux (ELF) version, but not in the near future."

For a Mac OS X version he would need a Mac (which he doesn't have).

jjguy 2 hours ago 0 replies      
For any new reverse engineers in Hacker Newsland, another win32 PE classic is Ero Carrera's diagram from 2005: https://www.openrce.org/reference_library/files/reference/PE...
_sh 13 hours ago 2 replies      
Nice one. I'd love to see a walkthrough for .NET executables[1].

[1] http://en.wikipedia.org/wiki/Portable_Executable#.NET.2C_met...

melicerte 7 hours ago 0 replies      
"made entirely under Inkscape" +1
Simucal 13 hours ago 1 reply      
This is great but why is English the only version that is in jpg rather than png?
jpoehls 6 hours ago 0 replies      
This is awesome. I would love to see versions of this for Linux and OS X.
marcusrobbins 11 hours ago 1 reply      
This is awesome :)
Apple granted broad mobile patent macworld.co.uk
79 points by ianox  4 hours ago   84 comments top 18
VanL 3 hours ago 4 replies      
The hyperventilating in this article is ridiculous. First, patents always issue on a Thursday - and any large company usually has a number in the pipe. There is nothing unusual about a company the size of Apple getting 25 patents issued in one release.

Now, I haven't read all of the 25 patents issued to Apple, but this article makes the classic mistake of confounding the specification (which describes lots of stuff) and the claims (which describe what is protected). Here is what this patent is actually about:

1. A method, comprising: at a portable multifunction device with a touch screen display: displaying a portion of an electronic document on the touch screen display, wherein the displayed portion of the electronic document has a vertical position in the electronic document; displaying a vertical bar on top of the displayed portion of the electronic document, the vertical bar displayed proximate to a vertical edge of the displayed portion of the electronic document, wherein: the vertical bar has a vertical position on top of the displayed portion of the electronic document that corresponds to the vertical position in the electronic document of the displayed portion of the electronic document; and the vertical bar is not a scroll bar; detecting a movement of an object in a direction on the displayed portion of the electronic document; in response to detecting the movement: scrolling the electronic document displayed on the touch screen display in the direction of movement of the object so that a new portion of the electronic document is displayed, moving the vertical bar to a new vertical position such that the new vertical position corresponds to the vertical position in the electronic document of the displayed new portion of the electronic document, and maintaining the vertical bar proximate to the vertical edge of the displayed portion of the electronic document; and in response to a predetermined condition being met, ceasing to display the vertical bar while continuing to display the displayed portion of the electronic document, wherein the displayed portion of the electronic document has a vertical extent that is less than a vertical extent of the electronic document.

Translated from patent-speak, this just means that the little position indicator along the side of the display indicates where you are in a document. Further claims indicate that the position indicator disappears when you don't do anything for a minute. Anyone who has seen iOS (or Mac OS X Lion) has seen it.

If I were Google, though, I wouldn't care about this patent. Why not? Because of the words "and the vertical bar is not a scroll bar." These words were added to get around prior art. All Google would need to do is allow its position indicator to also function as a scroll bar and this patent doesn't apply.

I am annoyed by patents as much as the next guy - more, even, because I deal with them every day - but this kind of breathlessness helps absolutely no one.

Sidnicious 3 hours ago 3 replies      
> We can't take all of our energy and all of our care and finish the painting, then have someone else put their name on it.

What a load of shit. What happened to “great artists steal”? Great art must be stolen to inspire new, greater art.

The iPhone is awesome. May a thousand devices like it bloom.

bcrescimanno 3 hours ago 4 replies      
I'm not entirely sure why this is surprising news to anybody; in the original iPhone announcement, I believe Steve Jobs said, "...and boy have we patented it."

Let's be frank: Apple is not the only major technology company with a massive collection of questionable patents that they could use to stifle their competition. The system, as it is today, basically forces companies into these patents because if they don't patent it someone else will. To put it colloquially: "Don't hate the player, hate the game."

nicholassmith 4 hours ago 5 replies      
If Apple decides to use them it'll take years for it to litigate, and they'll probably be proved invalid in the process.

Don't fear poor Android phones, you're safe for now.

huggyface 4 hours ago 1 reply      
Ridiculous headline (the submission simply mirroring the original article) that is the sort of hysterical end-of-times interpretation of patents that has yielded so many nonsensical, time-wasting discussions before.
mattmaroon 3 hours ago 0 replies      
Anyone who thinks this is a death-knell for Android (especially any time soon) doesn't understand how patent law works in practice.
seclorum 35 minutes ago 0 replies      
Well, that seals it. My next Tablet will be based on 100% open sources. I will now proceed to build an Ubuntu-based tablet to replace the iPad form-factor.. boots up laser cutter and 3d printer .. </dream>
smackfu 4 hours ago 1 reply      
I don't really trust anyone to properly interpret patents.
freehunter 4 hours ago 1 reply      
>"Steve Jobs, former Apple CEO, may finally get his wish and see Android devices ... completely taken off the market."

Was the author not reading the news last October?

watmough 4 hours ago 0 replies      
Apple fanboi that I am, freely admitted, my Nexus 7 is wonderful, and I think the granting of this entire patent is insane.
StavrosK 4 hours ago 0 replies      
Don't be silly, that would mean that something would change in the patent system.
jack-r-abbit 3 hours ago 0 replies      
Android won't be killed off. There will always be an Android.

"If you outlaw Android, only outlaws will have Android." - Anon.

Rhymenocerus 1 hour ago 0 replies      
Hoorah for us all, even less viable products for us to choose from! I don't understand why people look up to Jobs, but still hate Bill Gates for his business practices during the 90's.

"Picasso had a saying - 'Good artists copy, great artists steal.' And we have always been shameless about stealing great ideas." - Steve Jobs

wwwtyro 4 hours ago 3 replies      
So, my question is: given all the controversy in the (tech) media over patents lately, how is the patent office able to rationalize granting (what appears to me to be) a very bad patent?
evilmushroom 3 hours ago 2 replies      
Hmm.. brb patenting the process of applying for a patent.
richworks 3 hours ago 0 replies      
"It could kill off Android completely in the US and not anywhere else."

Granted, the US is a major market for Android but these patent disputes will get laughed at in the UK courts and others as we have seen so far.

majorapps 3 hours ago 0 replies      
I honestly believe that this is the beginning of the end for the patent system. If this was granted and enforced we would see something along the lines of the advertising mantra: "good advertising is the fastest way to kill a bad product"
arrowgunz 1 hour ago 0 replies      
Competition is what drives companies to create better products. Without that there would be very little progress in innovation. I am an Apple fanboy and still hope nothing happens to Android.
How we built Lanyrd's foursquare integration lanyrd.com
52 points by jot  7 hours ago   7 comments top 2
jot 7 hours ago 2 replies      
I had no idea Foursquare's API had matured so much, loads of opportunities to build interesting things. This write up has some great insights into some of the challenges of implementing against it.
adrianwaj 6 hours ago 1 reply      
"Step one: matching up the venues" - for your interest Bopgig uses a Google search on foursquare.com to obtain venues, seems to work decently and is automated. The 4sq api seemed to return too many errors when last tested.
       cached 19 July 2012 19:02:01 GMT