Hacker News with inline top comments, 31 Jul 2012
Company withdrawing from Facebook as analytics show 80% of ad clicks from bots facebook.com
960 points by petercooper  12 hours ago   291 comments top 2
nhashem 9 hours ago  replies      
My startup is essentially an advertising aggregator (pooling traffic from a variety of publishers and routing it to advertisers) and dealing with things like bot detection is a HUGE chunk of what we work on, technology-wise. Let me try and give you an idea of how deep the rabbit hole can go.

- Okay, you want to detect bots. Well, "good" bots usually have a user agent string like, "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)." So, let's just block those.

- Wait, what are "those?" There is no normalized way of a user agent saying, "if this flag is set, I'm a bot." You literally would have to substring match on user agent.

- Okay, let's just substring match on the word "bot." Wait, then you miss user agents like, "FeedBurner/1.0 (http://www.FeedBurner.com)." Obviously some sort of FeedBurner bot, but it doesn't have "bot" or "crawler" or "spider" or any other term in there.

- How about we just make a "blacklist" of these known bots, look up every user agent, and compare against the blacklist? So now every single request to your site has to do a substring match against every single term in this list. Depending on your site's implementation, this is probably not trivial to do without taking some sort of performance hit.

- Also, you haven't even addressed the fact that user agents are specified by the clients, so it's trivial to make a bot that identifies itself as "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1." No blacklist is going to catch that guy.

- Okay, let's use something else to flag bot vs. non-bot. Say, let's see if the client can execute Javascript. If so, let's log information about those that can't execute Javascript, and then build some sort of system that analyzes those clients and finds trends (for example, if they originate from a certain IP range).

- This is smarter than just matching substrings, but this means you may not catch bots until after the fact. So if you have any sort of business where people pay you per click, and they expect those clicks not to be bots, then you need some way to say, "okay, I think I sent you 100 clicks, but let me check if they were all legit, so don't take this number as holy until 24 hours have passed." This is one of the reasons why products like Google AdWords don't have real-time reporting.

- And then when you get successful enough, someone is going to target your site with a very advanced bot that CAN seem like a legit user in most cases (i.e. it can run Javascript, answer CAPTCHAs), and spam-click the shit out of your site, and you're going to have a customer that's on the hook to you for thousands of dollars even though you didn't send them a single legit user. This will cause them to TOTALLY FREAK THE FUCK OUT about this and if you aren't used to handling customers FREAKING THE FUCK OUT, you are going to have a business and technical mess on your hands. You will have a business mess because it will be very easy to conclude you did this maliciously, and you're now one Hacker News post away from having a customer run your name through the mud and for the next several months, 7 out of the top 10 results on any Google search for your company's name will be that post and related ones. And you'll have a technical mess because your system is probably based on, you know, people actually paying you what you think they should, and if you have no concept of "issuing a credit" or "reverting what happened," then get ready for some late nights.

I'm seriously only scratching the surface here. That being said, I'm not saying, "this is a hard problem, cut Facebook some slack." If they're indeed letting in this volume of non-legit traffic, for a company with their resources, there is pretty much no excuse.

Even if you don't have the talent to preemptively flag and invalidate bot traffic, you can still invest in the resources to have a good customer experience and someone that can pick up a phone and say, "yeah, please don't worry about those 50,000 clicks it looks like we sent you, it's going to take us awhile but we'll make sure you don't have to pay that and we'll do everything we can to prevent this from happening again." In my opinion this is Facebook's critical mistake. You can have infallible technology, or you can have a decent customer service experience. Not having either, unfortunately, leads to experiences exactly like what the OP had.

reustle 11 hours ago  replies      
Copying the text just in case FB decides they don't like it


Hey everyone, we're going to be deleting our Facebook page in the next couple of weeks, but we wanted to explain why before we do. A couple months ago, when we were preparing to launch the new Limited Run, we started to experiment with Facebook ads. Unfortunately, while testing their ad system, we noticed some very strange things. Facebook was charging us for clicks, yet we could only verify about 20% of them actually showing up on our site. At first, we thought it was our analytics service. We tried signing up for a handful of other big name companies, and still, we couldn't verify more than 15-20% of clicks. So we did what any good developers would do. We built our own analytic software. Here's what we found: on about 80% of the clicks Facebook was charging us for, JavaScript wasn't on. And if the person clicking the ad doesn't have JavaScript, it's very difficult for an analytics service to verify the click. What's important here is that in all of our years of experience, only about 1-2% of people coming to us have JavaScript disabled, not 80% like these clicks coming from Facebook. So we did what any good developers would do. We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80% of clicks we were paying for were from bots. That's correct. Bots were loading pages and driving up our advertising costs. So we tried contacting Facebook about this. Unfortunately, they wouldn't reply. Do we know who the bots belong to? No. Are we accusing Facebook of using bots to drive up advertising revenue? No. Is it strange? Yes. But let's move on, because who the bots belong to isn't provable.

While we were testing Facebook ads, we were also trying to get Facebook to let us change our name, because we're not Limited Pressing anymore. We contacted them on many occasions about this. Finally, we got a call from someone at Facebook. They said they would allow us to change our name. NICE! But only if we agreed to spend $2000 or more in advertising a month. That's correct. Facebook was holding our name hostage. So we did what any good hardcore kids would do. We cursed that piece of shit out! Damn we were so pissed. We still are. This is why we need to delete this page and move away from Facebook. They're scumbags and we just don't have the patience for scumbags.

Thanks to everyone who has supported this page and liked our posts. We really appreciate it. If you'd like to follow us on Twitter, where we don't get shaken down, you can do so here: http://twitter.com/limitedrun
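
The checks the two comments above walk through (user-agent substring matching, a JavaScript-execution signal, no-JS trends per IP range, and crediting clicks after the fact), as an added example that is not code from either commenter or from Limited Run. The click log, the /24 grouping, the thresholds and the verdict labels are assumptions constructed for illustration; the three user-agent strings are the ones quoted in the first comment.

```python
import ipaddress
from collections import Counter, defaultdict

# Terms that mark self-declared bots. "feedburner" has to be listed by name
# because that user agent contains none of the generic words.
DECLARED_BOT_TERMS = ("bot", "crawler", "spider", "feedburner")

FIREFOX = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) "
           "Gecko/20100101 Firefox/14.0.1")
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FEEDBURNER = "FeedBurner/1.0 (http://www.FeedBurner.com)"

# Constructed click log: (click_id, client_ip, user_agent, js_beacon_seen).
# js_beacon_seen is True when a script on the landing page reported back,
# i.e. the client executed JavaScript. IPs are documentation ranges.
CLICKS = [
    ("c1", "198.51.100.10", FIREFOX, True),
    ("c2", "198.51.100.11", FIREFOX, True),
    ("c3", "198.51.100.12", FIREFOX, False),   # lone visitor with JS disabled
    ("c4", "192.0.2.5", GOOGLEBOT, False),
    ("c5", "192.0.2.6", FEEDBURNER, False),
    ("c6", "203.0.113.20", FIREFOX, False),    # browser UA, never runs JS
    ("c7", "203.0.113.21", FIREFOX, False),
    ("c8", "203.0.113.22", FIREFOX, False),
    ("c9", "203.0.113.23", FIREFOX, True),     # runs JS: this check cannot judge it
]


def is_declared_bot(user_agent):
    """Substring match against the blacklist; only catches honest bots."""
    ua = user_agent.lower()
    return any(term in ua for term in DECLARED_BOT_TERMS)


def subnet(ip, prefix=24):
    """Group clients by network so per-range trends become visible."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def review_clicks(clicks, min_clicks=3, nojs_rate_threshold=0.5):
    """After-the-fact review: return ({click_id: verdict}, flagged_subnets).

    A single no-JS click from an otherwise normal range stays billable (real
    users with JavaScript off exist); no-JS clicks are credited only when
    their whole range shows an abnormal no-JS rate.
    """
    verdicts = {}
    per_net = defaultdict(lambda: [0, 0])   # subnet -> [clicks, no-JS clicks]
    pending = []
    for click_id, ip, user_agent, js_seen in clicks:
        if is_declared_bot(user_agent):
            verdicts[click_id] = "credit:declared-bot"
            continue
        net = subnet(ip)
        per_net[net][0] += 1
        per_net[net][1] += 0 if js_seen else 1
        pending.append((click_id, net, js_seen))

    flagged = {
        net for net, (total, nojs) in per_net.items()
        if total >= min_clicks and nojs / total >= nojs_rate_threshold
    }
    for click_id, net, js_seen in pending:
        if not js_seen and net in flagged:
            verdicts[click_id] = "credit:no-js-range"
        else:
            verdicts[click_id] = "billable"
    return verdicts, flagged


def summarize(verdicts):
    """Count clicks per verdict, e.g. for the delayed billing report."""
    return dict(Counter(verdicts.values()))


if __name__ == "__main__":
    verdicts, flagged = review_clicks(CLICKS)
    print("flagged ranges:", sorted(flagged))
    for click_id in sorted(verdicts):
        print(click_id, verdicts[click_id])
    print(summarize(verdicts))
```

Click c9 stays billable because it executed JavaScript, which is the limit the first comment describes: a bot that behaves like a browser passes this review and needs other signals.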

Ask PG: What caused the downtime?
87 points by aaronbrethorst  1 hour ago   39 comments top 14
pg 28 minutes ago 1 reply      
Still investigating. The site was slow all day. We got an immense spike in unique IPs. Typically we get a bit over 150k/day. Today we got 220k. Not sure if the downtime was related.

I was travelling today and didn't have proper access to the server, or I would have been on it sooner.

ghshephard 48 minutes ago 1 reply      
I wonder if ycombinator could see a correlative increase in the value of their portfolios through the simple process of shutting down news.yc for 3-4 hours a day?
joshmlewis 52 minutes ago 3 replies      
It is very interesting how..eh..addictive this site is. It's like a habit to do CMD + T and start typing in news.y..etc. And while it was down I was refreshing every few minutes. I think personally I do get a lot out of this site, I definitely wouldn't be where I am today without it. I've learned a lot, asked a lot, and tried to give back as much as I could. I landed a couple jobs from here that have now set me on a very successful path at such a young age. I'm very thankful for the community here. Sorry for turning this into an emotional post, but I really owe a lot to HN.

EDIT: I do just do CMD + T and then n for everyone who thought I did otherwise. Sometimes it happens so quickly I do new..or whatever, but you get the idea. This is a trivial point.

wildmXranat 46 minutes ago 1 reply      
Netflix chaos monkey is released into the wild, HN goes down soon after. Coincidence, I think not!
Xcelerate 54 minutes ago 1 reply      
Wow, I got a surprising amount of work done in the last few hours. I had to check isup.me to make sure it was really down, else I would have found a proxy server :)
josdewolk 30 minutes ago 0 replies      
Is anyone else out there proud to have a healthy relationship with hacker news?
ck2 47 minutes ago 0 replies      
I would bet it was from some of the direct links on Reddit?

The Ubisoft backdoor was linked on reddit front page for awhile today.

eranation 59 minutes ago 1 reply      
Yep, I have the same question, lots of frustrated tweets https://twitter.com/#!/search/hackernews%20down
unimpressive 47 minutes ago 0 replies      
I think I might start throttling my bandwidth to 56kbs over HTTP/HTTPS.
mikescar 52 minutes ago 0 replies      
Glad y'all got some work done, I just didn't do work elsewhere :).
MatCarpenter 46 minutes ago 0 replies      
I'm curious to see if it had something to do with hitting the front page of Reddit. The Facebook Bot Clicks post received over 1,700 upvotes and perhaps Reddit "performed the most friendly DDoS"
emeraldd 49 minutes ago 0 replies      
I actually found that I didn't get as much done. I kept checking to see if the site had come back up and wondering if there was a status page hiding somewhere I didn't know about. Sheesh!
Kilimanjaro 55 minutes ago 0 replies      
God, it seemed like an eternity!
aaronh 50 minutes ago 0 replies      
same question, noticed after i got sent two bogus password reset attempts...
Why Apple's new ads look like Microsoft made them. seanoliver.me
244 points by seanoliver  10 hours ago   177 comments top
freehunter 9 hours ago  replies      
I'm beginning to feel that Apple wasn't a company, it was a man. His employees were just extensions of his brain; they would make what he wanted, and if he didn't know what he wanted they would make every variety they could come up with until they hit it right.

Without Steve, Apple still has all the raw talent they've had for years, there's still so much creativity sitting in that office. But without a lens to distill it, without a final authoritative sign-off, they don't seem to know anymore what is good enough and what is Apple.

I'm willing to give them the benefit of the doubt that they will find it again, but I'm not willing to bet on it. Apple is on track to become just another PC vendor, just another consumer products vendor. There's not much magic coming from Cupertino lately.

Codecademy now has Python lessons codecademy.com
131 points by arjunblj  7 hours ago   34 comments top 12
Legion 7 hours ago 4 replies      
I still cannot read that name without my brain auto-correcting in the missing "a".

I wish they would change the name to something more distinct from Code Academy.

joshuahedlund 6 hours ago 1 reply      
I've been increasing my intention to learn Python for awhile now, this may just lower the barrier enough to be my tipping point.
DanielN 5 hours ago 1 reply      
So from what I understand Codecademy's long term monetization plans seem to be focused on being a middle man between new programmers and companies looking to hire [1].

But I'm curious how this is actually achieved. The key in such a system would be keeping users engaged in the site from the time they first start learning to the point that they are ready and qualified to get their first job. This is likely six months to a year of training (at the low end) and it can't just be 1)learn the basics of javascript 2)learn the basics of html css 3)learn the basics of python.

New programmers with an eye for getting to their first programming job asap are better off building a portfolio that shows that they can work in the full stack and get stuff done. Or alternatively within the confines of Codecademy if you're not going to have a deep portfolio, showing a mastery of the full stack with deep knowledge or maybe one platform (say deep understanding of javascript and the fundamentals of CS).

I'm curious how Codecademy plans to bridge this divide or if they have other plans in mind (which they probably aren't as willing to share with the masses)

[1] http://www.quora.com/How-will-Codecademy-monetize

slaundy 6 hours ago 1 reply      
The original link points to a non-official course that is still in beta testing.

Here is the link to the official Python track: http://www.codecademy.com/tracks/python

EDIT: all better now!

MarlonPro 23 minutes ago 0 replies      
Is Ruby/Rails coming too?
chrisbroadfoot 3 hours ago 1 reply      
Can someone explain how this works? Looks like the page loads socket.io - is Python running in a sandbox on a server?
iamphilsharp 5 hours ago 2 replies      
I'm very excited by this, but also VERY skeptical. I was using Codecademy for months to learn Javascript, HTML and CSS but recently stopped because the course quality was getting very poor. It seems like they spent a lot of time developing the first 1-2 months of lessons, and then started winging it from there.
joshlegs 5 hours ago 0 replies      
Most excellent, Ted!!

I heart Python. (I'm learning it as my first language). I've already passed much of what they are going through (at least in these introductory lessons), but I am super happy to have another resource to help me learn the language. Thanks for the post!

mrjoelkemp 6 hours ago 0 replies      
So excited about the Python courses! Enjoy!
michelleclsun 5 hours ago 0 replies      
awesome! python is my first language and it lays a great foundation for picking up other languages like javascript and go, both which I'm learning now.
It's exciting to see codecademy make python more accessible to beginners.
cdvonstinkpot 5 hours ago 1 reply      
It's buggy in Firefox, so I can't app tab it with the rest of my everyday tabs. A little disappointing, but no biggie.
siegecraft 4 hours ago 0 replies      
are there more lessons past the basic addition stuff? (oh, I see that there are, but for whatever reason it didn't take me to them automatically)
ASCII Google Streetview tllabs.io
124 points by divy  7 hours ago   26 comments top 15
alex_h 6 hours ago 1 reply      
What is your algorithm for shading here? It seems like brightness is partially provided by the density of the characters (eg, '8' vs '.', as in normal ascii art), but also partially by the color of the characters.
Lambdanaut 6 hours ago 0 replies      
If you keep zooming in eventually the perspective flips. As you keep zooming in more the perspective gets warped and it creates a bizarre fish-eye effect.
I had about as much fun playing around with perspective warping as I did the finding things to look at in ASCII.

It's a pretty cool toy!

TheBoff 5 hours ago 0 replies      
It's interesting that to me, this looks more "3D" than normal street view. I would guess it's the thing about the human brain filling in the detail...
rwos 5 hours ago 0 replies      
What a nice way to find out that my rather old Thinkpad (on Debian testing) now has WebGL support - I only updated everything from time to time, and apparently stuff actually started working. Great!

Great hack, too. I really, really want that thing as a screensaver!

cdrxndr 4 hours ago 0 replies      
From my boy Hakim in May, 2011 - http://hakim.se/experiments/textify
Not sure how the approach differs technically, but obviously a different stylistic feel per the translations.

And I'm glad I read the comments and played with the zoom. Drastically changes the effect ... very much like a video-game world with incredible detail.

csphy 7 hours ago 1 reply      
How is it that this and GSVPano does not violate Google's terms of service, since they pull images from Google's undocumented street view API? I have a related project, but am not sure if I can make it public because of this issue. Does Google simply not care?
codequickly 5 hours ago 2 replies      
I'm on macbook with nvidia 9400m, only works on Firefox. On Chrome (latest) and Safari, it doesn't show anything. I wonder why WebGL isn't working on these browsers.
Kartificial 7 hours ago 0 replies      
This looks pretty good, but is there any way to turn off the default scrolling behaviour? Kind of makes me nauseous.
halis 6 hours ago 1 reply      
Looked pretty cool but it slowed down my work computer so bad that it practically crashed it.

And this box is an i7 with 10GB of memory...

jof 6 hours ago 2 replies      
This is the dopest WebGL application, IMO.

Totally loving this, including the green mode.

dataangel 6 hours ago 2 replies      
I see nothing.
chimmy 6 hours ago 1 reply      
it hurts my eye.
Lying on your resume steveblank.com
348 points by ridruejo  14 hours ago   208 comments top 2
nirvana 12 hours ago  replies      
I think the college degree hiring issue is all about confusing a symbol- the diploma- with reality- having the skills. So, Steve's anecdote is about getting hired by someone smart enough to test him to find the reality.

I have a similar situation as Steve. I was studying physics, working for a nationally recognized lab under a guy who should have gotten a Nobel, when I got a job as a software developer and realized that was what I really wanted to do with my life.

I used to put down that I studied physics, but eventually, I just dropped it. My resume now is one page, with a summary at top of my skills and a list of the places I've worked taking up the rest.

I find that this is a really good filter. If someone won't hire you because you didn't go to college, you know that this is someone you don't want to work for. They are expressing a prejudice-- assuming you lack a skill based on their own assumptions, because they probably needed college to teach them. Many times people rationalize this by saying "college shows commitment". Well, keeping a job for 4 years shows commitment. Outside projects that are a lot harder than college was shows commitment.

The real reason I didn't finish college is that it didn't make mathematical sense. It costs a lot, delays your career and doesn't deliver sufficient value to cover these costs. I think that situation has gotten a lot worse.[1]

So, the right thing to do is look at the education section skeptically. Did they work their way thru college? Why did they go? Did they think they were getting more value than the cost?

I hear companies won't hire people without degrees. I see "BS required, Master preferred" a lot. I never let that stop me from sending my resume, and back when I was willing to work for others (rather than myself) I tended to get interviews, and 4/5 of those interviews would result in an offer or another step in interviewing (for companies that had a multi-step process.) I learned quickly to send all my resumes out on one single day, and have interviews scheduled close to each other, lest I get offers from some companies before I'd had a chance to interview at others.

None of these companies cared whether I had a degree. (And the ones who did, probably never called me in for an interview, but there's no way to tell which jobs have already been filled vs. which ones were at companies with that prejudice.)

But I consider that a blessing-- this filters out companies that confuse the symbol (eg: the diploma) for the reality (eg: having the skills.)[2]

I've met a lot of "smart" people who think they are so smart that they don't realize how much smarter other people can be. This limits their world view. It even interferes with their ability to comprehend or think logically. They let prejudices and ideology get in the way of perceiving reality.[3]

The last thing you want to do is work for a boss who believes his fantasy over reality.

And filtering out the ones who think you're not qualified because you don't have a diploma is a useful tool for that.

I express strong feelings here. I am unabashedly opinionated, but I think it is critical in hiring to hire people who think differently than you. I think it's critical to give the benefit of the doubt, allow a wide variation and then focus on what's really important- the relevant ability, their capabilities. I think "cultural fit" is often used to exclude good candidates for unfair reasons. I think I'd hire someone I disagreed with all the time if they were qualified (but haven't put this to the test yet- only having hired someone who disagrees with me most of the time.)

[1] I am very willing to hire people with degrees. Even though college is often a waste of time and money, and could show bad judgement, they can also show other things-- like the need to spend a couple years finding yourself outside the overwhelming influence of your parents, or the need to figure out what it is you really want to do with your life, etc. Some do it out of a commitment to their parents because it means so much to their parents, and I respect that. I don't think that someone turning 18 magically means they've figured everything out.

[2] I have found, however, that hackers (eg: people who taught themselves when they were young) right out of high school are about as equally prepared for employment life as (most) people with CS degrees right out of college. Either way it's going to take a couple years before they're really productive. Hackers shouldn't go to college.

I am assuming that hackers are generally autodidacts and not the kind of people who need to be trained, while college is for people who need to be trained, the kind of people who can't just pick up a new language over the weekend, or can't just read a college textbook to get the stuff they hadn't learned otherwise.

[3] In fact, I think that the fact that so many of these people who focus on degrees are people who went to college because they needed to be Trained, means that they are people who generally simply don't understand that some people self train. They don't see the advantage of the auto-didact who will learn things that seem ancillary (eg: economics) or irrelevant to someone who has been trained.

I think the training in college teaches a narrow way of thinking, or maybe it just doesn't expand the mind, while the autodidacts will expand their own minds.

Companies would be much better off hiring autodidacts and making sure at least one is in the interview loop, to ensure that the trained people don't exclude someone based on their own narrow thinking.

"Oh, your company has written your product in Haskell? That's nice. No I've never written any Haskell in my life, but I learned Lisp when I was 14 and write a lot of Erlang, and pick up languages easily. I'll have no problem picking up Haskell."

I think this above conversation sounds like nonsense to a trained person, because a trained person doesn't "just pick up" a language.

btilly 13 hours ago  replies      
There is a general rule of thumb. People who don't cheat, tend to strongly dislike people who do. People who do cheat, convince themselves that everyone does it, and it isn't a big detail.

Admittedly a ton of people cheat. But as someone who doesn't cheat, if I find out that you did, I'm going to lobby to not have to have you as a co-worker.

I have no idea how many people there are out there like me. Hopefully enough to discourage you from cheating. (Probably not, but I'd like to believe that it is not just a quixotic gesture on my part.)

Sam Soffes open sources Cheddar for iOS github.com
129 points by jamesjyu  9 hours ago   23 comments top 9
flyosity 8 hours ago 1 reply      
For people learning iOS development, this is an awesome project to download and tinker with. Learning how to use Core Data managed objects? It's in here. Custom tableviews? Here, too. Custom fonts? Yup. Blocks? Yes. External RESTful APIs? That, too.
stevenbrianhall 7 hours ago 0 replies      
Just saw this come across Twitter:

"What @samsoffes has built with @cheddar is amazing for a solo gig: website, iOS app, API, open source, blog, store. Many startups do less." - @bb

After checking everything out and struggling with finishing up a thousand little side projects myself, I really respect the thoroughness.

carson 5 hours ago 3 replies      
As much as I love seeing example apps like this I think beginners probably need to be cautious looking at this code. Here are a couple things that concern me:

* The UI is all hand coded. Not to start a religious war but interface builder makes supporting different devices a lot easier.

* There is some hairy concurrency stuff going on like this https://github.com/nothingmagical/cheddar-ios/blob/master/Cl...

davepeck 6 hours ago 1 reply      

After a quick poke around, this looks like a great codebase to learn from -- I will certainly point aspiring iOS developers in its direction. All the basics (CoreData, custom table views) are there, as are nice uses of more modern features like blocks and APIs like in-app purchase.

Out of curiosity, what's the deal with the CDKHTTPClient? It looks like the implementation is stubbed out for this release -- aka there is a back-end, but none of the back-end code is made available (at least so far)? I only took a quick look, so I might have missed something obvious.

brackin 8 hours ago 1 reply      
Cheddar's syncing is a bit hit-or-miss. On one hand you know that when you post a task it's synced instantly and you know when it's finished but on the other you have to have a constant internet connection.

I use these apps on the Underground to plan my day and always get errors when trying to do anything in app. It's also a huge battery drain, after each small change I see that my iPhone is connecting to the internet and using the app for a few minutes can drain a large percentage.

Forgetting about those problems, it's a beautiful app and is very functional although slightly limited. Which could be a selling point vs its tedious competition.

natep 4 hours ago 0 replies      
Excellent! I've been meaning to get into Emacs Lisp, so maybe I'll use the API to create an extension or lightweight alternative to org-mobile, with this client as inspiration. I've been meaning to do the same for Google Tasks (which I use) but their product and API is much more complicated and intimidating.
veyron 6 hours ago 0 replies      
Who produces the high quality photos and video on the site?
mgurlitz 8 hours ago 1 reply      
I'm surprised he included the app's resources (icon, etc.) under the BSD license -- rewriting the data store to use iCloud instead of his service (where Cheddar makes money, but also the source of many complaints in reviews) while keeping the UI would make a quick (though somewhat seedy) buck on the App Store.
dillera 9 hours ago 2 replies      
the app reviews in iTunes store seem to highlight some deficiencies
The world's largest domain name registrar is seeking a new CEO. domainnamewire.com
4 points by bane  14 minutes ago   discuss
On Apple's new ads frank.is
51 points by fratis  4 hours ago   46 comments top 16
forrestthewoods 4 hours ago 4 replies      
"Apple, are you serious with this commercial? We're in trouble."

Is anyone else bothered by usage of "we" here? I suppose it's not unlike a sports fan referring to their team as "we". There's just something disturbing about someone saying "we're in trouble" because a corporation they are a fan of produced a slightly less than stellar advertisement.

CoffeeDregs 4 hours ago 4 replies      
At the end of the airplane ad: gotta go to aisle 2 to help with a Keynote issue!

    1) Why was the first guy having so many issues?
    2) To the average user, WTF is a keynote?
    3) I thought that Macs were easy to use? Why do we need a "genius" to help use them?

In hindsight, I have no recollection of the nature of the issues the Genius solved. I just remember that lots of Macs were being used and lots of problems were occurring, leading the genius to have to run around the plane. Or something.

This is in stark contrast to Apple ads of the past:

    * Rainbow colored people dancing around with iPods. Music + simple + fun = iPod. Got it.
    * I'm a Mac. Funny, non-threatening, laid-back hipster versus clumsy, goofy, sweaty guy. Macs are simple, smart, cool. Got it.
    * Old iPhone ads. Lots of swiping, cool effects, plenty of brands, easy to use. Pick up an iPhone, noodle with it and I'll get it. Got it.

gojomo 13 minutes ago 0 replies      
I like the new genius-centered ads, such as the ones with a genius helping a plane passenger or an expectant father.

They're gently absurd situations. The genius is helpful above-and-beyond what would be reasonable, emphasizing an important Apple advantage. And, specific product benefits get worked into the dialogue.

I always thought the 'genius bar' naming was a bit pretentious, but clearly it's worked as a brand differentiator for Apple for years. And while I've got nothing against Justin Long, the Mac-vs-PC ads featuring him were far more elitist/patronizing/snooty. In these ads, the genius is more amiable.

Let's not forget the generation of 'Switcher' ads that had Ellen "beep, beep, beep" Feiss. Apple ads have varied in tone and focus from year-to-year: you can't feature archetypes against a white background forever, as any look will get dated over time.

(Maybe some of the future genius-helping-outside-the-store ads can feature cameos of previous ad actors... Feiss, Hodgeman, Dreyfuss getting direct genius help?)

vegashacker 3 hours ago 0 replies      
I like the one called Mayday (http://www.apple.com/mac/videos/#tv-ads-mayday). The awkward delivery of "I'm a genius" comes off as sincere modesty, in contrast to the condescension of Justin Long's "I'm a Mac" character. This is actually charming.

The task in the commercial (creating a video from lots of raw footage) is something a non computer pro wouldn't expect to be easy. Being able to do that in "27 minutes" sounds impressive. And the fact that a Genius could show you how to do this in that short amount of time is appealing. This isn't portraying Macs as having lots of problems--it's showing that mere mortals can do impressive things with them.

Finally, the guy the Genius helps first actually gets up with the Genius to go help the guy in 21F. The commercial ends with him saying, "Let's do this." The Genius gave someone such confidence in their Mac skills that he feels ready to become a Genius-like helper himself.

The other two suck though.

brudgers 15 minutes ago 0 replies      
The commercials make geniuses seem analogous to crapware.

Buying a sleek computer without one who acts in the way depicted in the commercials might be seen as a feature.

ruethewhirled 47 minutes ago 2 replies      
I find that American style ads have an underlining fakeness to them, it's hard to put my finger on it. I'm assuming it's just a cultural difference being from New Zealand but some ads from the States just grate me the wrong way. These Apple ads are particularly bad in this respect.
Johngibb 51 minutes ago 0 replies      
I think that people are way overreacting to these ads. They're not great - I don't like them. I didn't like Mac vs. PC ads either.

Apple has made mistakes while Steve Jobs was there too. Think of the cube, of antennagate, of all the cracks and discoloring and recalls of early MacBooks. Think of Ping, and MobileMe.

Not every misstep is a signal that Apple is in decline without Steve Jobs; I'm not even convinced that these ads wouldn't have come out if Jobs was still with us.

andrewfelix 4 hours ago 1 reply      
These ads will move product. Let me explain why;

There is a large segment of the market that isn't tech savvy. Computers scare them, they know they're not very good with machines, and they know they'll need help. Now imagine this consumer presented with two potential options; 1) A laptop with paid phone support. 2) A laptop with face to face human support.

Apple is attempting to communicate the human support they offer with their products.

These ads look bad to you and me because they're not marketed to you and me. We don't need a 'Genius', we don't need to be condescended to, we know how a Macbook works. We will make purchase decisions completely outside of what these new ads communicate. There will be and are other marketing techniques used to appeal to our market.

mladenkovacevic 3 hours ago 0 replies      
I guess on the plus side the ads present the friendly, cheery, non-threatening genius as a contrast to some grumpy, over caffeinated helpdesk guy you might have working at your office or a sleazy, lazy Best Buy customer service rep who just wants to sell you another warranty. What's odd though is that every ad shows exactly the situations where you wouldn't have access to a genius :S

Here is everybody analyzing these ads like they are a long-lost Kubrick reel so I guess it still works on some level among the Apple faithful.

jsz0 4 hours ago 3 replies      
I think they're fine. I'm not sure how else Apple could advertise the Genius Bar / Apple Store which is clearly what these ads are for. Any approach to that is going to be a bit exhausted. They could have a Genius stand there and explain the service, they could do consumer testimonials, they could do fake celebrity testimonials, they could do some mock in-store experience thing, but what else? There is no tangible product to show off. People are kind of missing the more interesting story here which is Apple deciding to advertise for the Apple Store and services. They've never done that before. It is a big competitive advantage so I think the message is important. If someone can come up with a better ad for the Genius Bar / Apple Store I will concede they are bad ads. Otherwise I think the message of the ads is more important than the style.
taligent 4 hours ago 1 reply      
As we have said before in the previous post:

1) You are not the target audience for this ad. Nobody cares whether you like it or not. We want to know what your parents and grandparents think of them. And AFAIK this is the first time Apple has deliberately targeted an older audience.

2) Steve Jobs personally said that he was involved in 2-3 years worth of products. So you can skip that whole "Steve Jobs is gone. Apple is going to die." rhetoric.

ebzlo 4 hours ago 2 replies      
I feel like I wasn't delivered the train wrecks I was promised. I didn't think these were so bad.
rglover 3 hours ago 0 replies      
I shared similar sentiments about the airplane ad that started popping up recently. It really does feel like a watered down, misdirected version of Apple. My initial reaction was an audible "huh?"
veritas9 4 hours ago 0 replies      
Since when did TV commercials dictate a company's success? While I agree, the ad is pretty crumby, at the end of the day the most important thing is that Apple keeps the same level of quality in its product pipeline.

Besides, last time I checked, Apple sources out their ads through an agency, specifically - TBWA Media Arts Labs http://www.mediaartslab.com. If anything, someone in marketing screwed up and approved a lame ad. Not a determining factor in their continued innovation or actual products.

radley 3 hours ago 0 replies      
Apple used to demonstrate effulgence and creativity.

These were Lifestyle-channel ads.

I couldn't watch after the first one.

Metrop0218 4 hours ago 0 replies      
They're not terrible by themselves, but relative to Apple's older ad campaigns, they're awful.
Live Streaming in Rails 4.0 tenderlovemaking.com
102 points by tenderlove  9 hours ago   28 comments top 5
tenderlove 8 hours ago 3 replies      
I didn't go into this in much detail in my article, but I'd like to follow up with my long term plan for this feature. I think that buffered responses are a special case of streaming responses (they're streaming responses with one chunk), and I'd like to make this API the underpinnings of the response system in Rails.

One of the things that I think Rack got wrong and that J2EE, Node.js, etc got right is that the response bodies should be treated as IO objects. Whether the IO object streams, buffers, gzips, etc is up to the IO object. Regardless, the API remains the same.

I hope to eventually push the concept of an IO response up to Rack itself and eliminate this code from Rails.

mtkd 9 hours ago 2 replies      
I really respect the hard work going in to the evolution of Rails, but it does feel like some new features should be considered as Gems.

The hardest part of managing mature software is keeping it lean.

heyrhett 7 hours ago 6 replies      
I don't want to be a wet blanket here, but does anyone else find this "tender love making" branding all over Aaron Patterson's technical content a bit... distracting?

Personally I do. That said, Aaron does amazing work and he should be able to brand it however he likes. I'm also very grateful for what he gives to the community.

So, am I just an old fuddy-duddy, or what? I mean, personally, I actually enjoy it, despite the distraction, but I'm surprised that this seems to be such a non-issue to everyone else.

jeltz 7 hours ago 1 reply      
I find it curious that he does not mention Thin as a webserver which is good for streaming. Thin was perhaps the first ruby webserver which got good support for streaming responses. While Rainbows! and Puma might be better at least Thin should deserve a mention due to its popularity alone. It is way more downloaded than both Rainbows! and Puma together.

Is there some problem with running Thin together with stream in rails 4?

hemancuso 3 hours ago 0 replies      
The one thing I think Rack really messed up is the hard requirement for rewindable input. Try streaming an upload through to a back-end. Can't do it.
Chaos Monkey released into the wild netflix.com
196 points by timf  12 hours ago   27 comments top 8
InclinedPlane 12 hours ago 1 reply      
This reminds me of something I read the other day¹, the idea that complex fault tolerant systems tend to end up running with faults as a matter of course (and sheer probability). This elevates that notion to another level, get rid of the idea of operating without faults and maintain a low-level of faultiness artificially to ensure that resiliency to faults in the system is always working.

¹ http://www.johndcook.com/blog/2012/07/13/fault-tolerant-syst...

technomancy 9 hours ago 2 replies      
Having the code behind the chaos monkey is not nearly as valuable as having the guts to run it in the first place.
waivej 9 hours ago 1 reply      
This is so cool, and I'm wondering if I can do something similar. It reminds me of "bug seeding" where you purposely insert bugs into your product and count how many are found through testing. (Of course, you track them so you can take them out later.)
coob 12 hours ago 2 replies      
Very interesting. However, this won't catch bugs that don't cause instance outages. I suppose the next step is to somehow simulate misconfigurations/overloaded services/unexpected errors (I have no idea how this would work).
wanderr 11 hours ago 2 replies      
This is certainly a great idea in theory, but I wonder if it has caused them to build things to be a little too fault tolerant, by assuming there are faults when maybe things are just slow. On Xbox, my recently watched fails to appear about 30% of the time even though it appears just fine on the site. The only thing I can think is that it must be taking just a little bit too long to return, so they assume failure and move on.
joelcox 11 hours ago 0 replies      
Webpulp TV recently did an interview with Jeremy Edburg from Netflix in which they discussed Chaos Monkey, albeit shortly.


oonny 12 hours ago 1 reply      
Jeff Atwood had a good piece on this: http://www.codinghorror.com/blog/2011/04/working-with-the-ch...

Overall it's brilliant from an infrastructure standpoint but it's up to the developers to make your code monkey proof!

Zenst 10 hours ago 1 reply      
Still think playing kerplunk with processes/systems whilst good is akin to pissing on your server and then seeing how quick you can repair it.

I personally like to run stuff on a CPU/network crippled test setup as that can expose cracks normal testing fails to highlight and in a way that is indicative of what can actually happen under some load spikes.

Titan, one of Saturn's moons, has an underground ocean nasa.gov
134 points by rblion  11 hours ago   26 comments top 6
rbanffy 8 hours ago 6 replies      
Please, can we now put a reasonable nuclear reactor in space, power a VASIMR engine (or something equally adequate), and do it with humans instead of robots? We already proved we can do it with machines and who will make first contact with alien life is becoming a really important question. We are not a race of robots.

People wonder why the general public lost interest with space exploration, but we need to look no further than all the excitement every six-wheeler is experiencing right now, as they watch their six-wheeled brothers, the daring explorers of Mars.

I am an engineer. I can comprehend and I do have the ultimate respect for the genius that allows us to land and operate robots on Mars, but that's the same genius that allowed us to land people on the Moon and, sadly, this is something we don't do anymore because it's too expensive. And we refuse to spend money on that while, at the same time, we fight unnecessary wars against the dictators we financed in the past. There is water ice on the Moon, probably a lot of it. There are minerals, abundant energy, just enough gravity to make industrial processes easy and a high grade vacuum that's the dream of every metallurgist. With these resources, we can become a true spacefaring civilization fit to meet our neighbors from the other islands floating around our sun.

We shouldn't do with robots the work of humans.

InclinedPlane 9 hours ago 0 replies      
In case anyone's counting, this makes it the 5th planetary body in the solar system with a high likelihood of having an ocean (Earth, Europa, Ganymede, Callisto, and now Titan).

Add to that a parcel of additional moons and other bodies that show indications of having sub-surface oceans (Triton, Enceladus, Pluto, Rhea, Titania, Eris, Sedna, Orcus, and Oberon).

bfe 9 hours ago 0 replies      
Link to abstract of the original research paper in the journal Science: http://www.sciencemag.org/content/337/6093/457.abstract

...and for accompanying news article in Science: http://www.sciencemag.org/content/336/6089/1629

akkartik 7 hours ago 0 replies      
Reading this article gave me a glimpse into the richness of extra-terrestrial biosphere processes. Even if Fermi's right and we never find life, there's a lot of stuff left to observe, study, and learn about, like the methane cycle on Titan.
startupfounder 9 hours ago 1 reply      
... and here is how we get there, similar to how Bill Stone proposes we get to Jupiter's moon Europa: http://www.youtube.com/watch?v=-Bn6Gel7yEs#t=6m9s
quotemstr 8 hours ago 2 replies      
It's not really an "ocean" in the way we think of such things. In the outer solar system, ice is a rock in the same way granite is a rock. What Titan has isn't so much an ocean as an interior layer of molten ice --- just as our planet has an interior layer of molten rock.
Amicus (YC S12) Uses Facebook To Mobilize Volunteers for Nonprofits techcrunch.com
87 points by sethbannon  9 hours ago   12 comments top 4
_delirium 8 hours ago 3 replies      
I'm a little confused as to what is being targeted here. The title says "volunteers for nonprofits", which suggests a platform aimed at recruiting people to donate their labor to charitable causes (e.g. recruiting volunteer workers for the Red Cross or Habitat for Humanity or soup kitchens). But the article is entirely about increasing voter turnout in political campaigns, by having people canvass their like-minded acquaintances, thereby increasing their interest in elections. That seems quite a bit different as a use-case, though I could imagine similar technology aiming at both problems.

edit: Thanks for the reply; looks like TechCrunch just chose to take an election-year angle on the story.

fredsters_s 9 hours ago 0 replies      
Awesome work guys. The gap between aspirational support and actually pushing forwards a cause is still far too great, and I'm looking forward to see how you narrow it.
sethbannon 8 hours ago 1 reply      
OP here. FYI Amicus helps all nonprofits turn supporters into fundraisers and advocates. The reporter chose to focus on only one use case -- political activism. This is only a small part of what Amicus does.
vgurgov 9 hours ago 0 replies      
Congrats to Seth and team!
The API Hub: Jeff Bezos-Backed Mashape Launches To The Public With 430 APIs techcrunch.com
43 points by rigelstpierre  6 hours ago   16 comments top 11
joshmlewis 27 minutes ago 0 replies      
I was fortunate enough to spend a couple days with these guys when I was first getting my feet wet a few months back. Although my chops weren't built enough yet for what they needed, I enjoyed doing a little problem solving with them and getting to see my first glimpse of startup life. They were super nice and they really had a passion and dedication for Mashape. It's cool to see them finally launch.
sandfox 5 hours ago 0 replies      
I think the open source equivalent to this is well worth a mention: http://apis.io/
It's not quite the same feature set but was never designed to be and all the code is on github so you deploy your own if you so wished, https://github.com/apisio/apisio pull requests welcome
kt9 51 minutes ago 0 replies      
I don't know how useful the clients in different languages are when all the client code returns is a JSON object.

I would have thought that the whole point of a custom client would be that it would expose objects and methods that had represented the request and response data for the API.

If I have to interpret and parse the JSON myself then the client code they provide isn't very useful IMHO.

scribu 3 hours ago 0 replies      
Standardizing APIs is a Good Thing. Unfortunately, standards alone don't seem to be enough. (oAuth2 anyone?)

Therefore, offering a proxy that has enough benefits to developers to make them switch to its standard seems like a more realistic approach.

So, I truly hope Mashape takes off.

captn3m0 4 hours ago 2 replies      
I spend a lot of time trying to convert the heckyesmarkdown.com service to an API in mashape. It was time consuming and kept on returning me incomprehensible errors. The documentation is unclear on how the APIs are supposed to be documented.

For a purely REST API, this might work, but for something like free-to-find services for which I need a quick-api solution to use, it just does not work. The API documentation editor (seriously, stop calling it documentation and call it specs instead) needs an advanced mode so I can use it better. Another thing I found missing was user help text on the apis themselves.

This might take off to become something like programmableweb, but developers won't rush to it with open-arms unless (a few) major api providers start using this.

danso 5 hours ago 1 reply      
Some of these APIs aren't very well developed...the Airbnb API, for example, is just an unofficial one, and so far supports only a "Hello World" endpoint


mangoman 5 hours ago 0 replies      
I think the idea of putting APIs into a store is a great way for smaller devs to really get their products noticed, and even monetize their hard work easier. And as a developer I totally see the need for this kind of product. I'm tired of searching for an api on google/github/etc and not being totally sure of its quality, and I would love to see if Mashape will grow and perhaps allow people to review APIs, and host examples as well.
3amOpsGuy 6 hours ago 1 reply      
>> When you're a marketplace, you always fight the chicken/egg problem and the last thing you want to do is open up a marketplace when you don't have enough supply yet

What are your views here?

This is a really interesting question for me. I keep putting off a side project that I'd love to do because it suffers this exact problem.

I want to believe there's another way to handle this situation.

mike626 4 hours ago 0 replies      
Craigslist isn't participating? That's surprising!
eranation 5 hours ago 0 replies      
Too much load on launch day? I get a "Oops, an error occured :S" screen

Edit: back now

nivertech 5 hours ago 1 reply      
looks kinda like APIgee
Some Fresh Twitter Stats (as of July 2012, Dataset Included) diegobasch.com
4 points by ryannielsen  37 minutes ago   discuss
Jonah Lehrer Resigns From The New Yorker After Making Up Quotes mediadecoder.blogs.nytimes.com
80 points by kevinalexbrown  8 hours ago   57 comments top 7
tptacek 8 hours ago 1 reply      
Just in case you're skimming: this comes at the end of a bit of a saga for Lehrer, who had also been discovered "plagiarizing himself", recycling significant chunks of previously-published work in new New Yorker pieces. No doubt there's been a fine-toothed comb running through everything he's done since that first story broke.
credo 8 hours ago 1 reply      
It is interesting that this duplicate submission (submitted 14 minutes after http://news.ycombinator.com/item?id=4314048 ) is on the front page, while the original submission only has one upvote :)

[edit]: response to th0ma5: As the smiley and the comment should have made clear - this is not a matter of anyone being "too upset" about anything (and you th0ma5 were the only person investigating and talking about karma :)

Btw in spite of the downvotes, the comment is back in positive territory, so presumably, other people disagree with your comments about what is OT

As for the title, the NYT headline doesn't fit into 80 chars, which is why one submission removed "Dylan" and the other removed "New Yorker"

hammock 8 hours ago 3 replies      
The full AP story has more info at the bottom. http://www.google.com/hostednews/ap/article/ALeqM5iEB7lzn2h8...

Among Lehrer's inventions was a quote that first appeared in the famous documentary from the mid-1960s, "Don't Look Back," in which Dylan tells a reporter about his songs that "I just write them. There's no great message." In "Imagine," Lehrer adds a third sentence, "Stop asking me to explain," that does not appear in the film.

According to Tablet, Lehrer also invented quotes on how Dylan wrote "Like a Rolling Stone" and, when confronted about them, alleged that he had been granted access to an uncut version of "No Direction Home," a Dylan documentary made by Martin Scorsese. Lehrer now says he never saw such footage.

Still curious to see a full account of all the Dylan quotes in question. Anyone have it?

monochromatic 55 minutes ago 0 replies      
> "The lies are over now," he said. "I understand the gravity of my position. I want to apologize to everyone I have let down, especially my editors and readers."

This reads as "I am so so sorry that I got caught."

dmazin 7 hours ago 2 replies      
My favorite part of this mess is that Jad Abumrad (one of the two guys behind Radiolab which, I think, is extremely messy with its science) called the initial ousting of Lehrer when he recycled passages a "cheap moral crusade."[1]

[1]: https://twitter.com/jadabumrad/status/218042197826732033

misiti3780 7 hours ago 3 replies      
I understand that making up quotes is illegal and unethical but is using prior work acceptable as long as you cite it (I'm not a journalist)
ChuckMcM 8 hours ago  replies      
Sad. Too many people operate with the motto 'it's not illegal if you don't get caught'. It nearly always turns out badly for them.
Does category theory make you a better programmer? debasishg.blogspot.nl
65 points by jamesbritt  8 hours ago   36 comments top 10
tikhonj 8 hours ago 3 replies      
I think it does. Of course, I think this as somebody who has just begun learning about it, so I certainly don't speak from any experience :P.

Particularly, category theory seems to center around abstraction. I think abstraction is essentially the core of CS (but maybe that's just because of SICP) and exceptionally important in everyday programming. Learning this sort of math (along with some related fields like abstract algebra) essentially allows you to unlock a higher level of abstraction.

This can help in two ways. For one, it allows you to write more general code and create extremely useful libraries. The Haskell standard library, naturally, is a great example of this. Additionally, it helps with thinking about conceptually difficult concepts in programming. For example, even just the basic ideas of category theory really helped me to understand and work with non-deterministic programming. Thinking about composing non-deterministic functions, and how these functions behave much like normal functions, made life much easier.

Category theory is one of the more abstract branches of math, so it's no surprise that it lends itself to great programming abstractions. Understanding and using such abstractions in a uniform and systematic way is extremely useful, so I think it's definitely an area that would be beneficial for programmers to study.

It's also fun, but that's another story entirely :).

skybrian 6 hours ago 3 replies      
In my experience, programmers who try to "think generically" tend to write overly abstract code that just gets them into trouble and leaves a mess for the next programmer. So maybe knowing category theory makes you a worse programmer?

It seems like this question would be more convincingly answered by showing how a practical program can be improved by knowing some category theory.

strlen 7 hours ago 0 replies      
This is a very well written post and I have a great deal of respect for its author. I also happen to find Category Theory to be extremely beautiful, but its beauty (much as the beauty of many other theories in physics and mathematics) does not rest upon its applicability to programming.

The ultimate answer to the question is more nuanced: understanding functors and monads is probably only moderately correlated with programming skill and not just in an enterprise software context (would it be of any use to an embedded programmer or a kernel hacker?). Additionally, using and applying a limited subset of category theory in practical context (lifting, functors, monads) does not really require understanding category theory per-se, although I'd imagine it's a good "gateway drug" (learning Haskell had this effect on me).

DanielRibeiro 6 hours ago 0 replies      
Yes. It can also make you a better topologist, physicist and logician, as this paper states it[1]: Physics, Topology, Logic and Computation: A Rosetta Stone

This paper is also a very good introduction to Category Theory.

[1] http://math.ucr.edu/home/baez/rosetta.pdf

justincormack 7 hours ago 3 replies      
You don't need Category Theory to tell you that there is a duality between structs and unions, any C programmer could tell you that.

Mind you I spent a lot of time working with Haskell in an academic environment and never understood the first thing about category theory. Especially those bloody diagrams that were supposed to be proofs.

It is entirely possible to understand functional programming and abstraction without understanding any category theory...

michaelfeathers 5 hours ago 0 replies      
Every new way that you can impose a schema on the world helps you as a programmer, as long as you know that it is just another way of looking at things.
pgcosta 7 hours ago 0 replies      
One of my CS teachers is very bold on saying that understanding program calculation can increase the quality of code, though he fails completely to help his students apply the knowledge he "preaches".
Anyway, he is a very intelligent guy (genius like), and is making a book on the subject (still incomplete). Here's the link if you're interested: http://wiki.di.uminho.pt/twiki/pub/Education/CP0809/Material...

My teacher does bring up interesting points, such as the lack of programming quality these days, and the lack of precision in what should be very precise and defined, namely "software engineering".

patrickmclaren 7 hours ago 0 replies      
Although some aspects of Category Theory will apply to Programming, it seems to me to be a slight abuse of language in that the majority of the theory does not correspond to physical and/or digital systems.

More importantly, Category Theory is a language that allows you to describe behavior and qualities, abstractly; it does not prescribe a specific methodology.

taybin 4 hours ago 1 reply      
Yes, in the same way learning anything can make you a more well-rounded person. Learning category theory would also make you a better basket weaver.
nnythm 5 hours ago 0 replies      
It seems like you get most of this stuff from a basic abstract algebra course. How does category theory help me beyond what I got from modern algebra 101?

edit: this is from the perspective of someone who knows a little abstract algebra, and wonders if it would be sufficient to brush up on my algebra to get these ideas, which seem a little familiar, or if category theory is really important to get these ideas. I'm not trying to be a contrarian.

How Intuit Manages 10 Million Lines of Code drdobbs.com
3 points by aritraghosh007  21 minutes ago   discuss
Lessons in website security anti-patterns by Tesco troyhunt.com
305 points by troyhunt  20 hours ago   107 comments top 6
chrisacky 18 hours ago 6 replies      
Hey Troy,
Thought you might be somewhat interested in this one. Remember the cool guys over at http://www.realestate.com.au/ Just to refresh your memory..


Anyway, "we are aware of this issue and are working on it".

Click http://www.realestate.com.au/ then "Register".

Then stand in utter amazement at their solution.


Why do we need your email address?

> We send your password via email.
> Your email address is your log on.
> If you forget your password, we'll send you a new one.


This is hilarious. I can only assume that they took offence to you choosing a "strong version" password, so they decided, how can we fix this? I know, let's just pick the password for them.

So, their fix that they told you about, was to ensure that you can't pick a password at all, and they will still email you their "super strong version password"...

> Thank you for registering. Your password has been sent to username[at]gmail.com. It should arrive shortly.

12 seconds later.

Your password is: DTCNE

(In case people aren't aware, realestate.com.au is owned by HomeAway)

Smerity 18 hours ago 5 replies      
This is a hilarious, albeit depressing, view of the state of cyber security as seen by the general public. People, even those who are generally considered computer literate, don't have any understanding of web security. Due to this, Tesco won't hit any negative publicity outside of a tight knit circle of programmers. In fact, saying that everything is "stored securely" according to "industry standards" would reassure most people.

There have been many calls in past exploit threads for a name and shame policy, but that won't do anything. Name and shame only works when people keep up with the list, and people won't. They're too busy with their lives to focus on a list, especially given the number of insecure websites around the world.

We need everyone to have a list of easy to remember rules about web security from a consumer perspective. This list of rules needs to reach everyone. Putting them in the browsers may lead to the exposure needed, but I don't see that happening.

This primitive level of education needs to start breaking through as it's only going to get worse as computing and security advance further. We haven't even finished explaining to people that plain text passwords almost always indicate impending disaster, yet we already need a way to explain MD5 is never enough and SHA256 isn't enough without a salt...

peterwwillis 14 hours ago 2 replies      
What's really weird to me is how some people can foster an actual anti-security mindset, where they explicitly try to argue against proper security practices. I don't know where it comes from, but I've seen it often.

You report that the way a particular type of SSL cert is implemented leaves a MITM attack, and they come back with a dissertation on why MITM is not a concern of ours. (Oh? Then why the fuck are we encrypting the connection?!)

You tell them that they have unpatched, years-old, remote root vulnerabilities in their servers, and they give you the long list of reasons why we not only don't need to patch it, patching it would be bad.

You tell them how storing a password unhashed will lead to a PR catastrophe when an attacker gets your PW DB. They tell you that implementing scrypt isn't feasible, bcrypt is weaker than scrypt, SHA1 hashes are easily crackable, and that if somebody has our PW DB we have bigger problems, so we shouldn't even worry about the passwords. And since we shouldn't worry, we might as well e-mail them.

My guess is they think it will be extra work and they're trying to avoid it. The alternative that I hope isn't true is that their egos are so big they don't want to believe they did something insecurely, so they craft a story to tell themselves and others that actually what they did was smart. Either way, the users lose out in the end, and there's nothing we can do about it.

elithrar 19 hours ago 1 reply      
I watched this exchange occur over Twitter on the weekend; the worst part of it was not that Tesco stores the password in a reversible manner, but that their representative actively defended their mechanism.

Otherwise, all of their other "crimes" (cookies are sent unencrypted, etc) are bad but not really unexpected from a large chain like this. I'm never really surprised when large organisations get these things so wrong, given the way many either contract this work out and/or [mis]handle it in-house.

codeka 17 hours ago 2 replies      
> In fact the only real possibility that leaves any credibility whatsoever is that the stored password is being decrypted then compared to the password provided at logon using a non-case sensitive comparer.

You can do case-insensitive passwords with hashing/salting. It's just a matter of lower-casing the password before hashing it. (Edit: I'm not saying this is a good idea, of course!!)

I remember reading once that Facebook actually hashes multiple versions of your password (eg with the first letter upper-cased to handle the case where a phone auto-corrects it, and also with all character cases toggled to handle the case when you left caps lock on). I wonder if there's any statistics about how often this kind of thing actually helps?

Of course, it seems pretty clear in this particular case that Troy is right and they're just storing your password in a case-insensitive database column.
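
The two approaches mentioned in the comment above (lower-casing before hashing, and tolerating a few specific typing slips), sketched with a salted scrypt hash. This is an added example, not code from the thread or from any site discussed in it; all function names, the scrypt parameters, the sample password, and the choice to try variants at login against one stored hash are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: illustrative values chosen for this example.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def hash_password(password, salt=None):
    """Return (salt, digest) using a per-user random salt and scrypt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt, digest


def _matches(candidate, salt, stored):
    """Re-derive the digest for one candidate and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


# Scheme A: fold case before hashing. Every case mix of the password is
# accepted, so upper/lower case adds nothing to the password's strength.
def enroll_casefolded(password):
    return hash_password(password.lower())


def verify_casefolded(typed, salt, stored):
    return _matches(typed.lower(), salt, stored)


# Scheme B: store the hash of the exact password and, at login, try a small
# fixed set of variants that undo common input slips.
def login_variants(typed):
    variants = [typed, typed.swapcase()]  # as typed, caps lock left on
    if typed[:1].isupper():
        # a phone auto-capitalised the first letter
        variants.append(typed[:1].lower() + typed[1:])
    return list(dict.fromkeys(variants))  # de-duplicate, keep order


def verify_with_variants(typed, salt, stored):
    ok = False
    for candidate in login_variants(typed):  # always check every variant
        ok |= _matches(candidate, salt, stored)
    return ok


def demo():
    """Return {typed: (accepted_by_A, accepted_by_B)} for constructed inputs."""
    password = "hunter2Example"  # constructed sample value
    salt_a, stored_a = enroll_casefolded(password)
    salt_b, stored_b = hash_password(password)
    attempts = [
        "hunter2Example",  # exact
        "HUNTER2eXAMPLE",  # caps lock on
        "Hunter2Example",  # first letter auto-capitalised
        "HUNTER2EXAMPLE",  # arbitrary case change
        "hunter2example",  # arbitrary case change
        "hunter3Example",  # wrong password
    ]
    return {
        t: (verify_casefolded(t, salt_a, stored_a),
            verify_with_variants(t, salt_b, stored_b))
        for t in attempts
    }


if __name__ == "__main__":
    for typed, (a, b) in demo().items():
        print(f"{typed:16} case-folded={a!s:5} variants={b}")
```

Scheme B costs up to three hash computations per login attempt, which is the trade-off for keeping case as part of the secret.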

jiggy2011 14 hours ago  replies      
The plain text password thing might have been an edict come down from marketing.

For example, they might find that people who forget their password become less likely to use the site because when they get their new (hard to remember) password emailed to them they can't figure out how to change the password back to what it used to be. This means they end up resetting their password every week to do their shopping.

Is Nginx obsolete now that we have Amazon CloudFront? peterbe.com
45 points by peterbe  7 hours ago   37 comments top 11
gojomo 6 hours ago 3 replies      
More generally: once you adopt any of the various schemes for having an inbound proxy/front-end cache (Fastly, CloudFlare, CloudFront, or an in-house varnish/squid/etc), are all the optimizing habits of moving static assets to a dedicated server now superfluous?

I think those optimizing habits are now obsolete: best practice is to have a front-end cache.

A corollary is that we usually needn't worry about a dynamic framework serving large static assets: the front-end cache ensures it happens rarely.

Unfortunately it's still the doctrine of some projects that a production project will always offload static-serving. So for example, the Django docs are filled with much traditional discouragement around using the staticfiles serving app in production, including vague 'this is insecure' intimations. In fact, once you're using a front-end cache, there's little speed/efficiency reason to avoid that practice. And, if it is specifically suspected to be insecure, any such insecurity should be fixed rather than overlooked simply because "it's not used in production".

kiwidrew 21 minutes ago 0 replies      
There's a good post from late 2011, in the context of 12-factor deployment on Heroku, where the author muses about just using a pure Python server behind a CDN to serve static content:

...and yeah, I think I should bloody use this server as a backend to serve my in production.


bithive123 4 hours ago 1 reply      
I think not. Requirements change, and locking myself in to a front-end cache is not appealing. I may also have things which I can't or won't let others cache for me, so I want my local stack to be optimized anyway. You won't see me serving everything out of WEBrick anytime soon just because I have a cloud cache.

It's nice to be able to defer decisions, especially optimizations, but making performance someone else's problem entirely seems like it could promote sloppy thinking and poor work. It's the difference between augmenting a solid platform when the need arises versus front-loading dependencies because it's okay to be lazy.

meritt 5 hours ago 1 reply      
When you're only using nginx as a CDN, then yes another CDN can replace it.

nginx can do a lot more than serve static files.

StavrosK 4 hours ago 1 reply      
Does anyone have experience with using nginx as a caching proxy? I've used Varnish and swear by it, it's just an amazing piece of software. How well can nginx replace Varnish?
georgebarnett 5 hours ago 2 replies      
I was once told by somebody wise that if a post asks a question, then the answer is usually no.

e.g.: Is Mountain Lion going to kill Windows 8? .. etc.

devmach 6 hours ago 3 replies      
Sure it's obsolete, who needs databases and live, changing data. All we need is static pages. Besides who needs to build his own infrastructure, it's 2012 right? Let's buy it.
rabidsnail 5 hours ago 2 replies      
nginx still buys you SSI (which allows you to, for example, cache the same page for all users and have nginx swap out the username with a value stored in memcache), complex rewrite rules, fancy memcache stuff with the memc module (ex: view counters), proxying to more than ten upstream servers, fastcgi, and lots of other fancy stuff.

Cloudfront is a replacement for varnish, not nginx.

cbsmith 5 hours ago 0 replies      
Wait, so if I pay more for a CDN to deliver my static data, that will work better than when I try to save money and do it myself?

[Insert Oscar winning Face of Shock here]

zimbatm 4 hours ago 0 replies      
Before implementing that, be aware that CloudFront doesn't support custom SSL certificates. If you have any user-session in your app, you don't want them to login on https://efac1bef32rf3c.cloudfront.net/login
banana_bread 6 hours ago 2 replies      
CloudFront is pretty good, just make sure you are able to config your asset source in one line. Otherwise you have to use a tool to invalidate the cloudfront cache frequently during dev and it's not instant.
After Carping About NBC's Olympics Coverage, Journalist Suspended from Twitter betabeat.com
61 points by iProject  8 hours ago   26 comments top 5
nthitz 7 hours ago 6 replies      
Technically he was suspended from Twitter for tweeting the email address of NBC exec Gary Zenkel.
josephcooney 5 hours ago 1 reply      
Toppling governments in north africa/persian gulf - OK. Lambasting major US corporation for their ineptitude - NOT OK.
debacle 7 hours ago 2 replies      
This appears to be true. If it is, coupled with all of the other crazy Olympics Twitter snafus, Twitter is pretty much dead to me. I only use it to follow the ~20-30 obscure Internet celebrities that I care about, and for that it was useful, but it's not worth associating with such a scatterbrained company.
stfu 5 hours ago 0 replies      
Sad to see Twitter becoming one of these companies who easily bow to corporate/government intimidation. Always thought Twitter was one of the good guys. Very disappointing but fortunately this is becoming a "story". Let's see what kind of damage control they are trying to pull off.
kaiju 7 hours ago 2 replies      
"How are the first social media games going?"

Wait, what? Social media didn't exist in 2008?

Google Talk for Developers developers.google.com
114 points by ovechtrick  12 hours ago   36 comments top 9
kyro 11 hours ago 4 replies      
I'll take this opportunity to kindly request that someone build an alternative to gTalk and Skype for video chatting. The forums for both are filled with complaints that do not ever get answered. Both products are huge resource hogs - gTalk will freeze my browser and Skype repeatedly disconnects and just slows down my entire machine. And it seems to happen to many, many people out there. On top of that, we all know Google offers little to no customer service, and it seems as if the Skype folks have just completely abandoned addressing any issues.

I've said this before: we are long, long overdue for a gTalk/Skype killer for video chat. At this point, I'm willing to pay for something better.

ZoFreX 6 hours ago 0 replies      
This is absolute hogwash. Google Talk moved away from the standards it was built on a long time ago and this token gesture does nothing to make it any easier for developers to integrate their systems. If Google really wanted to be open, here's what they would do:

* Create an XEP for the method they use for history replay so that other clients and servers can get in on that goodness

* Implement XEPs that the most popular XMPP clients have that Talk does not (for example contact sharing so you can use transports without having to click "yes" to adding a contact 200 times)

* Either bring their Jingle in-line with the standard /which they helped create/ or create a new version of the standard incorporating their proprietary changes

* Release the protocol that the Google Talk Android app uses. It's proprietary, slimmed-down, and means that any other XMPP client or GTalk client on Android is at a huge disadvantage in terms of sign-in time and data usage.

Yrlec 9 hours ago 1 reply      
If you're looking for Java alternative to libjingle (which is written in C++) then I can recommend Jitsi (https://jitsi.org/). From what I understand they are more or less compatible with each other.
Kilimanjaro 11 hours ago 0 replies      
Allow me to connect to GTalk via webSocket and I'll do the rest. Appengine already supports xmpp bots so it would be a piece of cake to manage presence, stanzas, etc.

That's all I ask for:

    ws = new WebSocket('ws://talk.google.com:5222')

mikeevans 11 hours ago 1 reply      
What's so special about this? I thought it was common knowledge that Google Talk was on Jabber/XMPP.
pm90 9 hours ago 1 reply      
It's high time that they also released an api for google voice[1]. If there are any googlers reading this: why has this not been done yet? I've been looking into this in my spare time as there is no google voice client for Meego (Nokia N9) and I wanted to write one/improve an existing one[2]

[1] http://stackoverflow.com/questions/1668619/is-there-a-google...

[2] http://code.google.com/p/qgvdial/

wamatt 10 hours ago 1 reply      
And now if they could combine Google Voice and Google Talk into a combined product....
cmatthieu 8 hours ago 0 replies      
I agree and recently started working on a peer-to-peer, audio/video chat client called twelephone - here's a demo of the WebRTC-based project as of this weekend. http://youtu.be/9GvBe0kCJGI
jeffxl 11 hours ago 2 replies      
Wait, Jingle supports file transfers, but Google Chat currently doesn't?
HTML5 & CSS3 Fundamentals: Development for Absolute Beginners | Channel 9 msdn.com
42 points by johndcook  8 hours ago   10 comments top 4
debacle 7 hours ago 2 replies      
I'd really like an "HTML5 & CSS3 for developers who have supported IE6 for the last ten years."

Because that's where I'm at. I don't have the time to learn HTML5 because I won't be able to use it for years to come.

kimmel 5 hours ago 1 reply      
No mention of polyfills for IE8 and below. Ha. It should read 'HTML5 & CSS3 Fundamentals: This shit don't work in IE6-8 without polyfills'
bgramer 3 hours ago 0 replies      
Too bad the videos are not subtitled/captioned.
azat_co 8 hours ago 0 replies      
Thanks for the link!
Chrome treats DELETE requests as GET and caches them code.google.com
91 points by eranation  12 hours ago   56 comments top 9
T-R 9 hours ago 2 replies      
Chrome's excessive caching is so broken for RESTful web services that I've just given up on letting it cache any requests from Javascript. It completely ignores Vary headers, too, so hitting the back button after an AJAX request to the same URL (but with a different content-type) as a visited page displays the AJAX response (e.g., JSON) instead of the page. Worse yet, it's been marked as WONTFIX.


jperras 9 hours ago 1 reply      
Not surprising. The amount of aggressive caching that Chrome does to make the web "faster" is excessive, not to mention infuriating. Developing a web application and using Chrome is an exercise in anger management.

And then there's the bug in the dev channel where multiple assignment was just plain broken (bug report: http://code.google.com/p/chromium/issues/detail?id=136380)


    var foo = function() { /* foo function */ };
    var bar = function() { /* bar function */ };
    var baz = function() { /* baz function */ };
    var sup = function() { /* sup function */ };

    foo.test = bar.test = baz.test = sup;

    console.log(foo.test); // shows bar, not sup

KirinDave 9 hours ago 0 replies      
And the update to fix this will be pushed in 3... 2... 1...
eranation 9 hours ago 0 replies      
By the way credit goes to Sebastian from blueimp.net (who wrote the excellent jQuery File Upload) for discovering and opening the bug initially.
eranation 12 hours ago 6 replies      
Why is this bad? For example, if you have an image you want to both DELETE and GET, and have cache control, once it's cached, the DELETE will return the bytes of the image without going to the server...
eranation 6 hours ago 0 replies      
Apparently your votes have helped, see official comment http://code.google.com/p/chromium/issues/detail?id=136320#c8

Priority was bumped

darkhorn 4 hours ago 0 replies      
Aahhhaaa that's why it behaves strange when you click the back button on ExtJS documentation! Instead of the previous page I see JavaScript codes. But yeah yeah Google knows what he is doing, for sure!
recursive 9 hours ago 1 reply      
I wasn't even aware that browsers could use request methods other than GET and POST.
pgambling 9 hours ago 1 reply      
Comment 4 on the bug report cracked me up:

"Obviously, google doesn't believe in deleting data."

NewsBlur (YC S12) Takes Feed Reading Back To Its Basics techcrunch.com
118 points by conesus  14 hours ago   33 comments top 10
conesus 14 hours ago 4 replies      
Thrilled to be launching NewsBlur's social features. NewsBlur has become something much bigger than what I ever thought possible when I wrote the first line of code in June 2009 in the New York City underground.

We're now two people and YC-backed. We have so many new big features coming down the pipeline. An iPad app, an updated iPhone app, an Android app, all first-class experiences.

This is the launch of Blurblogs. This is my blurblog: http://samuel.newsblur.com.

JeffJenkins 12 hours ago 1 reply      
I was working on a (now-shuttered) startup in this space. Almost universally people's favorite feature was seeing the live website. I had also built in a reading queue into the application, the idea being that you could do inbox-zero with your feeds if you could process them extremely fast.

I talked to a bunch of largely non-technical RSS power users and discovered that the people who really use RSS readers are subscribed to 1500+ feeds and barely scratch the surface of reading everything in them.

It was really disheartening to discover my fundamental premise was wrong, and at the same time my now-cofounder contacted me with a great idea with a clearly underserved market so I abandoned the solo effort for that.

I think there's a ton of room for innovation in the media reader space, so I wish NewsBlur luck!

bryanh 11 hours ago 0 replies      
I've been watching NewsBlur for a while now, even exchanging a few emails with Sam. He's a first class guy and I'm excited to see what he can do with NewsBlur. Congrats on the launch!
untog 13 hours ago 2 replies      
This is barely related to the actual article, and only occurred to me because I was excited by the name "NewsBlur", but then discovered that it isn't necessarily news-related.

Are there any startups doing interesting stuff with news, journalism or any of the like? I've seen a lot of services that will aggregate the links your Twitter friends are posting and so on, but I'm more interested in the actual reporting itself.

heyitsnick 9 hours ago 1 reply      
So as a heavy Google Reader user (processing about 300 articles a day), can someone sum up the advantages to switching to NewsBlur? It's not entirely clear from this article or the NewsBlur site. Or perhaps its target audience is not me?
look_lookatme 12 hours ago 1 reply      
First off congrats to the Newsblur guys. I am a big fan. One thing that I would really like to see is some sort of sharing feature akin to Google Reader's old "shared items".
carterschonwald 13 hours ago 1 reply      
Are you going to fix the feed archival problem at some point? (we've spoken about it before :-) )
roycyang 9 hours ago 1 reply      
Check out my version of a Blurblog, I styled it a little differently: http://roy.newsblur.com

On the roadmap, theming and letting people really make their Blurblog their own.

Full disclosure, I am 2 of 2 at NewsBlur!

misiti3780 11 hours ago 1 reply      
Congrats - does the funding affect plans to continue open-source development?
dtwhitney 8 hours ago 0 replies      
Google Reader is missing a serious mobile component, and I'm excited by what I see with NewsBlur. Congrats on the launch!
Google removes plus one button from organic search alexwebmaster.com
15 points by flavio87  4 hours ago   3 comments top 3
seanp2k2 10 minutes ago 0 replies      
Wow. Maybe they're actually realizing that people lately don't care about +1 (because it was both ambitious and horribly implemented in G+.)
pherk 7 minutes ago 0 replies      
At last some sanity sets in. That button really made no sense at all. In a typical scenario, I will decide whether I like or not only after visiting the page. And to visit the page, I have to leave the Google search results page.
austenallred 4 hours ago 0 replies      
Praise the Lord!
Hangouts now available in Gmail, Google+ account not required googleenterprise.blogspot.com
71 points by patrickaljord  11 hours ago   23 comments top 8
eoghan 9 hours ago 2 replies      
Google Hangouts is a surprisingly, truly amazing product, marred by its relationship with Google+.
zheng 10 hours ago 4 replies      
...not quite. The hangout backend will now power all video calls, but to do more than a 1-on-1 chat, you will still need a G+ profile.

Interesting as the old backend was p2p, but it sounds like hangouts are a more standard client/server. Maybe Google needed more voice data to mine. Actually better yet, facial expression data to mine. After all, Glass could live and die by its ability to correctly identify faces.

drivebyacct2 10 hours ago 0 replies      
I hope this is the first in a long line of reducing redundancy across Google's messaging platforms. Google+ posts, Google Talk, Google Hangouts, Google+ Messenger, Google Voice. Ahh! I wonder if iMessage's simplicity is motivating it?

I love the power of Google Voice but it doesn't get much love and iMessage is damn simple and pretty.

rodh257 5 hours ago 1 reply      
Disappointing that this doesn't include screen sharing. Our team have been using Google Hangouts for remote code reviews as it seems to be one of the better free options for screen sharing at a 30" monitor resolution (MeetingBurner is probably slightly better though). I'd much rather just use our Google apps gmail interface, rather than having to create a second Google+ account.
k3n 9 hours ago 2 replies      
> Google+ account not required

I think this is misleading on Google's part...

From outward appearances, everyone that has a Google account (aka. GMail) has a G+ account, and the only thing that changes when you "sign up" (or otherwise activate) is that you can log in to it yourself.

I was on G+ for awhile, but I've now since disabled it in my control panel, and yet people still share crap with me (as I'm still in their "circles") -- it just goes to my email. I think the service is always-on, they just don't let you into the UI if it's not "active".

itsnotlupus 8 hours ago 1 reply      
The truly radical change in Hangout is of course the recent addition of an alert sound being played when Hangout warns you they're about to kill your chat for no particular reason.

Long lived hangouts rarely get to stay on screen, so the silent "are you still there" message shortly followed by a disconnect was painful.

I'm still not sure how much money Google spends on maintaining p2p video calls open that makes it worth pushing users to stop using Hangout so darn much.

austenallred 5 hours ago 0 replies      
Perhaps this is evidence of Google realizing that they're putting too many good products inside of a product that nobody wants to use? Perhaps Google has regained its sanity?

Haha, just kidding. They're just going to use this to try and get more people on Google+

masek 10 hours ago 0 replies      
Would greatly improve the service...
The Boston Globe gets a look at a DB of every bomb the US has ever dropped bostonglobe.com
74 points by eob  11 hours ago   12 comments top 3
pan69 20 minutes ago 1 reply      
"One particularly relevant example: From October 1965 to May 1975, at least 456,365 cluster bombs were dropped on Vietnam, Laos, and Cambodia, according to the records analyzed. Cluster munitions, designed to release small bomblets, often did not explode on impact and still pose a hazard to villagers."

Apparently Laos is the most bombed country in the world:

"During the Vietnam War, Laos was the target of the heaviest US bombing campaign since World War II, making Laos the most bombed country in history."[1]

I believe the story is that US B52 bombers would take off out of Laos to drop their load on Vietnam targets. However, if they bypassed their target they were not allowed to dispose of their load on Vietnam territory. Since the bombers can't land with their load on board it has to be disposed of before landing. Apparently Laos was the place of choice. [2]

[1] http://en.wikipedia.org/wiki/Bomb_Harvest

[2] http://topdocumentaryfilms.com/bombies-the-secret-war/

danso 10 hours ago 3 replies      

    He worked nights and weekends finding out.
    Robertson unearthed 1,000 original World War I
    raid reports, and entered each by hand. For World War II,
    he scanned roughly 10,000 hand-written or typed pages.
    More modern conflicts meant combing a hodgepodge of
    conflict-specific databases.

This is the kind of thing I wish they [the Pentagon] would open up to hackathons. How many hours of this valuable historian's time was wasted doing manual entry, something that could've been expedited with some mTurk + OCR work? Not all civic data projects draw attention, but this one at least has the cachet of notable history, worldwide good (to help identify areas of possible unexploded ordnance) and, of course, things that go boom.

dfc 10 hours ago 0 replies      
It is worth pointing out that the article never claims that the database contains information on every bomb the US has ever dropped. The article clearly states that more information is needed, eg:

    "For the Korean War Robertson found the detailed mission records for the
    first 10 months of the three-year conflict but he is still trying to
    get his hands on the rest."

       cached 31 July 2012 04:02:01 GMT