hacker news with inline top comments    28 Jan 2014 News
Square thinks I dont exist kevinchen.co
251 points by kevinchen  4 hours ago   110 comments top 34
pyduan 2 hours ago 3 replies      
(Disclaimer: I write fraud detection algorithms for Eventbrite, and work closely with the team that built the fraud systems at PayPal.)

I'm sorry this happened to you. I personally believe the burden of proof should be on the company. However, that some choose to err on the side of caution is perfectly understandable.

The thing is that companies that handle credit card payments are very vulnerable to fraud because they are liable for consumer chargebacks [1], at least in the US. This is particularly unfortunate since US cards also happen to have pretty poor security (which also probably has something to do with the fact the merchants are liable, and not the banks). Stolen credit card numbers are extremely easy to obtain (cf. Target breach) [2], and once this is done fraudsters have basically two main ways to extract money out of it:

1) Use the card number to make purchases online, or better yet, find a self-service platform that lets you become a merchant then purchase your own offerings (eBay/PayPal, Eventbrite, etc.).

2) Duplicate the card (made much easier by the US' slowness in adopting chip-and-pin), and use it to pay for goods or to load the money on some account. Square is perfect for this since you own the card-reading device, which makes it much less risky than attempting to use a duplicated card at an ATM or at a retailer.

Now, the problem is that you potentially need a lot of cushioning to withstand fraud attacks: while the processor only makes profit from the transaction fee, they are liable for the entirety of the charge, so one single fraudulent transaction can wipe out the profit of thousands of good ones. Being attacked by a fraud ring for hundreds of thousands or even millions of dollars in a single day is not impossible (in fact we've seen this happen, and Eventbrite's transaction volume is much smaller than PayPal's or even Square's), so this is a lot of risk to take on for a company, especially a startup.

Regarding the bad customer service you've received, there is a specific reason why companies often decline to comment on fraud security checks: by allowing you a way of recourse, they would be disclosing information about how their system works, which makes it potentially vulnerable to attackers. For example, if they said "sure, just send us a copy of your driver's license and we'll lift the ban", this would be a signal for fraudsters to try to fake such documentation.

Overall, it's a complex issue and unfortunately frustration is part of the game (trust me, if PayPal could have found a way to make operations smoother and less frustrating, they'd have done it). At Eventbrite we've chosen to assume this risk and be more liberal with verification because we decided that providing a good user experience is worth losing some money over (and because we have faith in our ability to keep up with the fraudsters), but this is a decision every company that handles money has to make and it's not an easy one.

[1] http://en.wikipedia.org/wiki/Credit_card_fraud#Merchants

[2] fun fact: you'd be surprised to see how big this underground economy is; it's so well-oiled that some sellers even provide customer service on the credit card numbers they sold, and offer money back guarantees if the card has already been deactivated

steven2012 1 hour ago 4 replies      
To the OP:

If I were you, I would check your credit report IMMEDIATELY.

I'm in the same boat as you, except I'm in my 40s. Most companies use Experian or Equifax to do some sort of credit verification by asking these questions. However, about 5 years ago, the credit agencies merged my credit record with someone else's with the same name, but entirely different birthday and location.

Evidently, they don't give a fuck because it took me years to get this wrong information off of my credit records. I don't understand how this isn't libel, since they are spreading false information about me, and that drastically affected my credit, and I had to jump through hoops to get everything corrected.

The thing that really sucks is that Experian STILL has the wrong information about me, so when I'm asked these credit questions, it's mixed with the other person's data, so I always fail the credit check. Despite having nearly perfect credit, I've failed the credit check numerous times, and like you, the decision has always been final, because no one appears to give a fuck.

The problem is I have no idea how to get Experian to refresh their data, even though it's several years old now.

It might be the case that the OP's credit history has been merged with someone else's, and if this is the case, they need to fix it as soon as possible. Use the yearly free credit report to make sure there are no loans or credit cards associated with your name, and if so, you need to call every single credit agency and dispute it. It really sucks, and I don't understand how we let the credit agencies have this much power, where we the consumers have to suffer like this whenever THEY fuck up.

nlh 2 hours ago 1 reply      
The response "I'm sorry our decision is final and we cannot communicate any further" that vendors give (Google, Square in this case, etc.) is nothing short of stomach-clenching maddening. Just reading it fires up rage inside me.

I understand why they do it -- it's pretty clearly related to their anti-fraud / anti-spam / security systems, and I understand that by giving any further information, they're exposing those prevention measures to weakness. And I'm sure in cases of real fraud / spam / security risk, this is the right approach.

But man, does it stink for everyone involved when there's a false positive (i.e. in this case). There's got to be a better way of handling this. Some sort of escalation / appeal process?

(And if there isn't -- hint hint, companies that haven't gotten big enough to be immobile on this issue: Implement one.)

JumpCrisscross 3 hours ago 3 replies      
File a complaint with the:

(1) Consumer Financial Protection Bureau (CFPB): http://www.consumerfinance.gov/complaint/, and,

(2) New York State Department of Financial Services (DFS): http://www.dfs.ny.gov/consumer/fileacomplaint.htm.

This will make it more likely that you see a favourable resolution. Further, this assists due process in identifying and resolving problems in our financial system.

uladzislau 3 hours ago 0 replies      
From the recent story - Square faces rancor from merchants over customer service:

"Barry said she grew so frustrated exchanging e-mails with customer service representatives that she drove two hours to the company's San Francisco headquarters to get some help in person.

Instead, she cooled her heels in the lobby for a couple of hours. No one would speak to her, she said, and the security guards threatened to call the police. Then Square deactivated her account, saying "high-risk activity was detected."


abalone 2 hours ago 3 replies      
Just to add some context, this is a not unexpected consequence of Square's approach, which in many ways parallels what Paypal did in the ecommerce space.

Prior to Square the individual / very small business market was underserved (for real-world transactions). You had to go through a PITA application and due diligence process with a processor. And you typically had to pay significant up-front costs and ongoing fees to maintain your account.

There's a reason for that: the processor is financially liable for any fraudulent merchant charges. If a merchant signs up and puts through $10K of fraudulent charges and skips town with the money, it's the processor that pays.

So Square did two things. First it lowered the upfront costs by piggybacking mobile devices to turn them into low-cost swipers.

But the second very crucial thing they did is hidden on the back-end: they streamlined the signup process and support costs. They did that by doing exactly what you see here, using alternative ID and credit check methods. And making their customer support largely a self-service operation.

The good news is that the particular case you see here is probably fixable with continued improvement. But that's why it happened.. they are replacing an otherwise more costly and burdensome signup process with something largely automated. And there's a lot of money at stake if they screw it up and let fraudsters on board.

HectorRamos 3 hours ago 2 replies      
I went through this almost two years ago, with the key difference being that I was able to sign up with Square and accept payments around four years ago (whenever they launched). I even interviewed there at one point, just like you.

After two months, they closed my account because I was living in Puerto Rico at that time and there are no partner banks in Puerto Rico. Once I moved to San Francisco and linked Square with my new California bank account, I was able to accept payments again.

Then one day I got a notification indicating that my account had been closed, and that the decision is final. I contacted Support, and they reiterated that their decision was final, and could not communicate with me any further.

It is the weirdest interaction I've ever had with a company. I still use them as a payment method and I'm a big fan of the company, but I feel disappointed whenever I log in and they remind me that my merchant account is disabled.

mcphilip 3 hours ago 1 reply      
From the fine print on the linked Identity Verification Service page [1]:

>Due to the nature of the origin of public record information, the public records and commercially available data sources used in reports may contain errors. Source data is sometimes reported or entered inaccurately, processed poorly or incorrectly, and is generally not free from defect. This product or service aggregates and reports data, as provided by the public records and commercially available data sources, and is not the source of the data, nor is it a comprehensive compilation of the data. Before relying on any data, it should be independently verified.

I'd guess the failure rate of using this service was deemed an acceptable trade off to implementing an independently verified service.


siculars 2 hours ago 0 replies      
So this is what millions of low income, undesirable customers face every day when they try to join the financial system by opening a checking account. What OP has experienced is the next iteration of that. What happens to society when the gatekeepers of our technologically enhanced future decide for some arbitrary, non-appealable reason that you are an undesirable and you may not participate. Everything from accepting payments via a doohickey on your iPhone to even having an iPhone. Or maybe the internet. Maybe you can't have the internet because the "we say so" authority says they don't like the neighborhood you live in or something that was in your credit history.

I'm getting failed on a similar knowledge-based identification on Coinbase right now. Failed twice already. At least it's not a final decision, to their credit.

There need to be laws against this almost certain dystopia. That's one reason why I support the EFF.

tptacek 3 hours ago 4 replies      
The comparison to Paypal is funny. Paypal has decided that I don't exist, or, if I do, that I'm somehow ineligible to buy things through Paypal using my credit card.

Buy. Things.

If your site does payment processing through Paypal then, through some accident of account processing or technology or the history of my account, I can't use any of my 3 payment cards to buy what you're selling, because Paypal believes it needs to (for reasons passing understanding) link directly to my bank account before any card with my name on it can be used through Paypal.

DigitalSea 2 hours ago 0 replies      
I am seeing some parallels between how Paypal operates and deals with their customers and how Square deals with their customers, you know the ones that make them profit from the fees they charge for using their service? Sadly, this is how big commerce works. You try and try to get a human response and you're met with the old favourite, "Our decision is final" nonsense.

I recently encountered this with Electronic Arts and their Battlefield 4 game. I forked out about $150 AUD for the base game and premium edition only to be informed my account has been permanently banned after coming back from a month in Europe on holiday because they said I was cheating. Well actually, they wouldn't give the exact reason, but that was essentially what their response implied. When I asked for whatever proof they had, they said our decision is final and we can't show you any proof.

I am in the process of getting a refund as I paid by credit card, but this is definitely a commonly recurring theme amongst larger companies who struggle to deal with their customers and ultimately retain them. What kind of business model punishes their customers?

Good luck, I think you have a real chance of getting some human response now that this is on the front page of Hacker News. My understanding is that this is how people get responses from people over at Paypal as well, create a loud enough noise for someone higher up to respond as to avoid a PR nightmare and get your problems resolved.

tzs 56 minutes ago 0 replies      
So could I potentially vex an enemy by trying to sign up for Square in his name, and blowing the questions, so that he gets banned from Square?

(I realize I could possibly answer this experimentally, but I'd rather keep this theoretical)

geetee 3 hours ago 0 replies      
I really dislike these ID verification services. I had my identity stolen about a decade ago; worked it out with the police and credit bureau. To this day, I still get verification questions related to the fraudulent credit card account. Do I answer truthfully and not get verified, or play the game and choose the "correct" yet wrong answer? (answer: play the game.)
lisper 3 hours ago 2 replies      
I had a similar experience recently when I tried to get my free annual credit report. To verify my identity they asked me questions about my financial history, mainly about my credit history. Well, I haven't had a loan in many years, so they had to dig deep into the archives and asked me about the monthly payment amount on a car loan that my wife had over ten years ago. My financial records actually go back that far, but hers don't, so I was unable to "prove" that I am me (with "prove" in scare quote because IMO it's highly questionable whether getting the right answer on a multiple-choice quiz can possibly "prove" anything about anyone).
rurounijones 2 hours ago 0 replies      
The whole "Prove you are who you say you are by answering questions a fuzzy computer system says you should know" seems very Kafkaesque.
jessaustin 3 hours ago 1 reply      
It's sort of funny, that all three verification questions listed would be answerable by an attacker, but at least two would be easy for normal people to get wrong.
cordite 3 hours ago 0 replies      
I like how I had no problem, when I was sixteen, setting up PayPal so that I could buy some random components for some old PDAs from China on eBay.

But this is seriously upsetting, the tone of this writing wants to rip my heart out for the author. I can only wish that this gets resolved decently.

His comparison also reminds me how Amazon's customer service is absent as much as possible. Automation and all that. Yet on that topic, it seems people don't mention Google as much. (I wonder if they filter that out in their results..)

tomasien 1 hour ago 0 replies      
This is another problem with payments that rely on the credit card rail. I hate the credit card rail. The CC rail doesn't know who you are, it doesn't know anything, isn't convenient online, and charges merchants insane fees. Forget it, unless you want to pay with money you don't have (aka credit, aka how only 30% of consumers use CCs).
pmorici 1 hour ago 0 replies      
And people keep asking what the advantages of BitCoin are over Paypal/Square/Credit Cards/you name it.
rajacombinator 16 minutes ago 0 replies      
Welcome to the world of financial services. They're not designed to help you.
adamio 3 hours ago 0 replies      
There are also lots of reports online regarding Square holding payments to sellers, without much info why. Plus they have no phone support, only an email address.
rdl 1 hour ago 0 replies      
You have to be 18 to sign up because you need to be able to sign a legal contract.
rpauli 3 hours ago 0 replies      
And don't be forgetful or old... I'm way over 60 and since I cannot remember names and places I lived 30 or 40 years ago, I am constantly locked out.

So if they have the data, why couldn't a pirate, NSA officer or errant banker?

Perhaps a better test is what I choose to forget.

jtbigwoo 2 hours ago 0 replies      
It's time for us to understand that Square is the bare-bones bottom-of-the-market provider. Just because they seem slick and high-tech doesn't mean they're Apple. They want to be the Wal-Mart of payments, driving down their costs at every turn. There's nothing wrong with that, but it's something that we, as potential customers, have to be clear about.
jayzalowitz 3 hours ago 0 replies      
Well crap. I have social data for millions of people. I could put together a backup version of this easily. Does anyone have a use?
ck2 2 hours ago 0 replies      
I have the same problem with raise.com - they refuse to sell me anything.
billclerico 2 hours ago 0 replies      
Identity verification of small merchants is a really hard problem to solve with 100% accuracy (or even 90% accuracy). At WePay, we use Facebook identity to help supplement KBA. It's not 100%, but does dramatically increase success rate.
imkevinxu 2 hours ago 0 replies      
Same exact thing happened with Dwolla. Couldn't figure out if the identity verification service used my old address, current address, or my parents' address. I'm still locked out...
midas007 3 hours ago 0 replies      
It's trying to be a non-repudiation system based on something only you and they know. Unfortunately, without a credit history or paying utility bills, credit sources alone aren't enough. So why not use other facts such as partial DoB, partial SSN, parent(s)' SSN, etc. only when no other details are available? It's not ideal, but it's better than either losing business or falling back on something much less secure, e.g. facts that are in the public record.
pbreit 1 hour ago 0 replies      
If you visited and interviewed there, I'm assuming you tried emailing one of your contacts?
Sami_Lehtinen 3 hours ago 0 replies      
Sounds really silly and backwards. Why don't they simply use strong online identity detection? Should be simple and secure.
rpicard 3 hours ago 0 replies      
I always seem to fail these kind of identity verification systems. It has made it a pain to get a bank account online and to get a credit report.
nathancahill 3 hours ago 2 replies      
Does Bitcoin think you exist?
fivre 3 hours ago 0 replies      
This story loaded right above https://news.ycombinator.com/item?id=7131231 (the Bitcoin exchange arrests). Kind of ironic.
Facebook can now read your texts calileo.com
26 points by WestCoastJustin  1 hour ago   25 comments top 16
simonsarris 34 minutes ago 1 reply      
Is there any recourse short of "don't use the app" that regular users have against this sort of thing?

Is there no meaningful way to push back against Facebook for demanding this permission?

cwilson 22 minutes ago 0 replies      
The title of this thread should be modified with the addition of: "if you use an Android phone."
rodrodrod 19 minutes ago 0 replies      
This has been a thing for about a month and a bit now. A Facebook engineer posted the following on Reddit[0], explaining the rationale behind the SMS permission:

> As for the READ_SMS permission, we require that so we can automatically intercept login approvals SMS messages for people that have turned on 2-factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account. Unfortunately, the Android permissions system does not allow us to specify that we would like to be able to read only SMS messages from a specific number (plus that wouldn't scale well because the list of numbers varies per country, but that's a separate issue).

[0] http://www.reddit.com/r/WTF/comments/1t5z45/facebook_why_the...

kevinmchugh 34 minutes ago 3 replies      
At this point I'm running at least 2 versions behind on the facebook app. I didn't install it last time it asked me to allow it to "Send emails to guests [of events] without host's knowledge" among other things. I see now that they also want to be able to connect and disconnect from WiFi.

The Facebook app is probably the fastest way to find a list of all permissions in the Android system. "Draw over other apps", "Read battery statistics". I don't know what part of facebook requires either of those options, and the mobile version of their website offers me the minimal amount of functionality I need.

The act of writing this comment has made me uninstall the damned thing. Just reclaimed 17.61MB, and probably a fair amount of space in my mind since I'll check Facebook less often.

I'm sure, as the author of the linked article asserts, most people blindly accept the permissioning changes, but I hope this permission-creep starts to cost them installs.

jblz 30 minutes ago 1 reply      
"Read your text messages (SMS or MMS): If you add a phone number to your account, this allows us to confirm your phone number automatically by finding the confirmation code that we send via text message."

That's a pretty crap feature to use to justify this.


billyjobob 9 minutes ago 0 replies      
At this point, if you care about your privacy, why would you even still have a Facebook account?

I used to think I could be 'safe', that my advanced knowledge of privacy settings and optimised usage patterns could somehow shield me from the fundamental nature of these data monger corporations. But the truth is concepts like cloud and social networking are fundamentally toxic to privacy and freedom.

I'm now pretty close to the day I delete my Google account, and that provides far more useful functionality than Facebook.

eksith 22 minutes ago 0 replies      
Right now, the Twitter app is no better:

  - NEW: Receive text messages (SMS)
  - NEW: Read phone status and identity

Another reason I haven't updated yet.

kunjanshah 22 minutes ago 1 reply      
The best way to prevent this in this app, and many other apps is to use "App Ops" in 4.4 or use CyanogenMod and enable privacy guard and then you can long press on the app and prevent the app from reading SMS and many other things while you are at it.
frozenjuice 3 minutes ago 0 replies      
I remember noticing this on a lot more than just facebook. The Android permissions model seems to now be pointless as so many apps ask for pretty much all of the permissions.
pwnna 24 minutes ago 0 replies      
Which is why Privacy Guard from CM is so important.

I have it enabled by default for all newly installed apps.

elnate 33 minutes ago 0 replies      
Is it possible for another app to interface with Facebook's chat or do they prevent this? I remember there used to be chat apps for PC that could do MSN, AIM, Yahoo and a bunch of others.
DorianMarie 10 minutes ago 0 replies      
That's why Privacy Guard from CyanogenMod is so useful.

(Actually it's called AppOps and it's from Google but it's a hidden feature on stock Android)

runn1ng 33 minutes ago 0 replies      
Everyone I know - me included - just clicks "yes" on the giant list with every second application.

It's kind of sad.

depsypher 30 minutes ago 0 replies      
I switched to using the mobile web version of FB on my phone because of this (and made a shortcut to it on the homescreen)... though really it's a losing battle, the real solution is to dump FB altogether.

I will say that the app provides very little that the mobile web version doesn't give you. I don't even notice the difference.

jonobird1 31 minutes ago 0 replies      
Does anyone know what they are using this feature for exactly?
therealpatriot 33 minutes ago 0 replies      
I'm a god fearing american citizen with nothing to hide
The descent to C greenend.org.uk
82 points by coherentpony  3 hours ago   39 comments top 10
ChuckMcM 2 hours ago 4 replies      
Shhhhhh! If you let them know how fun it is then everyone will want to be C programmers :-)

I got to use my crufty C knowledge to useful effect when I discovered that there is no standard system reset on Cortex M chips. That led me to trying to call "reset_handler" (basically the function that kicks off things at startup) which I couldn't do inside an ISR because lo and behold there is "magic" in ISRs, they are done in "Handler" mode versus "Thread" mode and jumping to thread mode code is just wrong apparently. C hackery to the rescue, hey the stack frame is standard, make a pointer to the first variable in the function, walk backwards on the stack to the return address, change it to be the function that should run next, and return. Voila, system reset.

The whole time I am going "Really? I have to look under your covers just to make you do something anyone might want to do?" As a respondent to one of my questions put it "ARM is a mixture of clever ideas intermixed with a healthy dose of WTF?"

lstamour 4 minutes ago 0 replies      
Knowing a bit of C but often programming in just about any other language, I was recently inspired to work with lower-level languages like C++ thanks to a bunch of talks from Microsoft's Going Native 2013. Specifically Bjarne Stroustrup's The Essence of C++: With Examples in C++84, C++98, C++11, and C++14 -- video and slides at http://channel9.msdn.com/Events/GoingNative/2013/Opening-Key...

C++ really has changed and is changing from what I learned back in university. It's quite exciting. They seem to be standardising and implementing in C++ compilers the way HTML5 is now a living standard with test implementations in browsers. See also: http://channel9.msdn.com/Events/GoingNative/2013/Keynote-Her...

benched 2 hours ago 1 reply      
This looks like a pretty good summary. The stylistic way it's written as if about a 'foreign' language sure makes me feel old though. Twenty years ago, this was completely normal. When I went to work, the code was this. This is what there was. It wasn't "low level" or esoteric - just a nice language to feed through the compiler to get executable code.
michaelhoffman 2 hours ago 2 replies      
> If you've used Java or Python, you'll probably be familiar with the idea that some types of data behave differently from others when you assign them from one variable to another. If you write an assignment such as a = b where a and b are integers, then you get two independent copies of the same integer: after the assignment, modifying a does not also cause b to change its value.

This is incorrect when it comes to Python. a and b will be two different names for the same integer object, which is stored in a single memory location. The difference is that Python guarantees that integers are immutable.

betterunix 2 hours ago 4 replies      
"the length of the array isn't stored in memory anywhere"

This is probably not true. For arrays on the heap, the size (or an approximation e.g. number of pages the array spans) would have to be stored somewhere in order for the array to be deallocated. For arrays on the stack, the size is either known at compile time, or else it was at least available when the array was allocated and could be kept in the stack frame (and in many cases would be kept in the frame anyway).

Not only that, but the common pattern of passing a pointer to an array and its length as arguments to a function implies that most of the time C programmers keep the length of the array stored somewhere. You are really talking about niche cases where the length of the array is truly and inherently unavailable.

Really this has more to do with the fact that C is meant to do as little as possible for programmers -- it is supposed to be "close to the machine."
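
What the remark about lengths means in practice, shown as an added C example (not code from the linked article or from this thread): inside the declaring scope sizeof yields the whole array, but once the array is passed to a function it has decayed to a pointer and the callee can only see the pointer's own size. Portable C also offers no call that asks malloc how large a block is, so by convention the length travels next to the pointer, and a bounds-checked copy relies on exactly that convention. The source values and the sentinel are constructed for the demonstration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* In the scope where an array is declared, sizeof sees the whole object,
 * so the element count can be computed from it. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* A parameter that receives an array is really a pointer: sizeof here is
 * the size of that pointer, not of the caller's array. */
size_t bytes_seen_by_callee(const int *buf)
{
    return sizeof buf;
}

/* Because the callee cannot recover the length, idiomatic C passes it
 * explicitly. This copy never writes past dst_len elements and returns
 * how many elements it actually copied. */
size_t copy_bounded(int *dst, size_t dst_len, const int *src, size_t src_len)
{
    size_t n = src_len < dst_len ? src_len : dst_len;
    memcpy(dst, src, n * sizeof *dst);
    return n;
}

/* Element count as computed in the declaring scope: 5. */
size_t demo_len_in_scope(void)
{
    int local[5] = {0};
    return ARRAY_LEN(local);
}

/* The same array after decay: sizeof(int *), typically 8 bytes, not 20. */
size_t demo_len_after_decay(void)
{
    int local[5] = {0};
    return bytes_seen_by_callee(local);
}

/* Constructed check: copy an 8-element source into a 5-slot destination
 * that is followed by a sentinel. Returns 1 when exactly 5 elements were
 * copied and the sentinel is untouched, 0 otherwise. */
int demo_bounded_copy(void)
{
    const int src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    int dst[6] = {0, 0, 0, 0, 0, 0x5a5a5a5a}; /* dst[5] is the sentinel */
    size_t n = copy_bounded(dst, 5, src, ARRAY_LEN(src));
    return n == 5 && dst[4] == 5 && dst[5] == 0x5a5a5a5a;
}

int main(void)
{
    printf("in scope: %zu elements\n", demo_len_in_scope());
    printf("after decay: %zu bytes (the pointer itself)\n", demo_len_after_decay());
    printf("bounded copy kept the sentinel: %s\n", demo_bounded_copy() ? "yes" : "no");
    return 0;
}
```

The ARRAY_LEN macro is only safe on a true array in its declaring scope; applied to a pointer it silently divides the pointer size by the element size, which is why the length has to be passed down as a separate argument and checked before every write.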

Tegran 1 hour ago 2 replies      
> And there's no simple excuse for the preprocessor; I don't know exactly why that exists, but my guess is that back in the 1970s it was an easy way to get at least an approximation to several desirable language features without having to complicate the actual compiler.

Clearly this guy has never had to deal with a large, complicated code base in C. Dismissing the preprocessor as a crutch for a weak compiler shows a significant ignorance about the useful capabilities that it brings.

warmwaffles 2 hours ago 0 replies      
I love C. It wasn't my first language to jump in to, but it was eye opening to see the power of pointers and low level operations. Java just couldn't get me close enough to the system.
rayiner 2 hours ago 4 replies      
The article is good, but I disagree with this part:

"To a large extent, the answer is: C is that way because reality is that way. C is a low-level language, which means that the way things are done in C is very similar to the way they're done by the computer itself. If you were writing machine code, you'd find that most of the discussion above was just as true as it is in C: strings really are very difficult to handle efficiently (and high-level languages only hide that difficulty, they don't remove it), pointer dereferences are always prone to that kind of problem if you don't either code defensively or avoid making any mistakes, and so on."

Not really, and not quite. A lot of the complexity of C when it comes to handling strings and pointers is the result of not having garbage collection. But it does have malloc()/free(), and that's not really any more fundamental or closer to the machine than a garbage collector. A simple garbage collector isn't really any more complicated than a simple manual heap implementation.

And C's computational model is a vast simplification of "reality." "Reality" is a machine that can do 3-4 instructions and 1-2 loads per clock cycle, with a hierarchical memory structure that has several levels with different sizes and performance characteristics, that can handle requests out of order and uses elaborate protocols for cache coherence on multiprocessor machines. C presents a simple "big array of bytes" memory model that totally abstracts all that complexity. And machines go to great lengths to maintain that fiction.

mooreds 2 hours ago 1 reply      
As someone who swore off C after a college class and an experience with Perl (three cheers for memory management), this was a great intro article to the idioms of C.
collingreene 1 hour ago 0 replies      
This is really great. I have found myself saying some of these same things when explaining things. Going to keep this in my pocket to use in the future. Thanks!
Microsoft Joins the Open Compute Project, Shares its Server Designs datacenterknowledge.com
79 points by 1SockChuck  3 hours ago   15 comments top 2
McGlockenshire 42 minutes ago 0 replies      
I work for a server manufacturer. We integrate other people's hardware (SuperMicro and Intel EPSD mostly) and sell it to customers. We sell everything from simple individual systems to highly-integrated multi-rack clusters to an incredibly diverse set of customers.

We were one of the initial Open Compute hardware partners thanks to some historical networking connections. We had almost zero interest in Open Compute from our customers. Maybe a dozen quotes total over six months, and we've never shipped a single Open Compute system despite all the initial hype, and despite the designs suiting a lot of our repeat customers. Nobody that would otherwise buy a commodity server wants these Open Compute designs, at least from us. We ended our Open Compute effort a few months ago.

Is anyone outside of the original designers actually using Open Compute hardware in a production environment?

alrs 2 hours ago 7 replies      
This counts as a wanton act of hostility toward every server vendor in the x86 space.

Is this payback for all of the PC players adopting Chromebook and Android, or is this the tipping point where MS has decided not to care about selling Windows Server and instead cares only about driving down its own costs to deploy Azure and O365?

Why not kill -9 a process? stackexchange.com
12 points by justinzollars  28 minutes ago   discuss
Halluxwater: NSA Exploit of the Day schneier.com
44 points by zmh  3 hours ago   37 comments top 8
timsally 2 hours ago 7 replies      
This article states the NSA developed an exploit for a product made by a Chinese networking and telecommunications firm. Honest question for HN readers inside the US: does anyone seriously have a problem with this? In my mind it falls squarely within the NSA's mission, i.e. this is what we pay them to do! Question for HN readers outside the US: can you credibly claim your intelligence agencies aren't trying to do the same thing?

For those thinking about whether such things could be used inside the United States: of course they can. So can all the equipment and weapons the military buys. And it's happened before! The gun in the Fort Hood shootings was bought and paid for by US tax dollars and it was used to kill a civilian. So this raises the question: is the military to be trusted with weaponry it needs for its defense mission even though it could be used in the US? Similarly, is the NSA to be trusted with exploits it needs for its SIGINT mission? Interesting question. An infantryman could go rogue at any time and use his service weapon against US citizens, and someone at the NSA could use an exploit for personal gain, but on the whole I believe the system accounts for these possibilities in a reasonable and controlled way.

If this information is true, it seems a little crazy to me to be propagating it since there isn't really a domestic/whistleblower angle. At least, no more of a domestic angle than the military developing a new missile. Some of Snowden's disclosures are responsible for starting a productive civil liberties debate in the United States, there's no denying that. But these disclosures are ones of a different color in my opinion.

rurounijones 2 hours ago 0 replies      
Well the US govt has been saying that Huawei kit could not be trusted... I guess they were right...
Zarathust 34 minutes ago 0 replies      
So you need access to the router first with enough power to force a firmware update. What would surprise me is if there are vendors immune from this kind of APT. Given the money and talent invested in those hacks, bricking a whole cargo container of routers doesn't seem out of reach, dissolving it in acid or other potentially destructive reverse engineering.

If they own the vendor source code then it is even easier, but the mere fact that it is a router/firewall and not an off-the-shelf Dell PC is of little importance.

joshwa 27 minutes ago 0 replies      
jevinskie 2 hours ago 1 reply      
Does anyone know the process that took this leak from the Snowden dumps to Schneier's site? Did Schneier seek consensus from the other recipients that he should release this particular information? Did Schneier unilaterally decide to release this?

Regarding the article, I think it is fascinating proof of the lengths that state-level actors will go through to backdoor their targets.

higherpurpose 2 hours ago 0 replies      
Sounds like typical NSA/US gov modus operandi: accuse others of stuff they're already doing.
pistle 2 hours ago 0 replies      
NSA logos are horrible.
Nginx Patch: SPDY/3.1 protocol implementation nginx.org
85 points by jdorfman  5 hours ago   14 comments top 6
dmix 4 hours ago 1 reply      
With help from some companies:

> Three companies that like Google's approach -- Automattic, MaxCDN, and CloudFlare -- are funding Nginx developers to update its SPDY support to version 3.1, CNET has learned. Under the deal, SPDY 3.1 should arrive in Nginx 1.5 in January, a source familiar with the partnership said.


AhtiK 4 hours ago 1 reply      
Good initiative! Just a heads up that server push does not seem to be implemented.

Server push is one of the spec items that got much wanted clarifications in SPDY3 and would be awesome to see nginx support that. Apache mod_spdy, jetty and netty do have it.

Server push makes it handy to provide super low latencies for full page loading by pushing out all the files that "server thinks" browser might need for a page without waiting for the requests.

Server push is not a magic bullet; it can take more bandwidth compared to the regular visit with a browser that has the required resources (images, CSS, JS, etc.) cached. But it is still better than inlining in HTML because the resources from server push can be cached.

If you care more about page loading speed (especially for first-time visitors) and less about actual bandwidth consumed, SPDY with server push can be great. Hint: deciding on whether a visitor might benefit from "a little push" as a fresh visitor could be done with a cookie existence check or something similar.

newman314 2 hours ago 0 replies      
I've been having issues compiling the last 2 versions of nginx. Anyone else seeing this?

  make -f objs/Makefile
  make[1]: Entering directory `/home/newman314/src/nginx-1.5.9'
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -march=native -Ofast -fomit-frame-pointer -fstack-protector -D_FORTIFY_SOURCE=2 -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
        -o objs/src/core/ngx_string.o \
        src/core/ngx_string.c
  {standard input}: Assembler messages:
  {standard input}:1253: Error: no such instruction: `vfmadd312sd .LC5(%rip),%xmm1,%xmm0'
  make[1]: *** [objs/src/core/ngx_string.o] Error 1

Configure flags used:

  ./configure --with-http_ssl_module --with-http_spdy_module --with-http_gzip_static_module --with-cc-opt='-march=native -Ofast -fomit-frame-pointer -fstack-protector -D_FORTIFY_SOURCE=2'
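An added example, not from the poster above or from the nginx project: the log ends in an assembler error on `vfmadd312sd`, an FMA instruction, so the compiler (told by `-march=native -Ofast` to use the host CPU's instruction set) emitted code the installed assembler does not recognise. The fault is in the compiler/assembler pairing and the flags, not in `ngx_string.c`. The script below classifies such a build log and reproduces the condition outside the nginx tree with a one-line FMA probe, so the flag set can be bisected without rebuilding nginx. The function and constant names are my own; the sample log is the output quoted in the thread.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample: the assembler messages from the build log above, as one string.
# The GNU assembler reports an unknown mnemonic exactly this way.
SAMPLE_LOG = """{standard input}: Assembler messages:
{standard input}:1253: Error: no such instruction: `vfmadd312sd .LC5(%rip),%xmm1,%xmm0'
make[1]: *** [objs/src/core/ngx_string.o] Error 1
"""

# Matches "{standard input}:<line>: Error: no such instruction: `<mnemonic> ..."
ASM_ERROR = re.compile(r"^\{standard input\}:(\d+): Error: no such instruction: `(\S+)")


def classify_build_failure(log):
    """Classify a failed compile from its stderr text.

    Returns {"kind": "asm-mismatch", "line": n, "mnemonic": m} when the assembler
    rejected an instruction the compiler emitted (i.e. the assembler is older than
    what the compiler flags asked for), otherwise {"kind": "other"}.
    """
    for line in log.splitlines():
        m = ASM_ERROR.match(line)
        if m:
            return {"kind": "asm-mismatch", "line": int(m.group(1)), "mnemonic": m.group(2)}
    return {"kind": "other"}


# One fused multiply-add is enough to make the compiler emit an FMA instruction
# when the flags enable it (e.g. -march=native on an FMA-capable host with -O2/-Ofast).
PROBE_SOURCE = "double f(double a, double b, double c) { return __builtin_fma(a, b, c); }\n"


def probe_toolchain(cflags, cc="cc"):
    """Compile the probe with the given flag list and classify the outcome.

    Returns {"kind": "ok"} on success, the classification of stderr on failure,
    or {"kind": "skipped"} when no compiler named `cc` is on PATH.
    """
    if shutil.which(cc) is None:
        return {"kind": "skipped"}
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "probe.c")
        with open(src, "w") as fh:
            fh.write(PROBE_SOURCE)
        # -c only: assemble but do not link, so libm is not needed.
        cmd = [cc, "-c", *cflags, "-o", os.path.join(workdir, "probe.o"), src]
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode == 0:
            return {"kind": "ok"}
        return classify_build_failure(result.stderr)


if __name__ == "__main__":
    print(classify_build_failure(SAMPLE_LOG))
    # Bisect the flag set from the thread: if only the -march=native run fails with
    # an asm-mismatch, the assembler is behind the compiler for this CPU.
    for flags in ([], ["-O2"], ["-march=native", "-Ofast"]):
        print(flags, probe_toolchain(flags))
```

Run it on the build host: a probe that fails only with `-march=native` while plain `-O2` succeeds confirms the assembler/compiler mismatch, and the same classifier can be pointed at any other saved build log.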

ecesena 1 hour ago 1 reply      
Is this connected with Dropbox testing SPDY [1], or are they on the HN front page by chance? Just curious...

[1] https://news.ycombinator.com/item?id=7132202

dylz 3 hours ago 0 replies      
Is QUIC [0] going to be supported anytime soon?

[0] http://en.wikipedia.org/wiki/QUIC

xfalcox 4 hours ago 1 reply      
That's great. I have been waiting for this since Firefox and Chrome stated that SPDY/2 will no longer be supported in their next versions.

I hope that nginx will maintain SPDY/2 and serve version 3 to compatible clients. My company just upgraded to Firefox 14...

US makes Bitcoin exchange arrests bbc.co.uk
356 points by majc2  12 hours ago   276 comments top 41
eterm 11 hours ago 6 replies      
A good excerpt from page 13.

"Shrem email accounts reflect that "BTCKing" not only obtained his supply of Bitcoins through the Company, but did so with extensive support from SHREM. Even though SHREM quickly realized that "BTCKing" was reselling Bitcoins on Silk Road, which SHREM knew to be a marketplace for illicit drugs, SHREM went out of his way to facilitate "BTCKing's" business. Among other things, SHREM: permitted "BTCKing" to continue doing business with the Company, despite initially threatening to "ban" him based on his illegal activity; personally ensured that "BTCKing's" orders with the Company were filled everyday; gave "BTCKing" discounts based on his large order volume; sought to conceal "BTCKing's" activity from the Co-founder and the Cash Processor to prevent "BTCKing's" orders from being blocked; advised "BTCKing" how to evade the transaction limits imposed by the Company's own AML policy; let "BTCKing" conduct large transactions without ever verifying his identity, in violation of federal AML laws; and failed to file a single Suspicious Activity Report about "BTCKing," [sic] despite the obvious "red flags" raised by "BTCKing's" dealings with the Company."

If all that is alleged is true, that's pretty damning, and this isn't just a general Bitcoin crackdown.

siculars 11 hours ago 7 replies      
I find it hilarious that they take this guy down and nobody from HSBC does a perp walk. I guess it's who you know and how much you can pay off, ya? This has everything to do with the threat Bitcoin represents. HSBC literally paid a 2 Billion dollar fine against specifically money laundering on behalf of organized drug cartels. The investigation took years and not a single HSBC employee has done a perp walk.

Oh, and since when does selling BTC anywhere, including Silk Road, constitute a crime? It's what you buy with BTC, or any other currency, that is the crime.

jahewson 10 hours ago 6 replies      
There seems to be a general lack of understanding here on HN that money laundering is incredibly harmful to society. It allows organised crime to operate with great ease. It facilitates the corrupt in any walk of life, be it political, corporate, or even law enforcement.

Any money-trading entity needs to keep track of who money is coming from and going to and to monitor their transactions. The recent billion-dollar HSBC settlement is an example of a failure to properly monitor transactions; it is not clear that there was any criminal conspiracy involved [1]. That's very different from this BitInstant charge: the operators are accused of knowing that one of their customers was reselling hundreds of thousands of dollars worth of Bitcoin on Silk Road, where the transactions were anonymous, which means it can be used to launder money. Worse still, they're accused of helping this guy circumvent their own monitoring systems so that they weren't obliged to report him. This is serious stuff.

[1] The criminal charges from that case were dropped as part of a settlement, but that's an entirely separate controversy. Failure to correctly charge possible criminals in one case does not make it OK in another.

JumpCrisscross 6 hours ago 0 replies      
This is not an attack on Bitcoin per se, but an attack on blatant money laundering:

US Attorney for the Southern District of New York, Preet Bharara, who filed the charges: "truly innovative business models don't need to resort to old-fashioned lawbreaking, and when Bitcoins, like any traditional currency, are laundered and used to fuel criminal activity, law enforcement has no choice but to act" [1].

This is different from HSBC's case because while HSBC was negligent in implementing proper anti-money laundering procedures Shrem was actively aiding his clients in their money laundering. That has not been proven in the case of any of HSBC's U.S. executives, at least so far.

[1] http://www.ft.com/intl/cms/s/0/a994436a-8770-11e3-9c5c-00144...

untog 12 hours ago 2 replies      
Note that this isn't an arrest just for operating a Bitcoin exchange. It's specifically to do with Silk Road.
epaga 10 hours ago 2 replies      
For me, the biggest shock is that Shrem is on the board of the Bitcoin Foundation and was involved in this stuff. The Bitcoin foundation is one of the strongest voices in Washington about Bitcoin.

This is a big hit to the credibility of Bitcoin in the near- to mid-term future.

jboggan 11 hours ago 0 replies      
I am very supportive of the Bitcoin Foundation, but it doesn't look good to have your Vice Chairman [1] taken down on money laundering charges.

1 - https://bitcoinfoundation.org/about/board

olefoo 11 hours ago 1 reply      
From reading the complaint, it seems that the BTCKing guy was advertising his services on Silk Road and was active on the forums. Which means that he was knowingly violating the laws on money transmission and specifically the know-your-customer aspects.

It's pretty clear that in the not too distant future it will be illegal to not make a good faith effort to identify anyone you are selling bitcoins to.

CapitalistCartr 12 hours ago 0 replies      
There is a bit more information here, not much to be had anywhere I see, though.


mcantelon 10 hours ago 0 replies      
Meanwhile, the US allows the Sinaloa to move drugs in the US:


johnmurch 11 hours ago 1 reply      
I am sure this will get downvoted, but I can't help but find it interesting (the government going after them after this recent HSBC news). HSBC was involved with drug cartels and much more and just had to pay a 1.9 billion dollar fine (sounds like a lot, but keep in mind it's about 5 weeks of profits): http://www.reuters.com/article/2012/12/11/us-hsbc-probe-idUS...
dreen 12 hours ago 3 replies      
Seems like they were arrested for selling bitcoins to silk road users en masse. Is this just a US law oddity or is that what passes for money laundering these days?
rayiner 12 hours ago 1 reply      
It's worth reading the indictment: http://www.scribd.com/doc/202555785/United-States-vs-Charles.... At least read the e-mail exchanges starting on pages 10 and 12.

What the article doesn't make clear is that the charge isn't for just selling BTC to Silk Road users. The charge is that Faiella purposefully targeted Silk Road users, sold them BTC at a markup, and Shrem coordinated with him to bypass BitInstant's anti-money laundering mechanisms and deliver the actual Bitcoin.

CodeCube 12 hours ago 2 replies      
People are gonna have to learn to play by the rules. They are obviously paying attention.
jbb555 11 hours ago 2 replies      
If my understanding is true, then bitcoin isn't really relevant here. They could have been selling hand written money tokens to people that they then used to pay their drug dealer with. The allegations are about intent and money laundering.

If this is all as presented, this is good for bitcoin. The fact that a criminal has been caught is good. The fact that they were using bitcoin to commit their crime makes it doubly good they were arrested as it reflects badly on the community.

teawithcarl 6 hours ago 0 replies      
Here's Andy Greenberg's excellent article on today's events--


kumarski 11 hours ago 1 reply      
This seems a bit ridiculous considering the half a TRILLION dollars that were laundered for drug cartels by the American bank Wells Fargo.

Am I missing something?

zmanian 12 hours ago 3 replies      
Seems like solid evidence that the reason the US govt is so comfortable with Bitcoin is that they have a handle on anonymizing the blockchain as needed.

Also maybe an example of crypto over-confidence.

nullc 11 hours ago 0 replies      
The Justice Department press release is the ultimate source for all these stories and is the most informative: http://www.justice.gov/usao/nys/pressreleases/January14/Schr...

I guess this bodes poorly for the people who were hoping to get their coins back from Bitinstant: http://bitinstant.info/

mikecane 11 hours ago 2 replies      
"and operating an unlicensed money transmitting business" http://bnowire.com/inbox/?id=2158

And they reveal the hand they'll use to shut it all down.

jusben1369 11 hours ago 0 replies      
I wonder how central figures in Bitcoin feel about this. The headlines aren't helpful, but in the longer run, if the Feds drive down or out the number of bad guys using Bitcoin, that would seem to help its image over the long run.
ChuckMcM 11 hours ago 0 replies      
Interesting that they charged them with the money transmitting and laundering charges. I suspect it is hard to get someone indicted for just trading in coin since to the average lay person that probably seems like baseball collector cards or something.
ada1981 3 hours ago 0 replies      
"Drug law enforcement's job is to investigate and identify those who abet the illicit drug trade at all levels of production and distribution, including those lining their own pockets by feigning ignorance of any wrong doing and turning a blind eye."

Start with congress for making drugs illegal in the first place.

at-fates-hands 8 hours ago 0 replies      
>>> Given that everyone involved was an American citizen.

I guess this is the moral of the story. Don't do this stuff within the confines of the US? Find a nice island paradise (I hear Vanuatu is nice this time of year) and do your business from a country that has no extradition treaty with the US.

SoftwarePatent 11 hours ago 0 replies      
A better headline: "U.S. makes money-laundering arrests"
kbar13 11 hours ago 1 reply      
Title is very sensationalist and almost gave me a heart attack.
dsugarman 9 hours ago 0 replies      
HSBC admitted to laundering $800M for drug cartels. No arrests.
brianbarker 8 hours ago 0 replies      
I've been worried about random people opening up exchanges, pools and other BTC transaction web applications. There are so many regulations, particularly in Anti-Money Laundering and Compliance that complicate business. People need to be careful and realize exchanges aren't a business you jump into on a whim.

The worst is, if you innocently run a site like this and don't have the correct AML protections, the baddies will use your service for their goals. You will be in trouble for not having the appropriate controls in place.

NAFV_P 11 hours ago 2 replies      
> "It is unfortunate Silk Road continues to make the headlines in association with Bitcoin - this is the dark side of Bitcoin, which the vast majority of digital currency users have no association with."

Every currency or commodity of value has a dark side. A significant percentage of British notes have traces of cocaine; occasionally you see ones with blood on them. I'd consider blood diamonds to have just as sinister connotations as Bitcoin.

Discussing this reminds me of the scene in Beverly Hills Cop, where the character Michael Tandino is murdered for stealing a wad of bearer bonds.


rtpg 6 hours ago 1 reply      
Tangential to the story, but can someone explain to me why the government hates Bitcoin (or rather, why people seem to think this)? It's a public ledger of all payments; seems like a pretty good thing for the IRS.
ommunist 9 hours ago 1 reply      
Criminalizing BTC is a sure sign of fear from the US/UK banking system. But you cannot criminalise maths, you can only do that with mathematicians like Alan Turing.
egocodedinsol 10 hours ago 1 reply      
Without being upset, I'm curious what the difference is between this type of arrest and various traditional banks that were civilly fined for money laundering, but not criminally charged.

I doubt many FBI agents would hesitate to pursue a big bank. But they don't seem to be able to, even when there are civil fines given. What causes that, I wonder?

aerialfish 3 hours ago 0 replies      
For me, the worst part is I went to high school in Brooklyn with this guy. Ugh.
amiramir 9 hours ago 2 replies      
How is what these people were arrested for different than what Coinbase does?
CryptcWriter 8 hours ago 0 replies      
HSBC just had to pay a 2b fine for money laundering, I guess the US gov doesn't accept BTC yet...
mbloom1915 4 hours ago 0 replies      
so uncool, much dogecoin to invest
lama_drama 7 hours ago 0 replies      
The difference between HSBC money laundering and Bitcoin's money laundering is more political hands involved with HSBC's profits.
btcstanford 9 hours ago 1 reply      
What about Coinbase and BitPay? Do they have any anti-money-laundering issues? Does the burden of AML/KYC fall on the merchant or on Coinbase/BitPay?
thinkcomp 10 hours ago 0 replies      
This is no different from many of the companies that Andreessen-Horowitz, Y Combinator, Sequoia, KPCB, and other big names have invested in. In fact, it's just the tip of the iceberg.

More arrests will likely follow. I wouldn't be surprised if Dwolla and/or Veridian Credit Union is next. They were one of the largest pipes to the Silk Road.


DeepMind to Work Directly With Googles Search Team recode.net
28 points by jamesjyu  2 hours ago   8 comments top 3
nl 2 hours ago 2 replies      
It's difficult not to get caught up in the excitement around Deep Learning. The unsupervised nature of it at its best really does seem to approach human levels of learning (if not intelligence).

Also, I thought this was hilarious:

In a 2011 interview that predated DeepMind, co-founder Shane Legg said he gave only a 50 percent chance that human level-machine intelligence would exist by 2028.

ONLY?!? By 2028? That is a pretty radical prediction. Indeed, Legg says there is a 10% chance of human level intelligence by 2018, and 90% by 2050[1].

Legg has multiple papers published in the field of measuring machine intelligence, so I guess he has a pretty good view of the field.

If that 2028 prediction is even close to correct then I think setting up an ethics board now probably is the correct thing to do. (the notion that DeepMind asked that Google create an internal ethics board as a condition of the acquisition, as reported by The Information, had some AI researchers griping)

Edit: Legg's posting on his blog in 2011 deserves to be read:

I've decided to once again leave my prediction for when human level AGI will arrive unchanged. That is, I give it a log-normal distribution with a mean of 2028 and a mode of 2025, under the assumption that nothing crazy happens like a nuclear war. I'd also like to add to this prediction that I expect to see an impressive proto-AGI within the next 8 years. By this I mean a system with basic vision, basic sound processing, basic movement control, and basic language abilities, with all of these things being essentially learnt rather than preprogrammed. It will also be able to solve a range of simple problems, including novel ones.

[1] http://lesswrong.com/r/discussion/lw/691/shane_legg_on_risks...

[2] http://www.vetta.org/2011/12/goodbye-2011-hello-2012/

sjg007 39 minutes ago 0 replies      
What I am really curious about is the difference between Deep Learning using RBMs, PCA, Factor Analysis, and Bayesian graphical models. All of them seem to treat a numerical problem in different ways. I'm particularly interested in the identifiability of the equations (and introducing some constraints to do so), or else you have multiple (infinite) solutions. As far as I can tell, deep learning is basically a multi-layer RBM with greedy optimization at each level. Maybe that is good enough for text summarization or robotics, but in a mathematical sense, depending on your starting vectors you can arrive at different local minima. In physical dynamical systems we are typically interested in the global solution from which we do further analyses to prove stability etc. Bayesian networks have loopy belief propagation, and of course PCA/SVD require strict linear independence.
zvanness 1 hour ago 1 reply      
Here's what I said when the story first came out:

"I'm not so sure their technology is as futuristic as everyone thinks it is. If I had to take an educated guess, I would say it's some powerful AI that makes their knowledge graph smarter. Currently Google's Knowledge Graph uses more structured data sets and depends on a mechanism like this: http://www.zachvanness.com/nanobird_relevancy_engine.pdf But the real challenge is to make the knowledge graph update in real time and take meaning from something as unstructured as a blog post or an email. And to do something like that requires some really unique AI."

This is most likely what they are going to be implementing: http://www.zachvanness.com/nanobird_relevancy_engine_vision....

Show HN: Taplytics Mobile A/B testing you'll actually use taplytics.com
54 points by aglazer  4 hours ago   20 comments top 12
RealGeek 46 minutes ago 1 reply      
It looks like 'mobile first design gone too far'. This is how the website looks on a 1920 x 1200 monitor: http://i.imgur.com/asP7Fdx.png

Browser: Chrome. OS: Windows 8.1.

aaronbrethorst 1 hour ago 1 reply      
Relevant disclosure: I run an iOS developer-related website (http://www.cocoacontrols.com), and I asked Andrew, one of the co-founders, to advertise on my site sometime soon (and I owe him a follow-up email...Andrew, if you see this, sorry I haven't done that yet. I spent the weekend in bed with a seriously bad head and chest cold, and am only now digging myself out of my backlog of work.)

I received a demo of Taplytics last week, and I have to say it is really impressive. There are definitely some rough edges here and there in the product, but if it holds up half as well as it did in the demo then it'll be the first product I've seen that might actually make people A/B test their iOS apps. It's really cool.

I can't wait to try it out in the real world with an app I've been building on the side for the past few days.

I should also mention that I have a really high bar for accepting ads for Cocoa Controls, and only do it for products that I actually like (reputation takes years to build, and can be pissed away in a second if you screw up badly enough).

MaxGabriel 7 minutes ago 0 replies      
Is it necessary to set the `elementKey` property of views beforehand?
jensen2k 24 minutes ago 0 replies      
I just tested this, and even though I didn't get it to work on my project (linker errors), it was exceptional on the test app. This is very innovative and fresh, and makes it so easy. Kudos to you guys. I'm gonna do some testing, and maybe I'll try this out in our beta rounds.

A question, though: it seems like you hijack all UI elements and subclass them at runtime. (Or something. Swizzling?) How is this in regard to speed and performance?

diziet 1 hour ago 0 replies      
I'm really excited by all the mobile a/b testing companies that emerged in the last year. There were almost no companies working on this space just a scant year ago, though a lot of the more successful and large companies had implemented these tools internally for their own apps. Seamless updates, ui changes, full a/b testing is something we'll likely see a lot more of in the future.
kyro 57 minutes ago 0 replies      
For someone not familiar with iOS development, how does this work?
billclerico 2 hours ago 0 replies      
congrats guys. I love that you can run experiments without having users update apps.
brryant 2 hours ago 1 reply      
How are you guys different from apptimize? http://apptimize.com/
brettfarrow 3 hours ago 1 reply      
Are you affiliated with Optimizely? I ask because I know one of their primary marketing statements is also "A/B testing you'll actually use."
goeric 2 hours ago 0 replies      
This is pretty amazing. Congrats, I think this will be extremely useful to a lot of apps.
wahnfrieden 2 hours ago 1 reply      
Just FYI, blog is unreadable on iphone.
raj_saheb 1 hour ago 0 replies      
How are you guys different from https://www.vessel.io? They have a very advanced solution in this segment. Last week I saw Vessel's new product and it's amazing. Very close to Optimizely or Visual Website Optimizer in the web space.

They have built a visual editor, which allows users to change the UI of their Android or iOS application directly from the editor.

Just keep an eye on them. I will try your solution too.

Vinod Khosla Wants Californians To Keep Out of Martins Beach npr.org
13 points by the_arun  1 hour ago   discuss
Take Buffett's Billion takebuffettsbillion.com
71 points by songzme  5 hours ago   90 comments top 24
startupfounder 4 hours ago 5 replies      
Buffett is making big money on this deal, increasing his personal brand and here is how (my guess):

Quicken is paying Buffett for the advertising exposure right before tax season.

Quicken is also taking out prize indemnity insurance[0] from National Indemnity Company[1] which Buffett owns.

Even if someone happens to beat the odds (which they won't) it's still a win-win for Buffett because he has stacked the odds in his favor.

It's 40 annual payments of $25M or a single payout of $500M. Also, they are only allowing 10M people to register. [2]

We should all take a note from his playbook on this one.

[0] http://en.wikipedia.org/wiki/Prize_indemnity_insurance

[1] http://en.wikipedia.org/wiki/National_Indemnity_Company

[2] http://www.latimes.com/business/money/la-fi-mo-warren-buffet...

everettForth 5 hours ago 4 replies      
The expected value of an entry is something like ten cents assuming you know a lot about basketball.

This is like saying, "let's all work together to hack ten cents into eleven cents" (except we're doing something secret to do the hacking, which we won't tell you, but trust us. ps we love Nate Silver)

Edit: Actually, Now that I think about it more, the people who made this are probably concerned with too many teams using the same statistical techniques, and choosing the same bracket. Assuming several teams find this "highly likely" bracket, and it wins, those teams would all share the prize. This way, the organizers can choose their favorite bracket, and help ensure that other brackets aren't going to share the prize with them.

kristopolous 4 hours ago 1 reply      
I like to imagine Buffett personally knocking a key player's knees in if it appears that someone is getting too close to winning, like some Adam West Batman villain.

"Let me show you why the first three letters of my name spell 'War'."

euphemize 2 hours ago 0 replies      
Buffett won't have to pay a billion dollars. As he mentions in one of the articles linked, at the end:

"If you get to the Final Four with a perfect bracket, I may buy you out of your position," Buffett said. "I'll make you an offer you can't refuse."


Steko 4 hours ago 2 replies      
The 60-odd coaches should get together and rig the whole thing for 15+ million apiece.
kqr2 3 hours ago 0 replies      
Actually, Buffett already did something similar with the Pepsi Billion Dollar Sweepstakes:


adam-f 4 hours ago 0 replies      
Image of Warren Buffet courtesy of (i.e., served from) blackmbawomen.com.


Very classy tBB.

ghshephard 5 hours ago 2 replies      
The very first thing that comes to mind when I read this - why on earth would anybody honor their agreement with $500mm on the line? I'm a pretty honorable person, but I'll admit - I'd be highly tempted to just take the money and ignore the pool.
gojomo 1 hour ago 0 replies      
Interesting idea, but rather than assigning picks, might be nearly as good to simply have members of the cooperating group register their picks, so that they can avoid wasteful duplication.

Then, when someone proposes a duplicate, suggest to them either the minimal-change-for-uniqueness, or the-best-yet-unclaimed from the pool analysis.

In fact they could offer both to appeal to a wider range of participants, and perhaps offer a software tool (like a bookmarklet) to make the dup-check/autosuggest as easy as possible.

cl8ton 2 hours ago 0 replies      
Here are the mathematical odds of filling out a perfect NCAA bracket.


pyrrhotech 4 hours ago 1 reply      
Buffett will definitely pay. It's less than 1.2% of Berkshire's cash on hand. And only about 0.24% of Berkshire's book value. Roughly the amount his personal wealth fluctuates each day.

source: http://finance.yahoo.com/q/ks?s=BRK-A+Key+Statistics

cschmidt 4 hours ago 2 replies      
Has anyone read what happens if there are multiple winners? Do they split the prize? Is one winner chosen at random? Do they all get a billion? It really affects how you should play.

For example, a common bracket might be to pick all the top seeds. In some sense that's the most likely outcome. But that may be a bad entry as there would certainly be lots of people who enter that.

In a similar way, 1 2 3 4 5 6 is the most common lottery entry, and hence the worst possible one, since if it did come up you'd have to split the prize many ways. [1]

[1] http://www.economist.com/news/britain/21573993-britons-love-...

ck2 4 hours ago 1 reply      
He's insured if someone wins, it won't even be his money if I understand it correctly.

All a rich person's game. Soak the insurance rates for the next people.

hacknat 4 hours ago 1 reply      
Forget the game theory the odds are still insane.

Also consider that statistically significant deviations away from the huge list of ideal brackets they come up with are likely to happen. That's the nature of March Madness, usually at least one bottom seed flips a top seed or two. Guessing which one will do so is a fool's errand. So even if lots of people participated in this the idea that they would all be increasing their odds of winning could be an illusion.

hayksaakian 2 hours ago 1 reply      
correct me if I'm wrong, but couldn't you just generate every possible combination of brackets and "assign" to each participant the top most statistically likely combinations?

or is this precisely what they're doing?

codyb 4 hours ago 0 replies      
I thought of this too but no one at work wanted to spend a bunch of weekends hacking away :/.

I figured it would just be a fun way to learn and apply a bunch of machine learning and pattern recognition concepts.

I'll probably still try to do that.

Signed up though.

pbhjpbhj 4 hours ago 1 reply      
How many seconds will the Quicken Loans website last on March 3?

How long is there to submit entries. How long will it take, will it be bot-able in a reasonable time?

judk 5 hours ago 1 reply      
I would love to see the paperwork they use to attempt to prevent defection by the winner if any.
nsiemsen 3 hours ago 1 reply      
Matt Levine who writes for Bloomberg is a great daily read. He posted about this about a week ago and it provides a good overview of how this type of thing is priced/insured.

gmays 3 hours ago 1 reply      
So...would you take the $500M or $25M/yr for 40 years?
maerF0x0 47 minutes ago 0 replies      
only for US citizens, boo.
kyle_t 3 hours ago 0 replies      
Did anyone else's email address get auto submitted without having to hit submit?
pbhjpbhj 4 hours ago 1 reply      
What's the tax on a 1 billion prize?
jessaustin 4 hours ago 2 replies      
The likelihood of Buffett actually paying this prize is even lower than that of someone actually winning it.
CloudFlare Transparency Report on National Security Orders cloudflare.com
28 points by jgrahamc  3 hours ago   6 comments top 3
chimeracoder 1 hour ago 0 replies      
As a Cloudflare customer, I'm really happy to see this. Cloudflare provides a great service, but to do so, they have to assume a position of enough power that makes them an easy (legal) target for a determined government.

As a US resident (and citizen), though, I find this very disconcerting. The difference between 0 and 249 requests is a lot.

There isn't much else a company the size of Cloudflare can be expected to do (lobbying the government requires levels of cash that I doubt Cloudflare has right now), but it makes me sad that this is even newsworthy.

rtfeldman 1 hour ago 0 replies      
It says 0-249, but it means 1-249.

If you've never received one, my understanding is that there's no law preventing you from saying "0", so why wouldn't you if it were true?

nacs 2 hours ago 3 replies      
> Starting with 0-249

I'm puzzled why it's not 1-249 with 0 being a different group. So this law basically means that as long as you send less than 250 requests to a single company you're fine.

Might as well start sending 249 requests to every company they can think of.

Show HN: Random Street View randomstreetview.com
296 points by hanezz  15 hours ago   151 comments top 68
crazygringo 11 hours ago 3 replies      
Nice! So interesting. This is the kind of thing that, 30 years ago, you could only dream about. Stuff like this reminds me how much we take things like the Internet and Google Street View for granted, and sometimes you need to step back and think how amazing they are.

But stepping forwards to a minor detail... are there keyboard shortcuts? If you click on the image, you can already use Google controls to pan/walk around using the arrow keys and +/-..., so that all works...

But it would be awesome if there were another shortcut to move to the next/previous location, so I could move around, and between images, solely using the keyboard.

Anyways, great work!

[Edit: another thing, so many locations seem to have... not much going on. Instead of picking a random spot by area, it might be interesting to pick a random spot by population distribution... so that half the locations would wind up being urban, and you'd see a lot more people.]

kirchhoff 11 hours ago 6 replies      
I don't mean to gatecrash, but as I have been running a near identical site for a few years I feel compelled to comment.

The street views generated on this site are not really random; they are picked from a predefined list in a db. This is why duplicates appear after a number of clicks.

I run http://www.mapcrunch.com which also generates random street views, but with more options - you can define a region on a map (like a city) and generate street views from within it. You can also restrict the generated views to those taken within buildings, or within urban areas. The views generated are also totally random.

I don't have any objection to someone copying the concept of an existing site / service, but I feel that if you do so, you should at least try to differentiate it in some way - most easily done by making improvements or including superior functionality.

colinbartlett 14 hours ago 4 replies      
I would love to know how much Google spends on StreetView.

When they first started sending those cars around, I think everyone collectively mocked, "Haha. Well you're certainly not going to photograph every street in the world."

ak217 14 hours ago 3 replies      
RankingMember 14 hours ago 4 replies      
There's definitely something intriguing about seeing random mundane scenes (with occasional awesome exceptions) in far away locations.
petercooper 15 hours ago 2 replies      
There's a guy on Twitch who livestreams "playing" a game with something like this, except there's no map. It's a similar site that shows you a random location and he basically "walks" around and tries to drop a pin on a map as close to the point as possible. Sounds kinda boring but I ended up watching an hour of it and it's interesting the sort of visual clues and techniques you can use to suss places out.
xixi77 47 minutes ago 0 replies      
Interesting! A few things:

- Some locations repeat after a short while
- Not sure how the randomization is done, but some countries like Botswana and Bulgaria seem over-represented
- Address language seems random (often English, sometimes other, not much relation to where location is -- e.g. some US locations had addresses shown in Czech etc.)

DanBC 14 hours ago 1 reply      
I'm getting lots of really pretty scenery in Bulgaria. So much that it's making me think about moving. I love this!

People interested in mapping and computers may also like this BBC Radio 4 programme "mapping the void" which covers some of the open sourced volunteer projects. http://www.bbc.co.uk/programmes/b03s6mf0

3rd3 11 hours ago 1 reply      
It's quite banal, but it always baffles me that everywhere something is happening at the same time. A vast complexity which we can only make sense of because it all works according to the same principles. People build roads, houses, raise families and eventually die. Isn't there a word for this feeling?
henrik_w 14 hours ago 0 replies      
Neat! There was a similar project here a few years ago: http://www.mapcrunch.com/ comments: https://news.ycombinator.com/item?id=3215460
giarc 12 hours ago 3 replies      
I might have found the most English looking location (also very beautiful)

SonicSoul 1 hour ago 0 replies      
reminds me of a manager i worked for in 2000. he wrote a random lat/long algo and actually used it for his vacation trips.

this is a clear upgrade :)

willismichael 11 hours ago 0 replies      
Denmark has separate paved bike streets out in the middle of the countryside! I sure wish the road systems in the United States were more bike friendly.

Patrick_Devine 10 hours ago 0 replies      
I ended up shrinking the map/location bar and then clicked on the "next" button and tried seeing how long it would take me to figure out where I was. There are a lot of immediate clues, like what side of the street people are driving on, the ethnicity of people if they're at the side of the road, the condition and type of the cars/buildings and a lot of geographical features like mountains and red soil.

It reminded me of a thought exercise I used to do about what would I do if I were kidnapped and then drugged/blindfolded/disorientated/whatever and then dropped somewhere in the world. I'd come up with elaborate strategies to try and find my way back home.

james33 13 hours ago 0 replies      
Does it actually pick a completely random spot? Because the first one it showed me was a place I visited recently halfway around the world.
mdisraeli 6 hours ago 0 replies      
There's an interesting game one can play with such sites - get a random location, and try to find your way back to an airport without looking at a map

...Of course, this was easier before google indexed so much countryside....

jader201 14 hours ago 0 replies      
It's funny seeing the attention these vehicles draw coming out in some of the photos. This is especially true on dirt streets in the middle of residential areas.

Walk this one back down the street, you can see the pedestrians watching.

lhgaghl 13 hours ago 1 reply      
How does it work without flash?? I was never able to use street view because in google maps when you zoom in it just says in a popup:

  To use street view, you need Adobe Flash Player version 10 or newer.  Get the latest Flash Player.

lelandbatey 8 hours ago 0 replies      
Wow, it only took me two clicks to get a glitched out shot : http://randomstreetview.com/#p6d4o_-4vsu8_93_a_4
iandanforth 12 hours ago 0 replies      
This is really neat! The very first place it took me was overlooking a sweet crater in Yosemite. Then there were a couple boring ones then a super awesome church in the Czech republic. ... And now I'll forget about this forever.
pwenzel 2 hours ago 0 replies      
Simple. Enjoyable. I just found several dozen places I want to travel to.
beefsack 5 hours ago 0 replies      
Reminds me of the fantastic game based around random street view: http://geoguessr.com/
hawkharris 7 hours ago 0 replies      
I'm curious: has Google used any of its autonomous vehicles to perform mapping for Street View?
rlu 13 hours ago 0 replies      
Yes!!! I sometimes do this manually by zooming out the map and then dropping the Street View pin with my eyes only half open (can't drop him in the ocean).
sz4kerto 14 hours ago 1 reply      
Wow, the second random street is in my hometown.
plaguuuuuu 5 hours ago 0 replies      
earlz 12 hours ago 0 replies      
I didn't even know that Google had street view cars in rural Africa! http://randomstreetview.com/#-en562_fdoqw_-2i_a_-7
frozenport 3 hours ago 0 replies      
You should weight the streets by population, as that is what people "experience".
cek 13 hours ago 0 replies      
Within a few minutes of clicking NEXT I started getting duplicates.

nader 13 hours ago 0 replies      
Even though I mostly end up in the middle of nowhere this surely makes me want to travel :
andys627 3 hours ago 0 replies      
Would be cool if it gave you a slow 360 view instead of just a random side of the road. Good job!
aabalkan 6 hours ago 0 replies      
I guess I hit the API limit very quickly after 20-30 tries. Map does not refresh anymore.
time0 14 hours ago 1 reply      
What's your randomizer? Maybe it's just me or maybe a lot of France looks the same but I swear I'm seeing a lot of repeats, perhaps as much as 1 in 20.
ivanbrussik 1 hour ago 0 replies      
I don't see North Korea?
acdanger 7 hours ago 0 replies      
A non-random Street View project that has some very interesting images.

arianvanp 13 hours ago 2 replies      
I recall something similar that would show random places on street view and you had to guess where it was located on the map. The closer you were the more points you would get. Does anybody remember how that was called, because that was way cool.
state 12 hours ago 0 replies      
I used to love to just take a 'walk' using street view from time to time. This is great. It really gives you a sense of how enormous the data set is.
frogpelt 13 hours ago 0 replies      
At first I thought, what is the point?

Then I clicked next a few times and visited random parts of France, Lithuania, Norway, and Harju County, Estonia on the coast of the Baltic Sea.

This is really cool.

asd 13 hours ago 0 replies      
I've been enjoying a similar site, http://www.mapcrunch.com/, for 2 or 3 years. It is very well done. You can select one or many countries in the options menu. It's a great way of enjoying the world from your couch.
nathan_f77 9 hours ago 0 replies      
My colleague just showed me http://geoguessr.com/, which is a pretty fun twist on the same concept.
tomatohs 10 hours ago 0 replies      
I built something similar for university. Though it uses location from Instagram, the photo, and description text to provide some context. http://sm.rutgers.edu/thebeat/
PedroBatista 4 hours ago 0 replies      
Great, i landed in the middle of nowhere in Oklahoma.

Story of my life...

michelutti 11 hours ago 0 replies      
Ok now I'll spend my entire day on this! However, my friend also visited the website and guess what? The same sequence of streets was shown to him. How does this random work?
kitsched 13 hours ago 1 reply      
I don't know if others suggested this but it might be interesting to define a rectangular region and it would only return views from inside that rectangle. Let's see how well I actually know my hometown.
samolang 12 hours ago 1 reply      
This would make an awesome wallpaper/screen saver.
megalomanu 13 hours ago 0 replies      
Wonderful! Sites like yours remind me why I love Streetview, which is like a gift for me. I take this opportunity to share one of my favorite blogs, "Dreamlands - Virtual Tour". It's a photography blog, like every photography blog, except that all pictures are made with Streetview! You don't have to speak French to enjoy it. Some places are incredible. http://dreamlands-virtual-tour.blogspot.fr/
lewispollard 14 hours ago 0 replies      
I chose United Kingdom and on the second click it showed a street in my childhood hometown!
brak2718 6 hours ago 0 replies      
This site does the same thing and has been around at least a few years: http://www.globegenie.com/
rokhayakebe 11 hours ago 0 replies      
Can we go by city? PLEASE. I think you could charge something for this. Maybe a one-time fee.
l-p 7 hours ago 0 replies      
Well, it really does what it says, that _was_ random: http://randomstreetview.com/#phyzb_dnid7_-d_r_-5
finishingmove 6 hours ago 0 replies      
Or not so random. I keep getting USA, Taiwan, Estonia and Sweden far more often than any other countries. Do they have the most streets? :P
0x0 15 hours ago 0 replies      
Strangely hypnotizing! Fun!
joelcollinsdc 13 hours ago 0 replies      
been around longer and funner: http://www.geoguessr.com/
callesgg 8 hours ago 0 replies      
Amazing :) An auto turner and a timer would be nice.
BenjaminN 14 hours ago 0 replies      
Hey, did you get the idea after seeing http://smwh.re ?
sdegutis 14 hours ago 0 replies      
It's really awesome to see how much of the world looks almost exactly like my street.
MichaelTieso 13 hours ago 1 reply      
This would be pretty awesome as a screensaver.
sushirain 12 hours ago 1 reply      
I was surprised to see that most street-views in the world are rural.
keammo1 13 hours ago 0 replies      
Great! I am getting lots of beautiful scenery. An up vote/down vote or ratings system would be great, and then you could start compiling a list of the most beautiful (or interesting) views.
gamerDude 11 hours ago 0 replies      
I would love to see a like feature here to aggregate the most amazing pics around the world.
jonheller 13 hours ago 0 replies      
This is really awesome, thanks!
ishener 14 hours ago 0 replies      
kudos for the mobile support, that's what i'm going to do on my ride home today
shangxiao 11 hours ago 0 replies      
Love it. Could be the source for some interesting social activities.
jcutrell 14 hours ago 1 reply      
Check out this sweet dragon.

Seriously, this is a fantastic thing you've made. I'm enjoying it immediately.

n_coats 12 hours ago 0 replies      
Really enjoying this! Thanks for building!
dextimilus 13 hours ago 0 replies      
good idea!
van_hn 14 hours ago 0 replies      
Not random.
Two "WontFix" vulnerabilities in Facebook Connect homakov.blogspot.com
151 points by homakov  10 hours ago   30 comments top 11
latchkey 6 hours ago 0 replies      
This is a serious thing Egor is bringing up.

Egor privately contacted my little site a couple weeks ago to let us know we had a vulnerability with the redirect issue. At first, we didn't quite understand it, but once we dug deeper, it is a pretty major issue.

Simply put, we use ElasticEmail to send out email from our service. They have a feature called 'custom tracking domain' where you can setup tracking.your_domain.xyz to enable link tracking of emails you send out. This is great except that the url is something like this: tracking.your_domain.xyz?redirect=urlencode(some other domain) <- EE will then do a redirect to whatever is specified in there.

Because we offer facebook connect authentication on our site, this created a security hole for us based on what Egor has discovered. In other words, because we setup some simple configuration of some 3rd party service that happens to allow for redirects, we are now exposing our users auth tokens. Doh!

The solution to fix this is to simply not enable tracking.your_domain.xyz, but now that we've turned that off, old links in emails are broken. If EE had tinyurl'd the links they send out, this wouldn't have been an issue because it wouldn't be an open redirect service. The emails would have to go through them, get rewritten and then they would store the unique ID to do the redirect. Yes, we've contacted EE about it and they are looking into it, but probably not seriously since it isn't really their bug per se. In a way, this is similar to what FB is saying to Egor (not our issue), but the fact is that a simple bit of configuration by people using these systems can really cause a lot of problems.

In the end, it all really means that if you have facebook connect on your site, you absolutely need to do an audit of your code and 3rd party systems and make 100% sure that you don't have any open redirects on your domains. This is a lot harder than it sounds.

As time goes on, I really hope we move to systems like Persona which haven't had these sorts of issues (so far). We also support Persona login on our site (as well) and it has been excellent. Being an open standard and allowing for multiple identity providers makes the chances of 'wontfix' a lot less of an issue.
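
To make the hole described above concrete, here is an added example written for this page (it is not latchkey's site's code, ElasticEmail's or Facebook's; the hostnames, the `?redirect=` parameter name and the use of the implicit flow, in which the provider returns the token in the URL fragment, are assumptions). It models three parties: the provider's check on `redirect_uri`, the client's link-tracking endpoint, and the browser, which keeps a URL fragment across a 302 whose Location carries none. With a host-only check on the provider side and an open redirect on the client side, an attacker-chosen `redirect_uri` on the tracking subdomain delivers the victim's token to the attacker; an exact-match whitelist refuses that `redirect_uri`, and a hardened tracking endpoint keeps the token on the site even when the whitelist is absent.

```python
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

# Constructed names for a hypothetical client site (not latchkey's site or
# ElasticEmail): the registered OAuth callback, a tracking subdomain that
# forwards to whatever its ?redirect= parameter says, and an attacker host.
CLIENT_HOST = "example.com"
TRACKING_HOST = "tracking.example.com"
REGISTERED_REDIRECT_URIS = {"https://example.com/auth/facebook/callback"}
ATTACKER_URL = "https://attacker.invalid/collect"


def host_only_check(redirect_uri):
    """Loose provider-side check: any https URL on the client's domain or a
    subdomain of it is accepted, query string and all."""
    u = urlsplit(redirect_uri)
    host = u.hostname or ""
    return u.scheme == "https" and (host == CLIENT_HOST or host.endswith("." + CLIENT_HOST))


def exact_whitelist_check(redirect_uri):
    """Strict provider-side check: scheme, host and path must equal a
    registered URI; a query string or fragment is refused outright."""
    u = urlsplit(redirect_uri)
    if u.query or u.fragment:
        return False
    return urlunsplit((u.scheme, u.netloc, u.path, "", "")) in REGISTERED_REDIRECT_URIS


def provider_implicit_grant(redirect_uri, check, token="TOKEN123"):
    """Models the identity provider's implicit flow: if redirect_uri passes
    `check`, the user's browser is sent there with the access token in the
    URL fragment. Returns the Location the browser is sent to, or None."""
    if not check(redirect_uri):
        return None
    return redirect_uri + "#access_token=" + token


def tracking_endpoint_open(request_url):
    """The open redirect: the Location header is whatever ?redirect= says."""
    target = parse_qs(urlsplit(request_url).query).get("redirect", [""])[0]
    return target or "/"


def tracking_endpoint_safe(request_url):
    """Hardened tracking endpoint: only forwards to https URLs on the site's
    own host (exact hostname match); anything else falls back to the root."""
    target = parse_qs(urlsplit(request_url).query).get("redirect", [""])[0]
    t = urlsplit(target)
    if t.scheme == "https" and t.hostname == CLIENT_HOST:
        return target
    return "/"


def browser_follow(current_url, location):
    """Browsers keep the current URL's fragment across a 302 when the
    Location header carries no fragment of its own."""
    frag = urlsplit(current_url).fragment
    loc = urlsplit(location)
    if frag and not loc.fragment:
        return urlunsplit((loc.scheme, loc.netloc, loc.path, loc.query, frag))
    return location


def run_attack(check, tracking_endpoint):
    """Attacker-chosen redirect_uri that bounces through the tracking host.
    Returns the URL the victim's browser finally lands on, or None when the
    provider refuses the redirect_uri."""
    evil_redirect_uri = "https://%s/?redirect=%s" % (TRACKING_HOST, quote(ATTACKER_URL, safe=""))
    landing = provider_implicit_grant(evil_redirect_uri, check)
    if landing is None:
        return None
    return browser_follow(landing, tracking_endpoint(landing))


if __name__ == "__main__":
    print("host-only check + open redirect:", run_attack(host_only_check, tracking_endpoint_open))
    print("exact whitelist + open redirect:", run_attack(exact_whitelist_check, tracking_endpoint_open))
    print("host-only check + safe redirect:", run_attack(host_only_check, tracking_endpoint_safe))
```

The hardened endpoint is defence in depth only: the token still arrives at `/` in the fragment, so the exact whitelist on the provider side (no query string, no subdomain wildcard) is the control that matters. The approach latchkey mentions, an opaque link ID looked up server-side, removes the redirect parameter altogether and is better still.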

arice 7 hours ago 0 replies      
This is great work by Egor, as usual. I work on Facebook's security and thought I'd add a bit more clarity here on the mitigation steps available to developers. Awareness here is important.

The first issue manifests itself if 1) an account has been previously registered on a client site, 2) that site offers the ability to "link" that existing account with a Facebook account, and 3) the action that performs the linking on the client site is vulnerable to CSRF. If you're a developer implementing conditions 1 & 2, make sure the linking action is protected by your anti-CSRF framework. Requiring explicit consent prior to linking accounts is a good idea for a number of reasons beyond this attack.

The second issue builds on what Egor refers to as "OAuth's Achilles' Heel": if the client site contains Open Redirect or XSS vulnerabilities, those vulnerabilities can often be leveraged to compromise the OAuth credential. To greatly reduce the likelihood of this attack, you should restrict which endpoints on your domain are capable of participating in the OAuth flow. See Facebook's Best Practices for Login Security guide[1], specifically the "Specify a whitelist of OAuth redirect URLs" section. Of course, you probably want to fix any Open Redirect & XSS vulnerabilities as well.

[1] https://developers.facebook.com/docs/facebook-login/security...
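
An added example for the first issue and the mitigation arice describes (written for this page; it is not Facebook's, Egor's or any client site's code). It assumes the simplest form of the attack, the attacker obtaining an authorization code for his own provider account and making the logged-in victim's browser load the client's linking callback with it; the `/fb/connect` path, the provider URL, the user table and the code values are constructed. The `state` parameter is minted and bound to the session only when the user explicitly starts the linking, which is what an anti-CSRF token does for any other state-changing action, and it is consumed on first use.

```python
import hmac
import secrets

# Constructed data for a hypothetical client site (not Facebook's code and
# not any real site): the local users table and the identity the provider
# would report for a given authorization code.
USERS = {"alice": {"facebook_uid": None}}
PROVIDER_CODES = {
    "code-for-alice": "fb-uid-alice",        # code alice obtained by logging in herself
    "code-for-attacker": "fb-uid-attacker",  # code the attacker obtained for his own account
}
AUTHORIZE_URL = ("https://provider.example/oauth/authorize?client_id=APP_ID"
                 "&redirect_uri=https%3A%2F%2Fexample.com%2Ffb%2Fconnect")


def start_link(session):
    """The "link my Facebook account" action, reached only by an explicit click
    from the logged-in user: mint a one-time state value, bind it to this
    session and send the user to the provider with it."""
    state = secrets.token_urlsafe(32)
    session["link_state"] = state
    return AUTHORIZE_URL + "&state=" + state


def resolve_identity(params):
    """Stands in for the code-for-token exchange plus the profile lookup:
    whatever identity the provider reports for the supplied code."""
    return PROVIDER_CODES.get(params.get("code", ""))


def fb_connect_vulnerable(session, params):
    """/fb/connect as described in the post: links whatever identity comes
    back to the logged-in account. Any URL the victim's browser can be made
    to load (an <img>, a link) completes the linking."""
    uid = resolve_identity(params)
    if uid is None:
        return False
    USERS[session["user"]]["facebook_uid"] = uid
    return True


def fb_connect_protected(session, params):
    """Hardened /fb/connect: only complete a flow this session started. The
    state value is popped so it cannot be replayed, and compared in
    constant time."""
    expected = session.pop("link_state", None)
    given = params.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), given.encode()):
        return False
    uid = resolve_identity(params)
    if uid is None:
        return False
    USERS[session["user"]]["facebook_uid"] = uid
    return True


def run_scenarios():
    """Returns which identity ends up linked to alice's account under each handler."""
    results = {}

    # 1. CSRF against the vulnerable handler: alice is logged in; her browser
    #    is made to load /fb/connect?code=<attacker's code>.
    USERS["alice"]["facebook_uid"] = None
    session = {"user": "alice"}
    fb_connect_vulnerable(session, {"code": "code-for-attacker"})
    results["vulnerable_forged"] = USERS["alice"]["facebook_uid"]

    # 2. The same forged request against the protected handler: no flow was started.
    USERS["alice"]["facebook_uid"] = None
    session = {"user": "alice"}
    results["protected_forged_accepted"] = fb_connect_protected(session, {"code": "code-for-attacker"})
    results["protected_forged"] = USERS["alice"]["facebook_uid"]

    # 3. A flow was started, but the forged request carries a guessed state.
    session = {"user": "alice", "link_state": secrets.token_urlsafe(32)}
    results["protected_guessed_state"] = fb_connect_protected(
        session, {"code": "code-for-attacker", "state": "guess"})
    results["state_consumed"] = "link_state" not in session

    # 4. The legitimate flow: alice clicks "link", goes to the provider and
    #    returns with the state her own session minted.
    USERS["alice"]["facebook_uid"] = None
    session = {"user": "alice"}
    state = start_link(session).rsplit("state=", 1)[1]
    results["legit_accepted"] = fb_connect_protected(session, {"code": "code-for-alice", "state": state})
    results["legit"] = USERS["alice"]["facebook_uid"]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, "->", value)
```

The same check belongs on the login-by-Facebook path, not just on linking: the `state` value is the per-flow secret that ties the provider's response to a request this browser session actually made. If the site's own anti-CSRF framework already protects the "start linking" POST, the `state` check closes the callback side of the same action.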

korzun 9 hours ago 0 replies      
"In my opinion I'd recommend not using Facebook Connect in critical applications"

Sums it up pretty well.

Great job as always Egor :)

grrowl 1 hour ago 1 reply      
Sadly, Egor (who found this vulnerability) mentioned he's moving away from exclusively white-hat security since he "[tried to do] responsible disclosures but it gave me 0 profit. So now i will play with gray methods and see if its reasonable."

It's sad to see a researcher so talented and committed be pushed to the dark side simply because companies decide their bugs aren't "worth it"

Original post (now edited): http://egorhomakov.com/post/72088934127/year-2013

jonahx 8 hours ago 2 replies      
nice work, although it would be nice to have an end to end example (what i, the user, do at each step, and what the hacker is doing) and what the final result of the hack will be. in particular, the practical meaning of these two sentences:

> Now to all OAuth flows Facebook will respond with Attacker's profile information and Attacker's uid.

> as long as attacker can replace your identity on Facebook with his identity and connect their Facebook account to victim's account on the website just loading CLIENT/fb/connect URL.

was not clear to me.

theboss 9 hours ago 1 reply      
You would be ASHAMED how many websites and companies with software have "Won't fix vulnerabilities". The list to which I have reported is long....
Einstalbert 9 hours ago 0 replies      
I'm addicted to these blog posts, the guy is like some sort of magician.
SnacksOnAPlane 8 hours ago 2 replies      
I don't think I understand the first one. The flaw is that you can force someone to login to Facebook as someone they're not? It looks like you're saying that you can pass a custom username and password to the FB connect button and it'll log in as that user.
Rajiv_N 3 hours ago 0 replies      
Can some of the risk be mitigated by sending the user an email to confirm the connection? If the user has a verified email address on file before the connection is attempted, the facebook profile information (in this case the information of the attacker) could be sent to them asking them to confirm the connection.
uslic001 9 hours ago 2 replies      
Any way to find out what sites you have used this on in the past?
midas007 8 hours ago 2 replies      
Another reason I use NoScript, Disconnect and LightBeam, and also don't use Facebook.
Fig: Fast, isolated development environments using Docker orchardup.github.io
139 points by andrewgodwin  10 hours ago   33 comments top 12
thu 7 hours ago 3 replies      
I'm not involved with this project but there is some confusion in this thread, maybe I can share my point of view:

Docker is a tool to run processes with some isolation and, that's the big selling point, nicely packaged with "all" their dependencies as images.

To understand "all" their dependencies, think C dependencies for e.g. a Python or Ruby app. That's not the kind of dependencies e.g. virtualenv can solve properly. Think also assets, or configuration files.

So instead of running `./app.py` freshly downloaded from some Git <repo>, you would run `docker run <repo> ./app.py`. In the former case, you would need to take care of, say, the C dependencies. In the second case, they are packaged in the image that Docker will download from <repo> prior to running the ./app.py process in it. (Note that the two <repo> are not the same things. One is a Git repo, the other is a Docker repo.)

So really at this point, that's what Docker is about: running processes. Now Docker offers a quite rich API to run the processes: shared volumes (directories) between containers (i.e. running images), forward port from the host to the container, display logs, and so on.

But that's it: Docker as of now, remains at the process level. While it provides options to orchestrate multiple containers to create a single "app", it doesn't address the management of such a group of containers as a single entity.

And that's where tools such as Fig come in: talking about a group of containers as a single entity. Think "run an app" (i.e. "run an orchestrated cluster of containers") instead of "run a container".

Now I think that Fig falls short of that goal (I haven't played with it, that's just from a glance at its documentation). Abstracting over the command-line arguments of Docker by wrapping them in a JSON file is the easy part (i.e. launching a few containers). The hard part is about managing the cluster as Docker manages the containers: display aggregated logs, replace a particular container by a new version, move a container to a different host, and thus abstract the networking between different hosts, and so on.

This is not a negative critique of Fig. Many people are working on that problem. For instance I solve that very problem with ad-hoc bash scripts. Doing so we are just exploring the design space.

I believe that Docker itself will provide that next level in the future; it is just that people need the features quickly.

Docker -> processes

Fig (and certainly Docker in the future) -> clusters (or formations) of processes

bryanlarsen 8 hours ago 3 replies      
Is this meant to be a next-generation Vagrant? What advantages does it have over vagrant-lxc?
fit2rule 10 hours ago 2 replies      
I'd love to use this .. but who has time to learn yet another configuration and provisioning management tool? I mean, I can make the time - and will - but since this is just another docker management tool, let's use this moment to pick on it, a little bit..

What this needs is the ability to be pointed at a working VM - let's say, Ubuntu 13.10 server - and then just figure out what's different about it, compared to the distro release.

Something like the blueprint tool, in fact.

cameronmaske 9 hours ago 0 replies      
I've been using fig on some side projects. It's incredibly exciting how easy it makes configuring what could be a quite involved development environment. Installing redis is a 3 line addition to a fig.yml file (https://github.com/orchardup/fig-rails-example/blob/master/f...). It also has amazing potential for an agnostic development environment across teams.
aidos 5 hours ago 0 replies      
Looks interesting. I know that Docker is all about the single process model, but there are some images I've been meaning to play with that align themselves more with the single app (including dependencies) model (which fig also seems to attempt to solve).

frozenport 3 hours ago 0 replies      
How does Docker handle ABI incompatibility?

For example, EC2 disabled some of their extended instruction sets to ensure uniformity but I am not sure how long this will last. Then we will have to deal with Docker deployment problems.

I propose we dig deep into our Gentoo roots and build the dependencies on demand.

rwmj 9 hours ago 0 replies      
See also libvirt-sandbox (in Fedora for more than a year) which lets you use either KVM or LXC to sandbox apps:

slowmover 9 hours ago 3 replies      
Can anyone explain, in a nutshell, what features this tool provides beyond just using Docker itself?
maikhoepfel 7 hours ago 1 reply      
So, why is this development only? What's missing to make it production ready?
finishingmove 6 hours ago 0 replies      
Can't help but think about the Framework Interoperability Group whenever I read FIG. This looks awesome though.
tudborg 9 hours ago 0 replies      
This is exactly what i have been working on for the past few days, just in a way nicer package. Think i will ditch my current work and use this instead. thx.
notastartup 8 hours ago 1 reply      
can someone explain to me the application of Fig and Docker? Also, how do they differ?

One application I thought of is for deploying to client. You just get them to use the instance and there's zero configuration needed. but then, what if you need to make updates to the code base, how do you update the code changes to all the deployed fig/docker instances running already?

Hackathon Starter Boilerplate for Node.js web application github.com
224 points by sahat  13 hours ago   43 comments top 21
mackwic 12 hours ago 5 replies      
If you want boilerplate, the Yeoman collection of tools: http://yeoman.io/ is what you need. There's boilerplate for a huge amount of projects, with generators of the parts (like: service for Angular, models for Ember, routes for Backbone...). The angular-generator is a very complex piece of work, but is extremely efficient. I highly suggest you try it twice: once to fuck things up, another to understand the good way.

You can eventually use these CSS and HTML skeletons (http://html5up.net/) to do something neat, but I don't think someone will judge you because you used bootstrap.

In terms of javascript development, I've found SugarJs (http://sugarjs.com) to be extremely productive and efficient for what I need, combined with the front-end framework of your choice.

And you, what's yours ?

Xdes 10 hours ago 0 replies      
There's also a nice tool called Lineman http://www.linemanjs.com/. It's a simple convention-over-configuration-get-out-of-your-way command line utility that does all the heavy lifting so you can just code your app.

There are a number of templates[1] to get you started and once you get over the initial learning curve lineman fades into the background while you iterate on your app.

For a comparison with Yeoman see: http://www.linemanjs.com/#lineman-vs-yeoman

[1]: http://www.linemanjs.com/#project-templates

dworin 10 hours ago 0 replies      
As a casual hackathon participant, this is a really great tool. I've seen countless teams with winning ideas go down in flames when they spent two days on the log-in page. And I attribute any success I've had at hackathons more to my ability to prioritize away from those activities than my actual programming chops, which are average at best.

The biggest advantage you'll get out of this system is that it's simple, and you know it in and out because you built it. With all of the other tools that do the same thing, you run into the same problem: you don't have time to learn a new tool at the hackathon. By the time you've figured out Yeoman (which looks really cool), you only have a few hours to implement your app's actual functionality.

driverdan 8 hours ago 0 replies      
Very nice! This is a much better (and updated) version of my express-foundation project I created for hackathons: https://github.com/driverdan/express-foundation

I've pretty much abandoned express-foundation since I haven't been to a hackathon in a while. This repo pretty much seals its fate.

will_work4tears 11 hours ago 1 reply      
Is XCode or Visual Studio really a prerequisite? I guess I'm missing something, but looks like I could do this in IntelliJ or even sublime. Looks very interesting but I don't use either of those and don't have the current ability to run out and buy a Mac and have no interest in developing on Windows.
fantastical 13 hours ago 0 replies      
The use of the word "kickstarter" is pretty confusing here. My first thought was that this was something people at hackathons could use to put up ideas and see who's interested in joining them. I guess I should have noticed the lowercase "k".
samingrassia 12 hours ago 1 reply      
You should also checkout Drywall (http://jedireza.github.io/drywall/)

Has all major oauth integrations and a fantastic user system... I have also heard that it was used a bunch at node knockout recently. Definitely worth checking out-

subpixel 13 hours ago 0 replies      
A boilerplate for Node.js would be less confusing.
pavingways 7 hours ago 1 reply      
I know it's shameless, but what are comments for if not self-promotion... I'm working on something like that too:


My focus is on clean structure, completeness of tools and documentation (mostly inline) so you not only get a node/express/jade/everyauth/mongodb app but also can learn what's going on and how it all works together.

SPA app on top coming up ...

squigs25 12 hours ago 2 replies      
This is so cool! Has anyone seen anything similar for a python flask app boilerplate (with OAuth + how to use guide)?
jsumrall 13 hours ago 0 replies      
Cool work, but like others say, the title here is confusing.
cridenour 12 hours ago 0 replies      
I think the differentiator here is the amount of documentation and that they make no assumptions about your system. For instance, telling me I need XCode to even build some of the libraries - not something I see in very many docs but absolutely something I see people run into at events like Startup Weekend.
romain_dardour 8 hours ago 0 replies      
Or you could use http://hull.io and not even need backend code
tvaughan 9 hours ago 0 replies      
I wondered when this day would come. This project doesn't consider Linux a platform you develop on https://github.com/sahat/hackathon-starter#prerequisites, but rather a platform you deploy to, if that. Heroku is so abstract it could be almost any OS.
nathan_f77 8 hours ago 1 reply      
Cool! Is there anything like this for Rails?
ankit84 12 hours ago 0 replies      
Kudos !!

Awesome, this is what I wanted to make. We should make this config driven. say what Oauth/logins to be enabled, etc.

Any one starting a new project should use this this config and be able to get desired features up and running in minutes.

nawitus 10 hours ago 0 replies      
I think it should include a Gruntfile.
aioprisan 12 hours ago 0 replies      
Awesome work! I think the tag line "boilerplate for node.js hackathon apps" would be more fitting.
twog 8 hours ago 0 replies      
Does anyone know of a similar project in Ruby?
vamur 7 hours ago 1 reply      
Unfortunately requires Mongodb as every other boilerplate Node.js app.
Marcus316 12 hours ago 0 replies      
Thanks for posting this. I am particularly interested in the OAuth2 portion. I'm going to go pick through your code now. :D
Uber sued by family of six-year-old killed in San Francisco crash theguardian.com
9 points by georgebashi  1 hour ago   19 comments top 6
rd108 15 minutes ago 0 replies      
Uber, Lyft and their ilk are half innovative, efficient tech services and half hypercapitalist scavengers employing workers while avoiding paying those pesky benefits, worker's compensation or damages to a dead six-year-old's family.
nobody_nowhere 1 hour ago 0 replies      
FTA> This is the first case against Uber and is likely to be hard fought by the company

First legal case against uber? My ass it is.

faramarz 47 minutes ago 2 replies      
The article doesn't mention if the driver was en route to pick up a driver.

Uber should be liable once the driver taps on the button and a customer is locked in. He's rushing to get there, like any other taxi driver who sees a customer flag them down across the road.

Makes sense, no? That said, this is any company's nightmare. Why don't they just settle and be a good citizen?

zobzu 31 minutes ago 0 replies      
Kinda funny how it defends "taxis' good driving". Pretty sure I don't need to describe how there are safe and less safe drivers, and taxis certainly aren't a model of safety for driving in general.
jonobird1 24 minutes ago 4 replies      
I don't see how Uber is responsible. Correct me if I'm wrong but you wouldn't sue Android if you were texting while driving, or Google Maps if you were changing your location and had a crash.

So why would Uber be responsible if their driver was using their app? Especially if Uber says to their drivers not to use it while driving.

Interested to hear thoughts here.

RealGeek 27 minutes ago 1 reply      
> 3) The news reports - "at green light". Does that mean, even the driver was not at fault?

The driver was turning right, which means the pedestrians' light was also 'Go'. Moreover, the driver must yield to pedestrians according to right-of-way traffic laws. So the driver was at fault, not the pedestrians.

Most likely the driver was in a hurry to pick up an Uber passenger, that means he was on Uber's duty. Uber's argument is ridiculous.

Uber should step up and do the right thing. Their drivers and cars should be covered by insurance as long as their app is being used.

There Are Only Four Billion Floats So Test Them All randomascii.wordpress.com
5 points by thedufer  50 minutes ago   discuss
US and UK spy agencies scoop up private data from 'leaky' phone apps theguardian.com
134 points by weu  11 hours ago   87 comments top 16
suprgeek 10 hours ago 5 replies      
Many interesting "nuggets" buried in this report. For example:

...A more sophisticated effort, though, relied on intercepting Google Maps queries made on smartphones, and using them to collect large volumes of location information.

So successful was this effort that one 2008 document noted that "[i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system."

At this point it is perhaps not wrong to conclude that the whole internet is bjorked by these agencies. Open to snooping and manipulation at any and every level for any user.

It is time for a reboot, this time with much more focus on security.

CWuestefeld 10 hours ago 2 replies      
One slide from a May 2010 NSA presentation on getting data from smartphones breathlessly titled "Golden Nugget!" sets out the agency's "perfect scenario": "Target uploading photo to a social media site taken with a mobile device. What can we get?"

To me, this is quite telling.

The NSA is not considering what data they need to achieve their mission, and then trying to find that data. Instead, they're just looking for "what can we get", and worry later about how it might be useful (or legal!).

This is no way to run a successful organization in the 21st century.

falcolas 10 hours ago 5 replies      
Anymore, it seems prudent to simply assume that if you use the internet at all, all of the details about you are available to determined individuals, public or private. Even details you've never consciously given out over the internet are available to those with the power and desire to infer from your browsing datasets (see: Target and the pregnant daughter).

Someone, please tell me I'm wrong.

minimax 6 hours ago 4 replies      
Exploiting phone information and location is a high-priority effort for the intelligence agencies, as terrorists and other intelligence targets make substantial use of phones in planning and carrying out their activities, for example by using phones as triggering devices in conflict zones.

That's a good point and a good reason why it's irresponsible for these newspapers to post the details about this technology. This kind of CI doesn't work as well once everybody knows what you're doing. It also gives a road map to more oppressive governments looking for ways to spy on their citizens.

The documents do not make it clear how much of the information that can be taken from apps is routinely collected, stored or searched, nor how many users may be affected.

Right, so this is just publishing some details of NSA/GCHQ counterintelligence technology without saying how they are using it. Unless they have some evidence of wide scale deployment of these techniques, how is this surprising? Do we not expect spy agencies to develop surveillance technology?

hackoder 8 hours ago 1 reply      
(Copied from https://news.ycombinator.com/item?id=7132790)

If you're using Android, I'd highly recommend using a combination of XPrivacy [1] and Android Firewall [2] (iptables frontend).

To make your life easier, disallow everything from accessing the net in Android Firewall. Then, for those apps which you've allowed net access, further tweak what they're allowed to access in XPrivacy. As a rule, turn off account info, clipboard, location, contacts, and storage.

Not perfect, but a decent solution.

[1] https://github.com/M66B/XPrivacy

[2] https://play.google.com/store/apps/details?id=com.jtschohl.a...

cryoshon 9 hours ago 1 reply      
So they're spying on the children playing Angry Birds in the name of preventing terrorism. I bet the data they're gathering has saved a lot of lives.

This is just one more strike into the already well-beaten dead horse of an argument that the NSA is spying in the name of preventing terrorism.

I will spell it out: the goal of the NSA surveillance is omniscience in the name of preserving the power of the state. They have made great progress toward this ideal.

fit2rule 10 hours ago 4 replies      
The only solution is to move to a phone OS that is 100%, completely, open. I.e. not even app developers are allowed to ship blobs - it's All-Source-Code, All-The-Time.

I know, it's a highly unlikely scenario, but I can't help but feel that in the midst of this human rights disaster, Open Source can come to the rescue.

pirateking 4 hours ago 0 replies      
The only fix to our information, privacy, and security pop culture is destroying the whole system, and building a new one holistically with a focus on security and education at the lowest levels of the system. This almost certainly means destroying computing as we know it as a prerequisite.

Once you have something that grows faster than education grows, you're always going to get a pop culture. - Alan Kay

username223 3 hours ago 0 replies      
Between this and the recent credit card and identity leaks by Target and others, I really wish people would connect the dots. If companies are grabbing and storing incredible amounts of information about millions of people, that information will inevitably get the attention of spammers, scammers, stalkers, criminals, governments, and anyone else who could possibly put it to use. The solution is to limit what companies collect in the first place.
seanr 10 hours ago 2 replies      
There ought to be more emphasis that these documents are circa 07/08. HTTPS websites were an oddity back then.
nly 10 hours ago 0 replies      
AFWall+ doesn't hurt, if you can get the damn thing to work (I seem to have issues with loads of apps that require root on my Nexus 4)


fredgrott 10 hours ago 1 reply      
Curious, how many app devs are doing security/permissions audits?

On Android java side we have a tool called:


Which I am recently learning to use..

winslow 8 hours ago 1 reply      
I'm sure they are finding and identifying tons of "terrorism threats" by looking at Angry Birds data... /s

If anything they are just making it harder to find the needle (terrorist threat) in the haystack (their dragnet of data). At the end of the day maybe they don't care about finding the needle anymore.

Learjet 10 hours ago 1 reply      
Ridiculous, seems like they are taking data and storing it and waiting to get subpoenas to look into and analyze the data later. Welcome to the new world order, where your every movement is known.
ommunist 9 hours ago 2 replies      
Hmmm.... I can see how an open source app can exist on GitHub and in your iTunes if you have a Developer Account. But can you be sure it is 100% open source once it went through the App Store gates? I am just asking.
CryptcWriter 8 hours ago 0 replies      
Is any of this really a surprise to any of you?
Tesla Completes L.A.-to-New York Electric Model S Drive Chargers bloomberg.com
196 points by gus_massa  11 hours ago   169 comments top 19
TallGuyShort 11 hours ago 4 replies      
>> provide 170 miles of range in a 30-minute charge

That would have still sounded impractical to me when I was still able to just drive through the night to get where I needed to be. Now that I travel with a young baby and a dog, that's about how often and for how long I have to stop for breaks anyway. This is impressive progress anyway, but I'm especially impressed now that it really wouldn't alter my own schedule much.

codex 6 hours ago 4 replies      
The most serious issue with electric cars isn't road trips, it's the fact that if you don't own your own home, or live in a dense city with no off street parking, you likely don't have reliable access to a daily recharge overnight. That's probably half the driving population of America. 30 minutes of quick charging is fine every so often, but not every day or even every week.

This is why fuel cells continue to be pushed as a viable alternative--quick, carbonless refueling. The closest equivalent that the EV world can offer is a battery swap station, but that has a host of issues.

mdturnerphys 9 hours ago 3 replies      
Not the most direct route between the two cities [1]. It looks like there are at least two parts of the route that don't follow interstates. The excursion up to South Dakota to go past Mt. Rushmore makes sense, but I can't figure out the jog into New Mexico. Unless someone's really interested in a couple of National Monuments in that corner of NM, it looks like the only reason for that jog is to go to the Four Corners Monument with the minimum travel distance through an Indian reservation.

[1] http://www.teslamotors.com/supercharger

gregpilling 2 hours ago 0 replies      
According to this http://www.thetruckersreport.com/infographics/cost-of-trucki... the average semi truck driver spends $70,000 a year on fuel. I have to wonder how this could change with a big rig sized version of the Supercharger stations. Nationwide trucking with (basically) free fuel.

The trucks could hold a lot more batteries.

baddox 7 hours ago 2 replies      
Does anyone have any idea what the current bandwidth of the LA-NY route is? In other words, given how many chargers exist along the route, how many Tesla cars can make the trip per unit time?

Obviously, if you assume the optimal arrangement (each car being separated from the next by exactly 30 minutes), each charge plug can support 48 cars per day.

That's also assuming that the chargers are arranged such that each leg between chargers is less than 170 miles. The article doesn't indicate whether this is the case.

cjensen 9 hours ago 1 reply      
Great progress on the supercharger buildout [1]! That said, traveling from LA to NY via New Mexico and South Dakota is a pretty funny route.

[1] http://www.teslamotors.com/supercharger

rdl 10 hours ago 2 replies      
I'm curious if I'd want a Model S (top model) or a BMW 535d or other mid-luxury diesel sedan in Germany in a couple years.

Around the city, sure, big advantage to the Tesla. For Autobahn trips at 150-250 km/h, stopping every 1-2h would get old fast, even if every service stop had a supercharger.

ajcarpy2005 1 hour ago 0 replies      
These superchargers are great but I think in many cases it would be more practical to fully charge overnight at a hotel. (Not sure how likely a hotel would be to accommodate this.) Hopefully hotels begin to build out electric outlet access for some of their parking spaces. The beauty of charging overnight is you don't need to buy a special charger, so the infrastructure would be relatively inexpensive.

Imagine if you could simply rent a fuel-cell (hydrogen?) for long trips and connect it in the trunk...Or even just renting extra batteries. (although quite heavy and inconvenient to carry)

I'm fully convinced electric cars are a big component in the future of transportation but there are many challenges to solve. Also ET3/hyperloop seems promising.

offmango 9 hours ago 4 replies      
I find it fascinating how Tesla is approaching this from both ends, supplying both the vehicles and the power. If the electric vehicle trend goes their way, they'll have an enormous advantage in the market. But if Tesla goes belly-up for whatever reason and the charging stations had to close, Tesla owners could lose their primary fuel source.
fit2rule 10 hours ago 8 replies      
I hope actually that Americans learn to drive less, not more, as a result of these sorts of changes in the market.

It always amuses me that a majority of American life is lived on the road. For all the pleasures of the free and the brave, they love their little cages..

babuskov 10 hours ago 3 replies      
A perfect solution would be to switch your empty battery with a full one and just go. Let the charging station fill it up.

Are there any drawbacks to this?

digikata 9 hours ago 2 replies      
It's too bad you couldn't just hitch a secondary external battery pack to a mini-trailer hitched to the car for long distances. Roll into a station, unhitch the pack, swap for charged one, go on your way maybe 15 min later.

I know there are proposals for swappable internal packs, with automatic swap machinery at the station, but a trailer hitch and external plug requires a lower capital investment, and is much less intrusive to the vehicle design.

umsm 9 hours ago 3 replies      
Is it reasonable to buy a Model S now hoping that within 6-7 years you can swap out the "old" tech batteries for newer / better / faster / higher capacity battery packs which will be introduced in 5-7 years?

If so, it wouldn't be a bad long-term car for those of us who like to keep cars more than 5 years.

dm2 8 hours ago 0 replies      
Unrelated: That pond / front water thing on http://www.teslamotors.com/supercharger seems like it would be unnecessarily easy to drive or walk into.
QuantumGood 3 hours ago 0 replies      
If I needed to make a long road trip, I'd lease a car that is good for long road trips and rent my Tesla to someone (or not).

If I wanted to make a long road trip, I might not mind more frequent stops.

coreymgilmore 3 hours ago 0 replies      
Good to see the network growing. It may still be sorta impractical, but at least Tesla is putting a foot forward and expanding their charging network. In the end, this alone could push their sales higher since no other vehicles (brands) can charge on the supercharger network.

So in, let's say, 5 years... would you rather buy an electric car with an established and easy to use charging network, or a different-brand electric car that is just launching its charger network? Tesla for the long term.

chiph 4 hours ago 0 replies      
McDonalds or Cracker Barrel ought to get in on this at a corporate level.
ryanobjc 10 hours ago 0 replies      
This is what the future looks like people!
The Great Code Club greatcodeclub.com
145 points by cocoflunchy  12 hours ago   72 comments top 20
crazygringo 8 hours ago 4 replies      
This seems cool, as far as I can tell it's more for one's personal education, rather than producing something for others to use?

So I'm curious... is there any kind of "open-source incubator" out there? Like, a site with 500 developers signed up, they all vote on new project ideas, start a new project each month, kind of like a great big collaborative hackathon, in order to put out some really impressive piece of software, that then hopefully lives on?

E.g., an open-source iTunes integrated with bittorrent, complete with iPhone app. A font-design program for amateurs. A keyframed animation tool that outputs to HTML5 canvas. A dynamic texture generator program. A user-friendly neural net trainer. A new lossy image compression format and encoder/decoder designed for resolution independence instead of a fixed pixel grid. I don't know, just cool projects that get people really excited.

I mean, the logistics of organizing such a thing would be a little crazy, since not every type of project is amenable to a large number of developers working in parallel, and you'd need a kind of domain expert and lead architect on each one. But it would be so, so cool...

asgard1024 11 hours ago 6 replies      
Neat, but I would prefer something similar to Alcoholics Anonymous. A self-support group for people who already have personal projects, want to work on them, but are either lazy or procrastinating or paralyzed by analysis.

Although I would probably not pay money for either.

shawndrost 22 minutes ago 0 replies      
I know Marc-André and can vouch for the quality of his instruction and his creative, effective class formats. This is a very cheap way to learn a lot from him, and I highly recommend it.

(I teach software engineering for a living.)

CGamesPlay 10 hours ago 1 reply      
Is this more of a curated program where I am assigned a project to work on and given support towards doing so, or is this a community where people come in with projects and the community works collaboratively towards supporting these projects?

Is it a club or a school?

macournoyer 11 hours ago 4 replies      
I'm the creator of the club. Happy to answer any questions about this. I'm just getting started with this so feedback is very much appreciated :)
sdegutis 12 hours ago 3 replies      
A little off-topic, but it makes me a little sad that the exemplar my_great_project it mentions is in JavaScript.

It's not because of the language itself. It's because it's implied that the platform my_great_project would be built on is "Chrome, the new C runtime". This is the "platform of the future" and that makes me kinda sad.

EDIT: clarified

evv 11 hours ago 1 reply      
Are you trying to find people who are learning to code, or recruit experienced developers?

Falling into the latter group, I don't see any reason to pay $30/mo for an online community which already takes my time.

k-mcgrady 10 hours ago 0 replies      
Nice idea. I don't have the time to do this right now as I'm already working on a few side projects but I'll definitely be checking back in a few months. Not too sure $30 is the right price. $20/25 feels better to me (small difference I know but $30 just 'feels' a little high).
coenhyde 8 hours ago 0 replies      
I never have any problems starting something new. I have problems finishing what I start. When I start a new project I do the hard parts first for a proof of concept. Except now that I know it can be done I lose interest...
ssully 1 hour ago 0 replies      
I really appreciate this idea and have signed up, but the $30 monthly tag seems a bit much with the amount of information given.

This could really benefit from a trial period, or maybe a demo project. A demo project would be neat; have it offer everything the other monthly projects will so people know exactly what they are getting into.

wil421 7 hours ago 0 replies      
This looks really great. I have enough knowledge from school and online courses that I really don't need to take another curated tutorial.

We haven't started development on my main project at work and I am itching to use my new skills. Recently I have been looking for something to collaborate on with more experienced devs but haven't found an outlet. This looks like something I was looking for.

mholt 9 hours ago 0 replies      
Cool idea.

And if you're gonna blur an image, blur the image. :)

jonhmchan 12 hours ago 0 replies      
Nice resource - just applied
githulhu 11 hours ago 0 replies      
Blocked by WebSense at my work. "Potentially Damaging Content." :(
codezero 11 hours ago 2 replies      
I'm curious why this even mentions that no credit card is required to apply. Is it required later? Why mention it at all if it's not?

Also, I use Ghostery and it blocks Google Analytics which seems to consequently block the click-through on your Apply button.

rgj 6 hours ago 1 reply      
So.... Your forum is meta.discourse.org with a photoshopped logo and a blur?
ricankng787 10 hours ago 0 replies      
Just applied, very excited to see how this works.
Baadier_Sydow 8 hours ago 1 reply      
Any idea when it will be launching and do you have plans to limit the size of the community?
Jack5500 10 hours ago 0 replies      
It would be nice to receive a confirmation mail. I'm quite sure if my application got to you now :)
naturalethic 9 hours ago 2 replies      
Buyer beware
Government to Allow Companies to Disclose More Data on Surveillance Requests nytimes.com
47 points by brnstz  7 hours ago   15 comments top 7
rst 5 hours ago 0 replies      
Analysis by Marcy Wheeler here: http://www.emptywheel.net/2014/01/27/the-new-transparency-gu...

Quoting the nub of it (please note, this is all her, not me):

First, you can sort of see what the government really wants to hide with these schemes. They don't want you to know if they submit a single NSL or 215 order affecting 1000 customers, which it's possible might appear without the bands. They don't want you to see if there's a provider getting almost no requests (which would be hidden by the initial bands).

And obviously, they don't want you to know when they bring new capabilities online, in the way they didn't want users to know they had broken Skype. Though at this point, what kind of half-assed terrorist wouldn't just assume the NSA has everything?

I think the biggest shell game might arise from the distinction between account (say, my entire Google identity) and selector (my various GMail email addresses, Blogger ID, etc). By permitting reporting on selectors, not users, this could obscure whether a report affects 30 identities of one customer or the accounts of 30 customers. Further, there's a lot we still don't know about what FISC might consider a selector (they have, in the past, considered entire telecom switches to be).

pippy 5 hours ago 1 reply      
They can now declare how many National Security Letters and FISA requests they get in increments of 250.

That's absolutely ridiculous. It's no better than not stating at all. They also still can't state if the request is relating to terrorism, or industrial espionage under the guise of alleged crimes. For now foreign companies have to assume the worst.

It's pretty depressing knowing that the United States has one of the best, and most clear constitutions ever written. You can't misinterpret the First Amendment, and yet it's now completely void.

mcphilip 6 hours ago 1 reply      
>The Justice Department had endorsed the new rules months ago but intelligence officials argued they still revealed too much information. The breakthrough came in recent weeks with a rule requiring new companies to wait two years before publishing data.

> That provision means nobody will know whether the government is eavesdropping on a new email platform or chat service. And it persuaded intelligence officials to endorse the rules, a U.S. official familiar with the discussions said. The Justice Department proposed the changes to the companies late last week and, by the end of the weekend, they agreed to drop their case before the FISA court.

Does this imply that the two year waiting period (as opposed to 1-year, six month delay) is a new restriction specifically added in for new companies in order to get Microsoft, Google, Yahoo, and Facebook to drop their case?

I don't expect that too many new companies would be eager to report that data, but I'm curious if this is ultimately a win for intelligence officials.

MWil 3 hours ago 0 replies      
This is tiered justice aka not justice.

"New" companies can be less open with their users?! Is company defined by its specific name? If Google snaps up the service, does that make it less new? If my LLC moves to another corporate form, is it "new"?

What can make the six-month delay more delayed? How indefinitely can an investigation that lasts longer than six-months take?

I'm also confused about the and/or status for NSLs, "selectors", and FISA orders. "Selectors" seems the most specific but the use of "will also be allowed" makes me question whether it's subject to the 250/1000 increment requirements at all.

qwerty_asdf 6 hours ago 0 replies      
Makes perfect sense!

I mean, thank god. I was really worried that they weren't disclosing nearly enough of my ostensibly confidential information.

God bless America.

14th 6 hours ago 1 reply      
How kind of them to allow freedom of speech!
kyleblarson 4 hours ago 2 replies      
More gems from the most transparent administration in US history. How stupid does he think the average American is?
In the world of war games, Volko Ruhnke has become a hero washingtonpost.com
128 points by mcu  12 hours ago   20 comments top 7
kriro 11 hours ago 4 replies      
Labyrinth is indeed brilliant. The best wargames recreate history and suck you in. Twilight Struggle is another excellent example. But that's also the highest level of complexity I'll tolerate. Friends of mine enjoy the super-detailed, a-rule-for-everything games but I think those are better left for the digital realm... just too fiddly for my taste.

I'm an avid gamer (>150 games in my collection) but I only own three war games. Twilight Struggle, Napoleon's Triumph and Maria. I'd recommend all of them :)

Andean Abyss is on my to buy list.

Edit: Link to BGG, wargames only: http://boardgamegeek.com/wargames/browse/boardgame

res0nat0r 12 hours ago 1 reply      
Awesome to see this on a big site like WaPo. Labyrinth is a great game and I'm looking forward to playing A Distant Plain.

Also if you want tons more info and pics, the best place to go is here: http://boardgamegeek.com/boardgame/127518/a-distant-plain

walshemj 11 hours ago 2 replies      
Interesting, though HG Wells arguably produced the first "wargame" with Little Wars, published in 1913. And even in the USA Fletcher Pratt and Jack Scruby predate Tactics.

Will definitely have to see if I can get a copy as I am sure my war-gaming club would enjoy it.

nnnnni 3 hours ago 1 reply      
I wonder what he thinks of Campaign for North Africa: http://www.boardgamegeek.com/boardgame/4815/the-campaign-for...

It's 8-10 players with a playtime of about 60000 hours. Yes, sixty thousand hours. That's twice the length of the actual conflict. The amount of detail is insane...

fidotron 12 hours ago 0 replies      
This is a fascinating article. The ethos here reminds me of the work of Dan Bunten ( https://en.wikipedia.org/wiki/Danielle_Bunten_Berry ), in the sense of combining entertainment with solid messages about reality. It's disappointing the market for such things doesn't seem to be bigger or the legacy from that strand in modern video games would be much stronger.
plinkplonk 10 hours ago 0 replies      
I just bought "A Distant Plain" and while it is more complex and fiddly (too many tiny counters on the board, the rules could be clearer) than say "Twilight Struggle" the design is very nice and the game is well worth playing.

Just in case any one is on the verge of buying :)

VLM 11 hours ago 1 reply      
It's an OK piece of journalism. He's a popular designer and it's a popular game. Not the best or the most popular, and there wasn't much discussion about the lively ecosystem other than some company 30 years ago went out of business, which is like claiming computers are dying because Atari stopped making the 800 about three decades ago. It's a fairly healthy marketplace.

According to boardgamegeek the Avalon Hill "Up Front" is more anticipated or whatever than this. I like the solitaire wargames and I'm really looking forward to Nimitz (which incidentally beat Distant Plain in the "anticipated" rankings for solitaire). I'm waiting to hear about the solitaire rules in Distant Plain before playing it.

The internet is what's driving modern tabletop wargaming: first excellent desktop publishing tools, second excellent printing-over-the-internet and third the community rallies around places like boardgamegeek, probably not so much WashPost.

One interesting thing about cardboard games, of which I have quite a few indeed (like, almost everything DVG has ever made, along with many other games) is the costs aren't flinched at very much because they last a long time. I have very little use for the first Bioshock game I bought many years ago for like $30, but the copy of DVG's Napoleon (probably long out of print) around the same time for about a hundred bucks is still perfectly playable. Given the cruddy weather I may do some gaming tonight...

Before someone pipes up about "putting these old fashioned things on a computer" there's already VASSAL although I don't like it because it's so low res. By low res, imagine professional printing at 600 DPI across an eight foot wide dinner table, that's like, what, 60000 pixels across, and there are no 60K pixel tablets available the size of a kitchen table anyway. So, no, online or on a tablet has little artistic appeal to me for playing. On the other hand I lurk BGG and other websites to learn, it's hardly a technophobic hobby by any means.

One interesting social media type effect is the designer might not be able to financially swing certain addons or feelies in the game, but the community will host them anyway online for printing at home. So if you always thought "Alexander" was supposed to be a card game instead of a counter game, there's a printable set of cards available at BGG to replace the random counters. I have a set and I agree Alexander should have been a card game not counter game. I'm sure you'll be totally shocked to hear that designers / distributors who support / tolerate their communities tend to be dramatically more financially successful than the cease and desist crowd. Another socially shared board game characteristic is print at home helpers. Flow charts, place mats, that kind of "artwork" that can't be economically shipped with the games but you can print at home if you want. Checklists, AARs, flowcharts, sometimes mods or alternatives...

It's a fun hobby which I greatly enjoy.

Board gaming / war gaming is already pretty well successfully startup'd and social media'd and could provide a good role model / map for other industries to do "stuff" online. If you're in another industry and you don't have a BGG work alike in your industry, well, you should, so some startup should hop to it and make some dough.

Improving Dropbox Performance: Retrieving Thumbnails dropbox.com
76 points by lowe  10 hours ago   18 comments top 10
herf 9 hours ago 1 reply      
Mostly you shouldn't have to hide backend latency by reordering, and if you don't reorder, you can just use JPEG image strips/sprites, which don't need double compression. JPEGs also stream, but in an order determined by the client, not the server.

In my experience, Dropbox is quite a bit slower (by 10-20x) than services optimized for serving images - using 1500ms to deliver a 25k file is very slow on the web, but it is very common when requesting files via the Dropbox web API. (I can only speculate about the reasons, but Amazon's S3 has big latencies too.)

erikpukinskis 6 hours ago 1 reply      
I don't really use Dropbox, but I was randomly browsing through mine looking for a photo the other day and it was a "holy shit" moment. It's really fast to scroll through a huge number of photos. I had been scrolling through Flickr a few minutes before and it was a massive difference. Flickr was very much a scroll-and-wait experience.
cstuder 9 hours ago 1 reply      
What about a sprites-like system?

Since you pretty much know which pictures the user will request, just glue the next 100 thumbnails together into one big picture and then take it apart again on the device.

drcross 7 hours ago 1 reply      
On the functionality end of things I think Dropbox should stop new feature development until heavy UX is done with large unbiased test groups. The application is simple and it works pretty well but recently I've noticed different barriers to use, notifications that I'd prefer not to see just getting in the way. It's a result of Zawinski's law; it's happening to Gmail where they think adding more bells and whistles is needed but it's not. In many cases user experience declines, for example playing a YouTube clip now blacks out the rest of your Gmail page while you watch it. Application developers need to learn that less is more.
b0b0b0b 3 hours ago 0 replies      
Were you already serving thumbnails over https? Or were they served over http?

edit: I was also wondering whether you can skip downloading some thumbnails based on the velocity of the scroll.

zaptheimpaler 8 hours ago 0 replies      
Basically, they chunk thumbnails - client asks for the next 10 thumbnails in one request, server sends back 10 thumbnails in the response.
WhitneyLand 9 hours ago 0 replies      
I think they could still do better without using SPDY. Going to try and make time to test a different approach.
cmicali 9 hours ago 0 replies      
tldr: use SPDY, but until there is more universal support, a similar custom hack is proposed

Neat hack though.. frustrating how much perf is lost due to HTTP sometimes

zoren 9 hours ago 1 reply      
Base64 and then gzip just to make it easier on JavaScript? Seems hard on Dropbox servers.

Why not use a multipart binary response?

tinganho 7 hours ago 2 replies      
I just see one problem with this solution. You can't create Retina images out of base64 strings in any web browser today.
The Failures of "Intro to TDD" testdouble.com
124 points by davemo  13 hours ago   61 comments top 21
akeefer 8 hours ago 2 replies      
I think this is a great explanation of a lot of the obvious pitfalls with "basic" TDD, and why so many people end up putting in a lot of effort with TDD without getting much return.

I personally have kind of moved away from TDD over the years, because of some of these reasons: namely, that if the tests match the structure of the code too closely, changes to the organization of that code are incredibly painful because of the work to be done in fixing the tests. I think the author's solution is a good one, though it still doesn't really solve the problem around what you do if you realize you got something wrong and need to refactor things.

Over the years I personally have moved to writing some of the integration tests first, basically defining the API and the contracts that I feel like are the least likely to change, then breaking things down into the pieces that I think are necessary, but only really filling in unit tests once I'm pretty confident that the structure is basically correct and won't require major refactorings in the near future (and often only for those pieces whose behavior is complicated enough that the integration tests are unlikely to catch all the potential bugs).

I think there sometimes needs to be a bit more honest discussion about things like:
* When TDD isn't a good idea (say, when prototyping things, or when you don't yet know how you want to structure the system)
* Which tests are the most valuable, and how to identify them
* The different ways in which tests can provide value (in ensuring the system is designed for testability, in identifying bugs during early implementation, in providing a place to hang future regression tests, in enabling debugging of the system, in preventing regressions, etc.), what kinds of tests provide what value, and how to identify when they're no longer providing enough value to justify their continued maintenance
* What to do when you have to do a major refactoring that kills hundreds of tests (i.e. how much is it worth it to rewrite those unit tests?)
* That investment in testing is an ROI equation (as with everything), and how to evaluate the true value the tests are giving you against the true costs of writing and maintaining them
* All the different failure modes of TDD (e.g. the unit tests work but the system as a whole is broken, mock hell, expensive refactorings, too many tiny pieces that make it hard to follow anything) and how to avoid them or minimize their cost

Sometimes it seems like the high level goals, i.e. shipping high-quality software that solves a user's problems, get lost in the dogma around how to meet those goals.

richardjordan 8 hours ago 1 reply      
The comments section today looks like a support group for beginners/intermediates who struggled with TDD and gave up, and so want to explain why it's all bunk. I get this. I am not a great programmer. I'm self-taught like a lot of you. I had tremendous difficulty grokking TDD and for the longest time I'd start, give up, build without it.

But, I'm here as a you-can-do-it-too. You might not think you want to but I'm so glad I DID manage to get there.

Feel free to ignore because I respect that everyone's experience differs. But the real problem is that there are few good step by step tutorials that teach you from start to competent with TDD. Couple that with the fact that it takes real time to learn good TDD practices and the vast majority of TDDers in their early stage write too many tests, bad tests, and tightly couple tests.

Just as it's taken you time to learn programming - I don't mean hello world, but getting to the competent level with coding you're at today, it'll take a long time to get good with TDD. My case (ruby ymmv) involved googling every time I struggled; lots of Stack Overflow; plenty of Confreaks talks; Sandi Metz' POODR...

Like the OP says - at different stages in the learning cycles you take different approaches because you're better, it's more instinctive to you. I thought I understood the purpose of mocks/doubles, until I actually understood the purpose of mocks/doubles. When used right they're fantastic.

The key insight that everyone attempting TDD has to grok, before all else, is that it's about design not regression testing. If you're struggling to write tests, and they're hard to write, messy, take a lot of setup, are slow to run, too tightly coupled etc. you have a design problem. It's exposed. Think through your abstractions. Refactor. Always refactor. Don't do RED-GREEN-GOOD ENOUGH ... I did for a long time. It was frustrating.

This is a good post. Don't dismiss TDD because you're struggling. Try to find better learning tools and practice lots and listen to others who are successful with it.

It's true that sometimes fads take hold and we can dismiss them as everyone doing something for no reason. But cynicism can take hold too and we can think that of everything and miss good tools and techniques. TDD will help you be a better coder - at least it has me. If your first response to this post was TDD is bullshit, give it another try.

usea 8 hours ago 3 replies      
I have tried many times to do TDD. I find it extraordinarily hard to let tests drive the design, because I already see the design in my head before I start coding. All the details might not be filled in, and there are surely things I overlook from the high-up view, but for the most part I already envision the solution.

It's difficult to ignore the solution that is staring my brain in the face and pretend to let it happen organically. I know that I will end up with a worse design too, because I'm a novice at TDD and it doesn't come naturally to me. (I'd argue that I'm a novice at everything and always will be, but I'm even more green when it comes to TDD)

I have no problem writing unit tests, I love mocking dependencies, and I love designing small units of code with little or no internal state. But I cannot figure out how to let go of all that and try to get there via tests instead.

I don't think that I'm a master craftsman, nor do I think my designs are perfect. I get excited at the idea of learning that the way I do everything is garbage and there's a better way. If I ever learn that I'm a master at software development, I'll probably get depressed. But I don't think my inability to get to a better design via TDD is Dunning-Kruger, either.

I want to see the light.

hcarvalhoalves 9 hours ago 2 replies      
The approach outlined actually makes much more sense without OO. I guess the WTF comes from forcing yourself into a world of "MoneyFinder", "InvoiceFetcher", etc. Makes it look a lot more complicated and prone to error than it is, because you're now supposed to mock objects that may have internal state. Otherwise it's the usual top-down approach with stubs.
mattvanhorn 10 hours ago 0 replies      
I think that Red-Green-Refactor is as much about learning to habitually look for and recognize the refactoring opportunities as it is about being meticulous in reacting to those opportunities.

It's true that nothing forces you to refactor - but I think wanting that is a symptom of treating TDD as a kind of recipe-based prescriptive approach. It is not a reflection of the nature of TDD as a practice or habit.

It's a subtle difference, but important:

A recipe says "do step 3 or your end result will be bad"

A practice says "do step 3 so you get better at doing step 3"

ChuckMcM 4 hours ago 1 reply      
I suspect if they had called it Architecture Driven Development (ADD) rather than Test Driven Development (TDD) it might contextualize better. Basically what the author explains is that you can design an architecture top down from simple requirements, deriving more complex requirements, and then providing an implementation strategy that lets you reason about whether or not you are "done."

But that 'test' word really puts people in the wrong frame of mind at the outset.

richardjordan 8 hours ago 2 replies      
Shout out for Sandi Metz's book POODR, and her RailsConf talk The Magic Tricks of Testing, if you're a rubyist (though the principles hold true for non-ruby OO programmers too).


Nimi 7 hours ago 0 replies      
I wonder about these workshops (even asked Uncle Bob Martin about them in a recent thread). I can't shake the feeling they are the exact opposite of agility (obviously, he is better qualified than me to judge that). Their limited time schedules, which are essentially a bound on the amount of contact between the client and the supplier, seem analogous to the infamous "requirements document". Also, there doesn't appear to be a "shippable" product at the end - the developers apparently don't end up practicing TDD.

I used to be an instructor for a living, and I kind-of equated lectures to waterfall and exercises to XP. There is even a semantically analogous term in teaching research, problem-based learning (each word corresponds to the respective word in test-driven development - cool, right?). Is there anyone else who sees these analogues, or am I completely crazy here?

GhotiFish 4 hours ago 1 reply      
I like the way he broke things up, but something bothers me about his technique.

All his classes ended in "er".

He's not writing object oriented software, he's writing imperative software with objects.

mattvanhorn 10 hours ago 2 replies      
I agree with the general approach suggested in the article (in tests, write/assume the code you wish you had).

But one detail ran counter to my personal practice.

I don't believe that "symmetrical" unit tests are a worthy goal. I believe in testing units of behavior, whether or not they correspond to a method/class. Symmetry leads to brittleness. I refactor as much as possible into private methods, but I leave my tests (mostly) alone. I generally try to have a decent set of acceptance tests, too.

Ideally, you specify a lot of behavior about your public API, but the details are handled in small private methods that are free to change without affecting your tests.

julie1 1 hour ago 0 replies      
TDD and agile have been an effort at breaking an old must-have for code which was ISO9001: the code should behave according to the plan, and if it doesn't conform, the plan must be revised if the tests failed. The Plan Do Check Act mantra. Now, they find themselves facing the consequences of not respecting the expectations of the customers and they whine because "it was not applied correctly, because no one cared".

So now, they reformalize exactly the so "rigid" ISO9001 they were trying to throw down.

What an irony.

zwieback 6 hours ago 0 replies      
Sure, but if the end result is "lots of little objects/methods/functions" maybe there's a simpler way of getting there, e.g. prescriptive design rules. After all, that's what every design method, including stuff from the waterfall era attempted.

I'd like TDD to be more than just another way to relearn those old rules, especially if we arrive at the same conclusions on a circuitous path. Perhaps the old design rules, object patterns, etc. have to each be integrated with a testing strategy, e.g. if you're using an observer you have to test it like this and if you refactor it like that you change your tests like so.

The general rules are easy to understand and your post makes perfect sense but once you formulate your new design approach you'll have to find a way to teach it precisely enough to avoid whatever antipattern is certain to evolve among the half-educated user community, which usually includes myself and about 95% of everyone else.

radicalbyte 10 hours ago 2 replies      
Excellent post, I've had exactly the same experience and come to exactly the same conclusion.

I still follow the old Code Complete method: think about the problem, sketch it out, then finally implement with unit tests. The results are the same, and it's a lot less painful than greenhorn-TDD.

tieTYT 9 hours ago 0 replies      
OK but after you "Fake It Until You Make It" and you have to add a new feature to that class structure, aren't you just going to start over with all the failures he brings up?


I haven't designed code the way he's advocating, but I have attempted TDD by starting with the leaves first. Here are the downsides to that:

1) Sometimes you end up testing and writing a leaf that you don't end up using/needing.

2) You realize you need a parameter you didn't anticipate. EG: "Obviously this patient report needs the Patient object. Oh crap, I forgot that there's a requirement to print the user's name on the report. Now I've got to get that User object and pass it all the way through".

Maybe these experiences aren't relevant. As I said, I haven't tried to "Fake It Until You Make It".

mrisse 10 hours ago 1 reply      
Might one of the problems be that we place too much importance on the "symmetrical" unit test? In your example the child code is still covered when it is extracted from the parent.

As a developer that often prefers tests at the functional level, the primary benefit of tests for me is to get faster feedback while I am developing.

Arnor 9 hours ago 0 replies      
> ...TDD's primary benefit is to improve the design of our code, they were caught entirely off guard. And when I told them that any regression safety gained by TDD is at best secondary and at worst illusory...

Thank you! Details of this post aside, this gave me an Aha! moment and I feel like I'm finally leaving the WTF mountain.

danso 11 hours ago 3 replies      
The more I try to explain TDD, the more I realize that some of my favorite concepts, like the ability to mock functionality of an external process because the details of that process should be irrelevant...is just beyond the grasp of most beginners. That is, I thought/hoped that TDD would necessarily force them into good orthogonal design, because it does so for me...but it seems like they have to have a good grasp of that before they can truly grok TDD.

Has anyone else solved this chicken and the egg dilemma?

searls 11 hours ago 0 replies      
Apologies for the downtime folks, this post is proving a little too popular for us. Would love to see some folks' reactions to the post in the comments.
viggity 9 hours ago 0 replies      
Yes! I've always hated the common kata, because for every dev writing software for a bowling alley, there are 200,000 devs writing software that sends invoices or stores documents.

When I'm teaching TDD, the kata I have everyone go through is a simple order system.

The requirements are something like:

A user can order a case of soda

The user should have their credit card charged

The user should get an email when the card is charged

The user should get an email when their order ships

If the credit card is denied, they should see an error message


This way they can think about abstracting out dependencies, an IEmailService, an ICreditCardService, etc. There are no dependencies for a Roman Numeral converter.
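
The order-system kata above, worked through in the way mattvanhorn describes (write the code you wish you had against interfaces you control) and with the kind of doubles danso mentions for external processes. This is an added example, not code from the article, from testdouble or from viggity's own teaching material; the class names, the `charge`/`send` method shapes, the `.invalid` addresses and the `tok_`/`ord_` identifiers are all constructed for it.

```javascript
// Test doubles for the two external services. Hand-rolled fakes that record
// every call are enough here; the point is that the order logic never talks
// to a real payment gateway or mail server in a test.
class FakeCreditCardService {
  constructor({ decline = false } = {}) {
    this.decline = decline;
    this.charges = [];
  }
  charge(cardToken, amountCents) {
    this.charges.push({ cardToken, amountCents });
    if (this.decline) return { ok: false, reason: "declined" };
    return { ok: true, chargeId: `chg_${this.charges.length}` };
  }
}

class FakeEmailService {
  constructor() {
    this.sent = [];
  }
  send(to, subject, body) {
    this.sent.push({ to, subject, body });
  }
}

// "The code we wish we had": written against the two interfaces above, with
// the dependencies injected, so the fakes can stand in for the real services.
class OrderService {
  constructor({ cards, email }) {
    this.cards = cards;
    this.email = email;
    this.orders = new Map();
  }
  placeOrder(user, item) {
    const charge = this.cards.charge(user.cardToken, item.priceCents);
    if (!charge.ok) {
      // Requirement 5: a declined card yields an error message and nothing else.
      return { ok: false, error: "Your card was declined. Please try another card." };
    }
    const orderId = `ord_${this.orders.size + 1}`;
    this.orders.set(orderId, { user, item, chargeId: charge.chargeId, shipped: false });
    this.email.send(user.email, `Order ${orderId} confirmed`,
      `We charged $${(item.priceCents / 100).toFixed(2)} for ${item.name}.`);
    return { ok: true, orderId };
  }
  markShipped(orderId) {
    const order = this.orders.get(orderId);
    if (!order) throw new Error(`unknown order ${orderId}`);
    order.shipped = true;
    this.email.send(order.user.email, `Order ${orderId} shipped`, `${order.item.name} is on its way.`);
  }
}

// The five requirements as executable specs. Each builds fresh fakes so specs
// never share state, and returns a result rather than printing one.
function runSpecs() {
  const user = { email: "customer@example.invalid", cardToken: "tok_constructed" };
  const soda = { name: "case of soda", priceCents: 1299 };
  const setup = (opts) => {
    const cards = new FakeCreditCardService(opts);
    const email = new FakeEmailService();
    return { cards, email, service: new OrderService({ cards, email }) };
  };
  const specs = [
    ["a user can order a case of soda", () => {
      const { service } = setup();
      return service.placeOrder(user, soda).ok === true;
    }],
    ["the user's credit card is charged", () => {
      const { cards, service } = setup();
      service.placeOrder(user, soda);
      return cards.charges.length === 1 && cards.charges[0].amountCents === 1299;
    }],
    ["the user gets an email when the card is charged", () => {
      const { email, service } = setup();
      service.placeOrder(user, soda);
      return email.sent.length === 1 && email.sent[0].subject.endsWith("confirmed");
    }],
    ["the user gets an email when the order ships", () => {
      const { email, service } = setup();
      const { orderId } = service.placeOrder(user, soda);
      service.markShipped(orderId);
      return email.sent.length === 2 && email.sent[1].subject === `Order ${orderId} shipped`;
    }],
    ["a declined card shows an error and sends nothing", () => {
      const { email, service } = setup({ decline: true });
      const result = service.placeOrder(user, soda);
      return result.ok === false && /declined/.test(result.error) && email.sent.length === 0;
    }],
  ];
  return specs.map(([name, check]) => ({ name, passed: check() }));
}
```

Each spec only asserts on what crossed the injected boundary (the recorded charge, the recorded emails, the returned result), which is why a later refactor of `OrderService` internals, say extracting an order repository, leaves the specs untouched.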

asfa124sfaf 8 hours ago 0 replies      
What about tools like Typemock? How does that fit in?
glittershark 8 hours ago 1 reply      
Hello there, Heroku error page
If You Used TorMail, the FBI Has Your Inbox wired.com
192 points by barkingbad  17 hours ago   125 comments top 26
skwirl 15 hours ago 8 replies      
I don't really see what there is to be upset about in this particular case. This is how investigations are supposed to be done, by the book.

The FBI has copies of the servers TorMail ran on that they legitimately seized in an unrelated investigation (the servers were also hosting child pornography websites).

In the course of another investigation, the FBI found that orders for forged credit cards were being sent to a TorMail account.

The FBI obtained a search warrant for that specific account and then accessed it from their own copy.

This is not trolling the seized database for anything and everything that might be illegal. This is finding probable cause from another source and obtaining a specific search warrant. This is how it is supposed to be done. Why would you expect anything less from competent law enforcement?

The FBI is not the NSA. FBI cases have to hold up in the light of open court.

If you are upset about the fact that TorMail was not in fact secure, well, that's on the TorMail operators and on the users for trusting the entity that controlled TorMail while knowing absolutely nothing about them. Remember, TorMail has nothing to do with the Tor protocol, and is just the name someone gave their supposedly secure and anonymous e-mail service that they hosted on the deep web. For all anyone knew, the FBI could have been running TorMail all along.

DanBC 16 hours ago 0 replies      
{EDIT: I really hope people were risk assessing and choosing an appropriate provider. Sadly, many people weren't and were choosing what they thought was secure. This is why the newer crypto tools get a lot of hostile scrutiny. Not because people don't want them, but because they have to operate in a hostile environment and consequences of failure can be severe. If prison is a risk you need have a lot to learn about encryption and privacy.}

There should be legal controls over what information is seized. Requests should need a warrant, signed by a judge. "Accidental" seizures of too much information should be reported to the body who provides scrutiny and oversight.

Some of those accidental seizures should be criminal offences and lead to punishments for the agencies involved. (Or the individuals).

While the UK has a lousy record on this (with bizarre interpretations of law so spies can say they obey the law) the reports from the scrutineers are interesting reading.


Here's a PDF of the latest report: http://iocco-uk.info/docs/2012%20Annual%20Report%20of%20the%...

Some parts of the UK government use statistics carefully and they have real statisticians available to produce and review the charts. This document? I'm not so sure. While the raw data can be trusted the use of pie-charts is usually a flag for me, and this document does include a few of them.

scrabble 15 hours ago 2 replies      
According to the article they did not look at the other data in the database until they had a warrant to do so. And they didn't obtain a warrant until a different investigation pointed at a tormail account.

That honestly doesn't sound too ridiculous.

nullc 13 hours ago 1 reply      
I never used TorMail, but people who emailed me did. So they have private email from me even though I never used the service.
dkokelley 12 hours ago 0 replies      
OT: Let me propose that link titles now replace link-baity parts (i.e. "This Secure Webmail Site") with specific data where available (i.e. "TorMail").
sdfjkl 15 hours ago 1 reply      
This post (and article) really need to have "TorMail" in the title.
belorn 15 hours ago 1 reply      
Email is one of the really worst security risks regarding exposure to false accusations. It's even worse if you consider prosecutors who are more interested in statistics and career than justice and truth.

Almost everyone has hundreds of thousands of emails lying around. All in your name, all forever stored, all with a legal signature on them binding you, and each with a short text message with no context. It is very often used as evidence, attached with a conjecture provided by the prosecutor. The defendant is then forced to try to defend themselves both regarding the conjecture, but also having to remember and explain the original context.

It has been used in a high-profile case to "prove" conspiracy, and has also been used by prosecutors to move public opinion by providing snippets (officially sanctioned leaking) to media.

This is why I view running an email server without full disk encryption to be negligence, and that everyone should have their own mail server. Until the legal system has caught up with technology, there's not much more one can do.

zvanness 16 hours ago 0 replies      
It sometimes amazes me how naive people are. The reality is that since the Patriot Act, the entire intelligence community has had access to any information they need. One needs to be delusional to think that they do not already have access to your emails, browsing history, phone call conversations in both audio and text versions, mapping points of where you have been throughout the day. They collect a very wide net of data that they can later scan through for any reason. And no, that data isn't deleted after a certain time frame.

Why are articles like this so shocking?

Have any of you guys had IQT reach out to you, the CIA's investment ARM? They are very active in finding tech companies that can decipher this data, profile everyone automatically, categorize people, and try to predict their next behaviors.

nraynaud 11 hours ago 0 replies      
If the French hosting service was really OVH, it would be quite strange that a Polish refugee fleeing for political reasons would take part in a large-scale spying operation. But since they are now operating in the US, I guess they have no choice but to look like nice little soldiers.
nly 15 hours ago 1 reply      
Who goes to the hassle of using Tormail and then doesn't use PGP? Tormail only kills off metadata.
hendersoon 1 hour ago 0 replies      
Unless I missed it, the FBI still hasn't disclosed how they tracked down the physical server. The FBI said it was "located in a country with an arrangement with the US, who gave us access", but remained intentionally vague and said nothing more. Can they really use that data without disclosing how they got it?
malka 16 hours ago 1 reply      
NEVER EVER trust the pipes. If you want your communication to be safe, encrypt it yourself.
interstitial 11 hours ago 0 replies      
If HN is going to be a nexus of discussion on the FBI and NSA, it needs to understand the "social engineering" programs going on, and take steps to out astroturfing.
Thiz 16 hours ago 1 reply      
If you used ANY webmail site, the FBI has your inbox.


atmosx 5 hours ago 0 replies      
People who used TorMail with their real name and/or without PGP are naive and clearly have no idea what they were into. If the NSA has a huge amount of PGP's well... who cares? :-)
f_salmon 17 hours ago 2 replies      
While investigating a hosting company known for sheltering child porn last year the FBI incidentally seized the entire e-mail database of a popular anonymous webmail service called TorMail.

Now the FBI is tapping that vast trove of e-mail in unrelated investigations.

That says pretty much all about their methods.

codys 4 hours ago 0 replies      
Parallel Construction, anyone? They just happened to be executing a search of his gmail account and certainly hadn't looked over this trove of emails from people trying to be secretive?
jobigoud 15 hours ago 0 replies      
Surely if you use TorMail you are also the type to encrypt your messages, right? Right?
afhsfsfdsss88 15 hours ago 0 replies      
Seize it all now and justify it[or not] later. Makes sense. Maybe we should all just go to jail now and wait to see if the government finds a 'lawful' reason later for us to be there.

"Strength through unity. Unity through faith."

midas007 8 hours ago 0 replies      
Privacy as a Service with centralized servers isn't "swat proof."
higherpurpose 15 hours ago 0 replies      
> Now the FBI is tapping that vast trove of e-mail in unrelated investigations.

Wait - can they do that? Why can they do that?! Isn't that like a fishing expedition? Now they're just looking for crimes from that database trove? I've never used TorMail but screw everything about that!

This is why we need to pass some strict laws against mass collection of data, and against using data in "unrelated investigations".

sprash 4 hours ago 0 replies      
So bitmessage it is then...
htns 10 hours ago 1 reply      
The site was heavily associated with small time trading of drugs and weapons and what not. While US law might be overly harsh on the criminals, I can't really bring myself to feel bad for the half a dozen people who had any substantial legitimate traffic on the server.
imdsm 15 hours ago 1 reply      
Is anything safe anymore?
mfisher87 13 hours ago 1 reply      
"...we had to oppose their application to preserve our own ability to protect our own games. Otherwise, it would be much easier for future copycats to argue that use of the word Saga when related to games, was fair play."

That's disgusting. "We use the word saga in more than one of our games, therefore it's our game word and it's unfair if other people steal that word from us." ...

aronvox 12 hours ago 0 replies      
Startups that have bootstrapped their way to profitability beatrixapp.com
110 points by uptown  13 hours ago   59 comments top 24
alberth 11 hours ago 7 replies      
What classifies as "bootstrapped" these days?

Because many of the companies on the list have taken VC/Angel money.

The following have taken VC/Angel money:

- Github [1]

- 37signals [2]

- BigCommerce [3]

- BrainTree [4]

[1] http://www.crunchbase.com/company/github
[2] http://www.crunchbase.com/company/37signals
[3] https://angel.co/bigcommerce
[4] http://www.crunchbase.com/company/braintree-payment-solution...

chromaton 11 hours ago 7 replies      
What strikes me is the geographic diversity of this list. If you look at the classic startup with young founders and big VC investments, they're almost all in Silicon Valley or San Francisco. But this list shows that you can start a business anywhere with a reasonable tech scene.

1 Carbonmade: Chicago

2 Github: San Francisco

3 Clicky: Portland, OR

4 WooThemes: Cape Town, SA

5 AppSumo: Austin

6 Mailchimp: Atlanta

7 37Signals: Chicago

8 Envato: Melbourne, Australia

9 Litmus: Boston

10 Bigcommerce: Austin

11 Braintree: Silicon Valley

12 Freshbooks: Toronto

dazbradbury 12 hours ago 1 reply      
For anyone looking for some inspiration across the pond in the UK, we're a bootstrapped company that started with just the two of us (OpenRent - Launched in 2012 [1]).

We're currently letting in the thousands of properties each month, saving tenants and landlords huge amounts of money - and we're certainly still growing (both in raw properties let each month, and revenue)!

Clearly there are avenues to success for VC backed companies, as well as those going it alone, so not sure what can be drawn from this article other than a bit of inspiration...

[1] https://www.openrent.co.uk

rdoherty 55 minutes ago 0 replies      
SmugMug was bootstrapped, never took any VC. Family owned and operated! http://www.smugmug.com/
oldstrangers 12 hours ago 0 replies      
Companies aren't even bothering trying to make their blog articles relevant anymore. 'Here's 10 Ways To Drive Pageviews To Your App' might have been the better article.
grimtrigger 12 hours ago 1 reply      
Most seem to be B2B with a focus on independent workers and small companies. Is that a bias of the author, or a lesson for anyone trying to bootstrap their own company? My hunch is that it's the latter: if you target small companies and independents, you're hitting a sweet spot of buyers who don't expect a sales/support team but also have dollars to fork over for good products.
error54 12 hours ago 2 replies      
Not a very good or well researched article. They left out many popular bootstrapped companies such as Imgur, one of the most popular image sharing services on the net or the fact that Github has VC money now.
gavanwoolery 9 hours ago 0 replies      
Not particularly noteworthy compared to the listed companies, but my brother's company Appstem has taken $0 of funding and now grosses in the range of $1-3 million annually (I don't know what their books say, I only have a general idea of how much they take in per contract and pay out). They don't make a single given product like most software startups (though they do have at least one in the pipeline that I know of) - I guess they are sort of like the early version of 37 Signals in that respect.
frankdenbow 2 hours ago 0 replies      
Squarespace is a great example: they raised a round only after many years of building a solid customer base (started by a lone designer/dev in his dorm room).
inthewoods 1 hour ago 0 replies      
Also missed Wayfair - ecommerce website bootstrapped to around $700m in revenue before they took a first round of funding.
AznHisoka 10 hours ago 0 replies      
"Pretty impressive for an application that was built in a dorm room by founder Paul Farnell, with just a used computer and a few hundred bucks (and over a single weekend at that)"

Not to take anything away from Litmus, but I highly doubt the entire Litmus app was written in 1 weekend. This is something I'd expect Techcrunch to write.

chmullig 11 hours ago 0 replies      
Braintree was acquired by eBay, after several rounds of VC including a $35M Series A.......
bijanv 11 hours ago 0 replies      
Adding to this list is EventMobi[1]. We help over 4000+ events & conferences in 25+ countries create cross-platform apps for their attendees.

We've grown our team to about 35 people across our Toronto (HQ), Berlin and Virginia offices and are planning to grow to about 60 people by year's end.

We just hit our 4th birthday a week ago, and are now expanding to providing the complete toolset for event planners to help make planning, running, and gathering data about events easier.

livestyle 3 hours ago 0 replies      
I currently work at a bootstrapped, distributed and profitable startup.

This year we did appx $15mm in rev.

http://www.inc.com/profile/buysellads (member of the Inc. 500)

up_and_up 7 hours ago 0 replies      
37Signals has been interviewing profitable bootstrapped companies for years now. There are in-depth articles about each one available here: http://37signals.com/bootstrapped
maywoo 4 hours ago 0 replies      
Gliffy is bootstrapped http://www.zdnet.com/gliffy-bootstrapped-in-san-francisco-70... We're funded entirely by our customers and we're also hiring! :) http://www.gliffy.com/index-h.php
theseoafs 10 hours ago 1 reply      
> Github is a web-based hosting service for software development projects that use the Git revision control system. Say what? Think of it as the Wikipedia for programmers.

Wow, what a tremendously poor description of Github.

mdellabitta 9 hours ago 0 replies      
http://www.squarespace.com was bootstrapped.
asah 7 hours ago 0 replies      
It's all a matter of degree: virtually all successful companies take convertible debt, venture debt and other options along the way. We call ourselves bootstrapped but the founders took no salaries, put in $100+K and took $200+K from angels to hit profitability with a team of 30 and signing up 12,000 companies.
taf2 10 hours ago 0 replies      
And CallTrackingMetrics :D

shameless plug obviously but in this day and age - there are a lot of self funded companies on the internet right?

you just need to start writing code and answering the phone.

oneplusone 11 hours ago 1 reply      
Freshbooks is not bootstrapped.
wellboy 10 hours ago 0 replies      
Grindr was as well and I think still is bootstrapped to 5M+ users. Pretty impressive as a solomo app.
BIackSwan 12 hours ago 2 replies      