hacker news with inline top comments    13 Oct 2014
1
The Emails Snowden Sent to First Introduce His NSA Leaks
183 points by secfirstmd  2 hours ago   36 comments top 3
1
noir_lord 1 hour ago 5 replies      
> Assume your adversary is capable of one trillion guesses per second

Jesus, one trillion passphrase checks a second.

Well I know what I'm changing this afternoon.

> My personal desire is that you paint the target directly on my back. No one, not even my most trusted confidant, is aware of my intentions and it would not be fair for them to fall under suspicion for my actions.

Snowden has always had my respect but the more I read the more he has my admiration as a person.

2
desdiv 1 hour ago 5 replies      
Does anyone know if "Citizen Four" (what Snowden signed his first email with) is a reference to anything?
3
ck2 51 minutes ago 2 replies      
Let's also take a moment to remember James Risen who will likely be sent to prison in January for exposing what the NY Times refused to print.

(and of course Manning who will be left to rot for the next 35 years by each president)

2
How Wolves Change Rivers
31 points by enraged_camel  1 hour ago   3 comments top 3
1
finkin1 17 minutes ago 0 replies      
Wonderful and enjoyable video. It's sad that the accuracy of it is debatable: http://www.nytimes.com/2014/03/10/opinion/is-the-wolf-a-real...
2
VikingCoder 11 minutes ago 0 replies      
This reminded me of a NATURE episode I saw, where it was all about one Fig Tree, and all of the species that live on it, nurture it, depend on it. It was fantastic.
3
enraged_camel 17 minutes ago 0 replies      
I think this is just one example of how little we understand nature's systems. The food chain effect is well-documented in terms of numbers. For example, we already know that if you decrease the number of predators in an ecosystem, the species they normally prey on grow out of control. But the video shows that there's a massive amount of complexity under the surface of this model. For example, the wolves in Yellowstone changed not just the number of deer (their prey) but also their behaviors, which is one of the factors responsible for the cascade effect. Similarly, the increase in beaver numbers resulted in the creation of more niche ecosystems for other species.
3
Nixie: The first wearable camera that can fly
34 points by mhb  57 minutes ago   14 comments top 9
1
Mithaldu 21 minutes ago 2 replies      
> Nixie is in development.

What kind of development? Are you trying to figure out if you can do it? Are you building the first prototype? Do you have a prototype? Are you working towards making it mass-producible?

Don't just waffle, actually tell people where you are. Otherwise you run a good risk of being mistaken for snake oil peddlers.

2
taylorbuley 19 minutes ago 0 replies      
It's clever psychology to place the (3D-rendered?) product shot right next to the mountain climber action shot. But it's trickery and leaves a foul taste in my mouth.

Failing to include any actual pictures (or in this case, real footage) of a product "in development" always undermines my confidence by giving me the vaporware vibe.

I'm a much bigger fan of Oculus' "in development" communications. "Here's what we built, here's what works and doesn't work about it, and here's where we're going next and why."

3
cwal37 20 minutes ago 0 replies      
So putting together: Quality Video + Small Size + Aerial Mobility + Flexibility + Weatherproofing (presumably, even just sweat on a wrist or fog could be a problem) seems incredibly ambitious (and of course, super neat).

However, I can't picture something comfortably wrapping around my wrist that also has enough battery power to have any significant flying time and deal with basic weather conditions, like a breeze. Just in trying to remember tiny copters and things I've had in the past, it would be kind of amazing to me if the power supply and utilization has advanced that much.

Any new action-cam is going to be referenced against the ubiquitous GoPro, so I feel ok making a comparison. I have a GoPro Hero 3+, and filming at 1080 the battery only lasts a couple hours. Turn on the wifi, and that time takes a significant hit. As far as I can tell from the renders in the video, this would have a smaller battery than those in a GoPro, but would need to provide more power, since the thing is flying. Maybe I'm wrong about this, again, just eyeballing from the renders.

It's a neat concept, and when I first got a GoPro I was surprised by how damn small the thing was, so I imagine camera boards will only get more intriguingly small and effective. I do wonder about the lens though, as it appears to be tiny. Perhaps more is explained in the video which I watched on silent. Would be nice if there was some text to parse somewhere for people without sound.

4
gregbarbosa 21 minutes ago 0 replies      
The problem I see with the product so far is that all the images appear to be renders, and not actual product shots.

Also the demo video shows shots from what appears to be a drone; is it the actual Nixie, or is it another drone used to exemplify what the Nixie would be able to do?

I want this to be real.

5
jasonlfunk 39 minutes ago 0 replies      
Looks pretty cool. Of course, it's all in the execution. If the thing takes bad video and doesn't consistently record the action that you want it to - it doesn't matter how cool it is.
6
Malic 8 minutes ago 1 reply      
I think the headaches of the FAA in their efforts to define the approved use of drones have yet to begin.
7
ponyous 26 minutes ago 1 reply      
But do you need to control it with your phone? It looks awesome if you can just release and that's it, without the need to control the camera.
8
aman1121 15 minutes ago 0 replies      
Looks super cool. Let's see how well it works, can't wait to try it out myself.
9
mariusz79 24 minutes ago 0 replies      
It makes me sad when I see a device like this advertised as just another way to take selfies. It could be so much more.
4
Guide List for Startups Applying to Y Combinator
109 points by kevinwdavid  3 hours ago   14 comments top 5
1
sillysaurus3 3 hours ago 3 replies      
Whenever someone makes a system to select for the best, someone else will figure out how to game it. Preparation past a certain point might actually do more harm than good.

It's a very comprehensive list, and I don't want to imply it's bad to organize such a list. I was just surprised at how much stuff has been written about "how to impress YC." The goal is to make something people want, not to impress YC.

Thank you for the list though. It's an awesome collection. I just realized how negative I probably sounded, so I wanted to clarify that your time is very much appreciated in organizing this. I was just wondering how much time YC actually spends defending against people who are primarily trying to game YC rather than trying to make a valuable startup. Maybe it's not even an issue.

2
AhtiK 1 hour ago 0 replies      
I have no data to back it up but if YC interview setup is even slightly inspired by the YC video guidelines [1] then being genuine is better than having scripted answers for everything.

Of course there is a point for balance and being unprepared is not the way to go.

[1] http://ycombinator.com/video.html

3
kevinwdavid 3 hours ago 2 replies      
Do let me know of any other links from YC partners or Alumni that could be useful for startups applying for Y Combinator.
4
eatitraw 3 hours ago 1 reply      
Tip: you can get advice posted on dead blogs (e.g. posterous) by using the wayback machine: http://archive.org/web/
5
jndsn402 2 hours ago 0 replies      
Great list. Thanks.
5
For business school graduates, investment banking is out and consulting is in
46 points by sebgr  2 hours ago   31 comments top 12
1
Someone1234 1 hour ago 8 replies      
That's unfortunate. MBAs are toxic to businesses. They're the classic middle-manager, the random internal goal creators, the inefficiency masters, and so on. They also, as this article makes clear, only care about short term profitability over long term growth or stability (as they won't be there in five years anyway!).

You can look at tons of formerly successful businesses that took in too many MBA types and lost their edge (e.g. IBM, Microsoft, HP, Cisco, et al). Google is also starting to go in that direction. Amazon has actually been fairly successful in avoiding that culture (partly due to their own internal culture being almost anti-MBA philosophy).

I'd happily hire an accountant, a lawyer, or even an economist. They're all specialists who bring different knowledge and perspectives to the table. I'd avoid hiring an MBA as they're largely useless people who just want to gum up the works with bullshit.

Engineers for engineering managers aren't perfect, but at least they aren't so far removed as MBAs are. At least once in their lives they knew what it took to deliver, and I'd prefer to train up an engineer into a decent manager than take in a pre-trained MBA.

2
hammock 1 hour ago 1 reply      
Peter Thiel, last week, on MBAs getting jobs:

The conceit of the MBA is that you don't need to have any substance at all. It's just this management science, and you can apply that equally well in [any company].

At the end of [their MBA program], a large number of people go into whatever was the last trendy thing to do. They've done studies at Harvard Business School where they've found that the largest cohort always went into the wrong field. So in 1989, they all went to work for Michael Milken, a year or two before he went to jail. They were never interested in Silicon Valley except for 1999, 2000. The last decade their interest was housing and private equity.

http://www.washingtonpost.com/blogs/on-leadership/wp/2014/10...

3
jordanpg 22 minutes ago 0 replies      
To me, "business" in any generic sense just seems incredibly boring. It always has, it always will. I could care less about what the trends are or where I perceive the money is.

In contrast, "technical challenges", have and will always be of interest to me, even if they are pointless, like the Euler Project or going to ground on some obscure syntax question.

It seems likely that sharp graduates coming into tech because they perceive they can make a lot of money there or because they perceive it is a good launching pad into an executive lifestyle is not going to be a net benefit to the technical community in the long run. This group of people, as a whole, will never share in the ESR-style hacker ethos.

4
pptr1 1 hour ago 2 replies      
On a contrarian point of view it is probably a good time to be on wall street and it is probably a bad time to be in tech.
5
sshah1983 47 minutes ago 0 replies      
I don't think it's ever fair to generalize and hate on people just because they have a specific degree. Sometimes grad school is a good place to reboot your career and I'm of the belief that education is never a bad move.

There's plenty of insanely smart people I know who have an MBA and can get their hands dirty and hustle (versus the stereotype that they can just build a powerpoint on execution but can't actually deliver). It's just a matter of finding the right people.

6
applecore 20 minutes ago 0 replies      
For those in the know, the prospects for an investment banking career just haven't been the same since 2008-2009, so it's not surprising to see graduates go elsewhere.
7
baq 1 hour ago 0 replies      
the headline is another way of saying 'tech is officially in bubble mode'
8
Eric_WVGG 1 hour ago 0 replies      
Anecdotally, I work in tech in New York City, and holy shit do I see a lot of this.
9
bluedevil2k 1 hour ago 0 replies      
MBAs follow the money, and right now that's in tech and consulting and not as much in finance.
10
alimoeeny 1 hour ago 0 replies      
I think it is not just MBAs.
11
vparikh 1 hour ago 0 replies      
That is when you know tech is in a bubble
12
vparikh 1 hour ago 0 replies      
That's when you know you have a bubble.
6
Show HN: Avremu: An 8-Bit Microcontroller in Pure LaTeX
81 points by stettberger  4 hours ago   12 comments top 7
1
apricot 42 minutes ago 0 replies      
In the 1990s, when I was in college, I wrote a 6502 emulator in a text editor macro language (the text editor was QEdit, a DOS editor that was popular at the time). It was completely useless but a lot of fun.

There was a very low hard limit on the number of jumps (32, if I recall correctly) that complicated things. I eventually had to resort to a two step process, first translating 6502 code to a simpler virtual machine (using and abusing the find-and-replace command), and then executing that simpler code.

2
adhambadr 2 hours ago 0 replies      
"Are you insane? Not that anybody knows of."

hahaha that cracked me up, especially that i actually considered the possibility when i read the title.

3
userbinator 1 hour ago 1 reply      
That reminds me of this, a slightly bigger AVR emulating an ARM SoC running Linux:

http://dmitry.gr/index.php?r=05.Projects&proj=07.+Linux+on+8...

Emulate that system instead, and now you can theoretically boot a Linux system inside of TeX.

4
grundprinzip 2 hours ago 1 reply      
Nice work, though I liked the dataref package even more!
5
Extigy 2 hours ago 0 replies      
This is mental and I love it.
6
SeanLuke 3 hours ago 1 reply      
To be pedantic: this code is largely in TeX, not LaTeX.
7
xg15 1 hour ago 1 reply      
why?
7
Rolling Shutters
571 points by hazz  16 hours ago   31 comments top 11
1
zorpner 13 hours ago 3 replies      
Nice! Whenever I see rolling shutter photos on flickr/etc I always think about this old page where a fellow built a long-distance camera from a flatbed scanner to get the effect intentionally: http://www.sentex.net/~mwandel/tech/scanner.html

(There's a great image of a garage door opening & closing about 2/3 of the way down the page if you don't feel like reading the whole thing.)

2
kordless 17 minutes ago 0 replies      
The radial graph half way down the page reminds me of this: http://en.wikipedia.org/wiki/Ulam_spiral#mediaviewer/File:Sa...
3
pbnjay 13 hours ago 2 replies      
It's a neat analysis from a mathematical perspective, but (especially for a rotating component like this) wouldn't the lighting be all wrong for the remapped pixels? The slow-speed scanning examples use a fixed image (note the highlight doesn't change) so it's likely not usable for real-world digital photography without updates to account for lighting.
4
britta 13 hours ago 1 reply      
Ha, my friend used the same photo as the example for his mathematical analysis of the rolling shutter effect: http://danielwalsh.tumblr.com/post/54400376441/playing-detec...

The questions he investigated: "Can we figure out the rate at which a propellor is spinning by analyzing this kind of photo? And can we figure out the real number of propellor blades in the photo?"

5
salimmadjd 13 hours ago 1 reply      
Sony is making steady advancements in the global shutter with CMOS sensors. A bit harder on DSLRs with larger sensors and more pixels to read but the smaller sensors with smaller megapixels already have them [1]. So it's a matter of time that most CMOS-based videos will be free of rolling shutter, starting with higher-end video cameras that have sensors with just enough pixels to cover 2k-4k videos [2]

[1] http://www.sony.net/Products/SC-HP/new_pro/december_2013/imx...

[2] http://www.newsshooter.com/2014/09/11/io-industries-4k-super...

6
andmarios 6 hours ago 0 replies      
A very cool article, indeed; but I believe he uses the term exposure wrong.

Exposure is the total time our whole light sensitive area is exposed to the light coming from our scene. You can think of it as an integral of the sensor (or film) area exposed as a function of the time, divided by the total sensor area.

In the examples he uses the term exposure to describe the total scantime of the sensor, whilst it seems that his actual exposure (which is equal to the time each row of pixels samples the scene) is much smaller.

It may sound as a small difference but if one wants to reproduce the effect, we will essentially need to match two parameters: exposure and scantime. While exposure is easy to set, scantime is pretty much hardcoded and depends on the physical characteristics of the camera. Even an analog shutter has a scantime on small exposure times.

7
carsonreinke 2 hours ago 0 replies      
Awesome animated GIFs, definitely helps explain the concept.

This effect was manipulated to extract more information for this: http://newsoffice.mit.edu/2014/algorithm-recovers-speech-fro...

8
kitd 7 hours ago 1 reply      
If I understand this correctly, it is effectively doing what a photo-finish camera does at race sports events, except that the slit moves across the scene, rather than the scene moving past the slit.

Photo-finish shots also end up looking pretty weird: http://coachdeanhebert.files.wordpress.com/2007/08/100-photo...

9
Magi604 11 hours ago 3 replies      
I can see it now. Soon Adobe will include some tool or setting in Photoshop that will automagically "fix" rolling shutter.
10
GuiA 12 hours ago 0 replies      
Definitely check out other articles on the author's blog; he's a great technical writer.
11
Sami_Lehtinen 9 hours ago 1 reply      
Rolling shutters were also used by traditional cameras. This effect is really old school stuff. Rolling shutter provides better exposure than circular shutter. I remember that most of professional photographs taken in 80s also used rolling shutter.
8
The Unix System: Making Computers Easier to Use (1982)
19 points by shawndumas  1 hour ago   7 comments top 5
1
dmix 33 minutes ago 0 replies      
I'm currently reading The Design of the UNIX Operating System [0], so this is super interesting for me to watch. I love how he creates a spellchecking program live, while being filmed.

[0] http://www.amazon.com/The-Design-UNIX-Operating-System/dp/01...

2
shawndumas 1 hour ago 0 replies      
rtmpdump -r rtmp://cp262207.edgefcs.net:80/ondemand/mp4:techchannel/11316/videos/AA13001_UNIX_Making_Computers_Easier.mp4 -o unix-01.flv
3
coppolaemilio 46 minutes ago 1 reply      
Thanks! I'm a little scared that things haven't changed a lot
4
larrys 16 minutes ago 0 replies      
I owned an AT&T 3b2/400 multi user system in 1985 running Unix System V. Came with a bound set of loose leaf manuals (might have been about 10 of them iirc). [1]

I learned pretty much everything I needed from those manuals.

https://www.youtube.com/watch?v=ZLwd32muHwM

[1] Had about 12 Wyse 30 terminals hooked up to it as well as a Courier 2400 modem to be able to dial into it.

5
simula67 29 minutes ago 1 reply      
I wish they had patented truly novel ideas like pipes, hierarchical file systems and "everything is a file" and then licensed it so that anyone releasing software under an open source license can use them and not others.

That would have put an end to others like Microsoft, Apple etc from taking all these innovations and then further "innovate" with 'phones with rounded edges' or 'performing an action on a structure in computer-generated data', patent them and extort money out of free software. Not that there was any way they could have known that.

9
Fuzzing on Edison: field report
46 points by Nowaker  4 hours ago   17 comments top 6
1
1o57 57 minutes ago 1 reply      
The x86 compatibility is what is amazing here. I almost used the processor that the Edison uses on this year's Defcon badges for that very reason...
2
xedarius 31 minutes ago 0 replies      
Maybe I could use the Edison as a foundation to build something I've been after for a while.

I'd like a 'thing' that would attach to the back of a pair of bookshelf speakers and allow me to stream music through the speakers via Bluetooth. The 'thing' would also need to act as an amp. I had seen 'The Vamp' but this doesn't offer stereo.

3
StavrosK 1 hour ago 4 replies      
Has anyone tried the Edison? Is it good? It seems to me that it's a Raspberry Pi with better specs, wifi, etc, plus Arduino compatibility, which sounds amazing, but I haven't figured out how it connects to stuff. How do I power the little die? Do I need breakout boards for everything?
4
Narishma 40 minutes ago 0 replies      
I think the author is wrong about the CPU supporting HT. Merrifield is based on the Silvermont micro-architecture, which does away with HT and replaces it with OOE.
5
joosters 1 hour ago 0 replies      
I wonder if the performance can be improved by adding a heat sink? The CPU might be throttling itself if running at 100% for a while.
6
dharma1 1 hour ago 0 replies      
would be nice if it ran Ubuntu
10
Building Web Apps with Go
205 points by linhmtran168  9 hours ago   30 comments top 8
1
shadowsun7 7 hours ago 3 replies      
I tried to post this review on gitbooks.io, but couldn't. So I guess I'll put this up here:

This is a great introduction to building web apps in Go. (I started roughly two months ago, but had this book been around, I'd have been brought up to speed a lot faster).

Here's why: the predominant approach to building web apps in Go is to build on top of standard interfaces (e.g. net/http), and to keep things as simple as possible. Heavy, prescriptive frameworks are frowned upon. This is a great approach, but probably strange to people (like me) who come from prescriptive frameworks like Rails or Django.

Jeremy's guide sticks to Go conventions, while respectfully suggesting lightweight libraries that complement this approach. The guide is never "YOU MUST USE THIS", instead it always introduces the bare-bones approach first, and then tells you "hey, there's a 3rd party library that gives you some useful shortcuts on top of those." And indeed, each of the recommended libraries are idiomatic and easy to understand.

My review is probably biased, though, because I now have some idea now of how to write web apps in Go. But I certainly wished this book had existed when I first started.

2
melling 4 hours ago 3 replies      
I run a simple Go server behind Apache for my weekend project (http://www.thespanishsite.com). I started with this blog:

http://www.jeffreybolle.com/blog/run-google-go-web-apps-behi...

I also use MySql on Digital Ocean with a $10/month droplet. The few issues at first were that I started with a $5/month which didn't have enough RAM so I'd run out of memory until I created swap:

https://www.digitalocean.com/community/tutorials/how-to-add-...

Still need to make it a daemon, but I'm not finished. I have one big method to set up my pages. I could write a blog, github repo or create a summary page on my site, if there's any interest.

    import (
        "fmt"
        "net/http"
    )

    // runWeb registers the static-file and page handlers, then starts the server.
    func runWeb() {
        serveSingle("/robots.txt", "./robots.txt")
        http.Handle("/css/", http.StripPrefix("/css/", http.FileServer(http.Dir("./css/"))))
        http.Handle("/resources/", http.StripPrefix("/resources/", http.FileServer(http.Dir("./resources/"))))
        // Trailing slash and StripPrefix so files under ./static/ resolve like the other static directories.
        http.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("./static/"))))
        http.HandleFunc("/chinese", chineseHomeHandler)
        http.HandleFunc("/french", frenchHomeHandler)
        http.HandleFunc("/chinese/numbers", chineseNumbersHomeHandler)
        // Many handlers deleted ...
        http.HandleFunc("/", homeHandler)
        // http.ListenAndServe("localhost:9999", nil)
        port := GetPort()
        fmt.Println("listening...", port)
        err := http.ListenAndServe(port, nil)
        if err != nil {
            panic(err)
        }
    }

    // http://stackoverflow.com/questions/14086063/serve-homepage-a...
    // serveSingle serves one file at an exact URL pattern.
    func serveSingle(pattern string, filename string) {
        http.HandleFunc(pattern, func(w http.ResponseWriter, r *http.Request) {
            http.ServeFile(w, r, filename)
        })
    }

3
falcolas 2 hours ago 1 reply      
The hard-coded dependencies on GitHub (not to mention they're dependencies to code owned by someone else) have always bothered me. It seems like it would create a real problem for compiling, auditing, or even just testing code in the long run; and this example relies on a ton of them.

I haven't kept up with the state of the art Go packaging; have these problems been addressed?

4
akbar501 6 hours ago 0 replies      
It would be helpful for Go newbies if a 3rd column (description) was added to the table in the "Required Packages" section.
5
humanfromearth 7 hours ago 2 replies      
Aren't there a lot of required packages to build a webapp? I would recommend against using any of those at least in the beginning. Maybe gorilla/mux, but even that can be avoided.

Don't just add deps you will never use, it's going to make your life painful.

6
john2x 8 hours ago 4 replies      
If there's one thing Go did right, it's the logo/mascot. (sorry for OT)
7
JoeAcchino 6 hours ago 1 reply      
Is this guide specific for Go on Heroku or its concepts can be easily applied elsewhere?
8
krat0sprakhar 7 hours ago 0 replies      
This looks awesome! Thanks a lot, Jeremy for doing this and sharing it with us!
11
Hive is free unlimited cloud storage for you and your friends
33 points by rid  2 hours ago   33 comments top 13
1
marklittlewood 21 minutes ago 2 replies      
Is this a serious thing or are people always blinded by 'FREE'?

There is no way of getting information about the company on the company website, you have to go to the company web app.

So you get free unlimited storage, ad funded and to target you better with advertising they look at your content. This is hidden in the Terms of Service. https://beta.hive.im/terms/

At the company web app, there is no information about the company, the backers, the people etc. The 'about section' of the company is a bunch of marketing speak https://beta.hive.im/about/

There is an address if you look hard enough - in the Privacy section. https://beta.hive.im/privacy/ It is in Hong Kong. There is no information about team, backers etc.

Best of luck to anyone that tries this.

2
CJefferson 1 hour ago 2 replies      
Won't let me drop a directory of files in, because one of them is a bittorrent file (why are you looking so carefully at the types of my files?)

mp3s don't seem to come back bit-identical, obviously some editting going on remotely.

So, don't trust this with files where you actually care about your data not getting "adjusted".

3
vlunkr 1 hour ago 1 reply      
I wonder what their game is here. Why is it free to share with 100 friends? I can't see that it would be any cheaper for them. Also, 100 friends? When would I ever want to share file storage with that many people?
4
sdoering 1 hour ago 1 reply      
So this becomes "You are not paying, so you are the product" with a twist. As the premium plan gets cheaper, the more friends you invite, the saying goes something like this:

"If you are not paying, you sell your friend's data as a product?"

Sorry, but that is some twisted pyramid scheme imho.

5
tuxone 10 minutes ago 0 replies      
Where can i access my profile? http://i.imgur.com/9zbI6ac.png
6
azurelogic 1 hour ago 2 replies      
I really dislike the fact that this is totally anti-privacy which is one of the hottest topics in cloud file storage today. Everyone is asking for things to be more secure, and people are willing to pay for storage and security when they need it. This is solving the wrong problem.
7
joshstrange 47 minutes ago 1 reply      
I am a heavy user of Plex and have about 600GB of video in my Dropbox via Plex Cloud Sync. Hive has no desktop client as far as I can see which is already a deal breaker as the machine I browse on is not the machine my video is stored on. On top of all of this we have no clue how they plan to offer this free storage other than "Ads".

Don't get me wrong $9/mo for unlimited data sounds nice but there is no way I am using my upload pipe to move my 10-12TB of media into a cloud that I know nothing about and could shut down next month.

To be fair I doubt I am the user they are targeting. It's not an "All your media in the cloud" but rather "A way to share one-off video/picture/music in the cloud" which is not something I am interested in at all.

8
jastanton 1 hour ago 0 replies      
So it looks like the general consensus is people are not comfortable being the product. They would rather pay a nominal fee. So it's funny if Hive charged only like $0.99 / month or even $2 / mo I bet this launch would be received a little more graciously.
9
hobolobo 1 hour ago 0 replies      
Everything about this says creepy.
10
n1c 48 minutes ago 0 replies      
If only turning off the email notifications would turn off email notifications.
11
bratfarrar 52 minutes ago 1 reply      
If it's free, you're the product.
12
ARCarr 1 hour ago 1 reply      
If you scroll right the site breaks.
13
iliaznk 1 hour ago 1 reply      
The logo looks a bit creepy to me.
12
Dronecode: Open source UAV platform
20 points by privong  2 hours ago   5 comments top 4
1
chubot 2 minutes ago 0 replies      
So does this have something to do with Linux?

Do most drones run embedded Linux, or some other OS? (honest question, I have no idea)

2
gvb 9 minutes ago 0 replies      
To those wondering, like me, it looks like a spinoff nonprofit from/with DIYdrones.

http://diydrones.com/profiles/blogs/introducing-the-dronecod...

3
spiritplumber 38 minutes ago 1 reply      
I'd like to know why these guys get a press release from the linux foundation, and I didn't in 2007 when I released mine.
4
privong 2 hours ago 0 replies      
There is a press release from the Linux Foundation here: http://www.linuxfoundation.org/news-media/announcements/2014...
13
Show HN: FolioPanda: Create photo gallery websites from your Dropbox folder
8 points by taskstrike  46 minutes ago   3 comments top
1
mjohn 31 minutes ago 1 reply      
Doesn't work. "This app is in development mode and can't accept more users. Contact the app developer and ask them to use the Dropbox API App Console to apply for production status."
14
No Smoke, No Mirrors: The Dutch Pension Plan
5 points by luu  3 hours ago   discuss
15
An open source tool to generate a complete backend from a MySql database
73 points by jonseg  7 hours ago   24 comments top 11
1
jimktrains2 12 minutes ago 0 replies      
I've been working on a tool where you spec your data in an xml file and it'll generate a dbsteward [1] file and some Kohana [2] ORM files. It's pluggable so one could easily add more modules to produce applications for other frameworks.

I'm using it for an application I'm working on now (and working out little kinks) and will be releasing it shortly.

[1] https://github.com/nkiraly/DBSteward

[2] http://kohanaframework.org/

2
dmacvicar 4 hours ago 0 replies      
About 10 years ago, I had to do a php/mysql online shop for a customer, and I did not have much time for the backend.

So I bought a ~$100 product, I think it was CodeCharge Studio from YesSoftware. I was skeptical, but I had no option.

Turned out great. I was ready in a day and it looked very good. You could generate the admin site in multiple languages and it was very easy to use.

3
mrleinad 5 hours ago 2 replies      
There are pull requests from May that haven't been even answered or commented. Am I wrong, or shouldn't it be a custom to at least comment why you're not including it into the code?
4
jeffasinger 2 hours ago 0 replies      
Another similar option is to use django's inspectdb, which will get you all the models for a django app, which means adding the admin (a simple CRUD interface) is only a few lines of code away.
5
samspenc 1 hour ago 0 replies      
I'm wondering how this is different from using CakePHP or Ruby on Rails for generating a similar interface. I've used CakePHP heavily and am generally a fan of CakePHP - plus, CakePHP lets you customize your application once you have the basic CRUD scaffolding in.
6
knitatoms 2 hours ago 0 replies      
A similar tool that I've had great fun with is Sandman:

https://github.com/jeffknupp/sandman

From the Readme: "Given a legacy database, sandman not only gives you a REST API, it gives you a beautiful admin page." It uses Python and SQLAlchemy and supports a good selection of databases.

7
8
thejosh 6 hours ago 1 reply      
>The backend is generated in seconds without configuration files where there is a lot of "magic" and is very difficult to adapt to your needs.

Double check that :).

9
zerolinesofcode 5 hours ago 0 replies      
Also have a look at Spring Roo and roostrap if you're planning to do with Java and want to migrate your application to Google AppEngine or any other database.

http://bhagyas.github.io/roostrap/

10
ponytech 6 hours ago 4 replies      
How is it different from phpMyAdmin ?
11
ExpiredLink 2 hours ago 0 replies      
Not one example on the front page.
16
Show HN: Find bugs before your users do
52 points by pauljohncleary  6 hours ago   37 comments top 21
1
aw3c2 5 hours ago 1 reply      
> Crawling http://bughunt.io/ for issues, results will appear below.

> Pending

> Oops, an error occured. Please contact us for support or try again.

;)

If you get "Oops: Request to start crawl failed" and click "Try It Out" again and again you get a lot of duplicate messages.

2
hangonhn 20 minutes ago 1 reply      
Can it crawl non port 80 addresses? My site is in testing and it's on 8080. bughunt.io comes back with no response.
3
frankdenbow 5 hours ago 1 reply      
This is one of those projects that has been on my side project list. I'm thinking you may want to play with the pricing a bit, since you could definitely charge more for the first paid plan, and it's a big jump from the $9 to the $199 plans.

Are there any types of checks you plan to do in the future that you're not doing now?

4
HostingDetector 2 hours ago 0 replies      
Looks nice! But when feeding my site, it seems to ignore the HTTPS scheme, just doing HTTP and getting stuck with the 301 response.

As already suggested, would be nice not needing to specify scheme.

5
romanovcode 2 hours ago 1 reply      
I'm not sure how useful this is. AFAIK it crawls your websites and tells if you have 404 somewhere and it's all it does?
6
pattle 3 hours ago 1 reply      
Looks cool and it's a useful tool. A couple of things I would suggest. The top bar where you mention funding shouldn't be positioned over the logo and top links. Because there isn't a way to remove it, it makes the header links hard to click (you can only click the bottom half of them).

Also the business plan offers crawling for 50 websites. Is this plan aimed at digital agencies? If it is then that's good but if not then that number is probably too high and more links per crawl might be better?

7
gildas 1 hour ago 0 replies      
Shameless plug: this is the kind of feature SEO4Ajax [1] already implements for SPAs and Ajax websites.

[1] http://www.seo4ajax.com/

8
MicroBerto 3 hours ago 1 reply      
Cool idea.

We've been using Pay4Bugs though (http://www.pay4bugs.com), it's a crowdsourced solution. You should get together with them!

Nothing beats having a ton of bug finders with different browser versions or phones... Some things just can't be automated.

9
brodd 5 hours ago 1 reply      
When trying to crawl a URL that sends a 302 with a relative URI reference in Location, it fails. E.g. if http://www.example.com sends a 302 with "Location: /en/".
10
lewispb 5 hours ago 1 reply      
Looks cool. Spotted a bug.. clicking the link in the sentence.. "Crawling http://www.example.com..." doesn't work.
11
realusername 5 hours ago 2 replies      
Looks nice but it does not work for me, it seems to load forever.

By the way, I've noticed a small bug, the website seems to try to load http://localhost:35729/livereload.js so you should check your sources to modify this to the production URL.

12
wehadfun 1 hour ago 0 replies      
Website is offline No cached version of this page is available.
13
thejosh 5 hours ago 1 reply      
Why does it require http:// ? example.com should work without it.
14
k2xl 3 hours ago 1 reply      
Cool, but how does this differ from all of the SEO tools out there that do the same thing? brokenlinkcheck.com for example?
15
riquito 4 hours ago 0 replies      
A bug you may want to fix: double clicking on "Try it out!" sends the request twice and shows the errors twice
16
rmc 5 hours ago 1 reply      
If you enter a protocol-less url (like "google.com"), it doesn't recognise it. Maybe default to HTTP if it's not entered?
17
dimman 5 hours ago 1 reply      
"Privacy policy: Coming soon". That would be great.
18
cowls 5 hours ago 0 replies      
Didn't work for me "Request to start crawl failed" after I entered a web page and clicked try it out.
19
thejosh 5 hours ago 0 replies      
>Error 502 Ray ID: 178ae6800de40b14Bad gateway

Woops.

20
pearjuice 1 hour ago 0 replies      
I am not sure what the value of this service is. Simply loading a website in your web browser will verify all of those things bughunt.io does - something you do before push to production anyway.
21
paromi 5 hours ago 0 replies      
error 502 , Bad gateway
17
The Sveriges Riksbank Prize in Economic Sciences 2014
28 points by srikar  4 hours ago   5 comments top 3
1
stuaxo 2 hours ago 2 replies      
Not to be associated or confused with the Nobel Prize:

http://economicstudents.com/2013/10/a-brief-history-of-the-n...

[EDIT]http://en.wikipedia.org/wiki/Nobel_Memorial_Prize_in_Economi...

Among critics is the Swedish human rights lawyer Peter Nobel, a great-grandson of Ludvig Nobel.[26] Nobel criticizes the awarding institution of misusing his family's name, and states that no member of the Nobel family has ever had the intention of establishing a prize in economics.[27][/EDIT]

3
naturalethic 24 minutes ago 0 replies      
Another fascist wins the central bank prize.
18
The Space Shuttle's Controversial Launch Abort Plan
122 points by ironchief  11 hours ago   32 comments top 10
1
shirro 3 hours ago 0 replies      
Almost as good as sliding 200ft from the base of an exploding Saturn V to a rubber room, a quick crawl to the blast room, slam the door shut, cover yourself in a fire blanket and if you survive long enough light oxygen candles until the rescuers arrive. http://www.spaceflightnow.com/news/n1211/19rubberroom/
2
Ankaios 8 hours ago 3 replies      
If I had a spare billion bucks laying around when the shuttle program ended, I thought it would have been fun to actually try out an RTLS. Tie up the necessary loose ends on the autopilot, stack up an empty shuttle, invite a lot of people, and let it go. No real use to it, but it would have been a great "Hey y'all, watch this" moment.
3
Pinckney 9 hours ago 1 reply      
Still not as crazy as the planned Lunar Escape Systems.

https://en.wikipedia.org/wiki/Lunar_Escape_Systems

"There was no mass or power available in the LESS for an Inertial Measurement Unit to measure acceleration and tell the astronauts where they were, where they were going or how fast they would be getting there, or even for a radar altimeter to show altitude above the lunar surface."

4
mrbill 55 minutes ago 1 reply      
Also related - "Shuttle Down" by Harry Stine:

"In the book, the Space Shuttle Atlantis launches on a polar orbit flight from Vandenberg Air Force Base in Southern California. During the launch, the main engines cut off prematurely and the shuttle is forced to make an emergency landing on Rapa Nui, better known to most of the world as Easter Island."

http://en.wikipedia.org/wiki/Shuttle_Down

5
Narkov 10 hours ago 2 replies      
Surely more controversial would be the range safety "Flight Termination" (i.e. self destruct) option?

http://www.popularmechanics.com/science/space/nasa/4262479

6
drpancake 4 hours ago 1 reply      
I grew up in the English countryside a few miles away from a US airbase which was designated as one of the possible landing sites in the event of an aborted launch, due to its long runway.

There was an American couple living in our village and the guy's job was to be on call during a shuttle launch. Suffice it to say he and his buddies spent most of their days playing poker.

7
jpdus 4 hours ago 0 replies      
Somewhat related and another great read - the detailed plan for a never-launched Columbia rescue mission (including a space shuttle rendezvous):

http://arstechnica.com/science/2014/02/the-audacious-rescue-...

8
adamwong246 9 hours ago 2 replies      
I wonder if this maneuver could be performed in that Kerbal Space Program game?
9
pdonis 10 hours ago 3 replies      
From the article:

"Of the 135 Space Shuttle launches, only one (STS-51F on 7/29/85) experienced an abort-inducing failure during ascent. In the case of 51F, they safely made a lower-than-planned orbit and carried out the mission. All of the other flights cleanly avoided the dubious honor of settling the RTLS bet."

All but one. Did the writer just forget about the Challenger mission, or did that one somehow count as "cleanly avoiding" an "abort-inducing failure"?

(Someone in the comments to the article has brought this up as well.)

10
rplnt 7 hours ago 1 reply      
> Mind = blown.

What an unfortunate "sentence" in an otherwise very informative and captivating article.

19
Show HN: Trunk Private links for you to collect and distribute digital content
3 points by dko  24 minutes ago   2 comments top
1
minimaxir 23 minutes ago 1 reply      
...so it's a Dropbox Shared folder? (which also has the ability to generate public links of private documents, and have other users download them directly to their folder)
20
Arrow's Theorem
4 points by infinity  2 hours ago   1 comment top
1
aaron-lebo 8 minutes ago 0 replies      
William Poundstone's Gaming the Vote is a great read that covers this and related topics.
21
A Quick and Practical Reference for Tcpdump
4 points by madflojo  1 hour ago   discuss
22
One Less Password
348 points by cpeterso  20 hours ago   144 comments top 51
1
abalone 18 hours ago 4 replies      
Not a bad idea but the chief drawbacks I see:

1. Needs a very long-lived session to be convenient. Elsewhere they note theirs is a whole year.[1] That's a long time to go without reauthenticating a client!

2. Authentication is or should be a much more common event than recovering a lost password, and now that's totally dependent on your email provider. One concern is latency.. a minute can feel like an hour while waiting to log in to your account to do something urgent. But also worrisome is provider downtime, spam filters, etc. all can block you from accessing your accounts.

Of course the way they "deal" with #2 is by just trying to avoid authenticating you very often (#1), which is not a generally-applicably awesome security practice. Might be ok in some cases but I wouldn't classify that as an overall "better" way to sign in.

I think a better way to solve this is at the browser/OS level with built-in password generation and management. And that's actually a third drawback to this approach.. it's incompatible with password managers.

[1] https://chrisdecairos.ca/one-time-passwords-pt-2/

2
janfoeh 19 hours ago 1 reply      
I like the idea. The downside is of course having to switch between the site and your email.

One could bridge that gap by adding two headers to the authentication emails - one containing the URL where the sign in request originated, and one with the sign in URL that must be visited.

A browser extension could then check your emails, and if an incoming mail matches the sign-in page of the current tab, log you in directly.

3
peterwwillis 6 minutes ago 0 replies      
Most people on HN have identified that this system has some potential security flaws. I think the problem is that the purpose of the system is extremely limiting, and the end result is it makes the user less secure.

"When fewer websites require passwords from each of us, fewer passwords will be lost, stolen, and repeated across sites."

A password is just a really short, guessable token in remote storage (your brain). It is used as a primary authenticator; that is, if you are completely unauthenticated you can use this token and gain access to resources.

In this new system, the password becomes an optional secondary authenticator. Your primary authenticator is now moved to some pre-authenticated service, such as your e-mail (which you have already logged into, presumably with a password) or SMS messaging (which you have already logged into, presumably with a swipe or pin on your phone).

Note that this is different than two-factor authentication, when you need two separate factors to authenticate. Now the system becomes multiple-one-factor, or "If any of my authentication methods work, I have access".

This means the attack vectors have increased in number. If I can steal your password, I gain access. If I can break into (again, probably just a password) or intercept your e-mail, I gain access. If I can intercept your SMS messages, I gain access. In theory, removing the finicky process of relying on users to choose strong passwords would increase the security of said tokens, and thus the user's security. In practice, it just moves the target down the line to the next authentication point.

What does this mean for the real-world security of users? By lacking an out-of-band authentication mechanism, the system makes it easier for an attacker to subvert and control the user's access.

Passwords are good because they're out of bound: stored in your head, typed in real-time, kept in memory for a short time. Passwords are bad because users get to define them (poorly), people reuse the same password for multiple sites, and it's up to the remote site to store the password securely. So while it can be difficult for an attacker to gain access without your password, it can be easy for them to get it from one site and reuse it on many.

Other out-of-band authentication methods have their own pros and cons. SMS is good because it depends on a device you control and it's temporary and not reused. SMS is bad because it can be easily intercepted. E-mail is worse because it's even easier to intercept and it doesn't depend on a device that you control. Better options are randomly-generated authentication tokens like those of Google Authenticator, but software exists on almost all smartphones sold today to allow carriers to inspect data on the phone, allowing another attack vector. The safest, strongest method is a keyfob like an RSA SecurID, which cannot be intercepted and isn't reused. (Although even this is fallible, as in the case of RSA's customer keyfob database being compromised a few years ago)

Now, one of the major flaws with out-of-band authentication access is that we assume the user only has one form of input: the computer. If the computer gets hacked (via malware for example), the user cannot protect themselves. But the future is here, and we carry [networked] computers in our pockets! It turns out that the most secure way a user can authenticate is via two separate networks and two separate computers using two secured connections, which is exactly what we should be doing today. Here's an example:

  Step 1. User requests to login to HTTPS Site A.
  Step 2a. Site A prompts User for a password.
  Step 2b. Site A sends an SMS to User with an HTTPS link to click.
  Step 3a. User enters password on site.
  Step 3b. User clicks link on SMS in mobile device.
  Step 4a. Site authenticates password.
  Step 4b. Mobile site reads cookie on User's mobile browser.
  Step 5. User is authenticated; both mobile device and computer have access to site.

In this way, you have two different authentication factors on two independent devices which are combined to authenticate the user. The attackers now have to both crack a password and steal a cookie from a mobile device. This is of course completely plausible, but requires much greater attack coordination; it makes it much less likely, and much more expensive, for a typical attack to succeed. And best of all, it can be done with almost no work on the part of the user if they use their browser's existing password manager.

It would be trivial to add this dual-auth method to their existing system, so hopefully they implement that instead of throwing the baby out with the bath water.

4
thedufer 18 hours ago 0 replies      
I implemented this style of login in the app I'm currently building. I don't think it's necessarily appropriate everywhere; the reason I decided to use it is that it's the type of service you very rarely log into. For things like that, a large portion of logins are (anecdotally) going to end up going through the forgot password flow anyway.

I will admit that not being responsible for storing passwords was one of the reasons I used it. I'm by no means a security expert; one less thing I can screw up seems like a major plus.

5
atmosx 19 hours ago 2 replies      
A modern password manager (e.g. 1Password) seems like a way more natural solution than this. Not to mention that many services do not use smtpd+ssl/tls.
6
ChuckMcM 18 hours ago 0 replies      
I really like this, I was thinking the other day when I used a site that I rarely use, and went through the whole 'forgot resend reenter' password thing that just that could be the 'standard' way of dealing with low impact sites and wouldn't force a password to be generated. It does imply the mail path is workable but that seems pretty common these days.
7
netheril96 8 hours ago 1 reply      
Isn't email transferred in plain text? This is not very secure in my mind. Granted, nowadays a lot of services let you reset your password through email, but that is only a one time thing. Now the whole system is dependent on someone not introspecting the packets flowing in the Internet.
8
downandout 15 hours ago 2 replies      
This is still nothing more than a password...it's essentially just a password that is emailed to you. I've never understood why we can't instead authenticate ourselves to our browser or device, and get people out of the habit of authenticating to individual websites. This would eliminate phishing and greatly enhance security. Touch ID is a big step in this direction, but still can't be used for websites.

When authenticating, the browser could just send the user's public key, and if a user with that key is in the system, it replies with a session key encrypted with the user's public key. If browser companies would get their act together, we wouldn't have as many authentication issues as we do today.

9
BinaryIdiot 19 hours ago 4 replies      
It's clever but I wouldn't use it. First the user experience of going from one channel (web) to another (email) isn't very natural but the second and biggest reason is that it turns an email account into a central authority to access my other accounts from.

Some say email is already like that but it isn't with services using two factor authentication.

I don't think there is an easy and intuitive way to get rid of passwords without involving some sort of physical component that stays on yourself.

10
pmichaud 20 hours ago 2 replies      
I remember this idea from a while back, and I still think it's not going to work. It's too cumbersome to have to access your email every time you want to log into something. I love the creativity of the solution, but I just don't think it's workable on a large scale.
11
sarahj 16 hours ago 1 reply      
This essentially mimics my login flow to every site I only use occasionally (e.g. twitter) and therefore can never remember the password for:

1. Go to login

2. Forget password - click reset password

3. Go to email, find reset password email

4. Login.

I wouldn't really mind if this became more common. I don't trust password managers (and access the internet from so many different devices that the only common thing they share between them is that I can access my webmail client or email on my phone.)

12
mderazon 17 hours ago 0 replies      
I like this idea for mobile apps a lot.

In mobile the sign up flow can even be more streamlined using deep linking:

1. User enters email address.

2. Opens email client and click the link.

3. Link contains app specific schema myapp://login?token=cold_fish etc.

4. App opens and verifies the token with the server.

5. User is logged in.

User has to enter only email address as opposed to email + password (and sometimes password confirmation). Then only needs to click a link in email client to sign up.
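
The server side of steps 1 to 4 above, as an added example that is not part of the original comment nor code from any project named in this thread. It shows a single-use, short-lived link token of which only a hash is stored; `LoginTokenStore`, `issue_link`, `redeem`, `parse_login_link`, the in-memory dictionaries and the 15-minute lifetime are assumptions, and only the `myapp://login?token=` link shape comes from the comment.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

LINK_SCHEME = "myapp"        # scheme and host taken from myapp://login?token=...
LINK_HOST = "login"
TOKEN_TTL_SECONDS = 15 * 60  # assumption: the thread does not state a lifetime


def _digest(token):
    """Only this hash is stored, so a leaked table does not yield usable links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class LoginTokenStore:
    """Hypothetical in-memory stand-in for the server's pending-login table."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}   # token digest -> (email, expiry timestamp)
        self._by_email = {}  # email -> digest of that address's live token

    def issue_link(self, email):
        """Steps 1-3: mint a token for the address and return the link to mail."""
        email = email.strip().lower()  # simplified normalisation
        previous = self._by_email.pop(email, None)
        if previous is not None:
            self._pending.pop(previous, None)  # a new request revokes the old link
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        digest = _digest(token)
        self._pending[digest] = (email, self._clock() + self._ttl)
        self._by_email[email] = digest
        return f"{LINK_SCHEME}://{LINK_HOST}?{urlencode({'token': token})}"

    def redeem(self, token):
        """Step 4: return the e-mail address once for a live token, else None."""
        record = self._pending.pop(_digest(token), None)  # pop makes it single use
        if record is None:
            return None
        email, expires_at = record
        self._by_email.pop(email, None)
        if self._clock() >= expires_at:
            return None
        return email


def parse_login_link(url):
    """App side of step 3: accept only the expected scheme/host and one token."""
    parts = urlsplit(url)
    if parts.scheme != LINK_SCHEME or parts.netloc != LINK_HOST:
        return None
    tokens = parse_qs(parts.query).get("token", [])
    return tokens[0] if len(tokens) == 1 else None


if __name__ == "__main__":
    store = LoginTokenStore()
    link = store.issue_link("user@example.com")  # constructed sample address
    token = parse_login_link(link)
    print("first redeem :", store.redeem(token))   # the address
    print("second redeem:", store.redeem(token))   # None, already used
```

The session created in step 5 is a separate credential with its own lifetime and revocation; the token here only proves control of the mailbox at the moment the link is clicked.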

13
jordanpg 19 hours ago 2 replies      
The cynic in me observes that although this post is couched in the language of an improved UX, what it also does is absolves Mozilla from keeping any (hashed) passwords stored in their databases. Only tokens with a very short shelf-life.

(Hashed) Password storage is moved to a third-party database (the email provider). Presumably the client "remember me" links are meaningless by themselves.

14
skion 2 hours ago 0 replies      
"Passwords might be useful for someone who works on a public computer at the library."

Key loggers anyone?

15
rakoo 16 hours ago 0 replies      
Ah ! I built this a few months back:

https://github.com/rakoo/xauth

It uses the same idea as in the post, ie the "lost password flow for login", but with XMPP. The latter gives you much higher flexibility in that it actually is thought out as a programmable protocol. You try to login, the server sends a token to any of your connected clients via a bot message, you just repeat it to the bot and you're then granted access.

I feel there is high potential here, and there even is an official XEP (http://www.xmpp.org/extensions/xep-0070.html) for this.

16
scottmotte 18 hours ago 0 replies      
I too would "like to see [this approach] used and pushed further by other designers and developers."

I'm one of those who have been trying to do so. I created an open source approach called Handshake.js that is re-usable for developers. [1]

I presented this topic to a good crowd at JS.LA [2].

At the current time, I'm finding developers still hesitant to jump into the approach. Passwords are familiar and there are many developer tools/libraries to quickly setup the defacto username/password approach to authentication.

[1] https://sendgrid.com/blog/lets-deprecate-password-email-auth...
[2] https://vimeo.com/90883185

17
RexRollman 17 hours ago 1 reply      
Playing with NetBSD the other day, and bored, I created an SSH key for the first time and was amazed that I had not been using this for forever. I think keys could replace passwords, or at least, cookie based logins.
18
MicroBerto 18 hours ago 0 replies      
What's funny is that we're basically doing a very similar thing at my startup, PricePlow (https://www.priceplow.com), and it was actually inspired by discussion earlier here at Hacker News.

It works very well for our purposes. We don't need crazy security because we store no important personal information -- just product preferences. It's insanely easy on the users.

I guess I should get back to blogging about my entrepreneurial lessons learned, as this has been one of many of them....

19
imrehg 9 hours ago 1 reply      
Startup Digest event submissions use a similar method: no account, every login is an email sent to you. The problem I have is that I do use a password manager and like that a lot more than switching back and forth between email and the site. If I go to your site, I don't want to go to my email...

It really feels like they want to solve my password storage problem for me, in a very opinionated manner without any alternative for me, and while it might be a good solution, it does not feel like one (for me).

20
pulkitpulkit 10 hours ago 1 reply      
I really like the way TransferWise (transferwise.com) automatically signs me in when I load the page. It's a way to transfer money online so has to be secure, but uses my email authentication to verify it's me. I don't even have to click a sign-in button! I'm surprised this hasn't caught on more...

https://transferwise.com/support/customer/portal/articles/16...

21
harigov 19 hours ago 1 reply      
So instead of directly logging in using the ID provider like FB/Google/Microsoft, which are also the email providers, you send an email to those accounts and ask user to take one extra step of checking and clicking the link. It seems to be inefficient. A much better solution should be for the devices to support accounts natively and integrate authentication directly into the platform.
22
ilitirit 3 hours ago 0 replies      
This is (partially) only as secure as your email provider's authentication system.
23
jsudhams 11 hours ago 0 replies      
If the service is not going to contain any privacy related stuff or need not be so secure why not just keep the cookie after typing in email address.

What I do is I keep all worthy sites' passwords on the password manager and the rest of the sites follow a pattern-based password or a common simple password. For e.g. I typically use something like "keepass" or domain of visited web + keepass

24
codinghorror 20 hours ago 1 reply      
How is this any materially different than the "I always forget my password and I always use the forgot password link"? I guess you don't have to pick a new password each time? But you could just rapidly type in gibberish and achieve nearly the same effect, no real password, login via email.
25
jplarson 20 hours ago 1 reply      
The biggest reason for me to pass on implementing an approach like this is what I THINK is the actual most common use case for a typical user when logging into a site at which they are a regular:

They're doing so for the nth time, and on the (or a) device they usually use, and thus their browser (or other password manager) has already got their password remembered and thus it is pre-filled in.

Having to click back and forth between email every time you log in seems way clunky relative to that, which for me is something above 90% of the instances I log in to some web application.

Couple that smoothness with picking a non-reused, strong password for a web application (which password managers make actually practical) and the friction in the user login experience seems to have little if any upside.

26
LukeB_UK 20 hours ago 2 replies      
Every time I've heard of this system, I've thought that it would make it clumsier to access an account.

I go to a site and my intention is to stay on that site throughout whatever I'm doing there. If you force me off your site for something like logging in (where it's the point of 'I trust your site, give me access') then I've lost focus and you've put your experience in someone else's hands.

If I was doing this, I'd have to open a new tab, go to GMail, wait for it to load, find the tab within GMail that has the email and then click the link. Every so often, I'd probably have to put my Google password in too. That's a lot of effort, considering that your site probably isn't that significant to me.

27
joesmo 16 hours ago 0 replies      
The main flaw with this idea as well as pretty much every password reset flow is that email itself is insecure. If I want to attack the login system and I have the ability to intercept the emails at some point, I essentially get access to the link/code in plaintext and now have access to the account. The difference might be that there will be a much higher volume of emails from a system like this than from one that just uses email for resetting passwords, though that's not guaranteed. I'd like to see a system that addresses this issue.
28
thesumofall 15 hours ago 0 replies      
There is a fully fledged implementation for Node.js https://passwordless.net Disclaimer: I'm leading the development
29
lazyjones 16 hours ago 0 replies      
Does this handle concurrent logins from multiple devices reasonably? If every login essentially resets the "password", either all other existing sessions are terminated (bad usability) or kept (possibly insecure).

The linked more technical description suggests that the latter is done (sessions on trusted devices are valid for 1 year), so you apparently cannot stop someone with a stolen device from accessing your account (while the session is active / the cookie persists).

30
FlailFast 20 hours ago 1 reply      
I like this idea a lot, but given the centralization of authority to a user's email account, I do think it requires beefed up security for however the user accesses their email---i.e., would be great to allow this only for users who have 2FA enabled on their webmail, although I have no idea how you'd check or enforce that.

Actually, the "lost password" flow already assumes email as a single point of failure, so I suppose my 2FA comment is moot (in other words, we should be pushing for 2FA for accounts regardless of their password approach on other accounts).

31
cpeterso 18 hours ago 0 replies      
Here is the Mozilla Webmaker blog post with a more user-centric discussion of the password-less system: https://blog.webmaker.org/one-less-password

I was initially concerned that email is insecure, but then I remember sites already use email for password reset. :) My bank does something similar by also remembering my personal computers by browser fingerprinting and/or IP address.

32
TomGullen 17 hours ago 0 replies      
Submit phone number, and it SMS's you your password.

If I steal someone's phone, I get access to any system using this.

If I buy a sim card off someone, or buy used sim cards, I could also gain access to some potentially high value targets if they use this.

If I 'borrow' a phone off someone, I can steal things from them if the sites using this have value.

etc etc.

33
marco1 18 hours ago 0 replies      
We shouldn't abuse email for this. Any one of LastPass, 1Password, KeePass etc. or SSO with Google, Facebook or Twitter can do this way better. You will probably be using extremely long and random strings, i.e. you're storing secure tokens there. You can't call those passwords any longer -- and we should forget about the notion of manually creating and then remembering passwords to sign-in.
34
aidos 17 hours ago 0 replies      
I've wondered for a while why this pattern isn't more common.

In the past I had thought it would be great if instead of email it could push to your phone so a message would pop up saying "confirm login? Yes/no". It would be a really simple option from a ux perspective but screw going anywhere near making the crypto tech to support it.

35
kylequest 17 hours ago 0 replies      
Good option for B2C services that are not that important (pretty much most of them actually :-)).

Email delivery problems are a factor that needs to be considered though.

Stolen "remember me" cookies is another factor... The password stealing malware will start harvesting those cookies instead of passwords (it's already happening in some cases).

36
esolyt 20 hours ago 0 replies      
This makes a lot of sense. On every device you would use to login to some kind of service, you already have access to your primary email. Clicking a link is easier than typing your password. It also seems to be safer. Your account is safe as long as your primary email is not compromised, in which case the attacker would gain access to your account by Forgot Password anyway.
37
droopybuns 20 hours ago 2 replies      
https://fidoalliance.org/ is a much better idea and worth investing in instead.

Passwords must die. We need to get to the point where there is a modular mechanism for authentication so that individual devs never are tempted to create a users table and add a note field for password storage.

38
nicarus1984 13 hours ago 0 replies      
What if I want to have this authentication process on my email account itself? :) The only other option (soon to be available) is SMS. Seems a bit too limiting and maybe not completely practical.
39
mcmillion 17 hours ago 0 replies      
I'd much rather just use a password.
40
frewsxcv 20 hours ago 3 replies      
Less -> Fewer
41
flowerpot 20 hours ago 0 replies      
Interesting, I would like to see how non-tech users evaluate the user experience of this.
42
alexsmolen 16 hours ago 0 replies      
I built an open-source Rails engine for something like this: https://nopassword.alexsmolen.com.
43
bibonix 19 hours ago 0 replies      
Sounds like a good idea, but how many sites/companies will adopt it? There are tons of similar ideas, but none of them are as popular as login/password...
44
cpeterso 18 hours ago 2 replies      
How does the user log in if they've changed their email address (e.g. switched ISPs and not using a gmail address)? Authenticate using SMS?
45
nathancahill 20 hours ago 0 replies      
Flask-Security supports this experimentally. I love it. It's much less of a hassle than you might imagine, having to click a link in an email.
46
amino 15 hours ago 0 replies      
Oculus have been doing something similar with their order tracking for quite a while now.
47
davidkhess 17 hours ago 1 reply      
I don't think storing authentication tokens in people's email is good UX and raises expiration issues.

Here's another take on how to get rid of passwords: The Password Manifesto

http://www.tech-spelunking.com/home/2014/9/5/the-password-ma...

48
jchysk 18 hours ago 1 reply      
LaunchKey. No Passwords. https://launchkey.com
49
cameronehrlich 20 hours ago 0 replies      
I think this could be a very elegant solution.
50
imaginenore 19 hours ago 0 replies      
I actually prefer Reddit's version - email is optional, while password isn't.
51
mbrain 20 hours ago 1 reply      
What to do with projects that have both web and mobile apps?
23
Charles Petzold Departing MSDN Magazine
55 points by pjmlp  4 hours ago   16 comments top 5
1
julianpye 2 hours ago 1 reply      
Slightly OT, but if you haven't heard about it before, Charles' book 'Code' is one of the best computing books I have ever read. I gave it to my engineer father and my MBA brother for Xmas years ago, as it is such a great introduction for anyone to understand how computers work. You will also need a copy if you ever were trying to build a computer from scratch :)
2
zerr 1 hour ago 0 replies      
I wish Xamarin had a different way of monetizing... This 90s style shareware is a real deal-breaker (aka PowerBuilder, Clarion, Delphi).

Hint: Charge for IDE, make raw SDK/compiler available for free.

4
narag 2 hours ago 0 replies      
Having someone like Petzold for a tools company sounds like an excellent idea. It could be called MDD (for Manual Driven Development) to give it a catchy name. Many tools seem like nobody bothered to check if it's actually practical to use them as intended.
5
chiph 2 hours ago 1 reply      
I used Mono forms several years ago, and the performance was a problem. Just way too slow. I'm certain it's gotten better in the meantime, but given Charles' experience (I learned Win16 programming from his book!), I think it's really going to become first class now.
24
Homebrew Cray-1A
91 points by nilicule  11 hours ago   16 comments top 7
1
fentonc 4 hours ago 1 reply      
Chris Fenton here - someone did actually send me an 80MB 'disk pack' with software, and I was able to modify a super old disk drive to actually read it:

http://www.chrisfenton.com/cray-1-digital-archeology/

And thanks to some awesome help from others, I was able to actually recover a copy of COS (Cray OS):

http://www.chrisfenton.com/cos-recovery/

Andras Tantos and I have been collaborating on this together for a while now, and he actually has a downloadable Cray X-MP datacenter simulator he wrote, where you can run the COS image I found:

http://www.modularcircuits.com/blog/articles/the-cray-files/

2
Animats 8 hours ago 3 replies      
Now if only someone can get this guy some Cray-I software. Even the Computer Museum, which has an actual Cray-I they use as a piece of furniture, apparently doesn't have any.

The Cray-I is a rather simple machine at the logic level. There are 64 of some registers, but they're all the same. The instruction set is small.

3
jhallenworld 2 hours ago 0 replies      
Please upload any working cray image to bitsavers.org.

I wrote an emulator for a Motorola Exorciser (6800 development system: http://exorsim.sourceforge.net/ ), and am totally in debt to whoever uploaded the MDOS disk images.

4
krylon 6 hours ago 1 reply      
This is so awesome.

But what I'd really like is that to-scale case and put a small PC in it. Even if one does not care at all about its historic significance, the Cray-1 was one of the most visually appealing computers I have ever seen. Having a miniature version of it sitting on my desk would be extremely cool.

5
philf 7 hours ago 1 reply      
6
eaxitect 9 hours ago 0 replies      
I really like the idea and implementation.
7
JetSpiegel 6 hours ago 0 replies      
But can it run Crysis?

Or even Doom?

25
The Magazine: The Book (Year One), Free Download
16 points by Flenser  3 hours ago   2 comments top
1
symmetricsaurus 1 hour ago 1 reply      
In case you missed it they are also shutting down. [1]

It's unfortunate, I think, since the model for a publication was interesting.

[1]: http://glog.glennf.com/blog/2014/10/8/the-magazine-is-making...

26
In Search of Time's Origin
3 points by dnetesn  3 hours ago   discuss
27
Capturing the Potential of Outlier Ideas in the Intelligence Community [pdf]
3 points by poindontcare  4 hours ago   discuss
28
Humans are not constraint solvers
4 points by miguelferreira  3 hours ago   discuss
29
Tamper: Chrome devtools extension for capturing and editing HTTP requests
51 points by adamnemecek  13 hours ago   8 comments top 7
1
dutzi_ 5 hours ago 1 reply      
I built this tool because I had a lot of production issues where I needed to make some changes and test them. I couldn't use devtools' Elements or Sources panel since I had to make these changes available as the page loads (inline script changes, css url changes, etc...).

I tried using Fiddler and similar alternatives (Charles, Burp), but:

1. When running it on the Mac you need to run a VM.

2. Fiddler shows you ALL the requests made by your machine.

3. Moving between Fiddler, Chrome and Sublime is just annoying.

Since it's running a proxy server (it's actually based on http://www.mitmproxy.org) on your machine, it's also very useful when you want to test things on mobile devices.

2
elmotri 7 hours ago 0 replies      
The background of that page makes my screen look dirty. Even though I know it's the background every time my eyes move I see new dust on my screen :)
3
kasbah 3 hours ago 0 replies      
I was hoping this would be a more modern Tamper Data [1] but it sounds like you can't edit requests before they are sent?

[1]: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

4
h43k3r 2 hours ago 0 replies      
I am already behind my institute proxy. Does it have a cascading feature?
5
passfree 6 hours ago 0 replies      
Interesting idea. There is also a similar tool over here: https://suite.websecurify.com/market/httpview
6
NoMoreNicksLeft 2 hours ago 0 replies      
Sweet, I was looking for something like this just last week.
7
unwind 7 hours ago 0 replies      
There's a typo in the title, somebody please s/extenstion/extension/. Thanks.
       cached 13 October 2014 16:02:01 GMT