A quick Google search found only four:

https://www.mozilla.org/en-US/security/advisories/mfsa2013-9... another local file disclosure)

https://www.mozilla.org/en-US/security/advisories/mfsa2015-3... (needs to be "combined with a separate vulnerability" to be exploitable)

https://www.mozilla.org/en-US/security/advisories/mfsa2015-6... (needs to be "combined with a separate vulnerability" to be exploitable)

https://www.mozilla.org/en-US/security/advisories/mfsa2015-7... (this one)

It still is looking better than the plugin it replaced.

All these extra bells and whistles added to browsers to allow websites to pretend they're 'native apps' should require a very large switch to be thrown from 'safe' to 'unsafe' whenever an application requests such a thing. And what a pdf reader has to do with javascript is a mystery as well. Systems that are too complex are almost by definition insecure.

Would like to know if an installation is vulnerable if:

 1) If Applications, PDF is set to "Always ask" 2) Ublock and/or privoxy are used 3) Javascript is disabled 4) pdfjs.previousHandler.alwaysAskBeforeHandling == false 5) pdfjs.disabled == true

cf https://twitter.com/swiftonsecurity/status/62840155490772582...

Why do advertising networks allow advertisers to exectue Javascript? What need is there for it?

Every time one of these exploits that use advertising networks is found, it just increases the value of blockers such as uBlock. Whether you accept adverts or not, you shouldn't have to accept javascript being executed on your machine that isn't from the site you visited.

But sending hashes of your downloads to Google [1][2] is a feature, right?

1. https://support.mozilla.org/en-US/kb/how-does-phishing-and-m...2. https://bugzilla.mozilla.org/show_bug.cgi?id=1138721

https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sop...

Specifically, the "Securing the Web browser" section.

[edit] Also worth mentioning is the stuff about smartcards on that blog post. You can steal my ~/.ssh/ and my ~/.gnupg/, but because I'm using a smartcard, it wont do you any good.

Edit: NVD does list a bunch of vulnerabilities with "PDFium" in them [1], and I guess there are a few more from when it wasn't called PDFium yet, but I'm curious as to how an expert would interpret these numbers.

[1] https://web.nvd.nist.gov/view/vuln/search-results?query=pdfi...

previous discussion: https://news.ycombinator.com/item?id=10020361

even though I don't use pdf.js, have ublock and a strong key password, I'm not risking it.

I have access to so many servers, I'd rather spend 30 mins changing keys than take the chance

I was never comfortable with pdf.js and changed the setting to use the default pdf viewer in all my machines.

Note: If you use your Linux distribution's packaged version of Firefox, you will need to wait for an updated package to be released to its package repository

It would be particularly scandalous if they knew that disabling pdfjs would suffice yet refused to mention it because they couldn't bear to see their precious CPU/memory-hogging scribd knockoff no one asked for being disabled by their users, in effect putting their grandiose vision of the browser-as-OS ahead of their users' security.

1. If PDF files aren't set to open using Firefox's built-in PDF viewer, was the relevant system still vulnerable? (That is, if under Options->Applications, PDFs were set to something other than "Preview in Firefox", would this attack still work?)

2. Which were the 8 popular FTP clients potentially affected?

3. Was this specific case all that could be done or was it an example of a wider class of potential exploits? (That is, can we actually trust any sensitive credentials in any applications on any system that has been running Firefox before today? And could we have disclosed other sensitive information that was held in well known local files?)

I do deal with sensitive details, and have access to lots of external systems run by various clients. If there is a real danger here then I need to act. If there isn't, then I would prefer not to spend the next 1-2 days of my time updating everything that could have been silently compromised instead of doing revenue-generating work, and worse, contacting every client I work with to notify them that their security may have been compromised and it's my responsibility.

Olimex, who are in a position to know, says that the BOM for this adds up to more than $20.

https://olimex.wordpress.com/2015/06/05/how-to-get-in-the-ne...

So, it's basically a marketing ploy, which is still cool, but they will have to find some way to make up the difference post launch.

1) It is a non-profit that has done things I am happy about.

2) It is kind of a standard which allows the sharing of code and parts very easy.

My money goes to Raspberry Pi because it is good at what it does and I like the company.

https://www.kickstarter.com/projects/1598272670/chip-the-wor...

All we need is a 'pre-order' button that, when pressed, pops up a message telling you that pre-orders don't exist!

Any more info about the platform? (Processor, memory size, OS, API)

I learned so much there, so many amazing people.

Great work guys!

http://Clara.io

But my experience in a baker-shop can tell you everything on the european attitude towards technology."So what are you doing for a livin?""I work as a software developer..""Oh, so your company doesent produce anything real?"

You cant force a culture to embrace something new that it detests. This doesent mean that this culture will not buy the products, but it will never produce them on the level as californium.

Another example? People pay ridiculous amounts of money for public television in germany. And it is bad. Outright horrible. Not regarding production quality, not the acting, execution and direction. Then what is missing to create a german game of thrones? The answer: A diffrent production culture, that doesent view half a hour of screaming drama as a authentic drama, and understands that a joke on the henchmans axeblade makes drama so much more impacting. Will that change come? No. Cultures only adapt when they suffer and europe is not suffering enough.

>That might be the scariest thing of all for Google. It isnt dealing with an antitech ideologue or a competition czar consumed with cementing a personal legacy. It faces a straightforward prosecutor in a hostile political climate dominated by powerful local business interests with their own regulatory agendas. Good luck to Google searching for a way out of that.

I've been following this story for a while and I watched the press conferences she gave and that's the impression I got from her as well.

I think Google is definitely not going to skate by like they did in the US with a slap on the wrist. The investigation into Android is going to be another big one and if they break up Google's ability to bundle/tie in their services, it pretty much neutralizes the entire benefit of Android to Google as a defensive moat.

It seems completely ridiculous to call those two different markets. Finding the most relevant X on the web is fundamentally part of the same market no matter what X is.

Now, if they'd accused Google of using their market position in search to promote gmail, for instance, they might have a point. Not a very good point, but at least an understandable point. But calling "general search" and "product search" two different markets? They seem to just be looking for a way to extort concessions out of a company that seems like a tempting target, all the more so for not being an EU company.

Later in the same article is an indignant accusation that Google's display of other types of search results don't label themselves as ads. Of course they're not; if you search for an address, and you conveniently get a map of that address (which is one of the most likely things you were looking for), that's not an ad, that's the content you actually wanted. (By contrast, the garbage next to it telling you about other services related to random keywords in the search terms are ads.)

Now, the crazy 2014 deal that fell through certainly does sound like antitrust-style collusion; it's certainly ridiculous to have competitors bid for the right to appear as a list of competing services at the top of Google search results. But far from the "extortion" it's described as, it sounds a lot more like collusion between multiple large companies to exclude smaller players. The solution isn't to find a way to include more companies; it's to forget that that anticompetitive arrangement was ever proposed, and continue on with the current situation where Google shows users whatever it thinks they're looking for.

(I'm not suggesting that Google has pure and altruistic motives here; far from it. They're out to make money. I'm just saying that they've done nothing wrong here, and more generally that there's no wrong here for anyone to be accused of doing. That some random local company in the EU got annoyed at not being at the top of Google search results should not be Google's problem, or anyone's problem other than that company's.)

However, another plausible position is that Google is merely behaving negligently. There are some studies (paid by competitors, sure) showing users dislike Google promoted content and products. Those products should probably have their A/B tests ended, but nobody has the guts to pull the plug (and willpower to evolve the effort into something else). Knowledge Base has sucked away ~30% of Wikipedia's traffic, which thankfully has not yet hurt donations. Google certainly doesn't want Wikipedia to fall apart.

If we want to draw a parallel to Microsoft's monopoly, we could point out how IE was initially a good product but then fell behind the competition. Pushing it on consumers not only hurt consumer choice, but (over time) locked users into a poor experience. But did we really need to carry out a lengthy (and ineffective) anti-trust case?

Building a legal case is expensive and highly political. If discovery doesn't uncover evidence of malicious intentions, then one must prove competitors and consumers were harmed. But if the monopoly has been held for so long, how can one prove those damages without resorting to small, expensive, and contrived studies?

We should begin to embrace an expectation that the producer of any successful product will eventually become negligent. Protecting consumer choice is not just about fair discovery, but ensuring the diversity needed for markets to evolve (for better or, perhaps in the short term, for worse). Why do we have to go to such effort to show how Google is specifically doing harm? Why can't we say they had their turn, and here are places where they have concentrated marketshare and thus places in need of diversity?

But today I'm afraid Europe suffers memory loss.

They're using coercion against another country (always the same one, the USA) for ideological reasons... which is the very definition of war.

The fact they're citing money as the reason only makes it more frightening. Prosperous countries avoid war and favor trade instead, if possible.

As a European citizen, I can witness the anti-american mindset: it's growing, nurtured by press and politicians. Don't think "it's not the USA, it's Google/Amazon/Apple/Microsoft/Facebook": they actually cite the USA all day long until Google is a synonym for the USA in people's mind.

A quick check with the first article I can find in my Google newsfeed: in the french press, about Apple Music, the article starts with "Le gant amricain de l'informatique Apple" (The american IT giant/behemoth Apple)

The internet is an amazing promoter of free-trade, so unsurprisingly it's the perfect target for Europe.

Please don't call it a conspiracy theory: it's not one, because I hope I'm wrong ;-)

It's an excellent list. Most designers will have seen many of these already.

http://www.amazon.com/Dont-Shoot-Dog-Teaching-Training/dp/05...

This is actually a very fun read about conditioning - no matter if you have a cat or dog. I've read it quite a while ago, and I remember that conditioning cats is not that difficult, as long as you stick to positive rewards. Punishment doesn't work.

For those who think this will be abused for manupilating people - that's what we do all day no matter if we read this book or not. It's just the way you do it, and that probably won't change by reading this book. It will teach you a lot about your own behavior.

Do things fast when the cost of doing them wrong is low. If you're learning something, or doing something with low risk, then doing it as fast as possible is a really good idea (for all the reasons set out in the article).

But...

Do things slowly if the cost of getting it wrong is so high that you'll have no opportunity to try again. For example, don't pack a parachute quickly.

The key is recognising that there's more than one way to approach soemthing; selecting the right method for the problem at hand is the winning strategy.

But one good counter example does come to mind - designing a database schema.

I'm trying to wrestle with what the difference might be. I think Markov processes, e.g. processes where the future state depends on a prior state, are relevant.

Maybe we could say tasks are either "strongly Markvoian", that is, how well we do them now will influence our future work and hence we should really think them through, e.g. designing a schema. Weakly Markovian, in which case there may be some future impact but not much, and so we exercise caution but "done is better than perfect". And finally non-Markovian - e.g. throwing out the garbage, cooking dinner, most emails - getting the thing done is simply a pass/fail and so we just have to do it, quality is relatively unimportant.

I think what I'm saying is, most tasks will be weakly or non-markovian, so we should "move fast and break things", but every now and then there'll be something we need to do that is strongly markovian. For such things we should be prepared to take a step back and give ourselves a little extra time, so things don't blow up further down the track.

An alternative explanation would be that if you don't take your time to understand people's mail and just rush to answer them as quickly as possible, things that would take two mails to communicate now end up being a thread of ten mails, two phone calls and an in-person meeting.

Nothing is more infuriating than a person that replies 30 seconds later with a message that suggests they didn't read past the first sentence.

I don't know the author or his ways of responding to emails, but in my experience the above often applies to people that value speed above all else.

Slow is smooth. Smooth is fast.

If I take 20 minutes more to code a module because I'm thinking about it, but spend 30 minutes less debugging problems with the module, that's fast.

If I take a day to respond to an email, but the person I'm conversing with gets the info they need, avoiding three more days of back and forth, that's fast.

If I take a week longer to iterate through a project idea, but nail the implementation, then I can know that I'm pivoting because the idea was wrong, not the implementation.

Speed lets you try many alternatives, experiment with many different even opposite options, and draw out creativeness.

Another possible reason is that speed is the strength of the younger generations. In human history, if new comers want to beat the current authority (in business or politics) who have already mastered the intricacies of the current game, one have to propose and experiment large quantity of new alternatives, new rules of new games, even though most of experiments might have low quality results judging by the established rules. But it's the better way to compete and survive.

I found this an interesting view of property but I suspect it may need a shift in definition over the next few decades.

Esser has his reasons - "Short reminder: Europeans are not allowed to disclose vulns privately to a foreign company like Apple without registering dual-use export"[1] - but it's hard to believe he couldn't have told them anonymously. Disclosures make careers, though, so there's a strong incentive to go public.

[1] https://twitter.com/i0n1c/status/624172774915973120

Or perhaps a fresh environment with a few of the most important variables sanitised and copied over? And perhaps with the old variables available with a prefix (_UNPRIVILEGED_DYLD_PRINT_TO_FILE etc)?

What would this break?

I'm suddenly very glad I don't use my macbook as my main machine, but I guess I'll remove the set{u,g}id bits on newgrp for now. Don't know if that will break things, but it's better than getting a rootkit.

What do you recommend as security software for OSX currently? How do you help secure your devices from public wifi and the internet in general? Especially for novice users?

 chflags uchg /etc/sudoers

I've always felt these were more of a trick in being single instruction set because you are using some of the addressing bits to encode an opcode.

https://en.wikipedia.org/wiki/Concepts_(C%2B%2B)

[0] https://www.youtube.com/watch?v=mCrVYYlFTrA

Exploiting non-vulnerable SMM code through a remap flaw in x86 architecture. Ouch.

Not only can this arbitrarily exploit the running OS. It might actually be able to physically destroy the computer it's running on, for example by abusing thermal controls.

Doesn't affect Sandy bridge or newer.

Scary.

It's fortunate that newer platforms seem to be immune (see https://security-center.intel.com/advisory.aspx?intelid=INTE... ), but remediation after exploit via total hardware replacement would _suck_ for anybody with servers just a couple of years old.

Fortunately, it's `just` a root => SMM escalation, which are already more common than anyone would really like to admit.

However it does mention ring -2 is under the hypervisor, so.. that allows guest->host escape under VT-x?

Ie. downsample 4x-8x, blur at smaller px radius and resize back to orig size - much faster than blurring at original resolution, and looks almost identical.

Maybe the bad guys are really bad, but sometimes I hope that they get off just to make the point that the cops are suppose to do the "right thing", otherwise the cops really are the bad guys.

Ideas and tools can be conceived, developed, deployed and adopted before a (state-sanctioned) response can be formed. Significant results (and value) can be reaped in the inherent lag between deployment/discovery and responsive-legislation.

In tech, we've seen it recently as startups deploy faster than labor laws can (re)define boundaries.

In government, when it's the police doing the rapid deployment... well, it's kind of uncharted territory.

Has anyone modeled a system of checks and balances where one of the three processes has an n month setTimeout() before it can respond to inputs from another? Where does the system find equilibrium?

They just mention that there is no conflict between Russia and Ukraine, although Russia send unofficial armed troups to Ukrain :p, because they didn't allowed the coupe of "obama's" administration.

The problem is, America didn't send any troops to Ukrain, Russia did:

http://www.telegraph.co.uk/news/worldnews/europe/russia/1165...

https://en.wikipedia.org/wiki/Web_brigades

I can guarantee you that your typical regular transit user is capable of walking a couple blocks without having to stop for a Gatorade.

http://m.nydailynews.com/opinion/extend-7-train-secaucus-art...

Have a nice summer! :)

Hmmm... I guess I'm not the first to think that my home plumbing would be the perfect transmission medium to gather data from temperature sensors.

I am not so much into cryptoanalysis so, I really should have some suggestion in this case.

edit: I meant "hack" in the "cool application of technology" sense.

http://www.inf.fu-berlin.de/lehre/WS07/mafi1/90zahlen.txt

His point was: It it simple to prove that those subsets must exist, but it is very hard to compute them. To make his point even more clear, he offered some prize money if anyone found an explicit solution.

A friend told me about that challenge, and I tried. With a lot of conceptual work, programming, optimization and some luck I was finally able find such a solution (and received the prize):

https://njh.eu/90

(Sorry, German language, but the solution is readable, I guess :-))

For generations you have been giving us little correlations, tidbits of mechanisms. Vitamin X, High Intensity Sleep, Antioxidants, Kale, CR Hot off the presses new experiment reintroducing critically endangered carnivorous gut fauna

There is nothing useful that we can do with this "information." It's just random letters from some book that you are throwing at us one at a time. "We found some Hs! It's the first letter in this chapter about Kano Jigaro and appears a dozen time a page. He had exceptional balance, grip strength and organizational skills. It's important. Pay attention to your Hs."

I demand a theory, preferably something simple and powerful like Darwinism that we can demonstrate by drawing sailboats. An equation would be nice.

Just this week I burned my mouth on a chili pepper. I fainted getting out of my ice bath after a 48 hour CR Fast and I went through the window doing HIIT sprints on an omnidimensional walking desk.

I'm going back to the food pyramid. Gimme some spuds.

My mother is the kind who changes the whole family's diet when she reads some sufficiently convincing diet book or study. At one point we ate dissociated food. At another point it was blood type food.At another point it was raw roots or something. I love my mother and she's an excelent cook, and she never forced us to eat according to the books, but she would be very insistent, because there were studies that showed ...

Most of the time the results of those studies were disproved, either by another experiment or by some technical issue with the way the study was conducted.

Just like there were studies that smoking is actually good for you and studies that showed that children who drink sugar soda from an early age are heathier.

The point I'm trying to make is that these studies are not just 'informative', they have real consequences on real families. There are families out there who will start eating hot food just because they've read this study.

I hope they don't torture themselves for nothing.

> After controlling for family medical history, age, education, diabetes, smoking and many other variables, the researchers found that compared with eating hot food, mainly chili peppers, less than once a week, having it once or twice a week resulted in a 10 percent reduced overall risk for death. Consuming spicy food six to seven times a week reduced the risk by 14 percent.

TL;DR: "As the authors acknowledge, a cause and effect relation cannot be inferred from their work. In this prospective study, Lv and colleagues have shown temporality of association, but we need to evaluate additional criteria to judge the strength of evidence. Their findings should be considered hypothesis generating, not definitive, and will undoubtedly encourage further work."

Jokes apart on a more serious note the crux of the study is --

"Compared with those who ate spicy foods less than once a week, those who consumed spicy foods 6 or 7 days a week showed a 14% relative risk reduction in total mortality. "

Although this study is very vague, in Asian cultures health benefits of spices and various plant products is well known.

Ginger : Has Cox2 inhibitory function. Acting in a similar way to Aspirin and other NSAIDS. Helps prevent heart attacks

Curcumin : found in turmeric has anti-inflammatory similar to ginger but is poorly absorbed. Hence mad more benefits for the Gut.

Arjuna Terminalis : Bark of the plant is known to have anti-hypertensive benefits.

And the list goes on.

The problem is that in the traditional way these plants are consumed (unprocessed in food and NOT in EXTRACT form) these have very poor Bioavailability.

The only way these so called health benefits would be apparent is if they were part of the diet (you eat them everyday - as noted in the study) or they are consumed in the form of Extract.

Also many of these compounds can not be patented and this deters the pharmaceutical industry to make large investments in the clinical trails and bringing them to the market.

http://www.ncbi.nlm.nih.gov/pubmedhealth/?term=curcumin

http://time.com/3984504/turmeric-supplements-curcumin/

Link: https://en.wikipedia.org/wiki/The_China_Study

Obviously a whole lot other things also differ together with the spices in these cuisines. It would be nice if they'd asked if the subjects identified with a specific cuisine/area.

There could also be a wealth relation. The poorer Guandong (Cantonese) kitchen has little less chili than the famously spicy Szechuan kitchen which is from a richer area.

They can control for any number of things, but this isn't science, it's a correlation and anyone who has taken an intro to statistics class shouldn't be fooled by a pseudoscience blog post. Really surprised to see this on the front page of a community which prides itself on its scientific knowledge.

I do know that at times when I get a spell of mild depression, munching on some hot peppers seems to pull me out of it.

Does anyone know the chemical mechanisms causing this, and whether any other foods, combined with or after the spicy meal, could help more-quickly neutralize this lagged skin odor?

Spicy food also has a tendency to clear sinuses. I believe a couple of studies have shown that clearing sinuses occasionally (but not too often) is beneficial.

I have a secondary systemic inflammation to due a genetic condition that make my mitochondria to malfunction. Usual symptoms include a profound fatigue after working-out and muscle weakness, specially in the extra-ocular muscles.

I have been always centered around supplements to improve the energy output (ATP) of my mitochondria (Coq10, ALCAR, idebedone ... you name it). While this made a big difference in my everyday energy levels, I always felt that this systemic fatigue couldn't come only from a energy deficit, as I was able to workout with pretty good intensity and decent weights (I can squat 1.5 my body weight).

The first hint came a couple of months ago when a friend of mine went to the doctor because he was also profoundly fatigued and the doctor told him that he had some kind of auto-immune disease that was causing a systemic inflammation and this systemic inflammation was likely the main cause for the fatigue.

The second hint came right here from HN [1]. So, I just added turmeric extract to my daily regimen 10 days ago and the results have been really impressive so far. I can recover much easier from my workouts and my general energy level has also improved a lot, specially during the mornings. It is too soon to tell, but after so many years trying so many supplements I have developed a anti-placebo and anti-bullshit sense for all these things, and this one is working for real.

Now, I am not meaning that spicy food will make you live longer, but it seems clear that they have some potent active substances that "do" something in our bodies.

I am now trying to add some spicy foods to my meals. The first one has been a very simple curry rice with black pepper (to improve absorption) to eat it post-workout.

Some relevant references:

Curcumin database [2]

Good general info about turmeric [3]

Mitochondria as a target in the therapeutic properties of curcumin [4]

[1] https://news.ycombinator.com/item?id=9960441

[2] http://www.crdb.in/

[3] http://www.whfoods.com/genpage.php?tname=foodspice&dbid=78

[4] http://www.ncbi.nlm.nih.gov/pubmed/25243820

http://education.nationalgeographic.com/maps/doggerland/

A lot of previously-inhabited territory -- presumably fertile lowlands! -- was inundated as sea levels rose after the last ice age ended, around 9500-8500 years ago.

https://en.wikipedia.org/wiki/G%C3%B6bekli_Tepe

It is truly revolutionizing our understanding of mesolithic culture.

That would suggest that oral knowledge survive thousands of years (a little more than DVDs). It's pretty remarkable.

B.P. == Before Present https://en.wikipedia.org/wiki/Before_Present

http://www.bbc.co.uk/programmes/b01s6xyk/episodes/downloads

"Discover birds through their songs and calls. Each Tweet of the Day begins with a call or song, followed by a story of fascinating ornithology inspired by the sound."

If you insist on not using javascript we provide a simplified website here"

here leads here: http://blog.rekahsoft.ca/nojs/index.html

At the time of posting this comment it was 404