hacker news with inline top comments    7 Aug 2015
Firefox exploit found in the wild mozilla.org
172 points by _jomo  4 hours ago   100 comments top 19
1
cesarb 2 hours ago 1 reply      
How many PDF.js security vulnerabilities have been found so far?

A quick Google search found only four:

https://www.mozilla.org/en-US/security/advisories/mfsa2013-9... (another local file disclosure)

https://www.mozilla.org/en-US/security/advisories/mfsa2015-3... (needs to be "combined with a separate vulnerability" to be exploitable)

https://www.mozilla.org/en-US/security/advisories/mfsa2015-6... (needs to be "combined with a separate vulnerability" to be exploitable)

https://www.mozilla.org/en-US/security/advisories/mfsa2015-7... (this one)

It still is looking better than the plugin it replaced.

2
jacquesm 3 hours ago 7 replies      
I don't even want my browser to have a 'local file context', is there a way to switch such behavior off entirely until explicit permission is given?

All these extra bells and whistles added to browsers to allow websites to pretend they're 'native apps' should require a very large switch to be thrown from 'safe' to 'unsafe' whenever an application requests such a thing. And what a pdf reader has to do with javascript is a mystery as well. Systems that are too complex are almost by definition insecure.

3
Nanzikambe 2 hours ago 3 replies      
The lack of additional detail in this very sparse announcement really compromises users' ability to damage control effectively.

Would like to know if an installation is vulnerable if:

 1) If Applications, PDF is set to "Always ask"
 2) Ublock and/or privoxy are used
 3) Javascript is disabled
 4) pdfjs.previousHandler.alwaysAskBeforeHandling == false
 5) pdfjs.disabled == true
Also which advertising network and which Russian site would be helpful for blocklists.

4
lorenzhs 2 hours ago 2 replies      
Once again, this demonstrates that blocking advertisements is a really good idea from an InfoSec perspective. Ad blocking not only abates a nuisance, it's an important security measure.

cf https://twitter.com/swiftonsecurity/status/62840155490772582...

5
aembleton 3 hours ago 3 replies      
If at all possible it would be worth naming and shaming the advertising network that is allowing this exploit through.

Why do advertising networks allow advertisers to execute Javascript? What need is there for it?

Every time one of these exploits that use advertising networks is found, it just increases the value of blockers such as uBlock. Whether you accept adverts or not, you shouldn't have to accept javascript being executed on your machine that isn't from the site you visited.

6
jonaslejon 2 hours ago 1 reply      
Since the vulnerability is in pdf.js, is the Tor Browser Bundle vulnerable?
7
johnnydoebk 2 hours ago 2 replies      
Well, sending some user files to Ukrainian server is a bug.

But sending hashes of your downloads to Google [1][2] is a feature, right?

1. https://support.mozilla.org/en-US/kb/how-does-phishing-and-m...
2. https://bugzilla.mozilla.org/show_bug.cgi?id=1138721

8
mike-cardwell 3 hours ago 2 replies      
I'll just chuck this old blog post of mine out there:

https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sop...

Specifically, the "Securing the Web browser" section.

[edit] Also worth mentioning is the stuff about smartcards on that blog post. You can steal my ~/.ssh/ and my ~/.gnupg/, but because I'm using a smartcard, it won't do you any good.

9
currysausage 1 hour ago 1 reply      
Semi off-topic: What does the security track record of Chrome's integrated PDF viewer (PDFium) look like? Should I make it Click-to-play or is it about as secure as any other part of the browser?

Edit: NVD does list a bunch of vulnerabilities with "PDFium" in them [1], and I guess there are a few more from when it wasn't called PDFium yet, but I'm curious as to how an expert would interpret these numbers.

[1] https://web.nvd.nist.gov/view/vuln/search-results?query=pdfi...

10
0xffffabcd 3 hours ago 0 replies      
Yet another reason to use uBlock and NoScript.

previous discussion: https://news.ycombinator.com/item?id=10020361

11
mrbig4545 1 hour ago 0 replies      
I guess now is a good time to change my ssh keys. joy

even though I don't use pdf.js, have ublock and a strong key password, I'm not risking it.

I have access to so many servers, I'd rather spend 30 mins changing keys than take the chance

12
hornbill 1 hour ago 1 reply      
Out of curiosity, how many users will be opening pdf using pdf.js? Is it widely used?

I was never comfortable with pdf.js and changed the setting to use the default pdf viewer in all my machines.

13
ffuseronlinux 2 hours ago 0 replies      
I believe using "about:config" and setting "pdfjs.disabled" to "true" will neutralize the vulnerability, at least from the description they gave of it, but confirmation from them to that effect would be appreciated, especially for users stuck on the current (or older) version, as the download page acknowledges some might be:

Note: If you use your Linux distribution's packaged version of Firefox, you will need to wait for an updated package to be released to its package repository

It would be particularly scandalous if they knew that disabling pdfjs would suffice yet refused to mention it because they couldn't bear to see their precious CPU/memory-hogging scribd knockoff no one asked for being disabled by their users, in effect putting their grandiose vision of the browser-as-OS ahead of their users' security.

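Nanzikambe's checklist above and ffuseronlinux's about:config suggestion both come down to reading a handful of profile preferences. The following is an added example, not code from Mozilla or from anyone in this thread: a small audit script that parses a Firefox profile's prefs.js/user.js and reports whether the built-in PDF viewer is switched off (pdfjs.disabled), whether JavaScript is enabled, and the value of the pdfjs.previousHandler.alwaysAskBeforeHandling pref if present. It only reports the settings as found; it makes no claim that any combination of them removes the vulnerability. The SAMPLE_PREFS text is constructed for the example, and the defaults assumed for absent prefs (pdfjs.disabled=false, javascript.enabled=true) are the Firefox defaults of the time.

```python
"""Audit the PDF-viewer related preferences of a Firefox profile.

Added example for the thread above, not Mozilla's code.  Assumes the
documented prefs.js/user.js line format:  user_pref("name", value);
SAMPLE_PREFS below is a constructed sample, not a real profile.
"""
import re
import sys
from pathlib import Path

# One pref per line; the name may contain escaped quotes, the value runs to ");".
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')


def _parse_value(raw):
    """Turn the textual pref value into a Python bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \" and \\ escapes
    try:
        return int(raw)
    except ValueError:
        return raw  # unrecognised shape: keep the raw text


def parse_prefs(text):
    """Parse prefs.js-style text into a dict; later lines override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = _parse_value(match.group(2).strip())
    return prefs


def load_profile(profile_dir):
    """Merge prefs.js and user.js from a profile directory (user.js wins)."""
    prefs = {}
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            prefs.update(parse_prefs(path.read_text(encoding="utf-8", errors="replace")))
    return prefs


def audit_pdf_viewer(prefs):
    """Report the viewer-related settings discussed in the thread.

    Absent prefs take the assumed Firefox defaults: viewer enabled, JS enabled.
    """
    return {
        "inline_pdf_viewer_enabled": prefs.get("pdfjs.disabled", False) is not True,
        "javascript_enabled": prefs.get("javascript.enabled", True) is not False,
        "always_ask_before_handling": prefs.get("pdfjs.previousHandler.alwaysAskBeforeHandling"),
    }


# Constructed sample profile text (not taken from any real installation).
SAMPLE_PREFS = r'''# Mozilla User Preferences
// constructed sample for this example, not a real profile
user_pref("app.update.lastUpdateTime.background-update-timer", 1438905600);
user_pref("browser.download.dir", "C:\\Users\\alice\\Downloads");
user_pref("pdfjs.disabled", true);
user_pref("pdfjs.previousHandler.alwaysAskBeforeHandling", false);
user_pref("javascript.enabled", true);
'''

if __name__ == "__main__":
    # Usage: python audit_pdfjs.py /path/to/firefox/profile  (or no arg for the sample)
    prefs = load_profile(sys.argv[1]) if len(sys.argv) > 1 else parse_prefs(SAMPLE_PREFS)
    for key, val in audit_pdf_viewer(prefs).items():
        print(f"{key}: {val}")
```

Running it against a real profile directory prints the three settings; a distribution-packaged Firefox that cannot yet be updated can at least be inventoried this way across machines before deciding what to do about it.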
14
Grue3 58 minutes ago 0 replies      
15
Rexxar 2 hours ago 0 replies      
Why is the new version number "39.0.3"? Did I miss "39.0.1" and "39.0.2"?
16
joosters 2 hours ago 1 reply      
17
Silhouette 3 hours ago 1 reply      
Some more details would be helpful here. Specifically:

1. If PDF files aren't set to open using Firefox's built-in PDF viewer, was the relevant system still vulnerable? (That is, if under Options->Applications, PDFs were set to something other than "Preview in Firefox", would this attack still work?)

2. Which were the 8 popular FTP clients potentially affected?

3. Was this specific case all that could be done or was it an example of a wider class of potential exploits? (That is, can we actually trust any sensitive credentials in any applications on any system that has been running Firefox before today? And could we have disclosed other sensitive information that was held in well known local files?)

I do deal with sensitive details, and have access to lots of external systems run by various clients. If there is a real danger here then I need to act. If there isn't, then I would prefer not to spend the next 1-2 days of my time updating everything that could have been silently compromised instead of doing revenue-generating work, and worse, contacting every client I work with to notify them that their security may have been compromised and it's my responsibility.

18
afeef 22 minutes ago 0 replies      
19
drvortex 3 hours ago 3 replies      
GitLab: Almost everything we do will be open gitlab.com
15 points by jobvandervoort  38 minutes ago   1 comment top
1
jobvandervoort 3 minutes ago 0 replies      
As always, if anyone has any questions, we're here.
C.H.I.P. Raspberry Pi competitor nextthing.co
26 points by adam_klein  2 hours ago   16 comments top 8
1
tyingq 18 minutes ago 0 replies      
I was, at first, amazed at the price point.

Olimex, who are in a position to know, says that the BOM for this adds up to more than $20.

https://olimex.wordpress.com/2015/06/05/how-to-get-in-the-ne...

So, it's basically a marketing ploy, which is still cool, but they will have to find some way to make up the difference post launch.

2
baldfat 1 hour ago 2 replies      
Personally I prefer the original Raspberry Pi due to two things.

1) It is a non-profit that has done things I am happy about.

2) It is kind of a standard which makes sharing code and parts very easy.

My money goes to Raspberry Pi because it is good at what it does and I like the company.

3
zzzaim 1 hour ago 0 replies      
FYI, its Kickstarter page has lots more information than "CHIP does computer things" :)

https://www.kickstarter.com/projects/1598272670/chip-the-wor...

4
joosters 33 minutes ago 1 reply      
I've got a great idea, guys! Let's create a web page for our product, but put absolutely NO information about it on there. After all, who needs to know anything about it?

All we need is a 'pre-order' button that, when pressed, pops up a message telling you that pre-orders don't exist!

5
deadmik3 22 minutes ago 0 replies      
I'm working on a raspberry pi project right now that would be MUCH better with this. Built-in wifi and bluetooth, battery power, it's a lot smaller... I want this now
6
avinassh 16 minutes ago 0 replies      
Wow, this is just amazing. But looks like we have to wait till Feb 2016?
7
avodonosov 1 hour ago 3 replies      
Ah, $9 is just a chip, not a pocket chip. What is the pocket chip price?
8
avodonosov 1 hour ago 1 reply      
I like the pencil stand.

Any more info about the platform? (Processor, memory size, OS, API)

WebGL Studio webglstudio.org
137 points by desp  6 hours ago   36 comments top 15
1
aplummer 2 hours ago 2 replies      
This blows my mind. I've got bugs with a carousel today and people are building this. So impressive.
2
wildpeaks 47 minutes ago 1 reply      
That's great, it looked already good in 2013 when it won best paper (http://gti.upf.edu/webglstudio-gti-paper-goes-viral-at-web3d...), I'm happy to see it reached a 1.0 release.
3
ambrop7 3 hours ago 2 replies      
Do they have permission to use the WebGL trademark in the name? Khronos has quite some info about that, but I don't see immediately how their use fits into the terms. https://www.khronos.org/legal/trademarks/#webgl
4
danboarder 4 hours ago 3 replies      
This is amazing and feels very fluid. I think it is part of a web-based software trend that will surprise a lot of people who think of the web at best as an interactive document display system. Another app that has a very snappy UI like this is http://OnShape.com CAD software, which is full featured 3D solid modeling without any plugins (all JS and WebGL).
5
yeureka 3 hours ago 1 reply      
I have to say I feel very proud that this comes out of Pompeu Fabra University.

I learned so much there, so many amazing people.

Great work guys!

6
bhouston 1 hour ago 1 reply      
If you want to create 3D models and animations for WebGLStudio, you can do so via:

http://Clara.io

7
nkoren 1 hour ago 0 replies      
Looks amazing, but is there a demo scene I can load to test it out?
8
thebeardedone 1 hour ago 0 replies      
Great job! Keep up the good work!
9
Keyframe 1 hour ago 0 replies      
This is really nice! how did you do the UI?
10
mixedbit 4 hours ago 2 replies      
Is the author here? What license do you plan to use?
11
dented 2 hours ago 0 replies      
Brilliant work!
12
Turing_Machine 5 hours ago 0 replies      
Very impressive.
13
rashthedude 4 hours ago 0 replies      
Wow
14
justaaron 3 hours ago 0 replies      
wow!
15
morganwilde 2 hours ago 3 replies      
Google's $6B Miscalculation on the EU bloomberg.com
149 points by ghosh  7 hours ago   99 comments top 7
1
guelo 6 hours ago 11 replies      
If you look at what has happened in China after Google left, how they were able to quickly grow massive web companies, protectionism seems like a no-brainer for every slightly advanced country. Silicon Valley sees the huge first-mover advantages and is moving as fast as possible to move into every liberalized market. But it makes no sense for a country to allow Silicon Valley to take these industries for themselves. This is the fastest growing industry for the next several decades with the best paying jobs. It only makes sense to nurture the local companies and local talent instead of giving it all away to the Americans. Europe is always fretting about how they need to create their own Silicon Valley but it's easy to do, kick out the Americans! You'll have your own Baidu, Tencent and Alibabas in no time.
2
louithethrid 1 hour ago 0 replies      
I'm in Germany, I can see no investment to grow a European Google. Oh, yes there are great declarations of grandiose plans.

But my experience in a baker-shop can tell you everything on the European attitude towards technology. "So what are you doing for a livin?" "I work as a software developer.." "Oh, so your company doesn't produce anything real?"

You can't force a culture to embrace something new that it detests. This doesn't mean that this culture will not buy the products, but it will never produce them on the level as californium.

Another example? People pay ridiculous amounts of money for public television in Germany. And it is bad. Outright horrible. Not regarding production quality, not the acting, execution and direction. Then what is missing to create a German Game of Thrones? The answer: A different production culture, that doesn't view half an hour of screaming drama as an authentic drama, and understands that a joke on the henchman's axeblade makes drama so much more impacting. Will that change come? No. Cultures only adapt when they suffer and Europe is not suffering enough.

3
IBM 5 hours ago 0 replies      
>Although she uses Google frequently, Vestager says it doesn't cloud her view of the case. "Congratulations for being big, but don't misuse it. For Europeans, this is very fundamental," she says.

>That might be the scariest thing of all for Google. It isn't dealing with an antitech ideologue or a competition czar consumed with cementing a personal legacy. It faces a straightforward prosecutor in a hostile political climate dominated by powerful local business interests with their own regulatory agendas. Good luck to Google searching for a way out of that.

I've been following this story for a while and I watched the press conferences she gave and that's the impression I got from her as well.

I think Google is definitely not going to skate by like they did in the US with a slap on the wrist. The investigation into Android is going to be another big one and if they break up Google's ability to bundle/tie in their services, it pretty much neutralizes the entire benefit of Android to Google as a defensive moat.

4
JoshTriplett 6 hours ago 2 replies      
> "Dominant companies can't abuse their dominant position to create advantage in related markets," she said bluntly, formally accusing Google of exploiting its supremacy in general search to dominate the market for online product searches

It seems completely ridiculous to call those two different markets. Finding the most relevant X on the web is fundamentally part of the same market no matter what X is.

Now, if they'd accused Google of using their market position in search to promote gmail, for instance, they might have a point. Not a very good point, but at least an understandable point. But calling "general search" and "product search" two different markets? They seem to just be looking for a way to extort concessions out of a company that seems like a tempting target, all the more so for not being an EU company.

Later in the same article is an indignant accusation that Google's display of other types of search results don't label themselves as ads. Of course they're not; if you search for an address, and you conveniently get a map of that address (which is one of the most likely things you were looking for), that's not an ad, that's the content you actually wanted. (By contrast, the garbage next to it telling you about other services related to random keywords in the search terms are ads.)

Now, the crazy 2014 deal that fell through certainly does sound like antitrust-style collusion; it's certainly ridiculous to have competitors bid for the right to appear as a list of competing services at the top of Google search results. But far from the "extortion" it's described as, it sounds a lot more like collusion between multiple large companies to exclude smaller players. The solution isn't to find a way to include more companies; it's to forget that that anticompetitive arrangement was ever proposed, and continue on with the current situation where Google shows users whatever it thinks they're looking for.

(I'm not suggesting that Google has pure and altruistic motives here; far from it. They're out to make money. I'm just saying that they've done nothing wrong here, and more generally that there's no wrong here for anyone to be accused of doing. That some random local company in the EU got annoyed at not being at the top of Google search results should not be Google's problem, or anyone's problem other than that company's.)

5
choppaface 4 hours ago 1 reply      
Much of this debate centers on the premonition that Google highlights their own content and services in order to fight competition and maximize their own profits. They are acting intentionally and rationally. But their monopoly is hurting others, so we (er, the EU) convict(s) Google of malice.

However, another plausible position is that Google is merely behaving negligently. There are some studies (paid by competitors, sure) showing users dislike Google promoted content and products. Those products should probably have their A/B tests ended, but nobody has the guts to pull the plug (and willpower to evolve the effort into something else). Knowledge Base has sucked away ~30% of Wikipedia's traffic, which thankfully has not yet hurt donations. Google certainly doesn't want Wikipedia to fall apart.

If we want to draw a parallel to Microsoft's monopoly, we could point out how IE was initially a good product but then fell behind the competition. Pushing it on consumers not only hurt consumer choice, but (over time) locked users into a poor experience. But did we really need to carry out a lengthy (and ineffective) anti-trust case?

Building a legal case is expensive and highly political. If discovery doesn't uncover evidence of malicious intentions, then one must prove competitors and consumers were harmed. But if the monopoly has been held for so long, how can one prove those damages without resorting to small, expensive, and contrived studies?

We should begin to embrace an expectation that the producer of any successful product will eventually become negligent. Protecting consumer choice is not just about fair discovery, but ensuring the diversity needed for markets to evolve (for better or, perhaps in the short term, for worse). Why do we have to go to such effort to show how Google is specifically doing harm? Why can't we say they had their turn, and here are places where they have concentrated marketshare and thus places in need of diversity?

6
weddpros 3 hours ago 1 reply      
For a long time, countries agreed that free-trade was the best way to avoid another war. Europe was created as an economic region first, to avoid another war.

But today I'm afraid Europe suffers memory loss.

They're using coercion against another country (always the same one, the USA) for ideological reasons... which is the very definition of war.

The fact they're citing money as the reason only makes it more frightening. Prosperous countries avoid war and favor trade instead, if possible.

As a European citizen, I can witness the anti-American mindset: it's growing, nurtured by press and politicians. Don't think "it's not the USA, it's Google/Amazon/Apple/Microsoft/Facebook": they actually cite the USA all day long until Google is a synonym for the USA in people's mind.

A quick check with the first article I can find in my Google newsfeed: in the French press, about Apple Music, the article starts with "Le géant américain de l'informatique Apple" (The American IT giant/behemoth Apple)

The internet is an amazing promoter of free-trade, so unsurprisingly it's the perfect target for Europe.

Please don't call it a conspiracy theory: it's not one, because I hope I'm wrong ;-)

7
afeef 20 minutes ago 0 replies      
old twats.
50 Design Documentaries Every Designer Should Watch rrrepo.co
33 points by mildrenben  2 hours ago   5 comments top 2
1
tomelders 1 hour ago 2 replies      
Snark Attack! I think this title should have been: "50 Design Documentaries"
2
baseballmerpeak 35 minutes ago 1 reply      
51 Design Documentaries

It's an excellent list. Most designers will have seen many of these already.

Monkey the Cat Hunts for Dinner benjaminmillam.com
68 points by benjaminfox  5 hours ago   13 comments top 4
1
teddyh 3 hours ago 2 replies      
This is awesome, but the training schedule seems overly complicated. One would think it would be easier to have the balls initially positioned so that they fall into the feeding mechanism at the touch of a feather; probably at a place where food used to be served, so the cats are likely to be there and search for food. A cat should be able to figure out the procedure after knocking the balls in accidentally a few times. After this, it would just be a matter of moving the balls gradually further and further away from the feeding apparatus over time.
2
rogeryu 1 hour ago 1 reply      
But Don't Shoot the Dog! ;-)

http://www.amazon.com/Dont-Shoot-Dog-Teaching-Training/dp/05...

This is actually a very fun read about conditioning - no matter if you have a cat or dog. I've read it quite a while ago, and I remember that conditioning cats is not that difficult, as long as you stick to positive rewards. Punishment doesn't work.

For those who think this will be abused for manipulating people - that's what we do all day no matter if we read this book or not. It's just the way you do it, and that probably won't change by reading this book. It will teach you a lot about your own behavior.

3
soggypretzels 32 minutes ago 0 replies      
Using RFID to detect the presence of the balls feels like overkill. Why not a light sensor, or a hair trigger switch out of reach of the cat? Sure, the cat can now be fed by finding random objects, but maybe the training of using the ball will stop the cat from figuring that out.
4
cautious_int 3 hours ago 3 replies      
I'm trying to think of a useful thing to teach a cat, using this technique, that would be helpful at home.
Speed matters: Why working quickly is more important than it seems jsomers.net
77 points by colinprince  9 hours ago   30 comments top 11
1
onion2k 1 hour ago 1 reply      
Yes and no.

Do things fast when the cost of doing them wrong is low. If you're learning something, or doing something with low risk, then doing it as fast as possible is a really good idea (for all the reasons set out in the article).

But...

Do things slowly if the cost of getting it wrong is so high that you'll have no opportunity to try again. For example, don't pack a parachute quickly.

The key is recognising that there's more than one way to approach something; selecting the right method for the problem at hand is the winning strategy.

2
shardinator 2 hours ago 3 replies      
I have to agree. My personal experience suggests if you want to get good at something, keep doing lots of it and aim for speed rather than perfection. You'll end up being speedy and get closer to perfection, than if you just try for perfection.

But one good counter example does come to mind - designing a database schema.

I'm trying to wrestle with what the difference might be. I think Markov processes, e.g. processes where the future state depends on a prior state, are relevant.

Maybe we could say tasks are either "strongly Markovian", that is, how well we do them now will influence our future work and hence we should really think them through, e.g. designing a schema. Weakly Markovian, in which case there may be some future impact but not much, and so we exercise caution but "done is better than perfect". And finally non-Markovian - e.g. throwing out the garbage, cooking dinner, most emails - getting the thing done is simply a pass/fail and so we just have to do it, quality is relatively unimportant.

I think what I'm saying is, most tasks will be weakly or non-markovian, so we should "move fast and break things", but every now and then there'll be something we need to do that is strongly markovian. For such things we should be prepared to take a step back and give ourselves a little extra time, so things don't blow up further down the track.

3
avian 6 minutes ago 0 replies      
> I've noticed that if I respond to people's emails quickly, they send me more emails.

An alternative explanation would be that if you don't take your time to understand people's mail and just rush to answer them as quickly as possible, things that would take two mails to communicate now end up being a thread of ten mails, two phone calls and an in-person meeting.

Nothing is more infuriating than a person that replies 30 seconds later with a message that suggests they didn't read past the first sentence.

I don't know the author or his ways of responding to emails, but in my experience the above often applies to people that value speed above all else.

4
falcolas 24 minutes ago 0 replies      
Perhaps this applies more to shooting than software development, but...

Slow is smooth. Smooth is fast.

If I take 20 minutes more to code a module because I'm thinking about it, but spend 30 minutes less debugging problems with the module, that's fast.

If I take a day to respond to an email, but the person I'm conversing with gets the info they need, avoiding three more days of back and forth, that's fast.

If I take a week longer to iterate through a project idea, but nail the implementation, then I can know that I'm pivoting because the idea was wrong, not the implementation.

5
DrNuke 10 minutes ago 0 replies      
Entrepreneurs would say that speed is the signal of mature markets: more and more effort for less and less return. Mobile games were very profitable in 2009-10 (low effort, high return), balanced in 2012 (speed was important at that stage), unbeatable and unbearable as a business in 2015 (however fast you are, you're just playing a lottery).
6
thoastbrot 1 hour ago 2 replies      
7
polskibus 1 hour ago 2 replies      
I believe the author has mistaken speed with efficiency. What's the benefit of being fast if you're sloppy and have to redo things often?
8
sigsergv 2 hours ago 1 reply      
High speed alone is not so good if it comes without quality.
9
erikb 1 hour ago 0 replies      
It's funny that they include google as a fast example. On my Nexus4 and Nexus7 Google search is the slowest thing you can do on the internet. Youtube HD videos are way faster than a google search and fail less often when on the train/bus. I always wonder how sending a String and getting back a list of Strings can be so much more expensive than a HD video but who am I to judge, right?
10
kev6168 2 hours ago 0 replies      
Working quickly is important because it's the better method to survive and thrive. Quickly producing 100 deliverables with qualities ranging from shit to pretty good, will probably on average always defeat carefully crafting one deliverable in the same time frame.

Speed lets you try many alternatives, experiment with many different even opposite options, and draw out creativeness.

Another possible reason is that speed is the strength of the younger generations. In human history, if new comers want to beat the current authority (in business or politics) who have already mastered the intricacies of the current game, one have to propose and experiment large quantity of new alternatives, new rules of new games, even though most of experiments might have low quality results judging by the established rules. But it's the better way to compete and survive.

11
1arity 52 minutes ago 0 replies      
Bitcoins lost in Mt. Gox debacle not subject to ownership japantimes.co.jp
16 points by fortytw2  2 hours ago   11 comments top 2
1
keithpeter 1 hour ago 4 replies      
"The judge said it is evident bitcoins do not possess the properties of tangible entities and acknowledged that they also do not offer exclusive control because transactions between users are structured in such a way that calls for the involvement of a third party."

I found this an interesting view of property but I suspect it may need a shift in definition over the next few decades.

2
MikeNomad 11 minutes ago 0 replies      
I am confused: If BC is not subject to ownership claims, how can anyone be harmed by the bankruptcy, etc? No one has "lost" anything through mismanagement, blah blah.
OS X sudoers exploit found in the wild malwarebytes.org
229 points by hew  12 hours ago   118 comments top 16
1
flashman 10 hours ago 9 replies      
I'm not sure who makes me more cranky: Apple for apparently sitting on the fix, or Stefan Esser for flinging the vulnerability into the breeze for anyone to catch.

Esser has his reasons - "Short reminder: Europeans are not allowed to disclose vulns privately to a foreign company like Apple without registering dual-use export"[1] - but it's hard to believe he couldn't have told them anonymously. Disclosures make careers, though, so there's a strong incentive to go public.

[1] https://twitter.com/i0n1c/status/624172774915973120

2
twic 14 minutes ago 1 reply      
Would it make sense for the kernel to use a fresh, empty environment when executing a setuid binary?

Or perhaps a fresh environment with a few of the most important variables sanitised and copied over? And perhaps with the old variables available with a prefix (_UNPRIVILEGED_DYLD_PRINT_TO_FILE etc)?

What would this break?

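The question above, what a privileged helper should receive from its caller's environment, can be modelled in user space even though the real fix belongs in the loader or kernel. The following is an added example, not code from the linked article, from Apple, or from anyone in this thread: a wrapper that builds a fresh environment for a helper, copies over only a short allowlist of sanitised variables, and keeps every other caller variable reachable under an _UNPRIVILEGED_ prefix so it can be inspected but is never acted on by the dynamic loader. The allowlist, the prefix name and the value-shape rule are illustrative choices for this example, and Unix-style colon-separated PATH values are assumed.

```python
"""Build a scrubbed environment for a privileged helper.

Added example modelling the suggestion in the thread above; not code from
the article, from Apple, or from the commenter.  The allowlist, the prefix
and the value-shape regex are assumptions made for this example.
"""
import os
import re
import subprocess

# Variables the helper genuinely needs.  Everything else is renamed, never copied.
ALLOWED = ("PATH", "HOME", "USER", "LANG", "TERM")

# Prefix under which the caller's original variables remain visible to the helper.
UNPRIV_PREFIX = "_UNPRIVILEGED_"

# Only values of this conservative shape are copied through under their own name.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_./:@=+,-]*$")


def sanitise_path(value):
    """Keep only absolute directory entries of a colon-separated PATH value.

    Empty and relative entries make the helper search the caller's current
    directory for executables, so they are dropped.
    """
    entries = [e for e in value.split(":") if e.startswith("/")]
    return ":".join(entries)


def scrub_environment(env, keep_unprivileged=True):
    """Return a fresh environment dict for a privileged helper.

    Allowlisted variables are copied (PATH after sanitisation) when their
    value has the conservative shape.  Every other variable, including loader
    knobs such as DYLD_* on OS X and LD_* on Linux, is renamed with
    UNPRIV_PREFIX so the loader never sees it under its original name.  With
    keep_unprivileged=False those variables are dropped instead of renamed.
    """
    clean = {}
    for name, value in env.items():
        if name in ALLOWED:
            candidate = sanitise_path(value) if name == "PATH" else value
            if _SAFE_VALUE.match(candidate):
                clean[name] = candidate
                continue
        if keep_unprivileged:
            clean[UNPRIV_PREFIX + name] = value
    return clean


def run_helper(argv, env=None):
    """Run argv with a scrubbed copy of env (defaults to this process's environment)."""
    source = dict(os.environ if env is None else env)
    return subprocess.run(argv, env=scrub_environment(source),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed caller environment, including a loader knob that must not
    # reach the helper under its original name.
    caller_env = {
        "PATH": "/usr/bin:.:/bin",
        "HOME": "/Users/alice",
        "DYLD_PRINT_TO_FILE": "/tmp/constructed.log",
        "EDITOR": "vim",
    }
    for key, val in sorted(scrub_environment(caller_env).items()):
        print(f"{key}={val}")
```

The renaming answers the "what would this break?" part of the question: a helper that really needs, say, the caller's EDITOR can read _UNPRIVILEGED_EDITOR explicitly, while nothing that the loader or libc consults implicitly survives under its original name.
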
3
chjj 9 hours ago 6 replies      
I'm seriously shocked. This is ridiculous. This looks like possibly the easiest root exploit ever discovered on a desktop OS (a one-liner in bash). Why in the world would they allow an env variable to write to a file in a setuid'd binary?

I'm suddenly very glad I don't use my macbook as my main machine, but I guess I'll remove the set{u,g}id bits on newgrp for now. Don't know if that will break things, but it's better than getting a rootkit.

4
mey 11 hours ago 8 replies      
I keep asking this question and Mac people keep looking at me like I'm an alien, so I guess I'll turn to the HN community for these questions.

What do you recommend as security software for OSX currently? How do you help secure your devices from public wifi and the internet in general? Especially for novice users?

5
esusatyo 11 hours ago 2 replies      
Isn't this the time when Mac App Store supposed to shine? When they found something that's dodgy and linked to a company that has apps on App Store, can't they just turn on the kill switch? That way the malware won't have anywhere to direct the users to.
6
odonnellryan 9 hours ago 1 reply      
For anyone looking for the patch: https://github.com/sektioneins/SUIDGuard
7
athenot 9 hours ago 3 replies      
Would it be possible to mitigate this by setting the immutable flag on /etc/sudoers:

 chflags uchg /etc/sudoers

8
kordless 8 hours ago 1 reply      
I seriously wonder if issues that have highly polarized responses aren't some sort of rip in reality.
9
zwetan 6 hours ago 0 replies      
I don't see in the article where they all blame the fault on Flash ?
10
ganessh 5 hours ago 0 replies      
Does this issue arise from Unix or Mac OS?
11
qudat 8 hours ago 0 replies      
12
geofft 9 hours ago 0 replies      
There's a reason that the store staff are instructed to encourage you to leave the store if you open a terminal.
13
BinaryIdiot 10 hours ago 0 replies      
Because that means bugs are impossible?
14
chadscira 5 hours ago 1 reply      
15
ikeboy 10 hours ago 0 replies      
16
cmurf 10 hours ago 1 reply      
Movfuscator: A single-instruction C compiler github.com
57 points by franzb  5 hours ago   5 comments top 3
1
cautious_int 3 hours ago 1 reply      
I suggest taking a look at the slides, which show how much trickery is involved: https://github.com/xoreaxeaxeax/movfuscator/raw/master/slide...
2
pkaye 45 minutes ago 0 replies      
The Maxim Integrated MAXQ is one commercial processor that uses a MOV-based instruction set. http://www.maximintegrated.com/en/app-notes/index.mvp/id/322...

I've always felt these were more of a trick in being single instruction set because you are using some of the addressing bits to encode an opcode.

3
ishtu 1 hour ago 0 replies      
Author is the same person who published epic X86 vulnerability https://github.com/xoreaxeaxeax/sinkhole
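The trick the slides above are about, as an added example that is not code from the movfuscator project: an instruction set with only MOV can still load from an address that was itself just loaded, so arithmetic and comparisons turn into lookups in precomputed tables and branches turn into selects between two stored values. Indexing and assignment below stand in for MOV, the tables stand in for the constant data such a compiler emits, and the Python loop in the last function stands in for the re-execution loop a real mov-only program would use. The Movfuscator's actual encoding is not shown on the page; this is the general technique, not its implementation.

```python
"""Added example: ALU-free computation in the style of a mov-only machine.
Every operation below is a store or an indexed load; no +, -, ==, if/else.
The tables are built once with ordinary arithmetic, standing in for constant
data a mov-only compiler would emit into the binary."""

ADD = [[(a + b) & 0xFF for b in range(256)] for a in range(256)]   # low byte of a + b
CARRY = [[(a + b) >> 8 for b in range(256)] for a in range(256)]   # carry out of a + b
EQ = [[int(a == b) for b in range(256)] for a in range(256)]       # 1 if a == b
GE = [[int(a >= b) for b in range(256)] for a in range(256)]       # 1 if a >= b


def mov_add8(a, b):
    """8-bit add as two loads: (sum byte, carry bit)."""
    return ADD[a][b], CARRY[a][b]


def mov_add16(x, y):
    """16-bit add on (lo, hi) byte pairs; the carry is just another table index."""
    xlo, xhi = x
    ylo, yhi = y
    lo = ADD[xlo][ylo]
    carry = CARRY[xlo][ylo]
    hi = ADD[ADD[xhi][yhi]][carry]   # carry out of the high byte is dropped (wraps)
    return lo, hi


def mov_eq8(a, b):
    """Equality test as a load; the result is a flag usable as an index."""
    return EQ[a][b]


def mov_select(flag, if_one, if_zero):
    """Branchless select: store both candidates, then load the one the flag indexes.
    This is how a mov-only program replaces if/else."""
    slots = [if_zero, if_one]
    return slots[flag]


def mov_max8(a, b):
    """max(a, b) = select(a >= b, a, b) with no comparison instruction."""
    return mov_select(GE[a][b], a, b)


def mov_sum_bytes(data):
    """Checksum-style sum of bytes into a 16-bit (lo, hi) accumulator built
    only from the primitives above."""
    acc = (0, 0)
    for byte in data:               # stands in for the mov-only re-execution loop
        acc = mov_add16(acc, (byte, 0))
    return acc


if __name__ == "__main__":
    print(mov_add8(200, 100))                       # (44, 1): 300 = 0x12C
    print(mov_add16((0xFF, 0x01), (0x01, 0x00)))    # (0, 2): 0x01FF + 1 = 0x0200
    print(mov_max8(7, 200), mov_sum_bytes(b"\xff\xff\x02"))
```

The point the second commenter makes applies here too: the "opcode" has not disappeared, it has moved into which table the address points at. That is also why mov-only output is hard to read for a reverse engineer: the control flow and arithmetic are in data layout, not in the instruction stream.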
C++ concepts support merged into gcc trunk gnu.org
66 points by octoploid  7 hours ago   16 comments top 5
1
cshimmin 5 hours ago 1 reply      
For others like me who have been living under a rock:

https://en.wikipedia.org/wiki/Concepts_(C%2B%2B)

2
qznc 4 hours ago 0 replies      
After watching this talk [0] by Andrei Alexandrescu, I became somewhat sceptical about concepts (and type classes and traits). Nevertheless, it's probably an improvement for C++.

[0] https://www.youtube.com/watch?v=mCrVYYlFTrA

3
kirab 5 hours ago 1 reply      
I'm really glad that concepts are finally making their way in after such a long time. Concepts make using and developing templates so much more straight-forward and easier to read!
4
smegel 4 hours ago 2 replies      
So type checking for thing inside the <> as well as the ()?
5
jahnu 4 hours ago 1 reply      
Is this just for experimentation or is it planned that this will be more or less the solution that makes it into the standard?
X86 rootkit github.com
186 points by jsprogrammer  13 hours ago   32 comments top 14
1
vardump 10 hours ago 1 reply      
Read through it all. Seems legit so far. This is bad.

Exploiting non-vulnerable SMM code through a remap flaw in x86 architecture. Ouch.

Not only can this arbitrarily exploit the running OS. It might actually be able to physically destroy the computer it's running on, for example by abusing thermal controls.

Doesn't affect Sandy bridge or newer.

2
mjn 9 hours ago 0 replies      
Looks like this was a talk at the Black Hat conference today. In addition to the slides PDF in the Github repository, the Black Hat site also has a short paper: https://www.blackhat.com/us-15/briefings.html#the-memory-sin...
3
thomasrossi 2 hours ago 0 replies      
Hm, what would be really interesting is to understand how this can impact a shared machine, say an EC2 instance. Is there any more research on this?
4
x0 7 hours ago 1 reply      
Oh man... when I read the title, I was thinking "sure, x86, whatever, but what OS is this rootkit for?"

Scary.

5
Rantenki 8 hours ago 1 reply      
It's going to be interesting to see what the ramifications of this are for trusted execution environments, where people are validating the hardware they are running on via tboot.

It's fortunate that newer platforms seem to be immune (see https://security-center.intel.com/advisory.aspx?intelid=INTE... ), but remediation after exploit via total hardware replacement would _suck_ for anybody with servers just a couple of years old.

6
strstr 7 hours ago 0 replies      
The APIC's registers are an unusual form of per core black magic. As far as I know, no other memory addresses behave in the same way -- visible and reacting only to that specific core. It's unsurprising that Intel initially didn't catch this case.

Fortunately, it's `just` a root => SMM escalation, which are already more common than anyone would really like to admit.

7
mappu 7 hours ago 1 reply      
The PDF indicates this requires ring 0 to work, right? So you can't go from user to root.

However it does mention ring -2 is under the hypervisor, so.. that allows guest->host escape under VT-x?

8
flashman 7 hours ago 1 reply      
9
im3w1l 7 hours ago 2 replies      
Is it a coincidence that newer CPUs aren't vulnerable, or was it fixed because of discussions with Intel?
10
MrBra 7 hours ago 0 replies      
What does this imply?
11
jsprogrammer 8 hours ago 0 replies      
12
cft 7 hours ago 0 replies      
Does this apply to all server boards or only some?
13
hmottestad 5 hours ago 0 replies      
Should we call it "halt and catch fire 2015"?
14
pmalynin 5 hours ago 3 replies      
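Several comments above turn on which generation a machine is ("doesn't affect Sandy Bridge or newer", "does this apply to all server boards"). As an added example, not code from the sinkhole repository or from Intel, here is the triage step a fleet owner would run first: decode CPUID family/model correctly (the extended-family and extended-model fields trip up naive decoders) and sort Intel parts into pre-Sandy-Bridge and Sandy-Bridge-or-newer. The family/model values are public CPUID identifiers and are an assumption of this example, not something the page states; the `/proc/cpuinfo` text is constructed. This classifies microarchitecture only, it does not test the APIC remap behaviour itself, so "unknown" means consult the Intel advisory rather than assume anything.

```python
"""Added example: CPUID-based generation triage for the sinkhole discussion.
Not from the sinkhole project. Model numbers are public Intel family-6 CPUID
values (assumed here); Atom and other parts deliberately fall through to
'unknown' because Intel model numbers are not chronological."""

# Core 2 (Merom/Penryn/Dunnington), Nehalem, Westmere: assumed pre-Sandy-Bridge set.
PRE_SANDY_BRIDGE_CORE = {0x0F, 0x16, 0x17, 0x1D, 0x1A, 0x1E, 0x1F, 0x2E, 0x25, 0x2C, 0x2F}
# Sandy Bridge, Ivy Bridge, Haswell, Broadwell: assumed Sandy-Bridge-or-newer set.
SANDY_BRIDGE_OR_NEWER = {0x2A, 0x2D, 0x3A, 0x3E, 0x3C, 0x3F, 0x45, 0x46, 0x3D, 0x47, 0x4F, 0x56}


def decode_cpuid_eax(eax):
    """Split CPUID leaf 1 EAX into (family, model, stepping).
    Extended family is added only when base family == 0xF; extended model is
    prepended only when base family is 0x6 or 0xF."""
    stepping = eax & 0xF
    base_model = (eax >> 4) & 0xF
    base_family = (eax >> 8) & 0xF
    ext_model = (eax >> 16) & 0xF
    ext_family = (eax >> 20) & 0xFF
    family = base_family + ext_family if base_family == 0xF else base_family
    model = (ext_model << 4) | base_model if base_family in (0x6, 0xF) else base_model
    return family, model, stepping


def parse_cpuinfo(text):
    """Return (vendor, family, model) from the first processor block of /proc/cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break                      # blank line ends the first processor block
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return (fields.get("vendor_id"),
            int(fields.get("cpu family", -1)),
            int(fields.get("model", -1)))


def sinkhole_triage(vendor, family, model):
    """Sort a part into the buckets the discussion above uses. Triage only."""
    if vendor != "GenuineIntel":
        return "not-intel"
    if family != 6:
        return "unknown"
    if model in PRE_SANDY_BRIDGE_CORE:
        return "pre-sandy-bridge"
    if model in SANDY_BRIDGE_OR_NEWER:
        return "sandy-bridge-or-newer"
    return "unknown"                   # e.g. Atom: check the vendor advisory instead


# Constructed sample: a Nehalem-EP Xeon (family 6, model 26 = 0x1A).
NEHALEM_SAMPLE = """processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 26
model name\t: Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
stepping\t: 5

processor\t: 1
vendor_id\t: GenuineIntel
"""

if __name__ == "__main__":
    print(decode_cpuid_eax(0x000206A7))                 # (6, 42, 7): Sandy Bridge
    print(sinkhole_triage(*parse_cpuinfo(NEHALEM_SAMPLE)))  # pre-sandy-bridge
```

Run it against `cat /proc/cpuinfo` output on each host (or against the raw EAX value from a `cpuid` dump) and treat anything in the first bucket as a candidate for firmware review or replacement, as the tboot comment above anticipates.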
3-D Printer Firms Fall Flat, as Buyers Wait for New Models wsj.com
5 points by andore_jr  1 hour ago   5 comments top 3
1
baseballmerpeak 1 minute ago 0 replies      
The charade is up: 3D printers are not the design panacea they were claimed to be.
2
savrajsingh 5 minutes ago 0 replies      
Here's 3D systems on Good Morning America in 1989: http://youtu.be/NpRDuJ5YgoQ
3
SirFatty 45 minutes ago 2 replies      
Why the need to print cheap plastic crap? That's why we have dollar stores and China.
The technology behind preview photos facebook.com
35 points by anand-s  9 hours ago   2 comments top 2
1
dharma1 12 minutes ago 0 replies      
Nice. If you are doing heavy blurring, it's a good idea to scale down before applying gaussian blur anyway for a performance boost, as the blur processing time grows with blur radius.

Ie. downsample 4x-8x, blur at smaller px radius and resize back to orig size - much faster than blurring at original resolution, and looks almost identical.

2
amit_m 2 hours ago 0 replies      
Why go through the blurring, rescaling and JPEG compression? Simply take the first few DCT coefficients of the image, then quantize and compress them. In fact, one can make this scheme output the gaussian-blurred image by adding gaussian-weighted coefficient decay.
An Oakland shooting reveals how cops snoop on cell phones arstechnica.com
53 points by anamexis  10 hours ago   11 comments top 4
1
gleenn 3 hours ago 2 replies      
This is the first time I've heard of a pen register, apparently somewhat broad, modern parlance for things that capture phone data. It seems pretty damning that they spent the time to fax MetroPCS but couldn't, ya know, even get the pen register or ask a judge to ask if they thought it was a good idea.

Maybe the bad guys are really bad, but sometimes I hope that they get off just to make the point that the cops are supposed to do the "right thing", otherwise the cops really are the bad guys.

2
jonpaine 4 hours ago 0 replies      
An interesting side-effect of the scale and efficiency of current tech is this phenomenon of deploy first, ask questions later.

Ideas and tools can be conceived, developed, deployed and adopted before a (state-sanctioned) response can be formed. Significant results (and value) can be reaped in the inherent lag between deployment/discovery and responsive-legislation.

In tech, we've seen it recently as startups deploy faster than labor laws can (re)define boundaries.

In government, when it's the police doing the rapid deployment... well, it's kind of uncharted territory.

Has anyone modeled a system of checks and balances where one of the three processes has an n month setTimeout() before it can respond to inputs from another? Where does the system find equilibrium?

3
paulmd 4 hours ago 0 replies      
What is "CRUM ADV LOCK ON PHONE"?
4
ggreer 3 hours ago 3 replies      
Honeypot code challenge softwareskills.se
14 points by mirceasoaica  5 hours ago   2 comments top 2
1
babo 48 minutes ago 0 replies      
Python3 framework is broken: SystemError: E:Unable to read /etc/apt/apt.conf.d/ - opendir (13: Permission denied
2
hislaziness 56 minutes ago 0 replies      
Sounds familiar. Robocode, c++ robots, c robots?
Running V8 isolates in a multi-threaded ArangoDB database arangodb.com
5 points by ifcologne  39 minutes ago   discuss
The $100M Business Club Crime Gang krebsonsecurity.com
16 points by pnevmatico  5 hours ago   6 comments top 2
1
NicoJuicy 2 hours ago 2 replies      
The fascinating thing is, there's already Russian propaganda in that article's comments - called web brigades.

They just mention that there is no conflict between Russia and Ukraine, although Russia sent unofficial armed troops to Ukraine :p, because they didn't allow the coup of "Obama's" administration.

The problem is, America didn't send any troops to Ukraine, Russia did:

http://www.telegraph.co.uk/news/worldnews/europe/russia/1165...

https://en.wikipedia.org/wiki/Web_brigades

2
Tangokat 34 minutes ago 1 reply      
Can someone explain how they get the money out? I understand that they hack a company, send themselves money to a bank in China... and then? Can't the Chinese just trace the money and go tell the bank to give it back? Do they use money mules to get the money in cash, and if so how do they distribute it to the many members?
Where the New York City Subway Doesn't Go citylab.com
18 points by qzervaas  8 hours ago   8 comments top 5
1
koliber 28 minutes ago 1 reply      
The author is misleading about lack of subway access to JFK airport. I have traveled many times to JFK by subway. He is technically correct that the subway does not tunnel underneath JFK and does not go to terminals. However, you take the A train and then hop onto the AirTrain provided by JFK to get to the terminal.
2
bunderbunder 6 minutes ago 0 replies      
The radius of the circle the author used, 500m, is a bit under twice the length of a Manhattan block.

I can guarantee you that your typical regular transit user is capable of walking a couple blocks without having to stop for a Gatorade.

3
wjnc 34 minutes ago 1 reply      
Walk people, walk! Why only 500m, it's only a 6 minute walk! Not including traffic, so might be some more. Increase that radius to a 10 minute walk on one end and a there is a lot more coverage (pi x r2). And you're hitting your daily movement lower limit of 30 minutes. Or am I really thinking outside the US box?
4
melling 26 minutes ago 0 replies      
It doesn't go to New Jersey either, but it should.

http://m.nydailynews.com/opinion/extend-7-train-secaucus-art...

5
mosburger 39 minutes ago 1 reply      
The lack of subway access to LGA is what I, an occasional traveler to NYC, find the most mind-boggling.
How an Australian team won the robot soccer world championships smh.com.au
35 points by bootload  13 hours ago   discuss
Show HN: PJON Communications bus system for Arduino github.com
30 points by gioscarab  10 hours ago   9 comments top 4
1
gioscarab 10 hours ago 1 reply      
Hi there, I wrote the PJON library over years of trial and error for my home automation project. It is a multi-master, single-wire, addressed and checked communication protocol and is designed to be an alternative to I2C, 1-Wire, Serial and the other Arduino-compatible protocols, with the addition of all the functionality you need to quickly bring up a working network of multipurpose embedded devices. It was a really enormous physical and mental effort over years to bring together all the knowledge and coding skills to make all this work, so I hope it can be useful for all Arduino users. Please feel free to suggest and criticize if necessary, and if you can TEST IT it would be an enormous pleasure!!!

Have a nice summer! :)

2
liotier 1 hour ago 1 reply      
> One of the first tests I suggest to try with PJON is to let two Arduinos communicate through your body, touching the port of the first with your left hand and the port of the other Arduino with your right. It's stunning to see more than 90% accuracy for this digital communication doing all that path inside a biological body. This opens the mind to possible creative solutions; generally the average reaction is like: "let's use the car frame to let all the digital embedded systems communicate together" and so on...

Hmmm... I guess I'm not the first to think that my home plumbing would be the perfect transmission medium to gather data from temperature sensors.

3
gioscarab 3 hours ago 0 replies      
Thank you for your suggestion. Take a look if you can at the crypt() function: on top of a modified version of RC4 I use a 1-byte initialization vector to further fuzz the information (the IV is transmitted with the string).

I am not so much into cryptanalysis, so I really should have some suggestions in this case.

4
creshal 4 hours ago 0 replies      
RC4? Please don't. Use e.g. NORX for an embedded-friendly cipher that isn't dangerously insecure.
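What the two comments above are circling, as an added example that is not code from PJON: a 1-byte IV gives only 256 keystreams, so with RC4-style encryption a passive listener on the bus only has to wait for two frames with the same IV byte, XOR them, and the key cancels out. Assumptions in this example, since the page does not show PJON's construction: the cipher is unmodified RC4, the per-message key is `secret || iv`, and the IV travels in the clear as the first byte of the frame. The two sensor payloads and the secret are constructed.

```python
"""Added example: keystream reuse from a 1-byte IV on an RC4-style stream cipher.
Not PJON's code. Assumed layout: frame = iv_byte || (plaintext XOR RC4(secret || iv)).
A passive attacker never needs the secret: two frames with equal IV share a
keystream, and knowing one plaintext (a predictable status packet) yields the other."""


def rc4_keystream(key, length):
    """Standard RC4 key schedule plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(secret, iv, plaintext):
    """Hypothetical PJON-like frame: IV in the clear, then RC4(secret || iv) applied."""
    keystream = rc4_keystream(secret + bytes([iv]), len(plaintext))
    return bytes([iv]) + xor(plaintext, keystream)


def recover_second_plaintext(frame1, known_plain1, frame2):
    """If both frames carry the same IV byte they were encrypted under the same
    keystream; XOR the known plaintext out of frame 1 to get that keystream, then
    strip it from frame 2. Returns None when the IVs differ (no reuse to exploit)."""
    if frame1[0] != frame2[0]:
        return None
    keystream = xor(frame1[1:], known_plain1)
    return xor(frame2[1:], keystream)      # recovers up to len(known_plain1) bytes


def iv_collision_probability(n_messages, iv_space=256):
    """Birthday bound: chance that n randomly chosen IVs contain a repeat.
    For a counter IV the repeat is certain after iv_space messages instead."""
    p_unique = 1.0
    for i in range(n_messages):
        p_unique *= (iv_space - i) / iv_space
    return 1.0 - p_unique


# Constructed bus traffic: a status packet an attacker can predict, and a target packet.
SECRET = b"pjon-demo-secret"
P1 = b"TEMP=21.5 RELAY=OFF "
P2 = b"TEMP=23.0 RELAY=ON  "

if __name__ == "__main__":
    f1 = encrypt(SECRET, 0x2A, P1)
    f2 = encrypt(SECRET, 0x2A, P2)          # same IV byte: keystream reused
    print(recover_second_plaintext(f1, P1, f2))   # b'TEMP=23.0 RELAY=ON  '
    print(round(iv_collision_probability(20), 3))  # about 0.53
```

With random IVs, twenty messages already give better than even odds of a repeat; with a counter IV the 257th frame reuses the first keystream. The fix is not a longer IV bolted onto RC4 but an authenticated cipher with a nonce that is never reused per key, which is the direction the NORX suggestion above points in.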
Same origin violation and local file stealing via PDF reader mozilla.org
76 points by ehPReth  12 hours ago   18 comments top 4
1
JoshTriplett 9 hours ago 1 reply      
Why does pdf.js even have any special permissions? It doesn't need any to render a PDF.
2
LaSombra 6 hours ago 0 replies      
I believe the upstream pdf.js fixed this already, https://github.com/mozilla/pdf.js/.
3
ikeboy 8 hours ago 3 replies      
Why are they linking to private bugs?
4
surrealize 8 hours ago 2 replies      
pdf.js was a pretty cool hack, but I wonder if it's time to integrate pdfium.

edit: I meant "hack" in the "cool application of technology" sense.

The Easiest Hard Problem (2002) americanscientist.org
21 points by te  7 hours ago   3 comments top
1
vog 1 hour ago 1 reply      
This reminds me of a challenge at the Free University Berlin. A lecturer gave the following list of numbers to his students. The task was to find two different subsets that have the same sum:

http://www.inf.fu-berlin.de/lehre/WS07/mafi1/90zahlen.txt

His point was: It is simple to prove that those subsets must exist, but it is very hard to compute them. To make his point even more clear, he offered some prize money if anyone found an explicit solution.

A friend told me about that challenge, and I tried. With a lot of conceptual work, programming, optimization and some luck I was finally able to find such a solution (and received the prize):

https://njh.eu/90

(Sorry, German language, but the solution is readable, I guess :-))
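The two halves of that challenge, as an added example that is not the commenter's solution: the existence proof is a pigeonhole count (2^n subsets but far fewer attainable sums), and the constructive part is a birthday-style collision search, the same technique used to find hash collisions, which is why the hard part scales with the square root of the sum range rather than with 2^n. The 24-number instance is constructed here; the lecturer's actual 90 numbers are at the URL above and are not reproduced.

```python
"""Added example: two distinct subsets with equal sum.
Not the commenter's method. pigeonhole_guarantees() is the existence argument;
equal_sum_subsets() is a birthday-style search storing subset sums in a dict."""
import random


def pigeonhole_guarantees(nums):
    """2**n subsets, but every subset sum lies in [0, n*max(nums)], so if
    2**n exceeds the number of possible sums two subsets must share a sum."""
    return 2 ** len(nums) > len(nums) * max(nums) + 1


def equal_sum_subsets(nums, subset_size, seed=0, max_samples=5_000_000):
    """Draw random subsets of `subset_size` elements and record sum -> subset.
    The first repeated sum from a different subset gives the collision. Common
    elements are removed from both sides (the two differences still have equal
    sums), so the result is a pair of disjoint, non-empty value lists.
    Returns None only if the sampling budget runs out."""
    rng = random.Random(seed)
    n = len(nums)
    seen = {}
    for _ in range(max_samples):
        chosen = frozenset(rng.sample(range(n), subset_size))
        s = sum(nums[i] for i in chosen)
        earlier = seen.setdefault(s, chosen)
        if earlier != chosen:
            a = sorted(nums[i] for i in chosen - earlier)
            b = sorted(nums[i] for i in earlier - chosen)
            return a, b
    return None


# Constructed instance: 24 eight-digit numbers from a fixed seed.
_gen = random.Random(2015)
CONSTRUCTED = [_gen.randrange(10**7, 10**8) for _ in range(24)]

if __name__ == "__main__":
    print(pigeonhole_guarantees(CONSTRUCTED))   # False: 2**24 is far below 24 * 10**8
    a, b = equal_sum_subsets(CONSTRUCTED, subset_size=12, seed=1)
    print(sum(a) == sum(b), a, b)
```

For the toy instance the pigeonhole bound does not even apply (2^24 is far smaller than the sum range), yet the search still finds a pair in a fraction of a second because random 12-element sums cluster tightly around their mean. For 90 numbers the bound kicks in as soon as every number is below 2^90 / 90, which is why existence was easy to prove; the search cost, on the other hand, grows with the square root of the sum range, which for 90 large numbers is exactly the expensive part the commenter describes.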

Eating Spicy Food Linked to a Longer Life well.blogs.nytimes.com
141 points by gwintrob  20 hours ago   103 comments top 32
1
netcan 4 hours ago 3 replies      
OK health and nutrition people.. enough is enough.

For generations you have been giving us little correlations, tidbits of mechanisms. Vitamin X, High Intensity Sleep, Antioxidants, Kale, CR. Hot off the presses: new experiment reintroducing critically endangered carnivorous gut fauna.

There is nothing useful that we can do with this "information." It's just random letters from some book that you are throwing at us one at a time. "We found some Hs! It's the first letter in this chapter about Kano Jigaro and appears a dozen time a page. He had exceptional balance, grip strength and organizational skills. It's important. Pay attention to your Hs."

I demand a theory, preferably something simple and powerful like Darwinism that we can demonstrate by drawing sailboats. An equation would be nice.

Just this week I burned my mouth on a chili pepper. I fainted getting out of my ice bath after a 48 hour CR Fast and I went through the window doing HIIT sprints on an omnidimensional walking desk.

I'm going back to the food pyramid. Gimme some spuds.

2
codeshaman 2 hours ago 1 reply      
Shhh... Don't show it to my mother ! If she sees this, my whole family is going to be on a regimen of hot peppers until she reads something else :)

My mother is the kind who changes the whole family's diet when she reads some sufficiently convincing diet book or study. At one point we ate dissociated food. At another point it was blood type food. At another point it was raw roots or something. I love my mother and she's an excellent cook, and she never forced us to eat according to the books, but she would be very insistent, because there were studies that showed ...

Most of the time the results of those studies were disproved, either by another experiment or by some technical issue with the way the study was conducted.

Just like there were studies that smoking is actually good for you and studies that showed that children who drink sugar soda from an early age are healthier.

The point I'm trying to make is that these studies are not just 'informative', they have real consequences on real families. There are families out there who will start eating hot food just because they've read this study.

I hope they don't torture themselves for nothing.

3
seizethecheese 11 hours ago 3 replies      
Since some comments are trying to explain away the findings, here is a quote from the article about what variables were controlled for and the results:

> After controlling for family medical history, age, education, diabetes, smoking and many other variables, the researchers found that compared with eating hot food, mainly chili peppers, less than once a week, having it once or twice a week resulted in a 10 percent reduced overall risk for death. Consuming spicy food six to seven times a week reduced the risk by 14 percent.

4
6t6t6 10 hours ago 5 replies      
That's always the same story. A group of researchers finds a funny correlation in the data. They don't know the cause of the correlation, but they just write an article explaining that. Of course, the article is full of conditionals and sentences like: "this should be investigated further". Then, a journalist finds this paper, eliminates all the conditionals and writes a click-bait article, so his employer can earn money from the advertisers. Profit. And I am not talking only about this article in particular, but about all scientific journalism in general.
5
jlg23 9 hours ago 0 replies      
In an editorial that was also published in the BMJ they point out alternative explanations for their results: http://www.bmj.com/content/351/bmj.h4141

TL;DR: "As the authors acknowledge, a cause and effect relation cannot be inferred from their work. In this prospective study, Lv and colleagues have shown temporality of association, but we need to evaluate additional criteria to judge the strength of evidence. Their findings should be considered hypothesis generating, not definitive, and will undoubtedly encourage further work."

6
healthenclave 3 hours ago 0 replies      
This is why Indian people eat Curry!

Jokes apart on a more serious note the crux of the study is --

"Compared with those who ate spicy foods less than once a week, those who consumed spicy foods 6 or 7 days a week showed a 14% relative risk reduction in total mortality. "

Although this study is very vague, in Asian cultures health benefits of spices and various plant products is well known.

Ginger : Has Cox2 inhibitory function. Acting in a similar way to Aspirin and other NSAIDS. Helps prevent heart attacks

Curcumin : found in turmeric has anti-inflammatory similar to ginger but is poorly absorbed. Hence mad more benefits for the Gut.

Arjuna Terminalis : Bark of the plant is known to have anti-hypertensive benefits.

And the list goes on.

The problem is that in the traditional way these plants are consumed (unprocessed in food and NOT in EXTRACT form) these have very poor Bioavailability.

The only way these so called health benefits would be apparent is if they were part of the diet (you eat them everyday - as noted in the study) or they are consumed in the form of Extract.

Also many of these compounds cannot be patented and this deters the pharmaceutical industry from making large investments in the clinical trials and bringing them to the market.

http://www.ncbi.nlm.nih.gov/pubmedhealth/?term=curcumin

http://time.com/3984504/turmeric-supplements-curcumin/

7
haffi112 4 hours ago 2 replies      
The more spicy food you eat the less crappy food you eat...? That could actually be the explanation (not a variable I saw corrected for in the text at least).
8
dpflan 12 hours ago 1 reply      
A co-author mentions they need more data. This reminded me of the huge study of diet and health outcomes in China by T. Colin Campbell of Cornell in the late 1900's.

Link: https://en.wikipedia.org/wiki/The_China_Study

9
wslh 12 hours ago 1 reply      
10
tinco 12 hours ago 1 reply      
China has eight main cuisines related to different areas in China. Some of these cuisines are spicy and some are not.

Obviously a whole lot other things also differ together with the spices in these cuisines. It would be nice if they'd asked if the subjects identified with a specific cuisine/area.

There could also be a wealth relation. The poorer Guangdong (Cantonese) kitchen has a little less chili than the famously spicy Szechuan kitchen, which is from a richer area.

11
simplyluke 8 hours ago 1 reply      
Correlation vs causation. Is it possible that people who eat the peppers also eat lots of vegetables as opposed to starchy carbs? Definitely. Is it possible people who, say, exercise more are for some reason more inclined to eat spicy foods.

They can control for any number of things, but this isn't science, it's a correlation and anyone who has taken an intro to statistics class shouldn't be fooled by a pseudoscience blog post. Really surprised to see this on the front page of a community which prides itself on its scientific knowledge.

12
derekp7 11 hours ago 3 replies      
One thing that I don't quite understand -- what is it about spicy food that makes it desirable? Esp. the super hot peppers? I know that I love them, but I can't really say why (after all, I normally try to avoid pain). The only thing I can think of is that part of the brain knows that the pain isn't "real" (that is, it isn't being caused by something that is damaging you), yet another part is releasing endorphins to counteract the pain, causing a mild euphoria. But I haven't really found much information to back up this theory.

I do know that at times when I get a spell of mild depression, munching on some hot peppers seems to pull me out of it.

13
hncomment 5 hours ago 2 replies      
I'd love to have spicy food more often but 2-4 days after a spicy dish, I can usually smell the pepper/byproducts coming out of my skin as a particular, somewhat unpleasant body odor. The odor can remain detectable even immediately after a shower. Red curry/chili-peppers seem the worst trigger. Only time (and maybe a good sweat) eventually clear it.

Does anyone know the chemical mechanisms causing this, and whether any other foods, combined with or after the spicy meal, could help more-quickly neutralize this lagged skin odor?

14
bsder 11 hours ago 1 reply      
"Spicy" things tend to have anti-microbial properties. That could certainly trigger a beneficial intestinal flora change--especially in places without a good refrigerated handling chain.

Spicy food also has a tendency to clear sinuses. I believe a couple of studies have shown that clearing sinuses occasionally (but not too often) is beneficial.

15
hammock 12 hours ago 4 replies      
The spicier the food, the slower/less you eat?
16
thedogeye 12 hours ago 3 replies      
Did they control for being Asian?
17
akyu 11 hours ago 1 reply      
I love spicy food so this is great news. But lately I've been wondering about the potential effect of spicy food on gut bacteria. Anyone who's had a painful bowel movement after eating some high Scoville level hot sauce knows what I'm talking about.
18
itbeho 8 hours ago 0 replies      
Take this with the same perspective as how the article treats correlation/causation, but I'll share an interesting anecdote. I have several family members in their 90's that love to put cayenne pepper in/on almost anything. One even puts it in orange juice if you can believe that. I tried it once... That fellow started smoking when he was in WWII and hasn't stopped. The less-eccentric/vegan/non-smoker members of the family seem to make it to late 70's.
19
codingdave 12 hours ago 0 replies      
...maybe. I saw another article about this yesterday, in which they stated that there were other variables in play that could have impacted the results, including a greater of variety of spices in spicier food. Capsaicin is a possible cause of the results, but not definitive
20
fasteo 4 hours ago 0 replies      
My n=1 case for spicy foods.

I have a secondary systemic inflammation due to a genetic condition that makes my mitochondria malfunction. Usual symptoms include profound fatigue after working out and muscle weakness, especially in the extra-ocular muscles.

I have always been centered around supplements to improve the energy output (ATP) of my mitochondria (CoQ10, ALCAR, idebenone ... you name it). While this made a big difference in my everyday energy levels, I always felt that this systemic fatigue couldn't come only from an energy deficit, as I was able to work out with pretty good intensity and decent weights (I can squat 1.5x my body weight).

The first hint came a couple of months ago when a friend of mine went to the doctor because he was also profoundly fatigued and the doctor told him that he had some kind of auto-immune disease that was causing a systemic inflammation and this systemic inflammation was likely the main cause for the fatigue.

The second hint came right here from HN [1]. So, I just added turmeric extract to my daily regimen 10 days ago and the results have been really impressive so far. I can recover much more easily from my workouts and my general energy level has also improved a lot, especially during the mornings. It is too soon to tell, but after so many years trying so many supplements I have developed an anti-placebo and anti-bullshit sense for all these things, and this one is working for real.

Now, I am not saying that spicy food will make you live longer, but it seems clear that it has some potent active substances that "do" something in our bodies.

I am now trying to add some spicy foods to my meals. The first one has been a very simple curry rice with black pepper (to improve absorption), eaten post-workout.

Some relevant references:

Curcumin database [2]

Good general info about turmeric [3]

Mitochondria as a target in the therapeutic properties of curcumin [4]

[1] https://news.ycombinator.com/item?id=9960441

[2] http://www.crdb.in/

[3] http://www.whfoods.com/genpage.php?tname=foodspice&dbid=78

[4] http://www.ncbi.nlm.nih.gov/pubmed/25243820

21
gruez 9 hours ago 0 replies      
> As the study, published in the BMJ on Tuesday, was observational, conclusions could not be drawn about cause and effect but the team of international authors, led by researchers at the Chinese Academy of Medical Sciences, suggested that more research could lead to dietary advice being updated. Experts warned that the study did not provide evidence to prompt a change in diet.
22
fractalb 8 hours ago 1 reply      
I don't think there's any truth to this. Because here in Andhra (India) people only eat spicy food and I see most people don't live longer than 70-80yrs. To quantify the spiciness: Most Indians from other states just run away from Andhra cuisine
23
_ak 7 hours ago 5 replies      
Well, if that is true, then why is Germany statistically the country with the highest average age in the world (on par with Japan), even though their food is quite bland?
24
clevep 12 hours ago 2 replies      
I think it's pretty common to eat milder foods when you are ill. I know I do. If that is universally true, and all else being equal, you could probably simplify this headline down to "getting sick less linked to a longer life."
25
noobplusplus 11 hours ago 0 replies      
"rapid adoption of new drugs has substantial benefits in the form of increased life expectancy, higher productivity and lower non-drug health care expenditures" - Do more drugs!
26
detrino 7 hours ago 1 reply      
I don't understand why these studies never seem to control for height.
27
yugoja 5 hours ago 0 replies      
If this is true, Indians are gonna kick ass.
28
Everhusk 10 hours ago 0 replies      
29
EugeneOZ 4 hours ago 0 replies      
30
maerF0x0 11 hours ago 1 reply      
except if you have GERD.
31
PythonicAlpha 12 hours ago 2 replies      
32
limaoscarjuliet 8 hours ago 0 replies      
Buffer: What We Got Wrong About Self-Management: Embracing Natural Hierarchy bufferapp.com
10 points by SyneRyder  56 minutes ago   discuss
A Submerged Monolith Near Sicily: Evidence for Mesolithic Human Activity sciencedirect.com
84 points by Petiver  15 hours ago   33 comments top 10
1
cstross 14 hours ago 1 reply      
On a similar note, see also Doggerland (the large, submerged peninsula off the north-west coast of Europe, of which the British Isles are the only surviving above-surface relics today):

http://education.nationalgeographic.com/maps/doggerland/

A lot of previously-inhabited territory -- presumably fertile lowlands! -- was inundated as sea levels rose after the last ice age ended, around 9500-8500 years ago.

2
mudil 10 hours ago 0 replies      
The most important Mesolithic site is Göbekli Tepe

https://en.wikipedia.org/wiki/G%C3%B6bekli_Tepe

It is truly revolutionizing our understanding of mesolithic culture.

3
RobertoG 7 hours ago 0 replies      
It could be that the flood myths (Atlantis, the floods in the bible and a lot of others) come from this time.

That would suggest that oral knowledge survives thousands of years (a little more than DVDs). It's pretty remarkable.

4
ams6110 10 hours ago 0 replies      
All these worlds are yours, except Sicily. Attempt no contact there.
5
Asbostos 3 hours ago 0 replies      
I didn't see any discussion of this in the article, but could it have just fallen off a ship, maybe from the Romans or something? It looks like the only dating they've done so far is of the area it was found in, not the monolith itself.
6
rational-future 13 hours ago 4 replies      
I've done some diving in the Black Sea and have stumbled upon a number of structures that looked like human-made artifacts. They are near the shore lines as they were before the end of the last glacial period. I'm personally 99% sure there was a somewhat advanced civilization at that time.
7
coldcode 10 hours ago 0 replies      
I wonder if it's black.
8
ftcHn 13 hours ago 1 reply      
9350 ± 200 years B.P.

B.P. == Before Present https://en.wikipedia.org/wiki/Before_Present

9
tdonia 14 hours ago 0 replies      
10
straws 7 hours ago 0 replies      
Cornell's Macaulay Library: world's largest archive of wildlife sounds macaulaylibrary.org
28 points by zdw  8 hours ago   1 comment top
1
gadders 2 hours ago 0 replies      
For people interested in birds and birdsong, I can recommend the Tweet of the Day podcast by the BBC:

http://www.bbc.co.uk/programmes/b01s6xyk/episodes/downloads

"Discover birds through their songs and calls. Each Tweet of the Day begins with a call or song, followed by a story of fascinating ornithology inspired by the sound."

VHDL implementation of Hack computer from Nand to Tetris rekahsoft.ca
10 points by mirceasoaica  5 hours ago   2 comments top
1
sobkas 1 hour ago 1 reply      
"This site requires javascript!

If you insist on not using javascript we provide a simplified website here"

here leads here: http://blog.rekahsoft.ca/nojs/index.html

At the time of posting this comment it was 404

       cached 7 August 2015 13:02:03 GMT