hacker news with inline top comments    .. more ..    27 Dec 2015 News
32C3 Chaos Communication Congress Streams Online ccc.de
219 points by axx  6 hours ago   41 comments top 10
palcu 5 hours ago 4 replies      
I'm always mind-blown by the sheer amount of networking equipment deployed and maintained during the conference. They now have[0] 5000 WiFi clients connected, downloading with 2.70 Gbps and uploading with 8.93 Gbps. It's like, once a year, a big part of the internet traffic is routed through Hamburg.

[0]: http://dashboard.congress.ccc.de/

zymhan 1 hour ago 1 reply      
They did a presentation about Red Star OS [1] using Red Star OS. Brilliant.

EDIT: http://streaming.media.ccc.de/32c3/hall6

[1] https://en.wikipedia.org/wiki/Red_Star_OS

lispm 1 hour ago 0 replies      

Fatuma Musa Afrah gave the keynote speech at the annual hacker conference, the 32nd Chaos Communication Congress in Hamburg/Germany.

She is from Somalia and lives currently in Berlin/Germany as a refugee/newcomer.

r3bl 30 minutes ago 1 reply      
Is there a place where recordings get saved once they're finished or will I have to wait until the end of the conference? My internet connection is too unstable to watch them live.
yexponential 5 hours ago 4 replies      
"Use a desktop player! Browsers and video doesn't go together well, even in 2015 and especially when it's live. So for your best viewing experience please use a desktop player like VLC or mplayer."

Am I the only one to be bothered by this comment?

axx 4 hours ago 1 reply      
As a side note, you can join the discussion on IRC (hackint):

- http://32c3-wiki.top/congress/2015/wiki/Congress_Everywhere

- https://hackint.eu/

lumberjack 3 hours ago 0 replies      
Where can I find a list of the scheduled talks? I found this link but I get a 503 and the cached version is not navigable.
EDIT: https://events.ccc.de/congress/2015/Fahrplan/

This link works

dimdimdim 1 hour ago 1 reply      
45% Insecure WiFi traffic? at a Hacker Conference? :)
rdl 6 hours ago 0 replies      
Audio is fixed now.
Extracting the Private Key from a TREZOR jochen-hoenicke.de
65 points by csomar  4 hours ago   8 comments top 5
runn1ng 1 hour ago 0 replies      
Hey, I work for SatoshiLabs makers of TREZOR, just a small note.

Jochen did a responsible disclosure and this has been fixed already in the firmware before the article hit. Also he is actively submitting patches to the firmware, which is awesome.

I will also note we have a bug bounty program - see http://satoshilabs.com/security/

Also, see us at 32c3, some of us are here :)

trevyn 38 minutes ago 0 replies      
I know nothing about TREZORs, but I found it odd that the article mentioned a lack of time resolution in resolving certain events, but made no mention of looking for decoupling capacitors or removing them. Does anyone know if the TREZOR design includes decoupling caps?
ibejoeb 1 hour ago 0 replies      
Fascinating. Best look into side channels via electrical analysis I've seen. Thanks.
lovelearning 18 minutes ago 0 replies      
I find his ability to relate changes in voltage to steps in the programming logic truly amazing.
diafygi 1 hour ago 3 replies      
Are there any small form factor smart-card-like devices that are immune from side channel attacks like these? It seems like using constant power without much hardware to buffer stuff out is very difficult.
A better way to teach technical skills to a group miriamposner.com
20 points by mdlincoln  2 hours ago   2 comments top 2
wturner 0 minutes ago 0 replies      
I consider this the "normal" way we learn (one-on-one). Since the instructor can't be one-on-one with everyone, she offloads the burden onto the students themselves - which is a good thing. The psychology allows them each to facilitate their own sense of "flow" instead of having it shoehorned into them by the facilitator.

This isn't to say that the other style of teaching doesn't have its place, but at its core (IMHO) resides in a more imposed tradition of social order, military influence, etc.

djaychela 15 minutes ago 0 replies      
Interesting. I've had exactly the reactions she talks of, and have tried all the previous methods she mentions to get students to ask questions, and nothing has worked well. I will be trying this next term, hopefully it will do the trick, as there is always someone who refuses to ask questions, but will ask a neighbour instead.
Open-Source Watch oswatch.org
57 points by yitchelle  6 hours ago   7 comments top 6
maxwelljoslyn 24 minutes ago 0 replies      
On mobile, I can't scroll down on the page this link leads to or on the Home page.

Chrome 44, Android 4.4.2.

mandeepj 53 minutes ago 0 replies      
Thanks for sharing this. I am thinking about creating a smartwatch. A nicely built smartwatch can replace a smartphone. Instead of building the parts ourselves, wouldn't it be better to import parts?
iask 2 hours ago 0 replies      
Wow! You just made my weekend. Some projects take time and to see you do this from start to end is inspiring to me. I have some projects sitting for months and find it hard, sometimes, to just get them done.
petepete 2 hours ago 1 reply      
Can't scroll up or down on mobile. Chrome 47/Android 6.0
steaminghacker 31 minutes ago 0 replies      
calcwatch.com also plays chess.
as1ndu 3 hours ago 0 replies      
what type of 3d printer is best for making the casing?
AngularJS and MongoDB: Goodbye middle tier? codebulb.ch
9 points by mkj6  1 hour ago   3 comments top 2
trjordan 3 minutes ago 0 replies      
This means every backend deploy is a data migration. In my experience, that's the only kind of difficult / scary deploy, and I'd rather not do more of those.
mcorrand 9 minutes ago 1 reply      
For really small projects, a proper backend is not always necessary and talking directly to the db can speed up development. I wouldn't dare do that for anything serious though.

CouchDB is also a really nice way to do this, since it provides you with an extensive (and extensible) REST API out of the box, serves your site and even gets you a nice Heroku-like deployment workflow with the Couchapp project (https://github.com/couchapp/couchapp). Sticking it behind Varnish is really easy too.

Much faster incremental apt updates juliank.wordpress.com
89 points by edward  6 hours ago   20 comments top 4
saurik 2 hours ago 3 replies      
I run an ecosystem of tens of millions of "end users" who are working with a GUI package manager I developed (Cydia) built on APT (using libapt). We stress APT to its limit, with users often using very large numbers (thirty is common, but I have seen well over a hundred) repositories that are often hosted by random people of varying skill at IT (and so tend to be slow or have errors in their metadata; DNS errors and 200 OK HTML error pages abound).

We have so many non- and semi- skilled people using APT that if you Google many APT errors, you actually tend to come across people using Cydia as the primary people discussing the error condition ;P. Our package churn and update rate is faster than Debian, and we have run into all of the arbitrary limits in various versions of APT (total number of packages known about, total number of delete versions, total number of bytes in the cache): really, we use APT a lot.

1) Despite APT supporting cumulative diffs (where the client gets a single diff from the server to bring them up to date rather than downloading a ton of tiny incremental updates and applying them in sequence), Debian's core repositories are not configured to generate these. I can tell you from experience that providing cumulative diffs is seriously important.

So, while a 20x speed-up applying a diff is cool and all, users of Debian's servers are doing this 20x more often than they need to, applying diff after diff after diff to get the final file. This is an example of an optimization at a low-level that may or may not be useful as the real issue is at the higher-level in the algorithm design.

What is extra-confusing is that the most popular repository management tool, reprepro, can build cumulative diffs automatically, and I think it does so by default. Debian really should switch to using this feature: I keep seeing Debian users complain on forums and blog posts that APT diff updates are dumb as you end up downloading 30 files... no: the real issue is that Debian isn't using their own tool well :(.

2) The #1 performance issue I deal with while using APT even on my server is the amount of time it takes to build the cache file every time there is a package update. It sits there showing you a percentage as it does this on the console. On older iPhones this step was absolutely brutal. This step was taking some of my users minutes, but again: that is the step I most notice on my server.

I spent a week working on this years ago, and made drastic improvements. I determined most of the time was spent in "paper cuts": tiny memory allocations and copies distributed through the entire project which over the course of running the code hemorrhaged all the time.

The culprit (of course ;P) was std::string. As a 20-year user of C++ who spent five years in the PC gaming industry, I hate std::string (and most of STL really: std::map is downright idiotic.. it allocates memory even if you never put anything into the map, and I can tell you from writing my own C++ red-black tree tools that there is no good reason for this).

Sure, maybe APT is using C++11 by now and has a bunch of move constructors all over the place that mitigate the issue somewhat (I haven't looked recently), but it still feels "weirdly slow" to do this step on my insanely fast server (where by all rights it should be instantaneous) and frankly: APT's C++ code when I was last seriously looking at the codebase was abysmal. It was essentially written against one of the very first available versions of C++ by someone who didn't really know much about the language (meaning it uses all the bad parts and none of the good; this happens when Java programmers try to use C++98, for example, but APT is much much worse) and has no rhyme or reason to a lot of the design. It reminds me a little of WebKit's slapped together "hell of random classes and pointers that constantly leads to use-after-free bugs".

Regardless, I rewrote almost every single usage of std::string in the update path to use a bare pointer and a size and pass around fragments of what had been memory mapped from the original file whenever possible without making any copies. I got to be at least twice if not four times faster (I don't remember). I made the code entirely unmaintainable while doing this, though, and so I have never felt my patches were worth even trying to merge back (though it also took me years to ever find the version control repository where APT was developed anyway... ;P). To this day I ship some older version of APT that I forked rather than updating to something newer, due to a combination of this and the gratuitous-and-unnecessary ABI breakage in APT (they blame using C++, but that isn't quite right: the primary culprit is their memory-mapped cache format, and rather than use tricks when possible to maintain the ABI for it they just break it with abandon; but even so, the C++ is buying me as a user absolutely nothing: they should give me a thin C API to their C++ core.)

If I were to do this again "for real" I would spend the time to build some epic string class designed especially for APT, but I just haven't needed to do this as my problem is now "sort of solved well enough" as I almost have never cared about the new features that have been added to APT, and I have back ported the few major bug fixes I needed (and frankly have much better error correction now in my copy, which is so unmaintainably drifted due to this performance patch as to not be easily mergeable back :/ but we really really need APT to never just give up entirely or crash if a repository is corrupt, and so they are also critical for us in a way they aren't for Debian or Ubuntu).

If anyone is curious what these miserable patches look like, here you go... check out "tornado" in particular. (Patches are applied by my build system in alphabetical order.) (Actually, I have been reading through my tornado patch and I actually did at some point while working on it build a tiny custom string class to help abstract the fix, but I assuredly didn't do it well or anything. I really only point any of this maintainability issue out at all, by the way, as I don't want people to assume that performance fundamentally comes at the price of unmaintainable implementations.)
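The "bare pointer and a size" approach the comment above describes, shown as an added example (this is not APT's or Cydia's code): a parser for a Packages-style metadata buffer that hands back fragments pointing into the mapped file instead of allocating a std::string per key and value. The input is a constructed sample in the shape of an APT Packages file, not real repository metadata, and the struct and function names are the example's own. Malformed lines (no colon) are skipped rather than aborting, since the comment stresses that corrupt repositories must not crash the client.

```cpp
// Added example: zero-copy parsing of "Key: value" stanzas from an in-memory
// (e.g. memory-mapped) buffer. Nothing here is APT's own code.
#include <cstddef>
#include <cstring>
#include <iostream>
#include <vector>

// A view into the mapped file: no ownership, no allocation, no copy.
struct Fragment {
    const char* ptr;
    std::size_t len;
};

bool fragment_equals(Fragment f, const char* literal) {
    std::size_t n = std::strlen(literal);
    return f.len == n && std::memcmp(f.ptr, literal, n) == 0;
}

struct Field { Fragment key; Fragment value; };
typedef std::vector<Field> Stanza;

// Trim spaces/tabs (and a trailing CR) by moving the bounds, not by copying.
static Fragment trim(Fragment f) {
    while (f.len > 0 && (f.ptr[0] == ' ' || f.ptr[0] == '\t')) { ++f.ptr; --f.len; }
    while (f.len > 0 && (f.ptr[f.len - 1] == ' ' || f.ptr[f.len - 1] == '\t' ||
                         f.ptr[f.len - 1] == '\r')) { --f.len; }
    return f;
}

// Stanzas are separated by blank lines; a line starting with whitespace
// continues the previous value (its length is simply extended).
std::vector<Stanza> parse_packages(const char* buf, std::size_t size) {
    std::vector<Stanza> out;
    Stanza cur;
    std::size_t pos = 0;
    while (pos < size) {
        const char* nl = static_cast<const char*>(std::memchr(buf + pos, '\n', size - pos));
        std::size_t line_end = nl ? static_cast<std::size_t>(nl - buf) : size;
        Fragment line = { buf + pos, line_end - pos };
        if (line.len == 0 || (line.len == 1 && line.ptr[0] == '\r')) {
            if (!cur.empty()) { out.push_back(cur); cur.clear(); }
        } else if (line.ptr[0] == ' ' || line.ptr[0] == '\t') {
            if (!cur.empty()) {                       // continuation of last value
                Fragment& v = cur.back().value;
                v.len = static_cast<std::size_t>((line.ptr + line.len) - v.ptr);
                v = trim(v);
            }
        } else {
            const char* colon = static_cast<const char*>(std::memchr(line.ptr, ':', line.len));
            if (colon) {                              // lines without ':' are skipped, not fatal
                Fragment key = { line.ptr, static_cast<std::size_t>(colon - line.ptr) };
                Fragment val = { colon + 1, line.len - key.len - 1 };
                Field f = { trim(key), trim(val) };
                cur.push_back(f);
            }
        }
        pos = line_end < size ? line_end + 1 : size;
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

bool find_field(const Stanza& s, const char* key, Fragment* out) {
    for (std::size_t i = 0; i < s.size(); ++i)
        if (fragment_equals(s[i].key, key)) { *out = s[i].value; return true; }
    return false;
}

// Constructed sample in the shape of a Packages file (not real metadata).
const char* const SAMPLE_PACKAGES =
    "Package: foo\n"
    "Version: 1.2-3\n"
    "Description: Example\n"
    " more text\n"
    "\n"
    "Package: bar\n"
    "Version: 2.0\n"
    "\n";

int main() {
    std::vector<Stanza> pkgs = parse_packages(SAMPLE_PACKAGES, std::strlen(SAMPLE_PACKAGES));
    for (std::size_t i = 0; i < pkgs.size(); ++i) {
        Fragment name, ver;
        if (find_field(pkgs[i], "Package", &name) && find_field(pkgs[i], "Version", &ver)) {
            std::cout.write(name.ptr, static_cast<std::streamsize>(name.len)) << ' ';
            std::cout.write(ver.ptr, static_cast<std::streamsize>(ver.len)) << '\n';
        }
    }
    return 0;
}
```

Every Fragment handed back points into SAMPLE_PACKAGES itself; the only heap use is the vector of stanzas, so the per-field allocation cost the comment complains about disappears. The trade-off is lifetime: the fragments are valid only while the mapped file is.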


orf 3 hours ago 2 replies      
This is crazy, apt has been reading diffs a byte at a time? Think of the millions of hours that have been wasted due to this.
aidos 2 hours ago 1 reply      
This is great.

Even more so because after gem, or pip, or something (can't remember) had a similar issue a while ago (think they had an n2 algorithm) a lot of people jumped on it as being bad computer science. There were all sorts of calls about how web people were not real computer scientists.

Either way, good useful products were made and they've been further optimised. That's great. More of that more of the time.

IgorPartola 3 hours ago 3 replies      
I am really surprised that something as frequently used as apt had these obvious performance issues. Was there a technical reason for it? I noticed that it ran painfully slow on devices with slower disks. I suppose that is going to change now.
How Jack Dorsey Runs Both Twitter, Square wsj.com
13 points by prostoalex  2 hours ago   1 comment top
n0us 16 minutes ago 0 replies      
I think his status as a single child-free person goes understated in this article. It takes a special kind of husband/wife to be okay with someone who works this hard and not having to juggle a home life frees up his schedule to a huge degree. I can imagine working hard 18hr days while still in my 30s, but I cannot imagine doing that while maintaining a marriage and taking care of a kid or two. The guy is a billionaire so I guess he could pay for full time staff to help out but that isn't really the same as being there in person.
How DEA Agents Took Down Mexico's Most Vicious Drug Cartel theatlantic.com
12 points by jseliger  3 hours ago   3 comments top 3
patrickaljord 4 minutes ago 0 replies      
By spending billions of dollars to stop people from committing victimless crimes.
SlyShy 44 minutes ago 0 replies      
An ultimately futile thing to do until we change our own drug policies which fuel the economic incentives for such cartels to exist. Unless we change our laws and end prohibition new cartels will continue to spring up out of economic necessity.
discardorama 19 minutes ago 0 replies      
Money quote from the article: "Drug enforcement as we know it, Herrod [the DEA agent] told me, is not working."
What have we lost now that we can no longer read the sky? aeon.co
13 points by benbreen  4 hours ago   5 comments top 3
crimsonalucard 2 minutes ago 0 replies      
>I will write the laws that are to govern mankind for all time. These laws cannot be written on the water as that is always changing its form, nor can they be written in the sand as the wind would soon erase them, but if they are written in the stars they can be read and remembered forever.

Mankind looked at the stars. One man claimed that the stars were laws written by a god named Jehovah. Another man claimed that the stars were poems written by a god named Allah. Both men went to war and killed each other in a nuclear holocaust.

The survivor was the man who never looked at the stars because he always used GPS for navigation.

hedgew 40 minutes ago 1 reply      
This whole article is nonsensical.

>"If humans do someday migrate outward toward the stars, our narrative space will move like an expanding wave before us, a vanguard of the imagination."

What reason is there to think that "narrative space" has to expand when a species becomes space-faring?

>"Our need for stories that help us find our way is too important to be left behind."


Are species or cultures that don't need stories somehow inferior?

Do we really need stories?

>"Knowing where you are in the world is fundamental to knowing who you are"

How do you measure "knowing who you are"? Are people who "know", better or more human than people who don't?

How can anyone claim that anyone "knows where they are"? How many people could point to their exact location on a galactic map? (Less than one in a million?)

dingaling 55 minutes ago 1 reply      
I would argue that it's not so much that people ignore or have forgotten the stellar sky.

Instead for most of us we cannot see more than 30 or so stars plus a few planets, due to light-pollution. So trying to do back-yard astronomy or simply star-gaze is futile and therefore we carry on with other pursuits.

Take people out to a dark site and they will always be awe-struck by the real night sky. Once you've persuaded them to go 100 miles into the wilderness... but in daily life the stars, galaxies and nebulae are simply pretty pictures in books.

Holography Without Lasers: Hand-Drawn Holograms (1995) eskimo.com
67 points by networked  9 hours ago   1 comment top
DanBC 3 hours ago 0 replies      
Optimizing C++ Const Objects in LLVM docs.google.com
27 points by jjuhl  6 hours ago   11 comments top
ape4 1 hour ago 2 replies      
So it seems 'const' has gone the way of 'register' - ignored by the compiler.
Gujarati Capitalism: Going Global economist.com
27 points by omarkassim  5 hours ago   9 comments top 4
lumberjack 1 minute ago 0 replies      
The confidence with which the author generalizes various groups of people in the article makes me quite uneasy.

We know that this is not permitted if we are attributing negative qualities to a group of people. Why is it then permissible to generalize when we are praising the same groups? In doing so the author is sort of admitting that it is at times logical to generalize groups of people and that there is no risk of prejudice in doing so.

ignoramous 1 hour ago 0 replies      
I'm a Gujarati. My ancestors established businesses in most British colonies at the time, from Ceylon to Hong Kong, from Siam to Réunion, from Australia to the Suez, from Kenya to Rangoon. Our family names are based on places where our dad worked for a living. For instance, my mother's family name is Siamwala (an indicator that my granddad and his family were involved in international trade based in Thailand).

This article seems more like PR but isn't far from truth. I think, as a community, Jews have probably outdone any one community out there.

In fact, a great many Jewish business families in British India adopted Gujarat, and spoke Gujarati.

Here's another biased take on the topic by a Pakistani journalist:


And here is my answer on Quora to a related question: https://www.quora.com/Why-do-Gujarati-people-make-up-a-large...

dominotw 1 hour ago 0 replies      
I am reading this sipping Dunkin' Donuts coffee made by a Gujarati lady.
JoeAltmaier 1 hour ago 2 replies      
Of course cultures have attributes - that's what defines them as a separate culture. Not everybody around the world is the same. That would be PC blather. Folks are different, and we can celebrate that.
If you're 30% through your life, you're 90% through your best relationships qz.com
59 points by hunglee2  2 hours ago   42 comments top 17
codingdave 55 minutes ago 1 reply      
This article shows zero understanding of the relationships one has with their spouse and children. Those grow and build over time, and are the people you really will spend your time with in your elder years. Thinking of them, someone who is only 30 has possibly not yet even met the people you will spend the rest of your life with. There is far more to come.
autarch 1 hour ago 1 reply      
Only if your best relationships are with people you met in high school.

My best relationships right now are with my wife and my close friends in the same city as I live in. I see them a lot more than I see people from high school (which is never).

nether 1 hour ago 3 replies      
Articles like these make it seem really hard to avoid a scarcity mindset. I get desperate, clingy toward people and experiences since every advice columnist says "life is short!" and this may be my last chance at happiness. But meanwhile you're supposed to think otherwise with a feeling of abundance, even if that doesn't reflect reality.
mortenjorck 7 minutes ago 0 replies      
I propose that this model of time spent with people is too simplistic. Shared daily time, whether with parents or childhood friends, builds relationships in a way that is naturally resilient to later time apart. It's not impervious, of course you have to commit to maintaining these relationships, but we have more channels through which to do this than ever before. Not seeing a family member for a few months is an entirely different thing from not communicating with them for a few months.
achamayou 1 hour ago 1 reply      
That's ignoring entirely the possibility of children, grand-children, nephews and nieces etc.

Plenty of opportunity for meaningful relationships with younger generations.

level09 52 minutes ago 0 replies      
I find the article too subjective. After 30 I am finally able (financially) to travel around and meet interesting people, travelling increases probability of meeting more people and forming interesting relationships.
adamwong246 16 minutes ago 0 replies      
This article (I've read it before today) inspired me to start my current side project. It's an app that visualizes your google calendar. For instance, you can really understand how much parent-time you have left.
hamhamed 1 hour ago 1 reply      
I'm 20, and say I'll live until my 60's..

Ever since I've co founded a startup, I've been meeting ppl I've never thought I would ever meet. My pre-startup era relationships are just regular ppl who have 9-5 jobs. I am def not through 90% of my BEST relationships..hell probably not even at 5%. I've got a lot more to meet.

This article is based on if you were going to live until 90, meaning after 30 ur basically fucked..while it may be more true, I still think it's way too early. Especially if the target demographic is ppl who browse HN

elorant 53 minutes ago 0 replies      
The more I understand of life and myself the more meaningful my relationships become. So getting older is a blessing in that regard, not a disadvantage.
eric_h 24 minutes ago 0 replies      
I'm not actually convinced by the author's point, but I do find the fact that you can comfortably fit all the days of one's life on a single page (or phone screen for that matter) to be rather depressing. I don't think it would have bothered me in the same way 20 years ago.
jpeg_hero 1 hour ago 0 replies      
I am not sure that the time I spent with my parents from age 2 yo to age 3 yo was 365x better than the Saturday I just spent with them.

Google:"childhood amnesia"

djsumdog 1 hour ago 0 replies      
I've lived outside the US for four years. I move about every two years. I have amazing friends from all around the world and I work hard to keep up with them; I even meet up with them on other sides of the planet.

Honestly, I think I'm on the better end of the quality vs quantity agreement (plus my sister and I never really got along either).

losty 34 minutes ago 0 replies      
Nonsense. It's a choice to work a typical job and not form new relationships. It's also the easiest choice.
QuercusMax 1 hour ago 0 replies      
This year I moved from Ohio (where I've lived all my life), where my parents and younger brother (1.5 years younger, we were very close when we were small) lived about a half hour from me, but I typically only saw them once a month or so, as my parents and younger brother are very busy and I have four children, which makes going out complicated.

Now I'm living in California, a similar distance from my older brother (10y older) who moved away when I was still in middle school. We now see each other twice a week, and my kids now have a real relationship with their cousins and my brother and his wife.

This article really made me think; I'm not super sure what my point is exactly, but thinking about things this way can be useful.

scandox 1 hour ago 0 replies      
I think it is possible to say we have ongoing relationships with people we never see or talk to...even with the dead. Depends how intensely the person affected us.

Sometimes actually meeting someone again diminishes the quality of my relationship with them.

armitron 52 minutes ago 7 replies      
Am I the only one who finds this bit of social conditioning (relationships with other people) as hugely overblown in terms of what's important in life?

Only in a culture that's so far fallen into degeneracy could something as tripe as that be considered (near or THE) ultimate purpose of life?

What about technology, scientific progress, our guided evolution as a species and so on?

We're far too obsessed about "relationships" with other walking-dead sacks of meat instead of what really matters, our legacy and the future. Which is why we find ourselves in this sad state of affairs today.

Endlessly bombarded and distracted by cheap entertainment (social networking, sex, porn, consumerism, money) and all too happy to leave the important bits in the hands of who exactly? People who have turned academia into a filthy whore that is constantly being pimped out to the highest bidder.

We have become the plebeians while mega corporations and elite government groups are free to write history and dictate how we will evolve.

I'm not saying we should live life as automatons, but this article is the perfect example of someone who's completely missing the picture. It would be great if we had a stabilizing factor to counteract this sort of bullshit but alas it's pretty much non-existent these days.

Namrog84 58 minutes ago 1 reply      
Some of my favorite people I first met by moving far away from those I loved :|

There are also lot of sad things. There was a moment of time someone picked you up and then put you down for the last time.

Many of the things have already ended. I wish the article touched on at least 1 thing that may still have 100% left and some things that have 0% left as well for some contrasting.

Progress in graph processing github.com
25 points by mrry  4 hours ago   2 comments top
anonymousDan 1 hour ago 1 reply      
In terms of system support for graph algorithms that don't fit the "think like a vertex model", check out the arabesque paper from sosp 2015 (" arabesque: a system for distributed graph mining").
Yubico with new 4096-bit keys and gpg-agent for ssh authentication trmm.net
66 points by kn9  9 hours ago   26 comments top 9
deno 4 hours ago 1 reply      
Nitrokey[1] is about the same price as Yubico but has open source firmware & hardware. You might also know them as CryptoStick[2].

[1] https://www.nitrokey.com/

[2] https://blog.mozilla.org/security/2013/02/13/using-cryptosti...

tetraodonpuffer 7 minutes ago 0 replies      
For folks interested in more on YubiKeys and GPG, I also would suggest these two blog posts:

grhmc 26 minutes ago 0 replies      
> Encrypting by default is a good idea.

I suspect the author intended to say Signing by default is a good idea.

chx 5 hours ago 0 replies      
May I offer my article on an excellent password manager complementing the Yubico devices well? https://drupalwatchdog.com/blog/2015/6/yubikey-neo-and-bette...
gruturo 6 hours ago 3 replies      
Is there any way to store an ssh server key in it, or an https server's key? Basically turning this into a mini-HSM ?
late2part 2 hours ago 0 replies      
In the article it's written that the yubikey is tamper proof.

This is not the case. They report their product as tamper evident but not tamper proof.

beezle 3 hours ago 1 reply      
Looked at these last year but opted for smartcard and secure pinpad reader instead.
sofaofthedamned 7 hours ago 2 replies      
Are the GitHub keys they sold cheaply compatible with 4096 bit keys? I'm loath to buy another, considering I've got 3 already...
wtbob 7 hours ago 2 replies      
I'm surprised that more folks haven't just gone to 8,192-bit keys, out of an abundance of caution.
Chevrolet Volt Extends Its Appeal consumerreports.org
42 points by jseliger  7 hours ago   16 comments top 5
blisterpeanuts 1 hour ago 2 replies      
Knock $6K off the price, bump the electric range to 100 miles and gasoline range to 400 miles (500 total) and you have the car of the future. Congratulations to GM/Chevrolet for continuing to be innovative in this sector.

I just wish Chevrolet would move a little faster with its release cycle; five years is a long time to take for what amounts to an incremental improvement.

Unfortunately for them, the new Volt arrives just as fuel prices hit a low of $2/gallon, which when adjusted for inflation is the same as in 1971 (about $0.50). Of course, fuel prices will rise again at some point, but the American car market has a short term mentality; when fuel prices are low, large vehicle sales rise, and vice versa.

The Volt will probably continue to do well in the niche market of local urban commuting. The average Volt owners are going 900 miles between fill ups, and the larger battery will probably raise this number.

secabeen 1 hour ago 0 replies      
Just as a note prices on used Model S's are lower than you might expect. There's a model S listed for $48k from Tesla today, and there was one at $43k in the last few weeks. Some buyers have mentioned that even lower-priced Tesla's are sold without ever reaching the public list, so if you were in contact with your local Tesla location, they might be able to find one for you for under $40k.

http://ev-cpo.com/ is a nice aggregator for the public listings.

dsfyu404ed 1 hour ago 0 replies      
If/when they update the Cadillac equivalent I'm going to miss being able to say that my 20yo truck with the economy engine is faster than a new Caddy. That said, this is a step in the right direction for electric cars. I've always thought an incremental transition from hybrids was the way to go and that's basically what the Volt is.
technotarek 2 hours ago 4 replies      
Does anyone here have experience with / an opinion about the Ford C-Max? We're about to enter the new car market and are pitting the Volt against it and the Prius. (The new 2016 Prius is so ugly, though, that it's starting to fall off our radar.)
ebbv 3 hours ago 4 replies      
The battery capacity is increasing by only 7.6% (from 17.1 kWh to 18.4 kWh) but they are claiming an increase in electric-only mode range of 51% (35 miles to 53 miles). I wonder where all the extra range is coming from.

My Leaf gets a claimed 80-90 mile range on its 24 kWh battery, so proportionally the 53 miles on 18.4 would make sense, but remember the Volt is carrying around an ICE and all its trappings (it forgoes the drivetrain for the ICE, but it still needs lubrication, cooling, intake, exhaust, etc.) so the Volt weighs about 300 lbs more than the Leaf (which is ~10%), and that's going to have an efficiency cost.

Also, I should point out the Leaf has had a 25% battery capacity increase in the new model, which should result in a direct 25% range increase since the new battery takes up the exact same space and weight as the old one.

Shellcode Injection dhavalkapil.com
116 points by piyush8311  11 hours ago   14 comments top 7
cedricvg 7 hours ago 1 reply      
Almost every program nowadays is compiled with W^X (--no_execstack) by default which means the memory is not executable and writable at once (Windows equivalent is DEP). Still a good example of how a basic overflow can lead to arbitrary code execution. A follow-up post using ROP or return-to-libc would be interesting, with W^X enabled.
juanuys 7 hours ago 1 reply      
My favourite resource for these types of exploits used to be phiral.com (see Wayback Machine circa March 2007 [1], since it doesn't exist anymore), belonging to author Jon Erickson who wrote "Hacking: the Art of Exploitation" [2].

[1] https://web.archive.org/web/20070305111749/http://phiral.com...

[2] https://en.wikipedia.org/wiki/Hacking:_The_Art_of_Exploitati...

trampi 8 hours ago 0 replies      
The same author refers to another article of his, in which he explains the basics of buffer overflows quite nicely: https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/
dimdimdim 7 hours ago 0 replies      
Here are 2 good courses on Assembly and Shellcoding on x86 and x86_64 if you are interested:


Ecco 8 hours ago 1 reply      
Why "echo 0 | dd of=foo" and not simply "echo 0 > foo"?
dmeeze 8 hours ago 1 reply      
I must be missing something. If you can create an executable which is suid you already have root...
amenod 7 hours ago 2 replies      
> ... -fno-stack-protector -z execstack

Does anyone know how common stack protector is in the wild?

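The two build-hardening knobs this thread keeps circling back to (an executable stack from `-z execstack`, and the stack protector disabled by `-fno-stack-protector`) can both be audited from the binary itself. The following is an added defender-side example written for this page; it is not code from the linked article or its author. It reads the ELF program headers and reports whether `PT_GNU_STACK` grants execute permission, treating a missing `PT_GNU_STACK` entry as executable (the traditional Linux default) so that it is flagged either way. The stack-protector check is a deliberate heuristic, assumed here rather than taken from the page: a dynamically linked, protector-enabled binary imports `__stack_chk_fail`, so its name appears in `.dynstr`; static or stripped builds can evade this simple string search. `build_sample_elf` builds a constructed, headers-only ELF64 image so the script runs offline.

```python
"""Audit an ELF binary for an executable stack and the GCC stack protector.

Added example for this page; not code from the article under discussion.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header recording stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # segment permission bits


def program_headers(data):
    """Yield (p_type, p_flags) for every program header of an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)       # e_phoff
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)       # e_phoff
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        # ELF64 keeps p_flags right after p_type; ELF32 keeps it at offset 24.
        (p_flags,) = struct.unpack_from(end + "I", data, base + (4 if is64 else 24))
        yield p_type, p_flags


def audit(data):
    """Return a dict describing stack executability and stack-protector presence."""
    stack = [flags for t, flags in program_headers(data) if t == PT_GNU_STACK]
    present = bool(stack)
    # No PT_GNU_STACK at all is the traditional "executable stack" default on
    # Linux, so the absence is reported as an executable stack (a finding).
    exec_stack = bool(stack[0] & PF_X) if present else True
    # Heuristic (assumption of this example): protector-enabled dynamic binaries
    # import __stack_chk_fail, whose name lives in .dynstr. Static or stripped
    # builds may not expose it, so a False here is "not proven", not "absent".
    protector = b"__stack_chk_fail" in data
    return {"gnu_stack_present": present,
            "exec_stack": exec_stack,
            "stack_protector": protector}


def build_sample_elf(stack_flags, include_gnu_stack=True, with_chk_fail=False):
    """Constructed minimal ELF64 image (headers only, not loadable) for offline tests."""
    phnum = 1 if include_gnu_stack else 0
    # e_ident, e_type=EXEC, e_machine=x86-64, e_version, e_entry, e_phoff=64,
    # e_shoff, e_flags, e_ehsize=64, e_phentsize=56, e_phnum, e_shentsize,
    # e_shnum, e_shstrndx
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                       0, 0, 0, 0, 0, 0x10) if include_gnu_stack else b""
    # A fake .dynstr fragment standing in for an import of __stack_chk_fail.
    tail = b"\0libc.so.6\0__stack_chk_fail\0" if with_chk_fail else b""
    return ehdr + phdr + tail


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_elf(PF_R | PF_W | PF_X)
    for key, value in audit(data).items():
        print(f"{key}: {value}")
```

Run it against a real binary with `python audit_elf.py /path/to/binary`; with no argument it audits the constructed sample, which mimics a build done with `-z execstack` and without the protector. A hardened build should report `exec_stack: False` and `stack_protector: True`.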
LambdaCube 3D lambdacube3d.com
59 points by lelf  9 hours ago   6 comments top 5
overgard 26 minutes ago 0 replies      
This is pretty fascinating, although superficially a lot of this seems more complex than just plain opengl. For example:

 clear = FrameBuffer $ (DepthImage @1 1000, ColorImage @1 navy)
 -- ...
 mapFragments s fs = Accumulate colorFragmentCtx PassAll (\a -> FragmentOutRastDepth $ fs a) s clear
Compared with:

State management is a nightmare in OpenGL, but that second chunk of code is a lot easier to wrap my head around even if it's objectively worse in a lot of ways. Still though, I'm waiting to see the language tutorial before I make up my mind. Looks interesting!

abecedarius 35 minutes ago 0 replies      
For anyone else wondering what this has to do with https://en.wikipedia.org/wiki/Lambda_cube -- in a few minutes I couldn't find anything.
vlastachu 2 hours ago 0 replies      
http://lambdacube3d.com/editor.html Why is type inference (for hints in the editor) so cool? Can I do something similar for Haskell (without pain, if possible)?
wiz21 3 hours ago 1 reply      
It compiles, but how does it run?
vegabook 3 hours ago 0 replies      
Does anything like this exist in Ocaml?
Web Security Client side certs w3.org
47 points by rvern  8 hours ago   11 comments top 8
newscracker 0 minutes ago 0 replies      
If this has to take off, even with browsers providing an easier UI to create and manage client side certificates, two things would be important to avoid confusing users and a lot of "<insert browser name here> is crap and broke my login" messages:

1. Easy sync of the certificates across devices (as mentioned in the article, allow the user to choose which ones to sync). Most people still don't use password managers, and instead remember or write down passwords. You have to make it easy for these people to use multiple devices without having to jump through hoops. Even private keys protected by a passphrase/password add one more barrier (assuming each user has a separate OS account and is logged in). How would a user setup a new device with a previously setup client certificate? What fallback mechanisms (other than form based user/password auth) would be required for cases where a user wants to use a public or a shared computer account?

2. Handling the reissue of client side certificates for the expiring/expired ones along with revocation (if/when necessary). I believe this is a huge topic by itself on both the usability and security fronts. What would be the sweet spots for the expiry enforced for a particular site? Six months? One year? Two years? Ten years? Considering that users in the current form based authentication scheme rarely change passwords, the convenience, or rather, the reduction in annoyance to end users, should be an important consideration.

I have seen client side certificates used in corporate environments where the management of these is easier, but even in those cases I have always seen alternatives like form based authentication available, along with other things like NTLM, etc.

Please comment/inform if any/what prior work has been done in these areas (I'm sure many people must have thought about these).

mikegioia 4 hours ago 0 replies      
Our development server at work is authenticated using client-side certificates that I install on every employee's computer (along with our Root CA cert). This takes me about 5 minutes to generate for them [1] and another 2 minutes to put into their OSX keychain. It's fun to sit there with each person and show them what I'm doing and how this wonderful system works.

But if I asked ANY ONE of them to do ANY step along the way, they'd throw their hands up and quit. My brother who is extremely tech competent can't do this. I like these suggestions but I just don't know fundamentally if this system can be used by people without a drastic overhaul to the UI.

[1] https://github.com/TeachBoost/pki

pilif 3 hours ago 1 reply      
Back in 2008 I have blogged (http://pilif.github.io/2008/05/why-is-nobody-using-ssl-clien...) about client certs. The UI around them is horrendous and they also serve as a very good solution to uniquely identify clients across sites. This was a good idea, but in its current implementation it's unusable.
bblfish 1 hour ago 0 replies      
Actually creating client side certificates is quite easy if you use the <keygen> tag. See http://www.w3.org/2005/Incubator/webid/spec/tls/#certificate... Sadly some browser vendors have been threatening to remove that functionality rather than trying to improve it. But see the work by the Technical Architecture Group. There is also this document now produced by the TAG: https://github.com/w3ctag/client-certificates
vbezhenar 2 hours ago 0 replies      
Actually there's not a lot of work for browsers to do. Polish the UI, make a "logout" button, provide a JS API, allow apps to handle errors better. Actually they should provide a JS API to work with standard security cards and that will help to extinguish Java Applets from a lot of places. Not a lot of work, but it might start a new era of web security.

I always wondered why password-based authentication is so prevalent, when asymmetric cryptography is there and actually used under the hood. That's a dream: one key to rule them all and no security problems with leaked accounts, unified UI to register, login, logout.

Freak_NL 5 hours ago 0 replies      
Good set of recommendations. Client-side certificates are great for securing web applications in a corporate setting, but the client side is indeed a bit rough in the UI, although once set up, it is no hassle at all.

A major benefit of client-side certificates, is that you can increase the security of all internet-facing web applications you have by routing all external traffic through a gateway proxy, and performing the certificate check there. We use Nginx for that, and host applications such as GitLab, MatterMost, OwnCloud, and DokuWiki that way (performing authentication with LDAP so users can log in with the same credentials on all services).

I'm not sure I agree with his suggestion of having the ability to automatically synchronize client-side certificates between devices. I would rather have that be a conscious (security) choice rather than an automatic feature.

rdl 2 hours ago 0 replies      
Mobile browsers/devices handle client certs better than any desktop I've seen. Especially since they have hw trusted storage.

The issue is identity/linkage. If they let you set up an arbitrary number of keys, so you could do one per site, that's fine (and really, if you use the same username everywhere it's sort of the same thing)

aSp1de 6 hours ago 2 replies      
This is interesting. To use it cross-device there needs to be a vault of some kind to share between browsers. Would it make sense to have a recommendation for that also, so it would be standardized?
StateFace: A font you can use when you want tiny state shapes as design elements propublica.github.io
18 points by pajtai  7 hours ago   7 comments top 3
moron4hire 3 hours ago 2 replies      
This sort of thing, minus the propensity for screwing up screen-reader programs, is what SVG is for. Normally, I wouldn't complain about someone's project like this, but we as an industry really need to start treating the handicapped better.
loktarogar 4 hours ago 0 replies      
american states
jlarocco 44 minutes ago 1 reply      
This is over-engineering to use a specific technology even when it makes no sense whatsoever.

A bunch of small image files would have been easier to implement and easier to use, and wouldn't require a stupid letter -> state mapping like this has. <img src="new_york.svg"/> is obviously New York - <span class="state-font">h</span> is not.

Instagram's Million Dollar Bug: Case Study for Defense summitroute.com
52 points by r721  8 hours ago   3 comments top 2
cdubzzz 4 hours ago 0 replies      
This seems like a very good basic guideline. I have actually been meaning to do some additional security review of various personal projects after reading the Instagram bounty article. This will be very helpful, thanks!
blazespin 2 hours ago 0 replies      
Really excellent write up. Required reading for anyone who was seriously interested in the fundamental technical / architectural issues behind what the bounty hunter brought up.
IntermezzOS: a teaching operating system for experienced developers intermezzos.github.io
45 points by sferik  8 hours ago   2 comments top 2
steveklabnik 2 hours ago 0 replies      
Hi all. This project isn't really _ready_ yet, but I'm happy to answer questions.

I actually wrote some more stuff yesterday, but since it's on HN... just deployed it anyway. I was on a long bus ride home from my parents' house, and didn't have any internet, so there's a bunch of notes to fill things out and double check stuff... I have some stuff to do today, but am hoping to clean that up by tonight.

Here's a sort of synopsis: there's been a lot of really great stuff going on in the Rust OSDev space lately, and I managed to get my own little OS going, with a VGA driver and keyboard input. You can see that source here: https://github.com/intermezzOS/kernel/tree/original_backup

But then I realized that one of the reasons I've struggled a lot here in the past was the lack of tutorials. And I love writing. Christmas three years ago was when I discovered Rust, started writing about it, and is why I have the job I do today. So I decided this break that I'd embark on another project...

I really, truly think that many high-level programmers could do operating systems development if there were more resources that catered to them. Hence this project. Once it's got some polish, I hope that someone who has learned programming through JavaScript can follow along and have their own little OS too.

sghiassy 4 hours ago 0 replies      
Great idea. I read the beginning and it was well written and very encouraging. Keep it up!
Haskell Game Server Part 1 mojobojo.com
18 points by bojo  6 hours ago   2 comments top
aban 2 hours ago 1 reply      
I don't want to sound mean, I really appreciate the article, but the choice of colours (the blue background and the colour of links) is making it quite difficult to follow the post, for me at least.

Maybe you could take a look at some of the web palettes at http://www.colourlovers.com/web/palettes ?

Thanks for the nice blog post!

DMR Unix Edition Zero Manual Unearthed (restoration in progress) tuhs.org
33 points by jritorto  9 hours ago   8 comments top 3
luckydude 12 minutes ago 0 replies      
Is it just me or are the comments here missing the point? This is the original writeup of Unix. It's amazingly well written and pretty complete for when it was done. This is v0 of Unix, it's barely started.

You could, and people did, write a lot of code with just that doc as documentation.

Maybe it's because I'm a Bell Labs fanboy, I find this doc impressive.

gamache 2 hours ago 1 reply      
There must be some OCR errors in there -- the system call "create" was spelled with an "e"!
teddyh 2 hours ago 1 reply      
Why does this supposedly old file contain UTF-8 encoded characters? (The apostrophe in "search in the user's current directory" is U+2019, RIGHT SINGLE QUOTATION MARK.)
Perl 6 Released perl6advent.wordpress.com
388 points by e15ctr0n  19 hours ago   154 comments top 29
SwellJoe 19 hours ago 3 replies      
Perl 6 sort of set itself up for a tremendous uphill battle. By taking so long to "firm up", in terms of specification (or the test suite, in this case), while Perl 5 had a period of neglect, it lost a whole bunch of its early momentum to other languages. Sometimes, former Perl programmers have passed through two or three other languages as their "primary" language since they last called Perl home (I know there are several formerly reasonably well-known Perl folks who are more known now for their involvement in JavaScript, Go, or Haskell, or Rust, etc.).

It would take a ridiculously advanced language to counter that turning of the tides. Luckily (or, I guess, not due to luck but because Perl 6 developers realized they had to deliver something amazing to justify the time lost in the wilderness), Perl 6 is a ridiculously advanced language.

I haven't started a new project in Perl in several years (though my primary projects, which have existed for 9-17 years, are in Perl), but I'm strongly considering making my next project a Perl 6 project. It looks like a really fun language. All the stuff I like about Perl, with almost none of the stuff I don't, plus some advanced stuff that I don't even know enough to know why I might want it. But, I know that Higher Order Perl for Perl 5 (which I actually read while I was mostly working in Python) was a lot of fun and made me a better programmer, so I assume Perl 6 and its new paradigms will be similarly eye-opening.

nedludd 5 minutes ago 0 replies      
As if to confirm Perl's descent into obscurity they give the release a name that 95% of the people of the world can't read.

The cherry on top of the public relations disaster that the introduction of Perl6 has been...

bane 16 hours ago 2 replies      
This is impossibly exciting. Most people don't realize it yet, but it's like a programming language hand grenade just went off in the world...little bits of the new paradigms in Perl 6 are going to start winding their way into languages of the future.

I first remember learning about rumors around the development of Perl 6 about the time I picked up Perl 5 for the first time. I had been doing a bunch of C and C++ code (and a smattering of Java) up to that point, but coding in Perl was like hitting the idea accelerator. At the time (programming resources on the Internet were few and far between) I didn't even know where to look to find resources to do things in C++ that were quick one-off scripts in Perl. Need CGI? No problem. Mucking around with a database, here ya go.

I jettisoned C++ and dove heavily into Perl for years after that. I'm pretty sure that Perl made me a much worse programmer (it turns laziness into a kind of opiate), but a better conceptual developer -- I now had a much better idea of what computers could do, and didn't have to reinvent an entire civilization every time I wanted to do something (not a joke, where and when I worked, I was partially responsible for working on a pre-STL String library for C++, that's where we were in the world). Perl was really the first time I had encountered the productivity benefits a true high-level language could bring.

I've since abandoned Perl and have moved onto Python for day-to-day. There are lots of electrons spilled by many former Perlers who've made similar transitions. I've never really liked Python in the same way I liked writing Perl. With Python I've always felt like I'm assembling Tinker Toys or an erector set into a thing. It's quick to build and it works in the end but there's not much passion in it. With Perl I always felt like I was writing poetry -- code just sort of fell out of me.

I thought about checking out Go, but there's something about the sort of terse opinion the language designers have about the language that's made me feel like the entire language is a premature optimization that's going to go stale quick.

Perl 6 feels like we've just entered a new evolutionary period, where we've been given all new tools, where the opinion is careful inclusionism. It's like being stuck writing couplets and haiku in Perl 5 and now we can write anything.

Congratulations Larry et al. This has been a long time coming, and I hope this is an amazing start!

doodpants 18 hours ago 1 reply      
> We will continue to ship monthly releases, which will continue to improve performance and our users experience.

Is that a Freudian slip? Do they really only have one user? :-)

cies 16 hours ago 0 replies      
I'm really excited about Perl6, it is so jam packed with interesting novel features, that it serves as an amazing testbed for stretching the limits of what programming languages are capable of. I always feel that Ruby was a language that came out of Perl; a subset of its features, carefully selected and implemented with the knowledge of what did not go too well with Perl. This might just happen again with Perl 6, judging from the exotic features it brings together.

Thanks Larry and co! So this Christmas it did happen :)

danso 19 hours ago 1 reply      
Congrats! The new regex features sound exciting ("Dramatically reforms and sets a new standard in regex syntax, which scales up to full grammars powerful enough to parse Perl 6 itself")

I really liked the post that precedes the submitted one, in which Perl 6 is described as a teenager being adopted into a family, "An Unexpectedly Long-expected Party" https://perl6advent.wordpress.com/2015/12/24/an-unexpectedly...

unixhero 19 hours ago 2 replies      
Learn X in Y Minutes[0] is a fresh and quick intro to Perl6. It looks jolly good, readable(!) and quite fun! I hope I get to work on a project in Perl6.

[0] https://learnxinyminutes.com/docs/perl6/

kriro 18 hours ago 2 replies      
Perl was probably the first language I did interesting stuff in (yay IRC-bots, who didn't write one in Perl) but I gradually moved on to other languages. I didn't keep up with it at all, only knew that Perl6 took forever. Then I read up on Perl6 and now I'm really excited about the language. One of the projects I want to work on involves building a DSL, most likely an external one. I was pretty set on using ANTLR4 for it but now I'm seriously thinking about Perl6 as that seems to be one of the strengths of the language.
godzillabrennus 19 hours ago 5 replies      
Duke Nukem Forever and Perl 6 in my lifetime? Next thing you'll know we will have cold fusion.
rsiqueira 2 hours ago 0 replies      
Perl6 example:

# The sub needs a name to be callable, and a slurpy (*@) parameter so that
# total(1,2,3,4) collects the four arguments into one array. [+] is the
# reduction meta-operator applied to addition.
sub total(*@array_to_sum) { return [+] @array_to_sum; }

say total(1,2,3,4); # It will display 10

stesch 7 hours ago 1 reply      
Some of the operators use non ASCII characters. Here is how you enter them: http://doc.perl6.org/language/unicode_entry

No risk, no fun.

bshimmin 7 hours ago 0 replies      
I have a lot of fond memories of Perl from a decade or so ago, and would love to do something more than just installing and tinkering with Perl 6 and then forgetting all about it. I also conveniently have a little "weekend project" coming up where I can probably just choose whatever language seems most fun (and then rewrite it in something sensible later if it grows beyond "weekend" status).

If I chose Perl 6, what's a nice Sinatra-esque thing, and is there an ORM? And how do I deploy it and run it in production (copy it into cgi-bin?!)?

bad_user 5 hours ago 2 replies      
The thing that excited me about Perl6 was Parrot (http://parrot.org), which is supposed to be this very ambitious VM targeting dynamic languages.

But unfortunately it seems that Perl6 is Rakudo and they've developed a Rakudo specific VM. Maybe that's best for Perl6 the language, but it also makes it less interesting for me.

nstart 10 hours ago 0 replies      
On a side note, I love how welcoming all the language is around getting people to join the community. Off to the irc we go :)
Sniffnoy 10 hours ago 0 replies      
julianpye 17 hours ago 2 replies      
My first thought for Perl 6 killerapp: a html5/js build replacement for grunt, gulp and other such monstrosities.
Kabacaru 7 hours ago 3 replies      
I'm fairly disappointed with this release. My read through of a tutorial in it went something like this:

* Oh you're sticking with that confusing % for hashes, @ for arrays then $ for everything else... maybe classes have been sorted out though.

* Hmm, why is the syntax for defining a class totally different to defining functions and variables everywhere else

* Well they can't have made anything WORSE. Oh fields can have minuses in them?? Packages exist and you can define them but you're not supposed to anymore?

* Well at least you can't totally rewrite the language in some arcane way which means every bit of perl you come across is totally different and unreadable for 45min while you work out what the custom DSL does. looks at phasers, Meta operators, fix'es sigh

Great that this has finally been released, but it really doesn't solve the problems that Perl always had that it is TOO expressive and too customisable, meaning it'll always be vastly different project to project. On top of that it doesn't have the things that people are really excited about now, which is channels, selects and other things that make async easy. I think that this would have been an amazing release when Ruby was getting popular, but I think it's a few years too late.

marshray 19 hours ago 1 reply      
On behalf of a long time onlooker: Congratulations, Perl 6!
BuckRogers 17 hours ago 0 replies      
I can't say I'll be using Perl6 for my next project, but I'm glad it's here because it should push other languages forward in meaningful ways. I think the PL landscape has been missing something and Perl6 was it.
scriptdevil 17 hours ago 1 reply      
I installed rakudo and played with it a little. However, the repl was horrible. Is there a repl that accepts multiline subroutines and if possible readline support?
3dfan 17 hours ago 7 replies      
Variable names can contain dashes?

Then how do you know what this means:

oh, i see ... they are prefixed with $. so it's:

Hm... still a bit confusing. But ok. It can be avoided by avoiding dashes in variable names.

rubyfan 2 hours ago 1 reply      
Anyone have an idea of how perl6 performs? All the performance articles I've read are really old.
meesterdude 16 hours ago 4 replies      
Perl was the very first language I learned. I was using it to parse incoming emails to insert records into a timetracking database, so I could log my time via email. Loved it.

But ya know, 15 years is a long time. In fact I was around 16 at the time, and am 30 now, and remember talk about perl 6.

I'm a ruby guy now, and I don't see how I could ever go back to perl. Is perl 7 going to take another 15? or 30?

Despite whatever features came about; i should not need to wait half my life to get them. That I think reflects poorly on the perl culture, or its momentum. And it's not that perl 5 was without issues (though they were rare for me)

Maybe a revival will come about from this, and maybe a change of pace and approach; but as it stands the 15 years it took to release feels closer to failure than to a success, and to tie my code to such neglected foundations does not jive with me. Or maybe I just really like ruby now.

Honestly, I hope something good comes of it. Even if it's just new features that other languages go on to adopt or take cues from.

frik 6 hours ago 0 replies      
It's impressive how different the languages Perl (5 -> 6), PHP (5 -> 7; no 6) and Python (2 -> 3) developed in the last 10 years. And how their community reacted and their transition to newer releases.
sofaofthedamned 19 hours ago 6 replies      
How many times is it going to be posted on HN that Perl 6 is released?!
Thiz 15 hours ago 1 reply      
I like what I see. Now make it available at Godaddy, Namecheap and all hosting providers for it to dethrone PHP as the king of the web.
mintplant 17 hours ago 1 reply      
Are there any good tutorials/introductions/blog posts/etc. on using Perl6 for language parsing/implementation?
gabesullice 18 hours ago 1 reply      
Didn't quite make it by Christmas
bitmadness 18 hours ago 4 replies      
Too little, too late, IMO. The world has moved to Ruby and Go for the web/cloud and Python for data analysis/scientific computing.
       cached 27 December 2015 17:02:04 GMT