Hacker News with inline top comments, 21 Jan 2017
Container Tabs mozilla.org
199 points by malikNF  2 hours ago   57 comments top 15
rlpb 1 hour ago 2 replies      
I would like to be able to configure my browser to open every URL in a domain-specific "container", unless I say otherwise.

Say site www.a.org includes an image from www.evilcorp.org, and www.evilcorp.org sets a cookie. When I then go to www.b.org and it includes an image from www.evilcorp.org, I don't expect the cookie to be sent back.

In other words, the cookie should be tied to www.a.org, even though it actually came from www.evilcorp.org. It should only be sent if my URL bar says www.a.org AND the image is coming from www.evilcorp.org.

I feel that this is how browsers should have been designed in the first place. I welcome this Container Tabs feature, but I don't think it quite goes far enough to restore my privacy.
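
The keying rule described in the comment above, as an added example that is not part of the original comment or of any browser's code: a cookie jar keyed by cookie host alone is compared with one keyed by (URL-bar host, cookie host). The class and function names and the `uid` cookie are hypothetical, and keying on the full hostname is a simplification chosen to match the comment's wording.

```python
from urllib.parse import urlsplit


def host(url):
    """Hostname part of a URL, lower-cased by urlsplit."""
    return urlsplit(url).hostname


class SharedJar:
    """Classic behaviour: one cookie store per cookie host, whatever page embeds it."""

    def __init__(self):
        self._store = {}

    def _key(self, top_level_url, resource_url):
        return host(resource_url)

    def set_cookie(self, top_level_url, resource_url, name, value):
        key = self._key(top_level_url, resource_url)
        self._store.setdefault(key, {})[name] = value

    def cookies_for(self, top_level_url, resource_url):
        key = self._key(top_level_url, resource_url)
        return dict(self._store.get(key, {}))


class PartitionedJar(SharedJar):
    """Behaviour asked for in the comment: the cookie is tied to the site in
    the URL bar AND the host that set it, so both must match to send it."""

    def _key(self, top_level_url, resource_url):
        return (host(top_level_url), host(resource_url))


def tracker_view(jar):
    """Replay the comment's scenario (constructed URLs) and return what
    www.evilcorp.org receives with each embedded-image request."""
    image = "https://www.evilcorp.org/pixel.png"
    pages = ("https://www.a.org/", "https://www.b.org/", "https://www.a.org/news")
    seen = []
    for page in pages:
        sent = jar.cookies_for(page, image)
        seen.append((host(page), sent.get("uid")))
        if "uid" not in sent:
            # The third party answers a cookie-less request by setting a fresh id.
            jar.set_cookie(page, image, "uid", "u-" + str(len(seen)))
    return seen


def cross_site_ids(seen):
    """Ids the third party received under more than one URL-bar host,
    i.e. the ids that let it link visits across sites."""
    hosts_by_id = {}
    for top_host, uid in seen:
        if uid is not None:
            hosts_by_id.setdefault(uid, set()).add(top_host)
    return {uid for uid, hosts in hosts_by_id.items() if len(hosts) > 1}


if __name__ == "__main__":
    for jar in (SharedJar(), PartitionedJar()):
        view = tracker_view(jar)
        print(type(jar).__name__, view, "linkable:", cross_site_ids(view))
```

With the partitioned jar the third party still recognises a return visit to www.a.org, but it never receives the same id under two different URL-bar hosts.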

JohnBooty 1 hour ago 2 replies      
I am a Mozilla supporter and FF is my "daily driver" browser. Very interested in this feature.

Chrome has had it for years, and it's a killer feature for many developers. It's very very useful to have multiple browser windows open, each logged into the same site as a different user. A lot of people do this by opening multiple browsers (FF, Chrome, Edge, Safari, etc) but that has its limits and it just adds another variable my poor brain would prefer not to handle.

Also very useful for home/work separation. One browser account for work and one for home. And also maybe one for porn. So that when you're screensharing in a meeting and you type a URL into the browser, you don't get autocomplete suggestions for your favorite porn sites popping up. Happened to an old (married) boss of mine once while displaying his screen on the projector... typed "a" into the URL field and the browser helpfully suggested he navigate to AdultFriendFinder. Right in front of some clients. :)

Firefox's "container tabs" implementation may be slightly confusing. Chrome's implementation is dead simple. One identity per window, and the identity name is always displayed in the upper right.

With FF's container tabs, I'll have one identity per tab, and I can see they're color coded, but that means I'll have to mentally map colors to identities. It's more flexible than Chrome's implementation but there's more cognitive overhead involved.

Also, what's up with the name "container tabs?" That tells me nothing about what they do. All tabs... contain things. I think they need to rename it to "identity tabs" or something. How on Earth would anybody ever guess that "container tabs" is related to identities and data sharing?

We'll see how it plays out though. I'm excited to try it and I am continually grateful for Mozilla's efforts. In fact this reminds me I haven't donated to them in a while....

altano 1 hour ago 0 replies      
This is awesome. Microsoft's identity system is a nightmare so switching between my Office 365 email account and my OneDrive/music accounts is always annoying. I'd love to be able to contain each and stay logged in to both accounts.

At work I test lots of user accounts on the same site and make heavy use of Chrome profiles for that. This would fill a similar role.

But while I'm glad to have them, no average user would ever understand any of these concepts as presented in these screenshots.

znpy 1 hour ago 6 replies      
I've been doing this for years using both Firefox's and Thunderbird's multiple-profile features.

Just run "firefox --no-remote -ProfileManager" and here you go.

So the serious question is: how is this any different from using multiple profiles?

Multiple profiles also have the pro/con that they are actual different processes, so there's no information leak between profiles whatsoever (well, unless some serious hacking happens).

Edit: being different processes with different profiles, they also have different configuration folders, different cookie sets, different password storage locations etc...

chrisper 4 minutes ago 0 replies      
This is pretty awesome. Very useful.

My school's security is a joke. You cannot log out except by closing your browser. The session also never expires.

Not only that, but now they moved to a "single-sign on." If I sign in on one app, it signs me in for all apps.

sirn 1 hour ago 0 replies      
This looks amazing!

I have been using Self-Destructing Cookies[1] for a few years and while I think the extension is great, I always feel there's not enough isolation between tabs. For example, if I have Twitter logged in in one tab, and another tab contains a Twitter button, then the other tab can still have access to my Twitter cookie. (Because the Twitter tab is still active, SDC would not destroy the cookie.) I know this is solvable using a tracker blocker, but something like SDC that worked at the tab container level would be very welcome.

(Another side effect of using SDC is that I seem to get the harder ReCAPTCHA that makes you click an object until all of them disappear, with new ones popping up after clicking. Usually took about 5-10 clicks. Very annoying.)

[1]: https://addons.mozilla.org/en-US/firefox/addon/self-destruct...

grenoire 2 hours ago 2 replies      
I would love this feature and it would actually get me to switch to Firefox in a heartbeat. I'm currently using Chrome just because of the (subjectively) better developer tools, but this is a feature that would make my life so much easier!
thewisenerd 1 hour ago 3 replies      
Why aren't "Saved Passwords" and "Saved Search and Form data" separated between containers?

There have been autofill/form-data attacks in the past[0] and there was a story recently on HN's front page showing the same[1].

I'd like to point out that mozilla already has a configuration option to disable form data saving on https sites, 'browser.formfill.saveHttpsForms'. Why?[2]

> Right; the idea is to eliminate "opportunism". If my laptop is stolen, Firefox's current behavior makes it easy for a thief to find a https: site in my history, go to it, check out, and then just let autocomplete hand them my complete credit card details.

[0] https://news.ycombinator.com/item?id=12171547

[1] https://news.ycombinator.com/item?id=13329525

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=252486

nmy 36 minutes ago 0 replies      
This is why I'm using Firefox nightly. It is a killer feature to keep open my many AWS and GCP accounts (one container per client). It still needs to be polished though.
alkonaut 1 hour ago 3 replies      
Why do I even need this? Isn't it by default so that site1.com can't see cookies from site2.com for example?
therealmarv 1 hour ago 2 replies      
Tech question: Does Firefox have technical process separation of tabs nowadays? This is one of the main features of Chrome since 1.0 and just want to know if Firefox has something similar finally.
TazeTSchnitzel 1 hour ago 0 replies      
This would be nice for using more than one Twitter account without needing to open one in private browsing (TweetDeck exists, and I do use it, but I prefer Twitter Web). I hope it makes it to the release channel.
muddysky 1 hour ago 0 replies      
Slightly OT: This page reads like Mozilla's Developer Network (MDN) online documentation, I had to read the first sentences a few times until I got what container tabs are about.

However, very nice feature.

Tajnymag 2 hours ago 0 replies      
Lack of history separation seems quite a pity to me imo :-/
hkjgkjy 2 hours ago 3 replies      
As a user, I actually just want my browser to contain less features. Vendors add and add and add features. If I want different user profiles, I already have many users on my OS - I just switch between them.

When Chrome came out, I and many others switched to it just because it was lacking so many features. It was great!

A very casual introduction to Fully Homomorphic Encryption (2012) cryptographyengineering.com
58 points by ergot  3 hours ago   13 comments top 5
mmastrac 29 minutes ago 0 replies      
Oh hey, this is something I've actually done some real work on!

> Just try converting that into a circuit

Hmm. I think this article is a little behind the times. Loops are not a problem with Homomorphic encryption, as we can create circuits that work exactly like a transistor-based CPU.

In fact, I've got an implementation of one that I've been working on here: https://github.com/mmastrac/oblivious-cpu

The trick to making this work is that you may not know how long the computation is going to take, so you need to either add a set number of iterations to run (ie: clock cycles), or send back encrypted updates as you run to give your trusted computer a chance to determine when the calculation has finished.

ajb 2 hours ago 2 replies      
One limitation of Homomorphic encryption, as far as I can see, is that there is no way for the encrypted program to choose to communicate some data in the clear.

Which means it can't be used to allow an untrusted party to run your encrypted server, and have the server communicate with parties that it doesn't trust. Which is what most servers do. Unless I'm mistaken, or there has been an advance?

kaffeemitsahne 1 hour ago 1 reply      
Was there ever a followup blogpost?
Snatch: A simple and fast download accelerator, in Rust github.com
35 points by nukifw  1 hour ago   6 comments top 2
ycmbntrthrwaway 1 hour ago 2 replies      
Downloading from several mirrors at once makes sense, but using "download accelerators" to cheat on TCP congestion control is just wrong. Some mirrors will even ban you for making more than 4 connections at once.
Too 1 hour ago 2 replies      
Wow, do download accelerators still exist? I remember using them back in the days on my 56k modem. I guess it still makes sense though if your home internet is faster than what the server allows per connection. Usually you don't need it anyway because today most things are already fast enough.
Douane personal firewall for GNU/Linux douaneapp.com
38 points by dd112  2 hours ago   11 comments top 6
dimitar 1 minute ago 0 replies      
Douane is "Customs" (as on a border between countries) in French. Clever name!
asrp 36 minutes ago 0 replies      
Nice project and makes you think why all programs are given all network access by default.

This page lists nothing under Packages but the author has actually made AUR packages for Archlinux:


Here's a direct link to the installation instructions for anyone who'd want to try it out


tscs37 1 hour ago 0 replies      
I like this.

Linux has been missing a personal firewall with good GUI for a looong time.

I'll probs give it a try on a VM and see how well it works.

floatboth 1 hour ago 4 replies      
I like the Little Snitch style "allow/deny per binary" thing. It's really unfortunate that it needs a new kernel module because current default firewalls (pf, iptables, etc.) only operate on IP addresses and don't know anything about processes.
bastawhiz 1 hour ago 1 reply      
Can't a process forge its name and icon?
chris_wot 1 hour ago 0 replies      
This looks a bit like Murus Firewall for OS X. Cool project! Are there any options for exporting the rules or tweaking them in more complex ways?
The perils of reporting on China's GDP bbc.com
29 points by clouddrover  2 hours ago   8 comments top 3
ecommerceguy 57 minutes ago 2 replies      
As someone who's frequently been to China, and I'm talking remote, countryside, ox sowed rice paddy China, everything published from the government is known locally as being totally fake. Bribes are standard and should be expected to do any transaction of volume. Fake GDP numbers are obvious. Heck, fake everything is the norm there. Tax day is very interesting. Uniformed government officials set up camp at the major "5 star" hotels in town and the factory bosses show up in their Lexus SUVs with duffle bags full of Yuan to pay the toll. It's something to be seen for sure. There is no real accounting in middle China. I attribute all the fakeness to 3 main factors: communist party politics, local politics and the diversity of cultures equating to local protectionism and face saving. It's entrenched and will likely never change.

I could probably write a book about fake China.

rrggrr 1 hour ago 1 reply      
Anyone interested in China's real economic condition should have a look at the ongoing analysis by Michael Pettis:


And Christopher Balding:


Like other China watchers, they tease economic reality out of ancillary economic data that is difficult to spin (eg. capital outflows, HK-China cross-border trade, energy consumption).

The picture is not good. Reforms are needed, to increase low and middle-class domestic consumption; and perhaps a trillion? in non-performing loans must be written off. The rules for foreign trade and investment in China need to be rewritten to allow for unrestricted foreign competition and investment in the broadest of terms. In sum, system inefficiency in China markets must be rooted out quickly to avoid a much worse crisis.

jayjay71 1 hour ago 1 reply      
"Now, for the first time, we have official confirmation that GDP (in China) has been fabricated."

How much have the numbers been changed?

Stanford Natural Language Parser stanford.edu
22 points by aphextron  1 hour ago   5 comments top 4
charlieegan3 8 minutes ago 0 replies      
I always thought http://corenlp.run was a better demo of the tool. Sadly it's no longer available: https://github.com/stanfordnlp/CoreNLP/issues/273

You could use this Dockerfile to run a local copy if you're interested: https://gist.github.com/charlieegan3/910276eef0f8658b44b42af...

m0th87 12 minutes ago 1 reply      
Looks like it can even handle garden path sentences [1] like "the complex houses married and single soldiers and their families."

1: https://en.wikipedia.org/wiki/Garden_path_sentence

aminorex 2 minutes ago 0 replies      
This software kinda sucks. I guess you get what you pay for, sometimes.
Cryptography Discussion: Speculation on "BULLRUN" (2013) mail-archive.com
64 points by wfunction  4 hours ago   8 comments top 5
Iv 3 hours ago 1 reply      
Said it before and will say it again: privacy on internet is a technical problem only up to a certain point. It becomes a political problem at one point.

The power of strong and asymmetric cryptography led a lot of programmers into the belief that this is a political problem that can be solved with technical solutions but it is not.

Whether it is a subtle influence as is described here or as a heavy handed approach like in China, politics trump technological means.

If your government is actively trying to undermine the security and privacy of your technological solution, you need to be outspoken about it.

debatem1 32 minutes ago 0 replies      
Regarding end-to-end encryption on phone calls, it's pretty much illegal for telcos to deploy in the US or Europe due to lawful intercept requirements. That, not NSA meddling in standards committees, is what keeps carriers from deploying it.
diafygi 2 hours ago 0 replies      
And we just experienced a major consequence of the culture of agencies favoring offense over defense. The NSA could have been working with American companies to help secure their systems instead of hoarding exploits. And now civilian organizations are vulnerable to hacking by foreign powers. Election manipulation is what you get when you favor offense over defense. We're now not in control of our own country anymore.

Was it worth it? I guess for the stock prices of the contractors and the people the foreign power favors at the time. But everyone else gets screwed.

tptacek 1 hour ago 0 replies      
It's amusing to me that this keeps coming up, because I'm 99.9% sure I know exactly who Gilmore is referring to here, and they're definitely not an NSA operative. Never attribute to state-sponsored malice that which is adequately explained by simple douchebaggery.

Further explanation:


aburan28 2 hours ago 1 reply      
Just take for example Elliptic Curves which sit at the crossroads of analytic theory, theory of functions, abstract algebra, algebraic geometry and number theory. It is nearly impossible for a single person to bear the cognitive overhead needed just to understand how might one approach attacking Elliptic Curve systems
It's not too late for slow parenting leonsbox.com
25 points by LeonidBugaev  2 hours ago   25 comments top 8
pgrote 9 minutes ago 0 replies      
I am in a unique position as a parent. We have a 26 year old, 8 year old and 3 year old. We never tried to stop having kids, but all of a sudden we found ourselves pregnant when the oldest was 18. Then, a complete surprise when the last one came along.

When the 26 year old was born I was hyperfocused on getting her involved in everything. We signed her up for tons of stuff, exposed her to many things and we were continually going. I coached her in soccer and basketball, my wife taught her things like sewing and home maintenance. She's now an RN and working in a hospital.

Sounds good, right?

In our rush to expose her to so much, we overlooked the simple premise that she should do what interests her. She didn't graduate from college until 25 due to her inability to stick with things. I am so proud of her since she is the most caring person I know, but part of me knows we failed her by forcing her into so many different activities through her childhood. She felt she could try something and quit, try something else, quit. Rinse. Repeat.

Our youngest 2 kids aren't forced to do things they don't want to do. We ask them if there is interest and if there is we sign them up. If not, we don't. We've eliminated TV and limit kindle screen time and spend so much more time with them than we did the oldest. Honestly, I don't know if there are differences yet, but I do know the younger kids seem to find more things to do on their own.

Part of me thinks it might depend on the kid, but I am convinced parents forcing their children into so many activities hinders them in the long run.

codegeek 44 minutes ago 1 reply      
My wife and I argue over this all the time. She wants the kids to enroll in soccer, swimming and what not, all at the ripe age of 2+. I have been like "what's the hurry. Let them grow up naturally and we can always do those things". I guess it is a difficult topic but there is never really a right answer.
Adutude 8 minutes ago 0 replies      
I have two children and I am now a grandparent. I have to agree that there is no hurry. Too often parents get caught up in comparing their children to the "Norm". Truth is that they all have their own schedule, and they are all different. In my opinion, you and your children will lead a much happier, more well adjusted life, if you let your kids set their own pace. Enjoy every moment and step along the way, don't try to make it go faster, childhood is very fleeting.
ced 1 hour ago 1 reply      
Moreover what your full-grown kid would do at school, if you already taught him reading, counting, talking in foreign languages, practicing yoga and kung fu and playing the violin?

My uni physics professor had similar fears about his child, so he didn't teach him as much as he could have. I'm curious to hear from other parents on HN about this. It seems like a valid concern. At the same time, I didn't enjoy the traditional school system at all, and I'm glad that there are alternative schools where a child can learn at the speed he wants, whether fast or slow.


FraKtus 11 minutes ago 0 replies      
My child did start speaking 2 languages (French and English) since she is 3 (she is now 6). She is in an environment where she is motivated to move forward and learn (a good school). But I am very careful to monitor her happiness and want to make sure she enjoys learning for herself...
rand_r 54 minutes ago 7 replies      
It's hard to know what the right thing to do is, but young kids have an immense advantage that they'll quickly lose: the ability to learn really fast.

A couple of examples:

If you don't start playing soccer really young, you will never be able to catch up to someone who did.

A child can easily become fluent in two languages if they're immersed from a young age. Learning a second language once you're past 20 is hard.

It would be a shame to waste potential.

sudhirj 1 hour ago 4 replies      
Just became a parent a month ago, and yeah, I am struggling to balance what my aspirations are for my daughter with what would give her the best childhood she could have. Not an easy line to walk.
joshuaheard 44 minutes ago 0 replies      
I have always viewed my role as a parent as setting the boundaries of behavior, and providing a nourishing environment, within which the child could grow and develop on their own, slow or fast, with subtle guidance by me.
Reading Ubers Internal Emails (Uber Bug Bounty report worth $10K) pentestnepal.tech
57 points by vinnyglennon  4 hours ago   14 comments top 8
zaroth 50 minutes ago 0 replies      
I found this write-up a bit confusing and hard to follow.

The vulnerability is that any SendGrid user could configure a webhook callback which would POST back all received emails for any domain which had its MX set to 'mx.sendgrid.net'. OP exploited this against Uber to receive copies of their emails.

Presumably there was no way to tell from one account that another account is web-hooking your email out from under you. So you have to wonder, if it's as easy as just typing the domain you want to listen in on.... who else was getting all their emails tapped this way?

From Sendgrid's documentation;

> Setup
>
> The following steps are required to begin parsing email:
>
> - Point the MX Record of a Domain/Hostname or Subdomain to mx.sendgrid.net
> - Associate the Domain/Hostname and the URL in the Parse API settings page.

Shocking omission by Sendgrid, where's their write-up and apology?

ndaiger 1 hour ago 1 reply      
Sendgrid allowed attackers to social engineer control of my company's account and intercept password resets, despite an explicit warning from us a week prior (we received a chat transcript of the failed attempt and let them know that it was not us and someone was actively trying to social engineer access to our account).

Then they had the gall to try to convince me on the phone that it must have been my fault (after our blog post about it blew up).

Needless to say, I think they are terrible.

Previous HN discussion: https://news.ycombinator.com/item?id=7476836

ComputerGuru 2 hours ago 0 replies      
The last time there was a SendGrid article on here, the feedback from the community was far from kind [0]. I again re-iterate that SendGrid has no business sending emails [1].

[0]: https://news.ycombinator.com/item?id=12142728

[1]: https://news.ycombinator.com/item?id=12145019

tyingq 3 hours ago 0 replies      
Ouch. No domain verification required by Sendgrid before allowing you to inject a hook that dumps email contents.

That's much broader than just Uber.

Edit: Yes, it's been fixed, but the fact that it existed for quite some time is still troubling. I'm also curious if the fix retroactively disabled any existing unverified hooks.

mikesea 1 hour ago 0 replies      
Someone reported this same vulnerability to us via HackerOne months ago. We worked with Sendgrid support to re-claim the domain and they said they were urgently working to fix the issue, or not.

Edit: just saw this post was from September. Author probably made thousands in rewards circulating this vulnerability.

ransom1538 2 hours ago 1 reply      
Totally just curious. The law for "exceeds authorized access" is 20 years in prison. I think uber has a bug fixing program. Maybe sendgrid does? Do the DNS carriers? Does his ISP? I read the law. If one of these companies refutes access - this guy is facing 20 years [1]? W(why)TF do people do this? The US government is notoriously creative in these prosecutions [3]. Companies refute access all the time to not look like idiots EVEN WITH a bounty program. [2]. If I came across this I wouldn't be blogging about it for 10k?

[1]"(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains(C) information from any protected computer;"(C) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 20 years, or both, in the case of"


[2] http://motherboard.vice.com/blog/facebook-is-refusing-to-pay...


gizmo 3 hours ago 1 reply      
This looks like a massive security flaw on sendgrid's side. They should use DNS validation like everybody else to prove ownership of the subdomain.
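
The DNS ownership check suggested in the comment above, and whose absence the earlier comments in this thread describe, sketched as an added example that is not part of any comment and is not SendGrid's API or code. Every name here (`InboundParseRegistry`, the `_inbound-challenge` label, the accounts, domains and URLs) is hypothetical, and the resolver is a constructed in-memory zone so the block runs offline.

```python
import hmac
import secrets


def norm(domain):
    """Canonical form so 'Mail.Victim.Example.' and 'mail.victim.example' match."""
    return domain.strip().rstrip(".").lower()


class InboundParseRegistry:
    """Toy model of an inbound-mail service that forwards mail for a domain to a
    webhook, but only for an account that has proven control of the domain's DNS."""

    CHALLENGE_LABEL = "_inbound-challenge"  # hypothetical TXT record label

    def __init__(self, resolve_txt):
        self._resolve_txt = resolve_txt  # callable: record name -> list of TXT strings
        self._pending = {}               # (account, domain) -> challenge token
        self._verified = set()           # (account, domain) pairs that passed
        self._hooks = {}                 # domain -> (account, webhook URL)

    def start_claim(self, account, domain):
        """Issue a random per-account token to be published as a TXT record."""
        domain = norm(domain)
        token = secrets.token_urlsafe(24)
        self._pending[(account, domain)] = token
        return f"{self.CHALLENGE_LABEL}.{domain}", token

    def verify_claim(self, account, domain):
        """True only if THIS account's token is present in the domain's DNS."""
        key = (account, norm(domain))
        token = self._pending.get(key)
        if token is None:
            return False
        records = self._resolve_txt(f"{self.CHALLENGE_LABEL}.{key[1]}")
        if any(hmac.compare_digest(r.encode(), token.encode()) for r in records):
            self._verified.add(key)
            del self._pending[key]
            return True
        return False

    def add_webhook(self, account, domain, url):
        """The step that needs the check: refuse unverified (account, domain) pairs."""
        key = (account, norm(domain))
        if key not in self._verified:
            raise PermissionError(f"{account} has not proven control of {key[1]}")
        self._hooks[key[1]] = (account, url)

    def webhook_for(self, domain):
        hook = self._hooks.get(norm(domain))
        return hook[1] if hook else None


def demo():
    zone = {}  # constructed DNS zone: record name -> TXT values
    reg = InboundParseRegistry(lambda name: zone.get(name, []))

    # An account with no control over the domain's DNS cannot attach a hook.
    reg.start_claim("other-account", "Mail.Victim.Example.")
    other_verified = reg.verify_claim("other-account", "mail.victim.example")
    try:
        reg.add_webhook("other-account", "mail.victim.example", "https://other.example/hook")
        other_hooked = True
    except PermissionError:
        other_hooked = False

    # The domain owner publishes the token it was given and is verified.
    record_name, token = reg.start_claim("owner", "mail.victim.example")
    zone[record_name] = [token]
    owner_verified = reg.verify_claim("owner", "mail.victim.example")
    reg.add_webhook("owner", "mail.victim.example", "https://victim.example/inbound")

    # The owner's published record does not help the other account: tokens are per account.
    other_retry = reg.verify_claim("other-account", "mail.victim.example")
    return other_verified, other_hooked, owner_verified, other_retry, reg.webhook_for("MAIL.victim.example")


if __name__ == "__main__":
    print(demo())
```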
hartator 2 hours ago 1 reply      
It's just me, or $10k is far from being generous?
Hellogopher Just git clone and make any Go project github.com
105 points by FiloSottile  5 hours ago   35 comments top 10
FiloSottile 5 hours ago 2 replies      
Hey all, author here. Happy to take any feedback, in particular "I tried and it didn't work out of the box" stories. I will NOT tell you to RTFM.

I recommend reading https://github.com/cloudflare/hellogopher#why for more insight.

There's also a gif demo https://twitter.com/FiloSottile/status/822745605806112768

EDIT: uploaded the keynote I gave at Golab where I present the problem and introduce this project https://vimeo.com/200469720

Ruphin 4 hours ago 3 replies      
Projects like these and their popularity are indicative of how unapproachable the Go development environment is to new users. One of the first things I did when introducing Go at work is write a bunch of scripts that solved this exact issue for our team, and I suspect that a solution like this has been written a million times over already.

I love the Go language but the development environment tooling is just awful (aside from some great things like gofmt). This requirement of having files in specific folders to be able to build, the (lack of a sane) vendoring system, both problems keep popping up and spawning new solutions over and over. There is no excuse for a modern language to force people to learn how to use the tools before they can even start using the language. Tools should work for the user, not the other way around. Other languages get this right, so why can't Go?

Kudos to the author for spending some time to document and publish their solution to this specific issue. If these projects get enough traction, like govendor, perhaps the language authors will at some point incorporate the most popular solutions into the language platform. At least it'll save everyone else from rewriting the same tool.

nnx 2 hours ago 1 reply      
The annoyance/confusion/hurdle of GOPATH for beginners in the language will finally be resolved with the upcoming Go 1.8 release.


verandaguy 2 hours ago 0 replies      
As someone who's more fond of this approach than Go's native one, it's funny how we've come full circle (even if this never gains widespread adoption).

Thank goodness for the inclusion of sensible vendoring, by the way! Go's default system broke a lot of older code because of the native vendoring system (if you can call it that).

drdaeman 2 hours ago 1 reply      
Sorry, maybe this is a stupid question... but does this require me to store all the dependencies under ./vendor in the repo?

I would really prefer it if ./vendor were .gitignored (like .virtualenv or node_modules) and `make deps` would parse the source and fetch the deps, sort of like `go get` does. Bundling all the dependencies in your own repo just feels wrong to me. Especially if it's not git submodules (and I've heard submodules are frowned upon by those who have tried them - I haven't had such necessity, so don't hold any opinion). At least very similar approaches had led to some really bad experiences I had in the early 2000s with PHP (it was typical to bundle vendored deps there because of relative lack of package management).

weitzj 4 hours ago 2 replies      
This looks awesome. I haven't tried it yet, but hopefully it supports writing test coverage files for multiple packages, i.e. I already split the code up into separate packages and put each package in a corresponding subfolder. Using go test ./... I want to collect coverage reports for all my packages while ignoring `vendor`

So my workaround is something like the following, where I generate a coverage report for each package to later concatenate them into a final coverage report

```
for i in $(go list ./... | grep -v 'vendor')
do
  coverName="$(basename $i).coverraw"
  go test --ldflags '-extldflags "-static"' -v -race -coverprofile="${coverName}" "${i}" | tee -a "${test_outfile}"
done
```

blablabla123 4 hours ago 2 replies      
I think Go works very well without Makefiles. (IMHO even better) You can just enter `go build .` You can install the stuff using your favorite package manager, e.g. dpkg - then it's even possible to uninstall your stuff.
codedokode 3 hours ago 0 replies      
I also have spent some time to make bash scripts that would allow me to copy my Go project into a temporary folder to linux machine and compile it.
justincormack 2 hours ago 0 replies      
I have long used docker to build all my Go so I can put it where I wish, and where makes sense for projects that are not all Go. Looking forward to a permanent fix upstream eventually.
Sphax 4 hours ago 1 reply      
I don't understand how HN ranks posts: this was at the very top with just 9 points, no comments, how does that work exactly ?
DuckDuckGo Hits Milestone 14M Searches in a Single Day searchenginejournal.com
107 points by riqbal  2 hours ago   47 comments top 13
AdamSC1 1 hour ago 2 replies      
For the team here at DuckDuckGo, we were excited not only to hit 14M searches in a single day but to also cross the threshold of 10B total private searches served. Of which 4B were from last year alone.

We wrote a post covering it in our newly launched blog: https://spreadprivacy.com/10-billion-fc7808c91343

It is always an amazing and humbling moment when we hit a new milestone in our metrics. Our team is so incredibly passionate about what we do. To have people from all over the world rally around this concept of raising the standard of trust online and build this product is one thing. But, for users to endorse that mission at such a growing pace and to share us with their friends and family -- it lets us know we're truly making a difference for people who want to be more private online, and that is incredibly rewarding.

So thank you, to all of you who search with us, all of you who know privacy matters, and all of you who work alongside us to show that privacy is not a fringe interest but something we can all have!

decasteve 1 hour ago 0 replies      
I've been using DuckDuckGo since @yegg's first announcement of it (on reddit iirc). The relevance of the results compared to their competitors' has been noticeably improving over the years.

When a search doesn't quite give me what I'm looking for, I prepend !sp on my query (to use startpage.com). I use this less and less and for most things DDG gets me where I need to go.

I'm a huge fan. I'm thankful services like this are available--that respect our privacy. I did have good intentions of contributing to duckduckhack.com but have regretfully not gotten around to it yet.

pcora 5 minutes ago 0 replies      
DDG is a great search engine. I missed the lack of personalized search that Google gets you, but once you get used and learn how to search properly, you start loving it.

And I moved from Google on my phone due to the AMP crap.

philfrasty 2 hours ago 3 replies      
The key for switching to DuckDuckGo for me was to set it as the default search engine / startpage on all browsers. While the relevance of search results is slightly (noticeably) worse than Google, I think the tradeoff between privacy VS result-quality is worth it. Thanks for making such a great product!
hyperpape 1 hour ago 2 replies      
I couldn't find anything obviously authoritative, but various sources suggested Google does 3500m or so daily searches.

That puts DDG at less than 1%, but their percentage growth is huge. It can't continue forever, but they could be a significant search engine if it doesn't peter out too soon.

I tried DDG several times, but it finally stuck earlier this year. I'm really happy it's available as an alternative.

mkj 1 hour ago 1 reply      
Just trying it now, when you go "back" after clicking Images you go to duckduckgo.com, not the previous page you were on. The url changes, so it's a bit strange.

Results are decent, though the results page seems harder to skim read.

yclept 1 hour ago 1 reply      
Congratulations on the big growth.

I'm annoyed that I can't set DDG as the default search engine in Chrome (Android). I hold a bookmark though so 'duc' autocompletes to duckduckgo. Not too inconvenient.

ecommerceguy 1 hour ago 0 replies      
Given the climate of political discord that is occurring on Google sites, especially google "news" (which gets prominent placement in many google searches now), I've switched my iPhone default search in Safari to DDG. I've been pleasantly surprised that I don't need to google things for 90% of searches.
verandaguy 1 hour ago 1 reply      

 >In addition, the search engine is celebrating a combined total of 10 billion searches performed, with 4 billion searches conducted in December 2016 alone.
This can't be right, can it? DDG's been around for years, and nearly half of its total use volume has been in the past month?

nerdponx 2 hours ago 3 replies      
I'm a professional data scientist. Apart from donating, how can I support the project? It's my default search engine everywhere now.
rangibaby 1 hour ago 0 replies      
I switched to DDG as my default search everywhere a few months ago, and I recommend everyone does. The results are passable and when they aren't there is always !g
RodericDay 42 minutes ago 0 replies      
DuckDuckGo is great and I've actually had surprising success in getting non-tech people to try it out, and stick with it! My girlfriend has set it as default in all of her devices, she loves the !bang searches (imdb, wiki, etc.) and lack of ads.

Also, half of my co-workers. !python, !mdn, etc.

I think the biggest hurdle going forward is the fact that DDG is much better for English results than in other languages (we work half in French), but I hope the project grows and grows. Google needs to go down eventually!

muninn_ 2 hours ago 0 replies      
I use it. It's not as good as Google, but it pretty much gets the job done when I need it to.
Kafka compatible alternative in Go without Zookeeper github.com
31 points by cube2222  5 hours ago   8 comments top 2
bsaul 57 minutes ago 3 replies      
What are the usual benefits of all those "x reimplemented in go" type of projects? Do people see performance improvements in practice? Or is it simpler to deploy / monitor?

I know go has all the hype at the moment, but i'm curious to know what the benefits are in practice. Those real world reimplementation projects make for a great benchmark.

tcbawo 33 minutes ago 0 replies      
Since reading through the source of the Kafka server (and several client implementations), I've been intrigued by the idea of reimplementation using cooperative multitasking.

Kafka clients tend to be very resource intensive. It would be interesting to support a smaller/scalable footprint and a lower latency mode of operation.

Don't Be a Free User (2011) blog.pinboard.in
153 points by oskarth  3 hours ago   67 comments top 17
danieldk 2 hours ago 1 reply      
Unfortunately, it often seems that with too little money, a service disappears due to bankruptcy, with too much money a service disappears due to talent acquisition.

With software as an application, there was still the possibility to continue using software for years when a company shut down. Windows has terrific backwards compatibility and on UNIX you get far by keeping around old shared libraries and giving a hint to the dynamic loader.

With services, you are lucky to get a one-year heads up. Sometimes the service disappears in mere months. For this reason, I only give my money to services that are too big to fail (e.g. Dropbox & Office 365) or have an easy migration path (Fastmail). Other than that I refuse to buy anything but software where I actually own a copy.

resoluteteeth 2 hours ago 0 replies      
I think this made sense in 2011, but now the trend of acquihires has gotten so out of hand that it hardly makes a difference; products making plenty of revenue are still being instantly shut down after being bought out.
anondon 2 hours ago 2 replies      
The term "free software" is used rather ambiguously in the article. The free software that is referred to in the article is free as in beer. The more commonly used meaning of the word (among hackers) implies free as in freedom. If you want to learn more refer here https://www.gnu.org/philosophy/free-sw.en.html
nerdponx 3 hours ago 2 replies      
This is why web services should be open source and available for self hosting:

- The geeks with the know-how to run a Web server benefit from your product for free, but in exchange you get bug reports, patches, etc.

- Everyone else pays, because you also offer a paid hosting option.

But because the product is fundamentally open source and federated, it can and hopefully will outlive its original developer.

Raed667 2 hours ago 3 replies      
These arguments fall apart when you're living in a country with no access to online, international payment methods.

And I realize that you don't want to bother with people that are not currently potential customers, but I'm just saying that you're locking entire countries out.

alt3red 2 hours ago 0 replies      
I think many services become popular and see wide adoption, because they are free. When the free element goes away there will not be nearly as many users willing to try it or to use it and love it so much that they will recommend it.
wodenokoto 52 minutes ago 0 replies      
While I don't disagree with the sentiment, I do feel like $5 here and $5 there in monthly charges quickly adds up.

mail, web site/blog (some blog services want a minimum of $10-15!), maybe git hosting, another 5 for a bookmark service (pocket is $5, though pinboard is only $1) a back-up solution, and so on and so on. Should I also have a paid subscription to my internet search and social network services?

a3n 2 hours ago 1 reply      
I pay for pinboard, for exactly this reason. I like it enough that I want it to be there tomorrow. Same with LastPass, Fastmail (don't know if they still have free accounts), The Guardian and The NYT.

There is much, much more of the web that I use for free, either because they have their own reasons for not charging at all, or they appear to have enough of a paying base that I'm merely small-guilty but not worried, or because I don't care enough about them to think about the issue.

joelthelion 2 hours ago 1 reply      
Cool, you can pay and be screwed a second time when the company is sold anyways.
4684499 1 hour ago 0 replies      
I thought people who "clone them" was considered unethical? a copycat? And then if you start charging money from it, well, be ready for the storm...

I totally agree with the logic of the article. And I do hope this will become a cultural thing. I just don't believe it will be widely accepted because of ingrained "free and open spirit".

I think, in practice, you'll be competing with fund-raising start-ups who provide free and better services with "free and open spirit" and lots of money ready to burn, after they took the large share of the market, small competitors will not be the only game in town, instead, they'll be out of the game.

That said, it's amazing that pinboard.in is still alive after so many bookmarking services closed. I guess the philosophy of Don't Be a Free User could work well on specific areas.

adjwilli 1 hour ago 0 replies      
Polly Lingual https://pollylingu.al is a little mom-and-pop software creation. We're probably in the lightest shade of green on that chart. Someone help us!
thatlooper 3 hours ago 1 reply      
So what about HackerNews?
ehnto 3 hours ago 1 reply      
HTTPS error when trying to view. Chrome isn't happy with the ciphers supported.
_h_o_d_ 3 hours ago 0 replies      
Nothing changes. Except, perhaps Facebook might be around a while. What are your thresholds for relying on a service? I still backup my google and fb data.
SFJulie 53 minutes ago 0 replies      
I am gonna stop giving books at my local library and burn my library card.

OOps, it sounds stupid.

Okay then, I am gonna stop taking first aid lessons and helping/be helped by benevolent persons.

Ooops, still sound stupid.

I am gonna stop eating my wife bread without paying her.

Still sounds stupid.

I am gonna stop voting because it is free! And counting ballots for free!

I give up. It is amazing how people that are specialists of hammers see every problem as a nail, and may fail to understand that our time is valuable.

For instance, free services of exchange of native seeds is nowadays the only way to conserve and preserve very important biological diversity and help compensate regulations made to accommodate Bayer/Monsanto racket on seeds. And it is free, so that it lowers the friction in taking part in the global system.

Most actual services nowadays are close to extortion and developing free as a beer alternative where you exchange time for a service helps keep alive important stuff such as culture, seeds, knowledge, freedom... software. Stuff money cannot buy.

We don't need the market every where in our life. Economy is not what drives our existence, else why have kids? They are a cost center. Let's kill them.

akjainaj 3 hours ago 1 reply      
I am a proud free user. When a service closes because of bankruptcy, a new one always appears. Or maybe two or three. So who cares?

There's always a free alternative to every service, especially web ones.

andrewclunn 3 hours ago 1 reply      
Still gonna use Linux, sorry. There should be a disclaimer, "Does not apply to Open Source projects."
How a Kalman filter works, in pictures (2015) bzarg.com
116 points by panic  9 hours ago   19 comments top 6
messel 1 hour ago 0 replies      
For those familiar with least squares estimation, there's a good answer here that relates it with the Kalman filter http://dsp.stackexchange.com/a/2398

It's a little simpler to derive the least squares smoothing function http://stats.stackexchange.com/a/138342

amelius 1 hour ago 7 replies      
Pardon my ignorance, I'm just wondering about some context, since the Kalman filter was invented in the 60s. Are Kalman filters still highly relevant, or are they (in practice and/or in theory) obsoleted by other techniques, such as general ML?
wdfx 5 hours ago 1 reply      
Good work putting the colour highlighting on the formulae. It does make them easier to follow for someone who is not a complete wizard with algebra. Without this little formatting touch I would find the article to be mostly a sea of symbols that I would likely skim over and still not properly understand.
agustamir 38 minutes ago 1 reply      
My ML professor once took a hidden Markov model and arrived at the equations of a Kalman filter. That just completely blew my mind, I could never think the concepts from estimation theory and machine learning could be related so beautifully.
tomkat0789 1 hour ago 0 replies      
This is really great! I kept encountering Kalman filters in my research during graduate school, but they didn't directly affect my research so I never made the time to understand them. What a fantastic explanation!

I'm also a huge fan of the use of colors to understand all the different concepts at work. Yesterday I actually asked the secretary of my department to get me an 8-pack of multicolored pens for this exact purpose (red, blue, and black aren't enough!).

sn41 3 hours ago 0 replies      
That was a really coherent explanation. The coloring was helpful, also the way in which the details were introduced one by one.
BuckleScript: write JavaScript faster, safer and smaller bloomberg.github.io
186 points by dkarapetyan  12 hours ago   58 comments top 13
virtualwhys 3 hours ago 1 reply      
From Why BuckleScript[1]

Large JS output even for a simple program

"In BuckleScript, a Hello world program generates 20 bytes JS code instead of 50K bytes. This is due to the fact that ... all BuckleScript's runtime is written in OCaml itself so that these runtime libraries are only needed when user actually call it."

What happens when you go beyond Hello World though? Surely there's some overhead vs. plain JS. For example, Hello World in Scala.js is tiny, but once you touch, say, the Scala collections library, then file size increases significantly. In the end, once you go beyond trivial applications, there's a 150KB baseline tax to pay for using the full power of Scala in the browser.

If BuckleScript provides an OCaml-like language with file sizes comparable to plain JS that is both compelling and impressive.

[1] http://bloomberg.github.io/bucklescript/Manual.html#_problem...

yawaramin 9 hours ago 0 replies      
I wrote up a non-technical post about my experience with BuckleScript http://yawar.blogspot.ca/2017/01/bucklescript-significant-ne...
jxm262 1 hour ago 0 replies      
Built in npm support is huge for me. I use Scalajs full time and one of my biggest issues is having to use SBT and webjars. I also end up using some mashup of npm modules as well later on in the build which complicates it even more. Plus the speed of the compiler becomes a massive issue, especially during unit tests.

By turning it into a more readable Js, I wonder if the debugger would play more nicely too. I've noticed in Scalajs the debugger randomly misses breakpoints or moves to the wrong line sometimes. Anyway not a rant on Scalajs, I do like it but there's definitely some bottlenecks for me.

bootload 11 hours ago 5 replies      
"BuckleScript is one of the very few compilers which compiles an existing typed language to readable JavaScript."

Elm (type inference) is sort of. While there is a lot of OS type projects used, having bloomberg use it is a plus. Interesting that FB have build system ^Reason^ (build system) doing something similar (OCaml backend->JS) ~ http://facebook.github.io/reason/

djsumdog 8 hours ago 3 replies      
This looks pretty interesting. It makes me want to learn OCaml. :-P

I've been using Coffeescript in projects for about two years. I know people have raised issues with it vs ES6, but I still really like Coffeescript. It feels more natural with my Scala/Ruby background and it outputs into Javascript in ways that (mostly) make sense and are predictable.

willtim 9 hours ago 0 replies      
I found a page explaining the differences between bucklescript and js_of_ocaml : https://github.com/bloomberg/bucklescript/wiki/Differences-f...
david-given 5 hours ago 1 reply      
This looks really interesting. Does this implement the entire OCaml language? I found a section of the docs marked 'semantic differences', but it seems... suspiciously small...

This would allow me to write GWT-style client/server apps where both ends are written in the same language with a set of common library code compiled for both, right? What's the library support like? Don't suppose there's any ELM-style DOM diffing support, is there?

grandalf 10 hours ago 1 reply      
I think BuckleScript is going to blow up one of these days and become hugely popular.
hazza1 9 hours ago 1 reply      
BuckleScript looks great but I've never found any project using it - maybe Reason will be the tooling to make it mainstream?
progx 6 hours ago 3 replies      
Learn a language to program another language. Find the issue. (I did not say that BuckleScript is bad, i have only a problem with all kind of these tools)
buzzybee 10 hours ago 0 replies      
Ooh, I wonder if this could lead to the Haxe compiler running in JS.
sheerun 8 hours ago 1 reply      
Could somebody compile Flow to JavaScript?
dochtman 10 hours ago 2 replies      
Well, Rust can compile to asm.js or wasm, too.

Might still be rough around the edges, but it will improve soon enough.

Attention Federal Employees: If You See Something, Leak Something theintercept.com
65 points by saycheese  3 hours ago   28 comments top 6
adgfadgdfsa545 56 minutes ago 1 reply      
Having had my name smeared before by a journalist from a certain "broadsheet" who took the truth and twisted it to make me look like some sort of criminal regarding a story where the parent company of this newspaper has sent my startup an injunction and this journalist was sent to harass me (no other papers, media printed the story because there was none)

f^&k journalists! they will sell you down the river, ignore your side of the story and lie lie lie

/posting from throwaway account

kbutler 1 hour ago 5 replies      
The site claims to be non-partisan, but the only presidential names cited are Republican, and it ignores abuses and issues under Democratic administrations, except the NSA surveillance scandal.

Admittedly, they are seeking input from disaffected people at a time when Republicans hold the presidency and both houses of Congress, but it seems they are so completely biased they think their examples are "non-partisan."

losteverything 4 minutes ago 0 replies      
This is a great resource for people who make fake news
deadalus 23 minutes ago 0 replies      
This article would not have been posted if Hillary had won.

The entire site reads like an anti-trump ad : https://theintercept.com/

tossacct444 11 minutes ago 1 reply      
There's definitely an agenda in place on HN. Every comment even remotely pro Trump has been downvoted to grey text.
elmerfud 2 hours ago 0 replies      
Asking people to uphold their sworn oath is one thing, but equating unlawful government abuses with getting a lawful tax write off.... Wow

Is this going to be the "birther movement" equivalent against trump?

2D game art for programmers 2dgameartguru.com
126 points by jstrieb  10 hours ago   23 comments top 4
ENTP 3 hours ago 9 replies      
How do programmers like myself meet decent pixel artists with common interests? Art has always held me back in gamedev. I imagine there are people with the opposite problem?
vog 9 hours ago 0 replies      
Very nice introduction. I find it especially interesting to see that in graphics design, simplicity is almost as important as in software development - and moreover, for very similar reasons: So it is easier and faster to change, so you can faster try more variants.
j1436go 4 hours ago 2 replies      
I miss the days of pixel art and 90s anime. I just can't appreciate contemporary game art.
0xcoffee 6 hours ago 0 replies      
I'm not sure if OP is owner of the site, but the BlockBuddies download doesn't seem to be working. I click 'download for free' and nothing happens. Very generous giveaway however.
The analysis of 28.000 results suggests that hardly anybody gets indexes right use-the-index-luke.com
24 points by mariuz  4 hours ago   4 comments top 3
falcolas 49 minutes ago 0 replies      
I think that the problem is that "right" changes with use. Something which works perfectly acceptable at 100,000 rows fails miserably at 100 million rows. Write heavy tables will want different index use. Your DB engine will also change what indexes you want to use.

DBAs may not be valuable for day-to-day work at most companies with the prevalence of RDS and similar hosted DB offerings, but they are still invaluable resources for periodic checkins.

Complete side note, but some of the defaults for MySQL RDS instances are silly. They're inconsistent in what size of instance they target, and don't follow best practices. Drives me batty.

gigatexal 4 hours ago 0 replies      
This site has been an invaluable resource for me as a DBA. Indexing isn't intuitive at least for me but I've gotten better thanks to articles like this.
amelius 48 minutes ago 1 reply      
> The analysis of 28.000 results suggests that hardly anybody gets indexes right

Right, it is "indices", not "indexes" :)

The practice of programming, 18 years later kjamistan.com
134 points by f2f  12 hours ago   14 comments top 6
gtrubetskoy 55 minutes ago 2 replies      
People like Pike and Kernighan are the reason I've invested so much of my time in learning Go lately. To some this may seem completely irrational, because you should pick a language based on its merits (e.g. does it support generics, etc), but for me, the books they authored and the software they wrote (e.g. Ken Thompson's contribution to what we now know as unix) says a lot more than a seemingly objective review based on language features. I guess time will show whether I'm right.
petercooper 1 hour ago 0 replies      
I had similar experiences with Programming Pearls (1986) by Jon Bentley last year. Most of the principles are still there, although the scales have changed somewhat.
nickcw 2 hours ago 1 reply      
This site is blocked by my ISP's porn filter!

SafeGuard You tried to view kjamistan.com

The account holder has activated SafeGuard and this page is blocked by the category pn_pornography.

The account holder is me - I have children hence the filter

ptero 3 hours ago 0 replies      
Kernighan and Pike (and other books of each author) is IMO almost as relevant today as then. It is short, clean, and even if examples seem obsolete they often contain useful nuggets of wisdom.

The blog post cites a few paragraphs, as examples. Read the book itself, it is a good one.

baguette 5 hours ago 0 replies      
> If you think that you have found a bug in someone else's program, the first step is to make absolutely sure it is a genuine bug, so you don't waste the author's time and lose your own credibility.

I am thinking we need to create an open-source "10 commandments" website and this should be on it.

quickben 10 hours ago 4 replies      
"including tips on finding patterns, rubber ducking (but with a teddy bear instead), "

I find all this devaluing of the seriousness of the technical problems a very wrong thing to do.

Especially when gimmicks like rubber ducks, bears and the rest of the animal kingdom are involved. They just make one focus on the analogies, instead of building a better mental model of the problem.

RISC-V 64-bit Linux in JavaScript bellard.org
79 points by mbroncano  11 hours ago   21 comments top 6
alpb 9 hours ago 1 reply      
This was discussed last month. https://news.ycombinator.com/item?id=13210711
netheril96 4 hours ago 1 reply      
So, how do you do 64-bit arithmetic in JavaScript? Emulate with two 32-bit numbers? Won't that be a huge performance bottleneck, one that cannot be optimized by JIT?
bobajeff 9 hours ago 2 replies      
Wow, I'm running Linux on top of RISC-V in an emulator in my browser on my phone!
Yan_Coutinho 4 hours ago 1 reply      
Architecture doesn't have kernel memory protection? Seems risky...
chris_wot 7 hours ago 3 replies      
Silly question, but is there an x86 instruction set emulator written in JavaScript? Not even Linux, just something that takes x86 instructions into a "virtual CPU" and lets you run the assembly statements?
ramblenode 9 hours ago 0 replies      

 ~# date
 Thu Jan 1 00:03:09 UTC 1970

Trying to Cure Depression, but Inspiring Torture newyorker.com
17 points by dsego  3 hours ago   2 comments top 2
parasubcutaneor 7 minutes ago 0 replies      
Within the context of post 9/11 torture, one might wonder about the actual goal of such torture programs.

I've never been entirely clear about the information being searched for among supposed terrorists. Operating without state sponsors, terrorist cells are pretty threadbare, and don't have many valuable secrets. The secrets they might have are limited in use, and have a short shelf life.

Then we read in the article:

 Here we have no direct data - after all, there have never been controlled torture trials that we know of...
Given that the government has a monopoly on violence, maybe the entire goal all along was to conduct exactly this research as a non-survival experiment in humans, under an opportunistic pretense such that the subjects being expended would be considered despicable enough to waste on such exploration?

Maybe doing so would fill in such knowledge gaps, and provide answers in the only way possible.

mcguire 31 minutes ago 0 replies      

Seligman investigated learned helplessness by torturing dogs, and was then surprised to learn that someone else investigated torture by learned helplessness.

Psychologists aren't very bright, are they?

Is Newtonian physics Newton's physics? (2016) thonyc.wordpress.com
8 points by Hooke  3 hours ago   5 comments top 3
Koshkin 32 minutes ago 0 replies      
TL;DR: Yes.

The article is actually rather short; it points out the differences in the mathematical notation used in the development of (then new) calculus, which is an interesting topic in itself since it has been a source of some confusion up to this day.

For example, using the dot to denote the (time) derivative is extremely confusing for many beginning students of analytical mechanics due to the casual mixing of it with the other notation adopted in most of the literature. A first attempt to parse an expression containing the time derivative of the partial derivative of a function (the Lagrangian) by the "time derivative" of a generalized coordinate, the latter derivative being denoted by the dot, may be quite challenging.

My advice is to see the dot, at least in such contexts, merely as some kind of diacritic which is used to denote another independent variable - with the reminder that this new variable will, in some other appropriate context, be taken to be the time derivative of the other one (i.e. the one without the dot).

jamesrcole 34 minutes ago 0 replies      
I can't help noticing that this article, questioning Newton's role, was posted by a user named Hooke.
GregBuchholz 41 minutes ago 1 reply      
Lavabit Reloaded lavabit.com
552 points by ycmbntrthrwaway  18 hours ago   200 comments top 27
mvip 7 hours ago 3 replies      
If you really want secure email, having it hosted and owned by a U.S. company is a recipe for disaster. Since we know that the U.S. gov't will gladly issue gag orders and blackmail, why even bother? It's great that Lavabit is innovating but Protonmail is already ahead by simply not being in the U.S..
bigbrooklyn 18 hours ago 12 replies      
If you NEED encryption, don't use email.

From: https://blog.fastmail.com/2016/12/10/why-we-dont-offer-pgp/

What's the tradeoff?

If the server doesn't have access to the content of emails, then it reverts to a featureless blob store:

- Search isn't possible
- Previews can't be calculated
- If you lose your private key, we can't recover your email
- Spam checking on content isn't possible
- To access mail on multiple devices, the private key needs to be shared securely between them

codehusker 18 hours ago 5 replies      
Is there any person as trustworthy as Ladar Levison for a service like email or chat?

To my knowledge, he is one of the few that has gone to the mat for his users.

jimnotgym 17 hours ago 0 replies      
Whatever did or didn't happen in the past, I for one am pleased to see another organisation attempting to make email more secure. Especially when governments have gone surveillance crazy. Good luck, Lavabit
tinkersec 18 hours ago 1 reply      
Code for Magma Mail Server: https://github.com/lavabit/magma

Code for DIME (Dark Internet Mail Environment): https://github.com/lavabit/libdime

MichaelGG 16 hours ago 1 reply      
Last I looked, DIME was just org level trust. That is, your domain determines what level of verification you get as far as knowing you have the right key for the recipient.

So if you used, say Gmail and they did DIME, you'd still be trusting them totally. Am I misunderstanding?

And still no admitting he was selling a fundamentally critically flawed service in the first place. If that's not even being mentioned, it really removes confidence from their new service.

As far as hardware HSM, that's cool. I very much enjoyed reading about how an HSM, the Luna CA3, was cracked:


akerl_ 18 hours ago 1 reply      
Trustful seems like a strange way to refer to the insecure mode. It is indeed full of trust, but not in the way a normal read would suggest: it requires full trust in Lavabit's hosting provider and administrator.

If you're going to operate in "trustful" mode, lavabit isn't offering any real security wins over any other mail host.

MaymayMaster 18 hours ago 2 replies      
>Lavabit believes in privacy and will always ensure your digital freedom.

>Asks for your credit card information on the same page.

Wew, at least let us use buttcoin, Levison.

daveheq 1 hour ago 0 replies      
Naming it the "Dark Internet Mail Environment" is not going to get the average person's sympathy or interest, and will be an easy target for politicians.
coretx 13 hours ago 3 replies      
Sensible choices in a nutshell: If you live in a 5-eyes nation, don't use or buy services hosted or operated from a 5 eyes nation. If you don't live in a 5 eyes nation, only use services hosted and operated from Iceland or Switzerland.( Nation states are the #1 threat, and your own nation is always the most dangerous one. )
mike-cardwell 17 hours ago 1 reply      
So they're using a HSM to protect the SSL key this time. Makes me wonder how many HSMs out there are already backdoored.
macmac 16 hours ago 2 replies      
Why would they ask for name, address etc?
smoyer 18 hours ago 1 reply      
How do we know who's controlling the Lavabit domain?
tptacek 17 hours ago 2 replies      
In August 2013, I was forced to make a difficult decision: violate the rights of the American people and my global customers or shut down. I chose Freedom.

Shouldn't that "or" be an "and"?

advisedwang 18 hours ago 1 reply      
The explain document doesn't describe how key distribution works. How do I get a public key for somebody that I want to email, and how can I know that I am getting the right key?

This is the hard part of a modern cryptosystem and the usual source of weakness.

chadcmulligan 6 hours ago 1 reply      
If I was a government spook I'd set up an email service, then make a big show of closing it down because the government. Then decide to make a big show of 'No, Security is paramount' and reopen my mail service.

Not saying this is what happened of course but without legislation all 'secure servers' must be considered corrupted or corruptible. There isn't a technical solution to trust.

..or even going into extreme tinfoil hat mode - how do we even know this is the same person. Again no technical solution

Edit: why the down vote? - perhaps a counter argument would be better, I'd like to be proved wrong.

zymhan 18 hours ago 4 replies      
Any reason I shouldn't sign up right now?

edit: Signed up. Half off for life is a sweet deal.

betolink 14 hours ago 0 replies      
I consider this article relevant to this discussion: "Hackers can't solve surveillance" http://www.dmytri.info/hackers-cant-solve-surveillance/
wjd2030 3 hours ago 0 replies      
this smells funny.
Arallu 17 hours ago 1 reply      
What's the difference between Standard and Premier?
grecy 10 hours ago 0 replies      
> Today is Inauguration Day in the United States, the day we enact one of our most sacred democratic traditions, the peaceful transition of power

Sitting here in West Africa, watching the news, we didn't see much peace during the rioting in the streets in (I assume) Washington

newsat13 12 hours ago 1 reply      
There is no way I would trust lavabit again given its past...
truebosko 15 hours ago 0 replies      
Is this the right space to ask for opinions about Fastmail and its privacy? I just switched on trial after being on Gmail. I'm happy but I switched primarily to get part of my life away from Google.
kijin 12 hours ago 0 replies      
What I want is an open-source proxy that I can install on localhost to provide IMAP/SMTP access on the one side, and talk to the encrypted remote data store on the other side.

All of the encrypted email services I've seen so far, including Protonmail and now Lavabit v2, require using a special client (app or webmail) instead of common email software. This fails the very first test that I apply when trying to decide whether or not to use an online service: can I get all my data out of it on short notice, in a standard format through an automated process?

For email, this means IMAP access so that I can use standard tools like imapcopy to back up and migrate my mailbox. I don't care how secure your product is if it leads to vendor lock-in. I want both good encryption and an exit strategy, and the latter is much more important because if you screw up, I can always move to someone who does it better.

DKnoll 17 hours ago 1 reply      
I can finally get my old mail back. :)
satysin 17 hours ago 0 replies      
No trial is a shame.
tastythrowaway2 13 hours ago 2 replies      
this vs protonmail.ch?
Magic Leap is neither magic nor leaping theregister.co.uk
162 points by zby  7 hours ago   101 comments top 22
ryandamm 4 hours ago 8 replies      
I think what's missing from this discussion is the demo is apparently really, really good. Google didn't put ~$500m, and Alibaba something like $800m, just on a whim, or some investment thesis. And everyone I've spoken to who's gotten the demo is a believer.

I think this article suffers from an overly binary view of technology -- if it isn't market ready, it's vaporware. No, there's probably some real tech there (aforementioned demo), but miniaturizing / productizing is still a risk. I think the blowback has something to do with the marketing itself, and Abovitz's amazing idiosyncrasies. Neither of those indicates anything about the tech, but (absent any public information) it helps fuel the hate.

And from what I understand about their likely approach, it's definitely more aggressive than the HoloLens. I don't personally think that nearfield focus in a headset is that valuable, but that's just a guess. If light field displays are the tech that takes AR over the top -- from curiosity to a new computing platform -- then Magic Leap is really well positioned, vis a vis a large lead and big IP portfolio.

Also, with ~$1.4 bn raised, they're too big to fail.

oculusthrift 7 hours ago 2 replies      
sometimes i get tired of all the fakeness in the world. it seems to corrupt every part of society and makes me sick thinking about it. theranos, magic leap, and a lot more. everything seems to be overhyped bs, while the only successful things are essentially avenues to cram ads down your throat and brainwash you to spend money you don't have.
argonaut 7 hours ago 2 replies      
The first video was known to be fake back in 2015, when they released another video that explicitly stated no visual effects were used. And my guess is the second video isn't fake, but it's using their non-miniaturized technology. This is not news.

Unlike Theranos (where people's health was also at stake), if/when Magic Leap fails, their investors will lose their money and capitalism will go on - this is how things are supposed to work.

jaypaulynice 4 hours ago 2 replies      
The problem is honesty isn't rewarded anymore. Someone working hard will be beaten by someone who tells all the fancy stuff...I know a lot of startups that raised millions, but their tech and growth is totally non-existent. I did some research and a lot of companies have little to no social media presence, yet are "growing" crazy. How do people find them?

Add network effect and you get overly hyped stuff that doesn't deliver. I wish startup accelerators relied more on experienced, reputed judges in the startup's field instead of growth gimmicks. Online contests/challenges seem to be the way to find really good tech startups.

curiousgal 6 hours ago 0 replies      
"In general, signal theory says if you have a good way of proving something and a noisy way of proving something and you choose the noisy way chances are it's because you couldn't do the good way in the first place."
imode 7 hours ago 1 reply      
I keep getting Magic Leap confused with Leap Motion.

though at least the latter has a proper, released product...

grabcocque 7 hours ago 2 replies      
That these guys are a bunch of snake oil merchants has been obvious from day zero. Sometimes the overwhelming stench of bullshit is a little too difficult to ignore.
orasis 37 minutes ago 0 replies      
I saw an AR demo earlier this week using a google cardboard type setup with a phone screen and it was fairly compelling already.

Based on this cheap setup I'm confident we'll see something mind blowing in the near future.

joelg 6 hours ago 0 replies      
> Quick guide to spotting non-existent tech

> - Refusing to give a launch date

> ...

> - Confusing working hard with making progress

Some of these are valid, but some are inevitable for any tech that is actually revolutionary. Magic Leap's actions seem so far to be consistent with both theories. It's kind of unfortunately true that it's impossible to distinguish between the exaggerated-for-media-coverage-sake case and the actually-world-changing-but-really-technically-difficult case.

oelmekki 1 hour ago 0 replies      
Sounds like Magic Leap is making the same prelaunch communication errors as Hello Games did with No Man's Sky: creating high expectations without showing much, which causes expectations to build up when people's imagination fills the gaps, and causes backlash in the shape of frustration.

But to be fair, the author does the exact same thing as he is accusing Magic Leap of: making claims without displaying anything to back them up. He states that Magic Leap won't happen, just like flying cars. Based on what, except his frustration of not seeing the product? Same there: "The truth is that Magic Leap cannot get its huge prototype working in a much, much smaller version". Starting a sentence with "The truth is" doesn't make it true by itself, we need evidence.

As far as I know, maybe the author is stating exactly what will happen, but I can't agree with him given so little evidence.

redgc 4 hours ago 1 reply      
Benedict Evans doesn't seem like the kind of guy to fall for BS though, let alone defend it. And surely at least one of their investors had the technical due diligence capability to investigate how much computing power is in the demo "rigs" and be able to know if such power can be "miniaturized" into a consumer product by year X, perhaps allowing for a little software optimization on the way too.
evo_9 1 hour ago 0 replies      
Similar tech, less hype, perhaps more 'real'...http://www.roadtovr.com/realview-holoscope-ar-headset-hologr...
aphextron 4 hours ago 0 replies      
I lost any respect I had for that company when they released that whale video referenced in the article. Complete marketing hype nonsense.
drelihan 1 hour ago 0 replies      
It's unlikely that 500m or 800m investment is 1.) all in cash or 2.) given out on day 1. If there are proper investor controls in place, cash is likely staged in and noncash vests over time as milestones are hit. At least, I hope that is the way it is set up...
ismail 4 hours ago 0 replies      
I have a theory secretive + massive hype = emperor without clothes
xorcist 7 hours ago 0 replies      
It's easy to fool those who want to be fooled. The likelihood that these people developed electronics 10x smaller with 10x performance is roughly the same as my cold fusion reactor in my garage delivers free energy for all. If someone pulled that off they wouldn't need to fleece investors for their money.
Geee 4 hours ago 3 replies      
It doesn't matter if their tech doesn't yet work. Augmented reality is inevitable and someone will make it happen. Now, the logic is that whoever pours the most money into it will win the race and with patents be in a monopoly position. It's a gamble, but they have a likelihood of succeeding with money and hard work. That's what they've sold to their investors.
wodenokoto 5 hours ago 1 reply      
The article mentions a large helmet. Any pictures of it around?
DonHopkins 4 hours ago 1 reply      
Sounds like Magic Leap developed schpilkaz in their genektagazoink. The demo was like buttah. Like a big stick of buttah. I love Rony Abovitz, but he's a little ibaboodled in the kebbie. Talk amongst yourselves. I'll give you a topic: Magic Leap is neither magic nor leaping. Discuss.


Kiro 4 hours ago 1 reply      
The author of this article needs to try Hololens. The technology is definitely here.
soneca 7 hours ago 1 reply      
I believe there will be a lot of frustration when they finally launch something. But I don't believe that Microsoft Hololens has "fallen short" as they say. I believe the Hololens demo was great and transparent on how the tech is, how it shows, what it takes to produce. Not a "magical" new sci-fi world made real, but definitely closer to reality than flying cars.
camus2 5 hours ago 0 replies      
This comment is interesting :

> If you were investing millions into something, would you not request a personal demo where you actually see the demo for yourself, in your own time, and see how it works?

I know I would.

       cached 21 January 2017 17:02:02 GMT