hacker news with inline top comments, 26 Feb 2017
How Nasty Gal Went from an $85M Company to Bankruptcy morningstar.com
48 points by prostoalex  3 hours ago   16 comments top 4
headmelted 2 hours ago 1 reply      
The most interesting part of this to me is the purchase by Boohoo.com, itself capitalising on legendary dotcom failure boo.com's branding.

It sounds very much like the parent is running a business model very similar to the "one last draw" model Warren Buffett was so successful with earlier in his career.

It might make a lot of sense for the right type of investor, too. The growth won't likely be there in the long term (minus an unlikely resurgence), but revenue will come early, meaning a fast if limited return.

I'd be interested to know what kind of revenue Nasty Gal is doing now, obviously it's not anything like $85m on a price of $20m.

firasd 1 hour ago 0 replies      
Oh snap, I didn't expect this headline sentence to end this way. It was so lauded in the media for a while. Good PR.

(File under sama's warning about founders falling in love with personal press? http://blog.samaltman.com/the-post-yc-slump)

em0ney 2 hours ago 1 reply      
Can't read the article without a subscription to WSJ
Linus on Git and SHA-1 plus.google.com
422 points by dankohn1  15 hours ago   131 comments top 16
frik 0 minutes ago 0 replies      
Can someone correct me? SVN/Subversion and GIT are affected by SHA-1 problem. SVN uses SHA-1 internally, but exposes only a numeric int as revision. GIT uses SHA-1 internally and as revision. So if someone commits a modified PDF that collides he can run havoc on both SVN and GIT at the moment. It seems easier to fix the issue in SVN than GIT.
joatmon-snoo 6 hours ago 1 reply      
The actual mailing list discussion thread can be found here, and is infinitely more informative than any of the bull being spouted in this thread: http://public-inbox.org/git/20170226004657.zowlojdzqrrcalsm@...
maxander 7 hours ago 2 replies      
I don't really get the threat model here. If an attacker is pushing commits into your repository, you're long since toast on all possible security fronts, right? Is there anything nefarious they could accomplish through hash collisions that couldn't be done simply by editing commit history?
runeks 12 hours ago 1 reply      
One thing SHA-256 has going for it is that millions can be made from finding pre-image weaknesses in it, because it's used in Bitcoin mining. If you could "figure out" SHA-256, and use it to take over Bitcoin mining, you'd make $2M the first 24 hours, at current rates. And if you play it wise, it could take a long time before anyone figures out what's going on.

With regards to market price for a successful attack, I don't think any hash function stands close to SHA-256. And for that reason I think it would be the right choice.

bascule 13 hours ago 13 replies      
Linus's transition plan seems to involve truncating SHA-256 to 160-bits. This is bad for several reasons:

- Truncating to 160-bits still has a birthday bound at 80-bits. That would still require a lot more brute force than the 2^63 computations involved to find this collision, but it is much weaker than is generally considered secure

- Post-quantum, this means there will only be 80-bits of preimage resistance

(Also: if he's going to truncate a hash, he should use SHA-512, which will be faster on 64-bit platforms)

Do either of these weak security levels impact Git?

Preimage resistance does matter if we're worried about attackers reversing commit hashes back into their contents. Linus doesn't seem to care about this one, but I think he should.

Collision resistance absolutely matters for the commit signing case, and once again Linus is downplaying this. He starts off talking about how they're not doing that, then halfway through adding a "oh wait but some people do that", then trying to downplay it again by talking about how an attacker would need to influence the original commit.

Of course, this happens all the time: it's called a pull request. Linus insists that prior proper source code review will prevent an attacker who sends you a malicious pull request from being able to pull off a chosen prefix collision. I have doubts about that, especially in any repos containing binary blobs (and especially if those binary blobs are executables)

Linus just doesn't take this stuff seriously. I really wish he would, though.
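
Added example (not part of bascule's comment or of any post on this page): a Python sketch of the birthday bound discussed in the comment above. It brute-forces collisions on SHA-256 truncated to 16, 24 and 32 bits, compares the work with the 2^(n/2) estimate, and applies the same generic bounds to a 160-bit truncation. The function names and the sample inputs are constructed for this illustration.

```python
"""Birthday bound on a truncated hash (added illustration, constructed inputs)."""
import hashlib
import math


def truncated_sha256(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-256(data) as an integer."""
    if not 1 <= bits <= 256:
        raise ValueError("bits must be in 1..256")
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"constructed-sample-"):
    """Brute-force two distinct inputs with the same truncated digest.

    Returns (msg_a, msg_b, hashes_computed). Memory grows with the number
    of digests stored, so keep `bits` small (this demo uses <= 32).
    """
    seen = {}  # truncated digest -> first message that produced it
    count = 0
    while True:
        msg = prefix + str(count).encode()
        count += 1
        tag = truncated_sha256(msg, bits)
        other = seen.get(tag)
        if other is not None:
            return other, msg, count
        seen[tag] = msg


def expected_collision_work(bits: int) -> float:
    """Expected hashes before the first collision: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2) * 2.0 ** (bits / 2)


def security_levels(bits: int) -> dict:
    """Generic (attack-independent) bounds for an ideal n-bit hash, in bits."""
    return {
        "collision": bits // 2,          # birthday bound
        "preimage_classical": bits,      # exhaustive search
        "preimage_grover": bits // 2,    # quantum search (Grover)
    }


def demo(widths=(16, 24, 32)):
    """Find one collision per width; return rows for printing."""
    rows = []
    for bits in widths:
        a, b, work = find_collision(bits)
        rows.append((bits, work, expected_collision_work(bits), a, b))
    return rows


if __name__ == "__main__":
    for bits, work, expected, a, b in demo():
        print(f"{bits:>3}-bit truncation: collision after {work} hashes "
              f"(estimate {expected:.0f}): {a!r} / {b!r}")
    # The same arithmetic applied to the 160-bit truncation in the comment.
    print("160-bit truncation:", security_levels(160))
```

Each extra 8 bits of output multiplies the collision work by about 16, which is why the 160-bit case lands at roughly 2^80 hashes while the full SHA-256 digests of the colliding inputs still differ.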

hannob 11 hours ago 0 replies      
One thing that I think is worth mentioning: This was completely avoidable. Git isn't that old, it wasn't taken by surprise by the SHA1 attacks.

The first paper from Wang et al, which should've put SHA1 to rest, was published in 2004, the year before the first ever Git version was released. It could have been easy: Just take a secure hash from the beginning.

ploxiln 13 hours ago 0 replies      
If anyone is really interested in more assurance of git commit contents, there's "git-evtag", which does a sha-512 hash over the full contents of a commit, including all trees and blob contents.


simias 10 hours ago 0 replies      
While this post sounds very reasonable to me there's one point that I really don't get: why does he keep saying that git commit hashes have nothing to do with security?

If he believes that, why does git allow signing tags and commits and why does Linus himself sign kernel release tags? Isn't that the very definition of "using a hash for security"?

hackuser 6 hours ago 0 replies      
Related, from Mozilla:

* The end of SHA-1 on the Public Web


As announced last fall, we've been disabling SHA-1 for increasing numbers of Firefox users since the release of Firefox 51 using a gradual phase-in technique. Tomorrow [Feb 24th], this deprecation policy will reach all Firefox users. It is enabled by default in Firefox 52.

claar 14 hours ago 0 replies      
Also see discussion of Linus's earlier comments at https://news.ycombinator.com/item?id=13719368
yuhong 4 hours ago 0 replies      
I do wonder how many outside of crypto circles know about SHA-2 circa 2004.
theseoafs 13 hours ago 1 reply      
Have there been writings on what exactly git's migration strategy to a new hash function will be? Apparently they have a seamless transition designed that won't require anyone to update their repositories, which seems like a pretty crazy promise in the absence of details.
jmount 9 hours ago 0 replies      
Probably isn't the sky falling. But if knowing the length fixed all hash function issues then cryptographic hashes would just use some more bits for length.
dboreham 13 hours ago 0 replies      
Um what? Software written in the past 20 years has a baked-in assumption that the length of some ID can't change?
debatem1 13 hours ago 4 replies      
I'm mystified as to why this is even a discussion.

SHA1 is busted. That impacts some git users. The fix is not invasive. Fix the bug. Make the transition. Move on.

Super unprofessional.

colin_fraizer 12 hours ago 1 reply      
This, btw, is why we have e-cigarette bans. The fact that the generally high-IQ, paid-to-think-about-subtle-categorization community of software developers needs to be inoculated against the "I Heard SHA-1 Was Bad Now" meme, should serve as a reminder for why most things should not be managed by democracy.

(Yeah, I know this will be read as a plea for monarchy and downvoted. It simply proves my point: people are WAY too subject to errors in the classes (1) "I hate him because he said something 'bad' about something 'good'." and (2) "I hate him because he said something 'good' about something The Tribe now knows is 'bad.'")

The Future of Not Working nytimes.com
285 points by WheelsAtLarge  15 hours ago   164 comments top 23
Razengan 3 hours ago 8 replies      
With almost 8 BILLION people on this planet soon, not everyone can meaningfully contribute to something that can't be done more efficiently by automation (which is also cheaper for everyone and easier on the environment) or done away with entirely. See [1], [2], [3] for examples from our not-so-distant past.

You just cannot expect everyone to "earn" money while expecting technological progress to continue unabated.

Don't want so many people? Mandate reversible sterilization at birth.

Don't want so many disgruntled and unemployed people? Endorse some form of guaranteed income, or incorporate basic housing, meals, healthcare and internet into the list of undeniable human rights.

[1] https://en.wikipedia.org/wiki/Lamplighter

[2] https://en.wikipedia.org/wiki/Link-boy

[3] https://en.wikipedia.org/wiki/Switchboard_operator

spyckie2 13 hours ago 6 replies      
The article's title is misleading - it is not about not working, it's about giving money directly to poor villages for 12 years to provide what is similar to basic income but meeting fundamentally different needs in a very different part of the world. That said, I think it is a fascinating anthropological read.

We often do not realize how many layers of wealth we had to stand on to possess our current wealth.

hackathonguy 13 hours ago 4 replies      
"One estimate, generated by Laurence Chandy and Brina Seidel of the Brookings Institution, recently calculated that the global poverty gap, meaning how much it would take to get everyone above the poverty line, was just $66 billion. That is roughly what Americans spend on lottery tickets every year, and it is about half of what the world spends on foreign aid."

Love this.

chvid 1 hour ago 0 replies      
As a form of foreign aid giving money directly probably works well. But the idea that developing countries need basic income because of automation is just absurd.

If anything they need to get to work developing their country; those shacks are not going to be built by robots.

Fully developed countries on the other hand may face the situation where their country is so well run and have such a high level of automation and specialisation that there is too little work left for the population to be fully employed.

And thus they may lower their pension age, experiment with 30 hour work weeks, sabbaticals, maternity leaves, basic income and so on.

The countries that are closest to this are probably the Scandinavian countries. However at the moment they are all moving towards lower social transfers and higher pension age.

compareglobal 12 minutes ago 1 reply      
Imagine life where you enjoy your work so much that it becomes your hobby. And here's our solution: we're seeking for rockstar developers to join us in Hong Kong! Email me for more details: rasmus.kors@compareglobalgroup.com
Clubber 13 hours ago 7 replies      
The people with the wealth pay people for one reason and one reason only: they have to. Once they no longer have to, they will lobby the government to continue to lower taxes and squawk about laziness, welfare queens, and all that garbage.

This will go on for a few decades until there is an uprising of sorts, then those with the money will return to giving everyone else crumbs, or just enough to quell the uprisings. This will probably go on perpetually.

marmot777 12 hours ago 0 replies      
I got to this on my reading list finally, realizing my first impression that this was a piece promoting an organization called GiveDirectly, wasn't a sound impression (lesson: don't comment till you read the article). This is a higher level than that, it's testing Universal Income, frequently called universal basic income.

Public policy whether implemented by governments or by organizations should test, innovate, change, not just pick an approach and run with it as seems to happen with the largest programs here in the U.S. As far as I can tell there's not been much innovation in the implementation of the safety net since Johnson.

Like anything else humans try to do, there will be bugs, there will be blind alleys, there will be mistakes. Small scale testing is a necessary step so that a working model is ready for larger-scale testing or maybe it'll be found that the implementation will have to have configurations that vary according to local conditions and even just preferences.

I'm a Pacific Northwest guy perhaps out of touch with what Silicon Valley is up to, sometimes I'm critical, but for this initiative, I say thank you. I have no clue how I'd thank anyone for this so just in case anyone involved is reading my comment I would like to express gratitude for doing work that has a high probability of playing a part in making the world a liveable place for my young son and the rest of humanity in the years to come.

By the way, if you've got the chops to beta test UI any chance you could save the Amazon Basin?! Please.

agumonkey 1 hour ago 0 replies      
Work will have to be redefined. It's a psychological need to form teams and solve your needs or some others. That is the underlying basis.
NumberCruncher 11 hours ago 2 replies      
The African people would be much better off if we would stop selling them weapons and would pay a fair price for their work and natural resources. But hey, that wouldn't be a great PR action making headlines!
paulpauper 12 hours ago 0 replies      
It would seem like 'going to work' is becoming a thing of the past, at least for increasingly many people. Labor force participation at multi-decade lows. Gig jobs, welfare, disability, prolonged education, social security/retirement, and the 'underground economy' is replacing a significant chunk of the traditional job market.
praetorian84 4 hours ago 1 reply      
Interesting comment below the article regarding a government-run programme in Brazil trying something similar: "However, there is a trend of the part of these persons become dependent of this benefit and do not strive to change this situation..."

That was my immediate reaction after reading this. What about after the twelve years, when the donors ride off into the sunset? There are some encouraging stories there of participants using the money wisely, but not all will do so. You could argue that nobody is forcing them to participate, but it does seem at least a little ethically questionable. Particularly given the targeted demographic of a rural Kenyan community with (presumably - I could be wrong) low education levels.

temp-ora 9 hours ago 0 replies      
we do not use money because it makes sense. money exists in the form it takes today because of human nature. we think someone has to earn their food. we think a homeless person deserves a handout because they look like they are at least trying to get on their feet (or not when they don't). machine intelligence is not the only problem that our wealth distribution system is facing. we have faced massive inequality before, and are facing it right now, and no solutions have been implemented. and like all the trials of equality before it, the automation of jobs will result in the smartest and fastest humans owning the vast majority of wealth and influence while the rest of us sit in mud.
Sir_Substance 1 hour ago 0 replies      
This is a nice article, but I'd like to remind everyone that it's probably also native advertising.
rubicon33 13 hours ago 2 replies      
> "The research wing of Sam Altman's start-up incubator, Y Combinator, is planning to pass out money to 1,000 families in California and another yet-to-be-determined state."

Oh, really? Where do we sign up? I'd love to be able to build my business(es) without taking investor funds.

WheelsAtLarge 3 hours ago 0 replies      
Giving money is a great short term solution but we all know that free always has a limit. 22 dollars per month is a good start but at 22 bux they will never reach the standard of living we enjoy in the west. The goal should be to ensure that everyone has a job or business that provides the person a decent living.

I think that in addition to the money they should help with the following:

1) Education and the ability to get it at will. Financial education should be a priority.
2) Entrepreneurship, make sure anyone that wants to start a business knows what to do.
3) Security and the enforcement of the law thru a judicial system, both criminal and civil.
4) A working financial system. Make sure businesses and people can borrow money.
5) A way to go bankrupt that will let people start over. It should not be too painful for both creditors and borrowers.
6) A political system that works for the majority.
7) Community leadership that works towards the betterment of the town.
8) A tax system that will let the town provide items that no single person can provide on their own. It's a reality as painful as they are taxes and their prudent use help improve the community's standard of living.
9) Secure property rights. If someone owns something they should do with it what they want without infringing on the community's well being and no one should be able to take it away from them by force.

What gets me riled up is the inability to use the town's human capital. Giving free money will not help forever. If you could get people to work together they would eventually get out of poverty. Maybe the current generation might not but eventually they would be able to do it.

Dagwoodie 13 hours ago 3 replies      
Here's how I think the only possible way this will ever be realized: A non-profit organization will have one of the highest (top 10 to pick an arbitrary number) net-worths of any company on earth.
stagbeetle 12 hours ago 3 replies      
> As automation reduces the need for human labor, some Silicon Valley executives think a universal income will be the answer and the beta test is happening in Kenya.

This is not the situation I think of when I hear "basic income." Why Kenya?

> GiveDirectly wants to show the world that a basic income is a cheap, scalable way to aid the poorest people on the planet.


I was under the belief that only the middle class protested for basic income. It would have been more interesting if the "beta test" was done on educated/ first world persons, so we can finally get progress (or a full stop) on this debate.

I believe this idea wasn't thought out past the "we want to put on airs" phase. Is injecting capital into a system that relies on crime to keep afloat, really the best idea GiveDirectly could have come up with?

This is similar to the Toms fiasco where they would donate a pair of shoes to Africa for every pair bought -- it crippled the local fabrics businesses.

Perhaps if one wanted to fix the African economy, one would invest into economic think-tanks and their executionary tandems, instead of over glorified tax shelters.

woodandsteel 10 hours ago 3 replies      
It's interesting how this runs counter to the two dominant political ideologies in the US.

Liberals believe that the poor are too dumb and helpless to figure out what they want, so the government should do it, both domestically and in foreign aid.

Conservatives believe that the poor are poor because they are unintelligent and lack good values (or they are acting rationally in response to liberal welfare programs), and domestic and foreign programs should be eliminated in favor of religious missions.

What programs like this are finding is that the poor are intelligent and well-motivated, and they just need an opportunity to get out of the hole they are stuck in.

Let me add that, from what I understand, foreign aid programs can be very helpful in areas like public health.

temp-ora 9 hours ago 0 replies      
the title does not reflect the article and the article does not reflect the subject. like everyone else here, i did not read it because after dangling a few hard facts and conclusions in front of your face, the article goes off on tangents about the personal stories of people who are involved but not instrumental. this toxic mix of novel-style story telling and actual reporting has made these articles unreadable for me. people don't give a shit about the narrative of the stupid author or even people involved in setting up this whole thing -- people want to know how the experiment went! did it work? did the people end up being lazy and unproductive like all the ubi detractors say they will? but no, i cannot know these things without fishing through pages of garbage. and when i know someone else has already done it here in the comments to reap the karma, why on earth would i even click the link?
jayajay 10 hours ago 0 replies      
If every known resource acquisition task was automated, and the discovery of unknown non-automated tasks could be automated to be automated, we'd be post-scarcity and the concepts of working and income wouldn't be useful metrics anymore.

So, yeah machines are a big black hole and our jobs are doomed asteroids spiraling into the black hole. As they spiral into the singularity, humans will be displaced at an accelerating rate, and it will take more ingenuity and effort for humans to maintain "work". And, for what? In the asymptotic limit, the outcome should be no more jobs and "work" in the way we currently define them, and humans will be truly free to creative pursuits. Never shall a beautiful human mind be wasted on labor which a machine can do.

At some point, machines will be the dominant species pushing civilization forward, not us.

Until then, we're forced to work, we're forced into employment because our world does not simply give us what we want. Food and spears don't fall out of the sky, so we will waste our time hunting and farming until we figure out how to make those things "fall out of the sky".

fiatjaf 8 hours ago 0 replies      
Can someone summarize the results?
jimmywanger 11 hours ago 2 replies      
I think that fundamentally, the thing we're going to run up against is population growth.

I think history has proven that we can live in extremely wretched conditions. By giving money to people, are we going to be increasing their living standards or just creating more mouths to feed?

Note that the basic income only applies to whoever registers at the beginning of the program. Would that amount of basic income cause the population to explode, so that the per-capita amount of goods/money remains constant?

ImTalking 10 hours ago 1 reply      
Anything that reduces the oppression of women is a good thing. Freedom is the ability to make choices.
Real-time, collaborative Markdown editor with end-to-end encryption standardnotes.org
70 points by shrikant  5 hours ago   19 comments top 10
mobitar 4 hours ago 2 replies      
Here's a sample document: https://extensions.standardnotes.org/collab/doc/741ec80a-366...

Source is available here: https://github.com/standardnotes/collab-editor

The editor relies on an impressive client-side library called ChainPad, which uses blockchains as inspiration for determining the authoritative document after conflicts or many simultaneous edits. Typically operational transformation algorithms and systems to manage conflicts are handled by the server, precluding the possibility for end-to-end encryption.

However, ChainPad runs completely on the client-side, and is oblivious to the underlying text, thus allowing us to encrypt text client-side before broadcasting to other participants and the broadcast server. This is the first major effort I've seen for a real time client-side collaboration algorithm, and its use of a blockchain type structure is ingenious.

More info on ChainPad here: https://github.com/xwiki-contrib/chainpad

grogenaut 2 hours ago 0 replies      
One thing that scares me is that links look like they should be shared. So I think people would just be sending these links to the other person over open email. But the link IS the doc, and people will share it incorrectly. So it doesn't hit the server with the doc on it... but it hits facebook, gmail or snapchat so the other person can get it.
Kubuxu 1 hour ago 0 replies      
It uses the same base as Cryptpad [0] (Chainpad) which is created by the same people that created Chainpad.

It has more functions like a presentation mode [1]. The edit resolution is done client side and the "server" only relays encrypted messages. Alternative transports are in works, including WebRTC. Everything is open source on [2].

[0]: https://cryptpad.fr

[1]: https://cryptpad.fr/slide/#/1/view/xQOAr26XzkbKDNuXvXwL4Q/E-...

[2]: https://github.com/xwiki-labs/cryptpad/

cyphar 4 hours ago 1 reply      
> Since the encryption key follows the # symbol, it is never sent to the server.

This doesn't seem like a safe idea to me. While it's true that browsers don't send the # part of a URL when fetching a page, you can use JavaScript to get the value (in fact that's what this webapp is doing).

So what is the mitigation if someone manages to XSS the website and start snarfing the encryption keys for everyone's messages?

Really cool idea BTW.

KirinDave 3 hours ago 0 replies      
I'm a bit confused about ChainPad. Why use a blockchain here? Wouldn't treedoc be enormously better?

I confess to being a bit uninformed about how chainpad resolves editing being done in the exact same area by multiple people all at once. Treedoc handles this elegantly and with good performance. Does ChainPad?

I'd test myself, but since I lack friends it's difficult to do correctly.

akkartik 4 hours ago 1 reply      
I recently came across CryptPad: https://news.ycombinator.com/item?id=12566326
franciscop 4 hours ago 0 replies      
The back button seems broken so you might want to check on the History API. I understand you need a pure JS redirect for generating the encrypted URL so that would seem like the best way to go. Otherwise you could also do:

- Add a button in the main page that generates the page in-the-spot.

- Add a button in the middle page that generates the page when clicked.

Edit: removed dupe link so added more content

tracker1 4 hours ago 1 reply      
Nice... though would be cool to have an integrated preview on the right-side of the screen.
chuckdries 2 hours ago 0 replies      

I've been using Standard Notes for my normal note taking for a while now. Cool stuff.

nathancahill 3 hours ago 0 replies      
US billionaire backed Brexit using AI and Facebook data theguardian.com
42 points by jsvaughan  1 hour ago   18 comments top 6
BillyParadise 1 minute ago 0 replies      
Extraterritorial corporate interests manipulating a decision arguably more important than a single election?

Please, help me explore how this is significantly different than the Russia vs US election issue on the other side of the pond.

tomp 13 minutes ago 0 replies      
Here is a fascinating (yet very long) account from one of the leaders of Vote Leave campaign, he details the use of Big Data as well.



gaius 6 minutes ago 1 reply      
I am pretty sure that no-one's vote was swayed in either direction by either campaign and that every penny spent by both sides was wasted. Whether you are Leave or Remain, that is driven by underlying fundamentals, not by abstract arguments about balances of trade...
doctorstupid 18 minutes ago 1 reply      
It's clear that Facebook and its ilk are becoming the gatekeepers to elections and social movements. China must have foreseen this long ago when it blocked them. The means are now in place to steer the governments of the democratic world in the directions preferred by those able to pay Facebook. As an increasingly political group of corporations, perhaps these new social gatekeepers will one day like to do a bit of steering towards their own goals. After all, cybernetics is the art of steering.
kkleindev 23 minutes ago 1 reply      
What makes a person like Steve Mercer, being extremely well educated and highly successful take part in such dubious procedures? Will a personal experience drive one into being involved in Breitbart and such or is clinical financial calculation fueling such decisions?
brad0 35 minutes ago 4 replies      
It's depressing to see how our opinions are collectively shaped to further someone's agenda.
Ask HN: What is so great about Bloomberg Terminal?
89 points by sreenadh  4 hours ago   31 comments top 21
hazard 2 hours ago 2 replies      
It brings together a vast variety of otherwise extremely hard to find information. The keyboard is specialized because it literally reduces the number of keystrokes required to quickly access financial information. This is a business where seconds matter - even when you have humans talking to other humans to negotiate trades.

Literally almost every piece of useful financial information is available via bloomberg. And I don't mean relatively basic info like "What's the current yield the Apple 3.85% of 2043?" or "What's the current CDS spread for Citibank?" that you can easily google for but also stuff like "Which oil tankers are in for repair right now, and what are their capacities?" and similar info on power plants, international agriculture, equities, interest rates, etc.

Experienced bloomberg users have their most-used keystrokes in their muscle memory. Less experienced users can hit F1 twice and immediately be connected to a live bloomberg rep who will research your question for you (although it may take 20 minutes for them to figure it out).

Bloomberg Chat is also extremely important, as others have mentioned.

nostrademons 4 hours ago 2 replies      
I think most of your questions can be answered by realizing that Bloomberg was founded in 1981, and they basically got a monopoly in financial data provision because there were no other options in 1981. That is why they have a custom monitor & keyboard: in the days before the IBM PC, everyone had a custom monitor & keyboard, because these things were not standardized. Bloomberg was a technologist & businessman before he was a politician; his business success gave him the money to run for office, his office doesn't force people to pay for Bloomberg.

The reason they're still a monopoly is because knowing how to navigate a Bloomberg is a critical skill for most finance professionals, and now that they have that skillset, they can be very productive moving around in it. A different (better?) UI would require they re-learn everything, which is not going to happen. And when financial professionals are making half a million a year, paying $24k/year for a terminal so that they can be productive isn't a bad investment.

(Source: have a couple friends at Bloomberg. One is in their UI department, and keeps having his proposals for better UIs shot down for business reasons. Also married a financial professional who had to use a Bloomberg in her days as a bond trader.)

matco11 1 hour ago 0 replies      
Bloomberg (the company) became the de facto standard in the financial industry decades before Mike Bloomberg became a politician.

Mike Bloomberg started the company because while working at Merrill Lynch (in the 80ies) he thought the computer terminals banks used at the time to see stock and bond prices were ridiculous. He got funded by Merrill Lynch and disrupted the industry, overtaking rivals like Reuters (which well into the 90ies was usually considered the most trustworthy source for stock data).

You needed their special hardware only until the late nineties (the "Bloomberg box" - consider that up until around 96 or 97, only few employees would have internet access on their desktop, even inside "bulge bracket" investment banks): nowadays, you can get Bloomberg terminal on their workstation or on your own hardware. Likewise, you can run it on a dedicated connection, or on your normal internet line.

The key element of Bloomberg terminal is reliability: it feeds data you can usually trust and price feeds you can almost certainly trust. When you are checking prices changing several times a second across exchanges in different part of the world, that's no easy feat. That's crucial when millions of dollars are at stake.

Second is the ability to access 80% of the data and information you would ever want to check without leaving the terminal.

Third ingredient is ease of use.

Fourth is incredible customer service.

Fifth is innovation: they continuously innovate, improve old features, add new features, introduce access to new data/information.

Once you remove the cost of the underlying live price feeds (from stock exchanges), the Bloomberg terminal is not that expensive for what it does. Bear in mind its customers are people that spend their day optimizing their financial decisions: if there was something cheaper working as well, they would go for it. If there was something working even better, they would go for it, probably even at a higher price point (because that's how the economics in the banking and investing world work).

Fun read: https://www.fastcompany.com/3051883/behind-the-brand/the-blo...

unixhero 24 minutes ago 1 reply      
You are looking at this from a computer engineer's point of view (perhaps). However, if you look at it from the world of finance, access to a data broker with up-to-date (seconds) information where you can also chat with major bank traders and hedge funds, the package is very complete.

Data brokers. Not a regular thing in comp.sci, but very much so in the world of finance.

rl3 56 minutes ago 0 replies      
315,000 subscribers paying north of $20,000 per year, as of 2013.[0] Whoa.

[0] https://qz.com/84961/this-is-how-much-a-bloomberg-terminal-c...

princeb 1 hour ago 0 replies      
it's everything:

- news articles

- squawk

- economic data releases

- historical and live market data

- asset pricing

- charts and analytics

- click trading

- trade execution and transaction cost analysis

- trade order management and post trade processing

- portfolio and risk management

- alerts

- chat

- mail

- Excel integration

- amazing stuff like DINE<GO>, FLY<GO>, and POSH<GO> (lol)

there's probably a ton more stuff that i don't use and don't know. bloomberg is a mile wide and a mile deep in some areas.

you can get any of these features individually from plenty of service providers in the market. some are less specialized and cheaper and some are more specialized and more expensive. if you don't want to manage fifty different contracts with different service providers bloomberg provides a one-stop shop.

bloomberg is more than just data now. it wants to be absolutely everything that a financial firm needs - front office, middle office, back office.

brentis 2 hours ago 0 replies      
It's a good question. There are many reasons - and I don't think the speed of information is the real one. I almost left a single word response - "chat" - but think it is more complicated.

Another aspect is trust. If you are trading billions you want the information/trade data "currency" everyone else uses. I built backends converting MBS bid to yield and if it wasn't tuned to a 1/16 or better of Bloomberg, it wasn't usable.

Bloomberg also offers custom studies like "fear/greed" which may have some value.

TR/Thomson Reuters also has a competitive product for much less and you can't really go wrong with either for 99% of use cases.

There are also many stand alone news sources you could use. Benzinga comes to mind as one example.

Interesting note - Bloomberg is highly protective of their IP and has been known to write takedown notices of screenshots posted online.

// built 2 SaaS Fintech systems

markatkinson 34 minutes ago 0 replies      
I used to work for Bloomberg. They bring together countless data feeds, analytical tools, some analysis and news into one central location. They pump a lot of money into these data capturing efforts. They hire hordes of data capturing grunts to trawl the web for renewable energy projects and heavens knows how many more to process financial statements.

I suppose at the end of the day even though they do all this I'm not 100% sure they do it very well. I don't use the terminal or claim to know how, but it seems to have become an essential tool for many people in the finance industry.

Although after all that I know there is a joke going around that the main reason most people fork out for the terminal is for the chat functionality.

tezza 3 hours ago 1 reply      
* Bloomberg Chat

* It is a well accepted reference. You will often see a screenshot of a bloomberg terminal as "proof" of something

jowalski 1 hour ago 1 reply      
Well, the monopoly aspect has had a limiting effect on a few things I've been involved in, at least in government/quasi-government. Given that some data series I've used are only (? or most conveniently) available through the terminal, it has meant having only half-automated tools. You always still need to do a weekly walk down the hall to a terminal followed by a lengthy boot-up on an old box, entering of password, opening of spreadsheet. They tend to lock down those machines too.

While I guess there are APIs, I don't get the impression they're easy to just integrate into any old workflow if the terminal is down the hall or even on the other side of your desk. It's all linked to that terminal, no? Pretty annoying if you ask me, from a programmer's standpoint. Not to mention another case of closed, proprietary tech in the financial sector.

greenyoda 4 hours ago 0 replies      
It's more than news. It also provides real-time financial data, access to trading, and a way to securely communicate with other traders.

You can find some background here on what it does:


sz4kerto 43 minutes ago 0 replies      
Chat. In other words: whoever matters is accessible through it. It's an integrated platform for trading that also includes 'social', you can do every bit of your workflow there -- communication, sales, research, trade.
ry4n413 3 hours ago 0 replies      
It's fast in terms of the time it takes from press release to screen, total news coverage is unrivaled (Reuters you could say maybe), forgot how many trillions of dollars they control all together. Bonds they are the king, tradebook, their international financial data is a little rough, and their sales force is relentless. Try to sell me a god damn terminal every time. Also they were ahead of the pack regarding supply chain data, graph modeling, they are moving into Law.
rodionos 3 hours ago 0 replies      
The terminal is the 'last-mile' endpoint in a centralized system that delivers real-time data to subscribers with low latency and actually allows them to take action on data. Low latency is what sets it apart from closest competitors such as Reuters.

The ability to trade is perhaps not so important these days given the advent of algo trading/stat arb, but it serves to emphasize the point that there is more to the terminal than just viewing the data.

dustinkirkland 34 minutes ago 0 replies      

$ apt install wallstreet

$ wallstreet

I created that for Ubuntu, as a follow-on to:

$ apt install hollywood

$ hollywood

Purely for fun. Try it!

seesomesense 20 minutes ago 0 replies      
"BMAP is the coolest.

Pulls up a global map with "near-realtime" locations of cargo ships, offshore oil derricks and wind farms, tropical depressions and hurricanes, uranium mines, all kinds of crazy stuff.

You can zoom in on the Panama Canal and see which oil tankers under whose flag are waiting in line to pass through, where they're going and how much oil they're carrying.

You can sort the world's ocean-going cargo vessels by commodity, to see where all the orange juice is."


kgwgk 2 hours ago 0 replies      
You are not paying for the hardware, you're paying for the platform and data. The monitor is a regular monitor (and I think it's only marginally used). The keyboard has a few extra keys which are convenient but not absolutely required (you can also use Bloomberg on a laptop).
Marazan 2 hours ago 0 replies      
It's not the terminal per se, it's the information it is connected to.
afeezaziz 3 hours ago 0 replies      
Network effects especially for the chat function. Most of other functions are easily replicated by Reuters Thomson, one of Bloomberg's competitors.
jzwinck 1 hour ago 0 replies      
I worked there for quite a while. I'll try to address some of your specific questions directly.

> it's just a portal that gives the news

A portal? Bloomberg News has its very own reporters (and jourobots). They investigate and write original content. People usually don't buy the terminal (~2000 USD/month) only for that, but if they do, they can read everything directly in the terminal.

> What I don't get is why have a custom monitor, keyboard?

The monitor is, these days, only about branding. Ten to fifteen years ago, Bloomberg offered good-quality LCD screens with integrated mounting arms for 2 or 4, at a time when that was a pretty high-end setup. As LCD screens became cheap and ubiquitous, many users don't have the Bloomberg ones, but they still have the Bloomberg keyboard. It's useful because it has special labels for a few hotkeys, plus some of them have extras like fingerprint readers. If you lack the special keyboard you can press Alt+K on any keyboard and the terminal will show you a graphic of the special keys for reference.

But to really understand why they have a special keyboard, you need to look back a good long while. That's covered here: https://www.fastcompany.com/3051883/behind-the-brand/the-blo... - the gist is that a "Bloomberg terminal" used to be a real terminal, connected to a magic box on the customer premises (which served several terminals). There have been many, many iterations of the terminal hardware, from a dedicated proprietary box, to software running on Sparc workstations, to software running on Windows, with the keyboard becoming more like a PC keyboard around the turn of the century.

> is it a VPN

No. Traditionally, customers connect their terminals back to the Bloomberg service via leased lines (i.e. not the internet). But for many years now you have the option of using the internet, though not everyone wants that.

> The cost of the product is ridiculous.

The cost of the product is much less than what some customers would be willing to pay. Most customers pay about the same monthly fee, regardless of where they are in the world, regardless of their corporate income statement, etc. So yes, it seems expensive to people who wouldn't get that much out of it. Some schools get a discount.

> Is there a cheaper alternative that does not require specialised hardware?

Bloomberg does not require specialized hardware at all. You can install it on any Windows laptop, and you are more than welcome to do so. As for cheaper--yes, there are lots of things which are cheaper, but you will be hard-pressed to find any combination of those which is still cheaper and yet does most of what Bloomberg does (i.e. has similar quantity and quality of data, and applications built up).

> I know Bloomberg is a politician

He is now, but he was not when his company went from 0 users to 100,000 users.

seesomesense 3 hours ago 0 replies      
Symphony was marketed by Goldman Sachs and Blackrock as a $15 Bloomberg killer, but still has not gained much traction. Bloomberg provides real-time data feeds, analysis tools, real-time secure communication with other traders, news and entertainment. When you are looking after AUMs of tens or hundreds of billions, $24,000 a year for a Bloomberg subscription is negligible.

"Potential users don't want to get onboard unless all the other people in their ecosystem are on the service. That dynamic obviously keeps most people from joining Symphony. Most everyone working in financial markets is already on Bloomberg, and it would take virtually everyone leaving at the same time to give Symphony critical mass.

I think Facebook is the best comparison, Ayzerov says. If Facebook had only one fourth of your friends, you wouldn't use it. The advantage of Bloomberg is that every financial person has it."

See http://www.institutionalinvestor.com/article/3572874/banking... for some of the obstacles that Symphony faces

The Google project to put an aquarium full of water bears inside a phone venturebeat.com
135 points by seycombi  13 hours ago   62 comments top 16
PepeGomez 26 minutes ago 0 replies      
The line between microdosing and tripping balls is thinner than many people realize.
patsplat 4 hours ago 0 replies      
The main thrust of the comments so far are negative, but in my opinion this was a great idea.

Phones are personal devices. Plenty of time is spent on smoothly machined surfaces, wood cases, etc. A little biosphere is a beautiful idea, and likely cost a fraction of the overall project.

rdtsc 7 hours ago 0 replies      
This is like the rumor of 1970's platform shoes filled with water and fish floating inside.

But to be serious here are some of the other modules they planned on:


And yeah some look pretty cool, a scale, iris detector, a better microphone and speaker, laser range finder, smoke detector (but could imagine perhaps other hazardous materials). Might think of other specialty application, but the problem is in any of those fields, there are probably higher quality tools already available not tied to an experimental expensive phone. They'd have to first make the phone as ubiquitous as an iPhone then start selling add-ons. Not make add-ons as a major feature of the phone.

But tardigrades just seems like a way to get someone in management to notice and say "Wait wut, we are spending the money on this? Somebody, please defund this project".

Animats 11 hours ago 3 replies      
I saw that in a list of Ara modules. They had real trouble coming up with useful modules to justify the thing.
gravypod 10 hours ago 1 reply      
These sealed aquatic systems are really cool. How do you go about finding out how much of everything you need to put in them for long term survival?

Can the biological processes of these simple organisms be modeled as chemical equations and all you need to do is balance them out and solve for the mols of everything you need to pour in?

WheelsAtLarge 4 hours ago 1 reply      
We might have hit peak phone. As much as I try I don't get the reasoning on this one. How is it that these top techs could not find a better idea?

Forget the aquarium, how about a really strong microscope. Or a portable testing lab or a television or some kind of art project.

kartickv 6 hours ago 1 reply      
Sad to see Ara die. I don't understand why they took three years to realise the path they were pursuing didn't work. Why couldn't they figure out earlier so they still had time to do something that works?

Google should have pursued a less ambitious and more practical version of the idea. Instead of making everything replaceable, maybe just identify one component that would be. Like the camera. Why do I have to buy a new phone if all I want is a new camera? Would a phone with only one or two replaceable components be feasible to build, and not impose too many tradeoffs?

The Ara team pursued the "everything should be replaceable" dream for too long, and failed. I wonder if a limited version would have been feasible.

It doesn't make sense that you should buy a new smartphone, priced at as much as 80K ($1000) even if all you want is one new component. Imagine if you had to buy a new laptop for more storage for your movies, and external hard discs didn't exist. Or a bigger screen, when you could use an external monitor. And so on.

labster 4 hours ago 1 reply      
Those poor tardigrades would be killed by all of the dangerous radiation coming from the phone.

Just kidding, they'd be killed by the dangerous conduction from the phone. The little guys can't handle the rapid heat changes caused by the battery and CPU.

yeukhon 4 hours ago 0 replies      
It would be cool if in the future a device can scan (real life scene, blood, piece of chalk) anything and tell you the composition and everything you ask. Think Pokedex and those fictional gadgets in sci-fi movies.
alexandersingh 6 hours ago 0 replies      
Coming across the Lapka concept for Project Ara[0] made me realize that the problem was to market this as a "phone" in the first place.

Few people are willing to take the risk on a phone with an entirely new form factor, let alone an entirely novel premise, and no one would carry two phones around in their pocket.

It seems like they missed an opportunity to position this as a customizable mobile computing platform. Or perhaps they did and thought it was too niche.

[0] https://medium.com/@my_lapka/lapka-x-project-ara-78fc5fe9f50...

1001101 8 hours ago 1 reply      
Would make an interesting random number generator (which are tough to find on some systems). Waterbears are rad hard as well :) Would be tough for Mallory to "reduce their entropy."
frozenport 1 hour ago 1 reply      
Seven engineers? Isn't that a million dollar a year project?
xyzzy4 9 hours ago 2 replies      
Sounds like they are doing great things with investors' money.
sandworm101 7 hours ago 4 replies      
Cruelty to animals. I eat meat but do not like seeing anything suffer for purposes of amusement. These are small, but mistreating even insects can be a crime in the US (specifically if you film it). Give them a digital version and leave the actual animals out of such displays.
webwielder2 11 hours ago 1 reply      
Is this the innovation that's supposedly lacking at Apple under Tim Cook?
maxander 8 hours ago 2 replies      
"Hey, the Ara is going nowhere, but it would be a shame to not get any return from it... Lets see how many click bait blog articles we can generate from it!"
Carl Bildt: The truth about refugees in Sweden washingtonpost.com
32 points by imartin2k  1 hour ago   4 comments top 3
redsummer 18 minutes ago 0 replies      
Asylum seekers are now 2-3% of Sweden's population. If the US did the same thing that would mean 10 million people. (Israel, next door, has taken in zero)

The people coming in now are completely different from Balkan refugees, Persians and Lebanese. In the case of the Balkan refugees, they were European. And the Persians were fleeing from an Islamic theocracy - they didn't share their values. Ironically, it was a woman of Christian Lebanese descent who was murdered by these new arrivals: https://en.m.wikipedia.org/wiki/Killing_of_Alexandra_Mezher

Bildt mentions Spotify and Minecraft, but the new arrivals are making a different use of modern technology: http://www.independent.co.uk/news/world/sweden-facebook-gang...

Carl Bildt has his head in the sand. Look at these most-wanted pictures from Sweden and Denmark: https://www.interpol.int/notice/search/wanted/(RequestingCou...


Try not to notice any patterns, since that would be crimethink.

tobltobs 37 minutes ago 0 replies      
"I suspect that his [President Trump] actual knowledge of the issue is extremely limited. If it were not for the massive turmoil that could ensue, I would urge him to skip one of his golfing weekends and come to us and see for himself."
tomjen3 29 minutes ago 1 reply      
Yet almost every weekend somebody is getting shot in Malmö, in one area of the city the police gets rocks thrown at them by organized groups of youth when they show up.
RIP LivingSocial: The fast rise and slow demise of a daily deals company washingtonpost.com
17 points by dannylandau  5 hours ago   4 comments top 2
swang 1 hour ago 1 reply      
> As executives reflect on LivingSocial's fatal moment, all point to a security breach in April 2013. Hackers gained access to the account information of 50 million subscribers, and LivingSocial forced all of them to reset their passwords. About 20 percent never came back.

I don't know how they came to this number, but at least it's something to point to when the c-level executives decide password security is something that they can just skip doing. Obviously part of that 20% is just dead accounts but still, something to show next time you're in this situation.

pmiller2 1 hour ago 1 reply      
What does a $0 acquisition even mean? What would the purpose be?
Fingerprinting Firefox users with cached intermediate CA certificates shiftordie.de
69 points by jwilk  10 hours ago   5 comments top 4
progval 1 hour ago 0 replies      
It reminds me of the HSTS Super Cookie https://github.com/ben174/hsts-cookie
JoshTriplett 6 hours ago 1 reply      
This is brilliant, especially the idea of loading content from correctly configured sites to set bits, loading incorrectly configured sites to test bits, and using an error-correcting code in case the user happens to visit some of the correctly configured sites before returning.

The right fix would be to either always fail a site load that doesn't serve the right intermediate certificate, or do what Chrome and IE do and always find and load the intermediate certificate.
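
The two fixes suggested in the comment above can be checked against a small model of the browser's chain-building behaviour. This is an added example, not code from the linked article or from any commenter; the CA names, the three policy labels and the model itself (which ignores timing differences) are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import combinations

# Constructed intermediate CA names; each stands for one cacheable certificate.
INTERMEDIATES = ["CA-A", "CA-B", "CA-C", "CA-D"]

# "cache":  remember intermediates seen in complete chains and reuse them
#           to repair incomplete chains (the behaviour the thread discusses).
# "strict": always fail a load whose server omits the intermediate.
# "fetch":  always find and load a missing intermediate on demand.
POLICIES = ("cache", "strict", "fetch")


@dataclass
class Browser:
    policy: str
    cache: set = field(default_factory=set)

    def __post_init__(self):
        if self.policy not in POLICIES:
            raise ValueError(f"unknown policy: {self.policy}")

    def load(self, intermediate: str, complete_chain: bool) -> bool:
        """Return True if the certificate chain validates and the load succeeds."""
        if complete_chain:
            if self.policy == "cache":
                self.cache.add(intermediate)
            return True
        if self.policy == "cache":
            # Success depends on earlier browsing: this is the leak.
            return intermediate in self.cache
        # Outcome is independent of history under both fixes.
        return self.policy == "fetch"


def observe(policy: str, history) -> tuple:
    """What a page sees when it probes one incomplete-chain host per CA."""
    browser = Browser(policy)
    for ca in history:
        browser.load(ca, complete_chain=True)
    return tuple(browser.load(ca, complete_chain=False) for ca in INTERMEDIATES)


def distinct_observations(policy: str) -> int:
    """Count distinguishable probe results over every possible history."""
    histories = [
        h for r in range(len(INTERMEDIATES) + 1)
        for h in combinations(INTERMEDIATES, r)
    ]
    return len({observe(policy, h) for h in histories})


def only_sets_bits(before: tuple, after: tuple) -> bool:
    """True if no probe went from success to failure between two observations."""
    return all(a or not b for b, a in zip(before, after))


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, distinct_observations(policy))
```

Under the caching policy every history is distinguishable, while both fixes collapse all histories to a single observation. Ordinary browsing can only turn a failing probe into a succeeding one, which is why the comment mentions an error-correcting code.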

Sami_Lehtinen 49 minutes ago 0 replies      
I've been asking browsers to provide per tab security isolation for a long time. Would make many of the attacks much less efficient. Each new tab should be clean as well as closed tabs should get destroyed.
Tharkun 58 minutes ago 0 replies      
Is there a way to clean up cached (intermediate) certs without having to nuke your entire firefox profile?
How RCA Lost the LCD (2012) ieee.org
47 points by centerorbit  9 hours ago   6 comments top 3
leoc 1 hour ago 0 replies      
Also covered in Chapter 3 of We Were Burning: Japanese Entrepreneurs And The Forging Of The Electronic Age by Bob Johnstone http://www.goodreads.com/book/show/2135359.We_Were_Burning .
petra 4 hours ago 1 reply      
So all RCA had to do was to solve the innovator's dilemma and fight for the future something like 20-30 years in advance?
metaphor 7 hours ago 1 reply      
FYI this Spectrum article dates back to November 2012.
Ask HN: How do you deal with loss of motivation?
172 points by rampipod  6 hours ago   78 comments top 54
conceptme 2 hours ago 1 reply      
"I need to find something with purpose, big money, and satisfaction."

I think you need to be more realistic, sorry but you sound a bit like a child, everybody is dumb and doing useless things except you the little snow flake who comes to save the world and will be a billionaire if only he was recognized.

hueving 5 hours ago 2 replies      
> I need to find something with purpose, big money, and satisfaction.

Consider giving up the big money requirement and your options will open up significantly. At companies like Google and Facebook where you get the good pay, there are very few roles that get to work on the super interesting problems so they are hard to get. Most likely you will end up working on data migration tools, front end interfaces for existing systems, account life cycle tooling, etc that may be interesting at first, but they aren't that satisfactory in the long run because you'll realize you're a very small cog that can be easily replaced.

If you give up big money and join a startup (even mid sized), your impact can be a lot more tangible and satisfying. Programming for government/industry research can also be pretty satisfying but the pay is much lower (e.g. I worked for an academic consortium on HPC networks and really felt like I was improving tooling for cutting edge science).

dbrunton 5 minutes ago 0 replies      
Find someone to help.

Preferably, this will be someone at work. Either someone in your job who's as stuck as you are, someone in the next layer up who needs a boost, or someone in the next tier down who needs a hand. It will be your next big challenge, to recognize that someone else needs help, to determine what kind of help that is, and to offer what you can.

Your only measure of success is whether that person succeeds.

The three benefits to taking this approach are:

1) it's easier to objectively measure whether what you're doing is working

2) you get to practice helping yourself, on someone else!

3) it will help you stop being an asshole, which is probably something you're doing

I hope you try it. It doesn't take very long, maybe just a few weeks, but don't hesitate to try it a few times.

Good luck!

kabdib 28 minutes ago 0 replies      
I had a very long post about humility and emergent leadership that I mercifully just lost to an errant keystroke. I won't attempt to duplicate the deathless prose and deep, though humorous anecdotes from my work history that I dredged up as evidence. Lucky you.

Let's just say that the worst leaders I've worked under have had the certainty that they were Leaders, that they were somehow born to it, and that they were surrounded by idiots.

If you truly are surrounded by idiots, get out fast. This will work out well no matter the true situation:

1. If they are idiots, you'll be pushing a rope. You can't save them. Do your best elsewhere. Unless you're an investor, who the heck cares? Just another ship going down.

2. If they aren't idiots, but you only think they are, it will end badly, and it's best ended early.

The only way that a King of the Idiots gig ends well for you is when they pay you a pile of money to leave because they can't fire you because of bad press or something, and most people won't even be in a room with people who are at that level.

leoh 5 hours ago 1 reply      
Something that has helped me a lot with motivation is figuring out how to calm down my nervous system, for example, with a good massage, a yoga class that encourages holding poses for longer periods of time (Iyengar-style), meditation, and reading offline. It's really easy to be "on" all the time, even when you are not feeling particularly motivated; for example, being on the internet is often over-stimulating and leads me to feel a lot of fatigue and a lack of motivation. There is no one solution. I would be wary, however, of pushing myself into doing something just because it's impressive or exciting. Acting from a place of centeredness is always more fruitful. There is no one solution. Best of luck to you.
webmaven 6 hours ago 0 replies      
First, if work is not challenging, you can make it challenging. For example, challenge yourself to automate every aspect of your job. It will give you something interesting to work on, you will learn a lot (and not all of the lessons will be technical), and you will have some tangible accomplishments to point to (whether that is efficiency, uptime, cost savings, ...) during your next conversation about being given more responsibility and authority.

Second, as you noted you can find challenges outside of work (particularly with all the free time your automation has given you. |-D

You could try for getting into MIT or Stanford, but you could also simply take the courses you are interested in. Learning something new is a great motivator, I've found.

Then again, so is crushing your enemies, seeing their men flee before you, and hearing the lamentations of their women.

But I digress.

Another possible creative outlet & source of inspiration is participating in open source, up to and including starting your own project (which might be part of your automation platform, or something completely different).

Or get a non-tech hobby. Drawing, painting, knitting, dancing, a sport, volunteering at an animal shelter, gourmet cooking, write a novel, learn a new language etc. I personally find gardening to be a great way to recharge my mental and emotional batteries.

Good luck!

cel1ne 10 minutes ago 0 replies      
Let me quote from the internet:

Fuck motivation. It's a fickle and unreliable little dickfuck and isn't worth your time.

Better to cultivate discipline than to rely on motivation. Force yourself to do things. Force yourself to get up out of bed and practice. Force yourself to work. Motivation is fleeting and it's easy to rely on because it requires no concentrated effort to get. Motivation comes to you, and you don't have to chase after it.

Discipline is reliable, motivation is fleeting. The question isn't how to keep yourself motivated. It's how to train yourself to work without it.

dandersh 4 hours ago 4 replies      
You're not motivated because you did not get what you wanted (leadership position) and you identify yourself as being superior to those who are in your position (dumb, working on useless things).

Motivate yourself by either pulling up those around you or leave for what you really want to do.

koonsolo 40 minutes ago 0 replies      
It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life, daily and hourly. Our answer must consist, not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual.

Viktor E. Frankl, Man's Search for Meaning

comeon3 2 hours ago 0 replies      
> I wanted a leadership position at my company, but I was hired for a position that has no decision making power at all. Everyone here seems dumb and working on a few useless things.

> I need to find something with purpose, big money, and satisfaction.

> I have tried being altruistic, but I ended up on the receiving end. I now presume that everyone is selfish and will not think for a second they get better deal. Hunt or be hunted - Frank Underwood

I guess you believe that you were meant for something greater here in life and that people should treat you like the natural leader you are. Am I right?

I'll say that there is a very big risk that you have narcissistic tendencies and looking at your comments from an employer's perspective, I would be very, very worried.

rdtsc 6 hours ago 0 replies      
> Lately, I don't feel motivated about anything. Job is okay and I just switched about 8 months back.

I wonder why you mentioned "job" as your first driver for motivation and happiness. What about other parts of your life besides the job? Now I imagine since this is HN you probably only shared about that part, but I hope there is more to it - relationships with family, friends, significant other and so on. Hobbies (go to local meetups about your favorite technology), maybe other interests like sports. Someone mentioned other stuff like helping others: mentoring perhaps, a soup kitchen (I did that for a while, it really changes your perspective on a lot of things and challenges some assumptions).

> I need to find something with purpose, big money, and satisfaction.

That won't sit right with a lot of people. It is good you are honest though. But be prepared for people to focus on that. So you already make good money it seems but you feel you deserve big money? Why do you think you deserve to be in a leadership position and making big money?

> was hired for a position that has no decision making power at all. Everyone here seems dumb and working on a few useless things.

Now imagine if you made big money and still had no decision making power? What if you made less money but had decision making power? Which one would make you happier?

cammil 1 hour ago 0 replies      
You should only do things for love OR money, but not both.

Don't spread yourself thin serving two masters. Serving one, often brings the other, but both should not be your goal.

If you do things for love, and also seek out money, your art will suffer. If you do things for money, but try to do more of the things you like doing, you will fail to do the hard things that bring you financial success.

Pick one. Love or money. Commit to that.

ne01 4 hours ago 2 replies      
In my opinion,

Complete lack of motivation is the result of mental congestion.

Start emptying your mind! Delete all good and bad memories! Don't worry about the past and don't be afraid of the future.

What you have right now is not what you really want! That's why you are not happy!

Just empty your mind and you'll find what you really want!

And we always have motivation for the things we TRULY want!

hentrep 6 hours ago 0 replies      
You alluded to this with mention of interest in a leadership position at work, but what are your near-term goals in life? Make a list, devise a strategy, and focus a portion of each day stepping toward those goals. Be careful and explicit in drafting these goals. For instance, "Become wealthy" isn't as clear and actionable as "Increase my income by $500 per month."

Are you focused too much on work? When is the last time you took a week or two off just to mentally reset? How is your social life? I was interested in a specific field a few years back, but I had zero friends or connections in said field. I started a meetup group around the topic, grew it to 1500 members in just over a year, learned a TON about the field in the process, and made invaluable and exclusive connections that would have been otherwise very difficult. It was a beautiful blend of social and professional advancement and I highly recommend something similar.

Last point: if you're considering grad school, be aware that this is much more accessible and palatable early in your career vs. late. If you have a shot at getting into an MIT or Stanford, why not give it a whirl? It isn't necessarily the degree that is of value, but the high-end network you'll obtain in the process.

Keep your head up -- motivation will ebb and flow throughout your life. This is normal and a sign that change is in order.

buzzybee 25 minutes ago 0 replies      
Nothing happens if you don't make it happen. It's that simple, but this also means that you can't use the easy indicators for feedback. Everyone is waiting on the social approval, they got hired into a designed role that coddles and limits them, and so did you. That's why they and perhaps you look "dumb".

Go seek out a good conversation. About anything. What you should be doing now is finding ways to dream bigger.

WheelsAtLarge 5 hours ago 0 replies      
What you are learning is that money does not buy you happiness. Clearly you accepted a job you really did not want for the security and the salary.

I can think of 3 options in your case. 1) Keep your job and find fulfillment doing something else on the weekends and free time such as hitting a hobby hard. 2) Keep your job and figure out how to get to the top. This option means you'll have to become a master at social skills. Learning more techie stuff will not help you. Top decision makers are NOT the most technology savvy but they are the best at managing people and getting the most out of the team. 3) Start finding the job you want. It might be less money or not as safe but at least it's something you enjoy.

"I need to find something with purpose,big money, and satisfaction."

That's what we all want but you won't get it unless you are willing to take some big chances. So decide what to do and do it. You can't start at the top but you can get there and find all 3. You might fail but there's a possibility of hitting it big. If you go this route make sure you make a plan and decide now how to deal with adversity.

Good Luck!

dnautics 59 minutes ago 0 replies      
you're not motivated because you put a lot of effort into something and your brain had a huge expectation miss; in other words it trained itself that 'effort is pointless'. My suggestion is to do a lot of very small things (that you know will work) that ramp up small successes and retrain your brain to appreciate effort.

I'm currently going through what would probably tear many people apart - out of money (literally had no money last week since I sold the last of my bitcoin to stay afloat and it didn't hit my bank account quickly enough), applied to several jobs in SV, all turned down because "they're looking for someone more senior", tried to start a company, couldn't find funding, can't finish some biochemistry work that I've been doing because I can't pay for the equipment I need... The part time coding job I took on still hasn't paid me for January's work...

But I have a bunch of small projects that keep me going and while it is slightly harder to get up in the morning, I am still productive. (I just wrote a library that transpiles Julia into Verilog)

throw_away_777 6 hours ago 0 replies      
The easiest way to make big changes is to make a lot of small changes. Try to focus on small improvements you can make and work towards them. Don't get frustrated if progress is slower than you expect.
failrate 5 hours ago 1 reply      
For the depressive affect I consume St. John's Wort and L-Carnitine and I use a sun lamp. For the creative side, I ensure that I work at least 15 minutes a day on a creative project outside of work hours. At work, I strive to improve the overall quality of my environment. Remember that if you dress well and act confidently, people become remarkably deferential (i.e. even though your role may not technically have any decision-making power, if you are confident and reliable, people may start to look to you for your opinion on decisions, and so on).
CodeWriter23 4 hours ago 0 replies      
I've been driving for Lyft to cover cash flow gaps in between freelance gigs. Nothing like sitting on my ass in traffic having inane conversations with strangers many hours a day to increase my motivation.
johnfn 6 hours ago 0 replies      
You could be mildly depressed. How is your sleep? How do you feel about other aspects of your life, like relationships?
d--b 3 hours ago 0 replies      
I would get some vacation time, rest for a while, and think about what to do next. You don't have to be motivated 100% of the time in your life.
always_learning 1 hour ago 0 replies      
I'd advise you do some more charity work outside your normal job. That might give you lots of fulfillment. Spend your time outside work wisely. Like go to the gym, exercise, sport, eat healthily and hang out with people. That'll give you more fulfilment.

We can't get everything in life. Your idea of the "perfect job" is unrealistic.

magiconair 2 hours ago 0 replies      
If you have the luxury to pick your job then the most important thing IMO is that you find something which interests you since you will derive your motivation from that. Everything else is secondary.

If you're doing something that doesn't interest you then it doesn't matter how good the other benefits are since you constantly have to use energy to motivate yourself. Then you won't produce something you're proud of which helps neither you nor the company.

thestepafter 6 hours ago 1 reply      
Satisfaction isn't found in money. Focus on helping others and you will find true joy.
mirekrusin 1 hour ago 0 replies      
You can try to do your job 10x faster, this will get you recognised and promoted in no time.
watwut 3 hours ago 0 replies      
Consider it a learning experience - for that leadership role you want. What is it that demotivated you, exactly? What could your leaders do to take better advantage of your skills and ambitions, to make you more productive and as a result happier? Is it just you being demotivated or other people too? How does it affect performance?

What will you do differently once you are a leader to avoid similar demotivation of talent? Leadership is not just decision making, it is also dealing with issues like this. They won't tell you, so self awareness now will go a long way later.

Taek 4 hours ago 0 replies      
My motivation is derived from a massive discontent with my environment. Namely, a lack of digital privacy, a government that I feel has greatly overstepped its boundaries, the fact that I have signed over my life basically in full to Google (email, phone, search engine).

I don't know what would motivate me besides the idea that things could be a lot better than the way they are.

sauronlord 2 hours ago 1 reply      
What kind of helpless self pity is this crap?

"I wanted a leadership position at THEIR company..." (fixed that for you)

It's not YOUR company, but THEIRS.

Incorporate your own company (couple hundred bucks) and list yourself as "President" on your linkedin.

Put together a bullshit website about your consulting services.

Start acting like a leader in your own affairs.

Mind YOUR OWN business.


Money solves almost all problems. For the remaining issues time and good health covers everything. I challenge anyone to show a convincing argument to the contrary.

Better get to $300k/year asap and let the other chumps have their "leadership position"

Gigablah 1 hour ago 0 replies      
"Everyone here seems dumb and working on a few useless things."

You can start by working on your attitude.

hunvreus 1 hour ago 0 replies      
You will rarely get all things on your wish list. More often than not, you'll get one and work your way up on the others.

The way I've dealt with burnouts and demotivation has been to identify the actual root cause and then take a decision;

- Option 1; leave it be (and maybe whine about it).

- Option 2; give up & move on to something else.

- Option 3; bite the bullet and work my way out of it.

9 times out of 10, I pick option 3.

As an example, I've been dealing with business development for a while, but I'm naturally more interested in product development and R&D.

I got stuck on option 1 for a while and tried a couple of times (unsuccessfully) to go for option 2.

And for the past 6 months I've been working on option 3.

It's not glamorous and it requires a good deal of patience, but the opportunity to get to a place where I can automate/document/delegate myself out of it has kept me motivated enough.

I'm writing a business playbook [1], created a few sales decks and refined techniques on clients and colleagues to the point that I can train others. I have automated, documented and understood enough [2] that I can finally bring in a BD person and hand over my responsibilities.

I recommend you have a hard look at what really makes you unhappy and list your options.

From the limited understanding of your current situation, I'd say;

- Deal with it. You stay where you are and find a way to be ok with not being passionate about your job.

- Give up. Find another occupation, either now or after a while once you acquired new skills.

- Work your way out of it. Find a way to change your role at your company. Maybe you can automate, document and delegate. Maybe you can make yourself valuable enough to another team to force a promotion or re-assignment.

Additionally, I don't think I would recommend you to go back to school. I'm a lot more likely to trust and respect somebody who went on to learn new things on their own, especially considering you can virtually learn anything online these days.

[1]: http://playbook.wiredcraft.com/business/

[2]: http://playbook.wiredcraft.com/article/tools-methodologies-p...

aji 6 hours ago 0 replies      
I'm certainly no expert in motivation, and can't give you advice on your specific goals, but I personally find that reframing long term goals into short term goals can be a big source of motivation. for example, don't focus on bench pressing your own weight, focus instead on getting to the gym 3x or 4x a week and working on your bench press. don't focus on finishing that personal project, focus instead on making a little progress on your personal project every day or every week. having long term goals is still valuable, but having short term goals to focus on can make it a lot easier to find motivation. it's easy to get demotivated on big goals, but if in a given day you meet every single one of your daily goals, then you've aced that day as far as your goals are concerned. and you'll ace the next day, and the next, etc.

having a job with big impact and big money is a sizable goal that you won't reach overnight. you might not even reach it in a year, or several years, who knows. it's a big goal that's easy to lose motivation on. but reframing it into daily goals, and focusing on taking one step at a time, could be a source of motivation. just my 2

kilburn 13 minutes ago 0 replies      
> I wanted a leadership position at my company, but I was hired for a position that has no decision making power at all. Everyone here seems dumb and working on a few useless things.

This sentence alone signals that you are not ready to be a leader. Contrary to what you probably think right now, being a leader sucks in many ways:

- You should be empowering to those around you. This starts by being constructive instead of judgemental. Find out what are their strengths and weaknesses, and tell them how you think they can improve instead of poking at their weak spots. You should strive to always keep this attitude, even when under pressure and/or during bad personal times.

- You must be a good listener. Try to understand your team member's motivations and desires, and how they think/react to what's coming to them. Be prepared to accept that other people's thought processes are very different from yours, and your job is to understand them instead of trying to change them. Even if you possessed the absolute truth about everything, trying to shoehorn that truth into their minds wouldn't work. They need to see that truth by themselves, so you can only try to steer them towards finding it. In some cases the way to do that is by providing arguments. Other times arguments won't do it and you must show them. Later on, once you're actually seen by them as a leader you'll be able to appeal to trust. Don't overuse that though because you are not perfect and will make mistakes, which will erode your trust if you used that to impose your opinion onto others.

- You should be prepared to deal with the worst bullshit that's thrown to your team. You don't need to deal with all bullshit, but your team should be confident that you'll be first in line if/when shit hits the fan, and that you'll do your best to cover them.

- You should lower your expectations about others. You must demand the highest standards from yourself, but not from others. Do what you can to help them improve instead.

- Don't overreact when you get stabbed in the back (which will happen at some point). Attribute any bad situation to ignorance/stupidity before malice. Always try speaking with people first, and over time you'll develop a "sense" to discern bad actors from misunderstandings. In any case, being stabbed is an opportunity to improve that "sense", and is always a better situation than initiating work-warfare against a person who acted in good faith.

In case you haven't noticed, you don't need any "leadership position" to put all that to practice. You can start doing it right now, and I assure you that leadership will follow naturally. People will start turning to you when they need help. People will start wanting and valuing your opinion much more. This will make you feel important and purposeful, but it will also be stressful and demanding. Be up to the task and the pay will follow.

HortYuoh 47 minutes ago 0 replies      
Get married and have children. Raising children makes you think of more important issues than big money. You people in CA have really lost it.
theparanoid 6 hours ago 0 replies      
If you get in to MIT/Stanford it'll be fun. I did a masters, when I had a dead-end job. It was exciting and opened doors.
delbel 5 hours ago 0 replies      
It's ok to feel unsatisfied some of the time, because it gives you the drive to be better or do better things with your time, and to find a way to challenge yourself to set higher goals. It's also ok to have loss of motivation some of the time, because it can make you more creative and let you step back and analyze different situations. But if you get stuck in a hole and need some advice, I'd say get rid of your comfort zone in life and take some risks and make life more exciting (for good or for worse) and just let things flow. Could be as easy as switching to cold showers, or selling everything and traveling in a van in the forest. That's why life is great, it's up to you!
omarchowdhury 4 hours ago 0 replies      
We have to assess what drives our motivation. There could be many factors. Forgetting those factors may lead to a loss of motivation. Rekindling motivation is just remembering those factors, and then refining our action based on the present situation. Since you say you lost your motivation, that would imply you had possession of it before. But now you're trying to grasp for the previous motivation, when you just have to generate it anew.
jsemrau 6 hours ago 0 replies      
I started a side project in 2013 to satisfy that constant urge to create. Year after year in part time growing the infrastructure, app ecosystem, and user base. Just completed launching a Twitter Event Recommendation Service Bot. The marketing and negotiation skills I learned in my side job helped me in my day job making me more successful in both. When I feel not motivated or tired, I play video-games specifically the Mass Effect series because it is Leadership training in a nutshell.
Nosleep 4 hours ago 0 replies      
This seems like to me (with little text) you need to build that fire back up.

If you are good at your job and they pay you well enough, just keep it. Keep doing well at your job. In your leisure time, start working on passion projects. Something that you have been thinking about for a long time and/or understand well. If this passion project turns into something amazing that you can run-away with, profit from, and bring you more power to change, do it.

There are a million things to be motivated by. There are people with serious problems in the world, like dying from thirst.

Just find out what you want to achieve and find out if you are capable of doing it.

Watch the real news. Find out about how terrible things are. Ask yourself if there is any small thing that you can do.

bsvalley 3 hours ago 0 replies      
Do you think college is challenging? I think your current situation is challenging. So I'd say - go ahead and tackle the crap out of it. Work on a solution to pull yourself out.
mrmrcoleman 5 hours ago 0 replies      
Sounds tricky. I would recommend you look into Stoicism: Epictetus, Seneca, Marcus Aurelius, Boethius, etc.

I'm not saying you shouldn't keep seeking something, but the aforementioned might help you to decouple your happiness from it.

4n0n73u2 2 hours ago 0 replies      
Leave the tunnel. Go hiking. Get married & make some children. Do anything that accounts to your satisfaction. Then, go back to work.
dodysw 6 hours ago 0 replies      
Paddle harder. Motivation is like wave/wind on the sea. Easier to get around with it, but we still have to move on with life even without it, even if it's harder, slower, or more painful.
z3t4 2 hours ago 0 replies      
go out into the woods. live off the nature a few days. makes you appreciate a warm bed and modern comforts
deepnotderp 5 hours ago 0 replies      
L-carnitine for "sourceless" depression

Otherwise you need to rethink your career choices. Good luck man!

joeguilmette 6 hours ago 1 reply      
I take some time off and go scuba diving.
agjacobson 4 hours ago 0 replies      
Management Summary

"I need to find something with purpose,big money, and satisfaction"

Hold yoga poses long. Take strong patent medicine herbs. Knitting. Volunteering at an animal shelter. Cold showers. Realistic goals on the bench press. Scuba diving.

The answer has become clear.

Go for the money.

golergka 2 hours ago 0 replies      
First thing you should do when you find yourself in a hole is stop digging.

If you feel a loss of motivation, the worst thing you could do is feel guilty about it. Feel like you're somehow bad or inferior because everyone around you seems to have this drive to move forward and you don't.

It's completely OK to not feel particularly motivated. Your job is not your life; sometimes it's fine to just work 9 to 5 and put only the effort required, nothing extra. Spend your nice salary on things that you like. Exercise because you like it, not because you have to. Do something else with your time. Meet friends. Watch TV shows. Don't care about wasting your time, just enjoy wasting it.

And please, when you see the people with "TED speaker", "self-motivated", "energetic" image, take it with a grain of salt. This happens to everyone, it's OK.

exabrial 4 hours ago 0 replies      
Start playing music. (This is not a snarky comment, try it)
yarou 1 hour ago 0 replies      
Substituted phenethylamines for motivation.
kfrzcode 3 hours ago 0 replies      
Double down and grind.
partycoder 4 hours ago 0 replies      
People call it being burned out. Not every job is a fit or has to be a fit, just quit the job and keep looking.

Spend some time not only looking for good compensation but also balancing it with a good culture.

Startups are usually early technology adopters, and you may be given more responsibility and autonomy than in a large company. You might enjoy it more there.

Most interviewers may ask you: "Do you have questions for me?". Ask them: "who are the most valued engineers in your company and why?"

If the most valued engineer is a warm body whose only purpose is to suggest places for lunch to their managers or some fake wine snob continue looking.

ak39 4 hours ago 0 replies      
Talk to your superior and ask for projects you believe are challenging, will benefit the company and allow you to use your creative skills.

Talk to your boss.

ebbv 5 hours ago 0 replies      
With how unhappy you are in your job the lack of motivation is no mystery. You should find another job or found a startup or if you think it will be useful to what you want to do, sure get a degree.

I would caution though that usually when people say "Everyone here is stupid" it's usually not everyone else that's really the problem. This goes for my younger self as well.

Machine Learning from scratch: Bare bones implementations in Python github.com
558 points by eriklindernoren  18 hours ago   53 comments top 23
schmit 17 hours ago 2 replies      
One quick comment: in general it is a bad idea to compute the inverse of a matrix (to solve a linear system). It's much better to compute the QR factorization or SVD instead (or simply call least square solver).

See for example: https://www.johndcook.com/blog/2010/01/19/dont-invert-that-m...

imdsm 9 hours ago 0 replies      
Great resource, but it could be a phenomenal resource if you documented each method and explained how and why it does what it does.

Don't get me wrong, having working code to play with is key, but when you don't fully grasp the concepts behind it, an explanation can become so valuable.

That being said, you've included names, so research can be done. Great work and I hope you're enjoying it!

onvalleysilic 16 hours ago 1 reply      
Just tried it with an equities dataset and it seems to have performed nicely. Great work!
metaobject 7 hours ago 0 replies      
In your RandomForest implementation, on the line in fit() where you're building the training subsets to give to each tree, it appears that your bagging approach doesn't use 'sampling with replacement' strategy.

 idx = np.random.choice(range(n_features), size=self.max_features, replace=False) 
It would appear that the replace=False prevents the 'sampling with replacement' behavior usually implemented by bagging algorithms. Should the replace=False be changed to replace=True?

compactmani 15 hours ago 1 reply      
This is a nice project. I think it would be great to add references used for the implementations and some tests that demonstrate they return what is expected (or perhaps the same result of sklearn maybe).
fnl 7 hours ago 1 reply      
This could become a fantastic resource for anybody who is teaching machine learning.

One vital improvement suggestion to make that path attractive would be if the Jupyter notebook format were used. It would be easier to add more documentation and references.

But in any case, thanks for sharing!

onlyrealcuzzo 16 hours ago 1 reply      
This is awesome! I'm working on something similar for JavaScript. Definitely will be using yours for reference. Thanks, dude!
victor106 16 hours ago 4 replies      
Would you suggest any books/resources to learn the theory behind these implementations so a newbie can follow along?
Jasamba 15 hours ago 1 reply      
This is impressive, and kindof exactly what I am in the process of doing. It's certainly the best way to get familiar with the internal workings of these methods than just tune parameters like an oblivious albeit theoretically informed monkey. How long did it take you to do them?
mrcactu5 16 hours ago 0 replies      
sci-kit learn is excellent, but their implementations are a bit too complicated to learn from.

this is for people who don't just want to tune parameters but build the whole thing from scratch

I can buy a pie with all the fix-ins from a bakery, or I can buy the ingredients myself, and make it to exactly my liking. it may not be a professional.

ussser 16 hours ago 1 reply      
Cool! How long did it take to learn and implement these models?
edshiro 16 hours ago 1 reply      
Nice! I have started brushing up my maths and reading about machine learning in general. Next step is to get my feet wet in the implementation. I think looking at your project can give me a good idea as to how to implement some of the most basic algorithms. Good luck!
dnautics 14 hours ago 0 replies      
Nice project! I'm doing something similar in julia, with the added advantage that as I build it the numerical types are variadic so I can play around with numbers that aren't IEEE FPs.
searchfaster 10 hours ago 0 replies      
Very nice project! Very very useful for a ML beginner like myself. Thank you very much !
peter_retief 13 hours ago 1 reply      
I feel happy to see your wonderful work you share so freely
jogundas 17 hours ago 2 replies      
Very cool! I have actually been planning to do exactly what you did, sir :)
joelberman 14 hours ago 0 replies      
Very nice project! Learning stuff makes me happy.
sp4ke 10 hours ago 0 replies      
Amazing, thanks for sharing :)
Winterflow3r 16 hours ago 1 reply      
This is really cool and inspiring!
thinkr42 15 hours ago 1 reply      
This is awesome!
SvenDowideit 15 hours ago 0 replies      
Deliver and release stuff that people actually use. Or work on projects that do.

Delivering value trumps painting every day

List of Sites Affected by Cloudflare's HTTPS Traffic Leak github.com
858 points by emilong  2 days ago   204 comments top 43
r1ch 1 day ago 6 replies      
Just got this classy spam from dyn.com. Wonder if they're going through this list emailing every domain contact.

> As you may be aware, Cloudflare incurred a security breach where user data from 3,400 websites was leaked and cached by search engines as a result of a bug. Sites affected included major ones like Uber, Fitbit, and OKCupid.

> Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident

> This incident sheds light and underlines the vulnerability of Cloudflare's network. Right now you could be at continued risk for security and network problems. Here at Dyn, we would like to extend a helpful hand in the event that your network infrastructure has been impacted by today's security breach or if the latest news has you rethinking your relationship with Cloudflare.

> Let me know if you would be interested in having a conversation about Dyn's DNS & Internet performance solutions.

> I look forward to hearing back from you.

actuator 2 days ago 3 replies      
I wrote this(1) script to check for any affected sites from local Chrome history. It checks for the header `cf-ray` in the response headers from the domain. It is not an exhaustive list but I was able to find few important ones like my bank site.

1: https://gist.github.com/kamaljoshi/2cce5f6d35cd28de8f6dbb27d...

crottypeter 2 days ago 2 replies      
Today I learned that uber does not have a change password option once you are logged in. You have to log out and pretend you forgot the password. Bad UX if you don't know.
cloudvrfy 7 hours ago 1 reply      
I wrote a simple website[1] to show whether a user has visited the websites included in the list automatically without browser plug-ins. It uses the :visited CSS pseudo-class to highlight the sites the user has visited before. It is not 100% accurate, but it can be a fun way to quickly show people that they may visit sites on the list.


ig1 1 day ago 7 replies      
Worth noting this statement by Cloudflare CTO:

"I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about."


nikisweeting 2 days ago 1 reply      
Aww man I submitted my list hours ago but I guess it never made it past the New page. https://github.com/pirate/sites-using-cloudflare

Original post: https://news.ycombinator.com/item?id=13720199

koolba 1 day ago 2 replies      
That's a wide impact. While any hijacked account is bad, some of these are really bad.

For example, https://coinbase.com is on that list! If they haven't immediately invalidated every single HTTP session after hearing this news this is going to be bad. Ditto for forcing password resets.

A hijacked account that can irrevocably send digital currency to an anonymous bad guy's account would be target number one for using data like this.

Cyphase 2 days ago 1 reply      
You missed the "possibly" in the header.

And the disclaimer right at the top:

This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised.

pulls 2 days ago 0 replies      
For what it's worth, as part of work on the effects of DNS on Tor's anonymity [1] we visited Alexa top-1M in April 2016, recording all DNS requests made by Tor Browser for each site. We found that 6.4% of primary domains (the sites on the Alexa list) were behind a Cloudflare IPv4-address. However, for 25.8% of all sites, at least one domain on the site used Cloudflare. That's a big chunk of the Internet.

[1]: https://nymity.ch/tor-dns/

jitbit 1 day ago 2 replies      
Webmasters and App-devs running on CloudFlare. You (at least) have to "force-logout" your users that have a "remember me" cookie set.

At least change the cookie name so the token stops working. For example, in ASP.NET - change the "forms-auth" name in the web.config file
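
One way to implement the force-logout described in this comment, as an added example (not code from the thread and not ASP.NET's forms authentication): remember-me tokens are HMAC-signed and carry an epoch number, and bumping the epoch renames the cookie and rejects every token issued before it. The class name `RememberMeIssuer`, the token layout and the epoch counter are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time


class RememberMeIssuer:
    """Issues and verifies signed remember-me tokens (hypothetical helper)."""

    def __init__(self, key=None, epoch=1):
        self._key = key or secrets.token_bytes(32)
        self.epoch = epoch

    @property
    def cookie_name(self):
        # The cookie name changes with the epoch, so browsers stop sending
        # anything the server still looks at once the epoch is bumped.
        return "remember_me_v%d" % self.epoch

    def _sign(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def issue(self, user_id, ttl_seconds=30 * 24 * 3600, now=None):
        now = int(time.time()) if now is None else int(now)
        # user_id goes last so it may itself contain the "|" separator.
        payload = ("%d|%d|%s" % (self.epoch, now + ttl_seconds, user_id)).encode("utf-8")
        return "%s.%s" % (
            base64.urlsafe_b64encode(payload).decode("ascii"),
            base64.urlsafe_b64encode(self._sign(payload)).decode("ascii"),
        )

    def verify(self, token, now=None):
        """Return the user id for a valid token, or None."""
        now = int(time.time()) if now is None else int(now)
        if not isinstance(token, str):
            return None
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:  # wrong shape or bad base64
            return None
        # Constant-time comparison; the payload is only parsed after it passes.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        try:
            epoch_s, expires_s, user_id = payload.decode("utf-8").split("|", 2)
            epoch, expires = int(epoch_s), int(expires_s)
        except ValueError:
            return None
        if epoch != self.epoch or expires <= now:
            return None
        return user_id

    def force_logout_all(self, rotate_key=True):
        """Invalidate every outstanding token and return the new cookie name."""
        self.epoch += 1
        if rotate_key:
            # A fresh key also covers the case where the old key was exposed.
            self._key = secrets.token_bytes(32)
        return self.cookie_name


if __name__ == "__main__":
    issuer = RememberMeIssuer()
    old = issuer.issue("alice")
    print(issuer.cookie_name, issuer.verify(old))
    issuer.force_logout_all()
    print(issuer.cookie_name, issuer.verify(old))
```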

nodesocket 1 day ago 1 reply      
This is ridiculous and somewhat irresponsible. This is just a list of domains using CloudFlare. The leak was only active under a set of very specific cases (email obfuscation, server-side excludes and automatic https rewrites).

I question Pirate's (https://github.com/pirate) motives for even doing this? Karma? Reputation?

JaggedJax 1 day ago 2 replies      
In an email from Cloudflare sent out this morning they said:

> In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Does this jive at all with the Google or Cloudflare disclosures? They are claiming that across all caches they only found and wiped data from ~150 domains, can that be true?

Splines 2 days ago 1 reply      
If I have an account on an affected site, but did not interact with the site (via my browser or through some other site with an API call) during the time period when the vuln was live, am I still at risk?
vmarsy 1 day ago 3 replies      
Something I have a hard time understanding, is how Cloudflare's cache generator page had access to sensitive information?

Were the 2 things running on the same process? If they were not, there's no way that the buffer overrun could read another process's memory, right? It would have failed with a segfault type of error.

If so, shouldn't Cloudflare consider running the sensitive stuff on a different process, so that no matter how buggy their caching engine is, it would never inadvertently read sensitive information?

edaemon 2 days ago 0 replies      
This list doesn't appear to include sites that use a CNAME setup with CloudFlare -- i.e. sites on the Business or Enterprise plans that retain their authoritative DNS and use CNAMEs to point domains to a CloudFlare proxy.

There probably aren't many but with something this serious it could be important. I'm not sure how one would go about finding the sites that use the CNAME option. If it helps, they use a pattern like:

 www.example.com --> www.example.com.cdn.cloudflare.net
Hacker News is one such site, but it's listed in the "notable" section (it's not in the raw dump).

jschpp 2 days ago 3 replies      
That list isn't that useful...

First of all, there is a LOT of pages hosted by CloudFlare. @taviso acknowledged that in the original bug report. (https://bugs.chromium.org/p/project-zero/issues/detail?id=11...)

Furthermore, you can't say which sites were hit by this bug and simply listing all CloudFlare sites is more or less fearmongering. If you are a verified victim of this bug CloudFlare will contact you.

Lastly, if you want to be sure to mitigate effects of the attack just do it... If you want to be absolutely sure that your session keys etc will remain uncompromised simply repeal all active session cookies.
em0ney 2 hours ago 0 replies      
The list of websites once again reminds me of what Avenue Q immortalised in song: the internet is for porn
jandy 2 days ago 2 replies      
I'm confused by the "not affected" remarks. I thought the issue was any site which passes data through cloudflare could be leaked by requests to a different site, due to their data being in memory. Have I misunderstood?
AdmiralAsshat 1 day ago 1 reply      
Authy is on the list. It would be really nice if they confirmed whether they are vulnerable or not, considering they hold all of my 2FA tokens. Otherwise I'll have to re-key the database.
dikaiosune 2 days ago 0 replies      
I've been tinkering with a Python notebook for a few minutes to try to quickly assess how much of my LastPass vault is affected:


Improvements welcome.

One interesting thing: the raw dump that's linked from the list's README doesn't seem to include a couple of notable domains from the README itself, like news.ycombinator.com or reddit.com. I may be mangling the dump or incorrectly downloading it in some way.

EDIT: disclaimer, be responsible, audit how the dump is generated, etc etc etc

RidleyL 1 day ago 0 replies      
I wrote a python script to help check your LastPass database for any potentially affected sites.


danjoc 1 day ago 2 replies      
Is there a "standard" in the works for changing a password? Stuff like this is happening rather too frequently for my taste. I need a tool I can use to update all my passwords everywhere automatically and store the new ones in my password manager.
grogenaut 23 hours ago 0 replies      
I ginned up this little tool tonight to help people out instead of grepping.


Sorry for the index.html, trying to figure out how to get index file to work on cloudfront.

You can also run the python script on the website anonymously on your computer to dig sites out of your email, which is a good indicator that you have an account with them.

kiallmacinnes 22 hours ago 0 replies      
And, I've found several of my domains on this list.. Some of which don't host web content etc and only use cloudflare for DNS. The list is currently ~4.3mil entries, which honestly feels like a rather low figure. I have no data to back up my gut feeling though ;)

Anyway, I'm OK with them being on this list, as I believe understanding the scope of the problem is important to figuring out how we prevent these kinda problems in the future.. (For example, answering this question requires understanding who uses CloudFlare: Why are so many sites concentrated on a single infrastructure?)

pmontra 2 days ago 3 replies      
I have hundreds of passwords in my password manager. That's going to take a week, considering I also have to work.
Wrhector 2 days ago 0 replies      
This list seems to be missing any sites that are using custom nameservers, which would be common on top sites using the enterprise plans. A better way to detect if the proxy is being used would be to resolve the IP and see if it lies in Cloudflare's subnets.
luckystartup 1 day ago 1 reply      
Oh crap. I've entered my banking password into Transferwise quite a few times.

Welp, time to change all my passwords.

janwillemb 2 days ago 0 replies      
Thanks for posting and curating this list.
pbhjpbhj 1 day ago 0 replies      
Do browsers still leak history info (eg http://zyan.scripts.mit.edu/sniffly/) is it possible to have a page show visitors if they are likely to be affected?
iKenshu 2 days ago 1 reply      
What if I sign in with facebook or other? Should I change my password with facebook or what?
paradite 1 day ago 1 reply      
Couldn't find a practical description of who is affected anywhere. Is it just the customers who have Cloudflare HTTPS proxy service being affected, or anyone using Cloudflare DNS is affected?
arikrak 1 day ago 2 replies      
It would be more useful if there was a way to see sites that actually were using the Cloudflare features that caused this bug. A large number of sites use Cloudflare, but few should have been affected by this bug:

> When the parser was used in combination with three Cloudflare features - e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites - it caused Cloudflare edge servers to leak pseudo random memory contents into certain HTTP responses.

https://arstechnica.com/security/2017/02/serious-cloudflare-...

base698 1 day ago 1 reply      
Has Cloudflare fixed the issues? Should I update passwords now or wait?
vasundhar 1 day ago 1 reply      
Unfortunately this seem to include news.ycombinator.com
tonyztan 1 day ago 1 reply      
Just received an email from Glidera, a Bitcoin exchange. This is the first service to ask me to reset my password. I wonder why Uber, NameCheap, FitBit, and many others have yet to warn their users? Is Cloudflare downplaying this?

> Hi [Username],

> A bug was recently discovered with Cloudflare, which Glidera and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your Glidera security credentials:

> Change your password

> Change your two-factor authentication

> You should similarly change your security credentials for other websites that use Cloudflare (see the link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.

> The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it's important that you take appropriate precautions to protect yourself.

> The actual leaks are thought to have only started about 6 months ago, so two-factor authentication generated before that time are probably safe, but we recommend changing them anyway because the vulnerability potentially existed for years.

> Please note that this bug does NOT mean that Glidera itself has been hacked or breached, but since individual security credentials may have been leaked some individual accounts could be vulnerable and everyone should change their credentials as a safeguard.

> Here are some links for further reading on the Cloudflare bug:

> TechCrunch article: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leake...

> List of sites possibly affected by the bug: https://github.com/pirate/sites-using-cloudflare/blob/master...

> If you have any questions or concerns in response to this email, please contact support at: support@glidera.io

StavrosK 2 days ago 5 replies      
I would like to point out that, if most sites used two-factor authentication, this leak would be at most a minor inconvenience. Maybe we should push for that more. Just days ago I talked to Namecheap about its horrible SMS-only 2FA and asked them to implement something actually secure, maybe contact your favorite site if they don't have 2FA yet.
arca_vorago 1 day ago 1 reply      
Apparently root cause was:

 /* generated code */
 if ( ++p == pe ) goto _test_eof;

"The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer. This is known as a buffer overrun. Had the check been done using >= instead of == jumping over the buffer end would have been caught."

Detailed timeline:

"2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information

2017-02-18 0032 Cloudflare receives details of bug from Google

2017-02-18 0040 Cross functional team assembles in San Francisco

2017-02-18 0119 Email Obfuscation disabled worldwide

2017-02-18 0122 London team joins

2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide

2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide

2017-02-20 2159 SAFE_CHAR fix deployed globally

2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide"

Seems like a pretty good response by cloudflare to me.
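
The `==` versus `>=` end-of-buffer check quoted in the comment above, as an added example that is not part of the original comment and is not Cloudflare's code. The toy scanner, its two-byte `<` rule, the `scan` function and the sample memory are all assumptions constructed for illustration; offsets stand in for the pointers `p` and `pe`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which end-of-input test the scanner uses after advancing p. */
enum end_check { CHECK_EQ, CHECK_GE };

struct scan_result {
    size_t copied;   /* bytes emitted into out */
    size_t overread; /* bytes read from an offset >= pe */
};

/* Constructed sample memory: the first INPUT_LEN bytes are the document
   handed to the scanner; the rest stands in for unrelated data that
   happens to sit right after it in the same process. */
#define INPUT_LEN 12
static const char ARENA[] = "<b>hi</b> a<" "Cookie: session=CONSTRUCTED;";
#define ARENA_LEN (sizeof(ARENA) - 1)

/* Hypothetical toy scanner. It emits one byte per step; when that byte is
   '<' it also consumes the byte after it, so a single step can advance p
   by two. p and pe are offsets into arena (pe = logical end of input). */
struct scan_result scan(const char *arena, size_t arena_len, size_t pe,
                        enum end_check mode, char *out, size_t out_cap)
{
    struct scan_result r = {0, 0};
    size_t p = 0;

    if (out_cap == 0) return r;
    out[0] = '\0';
    if (pe == 0 || pe > arena_len) return r;

    for (;;) {
        char c = arena[p];
        if (p >= pe) r.overread++;          /* this read is out of bounds */
        if (r.copied + 1 < out_cap) {       /* keep out NUL-terminated */
            out[r.copied++] = c;
            out[r.copied] = '\0';
        }
        if (c == '<') p++;                  /* the two-byte rule */
        ++p;
        /* The check under discussion: equality misses pe when p jumps
           from pe-1 straight to pe+1; >= does not. */
        if (mode == CHECK_EQ ? (p == pe) : (p >= pe)) break;
        /* Demo-only stop so the example never leaves ARENA. A real
           process has no such guard and keeps reading adjacent memory. */
        if (p >= arena_len) break;
    }
    return r;
}

int main(void)
{
    char out[64];
    struct scan_result r;

    r = scan(ARENA, ARENA_LEN, INPUT_LEN, CHECK_EQ, out, sizeof out);
    printf("==  : overread=%zu output=\"%s\"\n", r.overread, out);

    r = scan(ARENA, ARENA_LEN, INPUT_LEN, CHECK_GE, out, sizeof out);
    printf(">=  : overread=%zu output=\"%s\"\n", r.overread, out);
    return 0;
}
```

The input ends in `<`, so the last step moves the offset from 11 to 13 and never equals 12; only the `>=` form stops there.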

jasonlingx 1 day ago 0 replies      
Do I need to change my cloudflare password?
yeukhon 1 day ago 0 replies      
Would Internet Archive be able to "cache" the leaks?
beachstartup 1 day ago 0 replies      
this is another data point that supports my personal, hare-brained theory that the expectation of privacy on the internet is simply naive, a fool's errand. it never existed, and never will.

this is despite (or maybe because) of my best efforts to secure systems as a major part of my job.

djph0826 1 day ago 0 replies      
amq 2 days ago 1 reply      
The title is misleading (for now). It is just a list of all sites using CF, compromised or not.
cromulent 2 days ago 3 replies      
"List of Sites possibly affected"

Sites using Cloudflare, really. However, Cloudflare say that only sites using three page rules were affected - email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites. [1]

Is this over-estimating the impact, perhaps?

[1] https://blog.cloudflare.com/incident-report-on-memory-leak-c...

Buffett Assails Money-Manager Fees as Berkshire Reports Profit Rise wsj.com
85 points by rottyguy  8 hours ago   32 comments top 4
dcposch 4 hours ago 1 reply      
i worked at a startup called addepar for several years, making software for asset managers.

addepar's a cool place, and i learned a ton there and made some good friends.


that said, my overwhelming impression of asset managers is that most capture more value than they add. fee-bearing mutual funds, family offices, financial advisors, hedge funds: few are worth their fees.

hedge funds, with their standard two-and-twenty fee structure, are especially bad. you could hardly design worse-aligned incentives, short of outright betting against your own clients.

two-and-twenty means 2% of assets under management every year plus 20% of any profit and 0% of any loss. why people agree to those terms is beyond me.

for example, running a strategy similar to a martingale, a negative-EV fallacy when done in a casino, can be incredibly positive-EV when you're a hedge fund manager. it produces streaks of above-market returns, where you keep doubling your AUM and rake in the fees, for however long that lasts.

when the crash happens, the managers walk away unscathed.

if you're interested in an entertaining story that starkly illustrates this dynamic, check out Long Term Capital Management.

bsamuels 7 hours ago 2 replies      
alright so whats the newest trick needed to get around the paywall?
lutusp 2 hours ago 0 replies      
Quote: "Billionaire also declares victory in his $1 million bet with another asset manager that low-cost index funds would out earn hedge funds over a decade."

Okay, I've been publishing this advice for 20 years now, to the annoyance of any number of financial advisors:


The WSJ dartboard contest makes the same point:


rbcgerard 8 hours ago 3 replies      
Little rich coming from an ex-hedge fund manager...
Warren Buffett's Annual Letter to Berkshire Hathaway Shareholders [pdf] berkshirehathaway.com
349 points by grellas  21 hours ago   290 comments top 23
otalp 21 hours ago 6 replies      
"In Berkshire's 2005 annual report, I argued that active investment management by professionals, in aggregate, would over a period of years underperform the returns achieved by rank amateurs who simply sat still. I explained that the massive fees levied by a variety of helpers would leave their clients, again in aggregate, worse off than if the amateurs simply invested in an unmanaged low-cost index fund."

He then goes on to show how that's been true, and that a standard index fund outperforms almost every hedge fund even before extra fees to the hedge funds are taken into account.

It's not the first time this has been pointed out, and it suggests that for non-multimillionaires, an index fund is always the most rational choice.

You get close to the return you'd get by investing in real estate, with the added benefit of index funds being much more easily liquifiable.

dsacco 20 hours ago 13 replies      
There's one particular passage I'd like to point out, on page 5:

Our efforts to materially increase the normalized earnings of Berkshire will be aided, as they have been throughout our managerial tenure, by America's economic dynamism. One word sums up our country's achievements: miraculous. From a standing start 240 years ago, a span of time less than triple my days on earth, Americans have combined human ingenuity, a market system, a tide of talented and ambitious immigrants, and the rule of law to deliver abundance beyond any dreams of our forefathers.

You need not be an economist to understand how well our system has worked. Just look around you. See the 75 million owner-occupied homes, the bountiful farmland, the 260 million vehicles, the hyper-productive factories, the great medical centers, the talent-filled universities, you name it, they all represent a net gain for Americans from the barren lands, primitive structures and meager output of 1776. Starting from scratch, America has amassed wealth totaling $90 trillion.

I don't often see this sort of pride in America. Normally the flavors I do observe are hyper-nationalistic and filled with bravado, while the tone here is lauding yet reserved. There's a sense of authenticity delivered in the way Warren Buffett - an extremely humble, yet successful man - talks about the way his country has helped him succeed. It's austere.

This isn't part of the regularly scheduled programming for threads about his letters (mostly we like to champion index funds or debate the utility of active investing), but it's what really struck me this time around. Juxtapose his words here with the same category of conversation about America in many other contexts and contrast the integrity involved. In a time when America appears to be experiencing quite a bit of social and political volatility, it is refreshing to hear optimism from a source that does not appear to use it as an instrument of control.

EDIT: Well this has since ignited a debate about America's cultural identity and history of imperialism...not really the spirit of what I was going for but here we are I guess...

tyingq 21 hours ago 4 replies      
The transparency and humble tone is pretty unique.

"Unfortunately, I followed the GEICO purchase by foolishly using Berkshire stock"

"It was, nevertheless, a terrible mistake on my part"

"Despite that cautious approach, I made one particularly egregious error"

I bet you don't find that sort of thing in many other annual shareholder letters.

Radle 16 hours ago 0 replies      
"Some years, the gains in underlying earning power we achieve will be minor; very occasionally, the cash register will ring loud. Charlie and I have no magic plan to add earnings except to dream big and to be prepared mentally and financially to act fast when opportunities present themselves. Every decade or so, dark clouds will fill the economic skies, and they will briefly rain gold. When downpours of that sort occur, it's imperative that we rush outdoors carrying washtubs, not teaspoons. And that we will do."
CurtMonash 2 hours ago 0 replies      
I was a #1-ranked stock analyst. And I indeed outperformed the market on my and my parents' accounts. I also know a small hedge fund manager who I believe could consistently outperform the market. But in each case the strategy was to know a small portfolio of underfollowed stocks very very well. It's not something that could scale. He eventually just dumped his clients and managed his own money. I stopped investing in anything except index funds after I stopped being a stock analyst.

I.e., I agree with Buffett's general premise, and have since the 1980s.

defenestration 20 hours ago 2 replies      
It took me 30 minutes to read the complete letter. It was time well spent. I learned why the property/casualty insurance business has a really good business model. It also reminds me to walk away from deals where the financial fundamentals are wrong, but our competition is eager to sign. And finally, I feel that his humble tone is honest and that he is trying teach by showing his considerations, successes and failures.
ryanmarsh 20 hours ago 2 replies      
"This team efficiently deals with a multitude of SEC and other regulatory requirements, files a 30,450-page Federal income tax return"

30,450 pages holy crap

cbanek 8 hours ago 0 replies      
One hilarious thing I learned, and I can't wait to put into action:

So stop by for a quote. In most cases, GEICO will be able to give you a shareholder discount (usually 8%). This special offer is permitted by 44 of the 51 jurisdictions in which we operate. (One supplemental point: The discount is not additive if you qualify for another discount, such as that available to certain groups.) Bring the details of your existing insurance and check out our price. We can save many of you real money. Spend the savings on other Berkshire products.

I need to get hooked up with my shareholder discount!

digitalmaster 12 hours ago 0 replies      
"Americans have combined human ingenuity, a market system, a tide of talented and ambitious immigrants, and the rule of law to deliver abundance beyond any dreams of our forefathers." - W. Buffet
ambicapter 18 hours ago 2 replies      
> We may in time experience a decline in float. If so, the decline will be very gradual, at the outside no more than 3% in any year. The nature of our insurance contracts is such that we can never be subject to immediate or near-term demands for sums that are of significance to our cash resources. This structure is by design and is a key component in the unequaled financial strength of our insurance companies. It will never be compromised.

Is he basically saying that the insurance business is structured in such a way to never payout catastrophic amounts? Is this a harmful thing for the insurance claimants?

NuDinNou 19 hours ago 0 replies      
I liked HBO's documentary on him, "Becoming Warren Buffett", https://www.youtube.com/watch?v=70nGRBvqFNw
kennyma 20 hours ago 0 replies      
Here's an annotated version of the letter by Bloomberg https://www.bloomberg.com/news/features/2017-02-25/lessons-f...
gillianlish 7 hours ago 1 reply      
that is assuming the stock market doesn't crash. if you bought an index fund in 1928 you would still be broke AF in 1935 and wouldn't get your money back until the 50s.

buffett profited off the housing bubble and should not be trusted. he owned huge stakes in the ratings agencies that were giving AAA+ ratings to these awful mortgage products, even as publicly he was decrying the financial products involved as 'mass destruction' he was making money on it.

he is doing the same with his stock market push. if a million people listen to him and go buy stocks, what do you think happens to his index funds? They go up of course.

absolutely hilarious and sad to watch people worship this guy. if his secret is really to buy index funds, then why do people listen to his speeches and newsletters? you could just go buy index funds and be done with it.

like every other con artist, his genius is to get people to buy in to his story.

crb002 18 hours ago 0 replies      
What Buffet left out. The massive windfall from OPIC, a U.S. Government insurance program not audited by the GAO, in the buy of Mid American. https://www.opic.gov/sites/default/files/docs/claim_mid_amer...
mrfusion 20 hours ago 4 replies      
Has anyone ever attended a shareholder meeting? Sounds kind of fun.
MarkMc 16 hours ago 0 replies      
I have more respect for Warren Buffett than any person outside my family.

He's smart, honest, humble, generous, witty and a great communicator. And he's the best investor in the world.

jedberg 14 hours ago 0 replies      
The "Annual meeting" section is the most entertaining. It sounds like woodstock for capitalists.
glbrew 20 hours ago 0 replies      
"Come to Omaha, the cradle of capitalism, on May 6th and meet the Berkshire Bunch."
fovc 19 hours ago 2 replies      
Does anyone know why it is that their insurance businesses post underwriting profits? Is there anything structural? Why does GEICO have such a cost-driven moat?
ahh 17 hours ago 0 replies      
Anyone else a bit disappointed?

Normally these letters have some new brilliant insight or dive into a business I know nothing about. This one feels shorter and more peremptory. I see the financials for the major sectors and the same boilerplate explanation of insurance and railroads that's in every letter.

What's up? It's not like nothing happened with Berkshire Hathaway this year.

perseusprime11 10 hours ago 0 replies      
Buffet is so modest and humble. It comes through in this comment: "A few, however - these are serious blunders I made in my job of capital allocation - produce very poor returns. In most cases, I was wrong when I originally sized up the economic characteristics of these companies or the industries in which they operate, and we are now paying the price for my misjudgments. In a couple of instances, I stumbled in assessing either the fidelity or ability of incumbent managers or ones I later put in place. I will commit more errors; you can count on that. Fortunately, Charlie - never bashful - is around to say no to my worst ideas."
psyc 15 hours ago 0 replies      
All that cheerleading for capitalism, and the only micro-nod to inequality is this: "However our wealth may be divided, the mind-boggling amounts you see around you belong almost exclusively to Americans."

"See around me," indeed.

DiabloD3 21 hours ago 3 replies      
There's going to be a day where there won't be any more annual letters from him.
AMD's $499 Ryzen 7 1800X Beats $1700 i7 6950X with 1-Click OC on Air Cooling wccftech.com
248 points by antouank  14 hours ago   162 comments top 21
actuator 12 hours ago 3 replies      
I just hope this lives up to the hype. I built my last machine using Phenom II X6 1090T but I always regretted it after; as the 6 core advantage that I thought future games will use, never materialized and per core performance of that was not as good as the Intel CPUs of the same generation. Most of the benchmark leaks have focussed on top of the line Ryzens, I would be interested in seeing how the mid level Ryzens are comparing to Intel I5s.

There are already reports of Intel CPUs getting price cuts, so this looks good for now at least.

jychang 14 hours ago 1 reply      
Just a reminder that wccftech.com is notoriously pro-AMD. I would caution against taking their word as proof.

I'm not an AMD hater (actually own AMD stock), just cautious.

haswell 14 hours ago 3 replies      
I won't be replacing my i7 6800K build any time soon, but I'm very happy to see AMD looking competitive again. There hasn't been much excitement about the recent generations of i7 for good reason, and hopefully this forces them to start pushing the envelope again.
SG- 14 hours ago 2 replies      
This article doesn't actually list any benchmarks and the link/URL is totally broken for the "Ryzen offers even better single-threaded performance per clock than Intel's Kaby Lake." - http://single-threaded/
kchoudhu 14 hours ago 3 replies      
That TDP is unreal. 95 Watts?

Looks like AMD has made a real performance breakthrough here. When is general availability expected?

vinayan3 10 hours ago 1 reply      
If you were thinking of this as being a cheap CPU for a GPU training rig. It only has 24 PCI Express lanes. It might be better to stick with Xeon CPUs because most have 40 lanes.
aabajian 12 hours ago 1 reply      
Lots of skeptical comments below. I tend to believe the result, given that Intel has slashed prices on its Kaby Lake/Skylake processors in anticipation of the Ryzen launch:


frik 3 hours ago 0 replies      
How is the single core performance in real world beside benchmarks?

AMD mentions some AI technology to improve the perf. If one runs the same software many times, will the performance change? It could be good if it learns and improves the performance, but results might not be reproduce. Is it like the Pentium 4 with its long pipelines that ideally result in better performance but meant more misses?

Good that AMD has something in peto to compete with Intel again.

Zekio 13 hours ago 1 reply      
I can't wait to see the result this will have on the CPU market especially with the rest of their CPU line up coming later this year
romanovcode 9 hours ago 0 replies      
Finally some competition. I'm sick of Intel monopoly. Good job AMD!
tzakrajs 4 hours ago 4 replies      
Micro Center is selling Intel i7 7700k for $299

Those 4 cores are stronger than the first 4 cores of the 1700X or the 1800X. If you are a gamer, then most if not all of your games will use 4 or less cores. Why pay more money for worse gaming performance?


vorticalbox 2 hours ago 0 replies      
Meaningless, oh look our overclocked cpu beat an non-overclocked one that could have been overclocked.
ChuckMcM 8 hours ago 0 replies      
While I recognize it is a 'what is there to lose' kind of move, I think it is really awesome that AMD is unlocking all of their Ryzen parts. Seems like a win for the "I want to smoke my own processor thank you very much" generation.
vegabook 13 hours ago 0 replies      
If the 32 core Naples server Zen, due Q2, has anything like this kind of price/perf versus Xeon, Intel is in trouble.
locusm 7 hours ago 0 replies      
The AMD strategy seems to just be "give the customer what they want". Revolutionary indeed.
ibgib 11 hours ago 1 reply      
I'm maybe the only amd fan who is going to miss my power/$ of my 8350 for 150$ (or was it even cheaper?...)
floatboth 11 hours ago 0 replies      
Beating a 10 core doesn't sound real, but it sure kicks the Intel 8-core's ass
gigatexal 10 hours ago 2 replies      
What're the chances Apple puts ryzen into their lineup?
jbmorgado 13 hours ago 2 replies      
Anyone knows where can I get detailed information about the processor? I tried to search in AMD page but the information is very scant.

Namely do these processors support ECC and what virtualisation capabilities do they have (for KVM with full GPU access).

clircle 12 hours ago 0 replies      
Fake news?
awqrre 10 hours ago 0 replies      
Intel probably have something ready to go from 5+ years ago (that was never released because they didn't need to)...
A self-driving Uber ran a red light last December, contrary to company claims theverge.com
159 points by KKKKkkkk1  11 hours ago   61 comments top 10
tristanj 9 hours ago 3 replies      
Back when this originally came out, Uber claimed "this incident was due to human error" [1]. Well technically, if you really twist the meaning of words, Uber could interpret this as "human error", considering:

- It was "human error" that the programmers who designed the self-driving AI failed to properly implement red-light detection and braking.

- It was also "human error" that the human driver in the front seat failed to notice the red lights and stop the car.

Uber's statement is effectively true, if you hideously twist the meaning of words. I fully believe that's what they did in their statement. There's similar wordplay for the word "natural", i.e. claiming "All pollution is natural", because humans are part of nature and everything we do is natural, so all consequences of our actions are also "natural". Deceiving yet ultimately, effective.

[1] Uber says self-driving car ran red light due to human error https://techcrunch.com/2016/12/14/uber-looking-into-incident...

Animats 4 hours ago 0 replies      
It's clear how Uber botched this. That traffic signal is not at an intersection. It's a heavily used mid-block crosswalk.[1] It's a very well marked crosswalk, with six redundant full size traffic signals all visible in the direction the Uber vehicle was traveling. This indicates Uber's system only looks for mapped traffic signals.

SF has a database of their traffic signals, and this signal is listed. It's object #902.[2] Apparently Uber gets their data from somewhere else.

[1] https://goo.gl/maps/dzxEaaqWaAC2

[2] https://data.sfgov.org/Transportation/Map-of-Traffic-Signals...

nodesocket 7 hours ago 8 replies      
I'm not defending Uber, but there seems to be a pattern of startups that at first everybody is in love with. The startup explodes and grows to become widely successful and morphs from startup to corporation. An incident happens, and then everybody jumps on the bandwagon and bashes them mercifully. Boycotts ensue. Clone competitors pop up proclaiming to be "not-evil" and the cycle starts again.

Let me backup my claim with examples:

 GitHub AirBnB Uber CloudFlare
Who is the next unicorn to join the PR nightmare show?

heisenbit 1 hour ago 0 replies      
A little while ago I looked at micro services and the Uber story stuck in my mind (April 2016 numbers):

- 2000 engineers

- 1000 services

- 8000 git repositories

I can understand fast growth but on the services and git repository side considering that most of the engineers are new it struck me not as fast but more as out of control growth.

At the beginning you may not control so much but you hire people that are disciplined. Later one needs a certain amount of structure.

The stories from the legal front, financial front and handling of public relations are very consistent with what I observed on the technical side.

waqf 8 hours ago 0 replies      
mattcantstop 3 hours ago 1 reply      
I think I have personally ran three or four red lights or stop signs accidentally in my 18 years or so of driving. The fact that a self-driving car running a red light makes the news is exciting to me. We will be much safer with computers driving.
tobeportable 36 minutes ago 0 replies      
The pedestrian was already engaging on the crosswalk and would have required the car to stop too.
orthoganol 1 hour ago 0 replies      
Since some are saying "this is just one incidence" recall that there was a second blown red light around the same time in SF, and all this just on the first day of the program. There are also potentially other incidents that did not, by chance, have a bystander recording. Their autonomous driving has many years left in the development. I just hope they aren't pushing it on us now because they are pacing 3 billion in losses/ year.
lindner 5 hours ago 0 replies      
Even though this was clearly a red light being run, it was this AI's first offense, so we should just give it a warning and a stern talking-to....
searealist 8 hours ago 3 replies      
The anti Uber PR campaign is now in full swing.
The power of role models commandcenter.blogspot.com
179 points by max_  16 hours ago   289 comments top 23
skywhopper 15 hours ago 8 replies      
Programming used to be a field with significant numbers of women, including true pioneers like Grace Hopper. IIRC, female computer science majors peaked in the 80s, and have been declining since.

Even with those low numbers these days, a lot of women who are interested in programming and computer science are chased away early on, or they quickly move into more welcoming fields. So it's true that among senior staff, women are even less well represented.

This isn't just a bad thing for the women who are harassed, mistreated, or just made to feel unwelcome. It's a bad thing for the industry. If women are unwelcome, we're throwing away half of the talented engineers before they even get started.

For all those reasons, Rob is right that role models are important. But even more important: we need to stop chasing women from the field. You have to stop the bleeding before you can start improving. The recent stories out of Uber make it clear that the technology industry is at risk of moving backwards if we aren't already.

throw_away_777 15 hours ago 2 replies      
In my opinion, the solution proposed in the article of "choosing a women over a man when growing your team, just because" is counter-productive. These kinds of suggestions cause people to question why a minority got promoted, if it was because of qualifications or because of reverse racism. Reverse racism is still racism, and it breeds resentment.
mzzter 15 hours ago 1 reply      
> It may take proactive behavior, like choosing a women over a man when growing your team, just because, or promoting women more freely.

They don't need to be chosen "just because" :/ they should be chosen based on merit, otherwise, how good of a role model would that person become?

skookumchuck 15 hours ago 3 replies      
The article suggests that power in computing is something men have to give. It isn't. Computing is a market based economy. Anyone can start a computing company, and run it as they please.

I.e. women can start computing companies, and hire women. Women do not need permission from men to do this, nor do they need favor from men.

DelaneyM 12 hours ago 1 reply      
To those expressing concern that this proposal represents "reverse sexism" or is anti-meritocratic:

Merit is equal parts nature and nurture. "Pushing women into positions of influence" can also be interpreted as identifying high-performers capable of filling senior roles and then helping them get there.

This does mean giving them an unfair advantage, but only in the sense that life is unfair in general. Ultimately they are the most capable individuals for the roles they assume, and lifting them to that level pays dividends for our entire industry.

If you believe in both bolstering the meritocracy and furthering gender equality (as I do), this should be your reaction. Positioning a meritocratic ideal as in opposition to equal representation is just veiled misogyny.

factsaresacred 15 hours ago 1 reply      
> It may take proactive behavior, like choosing a women over a man when growing your team, just because, or promoting women more freely.

'Just because' what? You're asking for 'more women excelling in the field' but promoting somebody just because isn't going to make them excel.

If, on the other hand, brilliant women were not being promoted 'just because' that would suggest a problem. But is this so?

rdtsc 15 hours ago 0 replies      
Great point on role models. I like https://en.wikipedia.org/wiki/Grace_Hopper. I can't tell how much she appeals to women but I find her inspiring. One thing I like about her is she worked within a huge bureaucratic organization, the Navy, and she figured out how to get things done. She is the one who came up with a principle of "It is easier to ask forgiveness than get permission".
Oxitendwe 15 hours ago 9 replies      
>The best way to improve the representation of women in the field is not to recruit them, important though that is, but to promote them. To create role models. To push them into positions of influence.

I find the idea that we should "push them into positions of influence" abhorrent. These are zero sum games, to give them a special advantage over any other demographic is to disadvantage another. This is antithetical to everything most people believe about fairness and equality. And what of the girls who learn that their role models have been given a handicap, pushed upwards beyond their skill by well-meaning but naive men? What sort of message will that send to them?

None of this is even mentioning the basic question of, what do we even get out of trying to "correct" disparities in employment demographics? How do we even know that women as a demographic have an equal interest in computer science to men? If they don't, what do we get out of "correcting" the disparity by giving them special treatment, handicaps, incentives, etc?

Pushing people into positions of influence based on their gender is nothing other than deeply sexist, discriminatory to people who don't need to be pushed, and should be absolutely unacceptable to anyone who actually cares about equality.

chroma 14 hours ago 1 reply      
The idea of publicizing more role models seems fine, but Pike crossed a line here:

> It may take proactive behavior, like choosing a women over a man when growing your team, just because, or promoting women more freely.

Doing this would violate the Civil Rights Act, which prohibits hiring discrimination based on, "race, color, religion, sex, or national origin".[1] I'm also sure such a practice would be extremely counterproductive.

1. https://www.law.cornell.edu/uscode/text/42/2000e-2

srssays 15 hours ago 2 replies      
Is 'diversity' selfish? Perhaps women/teenage girls aren't interested in becoming programmers, because they don't find it to be an interesting or fulfilling career.
tonyedgecombe 15 hours ago 1 reply      
"In my long career, I had never before been in a room like that, and the difference in tone, conversation, respect, and professionalism was unlike any I have experienced."

Back when I was contracting I visited a lot of sites, my heart would sink when it was an all male team, you just knew the tone would be different.

hd4 15 hours ago 11 replies      
This is a fine and good idea, as long as the central pillar is that we remain meritocratic first, everything else should come after that.
codewiz 2 hours ago 0 replies      
No mention of Margherita Hack?


ArkyBeagle 15 hours ago 1 reply      
The problem isn't gender per se; the problem is how we define success and how leadership works. We're up to our neck in all sorts of hubris sprung from the cultural emphasis on ambition at any cost. As Charlie Sheen might say, "Winning."[1]

[1] if you don't see his story as a parody, intentional or otherwise, look again...

But if diversity is your yardstick, then it's surprising how much better the military services are at it than tech. Indeed, if I were an ambitious woman, I am not sure that's not the path to take for tech.

chrismealy 15 hours ago 0 replies      
If you look at what happened in law and medicine (IIRC they're at about parity now, up from nearly zero women 50 years ago), things can change incredibly fast.
hkon 15 hours ago 5 replies      
I never hear people speak about fixing the nursing gender gap....
jeffdavis 13 hours ago 0 replies      
Do aspiring computer scientists and engineers look up to managers? If not, then how does promoting them help?
ryanmarsh 15 hours ago 0 replies      
"but it seemed to me that the difference stemmed from the demographics"

feminine social primacy != equality

Why is this part of the narrative of women in STEM? Do people not realize this language is counterproductive?

dominotw 15 hours ago 5 replies      
>Nor were they wallflowers.

what does wallflowers mean here?

definition 3 ? http://www.urbandictionary.com/define.php?term=wallflower

RodericDay 15 hours ago 1 reply      
> In my long career, I had never before been in a room like that, and the difference in tone, conversation, respect, and professionalism was unlike any I have experienced. I can't prove it was the presence of women that made the difference - it could just be that astronomers are better people all around, a possibility I cannot really refute - but it seemed to me that the difference stemmed from the demographics.

I feel exactly the same way. After undergrad, I assembled a board game group with my male friends. Some girls (girlfriends, invited drop-ins) became regulars, and for a long while, the group was pretty much 50/50. It had never been so good.

Eventually some things happened, people moved away, and eventually the group became 100% male, nerdy guys. It was a pale shadow of its own self. I eventually lost interest in it altogether, and we get together very infrequently now.

It had nothing to do with dating or romance. I never bothered figuring exactly what it was that made the group better. As far as I'm concerned, diversity for the sake of diversity is a noble goal.

Many other professional and educational anecdotes contribute to this last belief, not just this board game example, but it is representative.

alphapapa 14 hours ago 0 replies      
An interesting analogy: a workplace or professional field is like a jar of water. Injustice is like tinted water (injustice being hiring or promoting someone less qualified at the expense of someone more qualified). Some blue-tinted water has been added to the jar. There are two proposed solutions to fix the problem:

1. Add red-tinted water to the jar to counter-balance the existing blue-tinted water in the jar.

2. Add more clean water to the jar to dilute the blue-tinted water.

Question: Which solution would result in clearer water?

nielsabel 14 hours ago 2 replies      
"Science has been done without women for centuries, and it obviously worked." - Luboš Motl

Can we please just stop all this PC bullshit. Robo Pike obviously doesn't realize that the reason these women attending that meeting are so excellent is because there are so few of them. I.e. only those survived/came so far who have actual skills.

The same goes for computer science. The women who are really skilled and who really want to work in this field WILL work in this field. Which, of course, means there will be less of them. I mean, we already got enough incompetent men in software engineering/computer science. Do we really need to flood the field with incompetent women? And on top of that, celebrate their non-achievement of being a woman?

Regarding role models: why can't women simply choose a male role model? Is the gender of their role models really that much more important than their achievements? Shouldn't you look up to someone because, let's say, they are especially skilled in their field instead of their genitals? (Same goes for men choosing a female role model)

Look at it from the other way around: has any man in fashion ever complained about there not being enough male role models in fashion (a field clearly dominated by women)?

And the only ones who ever complained about impoliteness are women and effeminates. If you judge people by hurt feelings instead of actual skills, then you end up with shit like being banned from the golang community for pointing out that someone's English is incomprehensible!

If women have something to contribute to the respective field, then they are more than welcome. If not, then they can simply fuck off (just as all those incompetent men).

4ad 15 hours ago 9 replies      
> The best way to improve the representation of women in the field is [...] to promote them. [...] To push them into positions of influence.

I am all for equality in chances for all people, men and women, black and white, gay and straight, anything really, but this affirmative action "promote X because she is a woman" (or black, or XXX) is something I will fight against with all my being and all my forces until the day I die.

I strongly feel this type of insidious thinking is the most dangerous thing facing humanity today, worse than global warming, the united states, or global war. I will never be silent against this rampant so-called-positive sexism.

Id Software Programming Principles felipe.rs
250 points by philix001  20 hours ago   50 comments top 7
a3n 14 hours ago 9 replies      
> Write your code for this game only - not for a future game. You're going to be writing new code later because you'll be smarter.

This really stood out for me. I'm always tempted, while writing something specific, to generalize it. I try to resist that, when I recognize it. Writing a ThingThatImWritingFramework risks ThingThatImWriting never seeing the light of day, or never being used.

lubujackson 13 hours ago 0 replies      
It reads like a "get shit done" manifesto, and good rules of thumb for most programmers tasked with doing just that. Worth remembering that iD had some of the most advanced 3D and networking code for years and really pushed the envelope and the industry forward in many ways (first huge shareware company, first big company to allow mods, first big company to make code open source, etc.)

It is easy to slide into an OCD mindset when programming, to make things tidy and proper. It feels dirty to make stuff just work, to make stuff disposable, but evolution operates a lot like this - many little, reversible mistakes that add up to big improvements quicker than any other method.

kensai 14 hours ago 1 reply      
> Programming is a creative art form based in logic. Every programmer is different and will code differently. It's the output that matters.

This one is also nice, especially for mid to large software houses. As long as a common denominator is respected, I guess.

tluyben2 14 hours ago 0 replies      
Some of these things, like focusing on the task at hand and trying to be as simple as possible, not thinking too much about the potential futures is important to me. If all would do that maybe there would not be 1000s of weird half baked npms and such.
eps 12 hours ago 2 replies      
I'd be very curious to hear Carmack's take on this. After all Romero was making game levels, not the engines.
Hansi 12 hours ago 5 replies      
> "No prototypes. Just make the game. Polish as you go. Don't depend on polish happening later. Always maintain constantly shippable code."

I disagree with this so much, prototypes and proof of concepts teach you so much but usually they are crap you will always write it better a second time. Throw away the prototype and re-write it as a much better implementation.

partycoder 5 hours ago 0 replies      
He described how literally hundreds of projects were successfully completed in C, targeting multiple platforms, while being first to market with innovative technology, with a small team in a pre-Internet world.

These are achievements beyond belief.

Unofficial MySQL 8.0 Optimizer Guide unofficialmysqlguide.com
150 points by digitalnalogika  17 hours ago   17 comments top 8
javitury 14 hours ago 2 replies      
I was conflicted when I read "3. Most selective columns to the left":


Because I had previously read that it was a myth:


Both this guide and Use The Index Luke seem to be good resources. Later I realized that maybe the guide had listed these optimization tips in order of importance. After all "1. Leftmost rule" and "2. Ranges to the right" are the ones that affect the usability of the index the most. Then the seemingly opposite viewpoints converge.

morgo 11 hours ago 1 reply      
Author here. Thanks for linking to my guide :)

I'll be expanding it in the coming months as the new features in MySQL 8.0 are released. On my TODO is descending indexes, improvements to OPTIMIZER TRACE, Window functions, CTEs and expanding the info on character sets.

Suggestions/comments welcome!

wolf550e 15 hours ago 2 replies      
Does anyone have a good comparison between MariaDB 10.x and MySQL 8.0? Also, when will MySQL 8.0 be out? (The current version is "Not yet released, Development Milestone").
GrumpyNl 15 hours ago 0 replies      
That's some great info, thanks for the effort.
alashley 15 hours ago 0 replies      
Thank you for posting this, I've been wanting to further my knowledge of databases and database design.
caleblloyd 8 hours ago 1 reply      
Great write-up! Which of these features are new in 8.0 and not in 5.7?
compuguy 15 hours ago 1 reply      
I'm guessing this may also apply to MariaDB (MySQL fork) as well?
snissn 8 hours ago 0 replies      
I expected to see a postgresql migration guide
Brazil's Love Affair with Uber Has Been Ruined by Kidnapping, Robbery and Murder vice.com
110 points by MilnerRoute  12 hours ago   33 comments top 5
soneca 10 hours ago 2 replies      
I don't like Uber as a company, but I feel this journalist is trying to hurt the Uber brand more than reporting the facts and inform people.

Brazil has a very high crime rate. Our northeast capital cities (where Uber started to accept cash as customers were asking for this) are among the most dangerous in the world regarding murder rate.

The "express kidnapping" is very very common here in São Paulo.

If you consider the crime problem in Brazil, Uber is quite irrelevant on all of this. And it is fairly obvious that if you have a big enough operation here, crime will happen to you too.

I am not saying that Uber has no responsibilities in supporting its drivers and passengers (preventing before and supporting after the crime). But this story seems to just want to capitalize on Uber bad reputation.

And the title is quite exaggerated and click baity

aianus 10 hours ago 1 reply      
I don't see how Uber is special in this regard vs. traditional taxis. If you're willing to rob a taxi driver you can rob an Uber driver too and vice versa.

At least Uber gives the police more to go on during their investigation (GPS logs, ID info).

aml183 10 hours ago 2 replies      
I took Uber while I was in Rio. It was perfectly safe. Uber Black is much different in Brazil than it is in the United States. You aren't getting into an Escalade, but typically a Toyota or Honda. Also, you could only pay via credit card. Maybe this is limited to Sao Paulo, but most Brazilians I spoke to were happy that Uber was in Brazil.
alister 7 hours ago 3 replies      
> Recently, Uber announced that another layer of security would be added. Users who want to pay in cash must also provide their date of birth and CPF.

Uber is under pressure to do something, so they did something that is both ineffective and frustrating!

Name + CPF + birthdate is not an effective security measure in Brazil because anyone can find a valid combination on the web. And visitors to Brazil obviously won't have CPF numbers, so this security measure is going to be a hassle for them.

I'll explain a little bit more about why the CPF is so easy to discover and misappropriate:

Brazilians are asked for their CPF number everywhere. (The CPF is the Brazilian equivalent of the U.S. social security number.) You're asked for it when taking an inter-city bus, special ordering a book at a bookstore, or signing the register in a building lobby. Birthdate is asked less often but still much more commonly than in the U.S. The reason is often not for security but to disambiguate people.

In Brazil, 10% of the population has Silva as a last name[1]. An incredibly large percentage of people have Maria, Ana, Jose, Joao as first names. If you're American, a name like "John Smith" sounds so common that it's the subject of jokes ("you made up that name?"), yet you might not actually know any John Smith's. But a Brazilian probably knows a bunch of Maria Silva's, Jose Da Silva's, and Ana DaSilva's.

You need a way to reliably differentiate between two Maria Silva's, so Brazilians ask for the CPF (and sometimes birthdate). And universities and governments regularly publish lists with peoples' full names and their CPF numbers to show graduations, admissions, fines, licensing info, whatever. All you need to do is google for <any name> + CPF, and you can find thousands of PDF files with thousands of CPF numbers and birthdates (examples: [2][3]).

Furthermore, this is terrible for law-abiding visitors to Brazil because it becomes impossible to use services that demand a CPF number. For instance, as a visitor, you can't buy a ticket on any of the Brazilian airlines through the web[4]. The only exception is TAM (now LATAM) that has a portal for foreigners that charges 50-100% more than a Brazilian would pay for the same flight. I don't know how Uber has implemented their new security procedure, but I'm betting that it won't be convenient for visitors!

[1] https://en.wikipedia.org/wiki/List_of_most_common_surnames_i...

[2] https://www10.trf2.jus.br/ai/wp-content/uploads/sites/3/2015...

[3] https://www.esteio.rs.gov.br/documents/Editais/secretaria/SM...

[4] http://brazilsense.com/index.php?title=Booking_a_domestic_fl...

grumpynumpy 10 hours ago 2 replies      
Seems like Brazil is in dire need of electronic payments systems, like wechat.
Announcing the first SHA-1 collision googleblog.com
2993 points by pfg  2 days ago   484 comments top 73
nneonneo 2 days ago 5 replies      
The visual description of the colliding files, at http://shattered.io/static/pdf_format.png, is not very helpful in understanding how they produced the PDFs, so I took apart the PDFs and worked it out.

Basically, each PDF contains a single large (421,385-byte) JPG image, followed by a few PDF commands to display the JPG. The collision lives entirely in the JPG data - the PDF format is merely incidental here. Extracting out the two images shows two JPG files with different contents (but different SHA-1 hashes since the necessary prefix is missing). Each PDF consists of a common prefix (which contains the PDF header, JPG stream descriptor and some JPG headers), and a common suffix (containing image data and PDF display commands).

The header of each JPG contains a comment field, aligned such that the 16-bit length value of the field lies in the collision zone. Thus, when the collision is generated, one of the PDFs will have a longer comment field than the other. After that, they concatenate two complete JPG image streams with different image content - File 1 sees the first image stream and File 2 sees the second image stream. This is achieved by using misalignment of the comment fields to cause the first image stream to appear as a comment in File 2 (more specifically, as a sequence of comments, in order to avoid overflowing the 16-bit comment length field). Since JPGs terminate at the end-of-file (FFD9) marker, the second image stream isn't even examined in File 1 (whereas that marker is just inside a comment in File 2).

tl;dr: the two "PDFs" are just wrappers around JPGs, which each contain two independent image streams, switched by way of a variable-length comment field.
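
The comment-length switch nneonneo describes above can be reproduced on a toy file. This is an added example, not part of the comment or of the SHAttered authors' code: the helper names (build_file, walk), the image dimensions and the 72-byte layout are constructed for illustration, and one comment stands in for the chain of comments the real files need.

```python
import struct

SOI, EOI, SOS, COM, SOF0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xC0

def seg(marker, payload):
    """One marker segment; the 16-bit length counts itself plus the payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def image_stream(height, width):
    """Constructed stand-in for an image stream: SOF0, SOS, scan bytes, EOI."""
    sof = seg(SOF0, struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00")
    sos = seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return sof + sos + b"\x12\x34\x56" + bytes([0xFF, EOI])

def build_file(first_comment_len):
    """Constructed file; only the first comment's length field varies (4 or 8)."""
    s1, s2 = image_stream(100, 200), image_stream(300, 400)
    out = bytes([0xFF, SOI])
    out += bytes([0xFF, COM]) + struct.pack(">H", first_comment_len)  # offsets 2-5
    out += b"\x00\x00"                                                # offsets 6-7
    # Reached when the first length is 4: skips the next header, lands on s1.
    out += bytes([0xFF, COM]) + struct.pack(">H", 6)                  # offsets 8-11
    # Reached when the first length is 8: swallows s1 whole, lands on s2.
    out += bytes([0xFF, COM]) + struct.pack(">H", 2 + len(s1))        # offsets 12-15
    return out + s1 + s2

def next_marker(data, pos):
    """Skip entropy-coded scan data: stop at FF xx that is not stuffing or RSTn."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    raise ValueError("scan data runs to end of file")

def walk(data):
    """Walk the marker segments the way a decoder does and report what it meets."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI")
    pos, report = 2, {"dims": None, "comments": [], "trailing": 0}
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            # A decoder stops here; anything after it is never examined.
            report["trailing"] = len(data) - (pos + 2)
            return report
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        if marker == COM:
            # Third field: does this "comment" contain a start-of-scan marker?
            report["comments"].append((pos, length, bytes([0xFF, SOS]) in payload))
        elif marker == SOF0:
            _, height, width, _ = struct.unpack(">BHHB", payload[:6])
            report["dims"] = (height, width)
        pos += 2 + length
        if marker == SOS:
            pos = next_marker(data, pos)
    raise ValueError("no EOI marker")

if __name__ == "__main__":
    for first_len in (4, 8):
        print(first_len, walk(build_file(first_len)))
```

The two checks a scanner can take from this are the ones the report exposes: bytes left over after EOI, and comment segments whose payload contains scan markers.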

m3ta 2 days ago 4 replies      
To put things into perspective, let the Bitcoin network hashrate (double SHA256 per second) = B and the number of SHA1 hashes calculated in shattered = G.

B = 3,116,899,000,000,000,000

G = 9,223,372,036,854,775,808

Every three seconds the Bitcoin mining network brute-forces the same amount of hashes as Google did to perform this attack. Of course, the brute-force approach will always take longer than a strategic approach; this comment is only meant to put into perspective the sheer number of hashes calculated.

mabbo 2 days ago 15 replies      
One practical attack using this: create a torrent of some highly desirable content- the latest hot TV show in high def or whatever. Make two copies, one that is malware free, another that isn't.

Release the clean one and let it spread for a day or two. Then join the torrent, but spread the malware-hosting version. Checksums would all check out, other users would be reporting that it's the real thing, but now you've got 1000 people purposely downloading ransomware from you- and sharing it with others.

Apparently it costs around $100,000 to compute the collisions, but so what? If I've got 10,000 installing my 1BTC-to-unlock ransomware, I'll get a return on investment.

This will mess up torrent sharing websites in a hurry.

Edit: some people have pointed out some totally legitimate potential flaws in this idea. And they're probably right, those may sink the entire scheme. But keep in mind that this is one idea off the top of my head, and I'm not any security expert. There's plenty of actors out there who have more reasons and time to think up scarier ideas.

The reality is, we need to very quickly stop trusting SHA1 for anything. And a lot of software is not ready to make that change overnight.

cesarb 2 days ago 3 replies      
On a quick scroll of the comments, I haven't seen this posted so far: http://valerieaurora.org/hash.html

We're at the "First collision found" stage, where the programmer reaction is "Gather around a co-worker's computer, comparing the colliding inputs and running the hash function on them", and the non-expert reaction is "Explain why a simple collision attack is still useless, it's really the second pre-image attack that counts".

lisper 2 days ago 4 replies      
This point seems to be getting re-hashed (no pun intended) a lot, so here's a quick summary: there are three kinds of attacks on cryptographic hashes: collision attacks, second-preimage attacks, and first-preimage attacks.

Collision attack: find two documents with the same hash. That's what was done here.

Second-preimage attack: given a document, find a second document with the same hash.

First-preimage attack: given an arbitrary hash, find a document with that hash.

These are in order of increasing severity. A collision attack is the least severe, but it's still very serious. You can't use a collision to compromise existing certificates, but you can use them to compromise future certificates because you can get a signature on one document that is also valid for a different document. Collision attacks are also stepping stones to pre-image attacks.

UPDATE: some people are raising the possibility of hashes where some values have 1 or 0 preimages, which makes second and first preimage attacks formally impossible. Yes, such hashes are possible (in fact trivial) to construct, but they are not cryptographically secure. One of the requirements for a cryptographically secure hash is that all possible hash values are (more or less) equally likely.
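
To make the ordering in lisper's summary concrete, here is an added example (not from the thread) that runs a generic collision search and generic preimage searches against SHA-1 truncated to 16 bits; the truncation, the function names and the message strings are assumptions chosen so the searches finish in seconds. For an n-bit hash the generic collision search needs about 2^(n/2) attempts and the preimage searches about 2^n; the SHAttered collision came from cryptanalysis, not from this generic search.

```python
import hashlib
from itertools import count

BITS = 16  # assumption: truncate SHA-1 so the searches below finish quickly

def h(msg: bytes) -> int:
    """Toy hash: the first BITS bits of SHA-1(msg)."""
    return int.from_bytes(hashlib.sha1(msg).digest()[:4], "big") >> (32 - BITS)

def candidates(tag: bytes):
    """Endless stream of distinct constructed messages: tag-0, tag-1, ..."""
    for i in count():
        yield b"%s-%d" % (tag, i)

def find_collision():
    """Collision: the searcher chooses BOTH messages, so any repeat will do."""
    seen = {}
    for tries, msg in enumerate(candidates(b"doc"), 1):
        digest = h(msg)
        if digest in seen:
            return seen[digest], msg, tries
        seen[digest] = msg

def find_preimage(digest: int, exclude: bytes = None):
    """First preimage: only a digest is given; one specific value must be hit."""
    for tries, msg in enumerate(candidates(b"forged"), 1):
        if msg != exclude and h(msg) == digest:
            return msg, tries

def find_second_preimage(original: bytes):
    """Second preimage: a fixed document is given; match its digest with another."""
    return find_preimage(h(original), exclude=original)

if __name__ == "__main__":
    a, b, n = find_collision()
    print(f"collision after {n} tries: {a!r} / {b!r} -> {h(a):#06x}")
    original = b"pay 10 EUR to Alice"  # constructed sample document
    m, k = find_second_preimage(original)
    print(f"second preimage after {k} tries: {m!r} -> {h(m):#06x}")
```

Raising BITS by two roughly doubles the collision search and quadruples the preimage searches, which is the gap between the attack kinds that the summary describes.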

necessity 2 days ago 2 replies      
> If you use Chrome, you will be automatically protected from insecure TLS/SSL certificates, and Firefox has this feature planned for early 2017.

No need to wait. The option to reject SHA-1 certificates on Firefox is `security.pki.sha1_enforcement_level` with value `1`.


Other configs worth doing:

`security.ssl.treat_unsafe_negotiation_as_broken` to `true` and `security.ssl.require_safe_negotiation` to `true` also. Refusing insecure algorithms (`security.ssl3.<alg>`) might also be smart.

mate_soos 2 days ago 0 replies      
I am a bit saddened that Vegard Nossum's work, which they used for encoding SHA-1 to SAT, is only mentioned as a footnote. The github code is at


and his Master Thesis, whose quality is approaching a PhD thesis is here:


Note that they also only mention MiniSat as a footnote, which is pretty bad. The relevant paper is at


All of these are great reads. Highly recommended.

amichal 2 days ago 3 replies      
Linked http://shattered.io/ has two PDFs that render differently as examples. They indeed have same SHA-1 and are even the same size.

    $ls -l sha*.pdf
    -rw-r--r--@ 1 amichal staff 422435 Feb 23 10:01 shattered-1.pdf
    -rw-r--r--@ 1 amichal staff 422435 Feb 23 10:14 shattered-2.pdf
    $shasum -a 1 sha*.pdf
    38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-1.pdf
    38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-2.pdf

Of course other hashes are different:

    $shasum -a 256 sha*.pdf
    2bb787a73e37352f92383abe7e2902936d1059ad9f1ba6daaa9c1e58ee6970d0 shattered-1.pdf
    d4488775d29bdef7993367d541064dbdda50d383f89f0aa13a6ff2e0894ba5ff shattered-2.pdf
    $md5 sha*.pdf
    MD5 (shattered-1.pdf) = ee4aa52b139d925f8d8884402b0a750c
    MD5 (shattered-2.pdf) = 5bd9d8cabc46041579a311230539b8d1

anilgulecha 2 days ago 5 replies      
Big things affected:

* DHT/torrent hashes - A group of malicious peers could serve malware for a given hash.

* Git - A commit may be replaced by another without affecting the following commits.

* PGP/GPG -- Any old keys still in use. (New keys do not use SHA1.)

* Distribution software checksum. SHA1 is the most common digest provided (even MD5 for many).

Edit: Yes, I understand this is a collision attack. But yes, it's still an attack vector as 2 same blocks can be generated now, with one published, widely deployed (torrent/git), and then replaced at a later date.

Aissen 2 days ago 0 replies      
I love the fact that there is a tool for detecting any collision using this algorithm: https://github.com/cr-marcstevens/sha1collisiondetection

and it's super effective: The possibility of false positives can be neglected as the probability is smaller than 2^-90.

It's also interesting that this attack is from the same author that detected that Flame (the nation-state virus) was signed using an unknown collision algorithm on MD5 (cited in the shattered paper introduction).

korm 2 days ago 1 reply      
[2012] Schneier - When Will We See Collisions for SHA-1?


Pretty close in his estimation.

0x0 2 days ago 4 replies      
I'm trying to play with this in git. Added the first file, committed, and then overwrote the file with the second file and committed again. But even when cloning this repository into another directory, I'm still getting different files between commit 1 and 2. What does it take to trick git into thinking the files are the same? I half expected "git status" to say "no changes" after overwriting the first (committed) pdf with the second pdf?
SamBam 2 days ago 3 replies      
I'm confused by the "File Tester" at https://shattered.it/

It says "Upload any file to test if they are part of a collision attack."

When I upload either of their two sample collision documents, it says they are "Safe."

mikeash 2 days ago 3 replies      
For those of us who are totally clueless about the construction of these hash functions, what is the fundamental flaw in SHA-1 that allows this attack? How do newer hash functions avoid it?
mckoss 2 days ago 2 replies      
Computing a collision today costs about $100K from my reading of the paper. So most uses of SHA1 are protecting documents of far lower value, and would not be likely attack targets (today).
jasode 2 days ago 5 replies      
>Nine quintillion computations; 6,500 years of CPU; 110 years of GPU

Is there a rough calculation in terms of today's $$$ cost to implement the attack?

jeffdavis 2 days ago 1 reply      
Does git have any path away from SHA1?

I know the attack isn't practical today, but the writing is on the wall.

jgrahamc 2 days ago 7 replies      
How am I going to explain this to my wife?

Actually a serious question. How do we communicate something like this to the general public?

matt_wulfeck 2 days ago 0 replies      
> We then leveraged Google's technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed.

And this, my friends, is why the big players (google, Amazon, etc) will win at the cloud offering game. When the instances are not purchased they can be used extensively internally.

koolba 2 days ago 8 replies      
What's the impact to something like git that makes extensive use of SHA-1?

In their example they've created two PDFs with the same SHA-1. Could I replace the blob in a git repo with the "bad" version of a file if it matches the SHA-1?

korethr 2 days ago 2 replies      
So, since Git uses SHA-1, does this mean we're going to see a new major version number of Git that uses SHA-2 or SHA-3 in a few years?

I don't expect one overnight. For one, as noted, this is a collision attack, one which took a large scale of power to achieve. In light of that, I don't think the integrity of git repos is in immediate danger. So I don't think it'd be an immediate concern of the Git devs.

Secondly, wouldn't moving to SHA-2 or SHA-3 be a compatibility-breaking change? I'd think that would be painful to deal with, especially the larger the code base, or the more activity it sees. Linux itself would be a worst-case scenario in that regard. But, if it can be pulled off for Linux, then I'd think any other code base should be achievable.

userbinator 2 days ago 0 replies      
It's interesting to note that when the first MD5 collisions were discovered a bit over a decade ago, they were computed by hand calculation. Next came the collision generators like HashClash/fastcoll (remember these?) which could generate colliding MD5 blocks within a few seconds on hardware of the time. I wonder how long it will be before the same can be done for SHA-1, because it seems here that they "simply" spent a large amount of computing power to generate the collision, but I'm hopeful that will be reduced very soon.

As for what I think in general about it: I'm not concerned, worried, or even scared about the effects. If anything, inelegance of brute-force aside, I think there's something very beautiful and awe-inspiring in this discovery, like solving a puzzle or maths conjecture that has remained unsolved for many years.

I remember when I first heard about MD5 and hash functions in general, and thinking "it's completely deterministic. The operations don't look like they would be irreversible. There's just so many of them. It's only a matter of time before someone figures it out." Then, years later, it happened. It's an interesting feeling, especially since I used to crack softwares' registration key schemes which often resembled hash functions, and "reversing" the algorithms (basically a preimage attack) was simply a matter of time and careful thought.

There's still no practical preimage for MD5, but given enough time and interest... although I will vaguely guess that finding SHA-256 collisions probably has a higher priority to those interested.

rnhmjoj 2 days ago 2 replies      
About tor: if an attacker produces a public key that collides with the SHA-1 hash of someone else's hidden service, then he would still need to generate the corresponding RSA-1024 private key, which is infeasible as of today.

Is this correct?

orasis 2 days ago 2 replies      
"Today, 10 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision."

Huh? It's been around a lot longer than 10 years.

Asdfbla 2 days ago 0 replies      
Maybe just writing 2^63 would have been easier to interpret than that huge number in the context of cryptography. (Unless you assume this targets a non-technical audience, which I doubt.)

Pretty impressive, though. And worrying, because if Google can do it, you know that state-level actors have been probably doing it for some time now (if only by throwing even more computing power at the problem).

manwithaplan 2 days ago 1 reply      
Seeing how they ridicule MD5, I think they should have spent a bit more time on the proof PDFs, and have their MD5 digests collide also.
sah2ed 2 days ago 2 replies      
> "Today, 10 years after of SHA-1 was first introduced, ..."

That part from the original article seems to be missing something?

jwilk 2 days ago 3 replies      
> How did you leverage the PDF format for this attack?

> A picture is worth a thousand words, so here it is.

> http://shattered.io/static/pdf_format.png

This picture is meaningless to me. Can someone explain what's going on?

SadWebDeveloper 2 days ago 0 replies      
It's still quite impractical. I'm sure with some quantum computer or a custom ASIC built by those "super nerds" at the NSA it's possible, but for your general adversary aka "hackers" (skiddies IMHO) it will be infeasible.

What this means for all of you [developers] is to start new projects without SHA1 and plan on migrating old ones (if it's totally necessary, normally don't unless you use SHA1 for passwords).

A great resource for those who still don't know how or what hash to use is paragonie: https://paragonie.com/blog/2016/02/how-safely-store-password...

mtgx 2 days ago 1 reply      
Never forget: when Facebook, Twitter, and Cloudflare tried to slow-down SHA-1 deprecation:




I think Microsoft tried to do it too early on, but eventually agreed to a more aggressive timeline.

mrb 2 days ago 0 replies      
Related: someone claimed a 2.48 BTC (~2800 USD) bounty by using this SHA1 collision data: https://news.ycombinator.com/item?id=13714987
ktta 2 days ago 4 replies      
Here's a good blog about how SHA-1 works:


The biggest risk I see with this is how torrents are affected:


There's also a problem with git, but I don't see it being as susceptible as torrents:


zurn 2 days ago 1 reply      
Anyone have back of the envelope calculations for the cost of the CPU and GPU time?
yeukhon 2 days ago 0 replies      
How do you actually create a collision? The paper is beyond my level of comprehension. Are we going to see someone writing up an open source tool to allow one to generate another file with the same hash?
divbit 2 days ago 1 reply      
So good timing to have just started working on a sha3 version of git I guess...
wfunction 2 days ago 1 reply      
It's kind of odd that over 9 months ago it was known that Microsoft would stop honoring SHA-1 certificates starting from 1 week ago. Anyone know if this is just a pure coincidence? See https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecat...
tjbiddle 2 days ago 0 replies      
It should also be noted that their example files also have the same file size, in this case 422435 bits, after creating the collision - which I find fascinating!
polynomial 2 days ago 0 replies      
It appears they are using a 2^63 hash operation attack that has been well known for nearly a decade. (Brute force of SHA-1 is 2^69.)

I wonder why they did not use the 2^52 operation attack that Schneier noted in 2009?


mysterydip 2 days ago 2 replies      
Forgive my ignorance, but it seems a solution to collision worries is to just use two hashing algorithms instead of one. We have two factor authentication for logins, why not the equivalent for hashed things?

Give me the sha1 and md5, rather than one or the other. Am I wrong in thinking even if one or both are broken individually, having both broken for the same data is an order of magnitude more complex?

dingo_bat 2 days ago 1 reply      
> Hash functions compress large amounts of data into a small message digest.

My understanding of crypto concepts is very limited, but isn't this inaccurate? Hash functions do not compress anything.

They have an image too which says "<big number> SHA-1 compressions performed".

Seems weird to see basic mistakes in a research disclosure.

ratstew 2 days ago 1 reply      
I got a chuckle out of the binary diff. :)


Aissen 2 days ago 2 replies      
Anyone good enough in AWS pricing can reproduce the $100k pricing for one collision ? Using EC2 g2.xlarge instances I'm more at $2.8M.
mrybczyn 2 days ago 0 replies      
SHA-1 isn't broken until someone makes a multi step quine that hashes to the same value at every stage!

BTW quine relay is impressive: https://github.com/mame/quine-relay

bch 2 days ago 2 replies      
I wish there were sample documents, but if one had two computed hashes would this mitigate this SHA1-shattered flaw ? e.g. good_doc.pdf sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709, md5=d41d8cd98f00b204e9800998ecf8427e ? With the sample project I'm looking at (GraphicsMagick) on Sourceforge for example, it provides both SHA-1 and MD5 hashes...
RealNeatoDude 1 day ago 0 replies      
> Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates.

Why? Was it in anticipation of this attack specifically?

jqueryin 2 days ago 0 replies      
What's funny is Google still promotes SHA-1 in some of their APIs: https://developers.google.com/admin-sdk/directory/v1/guides/...
bobbyyankou 2 days ago 2 replies      
Can someone help me understand what the major distinction is between this accomplishment (SHAttered) and the same team's The SHAppening (2015)?

It looks like they did the same thing or something similar in 2^57.5 SHA1 calculations back then versus 2^63 SHA1 calculations this time.

imron 2 days ago 2 replies      
I wonder if there are any 2 single commits on Github from different repositories that have the same SHA1 hash.
RyanZAG 2 days ago 4 replies      
Is a 30 day disclosure period really enough for something like this? It's obviously not possible to 'fix' big systems that rely on SHA-1 such as git or github in only 30 days. Hardware devices that use SHA-1 as a base for authenticating firmware updates?
ianaphysicist 2 days ago 0 replies      
This is one of the reasons it is important to have multiple hash algorithms in use. Even when a collision can be triggered in two systems, it becomes markedly harder to trigger a simultaneous collision in other systems at that same point (payload).
goncalomb 2 days ago 1 reply      
https://security.googleblog.com : "This website uses a weak security configuration (SHA-1 signatures), so your connection may not be private."
icedchai 2 days ago 2 replies      
> "10 years after of SHA-1 was first introduced"

wasn't SHA-1 introduced in the 90's?

wickedlogic 2 days ago 0 replies      
Would providing multiple SHA-1's from both the whole and N subsections (or defined regions) of the byte stream make this impractical... or at this point is the cost just going to drop and make this not relevant?

Like a NURBS based sudoku multi-hash...

kyleblarson 2 days ago 0 replies      
What's the over/under on how long ago the NSA accomplished this?
rodionos 2 days ago 0 replies      
0xcde4c3db 2 days ago 2 replies      
If you trust a signer, does this attack do anything to invalidate their SHA-1-based signatures? Or is the scenario strictly an attacker generating both versions of the message?
e0m 2 days ago 0 replies      
10 million GPUs is not insane when you have a billion dollar security cracking infrastructure budget. Especially when you compare it to the rest of the cyber warfare budget.
pavfarb 2 days ago 1 reply      
Now I really wonder what will happen to Git we all know and love.
jmartinpetersen 2 days ago 0 replies      
Is it coincidental that GPUs on Compute Engine were announced recently? This seems like a nice burn-in test and it being completed should free up resources.
wapz 2 days ago 0 replies      
I don't know too much about hashing/encryption, but if you salt the sha-1 will this still be able to find a collision?
macawfish 2 days ago 0 replies      
So is this why Google asked me to type in my password this afternoon? Cause I was kinda cautious about that, but still did it...
Siecje 2 days ago 1 reply      
Is Mercurial impacted?
donatj 2 days ago 2 replies      
So from a security standpoint if my hash was a sha-1 concatenated to an MD5, how long would it be before they found a collision?
pix64 2 days ago 0 replies      
Is there any merit to using two hashing algorithms simultaneously particularly if the algorithms are very different in nature?
nurettin 2 days ago 0 replies      
"as google, we spent two years to research a way of generating sha-1 collisions and made quintillions of computations to generate an example" <- not very convincing or practical. It's like those japanese animes where the nerdy kid boasts about having computed your every move.
Lord_Yoda 2 days ago 1 reply      
As a consumer how do I identify sites which are vulnerable? What should I do to protect my data?
madhorse 2 days ago 1 reply      
"But MD5 is still okay right?" -Laravel Developer
kazinator 2 days ago 1 reply      
> In practice, collisions should never occur for secure hash functions.

That is mathematically impossible when reducing an N bit string to an M bit string, where N > M.

All hashes have collisions; it's just how hard are they to find.

yuhong 2 days ago 0 replies      
identical prefix, not chosen prefix. I was more interested in an SHA-1 collision ASIC.
Zhenya 2 days ago 0 replies      
It's telling/ironic that the google security blog will not display the text without javascript enabled.
bekimdisha 2 days ago 0 replies      
but ... but .... half of the web is no longer secure? ... :D
Lessons from the History of Attacks on Secure Hash Functions z.cash
104 points by luu  16 hours ago   27 comments top 5
zackmorris 15 hours ago 6 replies      
From what I understand, the Feb 23rd SHA-1 attack was possible because they figured out how to get the internal state (160 bits or 5 words of 32 bits) to match from two separate pieces of data. After that, additional data could be appended to the first two pieces as long as it was identical.

The internal state would play back the same sequence from there on, just like two random number generators starting from the same seed.

Here is a comparison of internal state sizes:


SHA-256 is susceptible to this same flaw, it would just take longer because it has about 128 bits of security instead of less than 80 for SHA-1. It looks like only SHA-3 really "gets it" with a 1600 bit state size.

After all of the effort put into making highly pseudo-random hash functions, it's a wonder that the state size was only the size of the hash. By comparison, Mersenne Twister's state size is 19937 bits (624 words of 32 bits minus 31 bits):


Does anyone know why hash algorithms keep using such small state sizes, leaving us vulnerable to this same issue?
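
Added example (not part of any comment on this page): the point above that two inputs reaching the same internal state stay collided under any identical suffix, and the earlier question of why git still treats two colliding files as different, both follow from the Merkle-Damgård construction. The sketch uses a constructed toy hash with a 32-bit state (truncated SHA-256 as the compression function; `toy_hash`, `find_state_collision` and `toy_git_id` are illustrative names) so that a collision can be found in seconds, and real SHA-1 for git's `blob <size>\0` object header.

```python
import hashlib

BLOCK = 16            # toy block size in bytes (SHA-1 uses 64)
STATE = 4             # toy internal state: 32 bits (SHA-1 has 160)
IV = b"\x00" * STATE  # constructed initial value for the toy hash


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(state || block) cut to 32 bits."""
    return hashlib.sha256(state + block).digest()[:STATE]


def pad(msg_len: int) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 8-byte length."""
    zeros = (-(msg_len + 1 + 8)) % BLOCK
    return b"\x80" + b"\x00" * zeros + msg_len.to_bytes(8, "big")


def toy_hash(msg: bytes) -> bytes:
    """Iterate the compression function over the padded message."""
    data = msg + pad(len(msg))
    state = IV
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def find_state_collision():
    """Birthday search for two distinct one-block messages that leave
    the toy hash in the same internal state (about 2**16 tries)."""
    seen = {}
    i = 0
    while True:
        block = i.to_bytes(BLOCK, "big")
        state = compress(IV, block)
        if state in seen:
            return seen[state], block
        seen[state] = block
        i += 1


def git_header(content: bytes) -> bytes:
    """Header git prepends to file content before hashing a blob."""
    return b"blob %d\x00" % len(content)


def toy_git_id(content: bytes) -> bytes:
    """Toy hash over header + content, mirroring git's blob id layout."""
    return toy_hash(git_header(content) + content)


def raw_sha1(content: bytes) -> str:
    """What `sha1sum file` reports."""
    return hashlib.sha1(content).hexdigest()


def git_blob_id(content: bytes) -> str:
    """What `git hash-object file` reports (real SHA-1)."""
    return hashlib.sha1(git_header(content) + content).hexdigest()


if __name__ == "__main__":
    a, b = find_state_collision()
    suffix = b"identical trailing data"
    print("distinct inputs:       ", a != b)
    print("same toy hash:         ", toy_hash(a) == toy_hash(b))
    # Same state + same remaining input => same final state.
    print("same with suffix:      ", toy_hash(a + suffix) == toy_hash(b + suffix))
    # The header shifts the data and changes the state the colliding
    # block is fed into, so the collision no longer applies.
    print("same under git header: ", toy_git_id(a) == toy_git_id(b))
    print("sha1 of empty file:    ", raw_sha1(b""))
    print("git id of empty file:  ", git_blob_id(b""))
```

A collision that survives git's header has to be computed with that header as part of the common prefix; a pair built for the raw file bytes only matches under plain `sha1sum`.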

hannob 16 hours ago 3 replies      
> Another interesting pattern that I perceive in these results is that maybe sometime between 1996 (Tiger) and 2000 (Whirlpool), humanity learned how to make collision-resistant hash functions,

I actually feel that this can be even more generalized: At some point people learned to create unbreakable algorithms. There is literally no mainstream crypto algorithm beyond the 2000s that has seen any significant breakage. And very likely there never will be, with one exception: quantum computers will break modern ECC.

I think there's simply a dark age of crypto research with 90s algos and earlier. Which isn't surprising: Back then people were fighting whether it's even legal to do that kind of research.

tromp 15 hours ago 1 reply      
The broken SPHINCS links should perhaps point to the paper https://sphincs.cr.yp.to/sphincs-20150202.pdf
chronial 10 hours ago 2 replies      
> Hash-based digital signatures are secure (resistant to forgery) as long as the hash function they are built on has second-pre-image resistance

I am not very experienced with this, but isn't this clearly wrong?

If I have a controllable collision (like SHA1), I can get someone to sign document A, then destroy all evidence of document A's existence and claim they signed document B.

Isn't it essential that a digital signature scheme is immune against such an attack?

loup-vaillant 8 hours ago 0 replies      
ed25519 is listed as sensitive to hash collision.

I believe that's an error: the official site puts "collision resilience" in the list of features.

(1) http://ed25519.cr.yp.to/

FCC weakens net neutrality rule in a prelude to larger rollbacks techcrunch.com
534 points by vivekmgeorge  1 day ago   297 comments top 24
guelo 1 day ago 3 replies      
I hate these types of articles that provide extensive quotes and even a screenshot of part of the pdf, but refuse to link to the actual documents. It's probably an advertising thing where they don't want people to leave the site.

The actual statements are available here https://www.fcc.gov/document/fcc-addresses-unnecessary-accou...

tomelders 1 day ago 3 replies      
Understandably, the conversation in here revolves around the technicalities and semantics of net neutrality. But this isn't an issue of technology. It's a political issue, or worse, an ideological issue. It's not about the empirical truths of net neutrality, or the collective intent of those who created, and those who continue to develop the technology that has woven itself into the fabric of humanity. It's about ideologues imposing their ideals on every facet of our lives, regardless of the facts.

The sad fact is, this is yet another grim attack on net neutrality by nefarious agents who see the web as something to be dominated and bent to their will exclusively for political and economic gain.

Like it or not, the work we do is going to become highly politicised. Are we ready for this? Do we have the moral fortitude to resist the influence that fuzzy, sloppy, and emotive politics seeks to have on our discussions?

I think back to how we handled the Brendan Eich debacle. I (regretfully) came down on the punitive side of that argument. And I participated in that debate with a level of anger and vitriol that embarrasses me now. But whichever side you took, there's no doubt that for a brief moment we were deeply divided. The Brendan Eich story was a flash in the pan compared to what is about to happen.

Should we engage in political debate, or should we avoid it? Can we buck the trend and participate in political debate in a way that doesn't tear us apart, or should we ignore it as it happens around us and impacts upon our lives and work? Or is there a path between the extremes, where we can be neither ignorant to our political leanings nor beholden to them?

I don't dare offer any advice on how we should prepare ourselves for what is about to come, I just hope we can all think about how we hope to respond before it happens.

One thing I will say though, being someone prone to highly emotional reactions in all aspects of my life; developing software in teams has taught me the value of "strong opinions, weakly held".

morgzilla 1 day ago 4 replies      
I can see how a bit of outrage about this is how the NRA got to the place it is today. This by itself isn't that meaningful, but anything can be politicized, turn public opinion and gain momentum. That's why the NRA's position is to say NO to any kind of gun regulation, because they know that's how you ensure guns are made available and gun culture is for sure secure.

In the tech community I see people rising up against any kind of movement against net neutrality. And I do not want to see it erode. But I worry that by becoming averse to any reversal, any compromise, the community's stance will eventually be so politicized that it is just another part of the unreasonable and ultra biased political landscape that grinds progress to a halt.

jerkstate 1 day ago 13 replies      
Does anyone with a strong understanding of internetworking, peering and transit contract negotiation actually believe that "net neutrality" is possible? traffic shaping of saturated links seems like a necessary outcome to not undermine the smaller users (i.e. low bandwidth communications) that are impacted by heavy users (i.e. video streaming) if two peering parties can't come to terms on cost sharing for link upgrades.
seibelj 1 day ago 3 replies      
I know several people who are highly involved with the FCC, telecom industry, and telecom law that think that "network neutrality" is just 2 words. Until 1970, and only because of lawsuits, it was illegal to connect anything to your phone line. You could get any phone you wanted from Ma Bell as long as it was black.[0] If you wanted a different color you had to pay extra. It took force to make Ma Bell and the FCC allow you to plug in your own phone, your own computer, etc. The FCC supports monopolies, if you want competition you should applaud the deregulation of telecom.

[0] https://en.wikipedia.org/wiki/Model_500_telephone#Ownership_...

woah 1 day ago 1 reply      
I asked this in another thread a few days ago, but why are edge servers and CDNs not a violation of "net neutrality"? If you've got an edge server on an ISP, and are paying extra for a leased line from your main data center to that server, you are effectively paying the ISP an additional fee for priority over other traffic on their hardware.
subverter 1 day ago 9 replies      
This raises the limit on the number of subscribers a provider can have before regulation kicks in. In other words, a larger number of smaller providers have one less regulation to worry about.

Isn't more competition among providers what we want? Shouldn't we be doing everything we can even if it's saving 6.8 hours per year in regulatory compliance to help these smaller guys be able to take on these horrible behemoths like AT&T and Comcast?

ryandrake 1 day ago 0 replies      
Article didn't load for me:

ERROR: TechCrunch is not part of your Internet Service Basic Web pack. For an extra $29.99 a month you can upgrade to Internet Service Extreme, offering access to over 50 more web sites!

Crye 1 day ago 1 reply      
Let me put my hat in the ring here.

Deregulation of access to consumers will result in cheaper internet and most likely faster internet speeds. However, it will concentrate power to those who already have it. Large ISPs will charge heavy bandwidth companies and only the largest heavy bandwidth companies will be able to afford the fees.

Those heavy bandwidth companies paying the fees will recoup the money through advertising. Remember newspapers and large TV media companies make the majority of their money through advertising. When companies rely on advertising, the users are no longer the customers. They are the product.

Further protecting the companies which rely on advertising will allow those companies to focus less on the customers and more on the advertisers. Companies relying on the allegiance of advertising will naturally shape their political standing to views of the advertisers. Remember also that advertisers are not paying for just eyeballs, but they are all paying for control. If a company starts moving away from their advertisers' political ideology they will lose revenue. Net Neutrality will ultimately give more control to companies that already hold power.

Just my two cents...

rebase 15 hours ago 0 replies      
I'd like to add the only optimistic response I can think of. The only benefit of deregulation is the opportunity for disruption of monopolies. Especially so in a landscape of tech.

If provider A starts providing terrible bandwidth, incredibly high prices, and terrible service, it means that provider X has a lucrative opportunity to provide better bandwidth, better prices, and great service.

I hope these rules aren't used to help entrenched monopolies, but provide a ripe opportunity for the space to innovate.

I hope these rules will be on the wrong side of history, but there is little stopping anyone from using the free market to their advantage.

dopamean 1 day ago 3 replies      
Why is the FCC against net neutrality?
Pica_soO 1 day ago 0 replies      
I wish we had a slow, but high bandwidth alternative to the web in public hands. The problem is the infrastructure.. if there was a way to create a gnu ad-hoc wifi network between every home hotspot - at least within a city, the web neutrality could be restored.
VonGuard 1 day ago 3 replies      
This is the end. If we think this guy's gonna listen to the people, we're completely wrong.
wav-part 1 day ago 1 reply      
Is not net-neutrality better handled by IANA ? If you are going to call your router "internet", you must treat all IP packets equally. Seems like reasonable terms to me. Afterall this is the property that made Internet what it is today.
fallingfrog 1 day ago 1 reply      
I suppose one way to enforce net neutrality might be to route all traffic through TOR.. that might mess up the caching for a service like Netflix though. (Could someone who knows more than I do comment on that?)
lacroix 1 day ago 0 replies      
The FCC won't let me be
rocky1138 1 day ago 2 replies      
Can't we just create our own local Intranets using Ethernet cables running around cul-de-sacs?

Mine connects to yours which connects to his which connects to hers. Eventually we'll have formed a network.

bobbington 1 day ago 0 replies      
Internet is plenty fast. Companies need to disclose what they are doing to customers, but government shouldn't regulate it
beatpanda 1 day ago 3 replies      
How long until access to the open internet costs extra?
pasbesoin 1 day ago 0 replies      
Google Fiber got to a couple of nearby communities before they put the brakes on.

I'm left hoping that's close enough to branch out wireless service in short order.

Otherwise, I'm left screwed, between an AT&T that refuses to upgrade its local network (and it's a dense, accessible, suburban neighborhood -- hardly the boonies), and a Comcast that has doubled its rates for basically the same service. Both with caps that will quickly look increasingly ridiculous in the face of the wider world of data transfer.

We'll be back to them insisting on big bucks for asymmetric streaming of big-brand content, with increasing pressure to make that their content (a la data-cap exemptions, etc.)

transfire 1 day ago 0 replies      
This issue could well turn out to be Trump's Achilles heel. If they go too far, the engineers that actually make the Internet work can easily bring the whole shebang down in protest -- and the world is so addicted to the Internet at this point the outrage would be deafening. And if Trump is too proud to back down...
nicnash08 1 day ago 3 replies      
bobbington 1 day ago 0 replies      
Leave it alone. Stop demonizing the companies that give Internet.
boona 1 day ago 1 reply      
If Trump also continues with his plan to deregulate as well, I'm of the opinion that this is great news. This could make Google Fiber and other similar undertakings much more viable. It always gives me the heebie-jeebies when government takes strong control over an industry. This is especially true in the case of the FCC where their original mandate went from regulating airwaves, to regulating the content of said airwaves.
Using Ordered Markov Chains and User Information to Speed Up Password Cracking fsecurify.com
138 points by Faizann20  19 hours ago   50 comments top 6
mattcoles 17 hours ago 1 reply      
Seems like randomly generated passwords kept in a password manager are the way to go then, too much risk in letting our personal details bias password choices.
Faizann20 18 hours ago 0 replies      
geezk7 16 hours ago 0 replies      
Another way is to use probabilistic graphical models. The paper "Personalized password guessing: A new security threat" addressed this threat several years ago.


matrix2596 18 hours ago 3 replies      
Nice idea! Can anyone point to the data? Maybe we can try an RNN to generate the passwords.
gravypod 14 hours ago 1 reply      
Can we make a characteristic scoring metric to help order password cracking attempts? Is there a standard distribution of characters in passwords that can be analyzed?
Faizann20 19 hours ago 2 replies      
Apologies guys. The link will be up within a few minutes.
DNA tests show Subway sandwiches could contain just 50% chicken cbc.ca
209 points by sigmaprimus  13 hours ago   202 comments top 31
TheCoreh 12 hours ago 10 replies      
> The majority of the remaining DNA? Soy.

The headline got me sorta terrified, imagining what sort of repugnant, monstrous creature was being ground and mixed into my Subway sandwich. Good to know at least it's just soy.

WheelsAtLarge 12 hours ago 3 replies      
Subway has become the supplier of subs at the lowest cost. What this means is that bean counters dictate what the subs contain. It's never top line products and they add fillers wherever they can without killing the flavor 100%.

It's not a surprise that they use soy. It's just unfortunate that they have to get to this point.

I don't know if it's universal but my local subway has reduced the diameter of the bread rolls. Yes, they are 12 inches in length but they are smaller overall. Another cost cutting step that will eventually hurt them.

jacquesc 12 hours ago 3 replies      
As someone who eats these fake chicken sandwiches occasionally, can't say I'm surprised. I always assumed these things were the equivalent of chicken hot dog patties or something. Don't know why people eat these things... oh ya -- it's the only food place open in SF SOMA late night.
averagewall 1 hour ago 0 replies      
50% of the DNA is soy doesn't mean 50% of the mass of food is soy or 50% of the volume is soy. It could be that the DNA is the major part of the soy that's included while the chicken has all sorts of non-DNA components like the rest of the cells and fat.

This story is quite inconclusive and that result could mean anything.

minaguib 12 hours ago 2 replies      
What exactly are people expecting when they order these things ? Are they unable to tell the texture is plasticky and highly processed, unlike normal "stringy" chicken meat you prepare at home ?
smsm42 11 hours ago 5 replies      
Well, soy is not the worst it could be. If it doesn't affect the taste too much, I wouldn't actually mind it. OTOH, I've eaten in some vegetarian places which make faux chicken, faux beef, faux shrimp etc. which taste pretty much like (at least some variations of) the real thing. As a meat lover, I was surprised how close they are to the real thing, I now believe with some effort at least most of the common meat usage can be substituted away. Of course, there's still a difference - they are not as good as a real quality juicy steak - but they are closer than I thought they could be.

Another thing - I'm not sure I understand what "50 percent chicken DNA" means. It can't be literally DNA - specifically DNA is a minuscule percentage of the overall cell mass. Do they mean of all DNA samples 50% are chicken DNA and another 50% is other DNA? That'd ignore all ingredients that don't have DNA at all. Or do they mean 50% of the whole piece is chicken cells which are identified by their DNA, and another 50% of the mass is something else? I'd very much like to know what exactly they tested and how.

TamDenholm 12 hours ago 0 replies      
I'm certainly not surprised, I don't have an issue with them putting soy in the chicken, the only issue I have is them advertising as just "chicken", if they instead advertised it as chicken + soy, then I'd be totally fine with it.
isaac_is_goat 11 hours ago 0 replies      
Subway chicken is absolute garbage. When my Gardein Vegan mock-chicken (made of mostly soy, no less!) tastes better than their "actual chicken", there's a problem.
ashildr 11 hours ago 1 reply      
> only about half chicken DNA.

Maybe I'm a little dense here, but that reads very strange to me and does not seem to make any sense. A burger made of 50g chicken and 50g poly styrene would still contain 100% chicken DNA.

How much DNA (in what metrics?) does a gram of chicken contain compared to a gram of soy?

tyteen4a03 12 hours ago 0 replies      
In the UK, the chickens contain 84% chicken with starch fillers: http://www.mirror.co.uk/news/weird-news/subway-employee-reve...
noobermin 12 hours ago 0 replies      
Before I had a heart attack, finding out the rest soy gave me a little more sanity. I'd hate to find out it was something more sinister. Not that false advertising isn't bad.
pkaye 12 hours ago 1 reply      
Ack just a few months back I started getting IBS symptoms and figured out I'm intolerant to soy, dairy and some spicy stuff. I end up having to make a lot of stuff myself because I can't trust what is made in restaurants.
tomcam 10 hours ago 0 replies      
This is actually excellent news. If you're vegan, just eat half the sandwich and you're still OK!
ChuckMcM 10 hours ago 0 replies      
It's interesting that corporate had a different notion. So perhaps down on the line somewhere, someone is mixing in big bags of tofu into the chicken parts grinder and boosting their profit by selling it as 100% chicken. At least one of the Parmesan/sawdust suppliers was the culprit (that and lax oversight by the buyer).

Always a challenge when the fitness test becomes 'cost' rather than 'quality' how many things can be snuck in there.

WildUtah 3 hours ago 0 replies      
Recipe inspired by Buffy The Vampire Slayer. Lots of hinting that fast food demons were eating people, but the eldritch secret of the Doublemeat Palace episode (2001) was that the Doublemeat Medley sandwich contained no meat whatsoever.
Coincoin 8 hours ago 0 replies      
Does 50% chicken DNA mean it's proportionally made of 50% chicken? I would be very surprised if DNA concentration was in any way proportional to actual volume or weight concentration, especially if you compare plant DNA to animal DNA.
_Codemonkeyism 3 hours ago 0 replies      
One is reminded of the "The Wing or the Thigh" scene in the food factory.
Drumlin 12 hours ago 2 replies      
I've only been to a Subway outlet once and was amazed by how much of it was processed meat - a relative said the same recently. Go into a good independent sandwich shop and all the meat will be unprocessed (except where expected) and you get more options like unusual cheeses. Subway has taken what was already a fast food (the sandwich) and made it even more generic.
Preemo 12 hours ago 5 replies      
I'm amazed so many people are fine with the other ingredient being soy; I could go on for hours as to why that's among the worst things to be substituted with.

-95% of soy in the US is GMO, lacking any genetic variance and little make-up of microorganisms (good bacteria.)

-It's also a horrible source of fats, and more in particular the omega-6 to 3 ratio is incredibly hostile to basic function on the cellular level. There's also next to zero amino acids. (Think cancer risk, immune diseases, hormone disruption.)

-It's basically a carbohydrate. Considering a significant number of most of these soy-containing foods are carbs to begin with, it's just another contributor to our diabetes/obesity, cancer and most importantly, MENTAL HEALTH epidemics. (Mental health pertaining to the poorly balanced diets, poor fats and lack of good gut microflora.)

It's alright to look at these foods as a once-in-a-while treat, but when you consider that nearly every processed food item is 'enhanced' with soy to make it cheaper and still somewhat satiating is a concerning thought to just have these every so often. Rice's from Uncle Ben's, Kraft peanut butter, margarines and nearly all processed meats and cheeses contain significant amounts of soy ("Vegetable Oils").

This is the current state of food created by the lobbyist-run FDA and various companies like Monsanto controlling the market for their own greed under the excuse of 'feeding the growing population.'

jhwhite 11 hours ago 0 replies      
When I do go to Subway I get the roasted chicken sandwich. Doubt I'll be doing that anymore.

I wish they had tested Chick-Fil-A.

LoonyBalloony 11 hours ago 0 replies      
Reminds me of when Taco Bell had to call their meat "b33f" until they added more meat to their meat.
kevin2r 6 hours ago 0 replies      
And you need a DNA test to know this, just by how it looks isn't comparable with a real piece of chicken meat.
ArtDev 1 hour ago 0 replies      
When I used to eat at Subway, I liked that the meat was mostly soy. It is very obvious.

But then I got bad food poisoning at a Subway, and the weird Subway "bread" smell makes me gag still to this day.

elchief 11 hours ago 1 reply      
Well at least they got rid of the yoga-mat compound azodicarbonamide in the bread
musesum 11 hours ago 0 replies      
Would rather have my chicken vat grown. Will try any cloned meat up to but not including "Wendy Meat" (as per Rudy Rucker's novel Freeware)
shmerl 5 hours ago 0 replies      
The title reminds me of the scene in Demolition Man.
mrfusion 10 hours ago 1 reply      
Think about it. If this tastes ok it might be a really easy way for everyone to become 50% vegetarian with no effort.
dopeboy 11 hours ago 0 replies      
I've stopped buying their chicken. Now I know why.

Instead, I'll buy a veggie sandwich and bake a chicken breast myself.

sersi 11 hours ago 0 replies      
Just an anecdote. I used to love chicken as a kid but lived in the countryside and my parents used to buy free range chicken at the next door farmer.

I then came to the US to study 10 years ago, ate a chicken sandwich in a subway, got sick and since then I can't eat any kind of chicken without being disgusted. So, yes, it doesn't surprise me.

horsecaptin 7 hours ago 0 replies      
Reminds me of Chris Porter's routine about Taco Bell: https://www.youtube.com/watch?v=JuBGPylPVIU
andrewclunn 9 hours ago 0 replies      
Why would you mislead me Jared? I trusted you!
Why is there ancient Greek text on Afghan banknotes? llewelynmorgan.com
91 points by blinskey  16 hours ago   15 comments top 3
kalamaya 5 hours ago 1 reply      
Afghan here.

When I was a kid, my dad would tell me about our clan's origin story.

Basically, as Pashtuns (and some other ethnicities mixed in there), we trace our origins to Ancient Greece, and not just that, but as descendants of great Greek conquerors who came and eventually settled on that land. Our origin story is all oral (since my dad told me, and his dad told him, etc. etc. down the generations), so I am not sure how to corroborate them, but various things of the Afghan culture are linked to practices from Greece, etc.

I remember listening to his stories as a kid and not really caring, but now that I am older, they are really quite interesting!

coldtea 15 hours ago 1 reply      
Err, because Afghanistan was conquered and became part of the hellenistic kingdoms created by Alexander the Great?
dsfyu404ed 5 hours ago 0 replies      
TL;DR It had something to do with a random dude named Alex
       cached 26 February 2017 11:02:02 GMT