hacker news with inline top comments    .. more ..    14 May 2017 News
Space-Efficient Construction of Compressed Indexes in Deterministic Linear Time arxiv.org
129 points by luu  7 hours ago   20 comments top 6
pzh 4 hours ago 2 replies      
Can somebody who read the paper in depth comment on whether the result is practical or not? Since it's a TCS paper, it's hard to gauge whether the constant factors are palatable or not, and there are many theoretical CS papers that give asymptotically optimal or significantly improved algorithms that have astronomical constant factors (e.g. matrix multiplication, etc.)
zitterbewegung 7 hours ago 0 replies      
This looks really awesome. According to Google Scholar it went through peer review. Seeing that it would improve compression (linear time LZ77) would be cool, but not only does it do that, it also computes search index data structures. https://scholar.google.com/scholar?hl=en&q=Space-Efficient+C...
wolf550e 7 hours ago 2 replies      
It will take me a while to read the paper. I saw there is no code inside. Do they have code that improves LZ parsing as used in all general purpose compressors? If they don't have code, can their algorithm be implemented to improve performance of zstd or lzma?
visarga 6 hours ago 1 reply      
I used to play with suffix arrays a long time ago. I wanted to accelerate grep on a gigabyte text file. The tool was called "sary" (short for suffix array) and still exists on a forgotten SourceForge page. Good tool, it was able to find any substring in a huge file instantly.
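The "find any substring in a huge file instantly" behaviour visarga describes comes from binary-searching a suffix array; this is an added example (not sary's code and not from the paper) with a naive construction standing in for the linear-time one the paper is about.

```python
def build_suffix_array(text):
    """Suffix array of text: every suffix start offset, sorted by suffix content.

    Naive O(n^2 log n) construction (sorts the actual suffix strings) to keep the
    idea visible; the paper above is about doing this in linear time and small space.
    """
    return sorted(range(len(text)), key=lambda i: text[i:])


def _bound(text, sa, pattern, strict):
    """Binary search over the sorted suffixes, comparing only the first len(pattern)
    characters of each suffix. strict=False returns the first suffix whose prefix is
    >= pattern, strict=True the first whose prefix is > pattern."""
    m = len(pattern)
    lo, hi = 0, len(sa)
    while lo < hi:
        mid = (lo + hi) // 2
        prefix = text[sa[mid]:sa[mid] + m]
        if prefix < pattern or (strict and prefix == pattern):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_all(text, sa, pattern):
    """All start offsets of pattern in text, in increasing order.

    Two binary searches cost O(|pattern| log n) however large text is, which is
    why a prebuilt index answers substring queries on a huge file at once.
    """
    if not pattern:
        return []
    first = _bound(text, sa, pattern, strict=False)
    last = _bound(text, sa, pattern, strict=True)
    return sorted(sa[first:last])


def count(text, sa, pattern):
    """Number of occurrences without materialising the positions."""
    if not pattern:
        return 0
    return _bound(text, sa, pattern, True) - _bound(text, sa, pattern, False)


if __name__ == "__main__":
    # Constructed input; a real index is built once over the whole file.
    t = "banana_bandana"
    sa = build_suffix_array(t)
    print(find_all(t, sa, "ana"), count(t, sa, "an"))
```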
burntrelish1273 4 hours ago 0 replies      
Does this imply zlib and gzip may be able to be patched to reduce memory usage and runtime?
wfunction 5 hours ago 3 replies      
Anybody going to implement this and share it open-source? :)
The Brain Can Only Take So Much Focus hbr.org
197 points by prostoalex  11 hours ago   26 comments top 10
alexpetralia 9 hours ago 3 replies      
The science behind "ego depletion" is at the very least controversial, namely because the effect has not been reproduced in subsequent experiments.

* Wikipedia provides a good summary of replication attempts: https://en.wikipedia.org/wiki/Ego_depletion#Reproducibility_...

* Slate covered the topic here: http://www.slate.com/articles/health_and_science/cover_story...

* And here is a recent, large replication study: http://journals.sagepub.com/doi/full/10.1177/174569161665287...

As a result, I would hesitate before using "ego depletion" as an excuse for rationalizing a lack of self-control (eg. giving into "cheat foods" or being irritable/impulsive). Whether or not "ego depletion" is real, science has not yet adequately validated the theory.

Moreover, there is a risk to accepting the theory as true: because one believes in "ego depletion," one can rationalize a lower degree of self-control, which may have been higher otherwise. This creates a self-fulfilling prophecy.

I think it is fair to assume that, given the current research, "ego depletion" is no more than a reasonable hypothesis. It is possible that willpower may not fit the "finite resource" model at all.

zitterbewegung 9 hours ago 1 reply      
I find that I will lose and gain focus throughout the day when I have a task where I don't know what to do next. When I do have energy I will try to push past it. After a while though I start reading HN. The amount of time I will read HN depends on an ever decreasing amount of energy. After about 3-5 times of losing focus and not making progress I will spend increasingly longer on the site.

From the website I am practicing mindfulness throughout the day since I have my Apple Watch (through the Breathe app). I think mindfulness would be good for hackers. On physical tasks you could lift weights but on mental tasks your goal is probably reducing anxiety or frustration. Or preserving flow (Pomodoro supposedly does this but I could never get into it).

On the other hand if I get a good flow going and I am uninterrupted I will probably forget to check HN and I will continually work until I do get stuck even if that happens.

markpapadakis 1 hour ago 0 replies      
"Focus is a matter of deciding what not to do" --John Carmack
zo7 7 hours ago 1 reply      
It's interesting to see research suggesting that this might be helpful, since I feel like I've stumbled on something similar. Lately I've had several instances where I've been completely stuck on a problem, so I'd stop everything and take a long hike on a trail or through some mountains. After taking a day of just literal wandering, I've found I'd be able to finally make progress on what I was working on once I pick it back up again, where I otherwise felt like I was hitting a wall. It's felt like my mind does some unconscious processing when I allow it to take a break, so it's encouraging to see some evidence to support that.
Imagenuity 9 hours ago 0 replies      
Having discovered some of these techniques through trial and error, it is helpful to see some research backing up and expanding on keeping the creativity flowing. Positive constructive daydreaming (PCD), exercise, taking a shower, napping, and more are helpful for getting access to more inspiration than just your conscious thinking can give you.

Others have studied this, including John Cleese, as detailed in his lecture on Creativity: https://www.youtube.com/watch?v=9EMj_CFPHYc

cammil 27 minutes ago 0 replies      
Don't believe a word of this. Test your own mind.

Don't make conclusions. Only ask questions and observe. This stuff cannot be explained. And it cannot be logically thought about. It must be seen and experienced.

Don't doubt what I have to say. Go check for yourself.

theprop 6 hours ago 2 replies      
I'd like the authors to try Vipassana's 10 day retreats -- it's free and for ten days you meditate, don't speak, and don't use any electronic devices. Not sure if there's any more focus than that! You'll survive...and afterwards probably thrive :-D.
AznHisoka 10 hours ago 1 reply      
I can relate as I always feel very fatigued mentally after a long drive, especially if it involves a route I am not familiar with, and there is lots of stop and go traffic.
marak830 6 hours ago 0 replies      
As someone who is on the last day of a 6 day 14 hours per day straight, oh I can attest to this.

The quality of the meals I'm sending out (plating and decoration wise) is nowhere near as good as it is on Mondays.

I need more chefs :-p

m3kw9 5 hours ago 0 replies      
In other words, rest.
Fwaf Machine Learning Driven Web Application Firewall fsecurify.com
7 points by Faizann20  1 hour ago   2 comments top
mcboman 1 hour ago 1 reply      
Why use a trigram as n?
HODLR: Fast direct solver and determinant computation for dense linear systems github.com
34 points by sndean  5 hours ago   2 comments top 2
stabbles 1 hour ago 0 replies      
I believe state of the art methods aim for linear time complexity, using the Fast Multipole Method to perform matrix-vector products in O(N) operations rather than O(N^2), and applying that in an iterative solver such as GMRES, which typically requires a constant number of iterations, because the matrix is just a slight perturbation of the identity matrix.
petters 2 hours ago 0 replies      
For matrices of the form s^2 I + B, where B(i, j) depends on the distance between points i, j.
Accidentally Stopping a Global Cyber Attack malwaretech.com
1406 points by pradeepchhetri  21 hours ago   262 comments top 34
dis-sys 21 hours ago 9 replies      
Lessons learnt by ransomware developers - rather than using a single pretty arbitrary test, always rely on a more robust statistical model to detect whether your code is running inside a sandbox.

Lessons learnt by NSA - never overestimate the skill level of your network admins.

Lessons learnt by Microsoft - never underestimate the loyalty of your Chinese Windows XP users, both XP and Win10 have 18% of the Chinese market [1].

Lessons learnt by the Chinese central government - NSA is a partner not a threat, they build tools which can make the coming annual China-US cyber security talk smooth.

[1] http://gs.statcounter.com/os-version-market-share/windows/de...

nneonneo 10 hours ago 1 reply      
Sadly, the malware author(s) have updated their code and are now spreading a variant without the "kill-switch" domain check: https://motherboard.vice.com/en_us/article/round-two-wannacr...

However, MalwareTech's sinkhole intervention has bought enough time for patches to be pushed out, so at this point it is absolutely imperative that everyone apply these patches as soon as possible.

corford 12 minutes ago 0 replies      
Happy outcome but could have so easily gone the other way. Surely it would have been more responsible to locally fake the registration of the domain first (apparently as easy as modifying /etc/hosts in this case) given he had no idea how the payload would respond? o_O

Not sure I'd be singing his praises if his rash decision had triggered the deletion of the encrypted files.

dperfect 18 hours ago 6 replies      
> the employee came back with the news that the registration of the domain had triggered the ransomware meaning we'd encrypted everyone's files...

Even though this fortunately turned out to be false, what if it had been true? Would the security researcher be held in any way accountable for activating the ransomware? If I were the author, I might be a bit more careful in the future before changing factors in the global environment[1] that have the potential to adversely affect the malware's behavior, but of course I'm not a security researcher, so I really don't know.

[1] I suppose a domain could probably be made to appear unregistered after being registered - depending on the actual check performed - but there are other binary signals (e.g., the existence of a certain address or value in the bitcoin blockchain) that might not be so easy to reverse.

jedisct1 20 hours ago 2 replies      
Ironically, lying DNS resolvers redirecting nonexistent domains to ads were also helpful in order to mitigate the attack.
johnchristopher 20 hours ago 7 replies      
> After about 5 minutes the employee came back with the news that the registration of the domain had triggered the ransomware meaning we'd encrypted everyone's files (don't worry, this was later proven to not be the case), but it still caused quite a bit of panic. I contacted Kafeine about this and he linked me to the following freshly posted tweet made by ProofPoint researcher Darien Huss, who stated the opposite (that our registration of the domain had actually stopped the ransomware and prevent the spread).

That's quite a high-abstraction-level programming thing to do, using a domain name's registration state as a boolean. Is that a regular thing?

ufmace 17 hours ago 3 replies      
What really amazes me about this attack is that the main attack vector seems to be exploiting an SMB vulnerability. Reasonable enough of a way to spread within an organization, but it's amazing that so many organizations seem to have this port and service open to the world for this worm to exploit.

I'm not the most diligent follower of security news, but I'm pretty sure that SMB network sharing is riddled with security vulnerabilities, latency issues, etc, and is generally wildly unsuitable for being left wide open to the entire internet. How could any institution with a competent IT department not have had this service firewalled off from the net for years?

taspeotis 21 hours ago 5 replies      
I think it's great that this was used to stop the malware, but pre-emptively registering the domain without understanding what it did seems dangerous.

The malware could have just as easily used the registration of that domain as a flag to start deleting data, no?

problems 21 hours ago 4 replies      
Honestly, how stupid were the malware authors to use standard DNS for a domain that could take down their shit when they use Tor for the actual key and address communication and everything... it's like they half understood what they were doing.

Well, I guess maybe they didn't want things to get too out of hand and now if they want they can be back up soon with that fixed.

jwilk 14 hours ago 0 replies      
"Please turn JavaScript on and reload the page."

Uh, no. Here's an archived copy:


jstoja 20 hours ago 4 replies      
Does someone know what this domain actually is?

EDIT: After looking explicitly for it I found www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

noamhacker 16 hours ago 0 replies      
> "One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it's incredibly important that any unpatched systems are patched as quickly as possible."

(A very important point at the bottom of the article)

lordnacho 15 hours ago 4 replies      
Pretty interesting, if I'm reading it correctly the existence of the domain is checked, and if it is there, the program is aborted, in order to stop sandbox analysis.

I was wondering why they didn't just do a simple variant:

1) Instead of relying on DNS, which anyone can create, why not make a user account on some well known forum site. Like HN or Reddit.

2) Open the site, look for the user's page, and check his message titles by hashing them against some hash that can be in your code.

3) Detonate if you don't see the code, or the user account doesn't exist.

This would have the useful characteristic that you could start/stop the attack using just an internet browser, anywhere. And the code word that you are after would be crypto hashed, so the defenders would have to find your keyword somehow from the hash. Heck, you could confound everyone by turning the thing on or off according to location, time of day, and so on.

For extra points make it a blockchain thing. They're already using that for payment, right?

m-j-fox 19 hours ago 1 reply      
I'm curious, does anyone know what tool he uses to disassemble the program into C? It looks neat.
dorfsmay 20 hours ago 3 replies      
The author says they are doing this for a living. Who are they working for?
wand3r 15 hours ago 0 replies      
Great write-up. It's funny; a mistake/exploit allowed the malware; a mistake/bug allowed it to be mitigated...by the researcher's mistaken intent that registering the domain would simply provide him with sample data.
aqsheehy 20 hours ago 3 replies      
So will companies start holding bitcoin as insurance on these kinds of attacks?
amelius 21 hours ago 3 replies      
It seems a bit scary that security researchers are relying on bugs in malware to get their job done.
rixtox 4 hours ago 0 replies      
Can someone write a patch worm that spreads and fixes the bug by exploiting the bug itself?
techbubble 14 hours ago 0 replies      
Wonder how much longer it would have taken to understand the impact if he had just modified the hosts file instead of registering the domain?
remx 18 hours ago 2 replies      
To mitigate, I am running Debian as the host and jailing Windows 10 in a Virtual Machine, and have uninstalled SMB1.0 on the machine by going into > Programs and Features > Add or Remove Windows Components. I have also blocked port 445 (SMB) with ufw (On Debian)

 sudo ufw deny out to any port 445
As well as this I am not deferring updates in any way and dutifully patching. I've always hardened Windows in this way and I've never had issues with malware, and if I did, the impact would be minimal because I've compartmentalized my files in such a way that even the worst malware would only encrypt some of my files and not all of them.

I store all my critical files in an offline environment (sandbox) so the only files that are going to be encrypted are replaceable (non important) and disposable. For example, I wouldn't cry if my CV got encrypted because a copy of it exists in about 50 locations either offline or online.

Unfortunately I need Windows because my colleagues like to send Windows-only .DOCX files which work best in MS Word, and I don't have a Google account, so I can't open them in Docs. This is a conscious decision to permaban Google from my life, but Windows is staying.

a-dub 13 hours ago 0 replies      
Imagine how bad it would have been if someone actually competent had chosen to weaponize one of the NSA exploits? This seems to have script kiddie written all over it.
dejawu 7 hours ago 0 replies      
How reasonable is it to say that NSA are at least in part responsible for deaths resulting from the NHS crisis, since the ransomware is using their exploit?
rochak 20 hours ago 3 replies      
Does this mean that I can safely connect my outdated Windows 7 back to the internet?
patrickaljord 10 hours ago 0 replies      
Not surprising to see 14 year old unpatched software connected to the internet being hacked like that. At least, the ones in charge of budgeting these upgrades should pay a price for failing at doing so, the users are obviously innocent victims.
jecjec 1 hour ago 0 replies      
This is not accidental. Not even close!

This story, if true, details a person who profiled this malware and correctly logged the network requests it was making and then correctly identified a fundamental vulnerability in the software. This is not an accident at all - it is rather a profile in supreme competence. We should recognize it as such.

trendoid 18 hours ago 2 replies      
>In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as if it were registered (which should never happen).

Can someone please explain this? I have no idea what was said there.
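On trendoid's question: a sandbox resolver that answers every lookup with its own address makes an unregistered name look registered, which is the check the sample used to abort; once the real domain was registered and sinkholed, every lookup of it also identified a host on which the sample had run. Added example, not from the post or from MalwareTech: a check over DNS query logs that lists those hosts, assuming BIND-style query-log lines; the log lines and IPs are constructed.

```python
import re
from collections import Counter

# Kill-switch domain quoted in this thread: the sample exits when the name resolves.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Assumed BIND-style query-log format; the "@0x..." client handle that newer BIND
# releases print is optional. Adapt the pattern to the resolver actually in use.
_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<name>[^)]+)\): query: "
)

# Constructed sample log: timestamps, client IPs and the internal name are made up.
SAMPLE_LOG = """\
12-May-2017 10:02:11.512 client 10.20.0.15#49313 (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.0.2)
12-May-2017 10:02:12.004 client @0x7f3c1c0a2b10 10.20.0.31#51007 (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.0.2)
12-May-2017 10:02:12.880 client 10.20.0.15#49320 (update.example.internal): query: update.example.internal IN A + (10.20.0.2)
12-May-2017 10:02:13.101 client 10.20.0.15#49331 (WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.): query: WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.20.0.2)
12-May-2017 10:02:14.000 zone example.internal/IN: loaded serial 2017051201
"""


def parse_query(line):
    """(client_ip, queried_name) for a query-log line, else None.

    Names are normalised (trailing dot removed, lower-cased) so that case or
    FQDN-dot differences in the log do not hide a match."""
    m = _QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower()


def kill_switch_hits(lines, domain=KILL_SWITCH_DOMAIN):
    """Client IP -> number of lookups of the kill-switch domain.

    A host only looks this name up after the sample has run on it, so each entry
    is a machine to isolate and patch, whether or not the lookup resolved.
    Absence proves nothing: the variants without the check never query it."""
    counts = Counter()
    wanted = domain.lower()
    for line in lines:
        parsed = parse_query(line)
        if parsed and parsed[1] == wanted:
            counts[parsed[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in sorted(kill_switch_hits(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {n} lookup(s) of {KILL_SWITCH_DOMAIN}")
```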

shimon_e 20 hours ago 2 replies      
Now is the time to write a virus that uses the same exploit and automatically patches the vulnerable before a new version of the ransomware is released.
DrNuke 20 hours ago 1 reply      
So from a practical point of view how to disentangle infrastructures from this sort of attack?
SimeVidas 18 hours ago 1 reply      
Can a Windows laptop that doesn't have the Windows Update patch get infected just by being connected to the Internet via a home Wi-Fi network?
Safety1stClyde 11 hours ago 0 replies      
All I see here is "Please turn on Javascript and reload the page".
homero 19 hours ago 0 replies      
Was the domain ever named?

Found it www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Cole_Jontrane 14 hours ago 0 replies      
Well, it didn't really stop it. It slowed it for a little bit, and then it was modified and spread again.

I also wonder if now ransomware developers will leave red-herrings in the code where if the wrong domain is registered, it will do something more destructive.

It's like knowing which wire to cut when you're defusing a bomb!

CombinatorWhy 19 hours ago 0 replies      
Interesting timing for this cyber attack given the recent news. Are Robert Mercer and Cambridge Analytica also being investigated?
Handbrake Mac infection Proton.B: What this malware actually does cybereason.com
131 points by open-source-ux  13 hours ago   55 comments top 13
inopinatus 7 hours ago 2 replies      
"Dialog boxes asking for passwords are a very popular social engineering tactic designed to trick users into giving attackers their passwords"

Apple is extremely guilty of normalizing the frequent entry of passwords. I recently reinstalled a Mac and an iPad, and for each device I must've entered my Apple ID password seven or eight times. In the normal course of getting things done I then enter either this, or my local login password, many times a week.

When your password is twenty characters of line noise or an extended passphrase this is thoroughly irksome, especially on virtual keyboards like the iPad. It is no surprise to me that less security conscious folks, faced with this onslaught of excessive credential demand, choose shorter i.e. easily cracked passwords; and no surprise that everyone becomes less suspicious of the sham password dialog.

So when reading of yet another photographic burglary from a cracked iCloud account, we should always lay part of the blame at Apple's feet, for systematically normalizing the frequent entry of credentials.

That is not the end of Apple's social engineering enablement shame. Another glaring blunder is in Apple Mail, where the "To:" field is shown with your real name, even when the sender did not include this. The humans respond positively to the use of their given name, so this heightens the verisimilitude of scam messages.

eecc 1 hour ago 0 replies      
Mobile OS security models are bound to land on the desktop soon-ish. What does any random App have to do with anything in ~/Library that is not its own Application Support or .plist preferences?

To be honest I don't mind if all Apps are sandboxed with the exception of a couple "user super-user"; I don't really care if my machine's root account is secure if all my horses sitting in $HOME are let loose on the net.

simonhamp 9 hours ago 4 replies      
The standard macOS password prompt surely needs to change. It's become too familiar and I'm sure I've filled it in hastily before without wondering why or what for. It needs to be implemented in a way that is impossible for nefarious apps to replicate.
sleepychu 47 minutes ago 0 replies      
> Note: The domains in red were not registered at the time of my research, although they were registered last night by an unknown entity. They seem to be backup domains in case one of the first two stops working.

Or they could be domains for checking if you're in a sandbox like WanaCrypt. Why wouldn't you just use 20 well known domains otherwise?

ams6110 10 hours ago 1 reply      
I've used HandBrake some time ago but not recently, and hadn't heard about this. Summary of the situation from the HandBrake website:

HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums

The Affected Download mirror (download.handbrake.fr) has been shutdown for investigation.

The Primary Download Mirror and website were unaffected.

Downloads via the application's built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don't pass.

Downloads via the application's built-in updater with 0.10.5 and earlier did not have verification so you should check your system with these older releases.

bigiain 6 hours ago 0 replies      
I'm intrigued and curious about why they download your 1Password databases

I wonder if that's speculative - or if offline bruteforcing them works often enough for it to be worthwhile for the malware authors?

desdiv 9 hours ago 1 reply      
>The malware obtains the time and date by creating a new environment variable called $hcresult that contains what's being returned by sending an HTTP request to the Google hosted link by executing this command:

>curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRb...

What the hell, Google? Your domain name is one of the most trusted on the internet and yet you're hosting random user submitted scripts on there? What happened to googleusercontent.com?

diimdeep 4 hours ago 3 replies      
I have been using homebrew to install handbrake. What's nice is that homebrew checks SHA256 before installing.

 $ brew cask install handbrake
 ==> Satisfying dependencies
 complete
 ==> Downloading https://download.handbrake.fr/handbrake/releases/1.0.7/HandBrake-1.0.7.dmg
 Already downloaded: /Users/wolf/Library/Caches/Homebrew/Cask/handbrake--1.0.7.dmg
 ==> Verifying checksum for Cask handbrake
 ==> Installing Cask handbrake
 ==> Moving App 'HandBrake.app' to '/Applications/HandBrake.app'.
 handbrake was successfully installed!

polygot 8 hours ago 2 replies      
This Handbrake outbreak could have been easily avoided. For instance, Handbrake could create a separate server on say, Amazon EC2 and have it download the file from their website every 30min or so, and check the checksum. If it's not right, then it flips a kill switch on the website.

Doesn't fix the root cause, but could have caught it much sooner.
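The checksum verification in the HandBrake notice quoted by ams6110 (and the Homebrew output above) and the mirror monitor polygot proposes both reduce to the same check: hash the downloaded bytes and compare against the published list. Added example, not HandBrake's or Homebrew's code: a parser for sha256sum-style checksum lines plus the verify and monitor steps, over constructed file bytes and constructed hashes.

```python
import hashlib
import hmac

# Constructed stand-ins for the download and for the project's published checksum
# list (sha256sum-style "<hex>  <filename>" lines). These are NOT HandBrake's hashes.
GOOD_DMG = b"constructed stand-in for the bytes of HandBrake-1.0.7.dmg"
TAMPERED_DMG = GOOD_DMG + b"\x00 extra bytes standing in for a trojanised build"
CHECKSUMS_TXT = (
    "# SHA-256\n"
    + hashlib.sha256(GOOD_DMG).hexdigest() + "  HandBrake-1.0.7.dmg\n"
    + hashlib.sha256(b"other release").hexdigest() + " *HandBrake-1.0.6.dmg\n"
)


def parse_checksums(text):
    """{filename: sha256_hex} from '<hex>  <filename>' lines (sha256sum output).

    A leading '*' on the name is sha256sum's binary-mode marker and is dropped.
    Malformed lines raise rather than being skipped, so a truncated or edited
    checksum file is noticed instead of silently trusting fewer files."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"non-hex digest: {raw!r}") from None
        table[name] = digest
    return table


def verify_download(data, filename, checksums):
    """True only if filename is in the published list and its SHA-256 matches."""
    expected = checksums.get(filename)
    if expected is None:
        return False  # a file the project never published a hash for is not trusted
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def mirror_check(fetch, filename, checksums):
    """One cycle of the monitor polygot proposes: fetch the file from the mirror and
    report whether it still matches the published hash; False is the signal to pull
    the download link. fetch(filename) -> bytes is whatever HTTP client you use."""
    return verify_download(fetch(filename), filename, checksums)
```

The published list must itself come from somewhere the mirror cannot rewrite (the project's own site or repository, as in the notice above), otherwise a compromised mirror simply publishes matching hashes for its own file.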

onmobiletemp 3 hours ago 1 reply      
Why were they going after 1Password filevaults? I assume 1Password is like KeePass, where all your passwords are in an encrypted file? How could they decrypt all those files? Or do they assume people use weak passwords?
grandalf 10 hours ago 2 replies      
Is there a good virus scanner for OSX?
Cole_Jontrane 11 hours ago 4 replies      
Does the Mac have any ability to warn when someone attempts to install malicious software, other than the usual warnings about unsigned software? Windows 10, for example, will scan every attachment before opening it, catching a lot of stuff before it can do any harm.
sxcurry 5 hours ago 1 reply      
Show HN: Howmanypeoplearearound Use wifi to calculate number of people around github.com
115 points by qrv3w  14 hours ago   18 comments top 5
contingencies 7 hours ago 1 reply      
Bluetooth equivalent would be cool, then pairing Bluetooth and WiFi MACs based on temporal correlation. If one changes you can infer from the other. Over time you could split it to howmanylocalsaround versus howmanyvisitorsaround.
flor1s 8 hours ago 3 replies      
I'm sure this is already being done at a massive scale. It seems like disabling all connectivity when you are not using it would be good for privacy.
olalonde 9 hours ago 2 replies      
Unrelated but how accurate is that 70% statistic? I would have expected that number to be much higher.
d33 10 hours ago 1 reply      
> $ howmanypeoplearearound

> Specify WiFi adapter (use ifconfig to determine): wlp4s0

> [==================================================] 100% 0s left

> Found no signals, are you sure wlp4s0 supports monitor mode?

Do I need to run airmon first?

mzakharo1 10 hours ago 1 reply      
What about MAC address randomization?
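The randomization mzakharo1 asks about is visible in the address itself: randomised probe-request MACs set the locally-administered (U/L) bit in the first octet, which burned-in vendor addresses leave clear. Added example, not the tool's code: splitting observed source MACs into stable and randomised sets so the count shows how much of it randomization distorts; the captured addresses are constructed.

```python
import re

_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise(mac):
    """Lower-case, colon-separated form; raises on anything that is not a MAC."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def first_octet(mac):
    return int(normalise(mac)[:2], 16)


def is_multicast(mac):
    """I/G bit (bit 0 of the first octet): group or broadcast, never a station."""
    return bool(first_octet(mac) & 0x01)


def is_locally_administered(mac):
    """U/L bit (bit 1 of the first octet). Randomised probe-request addresses set
    it; burned-in vendor (OUI) addresses leave it clear."""
    return bool(first_octet(mac) & 0x02)


def count_stations(observed):
    """Split observed probe-request source MACs into stable and randomised sets.

    Only the stable count is a per-device count. A phone rotating randomised
    addresses appears several times in 'randomised' (over-count) and never in
    'stable' (under-count), which is the gap the question points at."""
    stable, randomised = set(), set()
    for raw in observed:
        mac = normalise(raw)
        if is_multicast(mac):
            continue
        (randomised if is_locally_administered(mac) else stable).add(mac)
    return {"stable": len(stable), "randomised": len(randomised)}


# Constructed capture: two vendor addresses (one seen twice, in different case and
# separator styles), two randomised ones that could be the same phone, plus a
# broadcast and a multicast address that should be ignored.
SAMPLE_MACS = [
    "3C:22:FB:12:34:56", "3c:22:fb:12:34:56", "8c-85-90-aa-bb-cc",
    "da:a1:19:33:44:55", "02:00:5e:11:22:33",
    "ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:fb",
]

if __name__ == "__main__":
    print(count_stations(SAMPLE_MACS))
```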
Lisp, Smalltalk, and the Power of Symmetry (2014) insearchofsecrets.com
85 points by saturnian  12 hours ago   30 comments top 6
mark_l_watson 5 hours ago 0 replies      
Wonderful article! "Smalltalk, like Lisp, runs in the same context it's written in."

I have been programming professionally in Common Lisp (off and on) since the 1980s but there is something equally magical about Smalltalk. I have often thought that Smalltalk could be the language I use after I retire (I am in my 60s and I will probably stop working in about ten years).

lispm 4 hours ago 1 reply      
> Smalltalk is powerful because all Smalltalk data are programs; all information is embodied by running, living objects.

That's what Lisp systems do too. Program elements like classes, functions, methods, symbols, ... are first class objects. With something like CLOS you have a similar level of object-oriented meta-programming capabilities.

Many Lisp systems offer additionally to execute Lisp data using a Lisp interpreter and Lisp has a simple data representation for Lisp programs: Lisp data.

Smalltalk OTOH uses text as source code and usually a compiler to byte-code.

> because Lisp source code is expressed in the same form as running Lisp code

Only if you use a Lisp interpreter. Otherwise the running Lisp code might be machine code or some byte code.

> Smalltalk goes one further than Lisp: it's not that Smalltalk's source code has no syntax so much as Smalltalk has no source code.

That's a misconception. Smalltalk has source code. As text. It's just typically managed by the integrated development environment.

It's actually Lisp which goes further than Smalltalk, because Lisp has source as data and can use that in Lisp interpreters directly for execution.

big_spammer 8 hours ago 2 replies      
> Smalltalk doesn't need macros because it has classes instead.

I'm not sure this is true. Surely any programming language that lacks macros would be more powerful with them.

DonbunEf7 8 hours ago 2 replies      
Indeed, homoiconicity is a very powerful thing. It doesn't have to be core to the nature of the language, though; as far as I know, any Turing-equivalent language readily admits a metacircular interpreter, and so really a homoiconic language is a language with a compiler in the standard library.

As a thought experiment, imagine Lisp without macros. It's not hard; after all, "The Little Schemer" covers metacircular interpretation without ever mentioning macros. So what's going on? Apparently we don't need macros! But, we could add macros to a Lisp by reifying them in the metacircular interpreter. There's actually a feature in plain sight which makes this possible, and it's the humble (quote) special form. This is what makes code and data intermix so cleanly in Lisp.

This is why languages like Julia and Monte are not shy about using "homoiconic" to describe their language design; a standard library compiler is just as good as a compiler in the core semantics, as long as it's easy to use and meshes well with the rest of the language.

pron 3 hours ago 0 replies      
> What most of these languages seem to miss is that Smalltalk's class system, like Lisp's macro system, is a symptom of the power already available in the language, not its cause. If it didn't already have it, it wouldn't really be that hard to add it in yourself.

What most of these articles seem to miss is that Java's designers were themselves expert Lispers and Smalltalkers, and they most certainly realized all that, and that Java's success is a consequence of them understanding exactly why not to repeat the same design. Design doesn't live in a vacuum. Design is shaping a product not just to fit some platonic ideal, but reality, with all its annoying constraints.

To understand why Lispers and Smalltalkers designed Java the way they did, I recommend watching James Gosling's talk, How The JVM Spec Came To Be[1], and the first 20 minutes or so of Brian Goetz's talk, Java: Past, Present, and Future[2].

[1]: https://www.infoq.com/presentations/gosling-jvm-lang-summit-...

[2]: https://www.youtube.com/watch?v=Dq2WQuWVrgQ

bitwize 8 hours ago 3 replies      
Lisp and Smalltalk actually suffer from the same problem: late-binding sucks. When I was in college a professor once pointed out to me that he didn't know of an LL(1) parser for Smalltalk. There's a reason for that: Smalltalk's syntax is late-bound! It's almost like Forth's syntax: the reader consumes words and decides what to do with them on the spot, whether they represent variables, operators, constants, or parts of a message send and once it has a subject, verb, and objects, dispatches the message also on the spot.

This plays havoc with your ability to do static analysis, and languages that hinder static analysis should not be used in real-world systems. If the earliest you find out about errors is in a running system, it's far too late and you are hosed.

This is why the Lisp and Smalltalk Evangelism Strikeforces have been met with decades of failure, while the Rust Evangelism Strikeforce is getting on with a massive project of digital tikkun olam.

Noncompete Clauses: Signing Away the Right to Get a New Job nytimes.com
422 points by mikeh1010  16 hours ago   263 comments top 33
etjossem 15 hours ago 14 replies      
Worth remembering, especially for those just entering the software field: by the time a potential employer gives you an employment agreement to sign, they've already decided they want you. At that point, it's on them to give you a palatable offer. They may include a noncompete clause for one of two reasons: 1) to prevent you from working somewhere else at the same time, which can create all sorts of conflicts of interest, or 2) because it'll keep you from looking for a new job, and they think you're too naive to argue.

Here's my suggestion. When you receive the document, read it and see if there's a noncompete clause. If so, you're going to want to send a redlined version back to them, changing the noncompete duration from "during and for 2 years following employment at the company" (or whatever they gave you) to "for the duration of employment at the company." By doing so, you show your willingness not to do any kind of work for a competitor while employed, while very clearly pointing out that you do have the right to get a new job. It may be important not to offend the person who wrote up the agreement and included something so ridiculous, so the minor nature of your modification will allow them to save face.

In the end, most employers won't bother to argue the second point, and the ones that do are probably shadily taking advantage of you in other ways.

Additional note: in California and several other states, these clauses are not legally enforceable anyway, and you should mention that when you give them the "fixed" agreement.

watertom 15 hours ago 9 replies      
Health insurance is also part of the rigged labor market.

The only reason big companies offer health insurance is because it limits employees' freedom. It would be easy for the Fortune 100 or 200 to agree in unison to eliminate health care and provide higher salaries. It would make the companies more competitive globally and it would free them from a whole lot of other nonsense, but they don't drop healthcare. The reason they don't drop healthcare is because healthcare and pre-existing conditions limit employee options and it suppresses wages. Also if there was universal healthcare it would be easier to start small companies and attract employees; those small businesses would be competing for employees against big companies on equal footing.

Healthcare is a racket limiting not just healthcare but freedom.

edanm 13 minutes ago 0 replies      
I'd just like to point out that there is a case to be made for noncompetes, they're not just a terrible thing that companies do because they can. I recommend reading "The Case for Non-Competes" by David Henderson (http://econlog.econlib.org/archives/2016/11/the_case_for_no....).

Here's a relevant quote (in which the author is actually quoting Aaron McNay):

"Both employers and employees would like to be able to train the employees if the cost of doing so is less than the gains in productivity. However, there is a potential collective action problem here. What happens if the employer provides the training, but the employee then moves onto another job? The employer bears the burden of the training costs, but does not receive any of the benefits. As a result, the employer does not provide the training, and a mutually beneficial trade is not made.

By preventing the employee from being able to move, a non-compete agreement eliminates the collective action problem."

I'm not saying that non-competes are necessarily good, or necessarily bad. It depends on the circumstances. But I do think that a lot of other commenters in this thread do think that non-competes are necessarily bad, and I think that's incorrect.

algesten 14 hours ago 3 replies      
I had a previous employer trying to stop me from working directly for a client. Only, I had brought in the client, I was the only one working for that client and that client didn't want anything to do with the rest of my employer.

I felt morally OK with the situation...

Only, my contract did have a noncompete. But then, this is Sweden, and noncompete clauses are almost never enforceable under Swedish law. An employer can't stop an employee from taking another position. To be a valid clause, an employer must offer the same payment the new position would have had whilst riding out the non-work period, and no one does that.

A strongly worded letter from my lawyer sorted it. Never heard from them again.

bunderbunder 15 hours ago 1 reply      
My last company's noncompete had a really nice twist: instead of banning me from seeking employment at a competitor altogether, it granted my employer the right, at their discretion, to compel me to delay starting at a competitor for a certain amount of time. However, in order to do so they would also have to pay my salary over that period.
dimva 9 hours ago 0 replies      
In finance, companies will pay you your salary to not work if they decide to enforce a non-compete. It's written into the contract. I have friends who get to take year-long paid vacations when they switch jobs just because they work in HFT.

I'm surprised that this isn't law. I guess financial companies care about their employees more and/or their employees are more astute about contracts.

Companies shouldn't be allowed to prevent their ex-employees from earning a living. If it's that important for them to prevent the transfer of their proprietary information, they should be happy to pay for it.

postfacto 13 hours ago 4 replies      
If you're going to violate a noncompete, don't tell anyone you're going to work for a competitor. Keep yourself as small of a target as possible for your former competitor's legal team.

- When you quit, tell your now former employer that you're quitting to pursue something other than what was your established industry. Your (made up) lifelong dream of starting your own microbrew brand, Macramé supply business, winery, whatever. Or looking after a sick relative, or going back to school full time, etc.

- Cut off ties with all your former coworkers, at least for the noncompete duration. If you bump into them at the grocery store and you can't get away from them, tell them about how wonderful the beer business is or how your relative is doing.

- Don't put on Facebook or Linkedin that you work for the new employer.

- For the duration of the non-compete, only those closest to you who critically need to know about your new employer, spouse, etc will know.

- Avoid publicly-facing industry related activities that tie you to your new employer for the duration of the noncompete. Giving speeches, presentations, writing articles, etc.

None of these are foolproof but they are all common sense. Remember the Monty Python sketch about How To Not Be Seen.

valuearb 15 hours ago 2 replies      
"California law prohibits noncompete clauses, contributing to the inveterate poaching with which the states technology industry was founded. It can be brutal for employers, but it helps raise wages and has created a situation where any company looking to hire a bunch of engineers in a hurry, be it an established giant or a start-up, feels it should locate there."
CalChris 14 hours ago 0 replies      
In the US, California, North Dakota and Oklahoma are the exceptions. NCCs are legal elsewhere.

Even in CA, trade secrets have an exception.

goatherders 14 hours ago 4 replies      
I've been sued twice over non compete language. The good news is they are reasonably hard to enforce because most judges will ultimately agree that people have a right to change employers. The bad news is it can cost a lot of money to get to the point where the judge says that.
pducks32 10 hours ago 0 replies      
It's important for software developers and in-demand job applicants to push the trends. I refused the noncompete clause at my startup (still got the job) and made a point of how I'm principled against them for hurting people like the man in this article. We may be disconnected from the rest of America but maybe my little requirement can put the thought in people's heads that it's wrong.
satai 2 hours ago 0 replies      
Just for comparison: in the Czech Republic these clauses are legal, but their duration is limited by law and the ex-employer is required to provide you compensation for the time that you are limited in the job market.
punnerud 10 hours ago 0 replies      
In Norway we added a law, in force from 2017, that the employer has to pay you the same salary for the period the non-compete is in operation. Maximum 1 year. It has to be in your contract up front, and they have to explicitly list customers and competitors.
mirimir 8 hours ago 1 reply      
If you're working in a small industry where specialized skills are required, and firms commonly collaborate, you may encounter unacknowledged/secret non-compete policies. Basically, nobody else will hire you, and they won't tell you why. If you've made some friends, they may tell you what's going on. But there's little recourse.
quizotic 13 hours ago 3 replies      
In the early 1990s, I'd co-founded an object database company, with a standard "east-coast-style" non-compete, which among other things, granted us injunctive relief. Our top developer left to work for our main competitor. We sued, and the courts ruled basically that there is no slavery in the US and our developer had every right to earn a living doing what he knew how to do. Maybe laws have changed, and maybe it varies by industry, but my experience is that noncompetes are meaningless. BTW, I don't particularly wish they had teeth, and my company was probably not significantly harmed by the outcome. Just saying I wouldn't sweat too much about signing a noncompete.
dboreham 15 hours ago 2 replies      
Since this should be illegal, or at least illegal absent some reasonable compensation for giving up the right to freely seek alternative employment (e.g. a big retention bonus), presumably our politicians offering "regulatory relief" are to blame?
solidsnack9000 13 hours ago 1 reply      
This is a kind of feudalism, where the peasants need to rely on the strength of lords and their knights (lawyers) to enjoy basic freedoms.
vostok 15 hours ago 1 reply      
The really annoying thing about noncompetes is that they're usually at the discretion of the employer. You might be in a situation where you have a 12 month noncompete and nobody wants to hire you 12 months in advance, but then your former employer terminates your noncompete within a month and stops paying you.
RcouF1uZ4gsC 15 hours ago 2 replies      
Using "poaching" to describe a company hiring someone from another company needs to die. Companies do not own people. It is strictly a business relationship.

I think that the US as a whole should follow California in outlawing non-competes. It definitely has been shown to be workable.

burntrelish1273 5 hours ago 0 replies      
General rules-of-thumb (IANAL):

- Sign the minimum of documents

- Don't provide full, personally-identifying information unless it's absolutely required

- Negotiate terms of boilerplate agreements if they're too unreasonable / don't apply

- Don't sign a binding arbitration agreement, BA is a worthless/corrupt system that nearly always favors the employer. [0]

- For CA-headquartered companies, refuse to sign NCAs because it creates legal liabilities (ie, could they involuntarily transfer an employee to another state and then fire them to make an NCA apply?)

0. https://www.nytimes.com/2015/11/01/business/dealbook/arbitra...

anothercomment 2 hours ago 0 replies      
I think in Germany at least, employers have to pay people for the damages induced by non-compete (the loss of salary/earning potential). IANAL, though.
teddyh 7 hours ago 0 replies      
See also the classic NDAs and Contracts That You Should Never Sign, March 28, 2000 by Joel Spolsky:

thinkloop 8 hours ago 0 replies      
I've almost always been presented one, and I've always had it removed. It is a certainty I will compete, especially the more I become an "expert" in an industry, it's not a fair expectation. I work for startups, probably tougher at big corps.
EarthMephit 6 hours ago 0 replies      
In Sweden, during the non-compete period you have to pay the employee their full wage, which seems like a fair balance.

If it is that important to the company the employee should be remunerated

carvalho 7 hours ago 0 replies      
My first (and last) non-compete was when I was starting out as a web developer in a small company. By the time I fully realized what I had signed I had contractually given up my right to work for any other webdev company for 1.5 years, and even worse, the company owner stated that he believed the non-compete also extended to all our clients (and the clients of a major client) too. This meant nearly all banks, Heineken, Google, and consultancy agencies (we ran a job board).

Needless to say I am not a web developer anymore.

rch 8 hours ago 0 replies      
Keep in mind that sometimes a company will hire you into an unrelated job role (evangelist, account manager, etc) until your lockup runs out.
tomohawk 13 hours ago 0 replies      
Last time I was given one of these to sign, it was in a group setting. So, I just didn't turn it in. They never did make a stink about it.

Just because someone gives you a piece of paper to sign, doesn't mean you have to. Wait until it's unavoidable.

Mathnerd314 11 hours ago 0 replies      
brightball 14 hours ago 2 replies      
Fwiw, my understanding is that in right to work states a noncompete CANNOT prevent you from earning a living in your field. The clauses have to be defined as very specific, time limited and reasonable otherwise they don't hold up under legal scrutiny.

Stuff like, not being able to take current customers to a competing business within a mile for a period of 1 year is considered reasonable.

ThomPete 12 hours ago 0 replies      
I am not a lawyer but my advice is generally to ignore it. Most won't care and those who do mostly can't enforce it unless they paid you extra for it.
rdiddly 13 hours ago 0 replies      
This prompted me to look at my employee agreement. Sure enough, there it is. I signed it because I needed the job and wasn't asking too many questions.

But this is interesting, I work in an area of the company that isn't really part of their core competency. Meaning that the kinds of firms that would hire me are literally in another sector and wouldn't be considered competitors.

So this fact, that normally manifests as complaints that "management has no idea what we do here" and/or that they "have no business claiming they're in this business," ends up helping me out.

throwaway23421 8 hours ago 0 replies      
this shit should be illegal. even small businesses are doing this now. programmers are a dime a dozen and everyone is using open source. fuck all these tech companies they don't have jack shit TO steal and force you to sign away everything anyway
bbcbasic 10 hours ago 0 replies      
Interested to see how this plays in my jurisdiction. Seems they have quite a sane approach in NSW:

Happy nations don't focus on growth bloomberg.com
102 points by smollett  13 hours ago   36 comments top 13
Oddstrider 10 hours ago 2 replies      
The nations mentioned are some of the most advanced in the world, and their lower-than-world-average GDP growth is being used to show that "it's not all about wealth". I don't think this article makes a very good point.
chickenmonkey 6 hours ago 0 replies      
I really don't think that this article makes a very good case for nations to focus on happiness over economic growth. It is apparent that the nations that the article states are the happiest are highly developed nations which have had decades of growth which has given them the means to keep their population happy. With regard to the point about China's growth, I believe that given how rapidly China is growing, there will be a significant lag between the rate at which GDP grows and the time when the Chinese people begin receiving the benefits of this growth.

Of course, general well-being is a better metric of whether the incumbent gets voted in than economic growth in developed countries because well-being is far more tangible to the common man than the abstract concept of economic growth. OTOH, in a developing country, I'd argue growth is a better indicator of the probability that the incumbent will win since developing countries have growth rates which are in general far higher than developed, and since these high growth rates result in visible, tangible changes: bridges get built, schools are opened, and people get jobs.

Perhaps, the new thesis of the article should be that developing nations should focus on economic growth, while developed ones should focus on the happiness of their people.

tn135 1 hour ago 0 replies      
Richest nations are the happiest nations as long as they don't run out of their money. That is the proper conclusion.

I am pretty sure 10 years ago Greece would have featured as one of the happiest nations, and Venezuela not as much as the miserable nation that it is today.

Contrary to all this, India WAS super miserable 10 years ago and is much happier today, though comparatively it might not be as happy as the Italians.

pfranz 10 hours ago 5 replies      
I read a similar thing a few weeks ago. They were saying that the U.S. (government through laws and legal system) centered on "fairness" up until recently. Sometime after WWII the focus changed to economics and growth. I'm guessing it was saying this is the cause of crazy inequality and "the jobless recovery."

I'm not sure I buy all of it (the U.S. wasn't really a world power prior to the world wars, so they'd be dismissing that and other gains if it was their whole premise), but like this article, something to think about.

wordsarewind 9 hours ago 0 replies      
Although I'd have to poke around for the specific sources, I've read papers that showed that, in fact, subjective well-being increases continuously with wealth (per capita GDP). However, the increase is not linear, but rather logistic--which makes intuitive sense, since a $5,000 pay raise for an employee making $25,000 a year isn't the same as for one making $100,000. On the other hand, I've also read that the increase in wealth past the much-referenced $75,000 level doesn't significantly increase emotional well-being (unconscious positive/negative feelings).
easytiger 3 hours ago 0 replies      
They also have the highest suicide rates. Go figure.
ThomPete 12 hours ago 1 reply      
Denmark the most happy nation in the world cares about growth a lot. Maybe Danes don't but the nation as a whole does.
candeira 4 hours ago 0 replies      
A lot of happy millionaires have close to no income; in fact they remain happy millionaires while incurring negative net worth growth.

Maybe poor people wanting to make more money need to rethink their strategies?

spodek 6 hours ago 0 replies      
Growth also contributes to global warming. And the many people who think it could now or eventually decrease it compound the problem.
platz 6 hours ago 0 replies      
but what if growth is required for certain scientific and medical investment, funding, and advancement even if it depresses the average happiness of a population?

If that is true, how much of suffering of individuals are we able to tolerate to keep the average of a whole up a few notches? (re: all the issues with utilitarianism)

xorfish 11 hours ago 0 replies      
Correlation does not imply causality...
Gys 12 hours ago 1 reply      
> Policymakers should care more about happiness inequality rather than mere income inequality.

Policymakers are probably very concerned with happiness. Their own ;-)

throwaway053 11 hours ago 3 replies      
This means China isn't happy at all. They need to fake that 7.0% growth every year for eternity, even though everyone knows it's all fake data, and most likely they're not even growing.
Your tl;dr by an ai: a deep reinforced model for abstractive summarization metamind.io
70 points by etiam  12 hours ago   7 comments top 3
rubyn00bie 6 hours ago 2 replies      
While this is pretty neat; FWIW-- I've always been blown away by the summarization tool built into MacOS. You just select text, hit summarize, and adjust the length. It works wonderfully-- I used it in college all the time for annotated bibliographies. To be honest, I've always found it good enough and it's a wildly simple tool (or so it looks) by comparison to using AI.
du_bing 4 hours ago 2 replies      
Any open source code for trying? It's wonderful!
jasonkostempski 6 hours ago 0 replies      
That looks pretty long.
Emulating the Rust borrow checker with C++ move-only types nibblestew.blogspot.com
79 points by buovjaga  14 hours ago   15 comments top 4
pcwalton 14 hours ago 3 replies      
The Rust borrow checker checks borrows: that is, references. This doesn't emulate borrows, but rather emulates Rust-style moves.

An attempt at a more accurate statement would be that this emulates the use-after-move checking that the Rust compiler does. The problem is that it doesn't do that either: it statically prevents copies but doesn't prevent use-after-move.

I think the accurate way to describe this pattern would be that it disallows copies and forces you to annotate moves with the move keyword. This is somewhat similar to what Rust does, in that non-Copy types are moved by default. The difference is that you don't have to write "std::move" in Rust: the compiler just infers the right thing to do.

It's a little hard to map this onto Rust semantics to begin with, since fundamentally all this is is not having a copy constructor, which is a concept that doesn't exist in Rust in the first place.
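What the comment above describes, as an added example that is not code from the blog post or from the commenter: a move-only type named SecretHandle (a hypothetical type chosen for this illustration) whose copy constructor is deleted, so that handing it to a function forces an explicit std::move. The static_asserts show the part the pattern really does check at compile time; moveThenInspect and useAfterMoveIsCaughtAtRuntime show that the compiler stays silent about the subsequent use of the moved-from object, so the only protection is the run-time check inside reveal().

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>
#include <type_traits>
#include <utility>

// A move-only owner of a secret (hypothetical type, for illustration only).
class SecretHandle {
public:
    explicit SecretHandle(std::string secret)
        : data_(std::make_unique<std::string>(std::move(secret))) {}
    SecretHandle(const SecretHandle&) = delete;             // no implicit copies...
    SecretHandle& operator=(const SecretHandle&) = delete;
    SecretHandle(SecretHandle&&) noexcept = default;        // ...only explicit moves
    SecretHandle& operator=(SecretHandle&&) noexcept = default;

    bool valid() const { return static_cast<bool>(data_); }
    // The only guard against reading a moved-from handle is this run-time check.
    const std::string& reveal() const {
        if (!data_) throw std::logic_error("use after move");
        return *data_;
    }
private:
    std::unique_ptr<std::string> data_;  // null once moved from
};

// This much the pattern does give you, and it is checked at compile time.
static_assert(!std::is_copy_constructible<SecretHandle>::value, "copies rejected");
static_assert(std::is_move_constructible<SecretHandle>::value, "moves allowed");

// Takes ownership, like a Rust function with a by-value parameter.
std::size_t consume(SecretHandle h) { return h.reveal().size(); }

// Returns {bytes consumed, whether the source is still valid afterwards}.
std::pair<std::size_t, bool> moveThenInspect() {
    SecretHandle h("hunter2");
    // consume(h);                          // rejected: copy constructor is deleted
    std::size_t n = consume(std::move(h));  // the move must be spelled out
    return {n, h.valid()};                  // compiles: h is a hollow, moved-from object
}

// Rust rejects this at compile time; here the compiler is silent and only the
// run-time check in reveal() fires.
bool useAfterMoveIsCaughtAtRuntime() {
    SecretHandle h("hunter2");
    consume(std::move(h));
    try { h.reveal(); return false; }
    catch (const std::logic_error&) { return true; }
}
```

Nothing here constrains references or raw pointers either: a `const std::string&` obtained from reveal() before the move still points at the string owned by whoever received the handle, and the type system has no opinion about that.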

petters 2 hours ago 0 replies      
As others have pointed out, this does not really emulate the Rust borrow checker. You can still have multiple references and pointers to the same object.
throwaway91111 13 hours ago 2 replies      
Isn't this just a UniquePtr? Ie it allows moves, but references to it are not guaranteed to be valid. The latter is the borrow checker.
youdontknowtho 5 hours ago 1 reply      
And then someone heard the Rust mafia say "Form the MegaZord!!!"...and many corrections were posted.
Reverse-Engineering the Intel Management Engine puri.sm
215 points by laamalif  15 hours ago   22 comments top 4
Animats 2 hours ago 0 replies      
This is nice, but it just allows you to replace some of the Management Engine code. What we need to know in detail is what it's doing. There's probably a backdoor in there that hasn't been discovered yet.
prodmerc 12 hours ago 3 replies      
Meanwhile I'm trying to find a way to remove the hard lock on CPU and RAM frequencies (extreme CPUs can't be overclocked, RAM is locked at 1333 MHz) :)

Looks like it can be done through Management Engine, which has access to everything apparently.

Only success so far is unlocking BCLK, but the overclock is small and unstable that way.

Another roadblock was the read only lock, which can fortunately be bypassed on POST on xx67/77 chipsets.

ReverseCold 14 hours ago 2 replies      
Hopefully we can get a fully libre boot on purism laptops soon.

I feel like there would be legal problems though...

turbohedgehog 14 hours ago 1 reply      
Did the author notify Intel about the bug they found?
The World Is Getting Hacked. Why Don't We Do More to Stop It? nytimes.com
19 points by thesagan  7 hours ago   30 comments top 10
_ph_ 1 minute ago 0 replies      
A true disaster always has more than one cause. It took many separate problems and mistakes to sink the Titanic and cause such a large loss of human life. Same here. There can be endless and interesting discussions about the role of the NSA, Microsoft, the end users in this very specific incident.

But the root of the problem is, that computer security still does not get the proper awareness and attention. This starts from how we write software, but from a society point of view, mostly how we deal with computer systems. Computer systems are not toasters which you can replace easily. Often they are part of larger installations, difficult to replace as a component. We need to deal with them as with aspects of traffic or workplace safety, or hygiene. There should be a clear concept (I sincerely hope we don't require too strict state regulations) that like any professional tool, a computer system has to be reviewed in regular intervals for being fit for its intended purpose, and maintenance for security should be done as naturally, as mechanical or electrical checks.

So, for any computer-powered (and networked) device, this would mean, that either there is a maintenance contract in place, which in the end would mean, the provider has a contract with Microsoft, if Windows is used, or, like with any other device, the machine is no longer considered fit for professional use.

chpmrc 4 minutes ago 0 replies      
Because most people don't give a crap? Out of the 10 people who saw the news (on TV!) while I was there 9 reacted with "Ha! These hackers..." and 1 with "I'm pretty sure they are not interested in a guy like me, I'm safe haha".

Until people start losing personal money they won't bother educating themselves. They see these "hacking games" as, well, games.

wwwigham 50 minutes ago 2 replies      
The article states this:

> The money they made from these customers hasn't expired; neither has their responsibility to fix defects.

This is wrong. We don't ask for mandatory lifetime guarantees in any other industry I'm aware of, and perhaps more importantly, much of what is done in the field wouldn't be possible if it did (could you imagine having to continue to maintain an IE5 webpage for another twenty years?).

It goes on:

> In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more.

If I buy a toaster it comes with a one year warranty, maybe. A nice car might come with a five year or two hundred thousand mile limited warranty. Microsoft sold a product at a fraction of that cost and supported it, unconditionally, for 8 years. 8. And they supported it for five more after that with appropriate arrangements with enterprises (and after a select few enterprises who somehow concluded that paying some engineering salaries at Microsoft for dedicated support was cheaper than upgrading). That's a 13+ year lifetime of support on what was an $80 a license product. Industry norms can only be "horrible" insofar as there's only been a serious industry for 30 years... And XP was supported for half of it (man, I suddenly feel old). My point is that there is no world in which the "cash-strapped National Health Service" is not the primary entity which was grossly negligent in its maintenance of critical infrastructure.

Stepping back and looking at the article as a whole and less at specific inflammatory parts, it is, well, filled with inflammatory parts. It starts as a thin attack piece on Microsoft for being slow to provide free support for a 16 year old product, offhandedly references IoT for some added scare factor, then starts calling for action (from both corporate and government actors) without any serious discussion on either the merits of the proposed actions or the impacts taking them would have on those organizations or the implications that they would create for future actors.

But hey, if you're a fan of Bruce Schneier's more recent musings, at least you'll enjoy the conclusion: That we must legislate software, and fast.

geocar 1 hour ago 1 reply      
The world gets hacked because programmers make mistakes, and their management cannot evaluate those mistakes -- if for no other reason than that sometimes it isn't even obvious they made a mistake until a couple of years later.

Users have been fooled: Turn it off and on, is a reasonable and well-known troubleshooting guide, but nobody blames the software vendor. If I'm on the phone with a company and they tell me to turn it off and on, I can't even point out "so you sent me something defective?" this is normal folks.

Maybe we need to teach programming younger and younger -- and it'll take two or three generations to become common enough that management will actually understand what I'm doing. Or maybe we need awareness campaigns to keep users from putting up with shit experiences!

Or maybe someone has some other idea, but the major barrier exists: We don't know how to program computers, and saying that out loud makes a lot of people with the job-title (or description) of programmer clam right up.

louithethrid 1 hour ago 0 replies      
Because the users don't know what they are actually buying. They go for superficial signs of quality, like weight, design, surface polishing and nice UI.

Security of an object is a thing you can only evaluate the day it turns around and snaps at you.

Now the default American solution for this would be to have a "Late-Adopter" plugin, allowing to install "Additional" Gated-Community Security for the rich, and let the mob become one huge botnet, held back by aggressive campaigns of remotely bricking whole device classes should they be a threat to the "devices" in the better neighbourhoods.

Unfortunately the rest of the world is either too poor or unwilling to follow this model, which means we are going to see a regulated, security TV checked model in Europe and Japan, state regulated devices in China & Russia, and a wild west everywhere else.

drinchev 1 hour ago 2 replies      
Hopefully governments will one day take up GNU/Linux based OS & software. I know, I know ... Linux for Desktop is hard, but it seems like making exploits is harder than doing the same for Windows (maybe hacker focus is on Windows, who knows).

Anyway money equation I think is quite simple :

Why buy Windows, when you can use Linux and buy backup infrastructure.

roadbeats 1 hour ago 1 reply      
> ...started, as it often does, with a defect in software, a bug.

It all started with poor ethics. Every single version of Microsoft Windows has intentionally left backdoors for the NSA and some hackers knew how to use them. This is like you pay some money and buy a house, but the previous owner keeps backup keys to watch you. And some others get the backup keys, kick you out of your own home unless you pay them.

This is such a shame for Microsoft, NSA and American government. People trusted Microsoft products and purchased them, in return, Microsoft wanted more than money; they wanted to spy them for their ideological goals.

gaius 1 hour ago 1 reply      
To howls of outrage, I have suggested to several companies that we simply disconnect from the public Internet. People programmed before cut-and-paste-from-SO was a thing after all. Obviously the web servers in the DC need to be accessible but the desktops in the office, or the critical bits of infra like DB, file servers and so on, nope.

Anyone who wants to surf can easily do so on their personal smartphone with no risk to corporate systems. No one has ever been able to put together a coherent rebuttal to my proposal, yet still the PCs remain connected and still people click things they shouldn't...

a_imho 54 minutes ago 0 replies      
There is not enough incentive to do so, carrot or stick.
fit2rule 1 hour ago 2 replies      
I would say the reason the world is getting hacked is quite simple: OS vendors are asleep at the wheel. Instead of actually improving their OS platforms, they're instead turning them into web browsers and game engines - while all the vital services that a modern OS should provide are being ignored in the rush for control.

Take for example, the Fappening. This was possible because of iCloud. iCloud is only necessary - like Dropbox and other services like it - because OS vendors decided they didn't want people to have control over their content, using their local computers - that it was 'easier' to provide servers dedicated to the purpose, than to actually add dedicated file sharing to the individuals' computers.

(There are no really good reasons why your modern PC can't serve its own content - especially in this era of bandwidth and monster CPU power. We hosted the 90's Internet on far less powerful computers than your average mobile phone, with less bandwidth too.. the point is, the protocols.)

So I honestly think that OS vendors need to be forced back behind the wheel to make our computers better, and the "network is the computer" business model needs to die. This was always a terrible idea, formed on the basis of an accountant's wet dream, and should be forgotten as soon as possible. Instead, let's build better computers, simple as that. Computers that are actually safe to use because they've been designed that way, from the get-go. The cloud must die.

Computer Games That Teach Assembly Language ieee.org
226 points by frostmatthew  16 hours ago   51 comments top 18
teolandon 15 hours ago 4 replies      
Have had a lot of fun with TIS-100. It's a very weird architecture, but it does teach the fundamentals of low-level coding, like using a single working register, manipulating data in a simple way and using goto statements and branches for loops.

A lot of the problems are problems due to the architecture though, not necessarily hard to implement in more conventional architectures.

The article quickly goes over it, but for those who still wanna know more about the architecture, the TIS-100 is composed of nodes that can store a small number of lines of instruction code, have a working register, and have 4 I/O ports, UP, DOWN, LEFT and RIGHT. If asking for input, they will block until input is received from the specified adjacent node, and if passing output, they will block until the specified adjacent node asks for input. There are also memory nodes, introduced later in the game, to store more data.

These nodes are on a grid. Some of them are disabled, and the memory nodes' placement differs from program/puzzle to program/puzzle. Thus, careful selection of nodes and I/O ports is required for completion. I don't know if anything similar exists in actual hardware.

There's also a built-in "debugger" which simply allows you to run the program step by step and view all values, blocked nodes, and current instructions, which really helps, and possibly teaches players how to generally debug actual machine code. The programs run on a set of unit tests, and you can see which ones fail and why.

In classic Zachtronics fashion, there are graphs explaining your performance in the end, in terms of time and space. Users not familiar with actual hardware architecture principles probably won't be able to figure out for themselves how to get the best time, because most problems require use of pipeline-like instructions, due to the blocking nature of the nodes. So while it teaches tricks and fundamentals, I don't think it teaches more advanced and important stuff. And that's not a bad thing, it's a great game.

Would recommend to anyone.

bitexploder 6 hours ago 1 reply      
No thread about games that teach assembly can be complete without a mention of Core War -- https://en.wikipedia.org/wiki/Core_War

It is perhaps the game of the genre.

remarkEon 14 hours ago 3 replies      
Somewhat off-topic:

For you parents out there...what has been your experience with/advice for teaching your kids a programming language? It's definitely something I want my kids to get comfortable/familiar with early but I get concerned about over-exposing them to too much "screen time" at a young age and the deleterious effects that might have (even ones we don't know about yet).

Don't have kids right now, or any on the way, but that's something on the horizon for me so I've been thinking about it.

zeptomu 9 hours ago 1 reply      
I always wonder why there is no 0x10c'ish game yet (it was a game prototype set on a space ship where you could program the computer), as there was a lot of hype around it and the idea seemed really nice (https://en.wikipedia.org/wiki/0x10c).

There are some games that explore that direction (e.g. space engineers has some kind of programmable block), but no successful ones in the spirit of the original 0x10c vision (which was pretty vague and maybe the hype and high expectations killed it). I still think that one could build a great game around the main idea, but probably it is hard to balance the game mechanics between "real" programming and actual game play without alienating users that want to get into programming and actual programmers that want to play a game.

dave84 14 hours ago 1 reply      
https://microcorruption.com/ is maybe not quite a game in the same way as those mentioned in the article but I enjoyed playing it.
veganjay 14 hours ago 0 replies      
TIS-100 is a lot of fun. It's quite interesting what you can do on a limited architecture.

Similar posts pop up occasionally here, such as:


A couple more lists of programming games:

- http://steamcommunity.com/app/375820/discussions/0/481115363...

- https://www.rockpapershotgun.com/2015/11/09/best-programming...

krallja 15 hours ago 0 replies      
BOX-256 is a free web-based assembly language game: http://box-256.com/
jonny_eh 15 hours ago 1 reply      
Human Resource Machine is really fun. It's also available on tablets like the iPad. I think it's a great intro to programming.
kccqzy 10 hours ago 1 reply      
It's kinda ironic that I bought TIS-100 when it first came out, played for a few hours, lost interest, and never really touched it since. But then, later I found great fun writing actual x86-64 assembler.
NKCSS 5 hours ago 0 replies      
HRM was a lot of fun; I wrote an interpreter in C# to test the scripts and test them on a PC; thought about creating a website where people could post new challenges and create optimal solutions; some changes to hard levels take forever in the game; I could just edit a few things and have near instant results.
Houshalter 13 hours ago 0 replies      
I've had some fun solving very simple problems in brainfuck. This would be an interesting choice for a programming game because of how simple it is. You can learn it in like 5 minutes. And also it's very easy to visualize the state. You can watch the program move around the tape and increment and decrement cells. Try it yourself, write a program to reverse an input string.
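
The exercise suggested above, as an added example that is not part of the comment: a minimal Brainfuck interpreter in Python with an optional per-step tape trace (the "watch the program move around the tape" view), plus the string-reversal program. The interpreter is assumed code written for this page; the conventions it picks (`,` stores 0 at end of input, 8-bit wrapping cells, a step limit to stop runaway loops) are implementation choices, not something the comment specifies.

```python
# Added example: a small Brainfuck interpreter with an optional tape trace,
# plus the string-reversal program the comment suggests as an exercise.
# Not code from the original post. Conventions chosen here: ',' stores 0 at
# end of input, cells are 8-bit and wrap, and a step limit bounds runaway loops.
from typing import Dict, List, Optional


def _match_brackets(code: str) -> Dict[int, int]:
    """Precompute matching '[' / ']' positions so jumps are O(1)."""
    pairs: Dict[int, int] = {}
    stack: List[int] = []
    for i, ch in enumerate(code):
        if ch == '[':
            stack.append(i)
        elif ch == ']':
            if not stack:
                raise SyntaxError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise SyntaxError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run(code: str, stdin: bytes, tape_len: int = 30000,
        trace: Optional[List[str]] = None, max_steps: int = 1_000_000) -> bytes:
    """Execute Brainfuck `code` on input `stdin`; return the bytes written by '.'.

    If `trace` is a list, one line per executed instruction is appended showing
    the data pointer and the non-zero cells at the start of the tape, which is
    the state view the comment describes. `max_steps` stops infinite loops.
    Input bytes must be non-zero, because 0 doubles as the end-of-input marker.
    """
    pairs = _match_brackets(code)
    tape = bytearray(tape_len)
    ptr = pc = inp = 0
    out = bytearray()
    steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == '>':
            ptr += 1
            if ptr >= tape_len:
                raise IndexError("pointer ran off the right end of the tape")
        elif ch == '<':
            ptr -= 1
            if ptr < 0:
                raise IndexError("pointer ran off the left end of the tape")
        elif ch == '+':
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # 8-bit wrapping cell
        elif ch == '-':
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == '.':
            out.append(tape[ptr])
        elif ch == ',':
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0   # 0 on EOF
            inp += 1
        elif ch == '[' and tape[ptr] == 0:
            pc = pairs[pc]        # skip the loop body
        elif ch == ']' and tape[ptr] != 0:
            pc = pairs[pc]        # back to the loop start
        if trace is not None:
            cells = {i: v for i, v in enumerate(tape[:16]) if v}
            trace.append(f"pc={pc:3d} {ch} ptr={ptr} cells={cells}")
        pc += 1
    return bytes(out)


# Reverse the input: read bytes rightwards until EOF leaves a 0 cell, then walk
# back printing each cell until the 0 sentinel left in cell 0 is reached.
REVERSE = ">,[>,]<[.<]"


def reverse_via_bf(s: bytes) -> bytes:
    """Run the reversal program on `s` (constructed input, no zero bytes)."""
    return run(REVERSE, s)


if __name__ == "__main__":
    steps: List[str] = []
    print(reverse_via_bf(b"hello"))
    run(REVERSE, b"ab", trace=steps)
    print("\n".join(steps))
```

The bracket table is built once up front, so a malformed program is rejected before anything executes rather than discovered mid-run; the step and tape-bounds checks are what make it safe to feed the interpreter an arbitrary program.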
adamnemecek 12 hours ago 0 replies      
If this tickles your fancy, check out https://godbolt.org
mathattack 8 hours ago 0 replies      
TIS-100 looks cool but the keyboard didn't fit on my iPad. Downloaded a few other games from the provider and all have OAuth issues. Too bad - they looked good.
misingnoglic 11 hours ago 3 replies      
Is there any benefit to learning assembly now, or is it just fun to see what it was like then?
andrewke 9 hours ago 0 replies      
atroll 15 hours ago 0 replies      
assembly is awesome yet scary
analognoise 6 hours ago 0 replies      
Stop playing games and just write some damn assembly.
mrcactu5 5 hours ago 0 replies      
any good resources on 6502?
Death by Fire longreads.com
67 points by DiabloD3  14 hours ago   5 comments top 5
pdelbarba 12 hours ago 0 replies      
I live in Colorado and see the fires regularly. Just about two months ago I stepped outside on a weekend morning and smelled smoke, then saw a firebomber fly overhead towards the mountains. It's a strange thing to get used to, though I'm not near the forests, just close enough to get a tax-payer funded airshow once or twice a year.
fujipadam 4 hours ago 0 replies      
Beautifully written. While I see the horror, it read more like a romance. The author loves fire despite her ruthlessness
tomcam 12 hours ago 0 replies      
Incredibly well-written and a window onto a life I prefer not to contemplate
te 4 hours ago 0 replies      
Norman Maclean's "Young Men and Fire" tells the story of the Mann Gulch incident. Recommended.
FrozenVoid 3 hours ago 0 replies      
Perhaps the idea of having forests near population centers should be reevaluated. Clearing a few km of city-bordering forest will create a gap in which fire will not spread, if there is nothing flammable on the ground. The aesthetics of having "natural trees" nearby is not worth the risk, and polluted air from forest fires definitely doesn't help the overall health.
Cyberattacks in 12 Nations Said to Use Leaked N.S.A. Hacking Tool nytimes.com
1174 points by ghosh  1 day ago   462 comments top 69
ComodoHacker 1 day ago 6 replies      
Edit: Botnet stats and spread (switch to 24H to see full picture): https://intel.malwaretech.com/botnet/wcrypt

Live map: https://intel.malwaretech.com/WannaCrypt.html

Relevant MS security bulletin: https://technet.microsoft.com/en-us/library/security/ms17-01...

Edit: Analysis from Kaspersky Lab: https://securelist.com/blog/incidents/78351/wannacry-ransomw...

RangerScience 1 day ago 7 replies      
> "Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets particularly hospitals had yet to update their systems."

> "The malware was circulated by email; targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets."

It sounds like the basic (?) security practices recommended by professionals - keep systems up-to-date, pay attention to whether an email is suspicious - would have covered your network. Of course, as @mhogomchunu points out in his comment - is this the sort of thing where only one weak link is needed?

Still. Maybe this will help the proponents of keeping government systems updated? And/or, maybe this will prompt companies like MS to roll out security-only updates, to make it easier for sysadmins to keep their systems up-to-date...?

(presumably, a reason why these systems weren't updated is due to functionality concerns with updates...?)

turnip123942 1 day ago 9 replies      
I think this is an excellent example that we can all reference the next time someone says that governments should be allowed to have backdoors to encryption etc.

This shows that no agency is immune from leaks and when these tools fall into the wrong hands the results are truly catastrophic.

mhogomchungu 1 day ago 3 replies      
I am in Tanzania(East Africa) and my father's computer is infected.

All he did to get infected was plugging his laptop on the network at work(University of Dar Es Salaam).

The laptop is next to me and my task this night is to try to remove this thing.

raesene6 1 day ago 1 reply      
One of the big problems here will be for any country which makes a lot of use of older computers using Windows XP as there is no patch for this vulnerability on that OS version.

How many systems that is, is debatable but by at least one benchmark (https://www.netmarketshare.com/operating-system-market-share...) we're looking at 7% of the desktop PC market that could be exposed with no patch available.

natch 1 day ago 1 reply      
This gives the lie to the notion that a government master key or back door scheme could be protected from leaks and abuse.
sasas 1 day ago 0 replies      
Malware tech needs recognition! By being the first to register the hard coded domain in the malware they have slowed the spread significantly ...


blitmap 1 day ago 3 replies      
The real world doesn't update in 2 months. (I wish it did.)

The NSA should have responsibly disclosed the vulnerabilities they had been sitting on as soon as they were discovered.

That protects national security - not this.

placeybordeaux 1 day ago 2 replies      
Going through their wallets it looks like they've gotten 32 pay outs, some for more than 300 USD. Are there any addresses that they are using outside of the four listed in the article?

It'd be an interesting project to try and track where these funds go and where they came from.

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6N... - 11
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX... - 4
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8is... - 6
https://blockchain.info/address/1QAc9S5EmycqjzzWDc1yiWzr9jJL... - 11

jayess 1 day ago 1 reply      
You can keep an eye on their bitcoin wallet (or at least one of them): https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6N...
Asdfbla 1 day ago 1 reply      
One of the side effects if states participate in the proliferation of offensive tools. Won't be the last time state-sponsored tools, exploits or backdoors fall into the hands of interested third parties.

I think collateral damage like that is way underrated by politicians all around the globe that call for their respective intelligence agencies to build up offensive capabilities to be able to conduct cyber warfare and whatnot.

f2f 1 day ago 0 replies      
Cisco's TALOS team just published an analysis:


Kali909 1 day ago 1 reply      
There's the bitcoin ransom aspect, but presumably a worm like this could extract a massive amount of data from infected servers and send that back to someone/somewhere?

Bank transactions, patient medical data, stored passwords/keys/CA info, contacts, emails, configuration files, registry dumps for firewall rules etc etc. (I'm not that creative so there's probably a lot more that's been exfiltrated).

Pretty hellish knowing they'd let that quietly sit there, in the name of espionage. I'm not sure the benefits outweigh the damage they're doing, without even mentioning the chilling effect and lack of confidence this instills in IT everywhere.

WheelsAtLarge 1 day ago 0 replies      
Wow, the future is here and it's not looking very good. We need to diversify our OS's in the enterprise. This time it was MSFT; next it could be Linux. No OS gives an absolute guarantee. The systems are relatively dumb now; what will happen when AI has gotten deeper into our everyday lives? This is a wake up call.
nyolfen 1 day ago 2 replies      
BBC says up to 74 nations now: http://www.bbc.com/news/live/39901370
Keverw 1 day ago 5 replies      
Wow, this is so insane. I really don't think the NSA should be finding vulnerabilities and keeping them to themselves.

I mean I get it is all to help stop the bad guys, but if you are keeping cyber weapons like this, you should be required to keep them as secure and locked as possible if you don't follow responsible disclosure.

Just like how a cop would keep their weapon on them, instead of sitting it down on the table while eating lunch.

EmlynC 1 day ago 2 replies      
What gets me is why we don't see more viruses that _deliver_ the patch to fix the vulnerability.

It's perhaps a little more difficult as you'd need a vulnerability to keep spreading the inoculation. Arguably, though, you release the virus, let it spread and then trigger the inoculation using a mechanism like calling out to a webserver, just as the kill switch worked here.

olliej 1 day ago 1 reply      
Cyber attacks use patched exploit to attack systems running out of date software, even in large enterprises handling sensitive data?

I give a pass to individuals (bandwidth for updates can be expensive, regular users don't know about patch Tuesday etc), but enterprise scale deployment should have IT for this, and IT should have been well aware of this kind of thing happening.

nyolfen 1 day ago 1 reply      
We really are living in the future. My condolences to the NHS, but what a time to be alive.
remarkEon 1 day ago 0 replies      
If I want a deep technical analysis of what we know so far, where do I go?
JackFr 1 day ago 0 replies      
As far as I can see it hasn't moved the needle on Bitcoin/$ today though.

Ransomware was a play for big Bitcoin holders to unwind large positions at the highs without too much downward pressure in the Bitcoin market.

c3534l 1 day ago 0 replies      
It could also just be the NSA banking on everyone assuming it's someone using NSA tools.
print_r 1 day ago 1 reply      
While I can understand WikiLeaks' position, I feel like it was incredibly short sighted and uninformed of them to release the code itself. Unless you believe that they are working with the Russian (and other?) governments to destabilize the west. Personally, I wouldn't be surprised if this was the case.
sasas 1 day ago 0 replies      
Here is a link to the malware sample and technical implementation details.


jgaa 1 day ago 2 replies      
If the NSA made it, and failed to protect it - then the NSA should be liable for lawsuits to pay for damages.
blackflame7000 1 day ago 0 replies      
I was debugging a private web app today when I noticed a python script agent suddenly performing a port scan on me. It was querying for something called "a2billing/common/javascript/misc.js". After googling that phrase it seems I'm not the only person who has seen this today. The country of origin of the IP was Britain.

After further investigation, it appears this attack could be in relation to this: http://www.cvedetails.com/cve/CVE-2015-1875/

drinchev 1 day ago 1 reply      
So if I pay, how do the hackers decrypt my HD? Is there a way to sniff the key and pay once - decrypt everywhere?
gazos 1 day ago 1 reply      
I'm hearing the password wncry@20l7 decrypts the zip within the PE resources. Anyone confirm?
turblety 20 hours ago 0 replies      
Just to let you know in the UK we'll all be safe from things like this. The UK's banning encryption so stuff like this won't happen in the future. Phew. I feel safer!
arca_vorago 1 day ago 1 reply      
First of all, while I of all people love to pile onto the anti-NSA bandwagon (within constitutional reason that is, I don't advocate their abolishment, but that's a different conversation), there are quite a few non-three-letter related things that have contributed to this story and ones like it.

The primary issue at the heart of things like this, beyond the backdoors and 0-days is this: bad IT.

That being said though, bad IT is far too often the fault of upper management, and not the IT people themselves. After years of sysadmining, I've seen the inside of hundreds of companies, from Fortune 500 oil to medium sized law firms. You know what they have all been doing over the years? Cutting costs by cutting IT. Except... they completely fail to consider long term consequences, which end up costing more.

I blame things like this on two main groups. Boards of directors, and company executives. Far too often I ran into a situation where a company didn't even have a CIO or a CTO, and you had some senior one man miracle show drowning in technical debt reporting to a CEO or CFO and getting nowhere, and therefore getting no support, no budget, no personnel, etc. I've seen exceptions too, but they are far too rare. If it's not technical debt that's drowning the company, it tends to be politics. The bottom line is forward thinking IT personnel don't get heard, and inevitably companies hire people or an MSP with all the proprietary, Cisco, Microsoft, Oracle, etc bullshit certs that make the C's feel better, but don't actually produce the wanted results. They inevitably end up providing an inferior product with inferior service at a short term cost just as high as doing it right the first time, and a much higher long term cost.

If I could say one thing that could help prevent issues like this, besides my standard whinging on about FOSS and the four freedoms and such, is that we need better CTO's and CIO's to advocate on behalf of IT departments, and I think senior sysadmins who feel they have hit a ceiling should consider going for their MBA's and transitioning to those titles.

Now, onto the NSA angle of the story. Well... all I can say is I told ya so, with an extra note that HN in the past few years has been surprisingly dismissive of FOSS proponents who have been warning about these things.

First they made fun of us for saying everything was being spied on, and then Snowden happened. (Often followed by bullshit like "are you surprised?" or "what do you have to hide?")

Then we warned about proprietary systems, and then the NSA/CIA tool leaks happened. (Often followed by things like "but it's for foreign collection only" and "but the NSA contributes to SELinux.")

Y'all aren't listening until after the fact, and that's not going to fix anything.

JohnTHaller 1 day ago 1 reply      
Medical offices are notorious for having machines out of date, not properly secured, and not backed up. Just recently I wanted to get test results from a few years earlier from a previous doctor. Nope, the machine they were on runs a proprietary GE setup and it crashed. The same test a few years earlier? The hospital lost them and had no record of them being done. A different test I had done a month ago was hooked up to an aging Windows XP machine. Yes, it was networked, though I'm unsure if it was intranet only (I doubt it).

In the US, you have to manage your own healthcare. Get every result as a hard copy or on disk (in the case of MRI etc) and save it yourself. And back it up. That way you're prepared.

nthcolumn 1 day ago 0 replies      
campuscodi 1 day ago 1 reply      
It's not 12 nations.... it's all over the world...
marcrosoft 1 day ago 0 replies      
If anyone reading this was affected by this attack, please take this as an opportunity to start the journey to become "antifragile". If you are severely affected by this (mainly speaking about ransomware) it means you lack backups and the ability to self-heal infrastructure. These attacks will only get more frequent and more sophisticated. So, start now.
TomK32 1 day ago 2 replies      
So... I'm running Linux on all my systems, how bad will it be for me?
cryogenspirit 1 day ago 3 replies      
Q: does anyone know how to disable regular internet access in Windows except through a virtual machine (VMware or Virtualbox)?

I have set up my mom to use a live debian cd through VMware, but I would also like to disable networking through Windows Edge and Explorer. I don't know how to do this however.

Myself, I follow a similar scheme but using a linux virtual guest and host. Is it easy to disable networking for all networking except for apt/yum and vmware/kvm?

Lastly, does anyone know what it costs for a personal subscription to grsecurity?

kabes 23 hours ago 0 replies      
I hope the NSA can be held accountable for this and we can finally all agree that a government holding on to 0-days and asking for loophole encryption always bites back at the very people they claim to protect.
soneca 1 day ago 2 replies      
"Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets particularly hospitals had yet to update their systems."

Which Microsoft software should be updated now to protect against this particular attack? Windows? Windows on the end user machines? The servers?

Could someone share a "What should I do now to protect myself" guide, please?


Irreal 1 day ago 0 replies      
Is it possible to cause havoc on banks worldwide?
runesoerensen 1 day ago 0 replies      
DHS Statement on Ongoing Ransomware Attacks: https://www.dhs.gov/news/2017/05/12/dhs-statement-ongoing-ra...
jordan314 1 day ago 3 replies      
Can't law enforcement follow the transactions of the public address of the ransom bitcoin wallet until the bitcoin is sold?
rorykoehler 1 day ago 0 replies      
The entertainment system on my flight is mysteriously down. I wonder if it's connected. As a side thought does anyone know the vulnerability of critical systems such as airliners, air traffic control etc?
djanklow 1 day ago 0 replies      
Why don't telecom providers help remove devices who are requesting an exorbitant amount of requests? Wouldn't this kill bot nets, if the exponential growth effect became impossible?
hd4 1 day ago 0 replies      
We Linux people really should not miss this opportunity to bring people on board. Ubuntu is a great starting point.
mschuster91 1 day ago 0 replies      
Apparently, this has spread to Deutsche Bahn...

1) a railway dispatcher just tweeted that IT systems will be shut down (https://twitter.com/lokfuehrer_tim/status/863139642488614912)

2) a journalist tweeted that an information display of DB fell victim to ransomware (https://twitter.com/Nick_Lange_/status/863132237822394369).

I guess that #1 and #2 are related, though.

itissid 1 day ago 0 replies      
Does anyone have a running list of the organizations affected so far?
mgalka 1 day ago 2 replies      
What exactly does this NSA tool do? Every story I've seen glosses over how it works.
mdkdog 1 day ago 2 replies      
It looks to me like common stupidity... people opening attachments that they should not be opening. No need to involve a CIA, NSA or other three-letter agency hacking tool... just old school phishing. I see this happening much too often... people opening *.pdf.js attachments. No need for another conspiracy theory... stupidity explains it all. Just my 50.
rileytg 1 day ago 0 replies      
is this supporting evidence of the us doing something "wrong" by creating these tools?

disclaimer: i hope no b/c it's like any other military tech being leaked and used, but am not sold either way.

Myrmornis 1 day ago 0 replies      
> Security experts described the attacks as the digital equivalent of a perfect storm.

Just in case there are any journalists reading - never use the term "perfect storm".

microcolonel 1 day ago 0 replies      
> The attacks were reminiscent of the hack that took down dozens of websites last October, including Twitter, Spotify and PayPal, via devices connected to the internet, including printers and baby monitors.

Lazy writing at NYTimes; what on earth does this attack have to do with the one at hand? It's not broadly the same type of attack, nor the same scale, nor the same outcome.

reviewmon 1 day ago 0 replies      
Anticipation for an attack tied to an all time high bitcoin?
gildas 1 day ago 0 replies      
Q: could fuzzing techniques help to take down such (p2p) botnets?
pja 1 day ago 1 reply      
I see the Rust Evangelism Strike Force are out in action again.

Guys, it may surprise you, but some of this kit predates Rust :)

zyztem 1 day ago 0 replies      
12 Nations that did not apply security patches
agent3bood 22 hours ago 0 replies      
The article could have been written in 15 lines or less. Why u do this
rdiddly 1 day ago 0 replies      
"Emergency rooms were forced to divert people seeking urgent care."

I feel like the words "urgent" and "forced" might both be a bit shy of absolutely true here?

lngnmn 1 day ago 0 replies      
Just for reminder - the second leak does not match the vault7 leak, which is supposed to be from the very same NSA.

There is not a single proof or reason to believe that the second leak was not a fake (while the vault7 leak looks more legit) .

There are reasons to think that the same people are behind the second leak and the malware, and the malware, which is said to be based on "a leaked NSA exploit", was the part of a single plan.

It is not that hard to guess who is behind the internet bullying.

Myrmornis 1 day ago 2 replies      
There's no evidence that this attack targeted the NHS or other health systems, right? Just spreading randomly by email, highest infection probabilities certain older Microsoft OSs?
anigbrowl 1 day ago 0 replies      
I'm surprised by the lack of speculation on the identity of the perpetrators.
mtgx 1 day ago 0 replies      
Is Russia being hit the most because it was the NSA the one that was exploiting this vulnerability before? Perhaps they are leveraging some other leaked NSA tool that gives them more direct access to Russian computers?
CCing 1 day ago 1 reply      
Is OSX affected ?
SomeStupidPoint 1 day ago 0 replies      
This is what blowback looks like.

The US military and intelligence communities focused hard on cyber offense, rather than improving the defensive standards and technologies practiced among allies. Because of this, several allies have important systems compromised by (essentially) US-engineered malware.

Well, at least DARPA is sort of on it: http://archive.darpa.mil/cybergrandchallenge/

(There's also work stemming from the HoTT body of work on verified systems, as I understand it. But that doesn't have a sexy webpage.)

brilliantcode 1 day ago 3 replies      
Isn't it peculiar that Russia remains the least hit or not even hit at all? It seems like the West was a clear target. Connecting the dots here, suffice it to say Shadow Brokers serves Russian interests.

We are seeing bullet holes from what seem to have been cyber warfare between the former cold war foes.

anigbrowl 1 day ago 0 replies      
I do not believe that attacks of this scale or coordination are undertaken by private actors. This is warfare; it just isn't kinetic yet.
lukaa 1 day ago 2 replies      
Just use Linux and 90% of your problems with malware are history. Your own customization of the kernel will make you even more secure.
swetabhsuman8 1 day ago 1 reply      
MASSIVE RANSOMWARE ATTACK HITS 74 COUNTRIES http://hackernucleus.com/eternalblue-hacker-news-massive-ran...
jansho 1 day ago 1 reply      
From the Guardian:

"He adds that the fear is that the ransomware cannot be broken and thus data and files infected are either lost or that the only way to get them back would be to pay the ransom, which would involve giving money to criminals."

The new terrorism.


dberhane 1 day ago 2 replies      
Maybe it is now time for a major review of the NHS's Microsoft software dependency, and they should seriously consider switching to Linux based software.

Here is the BBC news update about the NHS Cyber attack:

"NHS trusts 'ran outdated software'

Some who have followed the issue of NHS cyber security are sharing a report from the IT news site Silicon, which reported last December that NHS trusts had been running outdated Windows XP software.

The website says that Microsoft officially ended support for Windows XP back in April 2014, meaning it was no longer fixing vulnerabilities in the system - except for clients that paid for an extended support deal.

The UK government initially paid Microsoft 5.5 million to keep providing security support - but the website adds that this deal ended in May 2015."

The Right to Read (1997) gnu.org
173 points by tobyjsullivan  15 hours ago   47 comments top 9
BlindWanderer 4 hours ago 0 replies      
I remember reading this in the 90's and thinking it was yet another piece of dystopian speculative science fiction. Once or twice a decade I reread it to refresh my memory or when I cite it. Each time I'm struck by how it's gotten closer and closer to truth; and yet the story has not changed.
qntty 10 hours ago 1 reply      
On the one hand, sometimes I think that Stallman's predictions of where technology is going aren't so novel because they're just a special case of where capitalism always goes.

On the other hand, I remember reading someone who said that one property of brilliant ideas is that when other people hear them, they think "well I could have thought of that."

mjw1007 12 hours ago 1 reply      
I forgot that the "sell personal interest profiles to retailers" line was there. As a futurologist he's not bad at all.
the_greyd 8 hours ago 0 replies      
Here's another good one about self driving cars and the right to modify its code - "Car Wars" by Cory Doctorow : http://this.deakin.edu.au/culture/car-wars
quickben 14 hours ago 1 reply      
Funny, as time goes on, that story is gaining in popularity and relevance.

Went straight from SF to Contemporary in a decade.

merpnderp 6 hours ago 4 replies      
Given the nearly hundred million people murdered by their own communist governments, people would be wise to be afraid of that word.
13of40 13 hours ago 5 replies      
Next let's talk about the right to live on a piece of land without paying someone else for the privilege.
gech 12 hours ago 1 reply      
As a conservative, your story does not obligate me to ensure others' right to read.
jstewartmobile 4 hours ago 1 reply      
This thing reads like FSF for kindergarteners.

Stallman would make more headway with his politics if he had a little less contempt for his audience.

Finding an arbitrary file upload vulnerability in a filesharing script 0day.work
20 points by internetwache  11 hours ago   5 comments top 3
fake-name 2 hours ago 0 replies      
> I thought about a possible fix for a while, but in the end decided that the quickest and easiest fix would be to adjust the regular expressio

..... WHAT?

Python has a suite of facilities exactly for this very kind of problem.

Literally, the solution is "os.path.abspath(filename).startswith(os.path.abspath(dlfolder))"

This should, in all cases, return true if the filename is within the download folder directory, and false for any other case.

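The containment check sketched in the comment above, worked through as an added example (editor's code, not the commenter's and not the filesharing script's): a plain `startswith` prefix comparison has a sibling-directory hole (`/srv/downloads_private` starts with `/srv/downloads`), while `os.path.commonpath` over `realpath`-resolved paths does not. The directory and file names are constructed for illustration.

```python
import os


def resolve(path: str) -> str:
    """Absolute, normalised path with symlinks followed.

    realpath also collapses '..' segments, which is what defeats
    '../../etc/passwd' style traversal in the candidate path.
    """
    return os.path.realpath(path)


def naive_is_within(base_dir: str, candidate: str) -> bool:
    # The check as proposed in the comment above: string-prefix comparison
    # of the normalised paths. It accepts any sibling directory whose name
    # merely begins with the base directory's name (see the test below).
    return resolve(candidate).startswith(resolve(base_dir))


def is_within(base_dir: str, candidate: str) -> bool:
    """True only if candidate lies inside base_dir (or is base_dir itself)."""
    base = resolve(base_dir)
    target = resolve(candidate)
    try:
        # commonpath works on path components, not characters, so
        # '/srv/downloads_private' no longer matches '/srv/downloads'.
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # Raised on Windows when the two paths live on different drives.
        return False


def safe_download_path(base_dir: str, requested_name: str) -> str:
    """Join an untrusted filename onto the download folder and refuse
    anything that escapes it. Raises ValueError on an escaping request.

    Note that os.path.join discards base_dir entirely if requested_name is
    absolute ('/etc/passwd'), so the containment check must run on the
    joined result, never on the raw name.
    """
    target = os.path.join(base_dir, requested_name)
    if not is_within(base_dir, target):
        raise ValueError(f"refusing path outside {base_dir!r}: {requested_name!r}")
    return resolve(target)


if __name__ == "__main__":
    # Constructed inputs: the sibling-directory case slips past the naive
    # check and is rejected by the component-wise one.
    print(naive_is_within("/srv/downloads", "/srv/downloads_private/secret.txt"))
    print(is_within("/srv/downloads", "/srv/downloads_private/secret.txt"))
    print(is_within("/srv/downloads", "/srv/downloads/../../etc/passwd"))
```

Resolving both sides with `realpath` before comparing also covers a symlink planted inside the download folder that points outside it, which `abspath` alone would not catch.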
netsec_burn 9 hours ago 2 replies      
Nice find, I commented on your blog a method you can use to extend this vulnerability into RCE without admin interactivity.
Lessons scaling from 10 to 20 people josephwalla.com
40 points by gkop  6 hours ago   7 comments top 3
vmarsy 3 hours ago 1 reply      
I don't remember where I read it (probably on a HN post or comment) but there was a great suggestion regarding organization charts. Instead of doing one only when you scale from 10 to 20 people like this article suggests, the idea was to do one on day 1.

On day 1 every position from CEO, CFO, to mail delivery messenger is filled with one or 2 names: the founder(s). As the company grows, you hire people and start delegating the work so that they can fill the positions on the organization chart.

dodorex 1 hour ago 0 replies      
can somebody explain why posthaven is so widespread? i don't see any reason to use it over medium etc
fizixer 2 hours ago 0 replies      
Forget about scaling, tell me what are all/most of the possible worker roles (part-time or full-time) that a startup needs in its: first month, 2nd-6th month, rest of 1st year, and so on.

This kind of knowledge "beforehand" is a valuable startup insight that is not disseminated well enough IMO.

Visual Studio 2017 now fully supports Python and Django visualstudio.com
40 points by vanflymen  8 hours ago   2 comments top 2
saboot 1 hour ago 0 replies      
Main gripe I have with PTVS: Please improve doc rendering, you can use sphinx to create rendered docs as Spyder does very well. It makes coding so much easier for us mortals who have not memorized numpy and every caveat. I'm specifically talking about the very large docs in functions, rendered equations, links and references. Putting all of that in intellisense hoverbox is unusable, make a separate window box.

Otherwise it's pretty good. I actually use both Spyder and PTVS and am unhappy with both. Bad doc rendering in PTVS, no git in Spyder.

howfun 38 minutes ago 0 replies      
I don't think it is a good idea for Python development to depend on Microsoft products. Eclipse with Pydev is an amazing option for example, and many people swear PyCharm is great.
A federal court has denied a pre-trial motion to dismiss a GPL enforcement case qz.com
820 points by imanewsman  1 day ago   208 comments top 28
DannyBee 1 day ago 2 replies      
This happened a few weeks ago. But it's just a ruling on a preliminary injunction motion.

That is, it's not even a final decision of a court.

So while interesting, it's incredibly early in the process. The same court could issue a ruling going the exact opposite way after trial.

As someone else wrote, basically a court rule that a plaintiff alleged enough facts that, if those facts were true, would give rise to an enforceable contract.

IE they held that someone wrote enough crap down that if the crap is true the other guy may have a problem.

They didn't actually determine whether any of the crap is true or not.

(In a motion to dismiss, the plaintiff's allegations are all taken as true. This is essentially a motion that says "even if everything the plaintiff says is right, i should still win". If you look, this is why the court specifically mentions a bunch of the arguments the defendant makes would be more appropriate for summary judgement)

apo 1 day ago 5 replies      
To use Ghostscript for free, Hancom would have to adhere to its open-source license, the GNU General Public License (GPL). The GNU GPL requires that when you use GPL-licensed software to make some other software, the resulting software also has to be open-sourced with the same license if it's released to the public. That means Hancom would have to open-source its entire suite of apps.

Alternatively, Hancom could pay Artifex a licensing fee. Artifex allows developers of commercial or otherwise closed-source software to forego the strict open-source terms of the GNU GPL if they're willing to pay for it.

This obligation has been termed "reciprocity," and it lies at the heart of many open source business models.


The more important issue here is reciprocity, not whether an open source license should be considered to be a contract.

AFAIK, the reciprocity provision of any version of the GPL hasn't been tested in any meaningful way within the US. In particular, the specific use cases that trigger reciprocity remain cloudy at best in my mind.

Some companies claim that merely linking to a GPLed library is sufficient to trigger reciprocity. FSF published the LGPL specifically to address this point.

So I believe a ruling on reciprocity would be ground breaking.

rlpb 1 day ago 3 replies      
"Corley denied the motion, and in doing so, set the precedent that licenses like the GNU GPL can be treated like legal contracts, and developers can legitimately sue when those contracts are breached."

The GNU GPL was written on the basis that if someone does not accept its terms, then that without any other license from the copyright holder, redistribution puts that person in violation of copyright law.

Suing for damages on the basis of a breach of copyright law clearly does not require any contract.

So this is more about a technicality of the legal process in this particular case, rather than anything about whether copyleft is legally enforceable or not in general.

Specifically, because the motion denial was based on the defendant's own admission being deemed to be the agreement of a contract, this says nothing about the general enforceability of the GPL (future defendants could simply avoid making such an admission).

Further, since the ruling was in response to a specific motion, it only concerns the claims made in that motion: about whether a contract exists in this particular case. It says nothing about the "copyright violation if you don't accept the license" mechanism of copyleft.

Finally, the article does not provide any evidence that there has been any ruling that determined that the GPL is an enforceable legal contract, contrary to its title. The ruling as quoted just says that the defendant, by its own admission, did accept to enter in to the GPL-defined contract.

beat 1 day ago 1 reply      
A friend of mine, who is a software engineer turned IP lawyer, made a good point about the GPL - the reason it "has never been challenged in court" isn't about uncertainty, but about certainty. The GPL is based on the most simple, bedrock copyright law. Despite being a clever hack, there's nothing legally exotic about it.

Any judge in the country or anywhere else would laugh a GPL challenge right out of court. And any IP lawyer reading it would tell their client that that's what's going to happen if they try to challenge it. That's why it's never been fully tested in court... no need.

ckastner 1 day ago 3 replies      
> That happened when Hancom issued a motion to dismiss the case on the grounds that the company didn't sign anything, so the license wasn't a real contract.

... so they admitted to the court that they willfully used the software without a license to do so?

dhimes 1 day ago 2 replies      
This was a ruling that the contract between the plaintiff and defendant existed, not on the validity of the contract (which is the GNU GPL license).

Defendant (Hancom) was trying to say that because they didn't sign anything they didn't have a contract.

But Hancom "represented publicly that its use of Ghostscript was licensed under the GNL GPU"

Therefore, the Judge ruled that in their own words they publicly acknowledged the contract.

AsyncAwait 1 day ago 0 replies      
This is great - love or hate the GPL, it brings something unique to the table that no other license does and developers should have the ability to license their software under the terms that fits their motivation for developing it in the first place the best - the GPL does exactly that for many.
blauditore 1 day ago 4 replies      
One thing I often wonder is how a company providing such open source software can find out (and prove) if someone is using it in a closed-source project. All I can think of is "guessing" based on behavior of the downstream tool.

Also, the article doesn't say much about how that lawsuit came to be. Did Artifex approach Hancom beforehand to notify them about the license infringement or just directly sue? I guess in this particular case, Hancom knew what they were doing, but I can imagine some (smaller) companies not being fully aware of open source license specifics and unknowingly running into a lawsuit.

pvdebbe 1 day ago 1 reply      
Excellent news.
analog31 1 day ago 1 reply      
That means Hancom would have to open-source its entire suite of apps.

Ask HN: What if the vendor had structured their product in a way that GhostScript is its own stand-alone app. Would they still be obligated to release their entire code, or just the portion that uses GhostScript?

AndyMcConachie 1 day ago 0 replies      
Here is a link to the actual opinion if anyone else is interested.


dragonwriter 1 day ago 1 reply      
Actually, a more accurate statement is that a federal judge has ruled that a plaintiff in a case has alleged the existence of circumstances in which the GPL would be an enforceable legal contract.
carlmcqueen 1 day ago 0 replies      
while an important step, the last line of the article makes it clear it is still pretty early in this process.
faragon 1 day ago 1 reply      
In my opinion, software equivalent in functionality to Ghostscript should be written using a BSD or similar license. Is there anyone willing to sponsor it?
iamNumber4 1 day ago 0 replies      
moral of the story is, know your licences. Adhere to the license terms. Seek out projects with more permissive licenses if you plan to do closed source.

It is simple to work around licence issues with your project. You just have to put in the work. Know that your design may have to factor in extra time because you can't use lib XYZ because you have to write your own library to do the same thing. If using lib XYZ will save a bunch of time, then know that you will have to adhere to lib XYZ license. Maybe writing a wrapper application that you opensource, and your closed source application interfaces with might be a design consideration.

In the end, it's your project, your call. Just know when you make a decision you weigh the pros and cons of going forth with that decision.

danschumann 1 day ago 3 replies      
What happens if they claim they downloaded it from somewhere else that didn't include the license.txt file? There is no proof they ever were even notified of the license. (this is why we usually have people sign contracts)
davidgerard 1 day ago 0 replies      
The GPL has been upheld many times previously, e.g. in BusyBox enforcing its copyright.


In one enforcement, the defendant defaulted and the SFLC ended up with a pile of violating televisions!


The enforceability of the GPL is in no way news. That anyone would continue to try to violate it is the real WTF.

ferdterguson 1 day ago 0 replies      
I'm not a big fan of the GPL personally, but this is great!
ljfio 1 day ago 1 reply      
This article seems to be declaring victory in war, when really only a minor battle in the war has been won.
georgestephanis 1 day ago 0 replies      
Doesn't MySQL distribute in a similar dual-licensed fashion?
iplaw 1 day ago 0 replies      
> Of course, whether Artifex will actually win the case it's now allowed to pursue is another question altogether.

It's fairly clear that they will win the case in one fashion or another. I am predicting that the case will quickly be settled out of court for a lump sum plus a running licensing fee. You have a public admission from the defendant that they integrated the plaintiff's Ghostscript software into their own without either: 1) making the resulting Hancom office suite open source, or 2) paying Artifex a licensing fee for the software.

The case against Hancom was solid under copyright infringement, and now has the added sting of breach of contract.

siegel 1 day ago 0 replies      
The article somewhat overstates the significance of this case in terms of precedential value.

On a procedural level, understand that this is a district court opinion and is not binding on any other court. Of course, if other courts find the arguments persuasive, they can adopt the reasoning. But no court has to adopt the reasoning in this opinion.

On a substantive level, it's important to look at the arguments the court is addressing and how they are addressed:

1) Did the plaintiff adequately allege a breach of contract claim?

We're at the motion to dismiss phase here and the court is only looking at plaintiff's complaint and accepting all of the allegations as true.

There are essentially only 2 arguments the court addresses: A) Was there a contract here at all?; and B) Did the plaintiff adequately allege a recognizable harm?

Understand that in a complaint for breach of contract, a plaintiff has to allege certain things: (i) the existence of a contract; (ii) plaintiff performed or was excused from performance; (iii) defendant's breach; (iv) damages. So, the court is addressing (i) and (iv), which I refer to as (A) and (B) above.

As to (A), the argument the defendant appears to have made is that an open source license is not enforceable because of a lack of "mutual assent." In other words, like a EULA or shrink-wrap license, some argue that using software subject to an open source license doesn't demonstrate that you agreed to the terms of that license.

The court, without any real analysis, says that by alleging the existence of an open source license and using the source code, that is sufficient to allege the existence of a contract. The court cites as precedent that alleging the existence of a shrink-wrap license has been held as sufficient to allege the existence of a contract.

But the key word here is "allege." As the case proceeds, the defendant is free to develop evidence to show that there was no agreement between the parties as to the terms of a license. So, very little definitive was actually decided at this stage. All that was decided is that alleging that an open source license existed is not legally deficient per se to allege the existence of a contract.

As to (B), defendant apparently argued that plaintiff suffered no recognizable harm from defendant's actions. The court held that defendant deprived plaintiff of commercial license fees.

In addition, and more important for the audience here, the court held that there is a recognizable harm based on defendant's failure to comply with the open source requirements of the GPL license. Basically, the court says that there are recognizable benefits (including economic benefits) that come from the creation and distribution of public source code, wholly apart from license fees.

This is key - if the plaintiff did not have a paid commercial licensing program, it could STILL sue for breach of contract because of this second type of harm.

That being said, none of this argument is new. There is established precedent on this point.

2) Is the breach of contract claim preempted?

Copyright law in the United States is federal law. Breach of contract is state law. A plaintiff cannot use a state law claim to enforce rights duplicative of those protected by federal copyright law.

So, what the court is looking at here, is whether there is some extra right that the breach of contract claim addresses that is not provided under copyright law.

In other words, if the only thing that the breach of contract claim was addressing was the right to publish or create derivative works, then it would be duplicative of the copyright claim. And, therefore, it would be preempted.

Here, the court held that there are two rights that the breach of contract claim addresses that are different from what copyright law protects: (A) the requirement to open source; and (B) compensation for "extraterritorial" infringement.

The real key here is (A), not (B). With respect to (A), the court here is saying that the GNU GPL's copyleft provisions that defendant allegedly breached are an extra right that is being enforced through the breach of contract claim that are not protected under copyright law. Therefore, the contract claim is not preempted.

(B) is a bit less significant for broader application. What (B) is saying is that because the plaintiff is suing for defendant's infringement outside the U.S. ("extraterritorial" infringement), and federal copyright law doesn't necessarily address such infringement, that's an "extra element" of the breach of contract claim. I say this is less significant because it wouldn't apply to a defendant who didn't infringe outside the United States. So, if you were the plaintiff here and the defendant was in California and only distributed the software in the U.S., argument (B) wouldn't apply.

I hope this clarifies what is/is not significant about the opinion here.

cmdrfred 1 day ago 1 reply      
I wonder if this applies to non copy left licenses as well.
etskinner 1 day ago 0 replies      
"GNL GPU", must be Nvidia's new line of graphics cards.
frabbit 1 day ago 1 reply      
This is why if someone were the (usually) imaginary "Free Software zealot" that would like to prevent a private business from profiting off public work, it would be necessary for software not only to be under a Free license, but for the copyright assignment to be held by someone that agrees with said Free Software "zealot".
finid 1 day ago 0 replies      
That happened when Hancom issued a motion to dismiss the case on the grounds that the company didn't sign anything, so the license wasn't a real contract.

Hancom's CEO is a thief.

MichaelMoser123 1 day ago 0 replies      
Congratulations to Stallman. After all these years the GPL has been tested in court. The man must be drunk with joy... Three cheers for the Mr. Stallman and his gcc (joining in on his celebrations)
brian-armstrong 1 day ago 0 replies      
The GPL has such strong terms, I think there is good reason to avoid ever reading any GPL codebase. Tainting yourself may imperil any code you write for the rest of your lifetime. And to that end, I think github should place a large warning on any GPL repo before letting you see it, as well as delisting them from search results (or at least hiding the contents)
Netflix confirms it is blocking rooted/unlocked Android devices androidpolice.com
135 points by msq  8 hours ago   124 comments top 17
izacus 28 minutes ago 0 replies      
Can someone explain what is it about some crappy shows and Hollywood movies that it deserves such invasive attacks on device ownership?

When Microsoft tried Secure Boot there was a huge outcry. But when HBO/Netflix/Verizon/WB demand a complete lockdown of your device (to the point where AACS 2.0 demands you have a special CPU, Motherboard, GPU and more components that lock you out and disable themselves if you use custom software/drivers), then suddenly even on HN I see a huge amount of people defending a complete lockout from your device to the point where you're not allowed to even install a custom, better, driver.

What is it about some shows/movies that would be SO DAMAGING to whole society if a few people would be able to copy them on another device or even give it to a friend?!

techsupporter 6 hours ago 1 reply      
This sort of thing doesn't surprise me from Netflix. It has been tightening up its rules for some time.

I dropped Netflix after whoever is in the group that decides policy for Netflix decided that Hurricane Electric's IPv6 tunnels are "a VPN" that is being used to circumvent Netflix's location checks with no warning.

(I'm aware of the DNS tricks I can do to only return IPv4 addresses in response to queries for the netflix.com zone. I choose not to do them and, instead, to not avail myself of Netflix's content.)

alistproducer2 7 hours ago 7 replies      
Anyone who roots their phone, in all likelihood, knows how to pirate the content: granted Netflix is way more convenient, that's why I pay them. I don't watch on mobile devices so this doesn't bother me. If I did watch on mobile and I had a rooted device, they would definitely stop seeing my money though. When will these companies learn to stop going after the nerds; we're the ones who actually know how to get around you if you piss us off.
josteink 2 hours ago 1 reply      
That's google essentially rendering the value-proposition of their bootloader-unlockable phones to be a negative one.

Wth would I pay extra for a Nexus/Pixel if unlocking it causes all Android software which uses DRM to start failing due to "not being compatible"?

Might as well buy a Samsung then. Or even better: an iPhone.

It's no longer your device anyway.

And to think Android was once open source. Now it's infected with DRM all the way down to the bootloader.

Such a shame. There are no free devices anymore.

Edit: to be clear I've always been OK with DRM in apps (as opposed to HTML) because that clearly isolates it from the general purposey bits of the platform. Seems that's no longer the case with Android.

phn 6 hours ago 2 replies      
Who is this trying to stop? People that rip their content? Because those ones certainly have other methods to do it (e.g. record video out).

If they're targeting consumers, why do they give a damn if the phone is rooted or not? As long as they pay netflix to stream the content to them?

Or is this "just" to prevent fake locations and such, to please their content producing/distributing overlords?

xkiwi 6 hours ago 0 replies      
The way this message will translate to the nerds|power users|hackers|rooted user|content creator|

"Netflix does not value your money, therefore you cannot use our services. However, you can always pirate the content on Internet for free."

thomastjeffery 5 hours ago 2 replies      
As someone with an unlocked and rooted android phone, what are they afraid of, and where can I get it?
jackewiehose 7 hours ago 5 replies      
Isn't it possible for a rooted device to fake being a non-rooted device to (selected) applications? To my understanding root means having the full control but I fear that this definition doesn't apply to smartphones.
aidenn0 6 hours ago 1 reply      
This is particularly absurd because it's trivial to record from any device that has HDMI out; HDCP 1.x is quite thoroughly broken, and there is a steady stream of HDMI splitters that can strip HDCP 2.x
dingo_bat 5 hours ago 1 reply      
Are they going to block admin Windows accounts too?
sametmax 2 hours ago 0 replies      
This is kinda silly though. Pirates will not bother using netflix. You have stremio, pop corn time, the pirate bay and 100 of streaming websites with more content for free. If somebody is paying, let the client have the unlocked phone.
shmerl 6 hours ago 2 replies      
So they are now admitting they have gone completely insane with DRM craze. That was expected.

Now let someone come and disrupt this industry swamp with DRM-free video.

geofft 7 hours ago 4 replies      
Does "unlocked" mean carrier-unlocked or bootloader-unlocked? I'm confused by this sentence:

For example, Artem's unlocked stock Pixel is still on Widevine Level 1, the most secure level, but fails SafetyNet because it is unlocked.

(What does "unlocked stock" mean - does the Pixel ship carrier-unlocked? Was it unlocked by calling up the carrier and asking for an unlock, or in some other way?)

erikb 4 hours ago 0 replies      
What I don't understand is what Netflix has from it. Is Google paying them money for that "feature"?
ryanlol 7 hours ago 2 replies      
Why prevent installing the app when you could instead stop specific content from being played?

Surely not all Netflix content is licensed under terms which prevent it from being distributed to rooted devices.

cmurf 6 hours ago 3 replies      
rooted != unlocked

My phone is not rooted. It is unlocked. Netflix app works fine on this phone.

bitmapbrother 7 hours ago 5 replies      
There are going to be people that blame Netflix for this, but it's really not their fault. They didn't even care if people used VPN's to access their service. Pressure from the content providers forced them to do this.
Video Solves Mystery of How Narwhals Use Their Tusks nationalgeographic.com
98 points by clouddrover  16 hours ago   5 comments top 2
erikig 15 hours ago 2 replies      
I wonder how they knew whether this is just one narwhal's or one colony's modified behavior or the behavior of all narwhals. Sea mammals are pretty intelligent, who's to say that this one or this colony hasn't adapted some use for their tusk that is restricted to just them?
ficklepickle 10 hours ago 0 replies      
Fascinating! I wonder if they can move the tusk fast enough to cause cavitation, which could stun the fish, making it easier to catch.
Rejection Letter antipope.org
456 points by cstross  20 hours ago   61 comments top 17
gorhill 18 hours ago 3 replies      
If "Zero Day: The story of MS17-010" is meant to be an accurate report of facts regarding MS17-010, then there is at least one inaccuracy in it:

> someone calling themselves "the Shadow Brokers" leaks a huge trove of classified NSA documents to WikiLeaks, who in turn dump it on the internet.

Shadow Brokers didn't leak to Wikileaks. Shadow Brokers uploaded the trove of NSA documents to `mega.nz`, and someone else downloaded the trove to GitHub[1]. Wikileaks merely tweeted about this after it happened.[2]

Correction: As per well-sourced Wikipedia article[3], this was not the `mega.nz` leak, this was another subsequent one. The main point still stands: Wikileaks has nothing to do with publishing the MS17-010 vulnerability.

Would be nice to stop pushing the false narrative that Wikileaks was involved in that one NSA leak.

[1] https://github.com/x0rz/EQGRP

[2] https://twitter.com/wikileaks/status/850783902616625152

[3] https://en.wikipedia.org/wiki/The_Shadow_Brokers#Fifth_Leak:...

montyboy_us 19 hours ago 5 replies      
Absolutely fabulous. Best part: "NSA hoard their knowledge of weaknesses in Microsoft Windows, a vitally important piece of their own nation's infrastructure, in case they'll come in handy against some hypothetical future enemy. (I'm sorry, but this just won't wash; surely the good guys would prioritize protecting their own corporate infrastructure?"

Yep - way too implausible, even for hacker fiction.

Anyway, sounds like your book was Nostradamus-esque in depicting recent events. Maybe a bit too good :D

HONEST_ANNIE 17 hours ago 0 replies      
"Truth is stranger than fiction because fiction has to make sense to the author. Truth doesn't have anybody to answer to." S. John Ross
ricardobeat 18 hours ago 2 replies      
I still have vivid memories of, as a kid, stumbling upon this network of GeoCities pages about "Echelon" and how the US could read all of the world's email and search for trigger words - and how absurd and tinfoil-hat-y it was made to sound by the rest of the internet.

Having this memory absolutely changed the way I've been viewing NSA related leaks in the past few years.

gumby 15 hours ago 0 replies      
> surely the good guys would prioritize protecting their own corporate infrastructure?"

Let us not forget that used to be part of the NSA's mission. A part that was essentially abandoned early in the 21st century.

For example, the NSA required mysterious changes to be made to the DES s-box; many assumed at the time (as did I) that the agency wanted to weaken security, but it turned out, to quote Bruce Schneier, "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."


gumby 15 hours ago 2 replies      
It's astonishing that Brunner was not only prescient about this event in The Shockwave Rider, but also predicted sophisticated high-tech terroristic attacks in Stand on Zanzibar and The Sheep Look Up.

If you haven't read this trio of dystopian novels (you can read them in any order) you really should. Still mind blowing today.

(Admittedly he wrote them at a time, unlike today, when the US appeared to face an existential threat from terrorism. A threat that of course never materialized).

simonw 16 hours ago 1 reply      
I found this explanation pretty convincing as to why there was such a dumb kill switch embedded in the malware:

"I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they're in a sandbox, the malware exits to prevent further analysis"

From https://www.malwaretech.com/2017/05/how-to-accidentally-stop...

iiv 18 hours ago 1 reply      
I usually like satire, but this felt too obvious. Subtlety is in my opinion a key part of good satire. Otherwise it feels too forced or too in-your-face.

But as the specialist external reader said: "Stross can clearly write workmanlike, commercial prose". I can definitely agree with that!

jseliger 18 hours ago 1 reply      
A funny allusion: "E. S. Blofeld, Editorial Director" likely refers to "Ernst Blofeld," a villain from the James Bond novels.
616c 13 hours ago 0 replies      
It is funny to me no one ever talks about Mark Russinovich of Sysinternals fame and now reigning engineer of Azure cloud systems wrote a novel about such doomsday scenarios before the trend in the last 5 years or so.


That he wrote premier system introspection tools for Windows makes me think he must have been privy to the complexity of such things by colleagues discreetly long before DREAD and SDLC fruits were born out in the Vista/7 era.

mcguire 19 hours ago 1 reply      
"ETERNALBLUE was part of a release of code that also gave us such interesting names as EDUCATEDSCHOLAR, ETERNALROMANCE, and ERRATICGOPHER. Oh to be a fly on the wall at the classified NSA committee meetings discussing the deployment of their weaponized ERRATIC GOPHER ..."

Any one know what the E means in code names? There's a list somewhere, but I can't remember where now.

BugsJustFindMe 19 hours ago 3 replies      
This is fake, right? I'm pretty sure this is fake.
wbillingsley 6 hours ago 0 replies      
You know that technical reviewer's past it. Thirty years ago he was planning world war three from bunkers underneath volcanos, and holding the world to ransom with diamond-encrusted lasers in space. Whereas last year all he could come up with was a grand scheme to become a multinational government IT contractor, while moonlighting a side business clearing derelict buildings for redevelopment.
tempodox 15 hours ago 0 replies      
> ... However, instead of helping Microsoft fix them, we are supposed to believe that the NSA hoard their knowledge of weaknesses in Microsoft Windows ...

> I'm sorry, this is just silly.

This only goes to show that reality doesn't have to make sense to a literature critic. Only novels do.

ComodoHacker 15 hours ago 1 reply      
I must admit I agree with the publisher's review as a whole. What's the point in publishing a fiction hacked together so quickly that it can't withstand any artistic criticism?

Or was it an experiment aiming to show that fiction and documentary are two very different genres? Well then it was successful.

CamperBob2 11 hours ago 0 replies      
And in a matter of hours, the new malware, known as Wanna Decryptor, infects the entire British National Health Service, a Spanish cellphone company, FedEx, and over a third of a million computers whose owners had lazily failed to enable automatic security updates from Microsoft.

Besides the false association of TSB and Wikileaks that others have mentioned, I have a huge problem with this. Someone who gets kidnapped by pirates (The Shadow Brokers) while running from a press gang (Microsoft) is still a victim. Calling them "lazy" is an easy way to avoid the hard work of apportioning blame correctly.

A hell of a lot of that blame goes to Microsoft themselves, for turning an important security update service into a marketing channel. Maybe Stross gets around to pointing that out, but I stopped reading there.

csours 16 hours ago 1 reply      
In case anyone else was wondering if ETERNALBLUE was a code name from the Laundry Files, here's the list: http://thelaundryfiles.wikia.com/wiki/Category:Code_names
Why Are Economists Giving Piketty the Cold Shoulder? bostonreview.net
123 points by objections  15 hours ago   101 comments top 14
reckoner2 13 hours ago 6 replies      
Some thoughts: While working in finance I was able to talk to many people whose work was related to economics. Employees at banks and brokerages, governments and regulatory bodies. Most had heard of Piketty, and many agreed with his basic premises (r>g, and all it entails). His reach actually surprised me.

But I also had contact with academics, and like the article said, it's not so much that academics are refuting Piketty, but that they simply aren't studying the same problems that he is talking about. From what I've been told, a lot of academic work in economics is focused on incredibly unique and specific problems. It isn't "fashionable" to be studying something so broad and perhaps abstract as inequality.

tormeh 13 hours ago 3 replies      
They're not. When The Economist agrees you have a point then you're pretty mainstream. True, some economists are nitpicking on his book because they don't like the conclusion, but the problem Piketty has identified is rarely denied.
ThomPete 1 hour ago 0 replies      
The primary problem economists have with Piketty is not his analysis but his solutions.
stablemap 12 hours ago 0 replies      
I thought the author would mention the new collection of essays After Piketty: The Agenda for Economics and Inequality, particularly since he is one of the editors.

enraged_camel 14 hours ago 5 replies      
I read Piketty's book, and some of the critical response. In my semi-educated opinion (I only have a Bachelor's in Economics), the criticisms failed to poke a hole in his main argument: that capitalism as a system is unegalitarian because it allows wealth to grow faster than economic output, resulting in increasing amounts of income inequality over time.

>>But perhaps the greatest rebuke of Piketty to be found among academic economics is not contained in any of these overt or veiled attacks on his scholarship and interpretation, but rather in the deafening silence that greets it, as well as inequality in general, in broad swathes of the field, even to this day.

The reason for this deafening silence is simple: the truth revealed by Piketty is inconvenient, and there are no easy solutions.

Mikeb85 13 hours ago 2 replies      
Very few economists I know of disagree with Piketty's conclusions. Everyone knows he's right. But it is a very inconvenient problem, and most economists and leaders have a vested interest in not solving it.
arkis22 12 hours ago 6 replies      
Piketty's idea that r > g leads to wealth inequality just makes me shrug. You can't really have it another way.

If r (the rate of return on capital) is less than g (the growth in output) that means that people have no incentive to build wealth or become more intelligent to deploy that capital more profitably. If I'm never going to make more than the growth in output, why bother with capital?

The logical conclusion to that would be that everyone wants to be an employee and nobody wants to be an employer.

If I can grow my wealth more quickly than the nation's output, I'm grabbing a bigger slice of the pie. The hope with capitalism is that I'm grabbing that pie because I've earned it and the market hopes I'll be able to steward that wealth.

So yeah, capitalism may be inherently inclined to wealth inequality because some people outperform. But do you really want it another way?

There certainly is wealth inequality in the world, but it isn't actionable to blame it on r > g. It's more effective to look at things on a micro basis. Does this person have a child that is prohibiting them from saving? Why is the person being excluded from jobs? Do they have a proper education?

mtgx 13 hours ago 0 replies      
For the same reason they gave Sanders the cold shoulder, without actually doing any real analysis of his plans.

antisthenes 5 hours ago 0 replies      
This is a clickbait title and should be changed.
doggydogs94 12 hours ago 0 replies      
Professional economists are under no special obligation to study Piketty's work just because it is popular.
ewanmcteagle 10 hours ago 1 reply      
The uniformity of thought here is somewhat concerning to me. Here is a detailed review of Piketty by an academic who disagrees: http://www.deirdremccloskey.org/docs/pdf/PikettyReviewEssay....
bpodgursky 14 hours ago 3 replies      
Why are climate scientists giving Scott Pruitt a hard time?

Saying what people want to hear does not make you a good researcher. They don't take him seriously for the same reason we don't take young-earth creationist researchers seriously. It's not good research.

Edit: I'm not an economist, and I'm not going to do justice to the criticisms (which aren't hard to find), but fine, here are links:

joeblow9999 5 hours ago 1 reply      
His work depends entirely on a normative judgement that inequality is a bad thing. Those of us who do not believe that can dismiss him.
Fuzzing Irssi irssi.org
129 points by jbisch  20 hours ago   13 comments top 3
gshrikant 16 hours ago 5 replies      
I'm new to fuzzers and fuzz testing in general so I apologise for my ignorance about the purpose of fuzzing. My understanding is that fuzzing tests the user facing side (which is what is important for most programs). Does there exist similar tooling for testing the system-facing side (i.e. the stack below your application) to check your application's error handling, for example, and uncover corner cases? What I'm getting at is something like syzkaller but for userspace, so library functions beneath your application would return wrong values and you get to see how your application responds to them.

Sorry for the bad English.

Kali909 4 hours ago 2 replies      
This fuzzing is interesting stuff. Does anyone know of an in-process or otherwise lib for the JVM? Findbugs is mentioned in here but I'm not sure if that does fuzzing (maybe a plugin?).

Seems in my mind to be a nice complement to achieving code-coverage with testing i.e. whereas unit/integration testing might test the various code paths with a few good/bad values, this then throws every possible input value at them to see what breaks.

yjftsjthsd-h 19 hours ago 2 replies      
This notes that they disabled reading config files in order to own life as the default setup. I assume that with more time it would be wise to try and fuzz as many configured options as possible as well?
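Since the thread discusses both input fuzzing (Kali909's description) and fault injection below the application (gshrikant's question), here is one added example that does both in-process. It is not code from irssi or from the linked post: the IRC-line parser, the mutation loop and the malloc hook are all constructed for this example, and the seed line is made up. The parser is deliberately tiny; the point is the two harnesses around it: a deterministic mutational fuzzer that checks parser invariants, and a driver that fails each allocation in turn (the same idea LD_PRELOAD-based fault injectors apply to libc) and checks the parser backs out cleanly instead of crashing. Build with ASan/UBSan (-fsanitize=address,undefined) to have memory errors and leaks reported as well.

```c
/* Added example (not irssi code): a constructed IRC-line parser, a seeded
 * mutational fuzzer for it, and a malloc fault-injection hook. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_PARAMS 15

/* --- fault injection for the layer below the application ----------------- */
/* Every allocation goes through this hook. When fail_after >= 0, allocation
 * number fail_after (0-based) returns NULL, as a fault injector would. */
static long fail_after = -1;
static long alloc_count = 0;

static void *fi_malloc(size_t n) {
    long idx = alloc_count++;
    if (fail_after >= 0 && idx == fail_after) return NULL;
    return malloc(n);
}

static char *fi_strndup(const char *s, size_t n) {
    char *p = fi_malloc(n + 1);
    if (!p) return NULL;
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* --- the code under test: "[:prefix] COMMAND [params] [:trailing]" -------- */
typedef struct {
    char *prefix;              /* NULL when the line has no prefix */
    char *command;
    char *params[MAX_PARAMS];
    int nparams;
} irc_msg;

static void irc_free(irc_msg *m) {
    free(m->prefix); free(m->command);
    for (int i = 0; i < m->nparams; i++) free(m->params[i]);
    memset(m, 0, sizeof *m);
}

/* Returns 0 on success, -1 on malformed input or allocation failure.
 * On -1 everything allocated so far is released. Length-bounded, so NUL
 * bytes in the input are just bytes. */
static int irc_parse(const char *line, size_t len, irc_msg *out) {
    memset(out, 0, sizeof *out);
    size_t i = 0, s;
#define SKIP_SP() while (i < len && line[i] == ' ') i++
#define FAIL() do { irc_free(out); return -1; } while (0)
    if (i < len && line[i] == ':') {           /* optional prefix */
        s = ++i;
        while (i < len && line[i] != ' ') i++;
        if (i == s) FAIL();
        if (!(out->prefix = fi_strndup(line + s, i - s))) FAIL();
    }
    SKIP_SP();
    s = i;                                      /* command is mandatory */
    while (i < len && line[i] != ' ') i++;
    if (i == s) FAIL();
    if (!(out->command = fi_strndup(line + s, i - s))) FAIL();
    for (;;) {                                  /* parameters */
        SKIP_SP();
        if (i >= len) break;
        if (out->nparams >= MAX_PARAMS) FAIL();
        if (line[i] == ':') { s = ++i; i = len; }          /* trailing param */
        else { s = i; while (i < len && line[i] != ' ') i++; }
        char *p = fi_strndup(line + s, i - s);
        if (!p) FAIL();
        out->params[out->nparams++] = p;
    }
    return 0;
#undef SKIP_SP
#undef FAIL
}

/* --- mutational fuzzing of the user-facing input -------------------------- */
static uint32_t rng_state = 12345;              /* fixed seed: runs reproduce */
static uint32_t rnd(void) {                     /* xorshift32 */
    uint32_t x = rng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* One random mutation: bit flip, protocol-interesting byte, delete, duplicate. */
static size_t mutate(unsigned char *buf, size_t len, size_t cap) {
    if (len == 0) { buf[0] = (unsigned char)rnd(); return 1; }
    size_t pos = rnd() % len;
    switch (rnd() % 4) {
    case 0: buf[pos] ^= (unsigned char)(1u << (rnd() % 8)); break;
    case 1: buf[pos] = (unsigned char)" :\r\n\0"[rnd() % 5]; break;
    case 2: memmove(buf + pos, buf + pos + 1, len - pos - 1); len--; break;
    default: if (len < cap) { memmove(buf + pos + 1, buf + pos, len - pos); len++; } break;
    }
    return len;
}

/* Fuzz the parser from `seed` for `iters` rounds; returns how many mutated
 * lines it accepted. The checks are parser invariants; sanitizers catch the
 * memory errors that a real fuzz campaign is actually hunting. */
static long fuzz_parser(const char *seed, long iters) {
    unsigned char buf[512];
    size_t len = strlen(seed);
    if (len > sizeof buf) len = sizeof buf;
    memcpy(buf, seed, len);
    long accepted = 0;
    for (long n = 0; n < iters; n++) {
        len = mutate(buf, len, sizeof buf);
        irc_msg m;
        if (irc_parse((const char *)buf, len, &m) == 0) {
            if (!m.command || m.nparams > MAX_PARAMS) abort();   /* invariant */
            accepted++;
            irc_free(&m);
        }
        if (n % 64 == 63) { len = strlen(seed); memcpy(buf, seed, len); } /* reseed */
    }
    return accepted;
}

/* Fail allocation 0, then 1, ... until a parse succeeds; the parser must
 * return -1 cleanly each time. Returns how many injected failures it survived
 * (which equals the number of allocations a successful parse needs). */
static long inject_alloc_failures(const char *line) {
    long survived = 0;
    for (long k = 0; ; k++) {
        irc_msg m;
        alloc_count = 0; fail_after = k;
        int rc = irc_parse(line, strlen(line), &m);
        int hit = alloc_count > k;              /* was allocation k requested? */
        fail_after = -1;
        if (rc == 0) { irc_free(&m); break; }   /* all allocations succeeded */
        if (!hit) break;                        /* malformed line, not injection */
        survived++;
    }
    return survived;
}

int main(void) {
    const char *seed = ":nick!u@h PRIVMSG #chan :hello world";   /* constructed */
    printf("accepted %ld mutated lines\n", fuzz_parser(seed, 10000));
    printf("survived %ld injected malloc failures\n", inject_alloc_failures(seed));
    return 0;
}
```

The allocation-failure driver is the userspace analogue of what the question asks for: instead of mutating the input, it mutates the answers the layer below gives, and the property under test is that every error path releases what it holds. Swapping fi_malloc for a dlsym(RTLD_NEXT)-based LD_PRELOAD shim generalises the same loop to an unmodified binary.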
Report warns computers may threaten constitutional rights (1982) archive.org
96 points by dredmorbius  16 hours ago   25 comments top 10
gcr 11 hours ago 1 reply      
You can read this issue as a PDF by clicking on the gear icon. This article begins on page 296 of the PDF (page 294 as numbered by the magazine.)

Here is a direct link: https://ia801705.us.archive.org/12/items/80_Microcomputing_I...

quadhome 15 hours ago 1 reply      
noobermin 15 hours ago 2 replies      
I feel like there needs to be a serious and public debate over the bill of rights and the power of government moving forwards into the future.
marchenko 14 hours ago 1 reply      
The prescience:wordcount ratio in that article is incredible. If I may ask the OP: how did it come to your attention?
tunap 15 hours ago 1 reply      
Relevant & cogent discussion from 1981 Nightline I found on Obscure Media sub-reddit just yesterday. Jobs makes some spot on predictions but managed to avoid speaking too directly on privacy. The author is not nearly as charismatic nor accustomed to speaking on camera/in public... and makes some validated predictions, too.

Intro is a good watch for nostalgia and perspective; relevant Jobs interview starts @ 4:20.

valuearb 9 hours ago 0 replies      
32K of storage for only $299? Wow, just what my color computer needed.
mtgx 15 hours ago 1 reply      
I wonder if the people who wrote the report were also considered cuckoo crazy conspiracy theorists then (as Richard Stallman has been since around the same time).

Good thing they gutted it in 1995, I guess. Congress didn't want the public to find out about such facts.

> Criticism of the agency was fueled by Fat City, a 1980 book by Donald Lambro that was regarded favorably by the Reagan administration; it called OTA an "unnecessary agency" that duplicated government work done elsewhere. OTA was abolished (technically "de-funded") in the "Contract with America" period of Newt Gingrich's Republican ascendancy in Congress.

> When the 104th Congress withdrew funding for OTA, it had a full-time staff of 143 people and an annual budget of $21.9 million. The Office of Technology Assessment closed on September 29, 1995. The move was criticized at the time, including by Republican representative Amo Houghton, who commented at the time of OTA's defunding that "we are cutting off one of the most important arms of Congress when we cut off unbiased knowledge about science and technology".[1]

> Critics of the closure saw it as an example of politics overriding science, and a variety of scientists such as biologist PZ Myers have called for the agency's reinstatement.

dredmorbius 16 hours ago 0 replies      
"Civil rights in the future could be threatened by a bloodless adversary -- the computer.

"That's the opinion of the Congressional Office of Technology Assessment in a 116-page report released late last year.

"'Extensive data collection and possibly surveillance by government and private organizations could, in fact, suppress or 'chill' freedoms of speech, assembly, and even religion by implicit threats contained in such collection or surveillance,' the report said....

"[T]he use of an electronic funds transfer system to gather the same type of information would be far more intrusive, since much more data, some of it of a highly personal nature, could be collected in secret."

John P. Mello, Jr., writing in 1982.

blazespin 10 hours ago 0 replies      
The rich can win trials... "Before a trial, attorneys for both sides routinely obtain the names of potential jurors on the day of jury selection. It's now possible using big-data sources to flag or score potential jurors on certain factors (fiscal and social ideology, for example, or attitudes relevant to liability or damages), enabling lawyers to make exceedingly nuanced strikes."
dredmorbius 14 hours ago 1 reply      
For those interested in early explorations of computers, rights, and privacy, there was another large survey article published in a magazine ... sometime in the early 1970s which for the life of me I cannot find now.

It detailed government and business computer use, and was early, closer to 1970 than 1980 as I recall. Several pages, fairly prescient and well written.

If anyone can recognize the piece from an admittedly vague description, I'd appreciate a link. I've seen it online, if that helps.

A focus on the exceptions that prove the rule (2006) ft.com
28 points by mercer  15 hours ago   7 comments top 4
gumby 12 hours ago 0 replies      
Amazingly by Benoit Mandelbrot and Nassim Taleb.

(This is from 2006 btw but quite relevant)

teddyh 4 hours ago 1 reply      
> 30m kg

That's a weird notation. I would have preferred 30.000 metric tons.

SomeStupidPoint 9 hours ago 1 reply      
Is there a good place to read up more on the "fractal" distribution idea?

I assume at least some work has been done in the last 10 years.

Treble: A modular base for Android googleblog.com
400 points by chickenbane  1 day ago   206 comments top 28
sorenjan 1 day ago 3 replies      
Finally, can't believe it took them this long. The sorry state of the update situation is one of the worst things about Android. Next step would probably be to provide an API to the OEMs so they can add their "value add" functionality as apps, so Google can push updates to all phones regardless of hardware drivers and OEM modifications. And maybe make it possible to update emoji via the Play store, instead of needing a new system update. I don't like the blank boxes in messages from my iOS friends.

I wonder if this means that Google will lead by example and prolong the time they deliver updates to their own phones. They don't guarantee new updates to their current Pixel phones after October 2018 [0], which is not good enough.

[0] https://support.google.com/pixelphone/answer/4457705?hl=en

demarq 1 day ago 5 replies      
"device makers can choose to deliver a new Android Update"... "can choose".

Preferably they shouldn't be able to choose. Google should be in charge of updates and manufacturers should have to make a special effort to prevent an update. i.e if they are certain that an update will brick their device they would then make a formal request to google not to send the update to their devices.

ibic 38 minutes ago 0 replies      
Android finally adopted the approach of Windows on PC - OS maker dictates the software pieces on all devices, the device makers only create the hardware and write drivers (optionally, some bloatware). I believe this is the right/better approach, and it solves not only the Android update hassle, but more importantly the fragmentation issue.
slackstation 1 day ago 1 reply      
This should usher in a new era of cheap phones that upgrade immediately to the newest version of the Android OS.

It lowers the price floor for a shiny new phone. All of these additional features are expensive to create but, they are differentiators. With this, Google has the ability to push more new features on the base OS. By conforming to this standard, Google make it easier for them to compete with all of these manufacturers' features.

Now it's up to them to make compelling reasons to upgrade their phones beyond apps. I see things like Google Assistant, Mapping, etc. being more integrated into the OS so that you are always in the Google system no matter what app you are currently in.

This is a big and brilliant win if they can first pull it off technically and then pull it off with compelling services. They certainly look like they are investing heavily in both.

I look forward to a $99 or $199 (or $49 if you can stomach sketchy Chinese phones) phone that just keeps getting better and better and better for free as long as the phone works. This also makes a very compelling thing to make the phone into a computer once the battery can't hold a charge, etc. Take the guts or use some kind of USB->HDMI out and make it into a TV app or a digital mirror or another internet station somewhere.

Brilliant move Google.

cwyers 1 day ago 2 replies      
I am amused that their graphical representation of the Android version customized for a particular model of phone is "Android mascot dressed up in a really cool spacesuit looking thing" and not "Android mascot with bags of trash stapled haphazardly to him," which would probably be more accurate.
GordonS 1 day ago 8 replies      
Do vendors actually want to let users update the software on their devices though?

I would have thought new shiny software was a nice incentive to get customers to upgrade to a new phone?

therealmarv 1 day ago 1 reply      
Maybe we can benefit from this in 2 or 3 years? I'm very pessimistic... it takes LOOOOOOONG before vendors will look into Android O and the interfaces and the first generation benefiting from this will be earliest Android P updates. And do not forget: This whole process does not reduce testing time and the carriers might also look for long testing on updates ;)
julioneander 1 day ago 1 reply      
If Google actually implements a way of pushing those underlying Android updates directly to the phones then I think they might actually be successful. If Google end up still relying on the manufacturers and carriers to push those updates out, then what incentive will they have to keep the phones updated?
dmitrygr 1 day ago 0 replies      
This removes one of the main excuses various vendors use for not providing Android updates. I truly hope this works in helping users always be up to date.
cjhanks 1 day ago 1 reply      
It is my opinion that Google does not view Android as simply "an operating system for phones". Android has tremendous application in IoT devices and appliances. The lifecycle of many applications is quite a bit longer than the cell phone.

As we see an increase in the diversity of applications using Android, this upgrade path will be very important. Just wait until you see your first ATM or POS system "Powered By Android ".

sandGorgon 1 day ago 1 reply      
is this a hypervisor ? I'm kind of wondering about the abstractions here... is this replacing the bootloader with a kind of bootloader+hypervisor and the actual OS loads on top of the hypervisor ?

Their abstraction with the camera2 and hal3 was a small step in this direction. any camera with these abstractions would be able to use RAW imaging.

afeezaziz 1 day ago 0 replies      
For someone that is considering Android, coming from iOS, this is a brilliant idea that should have been implemented long ago.

For example, a lot of Android phones are running 4.4 and 5.0 in this part of the world. Those versions are pretty bad and the people that bought Android 4.4 and 5.0 actually do not know what they are missing and how to actually update their OS since there is no way for them to do that for now.

I hope that with this Treble, there will be a lot more Android phones(from Chinese makers) that can update base Android OS to the latest one much more frequently.

blinkingled 1 day ago 0 replies      
So this will get users on to the next Android Framework version but if there are security bugs in vendor implementation or underlying firmware it'll still continue to be problematic for users. But it will solve the PR problem for Google if OEMs and Carriers update the framework version quick enough - the question raised mostly by tech pundits - when am I going to get the next update to Android - will have a satisfactory answer.

Not to say this isn't a huge step forward from status quo - if vendors contribute features and fixes to MediaServer and everybody uses the same implementation it will be much easier to update it for all vendors.

What still sucks is this is not going to be Google that will update the Android framework - it's still OEMs and the carriers.

neuromancer2701 1 day ago 1 reply      
This would seem to allow security updates at a faster rate, but the linux kernel will forever be abandoned to hardware vendor whims aka still on 3.10.X
chrisballinger 1 day ago 2 replies      
Would this help projects like LineageOS (formerly Cyanogenmod) maintain ongoing support for older devices?
EddieRingle 1 day ago 0 replies      
I discovered this back in March. This is pretty exciting!

Now all we need is to have Google distribute the framework over the Play Store instead of relying on OTAs, and all will be right with the world.

exabrial 1 day ago 1 reply      
speaking of Android: How about switching to the JVM/OpenJDK to keep pace with modern Java? Maybe deliver CDI as a standard feature?

Also, how about using cgroups instead of the custom security model? Maybe we could get reuse out of Google's security patches for Linux, and they could benefit more from the community.

joshmarinacci 1 day ago 0 replies      
I think this will be pretty successful. Ultimately the manufacturers want to do as little software work as possible. If Project Treble gives them easier/less work to do, then they will adopt it quickly.
amluto 1 day ago 0 replies      
One potential side benefit of this type of work: vendor kernel drivers tend to be insecure buggy pieces of crap. Vendor Treble drivers will surely still be insecure buggy pieces of crap, but they might be sandboxable. If Google really has its eyes on the Magenta kernel, I imagine that Treble will be runnable in user mode, so I bet it really will be sandboxed. This would be a huge win.
asciimo 1 day ago 0 replies      
I wonder if this will make it easier to circumvent the vendor layer entirely--jailbreak without replacing the OS?
bsharitt 1 day ago 0 replies      
Neat, Google has released this year's fix for Android updates. I can't wait to see what next year's fix looks like.
drewg123 1 day ago 0 replies      
How much of the update problem is due to vendor customized UIs and apps, and how much is due to not upstreaming driver support for their hardware?

Which of these problems will Project Treble solve? Eg, have they actually added a stable driver KBI? Or pushed drivers to userspace? Or is this just about GUIs?

pasbesoin 1 day ago 0 replies      
"...they'll be no [Treble] at all!"

-- Scotty, in The Trouble With Tribbles

What was the previous "vendor integration" initiative? How long did it last? Two years? Or was it one.

Lack of vendor buy-in. Combined with Google's ADHD project support.

Nice idea, but color me skeptical.

I don't see anything that hints at a change in the fundamental cost/benefit that's driving the current mess.

Maybe I'm just projecting cynicism, because I'd actually like to be proven wrong. And bad press seems to be the only external influence on Google, that actually gets through.

ReverseCold 1 day ago 0 replies      
Took them long enough.
ocdtrekkie 1 day ago 3 replies      
It's incredible to me how long it took Google to realize this was their fault. A lot of people here have bought the "blame the OEM" nonsense for a really long time, and you can see the comments here reflect that.

But in reality, there's a huge expense to all the work of updating devices to support Google's rapid change cycle for dozens or hundreds of different models, and the problem stems first and foremost from that lack of abstraction layer.

This is likely a first step to finally catching up to Windows Mobile: Making the core OS upgrade come straight from the actual OS developer, so that the company that writes the code is actually the one that updates the code.

TwoNineA 1 day ago 3 replies      
You can't fix a business/greed problem with technology.
scotu 1 day ago 2 replies      
that's cute. It's like Google doesn't get that hardware manufacturers need to sell you hardware... Am I missing something?
tarikozket 1 day ago 2 replies      
Seems like Google is trying not to lose Samsung: https://9to5google.com/2016/06/13/report-claims-that-samsung...