It's probably better, and not more work, to create a security group that only allows:
* UDP on port 1194 (OpenVPN server)
* TCP on port 3389 (Remote Desktop)
* ICMP (for ping)
There's one problem though, and it's latency: even 50ms will feel very laggy. We need more decentralized data centers! With a data center in each city you could get latency down to less than a millisecond.
I think the next digital revolution will be low latency, and a flora of new services coming with it.
I was a little surprised by the cost as well. At the rate that I'm gaming these days it would be like $10-20 per month, that's pretty damn good (price of games not included obviously).
While I respect and find the technology fascinating and cool, it feels like leasing a car I'll never own versus owning and even buying a new one every few years at a much lower price. For those who game a few hours a week however, I can see this being a cheap alternative to a gaming rig.
However, one thing I would be extremely wary of is running your Steam account from AWS or any other server environment. The last thing you want is to get flagged as a bot or VPN abuser and banned; Valve customer support isn't exactly known for being particularly understanding or responsive. Personally I would just load up a throwaway Steam account with a few games and use that.
Does anybody know much about the EC2 hyper-visor schedulers or in the case of large instances, does it even run with a serious hypervisor?
But don't they pull the instance out from under you if someone outbids you? Does anyone have experience with that?
And one more question - how is the performance? The OP shows screenshot of game running in 1280*800, but that might be because of the macbook resolution. Can it do fullhd or 4k?
I wrote a simple script (https://github.com/zachlatta/dotfiles/blob/master/local/bin/...) to really easily spin up and down the machine I set up for game streaming.
Has anyone managed to script something where you just press a button/run a local script and it does all the work, including saving your image to EBS before you turn the thing off and stop paying for the instance?
It uses the same in home streaming feature of steam.
This is such a cool idea, makes me realize what other creative solutions are just lurking, ready to slap me across the face.
I also applaud Reddit's announcement for calling the community out on their childish BS:
> As a closing note, it was sickening to see some of the things redditors wrote about Ellen. The reduction in compassion that happens when we're all behind computer screens is not good for the world. People are still people even if there is Internet between you. If the reddit community cannot learn to balance authenticity and compassion, it may be a great website but it will never be a truly great community. Steve's great challenge as CEO will be continuing the work Ellen started to drive this forward.
All in all, a good day I think.
Even if she wasn't the right person (I don't know), all the worst elements of the site are going to see this as a victory for their awful behavior and it's going to get worse.
The people who attacked her with sexism and comments about her personal relationships. The people who supported FPH even though they were attacking people in real life and off Reddit, not just posting comments in their personal corner of 'discussion'.
She didn't do a good job of it, but at least she tried to stand up against some of the worst of Reddit.
I worry heavily that if the new person doesn't draw a clear line at the start things are going to get a lot worse in terms of hate/abuse/harassment.
EDIT: After posting this I saw Nilay Patel tweeted basically the same thing: https://twitter.com/reckless/status/619620964658245632
What exactly "phenomenal" has she done? Reddit works pretty much the same as it worked several years ago, but in the meantime she managed to piss off the majority of community, which is the only reason Reddit exists
> So why am I leaving? Ultimately, the board asked me to demonstrate higher user growth in the next six months than I believe I can deliver while maintaining reddit's core principles.
This is believable because there have been odd business decisions under her watch, not just policy decisions. RedditMade, one of the intended revenue-generating models for Reddit, failed while she was interim CEO. Alienating /r/IAMA probably did not help.
I personally don't believe she had the right qualifications to lead a community-driven site like reddit as it is today, but would have the right qualifications if reddit was going to start making a serious pivot to a more lucrative money making direction via commercial partnerships, advertising, etc.
Reddit may still go that direction, but Huffman won't have the same baggage weighing him down.
(note: this will also likely feed the conspiracy that her turn in the head office was a convenience for her lawsuit, now that she lost, she has no reason to stay in that position)
I agree with other comments chastising the community for the racist/sexist/whatever nature of lots of the negative comments against her. It was childish and dangerous. She had enough issues worthy of reasonable criticism that it wasn't even necessary.
I think this is a good thing for reddit.
From where I was sitting, it seemed like no one actually learned the full story, which might be confidential or take time to contextualize/safely explain, and everyone immediately threw it on Pao's lap and downvoted any holding maneuvers she and the rest of the staff tried to attempt. It was poorly handled, sure, but it seems like there was a lot of finger pointing before anyone knew what was actually happening. For that matter, do we even know now?
If I'm wrong, though, happy to correct my ideas here. (grammar edit)
This is clearly nonsense, otherwise there wouldn't have been a grassroots campaign to remove Ellen Pao from her role.
If Sam Altman honestly believes that Ellen did a "phenomenal" job, he should reconsider his own position at YCombinator.
With the exception of a few niche subreddits and the (few) incredibly moderated major subreddits, the whole place has become a negative pit with horses beaten so badly to death Findus put them in their lasagna.
Twitter often feels the same way as well (I'm pretty much at the unfollow as soon as someone acts like an idiot stage now).
Ironically the only social network I don't hate is Facebook and that's because I have about 20 people I consider true friends on there, all signal no noise.
So she made a bad decision. Big fcking deal.
"She's killing the community!". Well, if your idea of 'community' is making public rape threads (while you use a throwaway) and threaten to kill a person, then maybe your community deserves to die.
Reddit has a lot* of good. I've been there long enough to see it. But it has a lot of absolute low-lifes clogging its sewers as well.
Time will tell. IMO, the problem at hand is that reddit is still trying to make advertisers their bread and butter. And advertisers will never be overly attracted to censorship-free spaces.
Even though I may not agree with her aggressively politically-correct agenda (nor does most of reddit), I think it may have been a smart move from a business dev. perspective.
Does this mean that the board thought Pao was being too aggressive in pushing growth or not aggressive enough? If it's the latter then the Reddit community is in for a shock.
Reddit has enough data and skill to identify approximately the percentage of users who engaged in this type of behaviour at the very least.
I'd rather see the numbers myself than read a press release simply stating something and being asked to believe it.
Cool, I guess. But after having spent some time on voat.co I think reddit will get less and less of my attention (not that anyone gives a shit about me but I suspect I'm not alone).
Reddit's management has destroyed any sense of trust I had in Reddit (I'm looking at you /u/kn0thing, it's not just Ellen, my understanding is you fired Victoria, right? And then grabbed popcorn [I know, cheap shot, but it appears like you really fell out of touch]).
It appears that it is all about making money which I think is going to be the end of Reddit for some of us. Reddit could have a decent revenue stream on reasonable ads but that wasn't enough, it had to be more. That is really troubling because the next thing you might decide to "monetize" is what each of your users reads. That would make the NSA look like amateurs and would be a massive invasion of privacy. It would also be very easy to monetize. Given all that has been going on, it would appear to be just a matter of time before "user optimized marketing" appears.
Welcome back but the existing management has dug you a mighty big hole. I don't trust you any more.
Notice how they didn't mention anything about reverting the bad changes to the website. ;)
@sama, how do you explain this claim without ignoring the community's enormous support for Victoria Taylor?
Response to material: http://www.buzzfeed.com/charliewarzel/reddit-is-a-shrine-to-...
Food for thought: https://www.facebook.com/psiljamaki/posts/10153334440110516?...
Now, if Victoria is coming back too - that would be 200% the right move for reddit!
But neither of these stories really fit the information we have right now. Both of them fit some of it, and look realistic unless you look at the whole picture.
The best conclusion we can have here is that we don't actually know what's _really_ going on, just a bunch of facts and a couple of theories.
I didn't even know who she was until "the last few months." Which have been a parade of increasingly-negative press and idiotic behavior. And that's from reading Reuters and the NY Times -- I don't even use Reddit.
Sam Altman, a member of Reddit's board... "Ellen has done a phenomenal job, especially in the last few months," he said.
(note: there is nothing about her sex here - just read the case materials and you'll see that she behaved just like a jerk at Kleiner - for God's sake, she complained there that some assistant was using the company fax to send brain scans of a mother dying from cancer)
When do we hear "so and so CEO did a horrible job and was forced out by the board."? Never. So are we to believe there is no such thing as a terrible CEO? Will we hear Sam saying "We made a terrible decision putting her in charge."? Never. Even if it was the actual truth.
Pao does not get a pass on this dynamic for being a woman.
Reddit users just wore it on their sleeves and trying to suppress them was silly.
It might turn into DIGG 2 pretty fast and might not recover.
The investors and the "community" are just too far apart on this.
Friendly reminder that if you are using downvotes for disagreement then you are doing it wrong.
Is everyone using the same source? There's a lot of doge in there along with that bird that always pops up. Why are faces so prominent? Is that an artefact of the training data or inherent in the algorithm? I would guess the former.
(link to youtube version below) https://www.youtube.com/watch?v=oyxSerkkP4o
If this is correct, I guess that means passwords were stored in cleartext or reversibly encrypted. That is either epic stupidity, or someone wanted to keep passwords of potential employees so they could use them elsewhere.
Remember folks, this is only the torture that we know. There are dozens of CIA black-sites around the world about which we know next to nothing. It is not too hard to imagine a regime that can torture people via waterboarding can also torture people by, say, forced heroin withdrawal and then just kill them.
Just goes to show, the only morality is that of the victor.
Why I Am Not a Member of the American Psychological Association - http://www.chalquist.com/apa.html
EMAILS REVEAL CLOSE RELATIONSHIP BETWEEN PSYCHOLOGY GROUP AND CIA - https://firstlook.org/theintercept/2015/04/30/emails-show-cl...
It's because of people like him that we know about this at all.
He put his life on the line for us. Only he was imprisoned. The torturers [1,2] are still free.
Until there are consequences to torture it will continue to happen, and Kiriakou's sacrifice will be in vain.
Think about what the pizza delivery man has done for you, and compare that to what Kiriakou did for us all.
Consider sending him a monetary thank you for his service to you, to our country, and to humanity. I did.
> The APA official who led this behind-the-scenes coordination with the DoD officials was the Ethics Director, Stephen Behnke, and the key DoD official he partnered with was Morgan Banks, the chief of psychological operations for the U.S. Army Special Operations Command and the head of the Army SERE Training program at Ft. Bragg. During the task force's pre-meeting communications, during its three-day meetings, and in preparing the task force report, Behnke and Banks closely collaborated to emphasize points that followed then-existing DoD guidance (which used high-level concepts and did not prohibit techniques such as stress positions and sleep deprivation), to suppress contrary points, and to keep the task force's ethical statements at a very general level in order to avoid creating additional constraints on DoD. They were aided in that regard by the other DoD members of the task force (who, for the most part, also did not want ethical guidance that was more restrictive than existing DoD guidance), and by high-level APA officials who participated in the meeting.
> Other leading APA officials intimately involved in the coordinated effort to align APA actions with DoD preferences at the time of PENS were then-APA President Ron Levant, then APA President-Elect Gerald Koocher, and then-APA Practice Directorate chief Russ Newman. Then-APA Board member Barry Anton participated in the selection of the task force members along with Levant, Koocher, and Behnke and in the task force meeting, but was involved substantially less than the others. Other members of the APA executive management group, namely CEO Norman Anderson, Deputy CEO Michael Honaker, General Counsel Nathalie Gilfoyle, and communications director Rhea Farberman, were involved in relevant communications, as described below.
> The other DoD official who was significantly involved in the confidential coordination effort was Debra Dunivin, the lead psychologist supporting interrogation operations at Guantanamo Bay at the time who worked closely with Banks on the issue of psychologist involvement in interrogations. At times, they were coordinating their activities with the Army Surgeon General's Office. There is evidence that Banks was consulting with other military leaders, likely in the Army Special Operations Command and the Joint Task Force Guantanamo, although this was not the focus of our investigation, in part because of our limited ability to access DoD documents and personnel. Another important DoD official involved in some coordination with Behnke was PENS task force member Scott Shumate, a former CIA official who was head of behavioral sciences for a newly-created counterintelligence unit (CIFA) within DoD, which reported to the Under Secretary of Defense for Intelligence.
> For Banks, Dunivin, and others at DoD, the attention on the abusive treatment of detainees as a result of the media disclosures of Abu Ghraib, the torture memos, the DoD working group report, and other related events created uncertainty and worry about whether the involvement of psychologists in interrogations would be deemed unethical. Some in DoD, such as civilians Shumate and Kirk Kennedy at CIFA, were pushing APA to move forward with action that would show support for national security psychologists and help end the uncertainty by declaring that psychologists' participation in interrogations (with some then-undefined limits) was ethical. Others, like military officers Banks and Dunivin, reacted to APA's movement toward the creation of the task force with concern that APA could head in a negative direction if the task force was not properly set up and controlled, and with awareness that this was an opportunity for DoD.
Stephen Behnke. Morgan Banks. Ron Levant. Gerald Koocher. Russ Newman. Barry Anton. Norman Anderson. Michael Honaker. Nathalie Gilfoyle. Rhea Farberman. Debra Dunivin. Scott Shumate. Kirk Kennedy.
* Classifying incoming requests based on various signals to detect DDOS patterns and moving those requests into different request limit zones. It's used in production at a bigger hosting provider.
* Rewriting incoming requests to a certain path of an existing website to a different shared blog hosting provider and changing back HTML/CSS/JS so everything worked. It didn't end up going into production, but it was pretty easy to build in under 100 lines of Lua code.
So when you're bored and want to learn something useful, have a look at http://wiki.nginx.org/HttpLuaModule. It might help you someday.
Story time: Some time ago we developed a CMS for a large art/production company. One of the requirements was that everything must be access controlled, including all assets (e.g. images, videos). The site went live and all was good until one day when, for no apparent reason, our monitoring alerted extreme load and then the site went down. Not so good for a company that sells its tickets online... I got on the phone with them and it turns out that they had started using the CMS to store images used for newsletters, which they sent out to some 200K people that morning. Now normally this wouldn't be such a big problem, but since all images were ACL'd, this meant that instead of serving static files all requests went to the backend and pretty much killed it. The solution we came up with was to move the initial access control check for assets directly to OpenResty using Lua and Drizzle. So whenever a request came in for an image, OpenResty checked if it was public, and only if it was not did the request hit the backend; otherwise it was served directly. Once we pushed this live the load disappeared and never came back.
Also I wrote an init script for it (as we needed one for a DRBD setup). Maybe someone will find it useful, here it is: https://gist.github.com/pwm/d3260804b4ade0d81f29
More on this from dotScale 2015: https://youtu.be/LA-gNoxSLCE?t=7m40s
I've had normal nginx with all the plugins (using the nginx-extras package, I think, from the ppa). No problem with Lua and SPDY at least in my use case (sending rendered HTML snapshots for anything with an HTML mime type).
these can be sampled using Wilson's algorithm for Loop-Erased Random Walks https://en.wikipedia.org/wiki/Loop-erased_random_walk#The_un...
Here is a nice visualization of Wilson's algorithm using d3.js by Michael Bostock (NY Times) http://bl.ocks.org/mbostock/11357811
Either direction is of course the same in theory.
More excitingly than that, you may be able to contribute to OEIS now, if you can work yourself out a few more terms: https://oeis.org/search?q=1%2C1%2C28%2C12600&sort=&language=...
Many brownie points!
If you had privacy concerns about using IPv6 before, they remain, and (presumably) you can still disable it at a systemwide level.
Personally, if you're sophisticated enough to be using a VPN for privacy purposes, you can probably figure out whether or not your given solution supports IPv6.
In addition, I disagree that IPv6 is some sort of abject reduction in privacy. Many households already have a single member, so IPv4 wasn't providing much cover there. And (speaking from some experience) IP addresses aren't the best resource when doing tracking: that's what evercookies and supercookies are for.
It uses the tiles from their online satellite map, and can output images in increments of 1x1, 2x2, 4x4, 16x16 tiles (each tile being 550px by 550px). Here is an example with 2x2
If you have any suggestions or bugfixes, feel free to fork or comment.
EDIT: Also works for a single tile, also clarity.
They do have a cloud service for disseminating the imagery, but only for "official use":
"Until Himawari-8 becomes operational, NMHSs wishing to release Himawari-8 data and products to the public are requested to consult with JMA beforehand."
Edit: Here is at least a tile-zoomer with some sort of realtime access to high-res imagery: http://himawari8.nict.go.jp/
The US has two geostationary weather satellites, which are usually parked roughly over Panama and Hawaii. Neither has good coverage of Japan. Korea's COMS satellite does, though. China has several, including one that's usually pointed roughly at Taiwan. Right now, you can see the hurricane that's due east of Shanghai.
I saw GOES-R http://www.goes-r.gov/ and the pronunciation I heard in my head made me think of Ghostbusters.
It won't because these are geostationary satellites (if I read the post correctly). So you'd need at least 3 of these to get a good image and that's not even considering some of the bigger issues with this. I also don't think the resolution is on par. But the images will be really cool to see.
Link to space labs. https://www.planet.com/story/
a) What would happen if we embraced this and just made all information freely available?
b) Is one of the likely/possible end or transitional states of the human race, all information being freely available and presumably along with it, a more enlightened approach to dealing with it?
c) Are there any good sci-fi books where this is explored?
It makes me mad, but it is not at all surprising. The negligence on government software is crazy. That is on top of the regulations that basically don't allow developers to use new/open source technology.
While new technologies wouldn't have prevented this by themselves, they might have made it easier to encrypt data so the devs would have said, "oh yeah we can do that". Or they might have had defaults that prevent simple things like cross site scripting.
Pretty sure this is unproven and, regardless, had nothing to do with the hack.
On the other hand, if personal and important information about the activities (behind the curtain) of all those politicians, banksters and big corporations, american or not, was accessible to the public, perhaps things would change.
How can you expect the Fed. Govt. to handle things competently when some of the best paid private contractors F' things up too. Security is hard.
What IS a bit surprising is not the fact that they were hacked, but that they actually found out they were hacked. From what I understand, the Fed. Govt. has lost even more important data (like designs for weapon systems), and not even realized it till like years later when the technology shows up in foreign weapons.
This is apparently a living document.
I always felt cryptography was treated as a back room kind of operations. We are all so busy making iOS apps. The real computer science has always taken a back seat.
Hopefully MORE such breaches occur and security receives the kind of investment and respect it deserves.
We are all so focused on this MBA growth bullshit. Time to do some real computer science !
The only way to get ahead of it is to make it so that all private data is public and thus devalued. Privacy creates liability. Visibility creates value.
The problem we have right now is the idea that one entity should have domain over any information. That's what we need to get over. It should be shared- all of it, from bank security cameras down to what you're doing in the shower. When all surveillance is shared, you find that people suddenly get a lot more tolerant, because throwing stones in glass houses isn't helpful.
The Earth is a closed system. We have finite, shared resources. Privacy creates the fiction that it's not a closed system. You think that's how the space station works? Is that how you want it to work? No, you want cameras on everything, because if someone decides to experiment with the CO2 scrubbers, it affects everyone.
The same is true here on Earth. We're now in an age where one person or company or government can single-handedly change the habitability of the entire planet, such as Exxon did in the 80s. That's dangerous.
And meanwhile, there's incredibly valuable, life-saving services and conveniences we can all enjoy if we are open with all our surveillance data. How many lives could be saved or improved if we all had a smartwatch measuring our vitals and our food intake and toilet waste were monitored? That one change could single-handedly resolve most of our healthcare issues in the US.
What we really need instead of privacy is complete visibility coupled with a code of conduct that emulates the benefits we expect from privacy. Just because we can see everything doesn't mean we have a right to bother people with what we know. That's the issue we need to address. By all means, check out whomever in the shower, but that doesn't give you a right to interfere with that person's life by commenting on their genitalia. That's the key ingredient we're missing from the privacy conversation. We like privacy because we equate it with civility and thus freedom.
If someone doesn't know something, then they can't make you miserable with it. But that doesn't really work anymore. Even if someone doesn't know something, big data techniques can interpolate what it is they're not supposed to know. What you're really signing up for with "privacy" is granting visibility to only a privileged few- the spy agencies, the multinational companies, the hackers, and anyone willing to pay for the information.
The title is very much click bait.
But neither of those details changes the fact (I guess, the author does not try to dispute it) that on this stroll, Watt hit upon the key idea which eventually changed the world from muscle- and wind-powered to machine-powered.
A very intellectually stimulating endeavour no doubt, but I expect some more tests before I would call this good science. Claiming that "the new additions appear to improve the alphabet" is simply extrapolation to the nth degree. 
Oh and by the way, when the article claims that
> "the three-biopolymer system may have drawbacks, since information flows only one way, from DNA to RNA to proteins"
that is not correct either. For more information, read up on epigenetics.
 Note that this quote comes from the article, not the original paper. The original paper is not quite as cocky (at least not in the abstract, but I don't have full access).
However, if you assume all sequences are length 3, you still get 64 combinations.
We only use 20 out of that space. And if you look at how base pairs encode to amino acids, for half of them, only the first two base pairs even matter - since it's prefix-free you can guess the amino acid if you see those two and even ignore the third.
Given how underutilized this space is, I'm not convinced that increasing the domain to 216 will lead to much more than the ability to express our current amino acid space with only two base pairs.
(I think I did my math right, but maybe not.)
(edit: thanks duaneb, had my basic bio facts wrong - codons code for amino acids, not proteins.)
Of course, teaching ribosomes to handle them and etc will take a lot of additional work, but identifying promising new amino acids would be a nice and major first step.
Probably will be very useful for synthetic purposes where there isn't too much concern about fidelity after 10 million years of copying.
And as a point of fact, three-base segments of DNA do not have a one-to-one mapping to amino acids. I also believe that a non-standard use of one of the three stop codons can change an encoded methionine to selenomethionine, with similar special cases for other proteins using rare amino acids.
Furthermore, 6^3=216, but that doesn't mean that adding a new base pair can code for that many amino acids. The original set of 4, with 64 possible codons, usually encode for 20 amino acids (excepting special cases as with selenomethionine). mRNA also employs uracil and tRNA adds hypoxanthine. These lead to "wobble pairs" which in turn allow a single tRNA to match several different-but-synonymous codons.
As it stands now, every codon without a matching tRNA would be a different variety of stop codon.
Now, what would be interesting to me is if the P-Z pairs could match some tRNA anticodons that translate stereoisomers of the standard 20 amino acids (or actually just the 19 that are chiral). That way, the D-(KLAKLAK)2 apoptosis promoter sequence could be synthesized directly by the ordinary transcription-translation mechanics of a cell.
> Why nature stuck with four letters is one of biology's fundamental questions. Computers, after all, use a binary system with just two letters, 0s and 1s. Yet two letters probably aren't enough to create the array of biological molecules that make up life. "If you have a two-letter code, you limit the number of combinations you get," said Ramanarayanan Krishnamurthy, a chemist at the Scripps Research Institute in La Jolla, Calif.
This simply isn't true. Even with regular DNA, the word size is 3 nucleotides long... giving you 64 instructions. If I remember my high school biology, only some of these are even used, the rest are duplicates or unused.
Binary would work too, assuming ribosomes and mRNA could expand the word size... you only need 6 bits to do the same as natural DNA.
Is there something I don't know that fixes word size at 3 nucleotides?
How's that going? Seems like progress has slowed.
The moral of this story is: the number of layers and abstractions between our code (even our shell scripts - cron jobs in this case) and the network layer is so large that the most subtle of bugs in one of these layers is a massive pain to track down.
I am in awe of the tenacity of these bug hunters.
The article is pure opinion... and I have trouble believing that a trio of SFU / Okanagan College professors are the top researchers.
Sometimes people are just evil and trying to sugar coat the notion that someone can be evil doesn't make it easier to cope with it. All it does is delude people into thinking we should have respect or love for someone when they do wrong by us and betray our trust. I think it's better to treat a so-called psychopath as an adult (if they are one) rather than as some broken down piece of machinery. At least then, you won't find yourself with your guard down and your judgement clouded by false sympathies.
"even though that flow is unproven in the scientific literature on psychopathy"
So, a lot of speculation with no evidence to back it makes the existence of psychopaths a myth. Further, the article intentionally ignores research that supports the existence of people with their alleged traits, even neurological differences. Pop psychology and religious rhetoric are far from the only things that went into it. So, the article's claims are unbalanced, weak, and defeat themselves for now with above quote.
1. 2 years ago - 340 comments - https://news.ycombinator.com/item?id=6941171
2. 4 years ago - 109 comments - https://news.ycombinator.com/item?id=3094824
All it takes to convert them into adult psychopaths is lack of guidance by parents and a ruthless outside environment.
I would state, without proof, that the number of people who would be labeled as psychopaths (by their behavior, violent nature and lack of empathy) would be larger in third world countries as compared to, say, US, Norway or Sweden... this is going by my personal experience.
> If you're just starting out with a new web application, it should probably be an SPA.
Your reasoning for this seems to be performance (reloading assets), but IMHO the only good reason for using a single-page app is when your application requires a high level of interactivity.
In nearly every case where an existing app I know and love transitions to a single-page app (seemingly just for the sake of transitioning to a single-page app), performance and usability have suffered. For example, I cannot comprehend why Reddit chose a single-page app for their new mobile site.
It's a lot harder to get a single-page app right than a traditional app which uses all the usability advantages baked into the standard web.
You should instead have a security audit with people who have experience in security, so they can help you identify where and why your system is vulnerable. If no one exists on your team/company that does, then hire a consultant.
Security is a hairy issue, and no single blog post/article is going to distill the nuances down in an easy to digest manner.
The thing that everybody seems to overlook here: this has serious legal consequences.
You are demanding of your users that they agree to a set of TOS from a third party, that does not have either their or your best interests at heart, and that could have rather disturbing things in their TOS - such as permission to track you using widgets on third-party sites.
Not to mention the inability to remove an account with a third-party service without breaking their authentication to your site as well.
Always, always offer an independent login method as well - whether it be username/password, a provider-independent key authentication solution, or anything else.
> When storing passwords, salt and hash them first, using an existing, widely used crypto library.
"Widely used" in and of itself is a poor metric. Use scrypt or bcrypt. The latter has a 72 character input limit, which is a problem for some passphrases, as anything after 72 characters is silently truncated.
here's a compressed version: https://www.dropbox.com/s/bw606t7znouxpj1/photo-141847963101...
A CDN seems nice in theory. Reality is: Does the browser have the library cached? Is the library cached from the CDN that I'm using? The browser is making more HTTP requests, which sometimes takes more time to request than to download the library.
I agree that using CDNs is a good speed boost. I'm trying to figure out if hoping for a library cache hit outweighs a library cache miss.
> If you can get away with it, outsource identity management to Facebook / GitHub / Twitter / etc. and just use an OAuth flow.
Questionable advice. At the very least neither of these two are some kind of automatic "best practice" everyone should just follow.
> it can be helpful to rename all those user.email vars to u.e to reduce your file size
Maybe even append an HMAC signature to that parameter with user IP and timestamp. Might be overkill, but still be careful with craftable redirects, they might become a vulnerability one day.
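One way to build the signed redirect parameter this comment suggests, as an added example that is not from the thread; the secret, the 5 minute validity window and the allowlisted host are assumptions:

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumptions (not from the comment): a server-side secret, a 300 second
# validity window and an allowlist of hosts we are willing to redirect to.
SECRET = b"replace-with-a-random-32-byte-key"
MAX_AGE = 300
ALLOWED_HOSTS = {"app.example.com"}


def _mac(target: str, client_ip: str, ts: int) -> str:
    # Length-prefix each field so "a|b" + "c" cannot be confused with "a" + "b|c".
    msg = b"".join(len(f).to_bytes(2, "big") + f
                   for f in (target.encode(), client_ip.encode(), str(ts).encode()))
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_redirect(target: str, client_ip: str, ts: int) -> str:
    """Value to put in the redirect parameter: target|timestamp|mac."""
    return f"{target}|{ts}|{_mac(target, client_ip, ts)}"


def resolve_redirect(param: str, client_ip: str, now: int, default: str = "/") -> str:
    """Return the target only if the MAC (bound to the client IP), the age and
    the destination host all check out; otherwise fall back to a safe default."""
    try:
        target, ts_str, mac = param.rsplit("|", 2)
        ts = int(ts_str)
    except ValueError:
        return default  # malformed parameter
    if not hmac.compare_digest(mac, _mac(target, client_ip, ts)):
        return default  # forged, tampered, or issued to a different client IP
    if not 0 <= now - ts <= MAX_AGE:
        return default  # expired, or timestamp from the future
    host = urlparse(target).hostname  # None for relative paths like "/account"
    if host is not None and host not in ALLOWED_HOSTS:
        return default  # a valid signature still does not buy an open redirect
    return target
```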
OAuth isn't identity management, it's for authorization.
Each of those platforms does provide its own identity management, but that isn't OAuth.
This is terrible advice. Don't do this. Remember what happened when Adobe did this?
... well, no. Technically you don't have to. But you almost certainly should.
ALWAYS USE CRYPTOGRAPHY for communication! Simply doing HTTP to HTTPS redirects is not sufficient. The origin request must be via HTTPS. Also make sure the app is properly validating the HTTPS connection.
Sorry I had to shout, but I'm growing tired of downloading the latest cool app that is marketed as secure only to find that it doesn't use HTTPS and as a result I can hijack the application UI to ask users for things like their password, credit-card number, etc., all without them having any way to tell if they are being asked by some bad guy.
1. Use a widely-accepted framework.
2. Implement your application using that framework's methods.
Why a beginner would implement even 1/3 of this list manually is beyond me.
I'm curious, why is this good? Sure, sending an email to them so they confirm they have the correct email, but what is the benefit of the verification step? Is it to prevent them from proceeding in case they got the wrong email? It would be nice if this was justified in the article.
I would also add that changing a password should send an email to the account holder to notify them. Then when changing the email address, the old email address should be notified. This is so a hijacked account can be detected by the account owner.
> Forms: When submitting a form, the user should receive some feedback on the submission. If submitting doesn't send the user to a different page, there should be a popup or alert of some sort that lets them know if the submission succeeded or failed.
I signed up for an Oracle MOOC the other day and got an obscure "ORA-XXXXX" error and had no idea if I should do anything or if my form submission worked. My suggestion would be to chaos monkey your forms because it seems that whatever can go wrong can. Make it so that even if there is an error the user is informed of what is going on and if there's something they can do about it.
I don't know much about web development, but shouldn't those resources get cached? Isn't the disadvantage of SPAs that you are unable to link to / share a specific piece of content?
Yes there is. It's called Transport Layer Security (TLS).
Smells like an information disclosure highway. I usually 404 all requests that hit "unauthorized" content.
The Internet was built on the premise that you can trust other organisations such as good-willed universities; it was not built for a landscape of internet crime and state-sponsored hackers.
BGP and central certificate authorities are flawed in principle and in this sense. It's very easy to create fake certificates for big organisations if you have the power of a state.
DigiNotar is such an epic fail of a CA, which shows exactly why you cannot trust central trust when there are state hackers at work.
So you either hijack BGP, DNS or a central certificate authority, then you steal people's cookies. Since most do not use two-factor authentication, that is enough to take ownership of their email accounts. Once the email accounts are compromised, all other accounts can be compromised through password resets.
"You remember the RAT we sold you? Yea... That's broken because ... Help us or people might notice." If that's it.. Wow. This whole story gets more fishy by the minute.
Just FYI, this book literally teaches you how to identify security vulnerabilities in modern cars and exploit them.
You can purchase it from Amazon here, or download the book for free in EPUB or PDF.
Many folks have mentioned how the Tesla Model S at least is more of a supercomputing cluster on wheels than a car with some ECUs. I don't know how armored their CAN bus(es) are, but I'm sure the "Attacking ECUs and other embedded systems" is giving some safety engineers white hair.
(of course, everything I've said about Tesla is just about equally applicable to other high-end vehicles. It's just that Tesla are a bit more connected to the traditional software world)
I would have bought the Kindle e-book for sure - Does Amazon allow pay-what-you-want?
To do this on a fresh Ubuntu EC2 g instance there are a lot of steps, but I have tested them and put them all in one place (with links to the original sources and guides). I have CUDA up but not cuDNN, as I haven't found how to legitimately download cuDNN without registering on the NVIDIA website.
Again: credit to the actual creators and all the original guide authors.
You'd also think people rendering movies would input and output PNG instead of JPEGs at 75% quality.
But you'd be wrong.
I appreciate the excitement around this but the people on the fringe hacking this shit together really should be ashamed of themselves. The core is so great! The script kiddie stuff wrapping it is SO BAD! This is perhaps the 15th attempt I've seen at it. Maybe the dumbest one yet.
We have Docker. We have AMI. We have scripts. And... we have people spinning up servers at $2.60/hr where you have to wait an indeterminate amount of time for some marketing intern to enable your NVIDIA developer application.
Google anything related to this technology and you'll immediately see a ton of people having the same three problems over and over. All due to sloppy packaging by people who basically Googlebombed keywords with their half-baked github experiments.
Slapping some half-baked shit onto Github isn't open source. It's littering.
And everyone knows "here's how to install!" walkthroughs never work for more than a week. STOP DOING IT.
It's not about faking anything, it's a question of what information you want to leave for posterity. And frankly I come down pretty strongly against preserving warts for warts sake. As a rule of thumb, commits should be as fine-grained as possible without breaking the build. In my experience more detail than that gives diminishing returns in utility as the signal-to-noise ratio drops and you get overwhelmed with details which only represent a brain fart on the part of the developer, and never had any measurable impact on the project.
"!git checkout `git rev-list --bisect --first-parent`"