It sounds very much like the parent is running a business model very similar to the "one last draw" model Warren Buffet was so successful with earlier in his career.
It might make a lot of sense for the right type of investor, too. The growth won't likely be there in the long term (minus an unlikely resurgence), but revenue will come early, meaning a fast if limited return.
I'd be interested to know what kind of revenue Nasty Gal is doing now, obviously it's not anything like $85m on a price of $20m.
(File under sama's warning about founders falling in love with personal press? http://blog.samaltman.com/the-post-yc-slump)
With regards to market price for a successful attack, I don't think any hash function stands close to SHA-256. And for that reason I think it would be the right choice.
- Truncating to 160-bits still has a birthday bound at 80-bits. That would still require a lot more brute force than the 2^63 computations involved to find this collision, but it is much weaker than is generally considered secure
- Post-quantum, this means there will only be 80-bits of preimage resistance
(Also: if he's going to truncate a hash, he use SHA-512, which will be faster on 64-bit platforms)
Do either of these weak security levels impact Git?
Preimage resistance does matter if we're worried about attackers reversing commit hashes back into their contents. Linus doesn't seem to care about this one, but I think he should.
Collision resistance absolutely matters for the commit signing case, and once again Linus is downplaying this. He starts off talking about how they're not doing that, then halfway through adding a "oh wait but some people do that", then trying to downplay it again by talking about how an attacker would need to influence the original commit.
Of course, this happens all the time: it's called a pull request. Linus insists that prior proper source code review will prevent an attacker who sends you a malicious pull request from being able to pull off a chosen prefix collision. I have doubts about that, especially in any repos containing binary blobs (and especially if those binary blobs are executables)
Linus just doesn't take this stuff seriously. I really wish he would, though.
The first paper from Wang et al, which should've put SHA1 to rest, was published in 2004, the year before the first ever Git version was released. It could have been easy: Just take a secure hash from the beginning.
If he believes that, why does git allow signing tags and commits and why does Linus himself sign kernel release tags? Isn't that the very definition of "using a hash for security"?
* The end of SHA-1 on the Public Web
As announced last fall, weve been disabling SHA-1 for increasing numbers of Firefox users since the release of Firefox 51 using a gradual phase-in technique. Tomorrow [Feb 24th], this deprecation policy will reach all Firefox users. It is enabled by default in Firefox 52.
SHA1 is busted. That impacts some git users. The fix is not invasive. Fix the bug. Make the transition. Move on.
(Yeah, I know this will be read as a plea for monarchy and downvoted. It simply proves my point: people are WAY too subject to errors in the classes (1) "I hate him because he said something 'bad' about something 'good'." and (2) "I hate him because he said something 'good' about something The Tribe now knows is 'bad.')
You just cannot expect everyone to "earn" money while expecting technological progress to continue unabated.
Don't want so many people? Mandate reversible sterilization at birth.
Don't want so many disgruntled and unemployed people? Endorse some form of guaranteed income, or incorporate basic housing, meals, healthcare and internet into the list of undeniable human rights.
We often do not realize how many layers of wealth we had to stand on to possess our current wealth.
If anything they need to get to work developing their country; those shacks are not going to be built by robots.
Fully developed countries on the other hand may face the situation where their country is so well run and have such a high level of automation and specialisation that there is too little work left for the population to be fully employed.
And thus they may lower their pension age, experiment with 30 hour work weeks, sabbaticals, maternity leaves, basic income and so on.
The countries that are closest to this are probably the Scandinavian countries. However at the moment they are all moving towards lower social transfers and higher pension age.
This will go on for a few decades until there is an uprising of sorts, then those with the money will return to giving everyone else crumbs, or just enough to quell the uprisings. This will probably go on perpetually.
Public policy whether implemented by governments or by organizations should test, innovate, change, not just pick an approach and run with it as seems to happen with the largest programs here in the U.S. As far as I can tell there's not been much innovation in the implementation of the safety net since Johnson.
Like anything else humans try to do, there will be bugs, there will be blind alleys, there will be mistakes. Small scale testing is a necessary step so that a working model is ready for larger-scale testing or maybe it'll be found that the implementation will have to have configurations that vary according to local conditions and even just preferences.
I'm a Pacific Northwest guy perhaps out of touch with what Silicon Valley is up to, sometimes I'm critical, but for this initiative, I say thank you. I have no clue how I'd thank anyone for this so just in case anyone involved is reading my comment I would like to express gratitude for doing work that has a high probability of playing a part in making the world a liveable place for my young son and the rest of humanity in the years to come.
By the way, if you've got the chops to beta test UI any chance you could save the Amazon Basin?! Please.
That was my immediate reaction after reading this. What about after the twelve years, when the donors ride off into the sunset? There are some encouraging stories there of participants using the money wisely, but not all will do so. You could argue that nobody is forcing them to participate, but it does seem at least a little ethically questionable. Particularly given the targeted demographic of a rural Kenyan community with (presumably - I could be wrong) low education levels.
Oh, really? Where do we sign up? I'd love to be able to build my business(es) without taking investor funds.
I think that in addition to the money they should help with the following:
1)Education and the ability to get it at will. Financial education should be a priority.2)Entrepreneurship, make sure anyone that wants to start a business knows what to do.3)Security and the enforcement of the law thru a judicial system, both criminal and civil.4)A working financial system. Make sure businesses and people can borrow money.5)A way to go bankrupt that will let people start over. It should not be too painful for both creditors and borrowers.6)A political system that works for the majority.7) Community leadership that works towards the betterment of the town.8)A tax system that will let the town provide items that no single person can provide on their own. It's a reality as painful as they are taxes and their prudent use help improve the community's standard of living.9) Secure property rights. If someone owns something they should do with it what they want without infringing on the community's well being and no one should be able to take it away from them by force.
What gets me railed up is the inability to use the town's human capital. Giving free money will not help forever. If you could get people to work together they would eventually get out of poverty. Maybe the current generation might not but eventually they would be able to do it.
This is not the situation I think of when I hear "basic income." Why Kenya?
> GiveDirectly wants to show the world that a basic income is a cheap, scalable way to aid the poorest people on the planet.
I was under the belief that only the middle class protested for basic income. It would have been more interesting if the "beta test" was done on educated/ first world persons, so we can finally get progress (or a full stop) on this debate.
I believe this idea wasn't thought out past the "we want to put on airs" phase. Is injecting capital into a system that relies on crime to keep afloat, really the best idea GiveDirectly could have come up with?
This is similar to the Toms fiasco where they would donate a pair of shoes to Africa for every pair bought -- it crippled the local fabrics businesses.
Perhaps if one wanted to fix the African economy, one would invest into economic think-tanks and their executionary tandems, instead of over glorified tax shelters.
Liberals believe that the poor are too dumb and helpless to figure out what they want, so the government should do it, both domestically and in foreign aid.
Conservatives believe that the poor are poor because they are unintelligent and lack good values (or they are acting rationally in response to liberal welfare programs), and domestic and foreign programs should be eliminated in favor of religious missions.
What programs like this are finding is the the poor are intelligent and well-motivated, and they just need an opportunity to get out of the hole they are stuck in.
Let me add that, from what I understand, foreign aid programs can be very helpful in areas like public health.
So, yeah machines are a big black hole and our jobs are doomed asteroids spiraling into the black hole. As they spiral into the singularity, humans will be displaced at an accelerating rate, and it will take more ingenuity and effort for humans to maintain "work". And, for what? In the asymptotic limit, the outcome should be no more jobs and "work" in a the way we currently define them, and humans will be truly free to creative pursuits. Never shall a beautiful human mind be wasted on labor which a machine can do.
At some point, machines will be the dominant species pushing civilization forward, not us.
Until then, we're forced to work, we're forced into employment because our world does not simply give us what we want. Food and spears don't fall out of the sky, so we will waste our time hunting and farming until we figure out how to make those things "fall out of the sky".
I think history has proven that we can live in extremely wretched conditions. By giving money to people, are we going to be increasing their living standards or just creating more mouths to feed?
Note that the basic income only applies to whoever registers at the beginning of the program. Would that amount of basic income cause the population to explode, so that the per-capita amount of goods/money remains constant?
Source is available here: https://github.com/standardnotes/collab-editor
The editor relies on an impressive client-side library called ChainPad, which uses blockchains as inspiration for determining the authoritative document after conflicts or many simultaneous edits. Typically operational transformation algorithms and systems to manage conflicts are handled by the server, precluding the possibility for end-to-end encryption.
However, ChainPad runs completely on the client-side, and is oblivious to the underlying text, thus allowing us to encrypt text client-side before broadcasting to other participants and the broadcast server. This is the first major effort I've seen for a real time client-side collaboration algorithm, and its use of a blockchain type structure is ingenious.
More info on ChainPad here: https://github.com/xwiki-contrib/chainpad
It has more functions like a presentation mode .The edit resolution is done client side and the "server" only relays encrypted messages. Alternative transports are in works, including WebRTC. Everything is open source on .
: https://cryptpad.fr: https://cryptpad.fr/slide/#/1/view/xQOAr26XzkbKDNuXvXwL4Q/E-...: https://github.com/xwiki-labs/cryptpad/
So what is the mitigation if someone manages to XSS the website and start snarfing the encryption keys for everyone's messages?
Really cool idea BTW.
I confess to being a bit uninformed about how chainpad resolves editing being done in the exact same area by multiple people all at once. Treedoc handles this elegantly and with good performance. Does ChainPad?
I'd test myself, but since I lack friends it's difficult to do correctly.
- Add a button in the main page that generates the page in-the-spot.
- Add a button in the middle page that generates the page when clicked.
Edit: removed dupe link so added more content
I've been using Standard Notes for my normal note taking for a while now. Cool stuff.
Please, help me explore how this is significantly different than the Russia vs US election issue on the other side of the pond.
Literally almost every piece of useful financial information is available via bloomberg. And I don't mean relatively basic info like "What's the current yield the Apple 3.85% of 2043?" or "What's the current CDS spread for Citibank?" that you can easily google for but also stuff like "Which oil tankers are in for repair right now, and what are their capacities?" and similar info on power plants, international agriculture, equities, interest rates, etc.
Experienced bloomberg users have their most-used keystrokes in their muscle memory. Less experienced users can hit F1 twice and immediately be connected to a live bloomberg rep who will research your question for you (although it may take 20 minutes for them to figure it out).
Bloomberg Chat is also extremely important, as others have mentioned.
The reason they're still a monopoly is because knowing how to navigate a Bloomberg is a critical skill for most finance professionals, and now that they have that skillset, they can be very productive moving around in it. A different (better?) UI would require they re-learn everything, which is not going to happen. And when financial professionals are making half a million a year, paying $24k/year for a terminal so that they can be productive isn't a bad investment.
(Source: have a couple friends at Bloomberg. One is in their UI department, and keeps having his proposals for better UIs shot down for business reasons. Also married a financial professional who had to use a Bloomberg in her days as a bond trader.)
Mike Bloomberg started the company because while working at Merrill Lynch (in the 80ies) he thought the computer terminals banks used at the time to see stock and bond prices where ridiculous. He got funded by Merrill Lynch and disrupted the industry, overtaking rivals like Reuters (which well into the 90ies was usually considered the most trustworthy source for stock data)
You needed their special hardware only until the late nineties (the "Bloomberg box" - consider that up until around 96 or 97, only few employees would have internet access on their desktop, even inside "bulge bracket" investment banks): nowadays, you can get Blooomberg terminal on their workstation or on your own hardware. Likewise, you can run in on a dedicated connection, or on your normal internet line.
The key element of Bloomberg terminal is reliability: it feeds data you can usually trust and price feeds you can almost certainly trust. When you are checking prices changing several times a second across exchanges in different part of the world that's no easy feat). That's crucial when millions of dollars are at stake.
Second is the ability to access 80% of the data and information you would ever want to check wihout leaving the terminal.
Third ingredient is ease of use.
Fourth is incredible customer service.
Fifth is innovation: they continuously innovate, improve old features, add new features, introduce access to new data/information.
Once you remove the cost of the underlying live price feeds (from stock exchanges), The Bloomberg terminal is not that expensive for what it does. Bear in mind its customers are people that spend their day optimizing their financial decisions: if there was something cheaper working as well, they would go for it. If there was something working even better, they would go for it, probably even at a higher price point (because that's how the economics in the banking and investing world work).
Data brokers. Not a regular thing in comp.sci, but very much so in the world of finance.
- news articles
- economic data releases
- historical and live market data
- asset pricing
- charts and analytics
- click trading
- trade execution and transaction cost analysis
- trade order management and post trade processing
- portfolio and risk management
- Excel integration
- amazing stuff like DINE<GO>, FLY<GO>, and POSH<GO> (lol)
there's probably a ton more stuff that i don't use and don't know. bloomberg is a mile wide and a mile deep in some areas.
you can get any of these features individually from plenty of service providers in the market. some are less specialized and cheaper and some are more specialized and more expensive. if you don't want to manage fifty different contracts with different service providers bloomberg provides a one-stop shop.
bloomberg is more than just data now. it wants to be absolutely everything that a financial firm needs - front office, middle office, back office.
Another aspect is trust. If you are trading billions you want the information/trade data "currency" everyone else uses. I built backends converting MBS bid to yield and if it wasn't tuned to a 1/16 or better of Bloomberg, it wasn't usable.
Bloomberg also offers custom studies like "fear/greed" which may have some value.
TR/Thompson Reuters also has a competitive product for much less and you can't really go wrong with either for 99% of use cases.
There are also many stand alone news sources you could use. Benzinga comes to mind as one example.
Interesting note - Bloomberg is highly protective of their IP and has been know to write takedown notices of screenshots posted online.
// built 2 SaaS Fintech systems
I suppose at the end of the day even though they do all this I'm not 100% sure they do it very well. I don't use the terminal or claim to know how, but it seems to have have become an essential tool for many people in the finance industry.
Although after all that I know there is a joke going around that the main reason most people fork out for the terminal is for the chat functionality.
* It is a well accepted reference. You will often see a screenshot of a bloomberg terminal as "proof" of something
While I guess there are APIs, I don't get the impression they're easy to just integrate into any old workflow if the terminal is down the hall or even on the other side of your desk. It's all linked to that terminal, no? Pretty annoying if you ask me, from a programmers standpoint. Not to mention another case of closed, proprietary tech in the financial sector.
You can find some background here on what it does:
The ability to trade is perhaps no so important these days given the advent of algo trading/stat arb, but it serves to emphasize the point that there is more to the terminal than just viewing the data.
$ apt install wallstreet
I created that for Ubuntu, as a follow-on to:
$ apt install hollywood
Purely for fun. Try it!
Pulls up a global map with "near-realtime" locations of cargo ships, offshore oil derricks and wind farms, tropical depressions and hurricanes, uranium mines, all kinds of crazy stuff.
You can zoom in on the Panama Canal and see which oil tankers under whose flag are waiting in line to pass through, where they're going and how much oil they're carrying.
You can sort the world's ocean-going cargo vessels by commodity, to see where all the orange juice is."
> it's just a portal that gives the news
A portal? Bloomberg News has its very own reporters (and jourobots). They investigate and write original content. People usually don't buy the terminal (~2000 USD/month) only for that, but if they do, they can read everything directly in the terminal.
> What I don't get is why have a custom monitor, keyboard?
The monitor is, these days, only about branding. Ten to fifteen years ago, Bloomberg offered good-quality LCD screens with integrated mounting arms for 2 or 4, at a time when that was a pretty high-end setup. As LCD screens became cheap and ubiquitous, many users don't have the Bloomberg ones, but they still have the Bloomberg keyboard. It's useful because it has special labels for a few hotkeys, plus some of them have extras like fingerprint readers. If you lack the special keyboard you can press Alt+K on any keyboard and the terminal will show you a graphic of the special keys for reference.
But to really understand why they have a special keyboard, you need to look back a good long while. That's covered here: https://www.fastcompany.com/3051883/behind-the-brand/the-blo... - the gist is that a "Bloomberg terminal" used to be a real terminal, connected to a magic box on the customer premises (which served several terminals). There have been many, many iterations of the terminal hardware, from a dedicated proprietary box, to software running on Sparc workstations, to software running on Windows, with the keyboard becoming more like a PC keyboard around the turn of the century.
> is it a VPN
No. Traditionally, customers connect their terminals back to the Bloomberg service via leased lines (i.e. not the internet). But for many years now you have the option of using the internet, though not everyone wants that.
> The cost of the product is ridiculous.
The cost of the product is much less than what some customers would be willing to pay. Most customers pay about the same monthly fee, regardless of where they are in the world, regardless of their corporate income statement, etc. So yes, it seems expensive to people who wouldn't get that much out of it. Some schools get a discount.
> Is there a cheaper alternative that does not require specialised hardware?
Bloomberg does not require specialized hardware at all. You can install it on any Windows laptop, and you are more than welcome to do so. As for cheaper--yes, there are lots of things which are cheaper, but you will be hard-pressed to find any combination of those which is still cheaper and yet does most of what Bloomberg does (i.e. has similar quantity and quality of data, and applications built up).
> I know Bloomberg is a politician
He is now, but he was not when his company went from 0 users to 100,000 users.
"Potential users dont want to get onboard unless all the other people in their ecosystem are on the service. That dynamic obviously keeps most people from joining Symphony. Most everyone working in financial markets is already on Bloomberg, and it would take virtually everyone leaving at the same time to give Symphony critical mass.
I think Facebook is the best comparison, Ayzerov says. If Facebook had only one fourth of your friends, you wouldnt use it. The advantage of Bloomberg is that every financial person has it."
See http://www.institutionalinvestor.com/article/3572874/banking... for some of the obstacles that Symphony faces
Phones are personal devices. Plenty of time is spent on smoothly machined surfaces, wood cases, etc. A little biosphere is a beautiful idea, and likely cost a fraction of the overall project.
But to be serious here are some of the other modules they planned on:
And yeah some look pretty cool, a scale, iris detector, a better microphone and speaker, laser range finder, smoke detector (but could imagine perhaps other hazardous materials). Might think of other specialty application, but the problem is in any of those fields, there are probably higher quality tools already available not tied to an experimental expensive phone. They'd have to first make the phone as ubiquitous as an iPhone then start selling add-ons. Not make add-ons as as a major feature of the phone.
But tardigrades just seems like a way to get someone in management to notice and say "Wait wut, we are spending the money on this? Somebody, please defund this project".
Can the biological processes of these simple organisms be modeled as checmical equations and all you need to do is balance them out and solve for the mols of everything you need to pour in?
Forget the aquarium, how about a really strong microscope. Or a portable testing lab or a television or some kind of art project.
Google should have pursued a less ambitious and more practical version of the idea. Instead of making everything replaceable, maybe just identify one component that would be. Like the camera. Why do I have to buy a new phone if all I want is a new camera? Would a phone with only one or two replaceable components be feasible to build, and not impose too many tradeoffs?
The Ara team pursued the "everything should be replaceable" dream for too long, and failed. I wonder if a limited version would have been feasible.
It doesn't make sense that you should buy a new smartphone, priced at as much as 80K ($1000) even if all you want is one new component. Imagine if you had to buy a new laptop for more storage for your movies, and external hard discs didn't exist. Or a bigger screen, when you could use an external monitor. And so on.
Just kidding, they'd be killed by the dangerous conduction from the phone. The little guys can't handle the rapid heat changes caused by the battery and CPU.
Few people are willing to take the risk on a phone with an entirely new form factor, let alone an entirely novel premise, and no one would carry two phones around in their pocket.
It seems like they missed an opportunity to position this as a customizable mobile computing platform. Or perhaps they did and thought it was too niche.
The people coming in now are completely different from Balkan refugees, Persians and Lebanese. In the case of the Balkan refugees, they were European. And the Persians were fleeing from an Islamic theocracy - they didn't share their values. Ironically, it was a women of Christian Lebanese descent who was murdered by these new arrivals:https://en.m.wikipedia.org/wiki/Killing_of_Alexandra_Mezher
Bildt mentions Spotify and Minecraft, but the new arrivals are making a different use of modern technology: http://www.independent.co.uk/news/world/sweden-facebook-gang...
Carl Bildt has his head in the sand. Look at these most-wanted pictures from Sweden and Denmark:https://www.interpol.int/notice/search/wanted/(RequestingCou...
Try not to notice any patterns, since that would be crimethink.
I don't know how they came to this number, but at least it's something to point to when the c-level executives decide password security is something that they can just skip doing. Obviously part of that 20% is are just dead accounts but still, something to show next time you're in this situation.
The right fix would be to either always fail a site load that doesn't serve the right intermediate certificate, or do what Chrome and IE do and always find and load the intermediate certificate.
I think you need to be more realistic, sorry but you sound a bit like a child, everybody is dumb and doing useless things except you the little snow flake who comes to save the world and will be a billionaire if only he was recognized.
Consider giving up the big money requirement and your options will open up significantly. At companies like Google and Facebook where you get the good pay, there are very few roles that get to work on the super interesting problems so they are hard to get. Most likely you will end up working on data migration tools, front end interfaces for existing systems, account life cycle tooling, etc that may be interesting at first, but they aren't that satisfactory in the long run because you'll realize you're a very small cog that can be easily replaced.
If you give up big money and join a startup (even mid sized), your impact can be a lot more tangible and satisfying. Programming for government/industry research can also be pretty satisfying but the pay is much lower (e.g. I worked for an academic consortium on HPC networks and really felt like I was improving tooling for cutting edge science).
Preferably, this will be someone at work. Either someone in your job who's as stuck as you are, someone in the next layer up who needs a boost, or someone in the next tier down who needs a hand. It will be your next big challenge, to recognize that someone else needs help, to determine what kind of help that is, and to offer what you can.
Your only measure of success is whether that person succeeds.
The three benefits to taking this approach are:
1) it's easier to objectively measure whether what you're doing is working 2) you get to practice helping yourself, on someone else! 3) it will help you stop being an asshole, which is probably something you're doing
Let's just say that the worst leaders I've worked under have had the certainty that they were Leaders, that they were somehow born to it, and that they were surrounded by idiots.
If you truly are surrounded by idiots, get out fast. This will work out well no matter the true situation:
1. If they are idiots, you'll be pushing a rope. You can't save them. Do your best elsewhere. Unless you're an investor, who the heck cares? Just another ship going down.
2. If they aren't idiots, but you only think they are, it will end badly, and it's best ended early.
The only way that a King of the Idiots gig ends well for you is when they pay you a pile of money to leave because they can't fire you because of bad press or something, and most people won't even be in a room with people who are at that level.
Second, as you noted you can find challenges outside of work (particularly with all the free time your automation has given you. |-D
You could try for getting into MIT or Stanford, but you could also simply take the courses you are interested in. Learning something new if a great motivator, I've found.
Then again, so is crushing your enemies, seeing their men flee before you, and hearing the lamentations of their women.
But I digress.
Another possible creative outlet & source of inspiration is participating in open source, up to and including starting your own project (which might be part of your automation platform, or something completely different).
Or get a non-tech hobby. Drawing, painting, knitting, dancing, a sport, volunteering at an animal shelter, gourmet cooking, write a novel, learn a new language etc. I personally find gardening to be a great way to recharge my mental and emotional batteries.
Fuck motivation. its a fickle and and unreliable little dickfuck and isnt worth your time.
Better to cultivate discipline than to rely on motivation. Force yourself to do things. Force yourself to get up out of bed and practice. Force yourself to work. Motivation is fleeting and its easy to rely on because it requires no concentrated effort to get. Motivation comes to you, and you dont have to chase after it.
Discipline is reliable, motivation is fleeting. The question isnt how to keep yourself motivated. Its how to train yourself to work without it.
Motivate yourself by either pulling up those around you or leave for what you really want to do.
Viktor E. Frankl, Man's Search for Meaning
> I need to find something with purpose,big money, and satisfaction.
> I have tried being altruistic,but I ended up on the receiving end. I now presume that everyone is selfish and will not think for a second they get better deal. Hunt or be hunted - Frank Underwood
I guess you believe that you where meant for something greater here in life and that people should treat you like the natural leader you are. Am I right?
I'll say that there is a very big risk that your have narcissistic tendencies and looking at your comments from an employer's perspective, I would be very, very worried.
I wonder why you mentioned "job" as your first driver for motivation and happiness. What about other parts of your life besides the job? Now I imagine since this is HN your probably only shared about that part, but I hope there is more to it - relationships with family, friends, significant other and so on. Hobbies (go to local meetups about your favorite technology), maybe other interests like sports. Someone mentioned other stuff like helping others: mentoring perhaps, a soup kitchen (I did that for a while, it really changes your perspective on a lot of things and challenges some assumptions).
That won't sit right with a lot of people. It is good you are honest though. But be prepared for people to focus on that. So you already make good money it seems but you feel you deserve big money? Why do you think you deserve to be in a leadership position and making big money?
> was hired for a position that has no decision making power at all. Everyone here seems dumb and working on a few useless things.
Now imagine if you made big money and still had no decision making power? What if you made less money but had decision making power? Which one would make you happier?
Don't spread yourself thin serving two masters. Serving one, often brings the other, but both should not be your goal.
If you do things for love, and also seek out money, your art will suffer. If you do things for money, but try to do more of the things you like doing, you will fail to do the hard things that bring you financial success.
Pick one. Love or money. Commit to that.
Complete lack of motivation is the result of mental congestion.
Start emptying your mind! Delete all good and bad memories! Don't worry about the past and don't be afraid of the future.
What you have right now is not what you really want! That's why you are not happy!
Just empty your mind and you'll find what you really want!
And we always have motivation for the things we TRULY want!
Are you focused too much on work? When is the last time you took a week or two off just to mentally reset? How is your social life? I was interested in a specific field a few years back, but I had zero friends or connections in said field. I started a meetup group around the topic, grew it to 1500 members in just over a year, learned a TON about the field in the process, and made invaluable and exclusive connections that would have been otherwise very difficult. It was a beautiful blend of social and professional advancement and I highly recommend something similar.
Last point: if you're considering grad school, be aware that this is much more accessible and palatable early in your career vs. late. If you have a shot at getting into an MIT or Stanford, why no give it a whirl? It isn't necessarily the degree that is of value, but the high-end network you'll obtain in the process.
Keep your head-up -- motivation will ebb and flow throughout your life. This is normal and a sign that change is in order.
Go seek out a good conversation. About anything. What you should be doing now is finding ways to dream bigger.
I can think of 3 options in your case. 1)keep your job and find fulfillment doing something else on the weekends and free time such as hitting a hobbie hard. 2)Keep your job and figure out how to get to the top. This option means you'll have to become a master at social skills. Learning more techie stuff will not help you. Top decision makers are NOT the most technology savvy but they are the best at managing people and getting the most out of the team.3) Start finding the job you want. It might be less money or not as safe but at least it's something you enjoy.
"I need to find something with purpose,big money, and satisfaction."
That's what we all want but you won't get it unless you are willing to take some big chances. So decide what to do and do it. You can't start at the top but you can get there and find all 3. You might fail but there's a possibility of hitting it big. If you go this route make sure you make a plan and decide now how to deal with adversity.
I'm currently going through what would probably tear many people apart - out of money (literally had no money last week since I sold the last of my bitcoin to stay afloat and it didn't hit my bank account quickly enough), applied to several jobs in SV, all turned down because "they're looking for someone more senior", tried to start a company, couldn't find funding, can't finish some biochemistry work that I've been doing because I can't pay for the equipment I need... The part time coding job I took on still hasn't paid me for january's work...
But I have a bunch of small projects that keep me going and while it is slightly harder to get up in the morning, I am still productive. (I just wrote a library that transpiles Julia into Verilog)
We can't get everything in life. Your idea of the "perfect job" is unrealistic.
If you're doing something that doesn't interest you then it doesn't matter how good the other benefits are since you constantly have to use energy to motivate yourself. Then you won't produce something you're proud of which helps neither you or the company.
What will you do differently once you are leader to avoid similar demotivation of talent? Leadership is not just decision making, it is also dealing with issues like this. They won't tell you, so self awareness now will go long way later.
I don't know what would motivate me besides the idea that things could be a lot better than the way they are.
"I wanted a leadership position at THEIR company..." (fixed that for you)
It's not YOUR company, but THEIRS.
Incorporate your own company (couple hundred bucks) and list yourself as "President" on your linkedin.
Put together a bullshit website about your consulting services.
Start acting like a leader in your own affairs.
Mind YOUR OWN business.
Money solves almost all problems. For the remaining issues time and good health covers everything. I challenge anyone to show a convincing argument to the contrary.
Better get to $300k/year asap and let the other chumps have their "leadership position"
You can start by working on your attitude.
The way I've dealt with burnouts and demotivation has been to identify the actual root cause and then take a decision;
- Option 1; leave it be (and maybe whine about it).
- Option 2; give up & move on to something else.
- Option 3; bite the bullet and work my way out of it.
9 times out of 10, I pick option 3.
As an example, I've been dealing with business development for a while, but I'm naturally more interested in product development and R&D.
I got stuck on option 1 for a while and tried a couple time (unsuccessfully) to go for option 2.
And for the past 6 months I've been working on option 3.
It's not glamorous and it requires a good deal of patience, but the opportunity to get to a place where I can automate/document/delegate myself out of it has kept me motivated enough.
I'm writing a business playbook , created a few sales decks and refined techniques on clients and colleagues to the point that I can train others. I have automated, documented and understood enough  that I can finally bring in a BD person and hand over my responsibilities.
I recommend you have a hard look at what really makes you unhappy and list your options.
From the limited understanding of your current situation, I'd say;
- Deal with it. You stay where you are and find a way to be ok with not being passionate about your job.
- Give up. Find another occupation, either now or after a while once you acquired new skills.
- Work your way out of it. Find a way to change your role at your company. Maybe you can automate, document and delegate. Maybe you can make yourself valuable enough to another team to force a promotion or re-assignment.
Additionally, I don't think I would recommend you to go back to school. I'm a lot more likely to trust and respect somebody who went on to learn new things on their own, especially considering you can virtually learn anything online these days.
having a job with big impact and big money is a sizable goal that you won't reach overnight. you might not even reach it in a year, or several years, who knows. it's a big goal that's easy to lose motivation on. but reframing it into daily goals, and focusing on taking one step at a time, could be a source of motivation. just my 2
This sentence alone signals that you are not ready to be a leader. Contrary to what you probably think right now, being a leader sucks in many ways:
- You should be empowering to those around you. This starts by being constructive instead of judgemental. Find out what are their strengths and weaknesses, and tell them how you think they can improve instead of poking at their weak spots. You should strive to always keep this attitude, even when under pressure and/or during bad personal times.
- You must be a good listener. Try to understand your team member's motivations and desires, and how they think/react to what's coming to them. Be prepared to accept that other people's thought processes are very different from yours, and your job is to understand them instead of trying to change them. Even if you possessed the absolute truth about everything, trying to shoehorn that truth into their minds wouldn't work. They need to see that truth by themselves, so you can only try to steer them towards finding it. In some cases the way to do that is by providing arguments. Other times arguments won't do it and you must show them. Later on, once you're actually seen by them as a leader you'll be able to appeal to trust. Don't overuse that though because you are not perfect and will make mistakes, which will erode your trust if you used that to impose your opinion onto others.
- You should be prepared to deal with the worse bullshit that's thrown to your team. You don't need to deal with all bullshit, but your team should be confident that you'll be first in line if/when shit hits the fan, and that you'll do your best to cover them.
- You should lower your expectations about others. You must demand the highest standards from yourself, but not from others. Do what you can to help them improve instead.
- Don't overreact when you get stabbed in the back (which will happen at some point). Attribute any bad situation to ignorance/stupidity before malice. Always try speaking with people first, and over time you'll develop a "sense" to discern bad actors from misunderstandings. In any case, being stabbed is an opportunity to improve that "sense", and is always a better situation than initiating work-warfare against a person who acted in good faith.
In case you haven't noticed, you don't need any "leadership position" to put all that to practice. You can start doing it right now, and I assure you that leadership will follow naturally. People will start turning to you when they need help. People will start wanting and valuing your opinion much more. This will make you feel important and purposeful, but it will also be stressful and demanding. Be up to the task and the pay will follow.
If you are good at your job and they pay you well enough, just keep it. Keep doing well at your job. In your leisure time, start working on passion projects. Something that you have been thinking about for a long ago and/or understand well. If this passion project turns into something amazing that you can run-away with, profit from, and bring you more power to change, do it.
There are a million things to be motivate by. There are people with serious problems in the world, like dying from thirst.
Just find out what you what to achieve and find out if you are capable of doing it.
Watch the real news. Find out about how terrible things are. Ask yourself if there is any small thing that you can do.
I'm not saying you shouldn't keep seeking something, but the aforementioned might help you to decouple your happiness from it.
Otherwise you need to rethink your career choices. Good luck man!
"I need to find something with purpose,big money, and satisfaction"
Hold yoga poses long.Take strong patent medicine herbs.Knitting.Volunteering at an animal shelter.Cold showers.Realistic goals on the bench press.Scuba diving.
The answer has become clear.
Go for the money.
If you feel a loss of motivation, the worst thing you could do is feel guilty about it. Feel like you're somehow bad or inferior because everyone around you seems to have this drive to move forward and you don't.
It's completely OK to not feel particularly motivated. Your job is not your life; sometimes it's fine to just work 9 to 5 and put only the effort required, nothing extra. Spend your nice salary on things that you like. Excersize because you like it, not because you have to. Do something else with your time. Meet friends. Watch TV shows. Don't care about wasting your time, just enjoy wasting it.
And please, when you see the people with "TED speaker", "self-motivated", "energetic" image, take it with a grain of salt. This happens to everyone, it's OK.
Spend some time not only looking for good compensation but also balancing it with a good culture.
Startups are usually early technology adopters, and you may be giving more responsibility and autonomy than in a large company. You might enjoy it more there.
Most interviewers may ask you: "Do you have questions for me?". Ask them: "who are the most valued engineers in your company and why?"
If the most valued engineer is a warm body whose only purpose is to suggest places for lunch to their managers or some fake wine snob continue looking.
Talk to your boss.
I would caution though that usually when people say "Everyone here is stupid" it's usually not everyone else that's really the problem. This goes for my younger self as well.
See for example: https://www.johndcook.com/blog/2010/01/19/dont-invert-that-m...
Don't get me wrong, having working code to play with is key, but when you don't fully grasp the concepts behind it, an explanation can become so valuable.
That being said, you've included names, so research can be done. Great work and I hope you're enjoying it!
idx = np.random.choice(range(n_features), size=self.max_features, replace=False)
One vital improvement suggestion to make that path attractive would be if the Jupyter notebook format were used. It would be easier to add more documentation and references.
But in any case, thanks for sharing!
this is for people who don't just want to tune parameters but build the whole thing from scratch
I can buy buy a pie all the fix-ins from a bakery, or I can buy the ingredients myself, and make it to exactly my liking. it may not be a professional.
Delivering value trumps painting every day
> As you may be aware, Cloudflare incurred a security breach where user data from 3,400 websites was leaked and cached by search engines as a result of a bug. Sites affected included major ones like Uber, Fitbit, and OKCupid.
> Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident
> This incident sheds light and underlines the vulnerability of Cloudflare's network. Right now you could be at continued risk for security and network problems. Here at Dyn, we would like to extend a helpful hand in the event that your network infrastructure has been impacted by today's security breach or if the latest news has you rethinking your relationship with Cloudflare.
> Let me know if you would be interested in having a conversation about Dyn's DNS & Internet performance solutions.
> I look forward to hearing back from you.
"I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about."
Original post: https://news.ycombinator.com/item?id=13720199
For example, https://coinbase.com is on that list! If they haven't immediately invalidated every single HTTP session after hearing this news this is going to be bad. Ditto for forcing password resets.
A hijacked account that can irrevocably send digital currency to an anonymous bad guy's account would be target number one for using data like this.
And the disclaimer right at the top:
This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised.
At least change the cookie name so the token stops working. For example, in ASP.NET - change the "forms-auth" name in the web.config file
I question Pirates (https://github.com/pirate) motives for even doing this? Karma? Reputation?
> In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.
Does this jive at all with the Google or Cloudflare disclosures? They are claiming that across all caches they only found and wiped data from ~150 domains, can that be true?
Were the 2 things running on the same process? If they were not, there's no way that the buffer overrun could read an other process memory, right? it would have failed with a segfault type of error.
If so, shouldn't Cloudfare consider running the sensitive stuff on a different process, so that no matter how buggy their caching engine is, it would never inadvertently read sensitive information?
There probably aren't many but with something this serious it could be important. I'm not sure how one would go about finding the sites that use the CNAME option. If it helps, they use a pattern like:
www.example.com --> www.example.com.cdn.cloudflare.net
One interesting thing: the raw dump that's linked from the list's README doesn't seem to include a couple of notable domains from the README itself, like news.ycombinator.com or reddit.com. I may be mangling the dump or incorrectly downloading it in some way.
EDIT: disclaimer, be responsible, audit how the dump is generated, etc etc etc
Sorry for the index.html, trying to figure out how to get index file to work on cloudfront.
You can also run the python script on the website anonymously on your computer to dig sites out of your email, which is a good indicator that you have an account with them.
Anyway, I'm OK with them being on this list, as I believe understanding the scope of the problem is important to figuring out how we prevent these kinda problems in the future.. (For example, answering this question requires understanding who uses CloudFlare: Why are so many sites concentrated on a single infrastructure?)
Welp, time to change all my passwords.
> When the parser was used in combination with three Cloudflare featurese-mail obfuscation, server-side excludes, and Automatic HTTPS Rewritesit caused Cloudflare edge servers to leak pseudo random memory contents into certain HTTP responses.https://arstechnica.com/security/2017/02/serious-cloudflare-...
> Hi [Username],
> A bug was recently discovered with Cloudflare, which Glidera and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your Glidera security credentials:
> Change your password> Change your two-factor authentication
> You should similarly change your security credentials for other websites that use Cloudflare (see the link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.
> The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so its important that you take appropriate precautions to protect yourself.
> The actual leaks are thought to have only started about 6 months ago, so two-factor authentication generated before that time are probably safe, but we recommend changing them anyway because the vulnerability potentially existed for years.
> Please note that this bug does NOT mean that Glidera itself has been hacked or breached, but since individual security credentials may have been leaked some individual accounts could be vulnerable and everyone should change their credentials as a safeguard.
> Here are some links for further reading on the Cloudflare bug:
> TechCrunch article: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leake...> List of sites possibly affected by the bug: https://github.com/pirate/sites-using-cloudflare/blob/master...
> If you have any questions or concerns in response to this email, please contact support at: firstname.lastname@example.org
/* generated code */if ( ++p == pe ) goto _test_eof;
"The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer. This is known as a buffer overrun. Had the check been done using >= instead of == jumping over the buffer end would have been caught."
"2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information
2017-02-18 0032 Cloudflare receives details of bug from Google
2017-02-18 0040 Cross functional team assembles in San Francisco
2017-02-18 0119 Email Obfuscation disabled worldwide
2017-02-18 0122 London team joins
2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide
2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide
2017-02-20 2159 SAFE_CHAR fix deployed globally
2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide"
Seems like a pretty good response by cloudflare to me.
this is despite (or maybe because) of my best efforts to secure systems as a major part of my job.
Sites using Cloudflare, really. However, Cloudflare say that only sites using three page rules were affected - email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites. 
Is this over-estimating the impact, perhaps?
addepar's a cool place, and i learned a ton there and made some good friends.
that said, my overwhelming impression of asset managers is that most capture more value than they add. fee-bearing mutual funds, family offices, financial advisors, hedge funds: few are worth their fees.
hedge funds, with their standard two-and-twenty fee structure, are especially bad. you could hardly design worse-aligned incentives, short of outright betting against your own clients.
two-and-twenty means 2% of assets under management every year plus 20% of any profit and 0% of any loss. why people agree to those terms is beyond me.
for example, running a strategy similar to a martingale, a negative-EV fallacy when done in a casino, can be incredibly positive-EV when you're a hedge fund manager. it produces streaks of above-market returns, where you keep doubling your AUM and rake in the fees, for however long that lasts.
when the crash happens, the managers walk away unscathed.
if you're interested in an entertaining story that starkly illustrates this dynamic, check out Long Term Capital Management.
Okay, I've been publishing this advice for 20 years now, to the annoyance of any number of financial advisors:
The WSJ dartboard contest makes the same point:
He then goes on to show how that's been true, and that a standard index fund outperforms almost every hedge funds even before extra fees to the hedge funds are taken into account.
It's not the first time this has been pointed out, and it suggests that for non-multimillionaires, an index fund is always the most rational choice.
You get close to the return you'd get by investing in real estate, with the added benefit of index funds being much more easily liquifiable.
Our efforts to materially increase the normalized earnings of Berkshire will be aided as they have been throughout our managerial tenure by Americas economic dynamism. One word sums up our countrys achievements: miraculous. From a standing start 240 years ago a span of time less than triple my days on earth Americans have combined human ingenuity, a market system, a tide of talented and ambitious immigrants, and the rule of law to deliver abundance beyond any dreams of our forefathers.You need not be an economist to understand how well our system has worked. Just look around you. See the 75 million owner-occupied homes, the bountiful farmland, the 260 million vehicles, the hyper-productive factories, the great medical centers, the talent-filled universities, you name it they all represent a net gain for Americans from the barren lands, primitive structures and meager output of 1776. Starting from scratch, America has amassed wealth totaling $90 trillion.
I don't often see this sort of pride in America. Normally the flavors I do observe are hyper-nationalistic and filled with bravado, while the tone here is lauding yet reserved. There's a sense of authenticity delivered in the way Warren Buffett - an extremely humble, yet successful man - talks about the way his country has helped him succeed. It's austere.
This isn't part of the regularly scheduled programming for threads about his letters (mostly we like to champion index funds or debate the utility of active investing), but it's what really struck me this time around. Juxtapose his words here with the same category of conversation about America in many other contexts and contrast the integrity involved. In a time when America appears to be experiencing quite a bit of social and political volatility, it is refreshing to hear optimism from a source that does not appear to use it as an instrument of control.
EDIT: Well this has since ignited a debate about America's cultural identity and history of imperialism...not really the spirit of what I was going for but here we are I guess...
"Unfortunately, I followed the GEICO purchase by foolishly using Berkshire stock"
"It was, nevertheless, a terrible mistake on my part"
"Despite that cautious approach, I made one particularly egregious error"
I bet you don't find that sort of thing in many other annual shareholder letters.
I.e., I agree with Buffett's general premise, and have since the 1980s.
30,450 pages holy crap
So stop by for a quote. In most cases, GEICO will be able to give you a shareholder discount (usually8%). This special offer is permitted by 44 of the 51 jurisdictions in which we operate. (One supplemental point:The discount is not additive if you qualify for another discount, such as that available to certain groups.) Bringthe details of your existing insurance and check out our price. We can save many of you real money. Spend thesavings on other Berkshire products.
I need to get hooked up with my shareholder discount!
Is he basically saying that the insurance business is structured in such a way to never payout catastrophic amounts? Is this a harmful thing for the insurance claimants?
buffett profited off the housing bubble and should not betrusted. he owned huge stakes in the ratings agencies thatwere giving AAA+ ratings to these awful mortgage products,even as publically he was decrying the financial productsinvolved as 'mass destruction' he was making money on it.
he is doing the same with his stock market push. ifa million people listen to him and go buy stocks, whatdo you think happens to his index funds? They go up of course.
absolutely hilarious and sad to watch people worship thisguy. if his secret is really to buy index funds, thenwhy do people listen to his speeches and newsletters?you could just go buy index funds and be done with it.
like every other con artist, his genius is to get peopleto buy in to his story.
He's smart, honest, humble, generous, witty and a great communicator. And he's the best investor in the world.
Normally these letters have some new brilliant insight or dive into a business I know nothing about. This one feels shorter and more peremptory. I see the financials for the major sectors and the same boilerplate explanation of insurance and railroads that's in every letter.
What's up? It's not like nothing happened with Berkshire Hathaway this year.
"See around me," indeed.
There are already reports of Intel CPUs getting price cuts, so this looks good for now at least.
I'm not an AMD hater (actually own AMD stock), just cautious.
Looks like AMD has made a real performance breakthrough here. When is general availability expected?
AMD mentions some AI technology to improve the perf. If one runs the same software many times, will the performance change? It could be good if it learns and improves the performance, but results might not be reproduce. Is it like the Pentium 4 with its long pipelines that ideally result in better performance but meant more misses?
Good that AMD has something in peto to compete with Intel again.
Those 4 cores are stronger than the first 4 cores of the 1700X or the 1800X. If you are a gamer, then most if not all of your games will use 4 or less cores. Why pay more money for worse gaming performance?
Namely do these processors support ECC and what virtualisation capabilities do they have (for KVM with full GPU access).
- It was "human error" that the programmers who designed the self-driving AI failed to properly implement red-light detection and braking.
- It was also "human error" that the human driver in the front seat failed to notice the red lights and stop the car.
Uber's statement is effectively true, if you hideously twist the meaning of words. I fully believe that's what they did in their statement. There's similar wordplay for the word "natural", i.e. claiming "All pollution is natural", because humans are part of nature and everything we do is natural, so all consequences of our actions are also "natural". Deceiving yet ultimately, effective.
 Uber says self-driving car ran red light due to human errorhttps://techcrunch.com/2016/12/14/uber-looking-into-incident...
SF has a database of their traffic signals, and this signal is listed. It's object #902. Apparently Uber gets their data from somewhere else.
 https://goo.gl/maps/dzxEaaqWaAC2 https://data.sfgov.org/Transportation/Map-of-Traffic-Signals...
Let me backup my claim with examples:
GitHub AirBnB Uber CloudFlare
- 2000 engineers
- 1000 services
- 8000 git repositories
I can understand fast growth but on the services and git repository side considering that most of the engineers are new it struck me not as fast but more as out of control growth.
At the beginning you may not control so much but you hire people that are disciplined. Later one needs a certain amount of structure.
The stories from the legal front, financial front and handling of public relations are very consistent with what I observed on the technical side.
Even with those low numbers these days, a lot of women who are interested in programming and computer science are chased away early on, or they quickly move into more welcoming fields. So it's true that among senior staff, women are even less well represented.
This isn't just a bad thing for the women who are harassed, mistreated, or just made to feel unwelcome. It's a bad thing for the industry. If women are unwelcome, we're throwing away half of the talented engineers before they even get started.
For all those reasons, Rob is right that role models are important. But even more important: we need to stop chasing women from the field. You have to stop the bleeding before you can start improving. The recent stories out of Uber make it clear that the technology industry is at risk of moving backwards if we aren't already.
They don't need to be chosen "just because" :/ they should be chosen based on merit, otherwise, how good of a role model would that person become?
I.e. women can start computing companies, and hire women. Women do not need permission from men to do this, nor do they need favor from men.
Merit is equal parts nature and nurture. "Pushing women into positions of influence" can also be interpreted as identifying high-performers capable of filling senior roles and then helping them get there.
This does mean giving them an unfair advantage, but only in the sense that life is unfair in general. Ultimately they are the most capable individuals for the roles they assume, and lifting them to that level pays dividends for our entire industry.
If you believe in both bolstering the meritocracy and furthering gender equality (as I do), this should be your reaction. Positioning a meritocratic ideal as in opposition to equal representation is just veiled misogyny.
'Just because' what? You're asking for 'more women excelling in the field' but promoting somebody just because isn't going to make them excel.
If, on the other hand, brilliant women were not being promoted 'just because' that would suggest a problem. But is this so?
I find the idea that we should "push them into positions of influence" abhorrent. These are zero sum games, to give them a special advantage over any other demographic is to disadvantage another. This is antithetical to everything most people believe about fairness and equality. And what of the girls who learn that their role models have been given a handicap, pushed upwards beyond their skill by well-meaning but naive men? What sort of message will that send to them?
None of this is even mentioning the basic question of, what do we even get out of trying to "correct" disparities in employment demographics? How do we even know that women as a demographic have an equal interest in computer science to men? If they don't, what do we get out of "correcting" the disparity by given them special treatment, handicaps, incentives, etc?
Pushing people into positions of influence based on their gender is nothing other than deeply sexist, discriminatory to people who don't need to be pushed, and should be absolutely unacceptable to anyone who actually cares about equality.
> It may take proactive behavior, like choosing a women over a man when growing your team, just because, or promoting women more freely.
Doing this would violate the Civil Rights Act, which prohibits hiring discrimination based on, "race, color, religion, sex, or national origin". I'm also sure such a practice would be extremely counterproductive.
Back when I was contracting I visited a lot of sites, my heart would sink when it was an all male team, you just knew the tone would be different.
 if you don't see his story as a parody, intentional or otherwise, look again...
But if diversity is your yardstick, then it's surprising how much better the military services are at it than tech. Indeed, if I were an ambitious woman, I am not sure that's not the path to take for tech.
feminine social primacy != equality
Why is this part of the narrative of women in STEM? Do people not realize this language is counterproductive?
what does wallflowers mean here?
definition 3 ? http://www.urbandictionary.com/define.php?term=wallflower
I feel exactly the same way. After undergrad, I assembled a board game group with my male friends. Some girls (girlfriends, invited drop-ins) became regulars, and for a long while, the group was pretty much 50/50. It had never been so good.
Eventually some things happened, people moved away, and eventually the group became 100% male, nerdy guys. It was a pale shadow of its own self. I eventually lost interest in it altogether, and we get together very infrequently now.
It had nothing to do with dating or romance. I never bothered figuring exactly what it was that made the group better. As far as I'm concerned, diversity for the sake of diversity is a noble goal.
Many other professional and educational anecdotes contribute to this last belief, not just this board game example, but it is representative.
1. Add red-tinted water to the jar to counter-balance the existing blue-tinted water in the jar.
2. Add more clean water to the jar to dilute the blue-tinted water.
Question: Which solution would result in clearer water?
Can we please just stop all this PC bullshit. Robo Pike obviously doesn't realize that the reason these women attending that meeting are so excellent is because there are so few of them. I.e. only those survived/came so far who have actual skills.
The same goes for computer science. The women who are really skilled and who really want to work in this field WILL work in this field. Which, of course, means there will be less of them. I mean, we already got enough incompetent men in sotware engineering/computer science. Do we really need to flood the field with incompetent women? And on top of that, celebrate their non-achievement of being a woman?
Regarding role models: why can't women simply choose a male role model? Is the gender of their role models really that much more important than their achievements? Shouldn't you look up to someone because, let's say, they are especially skilled in their field instead of their genitals? (Same goes for men choosing a female role model)
Look at it from the other way around: has any man in fashion ever complained about there not being enough male role models in fashion (a field clearly dominated by women)?
And the only ones who ever complained about impoliteness are women and effeminates. If you judge people by hurt feelings instead of actual skills, then you end up with shit like being banned from the golang community for pointing out that someone's English is incomprehensible!
If women have something to contribute to the respective field, then they are more than welcome. If not, then they can simply fuck off (just as all those incompetent men).
I am all for equality in chances for all people, men and women, black and white, gay and straight, anything really, but this affirmative action "promote X because she is a women" (or black, or XXX) is something I will fight against with all my being and all my forces until the day I die.
I strongly feel this type of insidious thinking is the most dangerous thing facing humanity today, worse than global warming, the united states, or global war. I will never be silent against this rampant so-called-positive sexism.
This really stood out for me. I'm always tempted, while writing something specific, to generalize it. I try to resist that, when I recognize it. Writing a ThingThatImWritingFramework risks ThingThatImWriting never seeing the light of day, or never being used.
It is easy to slide into an OCD mindset when programming, to make things tidy and proper. It feels dirty to make stuff just work, to make stuff disposable, but evolution operates a lot like this - many little, reversible mistakes that add up to big improvements quicker than any other method.
This one is also nice, especially for mid to large software houses. As long as a common denominator is respected, I guess.
I disagree with this so much, prototypes and proof of concepts teach you so much but usually they are crap you will always write it better a second time. Throw away the prototype and re-write it as a much better implementation.
These are achievements beyond belief.
Because I had previously read that it was a myth:
Both this guide and Use The Index Luke seem to be good resources. Later I realized that maybe the guide had listed this optimization tips in order of importance. After all "1. Leftmost rule" and "2. Ranges to the right" are the ones that affect the most the usability of the index. Then the seemingly opposite viewpoints converge.
I'll be expanding it in the coming months as the new features in MySQL 8.0 are released. On my TODO is descending indexes, improvements to OPTIMIZER TRACE, Window functions, CTEs and expanding the info on character sets.
Brazil has a very high crime rate. Our northeast capital cities (where Uber started to accept cash as customers were asking for this) are among the most dangerous in the world regarding murder rate.
The "express kidnapping" is very very common here in So Paulo.
If you consider the crime problem in Brazil, Uber is quite irrelevant on all of this. And it is fairly obvious that if have a big enough operation here, crime will happens to you too.
I am not saying that Uber has no responsibilities in supporting its drivers and passengers (preventing before and supporting after the crime). But this story seems to just want to capitalize on Uber bad reputation.
And the title is quite exagerated and click baity
At least Uber gives the police more to go on during their investigation (GPS logs, ID info).
Uber is under pressure to do something, so they did something that is both ineffective and frustrating!
Name + CPF + birthdate is not an effective security measure in Brazil because anyone can find a valid combination on the web. And visitors to Brazil obviously won't have CPF numbers, so this security measure is going to be a hassle for them.
I'll explain a little bit more about why the CPF is so easy to discover and misappropriate:
Brazilians are asked for their CPF number everywhere. (The CPF is the Brazilian equivalent of the U.S. social security number.) You're asked for it when taking an inter-city bus, special ordering a book at a bookstore, or signing the register in a building lobby. Birthdate is asked less often but still much more commonly than in the U.S. The reason is often not for security but to disambiguate people.
In Brazil, 10% of the population has Silva as a last name. An incredibly large percentage of people have Maria, Ana, Jose, Joao as first names. If you're American, a name like "John Smith" sounds so common that it's the subject of jokes ("you made up that name?"), yet you might not actually know any John Smith's. But a Brazilian probably knows a bunch of Maria Silva's, Jose Da Silva's, and Ana DaSilva's.
You need a way to reliably differentiate between two Maria Silva's, so Brazilians ask for the CPF (and sometimes birthdate). And universities and governments regularly publish lists with peoples' full names and their CPF numbers to show graduations, admissions, fines, licensing info, whatever. All you need to do is google for <any name> + CPF, and you can find thousands of PDFs files with thousands of CPF numbers and birthdates (examples: ).
Furthermore, this is terrible for law-abiding visitors to Brazil because it becomes impossible to use services that demand a CPF number. For instance, as a visitor, you can't buy a ticket on any of the Brazilian airlines through the web. The only exception is TAM (now LATAM) that has a portal for foreigners that charges 50-100% more than a Brazilian would pay for the same flight. I don't know how Uber has implemented their new security procedure, but I'm betting that it won't be convenient for visitors!
Basically, each PDF contains a single large (421,385-byte) JPG image, followed by a few PDF commands to display the JPG. The collision lives entirely in the JPG data - the PDF format is merely incidental here. Extracting out the two images shows two JPG files with different contents (but different SHA-1 hashes since the necessary prefix is missing). Each PDF consists of a common prefix (which contains the PDF header, JPG stream descriptor and some JPG headers), and a common suffix (containing image data and PDF display commands).
The header of each JPG contains a comment field, aligned such that the 16-bit length value of the field lies in the collision zone. Thus, when the collision is generated, one of the PDFs will have a longer comment field than the other. After that, they concatenate two complete JPG image streams with different image content - File 1 sees the first image stream and File 2 sees the second image stream. This is achieved by using misalignment of the comment fields to cause the first image stream to appear as a comment in File 2 (more specifically, as a sequence of comments, in order to avoid overflowing the 16-bit comment length field). Since JPGs terminate at the end-of-file (FFD9) marker, the second image stream isn't even examined in File 1 (whereas that marker is just inside a comment in File 2).
tl;dr: the two "PDFs" are just wrappers around JPGs, which each contain two independent image streams, switched by way of a variable-length comment field.
B = 3,116,899,000,000,000,000
G = 9,223,372,036,854,775,808
Every three seconds the Bitcoin mining network brute-forces the same amount of hashes as Google did to perform this attack. Of course, the brute-force approach will always take longer than a strategic approach; this comment is only meant to put into perspective the sheer number of hashes calculated.
Release the clean one and let it spread for a day or two. Then join the torrent, but spread the malware-hosting version. Checksums would all check out, other users would be reporting that it's the real thing, but now you've got 1000 people purposely downloading ransomware from you- and sharing it with others.
Apparently it costs around $100,000 to compute the collisions, but so what? If I've got 10,000 installing my 1BTC-to-unlock ransomware, I'll get a return on investment.
This will mess up torrent sharing websites in a hurry.
Edit: some people have pointed out some totally legitimate potential flaws in this idea. And they're probably right, those may sink the entire scheme. But keep in mind that this is one idea off the top of my head, and I'm not any security expert. There's plenty of actors out there who have more reasons and time to think up scarier ideas.
The reality is, we need to very quickly stop trusting SHA1 for anything. And a lot of software is not ready to make that change overnight.
We're at the "First collision found" stage, where the programmer reaction is "Gather around a co-worker's computer, comparing the colliding inputs and running the hash function on them", and the non-expert reaction is "Explain why a simple collision attack is still useless, it's really the second pre-image attack that counts".
Collision attack: find two documents with the same hash. That's what was done here.
Second-preimage attack: given a document, find a second document with the same hash.
First-preimage attack: given an arbitrary hash, find a document with that hash.
These are in order of increasing severity. A collision attack is the least severe, but it's still very serious. You can't use a collision to compromise existing certificates, but you can use them to compromise future certificates because you can get a signature on one document that is also valid for a different document. Collision attacks are also stepping stones to pre-image attacks.
UPDATE: some people are raising the possibility of hashes where some values have 1 or 0 preimages, which makes second and first preimage attacks formally impossible. Yes, such hashes are possible (in fact trivial) to construct, but they are not cryptographically secure. One of the requirements for a cryptographically secure hash is that all possible hash values are (more or less) equally likely.
No need to wait. The option to reject SHA-1 certificates on Firefox is `security.pki.sha1_enforcement_level` with value `1`.
Other configs worth doing:
`security.ssl.treat_unsafe_negotiation_as_broken` to `true` and `security.ssl.require_safe_negotiation` to `true` also. Refusing insecure algorithms (`security.ssl3.<alg>`) might also be smart.
and his Master Thesis, whose quality is approaching a PhD thesis is here:
Note that they also only mention MiniSat as a footnote, which is pretty bad. The relevant paper is at
All of these are great reads. Highly recommended.
$ls -l sha*.pdf -rw-r--r--@ 1 amichal staff 422435 Feb 23 10:01 shattered-1.pdf -rw-r--r--@ 1 amichal staff 422435 Feb 23 10:14 shattered-2.pdf $shasum -a 1 sha*.pdf 38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-1.pdf 38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-2.pdf
$shasum -a 256 sha*.pdf 2bb787a73e37352f92383abe7e2902936d1059ad9f1ba6daaa9c1e58ee6970d0 shattered-1.pdf d4488775d29bdef7993367d541064dbdda50d383f89f0aa13a6ff2e0894ba5ff shattered-2.pdf $md5 sha*.pdf MD5 (shattered-1.pdf) = ee4aa52b139d925f8d8884402b0a750c MD5 (shattered-2.pdf) = 5bd9d8cabc46041579a311230539b8d1
* DHT/torrent hashes - A group of malicious peers could serve malware for a given hash.
* Git - A commit may be replaced by another without affecting the following commits.
* PGP/GPG -- Any old keys still in use. (New keys do not use SHA1.)
* Distribution software checksum. SHA1 is the most common digest provided (even MD5 for many).
Edit: Yes, I understand this is a collision attack. But yes, it's still a attack vector as 2 same blocks can be generated now, with one published, widely deployed (torrent/git), and then replaced at a later date.
See https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2013... and https://bitcoinchain.com/block_explorer/address/37k7toV1Nv4D...
and it's super effective: The possibility of false positives can be neglected as the probability is smaller than 2^-90.
It's also interesting that this attack is from the same author that detected that Flame (the nation-state virus) was signed using an unknown collision algorithm on MD5 (cited in the shattered paper introduction).
Pretty close in his estimation.
It says "Upload any file to test if they are part of a collision attack."
When I upload either of their two sample collision documents, it says they are "Safe."
Is there a rough calculation in terms of today's $$$ cost to implement the attack?
I know the attack isn't practical today, but the writing is on the wall.
Actually a serious question. How do we communicate something like this to the general public?
And this, my friends, is why the big players (google, Amazon, etc) will win at the cloud offering game. When the instances are not purchased they can be used extensively internally.
In their example they've created two PDFs with the same SHA-1. Could I replace the blob in a git repo with the "bad" version of a file if it matches the SHA-1?
I don't expect one overnight. For one, as noted, this is a collision attack, one which took a large scale of power to achieve. In light of that, I don't think the integrity of git repos is in immediate danger. So I don't think it'd be an immediate concern of the the Git devs.
Secondly, wouldn't moving to SHA-2 or SHA-3 be a compatibility-breaking change? I'd think that would be painful to deal with, especially the larger the code base, or the more activity it sees. Linux itself would be a worst-case scenario in that regard. But, it can be pulled off for Linux, then I'd think any other code base should be achievable.
As for what I think in general about it: I'm not concerned, worried, or even scared about the effects. If anything, inelegance of brute-force aside, I think there's something very beautiful and awe-inspiring in this discovery, like solving a puzzle or maths conjecture that has remained unsolved for many years.
I remember when I first heard about MD5 and hash functions in general, and thinking "it's completely deterministic. The operations don't look like they would be irreversible. There's just so many of them. It's only a matter of time before someone figures it out." Then, years later, it happened. It's an interesting feeling, especially since I used to crack softwares' registration key schemes which often resembled hash functions, and "reversing" the algorithms (basically a preimage attack) was simply a matter of time and careful thought.
There's still no practical preimage for MD5, but given enough time and interest... although I will vaguely guess that finding SHA-256 collisions probably has a higher priority to those interested.
Is this correct?
Huh? It's been around a lot longer than 10 years.
Pretty impressive, though. And worrying, because if Google can do it, you know that state-level actors have been probably doing it for some time now (if only by throwing even more computing power at the problem).
That part from the original article seems to be missing something?
> A picture is worth a thousand words, so here it is.
This picture is meaningless to me.Can someone explain what's going on?
What this means is for all of you [developers], is to start new projects without SHA1 and plan on migrating old ones (if it's totally necessary, normally don't unless you use SHA1 for passwords).
A Great resource for those who still don't know how or what hash to use, is paragonie: https://paragonie.com/blog/2016/02/how-safely-store-password...
I think Microsoft tried to do it too early on, but eventually agreed to a more aggressive timeline.
The biggest risk I see with this is how torrents are affected:
There's also a problem with git, but I don't see it being that as susceptible as torrents:
I wonder why they did not use the 2^52 operation attack that Schneier noted in 2009?
Give me the sha1 and md5, rather than one or the other. Am I wrong in thinking even if one or both are broken individually, having both broken for the same data is an order of magnitude more complex?
My understanding of crypto concepts is very limited, but isn't this inaccurate? Hash functions do not compress anything.
They have an image too which says "<big number> SHA-1 compressions performed".
Seems weird to see basic mistakes in a research disclosure.
BTW quine relay is impressive: https://github.com/mame/quine-relay
Why? Was it in anticipation of this attack specifically?
It looks like the did the same thing or something similar in 2^57.5 SHA1 calculations back then versus 2^63 SHA1 calculations this time.
wasn't SHA-1 introduced in the 90's?
Like a NURBS based sudoku multi-hash...
That is mathematically impossible when reducing an N bit string to an M bit string, where N > M.
All hashes have collisions; it's just how hard are they to find.
The internal state would play back the same sequence from there on, just like two random number generators starting from the same seed.
Here is a comparison of internal state sizes:
SHA-256 is susceptible to this same flaw, it would just take longer because it has about about 128 bits of security instead of less than 80 for SHA-1. It looks like only SHA-3 really "gets it" with a 1600 bit state size.
After all of the effort put into making highly pseudo-random hash functions, it's a wonder that the state size was only the size of the hash. By comparison, Mersenne Twister's state size is 19937 bits (624 words of 32 bits minus 31 bits):
Does anyone know why hash algorithms keep using such small state sizes, leaving us vulnerable to this same issue?
I actually feel that this can be even more generalized: At some point people learned to create unbreakable algorithms.There is literally no mainstream crypto algorithm beyond the 2000s that has seen any significant breakage. And very likely there never will be, with one exception: quantum computers will break modern ECC.
I think there's simply a dark age of crypto research with 90s algos and earlier. Which isn't surprising: Back then people were fighting whether it's even legal to do that kind of research.
I am not very experienced with this, but isn't this clearly wrong?
If I have a controllable collision (like SHA1), I can get someone to sign document A, then destroy all evidence of document A's existence and claim they signed document B.
Isn't it essential that a digital signature scheme is immune against such an attack?
I believe that's an error: the official site puts "collision resilience" in the list of features.
The actual statements are available here https://www.fcc.gov/document/fcc-addresses-unnecessary-accou...
The sad fact is, this is yet another grim attack on net neutrality by nefarious agents who see the web as something to be dominated and bent to their will exclusivley for political and economic gain.
Like it or not, the work we do is going to become highly politicised. Are we ready for this? Do we have the moral fortitude to resist the influence that fuzzy, sloppy, and emotive politics seeks to have on our discussions?
I think back to how we handled the Brendan Eich debacle. I (regretfully) came down on the punitive side of that argument. And I participated in that debate with a level of anger and vitriol that embarrasses me now. But whichever side you took, there's no doubt that for a brief moment we were deeply divided. The Brendan Eich story was a flash in the pan compared to what is about to happen.
Should we engage in political debate, or should we avoid it? Can we buck the trend and participate in political debate in way that doesn't tear us apart, or should we ignore it as it happens around us and impacts upon our lives and work? Or is there a path between the extremes, where we can be neither ignorant to our political leanings nor beholden to them?
I don't dare offer any advice on how we should prepare ourselves for what is about to come, I just hope we can all think about how we hope to respond before it happens.
One thing I will say though, being someone prone to highly emotional reactions in all aspects of my life; developing software in teams has taught me the value of "strong opinions, weakly held".
In the tech community I see people rising up against any kind of movement against net neutrality. And I do not want to see it erode. But I worry that by becoming averse to any reversal, any compromise, the communities stance will eventually be so politicized that it is just another part of the unreasonable and ultra biased political landscape that grinds progress to a halt.
Isn't more competition among providers what we want? Shouldn't we be doing everything we can even if it's saving 6.8 hours per year in regulatory compliance to help these smaller guys be able to take on these horrible behemoths like AT&T and Comcast?
ERROR: TechCrunch is not part of your Internet Service Basic Web pack. For an extra $29.99 a month you can upgrade to Internet Service Extreme, offering access to over 50 more web sites!
Deregulation of access to consumers will result in cheaper internet and most likely faster internet speeds. However, it will concentrate power to those who already have it. Large ISPs will charge heavy bandwidth companies and only the largest heavy bandwidth companies will be able to afford the fees.
Those heavy bandwidth companies paying the fees will recoup the money through advertising. Remember newspapers and large TV media companies make the majority of their money through advertising. When companies rely on advertising, the users are no longer the customers. They are the product.
Further protecting the companies which rely on advertising will allow those companies to focus less on the customers and more on the advertisers. Companies relying on the allegiance of advertising will naturally shape their political standing to views of the advertisers. Remember also that advertisers are not paying for just eyeballs, but they are all paying for control. If a company starts moving away from their advertisers' political ideology they will lose revenue. Net Neutrality will ultimately give more control to companies that already hold power.
Just my two cents...
If provider A starts providing terrible bandwidth, incredibly high prices, and terrible service, it means that that provider X has a lucrative opportunity to provide better bandwidth, better prices, and great service.
I hope these rules aren't used to help entrenched monopolies, but provide an ripe opportunity for the space to innovate.
I hope these rules will be on the wrong side of history, but there is little stopping anyone from using the free market to their advantage.
Mine connects to yours which connects to his which connects to hers. Eventually we'll have formed a network.
I'm left hoping that's close enough to branch out wireless service in short order.
Otherwise, I'm left screwed, between an AT&T that refuses to upgrade its local network (and it's a dense, accessible, suburban neighborhood -- hardly the boonies), and a Comcast that has doubled its rates for basically the same service. Both with caps that will quickly look increasingly ridiculous in the face of the wider world of data transfer.
We'll be back to them insisting on big bucks for assymmetric streaming of big-brand content, with increasing pressure to make that their content (a la data-cap exemptions, etc.)
The headline got me sorta terrified, imagining what sort of repugnant, monstrous creature was being grinded and mixed into my Subway sandwich. Good to know at least it's just soy.
It's not a surprise that they use soy. It's just unfortunate that they have to get to this point.
I don't know if it's universal but my local subway has reduced the diameter of the bread rolls. Yes, they are 12 inches in length but they are smaller over all. Another cost cutting step that will eventually hurt them.
This story is quite inconclusive and that result could mean anything.
Another thing - I'm not sure I understand what "50 percent chicken DNA" means. It can't be literally DNA - specifically DNA is a minuscule percentage of the overall cell mass. Do they mean of all DNA samples 50% are chicken DNA and another 50% is other DNA? That'd ignore all ingredients that don't have DNA at all. Or do they mean 50% of the whole piece is chicken cells which are identified by their DNA, and another 50% of the mass is something else? I'd very much like to know what exactly they tested and how.
Maybe I'm a little dense here, but that reads very strange to me and does not seem to make any sense. A burger made of 50g chicken and 50g poly styrene would still contain 100% chicken DNA.
How much DNA (in what metrics?) does a gram of chicken contain compared to a gram of soy?
Always a challenge when the fitness test becomes 'cost' rather than 'quality' how many things can be snuck in there.
-95% of soy in the US is GMO, lacking any genetic variance and little make-up of microorganisms (good bacteria.)
-It's also a horrible source of fats, and more in particular the omega-6 to 3 ratio is incredibly hostile to basic function on the cellular level. There's also next to zero amino acids. (Think cancer risk, immune diseases, hormone disruption.)
-It's basically a carbohydrate. Considering a significant number of most of these soy-containing foods are carbs to begin with, it's just another contributor to our diabetes/obesity, cancer and most importantly, MENTAL HEALTH health epidemics. (Mental health pertaining too the poorly balanced diets, poor fats and lack of good gut microflora.)
It's alright to look at these foods as an once-in-a-while treat, but when you consider that nearly every processed food item is 'enhanced' with soy to make it cheaper and still some-what satiating is a concerning thought to just have these every so often. Rice's from Uncle Ben's, Kraft peanut butter, margerines and nearly all processed meats and cheeses contain significant amounts of soy("Vegetable Oils."
This is the current state of food created by the lobbyist-run FDA and various companies like Monsanto controlling the market for their own greed under the excuse of 'feeding the growing population.'
I wish they had tested Chick-Fil-A.
But then I got bad food poisoning at a Subway, and the weird Subway "bread" smell makes me gag still to this day.
Instead, I'll buy a veggie sandwich and bake a chicken breast myself.
I then came to the US to study 10 years ago, ate a chicken sandwich in a subway, got sick and since then I can't eat any kind of chicken without being disgusted. So, yes, it doesn't surprise me.
When I was a kid, my dad would tell me about our clan's origin story.
Basically, as Pashtuns (and some other ethnicities mixed in there), we trace our origins to Ancient Greece, and not just that, but as descendants of great greek conquerors who came and eventually settled on that land. Our origin story is all oral, (since my dad told me, and his dad told him, etc etc down the generations), so I am not sure how to corroborate them, but various things of the Afghan culture are linked to practices from Greece, etc.
I remember listening to his stories as a kid and not really caring, but now that I am older, they are really quite interesting!