HN Front Page - February 24

Google Cloud Platform is the first cloud provider to offer Intel Skylake

I’m excited to announce that Google Cloud Platform (GCP) is the first cloud provider to offer the next generation Intel Xeon processor, codenamed Skylake.

Customers across a range of industries, including healthcare, media and entertainment, and financial services, ask for the best performance and efficiency for their high-performance compute workloads. With Skylake processors, GCP customers are the first to benefit from the next level of performance.

Skylake includes Intel Advanced Vector Extensions (AVX-512), which make it ideal for scientific modeling, genomic research, 3D rendering, data analytics and engineering simulations. When compared to previous generations, Skylake’s AVX-512 doubles the floating-point performance for the heaviest calculations. In our own internal tests, it improved application performance by up to 30%.

We optimized Skylake for Google Compute Engine's complete family of VMs: standard, highmem, highcpu and Custom Machine Types, to help bring the next generation of high performance compute instances to everyone.

"Google and Intel have had a long standing engineering partnership working on Data Center innovation. We're happy to see the latest Intel Xeon technology now available on Google Cloud Infrastructure. This technology delivers significant enhancements for compute-intensive workloads, efficiently accelerating data analytics that businesses depend on for operations and growth." (Diane Bryant, Intel Executive Vice President and GM of the Data Center Group)

Skylake processors are available in five GCP regions: Western US, Eastern US, Central US, Western Europe and Eastern Asia Pacific. Sign up here to take advantage of the new Skylake processors.

You can learn more about Skylake for Google Compute Engine and see it in action at Google Cloud NEXT ’17 in San Francisco on March 8-10. Register today!


Adding a SHA1 collision vulnerability test hoses WebKit's source repository


Code.mil – An experiment in open source at the Department of Defense

The U.S. Department of Defense (DoD) faces unique challenges in open sourcing its code. Unlike most software projects, code written by U.S. Federal government employees typically doesn’t have copyright protections under U.S. and some international laws. This can make it hard to attach an open source license to our code.

So, we’re trying something a little different here.

We're looking for your comments on our proposed open source license agreement. You can submit a public comment by opening a GitHub issue on this repository by the end of March.

Build something with us.

The DoD is charged with protecting our citizens and national security. We have an incredibly diverse portfolio spanning communications, logistics, education, healthcare and even the next generation of GPS (yes, the GPS!) that supports billions of people across the globe.

We need your help in contributing to our projects to build better products and services for the American people.

Connect with us.

Meet with developers across the DoD who have been tasked with America's highest-priority missions and help build upon their work. We believe that software created by the government should be shared with the public, and we want to collaborate with civic-minded peers to make this happen.

Make us better.

We’ve drafted LICENSE-agreement.md so the DoD can use widely adopted licenses, even where we may not have copyright. This lets us harness the depth and breadth of talent in the open source and free software communities to improve our software and make our code available for public use.

We want your help to make the open source agreement better. We encourage everybody to open an issue (or a pull request!) with your suggestions before we finalize LICENSE-agreement.md by the end of March and open source our projects!


Show HN: Hasura – A Postgres BaaS and Kubernetes PaaS on Your Own Infrastructure

1. Install Hasura on your infrastructure

   Create an account on the infrastructure of your choice and add the API key to install Hasura onto it.

2. Set up the backend with Data and Auth APIs

   Model your data and get instant JSON APIs on your database, plus all your auth and social login setup.

3. Deploy custom code

   Write your frontend code and custom business logic and deploy seamlessly on the platform.

Learn Python 3 the Hard Way

When you buy directly from the author, Zed A. Shaw, you'll get a professional quality PDF and hours of HD Video, all DRM-free and yours to download and use as you see fit. Digital Download Only!

$29.99

Buy Digital Download From Zed

Or, you can read Learn Python the Hard Way for free right here, video lectures not included.


Reports of SHA-1's demise are considerably exaggerated

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Feb 24 00:42:36 EST 2017
After sitting through an endless flood of headless-chicken messages on
multiple media about SHA-1 being fatally broken, I thought I'd do a quick 
writeup about what this actually means.  In short:

  Reports of SHA-1's demise are considerably exaggerated.

What CWI/Google have done is confirmed what we've known for a long time, that 
SHA-1 is shaky.  Using a nation-state's worth of resources and a year of time 
(https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html), 
they've shown that, with a very carefully-crafted document, you can create a 
collision.  Their presentation of the results is detailed and accurate, it's
the panicked misinterpretation of those results that is the problem.

Overall, this is a neat piece of work.  However, before everyone joins the 
headless-chicken rally, let's look at its effect on real-world protocols 
that use SHA-1.  Which ones are affected by this?

SSL: Nope.
SSH: Nope.
PGP: Nope (when used for email).
S/MIME: Nope (see above).
OCSP: Nope.
IPsec: Nope.
OpenVPN: Nope.
SCEP/CMP/CMC/EST: Nope.
<lots of others>: Nope.

So what is actually affected?

Situations where you're creating signatures that need to be valid for a long 
time, and where the enormous latency between legitimate signature creation 
and forgery isn't an issue (this is why email won't be affected, having to 
wait a year between email being sent and the forgery being received will
probably raise at least some suspicions of foul play).  

What's left is long-term document signing and certificates, as pointed out
by the shattered.io FAQ.  With certificates the chances of it being 
exploitable in practice are fairly low, through a combination of CAs having 
moved away from SHA-1, the fact that certificates are only valid for a year
which means you have to race to forge before it expires, and the fact that
any CAs that weren't already randomising serial numbers before the earlier 
MD5 forged-cert attack will be doing it now.

Even for long-term document signing, these are frequently countersigned by
a TSA to deal with the fact that the original signing certificate will 
expire after a year, in which case they're safe as well.

Finally, with other stuff (software updates, ISOs, and others), (a) why were 
you still using SHA-1, and (b) you now have about 6-12 months to finally 
move to SHA-256, and this time we mean it.

For everything else, you really do need to plan the move to SHA-256.  Think
of this as a practical application of Wright's Principle, "Security won't 
get better until tools for practical exploration of the attack surface are 
made available".

Peter (who's at the tail end of a conference and only half awake, so I'll
       need to go through the paper in more detail tomorrow in case there's
       something I missed).
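Gutmann's point that certificates are hard to exploit because CAs randomise serial numbers is worth seeing in code. The following is an added example, not part of the mailing-list post: it uses a toy hash (SHA-1 truncated to 16 bits, so a birthday collision costs a few hundred tries) to show that a collision precomputed against a predictable prefix transfers a signature from a benign document to its malicious twin, while a serial drawn at signing time breaks the precomputation. All function names and the constructed inputs are assumptions made for the illustration; the truncation only makes the collision cheap, the structure of the argument is the same for full SHA-1.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

TRUNC_BYTES = 2  # toy hash keeps 16 bits of SHA-1 so a collision is cheap to find


def toy_hash(data: bytes) -> bytes:
    """Stand-in for a weak hash: SHA-1 truncated to TRUNC_BYTES (assumption for the demo)."""
    return hashlib.sha1(data).digest()[:TRUNC_BYTES]


def find_collision(known_prefix: bytes) -> Tuple[bytes, bytes]:
    """Birthday search for two distinct bodies that collide under toy_hash when
    appended to a prefix the attacker already knows. This models the shattered.io
    setting: the colliding pair is built before anything is signed."""
    seen: Dict[bytes, bytes] = {}
    counter = 0
    while True:
        body = counter.to_bytes(4, "big")  # counter is strictly increasing, so bodies are distinct
        digest = toy_hash(known_prefix + body)
        if digest in seen:
            return seen[digest], body
        seen[digest] = body
        counter += 1


def sign_predictable(serial: bytes, message: bytes) -> bytes:
    """Signer whose serial the attacker can guess (e.g. sequential). The 'signature'
    is just the hash of serial || message; a real signature would cover that hash."""
    return toy_hash(serial + message)


def sign_randomised(message: bytes, serial: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Same signer, but the serial is fresh randomness chosen at signing time, so
    it is not part of any prefix the attacker could have precomputed against."""
    if serial is None:
        serial = os.urandom(16)
    return serial, toy_hash(serial + message)


def verify(serial: bytes, message: bytes, tag: bytes) -> bool:
    return toy_hash(serial + message) == tag


def forgery_transfers_predictable(serial: bytes) -> bool:
    """Attacker knows the serial, builds a colliding pair under it, has the benign
    half signed, and checks whether the signature also verifies the other half."""
    benign, malicious = find_collision(serial)
    tag = sign_predictable(serial, benign)  # signer only ever sees the benign half
    return verify(serial, malicious, tag)


def forgery_transfers_randomised(guessed_serial: bytes, trials: int = 20) -> int:
    """Attacker precomputes the pair against a guessed serial, but the signer draws a
    fresh random serial every time. Returns how many of `trials` signatures over the
    benign half also verify the malicious half (expected: about trials / 65536)."""
    benign, malicious = find_collision(guessed_serial)
    transfers = 0
    for _ in range(trials):
        serial, tag = sign_randomised(benign)
        if verify(serial, malicious, tag):
            transfers += 1
    return transfers


if __name__ == "__main__":
    guessed = b"\x00\x00\x00\x07"  # constructed: a sequential serial the attacker predicts
    print("predictable serial, forgery verifies:", forgery_transfers_predictable(guessed))
    print("random serial, transfers out of 20:", forgery_transfers_randomised(guessed))
```

The same reasoning covers Gutmann's "Nope" list: a protocol that mixes fresh nonces or ephemeral keys into what gets hashed (TLS, SSH, IPsec) leaves the attacker no fixed prefix to precompute a collision against.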



Filecoin – A Cryptocurrency Operated File Storage Network

Earn Filecoin by renting disk space

You install Filebox -- the Filecoin mining client -- and allocate some disk space to rent. Filebox then stores others' files to mine Filecoin for you.

Store files in the network

With Filebox, you can spend Filecoin to store your files in the network. Other miners will then replicate your files.

Transact with Filecoin, just like Bitcoin

You can issue transactions and send value just like with Bitcoin and other cryptocurrencies. And by doing so, you're helping to back up the network's files!

Exchange Filecoin for other currencies, like Bitcoin

Filecoin exchanges will allow users to exchange Filecoin for Bitcoin, USD, and other currencies.


List of Sites Affected by Cloudflare's HTTPS Traffic Leak

This is a (work-in-progress) list of domains possibly affected by the CloudBleed HTTPS traffic leak. Original vuln thread by Google Project Zero.

DISCLAIMER:

This list contains all domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data). It's a broad, sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.

Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I'm compiling an unofficial list here so you know what passwords to change.

Impact

Between 2016-09-22 and 2017-02-18, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered, the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. This means a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare's proxy services (including HTTP & HTTPS proxy).

"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k paged with private data leaked every day" -- source

You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22scheme%22%3A%22http%22%7D+CF-Host-Origin-IP&t=h_&ia=web

Confirmed affected domains found in the wild: http://doma.io/2017/02/24/list-of-affected-cloudbleed-domains.html

What should I do?

Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and because all Cloudflare proxy customers were vulnerable to having data leaked, it's better to be safe than sorry.

Theoretically, sites not on this list can also be affected (because an affected site could have made an API request to an unaffected one), so you should probably change all your important passwords.

Submit PRs to add domains that you know are using Cloudflare, or remove domains that are not affected.

Methodology

This list was compiled from 3 large dumps of all Cloudflare customers provided by crimeflare.com/cfs.html, and several manually copy-pasted lists from stackshare.io and wappalyzer.com. Crimeflare collected their lists by doing NS DNS lookups on a large number of domains, and checking SSL certificate ownership.

I scraped the Alexa top 10,000 by using a simple loop over the list:

# fish shell: for each domain in the Alexa CSV, record it if its NS records mention cloudflare
for domain in (cat ~/Desktop/alexa_10000.csv)
    if dig $domain NS | grep -q cloudflare
        echo $domain >> affected.txt
    end
end

The Alexa scrape and the crimeflare dumps were then combined in a single text file, and passed through uniq | sort. I've since accepted several PRs and issues to remove sites that were unaffected from the list.

Data sources:

I'd rather be safe than sorry, so I've included any domain here that remotely touches Cloudflare. If I've made a mistake and you believe your site is not affected, submit a PR and I will merge it ASAP; I don't want to hurt anyone's reputation unnecessarily.

You can also ping me on Twitter @theSquashSH and I'll respond as soon as I can.

Full List

Download the full list.zip (22 MB)

4,287,625 possibly affected domains. Download this file, unzip it, then run grep -x domaintocheck.com sorted_unique_cf.txt to see if a domain is present.
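The methodology above (classify a domain by whether its NS records mention Cloudflare, merge several source lists into one sorted, de-duplicated file, then check membership with an exact match) is easy to get subtly wrong: case differences and trailing dots in DNS names produce duplicate entries, and `grep cloudflare` without `-x` style matching can pick up unrelated hosts. The following is an added example, not the repository's own code, that performs those steps offline over constructed sample NS answers (the domains and nameservers are made up; real lookups would come from `dig`). As the disclaimer says, an NS-based test over-approximates: it also catches DNS-only customers who never used the proxy.

```python
import bisect
from typing import Dict, Iterable, List

# Constructed sample of what `dig <domain> NS +short` might return for a few
# domains. These are invented for the example, not real lookup results.
SAMPLE_NS_ANSWERS: Dict[str, List[str]] = {
    "example-shop.test": ["dana.ns.cloudflare.com.", "rob.ns.cloudflare.com."],
    "example-bank.test": ["ns1.example-bank.test.", "ns2.example-bank.test."],
    "example-blog.test": ["ns-cloud-a1.googledomains.com."],
    "example-forum.test": ["KIM.NS.CLOUDFLARE.COM."],  # upper-case answer, still Cloudflare
}


def uses_cloudflare_ns(ns_records: Iterable[str]) -> bool:
    """The README's `dig $domain NS | grep cloudflare` test applied to already
    fetched NS answers. Case-insensitive because DNS names are."""
    return any("cloudflare" in record.lower() for record in ns_records)


def classify(answers: Dict[str, List[str]]) -> List[str]:
    """Return the domains whose nameservers mention Cloudflare (the Alexa scrape step)."""
    return [domain for domain, ns in answers.items() if uses_cloudflare_ns(ns)]


def normalise(domain: str) -> str:
    """Lower-case and drop the trailing dot so the same host is not listed twice."""
    return domain.strip().lower().rstrip(".")


def merge_sources(*sources: Iterable[str]) -> List[str]:
    """Combine several domain lists (scrape, dumps, copy-pasted lists) into one
    sorted, de-duplicated list: the 'combined in a single text file' step."""
    seen = set()
    for source in sources:
        for raw in source:
            domain = normalise(raw)
            if domain:
                seen.add(domain)
    return sorted(seen)


def is_listed(domain: str, sorted_domains: List[str]) -> bool:
    """Exact-match membership test, the equivalent of `grep -x domain file` on
    the sorted list; bisect keeps lookups logarithmic over millions of entries."""
    key = normalise(domain)
    i = bisect.bisect_left(sorted_domains, key)
    return i < len(sorted_domains) and sorted_domains[i] == key


if __name__ == "__main__":
    alexa_hits = classify(SAMPLE_NS_ANSWERS)
    other_dump = ["Example-Shop.test", "example-chat.test."]  # constructed second source
    combined = merge_sources(alexa_hits, other_dump)
    for domain in combined:
        print(domain)
    print("example-bank.test listed:", is_listed("example-bank.test", combined))
```

Feeding the script real data means replacing SAMPLE_NS_ANSWERS with the output of your own NS lookups; the merge and membership functions work unchanged on the full list.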

Also, a list of some iOS apps that may have been affected.

Notable Sites

  • authy.com
  • coinbase.com
  • betterment.com
  • transferwise.com
  • prosper.com
  • digitalocean.com
  • patreon.com
  • bitpay.com
  • news.ycombinator.com
  • producthunt.com
  • medium.com
  • 4chan.org
  • yelp.com
  • okcupid.com
  • zendesk.com
  • uber.com
  • namecheap.com (not affected)
  • poloniex.com
  • localbitcoins.com
  • kraken.com
  • 23andme.com
  • curse.com (and some other Curse sites like minecraftforum.net)
  • counsyl.com
  • tfl.gov.uk
  • stackoverflow.com (confirmed not affected by StackOverflow's @alienth)
  • fastmail.com (not affected, #2)
  • 1password.com (not affected)

Alexa Top 10,000 affected sites:

  • upwork.com
  • codepen.io
  • fiverr.com
  • thepiratebay.org
  • extratorrent.com
  • getbootstrap.com
  • jquery.com
  • laravel.com
  • laracasts.com
  • seriouseats.com
  • bitdefender.com
  • ziprecruiter.com
  • glassdoor.com
  • pastebin.com
  • fitbit.com
  • discordapp.com
  • change.org
  • feedly.com
  • zoho.com
  • irccloud.com
  • 000webhost.com
  • 1001freefonts.com
  • 101greatgoals.com
  • 10minutemail.com
  • 123telugu.com
  • 1hhhh.net
  • 1jux.net
  • 1news.az
  • 1sale.com
  • 1stwebdesigner.com
  • 24horas.cl
  • 24sata.hr
  • 2ch-c.net
  • 2ch.hk
  • 2ch.net
  • 2ip.ru
  • 3bmeteo.com
  • 4chan.org
  • 4dsply.com
  • 4pda.ru
  • 4tube.com
  • 5giay.vn
  • 800notes.com
  • 96down.com
  • abidjan.net
  • abs-cbnnews.com
  • adafruit.com
  • add-anime.net
  • addicted2success.com
  • addictinginfo.org
  • addmefast.com
  • addtoany.com
  • adf.ly
  • adfoc.us
  • ads-id.com
  • adult-empire.com
  • advfn.com
  • adxpansion.com
  • aflam4you.tv
  • aflamneek.com
  • aftabir.com
  • agilebits.com
  • ahlamontada.com
  • ahlynews.com
  • ahnegao.com.br
  • aitnews.com
  • aksam.com.tr
  • aktifhaber.com
  • al-akhbar.com
  • aleqt.com
  • alexaboostup.com
  • alfajertv.com
  • alfavita.gr
  • alhilal.com
  • alison.com
  • alistapart.com
  • aljaras.com
  • allanalpass.com
  • all.biz
  • allkpop.com
  • allmyvideos.net
  • alltop.com
  • almaany.com
  • almasryalyoum.com
  • almesryoon.com
  • alnaharegypt.com
  • alphacoders.com
  • alrakoba.net
  • alternativeto.net
  • alternet.org
  • alwafd.org
  • alwatanvoice.com
  • alweeam.com.sa
  • amadershomoybd.com
  • amarujala.com
  • amino.dk
  • anandabazar.com
  • androidauthority.com
  • androidcentral.com
  • androidpolice.com
  • angloinfo.com
  • anime44.com
  • animeflv.net
  • animeid.tv
  • animenewsnetwork.com
  • anipo.jp
  • anitube.se
  • ann.az
  • annunci69.it
  • antarvasna.com
  • antena3.ro
  • antyweb.pl
  • any.gs
  • ap7am.com
  • apherald.com
  • apne.tv
  • aporrea.org
  • appadvice.com
  • appbrain.com
  • appstorm.net
  • arabsh.com
  • archive.is
  • argentinawarez.com
  • arioo.com
  • aristeguinoticias.com
  • armorgames.com
  • arouraios.gr
  • articlesnatch.com
  • ashleymadison.com
  • ashleyrnadison.com
  • atlas.sk
  • attracta.com
  • atwiki.jp
  • authorstream.com
  • avaaz.org
  • avaz.ba
  • avazutracking.net
  • avito.ma
  • avito.ru (confirmed by @toogle from Avito.ru as not affected)
  • avn.info.ve
  • azertag.com
  • aznews.az
  • azyya.com
  • b1.org
  • bab.la
  • babyoye.com
  • backlinks.com
  • bakufu.jp
  • bancdebinary.com
  • banglanews24.com
  • barstoolsports.com
  • bbspink.com
  • bc.vc
  • bdr130.net
  • beeg.com
  • behindwoods.com
  • belboon.com
  • bestblackhatforum.com
  • bezaat.com
  • bicaps.com
  • bigrock.in
  • bikroy.com
  • billiger.de
  • billionuploads.com
  • binaryoptionsnewbies.com
  • binsearch.info
  • bitcoincharts.com
  • bitshare.com
  • bitsnoop.com
  • bizsugar.com
  • blackhatteam.com
  • blackhatworld.com
  • blankrefer.com
  • bleepingcomputer.com
  • blekko.com
  • blinklist.com
  • blip.tv
  • blockchain.info
  • blogcatalog.com
  • blogfa.com
  • blogs.com
  • boards.ie
  • boo-box.com
  • boxden.com
  • boxingscene.com
  • brainpickings.org
  • brainyquote.com
  • brandyourself.com
  • brasil247.com
  • briian.com
  • broadwayworld.com
  • bronto.com
  • brooonzyah.net
  • brusheezy.com
  • btc-e.com
  • bubblews.com
  • bufferapp.com
  • bukkit.org
  • burbuja.info
  • burnews.com
  • business2blogger.com
  • businessforhome.org
  • buzztheme.net
  • camplace.com
  • cancan.ro
  • careers360.com
  • car.gr
  • catracalivre.com.br
  • cbox.ws
  • cda.pl
  • ce4arab.com
  • celebuzz.com
  • charter97.org
  • chatrandom.com
  • cheathappens.com
  • chinavasion.com
  • chomikuj.pl
  • christian-dogma.com
  • cima4u.com
  • ciudad.com.ar
  • ck101.com
  • clasicooo.com
  • classifiedads.com
  • cleanfiles.net
  • clickbank.com
  • clickbank.net
  • clip.vn
  • clixsense.com
  • cloudflare.com
  • clubedohardware.com.br
  • cmse.ru
  • codepen.io
  • codeschool.com
  • coinbase.com
  • col3negoriginal.lk
  • colourlovers.com
  • comicbookmovie.com
  • compucalitv.com
  • copacet.com
  • cpalead.com
  • cpasbien.com
  • cpasbien.me
  • crackberry.com
  • creativecommons.org
  • cricfree.tv
  • crictime.com
  • crocko.com
  • crosswalk.com
  • crunchbase.com
  • crunchyroll.com
  • cs-cart.com
  • cssdeck.com
  • cucirca.eu
  • curse.com
  • cyanogenmod.org
  • cyberchimps.com
  • cyberpresse.ca
  • dailycaller.com
  • daisycon.com
  • dangerousminds.net
  • dardarkom.com
  • dashnet.org
  • davidicke.com
  • davidwalsh.name
  • dawanda.com
  • dawn.com
  • de10.com.mx
  • deadline.com
  • defaultsear.ch
  • defencenet.gr
  • definebabe.com
  • demandforce.com
  • demotywatory.pl
  • deperu.com
  • desidime.com
  • designboom.com
  • designfloat.com
  • designtaxi.com
  • desirulez.net
  • desi-tashan.com
  • desitorrents.com
  • desmotivaciones.es
  • destructoid.com
  • deutsche-wirtschafts-nachrichten.de
  • dev-point.com
  • dhakatimes24.com
  • diariocontraste.com
  • diariodemorelos.com
  • diario.mx
  • diary.ru
  • dicelacancion.com
  • diffen.com
  • digikala.com
  • digitalocean.com
  • digital-photography-school.com
  • digitalpoint.com
  • discuss.com.hk
  • divxplanet.com
  • divxstage.eu
  • dizi-mag.com
  • djmaza.info
  • dlink.com
  • dl-protect.com
  • dnevnik.hr
  • doba.com
  • doisongphapluat.com
  • doityourself.com
  • doostiha.ir
  • dostor.org
  • dota2lounge.com
  • downloadatoz.com
  • downloadming.me
  • downloads.nl
  • dpstream.net
  • drakulastream.eu
  • dramasonline.com
  • dreamamateurs.com
  • dreamincode.net
  • dreamteammoney.com
  • dreamtemplate.com
  • droid-life.com
  • drudgereport.com
  • dryicons.com
  • dsdomination.com
  • duedil.com
  • dumpert.nl
  • dx.com
  • eatlocalgrown.com
  • ebs.in
  • e-cigarette-forum.com
  • econsultancy.com
  • edublogs.org
  • e-estekhdam.com
  • efukt.com
  • egaliteetreconciliation.fr
  • egyup.com
  • el-ahly.com
  • elance.com
  • el-balad.com
  • elbilad.net
  • elbotola.com
  • eldia.com.ar
  • elephantjournal.com
  • elespectador.com
  • elfagr.org
  • elheddaf.com
  • elitepvpers.com
  • elitetorrent.net
  • elkhabar.com
  • elpais.com.uy
  • elshaab.org
  • elwatannews.com
  • el-wlid.com
  • emailmeform.com
  • emoneyspace.com
  • e-monsite.com
  • encuentra24.com
  • englishforums.com
  • enjoydressup.com
  • enwdgts.com
  • epidemz.net
  • erepublik.com
  • ero-advertising.com
  • ethnos.gr
  • etxt.ru
  • excellentbux.net
  • expatriates.com
  • experts-exchange.com
  • explosm.net
  • express.com.pk
  • express.pk
  • extabit.com
  • extratorrent.cc
  • extratorrent.com
  • eyny.com
  • ezilon.com
  • eztv.it
  • fabthemes.com
  • fakenamegenerator.com
  • fakku.net
  • fanpop.com
  • fansided.com
  • fansshare.com
  • fanswong.com
  • fantasy8.com
  • fap.to
  • fatakat.com
  • feedio.net
  • feedly.com
  • fenopy.se
  • ffffound.com
  • filecloud.io
  • filelist.ro
  • filenuke.com
  • filesfetcher.com
  • filgoal.com
  • filmey.com
  • filmifullizle.com
  • fishki.net
  • fiverr.com
  • fok.nl
  • fontspace.com
  • forbes.ru
  • forex4you.org
  • forexpeacearmy.com
  • forgifs.com
  • foro20.com
  • foroactivo.com
  • forobeta.com
  • forocoches.com
  • forosdelweb.com
  • forumactif.com
  • forumactif.org
  • forum.hr
  • forumophilia.com
  • forumotion.com
  • fotka.pl
  • fotolog.net
  • foundationapi.com
  • fragrantica.com
  • frandroid.com
  • freakshare.com
  • freekaamaal.com
  • freelanceswitch.com
  • freeonlinegames.com
  • freepatriot.org
  • freepornvs.com
  • free-press-release.com
  • free-tv-video-online.me
  • freewebs.com
  • freshdesignweb.com
  • fresherslive.com
  • frmtr.com
  • frombar.com
  • fsiblog.com
  • fssnet.co.in
  • fuckbooknet.net
  • fullhdfilmizle.org
  • fun698.com
  • funnyjunk.com
  • funnymama.com
  • fuskator.com
  • futhead.com
  • fux.com
  • gaaks.com
  • game321.com
  • gameblog.fr
  • game-debate.com
  • gamefront.com
  • gamer.com.tw
  • games.la
  • gamestorrents.com
  • gametracker.com
  • gamevicio.com
  • gamme.com.tw
  • geenstijl.nl
  • genteflow.com
  • geo.tv
  • getbootstrap.com
  • getcashforsurveys.com
  • getfireshot.com
  • getglue.com
  • gezginler.net
  • gezinti.com
  • gfxtra.com
  • gfy.com
  • ghanaweb.com
  • ghost.org
  • gigaom.com
  • gigporno.com
  • gistmania.com
  • glassdoor.com
  • globalewallet.com
  • globovision.com
  • gmane.org
  • godvine.com
  • gofuckbiz.com
  • gogoanime.com
  • goldenline.pl
  • goldesel.to
  • goldporntube.com
  • goldprice.org
  • gooddrama.net
  • good.is
  • goodsearch.com
  • gossiplankanews.com
  • gottabemobile.com
  • graaam.com
  • grasscity.com
  • greenwichmeantime.com
  • grindtv.com
  • gsmhosting.com
  • gsmspain.com
  • gtaforums.com
  • gulli.com
  • gun.az
  • gyazo.com
  • h2porn.com
  • hackforums.net
  • haivl.com
  • haivl.tv
  • hamariweb.com
  • hammihan.com
  • haqqin.az
  • hardsextube.com
  • hardwareluxx.de
  • hawamer.com
  • hawkhost.com
  • hayah.cc
  • hdfcbank.com
  • healthkart.com
  • heavy-r.com
  • hespress.com
  • hibapress.com
  • hightrafficacademy.com
  • hihi2.com
  • hiphopdx.com
  • hir.ma
  • hitleap.com
  • hizliresim.com
  • hkgolden.com
  • hobbyking.com
  • hockeysfuture.com
  • holiday-weather.com
  • hostgator.com.br
  • hostgator.in
  • hostingflame.org
  • hotair.com
  • hotarabchat.com
  • hotfrog.com
  • hottube.me
  • hotukdeals.com
  • howtoforge.com
  • hubpages.com
  • hugedomains.com
  • hugefiles.net
  • humblebundle.com
  • humoron.com
  • hvg.hu
  • icefilms.info
  • iconarchive.com
  • identi.li
  • idlebrain.com
  • iitv.info
  • ijreview.com
  • ikman.lk
  • ilbe.com
  • ilyke.net
  • imagecurl.org
  • imageporter.com
  • imagetwist.com
  • imgchili.com
  • imgchili.net
  • imgdino.com
  • imgserve.net
  • imgtiger.com
  • imore.com
  • impiego24.it
  • inbound.org
  • index.hr
  • index-of-mp3s.com
  • india-forums.com
  • indiafreestuff.in
  • indiangilma.com
  • indianpornvideos.com
  • indiansexstories.net
  • indowebster.com
  • inews.gr
  • infibeam.com
  • infolinks.com
  • informationng.com
  • informe21.com
  • inkedmag.com
  • inlinkz.com
  • inquirer.net
  • insight.ly
  • instantcheckmate.com
  • intercambiosvirtuales.org
  • intereconomia.com
  • internethaber.com
  • interpals.net
  • ioffer.com
  • iol.co.za
  • iphoneogram.com
  • iphones.ru
  • ipiccy.com
  • iptorrents.com
  • islammemo.cc
  • italiafilm.tv
  • it-ebooks.info
  • ittefaq.com.bd
  • ixl.com
  • jagobd.com
  • jang.com.pk
  • javascript.ru
  • jeanmarcmorandini.com
  • j.gs
  • jne.co.id
  • joemonster.org
  • johnchow.com
  • jonloomer.com
  • joomla.fr
  • joomlart.com
  • joomshaper.com
  • jotform.com
  • jquery.com
  • jquerymobile.com
  • jqueryui.com
  • jusbrasil.com.br
  • justunfollow.com
  • jutarnji.hr
  • jvzoo.com
  • kaban.tv
  • kalahari.com
  • kanui.com.br
  • karnaval.com
  • katproxy.com
  • keep2share.cc
  • khabarfarsi.com
  • khmerload.com
  • kingworldnews.com
  • kinogo.net
  • kinox.to
  • kinozal.tv
  • kleiderkreisel.de
  • klicktel.de
  • klix.ba
  • kn3.net
  • komikid.com
  • korabia.com
  • kora-online.tv
  • korben.info
  • krucil.net
  • ktonanovenkogo.ru
  • kure.tv
  • kwejk.pl
  • lankacnews.com
  • lapatilla.com
  • laravel.com
  • largeporntube.com
  • latribune.fr
  • laughingsquid.com
  • layalina.com
  • lebuteur.com
  • legiaodosherois.com.br
  • lenskart.com
  • levelup.com
  • lewrockwell.com
  • libertagia.com
  • life.com.tw
  • light-dark.net
  • liilas.com
  • lik.cl
  • like4like.org
  • likesasap.com
  • likes.com
  • limetorrents.com
  • linkbucks.com
  • linkcollider.com
  • linkconnector.com
  • linkcrypt.ws
  • linksmanagement.com
  • listcovery.com
  • listverse.com
  • livememe.com
  • lolinez.com
  • lolnexus.com
  • looti.net
  • lumfile.com
  • m5zn.com
  • mafiashare.net
  • makeameme.org
  • makeupandbeauty.com
  • makezine.com
  • malaysiakini.com
  • malwaretips.com
  • managewp.com
  • mangafox.me
  • mangahere.com
  • mangapanda.com
  • mangareader.net
  • mangastream.com
  • manoto1.com
  • maplestage.com
  • marathonbet.com
  • marketglory.com
  • marunadanmalayali.com
  • matchesfashion.com
  • mathsisfun.com
  • matthewwoodward.co.uk
  • maultalk.com
  • maxicep.com
  • mazika2day.com
  • mediapart.fr
  • mediatakeout.com
  • mediatraffic.com
  • medium.com
  • megashare.info
  • members.webs.com
  • memecenter.com
  • memedad.com
  • meme-lol.com
  • menshealth.com
  • merca20.com
  • mforos.com
  • mg.co.za
  • micromaxinfo.com
  • microworkers.com
  • mindmeister.com
  • mindtools.com
  • minecraftforum.net
  • minijuegos.com
  • minutebuzz.com
  • mitbbs.com
  • mixcloud.com
  • mixedmartialarts.com
  • mkyong.com
  • mmo-champion.com
  • mobafire.com
  • mobilism.org
  • moddb.com
  • moneymakergroup.com
  • monova.org
  • moodle.org
  • morguefile.com
  • moveon.org
  • movie4k.to
  • movie-blog.org
  • movieweb.com
  • mp3skull.com
  • mp3xd.com
  • mstaml.com
  • musavat.com
  • mybb.com
  • mybroadband.co.za
  • mydealz.de
  • mydigitallife.info
  • myegy.com
  • mygully.com
  • mylikes.com
  • mymodernmet.com
  • mynewsdesk.com
  • myorderbox.com
  • mysavings.com
  • mysmartprice.com
  • myvidster.com
  • n4g.com
  • n4hr.com
  • naijapals.com
  • naij.com
  • nairaland.com
  • namepros.com
  • naosalvo.com.br
  • nationalreview.com
  • natunbarta.com
  • ncrypt.in
  • neswangy.net
  • netbarg.com
  • network-tools.com
  • newgrounds.com
  • news.am
  • newtvworld.com
  • nexusmods.com
  • nguoiduatin.vn
  • nicozon.net
  • ninisite.com
  • niusnews.com
  • nmisr.com
  • nodejs.org
  • notdoppler.com
  • notebookcheck.net
  • noticiaaldia.com
  • noticierodigital.com
  • novafile.com
  • nowgamez.com
  • nrc.nl
  • nuevoloquo.com
  • nulled.cc
  • nullrefer.com
  • nur.kz
  • nyaa.se
  • ocioso.com.br
  • odesk.com
  • offervault.com
  • ofreegames.com
  • ojooo.com
  • omegle.com
  • on.cc
  • onedio.com
  • onlinekhabar.com
  • onlinesoccermanager.com
  • online-stopwatch.com
  • oodle.com
  • opencart.com
  • openclassrooms.com
  • opensubtitles.org
  • opinionlab.com
  • opposingviews.com
  • optimizepress.com
  • optionbit.com
  • orgasmatrix.com
  • osdir.com
  • pagina12.com.ar
  • pandodaily.com
  • paperblog.com
  • pastebin.com
  • patient.co.uk
  • paxum.com
  • pbagora.com.br
  • pcadvisor.co.uk
  • pccomponentes.com
  • pcgames.de
  • pcgameshardware.de
  • pcinpact.com
  • pdfonline.com
  • peb.pl
  • peerfly.com
  • peliculas4.com
  • peliculasyonkis.com
  • penguinvids.com
  • penny-arcade.com
  • persiantools.com
  • petapixel.com
  • phimvang.com
  • phpbb.com
  • picstopin.com
  • pijamasurf.com
  • pik.ba
  • pimpandhost.com
  • pingdom.com
  • pirateproxy.net
  • pirateproxy.se
  • piratestreaming.tv
  • pixhost.org
  • pjmedia.com
  • planetminecraft.com
  • played.to
  • playvid.com
  • playxn.com
  • plugrush.com
  • plus28.com
  • popcash.net
  • poringa.net
  • pornbb.org
  • pornerbros.com
  • pornper.com
  • porntube.com
  • porntubevidz.com
  • pornup.me
  • portalnet.cl
  • postplanner.com
  • prefiles.com
  • premiere.fr
  • premiumwp.com
  • prevention.com
  • primewire.ag
  • privatehomeclips.com
  • priyo.com
  • prlog.ru
  • prntscr.com
  • problogger.net
  • proboards.com
  • proceso.com.mx
  • promiflash.de
  • promptfile.com
  • propakistani.pk
  • proprofs.com
  • psychcentral.com
  • ptt.cc
  • pubdirecte.com
  • publika.az
  • puls24.mk
  • punchng.com
  • purpleporno.com
  • putlocker.bz
  • putlocker.com
  • putlocker.ws
  • puu.sh
  • q8yat.com
  • qafqazinfo.az
  • q-ask.com
  • qatarliving.com
  • qaynar.info
  • q.gs
  • questionablecontent.net
  • r10.net
  • racing-games.com
  • radiojavan.com
  • rahnama.com
  • random.org
  • ranker.com
  • rapgenius.com
  • rapradar.com
  • rassd.com
  • raventools.com
  • rawstory.com
  • reactiongifs.com
  • readms.com
  • realfarmacy.com
  • realitatea.net
  • redbubble.com
  • re-direcciona.me
  • reduxmediia.com
  • relink.us
  • resellerclub.com
  • residentadvisor.net
  • rghost.ru
  • ripoffreport.com
  • robtex.com
  • rockpapershotgun.com
  • roro44.com
  • rosbalt.ru
  • rozee.pk
  • rubias19.com
  • runetki.com
  • runetki.tv
  • runnersworld.com
  • rus.ec
  • ryushare.com

What we found when we tested tools on the world’s least-accessible webpage

Automated accessibility testing tools can be used to identify accessibility issues on websites. As the name suggests, they are automated tools that can be run on websites and can identify a number of issues.

There are several available, such as Wave and Tenon. Many of them are free and can be accessed online.

The pros and cons of automated tools

Automated tools can be a useful and cheap way of helping you make a service more accessible. They are quick to run and provide immediate feedback. They can be run across lots of pages. Some can be integrated into the build process, so they can identify issues almost as soon as they are created.

But while it can certainly be helpful to run an automated testing tool on a service, it’s important that teams don’t rely on them too heavily. No tool will be able to pick up every accessibility barrier on a website. So just because a tool hasn’t picked up any accessibility issues on a website, doesn’t mean those issues don’t exist.

And even if they do detect a barrier, sometimes the results they give will be inconclusive or require further investigation. Or even just wrong.

A good analogy is to think of a testing tool as like using a spellchecker. It can certainly help you pick up issues, but it should never be used in isolation. To be most useful, automated tools should be combined with manual inspection and user research.

To help people understand the usefulness – and the limitations – of automated tools, and to help people pick a suitable tool, we carried out an audit of some of the most common tools available.

Choosing the tools to test with

We chose 10 automated testing tools for our audit. We wanted to test the tools that are most commonly used by developers and quality assurance testers. And we wanted to test a large enough number of tools that we would get a variety of results.

We picked all the free tools we were aware of. We also sought suggestions through the cross-government Accessibility Google Group. Here are the tools we tested:

All of these tools are free to use, apart from Sort Site, which has a free trial. Tenon and Wave also have paid versions if you don’t want to run them in your browser.

Testing on the world’s least accessible web page

Once we had decided which tools to work with, we needed a web page to test them on.

We needed a page that was riddled with accessibility problems. One that broke all the accessibility rules. One that featured all kinds of accessibility barriers.

So we built one.

A screenshot of 'the world's least accessible website', which we built to test automated tools on

I worked with Alistair and Richard, my colleagues on the GDS Accessibility team, to create a web page full of accessibility fails. We refer to it as the world’s least accessible web page.

We filled it with accessibility barriers. At the moment it contains a total of 143 fails grouped into 19 categories.

The fails include things like images without alt attributes, or with the wrong alt attributes, and blank link text. We also put in a number of things that we thought testing tools probably wouldn’t be able to detect, but are also accessibility issues. Things like flashing content that didn’t carry a warning, or plain language not being used in content.

We knew there was no way we could put in every potential accessibility barrier, but we wanted to have enough on the page so that we could adequately test how useful the tools were.

We then ran the tools against the page, to find out how many of the fails they would pick up and how many they would miss.

You can see our findings in detail here. Here are the main things we discovered:

Lots of the barriers weren’t found by any of the tools

We found that a large proportion of the barriers we created weren’t picked up by any of the 10 tools we tested – 29% in fact.

Of the 143 barriers we created, a total of 42 were missed by all of the tools we tested. The ones that were missed included barriers such as italics used on long sections of text, tables with empty cells and links identified by colour alone.

Even when barriers were found, the error reporting process wasn’t always clear-cut. Sometimes the tools would show a warning or call for manual inspection, without explicitly saying there was an error.
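To make the three reporting styles concrete, here is a small checker written for this post (it is not one of the ten audited tools and the HTML it scans is constructed). It detects some of the barriers listed above (images without alt, blank link text, empty table cells, long italics), can only raise a manual-inspection prompt for links that may be identified by colour alone, and has no rule at all for barriers like flashing content or plain language:

```python
from html.parser import HTMLParser

# Constructed sample page holding some of the barriers the article lists: an
# image with no alt, an image with a meaningless alt, a link with blank text,
# a link distinguished from body text only by colour, a table with an empty
# cell and a long run of italics.
SAMPLE_HTML = """
<html><body>
<img src="chart.png">
<img src="logo.png" alt="image">
<a href="/more"></a>
<a href="/terms" style="color:#06c; text-decoration:none">terms</a>
<table><tr><td>cell</td><td></td></tr></table>
<p><i>This sentence is set entirely in italics and it keeps going for quite a
while, which many people find hard to read.</i></p>
</body></html>
"""

ITALIC_LIMIT = 80   # characters of continuous italic text before warning
USELESS_ALTS = {"image", "picture", "photo", "graphic"}


class A11yChecker(HTMLParser):
    """Emits (level, message) findings; level is error, warning or manual."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._link_text = None     # collects text while inside <a>
        self._link_style = ""
        self._italic_text = None   # collects text while inside <i>/<em>
        self._cell_text = None     # collects text while inside <td>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            if "alt" not in attrs:
                self.findings.append(("error", "img without alt attribute"))
            elif (attrs["alt"] or "").strip().lower() in USELESS_ALTS:
                # Present but uninformative: a tool can suspect, not decide.
                self.findings.append(("warning", f"img alt {attrs['alt']!r} looks uninformative"))
        elif tag == "a":
            self._link_text, self._link_style = "", attrs.get("style") or ""
        elif tag in ("i", "em"):
            self._italic_text = ""
        elif tag == "td":
            self._cell_text = ""

    def handle_data(self, data):
        for name in ("_link_text", "_italic_text", "_cell_text"):
            if getattr(self, name) is not None:
                setattr(self, name, getattr(self, name) + data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_text is not None:
            if not self._link_text.strip():
                self.findings.append(("error", "link with blank text"))
            elif "text-decoration:none" in self._link_style.replace(" ", ""):
                # Whether colour alone marks the link depends on the rendered
                # page, so the checker can only ask a person to look.
                self.findings.append(("manual", "link may be identified by colour alone"))
            self._link_text = None
        elif tag in ("i", "em") and self._italic_text is not None:
            if len(self._italic_text.strip()) > ITALIC_LIMIT:
                self.findings.append(("warning", "long run of italic text"))
            self._italic_text = None
        elif tag == "td" and self._cell_text is not None:
            if not self._cell_text.strip():
                self.findings.append(("warning", "empty table cell"))
            self._cell_text = None


def check(html):
    """Run the checker over an HTML string and return its findings."""
    parser = A11yChecker()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarise(findings):
    """Count findings per reporting level."""
    counts = {"error": 0, "warning": 0, "manual": 0}
    for level, _ in findings:
        counts[level] += 1
    return counts


if __name__ == "__main__":
    found = check(SAMPLE_HTML)
    for level, message in found:
        print(f"{level:8s}{message}")
    print(summarise(found))
```

Run on the sample it reports two errors, three warnings and one manual prompt, and says nothing about the barriers it has no rule for, which is exactly why a clean run from a tool is not evidence that a page is accessible.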

There is a huge range in the effectiveness of the tools

We also found that some of the tools picked up more errors than others.

If we only count error messages and warnings, then Tenon picked up the most barriers – it found 37% of them. If we also count manual inspection prompts, then Asqatasun was the most effective – it found 41% of the barriers.

At the other end of the range, Google Developer Tools, which is quite a popular tool, only picked up 17% of the barriers.

We found that using tools in combination could help you pick up more barriers, but doing this can be harder and less cost-effective for teams.

The effectiveness of the tools is just one of the things teams need to consider

We found a big range in terms of the effectiveness of the tools. But, as well as effectiveness, we also know that there are other considerations teams will take into account when deciding whether or not to use a tool, and which tool to use.

We know that the tools have to be easy to set up and run. And the results they give have to be clear and easy to act on. As well as being used by developers they may be used by non-technical people in teams.

There are other technical considerations to take into account too. For example, some tools might not work on password-protected pages. And some might not test on mobile pages.

As part of our work, we gathered contextual information about the tools to help teams make a decision on which ones suited them best.

How best to use automated tools

Our opinion of automated testing tools is the same after the audit as it was before. We think they are very useful and should definitely be used by teams to pick up issues. But also that they cannot be relied on, by themselves, to check the accessibility of a website. They are most effective when combined with manual testing.

Our research backs this up. While the tools picked up the majority of the accessibility barriers we created – 71% – there was a large minority that would only have been picked up by manual checking.

For the most effective accessibility testing, we advise teams to combine automated tool testing with manual checking, an accessibility audit and user testing.

We hope that our result pages will help teams pick a tool that best meets their needs. And will also encourage tool creators to better document what the tools can and can't do.


Monzo’s Response to Cloudbleed

Last night, Cloudflare and Google’s Project Zero published details of a security incident affecting websites and apps that use Cloudflare, nicknamed “Cloudbleed.” The bug can lead to the compromise of sensitive data from websites and APIs that use Cloudflare. There is no risk to the vast majority of Monzo customers. However, we strongly believe in being transparent with our community, so we’re publishing a full report about the incident’s effect on our service.

Cloudflare sits between many web services and their users to optimise content loading speeds and mitigate attacks. Because Cloudflare is very widely used – by some estimates they see as much as 10% of all internet traffic – the problem deserves immediate attention by the internet community to safeguard users.

The Monzo apps for iOS and Android are not affected by the vulnerability because they use APIs which are not behind Cloudflare. Our two websites, monzo.com and monzo.me, as well as our beta API for external developers do use Cloudflare so we wanted to be fully transparent with the steps we’re taking as a result of this bug. Overall, we believe the risk to any of our customers to be extremely low but we’re taking steps to minimise that risk even further, detailed below.

We are publishing our technical internal incident report below for those interested. If you have any questions or concerns, please don’t hesitate to reach out! You can reach our security team directly at [email protected].


A bug in a module used by Cloudflare’s edge proxies meant that approximately 1 in every 3.3 million requests resulted in memory leaking from the edge proxy. The contents of this memory might include sensitive information from any site which uses Cloudflare.

Internal APIs for Monzo apps

Our apps (for Android and iOS) use APIs which do not go via Cloudflare. As such, there is no risk to customers or their information from use of our apps.

Websites

Our websites (monzo.com, monzo.me) sit behind Cloudflare with all traffic to those domains being proxied through them.

Monzo.com does not process any sensitive information and thus there is no risk to personal information. Monzo.me does process sensitive information (name and email) but uses an internal API that is not behind Cloudflare. Payment information entered into Monzo.me is sent directly to our payment provider Stripe, who are not affected by this vulnerability. Therefore there is also no risk to personal information.

Developer API

Our developer API does sit behind Cloudflare with all of its traffic proxied through their service. That means that apps that developers have built using this API to connect to Monzo have potentially leaked sensitive information. Data sent to and from our developer API may contain the following information:

  • Access tokens – used by API developers to identify both their apps and users who have authenticated to their apps. These tokens are only valid for a very limited period of time
  • Client secrets – used to identify an API client (not an individual user) when requesting an access token
  • Transaction information
  • Customers’ personally identifiable information

We believe the risk to customer data from use of the developer API to be very low for the following reasons:

  • Only clients of the developer API are affected.
  • We do not yet allow apps built using our beta developer API to be made publicly available, so usage is very low – specifically, only developers themselves and a limited number of users they explicitly whitelist can use the API.
  • If any access tokens were leaked, they are only valid for up to 2 days.
  • If a refresh token was leaked there is a high chance that it will be used within 2 days. A refresh token may only be used once – after it has been used, a new one is generated and the old one becomes invalid.

Despite the low risk, we have taken several additional steps to further mitigate the risk:

  1. As of 11:16 this morning, we revoked all existing access and refresh tokens for clients that used the developer API. This will affect a very small number of applications and will require their users to log in again.
  2. We have also taken steps to identify which third-party services we use and believe may have been affected to mitigate any risks. For every third party provider we use, we have checked whether they use Cloudflare, and if they do, we have rotated our credentials for these services so the old ones are no longer valid. This list includes Mailgun, Crowdcube, JudoPay, and Pingdom.
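The two properties the risk reasoning above rests on (bounded access-token lifetime, single-use refresh tokens replaced on every exchange) and the first mitigation step (revoking every outstanding token) can be modelled in a few dozen lines. This is an added illustration with an assumed in-memory design, not Monzo's API code; the timestamps and client id are constructed.

```python
import secrets
from dataclasses import dataclass

# The report says access tokens are valid for up to 2 days; modelled as seconds.
ACCESS_TTL = 2 * 24 * 3600


@dataclass
class TokenPair:
    access: str
    refresh: str
    issued_at: int


class TokenStore:
    """In-memory issuer for an OAuth-style developer API (assumed design, not Monzo's)."""

    def __init__(self):
        self._access = {}           # access token -> (client_id, expiry time)
        self._refresh = {}          # refresh token -> client_id, present only while unused
        self._used_refresh = set()  # refresh tokens that have already been exchanged

    def issue(self, client_id, now):
        pair = TokenPair(secrets.token_urlsafe(32), secrets.token_urlsafe(32), now)
        self._access[pair.access] = (client_id, now + ACCESS_TTL)
        self._refresh[pair.refresh] = client_id
        return pair

    def validate_access(self, token, now):
        """Return the client id if the access token is known and unexpired, else None."""
        entry = self._access.get(token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def rotate(self, refresh_token, now):
        """Exchange a refresh token for a new pair; the presented token becomes invalid.

        A refresh token presented a second time has, by construction, been
        copied: either the legitimate client or whoever holds the copy lost
        the race. Reject it; a production issuer would also alert on it.
        """
        if refresh_token in self._used_refresh:
            raise PermissionError("refresh token reuse detected")
        client_id = self._refresh.pop(refresh_token, None)
        if client_id is None:
            raise PermissionError("unknown or revoked refresh token")
        self._used_refresh.add(refresh_token)
        return self.issue(client_id, now)

    def revoke_all(self):
        """Mitigation step 1: invalidate every outstanding access and refresh token."""
        count = len(self._access) + len(self._refresh)
        self._access.clear()
        self._refresh.clear()
        return count


def leaked_token_scenario():
    """Replay the report's risk reasoning on constructed timestamps.

    A token pair is issued, a copy of both tokens is assumed to have leaked,
    and the legitimate client refreshes an hour later. Returns the checks a
    practitioner would want to see as a dict of results.
    """
    store = TokenStore()
    t0 = 1_700_000_000                      # constructed epoch time
    first = store.issue("app-1", t0)
    leaked_access, leaked_refresh = first.access, first.refresh
    second = store.rotate(first.refresh, t0 + 3600)

    results = {}
    # A leaked access token keeps working until its bounded lifetime ends.
    results["leaked_access_live_now"] = store.validate_access(leaked_access, t0 + 3600) == "app-1"
    results["leaked_access_live_after_ttl"] = store.validate_access(leaked_access, t0 + ACCESS_TTL) is not None
    # A leaked refresh token is useless once the legitimate client has rotated it.
    try:
        store.rotate(leaked_refresh, t0 + 7200)
        results["leaked_refresh_reusable"] = True
    except PermissionError:
        results["leaked_refresh_reusable"] = False
    # Bulk revocation cuts off every token, so clients must log in again.
    results["revoked_count"] = store.revoke_all()
    results["second_access_live_after_revoke"] = store.validate_access(second.access, t0 + 7200) is not None
    return results


if __name__ == "__main__":
    for name, value in leaked_token_scenario().items():
        print(f"{name}: {value}")
```

The scenario shows the asymmetry the report relies on: a copied access token is live until its 2-day lifetime ends, while a copied refresh token fails as soon as the legitimate client has exchanged it, and the reuse attempt itself is a detectable signal.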

I also want to thank everyone on the Monzo team who helped with our fast response to this incident. In particular, Daniel, Priyesh, Richard, Simon, Tristan, and Matt.


Cloudflare Reverse Proxies Are Dumping Uninitialized Memory

(It took every ounce of strength not to call this issue "cloudbleed")

Corpus distillation is a procedure we use to optimize the fuzzing we do by analyzing publicly available datasets. We've spoken a bit about this publicly in the past, for example:

https://security.googleblog.com/2011/08/fuzzing-at-scale.html
http://taviso.decsystem.org/making_software_dumber.pdf#page=11

On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn't match what I had been expecting. It's not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data...but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.

It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data. The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time. That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by cloudflare - a major cdn service.

A while later, we figured out how to reproduce the problem. It looked like if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.

We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.

This situation was unusual: PII was actively being downloaded by crawlers and users during normal usage; they just didn't understand what they were seeing. Seconds mattered here; emails to support on a Friday evening were not going to cut it. I don't have any cloudflare contacts, so I reached out for an urgent contact on twitter, and quickly reached the right people.

https://twitter.com/taviso/status/832744397800214528

After I explained the situation, cloudflare quickly reproduced the problem, told me they had convened an incident and had an initial mitigation in place within an hour.

"You definitely got the right people. We have killed the affected services"


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 


Video Pros Moving from Mac to Windows for High-End GPUs

Marco Solorio (May 2016):

But as good as that juiced up Mac Pro Tower is today, I know at some point, the time will have to come to an end, simply because Apple hasn’t built a PCIe-based system in many years now. As my article described, the alternative Mac Pro trashcan is simply not a solution for our needs, imposing too many limitations combined with a very high price tag.

The Nvidia GTX 1080 might be the final nail in the coffin. I can guarantee at this point, we will have to move to a Windows-based workstation for our main edit suite and one that supports multiple PCIe slots specifically for the GTX 1080 (I’ll most likely get two 1080s at that new price-point).

[…]

Even a Thunderbolt-connected PCIe expansion chassis to a Mac Pro trashcan won’t help, due to the inherent bandwidth limits that Thunderbolt has as compared to the bus speeds of these GPU cards. And forget about stacking these cards in an expansion chassis… just not going to happen.

Via John Gruber:

This may be a small market, but it’s a lucrative one. Seems shortsighted for Apple to cede it.

Timo Hetzel:

Moving my video workflow to a modern PC could save me an estimated 4-8 hours every week. I wonder if Apple knows/cares.

Previously: Getting a New 2013 Mac Pro in 2017, How Apple Alienated Mac Loyalists.

Update (2017-02-24): See also: Hacker News.


Fasting diet 'regenerates diabetic pancreas'

[Image: blood sugar test. Image copyright SPL]

The pancreas can be triggered to regenerate itself through a type of fasting diet, say US researchers.

Restoring the function of the organ - which helps control blood sugar levels - reversed symptoms of diabetes in animal experiments.

The study, published in the journal Cell, says the diet reboots the body.

Experts said the findings were "potentially very exciting" as they could become a new treatment for the disease.

People are advised not to try this without medical advice.

In the experiments, mice were put on a modified form of the "fasting-mimicking diet".

It is like the human form of the diet when people spend five days on a low calorie, low protein, low carbohydrate but high unsaturated-fat diet.

It resembles a vegan diet with nuts and soups, but with around 800 to 1,100 calories a day.

Then they have 25 days eating what they want - so overall it mimics periods of feast and famine.

Previous research has suggested it can slow the pace of ageing.

Diabetes therapy?

But animal experiments showed the diet regenerated a special type of cell in the pancreas called a beta cell.

These are the cells that detect sugar in the blood and release the hormone insulin if it gets too high.

Dr Valter Longo, from the University of Southern California, said: "Our conclusion is that by pushing the mice into an extreme state and then bringing them back - by starving them and then feeding them again - the cells in the pancreas are triggered to use some kind of developmental reprogramming that rebuilds the part of the organ that's no longer functioning."

There were benefits in both type 1 and type 2 diabetes in the mouse experiments.

Type 1 is caused by the immune system destroying beta cells and type 2 is largely caused by lifestyle and the body no longer responding to insulin.

Further tests on tissue samples from people with type 1 diabetes produced similar effects.

Dr Longo said: "Medically, these findings have the potential to be very important because we've shown - at least in mouse models - that you can use diet to reverse the symptoms of diabetes.

"Scientifically, the findings are perhaps even more important because we've shown that you can use diet to reprogram cells without having to make any genetic alterations."


What's it like?

BBC reporter Peter Bowes took part in a separate trial with Dr Valter Longo.

He said: "During each five-day fasting cycle, when I ate about a quarter of the average person's diet, I lost between 2kg and 4kg (4.4-8.8lbs).

"But before the next cycle came round, 25 days of eating normally had returned me almost to my original weight.

"But not all consequences of the diet faded so quickly."

His blood pressure was lower as was a hormone called IGF-1, which is linked to some cancers.

He said: "The very small meals I was given during the five-day fast were far from gourmet cooking, but I was glad to have something to eat."



Separate trials of the diet in people have been shown to improve blood sugar levels. The latest findings help to explain why.

However, Dr Longo said people should not rush off and crash diet.

He told the BBC: "It boils down to do not try this at home, this is so much more sophisticated than people realise."

He said people could "get into trouble" with their health if it was done without medical guidance.

Dr Emily Burns, research communications manager at Diabetes UK, said: "This is potentially very exciting news, but we need to see if the results hold true in humans before we'll know more about what it means for people with diabetes.

"People with type-1 and type-2 diabetes would benefit immensely from treatments that can repair or regenerate insulin-producing cells in the pancreas."


Surgeons Should Not Look Like Surgeons

Literature doesn’t look like literature –Business plans are for suckers — Donaldo Hiring practitioners –the glory of bureaucracy–teach a professor how to deadlift –looking the part

Surgeons are trying to make us forget they were barbers

Looking the Part

Say you had the choice between two surgeons of similar rank in the same department in some hospital. The first is highly refined in appearance; he wears silver-rimmed glasses, has a thin build, delicate hands, measured speech, and elegant gestures. His hair is silver and well combed. He is the person you would put in a movie if you needed to impersonate a surgeon. His office prominently boasts an Ivy League diploma, both for his undergraduate and medical schools.

The second one looks like a butcher; he is overweight, with large hands, uncouth speech and an unkempt appearance. His shirt is dangling from the back. No known tailor on the East Coast of the U.S. is capable of making his shirt button at the neck. He speaks unapologetically with a strong New Yawk accent, as if he wasn’t aware of it. He even has a gold tooth showing when he opens his mouth. The absence of a diploma on the wall hints at the lack of pride in his education: he perhaps went to some local college. In a movie, you would expect him to impersonate a retired bodyguard for a junior congressman, or a third-generation cook in a New Jersey cafeteria.

Now if I had to pick, I would overcome my suckerproneness and take the butcher any minute. Even more: I would seek the butcher as a third option if my choice was between two doctors who looked like doctors. Why? Simply, the one who doesn’t look the part, conditional on having made a (sort of) successful career in his profession, had to have much to overcome in terms of perception. And if we are lucky enough to have people who do not look the part, it is thanks to the presence of some skin in the game, the contact with reality that filters out incompetence, as reality is blind to looks.

When the results come from dealing directly with reality rather than through the agency of commentators, image matters less, even if it correlates to skills. But image matters quite a bit when there is hierarchy and standardized “job evaluation”. Consider the chief executive officers of corporations: they not only look the part, they even look the same. And, worse, when you listen to them talk, they will sound the same, down to the same vocabulary and metaphors. But that’s their job: as I keep reminding the reader, counter to the common belief, executives are different from entrepreneurs and are supposed to look like actors.

Now there may be some correlation between looks and skills; but having had some success in spite of not looking the part is potent, even crucial, information.

So it becomes no wonder that the job of chief executive of the country, that is, the president, was once filled by a former actor, Ronald Reagan. Actually, the best actor is the one nobody realizes is an actor: a closer look at the record and the activity shows that Barack Obama was even more of an actor: a fancy Ivy-League education combined with a liberal reputation is compelling as an image builder. (In fact, much of what President Trump has going for him is that he doesn’t act like a president.)

Much has been written about the millionaire next door: the person who is actually rich, on balance, doesn’t look like the person you would expect to be rich, and vice versa. Just about every private banker is taught to overcome the image, as it doesn’t match the bottom line, and to avoid chasing people who drive Ferraris at country clubs. I just recently experienced its manifestation as I am writing these lines: a neighbor in my ancestral village (and, like almost everyone there, a remote relative), who led a modest but comfortable life, ate food he grew himself, drank his own pastis (arak), that sort of thing, left an estate of a hundred million dollars, a hundred times what one would have expected him to leave.

So consider, next time you randomly pick a novel, avoiding the one with the author photo representing a pensive man with an ascot standing behind wall-to-wall bookshelves. Or the well-spoken person who gives what is known as a TED talk.

Next, we will get deeper into the following:

In any type of activity or business divorced from the direct filter of skin in the game, the great majority of people know the jargon, play the part, are intimate with the cosmetic details, but are clueless about the subject.

The Green Lumber Fallacy

The idea is Lindy compatible. Don’t think that beautiful apples are tasteful, goes the Latin saying: Non teneas aurum totum quod splendet ut aurum/nec pulchrum pomum quodlibet esse bonum. To the common “all that glitters is not gold”, the proverb adds the more subtle one that not all apples taste good –something it has taken consumers half a century to figure out, even then, as consumers have been continuously fooled by the aesthetics of produce.

An expert rule in my business is: never hire a well-dressed trader. But it goes beyond that:

Hire the successful trader, conditional on a satisfactory track record, whose details you can understand the least.

Not the most: the least. Why so?

This point I’ve introduced in Antifragile under the name green lumber fallacy. A fellow made a fortune in green lumber without knowing what appear to be essential details about the product he traded –he wasn’t aware that green lumber stood for freshly cut wood, not lumber that was painted green. Meanwhile, by contrast, the person who related the story went bankrupt while knowing every intimate detail about the green lumber, which includes the physical, economic, and other aspects of the commodity. The fallacy is that what one may need to know in the real world does not necessarily match what one can perceive through intellect: it doesn’t mean that details are not relevant, only that those we tend (IYI-style) to believe are important constitute a distraction away from more central attributes to the price mechanism. I put the green lumber fallacy as part of the Soviet-Harvard delusion, though it appears that the Soviets were much more bottom-up than the Harvard approach.

In any activity, hidden details are only revealed via Lindy-style experience.

Another aspect:

What can be phrased and expressed in a clear narrative that convinces suckers will be a sucker trap.

My friend Terry B. who taught an investment class invited two speakers. One looked the part of the investment manager, down to a T: tailored clothes, expensive watch, shiny shoes, and clarity of exposition. He also talked big, projecting the type of confidence you would desire in an executive. The second looked closer to our butcher-surgeon and was totally incomprehensible; he even gave the impression that he was confused. Now when Terry asked the students who, of the two, they believed was more successful, they didn’t even get close. The first, not unexpectedly, was in the equivalent of the soup kitchen for that business; the second was at least a centimillionaire.

The late Jimmy Powers, a die-hard New York Irishman with whom I worked in an investment bank early in my trading career, was successful in spite of being a college dropout, with the background of a minor Brooklyn street-gangster. He would discuss our trading activities in meetings with such sentences as: “we did this and then did that, badaboom, badabing, and then it was all groovy”, to an audience of extremely befuddled executives who didn’t mind not understanding what he was talking about, so long as our department was profitable. Remarkably, after a while, I got to effortlessly understand what Jimmy meant. I also learned, in my early twenties, that the people you understood the most were necessarily those who were the bull***ters.

Best Dressed Business Plan

Literature should not look like literature. The author Georges Simenon worked as a teenager in journalism as an assistant to the famous female French writer Colette; she taught him to resist the idea of putting imperfect subjunctives and references to zephyrs, rhododendrons, and firmaments in his text –the kind of stuff one does when waxing literary. Simenon took the advice to the extreme: in a style equivalent to that of, say, Graham Greene, his style is stripped to the core, and as a result, the words do not stand in the way of conveying the atmosphere –you feel wetness penetrating your shoes just reading his accounts of Maigret spending endless times in the Parisian rain; it is as if the central character of his novel is the background.

Likewise, there prevails the illusion that businesses work by business plans and science by funding. This is strictly not true: a business plan is a useful narrative for those who want to convince a sucker. It works because firms in the entrepreneurship business make most of their money packaging companies and selling them; it is not easy to sell without some strong narrative. But for a real business, something that should survive on its own, rather than a fund-raising scheme, business plans and funding work backwards. At the time of writing, most big recent successes (Microsoft, Apple, Facebook, Google) started organically by people with skin and soul in the game and grew –if they had recourse to funding, it was to allow the managers to cash out rather than the prime source of creation. You don’t create a firm by creating a firm; nor do you do science by doing science.

A “Beautiful” Paper

How economists should dress

Which brings me to social science. I have in many instances quickly jotted down ideas on a piece of paper, along with mathematical proofs, and posted them somewhere, planning to get them published. No fluff or the ideas-free verbose circularity of social science papers. In some fake fields like economics, that is, one that is ritualistic and dominated by citation rings, I discovered that everything is in the presentation. So the criticism has never been about the content, but rather the presentation. There is a certain language one needs to learn through a long investment, and papers are just iterations around that language. So I can safely say that almost all papers in economics are substance-free or fake, particularly those published in “prestigious” journals.

Never hire an academic in the complex domain, unless the function is to partake of the rituals of writing papers or taking exams.

Which brings us to the attributes of scientism. For it was not just some presentation that mattered to these idiots. It is unnecessary complication.

Mediterranean societies are traditionally ones in which the highest ranking person is the one with skin in the game, the risk taker. Death on the battlefield remained the highest honor. If anything characterizes Greek culture, it is such skin in the game. And if anything characterizes today’s America, it is economic risk taking, thanks to a happy transfer of martial values to business and commerce in Anglo-Saxon society –remarkably, traditional Arabic culture also puts the same emphasis on the honor of economic risk-taking. But history shows that there were –and still are –societies in which the intellectual was at the top. The Hindus held the Brahman to be first in the hierarchy, the Celts had the druids, the Egyptians had their scribes, and the Chinese had for a relatively brief time the scholar. Let me add post-war France. But there is a remarkable similarity in the way these intellectuals held power and separated themselves from the rest: through complex, extremely elaborate rituals, mysteries that stay within the caste, and an overriding focus on the cosmetic.

Even beyond, when examining the “normal” warrior-run or doer-run societies, the class of intellectuals within them is all about rituals: without pomp and rituals, the intellectual is just a talker, that is pretty much nothing. Consider the bishop in my parts, the Greek-Orthodox church: it’s a show of dignity. A bishop on rollerblades would not be a bishop. And, as we will see in Chapter x, there is nothing wrong, even something beneficial with the decorative if it remains what it is, decorative –science and business are not to be decorative.

II

Next we examine the following points

Just as the slick fellow in a Ferrari looks richer than the rumpled centimillionaire, scientism looks more scientific than real science.

True intellect should not appear to be intellectual

The Gordian Knot

Never pay for complexity of presentation when all you need is results.

Alexander the Megalos was once called to solve the following in the Phrygian city of Gordium (as usual with Greek stories, in modern day Turkey). When he entered Gordium, he found an old wagon, its yoke tied with a multitude of knots, all so tightly entangled that it was impossible to figure out how they were fastened. An oracle had declared that he who would untie the knot would rule all of what was then called “Asia”, that is Asia minor, the Levant, and the Middle East.

After wrestling with the knot, the Megalos drew back from the lump of gnarled ropes, then made a proclamation that it didn’t matter for the prophecy how the tangle was to be unraveled. He then drew his sword and, with a single stroke, cut the knot in half.

No “successful” academic would ever follow such a policy. And no Intellectual Yet Idiot: for instance it took medicine a long time to realize that, when a patient shows up with a headache, it is much better to give him aspirin or recommend a good night’s sleep than do brain surgery, although the latter appears to be more “scientific”.

Overintellectualization of Life

Gigerenzer and Brighton contrast the approaches of the “rationalistic” school (in brackets as there is little that is rational in these rationalists) and that of the heuristic one, in the following example on how a baseball player catches the ball by Richard Dawkins:

Richard Dawkins (…) argues that “He behaves as if he had solved a set of differential equations in predicting the trajectory of the ball. At some subconscious level, something functionally equivalent to the mathematical calculations is going on”.

(…) Instead, experiments have shown that players rely on several heuristics. The gaze heuristic is the simplest one and works if the ball is already high up in the air: Fix your gaze on the ball, start running, and adjust your running speed so that the angle of gaze remains constant.

This error by the science entertainer Richard Dawkins generalizes to, simply, overintellectualizing humans in their responses to all manner of natural phenomena, rather than accepting the role of a collection of mental heuristics used for specific purposes. The baseball player has no clue about the exact heuristic, but he goes with it –otherwise he would lose the game to another nonintellectualizing competitor. Likewise religious “beliefs” are simply mental heuristics that solve a collection of problems –without the agent really knowing how –and lead to human activity; for solving the equations of the world in order to make a decision isn’t a skill we humans can aspire to have –it is computationally impossible. What we can rationally do is neutralize some aspects of these heuristics, defang them so to speak.

The Business of Intervention

Some rules. People who have always operated without skin in the game (or without their skin in the right game) seek the complicated, centralized, and avoid the simple like the pest. Practitioners on the other hand have opposite instincts, looking for the simplest heuristics.

People who are bred, selected, and compensated to find complicated solutions do not have an incentive to implement simplified ones

And it gets more complicated as the remedy has itself a skin in the game problem

This is particularly acute in the meta-problem when the solution is about solving this very problem

In other words, many problems in society come from the interventionism of people who sell complicated solutions because that’s what their position and training invite them to do. There is absolutely no gain for someone in such a position to propose something simple: you are rewarded for perception, not results. They pay no price for the side effects that grow nonlinearly with such complications.

But also when it comes to solutions that are profitable to technologists.

Gold and Rice

Now, indeed we know by instinct that brain surgery is not more “scientific” than aspirin, no more than flying the forty or so miles between New York JFK and Newark airports represents “efficiency” although there is more technology involved. But we don’t easily translate this into other domains and remain victims of what is called scientism, which is to science what a Ponzi scheme is to an investment, or what an advertisement or propaganda are to a genuine scientific communication. You magnify the cosmetic attributes.

Consider the story of the genetically modified Golden Rice. Some firms discovered the sucker problem of people’s ability to fall for (lucrative) science as a savior of mankind. There has been a problem of malnutrition and nutrient deficiency in many developing countries, which my collaborators Yaneer Bar Yam and Joe Norman attribute to a simple and very straightforward transportation issue. Simply, we waste more than a third of our food supply and the gains from simple improvement in the distribution far outweigh those from modification of supply. Simply consider that close to eighty or eighty five percent of the cost of a tomato will be attributed to transportation, storage, waste (from the rotting of unsold inventories), rather than the cost at the farmer level.

Now the “techies” saw an angle of intervention. First, you find pictures of starving children and show their pictures to elicit sympathy and prevent further discussion –anyone who argues in the presence of dying children is a heartless a**hole. Second you make it look that any critic of your method is arguing against saving the children. Third, you propose some scientific looking technique that is lucrative to you and, should it cause a catastrophe or blight, you are insulated from the long term effects. Fourth, you enlist the journalists and the useful idiots, people who hate things that appear “unscientific” in their unscientific eyes. Fifth, you create a smear campaign to harm the reputation of researchers who, not having f*** you money, are very vulnerable to the slightest blemish to their reputation.

The technique in question consists in genetically modifying rice to have the grains include vitamins.

My colleagues and I made an effort to show the following, which is a criticism of the method in general. First, transgenics, that is the type of genetic modifications thus obtained, were not analytically in the same category as the cross breeding of plants and animals that have characterized human activities since husbandry –say potatoes or mandarin oranges. We skipped complexity classes and the effects on the environment were not foreseeable –nobody studied the interactions. We even showed that there was a patent increase in systemic risk. Second, there was no proper risk study and the statistical methods in the papers in support of the argument were flawed. Third, we invoked the principle of simplicity which was called antiscience. Why don’t we give these people rice and vitamins separately? After all we don’t have genetically modified coffee that has milk with it. Fourth we were able to show that GMOs brought a bevy of hidden risk to the environment, in terms of higher use of pesticide which killed the microbiome.

The first result was an organized smear campaign. Close to 1,500 messages were sent to my university, which were tracked to Ketchum, the public relations firm that represents Monsanto. It was not just ineffectual, but brought more attention to our work, particularly among people who had an interest in complexity theory and systemic risk management. Needless to say, people who engage in smear campaigns are not often the smartest and toughest kids on the block –did your most intelligent or tough classmates in school dream of becoming smear-campaigners when they grew up?

I realized soon after that, owing to the minority rule (Chapter x), there was no point in continuing. GMOs lost simply because a minority of intelligent and intransigent people stood against them.

The Compensation

Simply, the minute one is judged by others rather than by reality, the mechanism becomes warped as follows. Firms that haven’t gone bankrupt yet have something called personnel departments, with people trained in a discipline of dealing with other people. So there are metrics used and “evaluation forms” to fill.

The minute one has evaluation forms, distortions occur. Recall from The Black Swan that I had to fill in an evaluation form asking “how many percent of days one is profitable”, encouraging traders to make steady money at the expense of hidden risks of Black Swans, consequential losses. Russian roulette allows you to make money five times out of six. This has bankrupted banks, as banks lose in less than one in 100 quarters, but then they lose more than they ever made. My declared approach was to try to make money infrequently. I tore up the evaluation form in front of the big boss and they left me alone.

Now the mere fact that an evaluation causes you to be judged, not by the end results, but by some intermediary metric that invites you to look sophisticated, brings that distortion.

[Continuation to be Posted in Part II]


Using Neutrino to jump-start modern JavaScript development

Neutrino is a tool which brings together the best parts of the modern JavaScript toolchain with the ease of zero upfront configuration. Embarking on the adventure that is JavaScript development can be daunting.

Working with the latest tools and cutting edge libraries is fun, but oftentimes results in a significant amount of setup overhead before sitting down to write an app. Facing analysis paralysis is a common threat, and the time necessary to complete a comprehensive tooling pipeline has given rise to stigmas like “JavaScript fatigue”. Neutrino was built to let you hit the ground running.

Neutrino combines the power of Webpack with the simplicity of presets to build web and Node.js projects. By encapsulating the common use cases of Webpack configuration into shareable presets, it is possible to create an application without ever needing to touch a configuration file. At present, there are presets available for creating applications for the web, React, and even Node.js. Adding testing or linting is also only a preset away. Let’s take a look at how quickly we can start a React application.

React quickstart

Throughout this guide I’ll be using the Yarn client for working with dependencies and running commands. This is merely a personal preference; you can also use the npm client if you desire.

First up, we need a space to create our React application. In your terminal, create a new directory and change into it:

❯ mkdir hacks-react
❯ cd hacks-react

Next, let’s add Neutrino and the React preset for building the app, and some other dependencies for actually developing with React:

❯ yarn add --dev neutrino neutrino-preset-react
❯ yarn add react react-dom

The React preset has a few conventions:

  • Source code lives in src
  • The entry point to the app is src/index.js
  • You can mount your application to an element with an ID of “root”

Let’s create the entry file at src/index.js, edit it with some simple content, and render it:

import React from 'react';
import { render } from 'react-dom';

render(<h1>Hacks: React!</h1>, document.getElementById('root'));

In order to run our preview app and build it, add a couple of scripts to your package.json:

{
  "scripts": {
    "start": "neutrino start --presets neutrino-preset-react",
    "build": "neutrino build --presets neutrino-preset-react"
  },
  "devDependencies": {
    "neutrino": "^4.0.0",
    "neutrino-preset-react": "^4.0.0"
  },
  "dependencies": {
    "react": "^15.4.2",
    "react-dom": "^15.4.2",
    "react-hot-loader": "next"
  }
}

Run the command to start it in your console, and open the URL given:

❯ yarn start

✔ Development server running on: http://localhost:5000
✔ Build completed


In less than 5 minutes, we have a working start to a React app! What’s more, our Neutrino preset comes with quite a bit out of the box:

  • Zero upfront configuration necessary to start developing and building a React web app.
  • Modern Babel compilation adding JSX, ES modules, last 2 major browser versions, async functions, and object rest spread syntax.
  • Support for React Hot Loader with hot module replacement.
  • Extends from neutrino-preset-web.
  • Webpack loaders for importing HTML, CSS, images, icons, and fonts directly from JavaScript.
  • Webpack Dev Server during development.
  • Automatic creation of static HTML pages, no templating necessary.
  • Production-optimized bundles with Babili minification and easy chunking.
  • Easily extensible to customize your project as needed, no blackboxes or ejecting required.

Code quality

It’s just as easy to add linting. Let’s use the Airbnb style guide as an example. By adding the Airbnb preset, we can lint our source code according to the Airbnb style guide:

❯ yarn add --dev neutrino-preset-airbnb-base

Now let’s add our preset to our Neutrino commands, but let’s move it to “presets” and out of “scripts” so it’s not so unwieldy and we reduce repetition. Also, the Airbnb preset needs to load before our build preset:

{
  "config": {
    "presets": [
      "neutrino-preset-airbnb-base",
      "neutrino-preset-react"
    ]
  },
  "scripts": {
    "start": "neutrino start",
    "build": "neutrino build"
  }
}

If we start the app again, but this time introduce something that goes against the Airbnb style guide, we can see the problems right in the console:

❯ yarn start

✔ Development server running on: http://localhost:5000
✔ Build completed

ERROR in ./src/index.js

/Users/eli/code/hacks-react/src/index.js
  5:13  error  Strings must use singlequote  quotes

✖ 1 problem (1 error, 0 warnings)

Keeping your code quality high is as simple as adding presets and following conventions. You can follow the same guidelines to add testing to the project. Just choose a testing preset and you are on your way.

With great power…

There may come a point where something in the build process needs to change to support your specific use cases. Fortunately, customizing and overriding the build process is straightforward. Neutrino does not force you to maintain the entire build configuration if you need changes, nor does it eject all its dependencies into your project. Each Neutrino preset has well-defined mechanisms for augmenting the build with a minimal but intuitive API. Creating your own presets is also a good way to unify configuration across many projects and reduce duplicating common changes. Simply publish to npm or GitHub, add as another dependency, and continue developing.

Our motivation

We created Neutrino to solve problems we faced creating front-end applications across teams within Mozilla’s Release & Productivity organization. Neutrino is currently in use by several Mozilla projects including TaskCluster, Treeherder, and Unified Logviewer. We maintain and support Neutrino because it is something we ourselves need and use, and we hope that everyone who uses it will also benefit.

Go forth and create

By bringing together great tools, Neutrino and its presets foster an environment for rapid development while eliminating some of the barriers in the way of writing applications. I encourage you to read through the comprehensive Neutrino documentation and try it out in your next project. All the source code is licensed MPL v2 and is available on GitHub. Enjoy!

More articles by Eli Perelman…


The Untold Secrets of Grand Central Terminal

An average of 750,000 people pass through New York’s iconic Grand Central Terminal each day—but most of the 49-acre, 1913 Beaux Arts building has always remained off-limits to the general public. With the help of Cornelius Vanderbilt II’s great-great-grand-niece Consuelo Vanderbilt Costin, Grand Central Terminal director George Monasterio, and Grand Central’s senior architect Mark Saulnier, Bloomberg got an inside look at the spaces (and secrets) you never knew to ask about.

 

It’s Possible to Go Inside the Tiffany Clock

Inside the Tiffany clock, considered the jewel of the Grand Central façade.

Photographer: Pavel Bendov

Since most people lived and worked downtown from Grand Central Terminal when the building first opened more than 100 years ago, the monumental clock installed in the building’s south-facing façade in 1913 was designed to be seen by pretty much everyone in town. But few have been able to peer through it from behind, up close. Getting here requires security clearance and more than a little know-how: A secret door in the tightly guarded Operations Control Center leads the way, followed by two somewhat precarious ladders. (So few people have been given access, the tradition is to Sharpie your name onto the wall if you do get in.) 

 

There Once Was a Ski Slope on the Third, Fourth, and Fifth Floors

This was once an indoor ski run. Now it's a tennis club, open until 2:00 a.m. on some days of the week.

Photographer: Pavel Bendov/Bloomberg

Maybe you knew that there are one and a half tennis courts in GCT, one on the fourth floor and a half court above it. But did you know that the combined space was at one point part of a 60-foot-tall ski slope made out of compounded nylon? True story. It was the whimsical creation of a Hungarian entrepreneur in the 1960s, who thought he could give New Yorkers a ski fix without the two-hour drive. It was open for only a few years before Donald Trump turned it into a tennis space that he could offer to guests at his hotel next door, the Grand Hyatt.

 

The Gigantic Windows Actually Open

Inside the catwalks at Grand Central Terminal, wedged between the exterior windows and the giant walls of glass that flood light into the main concourse.

Photographer: Pavel Bendov/Bloomberg

When you’re in the main terminal, look east, south, and west. You’ll notice nine oblong windows, each spanning approximately six stories. Behind them is another set of windows that you’d never know existed—unless you were a traveler in the early 1900s. Back then, both sets of windows could be opened to form a cross-breeze through the terminal—natural air conditioning, if you will. The wheels that open the windows are still accessible from all-glass catwalks, but energy efficiency measures mean they haven’t been used in ages.

 

The Campbell Apartment Was Never an Apartment

The old Campbell's Apartment space, which will soon be renovated by Gerber Group.

Photographer: Pavel Bendov/Bloomberg

You know the famous bar? The one that closed last summer? It was never an apartment, as its name suggests. But it was named for a famous tenant, John Campbell, who conducted musical events and parties here for his business clients. Future tenants included a branch of the New York Police Department, which turned Campbell’s tall wooden chests into rifle storage and his half-height wine cellar into a holding cell for suspected criminals. As for the next tenant? It’s Scott Gerber’s Gerber Group, the force behind such bars as Whiskey Blue and Mr. Purple—which will reopen the bar on May 1. (It's reportedly paying $1.1 million a year in rent to operate the space.)

 

There Used to Be a Movie Theater … for Watching the News

This mural in the Central Cellars wine store is all that remains of the original newsreel theater.

Photographer: Pavel Bendov/Bloomberg

Back when train travel was the main way to get from, say, New York to Miami, sitting in a train terminal was similar to waiting at an airport gate today. You had time to kill while trains were cleaned and turned around and while your luggage was checked and routed. The best way to occupy yourself, back then, was at a newsreel movie theater, where world news clips were shown on loop. Little remains of the Grand Central Theater, but it occupied the space now taken up by Central Cellars wine shop in the Graybar passageway. Look up from the main doors, and you’ll see the one feature from the theater that remains: an original turquoise-colored mural meant to evoke the massive constellation painting in the main concourse.

 

The Original Light Fixtures Had Mysteriously Vanished … Until Recently

Head to the Kissing Room, shown here, to find the first of the original light fixtures that's been restored—before it moves outside to Pershing Square.

Photographer: Pavel Bendov/Bloomberg

The perimeter of Grand Central Terminal was once lined with 26 tall brass lamps—they were removed in the 1980s when the station was undergoing waterproofing. But when they were sent to storage, the lamps went missing, and nobody knew what became of them for decades. Fast forward to 2003, and all 26 lamps were found—broken down into pieces—in a Department of Transportation facility in Maspeth, Queens. Now they’re being restored one by one as funds come in—the project requires a $1 million investment. Though you can’t see it in this image, the first is on display in the old Kissing Room, shown here. (Get there by looking for track #42.) As more are restored, they’ll be moved outside to 42nd Street and Park Avenue, on either side of the Pershing Square bridge.

 

It Was Once the Hub for an Entire 'Terminal City'

The tunnel that once led to the Roosevelt Hotel.

Photographer: Pavel Bendov/Bloomberg

You think Grand Central is big? It was originally planned to be just the cornerstone of an entire complex, including three hotels, residences, a conference center, a post office, and seven underground passageways. (That doesn't include this secret train tunnel to the Waldorf.) Here’s one passageway, now closed, which led to the old Roosevelt Hotel. Some of the signage is still intact, but mostly it’s off limits for good reason. 

 

The Ceiling Paintings Are Actually Unfinished

 

The one painted archway in the Graybar passage. (It should have been one of many.)

Photographer: Pavel Bendov/Bloomberg

Head to the Graybar passageway (where the movie theater used to be), and you’ll notice a series of arches—one with a faded mural depicting 1920s infrastructure development projects. All the arches were supposed to be done in similar style as a way to boost civic pride, but after the first mural was completed in 1930, the Great Depression took hold, and the city ran out of funding for the rest of the project. The arches remain naked to this day.

 

Security Sensors Are Everywhere

 

The Operations Control Center, one of Grand Central Terminal's most secure spaces, is where technicians control movement of all Metro North trains. 

Photographer: Pavel Bendov/Bloomberg

You may not think you’re going through airport-level security when you casually waltz into Grand Central, but sensors at every street entrance are secretly sizing you up. They act like sniffing dogs, hard-wired to recognize security threats. Then there’s the fact that most of the building actually requires key-card access, such as the Operations Control Center (OCC) and electrical control rooms that act as the mission control base for all train and electric rail activity across the Metro North train network. (The former is shown here.) What happens when there’s a potential security breach? An urgent meeting of police and terminal directors in the Situation Room, a board room set just above the OCC.

 

There Are Hidden Love Letters in the Main Concourse's Celestial Ceiling

See the little black patch midway up the arch on the left side? That's the exposed patch of original ceiling.

Photographer: Pavel Bendov/Bloomberg

When the terminal first opened, the main concourse sported a different version of the current celestial ceiling: It was more heroic and formal, in darker shades of green and gold. It’s commonly known that the original ceiling became so tarnished and water damaged that artists had to repaint it in the 1940s. (A tiny rectangle of the original was left exposed, as shown above.) But what most people don’t know is that the mural was also modified slightly when it was refit, and among the additions are little love notes from the artists. In subtle spots, such as Taurus’s eye, you can spot tiny dark letters. They’re actually the names of babies born and spouses married during the ceiling’s yearlong reconstruction. 

A classic shot of a famous New York City destination.

Photographer: Pavel Bendov/Bloomberg


Cache deduplication and the SHA1 collision attack


Announcing the first SHA-1 collision

A collision occurs when two distinct pieces of data—a document, a binary, or a website’s certificate—hash to the same digest as shown above. In practice, collisions should never occur for secure hash functions. However if the hash algorithm has some flaws, as SHA-1 does, a well-funded attacker can craft a collision. The attacker could then use this collision to deceive systems that rely on hashes into accepting a malicious file in place of its benign counterpart. For example, two insurance contracts with drastically different terms.

Finding the SHA-1 collision

In 2013, Marc Stevens published a paper that outlined a theoretical approach to create a SHA-1 collision. We started by creating a PDF prefix specifically crafted to allow us to generate two documents with arbitrary distinct visual contents, but that would hash to the same SHA-1 digest. In building this theoretical attack in practice we had to overcome some new challenges. We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed.

Here are some numbers that give a sense of how large scale this computation was:

  • Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
  • 6,500 years of CPU computation to complete the attack first phase
  • 110 years of GPU computation to complete the second phase

While those numbers seem very large, the SHA-1 shattered attack is still more than 100,000 times faster than a brute force attack which remains impractical.
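As an added check on the figures above (not part of the original announcement): a generic birthday search for a collision in a 160-bit digest costs on the order of $2^{80}$ SHA-1 evaluations, whereas the count reported here is

$$9{,}223{,}372{,}036{,}854{,}775{,}808 = 2^{63}.$$

The speed-up over brute force is therefore

$$\frac{2^{80}}{2^{63}} = 2^{17} \approx 1.3 \times 10^{5},$$

which agrees with the “more than 100,000 times faster” claim, while $2^{63}$ evaluations remain far outside what a single machine can do, hence the cluster-scale CPU and GPU years listed above.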

Mitigating the risk of SHA-1 collision attacks

Moving forward, it’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3. Following Google’s vulnerability disclosure policy, we will wait 90 days before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions. In order to prevent this attack from active use, we’ve added protections for Gmail and GSuite users that detect our PDF collision technique. Furthermore, we are providing a free detection system to the public.
You can find more details about the SHA-1 attack and detailed research outlining our techniques here.

About the team

This result is the product of a long-term collaboration between the CWI institute and Google’s Research security, privacy and anti-abuse group.

Marc Stevens and Elie Bursztein started collaborating on making Marc’s cryptanalytic attacks against SHA-1 practical using Google infrastructure. Ange Albertini developed the PDF attack, Pierre Karpman worked on the cryptanalysis and the GPU implementation, Yarik Markov took care of the distributed GPU code, Alex Petit Bianco implemented the collision detector to protect Google users and Clement Baisse oversaw the reliability of the computations.

Cryptographic hash functions like SHA-1 are a cryptographer’s Swiss Army knife. You’ll find that hashes play a role in browser security, managing code repositories, or even just detecting duplicate files in storage. Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for widespread use, finding two messages that lead to the same digest should be computationally infeasible. Over time, however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.

Today, more than 20 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprang from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.

For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the hash function should no longer be considered secure.

We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.

What is a cryptographic hash collision?

A collision occurs when two distinct pieces of data (a document, a binary, or a website’s certificate) hash to the same digest. In practice, collisions should never occur for secure hash functions. However, if the hash algorithm has some flaws, as SHA-1 does, a well-funded attacker can craft a collision. The attacker could then use this collision to deceive systems that rely on hashes into accepting a malicious file in place of its benign counterpart: for example, two insurance contracts with drastically different terms.

Finding the SHA-1 collision

In 2013, Marc Stevens published a paper that outlined a theoretical approach to creating a SHA-1 collision. We started by creating a PDF prefix specifically crafted to allow us to generate two documents with arbitrary distinct visual contents that would nonetheless hash to the same SHA-1 digest. In turning this theoretical attack into a practical one we had to overcome some new challenges. We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision, which is one of the largest computations ever completed.

Here are some numbers that give a sense of how large scale this computation was:

  • Nine quintillion (9,223,372,036,854,775,808, i.e. 2^63) SHA-1 computations in total
  • 6,500 years of CPU computation to complete the first phase of the attack
  • 110 years of GPU computation to complete the second phase

While those numbers seem very large, the SHAttered attack is still more than 100,000 times faster than a brute-force attack, which remains impractical: a generic birthday attack on a 160-bit hash needs on the order of 2^80 SHA-1 computations, and 2^80 / 2^63 = 2^17, roughly 131,000.

Mitigating the risk of SHA-1 collision attacks

Moving forward, it’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3. Following Google’s vulnerability disclosure policy, we will wait 90 days before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum, given two distinct images and some pre-conditions. In order to prevent this attack from active use, we’ve added protections for Gmail and G Suite users that detect our PDF collision technique. Furthermore, we are providing a free detection system to the public.
You can find more details about the SHA-1 attack and detailed research outlining our techniques here.

About the team

This result is the product of a long-term collaboration between the CWI Institute and Google’s Research security, privacy and anti-abuse group.

Marc Stevens and Elie Bursztein started collaborating on making Marc’s cryptanalytic attacks against SHA-1 practical using Google infrastructure. Ange Albertini developed the PDF attack, Pierre Karpman worked on the cryptanalysis and the GPU implementation, Yarik Markov took care of the distributed GPU code, Alex Petit Bianco implemented the collision detector to protect Google users and Clement Baisse oversaw the reliability of the computations.

Close this section

S2n Is Now Handling 100 Percent of SSL Traffic for Amazon S3

by Stephen Schmidt, in Announcements, Encryption, Security


In June 2015, we introduced s2n, an open-source implementation of the TLS encryption protocol, making the source code publicly available under the terms of the Apache Software License 2.0 from the s2n GitHub repository. One of the key benefits of s2n is a far smaller code surface, with approximately 6,000 lines of code (compared to OpenSSL’s approximately 500,000 lines). In less than two years, we’ve seen significant enhancements to s2n, with more than 1,000 code commits, plus the addition of fuzz testing and a static analysis tool, tis-interpreter.

Today, we’ve achieved another important milestone for securing customer data: we have replaced OpenSSL with s2n for all internal and external SSL traffic in Amazon Simple Storage Service (Amazon S3) commercial regions. This was implemented with minimal impact to customers, and multiple means of error checking were used to ensure a smooth transition, including client integration tests, catching potential interoperability conflicts, and identifying memory leaks through fuzz testing.

It was only last week that AWS CEO Andy Jassy reiterated something that’s been a continual theme for us here at AWS: “There’s so much security built into cloud computing platforms today, for us, it’s our No. 1 priority—it’s not even close, relative to anything else.” Yes, security remains our top priority, and our commitment to making formal verification and automated reasoning more efficient exemplifies the way we think about our tools and services. Making encryption more developer friendly is critical to what can be a complicated architectural universe. To help make security more robust and precise, we put mechanisms in place to verify every change, including negative test cases that “verify the verifier” by deliberately introducing an error into a test-only build and confirming that the tools reject it.

If you are interested in using or contributing to s2n, the source code, documentation, commits, and enhancements are all publicly available under the terms of the Apache Software License 2.0 from the s2n GitHub repository.

– Steve

Close this section

Analyzing Your Google Search History with Rakam

Google allows you to export all the Google searches you have done since you created your Google account, but doesn’t offer any dashboards for analyzing that historical data. I thought it would be an interesting case to download my search history from Google, analyze the data and create a dashboard for my Google search history in Rakam.

First of all, you will need to export the raw events from Google using the Takeout service. Depending on the data volume it may take some time, so if you don’t want to wait for a few hours, uncheck all the checkboxes and select only Google Search, because we will only use the searches in this tutorial.

It usually takes a few minutes for Google to process your historical data and create an archive for you. Download the archive when it’s ready and extract the contents; you will see the directories below:

Each JSON file is an array of elements, one per search:

{
  "event": [
    {
      "query": {
        "id": [
          {
            "timestamp_usec": "1183032424150752"
          }
        ],
        "query_text": "my search term"
      }
    },
    ...
  ]
}

In order to be able to send the events to Rakam, we need to transform the data into a proper format. But before that, notice that Google only includes the search term and the timestamp as part of the event, and these two fields are not enough for us to analyze the data efficiently.

I looked at API services for categorizing search terms but couldn’t find an efficient one that supports multiple languages. Then I remembered that Google Trends has an autocomplete feature that also shows the category of the search term. After some debugging of the browser’s network activity, I realized that the service doesn’t use a public API but doesn’t actually require a token either, so it seemed to be a good fit for my use case.

I wrote a simple event mapper for Rakam that enriches my events with the Google Trends API and attaches category, title and mid (Google Trends ID) attributes to the events. I attached the script at the end, but here is how it looks:

The full code is in the google_seach_event_mapper.js file.

Log in to the Rakam UI app, select your project and visit this link (Settings (left corner) -> Integrations -> Custom event mappers), click "add new custom event mapper", choose “Custom Event Mapper” in the list, copy the full code from the google_seach_event_mapper.js file and press the create button.

Now that we have our custom event mapper, we should send our search history events to our Rakam API. The collect_events.py file is a simple Python script that reads all the files in your Takeout/Searches directory, transforms them and sends them to your Rakam API. Do not forget to pass the search_dir, rakam-write-key and rakam-api-url parameters to the script.

The script will send all our search history to Rakam (mine is 9 years of history!) and when it’s done (usually within a few minutes) you can analyze your data in the Rakam UI.
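As an added example of the transformation step described above (this is not the collect_events.py from the post, and the event shape it emits is an assumption rather than Rakam’s documented schema), the following Python 3 code parses the Takeout search JSON shown earlier, converts the microsecond epoch timestamps to timezone-aware datetimes without float rounding, and flattens one query with several timestamps into several events. The sample document at the bottom is constructed for the example; posting the resulting batch with your write key is left to your own sending code.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def usec_to_datetime(timestamp_usec: str) -> datetime:
    """Takeout stores the search time as microseconds since the epoch, as a string.

    Integer arithmetic keeps all 16 digits; going through a float would risk
    rounding the microsecond part.
    """
    return EPOCH + timedelta(microseconds=int(timestamp_usec))


def takeout_to_events(takeout_json: str, collection: str = "google_search") -> list:
    """Flatten one Takeout search file into a list of events.

    The event shape (collection name plus a properties dict with a _time field)
    is an assumption made for this example, not Rakam's documented schema.
    """
    doc = json.loads(takeout_json)
    events = []
    for entry in doc.get("event", []):
        query = entry.get("query", {})
        text = (query.get("query_text") or "").strip()
        if not text:
            continue  # skip entries with no search term
        # "id" is a list: one query text can carry several timestamps
        for stamp in query.get("id", []):
            events.append({
                "collection": collection,
                "properties": {
                    "query_text": text,
                    "_time": usec_to_datetime(stamp["timestamp_usec"]).isoformat(),
                },
            })
    return events


def load_search_dir(search_dir) -> list:
    """Read every JSON file under Takeout/Searches and concatenate the events."""
    events = []
    for path in sorted(Path(search_dir).glob("*.json")):
        events.extend(takeout_to_events(path.read_text(encoding="utf-8")))
    return events


# Constructed sample in the Takeout layout shown above (not real export data).
SAMPLE = json.dumps({
    "event": [
        {"query": {"id": [{"timestamp_usec": "1183032424150752"}],
                   "query_text": "my search term"}},
        {"query": {"id": [{"timestamp_usec": "1183032500000000"},
                          {"timestamp_usec": "1183032600000000"}],
                   "query_text": "repeated search"}},
        {"query": {"id": [{"timestamp_usec": "1183032700000000"}],
                   "query_text": ""}},
    ]
})

if __name__ == "__main__":
    for ev in takeout_to_events(SAMPLE):
        print(ev["properties"]["_time"], ev["properties"]["query_text"])
```

Run it against a real export with load_search_dir("Takeout/Searches"); the empty-query entry in the sample is there to show that the parser drops records that would otherwise produce blank events.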

Register Rakam and build an analytics service for your personal history!

Close this section

Alphabet's Waymo Alleges Uber Stole Self-Driving Secrets

It took Alphabet Inc.’s Waymo seven years to design and build a laser-scanning system to guide its self-driving cars. Uber Technologies Inc. allegedly did it in nine months.

Waymo claims in a lawsuit filed Thursday that was possible because a former employee stole the designs and technology and started a new company.

The complaint intensifies Alphabet’s rivalry with Uber, one of the Internet giant’s largest investments, and reflects an escalating talent war in the burgeoning autonomous-driving arena as tech and auto companies alike compete for skilled engineers. Legal fights are multiplying after General Motors Co. and Uber valued upstarts -- each with just a few dozen employees -- as worth hundreds of millions of dollars in separate acquisitions last year.

Waymo accuses several employees of Otto, a self-driving startup Uber acquired in August for $680 million, of lifting technical information from Google’s autonomous car project. The “calculated theft” of Alphabet’s technology earned Otto’s employees more than $500 million, according to the complaint in San Francisco federal court.

“We take the allegations made against Otto and Uber employees seriously and we will review this matter carefully,” Uber spokeswoman Chelsea Kohler said in an e-mail.


The claims in Thursday’s case include unfair competition, patent infringement and trade secret misappropriation.

“Fair competition spurs new technical innovation, but what has happened here is not fair competition,” Waymo said in the complaint. “Instead, Otto and Uber have taken Waymo’s intellectual property so that they could avoid incurring the risk, time, and expense of independently developing their own technology.”

Waymo was inadvertently copied on an e-mail from one of its vendors, which had an attachment showing an Uber lidar circuit board that had a “striking resemblance” to Waymo’s design, according to the complaint.

14,000 Files

Anthony Levandowski, a former manager at Waymo, in December 2015 downloaded more than 14,000 proprietary and confidential files, including the lidar circuit board designs, according to the complaint. He also allegedly created a domain name for his new company and confided in some of his Waymo colleagues of plans to “replicate” its technology for a competitor.

“Misappropriating this technology is akin to stealing a secret recipe from a beverage company,” Waymo wrote in a blog post explaining the suit.

Levandowski left Waymo in January 2016 and went on in May to form Otto LLC, which planned to develop hardware and software for autonomous vehicles.

"These are very serious allegations, if true," said Tyler Ochoa, a professor at Santa Clara University School of Law. "The trade secret case by itself is a blockbuster."

Waymo’s complaint contains such specific information about the devices used and the dates the information was downloaded that it’s "hard to believe they’d put those accusations into print unless they had evidence," Ochoa said in an interview.

Alphabet’s venture capital arm, GV -- formerly known as Google Ventures -- is an early backer of Uber.

Waymo’s lawsuit is ill-timed for Uber, a company already mired in crisis over allegations of sexual harassment and recently beset by customer losses due to ties to President Donald Trump. Uber this week set up a commission led by former U.S. attorney general Eric Holder to investigate a former developer’s allegations of sexual harassment and discrimination by her manager. Weeks earlier, Chief Executive Officer Travis Kalanick stepped down from the president’s business advisory council after customers defected, citing his affiliation with Trump.

Confidentiality Agreement

Tesla Motors Inc., meanwhile, is suing the former head of its Autopilot program over claims he broke his confidentiality agreement with the company when he founded a startup with a former Google car engineer. In January, the electric carmaker accused Sterling Anderson of starting working last summer on the autonomous car venture, Aurora Innovation LLC, that he set up with Chris Urmson, the former head of Google’s self-driving car project. Anderson left Tesla in December.

In another dispute over intellectual property in the self-driving space, Google in December accused a former employee of breaching his contract obligations over possession and use of confidential information when he went to work for startup Drive.ai.

The Alphabet case is Waymo LLC v. Uber Technologies Inc., 17-cv-00939, U.S. District Court, Northern District of California (San Francisco).

Close this section

The Long-Shot Bid to Put Crispr in the Hands of the People

Last week, the US Patent and Trademark Office ruled on the most-watched patent proceeding of the 21st century: the fight for Crispr-Cas9. The decision was supposed to declare ownership of the rights to the revolutionary gene editing technique. But instead, the patent judge granted sorta-victories to each of the rival parties—a team from UC Berkeley and another with members from both MIT and Harvard University’s Broad Institute. That’s great for those groups (and their spin-off, for-profit gene editing companies with exclusive licenses). But it leaves things a bit murkier for anyone else who wants to turn a buck with gene editing.

The Crispr discoverers now have some authority over who gets to use Crispr, and for what. And while exclusive licenses aren’t rare in biotech, the scope of these does stand out: they cover all the 20,000-plus genes in the human genome. So this week, legal experts are sending a formal request to the Department of Health and Human Services. They want the federal government to step in and bring Crispr back to the people.

Crispr is new, but patent laws governing genetic engineering date back decades. In 1980, shortly after the Supreme Court ruled that genetically engineered microbes were patentable, Congress passed something called the Bayh-Dole Act. The law gives permission for universities to patent—and license—anything their researchers invented with public funds, making it easier to put those inventions back in the hands of citizens.

The law’s original intent was to patent mature discoveries, things like a genetically modified crop, or biofuel-farting yeast. Over the years, however, universities started filing patents further upstream—on everything from protein structures to bits of DNA. This frenzy of molecule-grabbing can actually work counter to Bayh-Dole, locking up promising discoveries that don’t need help getting commercialized. “Crispr totally epitomizes that,” says Michael Eisen, a Berkeley biophysicist and long-time advocate of open science. “Everybody in the universe is chomping at the bit to use it. But patents are an obstacle to that happening right now.”

Biotech Blockades

In the 20 years after Bayh-Dole, as scientists developed new genetic techniques, the government came up with ever-more convoluted ways to make sure publicly-funded science got to the public. In 1999, the NIH recommended that patent holders nonexclusively license research tools developed with federal funds, so more entrepreneurs could commercialize them.

Berkeley and the Broad are following that recommendation—sort of. They’re not doing anything to stop scientists who want to use Crispr for science’s sake; both have granted nonexclusive licenses to researchers at universities and nonprofit institutions. But the buck stops the moment any of those license-holders try to take a Crispr-ed product to market. At that point, the researcher needs to buy the appropriate sublicense from whichever company—Editas or Caribou or Crispr Therapeutics—holds it. These biotechs are surrogates for patent holders like Berkeley and the Broad, taking over the role of patent owner (plus the majority of profits). And that extra licensing step has the potential to stop innovative applications of Crispr.

Here’s the problem: Crispr—which can function as either a tool or a treatment—is such a powerful technique that the 90’s-era definition of ‘research tool’ can’t contain it. And three companies can’t possibly develop all of its possible applications. Jorge Contreras, a law professor at the University of Utah, says the NIH should update its guidelines to treat technologies like Crispr more like Wi-Fi or the internet, and license it on a “fair, reasonable and non-discriminatory” basis. No favorites.

He’d also like the NIH to get tougher on enforcing their recommendation. “There aren’t any real penalties for noncompliance,” he says. But something like disbarment from seeking federal grant funding for a few years? “That would turn some heads in the academic research community!”

Marching-in to Nonexclusivity

Bayh-Dole caused the rampant university patent problem. But it might also provide the solution. If any company or public interest group believes a patent’s license agreement is too restrictive, the law says they can petition the agency that funded the patent’s foundational research. (In Crispr’s case, that’s the HHS, of which the NIH is a part.) That agency can then compel the license-holders to loosen up.

Today, James Love is spending the afternoon putting final touches on a letter to the HHS, asking the agency to intervene in the Crispr patent situation. As the director of the nonprofit Knowledge Ecology International, he’s been building a case that the federal government should ensure an open and non-discriminatory licensing paradigm for Crispr. Specifically, he’s hoping that the NIH will exercise its so-called march-in rights. “That’s the part of the act that says the research has to be made available to the public on reasonable terms,” says Love. “But it’s very rare for parties to agree on what those reasonable terms are.”

Love has filed these kinds of petitions before. They’re usually pretty anticlimactic: Since 1980, the NIH has only held march-in hearings four times, and they’ve never moved into a full march-in proceeding. But that’s fine—because threats work, too. Back in 1997 a company called CellPro petitioned the Clinton administration for a compulsory license to four patents held by Johns Hopkins University, under Bayh-Dole. The NIH held a hearing on whether to march-in or not, and while they decided against it, Hopkins eased its agreement to allow in a competitor. “March-in has never fully been used, but it has definitely created some shadow effects,” says law scholar Arti Rai, a professor at Duke University.

A director at the NIH declined to comment on Love’s petition. But the agency does have an interest in not exercising its legal leverage. If it were to start granting marching-in requests, NIH grants would look less appealing to researchers. Taking federal money would mean accepting weaker patent rights. And that could impact the agency’s ability to draw high-profile collaborators.

With the patent fight still smoldering and Berkeley contemplating an appeal, it’s not clear yet if the licensing agreements really are a barrier to development. But with Editas, Caribou, and Crispr Therapeutics all expecting to start clinical trials by this time next year, the field may soon find fresh incentive to advocate free Crispr for all.


Close this section

Linus' reply on Git and SHA-1 collision


List:       git
Subject:    Re: SHA1 collisions found
From:       Linus Torvalds <torvalds () linux-foundation ! org>
Date:       2017-02-23 17:19:06
Message-ID: CA+55aFxJGDpJXqpcoPnwvzcn_fB-zaggj=w7P2At-TOt4buOqw () mail ! gmail ! com

On Thu, Feb 23, 2017 at 8:43 AM, Joey Hess <id@joeyh.name> wrote:
>
> IIRC someone has been working on parameterizing git's SHA1 assumptions
> so a repository could eventually use a more secure hash. How far has
> that gotten? There are still many "40" constants in git.git HEAD.

I don't think you'd necessarily want to change the size of the hash.
You can use a different hash and just use the same 160 bits from it.

> Since we now have collisions in valid PDF files, collisions in valid git
> commit and tree objects are probably able to be constructed.

I haven't seen the attack yet, but git doesn't actually just hash the
data, it does prepend a type/length field to it. That usually tends to
make collision attacks much harder, because you either have to make
the resulting size the same too, or you have to be able to also edit
the size field in the header.

pdf's don't have that issue, they have a fixed header and you can
fairly arbitrarily add silent data to the middle that just doesn't get
shown.

So pdf's make for a much better attack vector, exactly because they
are a fairly opaque data format. Git has opaque data in some places
(we hide things in commit objects intentionally, for example), but by
definition that opaque data is fairly secondary.

Put another way: I doubt the sky is falling for git as a source
control management tool. Do we want to migrate to another hash? Yes.
Is it "game over" for SHA1 like people want to say? Probably not.

I haven't seen the attack details, but I bet

 (a) the fact that we have a separate size encoding makes it much
harder to do on git objects in the first place

 (b) we can probably easily add some extra sanity checks to the opaque
data we do have, to make it much harder to do the hiding of random
data that these attacks pretty much always depend on.

                Linus
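To make Linus’s point (a) concrete, and to connect it to the SHAttered post above, here is an added example (not code from Linus, from git, or from the SHAttered authors) that computes git object ids the way git does: by hashing a "<type> <size>\0" header in front of the content. It assumes Python 3 with only the standard hashlib module. The truncated SHA-256 variant only illustrates Linus’s suggestion of swapping the hash while keeping 160 bits; it is not a description of anything git actually does.

```python
import hashlib


def git_header(obj_type: str, content: bytes) -> bytes:
    """The type/length prefix git puts in front of every object before hashing."""
    return f"{obj_type} {len(content)}\0".encode("ascii")


def git_object_id(obj_type: str, content: bytes, algo: str = "sha1") -> str:
    """Object id as git computes it: hash("<type> <size>\\0" + content).

    algo="sha1" reproduces the ids `git hash-object` prints today; any other
    hashlib name just shows the same framing applied to a different hash.
    """
    return hashlib.new(algo, git_header(obj_type, content) + content).hexdigest()


def truncated_object_id(obj_type: str, content: bytes, algo: str = "sha256") -> str:
    """Illustration of Linus's suggestion: a different hash, keeping 160 bits.

    This is not what git does; it only shows that the id width can stay at
    40 hex characters while the underlying function changes.
    """
    return git_object_id(obj_type, content, algo)[:40]


def same_git_framing(a: bytes, b: bytes, obj_type: str = "blob") -> bool:
    """True only if git would hash both contents under an identical header.

    SHAttered is an identical-prefix collision: both inputs must start with
    the same bytes. Inside git the first bytes are the header, so two
    contents of different length are framed differently before any
    collision block is reached (Linus's point (a)).
    """
    return git_header(obj_type, a) == git_header(obj_type, b)


if __name__ == "__main__":
    print(git_object_id("blob", b""))         # git's well-known empty-blob id
    print(git_object_id("blob", b"hello\n"))  # same as `echo hello | git hash-object --stdin`
    # Constructed inputs: padding one file with hidden bytes, as the PDF trick
    # does, changes its length and therefore its git header.
    benign = b"%PDF-1.3 constructed sample"
    padded = benign + b"\0" * 64
    print(same_git_framing(benign, padded))   # False
    print(truncated_object_id("blob", b""))
```

The caveat a practitioner should keep in mind: the header only rules out pairs of different length. The two SHAttered PDFs are the same length, so a collision pair built to equal length passes same_git_framing, which is why the header makes the attack harder rather than impossible and why the migration Linus says he wants is still needed.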


Close this section

Why the sun shines for Oracle and it’s Cloudy for others

First of all, I’d like to mention that this draft has been pushed back in the schedule several times over, as I kept asking myself the question: should I really do this? But then again … This is a blog, a very personal, humble opinion, and you don’t have to agree with me; I can be wrong, I can be right. The truth is probably somewhere in between. So, the title “Why the sun shines for Oracle and it’s cloudy for others” is kind of a metaphor for Oracle having (until now) missed the cloud train.

Recently I came across the website of the Synergy Research Group and found a nice article. When you see the graph, you immediately get why uncle Larry is doing all this stuff to beat AWS.

Synergy_cloudy_graph

You see? Find Oracle … it’s in the “Others” group. If this were the RDBMS resource manager, I’d not like to be there. I think Oracle was thinking the same 🙂 If you have a look at AWS, there is virtually no change. Personally I expected a little growth, but apparently not. Microsoft Azure, Google and IBM are taking up the share of the “others”.

Please dig around on my blog, and you’ll see that I recently worked on a project on the Microsoft Azure cloud. Even though I never liked Microsoft and I’m not a fan of Oracle on Windows, I have to admit that doing this Azure project (apart from some other problems) was a BLAST! Full support from Microsoft, a stable cloud environment, easy to configure and maintain … A very positive experience.

Then I had a look at the Oracle Cloud. A bit sceptical. The interface is fantastic! But then you dig a bit deeper, and I hit limits I wasn’t expecting. A very simple example: Oracle wants to position itself as the #1 cloud provider. To do so, they want to migrate full datacenters to their cloud. GREAT! Wonderful idea. I mean this.

One story from the Azure project. Due to a miscalculation (if you want to hear all about it, find me at a conference for my presentation about the journey of a BI stack to the cloud), we needed far more powerful servers to cope with the load. That wasn’t a problem, but they are expensive. So expensive that when we redid the financial calculation, we decided to have a look at the other two players as well. AWS was easy and competitive, but about the same price, so there was no reason to change. Then we had a look at the Oracle Cloud.

Remember the demo Larry Ellison gave at OpenWorld: he wants to lift and shift datacenters to the Oracle Cloud. I love that concept. So we went to the Oracle Marketplace (I love this term!) and were looking for our Windows Server version. No worries, our DBs are running on Linux 🙂 But err … no decent Windows Servers available in the marketplace 🙁

Cloudy_limited_choice

Then also … I find that the interface is slow … very slow … and sometimes even unstable.

Cloudy_failure

Some friends even had difficulties cancelling their trial subscription. I can go on like this for a while, but one of the other “no-gos” for this customer was this entry in the FAQ:

“I have hardware VPN appliance in my datacenter. Will Corente VPN work with my existing appliance?

Currently, third-party VPN appliances will not work with the Corente service. VPN endpoint locations will need to install a Corente Services Gateway.”

This customer wanted another choice and that was impossible. That’s a pity.
EDIT (24/02/2017): The Oracle Cloud, just like the others, is evolving very rapidly. Thanks to Philip Brown () for pointing me to these links about a Third-Party Gateway to an IP Network in Oracle Cloud and a Third-Party Gateway On-Premises to the Shared Network.
So it seems that currently it is possible, which is good news! So hopefully the FAQ will be updated quickly.

Ok, let’s do database as a service then. It’s the #1 database company (and yes, I’m an Oracle fanboy), so that should work for a decent price. Right?

I’ll take the anonymized example I use in my presentation as well: 3 prod DBs, 35 TB, 15 TB and 6 TB, plus their Data Guard instances, and then for each DB 8 non-live versions (Dev, Dev New Release, Test, Test New Release, Int, Int New Release, UAT, UAT New Release). Then you immediately spot WHY the cloud is an option. Treat these databases as cattle, not as pets. So automation and provisioning would be key. But for production, it should be feasible, right?
Let’s explore the options … In summary … not too much except the full-blown Exadata option, which was (compared to the Azure solution we had figured out) extremely expensive. Even then we left out mechanisms for cloning those databases in an automated way to non-prod systems.

It’s a bit of a frustrating blog post and I feel sad writing and reading it. So for Oracle, in my opinion, the sun is still shining on premises, and I do hope for them the clouds will come, but the way it is now, I’m afraid they’ll miss this train. I believe more in data on premises, but the cloud will definitely take its place and we should definitely embrace it. I totally agree with the statement “there will be a co-existence for the next 5 to 10 years”. Of course some other hype will be there by then, but that’s another story.

But Oracle … you still can win this battle!

  • Think about the past, think “back to the future”! How did you win ground in the past? Make it EASY TO USE. So, the trial subscription: make it really free to subscribe and unsubscribe without having to provide credit card details. Have a look at your colleagues at APEX, they are doing a GREAT job!
  • Support us. Support is key. If we choose to be dependent on a cloud provider, offer good support. Resolve (I don’t say respond, but really resolve) SRs really quickly (< 0.5 d in the local timezone), as speed in the cloud is key.
  • No unplanned outages please! Make it stable, no suddenly disappearing machines. Outages are acceptable, but communicate them; be very transparent.
  • Invest in a good, extensive marketplace. Currently you’re at the point Microsoft Azure was 2 years ago. You have the experience, the knowledge, the social network … it must be feasible to fill this marketplace really quickly with recent and decent software. Vendors are asking for it … hear them. Make the marketplace a shopping mall or a candy store.
  • Engage your partners! It’s lonely at the top, and if you’re high you can fall very low. If the product is mature, and if partners get easy access to features-to-come (compare it to private/public preview with Azure), customers will start to trust you and dare to make the move.
  • Don’t push the “cloud-on-premise” too hard. It’s no cloud at all, it’s just an interface. People don’t get this idea: keeping the costs of your own datacenter and paying extra for this service. It’s difficult to understand. I do believe in this mechanism as a “step to the cloud”, but make it free (or very, very cheap), so that people can use the engineered systems to put their environment on; once done, call DHL/FedEx or some other partner and move them to the Oracle DC. Done.
  • Don’t change the rules if you can’t win, and don’t get aggressive. Yes, I’m referring to the core-factor story regarding AWS and Microsoft Azure. I heard some customers making the comparison with children: “if they can’t win, they change the rules”. I couldn’t think of any response at that time … it felt like they were right.
  • Provide a clear cloud advantage. This could be, for instance, that if you add a compute layer to host your DB yourself, the EE licenses are included. Or change the license model (in the Oracle Cloud) so that e.g. all the options are included “free” in the EE license. If you make that cheaper than the on-premises licenses, you will certainly win ground without putting the customers of other certified cloud providers in a strange position.
  • Provide an easy mechanism so that customers can go back/away very easily without extra cost. This sounds very strange, but people don’t like to be in prison, so they are very scared about “losing their data to someone else” or going through a lengthy process to get it out of the cloud again (if needed for one reason or another).

Basically, it comes down to one sentence: listen to your customers, listen to what they want, don’t shove things down their throats. It’s not too late yet. People are interested in it; engage them, don’t scare them.

Once again, this is a very personal opinion and I might be right, but I might be wrong as well. I think by discussing this, more beautiful and working (usable) clouds can be created.

Cloudy_but_sunny

And remember, when it’s cloudy, it doesn’t necessarily mean that it will rain 🙂

As always, questions or remarks? Find me on Twitter: @vanpupi


Cloudflare bug data leak exposed

Image caption: Cloudflare founders Matthew Prince and Michelle Zatlyn

Private messages exchanged on dating sites, hotel bookings and frames from adult videos were among the data inadvertently exposed by a bug discovered in the Cloudflare network.

The firm protects websites by routing their traffic through its own network, filtering out hack attacks.

It has 4 million clients, including banks, governments and shopping sites.

Customers wouldn't necessarily know which of the online services they use run on Cloudflare, as it is not visible to them.

The bug came to light while Cloudflare was migrating from older to newer software between 13 and 18 February.

Chief operating officer John Graham-Cumming said that in the last week around 120,000 web pages per day were likely to have contained some unencrypted private data, along with other junk text, along the bottom.

He told the BBC there was no evidence yet that the data had been used maliciously.

"I can't tell you it's zero probability that nobody saw something and did something mischievous," he said.

"I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about."

'Ancient software'

Mr Graham-Cumming has written a blog about what went wrong and how Cloudflare fixed it.

"Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it," he wrote.

The firm, whose strapline is "make the internet work the way it should", has also been working with the major search engines to get the data scrubbed from their caches - snapshots taken of pages at various times.

The bug was discovered by Google engineer Tavis Ormandy, who compared it to the 2014 Heartbleed bug.

"We keep finding more sensitive data that we need to clean up," he wrote in a log of the discovery.

"The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up."

Dodged bullet

Cybersecurity expert Prof Alan Woodward said the bug had been caused by "a few lines of errant code".

"When you consider the millions of lines of code that are protecting us out there on the web, it makes you realise that there are bound to be other problems likely to be waiting to be found," he said.

"It's too soon to tell exactly what damage may have been done, but because of the way in which this was found the chances of individuals being compromised is relatively small.

"What it shows, bigly, is that we may have just dodged a bullet."


Facts about migration and crime in Sweden

Claim: "Sweden had its first islamic terrorist attack not so long ago"

Facts: The only known attempt at such an attack was in 2010. No one was harmed but the attacker.

Claim: "There has been a major increase in gun violence in Sweden."

Facts: In general terms, violence has decreased in Sweden in the last 20 years. At the same time, surveys repeatedly show that people in Sweden and in other Western countries have a perception that violence is actually increasing. Perceptions of increased violence have been linked to the number of immigrants in Sweden. Nonetheless, research shows that there is no evidence to indicate that immigration leads to increased crime. Despite the fact that the number of immigrants in Sweden has increased since the 1990s, exposure to violent crimes has declined.

Data from the Swedish Crime Survey shows that in terms of lethal violence, there has generally been a downward trend over the past 25 years. Nonetheless, the level in 2015 – when a total of 112 cases of lethal violence were reported – was higher than for many years.

Studies conducted by the Swedish National Council for Crime Prevention show that lethal violence using firearms has increased within the context of criminal conflicts. The number of confirmed or suspected shootings was 20 per cent higher in 2014 than in 2006. The statistics also show that 17 people were killed with firearms in 2011, while the corresponding figure in 2015 was 33.

Figures from the United Nations Office on Drugs and Crime (UNODC) show that in 2012, 0.7 murders were committed in Sweden per 100 000 inhabitants.

Source: https://www.unodc.org/gsh/en/data.html

Claim: "There has been a major increase in the number of rapes in Sweden."

Facts: The number of reported rapes in Sweden has risen. But the definition of rape has broadened over time, which makes it difficult to compare the figures. It is also misleading to compare the figures with other countries, as many acts that are considered rape under Swedish law are not considered rape in many other countries.

For example: If a woman in Sweden reports that she has been raped by her husband every night for a year, that is counted as 365 separate offences; in most other countries this would be registered as a single offence, or would not be registered as an offence at all.

Willingness to report such offences also differs dramatically between countries. A culture in which these crimes are talked about openly, and victims are not blamed, will also have more cases reported. Sweden has made a conscious effort to encourage women to report any offence.

Read more about the legal implications of the term 'rape' (in Swedish):

Claim: "Refugees are behind the increase in crime, but the authorities are covering it up."

Facts: According to the Swedish National Council for Crime Prevention's Swedish Crime Survey, some 13 per cent of the population were the victim of an offence against them personally in 2015. This is an increase on preceding years, although it is roughly the same level as in 2005.

The Swedish National Council for Crime Prevention has conducted two studies into the representation of people from foreign backgrounds among crime suspects, the most recent in 2005. The studies show that the majority of those suspected of crimes were born in Sweden to two Swedish-born parents. The studies also show that the vast majority of people from foreign backgrounds are not suspected of any crimes.

People from foreign backgrounds are suspected of crimes more often than people from a Swedish background. According to the most recent study, people from foreign backgrounds are 2.5 times more likely to be suspected of crimes than people born in Sweden to Swedish-born parents. In a later study, researchers at Stockholm University showed that the main difference in terms of criminal activity between immigrants and others in the population was due to differences in the socioeconomic conditions in which they grew up in Sweden. This means factors such as parents' incomes, and the social circumstances in the area in which an individual grew up.

Swedish government agencies have nothing to gain from covering up statistics and facts; they seek an open and fact-based dialogue. Sweden is an open society governed by a principle of public access to official documents. This means that members of the public, e.g. private individuals and media representatives, have the right to insight into and access to information about the activities of central and local government.

Claim: "In Sweden there are a number of 'no-go zones' where criminality and gangs have taken over and where the emergency services do not dare to go."

Facts: No. In a report published in February 2016, the Swedish Police Authority identified 53 residential areas around the country that have become increasingly marred by crime, social unrest and insecurity. These places have been incorrectly labelled 'no-go zones'. What is true, however, is that in several of these areas the police have experienced difficulties fulfilling their duties; but it is not the case that the police do not go to them or that Swedish law does not apply there.

The causes of the problems in these areas are complex and multifaceted. To reverse the trend, more initiatives are required from all of society, at all levels.

Read more: The Swedish Police (in Swedish)

Claim: "The high level of immigration means that the system in Sweden is on the verge of collapse."

Facts: No. The Swedish economy is strong. Despite the high costs of immigration, Sweden recorded a public finance surplus in 2015, and the forecasts indicate that the surplus is set to grow until 2020.

Moreover, Sweden has had one of the highest rates of growth in Europe over the last two years. Youth unemployment has declined considerably and is now at its lowest level for 13 years, and long-term unemployment (12 months or longer) is the lowest in the EU.

In addition, the World Economic Forum has identified Sweden as being among the top countries in many international rankings.

Source: https://www.weforum.org/agenda/2017/01/why-sweden-beats-most-other-countries-at-just-about-everything/

A large number of people have sought protection in Sweden. In 2015, almost 163 000 people sought asylum here. The measures subsequently taken by the Government, including temporary ID checks and border controls, and the new temporary asylum legislation, have led to fewer people now seeking asylum in Sweden.

Read more: Swedish Migration Agency

Sweden needs immigration to compensate for the decline in numbers of babies being born here.

Read more: History of migration in Sweden

Claim: "Muslims will soon be in the majority in Sweden."

Facts: No. It is estimated that there are a few hundred thousand people in Sweden whose roots are in predominantly Muslim countries. But this figure says nothing about how many are religious or not.

The Muslim faith communities have approximately 140 000 members. This is about 1.5 per cent of Sweden's population. The largest faith communities are the Church of Sweden, the Pentecostal Movement and the Roman Catholic Church. Of Sweden's ten million inhabitants, 6.2 million are members of the Church of Sweden.

Prejudices and negative attitudes towards Muslims exist in many areas of society. A report published by the Equality Ombudsman in 2015 shows that Islamophobia is manifested in threats, violence, verbal abuse, media attacks, harassment in schools, unfavourable opportunities for finding a job, and in other ways.


Embark (YC W16) Is Hiring Autonomous Truck Engineers
