I work for Nook as a Rails developer in Palo Alto. I'm not authorized to speak on behalf of the company, blah blah blah, but I just wanted to post a quick comment saying that this news should NOT be interpreted as Nook going out of business. In fact, we're actively hiring devs here in Palo Alto and also in New York: http://www.nook.com/careers/locations
I really wish I could provide details, but I'll just say that I would be extremely surprised if Nook wasn't around and doing well in five years. My coworkers and I really enjoy working here, and none of us worry about job security.
function uuidv4() {
  // RFC 4122 v4 layout: the literal '4' fixes the version nibble; 'y' gets the variant bits (8, 9, a or b)
  return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
    var r = Math.random()*16|0, v = c == 'x' ? r : (r&0x3|0x8);
    return v.toString(16);
  });
}
That should be pretty good, right? Well, it's pretty good depending on your needs. If you need a UUID that is (practically) guaranteed to be unique within a single HTML document, and that UUID never leaves the scope of that page, then this function is a great solution. But if your client-side-generated UUID is sent to the server where it meets up with many other UUIDs generated from the same JavaScript code that ran in other browsers, then this function won't cut it. Why not? Because generating a random UUID in JavaScript relies on the use of Math.random(), which in most browsers uses the current datetime as a seed, and that's only a fine seed if you're building Tetris.
Given enough time, two browsers will eventually generate a UUID at the same moment, meaning they both use the same seed and therefore generate the same UUID.
So, why not seed a pseudo-random number generator in JavaScript yourself with something better than the current time? Because client-side JavaScript doesn't have access to good sources of entropy. Within the browser, your sources of entropy are limited to things like the current time, the window dimensions, the user agent string, the number of plugins installed, etc. You could capture mouse movements and keyboard clicks over time, but it would take a while to generate sufficient entropy for a cryptographically secure random number. Also, if you need to generate a UUID on page load you can't wait for the user to jiggle their mouse.
Meanwhile, the server has access to better sources of entropy. For example, many /dev/random implementations use the time between hard drive seeks as a source of entropy. Of course this entropy pool would be exhausted quickly, but you could replenish the pool with outside sources of entropy such as white noise from a radio ( https://www.random.org/history/ ) or even radioactive decay ( http://www.fourmilab.ch/hotbits/ ).
I don't know what sources of entropy http://uuid.me is using to generate random UUIDs, but it might be better than what JavaScript is capable of on its own. If uuid.me served its UUIDs in JSON, then you could make a JSONP call in JavaScript, providing you with a UUID that is much less likely to ever collide with another client's UUID.
At least v4 will use Java's SecureRandom, and my server is running a recent Oracle JVM7, so I would argue that the randomness should be decent enough. Maybe not perfect, but good enough to make collisions extremely unlikely.
That being said, this service really was written as a joke. Particularly the JSON and XML outputs.
As to /dev/random, no, it's not simply derived from time between hard drive seeks (at least for the operating systems I care about).
Given that this bug was likely there for at least 12 weeks in Beta and Aurora releases, it sort of makes you question whether the release schedule couldn't be even faster by skipping one of these, or at least trying to encourage many more people (certainly the ones who can pull off the above) to try Betas. Having 18 weeks of lead time for a release clearly doesn't do much good when nobody tries it beforehand.
There were chemspills for Firefox 13, 14, 15 and now 16. None of those seemed to be caused by the rapid development schedule, they were (IIRC) all issues discovered because the release had much wider exposure compared to beta.
On the other hand, Firefox now does silent updates, so if there hadn't been so much publicity about the Firefox release (or on the update being blocked), it might have been a non-event. In a few hours everyone will be on 16.0.1. I'm not sure if this would have happened to a non-open-source project, or if we'd even hear about it.
Maybe we can make it clearer that "Beta" is really Mozillian for "Release Candidate"?
FWIW, I have experienced this in all my real life work experiences too. Dev+staging before production always appeared to catch exactly the same bugs as any additional number of steps in between.
I guess people who are willing to run aurora would still run beta, while people who didn't run beta are likely not running aurora either.
The additional step just splits the testers in two areas.
I agree. Chrome does well with just three channels: Dev, Beta, and Release (ignoring the Canary channel as a special case of Dev).
I support shortening the release cycle (to maybe 4 weeks) and increasing the number of Beta users. Having two channels (Aurora and Beta) between dev and release is useful because it widens the user population as the release stabilizes. As you point out, some bugs can only be found by increasing the test population, rather than the test time. Early adopters that install Aurora or Beta are not representative of the "Joe User" population, who probably suffer from malware, anti-virus software, and older hardware.
Chrome does well with just three channels: Dev, Beta, and Release (ignoring the Canary channel as a special case of Dev)
Like Aurora is a special case of Nightly? What's the difference? (I'm not familiar with the Chrome dev process)
I support shortening the release cycle (to maybe 4 weeks)
How many bugs are backed out in Beta? It's surprisingly many, which suggests that 12 weeks is quite short.
Having two channels (Aurora and Beta) between dev and release is useful because it widens the user population as the release stabilizes
I'm not sure I agree on this. I mean, are there people running Beta that would run Release if Beta wasn't available? I'd think those people would be on Aurora.
Early adopters that install Aurora or Beta are not representative of the "Joe User" population, who probably suffer from malware, anti-virus software, and older hardware
I'm afraid you're right, and this makes chem-spills unavoidable, though this particular one is sad as it looked entirely avoidable.
AFAIK, Canary is like Nightly and Dev is a state snapshot of Canary updated once or twice per week.
Rereading your original comment, I see that by "faster"releases you meant to increase the number of testers sooner, not uplift the channels sooner. If Mozilla did that, the Nightly channel might need more stabilization before
As a developer, I agree that captchas can be a drag on users, and I think we should put serious thought into whether or not their UX-cost is justified. Personally, I try to avoid using them on sites I build.
It's a clever way to digitize books (and now street signs) while keeping out spambots, and when I combine that knowledge with my affinity for Luis von Ahn as a person I find myself less annoyed every time I have to prove I'm not a robot.
> It's a clever way to digitize books (and now street signs)
It used to be a cool idea when it benefited everyone, because it was used to digitize public domain books that everyone could retrieve. Now, it's only a clever way for Google to use your brain to do stuff for their own purposes.
From the filing: We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.
In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network. Information stored on the compromised corporate systems was exfiltrated. The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.
The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company’s management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company’s disclosure controls and procedures in this area. See Item 4 “Controls and Procedures” in Part I of this report.
It's interesting to note that the SEC issued guidelines on the reporting of security breaches on October 13th, 2011 ( http://www.sec.gov/divisions/corpfin/guidance/cfguidance-top... ) and VeriSign's SEC filing was released about two weeks later on October 28th, 2011. It could be the case that the security breach wasn't actually a major one, but because the SEC guidelines were so new they thought it prudent to mention even a minor security breach.
From this filing, there's no way to know the severity of the breach, which is why I think it's unfair for reuters to make this seem like a bigger deal than it might actually be. (They mention the RSA security breach which was a huge deal, and they suggest the attack was done by a "nation-state".) It reads like an article written by Nancy Grace.
Of course it could be the case that this was a major attack carried out by China, but it could also be a mundane attack on a public web server that wouldn't have made the news if not for the timing of the recent SEC guidelines. There's just no way to know from the information available.
"I think it's unfair for reuters to make this seem like a bigger deal than it might actually be"
The filing says:
"the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers"
The headline was:
"Key Internet operator VeriSign hit by hackers"
This wasn't the lead story on the nightly news. It was a Reuters article with a fair headline for what happened. The mere fact that they reported it in their filings but didn't disclose it to company management is a problem right there.
This delightful fear-mongering quote from a former DHSer is in the article:
"Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."
The point is that this was a small attack that affected a very small part of the company that they don't believe has any lasting implications to their business. You get an article with quotes like that from such a small attack, and it makes you raise an eyebrow.
This doesn't make sense. It is company management who writes the filings, not the network admins. How can it be in the filings but not go through management?
>He said he hoped new legislation on cybersecurity, expected to reach the Senate floor this month, would call for more disclosures and bring more aid to companies under attack.
Uh huh.
Interesting that a large argument against SOPA was that it would break the security of the internet. Now we are getting stories claiming that the internet is already broken and we'll need new laws to fix it.
Expect the laws needed to fix the security of the internet to also include fixing the "evils" of copyright "theft".
Tangent: I'm extremely frustrated at how ephemeral web pages are. I googled the story to provide a reference, and the most reputable sources for the story are dead. I found 404s on Salon.com, Fox News, the Pittsburgh Tribune-Review, and PBS.org. Sadly, I found some of these links on a racist forum. It sucks that Storm Front keeps bytes around longer than these other sites.
Anyway, I just donated $25 to archive.org to support what they're doing. I've been using the Wayback Machine for years and always took it for granted. I'm not sure what made things different about tonight's frustration at broken links, but for the first time I just became worried about the preservation of history.
Making money is not the only goal of a for profit organization. Being public certainly doesn't help but if "don't be evil" is still ingrained in Google's culture, I would expect them to support archive.org's effort.
And the only way to stop future SOPAs is to make the system less corrupt, which means taking money out of politics.
This is why Lawrence Lessig left the fight against intellectual property craziness to focus on the underlying problem of corruption.
It's been years since I heard Lessig was shifting his focus to fight corruption, and recently SOPA got me curious about what he's been up to and if SOPA had brought him back out of "retirement". That led me to this article, "Why Is Lawrence Lessig MIA In The Great SOPA Piracy Debate?" http://m.paidcontent.org/article/419-why-is-lawrence-lessig-...
which led me to his initiative to fight political corruption through campaign finance reform: http://www.rootstrikers.org/
I'm actually glad to see that Lessig isn't letting SOPA distract him from his fight against corruption which is the root of the problem. Stopping SOPA would be a huge win, but it would only be a battle win, and as long as we're losing the corruption war there are going to be many more SOPAs to fight in the future.
But Lessig is fighting the wrong battle. As long as the government is doling out piles of money, picking winners and losers through regulations and bailouts, it will make sense to try and influence them, and there is no way to stop "corruption" (we should note that this isn't taking bribes etc.) without hampering legitimate forms of speech.
Lessig seems to be willing to limit our ability to practice political speech through regulations and limitations, and to entrench the current political system by focusing on government-funded elections in which of course only major parties will be able to speak.
I strongly encourage you to develop a (much) better understanding of what Lessig has been arguing. A good place to start is here: http://www.youtube.com/watch?v=AxCo2bE9Gtk
Also worth noting: the problem you describe (corrupting influences on the economy originating in Washington, as opposed to private interests capturing Washington) is something Lessig addressed in his recent appearance on Jon Stewart's program. There, he pointed out that these apparently divergent forms of corruption are entirely compatible, and that they actually share the same root, which is the obscene reliance of elected officials on a vanishingly small number of campaign donors.
Depending on the day of the week, these donors can find themselves initiating bribes, or being shaken down for bribes by officials wanting to increase their takes. The stink flows both ways. And it ensnares people who, left to their own devices, would have nothing to do with 'the trade' whatsoever.
Accordingly, Lessig is illuminating the entire economy of corruption, correctly observing that you cannot choose to attack one branch instead of another. Instead, you have to ignore all the branches, and go straight for the root. If any good comes from SOPA, it will be in generating a backlash strong enough to go after the root directly. The nerds, for what it's worth, are the people to lead this. Why? Because we are, by nature, systems thinkers. And this is a systemic problem of the very severest degree.
I have a good understanding of what Lessig has been arguing; when I saw your comment, I figured that I must have missed something, so I watched the video and it's exactly what I thought it would be. I'm a fan of his in a lot of ways, but I often disagree with him when it comes to specifics -- we both see the same problems but have different takes on their solutions.
He's not attacking the root, he's attacking the branches. If government did not have the power to dole out favors, no one would spend money trying to influence it. That, however, is incompatible with his worldview. He wants a strong federal government intervening in a wide variety of issues - so that his will can be imposed upon others (I say his, because it would be odd if he was fighting so that someone could impose their will on him).
I completely agree with him on all the "corruption" claims, and on how they get compensated when they leave - there is no disagreement there. Though he does conflate 2 funding issues: 1. campaign funding 2. personal wealth. His attack is only focused on #1, whereas #2 also exists and is mentioned in his talk about former congressmen ending up @ K street or in large corporations. Nothing in his proposal would address problem #2, for a congressman can pass all sorts of bullshit laws and then go and work at Disney or Monsanto.
As for being systems thinkers, I agree - and in fact I think that's why pushing power from the federal to state makes a lot of sense. It increases stability, allows for experimentation and reduces the effects of corruption. Personally, I abhor politics because it's all about violence and force and not about consensus and compromise. Right now, we are stuck with a winner takes all system with government when everywhere else in our lives we are seeing an abundance of choice, the book Declaration of Independents has some good ideas on this topic, if you're interested http://www.amazon.com/Declaration-Independents-Libertarian-P...
Here's a Franklin quote: "When the people find that they can vote themselves money, that will herald the end of the republic."
Even if by some miracle you could make it happen, "taking money out of politics" won't work, either, unless you somehow include, e.g., AARP, both public- and private-sector unions, and every "underrepresented" minority voting bloc, not to mention anyone rich enough to own a media company. That isn't remotely an exhaustive list, and in any case I fear that the savviest special interest groups are far too clever to be stopped by mere campaign finance reform. Unfortunately, the root of the problem is one level deeper than Lessig, et al., are prepared to dig.
I hate to get all political on HN, but I saw this week that Bernie Sanders (a socialist, even) introduced an amendment that would explicitly state that constitutional rights apply only to citizens, not corporations, and also prohibit corporations from making political contributions.
Between this post and comments from startup school along the same lines, there seems to be a lot of people complaining about founders looking to make a quick buck without having to work hard for it.
I live in SF. I'm running a startup, and many of my friends are as well. Where are these lazy, get rich quick people I keep reading about? Am I just lucky to only be surrounded by hard-working entrepreneurs who are trying to build long-term viable businesses, or is this problem being overblown a little?
This is me genuinely asking, not making a statement in question form.
There are no rules, you can do whatever you want. But I think a lot of people have realized history shows the get-rich-quick type of folks tend not to actually contribute anything to human progress and more often than not are looking to take advantage of others for their own gain (allowing them to save time to riches). My question: Why would I ever want to deal with anyone like that, and why would anyone else?
"Rocks That Crackle and Sparkle and Glow: Strange Pre-Earthquake Phenomena"
http://www.scientificexploration.org/journal/jse_17_1_freund... [PDF]