
Hulbee – A Safe, Smart, Innovative Search Engine - doener
https://hulbee.com/
======
captaincrunch
My previous comment didn't get so much attention, perhaps this will...

[https://hulbee.com/?query=perl%20-e%20'print%20%22%3CIMG%20S...](https://hulbee.com/?query=perl%20-e%20'print%20%22%3CIMG%20SRC%3Dhttp%3A%2F%2Fkt-media.knowtechie.netdna-cdn.com%2Fwp-content%2Fuploads%2F2014%2F12%2Fhacker1.jpg%3E%22%3B'%20%3E%20out&region=en-CA&uiLanguage=browser)

 _Edit: I had an example of displaying the IP address back to the user from my
server, but it went over capacity in a few short minutes, so I took it down
and removed the link. I am sure everyone gets the point, especially with a lot
of the other examples provided by other HN users below._

Here is a screen shot for future reference:
[http://imgur.com/PkAGhqn](http://imgur.com/PkAGhqn)
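
What the link above demonstrates, as an added example (not code from the post or from Hulbee): a search term reflected into the results page without HTML encoding becomes markup, while the encoded form stays text. The results header template, the function names and the placeholder image host are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed URL in the shape of the link above; the image host is a placeholder.
SAMPLE_URL = (
    "https://hulbee.com/?query=perl%20-e%20'print%20%22%3CIMG%20SRC%3D"
    "http%3A%2F%2Fimg.example.invalid%2Fx.jpg%3E%22%3B'%20%3E%20out"
    "&region=en-CA&uiLanguage=browser"
)

def extract_query(url):
    """Return the percent-decoded value of the 'query' parameter."""
    return parse_qs(urlsplit(url).query)["query"][0]

def render_unsafe(term):
    """Hypothetical results header that reflects the term verbatim."""
    return f"<h1>Results for {term}</h1>"

def render_safe(term):
    """Same header with the term HTML-encoded before it reaches the page."""
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"

class TagCollector(HTMLParser):
    """Records every element a parser would create from the page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def injected_elements(page, allowed=("h1",)):
    """Elements present in the page that the template itself never emits."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return [t for t in collector.tags if t[0] not in allowed]

if __name__ == "__main__":
    term = extract_query(SAMPLE_URL)
    print("decoded term:", term)
    print("unsafe render adds:", injected_elements(render_unsafe(term)))
    print("safe render adds:  ", injected_elements(render_safe(term)))
```

The same `injected_elements` check works as a regression test: feed the rendered page for a term containing markup and assert the list is empty.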

~~~
eevilspock
Red herring. Serious bugs have been found in lots of respect worthy software
and service efforts. It just needs to be fixed. You are holding a toddler up
to the standards of a pre-teen (which is the highest I'd put Google).

The question here is whether this is a respect worthy effort at privacy
protection.

EDIT: Flaws or holes have been found in Tor. Does that mean we reject the Tor
effort outright? If anything, the holes found in Tor are more serious and
fundamental, because they raise doubts about Tor's approach and whether their
goal can ever be achieved. An HTML injection hole in Hulbee is simply an issue
of incomplete execution of their vision, which may or may not be forgivable
depending on the technical and non-technical circumstances (which none of us
here know yet).

~~~
pjc50
_whether this is a respect worthy effort at privacy protection_

If they've launched with an HTML injection vulnerability, their security
infrastructure is not sufficient to protect your privacy. Game over.

~~~
karussell
If they don't store your IP (or personalized info) they probably do not need
that high security standards ;)

------
captaincrunch
You lost my interest when I saw an ad manager in your HTML source:
adannonce.com. I'll stick with DuckDuckGo thanks. You can't be privacy focused
when you're already giving away data to a 3rd party.

I see a "Clear my activity" link, why would it keep my activity at all?
[https://hulbee.com/Utils/ClearSettings?returnUrl=%2F%3Fquery...](https://hulbee.com/Utils/ClearSettings?returnUrl=%2F%3Fquery%3Dnsa%26region%3Dbrowser%26uiLanguage%3Dbrowser)

Surely you could have afforded a better certificate than a C+ graded GoDaddy
one? Sure, it's 2048 bit SSL, but that is quite the SSL chain for being privacy
focused.

[https://www.ssllabs.com/ssltest/analyze.html?d=hulbee.com](https://www.ssllabs.com/ssltest/analyze.html?d=hulbee.com)
-vs-
[https://www.ssllabs.com/ssltest/analyze.html?d=duckduckgo.co...](https://www.ssllabs.com/ssltest/analyze.html?d=duckduckgo.com)

Offering advertising on a privacy focused search engine? Could work, but when
you're marketing to privacy focused individuals, you've just lost them.

In the end, I'm from Canada, my connection routes through New York (like most
North American connections). My privacy is still being abused by greater
forces who likely have at least one of the private keys for one of the many
certificates that make up that GoDaddy certificate, so I'll likely just stick
with Google, or perhaps even DuckDuckGo.

~~~
Hermel
> You lost my interest when I saw an ad manager in your HTML source:
> adannonce.com

Are you aware that adannonce.com belongs to Hulbee? Loading ads from
adannonce.com should not bother you more than loading ads from hulbee.com .
And the fact that it contains ads is no secret.

Please do your research before crying wolf in future.

~~~
captaincrunch
Thanks for the info, care to dive into my other concerns?

~~~
Hermel
While an SSL certificate from GoDaddy is not ideal, attacks are still
detectable in theory by verifying the public key of Hulbee independently of
the chain of trust.

What I personally would be more concerned about is the fact that DuckDuckGo is
hosted by Amazon. As a US company, Amazon is required to collaborate with US
three letter agencies by law. Thus, whatever is hosted by Amazon is within
reach of the NSA. In contrast, Hulbee is hosted in Switzerland on servers
which are under physical control of Hulbee.

~~~
captaincrunch
Doesn't really matter where it's hosted when most North American connections go
through New York when we're talking about the NSA... does it.

This should make you feel a lot better about the site... ignore the perl
stuff, it was just part of my test.

[https://hulbee.com/?query=perl%20-e%20'print%20%22%3CIMG%20S...](https://hulbee.com/?query=perl%20-e%20'print%20%22%3CIMG%20SRC%3Dhttp%3A%2F%2Fkt-media.knowtechie.netdna-cdn.com%2Fwp-content%2Fuploads%2F2014%2F12%2Fhacker1.jpg%3E%22%3B'%20%3E%20out&region=en-CA&uiLanguage=browser)

~~~
Hermel
> Doesn't really matter where it's hosted when most North American connections
> go through New York

Actually, it does matter. Https is end-to-end encryption. An eavesdropper in
New York would have to crack SSL in order to see anything meaningful beyond
the fact that you exchanged some data with hulbee.com .

~~~
captaincrunch
I would bet that the NSA has access to most root certificates... especially
when they've had access to hard drive firmware for the last few years...

[http://www.wired.com/2015/02/nsa-firmware-hacking/](http://www.wired.com/2015/02/nsa-firmware-hacking/)

~~~
astrange
If you used a CA certificate to sign a new SSL cert for any popular domain,
it'd be detected by certificate fingerprinting and you'd burn the CA. Not
worth it over public networks.

------
FractalNerve
Is this an A/B test?

See for yourself: [https://hulbee.com/imprint](https://hulbee.com/imprint) |
[https://swisscows.ch/imprint](https://swisscows.ch/imprint)

These sites `appear` to be exactly the same, I wonder what the difference is
other than the design, branding and domain.

I've been using [https://swisscows.ch](https://swisscows.ch) for almost 6
months now, and was sharing it with my friends and family. Even made it the
default on a lot of devices from friends and family. No negative feedback so
far! I also shared it with you:
[https://news.ycombinator.com/item?id=9628904](https://news.ycombinator.com/item?id=9628904)

So far there are only one or two things that make me go back to google.com on
rare occasions. On google "<search-term>" strictly gives me results with that
term, that appears not to work similarly on hulbee/swisscows. If only I
could sort search results by date and `strip results older than x` I would
have no more reason to "google". What I really like about swisscows is the
image and music search.

One question bugs me: How does it work? I mean the results have the same and
sometimes even higher quality than google. BIG +: No self-/government-/geo-
censored results like on google/bing, I can find so called "illegal URLs"
(links that don't appear on the big sites like DMCAed links and results for
certain stopwords)

#bug: There is a bug on Firefox on Android in the image search. Clicking
results opens a modal window with the resulting image below the viewable
region. Screenshot:
[http://i.imgur.com/KClGfUO.png](http://i.imgur.com/KClGfUO.png)

------
jevgeni
> Safe. Smart. Innovative.

The minute any business describes itself as "innovative", I assume they write
everything in PL/SQL.

~~~
willu
I don't get it. Because truly innovative companies don't write SQL? Is this
some kind of ORM or NoSQL snobbery?

~~~
TeMPOraL
No. It's just that the word "innovative" spoken by a company is the dead
canary that tells you the company is so full of bullshit that the methane
vapours are creating a fire hazard.

------
mda
A -meta- search engine.

"In partnership with Bing" "Powered by Yandex" etc etc

~~~
0942v8653
Looks like it gives almost the same results as DuckDuckGo -- which is to be
expected given DDG also uses Bing and Yandex. I like it a lot less, though,
with the animations and ad on the side of the screen.

------
briholt
how tall is mt everest?

[https://hulbee.com/?query=how%20tall%20is%20mt%20everest%3F&...](https://hulbee.com/?query=how%20tall%20is%20mt%20everest%3F&region=browser&uiLanguage=browser)

vs.

[https://encrypted.google.com/search?hl=en&q=how%20tall%20is%...](https://encrypted.google.com/search?hl=en&q=how%20tall%20is%20mt%20everest%3F)

Hulbee can correlate the words "mt everest" to "Nepal," but it can't give me
the actual answer. That's weak for an engine that claims to be "the first
intelligent answer engine because it is based on semantic information
recognition and offers users intuitive help in their search for answers."

------
bobajeff
I wonder if it would be possible for a nonprofit organization to fund such a
"hybrid search engine" with wikipedia scale donations.

If so that would be better than trusting all of these small companies to not
sell you out a week before IPO.

~~~
eevilspock
Of course it is possible. But the forces that work against it are incredibly
powerful.

Consider this: If before Wikipedia existed someone proposed to create an
online encyclopedia that anyone in the world could anonymously edit, that it
be funded by donations and that it become _the_ encyclopedia that most people
refer to, nearly 100% of us would have rolled on the floor and laughed out
loud.

~~~
bobajeff
It might not even be possible if Google, Bing, Yandex had TOS that required
the use of their ads networks (negating the point of it being funded by
donations).

------
zeeed
also try [https://hulbee.ch/](https://hulbee.ch/) (they are a swiss company,
after all) for entertainment.

~~~
simon_vetter

      hulbee.ch uses an invalid security certificate. The 
      certificate is only valid for the following names: 
      *.hulbee.com, hulbee.com

------
putzdown
I'm too bad of a typist to use this. Intending to search for xcworkspace I
typed wcworkspace. Google gracefully corrects me. Hulbee stares at the blank
wall of no results. I want to like it, but if you want to replace my
entrenched tools you've got to start by matching their basic functionality.

------
rocky1138
Is there a search engine which returns only https results? Meaning all of the
results are https sites.

~~~
anc84
I don't know that but you can force HTTPS Everywhere to only allow HTTPS
connections.

~~~
klapinat0r
HTTPS Everywhere only forces HTTPS when it's possible.

Force-TLS and HTTP Nowhere do what you describe.

~~~
anc84
I know and I kinda hate its name for it...

I could have sworn it also had an option to only allow HTTPS connections with
error as fallback. But I guess I saw that in some other add-on. Sorry for the
false information!

------
AstroChimpHam
It's 2015, and this is a search engine. Why is there no autocomplete? You guys
should check out [https://www.constructor.io](https://www.constructor.io)

------
QUFB
This looks advertisement supported?

It appears that a visual advertisement for Coke appears in the left frame, no
matter what the search term is.

~~~
Kenji
Frankly, I'm a fan of how those advertisements are tied into the site. Not
flashy or obstructive, classy, embedded into the tile grid. No garbage
tracking scripts loading, no plugins, just a simple colour image (from the
same domain!!). If all ads were like that, I'd throw away my uMatrix and
Adblock.

~~~
dfc

> I'd throw away my uMatrix and Adblock.

Well you should throw one or the other away. Why do you use both at the same
time?

~~~
Kenji
I use both in conjunction because AdBlock removes ads while simultaneously
fixing the flow of the site, while uMatrix leaves gaps and holes in the site.
But I need uMatrix to be safe from XSS (unfortunately, most websites include
jQuery from a different domain, what a stupid practice). Also, uMatrix breaks
a lot of sites (especially sites using content delivery networks on multiple
domains) so if I really want to access the content, I open it in an incognito
window and disable uMatrix temporarily on that site (it's tedious to figure
out what exact request broke the site. I only do those manual exceptions for
my most favourite sites). Like that, the site works but most of the tracking
and the ads are still blocked ;)

Yes, it is sad that the state of the internet has degraded so much that this
is necessary.

~~~
dfc
I ran adblock+noscript for many years for the same reason. That's why I am
surprised you would want to deal with two extensions when you could just use
umatrix. What "flow" does adblock fix?

Like I said, I have had a similar setup for probably a decade now. So no, I
don't think that it is a sad state of affairs that adblock/noscript/umatrix
are necessary. Did the "state of sexual intercourse" need to degrade to a
certain level in order for condoms to be necessary?

~~~
Kenji
Let me illustrate my problem with a little image of the youtube homepage (top
image is with both activated, bottom is with only uMatrix):

[http://i.imgur.com/RQ7VM0z.png](http://i.imgur.com/RQ7VM0z.png)

 _Did the "state of sexual intercourse" need to degrade to a certain level in
order for condoms to be necessary?_

No, because the risks have always been around and thus predated condoms. Still
sad and worthy of improving, if possible.

~~~
dfc
I don't have that issue:

[http://i.imgur.com/W05ZxpC.png](http://i.imgur.com/W05ZxpC.png)

But I still use noscript with umatrix, so it might be a noscript surrogate
"fixing my flow." Do you have "hide placeholders" selected in umatrix?

Risks have always been around.

~~~
Kenji
No, I don't want the "Collapse placeholder of blocked elements" uMatrix option
activated because then, if a website embeds e.g. youtube videos or soundcloud
songs I have no visual cue of their existence, whereas, if the option is
disabled, I see it greyed out with a link that I can click to watch it in a
separate window. I feel like our discussion is at this point a clash of
personal preferences and would not like to continue. Have a nice day :)

------
Aoyagi
Eh... if I compare this
[http://puu.sh/jqh03/af70af5769.jpg](http://puu.sh/jqh03/af70af5769.jpg) and
this [http://puu.sh/jqh3V/56749ce4cc.png](http://puu.sh/jqh3V/56749ce4cc.png)
, I think I'll stay with DDG.

~~~
dfc
You make it seem as if the reason for your DDG preference is self evident.
What is the big difference to you? Is it that the first result's info box is
so far to the right?

~~~
Aoyagi
Less bloat, instant results, lack of images nobody asked for, and yes, it
doesn't waste screen space by trying to fit into a narrow noodle to the middle
of the screen.

~~~
Hermel
I prefer Hulbee for its in my opinion more appealing design. In particular, I
like that the search results are in the center of the screen and not on the
left half.

~~~
Aoyagi
It's not like you can't change that in DDG's settings :P

[http://puu.sh/jrd5U/09515744a5.png](http://puu.sh/jrd5U/09515744a5.png)

------
kungfooman
Alerta alerta, it's censoring more than Google, try searching for a pussy!

------
KirinDave
_sighs_ , _looks at old Powerset swag from 2008_ , _sighs again_

------
kolev
The animation with the mosaic is just terrible - a visual distraction and
slowness no search engine needs.

