
The first thing I do now on each Facebook open-source reveal, is to check the PATENTS file for the toxic second paragraph, to see if they've changed it. Sadly, no. I can't imagine being able to use this at any decent-sized company with lawyers. :-( https://github.com/facebook/react-native/blob/master/PATENTS

See for example the discussions at https://news.ycombinator.com/item?id=9111849 (eg. https://news.ycombinator.com/item?id=9113515)

Full disclosure: I work at Google, where many are sad to not be able to use recent Facebook code.

Please do not do it:


I'd go work somewhere else and here is why:

You can learn anywhere, why work with a bunch of people who are not going to build you up and encourage you to improve yourself and by extension, the team/project. What are you really getting from these guys if it's "every man for himself" anyways?

1. Forget that, be confident. Just focus on improving yourself and on things that can make you better at your job.

2. No. I expect my junior guys to learn on their own but am always willing to step in and provide guidance.

3. There can be some rough people in IT. If they're rotten they are probably less confident than you think they are, probably more so than you, but don't want you to realize it.

Lastly, I can tell you from experience, if you don't think it's worth it, it's not. There are fun jobs out there, go and get one.

This article [0] summarizes what happened. It is, however, in Chinese, so let me put a simple summary here:

Baidu has Baidu Analytics, a service similar to Google Analytics. In short, a website includes a javascript file from Baidu and Baidu will report some basic analytics to the site manager like how many visitors per day, how much time they spent on average per page etc.

Someone in the middle between a client outside China and Baidu, allegedly the Great Firewall, changed the javascript file from Baidu and added some code so that any client executing the javascript file will periodically access https://github.com/greatfire/ and https://github.com/cn-nytimes/. This means any user who is accessing a site using Baidu Analytics becomes an attacker against github.

Here is a simple solution: Block any javascript from Baidu if you do not use it. For chrome users, add the pattern [*.]baidu.com. See here[1].

Edit 1: Added a solution.

Edit 2: Format.

Edit 3: Oh, it's not only Baidu Analytics. Baidu Ads' javascript is also being hijacked and changed [2]. Imagine that all sites containing Google Ads used their visitors as attackers to attack github. That is literally what is happening now to Baidu and its customers (and their customers' visitors.) The javascript is only changed for visitors outside China. This is why people believe it is done by the Chinese government --- the only entity with total access to all out-going routers in China. Since many Chinese users use a VPN or other type of proxy to access the Internet, they are all considered visitors outside China.

0. http://drops.wooyun.org/papers/5398

1. http://www.howtogeek.com/tips/how-to-block-javascript-and-ad...

2. http://www.solidot.org/story?sid=43489
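The comment above describes a third-party analytics script being rewritten in transit so that it references hosts the vendor has no reason to contact. An added example (not from the original thread, and not Baidu's or GitHub's code) of the two checks a site operator can run on a fetched copy of such a script: compare its digest against the one pinned at review time, and list every host the script references that is not on an allowlist. The sample scripts, the allowlist and the pinned digest are constructed for this example; the two GitHub paths are the ones named in the comment.

```python
import hashlib
import re
from urllib.parse import urlparse

# Hosts the operator expects a vendor's analytics loader to reference.
# Constructed allowlist for this example; a real one comes from the reviewed copy.
EXPECTED_HOSTS = {"hm.baidu.com", "baidu.com"}

# Constructed sample: what a clean analytics loader might look like.
CLEAN_SCRIPT = """
var _hmt = _hmt || [];
(function() {
  var hm = document.createElement("script");
  hm.src = "https://hm.baidu.com/hm.js?SITE_ID_PLACEHOLDER";
  document.getElementsByTagName("head")[0].appendChild(hm);
})();
"""

# Constructed sample of a tampered copy: the same loader plus a reference to
# hosts the vendor has no business contacting (the paths named in the comment).
TAMPERED_SCRIPT = CLEAN_SCRIPT + """
var t = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
"""

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def referenced_hosts(script: str) -> set:
    """Every hostname referenced by an absolute URL in the script body."""
    return {urlparse(m).hostname for m in URL_RE.findall(script)}


def unexpected_hosts(script: str, allowlist=EXPECTED_HOSTS) -> set:
    """Hosts referenced by the script that are not on the operator's allowlist."""
    return referenced_hosts(script) - set(allowlist)


def sha256_hex(script: str) -> str:
    return hashlib.sha256(script.encode("utf-8")).hexdigest()


def verify_script(fetched: str, pinned_digest: str, allowlist=EXPECTED_HOSTS) -> dict:
    """Two independent checks on a fetched third-party script:
      1. its SHA-256 matches the digest pinned when the script was last reviewed;
      2. it references no hosts outside the allowlist.
    'ok' is True only if both pass; the host list says what changed if not."""
    digest_ok = sha256_hex(fetched) == pinned_digest
    extra = unexpected_hosts(fetched, allowlist)
    return {
        "digest_ok": digest_ok,
        "unexpected_hosts": sorted(extra),
        "ok": digest_ok and not extra,
    }


if __name__ == "__main__":
    pinned = sha256_hex(CLEAN_SCRIPT)  # digest recorded at review time
    print(verify_script(CLEAN_SCRIPT, pinned))
    print(verify_script(TAMPERED_SCRIPT, pinned))
```

The digest check catches any modification at all but cannot say what changed; the host diff is weaker (a payload can build URLs at run time) but gives a readable reason when the digest fails. Both only help if the fetch used for checking sees the same copy the visitor gets, which for an in-path modification that targets visitors outside China means fetching from where those visitors are.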

Let's not let the outcome of this specific case affect the idea that there is an institutional bias - conscious or unconscious - against women entering and thriving in male-dominated fields like this one.

Just as one flurry in April doesn't disprove global warming, one dismissed lawsuit doesn't disprove a deep but sometimes subtle sexism. It's the same with other powerful prejudices that have endured for centuries or millennia.

There are many factors acting against women, just as there are many working against people of color, the poor, and those who do not cleave to traditional sexual or gender norms. Please do what you can to support these people in your life, in all their endeavors.

Yes, at FedEx, we considered that problem for about three seconds before we noticed that we also needed:

(1) A suitable, existing airport at the hub location.

(2) Good weather at the hub location, e.g., relatively little snow, fog, or rain.

(3) Access to good ramp space, that is, where to park and service the airplanes and sort the packages.

(4) Good labor supply, e.g., for the sort center.

(5) Relatively low cost of living to keep down prices.

(6) Friendly regulatory environment.

(7) Candidate airport not too busy, e.g., don't want arriving planes to have to circle a long time before being able to land.

(8) Airport with relatively little in cross winds and with more than one runway to pick from in case of winds.

(9) Runway altitude not too high, e.g., not high enough to restrict maximum total gross take off weight, e.g., rule out Denver.

(10) No tall obstacles, e.g., mountains, near the ends of the runways.

(11) Good supplies of jet fuel.

(12) Good access to roads for 18 wheel trucks for exchange of packages between trucks and planes, e.g., so that some parts could be trucked to the hub and stored there and shipped directly via the planes to customers that place orders, say, as late as 11 PM for delivery before 10 AM.

So, there were about three candidate locations, Memphis and, as I recall, Cincinnati and Kansas City.

The Memphis airport had some old WWII hangars next to the runway that FedEx could use for the sort center, aircraft maintenance, and HQ office space. Deal done -- it was Memphis.

That's how the decision was really made.

Uh, I was there at the time, wrote the first software for scheduling the fleet, and had my office next to that of the founder, COB, CEO F. Smith.

Fun fact: we (Naughty Dog) actually had Crash Bandicoot running on SGI workstations in high resolutions using (I think) OpenGL back in 1996. You had to use the keyboard to play, though. :)

See http://all-things-andy-gavin.com/video-games/making-crash/ for more making-of details.

EDIT: And they were running 200 MHz MIPS CPUs - blazing fast!

(Someone had a post asking a good question about what this means. It got downvoted and deleted, which I think is unfortunate for a community that cares about learning about the world around it, so I'm replying here.)

There are two separate kinds of legal protection at issue here, copyright and patent. The only thing that's close to covering ideas is patent law, not copyright law. (I'm assuming US law here, since that's where Facebook and I both are, but most of this is generally true I think.)

Copyright covers a creative expression, and is automatic. If I write a story, paint a picture, compose a song, or code a program, copyright secures my ability to commercialize that creative work as I see fit. If someone else writes a similar story, paints a similar picture, etc. but does not use my words or notes or lines of code, they aren't infringing my "copy right", because they're not copying my work.

Patents cover inventions, and are very non-automatic and best acquired with lawyers. Their term is also much shorter (about a decade, instead of about a century). US law currently lets you patent an algorithm or an arrangement of computer systems, under the artifice that you're actually patenting the implementation of that algorithm on any physical computers. Patents are issued for the invention, not for a specific implementation, and any implementation that works the same way infringes the patent.

(Trademarks, for reference, cover names used in advertising, i.e., "trade marks". They're somewhat automatic, they only cover names, and they're not very often relevant to F/OSS licenses.)

Traditionally, F/OSS licenses have been primarily concerned with copyright, partly because several of them were written when software copyrights were well-acknowledged and enforced, but when software patents were rare or nonexistent. This leaves you in the unfortunate situation where e.g. Facebook can write some code (automatically gaining a copyright), get a patent on the idea, open-source the code, and then sue you for patent infringement despite your copyright license. To avoid that, Facebook has an explicit patent grant in addition to the copyright license. (Although, as other commenters have pointed out, F/OSS licenses that don't specifically restrict themselves to copyright can potentially be read as an implicit patent grant if you stare at it hard enough.)

At no point in this does Facebook claim ownership of your work. Certainly your idea isn't legally owned by anyone, either you or by Facebook, if you haven't gotten a patent on it. Facebook's patents remain Facebook's patents, with or without this clause.

Because patents cover any implementation of an invention (whether or not the implementor knew about the patent), and because patents are in stupidly dense legalese, it's super common for people to be inadvertently infringing a bunch of patents. The traditional solution for this is that large companies have defensive patent portfolios in a sort of mutually-assured-destruction scenario: if Facebook sues Google over a patent, Google will countersue over all the patents they have. So there's an armistice, at least among big companies. The explicit patent grant weakens that, because now Google can just incorporate parts of React into their React-competitor, and Facebook loses a patent from their defensive portfolio.

So a few clauses like these are normal: you get a patent grant from Facebook, as long as you don't sue Facebook over (different) patent infringement. This maintains the armistice between big companies, and it's also great for the little guy, who wasn't going to sue anyway because they don't have any/many patents (but also doesn't have a defensive portfolio because they don't have any/many patents). These clauses only cover claims of patent infringement, which are the thing that everyone is unintentionally doing en masse, not copyright infringement, which is much harder to do unintentionally, so they're pretty fair.

But the fourth clause is super weird. It means that you can't dismantle any of Facebook's patents by e.g. providing prior art, without losing your patent license. It might even mean you can't lobby for software patent reform. It solely holds up Facebook's patent portfolio and the armistice between big companies. Usually dismantling patents is a good thing for everyone, because it's disarmament, and it's unfortunate this license doesn't extend to people who do that.

(IANAL, TINLA, corrections graciously appreciated.)

Context: http://blog.samaltman.com/bubble-talk

At the same time, we should avoid using specific cases as proof that there is institutional bias, just as we should avoid using specific storms as proof of climate change.

Of course, then all we have to work with is overwhelming statistical evidence for both issues, and that never convinces anyone.

I don't feel like ordering things online makes me a shut-in at all - just the opposite.

I work a lot, and by spending less time on the drudgery of brick-and-mortar shopping, I have more time to spend on the things that matter to me. Including socializing.

Yeah, maybe I leave the house less, but are those trips to the store really "quality time?" Making a run to Wal-Mart or the supermarket to buy toilet paper is time better spent than playing with my dog or reading a book?

We're missing out on some potential fun times, sure. I have made friends, bumped into existing friends, and had some good conversations while shopping. But those experiences were few and far between. One positive social experience out of one or two hundred trips to the stores, maybe.

Retail shopping is usually freaking depressing - the employees and customers are often rude, and you're bombarded from all angles with sights and sounds designed to entice (or scare) you into buying things you don't need. No thank you.

Lately my wife and I subscribed to a service that sends you 3 ready-to-prepare meals (for two or four people) per week. These aren't frozen heat-and-eat meals; they ship you fresh ingredients and easy to follow recipes. Are we shut-ins? Because cooking these meals together is generally a lot more fun (and healthier) than dining out for us.

> No financial or payment information was accessed or compromised in this attack.

This wouldn't be my first concern. It would be all of the confidential communication that happens within slack.

I read the PDFs of #39132 and #51179, and first, these are very clear and well written vulnerability reports. Props to the author for that; many times these reports can be extremely hard to follow, and these are shining examples to the contrary. I found them easy to follow, with enough details to reproduce, and quite valid issues.

Second, I'll put my neck out here a bit and say, I find myself agreeing with the author's stance. Namely,

1) Independently discovered vulnerabilities are not "owned" by the first to discover it. As a courtesy, you may defer to another researcher, or combine your efforts, but I don't think there's any requirement to do so.

2) 90 days notice is more than enough time to expect at least a cursory response when you say, "Has this bug been fixed? Shall I go ahead and disclose it?", and then again, "This is a heads up that I will be blogging about this on March 12, 2015 i.e 90 days after the initial disclosure unless I hear otherwise. Thanks!", and then AGAIN, "This is a reminder that this bug will be disclosed in 4 days :-)".

In Google's case, for example, it's not just 90 days notice, it's a 90 day deadline to fix. In this case, a simple, "no, we need more time, please don't disclose this" response on the 2nd issue could have avoided the whole problem.

Bug bounties, particularly a fully managed program through HackerOne, encourage engineers to spend valuable time and resources investigating and writing up detailed reports of complex issues. If you sign up to run a bounty program, it's essential you give participants the time of day, like responding to their repeated inquiries about disclosing an issue.

It wasn't clear to me if the author was banned from HackerOne or just Slack's program. If the latter, well, that's fine; Slack absolutely has the prerogative to invite whomever they like to participate in the program. I think they are missing out on a great contributor in this case though. If the author suffered an outright ban on the platform, that would be distressing.

Lastly, if the 3rd vulnerability was unknown to Slack before the author reported it, I think the author should be properly compensated based on the terms of the program.

I sort of love that the person willing to take the other side of this is a Boston-area VC :)

I accept subject to verification that you really qualify as a VC, and I can't find a website for Immaculate Conception Ventures. What investments have you made and how large is your fund?

If terms from the blog post are acceptable I will enter into longbets.

> The license… will terminate… for anyone that [claims] infringement of any patent… by Facebook… whether or not such claim is related to the Software.

> The license… will terminate… for anyone that [claims] infringement of any patent… by any party if such claim arises… from any software, product or service of Facebook.

> The license… will terminate… for anyone that [claims] infringement of any patent… by any party relating to the Software.

> The license… will terminate… for anyone that [claims] that any right in any patent claim of Facebook is invalid or unenforceable.


My favorite Google "No comment" response is still their response to Randall Munroe about his analysis of how big their data centers are:


What happened in the last few years to allow our civil rights in the most forward thinking countries to unravel so easily? And why do citizens not care? How is it possible that all countries have elected such a group of corrupt, nearsighted politicians to the point where freedom is an inconvenience over them consolidating practically dictatorial power? And again, why does no one care?

At least I can make database connections as an employee in software.

I really wish that articles like this would give more context for all the numbers that inevitably get thrown around.

> China Huaneng Group Corp.’s 845-megawatt power plant

What percent of the city's electricity is that?

> Beijing plans to cut annual coal consumption by 13 million metric tons

How much less soot will actually be in the air? Will the city feel noticeably cleaner?

> China planned to close more than 2,000 smaller coal mines from 2013 to the end of this year

How many coal mines does China have?

> The level of PM2.5, the small particles that pose the greatest risk to human health, averaged 85.9 micrograms per cubic meter last year in the capital, compared with the national standard of 35.

What is considered a safe level? What is considered acceptable in Europe/the US?

I know that researching all that would take longer than just throwing up the facts from the press release. But without that context, it's hard to know whether this is really a big deal or just a normal retirement of older power plants for newer, cleaner alternatives.

File a complaint with the FCC. I have done this twice now with Comcast and both times somebody from their "executive support" contacted me the next day. It seems that their "executive support" might be the only people in the company that actually can solve problems, and the FCC complaint is the only way I know of to get in touch with them. Clearly a very efficient system Comcast has over there. https://consumercomplaints.fcc.gov/hc/en-us

I'm currently in charge of answering reporters on a HackerOne program and I can tell that the way Slack is managing its own is completely unacceptable. Those reports were really high quality ones; whenever I receive a report like that I cry with joy. If you run a bounty program you should:

- Be ready to answer every single report on a short timeframe

- Be fair and provide feedback to the reporter

- Be nice, be thankful and reward the researcher if they deserve it

- Be patient with the duplicate reports and people just trying to get an unfair HoF

Otherwise it may backfire on you, and eventually it will.

Wow, how come Zed Shaw manages to attract so much hate? I have found his series to be absolutely delightful. Anytime something about him appears on HN I can be sure there will be users with ad hominem attacks like this:

"> is this a joke?

No, just written by Zed Shaw. Honest mistake though."

How about you let go of the hate and embrace some love instead for the work this man has put forth?

LE: For advanced Python you can read his code from the Lamson project. I am sure there are many other coders out there who are just as talented as he is but he takes the time to comment his code and also has a style of clarity so to speak. Thank you Mr. Shaw for your work and thank you to all of the amazing, talented coders out there who gave me confidence and helped me to learn.


Dropbox ToS:

"We also reserve the right to suspend or end the Services at any time at our discretion and without notice. "


And Google's:

> We are constantly changing and improving our Services. We may add or remove functionalities or features, and we may suspend or stop a Service altogether... Google may also stop providing Services to you, or add or create new limits to our Services at any time.

http://www.google.com/policies/terms/ (that's where the Terms of Service link on the Google Drive page at https://support.google.com/drive/answer/2450387?hl=en takes you: the general Google ToS)

For better or for worse, nearly every ToS you will see anywhere includes a provision like this.

If you know the principals involved, or saw everything the jury saw (including legal instructions from the judge), you might have a valid opinion on why any particular legal result is either scandalous or righteous.

But if you're just a distant spectator, cheering a team based on general affinities to the kind of people on either side, or general causes without regard to the case specifics... then you're actually part of the problem, making workplaces and communities unfair to real people based on superficialities and acquired prejudices.

Oops, the artist's source code has a bug making the 233 DVDs contain not what he thinks they contain... All his source files [1][2][3] attempt to generate the random noise with:

  // basically no wimpy numbers - only fat ones
  if (s > 0 & s < 30000) {s = (short) (s + 30000);}
  if (s < 0 & s > -30000) {s = (short) (s - 30000);}
s is a Java 16-bit signed short initialized to a random value. His intent is apparently to modify s to generate sound samples in the ranges [-32768,-30000] and [30000,32767] to make the noise "harsh" (no samples close to 0). But because shorts wrap around the boundaries -32768 and 32767, most samples will in fact be in the range [5537,32767]. See for yourself: if s=5537, he adds 30000, s wraps to -29999, he subtracts 30000, s wraps again back to 5537. s will end up in the ranges [-32768,-30000], [0] and [5537,32767], making the noise less harsh than it should have been.

Damn I would hate to have to re-burn 233 DVDs, or this set of 510(!) he produced later: http://www.jliat.com/HNW510/index.html

This type of bug, an integer overflow, is one of the many types of bugs I look for when I review source code as part of my job in info sec.

[1] http://jliat.com/HNW/HNW.java

[2] http://jliat.com/HNW/HNW90.java

[3] http://jliat.com/HNW/hnwfile.java
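An added example (not from the thread or from the artist's sources) that checks the wraparound analysis above by emulating Java's 16-bit signed `short` in Python and running the artist's two statements over every possible sample value, next to one way of producing the intended ranges without overflow. The emulation helper, the histogram buckets and the "fixed" mapping are this example's own assumptions; the intended ranges [-32768,-30000] and [30000,32767] are the ones the comment infers.

```python
# Emulation of Java `short` arithmetic: the cast `(short)(s + 30000)` keeps the
# low 16 bits and reinterprets them as two's complement, which is the wrap
# the comment above describes.

def to_short(x: int) -> int:
    """Wrap an integer into the Java short range [-32768, 32767]."""
    return ((x + 32768) & 0xFFFF) - 32768


def harsh_sample_original(s: int) -> int:
    """The two statements from HNW.java, with the cast-to-short wraparound."""
    if s > 0 and s < 30000:
        s = to_short(s + 30000)
    if s < 0 and s > -30000:
        s = to_short(s - 30000)
    return s


def harsh_sample_fixed(s: int) -> int:
    """One overflow-free way to get the ranges the comment infers were intended
    (an assumption about intent): squeeze the positive half of the short range
    linearly onto [30000, 32767] and the negative half onto [-32768, -30000]."""
    if s > 0:
        return 30000 + (s * 2767) // 32767
    if s < 0:
        return -30000 - ((-s) * 2768) // 32768
    return 0


def range_histogram(fn) -> dict:
    """Count where every one of the 65536 short values lands after fn.
    Buckets follow the ranges named in the comment; 'other' should stay 0."""
    buckets = {
        "[-32768,-30000]": 0,
        "0": 0,
        "[5537,29999]": 0,
        "[30000,32767]": 0,
        "other": 0,
    }
    for s in range(-32768, 32768):
        v = fn(s)
        if -32768 <= v <= -30000:
            buckets["[-32768,-30000]"] += 1
        elif v == 0:
            buckets["0"] += 1
        elif 5537 <= v <= 29999:
            buckets["[5537,29999]"] += 1
        elif 30000 <= v <= 32767:
            buckets["[30000,32767]"] += 1
        else:
            buckets["other"] += 1
    return buckets


if __name__ == "__main__":
    print("original:", range_histogram(harsh_sample_original))
    print("fixed:   ", range_histogram(harsh_sample_fixed))
```

Running the original mapping shows a large share of samples landing in [5537,29999], the "not harsh" middle the artist was trying to avoid, while the fixed mapping leaves that bucket empty. The same pattern (narrow integer type, arithmetic that can leave its range, a cast that silently truncates) is what a code reviewer greps for when the affected value feeds a buffer size or an index rather than an audio sample.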

Some day I will write this up for real, but without going into detail, here's a summary.

The camera in Crash was on a rail. It could rotate left, right, up, and down (in Crash 2 and beyond, at least), but could not translate except by moving forward/backward on the rail. This motivates a key insight: if you're only rotating the camera, the sort order of the polygons in the scene cannot change.

This allowed us to sample points on the rail and render the frame at each sample point ahead of time, as a batch job, on the SGI using a Z-buffer. (We may have done the Z-buffer with software; I don't remember.) Then we could recover the polygon order of each frame by looking at the Z-buffer. And, even better, at run-time we could simply not render at all those polygons that weren't ultimately visible in the pre-rendered scene. This solved both the sorting and clipping problem nicely, and made the look of the game closer to 3K polygons/frame vs. the 1K polygons we were actually rendering in real time. (Many polygons were occluded by other polygons.)

The trick, though, was what exactly to do with this sort/occlusion information. In a nutshell, what I did was write a custom delta-compression algorithm tailored to the purpose of maintaining the sorted polygon list from frame to frame, in R3000 assembly language. Miraculously, this ended up being quite feasible because the delta between frames was in practice very small -- a hundred bytes or so was typical. And if a transition was too heavyweight (i.e., the delta was too big) we'd either sample more finely in that area or tell the artists to take stuff out. :)

One thing nobody talks about but which is obvious in retrospect is that without a Z-buffer you're pretty screwed: sorting polygons is not O(N lg N) -- it's O(N^2). This is because polygons don't obey the transitivity property, because you can have cyclic overlap. (I.e., A > B and B > C does not imply A > C). This is why virtually every game from that era has flickery polygons -- they were using bucket sorting, which has the advantage of being linear time complexity, but the disadvantage of being wrong, and producing this flickery effect as polygons jump from bucket to bucket between frames.

I'll leave the matter of weaving the foreground characters -- Crash himself and the other creatures -- into the pre-sorted background for another day.
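An added illustration (not Naughty Dog's code, and not from the comment) of the delta-compression idea described above: each camera sample point on the rail has a sorted list of visible polygon ids, consecutive lists differ very little, so only the edits between them are stored, and a sample whose delta exceeds a budget is flagged for finer sampling. The per-frame lists, the byte-cost estimate and the budget are constructed for this example; the real game did this in R3000 assembly with lists derived from offline Z-buffer renders.

```python
from difflib import SequenceMatcher

# Constructed sample: sorted visible-polygon ids at three consecutive sample
# points on the camera rail (in the game these came from Z-buffer renders).
FRAMES = [
    [7, 3, 12, 5, 9, 1, 14],
    [7, 3, 12, 5, 9, 1, 14, 16],   # one polygon comes into view at the back
    [3, 12, 5, 9, 8, 1, 14, 16],   # 7 drops out in front, 8 appears mid-list
]


def frame_delta(prev, cur):
    """Edit script turning prev into cur: a list of (start, end, replacement),
    meaning prev[start:end] is replaced by the replacement ids."""
    ops = []
    sm = SequenceMatcher(None, prev, cur, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag != "equal":
            ops.append((i1, i2, cur[j1:j2]))
    return ops


def apply_delta(prev, ops):
    """Rebuild the current frame from the previous one and its delta.
    Applied back to front so earlier indices are not shifted by later edits."""
    out = list(prev)
    for start, end, repl in reversed(ops):
        out[start:end] = repl
    return out


def delta_size(ops):
    """Rough byte cost (assumed encoding): two index bytes per op plus one
    byte per inserted id."""
    return sum(2 + len(repl) for _, _, repl in ops)


def encode_rail(frames, budget):
    """Delta-encode a whole rail. Returns (first_frame, deltas, oversized),
    where oversized lists the frame indices whose delta exceeds the budget,
    i.e. where one would sample more finely or ask the artists to cut geometry."""
    deltas, oversized = [], []
    for i in range(1, len(frames)):
        ops = frame_delta(frames[i - 1], frames[i])
        deltas.append(ops)
        if delta_size(ops) > budget:
            oversized.append(i)
    return frames[0], deltas, oversized


def decode_rail(first, deltas):
    """Run-time side: replay the deltas to recover every frame's sorted list."""
    frames = [list(first)]
    for ops in deltas:
        frames.append(apply_delta(frames[-1], ops))
    return frames


if __name__ == "__main__":
    first, deltas, oversized = encode_rail(FRAMES, budget=8)
    for i, ops in enumerate(deltas, start=1):
        print(f"frame {i}: {ops} ({delta_size(ops)} bytes)")
    print("oversized:", oversized)
    print("round trip ok:", decode_rail(first, deltas) == FRAMES)
```

The edit script is found with `difflib`'s longest-matching-block heuristic, which is enough here because the lists are short and nearly identical; the point is that replaying tiny edit scripts at run time avoids both the per-frame sort and the draw calls for occluded polygons.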

"We may terminate the Agreement or restrict, suspend or terminate your use of the Service at our discretion without notice at any time, including if we determine that your use violates the Agreement, is improper, substantially exceeds or differs from normal use by other users, or otherwise involves fraud or misuse of the Service or harms our interests or those of another user of the Service."


My speculation for the next 100 years, that Wilczek does not propose, is that a notation revolution will happen.

The standard way of representing mathematics today is tedious to write and extremely non-intuitive in many ways. Unfortunately alternative representation systems of physical processes (e.g. block diagrams, Feynman diagrams, etc.) don't yet provide a way for the user to operate on higher-level objects while staying on an abstracted level. One has to tear open all the black boxes and rewrite them as integral/sigma/matrix/bra/ket soup before they can be operated upon.

Most of the time when I read a physics paper, even in my own field of research, I spend about 95% of my time and brain power parsing and 5% of the time understanding. This should be reversed.

In addition, a startling problem is that it now takes about 25-30 years of education from birth to the time before any individual can be productive to society in physics research. They are subsequently only productive for another 30-40 at most. As fundamental science continues to become more advanced, the increasing number of required education years to catch up with all of human history, even for a highly narrow, specialized field, is not a sustainable trend. Either modifying the brain or adopting a new framework of thought will be necessary to sustain progress; a notation revolution may facilitate the latter.

When I was 18 I worked in a call center for AT&T@Home broadband cable. This was 2000, when the business was in its infancy and there were often technical issues.

I worked the "supervisor" desk (I was not a supervisor, just a somewhat more knowledgeable rep) so would take almost exclusively irate calls.

I tried to help everybody of course, but a few people stood out from time to time as having exceptionally bad service. Bury requests that were cancelled for months -- so you have to mow your lawn around a cable and it trips your kids and gets chewed by rodents. Techs that hang a "we missed you" card on your door and then run back to the truck without ever knocking. Installers napping. Installers looking at porn. Installers going through people's things.

For those people, I gave them free service "for life".

Deep inside the GUI app that I believe was called ACSR was the service provisioning and in every market there were all the paid services and a fairly similar list of free services that were used when the equipment was just being installed and users were brought online to test it. So they had "1.0 MB Broadband" and "1.0 MB Broadband Pilot". By moving users from one to the other, their bills would just drop to $0.

I have no idea how long this benefit endured. You'd think at some point there would be an audit or migration that cleaned it up. But I hope not. Steve Roach in Memphis and the 1/2 dozen others: I hope your cable is still free.

