Hacker Newsnew | comments | show | ask | jobs | submit | marcinw's comments login

Proper Python would use the csv module for this operation, as your CSV export would break if `header` or `dataset[key]` contains a comma.

-----


Yeah. This was a special case for a one line CSV that was requested by my client. It was a dictionary with a bunch of single measurements.

-----


Matt Levine sheds more light on this story[1], backed by evidence whereas the NYTimes is just hearsay. Why would Barclay's screw over institutional investors who account for a large majority of their $4 billion in revenue for HFT who bring in only $3 million? Because without HFT (which is a bad, bad word to the ATG's ears), nobody would be trading on it, and nobody wants to admit that. It just doesn't make sense.

[1] http://www.bloombergview.com/articles/2014-06-26/barclays-no...

-----


Explains how HFT can bring liquidity into a market (at a cost). Useful.

-----


I don't understand how a darkpool could exist without rogue HF traders bumping up the revenue from stock trades. If the current stock market won't allow for it, what makes them think a private market will? At the end of the day whoever operates the pool has to foot the bill if they're trading outside of the official exchange.. Unless they turn it into a Ponzi-type scenario or outright lie to their investors.

-----


The basic theory of a dark pool is that by restricting who can access the other participants in the market, you can provide for your dark pool's clients better execution costs.

That is, by only allowing similar market participants (think other hedge funds, pension funds, etc) and excluding "predatory" speculative market participants (HFT, day traders, pit traders, etc.) you can match "natural" trades to each other, without paying the middle man.

In reality, this never happens. Speculative "predatory" traders are a necessary component of the market and without them there isn't sufficient liquidity for the market to operate.

In this particular case, an ibank stands accused of lying about this fundamental fact to their clients. It has nothing to do with the underlying validity of the market structure.

-----


HFT add liquidity on a second by second basis, but nothing on even a short term basis. Market makers speed up transactions slightly, but the cost for doing so is vary high.

-----


Citation needed.

-----


What about IEX?

-----


IEX is trying something slightly different to get around allowing/paying market makers into their dark pool. They are using publicity and Michael Lewis to try to convince retail investors to provide free liquidity for their backers.

It remains to be seen if this tactic will work.

-----


Not for free, liquidity providers are paying to trade in IEX (and paying the same rate as the takers).

-----


I guess "for free" was a bad phrase. I meant that IEX is hoping for retail investors to make up for the lack of market makers who get paid via the bid/ask spread.

-----


There are Market Makers on IEX. Look at the Brokers at the end of this list: http://www.iextrading.com/services/

Virtu, SUN, etc. They are market makers.

-----


The article explains why it makes sense. The institutional investors' trades don't match up that often. If you allow HFT's then they will buy/sell on other exchanges (or in other dark pools) that match the other side of your (barclays in this example) dark pool's institutional investors trades.

You don't charge the HFT firms since they allow you to charge your other investors.

-----


This is a great article. Thanks for posting it!

-----


It's actually an editorial, not a news article.

-----


Whatever part of the newspaper it appears in, the article provides a nice illustration of data presentation. Use of colours, sampling, even the choice of axes and time-scales.

-----


Matt Levine is a great writer. He comes from Dealbreaker and still retains an edge in his writing, as well as lots of footnotes.

-----


In addition to SQL injection, many "advanced search" engines will compile regular expression patterns from user input. Depending on the language, this can range from a simple Regex DoS to Code Execution (I'm looking at you PHP).

-----


Java, Python, etc don't have a DOM to consider.

When you're just an XSS away from an attacker doing:

  function encrypt(plaintext) {
    $.post(plaintext, ...);
    return plaintext;
  }
then you lose. The post talks about this, and XSS isn't the only way either.

-----


If all of the Javascript code and application functionality is bundled into the add-on, it's trivial to avoid XSS. There's no "site" to script into via the URL, and rendering of dynamic elements can be done via a sandboxed iFrame, preventing any scripts from running within dynamic data. This is fairly basic security that any add-on developer should be aware of: http://developer.chrome.com/apps/sandboxingEval.html

"XSS isn't the only way either." That's about as illuminating as saying "something bad could happen."

No one is saying JavaScript or browser security is perfect, but if you actually know what you're doing, it can be done properly.

The original "JavaScript security is doomed" Matasano article is extremely out of date at this point, and yet people keep referring to it like it's gospel.

-----


I don't like the article either, but you're wrong about it being "extremely out of date", and you'd have a very hard time defending your argument with evidence. Do try.

-----


Right, but an attacker needs access to the DOM first. If everything is packaged, this is just as difficult as being able to inject random python code.

Sure, you can set up your app to stupidly do evals everywhere, but you can program a bad app in any language.

> XSS isn't the only way either

That's very, very vague. I asked what the attack vectors are. Saying "others" doesn't really work for me.

-----


Right, like getting access to the DOM was ever a hard thing to do. I was specifically referring to web apps in that point, but because you insist, I'll just reference [1].

Another vector to get rogue JS into a user's browser is cache-poisoning, something the article also brings up.

[1] http://media.blackhat.com/bh-us-12/Briefings/Osborn/BH_US_12...

-----


Cache poisoning won't work if an extension loads all of its code from its own bundle. So I fail to see how this applies to an app that is fully self-contained within an extension (extensions themselves are signed, so it's not like you could MitM the extension bundle itself...)

-----


And that's your problem. I was the same way, though I live in NYC. With every pay raise I upgraded my lifestyle. Whether I was making $50k/year or $100k/year, I wasn't saving anything more besides the shit I was contributing to my 401k. My savings actually grew smaller over the years, until I made a conscious effort to save money. An effort so simple, I kick myself for not realizing it sooner.

Several simple ways I found to save money living in NYC (not SF, but close enough). Note these figures are on a per-year basis.

  - Scrap web hosting, move to AWS and S3 (~120 saved)
  - Get rid of cable, stick with cheap Internet (~1000 saved, Internet ~40/mo)
  - One night less at the bar each week (~2500 saved, that's just for a $40 tab)
  - Skip buying coffee every day (~500 saved)
  - Get a cheaper phone package (~120 saved)
In the end, I think a good rule of thumb is to keep your daily expenses under $20. You want to dress well? Wait for Banana Republic to have a 40% off everything sale, and buy clothes then. Buy clothes you're actually going to wear more than once (this is easy for guys, women have it harder).

I don't know your lifestyle or actually care what you spend money on, but complaining you can't save money is a bullshit excuse. I was bullshitting myself too, and I think everyone's got spending habits they can curb without impacting their lifestyle.

-----


I'm not complaining about anything, I'm just pointing out that for some people saving money isn't their first or only priority, but doesn't mean they have no priorities.

-----


Quitting social networks and using Tor and PGP isn't going to protect you from a nation-state intelligence agency. To suggest so is laughable and naive. We're not even at amateur hour yet.

You're better off reading Grugq's post[1] on developing good OPSEC, and even then you're far and away from it.

[1] http://grugq.github.io/blog/2013/06/14/you-cant-get-there-fr...

-----


I agree. First of all, what I have read so far, we the "public" don't know the capabilities of that agency, so by definition, you can't know whether some technique will protect you.

Correct me if I am wrong, but a common sense tells me, that if they are able to monitor all Internet traffic, and also can run their own Tor nodes, and also possess software to analyze those big amounts of data that the monitoring will produce, I just can't see how you cannot be ultimately tracked even on Tor.

As I see it, many of those defenses just assume that your adversary is not able to "cache" the whole Internet traffic, and that he also don't have such a strong computer to crack PGP. But relating to nation-state agency, those are already nothing more than assumptions.

Anyway, the points in the article are quite efficient against the lesser capable hackers. It never hurts to put less amount of private data to the Internet, for example.

-----


Did you read the article?! It's a straw-man pointing out that the only way to ensure privacy is with the protection of law:

>If we really want to protect our privacy on the net what we need is more than better technology, we need fundamental changes in our laws and how we enforce the privacy laws we do have. Then, and only then, will we have a fighting chance of keeping our privacy on the Internet.

-----


You're right but I don't think this very likely. I think changing your online behavior is the only real way to escape surveillance. That basically means either not using the web or only using it when you don't care about who's watching.

Changing the laws and/or enforcing them would be ideal but then it seems we'd end up right where we are again. Part of the reason for the secrecy of these programs isn't only national security but a way to circumvent the laws. From what we know about the current NSA controversy, these programs are mostly legal and being enforced just fine. Courts are ruling in favor of these things. That's not to say a debate over the 4th amendment isn't unreasonable.

Sometimes I feel there's a part of me that believes we could change the laws. The problem may not be our representatives exactly but rather the power that's been given to the military industrial complex. It's like a totally separate government unto itself, creating problems to solve to justify its own existence.

-----


Yeah, but even that is wrong. It isn't fundamental changes in our laws; it's fundamental changes in the way we interact with our governments. And that's far too much to ask a privacy advocate to do.

-----


Foreign state actors are not subject to your national laws. You need to protect your data in depth.

-----


I hear people say all the time they drink a lot of water, but when you ask them to measure it out, it's a joke.

The answer to this problem is to sit at your desk with a gallon of water. You'll find you've finished at least 3/4 before the end of the day contrast to the 2-3 cups you'd usually drink.

-----


Yeah, the difference between the amount of water I drink if I am not paying attention to it and the amount of water that I drink if I am actually making a point to drink water is fairly stunning; often up to 3 liters difference.

-----


We've solved this in the Matasano NYC office by:

* Going downstairs for coffee

* Playing a round or two of darts

-----


When I worked in machining, we all had anti-fatigue mats at our stations. Everyone wore Red Wing boots (sneakers are terrible for you), and I heard no complaints of foot pain.

-----


Shoes are huge, yeah. You can go to a local restaurant supply store and get perfectly cromulent anti-fatigue mats, btw. People in kitchens have been struggling with this longer than us nerds.

-----


For one, a built-in theme editor that exposes you to remote command execution in the presence of another vulnerability, such as cross-site scripting (XSS).

-----

More

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: