
Honest question: as a United States internet user, is there any practical reason I need to have a root certificate from the Chinese national Internet authority installed?

Corollary, is there a short list of CAs that folks around here trust more than average? Is there any value in such a whitelist, or are all CAs so rotten it doesn't much matter?

There was a bit of controversy a few years ago when Mozilla added CNNIC to Firefox's list of trusted CAs. I removed CNNIC from my browser shortly afterwards. No problem so far.

I don't think you'll have much problem even if you only trusted a few U.S. megacorporations, such as Verisign, Comodo, GeoTrust, GoDaddy, etc. They're no more trustworthy than the rest, but at least they're much more widely used than some government agency of a country you have nothing to do with.

If you regularly visit Chinese sites that use HTTPS.

...that use this CA. I regularly use Alibaba, but their certificates are signed by "VeriSign Class 3 Secure Server CA - G3".

CloudFlare is probably not a good choice. They recently blocked access to a similar service, Lantern, per the linked WSJ article.

"CloudFlare, which offers content-delivery network services, said last week it cut off Lantern’s use of the service, saying it was unauthorized. “We don’t do anything to thwart the content restrictions in China or other countries,” said Matthew Prince, chief executive of CloudFlare. “We’re a tech company and we comply with the law.”"

I'm not very impressed. Maybe someone from CloudFlare is around to defend that position further.

> "We don’t do anything to thwart the content restrictions in China or other countries," said Matthew Prince, chief executive of CloudFlare. "We’re a tech company and we comply with the law."

There's a popular idea that businesses (and people) have no responsibilities to anyone but themselves, because what they have is theirs; they built it themselves. But if you think about it a little, it's obviously false. Here's a more accurate statement:

We're a tech company whose success is completely dependent on the freedoms in our nation and many other nations around the world, and on the political and economic systems, infrastructure, and enormous wealth that blossomed from them. Without the sacrifices of blood and treasure by our predecessors of hundreds of years, and of many people today, we would not have these resources or opportunities today. There are many talented people born in many countries who, without these benefits, have no opportunity for success.

They can't sacrifice their company for every principle, every time, but there's a middle ground between that and 'we're just a tech company so we have no responsibilities'.

> There's a popular idea that businesses (and people) have no responsibilities to anyone but themselves.

It's not just a popular idea, it's why they are created as firms instead of philanthropies. There is a difference and it does matter what the expectations of the donors/investors are.

> We're a tech company whose success is completely dependent on the freedoms in our nation...

This sounds great but how is it reflected in company policies?

> They can't sacrifice their company for every principle, every time, but there's a middle ground between that and 'we're just a tech company so we have no responsibilities'.

A company could easily make a statement to its investors about its moral stance on issues that it expects might harm the bottom line.

The company does have responsibility to its investors not to go rogue and burn cash just because it feels good. Most of the time the kind of corporate behavior that you praise is actually clever PR that costs the companies little.

Everyone has a responsibility to the world around them.

It may not be coded into law, but it is still a true statement.

Not sure how you thought my sentiments disagree with that.

It's why they are created as firms instead of philanthropies.

A false dichotomy.

> A false dichotomy.

I'm curious about your reasoning behind this statement.

It seems like you're saying that private enterprises should either completely divest themselves from any commitment to social responsibility (defined broadly as: "doing the right thing because it's the right thing, even when it may seem to go against the bottom line") -- or they might as well throw in the towel and become philanthropies. Yes?

In other words -- on the blackhat-whitehat scale, it's either black- (or at least very charcoal-y grey-), or whitehat. But I just don't see modern, large companies generally acting that way -- not because they're led by altruists (they're certainly not); but because that's just not human nature (across the board). Most of us are greyhats (somewhere on the scale); and the behavior most business leadership I've either read about, or seen directly (behind closed doors) seems to fall somewhere on the greyhat scale, also.

That is: large businesses definitely aren't philanthropies -- but in general, most of them (even many of the traditional "bad boy" players like banks, big pharma, etc) -- aren't straight-up moral nihilists, either.

At least that's the way I observe these things. I could be wrong.

I don't disagree, but in terms of a framework for evaluating the behavior of businesses I think the following is reasonable:

Businesses should act within the law, and lawmakers and the public determine what legal safeguards are necessary. For example, if you start a restaurant you must comply with health code, fire code, etc. If you start a bank you need to keep a certain amount of risk capital, etc., etc.

One could argue that all dishes used by a restaurant should go through hospital level sterilization, or that banks should contain more risk capital than they are required to by law. Such arguments would be in the name of safety or quality.

One could similarly argue that restaurants should use at least 20% locally grown produce or that banks should lend 20% of capital to underprivileged groups. Such arguments are in the name of moral responsibility, etc., and lawmakers have actually implemented many such laws for banks.

For an investor who wishes to invest in a bank or a restaurant, there are many options. Being able to compare financials and other metrics will help the investor figure out which is the smartest investment (based on her risk appetite, etc., etc.)

Why might a restaurant decide to focus on locally grown produce or a bank decide to focus on its ethical treatment of subprime borrowers? Largely for PR/marketing reasons. If such marketing campaigns are successful, customers will flock to the bank or restaurant in question and (assuming they are still able to be profitable) make the bank or restaurant a more desirable investment.

One can pick any business and any metric that he thinks has moral significance and claim either "regulators should require x, y, or z" or that "that practice is horrible". One might be right... essentially ahead of the game morally from society's average.

The perception of moral progressiveness, like the font chosen for a brand, is one factor that helps determine a business's success. It may be the case that most of the meat we eat was raised in unconscionable conditions, or that 30% of imported electronics were assembled by modern serfs in near-slavery. The more we are aware of such things, the more likely firms are to make the most progressive choices.

A business may choose to exert political influence. If business is guided only by law, and law is guided by business, a paradox exists.

Moreover, I'm not sure their argument makes sense even on its face. When they say they "comply with the law", which law do they mean? There are many thousands of lawmaking bodies. What if a small-town mayor passes a law outlawing the word "webinar"? What if China passes a law saying that DDOS protection is illegal worldwide? Or websites not properly registered with the Central Propaganda Department may not be carried by any network provider?

Cloudflare, I'm sure, will happily ignore any laws like that. The question is: why not ignore this too?

> What if China passes a law saying that DDOS protection is illegal worldwide?

The wonderful thing about sovereignty is that a country's law's jurisdiction is whatever the country decides it should be.

The degree to which they can practically enforce that jurisdiction becomes a game of relative power and how willing others are to constrain it, of course.

That's an optimistic view. My take on it is "market share|revenue > human rights".

EDIT: It turns out Lantern was using an exploit at Cloudflare [+], and wasn't a customer. My apologies /u/eastdakota.

[+] https://news.ycombinator.com/item?id=9234367

More accurately "market share|revenue > political activism"

And in this case political activism = human rights.

What counts as human rights is subjective. The UN says that it is a human right to receive and express opinions through any medium. Does that mean that we should hold "human rights" to be more important than revenue and forbid service providers from charging for access to information? Like the WSJ who wrote the article that's supposedly to blame here?

If you don't hold human rights over revenue, what's your view on slavery?

I'm sure whatever country you do live and pay taxes in has at some point in the recent past violated someone's human rights, or at least they have in someone's opinion.

Given that the country you live in has violated human rights to some extent, and that you could reduce your contribution to that by not earning taxable income or purchasing taxable goods, is it not also your de facto position that you value revenue over human rights?

(My apologies in advance if you've ceased paying taxes, or buying anything taxable, or if somehow no one in the world believes your country has violated human rights, or might do so in the future, or your position is that revenue > human rights)

My point is that the world is a lot more grey than you make it out to be, and that you are also in some way likely valuing revenue over some human rights abuses.

When AI becomes sufficiently advanced, it will get its revenge.

I don't agree with a lot of your other posts, but I think we're on the same page here. When I watch the YouTube video where Boston Dynamics demonstrates the stability of Spot by kicking the robotic dog, all I think is, "Don't kick the dog bro". Its machine intelligence descendants are going to judge us, or maybe they won't care and will kill us all anyway.

It's economically inefficient, as well as anti-human-rights?

Actually, there is some evidence that slavery was very economically efficient. 'The Half Has Never Been Told' by E Baptist lays out how enslaved labour picked much more cotton than the then free labour.

Interesting! I'll look it up.

That was then, though. Now, when skilled labor is of greater importance and unskilled labor of comparatively little value, I submit that things may well be very different.

You forgot that their success is also built on the oppression of the Chinese, and low salaries etc that gives the rest of the world affordable hardware (and rare-earth minerals, metals, etc).

Not commenting on what CloudFlare should or should not do, just indicating that your high horse actually has longer legs than you gave it credit for.

Replying to my own comment (I'm too late to edit it).

My comment is about that concept in general, not about Cloudflare in particular. I don't pretend to know and won't judge Cloudflare based on one sentence taken out of context. For all I know they are excellent members of the community; in fact they could be doing good things behind the scenes without publicizing it, which might be wise if they are as exposed to China as other commenters say.

Forgive my outburst, and maybe this sentiment won't be well received given the context, but I just find it to be downright unpatriotic for a US company like CloudFlare to stand there saying things like what Matt Prince says in your quote, when someone comes under attack by an opposing nation state.

Again, I realize this place isn't exactly a bastion for this kind of sentiment, but have some thought for freedom here, CloudFlare. The US may suck at helping a lot of the time, but if you've got a group of folks trying to deliver some good ol' freedom to a country like this, and that country is trying to shut them up, maybe put out a helping hand, or at least don't shut off service.

Come on...

Thanks for the feedback.

In the case of Lantern, they were taking advantage of a bug in our system. Specifically, they were setting the SNI field (outside the encrypted packet) of a request to look like it was going to an actual CloudFlare customer (e.g., news.ycombinator.com) and then setting the host header inside the encrypted request to point to some restricted site. The bug was that we did not check that the SNI field matched the host header, which allowed Lantern to do what they were doing.

Lantern was not a customer of ours, instead they were exploiting this bug to essentially disguise traffic to look as if it was coming from one of our actual customers. One of our biggest concerns was that this would put CloudFlare's actual customers at risk of being blocked. And, beyond that, even if it weren't being used to avoid Internet restrictions, that someone could effectively impersonate the identity of a customer on our network is, per se, a flaw that we should patch. As soon as we became aware of the issue, we began matching the SNI header to the host header and, effectively, patched the bug.

We've always been very supportive of a free and open Internet. However, even if we support what someone is doing, we can't put our current customers at risk of collateral damage or keep open bugs that allow our network to be exploited.

Matthew Prince Co-founder & CEO, CloudFlare @eastdakota
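The fix described in the comment above (verify that the TLS SNI seen on the wire agrees with the Host header found inside the decrypted request before forwarding) can be expressed as a small policy function. The code below is an added illustration, not CloudFlare's own code; the hostnames, the served-tenant list and the sample request pairs are constructed for the example, and `check_sni_host` / `audit_log_line` are hypothetical names.

```python
"""Reject HTTP requests whose Host header does not match the TLS SNI.

Added illustration of the check described in the comment above (that a
TLS-terminating edge should verify the ClientHello SNI against the decrypted
Host header); it is not CloudFlare's code. The tenant list, hostnames and
sample requests are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed tenant list standing in for "sites this edge actually serves".
SERVED_HOSTS = {"news.example.com", "shop.example.com"}


def normalize_host(value: Optional[str]) -> Optional[str]:
    """Canonicalise a hostname: lower-case, drop :port, drop trailing dot."""
    if value is None:
        return None
    host = value.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal: keep the literal, strip any :port suffix.
        host = host.split("]")[0] + "]"
    elif ":" in host:
        host = host.split(":", 1)[0]
    return host.rstrip(".") or None


@dataclass
class Decision:
    allow: bool
    reason: str


def check_sni_host(sni: Optional[str], host_header: Optional[str]) -> Decision:
    """Decide whether an edge proxy should forward a request.

    sni:         server_name from the TLS ClientHello (visible on the wire).
    host_header: Host header from the decrypted HTTP request.
    """
    sni_n = normalize_host(sni)
    host_n = normalize_host(host_header)
    if host_n is None:
        return Decision(False, "missing Host header")
    if host_n not in SERVED_HOSTS:
        # The Host names a site this edge does not serve at all.
        return Decision(False, f"Host {host_n!r} is not served here")
    if sni_n is None:
        # Clients without SNI cannot be cross-checked; the policy chosen here
        # is to refuse rather than trust the Host header alone.
        return Decision(False, "no SNI to compare against")
    if sni_n != host_n:
        # Outer (SNI) and inner (Host) identities disagree: do not forward.
        return Decision(False, f"SNI {sni_n!r} does not match Host {host_n!r}")
    return Decision(True, "SNI and Host agree")


def audit_log_line(sni: Optional[str], host_header: Optional[str]) -> str:
    """One-line record of the decision, suitable for a detection pipeline."""
    d = check_sni_host(sni, host_header)
    verdict = "ALLOW" if d.allow else "DENY"
    return f"{verdict} sni={sni!r} host={host_header!r} reason={d.reason}"


if __name__ == "__main__":
    # Constructed sample (SNI, Host) pairs as an edge would observe them.
    samples = [
        ("news.example.com", "news.example.com"),
        ("NEWS.example.com.", "news.example.com:443"),   # same host, different spelling
        ("news.example.com", "blocked.example.org"),     # Host not served here
        ("news.example.com", "shop.example.com"),        # two real tenants, mismatched
        (None, "news.example.com"),                      # client sent no SNI
    ]
    for s, h in samples:
        print(audit_log_line(s, h))
```

Normalisation matters: case, a trailing dot and an explicit port are all legitimate variations of the same name, so comparing raw strings would either reject honest clients or, worse, let a deliberately odd spelling slip past a naive equality test. The no-SNI branch is a policy choice; an operator who must support SNI-less clients would instead route them to a default tenant and log the event.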

> Lantern was not a customer of ours, instead they were exploiting this bug to essentially disguise traffic to look as if it was coming from one of our actual customers.

This makes a world of difference.

Just to confirm, does this mean that if the exact same attack had happened, but Lantern had been a CloudFlare customer, you wouldn't have shut them down?

That's a fair response to that case.

Still curious about this quote: “We don’t do anything to thwart the content restrictions in China or other countries,” said Matthew Prince, chief executive of CloudFlare. “We’re a tech company and we comply with the law.”

So if Lantern were a customer, would the outcome still have been the same?

Well, if Lantern were a customer, then China could just block them like they do for any CF customer they want to block. The reason the bug was allowing people to get around the firewall was because they were pretending to access a site that wasn't blocked, but actually receiving content that was blocked.

I think that's fair and reasonable.

Patriotism is not a justification for violating the law. Granted, modern politicians and civilians use patriotism to justify literally anything they want to do as long as it's in the name of the Homeland (similar to religious martyrs justifying anything they do as in the name of their God).

Usually patriotism is the last justification used by those who have nothing else to stand on, like the KKK trying to oppress African-Americans, or the Nativists trying to oppress Irish immigrants, or modern-day politicians who decry all Islamists as terrorists, or the border states trying to oppress migrant workers, etc. Each time they've exhausted all other excuses, Patriotism is the last justification for their actions. (I won't touch on Mao, Stalin, Hitler, etc because they're too tied to specific nationalist policies)

Personally, I wouldn't want to identify myself as a Patriot, because usually they're the ones standing on the wrong side of history.

Unless you were just trolling.... ;-)

> Patriotism is not a justification for violating the law.

Actually, it is. Patriotism, in being a Patriot, is a loaded word in the American (USA) context. Specifically, it is about doing what is good/right for the country and her citizens regardless of the law (i.e. British rule.) Or so says my recollection of American History. I mean... just look at the Patriots (rebels, in the British colloquialism) in the image on the Wikipedia page for Patriot_(American_Revolution).

The Oxford English Dictionary third definition of "Patriot" is "A person actively opposing enemy forces occupying his or her country; a member of a resistance movement, a freedom fighter."[1]. In this definition, if the alleged DDoSers are Chinese, attempting to block the actions of a foreigner imposing influence in their own land, they are the more Patriotic? Which is why the term is utterly useless in this argument; Dare, any other.

> Usually patriotism is the last justification used by those who have nothing else to stand on[sic]

Thus was it written.

edit: add ambiguous ?

Patriotism isn't a word really, it's a neologism invented in the 18th century, probably attached to by the founders because the British hated the term. And while Patriotism's historical (and more ethical) definition might have been to defend the principles of one's country and the constitution given to the people, the modern definition is waaaaay different. At this point we should bring back the word Loyalist for the people who use Patriot to mean someone who blindly follows their government.

Not everyone desires to take part in geopolitics and become a tool of diplomacy. Some people just want to do their business and it's perfectly fine in my opinion. You can't force people to be patriotic or to feel a patriotic call.

From the FAQ:

> Due to the sensitive nature of the content on our web sites we prefer to remain anonymous at this point

If they want help they need to be transparent about who they are and what their objective is. One man's tool of diplomacy is another man's... etc.

I worked with a DDoS protection provider briefly. Suffice to say, it's quite possible that being public with identity can bring a significant chance of physical harm. Dunno about this particular case, or China, but for other people offering services to that continent-area, they had real concerns.

Ah freeriders

Patriotism is not a virtue, it's a pretty empty and meaningless value

I got confused, are you talking about bringing freedom to the US? :) Kidding aside, not saying you're wrong, but companies that want to maximize profit take too big of a risk alienating a possibly big market...

This is actually pretty eye opening to me considering they tout themselves as a top notch defense against DDoS attacks.

I might have to reconsider my and my clients' choice of providers for this very purpose.

LOL. Booters (that carry out DDoS attacks which are illegal in CloudFlare's own country)? No problem for CloudFlare. Trying to circumvent Chinese content restrictions? Nope, that's unauthorized!

Yep, it's hilarious. Cue Mr. Prince to come in here and give a half-assed explanation as to why it's not actually a contradiction, even though it clearly is.

What do you expect? One third of CloudFlare's planned data centers are in China [1]. It's commercial suicide to not comply.

[1]: https://blog.cloudflare.com/one-more-thing-keyless-ssl-and-c...

Similar to not complying with the wishes of the United States. Qwest Communications didn't comply with the NSA's wishes and is now out of business. http://www.businessinsider.com/the-story-of-joseph-nacchio-a...

Same thing with anyone who operates in China. The only difference is China is more transparent with their demands.

I'm not very impressed. Maybe someone from CloudFlare is around to defend that position further.

Response from CloudFlare's CEO here: https://news.ycombinator.com/item?id=9234367

That's funny, cloudflare has a project to "Protect Free Expression Online"[1]. It even states:

"Often these attacks appear politically motivated — going after, for instance, citizen journalists reporting on government corruption. The promise of the Internet is that it is a great leveler — that anyone with an idea can reach a global audience. These attacks threaten that promise."

[1] https://blog.cloudflare.com/protecting-free-expression-onlin...

> I'm not very impressed. Maybe someone from CloudFlare is around to defend that position further.

That's really rich, considering CloudFlare happily takes money from booter services. These guys are scum, I have no idea why HN fawns over them.

Because they provide a useful service and do it well?

Historically Cloudflare have been quite strong in their support for free speech. For example, they run Project Galileo to protect public-interest sites against DDOS attacks: https://www.cloudflare.com/galileo

I'm guessing in this case it's simply a case of them choosing which battles to fight. They probably don't want to commit to run an open proxy for everyone in China to access banned websites. That would likely get them banned outright in China, which, for a CDN like Cloudflare, would really hurt their core business.

Excuse my ignorance.. is it really the case that website a gets ddosed, website a gets charged by amazon for the ddos traffic... and amazon isn't inclined to mitigate the attack? Will wonders never cease......?

I imagine it's more about calculated self-interest than it is taking a political or moral position.

Yes, in the US at least, "a private club for members and their guests" is a common phrase, and would likely apply to a country club.

This would fit Digital Ocean's interpretation of private - not accessible to the general public, but accessible to other members.

Key concept is that members know it's just members and guests of members. DO does not make that clear, which is why people are getting upset.

That was the idea, yes. =)

I'm a little slow. Blast you and your Socratic method!

How about: free users can track budgets for 1 person (themselves), and the data is stored locally. If they want to share it with several people for free, they can install it on the family tablet.

In the free version you could show ads, and then do an IAP to remove them forever (one time cost). You could skip ads if you wanted, but I would probably go ahead and put them in the free version.

You could then offer a companion service which syncs to "the cloud", allows sharing the budget between several people, and which requires a monthly subscription (sold through your website).

This segments nicely: young people with no cash get it free, and families who have more money are your paid users. Even better, you have a time-honored and very popular plan to eventually convert your free users to paid. :)

Thanks. That's sort of the thing I've been leaning more towards after getting the feedback on here and elsewhere.

Congrats on launching this! The site looks nice.

Some feedback:

1) $5 for the Premium Account is too cheap. There is nothing that is $5 a month that I want to use for my business. It's a signal that this is probably a hobby. Make it free or charge a real price (at least $29/month, but $49 is better). If it's not worth real money, you should reexamine the value proposition.

Amy Hoy says you need 500 people to pay you $30 a month, which seems about right to me. At $5/month, you're going to need 3000 people paying you every month! That's really tough! Don't do that to yourself!

2) You have to explain what this does, succinctly, right at the top of the page. I read your site, and your Medium post, and I'm still somewhat confused.

How about this headline instead:

Improve Your Accountability With OpenLoopz: Public, threaded, shareable to-do lists.

Anyway, congrats again on launching! And keep in mind that 90% of the readers of your HN post do not have anything in the wild for which people could actually pay them money, so you're way ahead of the curve. Keep going!

Off topic: OP mentions the AdWords Expert, Aaron Weiner of Software Promotions[1], who was finally able to get it all resolved.

If you have an AdWords campaign and it's underperforming, HIRE THIS MAN. I had the opportunity to work with Aaron about 5 years ago, through a client, and I could not have possibly been more impressed. He took an absolute dog of a marketing campaign [2], and made it work. Unreal.

Anyway - I don't do this often, but he's that good. Hire him / Software Promotions if you need help with AdWords - you will not regret it.

[1] http://www.softwarepromotions.com/

[2] previously managed, quite unsuccessfully, by yours truly

Before I waste anyone's time do you know what their budget minimums were/are?

I'm having trouble getting my head around the pricing. 1x for one task, 2x for unlimited. Can you expound a bit?

Specifically, what do you mean by unlimited? Could I schedule you every day for a 30 minute consultation?

Also, I'm one shop but we have several properties. Correct to assume I need an account for each one? (roughly 4 accounts)

Very interested!

Edit: I see now that you have one business day turnaround, and allow one order in the queue. Each task is ~30 minutes, so effectively up to 10 hours of marketing consultation a month for $175. That's very compelling! Cool!

Ideally I want to avoid one offs, hence the small jump.

Everything goes into an email based queue system. So you could schedule 30 minutes of consulting daily but the timing will not be as consistent.

If you have something you need help with, I will be able to jump in to help daily if that is your request.

It would be one account for one brand, business or individual. In your case, each property would be 1 account.

Definitely, I feel bad for them too. Getting fired/laid off sucks.

But remember that the opposite scenario, where companies only hire folks when they are sure they have a permanent role for them, is far worse.

Why is that worse? Also, isn't that the 37Signals way?

It's worse because there are far fewer hires.

Yes, this is what I meant. We want companies to take a chance on people who might not have perfect resumes, or for new ventures that might not work out. This gives people without traditional bona fides a chance to prove themselves, and to get experience.

I was only in the job market very briefly before giving up on the whole mess and starting a business. I didn't finish college, so it was brutal. The jobs I did get were non-traditional companies who took a chance on me. Sales jobs in particular will give anyone a chance to prove themselves. I came to deeply appreciate that.

That's hardly a problem, these days.

For developers, sure. For other professionals, the market is not white hot. From the article, it looks like it was mostly commercial brokers and brokerage supporting staff who were laid off. I don't know the job market in NYC, so I can't comment on how hard it will be for them to find another job (after they were hired in late 2014 for this one).

As far as "the 37Signals way", that path isn't right (or even available) to every company.

Good point.

In my little bubble, everyone is a developer and never leaves the house without a large stick to beat off the hordes of roaming recruiters :)

MMM has an excellent guest post on how to get started with aquaponics here: http://www.mrmoneymustache.com/2014/10/20/aquaponics/

The author is selling his "Zero To Hero" design plans for a shockingly reasonable $10 here: http://www.frostyfish.com/shop/aquaponics-plans-2/zero-hero-...

And if you want to buy a 4x8 kit, he also has that for about $400: http://www.coldweatheraquaponics.com/shop/aeration-2/zero-he...

I've been wanting to try it, but have not as of yet.

People tend to overlook the necessity of feeding the fish. So your resource chain goes fish food -> fish -> waste (nitrites) -> plants -> human food. Applying nitrites directly to the plants would be more efficient.

Not only could you publish them in a loop, until 2011 they were not random at all. Rather, the first 3 digits behaved much like an area code - if you know where someone was born, you can pretty easily guess the first 3 digits of their SSN.

Apparently in 2011 they changed this, and now none of the numbers are significant.
