Hacker News | dsukhin's comments

For those unaware, if you want to use the latest Office Suite (2024), but don’t want to pay a monthly fee, Microsoft still offers a one time purchase [0] for $149.99 which is now cheaper than the (new) one year subscription (with no cloud storage of course).

[0] https://www.microsoft.com/en-us/microsoft-365/p/office-home-...


One catch though is that this can only be installed on a single PC (and there's online activation, so it will actually check). So if you have a desktop and a laptop, you'll have to pay double, whereas subscription covers up to 5 devices, if I remember correctly.


5 years down the road that deal looks a lot less worth it.


Depends if you use the cloud storage. 6TB of cloud storage for $99/yr with the standard Office Suite thrown in isn't too bad.


I use it as an offsite backup for my photos. It took an eternity to upload but the delta uploads are not too bad.


But also you'll have 5-year-old software that doesn't run on Windows 13.


If I can run Office 2010 on Windows 11, I'll probably be fine with it on Windows 13


Does this have the crippled version of AutoSave that only works with OneDrive?


I found a way to disable that deep in settings.


Please share!


Sorry that I didn't include them!

In Word, File -> Options -> Save. The setting I found is "Don't show the Backstage when opening or saving files with keyboard shortcuts".


Wow, that really is shit.

Hey Microsoft PMs, here's a feature for you: "Want to save to disk? Add the 'Save to Disk'-subscription, just $2/month!".


Woah woah woah, unlimited saves for only $2/mo?

Clearly, we need an ad-supported $0.99/mo tier with a limit of 50,000 saves per quarter (additional saves $0.01 each).

$2.99/mo is what gives you unlimited* saves to disk.

* C:// drive only. External drives are limited to 10,000 saves per period.

Contact sales for enterprise pricing


> For non-commercial use

What the hell


That's for the Home version, the business one is here (and $100 more expensive):

https://www.microsoft.com/en-us/microsoft-365/p/office-home-...


And it includes Outlook.


It's not free software. What did you expect? There's a reason the Free Software Foundation added freedom 0:

> The freedom to run the program as you wish, for any purpose


Clippy AI: Hey, it looks like you’re writing a letter FOR WORK >:-(


Thanks for linking it! Looks like it is just a license for a single machine. So that still hurts :/


The data is indeed public [0]. But beware, it’s huge to download; it’s also available in a hosted/queryable interface on Google Earth Engine [1].

[0] https://scihub.copernicus.eu/twiki/do/view/SciHubWebPortal/W...

[1] https://developers.google.com/earth-engine/datasets/catalog/...


Thank you!


This causes some interesting knock on effects on society:

1. more pollen (as mentioned in the article), leading to more allergies, leading to more allergy med sales

2. no free fruit growing in the streets for kids/others to eat healthy snacks (visitors to some “old world” towns admire this about them). The fruit “littering the landscape” being the stated reason for not planting female trees, means non biodegradable trash from chip bags and other disposable wrappers litter our cities instead


Some fruit trees are indeed planted in urban areas, and the city planners are always very careful to plant varieties that have been bred for tough, bitter, inedible fruits. There's a two-block underpass near me with rows of citrus; imagine if they were sweet oranges.


I bet the city would get sued if somebody ate a sweet orange and got sick


This is an amazing educational experience for students but it is also such a great way to crowd source hyper realistic 3D world replicas - it reminds me of the Minecraft replica of MIT that cropped up at the start of COVID. I really hope they open source and preserve all the work of these students on a combined server anyone can browse.

It would be even more amazing if we ended up in a world where we basically open source public infrastructure projects so that anyone could contribute ideas and/or solicit public comment on new concepts before we invest billions of dollars of public money.

It also immediately comes to mind that Microsoft develops MS flight simulator - could proposed airport innovations be paired with it to test how pilots feel about changes to layouts or e.g. how new runways may affect air traffic and other patterns?

Very cool.


> I really hope they open source and preserve all the work of these students on a combined server anyone can browse.

Since it's illegal for the U.S. government to copyright things†, I guess it's up to each individual student to decide on a license.

† Sadly, this is not true for state and local governments.


> could proposed airport innovations be paired with it to test how pilots feel about changes to layouts or e.g. how new runways may affect air traffic and other patterns?

This is a great idea. You could change the layout in the game and then monitor pilot behavior through e.g. VATSIM to see if it makes operations too confusing or if they can adjust easily. And if hobbyists can figure it out, it should be safe for trained professionals to work with.


There is a discussion on that thread about the bounty being rather small compared to the damage it could have caused the crypto market and/or Coinbase’s stock/reputation. Its low relative value is even being cited as a risk to future bugs not being responsibly disclosed.

It is however important to consider the technical complexity, effort, and exploitability when valuing an exploit. This was a very, VERY simple bug to find and with KYC very obvious and unlikely truly monetizable without consequences if exploited (unlike say getting access to the private key of a hot wallet). The biggest damage would have been reputational (though a rational person should consider the fact this kind of missing condition check bug made it to production a major issue already). The market would have recovered from whatever flash crash ensued and the attacker wouldn’t be likely to keep their winnings.

Kudos to tree_of_alpha for being the first to look at the API, spotting this, and reporting responsibly - $250k for what appears to be under an hour of work that was driven by curiosity is not a bad deal at all. I know Brian Armstrong frequents HN so it will indeed be interesting to get his take on this as well if he was involved in it.


> with KYC very obvious and unlikely truly monetizable without consequences if exploited

FWIW you can buy KYCed coinbase accounts for a few hundred bucks on forums like exploit.in

But of course you’re kind of screwed if you discovered the bug with your own account.


You are doing exactly the right thing by reaching out and asking for advice in communities you are a part of that may be able to offer you a job or a connection to one. One piece of advice however would be to include a link to a resume or personal website showing off your independent projects and skills. It’s these projects that will show what technologies you are proficient in and prove to others that you know what you are doing even at a younger age.

I also started coding very early and used my time to choose a project and dive very deep into the full stack. Web technology is the easiest thing to “show off” to others since it’s ubiquitous and easy to distribute. Even if you consider yourself a “back end” type of person, learn some web dev to be able to show and tell.

This is a time in your life that you can work on a piece of software that’s just for fun and to learn and do something cool. If you are lucky and commercial, that project might become a job of its own that provides you a passive income. Otherwise, it’s a part of your portfolio to help you secure another opportunity. I routinely look to give part time/internship opportunities to folks in your position precisely because others may overlook your talents and passion to develop them and because I was one of them :)


The email domain where the messages originate is from some sort of federated identity management system that was created in 2010 (here is a proposal deck [0] with technical details). Found this program simply by searching Google for the sending domain.

Based on the guide for using this system [1] (see step 15) looks like this specific email address is the one that sends automated confirmation emails upon registration. Perhaps someone was able to inject a message instead of the regular canned text through some sort of reflection attack? This explains why replies to the message result in a canned response. The system also now appears to be temporarily down. So it’s getting some sort of attention (internally taken down (most likely) or maybe denial of service from the abuse).

The Reddit thread suggests the recipients’ emails are likely ARIN IP range contacts. Those are very available from tools like this [2] so nothing interesting with that, but the real question is WHY someone would do this at all? This was clearly given some thought (on who to send this to who would actually take the time to verify the headers) but given the sloppiness of everything else, is this just a script kiddie flex? Whoever it is pissed off the FBI and gained absolutely nothing.

[0] https://bja.ojp.gov/sites/g/files/xyckuh186/files/media/docu...

[1] https://www.justice.gov/tribal/page/file/1260671/download

[2] http://itools.com/tool/arin-whois-domain-search


Awesome. A guide written in 2019 from the FBI that suggests Internet Explorer.


I would assume they're recommending Edge now. We switched from IE to Edge around that time; and our company is very security conscious because of our clients.


I would assume you're wrong. I don't think you appreciate how many government websites run ancient software sold to them by a politician's cousin, who thinks even having a developer on staff is a waste of money.


They also run ancient shit that was promoted internally. Not to mention how many sites/tools are outsourced to vendors who then outsource development to foreign development vendors.

To clarify, this is concerning from a security standpoint and is not out of xenophobic bigotry.


"Life is too short to depend on unstable software"

https://news.ycombinator.com/item?id=29209353


Yep, as late as earlier this year there's a ton of stuff inside the DHS that still requires IE and flash.


What’s wrong with internet explorer? It’s still in active support.


It's actively supported by a company who themselves recommend against it and described its use as technical debt (in 2019)

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/t...


They didn’t say not to use IE, just to restrict IE’s use to specific applications where it’s needed. The FBI has technical debt too!


I think the problem is that you have to clarify it's still in active support


So you’re against LTS releases I suppose?


2001 called - either you're with us or you're against us.


Depends which one you use, how many years out of security updates is your openssh package...?


What site is this?, wow


You must be trolling


"Enter your official business email address...Do not use hyphens or dashes in the social security number (SSN#) and Date of Birth fields....Enter your employer’s information in the “Employer” fields"

Oh, fun. Connected to a treasure trove of LEO personal info.


> The Reddit thread suggests the recipients’ emails are likely ARIN IP range contacts.

It's likely multiple different sources. I just noticed I got it as well on my personal email (which has a custom domain) and I don't own any IP ranges.


Yeah, I got it to two accounts I use with ARIN, as well as another that is confusing me.

That one is not very old, I know I have the entire outbound history for it, and have not used it for ARIN or anything similar.


The twitter link[0] posted in another thread appears to show a copy of the attacker's email. It looks like the attacker sent the email in a bid to lay down psychological cover fire in order to get sysadmins to work with an attacker who would identify themselves as "TheDarkOverlord".

[0] https://twitter.com/spamhaus/status/1459452609979371520/phot...


It could be the Russians trying to make the FBI look incompetent and make people trust the government less.


The Russians would likely try to exploit such an e-mail to gain something more tangible or if their goal was to make the FBI look inept they would send the message to a much wider audience.


Done and done.


[flagged]


What's the point of comments like this? Do you honestly not believe that Russia enlists hackers to poke at the seams in the US?


Not the OP, but, well, just as it could've been Russians, it could be North Koreans, Chinese, or anyone else. As a Russian, the comment just seemed unnecessary, though I'm obviously biased.


>Do you honestly not believe that Russia enlists hackers to poke at the seams in the US?

No, but I believe you should have some evidence before you start accusing them. Otherwise it is very much the "blame Russia" type comment that poster was mocking.


The point is to show how absurd the left has become with their xenophobia towards Russians.


It's not xenophobia when their legal system incentivizes hacking foreigners and hacks just happen to keep popping up from Russia. Nor is pointing out blatantly obvious trends "left".


I can speak using MIT as an example and I assume Harvard is the same way for the same reasons.

Big research institutions that were present when IP addresses were being allocated got A LOT of IPs by simply asking for them. Apple has the entire 17.0.0.0/8 range. Ford Motor Company has one, the US Gov has a lot [0]. Up until recently MIT had all of 18. (they sold something like half to AWS for a hefty sum not too long ago).

As a student (or visitor), when you joined the network (wired or Wi-Fi) you weren’t allocated some internal IP behind a router but a PUBLIC 18.something that was in the global address space because they had so many IPs available. This meant you could literally host something on the public internet from your dorm room because every device on the network was publicly routable by a unique public IP address.

[0] https://en.m.wikipedia.org/wiki/List_of_assigned_/8_IPv4_add... (see the last section on the original allocation)


> As a student (or visitor), when you joined the network (wired or Wi-Fi) you weren’t allocated some internal IP behind a router but a PUBLIC

An interesting detail, which seems alien today, is that this was also true at my various employers throughout the 90s. My desktops at work all had public IP addresses and were directly on the Internet, no firewall or anything.

I ran mail and web servers, fully internet accessible, on my work desktops (and lab machines). It was a natural thing to do.


so the modem was just connected to a switch?


The router on the OP's network was probably just being a router. No fancy NAT junk, and probably no ACLs / firewalling. It was pretty common to have something like a T1 circuit, a CSU/DSU that connected to the T1 and presented a serial connection, and a PPP or SDLC connection to your upstream ISP over that serial connection. The router's Ethernet interface is connected to your switch (or hub) and all the hosts have IP addresses in the subnet your ISP assigned. Fancier shops might have a proxy server or dedicated firewall box between the LAN and the router.


I see. An ISP subnet isn't really the same as a public IP though?


Back in the 90s your ISP would have given you a subnet of public IPs to use. I have a Customer w/ a T1 that they've had since the late 90s with the same /26 of public addresses on it the whole time.


> so the modem was just connected to a switch?

What EvanAnderson said.

The office ethernet network just contained a router, which would be hooked up to the upstream (via multiple T1 lines, IIRC). So everything on the office network had a public IP and was directly on the internet.


I had a biz customer who had an early cable internet connection. ISP plugged their dumb modem directly into the hub and every PC had a public IP.

This was awesome for about 3 hours until the worms showed up - because Win98 didn't come with a firewall.


USC would disable any residential port trying to host a real server like that (i.e. not a game server or something). It's a research and education network, not your free ISP. If you have legitimate reasons, get a teacher's note and we'll let you. We watched the connection counts, we'll investigate the weird and probably disable your port and account and send you to Student Conduct. You have to fly under the radar, too many connections to other machines on inside (you're up to something), or too much traffic (you're up to something else). Then again, we were better at network than most other universities.


We had this in 1992 at my university


Not to mention that the "single quote" in the article is hardly from an "unknown" author (Charles Dickens), this BBC article on the same topic [0] has several other quotes from well known literature in the same period.

[0] https://www.bbc.com/news/magazine-16964783.amp


I've considered this question a number of ways. The fact that capital holders are gatekeepers to innovation is unequivocally worse for federated innovation, but it has created an interesting class of companies which may never need to turn a profit yet still have a positive (and growing) net present value.

Take Wikipedia for example. They lose money running a high traffic service (edit: see below reply for clarification), but it's plain to see they hold a huge asset in terms of goodwill, usage, knowledge base, and their contribution to research and knowledge growth. Despite its operating losses, its capital value (which may be in the form of social capital) is huge and will likely remain well financed into the foreseeable future.

The fact that the service is free is not relevant: a startup offering an invaluable service that is based on years of user research, development and testing has developed an asset which helps other companies and companies pay what they think it is worth (or at the beginning a subsidized rate to take a risk to try it). Operating losses at most start ups are from continued R&D; but if they were to just declare the product as "done" and have a sufficient moat/network, they could rent seek on the asset for years - yet in many cases that's not what is best for anyone (company, clients or shareholders) - we continue to want them to innovate for the good of the product and there will be stakeholders that would rather finance this research in perpetuity to grow the underlying asset and thus the value of the product and company.

Inductively, that's a company with negative NOL but positive NPV. In the physical world this might be the same as an apartment complex that's expanding (forever). They may currently collect $1M in rent, but they are spending $2M on new construction. The new construction may bring in $5M over its 30 year lifespan but it will never be enough to outpace the immediate outlay of continued construction cost. As long as the time value of money is correctly attributed, this isn't a new idea - just one that's been pulled to an extreme.


Wikipedia does not lose money in any sense. Its revenue exceeds expenses, and net assets increase year over year. And in any case, the Wikimedia foundation is organized as a nonprofit.


A) Wikipedia is a non-profit.

B) Wikipedia makes money. https://en.wikipedia.org/wiki/Wikipedia:Fundraising_statisti...


Yes, they get enough donations to cover their costs, just like Uber has enough VC cash and loans to continue its operations. Its non-profit tax status is not strictly relevant to the fact that you typically need at least as much money as it takes to run your entity rather than less. In my opinion, this doesn't change the spirit of the point that Wikipedia doesn't make money from its free, high-traffic service but rather from favorable financing for its goodwill and assets similar to a not profitable startup.


>Yes, they get enough donations to cover their costs, just like Uber has enough VC cash and loans to continue its operations

VC Cash and donations are a finite resource constrained by their stock pool and their leverage.

Donations don't have these limitations.


Non-profits rely on donations as a revenue source. As opposed to investment, nothing is given in return. Not sure how you can compare that with VC cash or even loans.


Wikipedia is profitable. The foundation funds other projects from it.


> The Wikimedia Foundation relies on public contributions and grants to fund its mission.

The wiki (https://en.wikipedia.org/wiki/Wikimedia_Foundation) tagline suggests the underlying truth. Wikipedia gets ~half of its revenue from the investment-based endowment managed by the Tides Foundation. The leveraged capital is largely at the charity of large organizations (like google, amazon, etc) who have donated to that endowment over time, plus the remnants of their initial investment portfolio afaict.

Wikipedia would inevitably scale back in size without the continued charity of individuals and organizations around the world.


Being able to toss up a banner requesting donations on the 10th most visited website in the world is extremely valuable.

The Wikimedia foundation brought in US$104.5 million (2018) and only spent US$81.4 million (2018) even as they're funding many projects independent from Wikipedia.

In the end donations are just revenue.


"Profitable" ads may sell products or services, or as in Wikipedia's case, solicit donations that make up half its revenue.

