Hacker News: nnnnnnnn's comments

Github can easily afford to use someone like Prolexic. And they should.

When you say things like "And it's all dependent on attackers not getting the IP of your actual servers" this makes me wonder how much you understand the subject matter. There are many, many options.


Prolexic's servers don't take the load if the attackers know where the computers behind the scrubbers are. Configuring iptables to ignore all traffic not coming from prolexic's IPs doesn't come close to fending off a DDOS.

I know this because I was told this by prolexic while configuring our servers to sit behind their scrubbing servers while we're under an equally crippling DDOS (one that took down half the customers in our datacenter, not just us). So while I haven't examined their tech stack under a magnifying glass, I'm not exactly talking out of my ass here.

Yes, there are other options but those don't take an hour to implement like signing a contract and changing a few DNS entries does. And when these conditions exist, you need an answer that can be implemented in an hour.


You are fabricating straw men. They do not need "an answer that can be implemented in an hour." They have been in business for 4 years, and this particular string of DDoS attacks has been going on for several days now. This is both a planning failure and an incident response failure.

Your comment about iptables is odd. I don't know why iptables would be relevant here; I suspect we are talking about implementations several orders of magnitude different in size. Certainly one would drop traffic at the edges and not do filtering on end nodes.


Speaking from experience, most companies don't think to implement DDOS protection until they're under attack. It's just not on most people's checklists. Hence the need to implement something in an hour. The fact that it's a problem proves my point.

Yes, it sounds like our scales here are quite different. I'm referring to a few machines in a single data center, not hundreds being geographically distributed.


If a murder happens in my home and no one notices, is it not a crime?

If fraud occurs at my business and is undetected, is it not a crime?

Politically, I am against drug prohibition. Legalize it all, and demand warrants for non-visible spectrum imagery of homes. But the idea that a crime isn't a crime if no one notices just doesn't make any sense whatsoever.


You're ignoring the most important part, the victim. If a murder happens, the person who was killed would "notice".


jlgreco was quite clear that this would be the authorities noticing, and under his theory this ought to be a prerequisite to an investigation.

Noting that the criminal or (now deceased) victim observed the crime is neither useful nor insightful.


Murders are detectable outside of homes. Is someone missing? Yes? Then start an investigation.

Fraud can be detected with perfectly normal, well understood investigation techniques. No literal peering through walls is required. It is an important difference because fraud investigation techniques were conceivable when the laws we run our legal system with, laws put in place to protect us from it, were created.

Nobody is proposing we deploy these sorts of technologies to patrol for these crimes. Once we are reasonably certain that a particular crime has occurred, break out the UAVs for all I care. And get a warrant first. That is how the system was intended to work; if you breach that intention you breach the implied contract citizens have with their society.

Any crime should have an effect that is noticeable in a reasonable way. If there are absolutely no other methods of even determining if a crime has happened, then it is not a crime. A crime must have an effect, and an effect is noticeable. If there are other methods, then use those.


The error in your reasoning is that all these things do have external effects, but the connection between an external effect and the source is not always apparent. To specifically use the example of fraud, a great number of business operations are under forced reporting requirements for specifically this reason. Your answer to this point is flatly incorrect, as fraud cannot and is not effectively detected in this manner today.

Regarding murder, you suggest "if someone is missing, start an investigation." Of course, the error in your logic is that we do have evidence of drug crime -- and plenty of it. There is no question that Alameda county is full of grow-ops, which produce drugs for the surrounding region. I know, because I live here. There are many, many busts every year. Mountains of evidence.

The reason to limit this sort of investigation is found in the 4th amendment, and it is more than adequate when applied here. Kyllo v. United States is very clear on this point.


You have completely missed my point. I have to wonder if you are being willfully dense; right now you are violently agreeing with me while nevertheless misconstruing everything I am saying.

My point, stated succinctly: If a law cannot be enforced without violating the 4th amendment, it is not a legitimate law.

Alternative expression of my point: "When the police cannot catch you legally, they are not permitted to catch you anyway"

Application of my point: If grow houses cannot be found without using drones, which violate the 4th amendment (or should), then grow houses should be legal. Bans on grow houses should only exist if there are legal ways of finding them. If there are legal methods of finding grow houses, then illegal methods should not be employed. Of course grow houses can be found without drones, so no drones should ever be employed.

The purpose of this rule of thumb (notice that I never claim that this principle could be effectively coded into law) would be to provide the population with an effective way of telling Sheriffs to "Fuck off" when they say "We need to violate your 4th amendment rights to enforce this law."


On the contrary I understand your point well, and it appears to be nonsense.

You have, however, missed mine.


Please stop.


I apologize. I thought I was quite clear here: http://news.ycombinator.com/item?id=4676144 and I was overly brusque in my latest response (due to the language above).


Murders are detectable outside of homes. Is someone missing? Yes? Then start an investigation.

They could be missing already, or be unregistered kids, or recently arrived unregistered migrants. Not everyone who is murdered is noticed missing. Also, very few of the people who are missing have been murdered.


So what do you propose we do, regularly search all houses looking for bodies? These hypotheticals are edge cases which we already accept will in practice go unpunished. To eliminate them would involve violating the 4th amendment.


No, just arguing against your suggestion that they are not crimes if they are not detected by straightforward means.

If someone detects a murder by extremely technological means, say while using muons from cosmic rays to image through a structure like they are doing at Fukushima at the moment http://prl.aps.org/abstract/PRL/v109/i15/e152501, then that murder is still a crime whatever the method of detection.

Now it is reasonable to argue that growing weed should not be a crime in the first place, but to argue that growing it indoors should not be a crime on the basis of the level of technology required to detect it, does not seem to make any sort of sense.


So long as that somebody is not the police actively looking for a crime without a warrant, then that should not violate the 4th amendment.

I feel that I should emphasize that I am not proposing a change to existing law. I am merely advocating the point of view that new fancy technologies should, by default, be considered unreasonable searches.


Your reply reminds me of the post-9/11 "get some priorities" troll: http://everything2.com/user/NotBridgetJones/writeups/slashdo...

It's a classic false dichotomy. Specifically, a person can care about both issues simultaneously.

The problem is that we're not producing the radiation in the air -- it's already there. Radiation shielding is heavy and infeasible for use in current airplane technology. It's a very, very hard problem.

BackScatter scanners, in contrast, are optional. They are completely and utterly unnecessary. It's very easy to get rid of them; indeed it would have been easiest and cheapest to never have forced them upon an unwilling community of travelers.


"buy APPL and expect AAPL to double in 1 year."

Big error. You can predict a stock doubling in value a year in advance?

Your numbers are less shocking when you plug in more reasonable expectations, say 6% market index instead of 200% home run.


The actual numbers here are irrelevant; gp was providing a hypothetical in which it makes sense to sell a stock.

If exaggerated numbers make the hypothetical concept easier to grasp I don't think it detracts from the example to use them.


If you're going to buy one stock it doesn't really matter how much another stock will increase in the next year ;)

(I'm pretty sure that Appell Pete Corp would be psyched if enough people make this mistake).


Because no one looking for market index returns would hold Zynga in anything other than an index fund. If you hold Zynga you're looking for a home run, or a trader.

Thus I used numbers that would appeal to the type that might hold Zynga stock. The type that had a risk profile involving losing 90% of the stock's value in 6 months.


Funding the expensive regulatory process (which includes clinical trials and all the rest) is very easy to legislate. For example, grant a company some limited exclusive rights for commerce/sale of a drug they have funded through clinical trials.

A commercial restriction on the sale of a drug would be far less onerous and legally problematic than the current patent system.


>For example, grant a company some limited exclusive rights for commerce/sale of a drug they have funded through clinical trials.

Eh, isn't that the textbook definition of a patent?


Not quite.

A patent is granted for the invention of a drug, not the testing. If the monopoly were tied to the approval process, it would be limited to the country where the approval was granted. So shepherding a drug through the FDA approval process would get you a monopoly in the US, but not other countries.

Also, you can patent drugs that haven't been approved, which makes it basically impossible for anyone else to do the clinical trials. Breaking the link between the research and the approval process would make it easier for effective drugs to get tested and approved.

Finally, sure, that scheme would be a lot like patents. But at the very least it would be specific to the drug industry, where they are (maybe) useful, and wouldn't distort other industries where patents are actively harmful.


They do that now (to an extent).

If you get your drug approved by the FDA, you get 5 years of market exclusivity (12 years if it's a biologic). However, it has to be determined by the FDA to be a NCE (new chemical entity). Right now, a company called Amarin is trying to get a drug approved that has no patent and they are hoping to get the FDA to recognize their drug as an NCE.

If it is for a very rare disease (orphan drug), you get 7 years of exclusivity (still 12 if it's a biologic).

During that time, no other application for the same NCE and indication will be approved by the FDA, giving the first applicant de facto market exclusivity in lieu of an actual patent.


That's awesome. In my mind, that lets a lot of air out of the pharmaceutical argument for patents.


Ah, I see what you're saying now. That makes quite a bit of sense, especially if it applied only to drugs and medical devices.


Because human beings generally have selfish interests. If you tell a person they may own and control a thing for profit, many will choose to do so.

Unsurprisingly, this is a choice made by a large number of professors.


Actually it is a reflection of the law. The US government had the authority to prohibit export of crypto (at the time), but did not have the authority to limit it domestically.

If they had been given that authority things may have been different.


That's kind of circular. If the government has the authority to create a law to do X, then the government has the authority to do X, full stop.


I always thought that the clipper chip died in the court of public opinion and not in a court of law. However, I do not understand your interpretation of circular reasoning.

Let's look at the case where X is "regulate the sale of switchblades". The federal government has the authority to regulate the sale (commerce) of switchblade knives between states, but the federal government does not have the authority to regulate the sale of a switchblade within a state.


> The federal government has the authority to regulate the sale (commerce) of switchblade knives between states, the federal government does not have the authority to regulate the sale of a switchblade within a state.

Let's look at the case of guns. Do you really think that Montana could say "you can sell Montana-made machineguns in Montana without satisfying federal law"? (The feds don't much care about switchblades. They care about guns.)

See http://en.wikipedia.org/wiki/Wickard_v._Filburn . In that case, the feds got to regulate even though the wheat in question wasn't sold and never left the farm.


Well the feds did care about switchblades, that is why they passed a law banning the interstate sale of switchblades, "the Switchblade Knife Act, (Pub.L. 85-623, 72 Stat. 562, enacted on August 12, 1958, and codified in 15 U.S.C. §§ 1241–1245), prohibits the manufacture, importation, distribution, transportation, and sale of switchblade knives in commercial transactions substantially affecting interstate commerce[56] between any state."[1] Evidence for a continued interest in switchblades can be found in the recent exemption carved out for assisted opening knives in 5 USC § 1244.[2] (I think the exemptions in 1244 were passed within the last 5 years as part of a Homeland Security appropriations bill, but I'm fuzzy on the exact date.)

Wickard was 70 years ago; interstate commerce doctrine has evolved a lot in the intervening years. In fact I'm a little surprised that you used it as an example. It has been a while since ConLaw I, but I think Wickard is often used as an example of the height of the broad interpretation of the commerce clause. Are you arguing that there is no limit on the power of the commerce clause? Or that Wickard is the controlling case? Lopez is one of many cases since Wickard where the Supremes walked back such a broad interpretation of the commerce clause.

[1] http://en.wikipedia.org/wiki/Switchblade#Federal_law

[2] http://www.law.cornell.edu/uscode/text/15/1244


> Wickard was 70 years ago, interstate commerce doctrine has evolved a lot in the intervening years.

The Supremes haven't overturned Wickard.

Yes, they did decide that the first version of the Gun Free School Zones Act didn't have a commerce nexus, but they seem quite content with the current version, which affects only those guns that have gone interstate.

However, the relevant question is whether the Supremes have ever decided that something sold can be exempt from the federal power to regulate interstate commerce.

Take machine guns. A Montana statute that allows unrestricted sale of machine guns made in Montana clearly affects "commerce" (in Montana at the very least) of guns not made in Montana, aka "interstate guns".

Do you really think that the Supremes would reject that argument? On what basis?

And, if they accept that argument wrt guns, why wouldn't they accept it wrt cantaloupe?


That was 1958, back when prohibition was still in the memory of many congressmen.

When prohibition was passed, the Civil War was still in memory and Congress felt it needed a constitutional amendment to ban ethyl alcohol.

Today, if Congress wants to ban a thing they simply pass a law that puts you in jail for its sale or possession. Simple as that.


"Today...they simply pass a law that puts you in jail for its sale"

Today? They have always done that. Which is why the USC reads as follows:

"Whoever knowingly introduces, or manufactures for introduction, into interstate commerce, or transports or distributes in interstate commerce, any switchblade knife, shall be fined not more than $2,000 or imprisoned not more than five years, or both."


It is not circular. Interest and authority are two very different things. For example, the Federal government has the authority to wage war -- this has no bearing on a discussion as to whether they are philosophically correct in doing so.

The suggestion that policy is justified merely because it subsists upon formal authority is nonsense.


The point is that the government may not have the authority to do X or to create a law to do X. They may have the ability, but the supreme court decides if the authority exists.


Things are hardly so absolute.

The United States Constitution is the highest law, and provides for different treatment of foreign and domestic matters, so your statement is obviously false even under the most broad interpretation of "the government".

The President/Executive (closest to what many other countries would consider "the government") is also limited in most matters by the laws passed by Congress, so even assuming domestic regulation of cryptography were Constitutional (and I don't personally believe it would be), if Congress has not passed a law giving the Executive the authority to regulate it, the Executive cannot do so.


masklinn was very clear about the difference between an ivory tower example (yours) and the reality of user passwords. It appears you have missed his point.


>an ivory tower example (yours) and the reality of user passwords //

So you don't think that 'md5 is only as difficult to read as plaintext' is actually hyperbole?

If this is the case then surely someone has a plaintext for the hash I wrote - how much more real can one get. It's a simple English language password.


I can't get it for you because I have a single laptop at my disposal. However, any meagerly funded criminal enterprise which can front a few tens of thousands of dollars could tell you the answer quite easily.

It is not reliable cryptography, and if you provide an incentive to reverse that hash (rather than merely challenging people who have better things to do) then it will be reversed. When it comes to the type of enterprise which cracks systems for profit, it is as good as plaintext.


>it will be reversed //

I don't doubt it could be reversed relatively easily. It doesn't appear to be in the online rainbow tables I tried. But having to look something up, have domain knowledge, making multiple computations, program a parallelised attack using GPUs or however one approaches such a problem I still contend it's significantly (though not greatly) better than plaintext.
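The exchange above turns on why an unsalted MD5 of a simple English password is "as good as plaintext": the hash of a given word is identical everywhere, so one precomputed table answers every such database. The following is an added illustration, not code from the thread; the wordlist and records are constructed, and the salted PBKDF2 scheme is shown as the standard mitigation.

```python
"""Why an unsalted MD5 of a dictionary password is "as good as plaintext".

Added illustration, not code from the thread. WORDLIST stands in for a
leaked-password or dictionary list; only its size is unrealistic.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist: a real list runs to millions of entries.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "correct horse"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once. Because unsalted MD5 of a given word
    is the same everywhere, this table works against every such database."""
    return {md5_hex(w): w for w in words}


def recover_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Reversal is a single dictionary lookup, no per-hash work at all."""
    return table.get(stored_hash)


def store_password(password: str, iterations: int = 200_000) -> dict:
    """Mitigation: random per-user salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256 here), so no precomputed table applies."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def salt_defeats_shared_table(password: str, iterations: int = 1000) -> bool:
    """Two users with the same password get different stored digests, so a
    table built from one leak says nothing about the other."""
    a = store_password(password, iterations)
    b = store_password(password, iterations)
    return (a["digest"] != b["digest"]
            and verify_password(password, a) and verify_password(password, b))


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    leaked = md5_hex("sunshine")  # what an unsalted MD5 database would hold
    print("unsalted md5 recovered:", recover_unsalted(leaked, table))
    print("salted record shareable:", not salt_defeats_shared_table("sunshine"))
```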


"On your home page you imply that you can automatically OCR arbitrary handwritten receipts into an analyzable format. No one can do that. That is your problem"

Jeez, lay off the confrontational tone. He doesn't say anything about OCR. Maybe he's using humans to do data entry? In any event, it's completely irrelevant to the topic of databases.


I notice you ignored all of my several very specific points directly related to his issues with the database system and your only comment was a criticism about the tone you perceived.

OK, maybe he is using humans to do data entry. The home page to me implies that the process is automatic, but I guess it doesn't rule out the possibility of humans doing data entry when he says 'tag and categorize'. But if he is using humans to do data entry instead of some automatic OCR, that is still his main business problem, rather than MongoDB. The application is relevant to the database discussion, and Hacker News is about all aspects of startups.


It's because I have nothing to say about the database stuff. Why are you so adversarial? I'm not here to cross swords with you; I don't have an opinion on the matter.

But I did notice your rudeness, and you're now being rude to me. Totally uncalled for.


I was not rude to the poster. I corrected him as far as his misguided complaints about MongoDB and the main problem for his business. That is the only way to help him.

I was definitely not rude to you either. You suggested that my comment was irrelevant, and I pointed out that my comment had a lot of relevant content in it whereas by your own definition of relevance your comment had none.


Frankly, your lack of belief is likely due to a lack of experience with user submitted forms with email addresses. It's VERY common for users to simply type the wrong data into a particular textarea. If you do no validation you will get things like the person's name, street address, or other confused mixups.

Anyone who deals with forms of this nature will have seen this firsthand, and with enough frequency to cause trouble with mail relay as the person above has described. It's a real problem.
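As an added example (not code from the thread), this is the kind of conservative shape check that keeps a name or street address typed into the email box from ever being handed to the mail relay. The submissions are constructed to mimic the mix-ups described; the check deliberately does not try to accept every exotic RFC 5322 form.

```python
"""Reject obviously non-email input before it reaches the mail relay.

Added example, not from the thread. SUBMISSIONS is constructed to mimic
names and street addresses typed into an email field.
"""
import re
from typing import Optional

# Constructed form submissions: what the "email" field actually contained.
SUBMISSIONS = [
    "alice@example.com",
    "  Bob.Smith@Example.ORG ",
    "John Smith",                          # a name in the wrong box
    "123 Main St",                         # a street address
    "alice@example",                       # no TLD: the relay would bounce it
    "alice@@example.com",
    "alice@example.com, bob@example.com",  # two addresses in one field
    "",
]

# Local part: RFC 5322 "atext" plus dots; domain labels: letters, digits, hyphens.
_LOCAL = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def normalize_email(raw: str) -> Optional[str]:
    """Return a cleaned address, or None if the value must not be relayed."""
    value = raw.strip()
    # Whitespace or more than one '@' is the signature of confused input.
    if not value or any(ch.isspace() for ch in value) or value.count("@") != 1:
        return None
    local, domain = value.split("@")
    if not local or len(local) > 64 or not _LOCAL.match(local):
        return None
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return None
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    if not labels[-1].isalpha():  # top-level label must be letters
        return None
    # Domain is case-insensitive; the local part is preserved as typed.
    return f"{local}@{domain.lower()}"


def triage(submissions):
    """Split submissions into relayable addresses and rejected raw values."""
    accepted, rejected = [], []
    for raw in submissions:
        cleaned = normalize_email(raw)
        if cleaned is None:
            rejected.append(raw)
        else:
            accepted.append(cleaned)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(SUBMISSIONS)
    print("relay:", ok)
    print("reject:", bad)
```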

