Items tagged with: most
HN Discussion: https://news.ycombinator.com/item?id=19844153
Posted by cuchoi (karma: 435)
Post stats: Points: 206 - Comments: 56 - 2019-05-06T21:37:45Z
#HackerNews #altair #for #most #python #reason #the #using #visualization
HN Discussion: https://news.ycombinator.com/item?id=19819789
Posted by jbegley (karma: 5514)
Post stats: Points: 105 - Comments: 106 - 2019-05-03T16:28:16Z
#HackerNews #file #format #important #most #pdf #the #worlds
HN Discussion: https://news.ycombinator.com/item?id=19818899
Posted by ingve (karma: 102796)
Post stats: Points: 153 - Comments: 32 - 2019-05-03T14:46:31Z
#HackerNews #abstractions #cpu #eliminate #faster #lets #most #pdf #than #the
HN Discussion: https://news.ycombinator.com/item?id=19815155
Posted by longdefeat (karma: 2675)
Post stats: Points: 117 - Comments: 115 - 2019-05-03T03:02:10Z
#HackerNews #2014 #and #chills #doesnt #eggs #its #most #the #why #world
HN Discussion: https://news.ycombinator.com/item?id=19799443
Posted by evanwalsh (karma: 391)
Post stats: Points: 221 - Comments: 43 - 2019-05-01T17:24:46Z
#HackerNews #code #computers #dell #execution #most #remote
HN Discussion: https://news.ycombinator.com/item?id=19770237
Posted by rbanffy (karma: 79299)
Post stats: Points: 101 - Comments: 122 - 2019-04-28T09:45:47Z
#HackerNews #2017 #ban #finds #its #most #reddits #study #subreddits #toxic #worked
HN Discussion: https://news.ycombinator.com/item?id=19750667
Posted by enraged_camel (karma: 12353)
Post stats: Points: 104 - Comments: 120 - 2019-04-25T17:48:17Z
#HackerNews #americans #among #are #finds #most #people #poll #stressed #the #world
HN Discussion: https://news.ycombinator.com/item?id=19733418
Posted by JumpCrisscross (karma: 59644)
Post stats: Points: 105 - Comments: 136 - 2019-04-23T22:03:59Z
#HackerNews #after #buffett #decline #most #newspapers #sees #toast #warren
HN Discussion: https://news.ycombinator.com/item?id=19721343
Posted by objections (karma: 957)
Post stats: Points: 88 - Comments: 74 - 2019-04-22T18:23:49Z
#HackerNews #americas #beppo #buca #chain #most #postmodern #red #sauce
HN Discussion: https://news.ycombinator.com/item?id=19704792
Posted by nnx (karma: 1772)
Post stats: Points: 103 - Comments: 48 - 2019-04-20T04:22:00Z
Org-Mode Is One of the Most Reasonable Markup Languages to Use for Text
HN Discussion: https://news.ycombinator.com/item?id=19622019
Posted by funkaster (karma: 896)
Post stats: Points: 165 - Comments: 48 - 2019-04-10T05:07:54Z
#HackerNews #2018 #for #languages #markup #most #one #org-mode #reasonable #text #the #use
Update 2017-09-25: Simplified the table syntax even more
Update 2018-04-06: Comments on the standardization argument
Disclaimer: this is a very nerdy blog entry. It is about lightweight markup languages and why I think that Org-mode is the best lightweight markup language for many use-cases. And with lightweight markup language, I do mean the syntax, the way you express headings, lists, font variations such as bold face or italic, and such things.
Please do note that this is not about Emacs. This is about Org-mode syntax and its advantages even when used outside of Emacs. You can type Org-mode in vim, notepad.exe, Atom, Notepad++, and all other text editors out there. And in my opinion it does have advantages compared to the other, common lightweight markup standards such as Markdown, AsciiDoc, Wikitext or reStructuredText.
Of course, Org-mode is my favorite syntax. Despite my personal choice you will see that Iʼve got some pretty convincing arguments that underline my statement as well. So this is not just a matter of personal taste.
If you already have a grin on your face because you donʼt have any clue what this is all about: keep on reading. It makes an excellent example for making fun of nerds at your next dinner party. 😉
Here you are. This is almost everything you need to know about Org-mode syntax:

* This Is A Heading
** This Is A Sub-Heading
*** And A Sub-Sub-Heading

Paragraphs are separated by at least one empty line.

*bold* /italic/ _underlined_ +strikethrough+ =monospaced=

[[http://Karl-Voit.at][Link description]]
http://Karl-Voit.at → link without description

: Simple pre-formatted text such as for source code.
: This also respects the line breaks. *bold* is not bold here.

- list item
- another item
  - sub-item
    1. also enumerated
    2. if you like
- [ ] yet to be done
- [X] item which is done
Iʼve seen many coworkers who typed Org-mode markup when taking notes in their text editor. And they did not even know anything about it. So it is that intuitive Iʼd say.
While I was learning Org-mode, I did not even use a cheat-sheet for the syntax as I normally do. It was very natural for me to type Org-mode right from the start.
Tables are a bit more complicated, as in all other markup languages I know of:
| My Column 1 | My Column 2 | Last Column |
|-------------+-------------+-------------|
| 42          | foo         | bar         |
| 23          | baz         | abcdefg     |
|-------------+-------------+-------------|
| 65          |             |             |
You most probably wonʼt type a table like this outside of Emacs. The manual alignment without tool-support is very tedious. But even here you are able to deliver a perfectly fine Org-mode table by simply ignoring the alignment altogether:
| My Column 1|My Column 2 | Last Column |
|-
| 42 | foo | bar|
| 23 | baz | abcdefg|
|-
| 65 |||
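To make the cheat sheet and the two table forms concrete, here is a small line-oriented parser for exactly the Org-mode subset shown above (headings, the five emphasis pairs, links, list items with checkboxes, fixed-width lines, and tables). It is an added illustration written for this page, not code from the article or from Org-mode/Emacs; the node dictionaries and the SAMPLE document are my own constructions, and it treats the fully drawn "|---+---|" rule and the bare "|-" rule identically, which is the point the table paragraph makes.

```python
import re
from typing import Dict, List

# Inline markup from the cheat sheet: [[url][description]], bare URLs, and the
# five emphasis pairs *bold* /italic/ _underlined_ +strikethrough+ =monospaced=.
EMPHASIS = {"*": "bold", "/": "italic", "_": "underline", "+": "strike", "=": "mono"}
INLINE_RE = re.compile(
    r"\[\[(?P<url>[^\]]+)\]\[(?P<desc>[^\]]+)\]\]"        # [[url][description]]
    r"|(?P<bare>https?://[^\s\]]+)"                        # bare URL, no description
    r"|(?<!\w)(?P<mark>[*/_+=])(?P<body>\S(?:.*?\S)?)(?P=mark)(?!\w)"  # *x* /x/ ...
)
HEADING_RE = re.compile(r"^(\*+)\s+(.*)$")                 # level = number of asterisks
LIST_RE = re.compile(r"^\s*(?:-|\d+\.)\s+(?:\[(?P<box> |X)\]\s*)?(?P<text>.*)$")
RULE_RE = re.compile(r"\|[-+|]+")                          # "|-" or "|-----+-----|"

def parse_inline(text: str) -> List[Dict]:
    """Split one line into text/link/emphasis tokens (data only; a renderer must still escape text and check link schemes)."""
    tokens, pos = [], 0
    for m in INLINE_RE.finditer(text):
        if m.start() > pos:
            tokens.append({"type": "text", "text": text[pos:m.start()]})
        if m.group("url"):
            tokens.append({"type": "link", "url": m.group("url"), "desc": m.group("desc")})
        elif m.group("bare"):
            tokens.append({"type": "link", "url": m.group("bare"), "desc": None})
        else:
            tokens.append({"type": EMPHASIS[m.group("mark")], "text": m.group("body")})
        pos = m.end()
    if pos < len(text):
        tokens.append({"type": "text", "text": text[pos:]})
    return tokens

def parse_table(lines: List[str]) -> Dict:
    """Parse '|'-delimited rows; a rule row (drawn '|---+---|' or bare '|-') separates
    the header from the body, so the aligned and unaligned tables yield the same cells."""
    header, body, seen_rule = [], [], False
    for line in lines:
        line = line.strip()
        if RULE_RE.fullmatch(line):
            seen_rule = True
            continue
        inner = line[1:-1] if line.endswith("|") else line[1:]   # drop outer pipes only
        cells = [c.strip() for c in inner.split("|")]           # keeps empty cells
        (body if seen_rule else header).append(cells)
    # Without a rule row there is no header; everything collected is body.
    return {"header": header if seen_rule else [], "rows": body if seen_rule else header}

def parse_org(src: str) -> List[Dict]:
    """Parse a snippet into a flat list of block nodes (one node per line; paragraphs are not merged)."""
    nodes: List[Dict] = []
    table_buf: List[str] = []
    def flush_table() -> None:
        if table_buf:
            nodes.append({"type": "table", **parse_table(table_buf)})
            table_buf.clear()
    for raw in src.splitlines():
        line = raw.rstrip()
        if line.lstrip().startswith("|"):          # consecutive '|' lines form one table
            table_buf.append(line)
            continue
        flush_table()
        if not line.strip():
            continue
        if m := HEADING_RE.match(line):
            nodes.append({"type": "heading", "level": len(m.group(1)),
                          "title": parse_inline(m.group(2))})
        elif line.startswith(": "):                 # fixed-width line: no inline markup
            nodes.append({"type": "pre", "text": line[2:]})
        elif m := LIST_RE.match(line):
            done = None if m.group("box") is None else m.group("box") == "X"
            nodes.append({"type": "item", "indent": len(line) - len(line.lstrip()),
                          "done": done, "text": parse_inline(m.group("text"))})
        else:
            nodes.append({"type": "paragraph", "text": parse_inline(line)})
    flush_table()
    return nodes

# Constructed sample: the cheat sheet plus the unaligned table from the article.
SAMPLE = """\
* This Is A Heading
** This Is A Sub-Heading
*** And A Sub-Sub-Heading
Paragraphs are separated by at least one empty line.
*bold* /italic/ _underlined_ +strikethrough+ =monospaced=
[[http://Karl-Voit.at][Link description]]
http://Karl-Voit.at → link without description
: Simple pre-formatted text such as for source code.
: This also respects the line breaks. *bold* is not bold here.
- list item
- another item
  - sub-item
    1. also enumerated
- [ ] yet to be done
- [X] item which is done
| My Column 1|My Column 2 | Last Column |
|-
| 42 | foo | bar|
| 23 | baz | abcdefg|
|-
| 65 |||
"""
```

Calling parse_org(SAMPLE) returns 16 nodes; the last one is the table with a one-row header and three body rows, the third being ["65", "", ""].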
This is an almost ridiculous argument because in my opinion a markup is of no use when it is not the same for tool A as for tool B.
However, there are markup languages that are different. For example the very widely used markup language named Markdown has many flavors to choose from:
Pandoc lists six different Markdown flavors as output formats. This is an absolutely bad situation which foils the original idea behind lightweight markup languages. When some web service tells me that I can use "Markdown" for a text field, I have to dig deeper to find out which of those many different Markdown standards the web page is talking about. After this I will have to continue and look for a cheat-sheet of this dialect because nothing is more difficult to differentiate than multiple standards that are almost the same but not really the same. A usability hell. I get furious every time I have to enter this hell.
With Org-mode, life is easy. The snippet from the previous section explains all there is. Any tool that interprets Org-mode accepts this simple and easy to remember syntax.
Many lightweight markup languages do offer multiple ways of typing headings. There are basically three ways of defining headings:
1. Prefix headings
2. Pre- and postfix headings
3. Underlined headings
Here are some examples for each category:
Prefix headings:
# Heading 1
## Heading 2
### Heading 3

Pre- and postfix headings:
= Heading 1 =
== Heading 2 ==
=== Heading 3 ===

Underlined headings:
Heading 1
=========
Heading 2
~~~~~~~~~
Heading 3
*********
I prefer the prefix heading style. Org-mode uses this as well, with * as the prefix character. The more asterisks, the deeper the level of the heading.
Pre- and postfix headings offer bad usability. The user has to manually synchronize the number of prefix characters with the number of postfix characters. And it is totally unclear how something like = heading == with different numbers of pre/postfix characters is going to turn out when being interpreted.
And in case the user already used a markup language with simple prefix headings, it is not logical why there is the need for the postfix characters at all.
Even worse than this is the underlined heading category. The user is completely irritated for multiple reasons. Besides the tedious manual work to align the stupid heading characters with the heading title, it is not clear what characters must be used for those heading lines. If youʼve got a bigger document with different levels of headings you get confused which heading character stands for which heading level.
Are the tilde characters level one? Or was it the equals characters? And how about asterisks? Without a cheat-sheet, the occasional markup user is completely lost.
This gets even worse: some markup languages let you choose your "order" of heading characters. This results in weird situations. For example, one author starts writing a reStructuredText document using her favorite heading syntax. A second author joins in and has to analyze the document in order to know what heading syntax he must use.
In the reStructuredText mode of Emacs you can find following function:
You can visualize the hierarchy of the section adornments in the current buffer by invoking rst-display-adornments-hierarchy, bound on C-c C-a C-d. A temporary buffer will appear with fake section titles rendered in the style of the current document. This can be useful when editing other peopleʼs documents to find out which section adornments correspond to which levels.
Yes, you got it right, it is true: this functionʼs only purpose is to generate a dummy hierarchy of headings to visualize which markup has to be used for heading 1, which one for heading 2 and so forth, just for this single document. What a bad design decision of the markup when you need such hacks just to know how a heading should look, even if you are already familiar with the markup in the first place.
Here is one more: some markup languages even allow mixed heading styles. You can use an underlined heading style for heading level 1, a prefix style for level 2, another underlining style for level 3 and so forth. Now the chaos is a perfect one.
Letʼs have a look at a different markup element: external links. As you already remember in Org-mode, a link looks like this:
[[http://Karl-Voit.at][my home page]]
The only difficult thing here is to remember that the URL is at the beginning and the description follows after the URL. Many markup languages do add additional and unnecessary levels of difficulties.
Here are some examples from Wikipedia and comments by me where a user might be irritated.
The form is simple, but for complex URLs the [Text] might look like being part of the URL itself. Not beautiful, but at least something I could live with.
Brackets or parentheses first? Why using different kind of markup characters in the first place like only brackets? Is the Title part of the URL? Why not part of Text? Very confusing design decisions from my point of view.
Holy moly. This is some weird stuff. First, you have to use grave accents ` and not apostrophes ʼ. Then what about the underscore character at the end? This is as complicated as you can define a simple URL. Iʼd even prefer the hard-to-type HTML version of linking. A disaster for something which has "lightweight" in its class name.
The simple syntax of Org-mode does not imply typing unnecessary characters. You donʼt have to manually align something like underlined headings. Anybody using a simple text editor is very fast at adding markup for headings, font variations, and so forth. The previous section proved that other markup languages clearly fail in many cases.
You donʼt have to use the Emacs editor to write and work with Org-mode markup text. As I mentioned above, many people already do so just because Org-mode is an intuitive and clean way of typing text characters.
When youʼve got text information in Org-mode markup, you can process it with many tools. Most prominent and most important examples are files pushed within a GitHub repository and the swiss army knife named Pandoc which is able to convert Org-mode to dozens of formats like HTML, odt (LibreOffice), docx (Word), LaTeX, PDF, and so forth.
As I mentioned in the beginning, this is not an article about Emacs. Nevertheless, for anybody not familiar with Emacs I have to mention that Emacs offers tool support that makes writing Org-mode syntax (and much more) a perfect experience.
You might start with mouse-only usage. There are menu items with all important functions. For the users that want to get a minimum of efficiency, the menu items show you the keyboard shortcuts you might want to use.
For Org-mode it is really easy to learn. Basically you just have to use TAB to toggle the collapsing and expanding of headings, lists, and blocks. Itʼs Alt and the arrow keys to move around headings, list items, and even table columns/rows. Ctrl-Return creates a new heading or list item without the need to enter the markup characters and manually match indentation levels at all.
Thatʼs it. With those three things youʼre good to write Org-mode syntax efficiently. The basic file open/save, finding help, exiting Emacs stuff is accessible with icons or the menu. No need to learn more keyboard shortcuts if you donʼt want to.
Having experienced this great tool-support, users typically are eager to learn more. You donʼt have to. You might be happy with Org-mode for capturing minutes of meetings and your shopping list. However, others do master a few additional things and write whole eBooks within Org-mode.
Lightweight markup languages are designed to be used with a minimum effort compared to full-blown and therefore more complicated markup languages such as HTML or LaTeX.
Some are doing their job better than others. In my experience, many design decisions of widely adopted markups such as Markdown or reStructuredText (and others) are questionable from a usability point of view. At least I do have some issues when I have to use them in my daily life.
Unfortunately, I hardly see any people out there using Org-mode as a markup language outside of Emacs although there are very good reasons for it as an easy to learn and easy to use markup language.
With this blog article I wanted to point out the usefulness of Org-mode even when you are not using Emacs as a writing tool.
"revocation" has a valid point related to the missing standardization of Org-mode. Here is my comment on this:
The statements here refer to a /lightweight/ markup, the basic things of Org-mode syntax. I explicitly listed "headings, lists, font variations such as bold face or italic, and such things".
What I do not cover here is a full syntax statement or standard. In my opinion, currently this is not possible outside of Emacs for various reasons.
Of course, there are variations in interpreting Org-mode files between Emacs and pandoc. Also, pandoc only supports a sub-set of Org-mode. Otherwise, pandoc would have to re-implement or embed Emacs for parsing purposes.
In this specific case, pandoc seems to have a stricter parser related to leading spaces for #-lines, or keywords. Iʼm pretty sure that the pandoc project accepts this issue as a bug. When in doubt, the interpretation of Emacs is the definition, or gold standard, of Org-mode syntax. Even this beta version of a syntax definition does not mention optional spaces before keywords. The manual mentions org-element-parse-buffer and org-lint, which would most probably be the best choice for defining the official standard if you were looking for one.
However, this does not relate at all to the intention of this article: the design of the (basic) Org-mode syntax compared to other lightweight markup languages. All the issues mentioned where other markups show inconsistencies and usability problems and where Org-mode seems to have advantages still apply here, completely independent of the standardization argument. My personal belief is that if there were more use of Org-mode syntax elements outside of Emacs, there would be much higher pressure to formally define Org-mode as a syntax which pandoc and even Emacs could use as the gold standard.
So far, there is not even the necessity of defining this golden standard because nobody outside of the Emacs community knows or even is using Org-mode. And this is what I tried to change a bit because other markup languages do tend to hurt my geeky soul when I do have to use them. 😉
Tens of thousands of public servants have applied to have their federal student loans forgiven through a temporary program run by the U.S. Education Department. Fewer than 300 have had success.
Article word count: 803
HN Discussion: https://news.ycombinator.com/item?id=19587528
Posted by ilamont (karma: 25788)
Post stats: Points: 87 - Comments: 87 - 2019-04-05T22:15:12Z
#HackerNews #applicants #dept #education #for #forgiveness #loan #most #program #rejects #student
Tens of thousands of public servants have applied to have their federal student loans forgiven through a temporary relief program run by the U.S. Education Department. Fewer than 300 have had success.
Now, one of the lawmakers who championed the initiative wants to know what happened.
“We authorized $700 million dollars to help ensure public servants — including firefighters, teachers and nurses — receive the loan forgiveness they have earned, and it’s maddening that the Trump administration is letting it go to waste,” Sen. Tim Kaine (D-Va.) said in an email.
Kaine and other Senate Democrats have said the Education Department created eligibility criteria that are far more rigid than Congress envisioned. The measure in the fiscal 2018 budget that set up the onetime expansion, based on legislation introduced by Kaine and Sen. Sheldon Whitehouse (D-R.I.), directed the agency to develop a simple way for borrowers to apply for forgiveness. Instead, lawmakers say, the Education Department has restricted access with a litany of rules.
It has been about a year since the Education Department launched the temporary expansion of the Public Service Loan Forgiveness program, with $700 million from Congress to spend over two years. The goal was to give public servants enrolled in the wrong repayment plan another shot at having the balance of their debt erased after 10 years of on-time payments.
In response to an inquiry from Kaine, the Education Department disclosed last week that 38,460 people had submitted requests for forgiveness as of Dec. 28 under the new program. Most of those, 28,640 people, were immediately rejected because they had not previously filled out a formal loan forgiveness application — one of the many criteria of the relief program.
Of the 9,820 applicants who cleared the first hurdle, 1,184 are still under consideration. The rest were rejected for myriad reasons. Of the applicants who cleared the initial hurdle, 40% still had years to go before hitting the required 10-year mark. Nearly a quarter were ineligible because they were paying less money in the wrong payment plan than they would have in the correct one.
Others were turned away for having the wrong type of federal loan — those originated by private lenders through the now-defunct Federal Family Education Loan Program. Some had not made enough on-time payments or had not had at least 10 years of full-time employment certified by a qualifying employer, according to the department.
“The Department thoroughly evaluates, approves, and denies requests for consideration for Temporary Expanded Loan Forgiveness based on the criteria Congress established,” Education Department spokeswoman Liz Hill said in an email.
Only 262 people have jumped through all the hoops required for their loans to be discharged. A total of $10.6 million in student loans has been forgiven, a small fraction of the $700 million provided to cover canceled loans.
“We’re talking about thousands of people who have given a decade of service to our country, and the Education Department is leaving them out to dry,” Kaine said Tuesday.
Senate Democrats wrote to Education Secretary Betsy DeVos in June urging her to let people submit an application to be processed under the new loan forgiveness program regardless of whether they had already applied for public service forgiveness. The department agreed to the recommendation.
But lawmakers say they have heard from borrowers who had no idea they needed to fill out an earlier application for public service loan forgiveness before requesting forgiveness under the new program, which could account for some of the high rate of rejections. Frustrated borrowers also say they have not received an explanation for the denial of their requests.
The Education Department pushed back against accusations of poor communication with borrowers. Rejection letters contain a list of possible reasons for denial, as does an agency web page about the temporary expansion initiative, according to the department. The agency said it has turned to social media, hosted a webinar and sent targeted emails to public servants to raise awareness of the program.
Congress carved out money for the temporary expansion after lawmakers said they heard too many stories from constituents about receiving inconsistent and unclear guidance about Public Service Loan Forgiveness.
The earlier program, introduced in 2007 by the administration of President George W. Bush, requires borrowers to be enrolled in specific repayment plans, primarily those that cap monthly loan payments to a percentage of their income. But some borrowers say loan servicing companies led them to believe they were making qualifying payments when they were not.
People have complained to the Consumer Financial Protection Bureau about the company overseeing the program, FedLoan Servicing, processing payments incorrectly or botching paperwork. Those mistakes could lead to additional years of payments or rejected applications. FedLoan has rebutted the claims and contended it is working within the confines of the program.
Employers cut 190,410 jobs in the first 3 months of 2019.
Article word count: 20
HN Discussion: https://news.ycombinator.com/item?id=19583735
Posted by Reedx (karma: 3135)
Post stats: Points: 173 - Comments: 145 - 2019-04-05T15:52:22Z
#HackerNews #decade #had #just #layoffs #most #the
According to a 2018 McKinsey report, China boasts 114 of the world’s 147 female, self-made billionaires (America has 14). And almost 50% more women hold professional or technical jobs for every 100 men in the Philippines. Asia is one of the most progressive regions for women, yet stereotypes of what Asian women are like and look like persist. BBH Singapore’s ‘See Different’ collection of images seeks to change that by showing the true diversity and personality of women across the Asian region.
Photo by @meaneggs on Instagram.
Location: Khidarpur Jadoo, India
tl;dr: Building new solar, wind, and storage is about to be cheaper than operating existing coal and gas power plants. That will change everything. When the history of how humanity turned the corne…
Article word count: 1541
HN Discussion: https://news.ycombinator.com/item?id=19564179
Posted by kickout (karma: 109)
Post stats: Points: 142 - Comments: 86 - 2019-04-03T15:33:50Z
#HackerNews #clean #disruptive #energy #most #phase #the #third #will #yet
tl;dr: Building new solar, wind, and storage is about to be cheaper than operating existing coal and gas power plants. That will change everything.
When the history of how humanity turned the corner on climate change is written, we’ll look back and see that clean energy – specifically clean electricity from solar, wind, and storage, went through four distinct phases.
RENEWABLES PHASE 1 – POLICY DEPENDENT
From the 1980s until roughly 2015, there was virtually no place on earth where new solar, wind, or energy storage was cheaper than generating electricity from coal or natural gas. This was the first phase of renewables, one where they scaled entirely because of government subsidies and mandates. And in this time, renewable growth was paltry. Solar reached 1% of global electricity. Wind reached perhaps 4%. The world spent hundreds of billions of dollars subsidizing clean energy, and seemingly got nothing.
RENEWABLES PHASE 2 – COMPETITIVE FOR NEW POWER
Except that the world didn’t get nothing. As I’ve written often, the most important aspect of clean energy policy has been to drive down the price of clean energy by scaling it, and thus kicking in the learning-by-doing that continually lowers the unsubsidized price of new solar, new wind, and new energy storage. The policies of the 80s, 90s, 2000s, and 2010s finally drove down the cost of new solar and wind electricity by more than a factor of ten. That finally paid off around 2015, when, for the first time, building solar or wind power was, even without subsidies, sometimes cheaper than building new coal-or-gas fired electricity.
You can see this in IRENA’s graph showing the price of new solar PV, on-shore wind, off-shore wind, and solar CSP.
[Figure] The cost of solar and wind is dropping below the cost of fossil fuel electricity around the world. Each blue or orange circle reflects one solar or wind project. The heavy lines reflect global weighted average prices of solar and wind. Source: IRENA.
RENEWABLES PHASE 3 – DISRUPTIVE TO EXISTING FOSSIL ELECTRICITY
Now, after decades of subsidizing solar and wind, we’re on the verge of a new, radically different point in history – the point at which building new solar or wind power (or new energy storage systems, in some cases), is cheaper than the cost of continuing to operate existing coal- or gas-fueled power plants.
Dubious? Consider the following:
1. NextEra CEO: Cheaper to Build Solar & Wind Than Operate Existing Coal by the Early 2020s: In January 2018, NextEra CEO Jim Robo told investors that by the early 2020s, it would be cheaper to build new solar and wind power than to operate the utility’s fleet of existing coal power plants.
2. NIPSCO: Cheapest Option is to Go from 65% Coal-powered to Zero – and Replace it With Solar, Wind, and Storage. In October of 2018, a utility in Northern Indiana, NIPSCO, reached Jim Robo’s prophesied point years ahead of schedule, when it submitted a 5 year resource plan that would take the region from being 65% coal powered in 2018 to just 15% coal powered in 2023, and 0% coal powered in 2028, and replace virtually all of that coal power with a mix of solar, wind, storage, and flexible demand. Bear in mind that NIPSCO is in a region with mediocre sun, pretty good but not amazing wind, and which voted for Donald Trump by 19 points. Admittedly, this is with prices of solar and wind which are still somewhat subsidized in the US. But not tremendously so, as the US federal solar and wind tax credits (the ITC and PTC) are winding down in exactly this same period.
3. 2019: Florida Power and Light: Cheaper to Build New Solar + Storage Than Operate Existing Gas Plants. In March of 2019, Florida Power and Light said it would retire two aging natural gas plants, and replace them with a combination of energy efficiency and the world’s largest (so far) battery, which it will use to charge with solar power during the day to deliver during the evening peak.
4. CarbonTracker – New Wind and Solar Cheaper than Existing Coal and Gas in the US, China, and India by the mid-2020s. Meanwhile, think tank CarbonTracker has been quietly pumping out reports showing that in country after country, new solar and wind are headed for prices cheaper than the operational cost of existing coal and gas. Consider this chart (slightly modified by yours truly) of new solar and wind cost in the US vs coal operational cost:
[Figure] New solar and wind cost in the US vs. coal operational cost. See CarbonTracker's report on the disruption of coal in the US for more: No Country for Coal Gen.
Or, more importantly, consider what CarbonTracker forecasts for China: that new solar and wind will be cheaper than the operating cost of existing Chinese coal power plants by the 2020s.
[Figure] See more at CarbonTracker's report on China's coal fleet, "NoWhere to Hide".
5. McKinsey: New Solar and Wind Cheaper than Existing Coal and Gas… Pretty Much Everywhere by 2030.
Finally, if reports from CarbonTracker, or announcements by actual utilities aren't enough, consider McKinsey's assessment from its Global Energy Perspective 2019. In the chart below (with a bit of help from me), McKinsey shows that on almost every continent, and particularly in China and India, where energy demand has the most to grow, new solar and wind are cheaper than existing coal and gas by 2030. And often much sooner.
[Figure] McKinsey, Global Energy Perspective 2019: cost of new solar and wind vs. existing coal and gas by region.
We've gone from Phase 2 to Phase 3 much more rapidly than we went from Phase 1 to Phase 2. Why? Because solar and wind power had to drop by a factor of nearly 10 in price – from 60 cents / kWh for new electricity to roughly 6 cents / kWh for new electricity – to move from their early days to being competitive for new power. But they only have to drop by another factor of 2 or 3 to move from being competitive for new power to being cheaper than the operating cost of existing coal and gas. The "competitive zone" is much narrower and faster to pass through than the long history of subsidized prices leading up to the first fair market competition.
RENEWABLES PHASE 4 – SLOWED BY HEADWINDS
Finally, there will in fact be a Phase 4 of renewables, when their penetration has grown so high that they become limited by headwinds of their own creation: Value deflation, where renewables create so much supply at certain hours that they drive down wholesale prices; Depletion of the best sites in some regions; Seasonal intermittency and the unsolved problem of seasonal storage.
But these problems are distant. Renewables will start to encounter them in earnest when solar makes up >20-30% of electricity and when wind makes up >40-50% of electricity. Today, worldwide, solar is only 2% and wind is only perhaps 6% of global electricity. Cheap multi-hour storage will arrive before that (indeed, in the next few years), lowering the price of using solar to meet the evening peak, and of dealing with intermittency on the order of minutes to several hours. Only seasonal storage (and perhaps the political challenges of long-range transmission) seem to be truly difficult problems. And we have time before they begin to impair the growth of renewables.
WHAT THE THIRD PHASE MEANS FOR RENEWABLE GROWTH RATE
I’ve said often that renewables have grown exponentially. But the truth is that wind power growth rates around the world have slowed substantially. And solar power, once growing rapidly in Europe, has stagnated there over the last several years (at least, until a recent growth spurt spurred by solar entering Phase 2 in parts of Europe in the last year.)
But growth rates up until now are largely irrelevant. The whole point of growing renewables has been to drive down their cost. The actual amount of solar and wind that policies have deployed up until now is almost immaterially small. It just isn’t enough to matter. What matters is that policies up until now have driven down the cost of solar, wind, and energy storage by more than an order of magnitude.
If those policies, together with the fact that renewables are now competitive for new power even without subsidies in the sunny and windy parts of the world, continue long enough for renewables to drop another factor of 2 or 3 in price (on top of the factor of 10 or more that they’ve fallen already), then we’ll enter a new domain where renewable growth rates aren’t determined by fickle policy. Instead, they’ll be limited only by the pace at which renewables can be deployed: the pace at which factories for solar panels, wind turbines, and batteries can be built; the pace at which labor forces can be trained to deploy them; and the pace at which capital can be deployed to pay for their installation.
How fast is that? I have no idea. But there’s good reason to believe that in this second and third phase of renewables, the growth rate will accelerate rather than slowing. We will look back and see that the growth of renewables is an S-curve to be sure. But we may also look back and find that, as of 2019, we had not yet hit the first upward swing in that S-curve.
Earnings at Saudi Arabia’s giant oil company, at $111 billion last year, far outstripped the profits of giant tech companies or rival oil producers.
Article word count: 956
HN Discussion: https://news.ycombinator.com/item?id=19544825
Posted by dkyc (karma: 1337)
Post stats: Points: 114 - Comments: 85 - 2019-04-01T16:09:00Z
#HackerNews #apple #aramco #company #exceeding #far #most #profitable #saudi #worlds
Saudi Aramco’s Shaybah oil field in Saudi Arabia. Aramco has some of the world’s largest oil fields, leading to very low costs. Credit: Ahmed Jadallah/Reuters
The earnings of Saudi Arabia’s giant oil company have long been a mystery, kept under wraps by the country’s government. But on Monday, Saudi Aramco opened its books, revealing that it generated $111.1 billion in net income last year, making it probably the world’s most profitable company by far.
It handily beat Apple ($59.5 billion in net income in 2018) and ran laps around other oil companies like Royal Dutch Shell ($23.9 billion) and Exxon Mobil ($20.8 billion).
Aramco issued the financial data as it prepares to borrow up to $15 billion through a bond sale, in what could signal a more aggressive approach to capital-raising for both the company and Saudi Arabia. The disclosure reveals a company that is hugely profitable but also tightly bound to one country and the price of oil.
The money will help finance Aramco’s $69 billion purchase, announced Friday, of most of Saudi Basic Industries, or Sabic, a major petrochemical company. Aramco will be buying the stake from Saudi Arabia’s sovereign wealth fund, whose chairman is Crown Prince Mohammed bin Salman.
The crown prince, who is the kingdom’s main economic policymaker, wants to ease the economy’s dependence on oil and gas revenue through investments in technology companies like Uber. A planned stock sale by Aramco, which the Saudis hoped would be the largest initial public offering on record, was expected to raise money for that purpose. The I.P.O. was postponed last year, and the sale of the Sabic stake appears to be an alternative way of raising the funds.
While the crown prince pursues these investments and tries to recover from the political fallout caused by the killing of the Saudi journalist Jamal Khashoggi last year, Aramco also appears to be trying to make itself into a broader energy producer and, thus, more attractive if the government decides once again to try to sell a slice of the company.
Aramco’s chief executive, Amin Nasser, has said that the company is pursuing international acquisitions in areas like liquefied natural gas, a chilled fuel that can be transported globally on ships like oil.
The financial results also serve to show how the company is tied to oil prices. In 2016, for instance, a time of low prices, the company reported only $13.3 billion in net income.
For investors, Aramco’s ties to the Saudi government are also a persistent concern. “Unlike Exxon and Chevron, its revenue streams are highly dependent on a single country that could face real instability risks,” Ayham Kamel, an analyst at Eurasia Group, a consulting firm, wrote in a recent note to clients.
But analysts said that the financial information revealed on Monday showed that Aramco had plenty of firepower for more deals.
Aramco has “a huge amount of room” to issue debt, said David G. Staples, a managing director at Moody’s Investors Service, which issued a credit rating for Aramco on Monday.
Mr. Staples and a colleague, Rehan Akbar, noted that the company had already achieved enormous size and profitability without borrowing or selling stock to investors. In 2018, Aramco paid about $160 billion to the government in dividends, taxes and royalties.
Moody’s attributed Aramco’s profitability in part to economies of scale stemming from enormous production volumes extracted from oil and gas assets of unmatched size. Aramco has some of the world’s largest oil fields, leading to very low costs.
“Aramco’s scale of production in combination with its vast hydrocarbon resources is a very strong competitive advantage,” Moody’s analysts wrote.
The prospectus reveals some long-hidden details about the size of Saudi Arabia’s oil fields. Chief among these is a monster called Ghawar, which extends for about 120 miles in the eastern part of the country. The world’s largest oil field, according to the prospectus, Ghawar has accounted for more than half of Saudi Arabia’s cumulative production yet it still has reserves of 48 billion barrels and is capable of producing nearly four million barrels a day, both more than all but a handful of countries.
The oil wealth doesn’t stop there. The kingdom has four more fields that dwarf most others.
Aramco produced 13.6 million barrels per day in 2018 on average, more than three times the 3.8 million barrels per day reported by Exxon Mobil, according to the report. Overall, its revenue was about $360 billion.
Moody’s wrote that Aramco was “conservatively managed” with “very low debt levels.”
Mr. Staples said that based on his conversations with Aramco officials, he expected this careful approach to debt to continue, a policy that would likely find favor with investors if the Saudi government decides to revive its I.P.O. plans.
The agency rated the company A1, a strong rating but below that of large Western oil companies including Exxon Mobil and Shell. Mr. Staples said the lower rating reflected the concentration of most of Aramco’s operations in Saudi Arabia, which shares the same credit rating, and the government’s dependence on oil and gas revenue.
The thinking is that if Saudi Arabia were to encounter political instability or hard times, the oil company would feel the impact. “We have to take into account the risk profile” of the country, he said.
The company, founded by United States oil companies (Aramco is short for Arabian American Oil Company), was nationalized by the Saudi government in the 1970s.
In its prospectus, Aramco listed some of the risks and drawbacks that it faces in its operations. The Saudi government, for instance, determines how much oil Saudi Aramco should produce “based on its sovereign energy security goals or for any other reason.” The company also may face litigation over climate change or antitrust issues stemming from its membership in the Organization of Petroleum Exporting Countries, especially in the United States, Aramco’s prospectus said.
As a threat to wildlife, an amphibian fungus has become “the most deadly pathogen known to science.”
Article word count: 1115
HN Discussion: https://news.ycombinator.com/item?id=19515362
Posted by jchanimal (karma: 789)
Post stats: Points: 144 - Comments: 68 - 2019-03-28T18:57:54Z
#HackerNews #amphibian #become #deadly #fungus #has #known #most #pathogen #the
The mossy red-eyed frog is one of hundreds of species threatened by a virulent fungus that may be responsible for 90 extinctions in the past 50 years. Credit: Jonathan E. Kolby/Honduras Amphibian Rescue & Conservation Center
On Thursday, 41 scientists published the first worldwide analysis of a fungal outbreak that’s been wiping out frogs for decades. The devastation turns out to be far worse than anyone had previously realized.
Writing in the journal Science, the researchers conclude that populations of more than 500 species of amphibians have declined significantly because of the outbreak — including at least 90 species presumed to have gone extinct. The figure is more than twice as large as earlier estimates.
“That’s fairly seismic,” said Wendy Palen, a biologist at Simon Fraser University who is a co-author of a commentary accompanying the study. “It now earns the moniker of the most deadly pathogen known to science.”
Scientists first noticed in the 1970s that some frog populations were declining quickly; by the 1980s, some species appeared to be extinct. The losses were puzzling, because the frogs were living in pristine habitats, unharmed by pollution or deforestation.
In the late 1990s, researchers discovered that frogs in both Australia and Panama were infected with a deadly fungus, which they named Batrachochytrium dendrobatidis — Bd, for short.
The fungus turned up in other countries, but studies of its DNA suggest that Bd originated on the Korean Peninsula. In Asia, amphibians seem impervious to Bd, but when it got to other parts of the world — probably via the international trade in pet amphibians — the pathogen reached hundreds of vulnerable species.
Amphibians are infected with Bd by contact with other animals or by spores floating in the water. The fungus invades skin cells and multiplies. An infected frog’s skin will start to peel away as the animal grows sluggish. Before it dies, a frog may manage to hop its way to a new stream or pond, spreading the fungus further.
In 2007, researchers speculated that Bd might be responsible for all known declines of frogs that had no other apparent cause — about 200 species. For the most part, however, scientists studied Bd at the local level, looking at its impacts on particular species in particular places.
“We knew that frogs were dying all around the world, but no one had gone back to the start and actually assessed what the impact was,” said Benjamin Scheele, an ecologist at Australian National University and the lead author of the new study.
In 2015, Dr. Scheele and his colleagues gathered data from over 1,000 published papers on Bd, and traveled around the world to meet with experts and hear their unpublished observations.
Not only did the team analyze data on living amphibians, but they also looked at data from museums, where scientists found Bd DNA embedded in preserved specimens tucked away in cabinets.
The new study showed that some amphibians are at greater risk than others.
The fungus thrives in cool, moist conditions. As a result, frogs that live in cloud forests on mountainsides have been hit particularly hard.
Espada’s marsupial frog, near the Gocta Waterfall in the Chachapoyas province of Peru. Credit: Tiffany Kosch
Big frogs are at a greater risk, too, possibly because they don’t multiply as quickly as small ones.
Dr. Scheele and his colleagues identified 501 species in decline, far greater than the previous estimate of 200. Certain factors once thought to account for the decimation of frog populations — like climate change and deforestation — are not the greatest threats, the scientists found.
“A lot of those hypotheses have been discredited,” said Dr. Scheele. “And the more we find out about the fungus, the more it fits with the pattern.”
As it turns out, Bd wiped out some species long before it was discovered. Only by going back to museum specimens were scientists able to estimate the toll. “It’s scary that so many species can become extinct without us knowing,” said Dr. Scheele.
The decimation of frogs peaked in the 1980s, the researchers found, a decade before the discovery of Bd. Today, 39 percent of the species that suffered population declines in the past are still declining. Twelve percent are showing signs of recovery, possibly because natural selection is favoring resistant animals.
As dire as the study’s results turned out to be, Dr. Scheele is guardedly optimistic about future wildlife outbreaks. The element of surprise may have had a lot to do with Bd’s devastating success.
“It wasn’t expected or predicted, and so it took the research community a long time to catch up,” said Dr. Scheele.
In 2013, researchers discovered that a related fungus was attacking fire salamanders in Belgium. Called Batrachochytrium salamandrivorans (Bsal for short), it seemed poised to do to salamanders what Bd has done to frogs.
But this time, things are playing out differently.
Researchers discovered the outbreak and identified Bsal quickly. They immediately began running experiments to understand the threat it posed. Thanks to barriers to trade now in place, Bsal has yet to threaten another species anywhere.
“We’ve learned, and we’re dealing with it better,” said Dr. Scheele. “I guess the question is always, ‘Are we doing enough?’ And that’s debatable.”
There’s still plenty of reason to worry about outbreaks to come. Bd has yet to reach New Guinea, home to a wealth of amphibian species found nowhere else on Earth.
If a Bd-infected frog got to New Guinea, through the pet trade or as an accidental stowaway, the fungus would have a vast number of vulnerable hosts to attack.
“It could be a meltdown of the ecosystems over there,” said Daniel Greenberg, a graduate student at Simon Fraser University and co-author of the Science commentary.
The loss of frogs can alter entire ecosystems.
Without tadpoles to guzzle algae, blooms may choke streams. Without frogs to eat insects, some disease-carrying species may become more common. Birds and other predators that eat frogs have to find alternatives.
Scientists are not even resting easy about the species that have emerged intact from the Bd assault. Another strain of Bd, or some different species of fungus altogether, may prove to be even deadlier.
“It’s just Russian roulette, with moving pathogens around the world,” said Dr. Scheele.
Correction: March 28, 2019
An earlier version of this article, using information provided by a researcher, misstated the extent of the spread of a fungus that kills frogs. It has spread to Madagascar; it is not the case that the island country remains free of the fungus.
Carl Zimmer writes the “Matter” column. He is the author of thirteen books, including “She Has Her Mother’s Laugh: The Powers, Perversions, and Potential of Heredity.”
Very few people have heard of them, but "dev-fused" iPhones sold on the grey market are one of the most important tools for the best iOS hackers in the world.
Article word count: 3948
HN Discussion: https://news.ycombinator.com/item?id=19321270
Posted by runesoerensen (karma: 25457)
Post stats: Points: 154 - Comments: 34 - 2019-03-06T18:30:12Z
#HackerNews #apples #code #hackers #iphones #most #prototype #research #sensitive #that #use
Mathew Solnik stood next to two of the best iPhone hackers in the world and addressed the question the hundreds of people watching him were all wondering.
“The white elephant in the room: How exactly did we get it?” Solnik, a well-known security researcher, said as he wrapped up one of the most anticipated talks at the Black Hat security conference in Las Vegas in early August 2016. In attendance, among hundreds of security professionals and hackers, were researchers from a company that sells iPhone-cracking services to cops around the world, and Apple’s own employees.
The thing that his team had been able to analyze for the first time was the iPhone’s Secure Enclave Processor (SEP), which handles data encryption for the iPhone. How they were able to do this was a valid question given Apple’s notorious secrecy, and the fact that the SEP is one of the most important and most closely guarded components of the iPhone, the most secure smartphone on the market.
“Well, you get to ask us next time we talk,” Solnik added. (Solnik said the same when I approached him after the talk.)
There was no next time: The team has never publicly discussed its methods.
Now, more than two years later, Motherboard has learned how the team did it. During our investigation, we also discovered how other iPhone hackers research the most secure components and processes of the device.
“It’s kind of the golden egg to a jailbreaker.”
Solnik’s team used a “dev-fused” iPhone, which was created for internal use at Apple, to extract and study the sensitive SEP software, according to four sources with specific knowledge of how the research was done. Dev-fused devices are sometimes called prototypes in the security research industry. They are essentially phones that have not finished the production process, or have been reverted to a development state.
In other words, they are pre-jailbroken devices.
These rare iPhones have many security features disabled, allowing researchers to probe them much more easily than the iPhones you can buy at a store. Since the Black Hat talk, dev-fused iPhones have become a tool that security researchers around the world use to find previously unknown iPhone vulnerabilities (known as zero days), Motherboard has learned.
Dev-fused iPhones that were never intended to escape Apple’s production pipeline have made their way to the gray market, where smugglers and middlemen sell them for thousands of dollars to hackers and security researchers. Using the information gleaned from probing a dev-fused device, researchers can sometimes parlay what they’ve learned into developing a hack for the normal iPhones hundreds of millions of people own.
During Motherboard’s months-long investigation, I spoke to two dozen sources—security researchers, current and former Apple employees, rare phone collectors, and members of the iPhone jailbreaking scene—about the underground trade of dev-fused iPhones and their use in the iPhone hacking community. I used one of these devices and obtained “root” access on it, giving me almost total control over the phone; gaining root access allows researchers to probe many of the phone’s most important processes and components. And I learned that these devices are used by some of the highest-profile companies and independent experts that research and hack iOS to find valuable bugs that may later be exploited by governments and law enforcement agencies.
A dev-fused iPhone, connected to a Mac with a special cable, boots up. (Image: Motherboard)
At Black Hat, Solnik and his two former colleagues David Wang and Tarjei Mandt, also known as Planetbeing and Kernelpool in the iPhone jailbreaking community, blew the doors off the SEP with an impressive and technical talk. It delved into, for example, how the phone’s application processor and SEP communicate using a “secure mailbox,” the SEP’s “bootflow,” and the specific “opcodes” that Apple uses to read information from the processor.
For iPhone hackers, the presentation was a godsend. At the time, Patrick Gray, who hosts an influential infosec podcast, described it as a “how2pwn guide” for the SEP, and thus, the iPhone.
One reason the iPhone is so hard to hack is that Apple makes it almost impossible to study how the SEP and other key components work. That’s because the SEP operating system is encrypted, and—in theory—cannot be extracted or reverse engineered from a regular iPhone. But from a dev-fused device it’s possible, and has been repeated since Solnik’s talk by other researchers.
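An added example, not code from the Motherboard article or from any of the researchers it quotes: the first triage a researcher does on a firmware blob pulled off a device is to decide whether it is still ciphertext, as the SEP OS is on a production-fused iPhone, or plaintext, as it comes off a dev-fused one. A per-block Shannon entropy scan is the usual quick test, since ciphertext has a near-uniform byte histogram (about 7.95 bits per byte over a 4 KiB block) while code and data tables sit far below that and stay compressible. Everything below is constructed: the “firmware” images are synthetic, a SHA-256 counter keystream stands in for ciphertext, and the function names and thresholds are the example’s own.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096          # granularity of the entropy scan
ENCRYPTED_THRESHOLD = 7.9  # bits/byte; uniform random bytes score ~7.95 per 4 KiB block


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_blocks(image: bytes, block_size: int = BLOCK_SIZE,
                    threshold: float = ENCRYPTED_THRESHOLD):
    """Label each fixed-size block as 'encrypted' (near-uniform byte histogram)
    or 'plain' (structured, compressible bytes). Returns (offset, entropy, label)."""
    out = []
    for off in range(0, len(image), block_size):
        h = shannon_entropy(image[off:off + block_size])
        out.append((off, h, "encrypted" if h >= threshold else "plain"))
    return out


def looks_encrypted(image: bytes, min_fraction: float = 0.9) -> bool:
    """True when at least `min_fraction` of the blocks look like ciphertext,
    i.e. the blob is not worth loading into a disassembler as-is."""
    blocks = classify_blocks(image)
    if not blocks:
        return False
    encrypted = sum(1 for _, _, label in blocks if label == "encrypted")
    return encrypted / len(blocks) >= min_fraction


# --- constructed sample inputs (synthetic, not real SEP firmware) ------------

def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter-mode keystream used here as a stand-in for
    ciphertext; its byte histogram is as flat as real encrypted output."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def build_plaintext_image(blocks: int = 4) -> bytes:
    """A fake unencrypted firmware blob: an ASCII header, repetitive 32-bit words
    standing in for code and tables, and zero padding at the end."""
    header = b"SEPOS-DEV-BUILD\x00".ljust(64, b"\x00")
    words = b"".join(bytes([i & 0xFF, 0x00, 0x00, 0xD4]) for i in range(3072))
    return (header + words).ljust(blocks * BLOCK_SIZE, b"\x00")


PLAINTEXT_IMAGE = build_plaintext_image()
ENCRYPTED_IMAGE = keystream(b"constructed-seed", 4 * BLOCK_SIZE)
# Plain header block followed by an encrypted payload, as a packaged image might look.
MIXED_IMAGE = PLAINTEXT_IMAGE[:BLOCK_SIZE] + keystream(b"other-seed", 3 * BLOCK_SIZE)


if __name__ == "__main__":
    for name, image in [("plaintext", PLAINTEXT_IMAGE),
                        ("encrypted", ENCRYPTED_IMAGE),
                        ("mixed", MIXED_IMAGE)]:
        print(f"{name}: looks_encrypted={looks_encrypted(image)}")
        for off, h, label in classify_blocks(image):
            print(f"  0x{off:06x}  {h:5.2f} bits/byte  {label}")
```

The mixed image is why the scan runs per block rather than over the whole file: a plaintext wrapper around an encrypted payload averages out to a misleading middle value, while the block listing points straight at the boundary where the plaintext stops. A compressed (not encrypted) image also scores high, so a high-entropy verdict means “try known container and compression formats next,” not “give up.”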
“Wish I could say that they succeeded in pwning the system, but like many in the field [Solnik’s team] leveraged specific prototypes,” an iPhone jailbreaker who asked to be identified as Panaetius told Motherboard. Panaetius did not want to be identified given that he has also used dev-fused devices and is worried Apple may go after him.
A person who formerly worked in Apple’s security team told Motherboard that he approached Wang after the talk at the conference. When he asked Wang how they managed to study the SEP, Wang told him that “Solnik got a dev-phone and dumped the firmware through standard Apple tools.”
An independent iOS security researcher, who spoke on condition of anonymity in order not to damage his reputation within the jailbreaking community, said “Solnik was full of dev-fused [iPhones],” at the time of the SEP talk.
Another iOS security researcher, who also asked not to be identified, said he saw Solnik’s dev-fused devices and the proprietary cables used to work on them in the lead up to the SEP talk at Black Hat.
Solnik, Wang, and Mandt, did not respond to multiple requests for comment. (At the time of the talk, Wang and Mandt were working for Azimuth, an Australian company that provides top-end hacking tools to governments such as the USA, Canada and the UK. Solnik had just left Azimuth.) Solnik was the subject of an episode of Phreaked Out, Motherboard’s 2014 documentary series about hacking.
At the time, they may have been the first ones to get to the SEP, but thanks to the proliferation of dev-fused iPhones, others have repeated their feat. Lisa Braun, a pseudonymous independent iOS researcher, recently claimed to have dumped the SEP from an iPad Air 2 prototype.
And Braun is not the only one.
A few dev-fused iPhones, collected by Giulio Zompetti. (Image: Giulio Zompetti)
According to five sources in the iPhone hacking world, Cellebrite, a forensic firm that sells devices that can unlock iPhones, has purchased and used dev-fused devices to develop its products. Cellebrite did not respond to a request for comment.
Chris Wade, the cofounder of Corellium, a startup that sells a product that allows users to create virtual instances of almost any iOS device in the world, has also gotten his hands on these devices, according to three sources in the iPhone hacking world and three sellers.
Wade, who is known as cmw in the jailbreaking community, told Motherboard he has never purchased a dev-fused device. He admitted having “played” with them at a conference, but denied using them in the development of Corellium. (In a 2016 tweet, however, Wade joked about owning “iPhone prototypes.”)
“I want to be 100 percent clear we didn’t/don’t use dev phones @ Corellium. We don’t buy stolen Apple stuff!” Wade told Motherboard in an online chat. “I spent years working on Corellium and we never needed them. Using stolen dev phones is 100 percent the best way to get Apple to sue you or just fuck your life up.”
Before Solnik’s Black Hat talk, Apple had yet to provide decrypted kernels to the public. Analyzing the kernel is a key step to hacking the iPhone and to understanding how iOS really works under the hood. And these dev-fused iPhones, available on the gray market for four or five figures, are the perfect tool to do that.
“If you are an attacker, either you go blind or with a few thousand dollars you have all you need,” Luca Todesco, one of the most well-known iOS security researchers in the world, told Motherboard, referring to people who buy dev-fused iPhones. “Some people made the second choice.”
Other researchers in the community told Motherboard that dev-fused devices are widely used in the iPhone hacking scene by researchers looking for zero day vulnerabilities.
As Mandt put it in a tweet in July of 2017, “anyone with a bit of effort and money can get hold of a switchboard device.” (“Switchboard device” is another term for some dev-fused phones; it refers to the proprietary operating system they run.)
While the devices are indeed rare, if you go looking for them, they’re not hard to find.
“I’m here,” he texted me as I nervously looked around in the crowd of people criss-crossing a busy street in downtown Manhattan.
I looked up and saw a slender man with long dark hair, a colorful hat, and, of course, an iPhone in his hand. I followed him to his workshop nearby. To open the door, he used a fingerprint reader that he said he made and programmed himself. Inside the workshop, there’s a handful of electric skateboards, two fish tanks, and a sign that reads “If you taka my space I breaka your face.”
The man is one of the few people in the world who openly advertises and sells dev-fused iPhones. He has a Twitter account called “Apple Internal Store,” but doesn’t share his real name because he is concerned Apple may go after him. He openly advertises dev-fused and other prototype iPhones for sale: One type of dev-fused iPhone X costs $1,800, for example. After reaching out on Twitter, he agreed to meet with me.
The seller said he’s sold to several security researchers, and believes that many big security firms that hack iPhones have them.
“Those people, they don’t care about money. They don’t care about the price,” he said. “Whatever it is, the company buys it.”
He’s defensive when I ask how he got the phones.
“Well, I didn’t steal any device. I actually paid for them,” he said as he showed off a bunch of dev-fused devices. “As long as you don’t break [Apple’s] balls, or show an iPhone 11 prototype, or an unreleased device, they’re most likely cool with that.”
On the back of dev-fused iPhones seen by Motherboard, there’s a QR-code sticker, a separate barcode, and a decal that says “FOXCONN,” referring to the factory that makes iPhones and other Apple products. Otherwise, the phones look like normal iPhones. That standard iPhone experience ends when the phone is turned on. When booted up, you briefly see a command line terminal. And then when it loads, gone are the sleek icons and colorful backgrounds of iOS. The phone boots into an operating system known as “Switchboard,” which has a no-nonsense black background and is intended for testing different functionalities on the phone. The home screen is populated with icons for apps with names like MMI, Reliability, Sequencer, and Console, an app that allows you to open a command line terminal inside the iPhone.
A dev-fused iPhone mounted on a rig. (Image: Motherboard)
Clicking through these apps is at times frustrating, as they’re made to be used via the command line terminal while connected to a computer. Most of them cannot be closed by tapping or swiping, meaning the phone needs to be turned off and back on to get back to the home screen. Switchboard’s apps suggest a playfulness that Apple doesn’t always let through on iOS. The icon for “Reliability” features a doge (from the meme) playing a musical keyboard. The app itself allows you to test the functionality of the phone’s cameras, speakers, microphone, battery, and ambient light sensors, among other components. An app called “Ness” features the lead character from Nintendo’s game Earthbound. The iPhone wiki speculates it could be used to test the phone’s temperature; when I try to launch it, the phone turns off. An app called “Sightglass” used to have the logo for a San Francisco coffee roaster by the same name; it has been changed to a matrix of colored dots.
You can’t do too much with the phone on its own. But once you connect it to a Mac with a proprietary Apple USB cable called “Kanzi,” which can cost around $2,000 on the gray market, you are able to use other internal Apple software (that is widely shared in the jailbreaking community) to get root access on the phone and burrow deep into its software and firmware. The special cable is required because Apple uses a proprietary protocol for accessing certain data within the iPhone to debug the kernel and other hard-to-reach components.
Two people showed Motherboard how to get root access on the phone we used; it was a trivial process that required using the login: “root” and a default password: “alpine.”
Not all dev-fused devices look normal, though. Some of them come mounted on clunky-looking metal rigs that allow you to open them up like a pizza box to inspect the phone’s guts, look at the battery, motherboard, and other internal parts. One that I saw had external wires running from the rig to the inside of the device; the rig itself had what looked like RF connector ports attached to those wires, as well as external, metal volume and power buttons.
Once I started looking for dev-fused iPhones, they weren’t that hard to find, provided you’re willing to shell out a few thousand bucks and aren’t worried about potentially pissing off Apple. Besides Apple Internal Store, there are other Twitter accounts that openly advertise them.
A screenshot of an advertisement on Twitter from Jin Store for an iPhone X prototype.
The owner of the Twitter account Jin Store, which claims to sell dev-fused or prototype iPhones, shared their catalog with Motherboard. A dev-fused iPhone 8 Plus costs $5,000, an iPhone XR $20,000, and an older iPhone 6 costs $1,300 (there are several different types of dev-fused devices that have different levels of security and varying features on them. The price of the dev-fused device depends on the security and features it includes.)
In a conversation via WeChat, Jin said that they personally know Solnik, but declined to say whether he was a customer.
The person behind another dev-fused store that advertises on Twitter, who goes by Mr. White, said he has “almost all” iPhone models. He also claimed to have sold “a lot of” dev-fused iPhones to security researchers.
“I don’t know how to get SEPROM,” Mr. White told me in an online chat, referring to the SEP’s boot ROM. “But I know that their research needs my equipment.”
THE DEVICES THAT ESCAPE SHENZHEN
Though it’s possible to buy dev-fused iPhones from various sources, it’s not like there’s a huge supply of them. Outside of Apple and the security research industry, these devices are almost a complete unknown. Even finding any substantial online references to the term dev-fused is difficult.
In a Hacker News thread prompted by a Motherboard investigation on the iPhone bug bounty program, former iPhone jailbreaker and current security researcher Will Strafach wrote that “Apple has dev-fused devices which use separate development certificates and keys.” An entry in the unofficial iPhone wiki also briefly mentions prototype devices. The page is introduced by a big red rectangle that warns readers that “acquiring a copy [of internal Apple software] without Apple’s consent is illegal and may result in being scammed.”
The day after Solnik, Mandt and Wang’s talk, Apple’s head of security Ivan Krstić also spoke at Black Hat. A single line of his presentation slides referred to “development fused” iPhones, though he didn’t actually mention them during his talk. As far as we know, that’s the only time Apple has publicly acknowledged their existence. An Apple spokesperson declined to discuss these devices with Motherboard.
When reached via Twitter, Krstić said that he could not talk about anything work related, and instead joked I could ask him about his “borderline-encyclopedic knowledge about preparing steak.”
But despite being essentially a secret from the public, security researchers and hackers have known about and used these devices for years.
“They are very popular among security researchers,” said a person who’s familiar with the supply chain of smuggled iPhones in China, who spoke on condition of anonymity to avoid putting his associates in China at risk. “I’ve had a number ask me and say they were willing to pay a significant amount of money to get dev phones.”
“They are stolen from the factory and development campus.”
Andrew “Bunnie” Huang, a well-known hardware security researcher who wrote the ultimate guide to Shenzhen’s electronics markets, told Motherboard that he has seen some of these devices in China. Few people know exactly how they get from Foxconn, which manufactures iPhones, to Shenzhen’s markets. But they find a way there.
“They are stolen from the factory and development campus,” a person who sells these devices on Twitter told Motherboard.
At times, Huang said, even the people who sell dev-fused devices in Shenzhen aren’t aware of how valuable they can be to hackers and security researchers.
“The gray market guys donʼt even know what they sit on half the time,” Huang said in an online chat. “They are just trading trash for cash.”
“It gives you a new attack surface thatʼs not as heavily fortified,” Huang added. “They donʼt put the metaphorical lock on the door until the walls are built on the house, so to speak.”
Giulio Zompetti uses a dev-fused iPhone.
A couple of dev-fused devices, collected by Giulio Zompetti. (Image: Giulio Zompetti)
To be more technical, and unlike the iPhones you can buy at the Apple store, called “prod” or “production fused,” these devices allow their owners to boot into Switchboard. This software allows researchers to hack and reverse engineer different components of iOS. These would usually be off limits without hard-to-get vulnerabilities and a jailbreak, which is worth millions of dollars in today’s zero-day market.
“Prod fused means there’s a specific pin on the board that is ‘blown’ in the production phase. The board checks that pin to see if the device is prod or not,” a former Apple employee who wanted to remain anonymous because he is bound by a non-disclosure agreement, told Motherboard. “If it isn’t, and the firmware is dev version, then certain features are enabled.”
With a proprietary Apple cable and the right skills, they’re the perfect iPhone hacker’s playground.
In 2017, Motherboard reported that the best iPhone hackers in the world did not want to report bugs to Apple, even after the company promised six-figure rewards. One of the complaints the researchers had was that it was incredibly hard to find bugs without already knowing about other bugs. In other words, security researchers need iOS bugs—those that allow them to jailbreak the device and disable security features—just to be able to do their research. If independent researchers were to report bugs to Apple, in their view, they could lead Apple to fix the flaws they rely on to find other bugs.
At the time, some of the researchers said that it’d be better if Apple gave them “developer devices.”
As it turns out, some already had them.
“Itʼs kind of the golden egg to a jailbreaker,” according to Panaetius, who said he’s bought and re-sold several dev-fused devices. “Here’s a device where you can slap all the security mechanisms out of the way. Because there are still security mechanisms on a development fused device, but you can kind of just push them.”
iPhone hackers, however, are not too keen to discuss the fact that they use them. Some told me that using them is like “cheating,” and others swore to me that they have never used them because it’d be perceived in the scene as being lame.
“Many folks are very wary of these. Just because many do not want to deal with Apple’s allegedly vicious legal folks,” a security researcher who has been in the jailbreak community for years, and asked to be anonymous to discuss sensitive issues, told Motherboard.
Others aren’t nearly as concerned.
Giulio Zompetti, who calls himself a collector of iPhone prototypes, told me he has 14 dev-fused iPhones, as well as some iPods and iPads. He showed me many of them on a video chat.
He said that while he plays around with his dev-fused devices, he doesn’t hack them—he only collects them.
“For me it’s a bit of an investment. The older they are, the harder it is to find them,” Zompetti said in a phone call. “It’s just fun. The search of something that by itself is really hard to get.”
“The goal is to reconstruct history,” Zompetti told me as he showed me some of his pieces, including an iPhone 5S that he said was dated just a couple of months after the release of the iPhone 5, the previous model.
Another collector who showed me pictures of his devices told me they have too many devices to count.
Mathew Solnik poses during a demo of a hacking technique for Motherboard’s 2014 documentary Phreaked Out. (Image: Motherboard)
Apple is well aware of the fact that dev-fused devices get traded around, according to five sources within and outside the company. Several sources both inside Apple and in the jailbreaking community believe that Apple has ramped up its efforts to keep these devices from escaping Foxconn and to go after people who sell them. It’s no surprise Apple knows that researchers covet these—some of them have even poked Apple publicly. Back in 2016, Solnik teased his great breakthrough on Twitter weeks before his Black Hat talk.
“Who wants to see a security team jump?” he tweeted, along with a screenshot of a terminal window that showed Solnik had been able to obtain the Secure Enclave Processor firmware. “I’ll just leave this here.”
The precise step-by-step of how Solnik, Wang, and Mandt were able to decrypt and reverse engineer the firmware has never been discussed publicly. Their talk, however, was enough to attract Apple’s attention and boost the speakers’ careers and reputation within the iPhone security research community.
A tweet from Mathew Solnik
Mandt is still at Azimuth, whereas Wang moved to Corellium. Solnik, on the other hand, is himself a bit of a mystery. At the time of the SEP talk, he was heading his own startup, called OffCell, which was founded with the goal of becoming a government contractor providing offensive security tools and exploits to governments, according to several sources who know Solnik.
In 2017, however, Solnik was hired by Apple to work on its security team, specifically on the so-called red team, which audits and hacks the company’s products. His talk at Black Hat had apparently impressed the folks at Cupertino. A few weeks later, however, he abruptly left the company, according to multiple sources.
The full story of Solnik’s short stint at Apple is a closely-guarded secret. Motherboard spoke to dozens of people and was unable to confirm the specifics around his leaving the company; one source within Apple told me information about Solnik is “incredibly restricted,” and another confirmed that even within Apple, few know exactly what happened.
Apple repeatedly declined to comment or respond to any questions regarding Solnik, but did not deny that Solnik worked there.
In any case, the underground market for dev-fused iPhones is now flourishing. And, for now, Apple doesn’t seem able to stop the flood, despite the fact that these leaks are fueling a growing industry of iPhone hacking companies.
“To be honest everyone benefits from Apple’s lousy supply chain management,” Viktor Oreshkin, an iOS security researcher, told Motherboard in an online chat. “Except Apple, obviously.”
We take a look at the differing firearm regulations in each country and take into account potential factors that could have an effect on this trend.
Article word count: 2496
HN Discussion: https://news.ycombinator.com/item?id=19297132
Posted by egusa (karma: 464)
Post stats: Points: 109 - Comments: 102 - 2019-03-03T21:45:17Z
#HackerNews #gun #guns #laws #lives #most #take #the #where
A study released last year revealed that just six countries make up over half of all gun-related deaths, and they’re all in the Americas. Topped by Brazil with 42,000 deaths, the macabre list is followed by the United States, Mexico, Colombia, Venezuela and Guatemala.
One in four people murdered annually is a Brazilian, Colombian, Mexican or Venezuelan, reported the Igarape Institute, and although Latin America only holds 8% of the world’s population, 38% of the world’s murders occur on the continent. Between 2000 and 2006 in South America, 53% of all murders were committed with a firearm, a statistic which skyrockets to 78% in Central America. The global average is 32%.
Why are firearm deaths so prevalent in these six countries? We take a look at the differing firearm regulations in each country and take into account potential factors that could have an effect on this trend.
Despite ex-President Lula Da Silva’s attempt to place stronger restrictions on gun ownership in 2003, a 2005 referendum showed that 64% of Brazilians did not want to ban the sale of guns and ammunition to civilians. Newly-inaugurated President Jair Bolsonaro used this as leverage to sign new legislation in January making it much easier to obtain and use firearms. The reason, Bolsonaro explained according to Reuters, is “to guarantee citizens’ legitimate right to defense.”
Some constraints from previous legislation do still apply, such as restricting the purchasing age to 25. To obtain a permit it is also necessary to pass a psychological test, maintain consistent employment, show proof of a fixed residence and a clean criminal record.
However, Bolsonaro’s new legislation created new categories that warrant citizens’ possession of a firearm in their house or business. These include gun collectors, hunters, those living in rural or urban areas with high homicide rates, as well as those responsible for commercial or industrial establishments. The new measure is temporary and will have to be ratified by congress within 180 days.
Brazil has one of the highest murder rates in the world, with 27.8 people in each 100,000 murdered in 2016 and 19.4 of those being deaths caused by firearms, reported a JAMA report on Global Mortality from Firearms.
A 2015 Map of Violence commissioned by ex-President Dilma Rousseff found that there were around 15 million guns in Brazil (eight per 100 residents), with 6.8 million legally registered and 8.5 million illegal firearms. The study estimated that at least 3.8 million were in the hands of criminals.
The Economist stated that rapid urbanisation and inequalities in wealth distribution were some of the largest factors in violent crime, and as one of the most unequal countries on the planet, Brazil backs up this claim. A UNESCO study states that between 2006 and 2013, the top 1% of the richest people in Brazil accrued 25% of all incomes. The Igarape study on Citizen Security in Latin America reported that 90.6% of Brazilian citizens live in cities, and that of the 50 most murderous cities on earth in 2016, Brazilian cities occupied 27 places on the list.
Article 10 in the Mexican Constitution states that Mexicans “have the right to possess firearms in their home, for their security and legitimate defense, with exception to those prohibited by Federal Law.”
A member of the Mexican security forces. Photo courtesy of Pixabay.
In order to legally acquire a gun, an individual must obtain a one-year gun permit within 30 days of purchasing a firearm. Requirements for this include being 18 years old, passing mental and physical capacity tests, having fulfilled military service, and holding no criminal convictions. The gun owner must also be part of a shooting club, can get permits for up to 10 weapons and can only buy ammunition for the calibres of guns owned.
However, there is a loophole. In a country of nearly 132 million people, there is only one shop that sells firearms, which is located in Mexico City. Despite this limiting factor, Small Arms Survey reported that in 2017, Mexico had 12.9 guns per 100 civilians, although of the 16,809,000 guns estimated in circulation in that year, only 3,118,592 were legally registered.
This high level of unregistered firearms has been attributed to Mexico’s proximity with the United States, as thousands of gun retailers sit just over the border. A report on gun trafficking between the US and Mexico revealed that almost 90% of the guns recovered and identified from Mexican crime scenes can be traced back to firearm dealers in the neighbouring country.
The Central American country is notorious for its rising crime rates, and Reuters reported that 2018 was the most violent year in Mexican history with over 34,000 homicides. This has been attributed, in part, to struggles between splintered drugs cartels and conflict over the rising market of stolen fuel.
In Colombia, according to article 233 of the National Constitution, only the government can control the distribution and fabrication of arms, as well as exercising the right to give licences.
To legally acquire a firearm, an individual must be over 18, and will have to prove that the weapon is either necessary for self-defense or is required for their profession. A permit is valid for 10 years, which requires the applicant to pass a background check which considers mental health, physical health as well as criminal and addiction records.
However, although possession of guns in the home is allowed, in 2015 then-President Juan Manuel Santos signed a decree that suspended civilians’ ability to carry guns. Citing a subsequent “decreasing trend in homicides and injuries caused by firearms,” the government extended the decree year by year; however, on December 24, 2018, President Iván Duque added exceptions to it.
Decree 2652 will allow the Ministry of Defense more flexibility to give carry permits “for urgent or security reasons […] taking into account, among other factors, the individual conditions of each application.” Publimetro reported that special evaluation committees will be created in order to provide carry permits, which will also be subject to quarterly assessments.
The JAMA report states that in 2016 there were 25.9 deaths by firearm per 100,000 people. Gun violence remains problematic in the country, as there is a large disparity between registered and illegal guns in Colombia. The country is estimated to have 4,971,000 guns in circulation, but only 706,210 of them are registered with the Ministry of Defense.
Despite its gun woes, Colombia has come a long way from the 1990s when it held the title as “most dangerous country in the world,” and Forbes estimated that there were 300 murders per 100,000 inhabitants.
In Venezuela, civilians are not allowed to possess weapons of war, although what this refers to is not specifically defined. Handguns are allowed under licence, and automatic and semi-automatic guns are not specifically prohibited and may be allowed at the discretion of the authorities.
In 2002, Congress passed the Law of Disarmament, which aimed to collect illegal weapons as well as prohibiting them in public spaces and where alcohol is sold.
It also raised the age for gun possession to 25, as well as added certain prerequisites such as a clean criminal record, passing a psychological exam, gaining a training certificate, and showing legal proof of purchase of the firearm. Gun permits must be renewed every two years and holders may only have one gun with 50 bullets per year.
Nicolas Maduro created another disarmament campaign when he came into power in 2013, where citizens were encouraged to hand in their unlicensed guns, and according to Noticias 24 over 26,000 guns were destroyed in 2014.
However, as the country entered into crisis, the government stopped releasing official data. The JAMA study states that there are 18.5 guns per 100 citizens, and estimated the amount of guns in the country at 5,895,000 although there is no data available to determine how many of these are legally registered with the government.
The Igarape study also revealed that Venezuela is internally perceived as one of the most dangerous countries, as only 14% of citizens said they felt safe. In 2015, the study continued, just 19% of Venezuelans reported being confident in the police – the lowest score of any country on the planet.
The Economist stated that perceived danger and a lack of trust in security forces are influencing factors for increased gun use in society, as citizens feel they need to take matters into their own hands. JAMA reported that there are 38.7 firearm deaths per 100,000 people, the second highest among these six countries.
At least 17 of the world’s most violent countries are Central American or Caribbean, and Guatemala is no exception. It is one of the most dangerous countries on this list, with 32.3 deaths by firearm per 100,000 residents, and as of 2016, the capital city of Guatemala was ranked the 9th most homicidal in the world.
Guatemalan law states that “all citizens have the right to have firearms in their place of living,” although they can only be acquired by licensed gun owners. No reason is required to possess a firearm, but owning one for personal security reasons does require government approval. Minimum age is not defined for gun ownership, although there is a minimum age of 25 for carrying firearms, and across the country there are 12.1 firearms per 100 civilians.
A gun licence requires proof that the applicant does not suffer from any mental illnesses, that they haven’t deserted either the Guatemalan army or police force, and they must have a clean police record. Carrying guns in public places is permitted with a license.
Across Latin America there are more private security guards than police officers – Igarape puts the ratio at 3.8 million private guards to 2.6 million police officers. In Guatemala, this is even more pronounced, as 120,000 private guards massively outnumber the 19,900-strong police force. A lax public attitude to vigilante behaviour also exists, as over 30% of Guatemalans agree with “taking the law into their own hands.”
The United States is the only developed country on the list, yet still has a high rate of firearm death at 10.6 per 100,000 citizens. This is higher than other wealthy nations which have similar gun laws, such as Canada (2.1) and much higher than the United Kingdom’s 0.3 or Japan’s 0.2, whose firearm regulation is much stricter.
Another difference, which also follows the trend of developed countries, is that most gun deaths (6.5 per 100,000 citizens) were suicides, whereas globally they are more likely to be homicides.
The rest of the countries on this list have “restrictive” gun regulation, according to Gun Policy, whereas in the United States, it is “permissive.”
The right to bear arms is an intrinsic part of the United States constitution, and owning semi-automatic guns and handguns is permitted without a license in almost all states. Fully automatic weapons, however, are subject to federal licensing and registration. The age restriction is 18-years old for rifles and shotguns, and 21-years for other types of firearm.
Individuals are not allowed to bear arms if they have been sentenced to a year of imprisonment in a federal court or two years’ imprisonment in a state court, unless the crime was due to regulation of business practices. The right to own a firearm is also not permitted if the buyer has been convicted of domestic violence or has been discharged under dishonorable conditions from the US armed forces.
The Small Arms Survey reports that there are more guns than civilians in the United States, with 120.5 guns per 100 citizens. That adds up to an estimated 393.3 million guns, of which only 1 million are registered. This is due to the fact that guns don’t need to be registered upon purchase in most states.
Guns have symbolic, cultural, and economic importance in the United States, where ownership provides a sense of security, allows participation in traditional sports such as hunting, and the industry employs hundreds of thousands of Americans, reported RAND research and analysis group.
Normally, as a country becomes wealthier and develops stronger governmental institutions, the rate of firearm death reduces, but this is not the case for the United States. The Harvard School of Public Health (HSPH) suggests there is a simple answer to this: “where there are more guns there is more homicide.”
“With less than 5% of the world’s population, the United States is home to roughly 35–50 per cent of the world’s civilian-owned guns,” the Small Arms Survey stated in 2007. “[…] Therefore, any discussion of civilian gun ownership must devote disproportionate attention to the United States.”
Is there a correlation between gun regulation and firearm deaths?
All the Latin American countries on the list have restrictive gun policies, but this is counteracted by large amounts of unregistered and illegal firearms, and in Mexico’s case, guns trafficked from the U.S.
The Economist reported that Latin America is the most urbanised part of the developing world. This recent and concentrated movement of people from the countryside to urban areas has been dogged by inequality, unemployment, poor government services and easy access to firearms. This created a fertile breeding ground for violence, which was left unchecked by government security forces who never managed to gain citizens’ trust.
For the United States, the situation is a little different. According to a 2018 Gallup poll, only 15% of Americans have very little or no confidence in the police, with 54% having a “great deal/quite a lot” of confidence, making the police force the third most trusted institution in the country. Although income inequality is on the rise in the US according to the 2018 World Inequality Report, it is still far below countries such as Brazil.
Despite this, gun crime remains high. The correlation between high gun ownership and high gun crime could be the primary factor, something which often holds true among wealthy nations even when the US is removed from the equation, reported the HSPH. Among the top 25 countries with the highest firearm-to-civilian ratio, Uruguay was the only country in Latin America to make it on the list.
Ultimately, where there are guns there will be gun crime, and limited regulations are likely to exacerbate the issue. Muggah echoed this sentiment in his criticism of Bolsonaro’s recent loosening of gun laws.
“There is no hard evidence that loosening access to firearms improves public safety or security,” he told Reuters. “By contrast, there is considerable evidence that responsible regulations are associated with reductions in gun-related homicide of civilians and police officers alike.”
The causes of gun crime cannot be limited solely to gun restrictions. However, in developed countries such as the United States, which has much higher rates of gun crime than other wealthy nations with more restrictive policies, it could be a factor to consider. But for Latin American countries, where restrictive policies are already in place, what is clear is a lack of trustworthy government institutions and internal security that can effectively monitor gun use.
we found that 44% of docker image scans had known vulnerabilities, and for which there were newer and more secure base image available. Most vulnerabilities originate in the base image you selected.…
Article word count: 884
HN Discussion: https://news.ycombinator.com/item?id=19255603
Posted by vinnyglennon (karma: 10948)
Post stats: Points: 196 - Comments: 43 - 2019-02-26T16:24:41Z
#HackerNews #contain #docker #each #images #least #most #popular #ten #top #vulnerabilities
Welcome to Snyk’s annual State of Open Source Security report 2019.
Known vulnerabilities in docker images
The adoption of application container technology is increasing at a remarkable rate and is expected to grow by a further 40% in 2020, according to 451 Research. It is common for system libraries to be available in many docker images, as these rely on a parent image that is commonly using a Linux distribution as a base.
Docker images almost always bring known vulnerabilities alongside their great value
We’ve scanned through ten of the most popular images with Snyk’s recently released docker scanning capabilities.
The findings show that in every docker image we scanned, we found vulnerable versions of system libraries. The official Node.js image ships 580 vulnerable system libraries, followed by the others each of which ship at least 30 publicly known vulnerabilities.
Number of OS vulnerabilities by docker image
Snyk recently released its container vulnerability management solution to empower developers to fully own the security of their dockerized applications. Using this new capability, developers can find known vulnerabilities in their docker base images and fix them using Snyk’s remediation advice. Snyk suggests either a minimal upgrade, or alternative base images that contain fewer or even no vulnerabilities.
Fix can be easy if you’re aware. 20% of images can fix vulnerabilities simply by rebuilding a docker image, 44% by swapping base image
Based on scans performed by Snyk users, we found that 44% of docker image scans had known vulnerabilities for which newer and more secure base images were available. This remediation advice is unique to Snyk, and developers can act on it by upgrading their docker images.
Snyk also reported that 20% of docker image scans had known vulnerabilities that simply required a rebuild of the image to reduce the number of vulnerabilities.
Vulnerability differentiation based on image tag
The current Long Term Support (LTS) version of the Node.js runtime is version 10. The image tagged with 10 (i.e. node:10) is essentially an alias to node:10.14.2-jessie (at the time that we tested it), where jessie specifies an obsolete version of Debian that is no longer actively maintained.
If you had chosen that image as a base image in your Dockerfile, you’d be exposing yourself to 582 vulnerable system libraries bundled with the image. Another option is to use the node:10-slim image tag, which provides slimmer images without unnecessary dependencies (for example, it omits the man pages and other assets). Choosing node:10-slim, however, would still pull in 71 vulnerable system libraries.
Most vulnerabilities originate in the base image you selected. For that reason, remediation should focus on base image fixes
The node:10-alpine image is a better option to choose if you want a very small base image with a minimal set of system libraries. However, while no vulnerabilities were detected in the version of the Alpine image we tested, that’s not to say that it is necessarily free of security issues.
Alpine Linux handles vulnerabilities differently from the other major distributions, which prefer to backport sets of patches. Alpine prefers rapid release cycles for its images, with each image release providing a system library upgrade.
Number of vulnerabilities by node image tag
Moreover, Alpine Linux doesn’t maintain a security advisory program, which means that if a system library has vulnerabilities, Alpine Linux will not issue an official advisory about it; Alpine Linux will mitigate the vulnerability by creating a new base image version including a new version of that library that fixes the issue, if one is available (as opposed to backporting as mentioned).
There is no guarantee that the newer, fixed version of a vulnerable library will be immediately available on Alpine Linux, although it often is. Despite this, if you can safely move to the Alpine Linux version without breaking your application, you can reduce the attack surface of your environment because you will be using fewer libraries.
The use of an image tag, like node:10, is in reality an alias to another image, which constantly rotates with new minor and patched versions of 10 as they are released.
Docker terminal screenshot
A practice that some teams follow is to use a specific version tag instead of an alias so that their base image would be node:10.8.0-jessie for example. However, as newer releases of Node 10 are released, there is a good chance those newer images will include fewer system library vulnerabilities.
Using the Snyk Docker scanning features we found that when a project uses a specific version tag such as node:10.8.0-jessie, we could then recommend newer images that contain fewer vulnerabilities.
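As an added example (not Snyk’s code and not part of the report), the following Python check applies the base-image points above to the FROM lines of a Dockerfile: an alias tag such as node:10 floats to whatever the registry currently points it at, a specific version tag without a digest is reproducible only by convention and can fall behind newer images that carry fewer vulnerable libraries, and a tag built on an end-of-life distribution such as jessie no longer receives security fixes. The end-of-life code names other than jessie, the sample Dockerfile and the placeholder digest are assumptions made for the example.

```python
"""Flag risky base-image references in a Dockerfile (added example, not Snyk's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Distribution code names treated as end-of-life. "jessie" is the one the report
# names; the other two are assumed for illustration.
EOL_CODENAMES = {"jessie", "wheezy", "trusty"}

# Matches: FROM [--platform=<p>] <image>[:<tag>][@sha256:<digest>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?"
    r"(?P<image>[^\s:@]+)"
    r"(?::(?P<tag>[^\s@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
    r"(?:\s+AS\s+\S+)?\s*$",
    re.IGNORECASE,
)


@dataclass
class BaseImage:
    line_no: int
    image: str
    tag: Optional[str]
    digest: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_base_images(dockerfile: str) -> List[BaseImage]:
    """Return one BaseImage per FROM line (multi-stage builds have several)."""
    bases = []
    for n, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if m:
            bases.append(BaseImage(n, m["image"], m["tag"], m["digest"]))
    return bases


def assess(base: BaseImage) -> List[str]:
    """Apply the report's base-image rules to one FROM reference."""
    out: List[str] = []
    if base.image == "scratch":
        return out  # empty image: no system libraries to carry vulnerabilities
    if "$" in base.image or (base.tag and "$" in base.tag):
        return ["reference uses a build ARG; resolve it before checking"]
    tag = base.tag or "latest"
    if base.digest is None:
        if base.tag is None or tag == "latest" or re.fullmatch(r"\d+", tag):
            out.append(f"alias tag '{tag}' floats: each rebuild resolves to whatever the "
                       "registry currently points it at; pin by digest and refresh the "
                       "pin when a fixed image ships")
        else:
            out.append(f"tag '{tag}' is not pinned by digest: a rebuild may pull a "
                       "different image, and newer images in this line may carry "
                       "fewer vulnerable libraries; rescan regularly and pin")
    eol = EOL_CODENAMES.intersection(tag.lower().split("-"))
    if eol:
        out.append(f"base distribution '{sorted(eol)[0]}' is end-of-life: its system "
                   "libraries no longer receive security fixes")
    return out


def audit_dockerfile(dockerfile: str) -> List[BaseImage]:
    """Parse every FROM line and attach findings to each base image."""
    bases = parse_base_images(dockerfile)
    for b in bases:
        b.findings = assess(b)
    return bases


# Constructed sample Dockerfile (not from the report) covering each case; the
# digest is a placeholder, not that of any real image.
SAMPLE_DOCKERFILE = """\
FROM node:10 AS deps
FROM node:10.8.0-jessie AS build
FROM --platform=linux/amd64 node:10-alpine@sha256:{digest}
FROM debian:jessie-slim
FROM scratch
""".format(digest="a" * 64)


if __name__ == "__main__":
    for b in audit_dockerfile(SAMPLE_DOCKERFILE):
        ref = b.image + (f":{b.tag}" if b.tag else "")
        if b.digest:
            ref += "@" + b.digest[:19] + "..."
        print(f"line {b.line_no}: {ref}")
        for f in b.findings:
            print(f"    - {f}")
```

The check is deliberately one-sided: it reports on the reference, not on the image contents, so it complements rather than replaces a scan of the pulled image. Run over the sample it reports the node:10 alias as floating, the node:10.8.0-jessie and debian:jessie-slim stages as both unpinned and built on an end-of-life distribution, and leaves the digest-pinned Alpine stage and the scratch stage clean.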
Known vulnerabilities in system libraries
There is an increase in the number of vulnerabilities reported for system libraries, affecting some of the popular Linux distributions such as Debian, Red Hat Enterprise Linux and Ubuntu. In 2018 alone we tracked 1,597 vulnerabilities in system libraries with known CVEs assigned for these distros, which is more than four times the number of vulnerabilities compared to 2017.
Linux OS vulnerabilities steadily increasing
As we look at the breakdown of vulnerabilities (high and critical) it is clear that this severity level is continuing to increase through 2017 and 2018.
High and critical vulnerabilities in system libraries
At first glance, it’s hard to know what’s happening in this picture. A giant mushroom seems to have sprouted in a factory floor, where ghostly men in...
HN Discussion: https://news.ycombinator.com/item?id=19233706
Posted by lelf (karma: 37588)
Post stats: Points: 128 - Comments: 44 - 2019-02-23T15:29:42Z
#HackerNews #2016 #chernobyls #dangerous #famous #material #most #photo #radioactive
Artur Korneyev, Deputy Director of Shelter Object, viewing the “Elephant’s Foot” lava flow at Chernobyl, 1996. (Photo: US Department of Energy)
At first glance, it’s hard to know what’s happening in this picture. A giant mushroom seems to have sprouted in a factory floor, where ghostly men in hardhats seem to be working.
But there’s something undeniably eerie about the scene, for good reason. You’re looking at the largest agglomeration of one of the most toxic substances ever created: corium.
In the days and weeks after the Chernobyl nuclear disaster in late April 1986, simply being in the same room as this particular pile of radioactive material—known as the Elephant’s Foot—would have killed you within a couple of minutes. Even a decade later, when this image was taken, the radiation probably caused the film to develop strangely, creating the photo’s grainy quality. The man in this photo, Artur Korneyev, has likely visited this area more than anyone else, and in doing so has been exposed to more radiation than almost anyone in history.
Remarkably, he’s probably still alive. The story of how the United States got a hold of this singular photo of a human in the presence of this incredibly toxic material is itself fraught with mystery—almost as much as why someone would take what is essentially a selfie with a hunk of molten radiated lava.
This picture first came to America in the late 1990s, after the newly independent Ukrainian government took over the plant and set up the Chornobyl Center for Nuclear Safety, Radioactive Waste and Radioecology (spelling often gets changed as words go from Russian to English). Soon after, the center invited other governments to collaborate on nuclear safety projects. The U.S. Department of Energy tapped the Pacific Northwest National Laboratories (PNNL)—a bustling science center up in Richland, Washington—to help.
At the time, Tim Ledbetter was a relatively new hire in PNNL’s IT department, and he was tasked with creating a digital photo library that the DOE’s International Nuclear Safety Project could use to show its work to the American public (or, at least, to the tiny sliver of the population that was online back then). He had project members take photos while they were in Ukraine, hired a freelance photographer to grab some other shots, and solicited images from Ukrainian colleagues at the Chornobyl Center. Intermixed with hundreds of images of awkward bureaucratic handshakes and people in lab coats, though, are a dozen or so shots from the ruins inside Unit 4, where 10 years before, on April 26, 1986, a reactor had exploded during a test of the plant turbine-generator system.
As radioactive plumes rose high above the plant, poisoning the area, the rods liquefied below, melting through the reactor vessel to form a substance called corium, perhaps the most toxic stuff on Earth.
Corium flowing like lava through the reactor. The valve was made for steam to move through. (Photo: PNNL library)
Corium has been created outside of the lab at least five times, according to Mitchell Farmer, a senior nuclear engineer at Argonne National Laboratory, another Department of Energy center outside of Chicago. Corium formed once at the Three Mile Island reactor in Pennsylvania in 1979, once in Chernobyl, and three separate times during the Fukushima Daiichi meltdown in Japan in 2011. Farmer creates modified versions of corium in the lab in order to better understand how to mitigate accidents in the future. Research on the substance has found, for example, that dumping water on it after it forms actually does stop some fission products from decaying and producing more dangerous isotopes.
Of the five corium creations, only Chernobyl’s has escaped its containment. With no water to cool the mass, the radioactive sludge moved through the unit over the course of a week following the meltdown, taking on molten concrete and sand to go along with the uranium (fuel) and zirconium (cladding) molecules. This poisonous lava flowed downhill, eventually burning through the floor of the building. When nuclear inspectors finally accessed the area several months after the initial explosion, they found that 11 tons of it had settled into a three-meter-wide grey mass at the corner of a steam distribution corridor below. This, they dubbed the Elephant’s Foot. Over the years, the Elephant’s Foot cooled and cracked. Even today, though, it’s still estimated to be slightly above the ambient temperature as the radioactive material decomposes.
Ledbetter’s not able to remember exactly where he got these images. He compiled the library almost 20 years ago, and the website on which they were hosted is in rough shape; only thumbnails of the images are left. (Ledbetter, who still works at PNNL, was surprised to learn that any of the site was still publicly accessible.) But he’s sure he didn’t hire someone to take photos of the Elephant’s Foot, so they likely were sent in by a Ukrainian colleague.
In 2013, Kyle Hill stumbled across the image, which had been shared several times on the internet in the ensuing years, while writing a piece about the Elephant’s Foot for Nautilus magazine, and tracked it back to the old PNNL site. Following his lead, I went back there to look for more details. After a little digging through the site’s CSS coding, I was able to locate a long-lost caption for the image: “Artur Korneev, Deputy Director of Shelter Object, viewing the ‘elephants foot’ lava flow, Chornobyl NPP. Photographer: Unknown. Fall 1996.” Ledbetter confirmed the caption matched the photo.
Korneev turns out to be an alternate spelling for Korneyev. Artur Korneyev is a dark-humored Kazakhstani nuclear inspector who has been working to educate people about—and protect people from—the Elephant’s Foot since it was first created by the explosion at the Chernobyl nuclear plant in 1986. The last time a reporter spoke to him, as far as I can tell, was in 2014, when New York Times science reporter Henry Fountain interviewed him in Slavutich, Ukraine, a city built especially to house the evacuated personnel from Chernobyl.
A zoomed image of Korneyev
I wasn’t able to locate Korneyev for an interview, but it’s possible to put together clues embedded in the photos to explain the image. I looked through all the captions of similar photos of the destroyed core, and they were all taken by Korneyev, so it’s likely this photo was an old-school timed selfie. The shutter speed was probably a little slower than for the other photos in order for him to get into position, which explains why he seems to be moving and why the glow from his flashlight looks like a lightning flash. The graininess of the photo, though, is likely due to the radiation.
For Korneyev, this particular trip was only one of hundreds of dangerous missions he’s taken to the core since he first arrived on site in the days following the initial explosion. His initial job was to locate the fuel deposits and help determine their radiation levels. (The Elephant’s Foot initially gave off more than 10,000 roentgens an hour, which would kill a person three feet from it in less than two minutes.) Soon after that, he began leading cleanup efforts, sometimes even kicking pieces of solid fuel out of the way. More than 30 workers died from Acute Radiation Syndrome during the explosion and ensuing cleanup. Despite the incredible amount of exposure, Korneyev kept returning inside the hastily constructed concrete sarcophagus, often with journalists in tow to document the dangers.
In 2001, he brought a reporter from the Associated Press back to the core, where the radiation still measured 800 roentgens an hour. In 2009, Marcel Theroux, the celebrated novelist (and son of writer Paul Theroux and cousin of actor Justin Theroux) wrote an article for Travel + Leisure about his trip to the sarcophagus and the mad, maskless guide who mocked Theroux’s anxiety as “purely psychological.” While Theroux refers to him as Viktor Korneyev, it’s likely the man is Artur, as he made the same dark joke he would a few years later in a New York Times article.
His current status is murky. When the Times caught up to Korneyev a year and a half ago, he was helping to plan construction of a $1.5 billion arch that, when finished in 2017, will cap the decaying sarcophagus and prevent airborne isotopes from escaping. In his mid-60s, he was sickly, with cataracts, and had been barred from re-entering the sarcophagus after years of irradiation.
Korneyev’s sense of humor remained intact, though. He seemed to have no regrets about his life’s work. “Soviet radiation,” he joked, “is the best radiation in the world.”
HN Discussion: https://news.ycombinator.com/item?id=19229502
Posted by smacktoward (karma: 38499)
Post stats: Points: 167 - Comments: 103 - 2019-02-22T21:57:49Z
#HackerNews #100 #activision #and #blizzard #ceos #featured #most #overpaid #report #the
The chief executive officers of two major video game companies have found their way onto As You Sow’s 2019 report on "The 100 Most Overpaid CEOs", a report that uses pay data to call out pay disparities in publicly traded American companies.
Both Electronic Arts’ Andrew Wilson and Activision Blizzard’s Bobby Kotick have earned spots on this year’s list along with the likes of Walt Disney’s Bob Iger, Netflix’s Reed Hastings, and 96 other high-earning execs. This all comes just a week after Activision Blizzard announced that it would lay off an estimated 800 employees following the close of a record year.
As You Sow takes more than a CEO’s yearly earnings into account when ranking its list, as detailed in the full report. In short, the organization looks at factors like total shareholder return and votes against CEO pay packages to calculate how much each chief exec earns in excess. The methods for calculating that exact excess can be found in Appendix C of the full report as well.
Following that methodology, the group clocked Activision Blizzard CEO Bobby Kotick as number 45 on that ranked list of the most overpaid CEOs. By As You Sow’s data, Kotick is paid $28,698,375 (an excess of $12,835,277 by the organization’s estimates). The ratio of Kotick’s pay compared to median worker pay at Activision Blizzard is 301:1.
The median pay ratio for S&P 500 companies is 142.1, while the median pay ratio for the 100 members of As You Sow’s list is 300:1.
Electronic Arts’ Andrew Wilson, meanwhile, is ranked a bit lower on the list as number 98. His yearly take is $35,728,764 (an estimated excess of $19,673,861 as determined by the report), a paycheck that was supported by 97 percent of shareholders’ votes. Though median pay ratio wasn’t used as a metric for ranking those high-earning CEOs, the difference between Wilson’s own pay and that of the median Electronic Arts employee is greater than Kotick’s. As You Sow records that ratio as 371:1.
The gap between median worker pay and CEO pay has ballooned in just the past several decades, as explained in the following quote captured by Axios.
"If you look at the pay of top CEOs relative to workers, that ratio in the 1950s was 20 to 1, was about 30 to 1 by the late ’70s, and by the mid-1990s it was 120 to 1," said Robert Reich, former Labor Secretary for President Bill Clinton, during a recent call with Axios and other reporters. "When I was working in the White House that was a cause of real concern. That ratio seemed appalling to most people. Now it’s 300 to 1."