1. 5

Hi, Lobste.rs! Founder here (on my 2nd “startup”).

I strongly believe in the need for private communication, especially in the context of doctors-patients, clients-lawyers or sources-journalists.

PGP has done a great job of allowing private communication between two parties, but it places a heavy burden on both the sender and the recipient. Often though, the person who needs to send the private communication is less tech-savvy than the recipient. Private Forms removes the burden from the sender, and places it squarely on the recipient.

With Private Forms (https://privateforms.com) you can create an embeddable web form (with custom fields) that encrypts messages client-side, before being sent to the server (and emailed to the recipient). These messages are encrypted using the recipient’s PGP public key, which can only be decrypted using their private key—this way, not even we can view the form submissions. We can help less technical users by generating a keypair for them (again, client-side), or they can upload their own public keys.

Recipients can view form submissions on the web (using their private key, which is never transmitted to our server), or via their own email client that supports PGP decryption.

This is very much a MVP, with regards to the interface and the number of features, but I wanted to get this out in front of as many people as possible!

1. 2

What prevents an attacker from injecting code into the page to scoop data on the client side before it’s encrypted?

If the answer is ‘https’, what security benefit does this scheme give over https with no client-side encryption?

1. 2

“https” is the answer you’re looking for!

Beyond that, it gives an extra layer of security, in that the host (me) can’t read it, and that the data is never unencrypted, at rest.

1. 4

The problem is that you can read it: all you need to do is inject JS to extract the message. The users have to trust you not to do this, but in that case they can just trust you not to look at the messages.

Similarly, an attacker who can break TLS can do the same thing, so this provides no additional security layer beyond TLS…

1. 4

I found these slides while wandering around (in a daze) after watching this video: https://www.youtube.com/watch?v=w-I6XTVZXww

It seemed completely baffling that doing a sum: 1 + 2 + 3 + ... could yield -1/12. After reading Everything and More, it is as interesting to hear peoples' reactions to notions of infinity as it is to ponder the mathematics itself. I’m also less willing to trust my intuition when it comes infinity. The Wikipedia page about the sum of the natural numbers starts off easily enough, but then veers off into some really heady reasoning by Ramanujan & finally pulls in the zeta function.

1. 6

FWIW, I think it’s a mistake to think of the equation

1+2+3+… = -1/12

as relating to notions of or intuitions about infinity. Rather, we begin by studying the complex-valued function

\sum_n n^{-s}.

Where is this defined? Whenever the series converges, i.e., when the real part of s is greater than 1. Next, by a process called analytic continuation, we define a function, the Zeta function, which has the property that

Zeta(s) = \sum_n n^{-s}

whenever Re(s) > 1. A key fact of complex analysis is that any two smooth (complex-differentiable) complex functions which agree on any disk, no matter how small, must be equal everywhere they are defined. This tells us that there is only one possible extension of our series to the entire complex plane, namely the zeta-function we defined.

Finally, one can show that Zeta(-1) = -1/12. If we were to plug in s = -1 to our series, we’d get

1+2+3+…=-1/12,

giving the “formula” we wanted, but this doesn’t have much to do with notions of infinity. It’s just a way to assign a value to a power series.

P.S.: Thanks for posting this — it’s great to see the string-theory perspective on the number theory.

1. 0

That does it. Math is broken.

Edit: Indeed it is broken! From Wikipedia:

In particular, the step 4c = 0 + 4 + 0 + 8 + · · · is not justified by the additive identity law alone. For an extreme example, appending a single zero to the front of the series can lead to inconsistent results. [1]

That paragraph is followed by some insanity, then this:

A summation method that is linear and stable cannot sum the series 1 + 2 + 3 + … to any finite value. (Stable means that adding a term to the beginning of the series increases the sum by the same amount.) […] The methods used above to sum 1 + 2 + 3 + … are either not stable or not linear.

The idea that 1 + 2 + 3 plus more non-zero numbers sums up to something less than zero is simply utter nonsense.

Wikipedia has yet another gem:

In the primary literature, the series 1 + 2 + 3 + 4 + ⋯ is mentioned in Euler’s 1760 publication De seriebus divergentibus alongside the divergent geometric series 1 + 2 + 4 + 8 + ⋯. Euler hints that series of this type have finite, negative sums, and he explains what this means for geometric series, but he does not return to discuss 1 + 2 + 3 + 4 + ⋯. In the same publication, Euler writes that the sum of 1 + 1 + 1 + 1 + ⋯ is infinite.

So there you go, 1 + 2 + 3 + … is a negative number, but 1 + (1 + 1) + (1 + 1 + 1) + … is infinite.

Right. Yeah.

If some system of math tells you otherwise, I think it’s more likely the case that there’s some sort of logical error in reasoning within that system.

1. 2

This is a joke? I looked at 1 + x + x^2 … = 1/(1-x) which I know to be wrong. Then the next slide has it’s derivative with the minus sign missing and it gets more bizarre after that.

1. 3

No, it’s all correct. 1 + x + x^2 … is indeed 1/(1-x) and differentiating gets an extra - sign due to the -x.

1. 1

It’s not true for all values of x for sure. x=2, for example. Is the restriction -1 <= x <= 1 ?

You are right about d/dx (1-x)^-1. I did (1+x) in my head by mistake.

1. 3

It’s an equality of formal power series. The left-hand side converges for |x|<1. Moonshine theory is indeed quite bizarre, though.

1. 1

Wow! Thanks for the link. It’s interesting that we can have a restricted equality! I must have been taught this at some point, but it’s amazing for me to see this today.

1. 5
Papers
• Function field sieve method for discrete logarithms over finite fields, Adleman-Huang 1999

• The function field sieve is quite special, Joux-Lercier 2002

• The function field sieve in the medium prime case, Joux-Lercier 2006

• On the function field sieve and the impact of higher splitting probabilities: Application to discrete logarithms in ?_{21971} and ?_{23164}, Göloğlu-Granger-McGuire-Zumbrägel 2013

• A new index calculus algorithm with complexity $L(¼+o(1))$ in very small characteristic, Joux 2013

• A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, Barbulescu-Gaudry-Joux-Thomé 2013

• On the powers of 2, Granger-Kleinjung-Zumbrägel 2014

Books:
• Between the World and Me, Ta-Nehisi Coates

This is a phenomenally beautifully written book.

“You must resist the common urge toward the comforting narrative of divine law, toward fairy tales that imply some irrepressible justice. The enslaved were not bricks in your road, and their lives were not chapters in your redemptive history. They were people turned to fuel for the American machine.”

• Some of Borges' short stories, in Ficciones

• Kill Anything That Moves: The Real American War in Vietnam, Nick Turse

• Seeing Like A State, James C. Scott

1. 9
1. 7

I don’t really mind for me personally, but I could see someone with an extremely low internet quota, on cellular or a holiday wanting to choose when an update is downloaded at least. That would annoy me if I went to another country with my laptop, got a new mobile connection and blew it in the first hour because something wanted to update.

Windows does it as well and does actually annoy me. I don’t mind them downloading the update on my wired connection and even installing as much as possible, but don’t show a dialog that say, Reboot now, in 10 mins, 1 hour, 4 hours. I often delay it once but am not there to delay it again. It’s my computer, let me control it, why isn’t there a “Apply updates during my next reboot”? Why can’t that just be the default behaviour and we can get rid of the dialog? Windows could even wait and see if I reboot in the next 3 days say and then suggest that it is time to reboot, they could even show me the uptime and shame me into rebooting my poor, poor consumer hardware!

1. 6

I’ve also had this problem, so I have this mess of running around trying to turn off everything that auto-updates without asking, but then also making sure I don’t forget to occasionally update it. On phones themselves the problem is solved well enough: Both iOS and Android can time their own updates, of both the OS and apps, to download over wifi and not blow through your data quota. But laptops are still assuming that all data connections are equal and unmetered, and don’t have a way for you to mark some wifi connections as not suitable for unnecessary data transfers.

I could imagine Apple doing something about this in the future within their own ecosystem. For people who use both a Mac laptop and an iPhone, they’ve been moving to smarter handling of the connection via their “Continuity” features (e.g. phone-call hand-off between devices), so they could conceivably also apply a more unified data policy.

1. 5

+1 for macs knowing when they are tethered and not downloading software updates over 3G data. I recently had this happen to me. Now I turn off the tethering as soon as I’ve finished, but this doesn’t stop the machine using extra bandwidth while I use the connection.

1. 3

Windows lets you specify a connection is metered as well, though it doesn’t automatically know when it’s tethered to an iPhone.

2. 6

Chrome in particular uses efficient delta-encoding to reduce the size of updates into the tens of kilobytes. Meanwhile, “it takes 87 requests and 7MB of data transfer to read The Verge’s 1600-word article on why the mobile web sucks.” And, Chrome’s autoupdates are silent, never presenting the user with an annoying Windows nag dialog telling them to reboot.

So neither of these complaints really apply to Chrome. Indeed, Chrome is really the model of how to ensure that users are protected against security flaws from obsolete software: keep the software up-to-date without getting in their way.

1. 2

Aside from the reading for my thesis (a bunch of papers on variations of the function field sieve), I’ve been reading Jeremy Scahill’s Dirty Wars and James C. Scott’s Seeing Like A State.

1. 19

Mac only and not free software :-(

1. 2

What did this add to the conversation?

1. 9

I think of my comment as like a seed, or a droplet of water. Putting the ideas of cross platform free software as a nagging nugget in the back of the reader’s mind. This software seems pretty great and it is too bad it isn’t cross platform and free software.

I don’t see anything on the website to suggest it couldn’t be otherwise.

If you look at the other comments, they have a similar sentiment. In the small it adds nothing, but as a group of comments, it is revealing. And as users of software, we should demand these things, even if it is a pain in the ass to developers.

I try my best not to be a hypocrite. My own software that I publish should be held to the same standards, and I try. It is a major pain in the ass, but I try.

EDIT:

This can add to the conversation

http://forums.gitup.co/t/cross-platform-support/134

Why are developers doing a poor job of engineering these things to be so locked down and hard to change?

1. 2

Tau is clearly wrong since adopting it would mar the most beautiful equation of all: Euler’s Identity

https://en.wikipedia.org/wiki/Euler%27s_identity

1. 6

I guess I should have put the smiley at the end of this post. I didn’t realise people took this tau thing so seriously. 4 people bothered to mark a humorous observation as incorrect :)

1. 4

This is addressed on the site. e = 1 is not any less beautiful than e = -1.

1. 1

eiπ = -1 implies eiτ = 1, but not the other way around.

2. 2

Now don’t get me wrong, I like Euler’s Identity as much as the next guy, but I think there are prettier results around.

Ignoring for a moment that making substantive choices based purely on elegance (or lack thereof) is foolish at best, here are some aesthetic arguments about why Euler’s Identity is pretty meh in context.

Firstly, it’s a very mechanical / arithmetical sort of identity, isn’t it? I don’t know about your experience in mathematics, but for my part, these sorts of identities don’t really make my socks roll up and down – I much prefer something with a bit more meat on it. Something like a Pappus' Theorem in projective geometry, or the theory of Space Filling Curves. See, to me, Euler’s identity is beautiful only in the same way a single color – not yet put to canvas – is beautiful. It’s a component of a bigger thing. Burnt Sienna or Deep Red are beautiful colors, but the “Happy little tree” that they make – that’s the art.

So while tau might alter the color of this (admittedly very nice) pigment, I’m less concerned about that, and more concerned about how it effects the whole painting. Tau doesn’t substantively improve the beauty of mathematics as a whole, and indeed may mar it were we try to transition from one ‘color’ to the other. That’s why – if at all – it’s “clearly wrong.”

1. 2

I look at Euler’s Identity and marvel how you can make -1 simply by combining 3 numbers that can’t be written down using natural numbers.

1. 7

If the only good thing about vim is the user interface, why not try Emacs with evil-mode? I made the switch recently and I’m enjoying it: the vim bindings are very, very complete, and you have an incredibly scriptable environment to work in.

1. 5

I’ve been considering making this switch for a while now, but the main thing stopping me has been the fact that while evil-mode might duplicate the vim interface, it won’t duplicate all my vim plugins (I use a handful of custom text objects and ‘verbs’ quite often). So I’m really excited about the idea of a better vim that still has plugin compatibility.

1. 2

Yeah, that’s a good point — I agree that neovim is really exciting.

(of course, the best solution to your problem would be to write a vimscript interpreter in elisp, no? :p )

1. 1

Do you need your vim plugins as they are? Considering the number of Emacs packages, you could probably find something that provides more-or-less the same functionality. As for custom text objects, I have seen a couple in the MELPA package archive, and if those don’t do, you could embark in an Elisp hacking adventure.

1. 1

This is true. In fact, it might be easier to write these plugins for evil-mode than it was for the original authors to write them in vimscript, depending on how evil-mode plugins work. On the other hand, it’s always going to be easier for me to just do nothing, and having to find or reimplement plugins doesn’t help me overcome my inertia. Still, it might happen one day, but I think the prospect of neovim is only increasing my vim inertia.

1. 6

The fact that swatting is 1) incredibly easy to do once the necessary information about a person has been found out, and 2) so dangerous to the person being swatted, leads me to agree with Krebs about the necessary charging. Looking at “War Comes Home,” the ACLU’s report on police militarization, it becomes clear that a SWAT attack is a seriously dangerous situation. I hope that the Lizard Squad members (and anyone else who engages in swatting and is arrested) are punished with serious force commensurate to the heinous nature of the crime, which puts the lives of innocents in danger at the hands of unwitting law enforcement officers.

1. 4

Those two facts would lead me to different (though perhaps orthogonal) conclusion: It should not be standard operating procedure for police forces to endanger innocent people’s lives by carrying out raids with heavily armed, untrained soldiers.

I disagree with the characterisation of law enforcement officers as ‘unwitting’. The officers who participate in raids (with results like this — no charges for the police who attacked a two-year old with a grenade, of course) also need to be held responsible for their actions.

1. 1

You’re right. The fact that police regularly engage in armed raids with little evidence on civilians is a problem. However, there is also a compelling societal interest in protecting against imminent attack. The question then becomes how the decision to use SWAT is evaluated. While I don’t think SWAT should be eliminated, I do think it should be used far less often than it is today.

On the second point, what I meant by “unwitting” is simply that the officers are acting on the arguably reasonable assumption that the information they have is credible, and are thus acting in good faith to protect the people. However, they are unwittingly participating in a coercive and criminal action to intimidate an innocent individual. I agree that officers need to be held responsible for their actions, but as I said above, I don’t think engaging in a SWAT raid is inherently an irresponsible action.

1. 1

No, let’s not replace census data with Twitter-derived ‘statistics’.

1. 4

I can’t tell if it is a joke or not… Too much work put in to be a joke, but come on: ‘As we already know, a name or axis (which of course applies to all nouns, not just cores) is a limb. A list of limbs is a wing.’

Another example, ‘Nock’s data model is simple: a noun is an atom or a cell. An atom is any natural number. A cell is an ordered pair of any two nouns.’

So a ordered list of integers? They have to be trolling.

1. 8

Reading in the tutorial for the Hoon programming tutorial (http://doc.urbit.org/doc/hoon/tut/3/) it becomes even stranger. Here some excerpts:

[..] Think of learning Hoon as learning to program all over again. If nothing else, it’s a sort of eccentric adventure sport. Or even a mystery - can a language be esoteric, yet useful? [..]

[..] It’s actually worse than that - learning Hoon is learning to read all over again. Again, Hoon is a reserved-word-free language - any text in the program is part of the program.

So we’ve renamed them:

 ace  space      gal  <          per  )
bar  |          gar  >          sel  [
bas  \          hax  #          sem  ;
buc  $hep - ser ] cab _ kel { sig ~ cen % ker } soq ' col : ket ^ tar * com , lus + tec  doq " pam & tis = dot . pat @ wut ? fas / pel ( zap !  You just have to memorize these names. Sorry. We accept that they are vile, barbaric and loathsome. So is life. [..] So they use 33 three-letter artificial names for commonly known symbols to make you be able to spell the programs?! But wait there is even more craziness .. [..] But is this at least enough symbols? Alas, nowhere near. ASCII’s glyph supply is not the greatest, but we can make all the squiggles we need by forming digraphs, or runes. For example: bartis, ie, |=. [..] [..] Hoon has almost 90 digraphic runes. Worse, “Hoon runes” are inevitably shortened to “hoons” - a ridiculous non-English word due originally to Wallace Stevens, which also has the unique property of reducing Australians to convulsions. None of this should scare you. First, 90 symbols is not a lot compared to, say, Chinese. Second, hoons are easier than you’d expect to organize in your head, because the choice of glyph is not random. Third, no one lives in Australia and nobody cares. [..] So we have composition for those names, called runes. And so it goes on. I did not read yet further. But I guess it would cost quite an involvement to learn Hoon and you have to learn it completely from scratch, without being able to benefit from whatever languages you have learned before. Why did the designer chose to obfuscate it so much? 1. 6 Why did the designer chose to obfuscate it so much? Making people spend an enormous amount of effort to join a cultcommunity means that once they do, they’re invested enough to not leave. I wouldn’t make that judgement about any programming language, but I would (tentatively) make it about this one, after seeing who’s involved in its creation. 1. 6 I almost have also the feeling that this might be an attempt to develop a Stockholm syndrome in the followers, but I am not sure though. I went through the Nock tutorial (http://doc.urbit.org/doc/nock/tut/1/) and with some effort was able to follow and understand it. Went on with Hoon and there I will stop, there - it asks too much involvement from me. And I do not know if this is not a wrong investment. However compiling and making the system run was straight forward, just by following the instructions on the github page. So, who knows, they are maybe out for something interesting. 2. 3 The video (and this document) both have strong smells of Timecube and Poe’s Law on them, but with a distinctly Ayn-Randian twist. 1. 4 What Apple gets and what no one else in the industry does is that using your mobile device for payments will only work if it’s far easier and better than using a credit card. I’m not sure that Apple “gets” anything here. Apple Pay is still far more cumbersome than pulling a credit card from my wallet. It seems that the companies who actually get it are those like Final (no relation). 1. 1 Apple Pay is still far more cumbersome than pulling a credit card from my wallet. Really? This is a bit surprising to me. I’ve not used Apple Pay yet, but have seen it used by a friend. It looked ridiculously easy. What have you found that makes it more cumbersome? 1. 3 I have a zipper on the pocket I keep my phone in and a pin on the phone itself. If the system can be used without the pin, that’s a complete dealbreaker right there. Also, and this is obviously a personal thing that doesn’t apply to everybody, I don’t think Apple (or Google, or really any non-bank) have any business storing any of my financial information, and I absolutely refuse to allow them to spend money on my behalf. 1. 4 You should give https://www.apple.com/apple-pay/ a quick skim. It uses Touch ID on the phone: One touch to pay with Touch ID. Now paying in stores happens in one natural motion — there’s no need to open an app or even wake your display thanks to the innovative Near Field Communication antenna in iPhone 6. To pay, just hold your iPhone near the contactless reader with your finger on Touch ID. You don’t even have to look at the screen to know your payment information was successfully sent. A subtle vibration and beep let you know. And it stores info in the secure element of the phone, not on Apple servers: Every time you hand over your credit or debit card to pay, your card number and identity are visible. With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted, and securely stored in the Secure Element, a dedicated chip in iPhone, iPad, and Apple Watch. These numbers are never stored on Apple servers. And when you make a purchase, the Device Account Number, along with a transaction-specific dynamic security code, is used to process your payment. So your actual credit or debit card numbers are never shared by Apple with merchants or transmitted with payment. And as some have pointed out in various places, Apple provides less identifying info to the merchant than they would have gotten with a regular credit card … 1. 3 Every time you hand over your credit or debit card to pay, your card number and identity are visible. I don’t understand this. When I pay with my credit or debit card, the merchant never sees or touches my card, and they have no opportunity to get its information thanks to chip+pin or NFC. How is Apple Pay better than this? 1. 5 In the United States NFC is still a novelty. Lots of people didn’t know it was possible before Apple Pay. Chip cards and readers are practically nonexistent in the US. When they do roll them out, they’re going to be chip&sign instead of chip&PIN. Apple Pay might be more secure than this. It’s not so clear what the benefits will be in the modern world (you know, places with the metric system). At the very least: 1. Supposedly a different PAN is used for each transaction, so merchants can’t use it to track your purchases. 2. You get a list of transactions on your phone. If your bank has a crappy app this might be useful. 1. 5 Americans don’t do chip+pin, that’s why. Apple Pay is basically PayWave, the NFC version of chip+pin that’s everywhere in .au, but without the$100 limit because you use a fingerprint.

1. 4

I guess I’m sort of confused, but what’s the advantage of using Apple Pay over a normal credit card?

1. 1

It’s rare that I don’t have both, but if I only have one, I have my phone and not my wallet. Sometimes accidentally; I’ve turned around halfway to the store without my wallet a few times, but never seem to forget my phone. (More practically, I notice its absence more quickly when I go to listen to music.)

Sometimes purposefully, like if I go for a run or to the gym. Ironically, those are the situations I’m most likely to want to pick up a drink from a store like CVS.

If even 25% of the places I buy things from started taking apple pay, I’d probably start leaving my wallet at home more often. And then the places that take apple pay would quickly become 100% of the places I go.

1. 2

I am still waiting for my new phone but there is a simple fix to this problem.

Get one of those 2 card cases for your phone. I have my debit card ($300/day limit) and my drivers license. I call it my drinking wallet. Then if I forget the regular wallet, I still have something to help things along if I’m out running. Just a low tech solution to the “crap forgot my wallet at home” problem. 1. 7 So one version (init version) handles more configuration parameters (loaded via sysconfig files), edge cases (missing binaries, missing env vars), makes aliases itself, and handles reloading. The other version (systemd conf file) farms out work to a couple makefiles to create aliases (hides some amount of work in external callable), omits some edge case handling (maybe it wasn’t necessary), and doesn’t handle reloading. Not sure what this is trying to show, other than the fact that one version is long, and the other is short. Gotcha. 1. 3 Um, the init script calls make too, so it’s a little unclear why that counts as hiding work in an external callable – also, a shell script is made of external callables. It doesn’t handle reloading, since reloading systemd services is done in a consistent way by systemd rather than repeatedly implemented ad-hoc across every init script. 1. 6 Rearranging optimisation passes reveals a bug. Not really ‘terminal’. The only thing that seems terminally broken in this story is Linus' ability to communicate on LKML without verbal abuse. 1. 1 Reading some things on neural networks, since one of my friends got me excited about them. I’m hoping to make an actually usable version of a hack I made two years ago for decrapifying cellphone photos of handwritten notes. If you want to help me get diversity in my training set and you have some handwritten notes, you could email me some photos of them :) 1. 2 Could you daemonize something in this way? Run something you want to be permanently running, and then exit trap to run the same script. I have a few long running bash scripts and use cron jobs currently to make sure they keep operating, but this looks like an interesting replacement. 1. 1 You could, but it wouldn’t necessarily be very robust; for example, a SIGKILL will prevent the exit trap from executing. You’d also have no way of doing health checks. 1. 1 If you have the option to use a modern service manager like systemd, you’d be much better to just use the existing service management tools than reimplement your own adhoc ones. I can’t speak in detail to other systems, but systemd unit files are incredibly painless to write and run and are very robust. 1. 6 $TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and \
word('linux' or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
[...]
fingerprint('ct_mo/TAILS')=
fingerprint('documents/comsec/tails_doc') or web_search(\$TAILS_terms) or [...]
`

That seems very broad. A web search for “tails cd” is enough to trigger this fingerprint. I guess only terrorists like Lisa Loeb CDs.

1. 2

Given past disclosures, do we really think ‘very broad’ is a downside to the NSA?