Shared posts

25 Jun 06:06

Berlusconi sentenced to 7 years in prison

by Cory Doctorow
Assaf Lavie

In prison, you're the bunga.

Silvio Berlusconi, the disgraced former prime minister of Italy and billionaire media baron, has been sentenced to seven years in jail for having sex with an underage prostitute. The woman, Karima 'Ruby' el-Mahroug, was paid to have sex at Berlusconi's infamous "Bunga Bunga" parties, and at one point he lied to Italian police about her to keep her from going to jail for theft -- Berlusconi told the cops she was Hosni Mubarak's niece and that arresting her would cause an international diplomatic incident. Berlusconi sounds like he plans on appealing:

After the verdict, Berlusconi said in a message posted on Facebook that he believed he would be acquitted "because in the facts there is really no possibility to convict me."

He called the sentence "incredible, of a violence never seen or heard before, to try to eliminate me from the political life of this country." He pledged to "resist this persecution, because I am absolutely innocent, and I don't want in any way to abandon my battle to make Italy a truly free and just country."

Elected officials from Beppe Grillo's Five Star movement are insisting that the Italian state must do everything in its power to put Berlusconi behind bars.

'Bunga bunga' busted: Berlusconi convicted of hiring underage girl for sex [Colleen Barry/Associated Press]

(Image: Berlusconi, a Creative Commons Attribution (2.0) image from spiritolibero85's photostream)


24 Jun 15:31

You Won't Believe This Is Just One Photograph

It looks like a mosaic of four different photos. Mindblowingly, it isn’t.

This is the work of photographer Bela Borsodi. He achieved the mosaic illusion by spending hours carefully arranging the items through the viewfinder of his camera.

Here's the exact same arrangement of items, photographed from a different angle.


24 Jun 14:04

Danny MacAskill's Imaginate

Assaf Lavie

Just... wow..

Pro street trails rider, Danny MacAskill, performs bike stunts straight out of a child's imagination.


24 Jun 13:36

Does Medical Care Cost Too Much in the United States? Posner

by Richard Posner

A New York Times article of June 1 called “Paying Till It Hurts,” by Elisabeth Rosenthal, presents disturbing data concerning prices of medical procedures in the United States relative to the prices in other wealthy countries. The article reports that the average price of an angiogram is $914 in the United States and $35 in Canada, of a colonoscopy $1185 in the United States and $655 in Switzerland, of an MRI scan $1121 in the United States and $319 in the Netherlands, of a hip replacement $40,364 in the United States and $7731 in Spain, and of Lipitor (probably 90 mg., although the article doesn’t state the quantity) $124 in the United States and only $6 in New Zealand—a greater than 20 to 1 difference.


This is not actually the correct way to compare U.S. and foreign prices: picking a different nation to compare the United States with for each procedure. For what if (for example) in Canada, though the average price of an angiogram is very low, the average price for a colonoscopy is very high? Nevertheless the comparisons are illuminating, and are consistent with the fact that the United States devotes some 18 percent of GDP to health care, twice that of most other countries. (The second most expensive nation for health care is Switzerland, which spends 12 percent of its GDP on health care.) The significance of the article is that it plausibly assigns much of the cost differences to higher prices for standard medical procedures and excessive use of those procedures, rather than to demographic differences, such as greater inequality of income in the United States than in the other wealthy nations of the world, let alone to higher quality of U.S. medical care.

According to the article, the difference in cost between the U.S. and the foreign medical procedures is unrelated to quality but has a lot to do with the fact that the foreign countries regulate the price of medical procedures and the United States does not. The difference is between a regulated and a free market, and the free market does not show up well in the comparison. It is not just the bottom line—the relative costs—that illuminates the difference, but the competitive practices that the article describes that, together with absence of price regulation, may explain the difference. 

Free-market competition is supposed to optimize quality and price; if quality is the same, price should be lower under competition than under regulation. Quality includes availability. A traditional and well-documented complaint about price ceilings is that they create shortages, resulting, in the medical sphere, in long and potentially dangerous delays in treatment. But at least if the Times article is to be believed, the longer delays in foreign countries (if they are longer, which the article doesn’t discuss) do not result in poorer medical outcomes.

The evidence of market failure in our medical care system is reinforced by data presented in the article of large price differences for identical procedures in the same U.S. states, and even in parts of the same state, southern California for example, where according to the article a colonoscopy costs on average $2041 in San Diego and $5559 in Los Angeles.

It appears that in a market in which buyers have poor information, in part because the products and services sold in the market are highly technical and the market itself is pervaded by uncertainty and its products and services are constantly changing and being reevaluated and discarded or improved, and in which extensive private and public insurance obscures prices, and in which on top of everything the consumption decision is often blurred by pain and fear, a private, unregulated market does not operate efficiently. Of course there is government regulation of the U.S. health system, but it is nothing like the public-utility type health regulation found in most other countries. There is in the U.S. regulation in the form for example of malpractice liability, but malpractice liability doesn’t deal with overpricing or (with rare exceptions) unnecessary procedures. Medicaid sets tight payment limits, but Medicare, for most medical procedures, does not—for fear that too many physicians will stop taking Medicare patients. 

There is an approach to inefficiently competitive markets that is in between regulation or nationalization (as pioneered by the British national health service), on the one hand, and free-market competition on the other. It is the professional model of providing services, about which Becker and I blogged on December 10 of last year, as distinct from the competitive, or business, model. In the professional model, which is the traditional model in which health services like legal services used to be provided, which persists to some degree, but which is rapidly giving way to the competitive model, the physician or lawyer in effect trades the very high incomes earned by those who succeed in business for a reduction in financial risk, brought about by legal or ethical restrictions on competition. With lower rewards for engaging in sharp practices, those practices, involving exploitation of consumers in markets pervaded by consumer incompetence, can be expected to be less frequent.

The professional model can thus, in principle anyway, enhance market efficiency. For example, in a medical system governed by the professional model, physicians’ incentive to establish “surgical centers” in their offices in which to perform colonoscopies for which they can charge much higher prices, though there is no need for such centers, is weakened, because physicians imbued with the professional model do not think of themselves, or behave, as profit maximizers. 

The professional model remains dominant in career government service, where employees are salaried and have secure tenure, thus trading the possibility of a much higher income for job security and the benefits, which are not merely financial, that come with it, such as not having to compromise ethical standards to succeed. In contrast, free-market competition is Darwinian: the presence of rapacious and unprincipled competitors will often limit the ethical options of the other firms in the market, and of their employees. 

The outstanding example of the professional model of medical care in American government appears to be the provision of medical care to veterans, in VA hospitals and medical centers. VA physicians are salaried government employees. A number of studies, including a study by the RAND Corporation, have found that the medical care provided by the Veterans Administration is superior to private health care and costs less. See Arthur L. Kellerman, “‘Socialized’ or Not, We Can Learn from the VA,” The RAND Blog, Aug. 8, 2012. Although there is no reason in principle why the professional model should be limited to government employees—and traditionally it was not—it may be that the competitive model has made such inroads in medicine that the professional model cannot survive in the market. It may be worth considering whether the VA model can be extended as part of an effort to improve health care in the United States and at the same time reduce its cost.

24 Jun 05:48

The Man Who Knew Moses But Not His Own Son

"Nissim", a 64 year old man, knows that the word for the eldest son in a family is the "firstborn", but he says that snow is pink and that we wear coats on our feet. A stroke left him unable to talk about anything except abstract concepts. The case of Nissim is reported in a fascinating new paper from Israeli psychologists Gvion and Friedmann: A selective deficit in imageable concepts. The patient had no known psychiatric or neurological problems, until he suffered a stroke affectin

19 Jun 06:43

Japanese Toilet Candy

18 Jun 06:08

Journalists Need To Start Asking About Storage, Not Access

by Michael Arrington

It’s becoming pretty clear, particularly from today’s Snowden Q&A and the partial transcript from President Obama’s Charlie Rose interview, that we’re zeroing in on how the government accesses private individual data.

If you’re not a “U.S. person,” there are few restrictions on what the U.S. government can do to monitor you. If you are a U.S. person then there are at least some restrictions, and the involvement of at least the secret FISA court, before that data can be accessed.

What’s also clear is that these are just policy decisions, as Snowden puts it, and that things may have been different in the past and can be different in the future.

My guess is that most journalists will continue to dig into the FISA court stuff. This quote alone is a gold mine for arguing that there is no true judicial oversight on any of this stuff:

Charlie Rose: But has FISA court turned down any request?

Barack Obama: The — because — the — first of all, Charlie, the number of requests are surprisingly small… number one. Number two, folks don’t go with a query unless they’ve got a pretty good suspicion.

In other words, “trust us.”

But here’s what journalists should be asking at this point: What data does the government store? How long have they been storing it? Do they ever delete it?

All of the government arguments around 4th Amendment protections center on policy decisions regarding what the NSA and FBI can look at. But as they make these arguments they imply that the data is already sitting on government servers. Snowden, of course, doesn’t imply this, he says it flat out.

This is what scares me the most. Not that today’s government is using this data improperly today (although the IRS scandal certainly shows that the government is quite willing to use data improperly). Rather, I’m much more concerned with what the government will do with this data down the road.

Knowing that the government will start surveillance on you if you do something wrong is one thing.

But knowing that you are constantly being watched, with everything you do being stored in a database somewhere, is something else. It doesn’t matter if anyone is looking at it today. Knowing that anything you do now, innocently, may be evidence of a crime in 5, 10 or 30 years, is the opposite of freedom. No matter how you look at it.

I don’t understand how the government can argue that storing, possibly forever, every phone call and every email and our location and everything else can somehow be consistent with the rights acknowledged under the 4th Amendment. Until journalists start asking these questions, however, they won’t even be forced to make those arguments.

16 Jun 10:28

Hell no.

by Lydia Marks

16 Jun 10:28

Good choice.

by Lydia Marks

The smell of death might spoil your appetite.

16 Jun 10:25

Now that's service.

by Lydia Marks

16 Jun 10:20

I told y'all!

by skeeter


15 Jun 06:58

25 Movies That Will Destroy Your Faith In Humanity

If you’re feeling good about life, steer clear of any of the movies on this list. These are 25 films that will leave you raw, empty, and in desperate need of a shower.

Salò, or the 120 Days of Sodom (1975)

I first heard about Salò from an Italian professor who quickly cautioned, "Do not watch it. Ever." Naturally that made me seek it out faster. For those who haven't seen it — or read the book by the Marquis de Sade — the Pasolini film focuses on a group of fascists who kidnap, torture, and sexually abuse 18 teenagers. The most repulsive scene involves coprophagy. And this time, I must warn you: DO NOT LOOK IT UP.

Via: United Artists

Dancer in the Dark (2000)

We usually think of musicals as escapist entertainment, but that's not the case with Dancer in the Dark, which is the bleakest musical you will ever endure. If the ending doesn't leave you feeling completely empty, you might be dead inside. Björk stars as a blind Czech immigrant who has to do terrible things to pay for surgery that will save her son's sight. Things do not end well for her, or for the audience.

Via: Fine Line Features

Funny Games (1997)

This psychological thriller has been remade (both by its director Michael Haneke and as obvious rip-offs) but the original is still the hardest to watch. Why do the two young men take a family hostage and torture them with sadistic games? Unclear! That makes it so much worse — as do the direct addresses to the audience, reminding you that you're taking part in the voyeuristic thrills.

Via: Madman Entertainment

A Serbian Film (2010)

Commonly regarded as the most depraved movie of all time, A Serbian Film is horrifying enough that even reading the Wikipedia description will leave you feeling dirty for days. Suffice it to say the plot involves a porn star tricked into making a snuff film, complete with necrophilia and horrible things done to children. Steer clear. Those who have seen it say it's not worth the trauma.

Via: Invincible Pictures

14 Jun 13:40

via lcjsn6O.jpg (1700×1065) A intact pool between the dirty water of a f...


An intact pool between the dirty water of a flood in Germany.

[Reposted from JohnnySixarms via szczygiel]

13 Jun 19:05

Chris Christie Slow Jams The News With Jimmy Fallon

“Take it from my man, the love guv…”

11 Jun 12:28

The 10 Deadly Sins Against Scalability

by Todd Hoff

In the moral realm there may be 7 deadly sins, but scalability maven Sean Hull has come up with Five More Things Deadly to Scalability that, when added to his earlier 5 Things That are Toxic to Scalability, make for a numerologically satisfying 10 sins against scalability:

  1. Slow Disk I/O – RAID 5 – Multi-tenant EBS. Use RAID 10; it provides good protection along with good read and write performance. The design of RAID 5 means poor performance and long repair times on failure. On AWS, consider Provisioned IOPS as a way around I/O bottlenecks.
  2. Using the Database for Queuing. The database may seem like the perfect place to keep work queues, but under load, locking and scanning overhead kills performance. Use specialized products like RabbitMQ and SQS to remove this bottleneck.
  3. Using the Database for Full-Text Searching. Search seems like another perfect database feature. At scale, search in the database doesn't perform well. Use specialized technologies like Solr or Sphinx.
  4. Insufficient Caching at All Layers. Use memcache between your application and the database. Use a page cache like Varnish between users and your web server. Select proper caching options for your HTML assets.
  5. Too Much Technical Debt. Rewrite problem code instead of continually paying an implementation tax for poorly written code. In the long run it pays off.
  6. Object Relational Mappers. They create complex queries that are hard to optimize and tweak.
  7. Synchronous, Serial, Coupled or Locking Processes. Locks are like stop signs; traffic circles keep the traffic flowing. Row-level locking is better than table-level locking. Use async replication. Use eventual consistency for clusters.
  8. One Copy of Your Database. A single database server is a choke point. Create parallel databases and let a driver select between them.
  9. Having No Metrics. Visualize what's happening to your system using one of the many monitoring packages.
  10. Lack of Feature Flags. Be able to turn off features via a flag so that when a spike hits, features can be turned off to reduce load.

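Items 9 and 10 name the mechanism but not how the two fit together. What follows is an added example written for this page, not code from the post or from Sean Hull's articles: a small in-process feature-flag registry that an operator can flip by hand, and that also sheds optional features automatically when a latency metric crosses a threshold, so that a load spike degrades the response instead of taking the service down. Every name in it (FeatureFlags, LatencyMetric, handle_request, simulate, manual_override, the flag names and the thresholds) is an assumption made for the example, not an existing library API, and the latency samples are constructed.

```python
"""Feature flags with a metrics-driven kill switch (added example).

Illustrative code written for this page, not code from the post or from
Sean Hull's articles. Every name here (FeatureFlags, LatencyMetric,
handle_request, simulate, manual_override, the flag names and thresholds)
is an assumption made for the example, not an existing library API.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class Flag:
    name: str
    enabled: bool = True                 # manual switch an operator can flip
    shed_above: Optional[float] = None   # load level above which the feature is
                                         # shed automatically; None = never shed


class FeatureFlags:
    """Registry of named flags; a feature is on only if enabled and not shed."""

    def __init__(self) -> None:
        self._flags: Dict[str, Flag] = {}
        self._shed: set = set()

    def register(self, name: str, enabled: bool = True,
                 shed_above: Optional[float] = None) -> None:
        self._flags[name] = Flag(name, enabled, shed_above)

    def set_enabled(self, name: str, enabled: bool) -> None:
        self._flags[name].enabled = enabled

    def is_enabled(self, name: str) -> bool:
        flag = self._flags.get(name)
        if flag is None:
            return False  # unknown flags fail closed
        return flag.enabled and name not in self._shed

    def apply_load(self, load: float) -> List[str]:
        """Recompute which sheddable flags are off for the given load level.

        Returns the sorted names of the flags currently shed.
        """
        self._shed = {
            f.name for f in self._flags.values()
            if f.shed_above is not None and load > f.shed_above
        }
        return sorted(self._shed)


class LatencyMetric:
    """Sliding window of recent request latencies; p95 is the load signal."""

    def __init__(self, window: int = 100) -> None:
        self._samples: Deque[float] = deque(maxlen=window)

    def record(self, latency_ms: float) -> None:
        self._samples.append(latency_ms)

    def p95(self) -> float:
        if not self._samples:
            return 0.0
        ordered = sorted(self._samples)
        idx = min(len(ordered) - 1, int(0.95 * len(ordered)))  # nearest-rank p95
        return ordered[idx]


def handle_request(flags: FeatureFlags, user_id: int) -> Dict[str, object]:
    """Build a response, skipping optional work whose flag is off."""
    response: Dict[str, object] = {"user": user_id, "items": ["core-item"]}
    if flags.is_enabled("recommendations"):   # expensive and optional
        response["recommendations"] = ["rec-1", "rec-2"]
    if flags.is_enabled("full_text_search"):  # optional as well
        response["search"] = "available"
    return response


def simulate(latencies_ms: List[float]) -> Dict[str, object]:
    """Feed constructed latency samples through the metric, shed flags, serve one request."""
    flags = FeatureFlags()
    flags.register("recommendations", shed_above=300.0)   # shed first
    flags.register("full_text_search", shed_above=500.0)  # shed under heavier load
    flags.register("checkout")                            # never shed automatically
    metric = LatencyMetric()
    for ms in latencies_ms:
        metric.record(ms)
    shed = flags.apply_load(metric.p95())
    return {"p95": metric.p95(), "shed": shed, "response": handle_request(flags, 42)}


def manual_override() -> Dict[str, bool]:
    """Operator kill switch: disable a flag by hand; unknown flags are off."""
    flags = FeatureFlags()
    flags.register("checkout")
    flags.set_enabled("checkout", False)
    return {"checkout": flags.is_enabled("checkout"), "unknown": flags.is_enabled("unknown")}


if __name__ == "__main__":
    # Constructed samples: a quiet period and a latency spike.
    for label, samples in (("quiet", [50.0] * 20), ("spike", [900.0] * 20)):
        print(label, simulate(samples))
```

Unknown flags fail closed and the check sits in the request path, so the expensive branch is simply skipped rather than failing. In a real deployment the load signal would come from the monitoring package of item 9 rather than an in-process window, and the thresholds would be tuned from observed traffic.
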
09 Jun 19:02

The People Who Don't Want the Public to Know

by Shaul A.

In recent weeks I have been getting strange answers from various government ministries when I approach them with questions about the timelines of certain processes. None of these things makes a story on its own, but the combination of them led me to decide to write this post. All the examples given here are incidental, and were simply collected over the last two or three weeks.

1. The Ministry of Education – where exactly does the money go?
The Ministry of Education's budget will pass 40 billion shekels this year. It is the second-largest budget after the defense budget. And yet, the Ministry of Education does not fully know where every shekel goes. This lack of information stems, among other things, from the impossible structure of the ministry, which is suited to the Ottoman period.
To cope with the shortage of information, in August 2011 the government decided to task the Ministry of Education with creating a computer system that would gather all the shekels scattered by all the divisions and units of the Ministry of Education into a single complete picture, so that someone would finally know where the money is (in the upcoming Arrangements Law the government will try to require local authorities to transfer to the Ministry of Education the budgets they add on top of the government budgets, so that the state can budget its own funds differentially – that is, give less to stronger authorities).
But almost two years have passed since the government's decision of August 2011. By the time the state budget is approved by the Knesset it will be exactly two years. And where is the system? Good question. I personally have been chasing it for many months. In fact, before the start of the current school year the Ministry of Education promised me it would be operational by the start of the year. Meanwhile, the school year ends in a month, and there is still no system.
Or maybe there is? I learned that the system is already capable of producing data. So I approached the Ministry of Education and asked for data. Specific data in a specific breakdown. In more detail, I sent a long list asking to know exactly how much the state budgets for each child in the state sector, the state-religious sector, the Arab sector, the Haredi sector, etc., etc.
And then I received an answer from the Ministry of Education, in these words:

“The ministry will publish the data in an orderly fashion in the near future.”

This answer was so opaque that I could not restrain myself and asked a further question:
1. What does “soon” mean? In the coming days? In the coming months?
2. If it does not mean the coming days, could you simply answer the query?
And then the ministry replied as follows:

“The matter is under discussions that are expected to conclude in the near future (a few weeks).”

2. The Ministry of Education – how can one know where there are commercially funded curricula?
In May of last year, following a very interesting report by the State Comptroller on the matter, I published a story on the commercial curricula that have penetrated the education system over the years. It was not the first story on the subject, of course. Tahel Frosh and Haim Rivlin published similar stories in their time, only since then the phenomenon has grown to the point that even the State Comptroller had to address it.
How does it work? The Blue Square chain, for example, creates a curriculum at its own expense for teaching smart consumerism and so on, and inserts it into schools. In some cases, as in the case of Blue Square, this is done with the Ministry of Education's approval, in accordance with a permit granted by the Committee for Approving Advertisements. In other cases, as the State Comptroller found, it happens at the field level, at the school level, without anyone asking the Ministry of Education at all, without the Ministry of Education knowing.
In an attempt to deal with this phenomenon, in December 2010, almost three years ago, the Ministry of Education officially announced that it was about to launch a dedicated website that would let teachers and principals see exactly which commercially funded curricula are being offered to schools, in order to keep track of the matter and so on. It is now May 2013, and there is still no website.
I approached the Ministry of Education for the second time on this matter in recent weeks. I wondered where the website was and whether there was a chance that the general public could also see it, that is, that parents too could know whether their children are studying curricula funded by commercial companies.
Here is the answer I received from the Ministry of Education (a day after I had already published something on the matter, 48 hours after I first approached them):

“During the 5774 school year, the ministry will publish on its website the applications that were submitted (meaning applications to launch a commercial curriculum – S.A.), detailing which were approved and which were not approved.”

5774 is already at the door. Who knows, maybe three years after that decision something will actually happen on the matter.

3. The Ministry of Transportation – advanced Chinese
As part of the stories I prepared last week on the Zemach Committee and natural gas, I came across a strange story. I was told that the reason the Zemach Committee assumed relatively low demand for gas for transportation use is that a few years ago an experiment was conducted in which a gas-powered public bus was blown up, to see how great the destruction would be, and since then there has been no agreement on the findings of that experiment.
In January 2013, half a year ago, the government decided to task the Ministry of Transportation with settling the matter once and for all within… half a year. I approached the Ministry of Transportation to understand where the ministry stands on this. I asked mainly about the timelines.
Here is the answer I received from the Ministry of Transportation, untouched:

“The Ministry of Transportation is entrusted with the safety and health of millions of citizens, as well as with the efficient management of one of the largest energy consumers in the country; it is our duty to encourage technological means that have been found effective and that may benefit the public, while safeguarding public security and reducing the risks involved in their use. There is full agreement that powering public transportation with compressed natural gas (CNG) is the most efficient alternative propulsion for the present and over the coming decade. At the same time, the fear of heavy damage that would result from a terror attack on a bus is what is holding back the use of CNG for powering public transportation.
In light of the national requirement to realize the potential of oil substitutes for transportation, as mandated by Government Decision 5327, and the proven advantages of using CNG to power public transportation, the Director General of the Ministry of Transportation, Uzi Yitzhaki, instructed the Vehicle Division to lead an effort to remove the security barriers preventing the use of natural gas to power public transportation. The effort is being carried out in cooperation with the Bomb Disposal Section of the Israel Police and the National Security Council, and in consultation with bomb disposal experts and public transportation operators.
The Ministry of Transportation is working to examine simple configurational measures that may significantly reduce the damage of a terror attack and allow the use of CNG to power public transportation to begin. Professionals in the fields of bomb disposal and vehicles have expressed optimism about the configurational measures proposed by the Vehicle Division.
Upon receiving conclusions regarding the extent of the damage, and taking into account the opinion of the Israel Police, the Ministry of Transportation will examine the full implications of using a CNG-powered bus (economic, security and environmental) and reach a decision on the level of risk versus the benefit.”

If you have trouble understanding what this says, you are not alone. The first rule of the responses you get is: the longer the response, the harder the attempt not to answer your question. And this time it is a very long answer to a rather short question – when is all this supposed to happen?

So I asked again: what are the timelines? And here is the answer I received:

“Since the government decision was made, an attempt has been made to learn what the optimal alternatives for reducing the damage are, and the required engineering planning has been done. That is, the specification stage has been completed. The Ministry of Transportation is now working with the Israel Police with the aim of conducting a series of tests according to the chosen configurations. The Ministry of Transportation will draw conclusions quickly, and will act according to the results.”

4. The Prime Minister's Office – the ones who don't answer at all
And apart from all these, there is also the Prime Minister's Office. I don't know whether it's personal – though I tried to find out and was told it isn't personal – but for a long time now the Prime Minister's Office simply hasn't answered my queries. Doesn't answer at all. Not even “no comment.” Just doesn't answer.
Here are a few queries I sent them recently, in descending chronological order:

  • Yesterday Globes reported that Energy and Water Minister Silvan Shalom submitted his recommendations on the future of the natural gas sector to the Prime Minister ahead of a cabinet discussion on the matter. My inquiry indicates that no such recommendations were submitted. Please respond on the matter (not only did I receive no answer, the next day the Prime Minister's Office suddenly sent reporters a text message saying the Prime Minister had met with the Energy and Water Minister on the subject and that the matter would be brought to the cabinet for discussion soon)
  • Are the Zemach Committee's recommendations and the gas sector issue to be brought up for discussion in the cabinet this coming Sunday?
  • One of the Trajtenberg Committee's recommendations was to set up a government team to examine the issue of privatization by way of outsourcing in government ministries: to understand the scope of the phenomenon and to examine whether guiding rules should be set for government ministries when outsourcing government services. As far as is known, a team headed by Udi Prawer began dealing with the matter a few months ago. I would like to know what the team's work has included in recent months and what the status of this staff work is. Are conclusions going to be formulated on the matter? I would of course also be glad to speak with the appropriate people for the story
  • Tomorrow the government bill to establish a national fund to receive gas revenues was supposed to come up on the cabinet's agenda. On Friday the bill was removed from the agenda. The Finance Ministry says the Cabinet Secretariat announced the removal of the item, but the Finance Ministry could not explain why. In the background is a dispute between the Ministry of Defense, which wants to receive a budget out of the fund to cover the costs of securing the gas facilities, contrary to the position of the Finance Ministry and the Bank of Israel. Please comment on why the Prime Minister's Office withdrew the bill from the agenda

And what is the moral? I don't entirely know. I only know that the various government ministries are not very fond of handing over to the public information that belongs to the public. I have no other way to describe it. I try to do my job and keep sticking my nose where people don't want noses stuck, but sometimes the paths are completely blocked as long as there is no one inside to leak something.
For a very long time I have been wondering to myself how this situation could be changed. Sorry you got this far and there is no punchline. Next time I'll try to have one.
Have a good week.

08 Jun 06:49

How is it even *my* company anymore if “the market” tells me what to do?

by Jason


Isn’t entrepreneurship about having an amazing idea and building a living around it?

…yes, except every advisor and blogger admonishes “your idea sucks,” you prima donna pompous asshole, so your job is to use an “idea” as a foil to find out what is actually an amazing idea and then go follow that path, whatever that might be. The only thing we’re sure of is that you’re wrong and you need to get that fixed.

…OK, except how is that even “your company” anymore? Those are someone else’s ideas, not your idea.

Isn’t the fun of a company to build a product you know the world needs, even if (especially if!) they don’t even know they need it? Something they couldn’t ask for, because you can’t ask for an iPad to be invented until it’s placed in your hands?

…yes, except every advisor and blogger proclaims that you couldn’t possibly have insight in a vacuum, so instead you must conduct 50 ego-busting interviews in which a pack of clueless “end users” with no experience building products or companies, and certainly no experience providing constructive insight, will somehow coalesce under your non-directed, open-ended line of questioning into a brilliant roadmap to success.

…OK, except how is that even “your company” anymore?  That’s the culmination of everyone else’s product ideas, a design-by-committee which we all know typically leads to shit.

Aren’t some of the greatest moments of a startup’s life the point where you pick a name, create a logo, write your headline on your new home page, craft your teaser and your byline, stamp your personality on every page, and implement your own philosophy on pricing, service, language, and exposition, attaining your own voice and not the collective voice of the Marketing Department?

…yes, except every advisor and blogger directs you to A/B tests and landing page experiments and advertising alternatives and failing fast where “failing” means 3% fewer people clicked X than clicked Y, because when it comes to pricing your “philosophy” doesn’t mean shit if rearranging the tiers and using unholy language gets you $20/mo more revenue per customer, and your clever tag lines don’t mean shit if language designed for 7-year-olds and written like a 2am-infomercial means a 1% lift in click-through rate.

…OK, except how is that even “your company” anymore?  That’s not your voice, that’s a million monkeys slapping keyboards hoping that one stumbles upon a better conversion rate.

Is your startup an expression of your own identity and vehicle by which you are master of your destiny, or are you randomly iterating into a different identity, some other destiny?

Are you an inventor, or an explorer in a world you didn’t ask for?

I love the Lean Startup movement because it demands introspection and honors data.  It defines “progress” even in the ineffable mode that progress is achieved in the messiness that is early-stage startups, where it’s nigh-impossible to separate the paths of success and failure.

But I worry that the pendulum can swing too far.  Mantras prevail that amount to “guess and check,” because it’s easier for advisors and investors to drive by metrics rather than by insight, by funnels rather than by a strong point of view.

So what’s the answer?  I refuse for the answer to be “it’s a balance” or “it depends.”

It’s this:

You create children in your own image, literally.  You can’t help it — half their variable DNA is yours. After rebellion, as they age, they “find themselves” and of course discover you were lurking there all along.

At the same time, what kind of parent intentionally molds their kid into their own notion of what the “perfect child” should be?  Well, what kind of startup parent are you to stubbornly mold it to your preconceptions rather than exploring the synthesis of your ideas, your values, your perspective against what is actually true in the world – facts you simply haven’t yet uncovered?

What kind of parent takes pleasure in preventing a kid from fulfilling their own destiny rather than noticing what their kid is naturally drawn to and encouraging and feeding that nature?  Well, what kind of steward of your startup’s destiny are you to predetermine its course, ramming its assigned future down its throat, rather than being the guiding light, helping it find its own way, even while sharing your DNA at its core?

What kind of parent allows a kid to indulge in unhealthy behavior that of course a 3-year-old desires but which isn’t acceptable? Well, what kind of startup builder are you to focus on the easy stuff, the safe stuff, rather than tackling the parts you’re not good at and challenging the assumptions that haven’t been vetted?

If you believe you’re the master and the startup is your slave, then I do believe you’re almost surely destined to fail, because that’s not what a startup is, and that’s not how the world works outside the little bubble where you’re convinced that your ideas are amazing and your product is salable and the world will know it when the homepage is unveiled.

Rather, you are a parent. A shepherd, a steward, a guide, a mentor, a director for what is almost a new life — a thing that has to live and grow and thrive and interact with the real world.

It’s not an amalgamation of other peoples’ notions, but an imperfect copy of yourself that needs guidance as it finds its own way to success.

It’s your startup.

01 Jun 04:47

'Anchorman 2' Official Trailer

01 Jun 04:37

Who is the Highest Paid Employee of Your State?

by Lisa Wade, PhD

Hint from Dmitriy T.C.: he probably wears shorts to work.

Here’s the infographic, sent in also by sociologist Michael Kimmel, revealing the highest paid employee in each state.  Yellow, orange, and green states are all ones in which the most money goes to an athletic coach.  More details at DeadSpin.


Lisa Wade is a professor of sociology at Occidental College. You can follow her on Twitter and Facebook.

01 Jun 03:40

Lesson from Airbnb: Give Yourself Permission to Experiment with Non-scalable Changes

by Todd Hoff

If you are stuck drowning in too much data and too many options and are dazzled by all the possibilities of code, here's a helpful bit of advice from Airbnb's rags-to-riches origin story: it's okay to do things that don’t scale.

A corollary is the idea of paying attention to and learning from what your users are actually doing and let that lead you without out that annoying voice in your head second guessing you, yelling but that will never scale! Worry about building something good, then worry about making it scale.

In Airbnb's case they noticed people weren't booking rooms because the pictures sucked. So they flew to New York and shot some beautiful images. This is a very non-scalable and non-technical solution. Yet it was the turning point for Airbnb and sparked their climb out of the "trough of sorrow." Previously they had been limited by the Silicon Valley idea that every feature had to be scalable. Not every solution can be found behind a computer screen.

For the full story please read How design thinking transformed Airbnb from a failing startup to a billion dollar business.


30 May 15:02

Youtube - Page load progress bar in Chrome changes to Youtube red.

29 May 00:09

China’s Tilt Toward the Private Sector? Becker

by Gary Becker

In a speech this month to Communist party officials (reported in yesterday’s New York Times), Li Keqiang, the recently chosen Prime Minister of China, called for greater reliance on the private sector and reduced dependence on governmental regulations and oversight of the economy. In a remarkable admission he said “The market is the creator of social wealth and the wellspring of self-sustaining economic development.” Several troubling developments in the Chinese economy led to Li’s speech.

China has had very rapid economic growth during the past 30 years that lifted many hundreds of millions of Chinese out of dire poverty. However, during the first quarter of 2013, China’s GDP expanded by “only” 7.7% compared to a year earlier. Although China’s rate of growth is still fast compared to other nations, it is considerably lower than its growth during earlier years. For example, from 2003 to 2011, China’s GDP grew at rates that ranged from about 9% to over 14%. While the last quarter may be only a temporary decline in China’s growth rate, it is consistent with a slowing of growth during the past several years, and with other adverse developments in the Chinese economy.

The Chinese economy has used low wages to specialize in labor-intensive products for the export market. This model is breaking down because wages have risen greatly during the past decade, and export markets have shrunk because of reduced demand from the sluggish economies of the European Union, Japan, and the United States.

Chinese growth has been very uneven, as urban areas have prospered much more than rural areas. This has greatly increased income inequality, especially between farmers and factory workers. The increase in inequality has been magnified by China’s policy of restricting migration from farms to cities, and by not providing the same education and health care to these migrants that is available to other city residents.

China has encouraged investment and discouraged consumption by allowing the state-run banking system to provide investors with low interest rates and easy credit terms, and by price controls and other restrictions on the provision of consumer goods. As a result, private consumption accounts for only about 35% of China’s GDP, compared with over 70% in the United States. Since China’s exports are expected to rise more slowly in the future, in part because its currency will appreciate in value relative to the dollar and other major currencies, the domestic market will become a more important destination for China’s production.

These are some of the problems that explain Prime Minister Li’s desire to unleash the power of the private sector to galvanize China’s economy. A good place to start is with the state-owned enterprises (SOEs) that are still very important in manufacturing, banking, energy, and telecommunications. These SOEs frequently have protected economic positions because competitors are not allowed to enter; for example, three state-operated enterprises divide up the telecom sector. Studies indicate that SOEs are on the whole considerably less efficient than private companies, partly because SOEs get many subsidies, including loans on subsidized terms from the state-run banking system, and soft budget constraints.

Therefore, it is particularly important to curtail the lending and other practices of state-owned banks, and to allow private domestic and foreign banks to become more important providers of credit. This would encourage private enterprises by giving them access to credit on terms that are market driven, and that are more comparable to the terms available to the SOEs.

The many millions of migrants from rural sectors to urban areas should be fully legitimized, so that they have the same rights to education, health, and credit as persons born in cities. This would help reduce inequality and increase productivity by speeding up the migration out of the less efficient parts of the rural sector into more efficient factories and service activities.

The financial crisis and major recession that was brought about in part by excesses in the private banking sector in the United States and some other developed countries led to a widespread reaction against capitalism and the private sector. This happened as well in China for a couple of years as the state sector expanded relative to the private sector.

China’s new leaders have now made clear that the country needs to rely much more on the creativity and resourcefulness of the private sector if it is to move beyond middle income status, and become a major economic power as measured not only by aggregate GDP, but also by per capita GDP. It remains to be seen whether even the new leaders can overcome the strong opposition of SOEs and other special interest groups to the implementation of a major shift toward the private sector.

28 May 23:04

Storm Chaser Captures What It’s Like to Sit In the Middle of an EF4 Tornado

by Michael Zhang

During the 2013 Moore tornado last week, a young man named Charles Gafford III stuck his cell phone through a hole in his storm shelter and captured close-up footage of the EF5 tornado as it passed by. If you thought that video was crazy, check out the footage above — it shows what it’s like to get hit directly by a massive EF4 tornado!


A photograph of a wedge tornado in Oklahoma that was nearly a mile wide. Casey and Ivey sat through one that was about half that size.

The footage was captured by veteran storm chasers Brandon Ivey and Sean Casey, who hunted down the tornado when it touched down in Smith County, Kansas yesterday afternoon.

Despite what you might think, the duo wasn’t trapped in the tornado by accident — they intentionally rode through the storm while sitting in a custom made tank-like Tornado Intercept Vehicle (TIV) designed by Casey:


The TIV is like an ugly version of the new Batman Tumbler. It’s based on a Dodge Ram 3500, weighs 14,300 pounds, has 625 horsepower, can travel over 100MPH, has a range of 750 miles, is protected by a 1/8-inch steel skin covering a 2-inch steel frame, and is covered by 1.63 inches of bullet-resistant polycarbonate sheets and glass.

Here’s a video in which Casey introduces the TIV:

Casey is an IMAX filmmaker who appears in the Discovery Channel series “Storm Chasers.” The vehicle he designed is built to withstand EF-5 tornadoes with winds of over 200 miles per hour. The tornado captured in the video above was measured at half a mile wide with winds of 150-175MPH, classifying it as an EF3/EF4 tornado.

The force of the wind was so powerful that a hatch and door on the vehicle both blew open, instruments were ripped off the exterior, and a piece of wood flew inside. Luckily for the two cameramen, the TIV did stay on the ground. Luckily for us, they kept their cameras rolling.

28 May 22:49

Together, we can eradicate taxis…

by Bryan Goldberg


I remember a story from four years ago, when UberCab was the newest thing. That was before it had a massive valuation, before Travis Kalanick was CEO, and before it changed its name to escape one of its countless legal brouhahas.

I was riding in an airport taxi — it was the first time in weeks that I had taken one. The driver, a hefty bearded man in his 50s, asked me if I had downloaded the TaxiMagic app yet.

“No,” I said, “the only taxi app that I use is UberCab.”

“Ha, you won’t be using that for much longer. We’re taking care of those guys.”

“What do you mean?” I got a little bit nervous — remember, this was before Uber was big and powerful and able to fight back.

“They claim to be taxis, but they’re not fooling anybody. They are just a bunch of towncar drivers trying to get fares. It’s not safe. It’s not legal. And we’re about to shut ‘em down.”

“Who is we?”

“All of us. The cab drivers association, the taxi commissioner.”

“And why do you guys prefer TaxiMagic?”

“Because, it plays by the rules and works with the system.”

That was four years ago. Some people may still use TaxiMagic. In the meantime, Uber is much more alive than that grizzled old taxi driver would have had us believe.

Uber does offer a taxi-dispatching service option, but I have only used it once out of the 500+ Uber rides that I have enjoyed in the last two years.

The one time that an Uber-dispatched taxi cab picked me up, the car smelled like vomit. Not a little bit — the cab literally reeked, as though it had been forged of vomit-infused steel from the fiery furnace of Mount Puke. It made me want to vomit. If I weren’t late for a VC pitch, I would have told him to pull over and gotten out of the car.

The other 499 rides have been either Uber or UberX. And I am proud that in each of those cases it meant that a San Francisco taxi driver was being denied a fare that he might have received from me in the pre-iPhone era.

Because, you see, I want to put San Francisco taxi drivers out of business. That’s one of the reasons I use Uber. That may not be Uber’s goal — but it is mine.

Why? Because taxi drivers don’t value the comfort and convenience of their passengers, and they view the taxi system as a livelihood for themselves rather than a mutually-beneficial service for the people of San Francisco.

I’m stereotyping, right?

No, actually, I’m not. It’s right here in the SFMTA’s official survey of taxi drivers:

The surveys of taxi users found that passengers want [credit card payment] capabilities. A majority of drivers surveyed (53%) do not agree with requiring units that have this capability. A lesser number (35%) agree with the requirement. Driver support would improve if it can be shown that net customer tipping rises with good implementation (37% of drivers believe that credit card users are poor tippers), and if drivers could count on being paid their credit card charges at the end of their shift, instead of waiting a sometimes lengthy period for company processing…

That’s right — only a small minority of taxi drivers is in support of the credit card systems in the back of their cabs.

Why? Because they don’t want to be inconvenienced. They don’t like the idea that they will have to wait to get their money… Evidently, these cab drivers do not realize that the rest of us have to wait two weeks to get our hard-earned money each payday, regardless of how much or how little we make. They also don’t seem to care about our convenience.

If they did care about our convenience, then they wouldn’t ask us our destination before agreeing to pick us up. They wouldn’t talk on their phones the entire ride, which is both obnoxious and unsafe. They wouldn’t ignore the dispatcher when he sends them to our house. They wouldn’t constantly rant about politics. They wouldn’t insist that we give them cash, even when their credit card machine is working fine.

These problems are getting worse, not better — there was a 13 percent increase in passenger complaints last year according to SFMTA.

Are the taxi drivers working hard to improve the situation? Do they think that better customer service could improve taxi demand? No. When the MTA asked drivers to describe their greatest concern:

The most common response heard from drivers was their dissatisfaction with the SFMTA’s regulatory and enforcement activities in relation to…shared ride services.

Taxi drivers spend their days griping about how Government can’t stifle innovation and bring back the glory days of artificially-suppressed competition. Why attract satisfied customers when you can destroy popular competitors? That’s how they view the world.

For years, we San Franciscans clamored for more taxis, but at this point, I can’t think of a single friend who cares about the issue anymore.

Because none of my friends ride in taxis.

There are plenty of Ubers and Lyfts to go around, and we are helping solve our generation’s own underemployment problem by letting our friends (who drive for Lyft) pick us up in their cars and make money doing it. (This compares to the taxi system, which uses an archaic 15-year waiting list to force young people out of the industry.)

Uber and Lyft — no unions, no crazy regulations, no bullshit. And when I occasionally leave my phone or wallet in an Uber, I actually get it back.

There has been a lot of talk lately about whether Silicon Valley actually solves real problems. Fine publications and crappy tabloids alike raise the question — are we building the next Genentech, or are we simply creating fun toys for rich kids to play with? Most would point to Uber as an example of a toy — it brings nothing more than convenience to a select group of “haves” who can afford the premium service.

I view Uber and Lyft as much more than that.

In my opinion, they are doing a great service for the world: proving that the corrupt, broken systems of yesteryear will not survive in this new era. If you treat people like crap, no government agency will save you. No bribe or manipulation will get you out of your own self-created mess. We won’t confront you — we will find an efficient way around you.

For those of us who spent years putting up with the bullshit of the San Francisco Taxi drivers, dispatchers, and regulators, the rise of car sharing has given us the power to boycott. Together, we can put the medallion-wielding taxi drivers out of business for good.

And they will deserve it.

Some people may look at Uber and see a bunch of rich kids riding in style. That’s fine. I see it as accomplishing a much greater mission — destroying corrupt civic institutions. There is no mission more worthwhile.

[Image credit: atomicshark on Flickr]

Bryan Goldberg

Bryan is an entrepreneur in San Francisco. He founded Bleacher Report, and currently advises several startups. Previously, he was a failed investment banker. You can follow him on Twitter.


25 May 23:12

My Side, Her Side

by vandersister

My sister has been hospitalized since yesterday. Today I am with her at the hospital. Normal patients rest in bed when they are told to rest. My sister, on the other hand, suggested that we write a joint post, in which each of us tells her side of the experience. Here it is.


For two days now I have been feeling a strange sort of pain on my right side.

A pain as if something had caught there. I told myself it was probably all those air conditioners, that maybe it was gas, that I had pulled a muscle.

Until last night. Yesterday, when I went to bed, I lay down on my side (as is my habit), and suddenly the pain became so strong that I couldn't breathe.

One of the most frightening feelings in the world is the feeling that there is no air. I felt I was fighting for every breath. I thought to myself: “I wonder if this is what the end feels like”… and that scared me terribly.

I waited two minutes to make sure it wasn't some momentary hysteria, and then I told my husband that something was wrong with me.

When you have cancer (and I really hope you don't, and never will), every little ache in the body is a reason for stress. You find yourself asking yourself: “Is it a plane? Is it a bird? Is it a metastasis? Is it a heart attack?” and so on…

And most of the time it isn't… it's just aches, the kind everyone gets.

But this time it was different. This time I felt something was really, really wrong. Something had gone awry. And I needed to get to a hospital, fast.

And now for the dilemma: whom to wake up to come and watch the kids? Whose night am I going to wreck? Whom am I going to stress out? I decided it would be best to wake my mother. It isn't nice of me, but I trust her, and I'm sure she would rather be kept informed of what's happening…

So we called an ambulance (that's always dramatic, right?), I got a bit of oxygen on the way, and we raced toward the hospital.

In the emergency room, after being ignored for about two hours, a wonderfully kind doctor came over and took blood tests. Afterwards I was sent for a chest X-ray (no pneumonia), and then for a CT.

The diagnosis came fairly quickly: a pulmonary embolism. Sounds really bad, huh? It is actually a blood clot that settled down for a rest on my right lung.

In short, I have been admitted to the internal medicine ward, and I am getting blood thinners. As I understand it, I will need to keep getting thinners (as injections into the belly, ouch) for a few months. Not fun!

Life keeps sending me challenges. But it also keeps giving me proof of how surrounded I am by love and caring.

Here, my sister has just arrived to spend the day with me. Maybe she would like to tell a little about how it looks from her side:


The sister speaks:

Wednesday, one in the morning. I start my usual going-to-bed routine, namely brushing teeth, peeing, tweeting an amusing picture of a rabbit with a goodnight greeting, and hop into bed. While I am musing on the deep philosophical meanings of the latest episode of “Game of Thrones”*, a beep suddenly sounds from my cellphone. Who is texting me at this hour, I wonder. With half-closed eyes and a lazy yawn, I lift the device and check.

A split second later I am wide awake, and ready to bolt from my house like a panther whose tail has just been slammed in a sandwich toaster. My sister wrote that she is in the emergency room. A thousand different scenarios run through my head while I try to gather more details: did she faint? Collapse? Choke? Does she have a fever? Chills? Strange purple blisters? Meanwhile it turns out there are breathing difficulties, my sister and brother-in-law are in the ER, and Wonder-Mom was summoned to watch the kids.

And then comes the hardest part. On the one hand, every cell in my body is ready to strap on a tiny backpack and race to the hospital. On the other hand, you are probably the most superfluous person who could be there right now. These are the hours when the doctors need to figure out exactly what is going on and what needs to be done, and your brother-in-law is already there, so she is not alone, and if you get under the doctors' and nurses' feet, it won't make them love you or the patient any more. Nor will it shorten the queue for the lab or the CT machine.

After my sister promises me on the phone that there really is no need for me to come, and she sounds relatively okay (frightened and short of breath, but okay), I order the cells to unload their tiny backpacks, because we are going to try to rest so we can be of use tomorrow. I ignore their protests and grumbling, and sink into a sort of sleep-not-sleep, interrupted now and then by beeps from the device updating me on developments. The doctor from the ward has arrived. Chest X-ray normal. One blood test abnormal. Suspected pulmonary embolism. Here and there I half fall asleep and sink into a thoroughly surreal dream. For instance, I dreamed that a friend and I were going to a toy store to bring Meirav the toy she wants to the hospital, but the toy was out of stock, and I get hysterical because what will Meirav do without the toy, and suddenly it occurs to me that she doesn't need a toy at all, because she is in the hospital and what does a toy have to do with anything? And then I wake up and scold myself for my silly dreams.

Meanwhile, the diagnosis is confirmed: there is an embolism in the lung. All the cells in my body give me an expectant look. “Yes, friends,” I answer them, “this time we are on our way.” Experienced as I am, I equip myself with everything a hospital visitor needs: cellphone, cellphone charger, another cellphone charger (just in case), laptop, laptop charger, a bottle of water, and of course a chocolate yeast cake. With all due respect to hospital food, the problem is that the patients also need to eat, so I am not taking any chances.

So now we are here in the internal medicine ward. We are both breathing a little easier, using a variety of electronic devices to pass the time, and hoping that this morning's injections do their job faithfully. Meanwhile two nurses and one doctor have come by, the latter trying to find out the details of what happened last night. “So what is the background to this, actually? Has anything unusual happened to you lately?” “You mean, apart from being on chemotherapy for metastatic breast cancer?” my sister replies with a smile.

So for everyone who is interested and worried, I have proof that my sister is indeed joking with her doctors. Stay healthy, folks.

*That is, fantasizing about the hot new actor.**
** Anyone who hasn't seen the episode yet: what new actor, what are you talking about? Ignore this.***
*** Anyone who has seen the new episode: he is hot, right?

25 May 23:01

Hack yourself first – how to go on the offence before online attackers do

by Troy Hunt

The unfortunate reality of the web today is that you’re going to get hacked. Statistically speaking at least, the odds of you having a website without a serious security risk are very low – 14% according to WhiteHat’s State of Web Security report from a couple of weeks ago. Have enough websites for long enough (as many organisations do), and the chances of you getting out unscathed aren’t very good.

There’s this great TEDx talk by Jeremiah Grossman titled Hack Yourself First where he talks about the importance of actively seeking out vulnerabilities in your own software before the evildoers do it for you. In Jeremiah’s post about the talk, he makes a very salient point:

Hack Yourself First advocates building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them.

I love this angle – the angle that empowers the individual to go out and seek out risks in their own assets – as it’s a far more proactive, constructive approach than the one we so often see today which is the “after it breaks, I’ll fix it” approach. Perhaps that’s not always a conscious decision but it all too often turns out to be the case. It also advocates for the folks writing our apps to develop the skills required to break them which is a big part of what I’ve been advocating for some time now and features heavily in many posts on this blog as well as throughout the Pluralsight training I recently released. If developers do not understand the risk – I mean really understand it to the point where they know how to exploit it – then you’re fighting an uphill battle in terms of getting them to understand the value of secure coding.

It’s not just the dedicated security folks talking about hacking yourself first. The other day I was listening to Scott Hanselman talking about WordPress security on his podcast and he made the following point:

I know when I’m writing code I’m not thinking about evil, I’m just trying to think about functionality.

Which of course is perfectly natural for most developers – we build stuff. Other people break stuff! But he goes on to say:

When was the last time I sat down and spent a day or a week trying to break my site?

And we’re back to hacking yourself first or in other words, making a concerted attempt to find vulnerabilities in your own code before someone else does. As Jeremiah referred to it, building up cyber-offense skills for developers. Developing the ability to detect these risks is easy once you know what to look for, in fact many of them are staring you right in the face when you browse a website and that’s what I want to talk about here today.

Let me share my top picks of website security fundamentals that you can check on any site right now without doing anything that a reasonable person would consider “hacking”. I make this point for two reasons: firstly, you really don’t want to go messing up things in your own live site and testing for risks such as SQL injection has every chance of doing just that if a risk is present. The other reason is that by picking non-invasive risks you can assess them on other people’s sites. I’ll come back to why I’m saying this and the context it can be used in at the end of this post, the point is that these are by no means malicious tests, think of them as the gateway drug to identifying more serious risks.

This is going to be a lengthy one so let me give you a little index to get you started:

  1. Lack of transport layer protection for sensitive data
  2. Loading login forms over an insecure channel
  3. Secure cookies
  4. Mixed mode HTTP and HTTPS
  5. Cross Site Scripting (XSS)
  6. Password reminders via email
  7. Insecure password storage
  8. Poor password entropy rules
  9. Denial of service via password reset
  10. HTTP only cookies
  11. Internal server error messages
  12. Path disclosure via robots.txt
  13. Sensitive data leakage via HTML source
  14. Parameter tampering
  15. Clickjacking and the X-Frame-Options header
  16. Cross Site Request Forgery (CSRF)

Remember, every one of these is remotely detectable and you can find them in any website with nothing more than a browser. They’re also web platform agnostic so everything you read here is equally relevant to ASP.NET as it is PHP as it is Java – there are no favourites here! I’m going to draw on lots of examples from previous posts and live websites to bring this back down to earth and avoid focussing on theory alone. Let’s get into it.

1. Lack of transport layer protection for sensitive data

We’ll start off with one that’s easy to observe and which manifests itself in several different ways. When we talk about HTTPS, we’re talking about a secure transport channel and as I’ve written before, it’s about more than just encryption. In fact HTTPS gives us assurance of identity (we know who we’re connecting to), it ensures data integrity (we know the content hasn’t been modified) and finally, it gives us privacy (the data is encrypted and can’t be read by others).

Observing HTTPS is simple as it’s right up there in the address bar:

A website with an HTTPS scheme

Any time any of those three HTTPS objectives – assurance, integrity, privacy – is required, HTTPS needs to be there. There are several common HTTPS-misuse scenarios but clearly the most obvious one is when it simply doesn’t exist at all. We saw this recently with Top CashBack where they allowed for registration – including password transmission – without any transport layer protection whatsoever:

Registration page on Top CashBack without HTTPS

Confidential information such as bank account info, passwords and other data which should not be publicly accessible must be sent over HTTPS. Failure to do this opens up the requests to interception and eavesdropping by a third party at many, many points in the communication chain. Have a read of my post on The beginners guide to breaking website security with nothing more than a Pineapple if you’re not quite sure how that might be possible.

2. Loading login forms over an insecure channel

As OWASP covers in item 9 of the Top 10, HTTPS is about more than just “do you or don’t you have it”, it’s about doing it properly. Indeed this is why they refer to it as “insufficient transport layer protection”. If a page isn’t loaded over HTTPS then you have no confidence in its integrity. In the aforementioned link, I pointed out how the Tunisian government had harvested Facebook credentials because the logon form could be loaded over HTTP. This meant that the state-run ISPs could inject their own script into the page to siphon off credentials on submit. Nasty.

Detecting insufficient use of HTTPS is easy – you won’t see the HTTPS scheme in the address bar! If you see a logon form and the address starts with http:// then that’s wrong. Here’s an example courtesy of Singapore Airlines:

Singapore Airlines loading the login form over HTTP

This may look the same as the previous section but here’s the difference:

<form id="headerLoginForm" action="" method="post" autocomplete="off">
It posts to an HTTPS path. Strictly speaking, the credentials are encrypted when they’re posted but by then it’s too late – the login form has already been loaded over an insecure channel and an attacker has already (potentially) injected their own keylogger into the page.

On occasion, you’ll also see a form loaded into an iframe within an HTTP page. The problem, of course, is we come back to integrity again: there is no guarantee that the HTTP page that embeds the iframe hasn’t been manipulated. Sure, when everything goes just right then the login form is loaded from a secure server, but when it doesn’t then you end up with an attacker loading their own login form that looks just like the real one and the victim is none the wiser.

3. Secure cookies

The thing about HTTP is that it’s stateless which means that each request is a new connection totally independent of previous requests. To maintain state (i.e. some knowledge about the user and their previous activities on the site), we most commonly use cookies and one of the most common uses of cookies is that after logging on, we set what’s referred to as an “auth cookie”. The auth cookie is verification that the user has indeed successfully logged on.

Now, if an attacker can obtain that auth cookie then they can impersonate the victim simply by sending it in a request to the target site. I showed how this works in part 9 of the OWASP Top 10 for .NET developers where I very easily sniffed out an auth cookie from a public network and hijacked the session. Consequently, all authenticated requests must be made over an HTTPS connection. If you can load a page that displays personal information while authenticated and the address starts with http:// then that’s almost certainly wrong.

For example, take a look at Qantas:

Qantas sending auth cookies over HTTP

Get your hands on that auth cookie and suddenly you’re viewing my travel history, booking flights on my behalf, buying stuff with my frequent flyer points and so on and so forth.

The fix is easy and twofold: firstly, you obviously don’t want to be loading pages over HTTP which need to show personal info once you’ve logged in, that’s quite clear. The other thing is that those auth cookies need to be flagged as “secure”. I wrote about this in detail recently in the post titled C is for cookie, H is for hacker – understanding HTTP only and Secure cookies but in short, cookies have an attribute called “secure” which, when set, stops the browser from sending them over an insecure connection. Here’s what Qantas’ cookies look like in Chrome’s developer tools after I've logged in:

Qantas with no secure cookies after authenticating

No secure cookies! Some of them shouldn’t be because they relate to browsing habits outside of my authenticated session, but some of them definitely should be and that includes the multiple auth cookies that are passing my frequent flyer account number around.
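The same check can be run over the raw Set-Cookie headers a site returns after login rather than by eyeballing developer tools. What follows is an added example, not code from the original post: it parses constructed Set-Cookie headers (the cookie names and values are made up for illustration) and, for the cookies you tell it identify the user, reports whether the Secure and HttpOnly attributes are missing. The last sample header shows what a correctly flagged session cookie looks like.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly flags.
# Not code from the original post; the headers and cookie names below are
# constructed for illustration.


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued ones (Path, Domain, Expires) to their value.
    Only the first '=' in the name=value pair is significant, so base64
    values containing '=' survive intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, session_cookie_names):
    """Return {name: [findings]} for every cookie that identifies the user.

    Cookies outside session_cookie_names are skipped: a preferences or
    analytics cookie may legitimately travel over plain HTTP, but anything
    that authenticates the request must not.
    """
    report = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in session_cookie_names:
            continue
        findings = []
        if "secure" not in attrs:
            findings.append("missing Secure: browser will also send it over http://")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable by page script, e.g. via XSS")
        report[name] = findings
    return report


# Constructed Set-Cookie headers, as if captured from a login response.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=3f0c2a9b1d; Path=/; HttpOnly",
    ".AUTHCOOKIE=QUJDREVG...; Path=/; Expires=Wed, 05 Jun 2013 10:00:00 GMT",
    "tracking_id=oeu1369; Path=/; Domain=.example.com",
    "JSESSIONID=9F2E7B; Path=/; Secure; HttpOnly",
]
# Which names carry the session is something only the site owner knows;
# these are assumptions for the sample above.
SESSION_COOKIES = {"ASP.NET_SessionId", ".AUTHCOOKIE", "JSESSIONID"}

if __name__ == "__main__":
    for cookie, findings in audit_cookies(SAMPLE_HEADERS, SESSION_COOKIES).items():
        print(cookie, "OK" if not findings else "; ".join(findings))
```

Capture the headers with your browser's network panel or a proxy after logging in, paste them into SAMPLE_HEADERS, and list your own session cookie names in SESSION_COOKIES; anything that comes back with a finding is a cookie an eavesdropper on an open network can replay.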

4. Mixed mode HTTP and HTTPS

Continuing with the HTTPS theme, another improper implementation is when a page loaded securely over HTTPS then embeds content insecurely over HTTP. This was one of the many (many, many) things that Tesco got wrong as it means you present your users with a rather disconcerting message like this:

Mixed content warning from Chrome

That’s pretty clear – “Don’t load”! Not particularly reassuring, but assuming you do load the page, here’s what you’ll see:

Tesco's Safe Shopping Guarantee with a security warning

The usual assurance provided by the HTTPS scheme and the padlock has a great red cross through it. Nasty (particularly on a page designed to convince you of their security!)

What’s so bad about this? I mean the three HTTPS objectives I outlined earlier – assurance, integrity, privacy – still apply to the page, right? To the page itself as loaded over the wire, yes, but unfortunately things go downhill from there.

Here’s a scenario: a page is loaded over HTTPS which therefore means an eavesdropper cannot modify the contents. However, that page then embeds JavaScript which is loaded insecurely over HTTP which means that it can be intercepted and modified. So that’s just what an attacker does and the modification includes embedding JavaScript to siphon off credentials just like the Tunisian government did earlier. It’s that simple.

The easiest way to identify mixed mode is just to look for the browser warnings you see above. Different browsers will present the warning in different ways, for example in Internet Explorer:

Internet Explorer's mixed mode warning

You can also often see more information by clicking on the padlock icon, here’s Chrome (sorry Qantas, I’m calling you on bad security again!):

Chrome's mixed mode warning

But that doesn’t tell you what was loaded insecurely. To do this, all we need to do is look at the requests made by the browser and the Developer Tools in Internet Explorer (just hit F12) are a great way of doing this. Here I’ve simply looked at the network requests made to load the Qantas website and identified the request that was sent over the HTTP scheme:

Network view showing insecure request on an HTTPS page

And there we have it; a single request designed to set a tracking cookie and now you’re being told the whole page can’t be trusted!
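The check described above, done against the page source rather than by eyeballing browser warnings: an added example (not code from the original post) that parses an HTTPS page and lists every sub-resource whose URL resolves to the plain http: scheme. The sample page and host names are constructed for the example.

```python
"""Added example: flag sub-resources that an HTTPS page loads over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "source": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collect every sub-resource URL whose scheme resolves to http:."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) pairs fetched over HTTP

    def handle_starttag(self, tag, attrs):
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = dict(attrs).get(attr)
            if not value:
                continue
            # Relative and protocol-relative ("//host/x") URLs inherit the
            # page's scheme, so only references that resolve to http: matter.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return the (tag, url) sub-resources an HTTPS page fetches insecurely.

    An http: page cannot have mixed content, so it yields an empty list.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure


# Constructed sample page: one tracking script over http: (the same shape as
# the tracking-cookie request in the text), everything else secure or relative.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.com/jquery.js"></script>
<script src="http://tracker.example.net/pixel.js"></script>
</head><body>
<img src="//static.example.com/logo.png">
<img src="http://static.example.com/banner.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.com/", SAMPLE_PAGE):
        print("insecure <%s> loaded from %s" % (tag, url))
```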

5. Cross Site Scripting (XSS)

This is the one area where some folks might argue a little exploring is no longer playing nice. However, assuming we’re talking about reflective XSS (the kind you only see when the payload is passed in via the request) and not persistent XSS (the kind that gets put in the database and served to everyone), I reckon there’s no harm done, assuming you don’t then go out and leverage it in an attack.

Moving on, you can observe reflective XSS when content such as HTML tags and JavaScript is able to be passed to a page (usually via query string or form post data) and rendered into the markup thus changing the way the page behaves. Take a page such as Billabong’s registration page:

Billabong's registration page

Now let’s manipulate a few query string parameters and the page can be modified to include Bugs Bunny and Miranda Kerr:

Registration page manipulated by query string parameters

Clearly this is pretty innocuous but it demonstrates that an attacker can modify the page behaviour if they can engineer a victim to click on a carefully crafted link to the site. That link may rewrite the page contents to something quite different, serve the victim malware or even steal their cookies and hijack their session. There are many, many ways that XSS can be used to do nasty things and the detection of the risk is very simple.

Usually it takes nothing more than wrapping untrusted data (remember, this is the stuff your users provide to the system) in an italics tag to confirm the presence of XSS. For example, if I search for “Earth-shattering <i>kaboom!</i>” on a website and it then says “You searched for Earth-shattering kaboom!” with the last word in italics, we have a problem. Instead of correctly output encoding the angle brackets into &lt; and &gt; it has rendered them exactly as provided into the source code and thus changed the actual markup rather than the content.

It’s a similar (although arguably more prevalent) problem with untrusted data rendered to JavaScript. What you need to remember is that encoding differs from context to context; you can’t encode angle brackets like you would for HTML, instead they become %3C and %3E. Developers often make the mistake of doing this very manually (“if char is < then replace with %3C”) which inevitably leads to gaps in the encoding logic, so testing a range of different characters often yields results where the obvious ones won’t.
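To make the context point concrete, here is an added example (not from the original post) contrasting the hand-rolled “replace the angle brackets” encoder with encoders for the HTML body, a quoted attribute and a JavaScript string literal. For the JavaScript context it uses `\xHH` string escapes rather than the URL-style form quoted above; the search term and form markup are constructed for the example.

```python
"""Added example: output encoding has to match the context the data lands in."""
import html
import json


def naive_encode(untrusted):
    """The hand-rolled encoder the text warns about: only the two characters
    the developer thought of, so quotes and ampersands pass straight through."""
    return untrusted.replace("<", "&lt;").replace(">", "&gt;")


def encode_for_html(untrusted):
    """For text between tags or inside a *quoted* attribute: <, >, &, " and '."""
    return html.escape(untrusted, quote=True)


def encode_for_javascript_string(untrusted):
    """For data placed inside a JS string literal in a <script> block.

    json.dumps yields a quoted literal with backslashes, quotes and control
    characters escaped; the extra pass turns <, >, & and / into \\xHH escapes
    so the HTML parser never sees a closing </script> inside the string.
    """
    literal = json.dumps(untrusted)
    for ch in "<>&/":
        literal = literal.replace(ch, "\\x%02X" % ord(ch))
    return literal


def render_search_result(term):
    """Render the 'You searched for ...' page fragment safely in three contexts."""
    return {
        "body": "You searched for " + encode_for_html(term),
        "attribute": '<input name="q" value="%s">' % encode_for_html(term),
        "script": "var term = %s;" % encode_for_javascript_string(term),
    }


if __name__ == "__main__":
    # Constructed probe in the spirit of the text: an italics tag in the query.
    for context, markup in render_search_result("Earth-shattering <i>kaboom!</i>").items():
        print("%-9s %s" % (context, markup))
```

The attribute-breaking case shows the gap: `naive_encode` leaves a `"` untouched, so a value placed in an attribute can close it and add an event handler, while `encode_for_html` turns the quote into `&quot;`.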

6. Password reminders via email

Nothing of a sensitive nature goes into email, it’s that simple. You should never, ever receive an email like this:

Password sent in plain text by

There are a couple of reasons why and the first one is that email is simply not a secure transport mechanism. Whilst it’s possible to secure the connection to an outbound SMTP server using SSL (SMTPS), there’s a lot that happens downstream from there with no guarantee that transport layer encryption is present on each downstream node. Of course there are options like PGP Email but I’ve never seen this used in a password reminder from a website. Ever.

The other issue is that your mailbox is simply not a secure storage facility. Of course there are many different mail providers with many different implementations but the only safe assumption is not to store sensitive data in there. Websites that email credentials put users at risk not just on their own site, but also on other sites due to the (unfortunate but real) propensity for people to reuse passwords. We’ve seen password reuse exploited before through cases like the Gawker Acai berry tweets. It’s a real risk.

The only suitable way for a website to assist a user who has lost their password is to provide a secure password reset feature. This means emailing a time-limited, single use token that allows a new password to be set on the account, with a confirmation email sent to the user afterwards. That’s a pretty simple mechanism but there are still numerous sites doing the wrong thing and sending the original password in email.

7. Insecure password storage

The previous point around emailing passwords is only possible because passwords are not stored correctly to begin with. Let that just sink in a bit and allow me to repeat: if a website is even able to email you your password then they’re not satisfactorily protecting it. You’ve got three common ways of storing passwords:

  1. In plain text
  2. Encrypted
  3. Hashed

The first point is pretty clear – there is no cryptography involved in the storage of the password. One little SQL injection risk, let alone disclosure of the whole database, and you’re toast – every password is immediately readable.

Encryption is at least some attempt at secure storage but as I’ve often said before, the problem with encryption is decryption. Once you’re talking encryption you’re talking key management and that’s not something we do well enough, often enough, particularly when it comes to websites (keys in config files, anyone?). What it usually means is multiple points of potential failure when a system is breached.

The most appropriate means of storing passwords is with a strong hashing algorithm. That doesn’t mean a single hit of MD5 or SHA1 (or any other SHA variant for that matter) and it also doesn’t mean just salting it before it’s hashed. I go into a lot more detail about this in Our password hashing has no clothes but in short, we’re often doing hashing wrong and what you really want is a computationally expensive algorithm designed for password cryptography.

Here’s why this is important:

AMD Radeon HD 7970

This is an AMD Radeon 7970 consumer-level graphics card. You can buy it for a few hundred bucks and it can crack up to 7.5B hashes per second. Yes, that’s with a “B” so in other words 7,500,000,000. Crikey! Without delving into the nuances of cryptographic hashes here (the “no clothes” post above covers that), the point is that you have to choose the right hashing algorithm. Cracking is still possible, but if we could bring that rate down by, say, 99.99%, it poses a very different value proposition to an attacker.

In the context of this post though, there’s a very easy way to tell when a password hasn’t been stored as a hash – you can see it. That’s usually via the previous risk where it’s emailed to you but sometimes it’s also represented in the UI (more on that a little later). Another common way that poor password practices are disclosed is when an operator knows it, for example when you call up for support. Now identity verification is just fine and there are multiple ways to do that, but using the same credentials for web login and customer service verification is fraught with problems, not least of which is the fact that your personal credentials are visible to other humans whether that be by them looking at them in the system or people verbally providing them to operators.

You start to understand more about why this is a problem when you see stats like these:

Reuse of passwords between Sony and Yahoo! Voices

When 58% of people are reusing credentials (and many studies will show far higher levels than that), the risk of sloppy password management by a website starts to have much greater reach than just their own site, they’re jeopardising customers’ other sites because rightly or wrongly, there’s a pretty good chance those credentials have been reused elsewhere.

8. Poor password entropy rules

Here is a very simple password fact: the longer it is and the more characters of different types it contains in the most random fashion possible, the better it is.

Conversely, the more constrained a password is whether that be by length or particular characters or even entire character sets, the more likely it is to be cracked if push comes to shove.

Consequently, this is bad:

St. George bank not allowing spaces or special characters in the password

But this is even worse:

ING Direct using a four digit PIN

These are examples taken from my 2011 post on the Who’s who of bad password practices – banks, airlines and more where an alarming number of websites were placing arbitrary constraints on passwords. A follow-up post found 3 major reasons why these constraints exist and frankly, they’re all pretty weak excuses.

We need to come back to why this is so important: in the last risk above about password storage I mentioned cracking 7.5B passwords per second with a consumer level graphics card. Now, imagine you bank with ING Direct using a 4 digit password, their database gets breached and the hashed accounts are leaked – the hash is now the only thing between the password being protected and an attacker gaining access to it and using it anywhere it’s still valid, either on the original site or places it’s been reused. An attacker can compute the entire key space of hashes in 1/750,000th of a second. Clearly ING felt this might be a risk so since this post they strengthened their password policy… all the way up to 6 digits, or in other words, 1/7,500th of a second. Your password is toast. But strength increases exponentially so the longer a password becomes and the more characters it contains, the stronger it gets. It’s that simple.
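The key-space arithmetic above carried through for several policies, as an added example that is not part of the original post: it uses the 7.5B hashes per second figure from the text and shows how a stretched hash (PBKDF2 iterations, for instance) divides that rate. The policy labels are constructed for the example.

```python
"""Added example: how password policy and hash stretching change exhaustive search cost."""
from fractions import Fraction

GPU_RATE = 7_500_000_000  # hashes per second: the Radeon 7970 figure in the text


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, rate=GPU_RATE, stretch=1):
    """Worst-case seconds to hash every password in the key space.

    `stretch` is the work factor of the storage scheme (e.g. PBKDF2
    iterations); a single MD5 or SHA1 pass is stretch=1. Exact arithmetic so
    the 1/750,000 s and 1/7,500 s figures from the text come out exactly.
    """
    return Fraction(keyspace(charset_size, length) * stretch, rate)


# Constructed policies: (label, charset size, length)
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("8 chars, letters and digits", 62, 8),
    ("12 chars, printable ASCII", 95, 12),
]


def policy_report(stretch=1):
    """Return [(label, seconds)] so the exponential growth with length is visible."""
    return [(label, seconds_to_exhaust(size, length, stretch=stretch))
            for label, size, length in POLICIES]


if __name__ == "__main__":
    for label, secs in policy_report():
        print("%-30s single hash: %12.6g s" % (label, float(secs)))
    for label, secs in policy_report(stretch=100_000):
        print("%-30s 100k-iteration PBKDF2: %12.6g s" % (label, float(secs)))
```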

Constraints of any kind on password fields (short of perhaps just one on a very long length) are just not on – there’s simply no good reason for it today. In fact I also made the point a little while back that you should expressly allow XSS in your passwords – no sanitisation at all! The thing is that per the previous risk on storage, passwords should never be redisplayed in any context anyway so let customers go nuts.

9. Denial of service via password reset

Here’s one that you often see gotten wrong: password reset processes that immediately disable the old password. It looks like this:

Aussie Farmers Direct disabling accounts on password reset

Now that might not seem too bad, but the problem is that it poses a denial of service risk (there’s also that mixed mode HTTP / HTTPS warning we looked at earlier). Here’s an example: you know someone who uses the Aussie Farmers Direct website and you want to make life a bit hard on them so you reset their password and bingo – they can no longer log in. Now of course they can go and grab the new password from their inbox (or junk mail) and log themselves in again, but they’ll probably want to then change it which adds another layer of inconvenience. This sort of practice can be used as an attack, for example it can take someone out of the running just before the end of an auction so the impact can extend beyond the realm of just mere inconvenience.

The correct way to issue a password reset is to send a time-limited, single use token to the recipient. This gives only the legitimate owner the ability to change their password and it does so without breaking the earlier rule of emailing a password that can then be used beyond the reset process. You can read more about this and other aspects of password resets in Everything you ever wanted to know about building a secure password reset feature.
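The token-based reset described here and back in risk 6, as an added example that is not code from the original post: the emailed token is random, stored only as a hash, expires, and is consumed on first use, and the old password stays valid until a good token is redeemed. The in-memory store, the clock parameter and the `users` dictionary are constructed for the example; `new_password_record` is whatever your password hashing produces.

```python
"""Added example: time-limited, single-use password reset tokens."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # half an hour is plenty to open an email


class ResetTokenStore:
    """In-memory store; a real deployment keeps the same data in the database.

    `clock` is injectable so expiry can be tested without waiting.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id):
        """Create a token for the user and return it for the emailed link.

        Only the hash is stored, so a copy of the database cannot be replayed
        as a token. The password itself never goes anywhere near the email.
        """
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token):
        """Return the user_id for a valid token, else None.

        The entry is removed before the expiry check, so a token works exactly
        once whether or not it was still in date.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()


def complete_reset(store, users, token, new_password_record):
    """Set the new password only when the token is good.

    The existing password is untouched until this point, so merely requesting
    a reset for someone (risk 9) cannot lock them out of their account.
    """
    user_id = store.redeem(token)
    if user_id is None or user_id not in users:
        return False
    users[user_id]["password_record"] = new_password_record
    return True
```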

10. HTTP only cookies

People often don’t think a lot about cookies but those little bytes of information in the header have hidden depths. They can also be pretty damn important to the security of the website and thus need to be appropriately protected. For example, it’s usually cookies that are used to persist a user’s authenticated state across requests. If an attacker can get hold of that cookie then they can hijack the session or in other words, immediately take on the identity of the victim.

I wrote about this recently in C is for cookie, H is for hacker – understanding HTTP only and Secure cookies, the latter part of which we looked at in the third risk in this post. For now though, the important thing to understand is that cookies may have an attribute set that is referred to as “HTTP only” which you can easily view from any tools which can inspect cookies such as Internet Explorer’s developer tools:

Test cookies set in the response

Here’s the party trick that HTTP only cookies have: they can’t be read by JavaScript on the client. Keeping in mind that there are cases where you want JavaScript to be able to access cookies, in many situations it’s only the server that needs to access those cookies. For example, when you logon to a website it’s usually an auth cookie that’s returned by the server and then automatically sent back again with each new request. This is what enables the website to see that you’re still authenticated.

This is what also enables session hijacking; if an attacker can get that cookie then it’s all over red rover – they can now become you. A popular means of session hijacking is to leverage an exploit such as XSS to send the cookies to an attacker. For example, an attacker may socialise a link which causes JavaScript to be embedded in the page which accesses document.cookie and makes a request to a resource which they own whilst passing the cookies along in the query string.

When we look at the response after logging into a site which doesn’t properly protect cookies with the HTTP only flag – such as Aussie Farmers Direct (again) – we see something like this:

Aussie Farmers Direct with a non-HTTP Only session cookie

What we can see here is that the PHPSESSID cookie is not flagged as HTTP only. All it would take is one little XSS risk to be combined with this and things would start to get very ugly.
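The same check done on raw response headers, as an added example (not code from the original post): it parses each Set-Cookie value and reports session-style cookies, such as the PHPSESSID above, that lack the HttpOnly flag or, on an HTTPS site, the Secure flag. The list of session cookie names and the sample headers are constructed for the example.

```python
"""Added example: audit Set-Cookie headers for the HttpOnly and Secure flags."""

# Cookie names that commonly carry authenticated state; extend for your stack.
SESSION_NAMES = ("phpsessid", "asp.net_sessionid", ".aspxauth", "jsessionid", "sessionid")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Flag attributes with no value (Secure, HttpOnly) map to True; attribute
    names are lower-cased because browsers treat them case-insensitively.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, over_https=True, session_names=SESSION_NAMES):
    """Return a list of findings for session-like cookies missing protections."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in session_names:
            continue
        if "httponly" not in attrs:
            findings.append("%s: readable by JavaScript (no HttpOnly flag)" % name)
        if over_https and "secure" not in attrs:
            findings.append("%s: will be sent over plain HTTP (no Secure flag)" % name)
    return findings


# Constructed response headers: a bare PHP session cookie, a properly flagged
# ASP.NET auth cookie and an unrelated tracking cookie.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/",
    ".ASPXAUTH=tok; path=/; secure; HttpOnly",
    "tracking=xyz; path=/; expires=Wed, 01 Jan 2020 00:00:00 GMT",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```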

11. Internal error messages

I’ve written a bunch about disclosure of internal error messages in the past. For example, there was Kogan with their massive leakage last year:

Django debug info from

This included everything from framework versions to code locations to database credentials. This was running on Django but I’ve written about equally bad practices in ASP.NET, such as the masses of exposed ELMAH logs that are easily discoverable via Google. There were 11,000 easily discoverable ELMAH logs exposing authentication cookies when I wrote about this early last year:

Google search for inurl:elmah.axd ASPXAUTH

It’s, uh, kinda gotten a bit worse since then:

44,300 ELMAH logs in a Google search

Of course the problem with internal error messages is that they can give an attacker a massive head start when it comes to compromising a vulnerable website. Naturally this will depend on the nature of the data exposed in the error, but in a case like those ELMAH auth cookies it makes session hijacking an absolute cinch. Other examples of exposed information can include anything up to and including connection strings to database servers that are publicly accessible. Ouch!

How you tackle this will differ by framework but the simple message that’s relevant across the stacks is this: keep internal errors internal! Configure your app to return generic error messages that don’t leak any info about how the app is put together. It’s not only more secure, it’s a whole lot more user friendly.

In terms of detection, there are plenty of times where an error message will just reveal itself during the organic use of the website. That was the case with Kogan above, but you can often cause an internal error simply by a minor change to the request structure. For example, replace “id=123” with “id=abc” and an exception is raised when the app tries to convert the parameter to an integer without the appropriate error handling. Or simply append an illegal character to a URL – an angle bracket will often cause an exception.
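The “id=abc” case from above, as an added example (not code from the original post): the leaky handler returns the full traceback to the client, while the hardened one logs the detail server-side under a reference id and returns only a generic message. The order lookup and the request dictionaries are constructed for the example.

```python
"""Added example: keep exception detail in the server log and out of the HTTP response."""
import logging
import traceback
import uuid

log = logging.getLogger("app")
ORDERS = {123: "one Lego X-wing"}  # constructed stand-in for a database table


def lookup_order(order_id_param):
    """Application logic: raises ValueError for id=abc, KeyError for an unknown id."""
    return ORDERS[int(order_id_param)]


def handle_leaky(query):
    """The 'before' case: the traceback, with file paths and framework internals,
    is written straight into the response body."""
    try:
        return 200, lookup_order(query.get("id", ""))
    except Exception:
        return 500, traceback.format_exc()


def handle_generic(query):
    """Expected bad input gets a plain 404; anything unexpected is logged in full
    under a reference id and the user sees only that id."""
    try:
        return 200, lookup_order(query.get("id", ""))
    except (ValueError, KeyError):
        return 404, "Order not found"
    except Exception:
        incident = uuid.uuid4().hex
        log.exception("unhandled error, incident %s", incident)
        return 500, "Something went wrong. Reference: %s" % incident


if __name__ == "__main__":
    print(handle_leaky({"id": "abc"})[1])
    print(handle_generic({"id": "abc"}))
```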

12. Path disclosure via robots.txt

Everybody knows what robots.txt does, right? Here’s a quick recap: when search engines come knocking to discover what’s on a website so that its content can be indexed and made easily searchable, in theory the search engine will look for a file named robots.txt in the root of the site. This file contains information which complies with the Robots Exclusion Standard and the idea is that it helps search engines with both what to index and what not to index.

The reason why the “what not to index” bit is important in the context of web security is that often developers will use the “Disallow” syntax to prohibit the search engine from making information on their site discoverable. For example, they may have some sensitive documents or administrative features they don’t want people stumbling across via carefully crafted Google searches (everyone is aware of Google Dorks, right?) so they politely ask the search engine not to crawl that particular piece of content.

The problem is that you end up with sites like GoGet and their robots.txt file which looks just like this:

User-agent: * 
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /editor/
Disallow: /help/
Disallow: /images/
Disallow: /includes/
Disallow: /language/
Disallow: /mambots/
Disallow: /media/
Disallow: /modules/
Disallow: /templates/
Disallow: /installation/
Disallow: /bookings/secret/

See the last one – “/bookings/secret/”? The problem, of course, is that just naming a path “secret” does not make it so! Now GoGet isn’t immediately disclosing anything of risk (although they might want to review the earlier point on insufficient use of TLS), but there are many examples where that isn’t the case.

The thing about robots.txt is that it very often gives an attacker a starting point. It’s one of the first things to look for when trying to understand how a site is put together and where features that are intended to be private might exist. But most importantly, a disallow declaration in the robots.txt is never a substitute for robust access controls. Regardless of how much obfuscation you throw at a path, you absolutely, positively need to implement access controls and work on the assumption that all URLs are public URLs.
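To turn “all URLs are public URLs” into a check you can run against your own site, here is an added example (not code from the original post): it parses the Disallow rules out of a robots.txt and reports any path you consider private that still answers an anonymous request with 200. The GoGet file above is used as the sample; the fetcher and the set of private paths are constructed stand-ins for the example.

```python
"""Added example: verify that robots.txt Disallow rules are backed by access control."""

# The robots.txt quoted in the text.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /editor/
Disallow: /help/
Disallow: /images/
Disallow: /includes/
Disallow: /language/
Disallow: /mambots/
Disallow: /media/
Disallow: /modules/
Disallow: /templates/
Disallow: /installation/
Disallow: /bookings/secret/
"""


def parse_disallowed_paths(robots_txt):
    """Return the Disallow prefixes declared for any user agent, in file order."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # the standard allows # comments
        if not line:
            continue
        field, _, value = line.partition(":")
        path = value.strip()
        if field.strip().lower() == "disallow" and path and path not in paths:
            paths.append(path)
    return paths


def unprotected_private_paths(robots_txt, private_paths, fetch_anonymous):
    """Paths marked Disallow that you consider private yet serve 200 to a request
    carrying no cookies or credentials.

    fetch_anonymous(path) -> HTTP status code; supply one that hits your own site.
    """
    return [p for p in parse_disallowed_paths(robots_txt)
            if p in private_paths and fetch_anonymous(p) == 200]


def stub_fetch(path):
    """Constructed stand-in for an anonymous GET: the admin area redirects to a
    login page, the installer is gone, everything else is served as-is."""
    return {"/administrator/": 302, "/installation/": 404}.get(path, 200)


PRIVATE = {"/administrator/", "/installation/", "/bookings/secret/"}

if __name__ == "__main__":
    for path in unprotected_private_paths(SAMPLE_ROBOTS, PRIVATE, stub_fetch):
        print("disallowed but anonymously reachable:", path)
```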

13. Sensitive data leakage via HTML source

Everyone knows how to view the HTML source of a page, right? It’s always a variation of the classic right-click –> view source or for the keyboard ninjas, CTRL-U in browsers such as Chrome and Firefox. But of course that’s not the only way to view source, you can always proxy the traffic through tools like Fiddler or Charles and inspect the page contents at that point. The point is that HTML source, for all intents and purposes, is readily viewable and not the place to store any sensitive data. Yet we have examples such as doing this in the browser:

My Dish web interface showing a password field

Which is driven by this in the source:

My Dish source code with the password re-typed

Now this is clearly just crazy stuff – there’s absolutely no reason to pre-populate this field and of course just the fact they can also means that they’re not storing the password correctly as a secure hash to begin with. Whilst this risk only discloses your own password, if an attacker could hijack the session then they could easily grab it from the HTML source (and then leverage everywhere it’s been reused on other sites).

This is a rather extreme example but I’ve seen many, many others which expose data they shouldn’t in the source. Just viewing the source code of various pages in a site can disclose a huge amount of information about how it’s put together and often disclose risks in the design. On many occasions now I’ve seen comments in the source which disclose varying levels of information about the internal implementation of the site. In fact commenting of code itself can be very revealing, particularly if it points to paths that may not be properly secured or contain their own vulnerabilities.

Another angle is the nature of the information disclosed through source in the legitimate function of the website. On occasion I’ve seen SQL statements in hidden fields which not only discloses the structure of the database but also opens the site up to parameter tampering and potentially SQL injection. Speaking of which…

14. Parameter tampering

Here’s an interesting one – when you search Action Recruitment for jobs you’ll notice a URL a little like this:

*%20,%20'1'%20AS%20Score%20FROM%20posting%20WHERE%20%20%20%20(%20CategoryID%20LIKE%20'%')%20%20%20ORDER%20BY%20Title%20&start=10

Can anyone see the problem with that? Let me break out the important bit and remove the URL encoding:

SELECT * , '1' AS Score FROM posting WHERE    ( CategoryID LIKE '%')   ORDER BY Title

That’s right, you’re looking at SQL statements embedded in the query string. For the sake of posterity should the site design change in the future, here’s what that page looks like right now:

Action Recruitment with SQL in the query string

Should this site indeed just take the query string parameter and execute it as an entire SQL statement, it actually poses two problems. The first is that tampering can produce results outside the intended function of the app. This could be minor – such as returning more records – or more significant, such as returning someone else’s records. The second issue is that it could be at risk of SQL injection if manipulating the parameter changes the structure or behaviour of the database query itself. This is where things become a lot less grey and a lot more black…

The intention of this post is to draw attention to detecting risks which don’t step into the realm of what most reasonable people would deem “hacking”. Probing for SQL injection flaws very quickly descends into that realm and that’s not somewhere you want to go anywhere near on someone else’s site if you’re trying to play nice.
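What the two problems above look like in code, as an added example (not code from the original post or the site discussed): an in-memory SQLite database with a handler that runs whatever SQL arrives in the query string, beside one that binds the category as a parameter and whitelists the sort column. The tables, rows and the `applicant` table are constructed for the example.

```python
"""Added example: SQL carried in the query string beside a parameterised search."""
import sqlite3

# The statement from the URL in the text, with the URL encoding removed.
PAGE_SQL = "SELECT * , '1' AS Score FROM posting WHERE    ( CategoryID LIKE '%')   ORDER BY Title"


def make_db():
    """Constructed data: a job board plus a table the search page should never touch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posting (id INTEGER, Title TEXT, CategoryID TEXT, Salary INTEGER)")
    conn.executemany("INSERT INTO posting VALUES (?, ?, ?, ?)", [
        (1, "Analyst", "IT", 80000),
        (2, "Nurse", "HEALTH", 70000),
        (3, "Developer", "IT", 95000),
    ])
    conn.execute("CREATE TABLE applicant (name TEXT, email TEXT)")
    conn.execute("INSERT INTO applicant VALUES ('Alice', 'alice@example.com')")
    return conn


def search_tamperable(conn, sql_from_query_string):
    """The pattern the URL suggests: the parameter *is* the statement, so the
    caller decides which table is read and how many rows come back."""
    return conn.execute(sql_from_query_string).fetchall()


ALLOWED_SORT = {"Title", "Salary"}


def search_parameterised(conn, category, sort="Title"):
    """Category is bound as data; the sort column comes from a fixed whitelist
    because identifiers cannot be parameterised."""
    if sort not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    sql = "SELECT id, Title, CategoryID FROM posting WHERE CategoryID LIKE ? ORDER BY " + sort
    return conn.execute(sql, (category,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_tamperable(db, PAGE_SQL))
    print(search_tamperable(db, "SELECT name, email FROM applicant"))  # someone else's records
    print(search_parameterised(db, "IT"))
    print(search_parameterised(db, "IT' OR '1'='1"))  # just a literal, matches nothing
```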

15. Clickjacking and the X-Frame-Options header

A few days ago I wrote about Clickjack attack – the hidden threat right in front of you and showed just how easily a clickjacking attack can be launched. In essence, this attack boils down to placing the target site in an iframe and whacking the opacity of it down to zero so that the site underneath that shows through. The underlying site is then structured to show tempting links which line up perfectly underneath the target site so whilst the victim thinks they’re clicking on a link on the hoax site, they’re actually clicking a hidden link on top of that which is served by the victim site above it.

Imagine this scenario:

Win an iPad website showing the banking website on top of it

This image shows the victim site sitting at 50% opacity (it would normally be at 0% therefore hidden), so you get a sense of how everything lines up. The impact of the clickjacking attack is commensurate with the action being performed by a simple click; it could range from a social media endorsement such as a “like” all the way through to performing a banking action.

The mitigation is simple to implement and also simple to observe, you just need to look for the response header. For example, here’s what you’ll see on ASafaWeb (my own site, which we’ll come back to shortly) using the Chrome developer tools:


As you’ll read in the post above, there are a few different possible values for this header, the main thing is that unless you’ve got a good reason to allow the site to be embedded in a frame absolutely anywhere, there should be an X-Frame-Options header returned along with each request. You can also check this with ASafaWeb, this test has been added to the software just this week.
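Both halves of that, as an added example (not code from the original post or from ASafaWeb): a function that grades the X-Frame-Options header seen in a response, and a small WSGI middleware that stamps the header on every response so it cannot be forgotten on individual pages. The sample application and the test driver are constructed for the example.

```python
"""Added example: check for X-Frame-Options on a response, and set it on every response."""

ALLOWED_VALUES = ("DENY", "SAMEORIGIN")


def frame_options_finding(headers):
    """Describe the clickjacking exposure for a response, or None if framing is refused.

    `headers` is a dict of response headers; names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-frame-options")
    if value is None:
        return "no X-Frame-Options header: the page can be framed by any site"
    normalised = value.strip().upper()
    if normalised in ALLOWED_VALUES:
        return None
    if normalised.startswith("ALLOW-FROM "):
        return None  # legacy single-origin form; not every browser honours it
    return "unrecognised X-Frame-Options value %r: browsers will ignore it" % value


class FrameOptionsMiddleware:
    """WSGI middleware that adds X-Frame-Options to every response it wraps."""

    def __init__(self, app, value="SAMEORIGIN"):
        if value.upper() not in ALLOWED_VALUES:
            raise ValueError("use DENY or SAMEORIGIN")
        self.app = app
        self.value = value.upper()

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            # Replace any value the application set so the policy is uniform.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", self.value))
            return start_response(status, headers, exc_info)
        return self.app(environ, wrapped_start)


def plain_app(environ, start_response):
    """Constructed application that sets no protective headers of its own."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Transfer funds</h1>"]


def call_app(app, path="/"):
    """Minimal WSGI driver: returns (status, headers, body) for a GET."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, bare_headers, _ = call_app(plain_app)
    print(frame_options_finding(dict(bare_headers)))
    _, headers, _ = call_app(FrameOptionsMiddleware(plain_app, "DENY"))
    print(headers, frame_options_finding(dict(headers)))
```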

16. Cross Site Request Forgery (CSRF)

In many ways HTTP is quite clever. For example, you can authenticate to a website and then in unison with the web browser it will happily send your auth cookie back to the website with each request automagically.

In other ways HTTP is rather foolish. For example, you can authenticate to a website and then in unison with the web browser it will happily send your auth cookie back to the website with each request automagically. Oh – even when you didn’t actually intend to make the request!

It’s that last bit that CSRF exploits. The risk here is that if an attacker can trick a victim’s browser into making a request to a website they’re already authenticated to and modify the parameters of the request to do the attacker’s bidding, we might have a bit of a problem. For example, if a banking website allows an authenticated user to make a request such as “/transfer/?amount=500&to_account=1234567890” and it actually effects a change (such as transferring money), then we have a CSRF risk. That’s a very simplistic example and I do go into a lot more detail in part 5 of the OWASP Top 10.

Let me give you a real world example. When you’re logged in to Toys R Us, if you make a POST request like this:

And you send the following form data:

productid: 1675220
quantity: 1
injectorder: true

You will add one of these to your cart:

Lego Star Wars X-wing model

Now of course there is nothing wrong with a Lego Star Wars X-wing model, assuming you actually wanted one! The problem is that all an attacker needs to do is trick your browser into reproducing the same request pattern – just the URL and form data – and you’ll have one of these in your cart. Executing this can be extremely simple, for example, visit an attacker’s page where there are hidden form fields reconstructing those three pieces of data I showed earlier on and the action is set to the URL which adds the item to the cart. Now give them a big “Win free stuff” button (which is how the attacker lured them in to begin with) and badaboom – they’ll submit the request along with their authentication cookie to the Toys R Us website and have a shiny new Lego model in their cart! The attacker might even target a hidden frame so that the victim can’t see the response from the Toys R Us server.

That’s a very simplistic example in a low-risk scenario. There are more complex executions and obviously more risky scenarios and they’re possible because the CSRF attack is able to reproduce the appropriately structured HTTP request which, of course, also sends off the authenticated user’s cookies because that’s just how HTTP works.

The mitigation is detailed in the post I mentioned earlier and it’s all about using an anti-forgery token in the form with a corresponding cookie. If both of these values don’t reconcile when the request is made then it’s considered to be forged. This works because an attacker cannot simply recreate the correct form data without grabbing the token from the website which is unique to the user. The anti-forgery cookie will be sent automatically – that’s fine – but its mate from the form won’t be.

What’s important in the context of this post though is what a secure request should look like. Here’s what happens when I logon to ASafaWeb and there are two important bits of info I’ve highlighted:

Anti-forgery token being sent

This is the anti-forgery token in both a cookie then further down in the hidden field. This is the way ASP.NET names them, other web platforms may show slightly different names but the point is that the token exists and without it, the request fails. This should be in every location where an inadvertent request could have an adverse impact for the user. If you don’t see it – like on Toys R Us – then a CSRF risk is almost certainly present.
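The cookie-plus-form-field reconciliation described above, as an added example that is not code from the original post or from ASP.NET: a token goes into both a cookie and a hidden field, and the add-to-cart handler refuses any POST where the two do not match. This is the simple “double submit” variant in which both values are identical; ASP.NET’s own tokens differ in detail, and the field name used here is the ASP.NET MVC one. The cart and request dictionaries are constructed for the example.

```python
"""Added example: anti-forgery token held in a cookie and mirrored in the form."""
import hmac
import secrets

# Name used by ASP.NET MVC for both the cookie and the hidden field.
TOKEN_NAME = "__RequestVerificationToken"


def issue_token():
    """Random per-session token; the server sets it as a cookie and embeds it in
    every form it renders. token_urlsafe output needs no HTML escaping."""
    return secrets.token_urlsafe(32)


def render_add_to_cart_form(token, action="/cart/add"):
    """The legitimate form: the three fields from the text plus the token."""
    return (
        '<form method="post" action="%s">'
        '<input type="hidden" name="%s" value="%s">'
        '<input type="hidden" name="productid" value="1675220">'
        '<input type="hidden" name="quantity" value="1">'
        '<input type="hidden" name="injectorder" value="true">'
        '<button>Add to cart</button></form>'
    ) % (action, TOKEN_NAME, token)


def is_forged(cookies, form):
    """True when the cookie token and the form token do not reconcile.

    Another site can make the victim's browser *send* the cookie, but cannot
    *read* it to copy the value into its own form, so a forged POST arrives
    with the cookie but without a matching field.
    """
    cookie_token = cookies.get(TOKEN_NAME)
    form_token = form.get(TOKEN_NAME)
    if not cookie_token or not form_token:
        return True
    return not hmac.compare_digest(cookie_token, form_token)


def add_to_cart(cookies, form, cart):
    """Handler for the POST: returns (status, cart); nothing is added on a forgery."""
    if is_forged(cookies, form):
        return 403, cart
    cart.append((form["productid"], int(form["quantity"])))
    return 200, cart


if __name__ == "__main__":
    token = issue_token()
    print(render_add_to_cart_form(token))
    genuine = {TOKEN_NAME: token, "productid": "1675220", "quantity": "1", "injectorder": "true"}
    forged = {"productid": "1675220", "quantity": "1", "injectorder": "true"}
    print(add_to_cart({TOKEN_NAME: token}, genuine, []))
    print(add_to_cart({TOKEN_NAME: token}, forged, []))
```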

Scorecarding websites with ASafaWeb

There’s a lot to remember when securing websites and indeed what’s listed above only scratches the surface. However it’s a good starting point and these are all risks that have many precedents of being exploited for an attacker’s gain. They’re also all risks that, as I stated from the outset, can be remotely detected without stepping into the evil hacker realm. You can be responsible in detecting these risks.

I often see tweets like this:

@StartupNomads just set up account & you emailed me my password - are you not aware of security implications of this?

Clearly this is somewhat of a rhetorical question as it’s very unlikely the culprit is aware of the risk. Moving on, rather than just having people point website owners to a lengthy post covering multiple issues as is the case above, I wanted to provide something more succinct that talks about specific risks then provide further reading from there. Given the sort of risks I’ve outlined throughout this post, I wanted to provide an easy mechanism for assessing, recording and sharing them so here it is – the ASafaWeb Scorecard:

ASafaWeb scorecard

This is a very simple mechanism and it works like this: first you enter the URL of the site you’re assessing. Next, for each of the 16 risks outlined above there’s an entry on the ASafaWeb Scorecard along with “Pass” and “Fail” buttons. You then go through and self-assess the site, clicking the appropriate button as you go (you can click the same button again to de-select the risk).

This is not a dynamic analysis tool like the ASafaWeb scanner is and that’s simply because for the most part you need to be a human to detect these issues. For example, you actually need to do a password reset and assess the resulting email in order to discover that it’s not being stored satisfactorily.

As you complete the assessment you’ll see the results appear in a hash in the URL. What this means is that a completed assessment has a URL something like this:

When the URL is received by someone and they open it up, the Scorecard appears with a little summary and the risks in read only mode so that they can’t be directly edited again:

ASafaWeb Scorecard in read only mode

Mind you, it’s easy just to change the URL and as a result the Scorecard values, but this isn’t intended to be tamperproof; rather it’s a means of sharing information via URL alone. When the Scorecard is opened up it won’t show any risks that haven’t been given a pass or a fail grade so you can elect exactly what data you want to share. Only want to raise one risk – fine, just select that. Only want to alert someone to failing risks – likewise, just send those. You choose.

There are two reasons I’ve done this and by far the most important is that I don’t want to be building up a repository of vulnerable sites! By persisting the risk in the URL parameter the address contains all the information that’s required to understand what’s going on. Secondly, because that URL is so self-contained it’s easy to pick up and send to someone so it’s very transportable.

Ultimately that’s the goal – to create a mechanism to easily report on risks and share them around. I’d love to see this tool being used in place of trying to explain risks via Twitter and engaging in the banter that often ensues in an attempt to try and explain things in only 140 characters a shot. It would be great if this gains some traction and I’d love feedback on the effectiveness of it, including if there are further risks that should be included in an attempt to encourage people to seek them out.

And that brings us back to where this post started out – hacking yourself first. Using the Scorecard above, the chances of you finding at least one risk in your own site are very high and if you can do that and mitigate it before someone exploits it then that’s a very good thing indeed. And likewise, if you do find issues in someone else’s site, the risks above should keep you out of trouble if you detect and report on them responsibly. Hopefully the Scorecard feature helps this process and makes the web, well, ASafa place!

More hacking yourself

The risks outlined above are ones I tend to use as a starting point either to assess sites I’m involved in building or to get a sense of the relative security position of someone else’s site. They’re not exhaustive though and as I said at the outset, there are other risks such as SQL injection which are serious, prevalent and will very likely cause damage if probed a little further.

A good resource for further probing is the OWASP Testing Guide. This will take you through hundreds of pages of steps that go into a lot more detail than what this blog post alone covers. If you want to get really in depth then there’s my recent Pluralsight video training which gets right down into the guts of how these risks are exploited and mitigated across just over eight hours of material.