
Morgan Knutson on Working as a Designer on the Google Plus Team

1 Comment

Morgan Knutson on Twitter:

Now that Google+ has been shuttered, I should air my dirty laundry on how awful the project and exec team was.

I’m still pissed about the bait and switch they pulled by telling me I’d be working on Chrome, then putting me on this god forsaken piece of shit on day one.

Air some dirty laundry indeed. This whole thread is kind of nuts — you just don’t see former employees expose dysfunctional workplaces like this very often. Here’s a real eye-opener — teams across Google were effectively bribed to integrate Google Plus, regardless if such integration made sense for their products:

If your team, say on Gmail or Android, was to integrate Google+’s features then your team would be awarded a 1.5-3x multiplier on top of your yearly bonus. Your bonus was already something like 15% of your salary.

You read that correctly. A fuck ton of money to ruin the product you were building with bloated garbage that no one wanted. No one really liked this. People drank the kool-aid though, but mostly because it was green and made of paper.


Latest Revision to ARM Instruction Set Includes Optimizations Just for JavaScript

1 Comment

Apple’s A12 chip is the first to support the latest ARM specification, ARMv8.3, which includes instructions specifically to make JavaScript faster. Greg Parker:

More precisely: ARMv8.3 adds a new float-to-int instruction with errors and out-of-range values handled the way that JavaScript wants. The previous [instructions] to get JavaScript’s semantics were much slower. JavaScript’s numbers are double by default so it needs this conversion a lot.

Back when the iPhone XS first shipped, people noticed that it performed seemingly impossibly well on JavaScript benchmarks. E.g., David Heinemeier Hansson:

The iPhone XS is faster than an iMac Pro on the Speedometer 2.0 JavaScript benchmark. It’s the fastest device I’ve ever tested. Insane 45% jump over the iPhone 8/X chip. How does Apple do it?!

Apple touts the new A12 as “only” 15 percent faster than the A11 at CPU tasks, and JavaScript is mostly (entirely?) CPU-bound. These new instructions make that big a difference. The iMac Pro is a professional desktop and it’s getting beaten by a phone.

Everyone can enjoy the fact that ARMv8.3 makes JavaScript faster. Comp sci nerds can further enjoy the fact that we now have CPUs being optimized for a specific weird programming language and not the other way around.

jimwise
2 days ago
We’ve been optimizing CPUs for a specific weird programming language — c — for a very long time.

Sunsetting Google Plus

1 Comment

Ben Smith (Hacker News):

The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.

To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.

At the same time, we have many enterprise customers who are finding great value in using Google+ within their companies. Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network.

Scott Perry:

Eight years ago my friends at Google were having their compensation made conditional on the successful launch of Google+. This was the outcome we all predicted, but it took much longer than expected.

Dave Winer:

Google+ was unmotivated by any need for what it did. No one loved it. It was born only to slow Facebook growth. It’s like having a kid so it can beat up your neighbor’s kid. Products, to be any good, must be motivated, have a creative purpose.

Nick Statt:

Google exposed the personal information of hundreds of thousands of users of its Google+ social network, the company announced in a blog post this morning. The news, originally reported by The Wall Street Journal ahead of Google’s announcement, means that Google+ profile information like name, email address, occupation, gender, and age were exposed, even when that data was listed as private and not public. However, Google says that it has no evidence to suggest any third-party developers were aware of the bug or abused it. The bug, affecting an API that was accessed by hundreds of developers, appears to have been active between 2015 and 2018.

The company says it closed the bug in March 2018 shortly after learning of its existence. The WSJ reports that the company chose not to report it because of fear of “immediate regulatory interest” that would lump Google in with Facebook, according to one source’s description of the incident.

Nick Heer:

That this disclosure wasn’t made until today — seven months after this breach was noticed — is unconscionable. But it is outrageous that the reason for not disclosing it in the first place was because they wanted to hide it from the law and that Pichai knew about it.

By the way, because Google tried so hard to make Google Plus work, it’s possible that your Google account — if you have one — is a Google Plus profile. You can disconnect it; Google calls it “downgrading”.

Brian McCullough:

Has anyone made this point yet? Pichai refused to testify to congress because he couldn’t. He would have either had to perjure himself or reveal this bug in real time before the committee.

jimwise
6 days ago
This is the online service equivalent of a celebrity death being met with "he was still alive?"

Why Matthew Green Is Done With Chrome

1 Comment

Matthew Green (Hacker News):

In this setting, Chrome was a beautiful solution. Even if the browser never produced a scrap of revenue for Google, it served its purpose just by keeping the Internet open to Google’s other products. As a benefit, the Internet community would receive a terrific open source browser with the best development team money could buy. This might be kind of sad for Mozilla (who have paid a high price due to Chrome) but overall it would be a good thing for Internet standards.

[…]

A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you.

[…]

Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they’ve given don’t make any sense.

This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.

Chris Siebenmann:

In theory, I’m not affected by this behavior. I almost never log into any Google site in the first place and I’m basically always doing so in incognito mode, where this doesn’t (currently) apply. In practice, this has pushed me to deciding that this is a bridge too far and I no longer want to use Chrome if I can avoid it, and fortunately I can these days.

Paul Frazee:

There’s a reason people are reacting to Chrome like this. This isn’t an overreaction over one single event. It’s a delayed reaction to a pattern of bad behavior.

It’s contextualized by the very messed-up power dynamic between Google and the open Web.

Matthew Green (Hacker News):

The tech backlash even caused Google to back down, sort of. It announced a forthcoming update last Wednesday: Chrome’s auto-sign-in feature will still be the default behavior of Chrome. But you’ll be able to turn it off through an optional switch buried in Chrome’s settings.

This pattern of behavior by tech companies is so routine that we take it for granted. Let’s call it “pulling a Facebook” in honor of the many times that Facebook has “accidentally” relaxed the privacy settings for user profile data, and then—following a bout of bad press coverage—apologized and quietly reversed course. A key feature of these episodes is that management rarely takes the blame: It’s usually laid at the feet of some anonymous engineer moving fast and breaking things.


★ Bloomberg’s ‘The Big Hack’

1 Comment

Bloomberg Businessweek today published an absolutely incredible story alleging that Chinese intelligence compromised thousands of data center servers by infiltrating the supply chain to insert hard-to-detect rogue chips on motherboards from a company named Supermicro. The entire report, by Jordan Robertson and Michael Riley, is worth reading in full.

Bloomberg alleges that Apple and Amazon were both among the companies that installed the compromised hardware. Apple and Amazon both vehemently deny the report. Someone is either wrong or lying. This cannot all be true.

From Bloomberg’s report, regarding Amazon:

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

Regarding Apple:

Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

And regarding both companies’ denials:

The companies’ denials are countered by six current and former senior national security officials, who — in conversations that began during the Obama administration and continued under the Trump administration — detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim.

The companies’ denials are seemingly unequivocal, however. Apple’s statement to Bloomberg:

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

That statement is credited only to “Apple”, so presumably it was written by Apple PR. Amazon issued a similar statement to Bloomberg, but later published a full response, signed by Steve Schmidt, the company’s chief information security officer. Schmidt is adamant and clear:

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers.

I see no way around it: either Bloomberg’s report is significantly wrong, at least as pertains to Amazon and Apple, or Apple and Amazon have issued blatantly false denials. You can, perhaps, chalk up Apple’s denial to it being written by Apple PR. I don’t think this would happen, but hypothetically this issue could be deemed so sensitive — either within the company or as a national security issue — that the people at Apple with knowledge of the situation lied to Apple PR. But in my experience, Apple PR does not lie. Do they spin the truth in ways that favor the company? Of course. That’s their job. But they don’t lie, because they understand that one of Apple’s key assets is its credibility. They’d say nothing before they’d lie.

Schmidt signing his name to Amazon’s response is more telling. Presumably no one at Amazon would be more familiar with the details of such a breach than Schmidt.

One way or the other, there is more to come on this story, and the credibility of either Bloomberg, or Apple and Amazon, is going to take a significant hit. Currently those are the two most valuable companies in the world.

A few other notable tidbits. From Bloomberg’s report:

One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

And then this from Amazon’s response:

Because Elemental appliances are not designed to be exposed to the public internet, our customers are protected against the vulnerability by default.

I do not understand how, if these servers are not exposed to the public internet, they could “phone home” to Chinese servers outside the data centers.

Technical details aside, the whole central thesis of the story rings true — China cannot be trusted as a state actor, but the entire technology industry is dependent upon the Chinese supply chain. It is completely credible that the managers of Chinese factories are susceptible to bribes and threats of “inspections” that would shut down their plants. From the Bloomberg report:

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain”, one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

Lastly, whatever the veracity of the report, Bloomberg deserves kudos for this sentence:

Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.

jimwise
11 days ago
a.) (!)
b.) "Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not."

Chinese Supply Chain Hardware Attack

1 Comment

Bloomberg is reporting about a Chinese espionage operation involving inserting a tiny chip into computer products made in China.

I've written about (alternate link) this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product. No one wants to even think about a US-only anything; prices would multiply many times over.

We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.
