04 · 09

My Thoughts on the Instagram Acquisition

I just wanted to put some thoughts out on the acquisition... and this clearly was an acquisition (as opposed to the typical acq-hires in the past).

So as a point of interest this will be a great opportunity to actually see how well Facebook can integrate Instagram with their own services. Are we still going to be using the Instagram name two years from now? (Contrast with FriendFeed, which has had every single feature integrated into Facebook and is essentially totally redundant now.)

Another point of interest which totally amazes me is how this news has taken practically everyone by surprise. It appeared that no one knew negotiations were underway. Ten minutes after Zuck's and Systrom's announcement every news/tech publication was rushing to put out a single sentence on the acquisition. There clearly wasn't any news embargo, and Alexia Tsotsis was utterly shocked since that morning she was writing up a story on Instagram's funding (I'll get to that in a second).

So the fact that Zuck could be the one to make this announcement is just sheer amazement. 

 

Now, onto another shocker from all of this: the $1B acquisition. Unlike most other industries, tech companies have a knack for inflating their valuations (in both acquisitions and funding rounds) without regard to any revenue (think YouTube, or OMGPOP more recently). So it's not like this is some unprecedented acquisition; it's happened before and will continue to happen. OMGPOP for example was able to drive up such a high acquisition value because of what it represented as an obstacle to Zynga.

 

Equally, you can bet that Kevin Systrom was able to drive up the price in negotiations with Facebook because of the value which Instagram represents to other social networks. Was there a bidding war? Most likely. (~35 million potential new users would be nice.)

Robert Scoble summed up a possible idea quite nicely. 

Mark Zuckerberg knows that social graphs equal lockin. I certainly am locked into both Facebook and Instagram. Letting Instagram get into Google or Microsoft's hands would be dangerous for Facebook. I sure would love to interview Mark or Kevin Systrom about this. But I doubt they will go on record.

But in addition to a potential bidding war, Instagram had also *just* closed a $50 million Series B round (with Sequoia leading it with a reported $20M). This round put the valuation at $500 million for Instagram. 

So, a day after closing the round, Instagram gets acquired. If someone has a previous precedent for this happening before, please point me to it. It's crazy.

Kevin would presumably have been trying to drive up the valuation of Instagram for the fundraising and could have been using a looming acquisition as a way of doing so. Equally, in reverse (and more likely), he could have increased the valuation of the acquisition by dangling the financing round in front of Facebook. So then you would be left with the situation where Instagram would delay closing the round by one day to avoid dilution and then sell to Facebook. But for both to happen? It does not make sense in such a short duration. Clearly a smaller piece of a bigger pie equals more pie! But for this to happen within such a short period makes it impossibly hard to believe.

 

You have to take your hat off to Kevin though: either Facebook and Instagram commenced acquisition negotiations after closing the round, or Kevin was multi-tasking both financing and acquisition at the same time.

In which case, this leads onto the next strange thing. 

$1B is a clean 2x multiple of the $500M from the financing round. It's just all too perfect.

It's as if there was some kind of gentleman's handshake whereby Sequoia knew that there would be a high probability that they might be getting a 2x return immediately and a stupidly large IRR (internal rate of return).

In which case, why did Instagram close the funding round? It's like they were playing a game of chicken with Facebook, and Facebook didn't think they would pull the trigger.

It's odd.

 

(And congrats to Instagram.)

Instagram photo kindly provided by Max Woolf

 

 

03 · 04

GitHub and Rails: You have let us all down.

Beyond any shadow of a doubt, a shit storm of epic proportions has just gone down. Something which had the potential to affect practically every coder. (The top four stories on HackerNews were all related to this crisis.)

Every GitHub repository was vulnerable to attack and absolutely nothing was safe.

If you are one of those <sarcasm>strange coders</sarcasm> that don't use GitHub and think you are in the clear because you use SVN, well, the ripples of this vulnerability would eventually have reached you. When a large portion of the technical world all depends on a single service, and that service is vulnerable to a variety of attacks, that makes *anyone* who consumes these services also vulnerable.

So what happened?

Let's cut to the chase and explain what's with all this hyperbole... The outcome from all of this is that we are all going to survive, the zombie apocalypse has been averted, but the way that this episode has been handled is a face-palm fail of epic proportions.

- Every GitHub repository could be accessed by anyone as if they had full administrator privileges.

- This means that anyone could commit to master.

- This means that anyone could reopen and close issues in the issue tracker.

- Even the *entire* history of a project could be wiped out. Gone forever.

You can see in this commit history that @homakov (who has now been suspended by GitHub???!) committed directly to the Rails master branch.

This was possible because of the way that Rails handles mass assignment of attributes. You can read a summary here.

The simple way of explaining it is that if developers don't protect against mass assignment, a malicious user can set any value in your models (every key in the submitted form becomes an attribute write). There are a few solutions being thrown around, such as using whitelists/blacklists to restrict which attributes are accessible, but this solution would not be ideal.

When @homakov brought this issue to the attention of the Rails team (GitHub runs on Rails), his issue got closed. After discussing the issue, the conclusion was that this isn't an issue in Rails, and that it's up to the developer to secure his code, not Rails.
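To make the mass assignment problem concrete, here is an added example (not GitHub's or Rails' own code) with a minimal stand-in for an ActiveRecord-style model. The `update_attributes` method mimics the Rails behaviour of writing every key in the request params to the model; the whitelisted subclass mimics the `attr_accessible` idea. The model, its attribute names and the tampered params hash are all constructed for the example; the raise-on-forbidden-key behaviour corresponds to Rails 3.2's strict mass-assignment sanitizer (the default at the time only logged and dropped the extra keys, which is easy to miss).

```ruby
# Added example: why unrestricted mass assignment is dangerous and how an
# attribute whitelist stops it. Not Rails' or GitHub's code.

# Model without any protection: every key in the params hash becomes a setter call.
class UnprotectedIssue
  attr_accessor :title, :body, :user_id, :created_at, :closed

  def initialize
    @user_id = 42                       # hypothetical logged-in user
    @created_at = Time.utc(2012, 3, 4)  # constructed "now"
    @closed = false
  end

  # Mimics update_attributes(params): writes whatever keys the client sent.
  def update_attributes(params)
    params.each { |name, value| public_send("#{name}=", value) }
    self
  end
end

# Same model with a whitelist: only the listed attributes may be mass-assigned.
class ProtectedIssue < UnprotectedIssue
  ACCESSIBLE = %w[title body].freeze

  # Raises on a non-whitelisted key so a tampered form is noticed rather than
  # silently dropped (the behaviour of the strict sanitizer).
  def update_attributes(params)
    forbidden = params.keys.map(&:to_s) - ACCESSIBLE
    raise ArgumentError, "protected attributes: #{forbidden.join(', ')}" unless forbidden.empty?
    super
  end
end

# Constructed request params: a legitimate title plus extra fields a tampered
# form could carry (re-assigning the issue owner and a far-future timestamp).
TAMPERED_PARAMS = {
  'title'      => 'Harmless looking issue',
  'user_id'    => 1,
  'created_at' => Time.utc(3012, 1, 1),
}.freeze

# Returns the model after unprotected assignment: owner and timestamp overwritten.
def apply_unprotected(params = TAMPERED_PARAMS)
  UnprotectedIssue.new.update_attributes(params)
end

# Returns :assigned when every key is whitelisted, otherwise the error message.
def apply_protected(params = TAMPERED_PARAMS)
  ProtectedIssue.new.update_attributes(params)
  :assigned
rescue ArgumentError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  issue = apply_unprotected
  puts "unprotected: user_id=#{issue.user_id} created_at=#{issue.created_at.year}"
  puts "protected:   #{apply_protected}"
  puts "protected (clean form): #{apply_protected('title' => 'ok')}"
end
```

The unprotected model ends up owned by user 1 with a year-3012 timestamp, which is exactly the class of write the post describes; the whitelisted model rejects the same params and only accepts the `title`/`body` keys a form is meant to send.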

The last comment on @homakov's initial ticket is from a Rails maintainer saying that "We disagree about his proposal".

I can't see how there can be any confusion on this matter. When the majority of Rails applications are going to be vulnerable, how can this not be regarded as a core issue.

Put another way, do you think that GitHub didn't read the documentation?

Anyway, this brings me to the failings. And clearly there have been some massive failings. Rarely does a single story hit the #1, #2, #3 and #4 spots on HN.

Firstly, Rails. You clearly messed up. You ignored someone who was trying to be vocal about a gaping vulnerability. Closing issues isn't fun.

So what alternatives are left? Some people have said that the way @homakov handled this was poor, and that he should have quietly reported the issue to GitHub.

Well, GitHub isn't the only project that depends on Rails. What about all of the other applications out there? You can bet that over the next few days the ripples from this shitstorm will reach them faster than they would have otherwise.

And let's be clear: while this vulnerability left every repository open to attack, do you know what @homakov actually did after having his issue inadequately dealt with?

He showed off the mass assignment exploit in style, by overriding the created-at timestamps in the issue form to post issues 1001 years in the future.

 

But this is where we get to GitHub. 

Firstly, you are a company who is pivotal and central to so, so, so many companies, and the way you have handled the scenario is atrocious. As I said earlier, your report on how things went down is a shocking portrayal of the actual occurrences.

Your post-mortem report, titled "Public Key Security Vulnerability and Mitigation", is a hazy version of what actually happened. The title is a clear misnomer, or at the least a red herring, because while this might have now been patched, we also don't know how many other people knew of this vulnerability. Additionally, companies like Google, Mozilla (Firefox) and Facebook all have bug bounties where they reward people who discover exploits.

Instead, the reward you handed to @homakov is a suspension. Homakov found a vulnerability in a project used by hundreds of thousands of applications, and his issue was ignored. The likelihood of this vulnerability reaching the ears of developers everywhere was extremely low and Rails clearly weren't taking it seriously. So instead he demonstrates the vulnerability in an attack which is clearly the "whitest" of white, and gets a suspension.

So what should the next person do who discovers a vulnerability?

GitHub makes it sound like @homakov was being seriously malicious:

As soon as we detected the attack we expunged the unauthorized key and suspended the user.

Well, GitHub, this is a shocking portrayal of the actual occurrences.

You make it sound like you were always a step ahead and had everything always under control.

You didn't really "detect" anything. You were informed. It also wasn't an attack. If it was an attack, you wouldn't have seen it coming, or in the very least more damage would have been done.

As far as attacks go, this was probably the "whitest" of white that has ever gone down. Not only did the "attacker" not do any actual damage, but he was continually ignored.

This is a shameful handling of the actual events, more so that he was suspended as a result of drawing attention to this devastating vulnerability.

(I should add, however, that your quick fix is obviously commendable and great. But this isn't transparency. Transparency would be drawing attention to something not already known. We all know what really happened just by reading the Rails commit log.)

 

epistasis sums up the perfect conclusion to all of this GitHub-gate:

I have lost all trust in GitHub, and not because of the vulnerability, but because of their response. With their suspension of hamakov's account and deceptive blog post about the extent of the hole, GitHub has guaranteed that they won't be the first to know about the next vulnerability (and there's always another).

 

UPDATE#1

GitHub have released another blog post titled "Responsible Disclosure Policy".

This is the post they should have originally written.

UPDATE#2

For those interested in how widespread this vulnerability is, check out how my comments have been hacked, with timestamps 8 years in the past and 1000 years in the future.

 


 

01 · 18

Enormous Mosaic Image of websites against SOPA

Image Mosaic of Websites against SOPA

Find below a live zooming stitched mosaic. If the iframe does not load, refresh your browser and it should load the second time. (If you want to view the mosaic in full screen, you need to view it in Gigapan. Feel free to embed it yourself, just please send some views and attribution this way.) All images are licensed freely under the WTFPL (which I know doesn't cover images, but really: just DWTFYWWT).

Earlier today I took screenshots of about 20 websites which are against SOPA.

The twelve hours since this initial post have seen thousands more websites showing their opposition to SOPA, and I've collected around 7000 unique URIs which are against SOPA. After I pruned the list of all Facebook pages, this left me with 3000 unique websites. (Massive thanks to SOPASTRIKE, as I wouldn't have been able to make such an impressive mosaic without their list.)

With this list of websites (websitelist.txt here) I created a script to screenshot every website (this took hours to run).

Once I had the thousands of website screenshots, I started stitching them together in another script. 

So far I'm still rendering several images and uploading as we speak, so I won't be able to show off all of the great mosaics just yet. If you can also think of a great "poster-boy" idea for an anti-SOPA render, let me know. I can also provide the .zip file of all website screenshots if someone needs them.

Unfortunately, since I relied on user submitted web addresses, some images aren't for anti-SOPA websites, and I don't have the time to remove these mistakes. 

SOPA Mosaics

SOPA Mosaic

Keeping in mind that I've generated stitches which are 200MP and 100MB+ in size, I have tried to think of some of the best ways to share the mosaics, so I will supply several different versions.

SOPA Mosaic Version 1

SOPA Mosaic

Click to view in another page.

(Select the quality that you are most interested in viewing.)

4800px x 3200px (5.8 MB) - Small Version

8000px x 5333px (11 MB) - Medium Version

17300px x 11500px (44 MB) - Large Version

I have insanely large versions on request. (We're talking several Gigapixels).

SOPA Mosaic Version 2

SOPA Mosaic

4800px x 3200px (5.0 MB) - Small Version

8000px x 5333px (9.2 MB) - Medium Version

17300px x 11500px (54 MB) - Large Version

 

(When generating the mosaics, I allowed for a 30% "cheat" blending of the original image in order to smooth the shapes, and I also allowed images to repeat a maximum of 3 times. Naturally, multiple sites used the same SOPA blackout script (such as Tumblr's), which meant that the same style of screenshot was used multiple times.)

01 · 18

SOPA Highlights, the Roundup.

List of Sites Against SOPA

UPDATE: New Post with Enormous Mosaic Image of anti-SOPA Websites

There has been a pretty loud outcry from the web against the fundamentally flawed SOPA and PIPA legislation... unless you have been living under a rock, you should be seeing protests against the acts all over the net. And clearly the worst thing ████ SOPA is █████████ ████████████. 

Here is an early roundup, which I will edit and add to as more are submitted and spotted.

MoJang / Minecraft

Google

BoingBoing

XKCD

Flickr Blog

GNU

DuckDuckGo

WordPress

 

TechCrunch

Reddit

Firefox

4Chan (Not a chance in hell I'm linking to this site. Totally off topic, but they should permanently censor everything... still, it's the thought that counts.)

Scribd

Imgur

Wired

FroKnowsPhoto

RockPaperShotgun

StopSoap (This one made me laugh hard)

Craigslist

Mendeley

 

Twitterpix

Buzzfeed

NameCheap (Impressed by this one)

Rackspace

O'Reilly

PHP (Pretty pleased I run a local mirror because I needed this today)

NewGrounds

TheOatmeal (Animated GIF)

 

 

Other mentions:

TryBloc

Fark.com (Has gone "white")

Let me know if you have spotted any prominent sites that have gone dark.

 

 

01 · 18

Need Wiki for your Thesis?..

It was quite comical when Jimmy Wales tweeted giving everyone a heads up of the notice that Wikipedia will be going dark for 24 hours (telling everyone to do their homework a day early), and it's clearly a trending topic.

But just in case any of you are actually struggling with getting any of your work done, research for your important master's or PhD... just remember, you can always disable JavaScript.

(And the even easier option, which I have just learnt through Twitter, is to hit Escape in the split second before the notice pops up. This is confirmed and working.)

Option 1) Disable JavaScript

Option 2) Spam the Escape button immediately upon page loading.

 

Disable Javascript Get Wikipedia Back

01 · 16

Everybody's Free (To use Netbeans)

Use Netbeans Song

I wrote these lyrics to replace Baz Luhrmann's "Everybody's Free (To Wear Sunscreen)". I always loved this song when I was younger and thought it would be a great tune to write a developer's lifestyle song to.


 

Everybody's Free to Use Netbeans.

Use Netbeans.

If I could offer you, one piece of advice for the future – NetBeans would be it.

The long term benefits of NetBeans have been proved by rockstar developers, whereas the rest of my advice has no basis more reliable than my own meandering experience. I will dispense this advice, now.

Enjoy the power and control of your IDE. Oh, never mind, you won’t understand the power and control of your IDE until you use Dreamweaver, but trust me, within 20 minutes you’ll look back at your Dreamweaver projects and recall in a way you can’t quite grasp now how horrendous that application really is. You are not as nooby as you imagine.

Don’t worry about scalability, or worry, but know that worrying about scalability is as effective as trying to solve a fizz buzz problem by forgetting modulus.

The real troubles in your life are apt to be things that never crossed your worried mind, the kind that blindsides you at 8am on a Monday morning during some unannounced Scrum meeting.

Code one thing every day that is Open Source.

Refactor.

Don’t be reckless with other people’s code; don’t put up with people who are reckless with yours.

DRY.

Don’t waste your time on Internet Explorer. Sometimes you’re in scope, sometimes you’re not. Race conditions are a bitch, and in the end, it’s normally just that trailing comma.

Back up your MySQL databases; delete your /dev/null logs. (If you succeed in doing this, tell me how.)

Keep the first application you coded; delete and uninstall Visual Basic.

Namespace.

Don’t feel guilty if you don’t know if you want to use Dojo or jQuery. The most interesting startups that I know didn’t know during a $1M seed round what their product even was; some of the most interesting $1B valued companies still don’t.

Get plenty of TechCrunch. Be kind to your fingers — you’ll miss them when they’re gone.

Maybe it’ll compile, maybe it won’t. Maybe you’ll have followers, maybe you won’t. Maybe you’ll sell at $800M; maybe you’ll prove Euler’s theorem was wrong and Pi is actually 42.

Whatever you do, don’t commit your code too much, or rebase either. Your choices are bug fixes, patches, or new features – so is everybody else’s.

Enjoy your API docs, use them every way you can. Don’t be afraid of commenting code or what other people think of it; correct indentation is four spaces, always.

Dance… even if you have nowhere to do it but your own bedroom.

Read the fucking manual (even if you don’t follow it).

Do not read w3schools; it will only make you feel clever.

Get to know your IRC friends; you never know when they’ll be gone for good.

Format your StackOverflow answers: it’s an easy way to get upvotes and the most likely way to be an accepted answer.

Understand that contributors come and go, but that a certain few you should hold on to. Work hard to learn new technologies and web standards, because the older you get, the more you realise that you know less today than you did when you were young.

Live in Palo Alto once, but leave before it makes you hard.

 

Work at Apple once, but leave before it makes you soft.

Google.

Accept certain inalienable truths, advertising costs will rise, Facebook will change their API and Microsoft will release an IE 13; and when they do, you’ll fantasize that when Mosaic was around, hyperlinks were new, stylesheets didn’t exist, and the back button was a game changer.

Viva la Ubuntu.

Don’t expect anyone else to debug for you. Maybe you will have a sympathetic colleague, or Unit Test everything, but you never know when either might run out.

Don’t mess too much with your code, or by the time you are in production, it will be unintelligible.

Be careful of eLancers, but be patient with new employees. Perfect interviewing techniques; they are a way of recruiting new talent, discarding the old, and not paying too much for what people are really worth.

But trust me, on the NetBeans.

 

01 · 16

If God Were a Hacker...


So I just finished reading a post on HackerNews which was titled “God and Design Patterns”, which asked:

In programming there are many levels of abstraction as well as predefined structures, functions, variables and a lot of other stuff. Through the detailed analysis of a program, routine, or algorithm we can see and apprehend a creator/programmer. Such organization and complexity all working together demand that we infer an originator of that unique line of instruction. Is it possible that we can infer that a creator exists through similar measurements of the complexities in the earth?

I didn’t really pay attention to anything that was asked in the question (I’m not even religious), but the title of the question was actually pretty neat: “God and Design Patterns”.

This made me think about what design patterns we see in nature. I’m not talking so much about the golden ratio, dominant genes or DNA, but actual GoF design patterns.

Firstly, before I get into the design patterns, it’s clear that this “God” would be an object oriented programmer. This is pretty obvious from the amount of inheritance and the shared properties of things in nature. Everything in real life is an object that might have extended the eventual super class Thing { }, and the amount of subtyping/polymorphism that goes on for everything demands the use of classes and interfaces. For example all mammals, reptiles, fishes, etc. all implement at least the bare minimum breaths() and poops() methods.

Also, if I was to pick God’s main weapon of choice, between:

  • Java
  • C++
  • VB.NET
  • Smalltalk (only added since it was the first OO)
  • COBOL; and
  • PHP

I would have to say that he would be a PHP hacker. I thought about C++ and even Java, but I don’t believe all that nature crap (in the nature/nurture argument).

…And if I don’t believe in nature, then that would mean anything which requires pre-runtime compilation would have its destiny set in stone upon compile/build. So I think the better analogy might be to say that because we all presumably have free will, he would be a PHP hacker who likes to throw things in the mix by being entirely compiled on the fly (allowing for a much more flexible environment). Plus PHP is ugly and full of utter chaos, which is a more aptly suited analogy to the universe than the beauty of Java. Anyway, now we know he’s a PHP developer, on to the Design Patterns.

Design Patterns (as per GoF)

Command Pattern

This one is probably my favourite analogy, so I thought I would start off with it. The command pattern, if you aren’t familiar with it, can be used to encapsulate everything needed to come back to a particular state at a later time. (But this isn’t the exclusive use of the Command pattern; in fact it’s only a small subset of it.)

So it is said that energy can neither be created nor destroyed, and the command pattern would be used to encapsulate this cascading transactional behaviour in our universe.

In programming, you might be used to using the command pattern by doing things like:

  • Open a file, read the contents, close the file.
  • Allocate a block of memory, use it for something, free it.
  • Load the contents of a memory address into a register, modify it, store it back in memory.

(Examples taken from http://prog21.dadgum.com/121.html who I think doesn’t spot the Command Pattern).

And in real life, you will be used to things like:

  • Go to work, do something, go back home.
  • Put the key in the door, open it, then take the key out of the door.

Singleton Pattern

One of the most overused/wrongly used patterns by hackers. God did it correctly.

$universe = Universe::getInstance();
$universe->bigBang();

Strategy Pattern/Factory Pattern

When “creating” new life, this would be done by using the factory pattern, such that two arguments are passed which are the two adults, and these would then resolve into a Strategy which would be used to create the new person. (Don’t ask me how creatures such as worms (hermaphrodites) would work out in this system… that would be chaos).

Decorator Pattern

I probably don’t need to go into much detail on this one. God would love the decorator pattern. Looking through the GoF book, it’s pretty clear that nearly all patterns could somehow be analogized to patterns in nature, at least in some abstract sense.

How about you?… Can you suggest any others?

(Incidentally, if God were a hacker, he wouldn’t use an RDBMS for sure. Something NoSQL would have to be used. Probably MongoDB, because that is UniverseScale.)