Hacker News | MichaelGagnon's comments

Agreed.

Also, be aware that many non-expert attempts to develop compression algorithms turn out to be flawed. However, it sounds like you've developed a compression pre-processor specifically targeting JSON-like structures, which seems like a much more plausible accomplishment than a non-expert developing a brand new general-purpose compression algorithm that can beat LZW.

All that said, if I were considering hiring you I would be much more interested in your ability to rigorously analyze the strengths and limitations of your algorithm (rather than the algorithm itself). Plus, without that rigorous analysis it makes it much more difficult for me to judge the quality of your algorithm.


From the article: "Should the mantle of 'creator' lie with the program or the programmer?"

Strangely enough, this was the exact dilemma that Clarissa faced in Episode 29 of Clarissa Explains it All, "Poetic Justice," in which she developed a program that generated poetry. When her program's poetry won the school's contest, she decided to publicly relinquish her award to her computer. http://en.wikipedia.org/wiki/List_of_Clarissa_Explains_It_Al...


What an obscure reference to use. That show aired from 1991 to 1994, when I was a mere toddler.


Wait ten more years, you'll also be able to use obscure references.


As far as pop culture goes, I think Clarissa still holds the cake for female programmer characters. Acid Burn (from Hackers) is a close second...


My winner is Veronica Mars's Mac whose scheme to get a new car was downright evil genius (scalable too, but she chose to limit herself). Of course, Burn was right, RISC changed everything, though not yet in desktop PCs.


Learn something new every day -- Clarissa was a programmer! Loved that show!


I disagree.

Node.js and client-side JavaScript should treat security issues differently because they face different risks. E.g., a DoS against client-side JavaScript is not a big deal (because it might slow down a single browser, or even just a single tab within a browser). However, on the server side, a DoS could take down an entire service, which is much more significant.

Thus you could say that V8 is "secure" on the client side but "insecure" on the server side because of the different risk assessments. It is poor security practice to take software designed for one security environment and assume it will be secure in other environments. If Node.js wants to have a secure system they will need to take these security issues into consideration and harden their system appropriately.


He's saying it's FUD because the headline is misleading, not because he's trying to downplay the security issue. You and grandparent are likely in agreement with respect to your comment.

(The headline is misleading because the issue affects several major language runtimes, V8 included – yet only Node.js is mentioned.)


Thanks; upon re-reading the comment I see it now.


Augmented reality for the web


BitTorrent. It's how Blizzard distributes their games. Although your game needs to be sufficiently popular for that to work...


If you really wanted to attack their vuln-investigation processes, you would simply let them conduct business as usual since it seems they don't know how to triage potential vulnerabilities. If you force the issue by conducting a DDoS, they will respond by developing a better triage system that de-prioritizes crank vuln reports more quickly. Not only will this defeat your DDoS attempt, but it will make them more effective at handling vuln reports going forward.


Those two "reported vulnerabilities" are clearly not vulnerabilities. Whoever spent 5 days investigating these "vulnerabilities" should be embarrassed instead of blogging about it. The blogger, Raymond Chen, is somehow claimed to be "Microsoft's Chuck Norris" http://microsoftjobsblog.com/blog/raymond-chen/


Raymond explains why the vulnerability investigation took so long, in his reply in this comment: http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247...


Add together these three statements the author made:

(1) The vulnerability report exists in the "shadowy ground between the reports that are clearly crackpot and the reports which are clear enough that you can evaluate them with confidence" (from the blog)

(2) "Oh, we recognized it immediately. But it was so obviously wrong that we began to fear that we were missing something." (from the comments)

(3) "this entire investigation took five days to complete, plus another day or two to complete the necessary paperwork." (from the blog)

This blog post paints a picture that Raymond's organization does a bad job triaging reports and prioritizing investigations. It's a waste of five days to analyze an "obviously wrong" vuln report, just on the off chance that there is something deeper. How about spending five minutes emailing the author of the vuln report, explaining why it doesn't appear to be a vulnerability, then asking if there is anything deeper?

It's also crazy to spend a day or two filling out TPS reports on a crank vulnerability alert.

If an organization takes security seriously then it should spend increasing amounts of time on increasingly plausible vulnerability reports.


Those 'five days' and 'another day or two' could easily include time spent waiting in a queue, of course. In which case, it could be that only a few tens of minutes of actual time were spent on the report.


And how much time do they spend on the more plausible ones? You sound like you know this.


They do say they couldn't find the vulnerability right away; that doesn't mean one doesn't exist, though. If they don't investigate even the flimsiest of claims, it could cost quite a bit in cleanup.


And from the HN article "intellectual honesty requires bending-over-backwards to provide any evidence that you might be wrong."

The article is so close to a direct Feynman quote that it makes me wonder if the author was subconsciously plagiarizing Feynman. Normally, I wouldn't mind (subconscious plagiarism is everywhere). But in an article about intellectual honesty I would expect the author to "bend over backwards" to identify and declare potential sources of plagiarism. ;-)


Yep, I read it and immediately felt that I had read that same phrase somewhere else.


I don't credit the creators of fire, and indoor heating, every time I turn the thermostat up. I similarly see no reason to try to credit the "original" speaker or author unless I'm using a sizable chunk of their work verbatim.

Especially as, while Feynman said that, I highly doubt he was the first to think it. He was, very likely, merely distilling things he'd heard before, much as the current author was.


The problem with the Python documentation is that it does not adequately explain the value of its more obscure features (such as coroutines). And since coroutines are obscure in general, programmers won't even know how to appreciate them once they find them (say in PEP-0342 http://www.python.org/dev/peps/pep-0342/).

Posting articles such as this one is very helpful because it pushes useful esoteric knowledge into our consciousness. HN is particularly suited because the community's up-votes convince us that our time will be well spent looking into such articles.
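The PEP 342 feature the comment above refers to, shown as an added example that is not part of the original comment or of the Python documentation: generators driven with `.send()` instead of plain iteration, chained into a small log-processing pipeline. The `coroutine` priming decorator, the stage names (`grep`, `count_by_source`, `collector`, `failed_logins`) and the log lines are this example's own assumptions, not anything from PEP 342 itself.

```python
# Added example (not from the original comment or PEP 342): a generator-based
# coroutine pipeline in the PEP 342 style, i.e. generators driven with .send()
# rather than iterated with next(). Stage names and log lines are constructed
# for this example.
import re
from functools import wraps


def coroutine(func):
    """Advance a generator to its first yield so it is ready for .send()."""
    @wraps(func)
    def start(*args, **kwargs):
        gen = func(*args, **kwargs)
        next(gen)  # prime: run up to the first 'yield'
        return gen
    return start


@coroutine
def grep(pattern, target):
    """Forward only lines matching `pattern` to `target`.

    The compiled regex lives in a local variable that persists across sends,
    which is the state-keeping a plain function call would not give you.
    """
    regex = re.compile(pattern)
    while True:
        line = (yield)          # suspended here until someone calls .send(line)
        if regex.search(line):
            target.send(line)


@coroutine
def count_by_source(target):
    """Tally lines per source IP (second whitespace-separated field) and pass on."""
    counts = {}
    while True:
        line = (yield)
        ip = line.split()[1]
        counts[ip] = counts.get(ip, 0) + 1
        target.send((ip, counts[ip]))


@coroutine
def collector(results):
    """Terminal stage: append whatever it receives to a caller-owned list."""
    while True:
        item = (yield)
        results.append(item)


# Constructed sample input for the example, not real log data.
SAMPLE_LOG = [
    "2011-12-28T10:00:01 10.0.0.5 GET /login 200",
    "2011-12-28T10:00:02 10.0.0.5 POST /login 401",
    "2011-12-28T10:00:03 192.168.1.9 POST /login 401",
    "2011-12-28T10:00:04 10.0.0.5 POST /login 401",
    "2011-12-28T10:00:05 10.0.0.7 GET /index 200",
]


def failed_logins(lines):
    """Push `lines` through the pipeline; return (ip, running_count) per failed login.

    Each stage is created once and keeps its own state between sends, so the
    whole chain processes a stream one line at a time without buffering it.
    """
    results = []
    pipeline = grep(r"POST /login 401", count_by_source(collector(results)))
    for line in lines:
        pipeline.send(line)
    pipeline.close()  # raises GeneratorExit at the yield inside grep; it just ends
    return results


if __name__ == "__main__":
    for ip, n in failed_logins(SAMPLE_LOG):
        print(ip, n)
```

The point of the priming decorator is that a freshly created generator has not reached its first `yield` yet, so calling `.send(value)` on it raises `TypeError`; advancing it once with `next()` is the boilerplate PEP 342 leaves to the caller. Running the pipeline over the five constructed lines yields `("10.0.0.5", 1)`, `("192.168.1.9", 1)`, `("10.0.0.5", 2)`: the counter stage remembered the earlier hit for 10.0.0.5 across sends.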


New business idea: Set up proxies in Switzerland. Customers pay a subscription to download pirated content to their Swiss account. From there, you can transfer the customer's data to their home account in the US (or wherever). Seems perfectly legal to me. For extra value added you can do AV and other quality control to help customers find and safely download pirated content.

I wonder if Switzerland foresaw such businesses...

