New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim — so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That’s the problem with the Chinese supply chain,” he said.

Supermicro, based in San Jose, California, gave this statement: “The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations.”

Bloomberg News first contacted Supermicro for comment on this story on Monday at 9:23 a.m. Eastern time and gave the company 24 hours to respond.

Supermicro said after the earlier story that it “strongly refutes” reports that servers it sold to customers contained malicious microchips. China’s embassy in Washington did not return a request for comment Monday. In response to the earlier Bloomberg Businessweek investigation, China’s Ministry of Foreign Affairs didn’t directly address questions about the manipulation of Supermicro servers but said supply chain security is “an issue of common concern, and China is also a victim.”

Supermicro shares plunged 41 percent last Thursday, the most since it became a public company in 2007, following the Bloomberg Businessweekrevelations about the hacked servers. They fell as much as 27 percent on Tuesday after the latest story.

The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China. 

Based on his inspection of the device, Appleboum determined that the telecom company’s server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China. Guangzhou is 90 miles upstream from Shenzhen, dubbed the `Silicon Valley of Hardware,’ and home to giants such as Tencent Holdings Ltd. and Huawei Technologies Co. Ltd.

The tampered hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunication company’s technicians couldn’t answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine. It’s not clear if the telecommunications company contacted the FBI about the discovery. An FBI spokeswoman declined to comment on whether it was aware of the finding.

AT&T Inc. spokesman Fletcher Cook said, “These devices are not part of our network, and we are not affected.” A Verizon Communications Inc. spokesman said “we’re not affected.””Sprint does not have Supermicro equipment deployed in our network,” said Lisa Belot, a Sprint spokeswoman. T-Mobile U.S. Inc. didn’t respond to requests for comment.

Sepio Systems’ board includes Chairman Tamir Pardo, former director of the Israeli Mossad, the national defense agency of Israel, and its advisory board includes Robert Bigman, former chief information security officer of the U.S. Central Intelligence Agency.

U.S. communications networks are an important target of foreign intelligence agencies, because data from millions of mobile phones, computers, and other devices pass through their systems. Hardware implants are key tools used to create covert openings into those networks, perform reconnaissance and hunt for corporate intellectual property or government secrets.

The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China. 

In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting. 

People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI’s cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI’s most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations.

Appleboum said that he’s consulted with intelligence agencies outside the U.S. that have told him they’ve been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time. 

In response to the Bloomberg Businessweek story, the Norwegian National Security Authority said last week that it had been “aware of an issue” connected to Supermicro products since June.  It couldn’t confirm the details of Bloomberg’s reporting, a statement from the authority said, but it has recently been in dialogue with partners over the issue.

Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in such sabotage. The U.S. is known to have extensive programs to seed technology heading to foreign countries with spy implants, based on revelations from former CIA employee Edward Snowden. But China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.

Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio’s software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals — such as power consumption — that can indicate the presence of a covert piece of hardware.

In the case of the telecommunications company, Sepio’s technology detected that the tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.  

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.

The goal of hardware implants is to establish a covert staging area within sensitive networks, and that’s what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client’s security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio’s team was not able to perform further analysis on the chip.

The threat from hardware implants “is very real,” said Sean Kanuck, who until 2016 was the top cyber official inside the Office of the Director of National Intelligence. He’s now director of future conflict and cyber security for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don’t.

“Manufacturers that overlook this concern are ignoring a potentially serious problem,” Kanuck said. “Capable cyber actors — like the Chinese intelligence and security services — can access the IT supply chain at multiple points to create advanced and persistent subversions.”

One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That’s why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

“For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits — we don’t know until we find some. It could be all over the place — it could be anything coming out of China. The unknown is what gets you and that’s where we are now. We don’t know the level of exploits within our own systems.”

Google hardware. Designed to work better together.

This year marks Google’s 20th anniversary—for two decades we’ve been working toward our mission to organize the world’s information and make it universally accessible and useful for everybody. Delivering information has always been in our DNA. It’s why we exist. From searching the world, to translating it, to getting a great photo of it, when we see an opportunity to help people, we’ll go the extra mile. We love working on really hard problems that make life easier for people, in big and small ways.

There’s a clear line from the technology we were working on 20 years ago to the technology we’re developing today—and the big breakthroughs come at the intersection of AI, software and hardware, working together. This approach is what makes the Google hardware experience so unique, and it unlocks all kinds of helpful benefits. When we think about artificial intelligence in the context of consumer hardware, it isn’t artificial at all—it’s helping you get real things done, every day. A shorter route to work. A gorgeous vacation photo. A faster email response. 

So today, we’re introducing our third-generation family of consumer hardware products, all made by Google:

  • For life on the go, we’re introducing the Pixel 3 and Pixel 3 XL—designed from the inside out to be the smartest, most helpful device in your life. It’s a phone that can answer itself, a camera that won’t miss a shot, and a helpful Assistant even while it’s charging.
  • For life at work and at play, we’re bringing the power and productivity of a desktop to a gorgeous tablet called Pixel Slate. This Chrome OS device is both a powerful workstation at the office, and a home theater you can hold in your hands.
  • And for life at home we designed Google Home Hub, which lets you hear and see the info you need, and manage your connected home from a single screen. With its radically helpful smart display, Google Home Hub lays the foundation for a truly thoughtful home.

Please visit our updated online store to see the full details, pricing and availability

The new Google devices fit perfectly with the rest of our family of products, including Nest, which joined the Google hardware family at the beginning of this year. Together with Nest, we’re pursuing our shared vision of a thoughtful home that isn’t just smart, it’s also helpful and simple enough for everyone to set up and use. It’s technology designed for the way you live.

Ivy Ross + Hardware Design

Our goal with these new products, as always, is to create something that serves a purpose in people’s lives—products that are so useful they make people wonder how they ever lived without them. The simple yet beautiful design of these new devices continues to bring the smarts of the technology to the forefront, while providing people with a bold piece of hardware.

Our guiding principle

Google’s guiding principle is the same as it’s been for 20 years—to respect our users and put them first. We feel a deep responsibility to provide you with a helpful, personal Google experience, and that guides the work we do in three very specific ways:

  • First, we want to provide you with an experience that is unique to you. Just like Google is organizing the world’s information, the combination of AI, software and hardware can organize your information—and help out with the things you want to get done. The Google Assistant is the best expression of this, and it’s always available when, where, and however you need it.
  • Second, we’re committed to the security of our users. We need to offer simple, powerful ways to safeguard your devices. We’ve integrated Titan™ Security, the system we built for Google, into our new mobile devices. Titan™ Security protects your most sensitive on-device data by securing your lock screen and strengthening disk encryption.
  • Third, we want to make sure you’re in control of your digital wellbeing. From our research, 72 percent of our users are concerned about the amount of time people spend using tech. We take this very seriously and have developed new tools that make people’s lives easier and cut back on distractions.
A few new things made by Google

With these Made by Google devices, our goal is to provide radically helpful solutions. While it’s early in the journey, we’re taking an end-to-end approach to consumer technology that merges our most innovative AI with intuitive software and powerful hardware. Ultimately, we want to help you do more with your days while doing less with your tech—so you can focus on what matters most. 

From Academia to Industry

Academia to Industry

In 2014, I entered the University of Toronto as an undergrad with a burning passion for physics. In 2018, I left the academic world to start a career in industry machine learning.

This is how I transitioned from academia to industry.


My Story


Discontent with Academia

I had loved physics ever since I read Stephen Hawking’s A Brief History of Time in the seventh grade. After studying the subject passionately in high school, I decided to go to the University of Toronto to study physics. My plan was to graduate with solid marks and excellent research experience, break into a top-tier physics PhD program and become a world-renowned physics researcher.

The only problem was that I didn’t like physics research.

It took two research internships in physics for me to realize that research was not the daily stream of intellectual delight that I had imagined it to be. Research was a grind. It was slow gruelling work that progressed inch by inch, and 90% of my time was spent programming.

I discovered that learning about a topic and doing research in that field were two completely different things, and although I loved to learn physics in a classroom, I disliked doing physics research.

In addition, I grew increasingly disillusioned with academia. It seemed that many STEM undergraduates would rush into PhD programs out of sheer inertia, without exploration of other options, and spend five, six years of their prime youth down the rabbit hole of academic research. This resulted in frequent burnouts. Many PhD graduates turned, in the end, to industry after acquiring a distaste for academia in grad school. Those who continued in academia were met with fierce competition for limited amounts of tenure-track positions, and must go through several rounds of postdoctoral research stints before being accepted for a faculty position, if they were accepted at all.

Academia is a pyramid, and tenured professors are at the top. For each professor, there are a handful postdocs, numerous graduate students, and many undergraduates to fill in the gaps, all wanting to climb the ladder. And I didn’t want to play this game.

Profzi Scheme

At the end of the summer after my second year, I decided that research wasn’t for me. After that came a harder decision: what was I going to do next?

Initial Interest in Data Science & Machine Learning

I began by asking myself a simple question: What made me passionate about physics? I loved physics because it described the world mathematically and allowed us to make useful predictions about physical phenomena.

Then I asked myself: What other field allows me to make useful predictions about the world with mathematical models? After some exploration, I discovered that data science and machine learning (ML) satisfied my desire to mathematically describe the world. Compared to physics academia, it was more widely-applicable, and I didn’t need to commit years of my life in graduate school (and beyond) to make an impact. Furthermore, these highly technical fields were constantly covered in the media, and were even described by Harvard Business Review as ‘the sexiest job of the 21st century’. I decided to dig deeper.

I started learning ML with Andrew Ng’s Coursera course, which taught me high-level ML concepts. However, in order to really understand the fundamentals of ML, I needed to dive deeper into the theory and code. Stanford’s CS231n: Convolutional Neural Networks for Visual Recognition allowed me to do just that. The coding assignments, in which I implemented low-level neural networks in Python, gave me a solid understanding of the fundamentals of deep learning. I supplemented this course with another Stanford online course, Statistical Learning, which taught me the statistical side of ML.

What I discovered, surprisingly, was that the most widely-used ML techniques were quite simple and completely accessible to undergraduates with a basic background in mathematics and statistics. Other key components of data science, such as data preprocessing, exploration and visualization, were already familiar to me through past research experience.

Learn more about the resources I used here.

data science skills

Additional skills include: Cloud computing, Statistics and Problem-Solving

Projects & Competitions

After acquiring the basic ML foundation, I wanted to apply what I had learned to solve real-world problems with real-world datasets. I first turned to kaggle competitions, doing them by myself initially and then together with the UofT Data Science Team.

Kaggle competitions were tough! Not only were the problems difficult, but the competition was fierce, and a lot of time must be devoted to compete for the top prizes. To me, an undergraduate student trying out ML, I decided not to invest large amounts of time in an attempt to win a competition, and simply treated kaggle as a learning opportunity.

Around this time, I discovered a cool, new data science hackathon in Toronto called HackOn(Data) that was to take place in a couple of weeks. HackOn(Data) was unique in that they organized hands-on workshops leading up to the hackathon, in which the participants implemented entire ML workflows, from data preprocessing to model validation, with industry datasets on Apache Spark. These small-classroom workshops not only taught me valuable, real-life skills, but also introduced me to the data science community in Toronto.

Then came the actual hackathon. Long story short, facing stiff competition from PhDs and industry professionals, my teammate and I finished third in the competition. More importantly, we made valuable connections with prominent industry leaders that resulted in internship opportunities the next summer.

hackondata award wide

My teammate Chris and I winning third place at HackOn(Data) 2016

Here, I learned an important lesson: Networking and community involvement are extremely important to career success, especially in hot, new fields such as ML and Data Science. Often, academics like me focus too much on domain skills and knowledge, and forget about the people in the domain, but the people are just as crucial to your career, if not more.

The rest of the story at HackOn(Data) 2016 here.


During my third year, I decided to try out industry by looking for an industry internship next summer. Through a contact from HackOn(Data), I found a summer internship opportunity at an industry lab called Zero Gravity Labs, which was the semi-independent, innovation arm of LoyaltyOne, the loyalty marketing company known for AirMiles. It sounded like a great way to test out industry life while working on cool projects, and I joined the Zero Gravity Labs team.


I love the spaceman

At Zero Gravity Labs, I explored decentralized loyalty programs on blockchain and created a loyalty blockchain Proof-of-Concept. I also worked with massive amounts of client data on Apache Spark and Microsoft Azure. Though the project did not contain ML, it gave me my first taste of working with large industry datasets, and I realized that it was much more difficult and cumbersome than working with the curated kaggle datasets.

During the same time, I worked on a side project in which I used xgboost to make residential real estate predictions. To increase my involvement in the data science community, I created data science workshops for UofT students with the UofT Data Science Team, gave a talk on setting up Spark with AWS, and served as a mentor and judge at HackOn(Data) 2017.

Industry or Grad School

At the end of summer, I realized that careers in industry could be just as fulfilling as careers in academia, and certainly lucrative. When I started my final year, I made the decision to go into the data science and machine learning industry. I would be the only one in my program to not continue in academia.

Many asked me if I would consider graduate school down the road. I responded that if I found an area that I passionately wanted to research, I would consider it. However, I would not go to graduate school out of sheer inertia, which is the current trend among undergraduates. In my view, many undergraduates go to graduate school simply because they have nothing better to do, and end up wasting years of their youth in prolonged over-education. The opportunity cost of that is huge: compare the five years it takes to complete a PhD versus five years of industry experience and wages, and ask yourself which is the better option? For me, it was the latter.

Job Search

When my fourth and final year began in September, I began my search for full-time, post-graduation employment. It was a long journey with many obstacles and deadends, that lasted all eight months of my final year.

This was how it went.

September, October — Light Searching and Reconnaissance

  • Surveyed the career market for ML and Data Science
  • Attended career fairs and networking events at UofT
  • Polished resume and LinkedIn profile
  • Started applying for new grad roles at big companies

I began my search by identifying interesting companies and gathering information on them: positions available, requirements and deadlines. Starting early before applications even began gave me a head start in surveying the landscape of career opportunities in Silicon Valley, Seattle, NYC and Toronto.

Having learned about the importance of networking, I attended various career events aimed at UofT new graduates, hosted by big companies like Microsoft, Google and Uber ATG. This gave me insight on role expectations and hiring processes.

I polished my resume and LinkedIn profile by following the advice in this article, written by the former SVP of People Operations at Google, Laszlo Bock. He taught me how to frame my achievements to make them stand out.

And by mid-October, when big tech companies started opening up applications for new graduate roles in May 2018, I was ready to start applying.

November, December — Applying, Interviewing, Pivoting

  • Low response rate from online applications
  • Realized online application was a black hole
  • Pivot to people-oriented approach

During November, I concentrated mainly on the big tech companies: Facebook, Google, Microsoft, Amazon, Airbnb, etc., with little success. These companies were simply not responding or giving automatic rejections. The only mild success was through the internal referral of a friend, which led to an interview for a Data Scientist role at a big Silicon Valley tech company. I passed the initial screen, but got stopped at the technical interview.

Frustrated and dejected, I realized that my current method of online applications was simply not working. Due to the huge volume of applications, I would be lost among the masses or be automatically filtered due to my lack of a graduate degree.

One day, I shared my troubles with a close friend that had good success in the tech industry, and asked him how he looked for career opportunities. To my surprise, he told me that he did not even bother with applications at all. Instead, he found all his opportunities through networking or cold calls.

Upon reflection, I realized that all the positive responses I have received were a result of personal connections and referrals. Attempts to make personal connections were more fruitful than online applications.

As a result, I decided to pivot to a people-oriented approach for job hunting, and invest more time in attending networking events and connecting with employers through email and LinkedIn.

People Oriented

January, February — Interviews, People-Oriented Approach

  • People-Oriented approach with focus on Toronto companies more successful
  • Completing technical challenges and interviews

I tested out my new strategy in the new year — the peak hiring stage for many companies.

With the new people-oriented approach, I received better responses and more interviews with big companies and startups in Toronto. Although this success may be partially attributed to my shift of focus towards Toronto companies (which are easier for Toronto candidates to enter), the new approach still made a difference in the quality of response.

Through a personal introduction, I could explain my situation and desires clearly, and have my achievements and experience in your profile for the other side to see. I found LinkedIn to be more successful than email as it offered a more in-depth profile and a sense of social familiarity. I did not neglect valuable face-to-face talks, and incorporated them in my process as well.

The downside to this approach was that it was more unstructured and disorienting than simply sending out applications. There was no set path of engagement, I had to define it myself.

By this time, it seemed unlikely that I was going to be able to break into the U.S. tech industry with my current skillset and experience, especially during a time of political uncertainty in the U.S. for high-tech work visas. I decided to switch my focus entirely to companies in Toronto.

March, April — Negotiation, Decisions

  • Waiting for offers
  • Evaluating market expectations for compensation
  • Negotiation and decisions

By March, I had finished all remaining interviews. In the next few weeks, the offers and rejections started rolling in, and I began to evaluate each offer. In order to discover the market expectations for each role, I researched comparable roles and their compensation levels, mainly by using online tools and surveys, such as Glassdoor and LinkedIn Salary, to find information for the tech industry in Toronto.

Then, I negotiated offers with company representatives, which worked well in some cases, poorly in others. Regardless of the outcome, negotiation was an important part of my job hunt, and I used this opportunity to try it out and hone my skills.

In the end, I decided to accept a Machine Learning Engineer position at a Toronto AI startup called Dessa. At Dessa, I would be working at the ground-level to develop and deploy ML models in big companies over disparate industries, such as finance and telecommunications. The biggest draw to Dessa for me was the ability to see how hyped ML techniques were actually implemented in large, complex enterprises. Additionally, I believed that the experience gained here would accelerate my knowledge and career growth.

Dessa Team

Dessa discovers, develops and deploys AI solutions in enterprise


Attempting to transition from a completely academic role to an industry role is a daunting task. What makes it particularly disorienting is that there is no well-defined path, and therefore, you will need take initiative and explore many options.

So how can you get started? These key points, refined from my story, will help you.

Career Advice

Personal Projects

The age-old paradox of ‘How to get work experience if work requires experience?’ can easily be solved in the tech industry with projects (and internships). Personal projects can take many forms: kaggle competition, hackathon hack, capstone project, etc. Ultimately, it needs to demonstrate your curiosity and self-motivation to implement a novel idea, outside of regular coursework. I also recommend writing a blog post on your experiences and posting the project to github to give it more visibility.

Personal projects allow you to gain valuable experience — notches on your belt — that is crucial to getting your first job. You also will get a glimpse of what it is like to work in this field.


Do not fall into the trap of believing that just because you are in a technical field, that you can forgo networking. Who you know is just as important as what you know.

Nowadays, companies are increasingly looking towards universities for fresh talent, and are eager to meet students who are looking for a career in industry. In addition, reach out to professors, alumni and other students to get advice and information about career opportunities.

The value of these connections is high: You never know who may be the key to getting your foot in the door.

Job Hunting

The first job is always the hardest. Compared to an experienced candidate, you are perceived by companies to have lower value and higher risk. It gets easier once you have your foot in the door with that first job.

The Job Hunt

Start Early

Job hunting is a full-time job. Start early.

Starting early doesn’t mean sending out applications for jobs a year in advance. There is a lot of preparation you have to do before you can start applying. First, research industries and companies that you would like to join, and map out their roles and application timelines (new grad application deadlines are pretty early). Get in contact with company employees through LinkedIn and email to make a proper introduction, and express genuine interest in the work that they do.

Refine your resume to suit your desired companies. I recommend framing your achievements as ‘I accomplished [X] as measured by [Y] by doing [Z] (source).’This format is powerful in that it allows you to state your accomplishments and how they resulted in measurable benefits.

Looking for a job itself is a full-time job. And it’s exhausting. Giving yourself a head start will allow you to explore more opportunities without being stressed. My job search, from initial scouting to signing the offer, took nearly all 8 months of my last year at university. Had I not started early, I would have explored less options and realized key mistakes too late.

Have Options

Don’t put all your eggs in one basket.

It is almost certain that you will be rejected by at least one company. Cast out a wide net, explore different options, and don’t aim for a single dream company. In tech, big companies in Silicon Valley, such as Google and Facebook, are very attractive to new graduates, but there are plenty of other excellent companies, some of which may even be a better fit for you.

Having choices at each stage of the job-finding process is crucial. At the start of your job search, staying flexible allows you to broaden the scope of your search and discover opportunities that you otherwise would not known. At the end, having multiple job offers gives you more career choices, as well as an increased ability to negotiate.

People-Oriented Approach

Don’t focus on applications, focus on people.

Companies receive massive amounts of online applications, and yours is likely to get lost in the masses. How do you stand out?

Given that you have a polished resume and presentable LinkedIn profile, find people in hiring roles or in roles similar to your desired one, preferably in a position of seniority or leadership — hiring managers, senior managers, senior engineers, etc. Then, contact them on LinkedIn or email to make a quick introduction and demonstrate interest in their work. In addition, try to get a better understanding about the company culture, the pace of work and opportunities for career development. Be genuinely excited at the opportunity to work at their company.

During my job search, I reached out to an AI lab to talk about a cool paper that they had published and asked about career opportunities there. To my surprise, they responded quite warmly to my genuine interest in their paper and scheduled a face-to-face chat. I was amazed at the level of response to personal messages, even from CEOs and CTOs (of startups), and I discovered career opportunities otherwise inaccessible.

So, go for it. Reach out to new people. And don’t forget about your existing network: The best career opportunities often come from the connections you already have, such as former classmates and co-workers.


Disagree without being disagreeable.

Many people dislike negotiation because of its implicit association with antagonism and bullying, the kind they see in TV dramas, or in street haggling. People feel especially uncomfortable in the very personal case of negotiating their own worth.

However, real, merit-based negotiation does not have to be a rude or unpleasant experience. You can make strong, level-headed cases about the market value of your skills and experiences based on other offers with similar roles. Resources, like compensation surveys (e.g. Canada New Grad Offers 2017-2018) and online tools (Linkedin Salary, Glassdoor) will help you to critically evaluate your market value.

If you observe a discrepancy between your perceived market value and the company’s value assessment of you, don’t be afraid to address it. Negotiate for the appropriate job responsibilities and compensation.

Here are two beginner books on negotiation that very job candidate should read:

  • Getting to Yes, Fisher and Ury, Harvard Negotiation Project
  • Never Split the Difference, Voss and Raz, FBI hostage negotiator


My transition from academia to industry was long and gruelling. There were times during the long stretch of job rejections when it was difficult to see the light at the end of the tunnel. I was exhausted and dejected, but I pushed on, hoping that it would eventually pay off. In the end, through non-conventional methods, I was able to find a great position at a local AI startup where I could gain valuable experience on applying ML in big enterprises.

Now, I look back on my experiences as a tremendous learning opportunity and a crucial part of my career journey: The realization that I was not suited for academia, the decision to go into industry and the strenuous search for a job after graduation. I have shared with you what I learned in past two years, from the importance of personal projects to the importance of networking, from resume improvement to negotiation tips, from low-value online applications to high-value personal contacts, and more …

Now I continue into the next chapter of my career.

I hope you find this useful.

The Death of Google

The Death of Google
Lauren Weinstein
8 October 2018

Google Docs:

Google is dying. It may be possible to save the patient, but it’s also quite possible that Google has already passed the point of no return, especially with the array of forces now attacking it from all sides and from within. Since this situation has been largely enabled by unforced errors committed by Google itself, the prognosis can only be described as bleak.

Unfortunately, I have strong doubts that Google is capable at this time of making the kinds of “lifestyle changes” that would be required to truly save themselves. I would love to have these doubts proven to be incorrect.

A company named Google and its parent Alphabet will continue to exist for the foreseeable future, but for all practical purposes the Google that we all know appears to be in a kind of terminal decline, even as the money continues rolling in for now.

How can this be?

Today’s announcements of a Google+ security breach and the upcoming shutdown of consumer Google+ are but immediate symptoms of a malignancy that has been creeping through Google for years.

As a big fan of Google, spending a significant amount of my time retorting the mischaracterizations and lies of the Google haters via my written posts and radio interviews, I take no pleasure in this kind of diagnosis.

I’ve watched the death throes of other major technology firms over the years, who originally seemed nothing short of invincible. 

AT&T for one. Digital Equipment Corporation (DEC) was another. Their declines took time — these are processes rather than events. It’s actually a fairly long list if you go far enough back. DEC was assimilated into other firms and its talent siphoned off in various directions. AT&T today is still large and powerful but in many ways is but a shadow of its former self, with its gems like Bell Labs long since morphed into meaningless.

The forces that are ripping Google apart are somewhat different in kind, but all the more tortuous and painful to behold.

For at its core, Google is suffering a complex and multifaceted ethical dilemma that not only threatens to decimate the firm from the inside over time, but has opened up vast gaping wounds that legions of politically-motivated Google haters are using to further evil agendas.

I’ve traveled quite the arc when it comes to Google. In their earlier days starting some 20 years ago, I was a rather intense critic — various of their early data collection and privacy practices seemed to be driven by a cavalier attitude that I viewed as unacceptable.

My first direct physical contact with Google occurred in 2006, when I was invited to Google’s L.A. offices to give a talk that I entitled “Internet & Empires” (the video of that presentation by a significantly younger version of myself is here: 

I believe it was the first talk they’d ever recorded at that office. There was no podium yet — I just sat on the edge of a table for the presentation.

My interactions with Googlers that day — both from the Q&A and our later discussions before I headed home — yielded me an immediate epiphany of sorts.

Googlers are probably the best people I’ve ever met or worked with in tech — or anywhere else for that matter. It was an honor to consult to Google internally and work directly with them for a significant period several years ago.

They’re intelligent. They care. Many of them are pretty nerdy — but I certainly plead guilty to that myself. I’ve nearly never met a Googler that I didn’t like.

But it became immediately clear that day back in 2006 that something of a discontinuity existed between “rank and file” Googlers and some individuals in Google’s upper management. Even on that first day of contact, Googlers expressed to me their frustrations in this regard, relating to the very issues that I had discussed in my talk.

Over the years since, a wide range of issues related to Google have changed dramatically for the better. Google has become a world-class leader in privacy, security, and artificial intelligence policies. This doesn’t mean that Google is perfect in these respects, and bugs can still occur, but they have excellent people working on those teams — I know many of them personally — who put their lives into this important work. 

However, in key respects it seems that the chasm between Google’s management and other Googlers has grown from a disconnect to a gaping chasm.

Google has always had what I’d charitably call “blind spots” in various areas. Over the years I’ve written publicly about these many times, and I won’t go into detail about them again here, but we can briefly review a few.

Customer service has been an ongoing problem since day one. It has certainly made significant positive strides over time, but still is massively lacking in important respects, especially when dealing with growing populations of non-techie users who depend on Google products and services, but are increasingly left behind by Google user interface designs and available help resources.

When it comes to user interfaces, readability, and similar areas, we again see a sort of “split personality” from Google. They have excellent and rapidly evolving resources for persons with severe conditions like blindness, but continue to deploy low contrast fonts and confusing user interfaces that drive many users with common visual deficiencies absolutely nuts.

Proposals to create the kinds of roles at Google that have been so successful elsewhere — such as Ombudspersons and Consumer Advocates — have continually and routinely hit brick walls at Google whenever I’ve suggested them. I’ve probably written a hundred thousand words or more on this topic alone in my various essays about Google issues.

It has been very clear that Google’s style of public communications has became a major part of their ongoing problems — because in my experience so many common false claims about Google are easily refuted when you take the time to actually do so in a way that non-techies will appreciate.

Yet Google PR has always had a tendency to clam up when something controversial occurs — until the situation has escalated to the point that silence is no longer an option, and matters have become much worse than they would have been if dealt with publicly in a prompt fashion. Google’s deeply entrenched fear of the “Streisand Effect” — the idea that if you say anything about a bad situation you will only draw attention to it — has not served them well.

Today’s belated announcement of a security breach related to Google+, which appears to be the handy excuse for Google to shut down consumer Google+ over a period of 10 months — a process that Google also announced today — encapsulates much of what I’ve said above.

Though the practical impact of the breach seems to be negligible, Google played directly into the politically-motivated hands of the lying Google haters, who have already been screaming for Google’s blood and for its executives to be figuratively drawn and quartered. 

These kinds of Google communications strategies are giving the evil haters even more ammunition to use for false accusations of political user censorship, they give the EU additional excuses to try fine Google billions extra to enrich EU coffers, and they give massive energy to the forces who want to break up Google into smaller units to be micromanaged for political gain by politicians and those politicians’ minions and toadies. 

In the case of Google+, while I don’t have any inside information about today’s announcements, it’s pretty easy to guess what happened.

I’ve been a very active user of Google+ since the first day of beta availability in 2011. But it was obvious from the outset that Google management’s view of the platform was significantly different from its many dedicated users — and there are many millions of them despite the claims of naysayers. I have a wonderful core following of Google+ users who are absolutely great people, and the loss of Google+ will make me both sad and yes, extremely angry. It’s difficult to consider this to be anything short of loyal users being betrayed by Google itself.

Because it didn’t have to happen. Google+ has obviously been operating on very limited internal support resources for quite some time — this was apparent to anyone who used G+ routinely. And there were some terrible executive decisions made along the way — perhaps mostly notably an ultimately abandoned integration of G+ and the YouTube commenting system, which cross-contaminated completely different spheres of interest with disastrous effects. I advocated against this both publicly and internally, but even though it was ultimately rescinded the damage was already done.

Another Google self-inflicted injury is the new controversy over purported plans for Google to again provide Chinese government censored search in China, a concept that Google abandoned many years ago. I’ve written a lot about this recently — I believe it’s a terrible idea and plays into the hands of Google’s adversaries — but I won’t get into the details again here, other than to note the great distress that these moves and the ways that they were handled internally have caused many Googlers who have spoken out publicly.

And yet as I’ve also recently written, when we view that leaked Google TGIF video where Google executives discuss this matter, you won’t see any evil intents, and in fact you’ll find execs emphasizing the need to continue preventing any political bias from finding its way into Google search or other Google products. So their hearts are clearly in the right place overall.

But even the best of intentions are not enough.

With the opening words of Google’s 2004 IPO Founders Letter, Larry Page and Sergey Brin wrote:

“Google is not a conventional company. We do not intend to become one.”

I can’t help but be reminded of that classic scene in “Citizen Kane” where Charles Foster Kane takes the “Declaration of Principles” that he’d written many years earlier and rips them to pieces, declaring them to now be antique.

It is indeed possible, even likely, that Google can continue onward without the kinds of changes that I and other Google supporters have advocated over the years, and still make bushels of money.

But it won’t be the same Google. It will have become the “conventional company” kind of Google, not the firm of which so many Googlers are so rightly proud, and that so many users around the globe depend upon throughout their days.

The Google that we’ve known will be dead. And with its passing, we’ll be entering into a much darker phase of the Internet that many of us have long feared and have worked so hard to try prevent.

And that loss would be terrible for us all.

One of Bloomberg’s sources told them Chinese spy chip story “didn’t make sense”

Bloomberg said that its sources were key to its decision to run the Chinese spy chip story, the site writing that ’17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks.’

However, one of the named sources – a security researcher who seemingly backed the claims – has said that his comment was taken out of context, and he actually told the site that what it was describing to him “didn’t make sense” …

Hardware security expert Joe Fitzpatrick was quoted in the piece saying “the hardware opens whatever door it wants.” But speaking on the podcast Risky Business, he painted a very different picture.

Fitzpatrick says that he spent a lot of time explaining to Bloomberghow such attacks could, in principle, be carried out. When the piece was published, he was expecting to read about how this specific hack was achieved. Instead, he said, Bloomberg appeared to be parroting the precise theory he had outlined.

I spent a lot of time going back and forth explaining how hardware implants worked. And as any researcher is excited to talk about their work, I was delighted to have someone who seemed interested to actually learn about how things worked as opposed to only looking for the buzzword byline that you wanted to throw into a story […]

But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from from the conversations I had about theoretically  how hardware implants work and how the devices I was making to show off at black hat two years ago worked […]

It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources.

He said the same was true of the image Bloomberg provided of the supposed spy chip.

In September when he asked me like, “Okay, hey, we think it looks like a signal amplifier or a coupler. What’s a coupler? What does it look like?” […] I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003 inch coupler. Turns out that’s the exact coupler in all the images in the story.

When reporter Jordan Robertson outlined more of the story he planned to run, he told them it didn’t make sense.

So late August was the first time Jordan disclosed to me some of the attackers in the story. I heard the story and It didn’t make sense to me. And that’s what I said. I said wow I don’t have any more information for you, but this doesn’t make sense. I’m a hardware person. My business is teaching people how to secure hardware. Spreading hardware fear, uncertainty and doubt is entirely in my financial gain. But it doesn’t make sense because there are so many easier ways to do this. There are so many easier hardware ways, there are software, there are firmware approaches. There approach you are describing is not scalable. It’s not logical. It’s not how I would do it. Or how anyone I know would do it.

[He wrote to Robertson] Are you sure there is actually an additional hardware component […] It’s trivial to modify the firmware of most BMC and many of them are trivial to exploit remotely because of the poor quality outdated software they run. The attack you describe could easily be implemented in BMC firmware. Would be just as stealthy and far less costly to design and implement. If they were really implants, are you sure they were malicious?

Fitzpatrick explained to Robertson several more likely theories for what the site’s sources were claiming to have seen, all of them perfectly normal.

He also explained the context of the one-line quote Bloomberg used.

His overall take on the piece is that the technical details are ‘jumbled’ and ‘they’re not outright wrong, but they are theoretical […] I definitely have my doubts on this one.’So let’s make that not five or nine reasons to doubt the story, but ten …

Related stories:

The Long, Weird Story Explaining Why I Bid $700 For a Stolen PSN Account

$1,200. That’s how much someone is asking for a PlayStation Network account I’ve been investigating for the past few weeks. “Secure,” the person calls it, claiming the account will “never be touched” by the original owner again. “He won’t be getting it back,” they claim. More than a thousand dollars? That’s a little rich for my blood, and so I counteroffer: $700.

“Btc?” they respond, accepting my bid. (BTC refers to bitcoin. The majority of transactions like this take place using cryptocurrency; it’s generally harder, but not impossible, to trace.)ADVERTISEMENT

I didn’t purchase the account, of course. But I could—anyone could, if they only knew where to look. This account wasn’t on a shady market because someone was clumsy with their digital security. They had a strong password and two-factor authentication. When they were notified about problems with their account, they called Sony and asked for help.

Despite all this, despite proving their identity over and over, they lost access to their PSN account, including any trophies earned or any games purchased. It was gone…well, sort of. The original owner no longer had access, but this person—the individual asking for $1,200 but who quickly and without hesitation dropped to $700—did.

“Right now it feels like Sony’s system is protecting the people who stole my account and not me, the legit account owner of that account for almost 12 years,” said Justin, who asked to keep his identity and PSN name anonymous for reasons that’ll become increasingly clear.

Sony did not respond to my multiple requests for comment about this story.

To prove Justin owned the account in question, he forwarded me several PSN receipts with the username attached to the email, and various correspondence with Sony.

Roughly a month after the launch of the PlayStation 3 and PSN, Justin did what a lot of people were doing: registered a username. There was nothing special about the username; it was the same one he’d been using online for years. And for a while, everything was normal. He played games, mostly single-player ones. Eventually, someone tried to gain access to his account, prompting an email from Sony thanking him for calling into customer service, but nothing more came of it. A fluke, surely?ADVERTISEMEN

It was not.

Instead, it proved to be the opening shot in a ongoing struggle for Justin. This tug-of-war began in 2015, and escalated in recent weeks, where people would gain access to his PSN account, then he’d wrestle it back. Justin would add new security measures, figuring the digital wall would prove too high, or they’d get bored and move on—and they’d get it again.

The moment Sony added two-factor authentication to PSN, Justin did, too.

“I’ve had at least one or two instances,” he said, “where they got far enough where the two-factor prevented them, it stopped them. I was like ‘OK, that’s what two-factor is supposed to do.’”

Nothing is completely secure on the Internet, but there are steps you can take to make life harder for anyone trying to access your stuff. Two-factor authentication, where after entering a password the user is asked to paste a randomly generated code sent to an email account or device of their choosing, is one of the easiest steps one can take. It means an intruder requires access to your device or multiple accounts. It’s helpful, and it took far too long for Sony to add two-factor authentication to PSN, despite the service’s massive hack in 2011. Microsoft added two-factor to Xbox Live in 2013. It didn’t hit PSN until 2016, five years after the personal details of 77 million users were potentially exposed to hackers.

Two-factor authentication is enough for most people, though increasingly, companies are offering more complex security layers, including dedicated authentication apps. (I use Authy.)

Until this point, what Justin was experiencing was annoying but tolerable. The two-factor notifications told him people were trying to gain access, but all he had to do was change his PSN password. Things changed last month, however, when he was getting ready for school.

“I got a text message on my phone,” he said, “from the two-factor service saying ‘Your two-factor authentication has been deactivated. Please be careful, you don’t have that protection.’ I won’t say I’m a security expert, but I like to believe I’m security conscious. I knew I was screwed. I tried to log in, but it wouldn’t let me log in, so I called Sony.”

After proving he was the account owner, control reverted to Justin, but he was confused. Justin told me Sony’s customer service representatives couldn’t explain what happened, but noted they could flag the count as “sensitive or something”—he couldn’t remember the exact phrasing—which would invite extra scrutiny by future representatives.

Justin pressed on. He registered a brand-new email account, one that hadn’t been associated with anything yet, and used the respected password management software LastPass to generate a 30-character password for his PSN account.

“I would go longer but I hate manually typing it in the PS4,” he said.

“Right now it feels like Sony’s system is protecting the people who stole my account and not me, the legit account owner of that account for almost 12 years.”

For the email address itself, however, he applied a 100-character, randomly generated password with two-factor authentication. After logging in, the name associated with the account (not the username) had changed. He didn’t take much note of it. Fear-something?

“I changed it all back,” he said, “and I was like ‘OK, this happened before. It’s never gotten this far, but it was probably a one-off. Sony said they’d keep an eye on it. I have a new email address. I have a new password. Everything should be fine.”

Narrator: It wasn’t.

When Justin woke up the next morning, it was like Groundhog Day; another text message saying two-factor had been flipped off. After calling Sony, he learned the damage was more serious: whoever hijacked the account changed the email address it was associated with, punched in a new password, and set up their own form of two-factor for a phone number.

When he tried to regain access through customer service, the said the account was now flagged as “protected.” Protected? This was different than “sensitive,” apparently. Protected turns on automatically, when the information on an account changes enough times to be considered erratic, and isn’t controlled by the representatives. Though the representatives confirmed Justin was the account holder, it was now, as Justin tells it, out of their hands. Another team was supposed to contact him in three days with more information.

During this phone call, something weird happened: someone texted Justin with messages he described “vaguely threatening,” promising to make things “worse” if he didn’t give up the account. (He deleted the text messages before I’d gotten in touch, when I asked him to start documenting everything.) If he didn’t give up the account, this person would make things worse at their job at Earthlink. They also made vague allusions to his wife and child.

Here’s the problem: Justin never worked at Earthlink. Earthlink was his old internet service provider during the PlayStation 3 era, and there was an old Earthlink email address attached to a PSN child account he’d made for a reason he couldn’t remember. The hijacker, it seems, used these scant details to infer he worked at Earthlink, and had a family worth threatening.

This was actually comforting to Justin. There was no family to be threatened. Plus, when he’d been thinking through the other ways someone might be getting access to his information—cloning his phone’s SIM card, a hidden keylogger tracking the movements on his keyboard, a fully compromised email account—it was potentially much worse. Had then been true, though, why hadn’t anyone used his credit card? Accessed a website that could do more financial damage than his lowly PSN account?

The fact that two-factor was disabled on Justin’s account is an important, complicating point. In order to disable two-factor, you’d theoretically have to have full access to the account, which also means access to the email (or device) the two-factor code is being forwarded to.

In such a case, wouldn’t the hijacker have access to more information than the misleading details on the PSN account, such as an old email address? Something wasn’t adding up.

Who, then, was disabling two-factor on his account? A key piece of evidence to consider: Sony had told him someone had called about his PSN account a whopping 12 times in the past 48 hours. A few of those were Justin, but the vast majority of calls were someone else.

“I assume he’s wasting an hour or two [on the phone with Sony], at least?” said Justin. “It takes me half an hour to sort it out, and I have all the information. [laughs] So I’m just going off how long it takes me, and I hope it takes him at least as long. I hope he’s not calling up and getting it done in 10 minutes.”

A potential culprit, then, is social engineering, a now-pervasive technique where someone uses pieces of information to trick someone, usually customer service representatives, into gaining access to another person’s account. This would explain the volume of phone calls. If you don’t succeed with one representative, call back and see if another will be more willing.

Though Sony asked Justin a series of personal questions to re-establish identity—the primary email address on the account, serial number of his first console, first city he logged in from—they also asked for details, like recent purchases, that could be found by punching in the account into any number of websites and seeing what trophies had recently unlocked.

(I asked multiple individuals who recently spoke with Sony’s customer service over similar issues, and several mentioned Sony asking for recent purchases as one of their identity metrics.)

Once you know one piece of information, it’s not difficult to start punching that into Google and find other pieces of information that might be just enough for a more lax representative.

Whatever happened, the end result was the same: When Justin finally heard back from Sony, they didn’t apologize and promise to protect the account. Instead, they said it—an account Justin has had for more than 13 years, with a history of trophies and purchases—was gone. There was nothing he could do, no process to appeal, no way to get any of his games back.

“I couldn’t get any confirmation on if the person who ‘hacked’ it is locked out, but I sure as shit am,” he said. “From what I can gather I have lost that account and Sony can’t or won’t do jack shit about it. If the person who stole it is also locked out that is one thing, but I couldn’t get a concrete answer on that piece of info.”

That’s when I went looking for answers, and how I’d end eventually end talking someone down from a $1,200 asking price for Justin’s account to only— only—$700. My first tip came from one of Justin’s friends, who, in a fit of frustration, looked up Justin’s account on PSN, and found someone was actively using it, and had changed a bunch of information on it.

Importantly, it listed an active Twitter account in the “about me” section of the profile, an account that featured a (now deleted) screen bragging about access to Justin’s PSN name:

A reply mentioned another account, who also bragged about nabbing Justin’s PSN name.

When I contacted the first person, who had open direct messages, they pleaded ignorance, and repeatedly claimed it was their account. “What makes you believe the account was stolen?” they asked. Not long after, they locked their account—and deleted the screen shot.

It’s at this point that I contacted a source close to the hacking and piracy community, who pointed me towards a popular message board for sharing, selling, and buying “OG,” aka original, accounts across a variety of platforms, including Fortnite, Snapchat, Steam, Twitter, and, of course, PlayStation Network.

I’m declining to name the message board due to the sensitivity of the information on it.

On the board, there are guides to “secure” a PSN account in case “someone attempts to get the account back,” albeit with the important caveat “there’s no way to secure a PSN 100%.” One of the key suggestions is to quickly change the account to Japanese, which you’ll notice happened with Justin’s account. One of the screen shots listed the language as “Japanese.”

It was easy enough to register an account on this message board. There’s no vetting process. You also don’t have to pay anything to search the database, either. Once I was in, I plugged Justin’s PSN account into the search field and voila. There was a thread selling his username for $1,200.

In the thread, the seller promises the account is “secure.” There’s scattered and disputed discussion about whether the account has been sold before, but the seller claims it hasn’t. Importantly, there’s a discussion over whether the “og owner,”—Justin—could regain access.

“He won’t be getting it back,” argued the seller.

“Are you going to have a pull war with him or what,” asked another user.

“Not really a pull war when he not gonna pull lol” retorted the seller.

Pull war is a reference to the cat-and-mouse game Justin had been playing with this person, or possibly someone else, and Sony’s customer service department. The seller was boasting there’s no way it’ll switch hands, a claim bolstered by what Justin was told by Sony: the account is lost. In this case, though, it’s not “lost” because Sony locked it down, it’s lost because the user apparently had pulled enough tricks to make sure it’s out of Justin’s hands.

The seller even referenced the text message conversations he had with Justin:

Soon after, another user vouches for the seller’s authenticity, but is called out by someone as being a duplicate account for the seller—a violation of the board’s rules. He’s now banned, amid speculation from other users the seller cannot back up claims of securing the account.

“Use your brain a lil bit,” said another user. “There are ways to make sure og owner doesnt get it back. If you dont know then you dont.”

The other user concedes the point.

The seller continues to bump the thread— it’s been on sale for nearly a month—but no one’s biting. That’s when I decided to send a message, asking for proof about the account. He agrees to add me as a friend on PSN, and after registering a new account, I send a request.


A screen shot from a burner PSN account I made.

You’ll notice we’re now friends, as evidenced by the “your friend” note in the corner. The avatar is the same as the one referenced in the screenshot from Twitter a few weeks back.

This is when I decided to negotiate. Nobody had bought the account at $1,200, so maybe he’d go a little lower. Like I mentioned, I picked $700 out of thin air, thinking we’d settle somewhere in the middle, but they immediately agreed to my asking price. No negotiation.

“No one actually pays real money for accounts, so I bet he’s thrilled,” said the hacker who’d tipped me off to the forum in the first place.

I haven’t paid any money for the account, of course. Nor has anyone else.

More than likely, Sony itself is a victim of a clever social engineering scheme, in which a user, or series of users, repeatedly spammed their representatives, until it found someone willing to accept the limited information they did have, and calculated the system would eventually lock the account in their favor. Even a “failed” social engineering attempt can be a success, if the person calling comes away with new information about the account. Every company in the world can fall victim to social engineering, as there are no true fail safes. But Sony’s setup seems especially ripe for it.

Why didn’t the system get flagged as “sensitive” sooner? Why can a user flip off two-factor authentication over the phone? How can an account get abandoned, when it’s still active?

There are ways Sony could have prevented this from happening.

As I mentioned before, Sony did not respond to my request for comment about this story. They didn’t respond to my request for comment in 2017 when I investigated the shady world of PSN account resellers, either. PSN has a long, troubled history of putting their users in compromising situations. There are always exceptions, and no digital security is completely safe, but when someone follows all the rules, shouldn’t the company go above and beyond?

In this case, Sony most definitely did not—at first, anyway.

Though Sony did not officially respond to me, a few days after being alerted to the situation, in which I outlined everything that had happened to Justin’s account, he got a phone call. A week after Sony told Justin he was screwed, he was magically being handed the account.

“Sony promised that there were going to set it up so no reps could make any changes,” he said, “but they are still investigating how this happened.”

Sony did not respond to my request for comment about this new development.

There’s evidence the seller truly did believe they had the account “secured.” There was a new name and address associated with the account, and $15 in credit had been added. The seller even purchased some new games. This was an account someone intended to use, or allow someone else to use, if they’d agreed to an asking price of $1,200. (Or, uh, $700.) It’s also possible the purchases were made to establish a new purchase history, one of the identity metrics Sony’s customer service uses to establish who is the owner of an account.

Justin was also given a specific phone number to call in the future, if he has new problems.

“I have my account all set up now,” he said. “We shall see how well Sony can protect it.”

As for the seller, I called their bluff and asked for evidence they still had the account. They demurred, accused me of trying to waste their time (fact check: true), and asked for their money. They’ll have to keep waiting.

boltons – over 160 BSD-licensed, pure-Python utilities (

Boltons is a set of over 160 BSD-licensed, pure-Python utilities in the same spirit as — and yet conspicuously missing from — the standard library, including:

Full and extensive docs are available on Read The Docs. See what’s new by checking the CHANGELOG.

Boltons is tested against Python 2.6, 2.7, 3.3, 3.4, 3.5, 3.6, 3.7-dev (aka nightly), and PyPy.


Boltons can be added to a project in a few ways. There’s the obvious one:

    pip install boltons

Then, thanks to PyPI, dozens of boltons are just an import away:

    from boltons.cacheutils import LRU
    my_cache = LRU()

However, due to the nature of utilities, application developers might want to consider other options, including vendorization of individual modules into a project. Boltons is pure-Python and has no dependencies. If the whole project is too big, each module is independent, and can be copied directly into a project. See the Integration section of the docs for more details.

Third-party packages

The majority of boltons strive to be “good enough” for a wide range of basic uses, leaving advanced use cases to Python’s myriad specialized 3rd-party libraries. In many cases the respective boltons module will describe 3rd-party alternatives worth investigating when use cases outgrow boltons. If you’ve found a natural “next-step” library worth mentioning, see the next section!


Found something missing in the standard library that should be in boltons? Found something missing in boltons? First, take a moment to read the very brief architecture statement to make sure the functionality would be a good fit.

Then, if you are very motivated, submit a Pull Request. Otherwise, submit a short feature request on the Issues page, and we will figure something out.

Solving Tech Addiction Is an Underappreciated Market Opportunity

Smartphones have made us superhuman by bestowing on us the intelligence of the world’s information at our fingertips persistently; however, few would disagree that our omnipresent devices also create undesirable outcomes. We spend so much time on our phones that we ignore the real world and real people around us. Studies have suggested that technology addiction contributes to unhappiness and higher rates of suicides because we have fewer meaningful relationships.

At Loup, we often debate the effects technology has on humans. While we agree that no technology is purely good or evil — all things come with tradeoffs — I argue that technology doesn’t create new problems per se, it amplifies existing problems inherent to the human psyche. The point of technology is to augment the human experience, so it would stand to reason that such augmentation will happen in both positive and negative ways.

Humans are biologically incentivized to seek pleasure and avoid pain. This is the basis for not only our survival instinct, but also all addiction, technology included.

Defining the Problems Caused by Tech Addiction

The research says that technology makes us unhappy and most attribute that to our smartphones; however, it isn’t our smartphones alone that make us unhappy, it’s the information we consume on our smartphones. The device is a conduit for content. On Instagram, we’re bombarded with beautiful people living perfect lives. On Twitter, we’re bombarded with short, angry arguments about politics among other things. On YouTube, we’re bombarded with endlessly interesting videos that keep playing until we stop them.

The constant stream of notifications and information we receive gives us a pleasurable hit of dopamine, entices us to return, and feeds our addiction even though it isn’t constructive or healthy. There seem to be three core content-related mechanisms that contribute to unhappiness: inferiority, anger, and distraction.

  1. Inferiority. The idea of “Keeping up with the Joneses” has been a human psychological reality probably since we were jealous of our neighbor’s four-bedroom cave in the Stone Age. Technology has brought the world closer. On some platforms, Instagram in particular, everyone seems beautiful, glamorous, and rich. We feel like everyone is our neighbor, and we have to keep up with all of them, which is impossible. We also risk feeling left out if we see our friends having fun, and we’re not there.
  2. Anger. Unfortunately, anger is more engaging than rational discussion. When we’re angry, we feel the need to respond and defend our opinions. Then we share that response with everyone we know so they can respond too. If the world agrees with us, our anger is justified. If the world disagrees with us, we engage in moral combat and get even angrier. Because media platforms monetize primarily through advertising, which is sold by engagement, facilitating discussion that is based on emotion instead of logic is more profitable.
  3. Distraction. Distraction is a direct byproduct of the aforementioned search for pleasure. Every time we get a notification or the next auto-play video starts, it’s a chance for pleasure, and if we miss out, that could be perceived as pain. By responding to every notification, we can’t focus, which causes procrastination, poor performance, and stress.

We Can’t Rely on Tech Giants to Fix Tech Addiction

To meaningfully reduce technology addiction, Apple, Google, and Facebook could just eliminate the stream of notifications we get from their products. We don’t need to know every time someone posts a new picture on Instagram or see the stories curated for us from Google News on Chrome or even get a new email.

Unfortunately, eliminating apps or notifications would hamper the paramount metrics to each of these businesses: device sales, platform engagement, and paying customers. These companies are some of the most socially conscious companies in the world, but they’re still beholden to shareholders and employees that survive on profit. While Apple, Google, and Facebook are beginning to offer tools to better understand how much we use their devices and services, those companies can’t viably fix technology addiction because their businesses prevent them from doing so.

So, What Do We Do About Tech Addiction?

As with anything deemed a problem by society, particularly when addiction is a risk, there is the potential for government regulation. We tried prohibition in the early 1900s. More recently, we’ve had attempts to limit the size of soft drinks in New York.

Protecting people from themselves never seems to work well. Freedom and safety are an eternal tradeoff. Most rational individuals would rather not have others make decisions for them in the name of their safety but at the cost of their freedom. We want to decide what’s best for ourselves, even if we choose incorrectly.

The real answer to solving technology addiction is the answer to sustainably solving most problems: innovation spurred by capitalism. A new group of businesses needs to emerge that gives us the choice to help ourselves and rediscover the benefits of disconnection.

Dieting may be the most helpful analogy here. In the US, many of us have poor diets either on occasion or frequently. Few of us have the discipline to eat well for long periods of time to optimize our health. When we gain too much weight, we pay for a personal trainer or a diet program or a book or an app to get us back on track.

We are all severely overweight with how much we use technology, and we need a diet.


We see two types of solutions for solving tech addiction: software-based solutions and experience-based solutions. Software-based solutions are software tools that help us understand how much time we’re spending using technology and even block us from using certain technology. Major tech companies are providing some of these tools now like Apple on iOS with Downtime. Third party companies provide even more aggressive versions of time-management apps. Experience-based solutions are rarer, but examples include one-on-one counseling for addiction and locations that ban smartphone use.

To date, solutions to tech addiction are posed as limiting a negative. We track or limit how much time we spend. However, just as we noted with government intervention, “don’t do this because it’s bad for you” is a poor sales pitch. Companies that deliver meaningful solutions to address tech addiction need to sell benefits first and may not even talk about tech addiction.

People pay for diets and exercise because there are real physical, mental, and social benefits to being healthy and looking better. People will pay to disconnect from technology for two core benefits: happiness and prosperity. Happiness is most connected to the elimination of feelings of inferiority and anger. Prosperity happens through focused effort that avoids distraction.

In summary, we see two types of solutions: software-based solutions and experience-based solutions, each able to provide two core benefits: happiness and prosperity. We can think of the opportunities in managing tech addiction in a matrix:

Source: Loup Ventures

The opportunities listed in each quadrant are examples and non-exhaustive. There are ideas in each category we’ve seen or would like to see. The best ideas aren’t likely included, but here are some additional thoughts on a few of the concepts above that we think are the most interesting:

  • Limited devices. Putting limitations on the devices we use can circumvent addictive behavior at the source. This would happen at the OS layer; however, as noted above, it’s unlikely Apple and Google put true restrictions beyond the tracking and alert features they’ve implemented recently. Phones similar in function to ones from a decade ago can make sense. A phone that is only capable of making calls, texting, and a handful of other features may help increase happiness. Laptops without internet, or with heavily restricted internet access established at the OS layer, can offer focused productivity that leads to prosperity. If someone can’t engage in addictive behavior, they won’t. At least not on their restricted devices.
  • Incentivized motivation. Incentives drive action. The incentive of excitement you get from the ding of a notification keeps us coming back to our phones, but we can turn that concept around to make us stop using our phones. An application could provide a user frequent alerts to get back to work or put the phone down if they’ve been using it for 10 minutes or more. Taking the idea further, there could be some financial or other incentive (maybe the user escrows some money toward buying something they want) if they hit their goal. By breaking the spell of or adding friction to whatever non-productive activity we’re engaged in, we have an opportunity to exercise willpower to channel our focus elsewhere. We may not be able to make productivity as addicting as Instagram, but we should be able to get close.
  • Focus rooms. Every coworking space and office should have a room where phones are prohibited and internet is restricted — a sort of productivity oasis amidst the office desert of distraction. Enforcement is the key problem to solve here, which might require a monitor to make sure that customers aren’t loose with adherence to device restrictions. A focus room can also serve as a social proof reminder to others, encouraging them to act to curb their addiction to being connected.


Our phones aren’t going away; neither are our social networks. A full technological lobotomy isn’t even desirable since it would remove the good with the bad. Humans always find ways to evolve and the solution to tech addiction will be no different. Ingenuity spurred by the freedom of markets will create various solutions that help us manage tech addiction. People that use those solutions to effectively curb negative habits will end up happier and more prosperous than others, just like it’s always been. How’s that for incentive?

Disclaimer: We actively write about the themes in which we invest or may invest: virtual reality, augmented reality, artificial intelligence, and robotics. From time to time, we may write about companies that are in our portfolio. As managers of the portfolio, we may earn carried interest, management fees or other compensation from such portfolio. Content on this site including opinions on specific themes in technology, market estimates, and estimates and commentary regarding publicly traded or private companies is not intended for use in making any investment decisions and provided solely for informational purposes. We hold no obligation to update any of our projections and the content on this site should not be relied upon. We express no warranties about any estimates or opinions we make.AppleGooglePhilosophy

Netlify raises $30M to replace webservers with a global ‘Application Delivery Network’

SAN FRANCISCO, California, October 9, 2018 ー The workflows and technologies required for modern web development are undergoing dramatic reinvention. Netlify, a San Francisco based company serving a large base of passionate web developers, has seen the transformation first hand. They’ve engineered a new platform for the web where content and applications are created directly on a global network, bypassing the need to ever setup or manage servers.

Today, Netlify announced they have raised an additional $30m led by Kleiner Perkins’ Mamoon Hamid with Andreessen Horowitz and the founders of Slack, Yelp, GitHub and Figma participating.

“We’ve wanted to dump webservers for a while, but the tooling was missing. Netlify now gives us instant global delivery, with no infrastructure required.” said Vitaly Friedman, founder and owner of Smashing Magazine and Smashing Conf. “As content gets updated, it’s automatically built by Netlify’s bots before being deployed worldwide to every major cloud provider. For us, Netlify replaced the need for a CDN, a lot of servers, a lot of management headache, and a lot of duct tape.”

Pre-building and distributing apps ahead of time is the core concept behind the JAMstack, a modern approach to web applications. It’s an idea borrowed from mobile development that’s catching on with the web developer community. “Running any web property without origin servers is an arresting concept, but the clear future of the web platform,” adds GitHub founder Tom Preston-Werner. “In less than five years, you’ll build your next complex web application this way.”

To pull off the new architecture, Netlify needed to give developers a git-centric workflow, something that supports the move away from server applications towards APIs and microservices. Netlify’s Application Delivery Network removes the last remaining dependency on origin infrastructure, allowing companies to host the entire application globally.

“It’s an ambitious goal,” said Kleiner Perkins’ Mamoon Hamid, commenting on their investment in Netlify. “In a sense, they are completely rethinking how the modern web works. But the response to what they are doing has been overwhelming. Most of the top projects in this developer space have already migrated their sites: React, Vue, Gatsby, Docker, and Kubernetes are all Netlify powered. The early traction really shows they hit a nerve with the developer community.”

Netlify believes all sites on the internet will be powered by application delivery networks as the technology advances.

“The cloud made it faster, easier, and cheaper to provision servers, vms, and containers.” said Mathias Biilmann, Netlify Founder and CEO. “But more devices always bring more complications. Customers have come to us with AWS environments that have dozens or even hundreds of them for a single application. Our goal is to remove the requirement for those servers completely. We’re not trying to make managing infrastructure easy. We want to make it totally unnecessary.”

“This is where the web is going,” commented Chris Coyier, CSS expert and co-founder of Codepen. “Netlify is just bringing it to us all a lot faster. With all the innovation in the space, this is an exciting time to be a developer.”

Google GKE vs Microsoft AKS vs Amazon EKS

There have been many comparisons done between these cloud hosted Kubernetes providers already. However, probably none as honest as this one.

Below is a screenshot of the Google sheet comparing GKE, AKS and EKS. You may notice that some of the cells have comments in already. These comments link to the place I got the information from.

If anything is incorrect please add a comment to the sheet or drop me a message below.

This is going to be a brutal comparison and I’m happy to change my mind if somebody can present some factual evidence.

As it stands today I’ve personally used EKS, and AWS in general a lot. I’ve used GKE a bit but only with my own personal credits doing Kubernetes The Hard Way and spinning up a very quick GKE test cluster a while ago. I’d like to use it more but we’re on AWS at work.

Azure is something I’ve avoided since using it for a few months last year. I was working as a Microsoft partner so it was unavoidable back then. Parts of it are alright but the user experience coming from an Amazon background is worlds apart.

I’ll split my recommendation up into a few categories based on scenario.

Greenfield Projects

I’ve been trying to weigh up whether to advise people to review all of the services across Google, AWS and Microsofts clouds. Kubernetes is a single component of a larger system and other factors will come into play. However, there really isn’t much difference between what each cloud offers nowadays.

Marketing teams may claim otherwise but when you look at what most companies need in the way of features they all pretty much have it covered.

So let’s simplify things and say you only want to run Kubernetes. The answer is clear. Go with GKE every time.

Why? It’s cheaper, faster and better in almost every single measurable way than the competition.

You may look at the 3 minutes vs 20 minute cluster creation time and think it’s not a big deal. How many times do you really build a cluster anyway? Well, not very often if they take 20+ minutes and sometimes fail because you will change your entire workflow to fit around it.

If, however, clusters only take 3 minutes to create you will find yourself using disposable test infrastructure and working in an entirely different way.

Networking is the other reason. Google is miles ahead of everyone here. Similar story with HA and scaling.

I won’t call out every row from the spreadsheet as a reason as I think the data speaks for itself.

We’re already locked into AWS

You probably don’t have much of a choice. Kubernetes on its own isn’t reason enough to do a cloud migration.

Hopefully, you’ll see this comparison and know that life could be worse. EKS is still new and the Amazon teams iterate quickly. I doubt Amazon will ever match Google for network speed or VM boot times but your life will still be tolerable.

It would be nice if they could enable the default Admission Controllers on the masters. Also, I have no idea why cluster creation is so slow. I’ve measured cluster build times at work and they always take around 20 minutes to build to the point I can run integration tests on them.

The other annoyance is the lack of worker management. Hopefully the EKS guys can package this up like how GKE does it.

An interesting thing I noticed was that EKS supports i3.metal instances so this is the only Kubernetes solution that supports bare metal workers. This may be useful for some people.

My company is looking at Azure

Again, not really much you can do. My advice is to setup a demo with AKS and GKE and try to convey the developer experience to the decision makers.

Show them how some things on Azure need to be done in a clunky web UI, other things need Powershell and other random stuff uses the CLI. Try to get people to account for the slowness of operations and how that effects the design of DevOps pipelines and automation in general. Yes, you can make it work, but why make life hard for yourself.

It’s possible you’re locked in with something like Active Directory as a requirement which means you’re probably out of luck.

I’m being serious when I say this: if the company I’m working for decided to migrate to Azure I’d find a new job. By the way, this wouldn’t have always been the case. Back in my youth I managed Windows servers, I fixed broken TFS installations and I walked into server rooms and replaced tapes every week.

Nowadays I want to programmatically control infrastructure. It needs to be fast and bug free so that I can build cool automation on top. Working on something like Azure, especially after having worked on AWS for years, would be extremely depressing.

To all of you who are moving from on-premise into Azure it could be a step up in terms of agility so I wish you the best of luck.

So there you have it! This site needed a comparison of Kubernetes options that run in the cloud. My recommendation is go with Google GKE whenever possible. If you’re already on AWS then trial EKS but it doesn’t really give you that much currently. You may be better off looking at Kops or some other cloud installer until they add managed workers and other integrations.

Additional Reading

More information about each cloud offering from Kuberiter :

Another good comparison although a bit out of date now:

The guys at Caylent provide some nice bullet points:

Good cost comparison article: