This is great! I assume most of your customers will be businesses, so why not offer a bulk "@domain" subscription for $999 (lifetime) so that anyone in the business can use it without restriction. Restrict the other packages to personal use and you should be able to drive up your income.
>China's proposal, meanwhile, appears to suggest converting solar energy into electric energy in space, before beaming back to Earth using a microwave or laser and feeding into the grid via a ground receiving system.
Do they need to? I wonder how feasible it would be to put large computational centers in space and have space solar farms powering these computational centers. So if we want to test complex or long-running programs/models/algos, we can just beam it to the computational centers orbiting earth and wait for the results when it's finished.
Radiators. Need pretty big ones if the computers want to run cool.
Probably would be better to manufacture most of the stuff on some asteroid or on Mercury and have the computation radiation shielded by a significant mass.
First you build a space elevator to geosynchronous orbit, then you can use full batteries as counterweight for lifting empty batteries. That way you only have to overcome friction losses.
Even better! Now it's less of a joke idea. You still have a small shuttle transfer from geosync orbit to wherever the solar farm is (heliosync or a Lagrange point to avoid Earth's shadow), but the delta-v for that is tiny.
However space elevators are still soft SF (still missing a material with enough tensile strength), whereas BFR cheap reusable launchers are hard SF, achievable with current known tech.
Yeah, Chip and PIN (EMV) in the UK is much better for security, we have a lot lower rates of card fraud here than in the US. In fact most of the world has now switched to EMV, the US is the only major country that I can think of which is still on swipe payments.
The problem goes further than the cards themselves though, I think the big problem with them is that you have to give companies all of the details needed to make a charge when you buy things online, and those details are stored. Other comments here are right, the main way to deal with this is single use card numbers that can be revoked individually.
I think a good way would be to implement something similar to what OAuth does. When you want to make a payment to Amazon for example, you tell your bank who you are and after authenticating you, they would provide a token to Amazon who can store that to use for purchases. If at some point in the future Amazon were 'hacked', the bank could revoke charging authorization for all tokens given to Amazon, immediately protecting all of their customers.
Chip and PIN should be better, except they fucked up the crypto such that anyone who stole your card could use it without knowing your PIN but still make it look like a PIN transaction - so you'd be liable for the fraudulent transaction since obviously you didn't take sufficient care to keep your PIN secret.
Although there are some problems with the implementation, I've come to like it for a couple of reasons:
(1) It authenticates features of your browser (like user-agent, IP address) to score the transaction. These are somewhat hard for an attacker to duplicate.
(2) With some UK banks, it is combined with a hardware one-time password generator to form a reasonably robust two-factor authentication.
Now there are certainly problems, such as it appearing in a frame, and not appearing as a subdomain of your bank, and those should be fixed.
The main problem with Verified By Visa (and whatever MasterCard calls it) is that in using it, you agree to be liable for it as if it were a card-present transaction, which is ludicrous for online purchases. Whenever I'm stopped to sign my card up for "Verified By Visa," I immediately switch to a different card because of the reduced protection I would have to agree to with "Verified" transactions. It's simply a way to shift responsibility onto the purchaser with no additional protection.
I used to run into the VBV screen when ordering from Newegg. It's been a while so I don't know if things are the same. I refused to consent to the terms for the reasons you gave. Instead, I just closed the browser. The funny part is that my purchase would still go through.
MasterCard SecureCode / "3D Secure" or whatever they call it, has been active on my card for many years and I never had any problems whatsoever. Always worked like a charm. And the upside, nowadays I don't worry anymore about anyone storing my CC number on their unsecured servers.
I think 3D Secure only prevents doing transactions without double auth in "3D Secure enabled" online shops. In the shops that don't have that implemented, the transactions can go through (though probably those shops pay higher provisions).
Correct. The payment gateway usually has a setting to enable/disable 3D secure as a feature.
You also get a failed transaction report, some people can have 4-5 goes before giving up on their purchase. Sometimes to countries somewhere abroad the customer gets a form to fill in to apply for having this extra check on their account (because there is no 3D secure in the country where they have their card registered or it is not customary to use it).
It would be nice to use 3D secure as an extra feature, and, as a retailer, set it on a case by case basis, e.g. to an order that is for somewhere overseas or over a certain value.
In the UK a fraudulent order is a fraudulent order, as a retailer you are on your own dealing with it. Putting someone's card address in Google Street View and seeing how big their house is often turns out to be a good way of deciding whether to 'ship' or not.
Address verification is a 'soft fail' if you want it to be. It will compare the address by numbers, so someone entering 'Flat 2' in the primary address line will fail the system if the address is actually 'Flat 2, 34 Church Street' as '34' is expected for the match.
There is no system guaranteed to work, except PayPal, that you pay for in fees.
These matters aside, the system of swipe only in the US just gives most people in the UK scary feelings.
> In the UK [..] putting someone's card address in Google Street View and seeing how big their house is often turns out to be a good way of deciding whether to 'ship' or not.
Having lived in the UK for 3 years, I'm not sure anyone's "house size" over there is a good indicator for, well, pretty much anything ;D
The implementation I can live with. The fact that it's opt-in is entirely fatal though. Criminals just need to find a website without it. So the only person inconvenienced by it is me.
Verified by Visa and Mastercard 3D Secure were an attempt to implement something similar to this, but were a disaster. I recommend the paper "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication" by Steven Murdoch and Ross Anderson, who have been involved in quite a lot of the security research surrounding EMV.
EMV has its problems. I've worked with a few researchers who have targeted the security of it in several ways and found some quite serious issues, so I'm quite aware of the security implications. However in terms of practical criminal use, having the challenge and response mechanism with the card is a significant improvement over the static data of a magstripe.
That said, an interesting piece of British law is the fact that a signature forgery is never the responsibility of the victim. This means that if someone fraudulently signs for a payment, you are not responsible for the charges at all, whereas if someone watches you enter your PIN, or you tell it to someone and they subsequently use it to make payments, this is your responsibility. The grey area for a while was that the companies behind EMV said it was 'uncrackable' (never a good idea) and refused to take responsibility for charges that some users claimed had been made without their PINs being revealed by them. Anderson and the Cambridge security researchers demonstrated a proof of concept a few years ago that showed how it could be used without knowing disclosure of the PIN, and since then card companies and banks have been a little more receptive to taking on the responsibility.
I was interested in using the expanded range, but it needs to access administrator privileges which I can't use on my locked-down work laptop. The normal version is a lifesaver though!
heycar is a startup automotive marketplace, backed by VW and Daimler. We're working to make buying vehicles easier for customers in the UK.
Recruiting for:
* Frontend engineers
* Senior backend engineers
https://www.linkedin.com/company/heycar-uk/jobs/