Channel: Fast Company

A Chemistry Set For Hackers, Made Modern

Chemistry sets were the original hardware hacker's cookbook, teaching kids about the modular nature of matter in ways that would be consistent with today's homebrew projects and mashups. But safety has trumped intellectual curiosity in recent years, neutering chemistry sets in the process.

"Kids sit and are entertained by electronics rather than going out and doing something and building something themselves," Robert Bruce Thompson has said; he literally wrote the book on chemistry sets. "There are just so few kids that actually do hands-on stuff."

But a new Kickstarter project from Kansas City chemist and maker-store owner John Farrell Kuhns could help change that. The Heirloom Chemistry Set, as it's called, is modeled after a classic A.C. Gilbert chemistry set Kuhns remembers from his own boyhood--but with a few modern twists.

The kits come packaged in plywood boxes individually hand-assembled by Kuhns, and each of the 56 chemicals included is precisely measured and bottled in his lab, he said. Each chemical's bottle comes labeled with a scannable QR code linking to an online material safety data sheet, so budding scientists can look up key data on their smartphones without laboriously digging through paper documents as in the old days, Kuhns says.

"That's not exactly convenient when you have your gloves on, your goggles on, and you're in the lab and you say, 'I wonder what these are incompatible with,'" he says.

Before the Kickstarter began, Kuhns had already sold a few of the kits through his Parkville, Mo., store H.M.S. Beagle--named, of course, for the British Royal Navy ship that carried Charles Darwin to the Galapagos, where he made many of the observations that would inspire his theory of evolution.

"I have been able to build a few, but not enough to satisfy the demand and meet our mission to provide the sets to a larger audience," he writes on his Kickstarter page.

Kuhns believes every child should have a home laboratory by the age of 12, whether it's specializing in chemistry or robotics, paleontology, or perfume-making.

"A kid can go and get away from everything--especially away from video games--and work on things of their own and still have the supervision of parents as appropriate and needed," he says.

H.M.S. Beagle offers training and supplies in all those fields and collaborates with Make: KC, a family-friendly venue and organization in Kansas City that's part of the larger maker movement encouraging ordinary people to participate in do-it-yourself experiments, engineering, and crafts.

"We sell beginning soldering kits and beginning robotics kits, and I think it's great the kids do that," Kuhns says. "Soldering and putting things together--that's really the heart of the maker movement. You can go out and buy a robot, but why not learn how to build it yourself?"

The Kickstarter launched Nov. 11 and has already exceeded its funding goal of $30,000, but Kuhns said he doesn't intend to set any limits on the number of donors to whom he'll provide rewards, ranging from e-book editions of classic chemistry texts to the heirloom chemistry kit itself.

The chemistry set includes every chemical from the 1936 edition of chemistry set maker A.C. Gilbert's book Chemistry for Boys, Kuhns says.

"There are chemicals in there that when I started doing this, I didn't have access to," he says.

One example is a substance called red saunders.

"I had a vague idea of what it was, but I really didn't pay much attention to it," he says.

It's a type of wood also called red sandalwood, it turns out, and it's included in the Gilbert book in an incense-making lab.

"You don't get incense-making experiments in any of the kits today," Kuhns says.

Another chemical found in the Heirloom kit but not in many other home chemistry sets is ammonium dichromate, which produces an impressive volcano-style blaze when set on fire. That demonstration's still done in schools, but at-home kits have recently preferred the tamer vinegar-and-baking-soda volcano due to concerns about ammonium dichromate, which can be toxic if ingested or handled improperly, Kuhns says.

But every chemical in the kit is safe if handled with proper care, Kuhns says. If parents are concerned about their children using particular substances, Kuhns is happy to suggest and substitute alternatives. The kits should only be used by children 9 and up who are able to read the instructions and have proper adult supervision, according to the Kickstarter page.

But providing chemicals and proper instructions and supervision is better than leaving kids with an interest in science to find chemicals and experiment on their own, he says.

"If they don't know how to do it safely, if they have an interest, they'll acquire the ingredients and possibly hurt themselves," he says.

Kits like Kuhns' help make sure that talented, inquisitive students find their way into scientific fields, says Thompson. He markets his own kits and home science curricula aimed mostly at high-school-age students, including homeschoolers, under the brand name The Home Scientist.

"If we don't encourage our really bright kids into these fields, we're basically destroying our seed corn," Thompson says.

Magazines like Make, for which Thompson has written, and basic electronics kits serve the same purpose in other areas of science, he says.

"Before Make, kids did very little that didn't involve passive use of electronics," Thompson says. "If you don't give kids the opportunity, they're never gonna do it."

And to have a real understanding of chemistry, up-and-coming scientists should have the basic understanding that comes from doing their own low-level experiments with a chemistry set, Kuhns says.

"If you can't open it, you don't own it," Kuhns says, quoting a maker-movement adage about modern consumer electronics built to be impenetrable to tinkerers. "The same thing with chemistry: If you don't know how to make it, you don't know how to do chemistry."


These Simple Interactive News Maps Give Your Stories A Sense Of Place

Interactive maps can draw people into complicated stories in an easy-to-understand way, making them great traffic-earners for media sites. But building those maps often involves working with arcane geographical software and writing lots of JavaScript, making Internet cartography too difficult and time-consuming for many journalists and online storytellers.

The founders of Vizzuality, the company behind the cloud-based mapping tool CartoDB, intend to democratize interactive maps so that overhead is a thing of the past.

"Anybody who knows how to use Excel should be able to build a map," said Vizzuality CEO and cofounder Javier de la Torre. "We want to provide the technology so that they can do it."

CartoDB makes it possible to create interactive maps just by uploading a spreadsheet with a column of addresses or other location information.

The software, which has been used by journalists at publications including The Wall Street Journal and The Guardian, as well as humanitarian groups responding to the recent typhoon in the Philippines, will automatically turn the locations into latitudes and longitudes and plot them on a map--a process called geocoding. CartoDB can also process other commonly used geographical data formats, like the shapefiles favored by many government agencies, or slurp in and sync live data from online sources like the National Weather Service.

Then, step-by-step wizards and built-in templates let users quickly customize what gets displayed, color-coding points or shapes based on other columns in the data and designing tooltips and pop-up windows. Users can switch between mapping individual points, like which cities the Rolling Stones visited on each of their tours over their 50-year history, and creating heat maps, like one de la Torre created clustering every known meteorite strike in Earth's history.

The maps live in the cloud, so users can easily share links to them online or embed them in articles on their own sites and let CartoDB handle the scaling issues if their maps go viral.

This month, Vizzuality also announced support for geo-temporal mapping, meaning animated maps that show changes in datasets over time. One example shows minute-by-minute traffic trends in cities around the world; another compares credit card transactions in Barcelona during the Mobile World Congress and in a typical week.

To make a temporal map, users can upload a spreadsheet or other dataset with at least a location column and a time column.

"This is something we're very excited about," de la Torre said. "It hasn't been possible to do these kinds of maps where it changes over time very easily."

CartoDB is built on open-source technology, meaning users can choose between building their maps on Vizzuality's servers--the company offers a variety of hosting plans, including one that's free of charge--and downloading the code from GitHub and running CartoDB on their own machines. That option is preferred by some organizations with sensitive data, such as banks, de la Torre said.

Behind the scenes, CartoDB's servers use the open-source PostgreSQL database and its geographical plug-in package PostGIS to store data and the Mapnik toolkit to help generate the actual map images. On the client side, JavaScript libraries CartoDB.js and Torque, used for animated maps, make the maps actually show up in the web browser, using the HTML5 canvas element where it's available and basic images where it's not.

CartoDB's interactive wizards actually generate SQL database queries and stylesheets in the CartoCSS language used by Mapnik. Power users can tweak those or write their own SQL queries, stylesheets and JavaScript code to further customize their maps, joining data from multiple tables or drawing shapes around a given point, for instance.
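As an added illustration of the two customizations mentioned above (a join across tables and a shape drawn around a point), here are two PostGIS queries of the kind a power user could run over CartoDB tables. This is example code written for this page, not CartoDB's or Vizzuality's own. `cartodb_id` and `the_geom` (WGS84, SRID 4326) are CartoDB's conventional key and geometry columns; the table names `stadiums` and `incidents`, the column `name`, and the coordinates are constructed assumptions.

```sql
-- Added example, not CartoDB's own code. Assumes two hypothetical tables,
-- `stadiums` and `incidents`, each with CartoDB's conventional columns
-- `cartodb_id` (integer key) and `the_geom` (geometry, SRID 4326), plus a
-- `name` column on `stadiums`.

-- 1. Join two tables spatially: count the incidents within 500 metres of
--    each stadium. ST_DWithin on the geography type measures in metres,
--    so no reprojection is needed. Stadiums with no nearby incidents are
--    kept (LEFT JOIN) and report a count of 0.
SELECT s.cartodb_id,
       s.name,
       COUNT(i.cartodb_id) AS incidents_nearby,
       s.the_geom
FROM stadiums AS s
LEFT JOIN incidents AS i
  ON ST_DWithin(s.the_geom::geography, i.the_geom::geography, 500)
GROUP BY s.cartodb_id, s.name, s.the_geom
ORDER BY incidents_nearby DESC;

-- 2. Draw a shape around a given point: a 2 km circle around a fixed
--    longitude/latitude (constructed coordinates near Manhattan). Buffering
--    in geography yields a true-distance circle rather than one distorted
--    by latitude; the result is cast back to geometry and returned as
--    `the_geom` so the map wizard can style it like any other polygon layer.
SELECT 1 AS cartodb_id,
       ST_Buffer(
         ST_SetSRID(ST_MakePoint(-73.9857, 40.7484), 4326)::geography,
         2000
       )::geometry AS the_geom;
```

Both queries return a `the_geom` column, which is what CartoDB's map layers render; anything a query produces without geometry shows up as table data only.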

"Users, particularly thinking about journalists, like a lot to use our software because they can do visualizations very quickly and very easily," de la Torre said. "They start learning about it and start doing more complex visualizations."

Soon, Vizzuality is planning to add support for more intricate animations using its Vecnik JavaScript library, which, on modern browsers with HTML5 support, handles more of the map rendering in the web browser rather than on the server, de la Torre said.

The company's also looking to add more flexible payment plans letting users pay variable fees based on the amount of bandwidth and other resources their maps consume each month, similar to Amazon Web Services' pricing plans.

"We want to simplify our pricing by just giving a more elastic model, where people just pay for what they use," de la Torre said.

Right now, pricing plans named for geographical pioneers like Ferdinand Magellan and London cholera-mapper John Snow allow for certain amounts of data, address translations, and page views each month.

"There's very exciting moments coming in the next year," de la Torre said. "A lot of interactions in a lot of new technologies."

New Wolfram Language Brings The Power Of Mathematica To Any Device

Wolfram Research's flagship program Mathematica has run on full-power desktops at science and engineering labs for 25 years. Now it's possible to run Mathematica for free on a Raspberry Pi, the credit-card-sized PC that retails for as little as $25--a sort of pilot for a new Wolfram programming language that will be able to run on cheap devices or in the cloud.

"I think in its class--symbolic computation program--I think it's the best thing that's available," Raspberry Pi cofounder Eben Upton says of Mathematica. "It felt like the right one for the platform."

The Raspberry Pi launch is part of Wolfram Research's efforts to make its new Wolfram Language--a programming language that expands on Mathematica's existing command line interface--available across a wide range of devices, from low-powered embedded computers to cloud-based servers to parallel computing clusters.

The Pi is the first device to support the new language, which aims to provide a uniform, cross-platform interface to Mathematica's core equation-solving and number-crunching functionality and to Wolfram Alpha. Wolfram Alpha is Wolfram Research's online "computational knowledge engine," sort of a cross between a high-powered graphing calculator and an almanac of facts about the world, from physical constants to baseball scores, all of which will be accessible via Wolfram Language. Wolfram Research founder Stephen Wolfram wrote in a blog post about the launch:

We've got a language that's not mostly concerned with the details of computers, but is instead about being able to understand and create things on the basis of huge amounts of built-in computational ability and knowledge.

Mathematica and Wolfram Language for the Pi were launched Thursday at the Computer-Based Math Education Summit at UNICEF's New York headquarters. The summit was organized by computerbasedmath.org, an organization founded by Wolfram Research executive Conrad Wolfram, the brother of Stephen Wolfram, to encourage the use of computers to teach math. With computers to help with calculations, teachers can be more focused on problem solving and less on mechanically applying formulas, the organization says.

"These are people who are really committed to this idea of trying to reform math education," Upton says.

With the Wolfram tools available on the Pi, Upton said it will be possible to give an entire class the tools needed to practice computer-based math for less than $1,000. The Pi was created as a simple and inexpensive device to teach computer science and engineering and has become a favorite of the maker community, running everything from automated dog feeders to full-fledged web servers.

The full graphical interface to Mathematica, with support for plotting equations and visualizing images and audio, can be "a trifle sluggish by modern standards" on the Pi, but the command-line interface to Wolfram Language is "quite zippy," Stephen Wolfram wrote in his blog post. Some Mathematica features, like predictive input, are disabled by default in the interests of speed, he wrote.

"But it's still spectacular: the first time Mathematica has been able to run at all on anything like a $25 computer," he wrote.

Wolfram Research is also working on a "course authoring platform" that will let instructors run cloud-based online courses where students can run demonstrations and do homework using Wolfram Language, according to an earlier blog post from Stephen Wolfram.

During the announcement, Conrad Wolfram demonstrated a Raspberry Pi-powered robot programmed in Wolfram Language to search for and move toward blue objects, using the Pi's camera and the language's information-processing routines. The language features a standardized, cross-platform interface to access connected devices, including the Pi's camera and other peripherals, Stephen Wolfram wrote.

Beyond that, it provides a library of more than 5,000 built-in functions, many of them quite high-level, ranging from matrix operations and calculus to face recognition, HTML parsing, and even tweeting, as Stephen Wolfram demonstrated on his own Twitter account.

Since the built-in functions operate at such a high level, the demonstration robot's program consisted of only about 10 lines of code, Upton said.

"It's very tight, and very comprehensive," Upton says of the language, which also provides typical programming features like constructs for imperative and functional programming and an interactive debugger.

Other functions pull information directly from Wolfram Alpha's databases. That information could be anything from hurricane statistics to the molecular structure of common chemicals to facts about cat and dog breeds. (The Abyssinian cat is "loyal" but "agenda-driven," and it typically weighs between 7.4 and 16 pounds, for instance.)

And, the language will soon contain built-in support for executing Wolfram Language code in the Wolfram cloud, and similar functions will allow executing programs in a private cloud or deploying them to a desktop computer or embedded device, according to Stephen Wolfram's blog.

Wolfram also plans to build a cloud-based publishing platform for documents containing embedded interactive components written in Wolfram Language. A planned data science platform would be able to automatically pull in information from other sources, run computations, and publish reports to the document platform, according to the blog.

Having a unified language across platforms should make Mathematica more versatile as well, Stephen Wolfram wrote.

"There'll be Mathematica Online, in which a whole Mathematica session runs on the cloud through a web browser," he wrote. "And on the desktop, there'll be seamless integration with the Wolfram Cloud, letting one have things like persistent symbolic storage, and instant large-scale parallelism."

And Wolfram Research intends to contribute tutorials to Raspberry Pi's official blog, Upton said, demonstrating what can be done with the new tools. The Raspberry Pi Foundation plans to focus on building tools for teaching computing in 2014 and expand further into other areas that can be taught with the devices, including computer-based math, in the following year, he said.

"I think it's inevitable that that would be a Mathematica-based and Wolfram Language-based thing," Wolfram says. "The intention is to keep Mathematica on the Pi. This isn't a one-shot deal."

For Clothing Designers, Virtual Models Are Faster Than Flesh

Traditionally, fashion designers have had to rely on flesh-and-blood models to understand what their clothes look like on the human body, and shoppers have been wary of ordering clothes online without the chance to try them on.

But earlier this month, New York startup Body Labs announced BodyHub--a cloud-based platform that converts 3-D body scans of real-life models and consumers into virtual avatars that can be posed, animated, and dressed in simulated outfits.

Body Labs licenses technology from Brown University and Germany's Max Planck Institute and relies on data gleaned from thousands of body imaging sessions to turn laser scans from raw images into realistic digital models that behave like human bodies.

"You really don't want a scan," Body Labs CEO William O'Farrell said in an interview. "You want to be able to take it and make it into a body--you want to be able to animate and pose it."

The company's marketing its product first to apparel designers to use with fashion-oriented computer-aided design software.

"You can have all these fit models and have them in your computer rather than having them in to be draped and sampled and posed," O'Farrell said. Virtual models can be loaded into fashion CAD software, such as Browzwear and CLO3D, that already knows how to dress them and handle the physics of the clothing itself, he said.

"The texture stuff for us is actually quite straightforward," he said. "The hard part is getting the model."

Pose the avatar and the clothing will realistically bend; change its shape--height, weight, or inseam length, for instance--and the clothing's dimensions will adjust too.

"As you change a body's shape, we're automatically regenerating a pattern," O'Farrell said.

Once consumer-grade body scanning hardware similar to Microsoft's Kinect gets more accurate and less expensive, he predicts everyday users will be able to use images of their own bodies to order everything from bespoke suits to custom bicycles and skateboard gear. They could even create realistic video game avatars based on their own bodies, he said.

"We really believe in this notion of mass customization," O'Farrell said.

Body Labs would host adjustable models of customers' bodies and provide APIs for third parties, like clothing stores and online games, to access the data with permission, he said.

"We'll curate your body model for you, whatever you want to do with it," he said.

The software, which for scalability's sake runs in the Amazon Web Services cloud, works by matching points across body scans to create a realistic model of how humans are shaped, said Eric Rachlin, Body Labs' vice president of product design.

"To really do anything with scan data, you have to have some sort of correspondence between it," Rachlin said. "If point 587 is in the middle of my shoulder, then on your scan, point 587 is in the middle of your shoulder."

That process of matching points across scans is called registration. In Body Labs' system, based on published research by company founder and Max Planck Institute researcher Michael Black, points in new scans can be matched to the system's existing understanding of the human body and also used to improve its accuracy, Rachlin said. With that technique, called coregistration, an initial basic model can be bootstrapped into one that's more sophisticated, he said.

"We have this giant statistical model which we're pretty sure is the world's most accurate of 3-D body shapes and how it changes with pose," O'Farrell said. An individual model's shape can be changed, too--an interactive demo lets users tweak parameters like height, weight, and inseam length and watch the effect on a virtual model.

Using body-to-body comparisons could one day make for better online clothing recommendations than those that exist today, which tend to rely on user-submitted measurements, reports about customers' well-fitting existing wardrobe items or guidance from personal shoppers, O'Farrell said.

"We actually believe that we have a much better solution in terms of apparel," he said, matching customers to clothing that's known to fit bodies similar to theirs.

Body Labs' technology could also predict how users' bodies would change under different scenarios, ranging from pregnancy to a new gym routine, Rachlin said.

"When the last guy did the workout regimen, this is what happened, so this is what we think will happen to you," gyms might one day be able to tell customers, he said.

This Smart Sleep Mask Helps You Rest Better in Less Time

Studies say up to a quarter of Americans don't get enough sleep, and there's no shortage of articles about how to function better with power naps and elaborate "polyphasic" sleep-and-wake cycles.

But without actually spending the night in a sleep lab, it's hard to actually measure how much and how well you're sleeping. Warsaw-based startup Intelclinic wants to change that with a smart sleep mask called the NeuroOn that will monitor eye movements and brain waves to track when users fall asleep, how much sleep they get, and how frequently they wake during the night.

Intelclinic has raised more than $200,000 so far through an ongoing Kickstarter effort to fund production and further development of the NeuroOn masks, and the company aims to start getting masks to Kickstarter backers in spring 2014, said founder and CEO Kamil Adamczyk.

Users will be able to monitor their sleep schedules through an iPhone or Android app. The masks will automatically upload sleep data to smartphones through low-power Bluetooth connections when users take them off. And the NeuroOn masks can automatically wake users at a light-sleeping point in their sleep cycles so they don't get up groggy, Adamczyk said.

"Our mask monitors your sleep and also wakes you up very gently," he said. "You'll feel rested, and you're not anxious and so on."

The NeuroOn can help users looking to get more hours out of the day by maintaining a polyphasic sleep schedule--that is, by sleeping less during the night and supplementing with additional, shorter sleep phases (read: naps) throughout the day.

Adamczyk said he's using a beta version of the mask to help him maintain an "Everyman" sleep schedule, with about three hours of solid sleep during the night and a few naps during the day.

"I started to sleep polyphasically a year ago," he said. "At the beginning, I started without the mask, but right now I'm the first beta tester and I'm using it constantly."

Polyphasic sleep is controversial in sleep science circles, Adamczyk acknowledged, saying getting seven to nine hours of sleep per night is still believed to be the healthiest way to rest. But even for people getting a full night's sleep, the mask can still be helpful, tracking how long it takes to nod off and helping to wake users when they'll feel most refreshed, he said.

"We can detect at which phase of sleep you are at the moment; we can wake you up 10 minutes before your alarm clock but at a very light stage of sleep," he said.

The company's also working on code to generate individualized travel sleep plans to minimize jet lag, he said.

"The point is to plan your sleep before and after the trip to minimize the jet lag effect for you," he said. "So it depends on the start and end point of your trip--we are creating time zone maps and preparing a sleep plan for you to minimize jet lag."

The mask works by using electronic sensors similar to those found in an electrocardiogram to measure eye muscle and brain activity, he said. In current prototypes, each mask has three sensors, and Intelclinic is planning to upgrade to seven for greater precision, he said.

"Our brain generates electrical activity and we can measure that electrical activity by those electrodes," he said. "It's the same story with your heart rate; we're using the same technology to measure."

But the devices are designed to be comfortable enough to wear to bed.

"On the inside, we make the NeuroOn from soft, comfortable materials, with the ability to adjust to your face, thanks to the use of viscoelastic foams--the latest version of memory foam," the company wrote on its Kickstarter page.

Those sensors should let the masks work better than smartphone sleep-monitoring apps, which typically only measure movement using the phone's accelerometer, Adamczyk said. Those apps measure sleep phases less precisely and can also be thrown off by other movements, especially if users share their beds with partners or pets, he said.

"If you're sleeping with another person in the bed, there is no option to measure your sleep process," he said. "We decided to create a device which would be much more precise than those kinds of devices."

The masks might also be able to help trigger lucid dreaming--a phenomenon where dreamers are aware that they're dreaming and can even take control of their dream selves. In theory, the masks will be able to detect when a user starts dreaming and shine an LED light bright enough to be visible and incorporated into the dream but not bright enough to actually wake the user up, Adamczyk said. But, he acknowledged, the very existence of lucid dreaming is, like polyphasic sleep, controversial among sleep researchers.

In the future, Adamczyk said later versions of the masks might be helpful to astronauts, who need to maintain steady sleep cycles in the absence of normal night-and-day signals. And, he hopes, in a few years, the masks--which he emphasized are not now intended to be medical devices--may be able to meet regulatory standards to be used to detect sleep disorders like sleep apnea.

"It's a long story, and I think it will take another few years to get this approval," he said.

How Uber Conquered The World In 2013

Since its launch in mid-2010, transportation-on-demand startup Uber has grown from its San Francisco roots to more than 60 cities across six continents. And according to widely circulated internal documents published by Valleywag in early December, the company is on track to beat investor expectations and bring in more than $200 million in revenue by the end of 2013.

But as popular as the service has been with investors, Uber has tangled more or less continuously with existing transportation businesses and regulators who've sought to shut the service down. In response, Uber's waged an aggressive public relations campaign to defend its business and pricing models.

The company, founded by serial tech entrepreneurs Travis Kalanick and Garrett Camp, launched its service in May 2010 under the name UberCab, offering San Francisco customers a digital cross between a taxi company and a car service. Users could summon a car through an iPhone app, Uber's website, or by text message. Then as now, the cars and drivers come from traditional car services, but Uber's system uses GPS systems to locate and dispatch a nearby vehicle and let customers track the car's approach through the app.

"Once you make a request to an UberDriver you can watch his exact moves to your arrival," the company explained on a frequently-asked-questions page posted at the time. "This means that you can count on his arrival and be confident to make your flight or meeting on time."

At the end of the ride, Uber's systems seamlessly bill the passenger's credit card based on the time and distance traveled, charging rates then advertised as being about 1.5 times the cost of an equivalent taxi ride.

From the launch, Uber made clear its plans to disrupt the taxi industry in San Francisco, where residents have often complained that the low number of taxi medallions has led to long waits and poor service.

"Garrett's big idea was cracking the horrible taxi problem in San Francisco--getting stranded on the streets of San Francisco is familiar territory for any San Franciscan," Kalanick wrote on the company blog in December 2010. The FAQ page, too, distinguished the service from other taxi-summoning apps, since it bypassed the medallion cab system altogether.

"Other apps are build [sic] upon a broken taxi system. Their customer experience regardless of how great the app is will be terrible," the page explained. "Our network of limo drivers and car services are clean and professional, providing an on-demand and elite experience."

The service quickly got rave reviews from tech luminaries like TechCrunch's Michael Arrington, who compared the service to other disruptive startups like payment processor Square and vacation rental marketplace Airbnb.

But, just as Airbnb has incurred the wrath of regulators who say it illegally circumvents hotel safety regulations and restrictions on short-term apartment rentals, Uber quickly drew the ire of the San Francisco Metropolitan Transportation Agency and the California Public Utilities Commission. The agencies alleged the company was illegally operating without either a taxi or car service license and warned of the possibility of thousands of dollars in fines and even potential jail time for Uber officials.

Uber said at the time it believed it was in compliance with the law and intended to continue operating in San Francisco. And, "to avoid confusion," the company removed "cab" from its name after the Public Utilities Commission cited a rule barring car services from advertising their businesses as taxi companies.

"We will continue full speed ahead with the mission of making San Francisco city a great place to live and travel," the company wrote on its blog.

As Uber expanded into more markets, it faced more challenges from local transportation regulators. In Washington, the D.C. Taxicab Commission fined an Uber driver and even impounded his Lincoln Town Car in January 2012, saying that under Uber's pricing plan, car services were illegally charging by the mile, a privilege reserved for taxis.

Struggling Its Way Across The Country, Uber Wins Victories

Later that year, local and state officials in Cambridge, Mass., ticketed an Uber driver for operating without a proper license and for using Uber's GPS-based meter, which hadn't been approved by the state's weights-and-measures regulators. And in Vancouver, authorities required Uber to adhere to limousine-service regulations setting a minimum price of $75 per ride--a rule Kalanick told local media other car services ignored.

In each case, Uber and its executives responded aggressively, speaking to the media and using social media to mobilize customers to contact regulators and express their support for the company.

"Cambridge, MA home to Harvard, MIT and some of the most anti-competitive, corrupt transportation laws in the country," Kalanick tweeted after the incident in that city.

There and in D.C., the company vowed to keep operating and encouraged customers to tweet and to contact officials with their thoughts. Similarly, in Vancouver, Uber posted contact information for city and provincial officials, urging customers to tell them to "abolish taxi protectionism."

In many cases, these efforts seem to have worked: Soon after Uber mobilized its Boston-area base, Massachusetts Gov. Deval Patrick's official Twitter account announced a change in tune, with regulators determining the GPS-based meters could be legally used, since they were under evaluation by the National Institute of Standards and Technology. In D.C., the city council amended its regulations to legalize the service after hearing from constituents.

Also in 2012, Uber introduced a lower-priced service dubbed UberX, using hybrid cars rather than luxury sedans to better compete with traditional taxis, along with SUVs, which cost more but could fit more passengers and luggage. In Chicago, the company that once boasted an experience superior to the common cab added ordinary taxis to its lineup.

"Everyone thinks that Uber is the anti-TAXI, in a battle against an old system, fighting for innovation, competition and free enterprise," Uber said in a blog post. "Though that makes for exciting and controversial headlines, it's just not what drives us."

After some initial regulatory hiccups, Uber is also participating in a New York "e-hail" pilot, letting users summon the city's iconic yellow cabs through its app.

At the same time, Uber has faced new competition from "ridesharing" services like Lyft and Sidecar that let ordinary people pick up fares in their personal cars, with rides arranged through smartphone apps. In some cities, Uber has added a ridesharing component to UberX.

In California--where Uber has resolved its disputes with state officials and new regulations legalize and regulate carsharing services--Uber has reportedly offered Lyft drivers incentives to switch to driving for UberX and even ran ads mocking the distinctive pink mustache logo Lyft drivers use to mark their cars. Elsewhere, Uber has worked to get customers used to its ridesharing feature by giving them free rides, even as all of the ridesharing companies gear up for new regulatory battles over the service.

Even as Uber has added lower-priced services, it has faced persistent criticism that it is an inherently elitist service, one of a breed of San Francisco startups catering primarily to the type of affluent young men who work for San Francisco startups. As a Digital Trends story pointed out, a promotion offering Uber helicopter trips to the Hamptons may not have helped the company's image.

Uber has also come under fire for its "surge pricing" system, in which fares go up when there aren't enough cars available to meet demand, such as on holidays like New Year's Eve or, sometimes, during bad weather. Uber argues that raising rates brings more drivers onto the street, since they're seeking a bigger payout.

"We don't just charge to make a buck though, we take a small fee of the transaction, but the vast majority goes to the driver so that we can maximize the number of drivers on the road," Kalanick wrote in a letter to an aggrieved customer he posted on his Facebook page. "The point is in order to provide you with a reliable ride, prices need to go up."

Critics say it may run afoul of state price-gouging laws and consumers' ideas of fairness. After Hurricane Sandy struck the East Coast in 2012, Uber faced widespread criticism for instituting surge pricing and, for a time, paid drivers the surge rate while charging customers the normal cost. Uber reverted to its usual surge policies a few days after the storm hit, saying picking up the difference in fares cost it more than $100,000 per day.

Still, the company has managed to win more positive attention with creative promotions, like letting app users occasionally summon ice cream trucks, holiday toy drive pickup vans, and even, for "National Cat Day," cuddly kittens.

Earlier this month, Uber announced expansions into Abu Dhabi, New Delhi, and Hyderabad, along with a petition drive to loosen car service restrictions so the service can fully operate in Nashville.

"With this change, Nashville will join the world's leading cities that offer innovative and stylish transportation choices," according to Uber's blog.

The Bitcoin Startup Boom May Mean More Bitcoin ATMs

A company called Robocoin plans to expand its Bitcoin ATMs into the Asian market, allowing people to withdraw the booming virtual currency as cash in Hong Kong and potentially Taiwan.

Robocoin, which already has a Bitcoin ATM deployed in Vancouver, says the machines make it easy for customers to buy and sell the cryptographic currency without dealing with the cumbersome online identity verification requirements of many online exchanges. The Hong Kong ATM could be online by the end of January, according to the South China Morning Post.

After TechCrunch reported earlier this week that the Las Vegas company's ATMs might also be headed to Taiwan, financial regulators there said the machines wouldn't be allowed, since Bitcoin isn't recognized as a currency, according to Focus Taiwan, a local news organization.

Robocoin's ATMs take images of users' fingerprints, faces and government-issued IDs to screen out known terrorists and others on regulatory block lists and make sure users stay below anti-money-laundering regulatory limits. The Internet-enabled machines can automatically buy and sell the currency on exchanges such as Mt. Gox and either send funds to an existing Bitcoin address or generate a new virtual wallet, printing the necessary credentials on an ATM receipt.

The company said in a blog post it's processed millions of dollars in transactions through its Vancouver ATM, which lets customers of Waves Coffee Shop exchange Bitcoin and Canadian dollars.

"Over one half of the buy-transactions generated new wallets, suggesting that Robocoin continues to attract first time Bitcoin users," the company announced in November.

Robocoin sells the $20,000 ATMs to entrepreneurs who get a percentage of each transaction and, according to a recent report on Chicago news site DNAInfo, plans to have machines installed in that city and on the East Coast early this year.

Robocoin ATM owners in the U.S. need to register with the Treasury Department as money services businesses and obtain the necessary state licenses, the company has said.

The cryptographic currency's value is again on the rise after prices plummeted last month, when regulators in mainland China forced the exchange BTC China to stop accepting Chinese yuan in exchange for Bitcoin.

Despite a turbulent year for Bitcoin's valuation, the cryptographic currency has proven a rich market for entrepreneurs, with API tracking site ProgrammableWeb reporting Bitcoin APIs among its hottest categories for 2013. The site lists 95 Bitcoin-related developer interfaces for developers, from Beatcoin, a toolkit for building Bitcoin-enabled jukeboxes, to Coinabul, which facilitates Bitcoin exchanges for gold.

Some services take advantage of the currency's mathematical properties for their own purposes. One, called Proof of Existence, lets users mathematically prove a document existed as of a particular date by embedding its cryptographic fingerprint in the shared Bitcoin transaction record--a 21st century answer to mailing yourself a sealed copy of a time-sensitive document such as proof of an invention.
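The anchoring and checking steps described above, as an added example that is not Proof of Existence's own code: the document's SHA-256 digest is placed in an OP_RETURN output script, and a verifier later recomputes the digest and compares it to the anchored one. The transaction id and block time are constructed placeholders; building and broadcasting the real transaction is outside the example.

```python
"""Proof-of-Existence style anchoring and verification (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

OP_RETURN = 0x6A  # Bitcoin script opcode marking a provably unspendable data output


@dataclass(frozen=True)
class AnchorRecord:
    """What a verifier needs: where the commitment lives and when it confirmed.
    txid and block_time here are constructed placeholders, not real chain data."""
    txid: str
    block_time: int        # UNIX time of the block that confirmed the transaction
    script_pubkey: bytes   # the OP_RETURN output script carrying the digest


def fingerprint(document: bytes) -> bytes:
    """SHA-256 of the document. Only this 32-byte digest is published, so the
    anchor reveals nothing about the document's contents."""
    return hashlib.sha256(document).digest()


def op_return_script(payload: bytes) -> bytes:
    """Encode OP_RETURN <payload>. Payloads of 1..75 bytes use a direct push
    opcode whose value is the payload length."""
    if not 1 <= len(payload) <= 75:
        raise ValueError("payload must be 1..75 bytes")
    return bytes([OP_RETURN, len(payload)]) + payload


def extract_digest(script: bytes) -> Optional[bytes]:
    """Return the payload if the script is exactly OP_RETURN <32 bytes>, else None."""
    if len(script) != 34 or script[0] != OP_RETURN or script[1] != 32:
        return None
    return script[2:]


def anchor(document: bytes, block_time: int, txid: str = "PLACEHOLDER_TXID") -> AnchorRecord:
    """Produce the record a service would hand back once the transaction confirms."""
    return AnchorRecord(txid, block_time, op_return_script(fingerprint(document)))


def verify(document: bytes, record: AnchorRecord) -> bool:
    """True iff the document's digest equals the anchored digest byte for byte,
    which shows these exact bytes existed no later than record.block_time.
    It proves existence and integrity, not who authored the document."""
    anchored = extract_digest(record.script_pubkey)
    return anchored is not None and hmac.compare_digest(fingerprint(document), anchored)


if __name__ == "__main__":
    doc = b"Constructed invention disclosure, 2014-01-08"   # sample input, constructed
    rec = anchor(doc, block_time=1389139200)                 # constructed block time
    print("original verifies:", verify(doc, rec))            # True
    print("edited verifies:  ", verify(doc + b"\n", rec))    # False: one byte changed
```

Any change to the document, even trailing whitespace, produces a different digest, so the bytes to be anchored should be fixed (for example, a specific PDF file) before the fingerprint is taken.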

And Robocoin isn't alone in building Bitcoin ATMs--New Hampshire company Lamassu Bitcoin Ventures said last month it has received more than 100 orders from 25 different countries for its machines that convert cash into Bitcoin, and has shipped more than a dozen. Lamassu has highlighted the relative simplicity of its machine, though Robocoin has poked fun at makers of machines like Lamassu's that only accept cash, don't dispense it, and aren't intended to be left unattended.

"Seriously, how bush league is an 'ATM' if it can't do the equivalent of deposits and withdrawals or be left unattended?" Robocoin CEO Jordan Kelley was quoted as saying on the company's blog.

Sony's PS4 Is Outselling Xbox By This Much

Sony says it sold more than 4.2 million PlayStation 4 consoles in 2013, handily surpassing the "more than 3 million" Xbox One units Microsoft said it sold last year.

Sony Computer Entertainment CEO Andrew House announced the sales numbers Tuesday during his keynote address at CES, a day after Microsoft revealed the Xbox results. The PS4 launched on Nov. 15, giving it a week's head start on the new Xbox, which first reached consumers on Nov. 22. Sony's console is also easier on the wallet: It carries a $399 sticker price, while the Xbox One retails for $499.

Consumers also bought more than 9.7 million games for the PS4, including the latest installments in the Call of Duty and Assassin's Creed series, Sony says.

The system will soon offer streaming games through the new PlayStation Now service, which is slated to launch this summer, Sony announced at CES. Cloud-based versions of PlayStation 3 games will be available to stream on PS4 and PS3 systems as well as on Sony's portable PlayStation Vita and new models of the company's Bravia TV line.

The PS4 is now available in 53 countries, compared to just 13 for the Xbox. Microsoft has said the Xbox will become available in additional countries throughout 2014 and said the system was, for a time in November, the fastest-selling console in the U.S.

"Since our launch, demand for Xbox One has been strong, selling out throughout the holidays at most retailers worldwide," wrote Microsoft executive Yusuf Mehdi on the Xbox blog. "We are continuing to work hard to deliver additional consoles to retailers as fast as possible."

Nintendo, the third player in the console race, said in an October financial statement that it had then sold 3.89 million Wii U consoles. The Wii U launched in November 2012 and retails for $299, offering less powerful hardware at a lower price than competing systems from Sony and Microsoft.

While that formula worked well for the original Wii, which ultimately sold more than 100 million units worldwide, it's proven less successful for the Wii U, which faces new competition from games on other low-powered devices like smartphones and tablets.


GitHub's New Analytics Show How Popular Your Code Is

Have you ever wondered how many people are looking at your GitHub code repositories? Thanks to the service's new analytics feature, the guessing game is over.

GitHub's analytics feature, which launched on Tuesday, allows its users to view detailed, Google Analytics-style traffic graphs, referrer statistics, and unique visitor and page view counts, broken down by source code file. Members can see analytics for any repository they own or to which they have the rights to push code.

"Looking at these numbers for our own repositories has been fun, sometimes surprising, and always interesting," GitHub's Justin Palmer wrote on the company blog. "We hope you enjoy it as much as we have!"

GitHub, which provides hosting to more than 10 million code repositories including many of the web's most popular open source projects, already offers graphs and API access to statistics about contributions made to code repositories.

In the past year, the service has also added support for visualizing data files stored within hosted repositories without having to leave the web browser. GitHub added tools for viewing comma-separated value files as spreadsheets, automatically rendering geographical information from GeoJSON files as interactive maps, and even turning CAD data into rotating 3-D models.

The company also announced Tuesday that it's made its GitHub Pages web hosting platform faster and more secure by delivering pages through a global network of servers, with built-in defenses against denial of service attacks.

"Now, when someone visits a Pages site, rather than GitHub serving the content directly, the page is served by a global Content Delivery Network, ensuring that the nearest physical server can serve up a cached page at blazingly fast speeds," wrote GitHub's Aziz Shamim in a blog post.

This New App Wants To Be Snapchat For Grown-up Professionals

A new iPhone app called Confide aims to be a Snapchat for professionals, providing encrypted, disappearing messages for off-the-record communication.

The app doesn't allow for scandalous selfies--messages are strictly text only. And to prevent screenshots, messages are revealed only a few words at a time as the user swipes a virtual wand across the text. Once the whole text has been seen, the message evaporates. The app was introduced Wednesday by a team led by Yext CEO Howard Lerman and former AOL executive Jon Brod.

On the Confide blog, Brod wrote that the idea for the app came after Lerman emailed him to do a reference check on a former colleague of Brod's. He preferred not to do it in writing, so that meant getting in touch by telephone.

"The phone tag went on for six days," Brod wrote. "When we finally connected, we marveled at the inefficiency of the situation, and the ultimate magnitude of it."

Confide should allow users the candidness of a phone call or coffee meeting with the convenience of email, its founders say. End-to-end encryption means that only the recipient, and not Confide's technicians, should be able to decrypt the messages.

The company suggests the app will be useful for job referrals and other HR discussions, confidential deal negotiations and what Confide refers to, perhaps optimistically, as "good-natured office gossip."

Others, including the British tabloid The Daily Mail, have suggested the app might become popular with cheating spouses looking to send messages that can't be found by their partners and perhaps seeking the plausible deniability installing a business-oriented app brings over being caught with existing tools such as Snapchat.

Whatever the content may be, revealing the message a few words at a time and displaying a Snapchat-style warning against screenshots should make it difficult for anyone to surreptitiously keep a copy without, say, shooting video from another device.

"Yesterday, the world had permanence," Brod wrote in the blog post. "Today, with Confide, professionals have an off-the-record option."

How To Guard Against New DDoS Attacks That Hit EA Sports

Network time protocol servers tell other computers what time it is and help keep the Internet in sync. But if your NTP server isn't properly secured, it can be hijacked into joining distributed denial of service attacks and knocking other machines offline.

Earlier this month, major video gaming servers including Steam, Battle.net, and EA.com were struck by distributed denial of service attacks. Reportedly, the attackers used a vulnerability in unpatched NTP software to blast these machines with an overwhelming volume of irrelevant data from time servers across the Internet. That type of attack has seen a "significant spike" since December, according to security firm Symantec.

Ordinarily, the NTP client software that ships with most major operating systems simply connects to NTP servers to ask for the current time. But older servers also allow clients to request a log of the server's 600 most recent time interactions, CDN provider CloudFlare's John Graham-Cumming explained in a blog post.

The request is just a few characters long, but the log can be multiple megabytes, so instead of just hitting a victim computer with data from their own computers or bots they control, attackers forge the victim's IP address on log requests to NTP servers across the Internet. Security researchers call that an amplification attack, since the small amount of bandwidth used by the attackers to send the short requests is amplified by the servers dutifully sending the complete logs to the unsuspecting victim.

To avoid being exploited in such an attack, NTP server owners running the Network Time Foundation's standard NTP implementation need to upgrade to at least NTP version 4.2.7p26, which disables the log request command, called monlist, wrote Graham-Cumming.

"Neither of these changes are recent," he wrote. "Ntpd v4.2.7p26 was released on March 24, 2010, so upgrading doesn't require using bleeding edge code."

Allowing anyone access to the NTP connection logs is risky in its own right, since it leaks information about connections from nonpublic computers that use the server, according to the author of a plugin that lets the security tool nmap detect this vulnerability.
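The pattern described above, seen from the victim's side of the network: an added example (not from CloudFlare's post or the NTP project) that reads constructed flow records and flags hosts receiving oversized datagrams from port 123 on several time servers at once. Thresholds and record format are assumptions for the example.

```python
"""Victim-side detector for NTP amplification traffic (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

NTP_PORT = 123
# A normal time exchange (mode 3 request, mode 4 reply) is a 48-byte datagram,
# 68 with a MAC appended. A monlist reply runs to hundreds of bytes per datagram
# and many datagrams per request, so a large average datagram size arriving from
# port 123 is the tell.
MAX_NORMAL_NTP_BYTES = 68


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


# Constructed flow records, not captured data: src sport dst dport proto bytes packets.
# The first pair is an ordinary time query and its reply; the next three are large
# bursts from three different time servers to one host that never asked them.
SAMPLE_FLOWS = """\
192.0.2.10 51234 203.0.113.5 123 udp 48 1
203.0.113.5 123 192.0.2.10 51234 udp 48 1
203.0.113.5 123 198.51.100.7 80 udp 44000 100
203.0.113.6 123 198.51.100.7 80 udp 44000 100
203.0.113.7 123 198.51.100.7 80 udp 43560 99
198.51.100.20 40000 203.0.113.9 53 udp 60 1
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated record format assumed above."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes, pkts = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), proto, int(nbytes), int(pkts)))
    return flows


def find_amplification_victims(flows: List[Flow], min_servers: int = 2,
                               min_avg_bytes: int = MAX_NORMAL_NTP_BYTES) -> Dict[str, dict]:
    """Group UDP traffic sourced from port 123 by destination and flag destinations
    hit by several distinct servers with datagrams larger than any honest NTP reply."""
    stats = defaultdict(lambda: {"servers": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto == "udp" and f.sport == NTP_PORT:
            s = stats[f.dst]
            s["servers"].add(f.src)
            s["bytes"] += f.bytes
            s["packets"] += f.packets
    victims = {}
    for dst, s in stats.items():
        avg = s["bytes"] / s["packets"]
        if len(s["servers"]) >= min_servers and avg > min_avg_bytes:
            victims[dst] = {"servers": len(s["servers"]), "bytes": s["bytes"],
                            "avg_bytes_per_packet": round(avg, 1)}
    return victims


if __name__ == "__main__":
    for dst, v in find_amplification_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{dst}: {v['servers']} NTP servers, {v['bytes']} bytes, "
              f"avg {v['avg_bytes_per_packet']} B/datagram")
```

On the server side the fix is the one the article gives: upgrade ntpd, and, per the Team Cymru guide it points to, add `disable monitor` and a `restrict default ... noquery` line to ntp.conf so the monlist query is refused.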

In his blog post, Graham-Cumming advised NTP server owners to read security research group Team Cymru's guide to securing time servers.

This Hacker Turned A Raspberry Pi Into Tablet Computer

Not satisfied with the tablets available on the market? Don't rule out building your own.

Michael Castor, an evangelist for Make magazine's online store Maker Shed, did just that, putting together a Raspberry Pi-based tablet he dubbed the PiPad, complete with a handsome wooden frame that looks professional enough to take through the airport without a second look from the TSA.

"I wanted an all-in-one system that was usable, portable, and Linux based," Castor wrote in a post for Make. "Additionally, it had to look good. Since I wanted to use it on flights, the device couldn't freak out the TSA or the old lady sitting next to me."

Starting with the $40 credit-card-size Raspberry Pi Model B, Castor started putting together parts early last year, finding a Pi-compatible, 10-inch touchscreen from the Malaysian vendor Chalk Electronics. Other parts, which he helpfully listed on his blog, included a Wi-Fi adaptor, a USB hub, and heat sinks for the Pi. A 10,000 milliamp-hour battery keeps the tablet running for about six hours on a charge, and the initial prototype cost about the same as an iPad Mini.

He designed the birch wood case with the Vectric Aspire CAD package, carving it with a CNC router and adding holes for the SD memory card and USB connection. There wasn't room for the Pi's ethernet port, but the rest of the components fit into the case, held in place with a mix of hot glue, foam tape and double-sided tape.

"The display was affixed 'Apple-style' using some crazy strong permanent tape around the inside edge," Castor wrote. "I clamped the battery and screen down and allowed the tape to cure over night to ensure a good bond."

Castor wrote that he hasn't had any issue taking the PiPad on flights--the only attention he got was a compliment from a flight attendant on his choice in movies--and Raspberry Pi founder Eben Upton even autographed the tablet's carbon-fiber backing.

The PiPad isn't the first Pi-based tablet--a team from Oracle released plans and software for the $370 Java-powered DukePad last fall--but it may be the fanciest-looking.

Plummeting Surveillance Costs Make Spying Cheap And Easy

Modern tools like GPS and cell-phone tracking make police surveillance dramatically easier and cheaper than ever before, two privacy experts say this month in the Yale Law Journal. In 2012, for instance, the FBI had about 3,000 GPS tracking devices deployed on suspects' cars across the U.S., they say--a level of vehicle surveillance they estimate wouldn't have been possible even with every FBI agent in the field tailing cars for 24 hours every day.

When new techniques make monitoring the public literally orders of magnitude cheaper, they argue, courts ought to see that as a sign that the new methods are violating traditional expectations of privacy and keep a close watch on how officers are using those tools.

The U.S. Supreme Court ruled in United States v. Jones in 2012 that police monitoring a GPS unit and transmitter they attached to a suspect's car without a proper warrant violated his Fourth Amendment rights. But the justices were divided on how to determine when a new law enforcement tool requires a warrant or other court scrutiny, argues the paper by Kevin Bankston, the policy director of the New America Foundation's Open Technology Institute, and independent privacy researcher Ashkan Soltani.

"Trying to make sense of the Jones concurrences and reduce them to a clear and administrable rule--or, alternatively, arguing that they make no sense and cannot be so reduced--has become something of a cottage industry amongst privacy law scholars," the authors wrote.

They argue that people's expectations of privacy are driven by a mix of legal restrictions and practical restrictions--like the fact that the FBI can't deploy all of its agents to follow suspects without sleep for days at a time. So, they say, when new technology makes surveillance cheaper by an order of magnitude--that is, when the dollar cost falls by a factor of 10--courts should recognize that an existing expectation of privacy is likely being breached.

"Drawing the line at an order of magnitude is admittedly somewhat arbitrary," they write, "but is also an indisputable benchmark and easily applicable test for whether or not a particular type of surveillance has become radically less expensive, which is ultimately the question on which we are suggesting courts focus."

Automated GPS logging with a hidden transmitter that sends a car's location to a central server costs about 36 cents per hour, while actually following a suspect's car costs hundreds of dollars in agent salaries per hour, the authors estimate, so the threshold would be met.

On the other hand, switching from a standard five-agent surveillance team to using a more primitive short-range transmitter that lets one pair of agents trail the car from up to a couple miles away only cuts costs by about 60%, so it wouldn't be treated as a fundamental change.

"Using order-of-magnitude difference as a rule of thumb is just one way of using cost as a metric, and we welcome other such proposals for assessing whether a radical technology-prompted rights-shift has occurred," the authors wrote.

How VCs Are Coping With The Startup Boom

Until recently, venture capitalists and early-stage investors had to rely on their intuition and hand-rolled spreadsheets to know which companies were worth funding. But with a glut of new companies to screen and track, investors told Fast Company they need new ways to keep track of the movers.

"One of the biggest challenges at the seed stage is that there's an ever-increasing number of new startups founded each year," says Noah Lichtenstein, a partner at seed investor Cowboy Ventures. Ready-to-run infrastructure like Amazon Web Services and backend-as-a-service tools like Parse are the cause, he says. These days, "early-stage investing is kind of like digging for needles in an increasingly growing haystack."

Sites like Mattermark and Dashboard track publicly available data about startups, from social media buzz to regulatory filings about new investments. AngelList works like a LinkedIn for tech companies, letting startups post their own profiles and letting people know when they're hiring or raising money. And Product Hunt provides a daily curated list of new web companies and apps, letting investors see them before they take off. And DataFox works like Bloomberg for small private tech companies.

"The amount of data and the amount of ways you can track things now are such orders of magnitude beyond what they were before," says Josh Elman, a partner at VC firm Greylock Partners. "But some of these things are really new approaches, like AngelList--you never had a directory of companies that are raising angel funding before."

And Product Hunt, which takes suggestions and comments from a limited set of in-the-know members, can help investors find startups before they blow up, he says. Elman cited the now-famous story of Lightspeed Venture Partners' Jeremy Liew, who was able to invest in Snapchat ahead of the curve after hearing about the app from a teenage early adopter.

"In the early days of a product, what's interesting to a few people who get really passionate about it is sort of what cascades into something that gets bigger later," Elman says. "By the time you track the data, it would be too late."

The tool can also draw attention to novel ideas arising from outside familiar Silicon Valley circles, says SV Angel's Abram Dawson in an email.

"A 22-year-old founder in Nebraska is going to have a much harder time connecting with a VC in the Valley since they don't have those relationships or connections," he wrote. "Now that same person can post his/her product on Product Hunt and let vetted community members critique it. It levels the playing field."

Product Hunt draws a mix of investors looking for opportunities, startup founders who want to stay abreast of the competition, and ordinary early adopters looking for apps to use, says its co-founder Ryan Hoover.

"The investors--particularly early stage investors--use it to source deals and just see what products are out there," he says. And they can turn to tools like Mattermark, Dashboard and the TechCrunch-affiliated startup directory CrunchBase to find more information about companies, he says.

Having a reliable set of company data can help investors distinguish startups working in the same general area, says Dashboard founder Paul Singh, who was formerly a partner at accelerator and seed funding firm 500 Startups.

"At the early stage, I kind of want to get a sense for what web traffic might look like for the competitors; I want to know where the competitors' founders are hanging out," he says. "I look at that via public Facebook checkins, event RSVPs, and things like that."

Many VCs are using Dashboard not only to find new opportunities but also to track and guide startups they've already invested in, he says. Since the tool pulls in social media data, they can see whether founders are actively promoting their companies--whether they're giving talks and speaking at meetups, RSVPing for industry events, and checking in at customer offices--and even whether they're checking in at a restaurant with VCs from another firm.

Public social media posts can also help founders and investors see what kind of innovations customers want, Singh says.

"Let's say you've got an idea about some sort of food startup," he says. "Twitter will be an interesting way to find out what people are complaining about within that entire market."

And seeing which companies are being tweeted about helps distinguish competitors in a crowded startup landscape, says Mattermark founder and CEO Danielle Morrill.

Mattermark collects data on companies' web traffic, app downloads, social media mentions, along with information on fundraising and hiring. When VCs hear of a potential investment opportunity, Mattermark will often already have historic information about how the company's been growing, she says.

Using Mattermark saves investors the trouble of building their own spreadsheets of company stats or coding their own in-house tools, she says. And storing historic data makes it difficult for companies to game their social media and web traffic rankings, says Morrill.

"If you gamed Mattermark, you'd probably actually be a successful company," she says. "The most valuable thing that you can do is have your business actually be successful as a business."

As useful as the tools are, they're no substitute for traditional techniques like face-to-face networking with startup founders and the rest of the tech community, emphasized Cowboy Ventures' Lichtenstein.

"These tools I think are great--I use CrunchBase and AngelList and LinkedIn every single day," he says. "These are tabs that I keep open on my browser, because somebody says, 'have you heard of such-and-such?' or 'our biggest competitor is such-and-such.'"

But equally important is talking to founders and investors about new ideas and potential customers about what they need, he says.

"I think human intelligence still is the most important component of early-stage investing," he says. "It's really using your network, talking to people and trying to constantly be listening and trying to understand, what are the problems out there that people are looking for solutions to."

How This Team Built Their Own Secure Version Of Google Chrome

The folks behind WhiteHat Security weren't satisfied with the security and privacy found in existing web browsers, so they decided to make their own--and quickly encountered a huge design challenge. The browser is always in incognito mode, which is "actually a very major design change," says Robert Hansen, WhiteHat's director of product management. "It's not as easy as it sounds, for all kinds of different reasons."

The team chose to build on top of open source project Chromium, the project that serves as the basis for Google Chrome, so its interface should be familiar to Chrome users. But it differs from Chrome by opening by default in protected mode, the equivalent of Chrome's incognito, so cookies, browser history, and other stored information are automatically purged when the browser's closed. That means sites users access will have less information about them on return visits and that others using the same computer won't have access to information unwittingly logged in browsing histories.

"We haven't seen a browser out there that's secure--and usable at the same time as being secure," says Hansen. "There's nothing stopping any one of the browser companies from doing what we're doing, except that it doesn't align with their business model," since other browser makers get their money from advertising, he says.

Aviator's Hardcore Approach to Privacy: How It Works

In addition to launching in private mode, Aviator includes an ad-blocking browser plugin called Disconnect, which is also available for ordinary Chrome, designed to filter out ads and tracking cookies. This should also make the browsing experience faster, Hansen says.

Aviator also sends the Do Not Track HTTP header that asks ad networks not to track user behavior from website to website, though it's far from universally followed.

The Aviator team prefers to focus on what it calls "Can Not Track," he said, making it technically impossible to track users from site to site.

"Instead of relying on the good graces of the advertisers, we built it in a way that ensures they cannot misbehave," he said. Referrer headers, which specify where users came from when they access a site by clicking a link, aren't sent across domains when users go from one website to another, making tracking users that much harder.

Aviator uses the search engine DuckDuckGo as its default, since the company has pledged to safeguard its users' privacy. The browser also blocks access to internal IP addresses, such as wireless routers and other computers on corporate LANs, in response to reports of attacks that trick web browsers into snooping around networks without their users' knowledge.

Plugins like Java and Flash are blocked by default. That means users have to click to play videos or interactive content but prevents "drive-by download" attacks that install spyware or viruses on computers through Java or Flash exploits.
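The three request-filtering rules described above (Do Not Track header, no cross-domain referrer, internal addresses blocked), plus click-to-play for plugin content, modelled as an added example; this is not Aviator's or Chromium's code. The decision function, the hostname-to-address table and the "last two labels" stand-in for a registrable domain are assumptions for the example.

```python
"""Model of the request-filtering rules the article attributes to Aviator (added example)."""
import ipaddress
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed name-to-address table so the example resolves offline; a real
# browser would use DNS. The "public" addresses are arbitrary stand-ins.
FAKE_DNS = {
    "news.example.com": "51.0.0.10",
    "ads.example.net": "51.0.0.20",
    "router.local": "192.168.1.1",
    "intranet.corp.example": "10.0.0.25",
}

# Plugin content types that stay blocked until the user clicks (assumed list).
CLICK_TO_PLAY_TYPES = {"application/x-shockwave-flash", "application/x-java-applet"}


def resolve(host: str):
    """Return an ip_address for a literal or a known name, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(FAKE_DNS[host]) if host in FAKE_DNS else None


def is_internal(addr) -> bool:
    """Private (RFC 1918), loopback and link-local ranges: the 'internal IP
    addresses, such as wireless routers and other computers on corporate LANs'."""
    return addr.is_private or addr.is_loopback or addr.is_link_local


def site_of(url: str) -> str:
    """Simplification: the last two host labels stand in for the registrable
    domain. A real implementation would consult the public suffix list."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def decide(current_url: Optional[str], target_url: str) -> Dict:
    """Decide whether the browser may fetch target_url from current_url and
    which privacy-relevant headers it sends."""
    host = urlsplit(target_url).hostname or ""
    addr = resolve(host)
    if addr is not None and is_internal(addr):
        return {"allow": False, "reason": "internal address blocked", "headers": {}}
    headers = {"DNT": "1"}                     # Do Not Track is always sent
    if current_url and site_of(current_url) == site_of(target_url):
        headers["Referer"] = current_url       # kept within a domain only
    return {"allow": True, "reason": "ok", "headers": headers}


def requires_click_to_play(content_type: str) -> bool:
    """Java and Flash content does not run until the user opts in."""
    return content_type.split(";")[0].strip().lower() in CLICK_TO_PLAY_TYPES


if __name__ == "__main__":
    page = "https://news.example.com/article"
    for target in ("https://news.example.com/next", "https://ads.example.net/pixel",
                   "http://router.local/admin", "http://[::1]/"):
        print(target, "->", decide(page, target))
```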

Some users might balk at the impact all these safeguards have on usability, Hansen acknowledges.

"Those users tend to choose usability over privacy and security," he says. "But there's a whole bunch of users that once they get used to it even a little bit, they're going to realize what the value is to them."

WhiteHat's business relies on its reputation for safeguarding security and privacy, so it has no incentive to compromise the safety of its browser, he argues.

"If we ever were to go anti-privacy or anti-security that would break up our business model," he says. "We would not be able to function."

A New Business Model For Browsers

WhiteHat intends to develop the browser as a tool to promote the company's security consulting services and ultimately as a customizable product for corporate customers, says Hansen. Initially created to keep WhiteHat's nontechnical employees safe from malware and tracking by advertisers, the Aviator browser is now available for any Mac user to download, and a Windows version is on its way.

"We basically want to have the first and only browser that we're aware of that has an actual support model attached to it," he says.

In the meantime, the Mac version of Aviator quickly drew tens of thousands of downloads based on social media buzz, showing there's definite interest, he says.

"We get 5 to 10 emails a day asking for the Windows version," Hansen says. "We're getting a lot of encouragement."


The Weird, Hyper-Incentivized World Of "Bug Bounties"


When Brazilian computer security expert Reginald Silva found a security hole in Facebook's servers, he quickly let the company know. And Facebook didn't just thank him--the social networking giant paid him a $33,500 reward, what the company said in a blog post is the largest single payout yet in its ongoing bug bounty program.

Bug bounties--rewards offered to anyone who finds critical defects in software--have existed at least since 1995, when Netscape offered cash prizes to anyone finding "significant security bugs" in Netscape Navigator 2.0. Mozilla, Netscape's successor in the browser wars, announced its own bounty program for Firefox and other products in 2004.

And since then, companies including AT&T, Etsy, Facebook, Google, Samsung, and Yahoo have all launched formal programs to offer cash rewards and public recognition for bug finders, according to a list maintained at BugSheet.com. Bug bounties help motivate hackers to disclose bugs responsibly rather than sell security holes on the black market, advocates say.

"Over the last two years, the Facebook Security Team has rolled out a successful whitehat program, paying researchers well in excess of 1 million dollars for helping us make our site more secure," wrote Facebook chief security officer Joe Sullivan in a post in August.

Facebook security engineer Collin Greene advises companies interested in starting a bug bounty program to be prepared to respond to bug reports quickly.

"Also, don't underestimate the workload," he says via email. "We received over 16,000 submissions in 2013, and each one was reviewed in depth by a security engineer. It's a lot of work, but it can also be incredibly rewarding if done well."

Researchers from the University of California at Berkeley who studied rewards offered by Mozilla and Google for bugs in Firefox and Chrome found in a paper presented last year that bug bounties can be more cost-effective than hiring security consultants to stamp out vulnerabilities.

They also offered some suggestions for companies interested in launching their own bounty programs, after estimating that Google's bounty program uncovered about 2.6 times as many bugs as Mozilla's over a three-year period, with the two companies each spending just under $600,000 on bounties.

The researchers said Google likely benefited from publicity for its bounty program, boosted by its annual Pwnium challenge, and that researchers appreciated the company's consistently speedy approach to patching bugs. And, they said, Google's program offered a tiered system of rewards, with bigger payouts for more sophisticated bugs, which was more exciting for bug-hunters than Mozilla's standardized $3,000 payouts.

"This makes sense with an understanding of incentives in lotteries," the researchers wrote. "The larger the potential prize amount, the more willing participants are to accept a lower expected return, which, for [bug bounty programs], means the program can expect more participants."

For companies that want to offer a bounty program but aren't sure where to start, one startup called Bugcrowd advertises that it will handle the details of vetting researchers, verifying bugs, and paying out rewards.

"Bugcrowd does the grunt work while you get back to your day job," the company says.

To some extent, tech companies are caught in a bidding war with black-market exploit buyers willing to pay for backdoors into popular apps and websites for their own nefarious purposes. In a November blog post announcing an expansion of Microsoft's bounty program, senior security strategist Katie Moussouris said the program should help in "cutting down the time that exploits and vulnerabilities purchased on the black market remain useful."

And the Berkeley researchers pointed out that both Mozilla and Google have increased their bounties for browser security bugs.

"Doing so increases publicity, entices participants, and signals that a vendor is betting that their product has become more secure over time," they wrote.

But a fair share of the comments on the post announcing Facebook's largest-ever payout to Silva for the bug he found, which exploited how Facebook processed XML data related to the OpenID shared sign-in system, argued he should have received far more.

In his own blog post, Silva jokingly cited a Bloomberg story where Facebook security director Ryan McGeehan pledged that even "a million-dollar bug" would be paid for under the program.

"Unfortunately, I didn't get even close to the one-million dollar payout cited above," Silva wrote.

A Guide To Finding Security Holes For Fun And Profit


Paying developers to find bugs is all the rage these days. GitHub just announced a bug bounty program offering ethical hackers $5,000 rewards for discovering vulnerabilities in its platform. This comes just a week after Facebook paid out a $33,500 reward to a researcher who uncovered a security hole.

So how can fledgling hackers reap these kinds of huge rewards?

"If you're interested in getting involved in security as a field, bug bounty programs are a great way as a practical matter to demonstrate your mastery of the material," says Neal Poole, a security researcher at Facebook. He would know. Before starting his current position, Poole claimed more than 20 bounties from Facebook, Google and other tech companies.

Now that Poole's doing internal security audits at Facebook, he has the advantage of being able to access company source code to look for unusual programming styles or areas of code where special requirements force programmers to deviate from standard security practices.

But as an outside bug bounty participant, he got used to relying on "black box" analysis--having access only to the requests sent by the browser to the target server and the responses sent back.

"As an outside researcher, when you're looking at Facebook, all you have to go on is the requests and responses you see," says Poole.

To help with that analysis, he uses a free tool called Burp Proxy that sits between his browser and the rest of the Internet. It lets users replay and tweak requests from the browser to better understand how different parameters affect what the server sends back.

"It just makes the testing process that much easier," he says.

Poole occasionally uses more sophisticated vulnerability-scanning tools, but warns they can sometimes generate time-wasting false positives or lead to a false sense of security when they miss genuine security holes.

"If I run a scanner and it tells me everything is clean, it's not the same as me looking at the site and saying everything is clean," he says.

Cross-site scripting vulnerabilities, where it's possible for a hacker to inject JavaScript into the content a site shows to another user, are among those Poole sees most often, he says. Such attacks generally rely on either linking a victim to a URL with JavaScript encoded inside the address to be regurgitated to the victim's browser or circumventing restrictions preventing users from posting live code to social networking profiles or forum posts.

"When you're looking for a cross-site scripting issue, one of the things you often do is you take all these fields that are taking user input and you put in all these strings and when they come out, you see if they're being escaped properly," says Poole.

Poole's website features a number of those types of bugs that he's found, and, he says, people interested in learning more about searching for security holes can read numerous online tutorials and books like browser security expert Michal Zalewski's The Tangled Web. Aspiring bug bounty hunters can also practice with tutorials like WebGoat and Damn Vulnerable Web App that offer downloadable websites with deliberately inserted vulnerabilities for researchers to experiment with.

Once new hackers have mastered the basics, they can start looking for holes in real-world sites like Facebook and GitHub, as long as they follow accepted bug bounty practices for not interfering with site operations or other users.

"When you are trying to demonstrate your mastery of the material, the best way to do that is to find a real-world site that has these issues," he says. "Build a good report; build a proof of concept."

As the web incorporates new technologies, new classes of security holes inevitably arise, though often they're variations on bugs that have been seen in the past, Poole says. For instance, as sites move from traditional structured SQL databases to more customizable NoSQL data stores, they've seen attackers move from SQL injection to NoSQL injection, but the general principle is the same: sneaking malicious database commands into data sent to the site.

"Very often, right on the heels of those [new] technologies, security researchers are coming along and saying, 'make sure you don't forget the lessons of the past in building out these new systems,'" Poole says.

As for Poole's own activities, he's enjoying working with bug bounty participants from the other side of the fence but finding that he's spending less time actually searching after other companies' bounties than he did in his college days.

"I've been kept pretty busy here, so I haven't quite as much time to spend on bug bounty programs as I used to," says Poole. "Sometimes, I just lie down and watch some TV or read a good book."

Could This 20-Year-Old Kid Make Bitcoin Obsolete?


Toronto programmer Vitalik Buterin was just 17 when he first became active in the world of Bitcoin. Now, at 20, he's one of the creators of a new currency called Ethereum, which its founders hope will be the next generation of cryptocurrency.

Just as Bitcoin made it possible to send and receive money outside of the traditional banking system, Ethereum could make it possible to set up binding contracts outside of the legal system. In addition to a virtual currency called Ether, Ethereum includes a full-fledged programming language that makes it possible to encode binding agreements embedded in the same transaction record that tracks the flow of Ether.

"I think Bitcoin really feels empowering in a sense," says Buterin, who also cofounded Bitcoin Magazine in 2011 and works as a developer on the cryptocurrency marketplace site Egora. "If you look at the way all the other different monetary technologies work, there's a lot of barriers around them--you need to have a credit card, you need to have a bank account, you need to have a merchant account and so forth."

Within the next few weeks, the Ethereum team plans to debut a version of its software including a scripting language that's Turing complete, meaning it's as expressive as languages like C, Java, and Python. Users will be able to encode automated contracts in that language, essentially represented by bots that can send and receive Ether currency when certain conditions are met.

"It'll be a client that people can use where they can actually start experimenting with some of these actual different contract types," says Buterin.

For instance, Buterin says, a banker and a customer could contract to establish a savings account that lets the customer use a cryptographic key to withdraw 1% of the balance daily and the banker withdraw 0.5% of the account every day. If both keys were used in tandem, the customer could withdraw as much as he wanted. That way, if the customer's key were stolen and he notified the banker, or the banker turned out to be insolvent or crooked, the customer's losses would be limited.
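The two-key savings account Buterin describes, written out as a constructed Python model (an added example, not Ethereum code or Buterin's own contract): each key alone can take only its daily share of the balance, while both keys together are unlimited. Balances are integers and signatures are stand-in strings; the per-day reset and the choice to compute limits from the day's opening balance are assumptions.

```python
# Per-mille daily limits from the article: customer 1% (10/1000), banker 0.5% (5/1000).
CUSTOMER_PER_MILLE = 10
BANKER_PER_MILLE = 5

class SavingsContract:
    """Constructed model of the two-key account. Balances are integer units (like wei)
    so the arithmetic is exact; 'keys' are opaque strings standing in for signatures."""

    def __init__(self, balance: int, customer_key: str, banker_key: str):
        self.balance = balance
        self.keys = {customer_key: CUSTOMER_PER_MILLE, banker_key: BANKER_PER_MILLE}
        self.customer_key, self.banker_key = customer_key, banker_key
        self._day = None
        self._day_start_balance = balance
        self._spent_today = {}

    def _roll_day(self, day: int) -> None:
        # Limits are computed from the balance at the start of each day and reset daily
        # (an assumption; the article only states the percentages).
        if day != self._day:
            self._day = day
            self._day_start_balance = self.balance
            self._spent_today = {}

    def withdraw(self, amount: int, signers, day: int) -> int:
        """Return the amount disbursed, or 0 if the contract refuses the request."""
        self._roll_day(day)
        signers = set(signers)
        if amount <= 0 or amount > self.balance:
            return 0
        # Both keys together: no limit (customer withdrawing with the banker's consent).
        if signers >= {self.customer_key, self.banker_key}:
            self.balance -= amount
            return amount
        if len(signers) != 1 or next(iter(signers)) not in self.keys:
            return 0
        key = next(iter(signers))
        cap = self._day_start_balance * self.keys[key] // 1000
        if self._spent_today.get(key, 0) + amount > cap:
            return 0  # a stolen single key can drain at most its daily share
        self._spent_today[key] = self._spent_today.get(key, 0) + amount
        self.balance -= amount
        return amount
```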

The contract establishing the account would be a piece of code executed by everyone tracking the Ethereum-shared transaction record. Other contracts could establish what Ethereum's founders call distributed autonomous corporations, where code written in Ethereum's scripting language could automatically poll company shareholders or nonprofit board members about how to spend company accounts according to predefined voting rules.

"Really any kind of organization could potentially fall under this model," Buterin said.

The scripting language would allow the contract bot to disburse Ether and could potentially even generate emails or online banking transactions, says Buterin.

"The contract itself would actually create the HTTP packet that would initiate the session with some bank," he says. "Then, that packet is already encrypted and signed, and somebody would have to take the packet and forward it to the bank, and the bank would take the packet in response and that same pass-through person would have to take the packet and send it back to the contract, and so forth."

An auction house could set up escrow accounts for its buyers and sellers, Buterin says. A two-thirds vote of the buyer, seller, and auction house would tell the contract bot to either forward the escrowed funds to the seller or return them to the buyer, letting the auction house easily function as an arbitrator for disputed purchases.

Contracts, or their human supporters, would have to pay small fees to cover the cost of their computation and data storage, Buterin says. Some of that money would go to miners of new Ether coins, and some would simply be deleted from the system, in a ratio to be determined as the currency evolves.

Buterin says that although Ethereum might seem attractive to underworld figures seeking to form anonymous binding contracts, the Bitcoin-style shared transaction record should limit many potential criminal uses. Regulators may not be able to shut down an autonomous corporation running in the Ethereum system, but they'll be able to trace where it's sending money, he says.

"The thing with the blockchain [transaction record] is that everything is still very public," he says. "The favorite currency for criminals is still cash."

Major Bitcoin Exchanges Are Attacked At Once, Creating Pandemonium


Bitstamp on Tuesday became the second Bitcoin exchange to halt withdrawals in recent days after a denial-of-service attack exploiting a property of the Bitcoin protocol made it difficult to verify transactions and customer balances. But Bitcoin experts say the issue, which also shut down withdrawals at mega-exchange Mt. Gox, can be averted with a few tweaks to how exchanges and wallet services track transactions.

"No funds have been lost and no funds are at risk," Bitstamp emphasized in a statement. "This is a denial-of-service attack made possible by some misunderstandings in Bitcoin wallet implementations. These misunderstandings have simple solutions that are being implemented as we speak, and we're confident everything will be back to normal shortly."

The attack relies on a property of the Bitcoin protocol known as transaction malleability that makes it possible to make slight tweaks to records of Bitcoin being sent from user to user without making the transactions invalid or changing the amount of money sent. The changes do, however, alter the computed hash, or digital fingerprint, that's stored with the transaction record and used as a transaction ID.

"If you've got, say, one Bitcoin that you're spending in your transaction, you can write that as '1 Bitcoin,' you can write that as '01 Bitcoin,' or you can write that as '001 bitcoin,'" says Bitcoin expert Andreas Antonopoulos, who is the chief security officer of Bitcoin wallet company Blockchain.info. "All three of those are valid transactions and will spend that one Bitcoin, [and] they all have different hashes."

Because Bitcoin transaction records propagate through a peer-to-peer network of Bitcoin users, an attacker who sees a transaction can modify it and relay the altered copy before the original spreads. At some point, either the original transaction or the modified one will make it into the shared transaction record called the blockchain. If the modified transaction makes it there first, the parties to the original transaction will look for the original hash in the blockchain but won't find it.

When an exchange or wallet service fails to find the hash, it might believe the transaction didn't go through and, if a confused or malicious customer complains, it might repeat the transaction, actually sending double the amount of Bitcoin intended. Once Mt. Gox revealed it was vulnerable to malleability-based attacks, other exchanges were slammed by attempts to trick them into issuing duplicate withdrawals, Antonopoulos says.

But Antonopoulos says Bitcoin users have known for some time about transaction malleability, which was first reported in 2011, and can ultimately defeat the attacks simply by not relying on the hash as a unique and static identifier until after it's entered into the verified blockchain.
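The failure mode and the fix above, as an added example that is not part of the original article or any exchange's code: a constructed, simplified transaction model (JSON stands in for Bitcoin's serialization, and a prepended zero byte in the signature field stands in for the encoding tweaks the article describes) shows that the malleated copy keeps the same inputs, outputs and amount but a different hash, that a withdrawal tracker keyed on the original hash would resend the payment, and that one keyed on the outputs spent and paid would not.

```python
import hashlib
import json

def sha256d(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def txid(tx: dict) -> str:
    """Transaction ID = hash over the full serialization, signature bytes included
    (the behaviour the article describes; JSON is a constructed stand-in for the real format)."""
    return sha256d(json.dumps(tx, sort_keys=True).encode())

def outpoints(tx: dict) -> frozenset:
    """The previous outputs this transaction spends; these cannot change without a new signature."""
    return frozenset((i["prev_txid"], i["vout"]) for i in tx["inputs"])

# Constructed withdrawal: spends one prior output and pays 1 BTC (in satoshi) to a customer.
ORIGINAL = {
    "inputs": [{"prev_txid": "aa" * 32, "vout": 0, "sig": "3045" + "ab" * 70}],
    "outputs": [{"addr": "customer-address", "value": 100_000_000}],
}

def malleate(tx: dict) -> dict:
    """A relaying third party re-encodes the signature field (here: an extra leading zero
    byte, the article's '01 Bitcoin' analogy) without touching inputs, outputs or amounts."""
    m = json.loads(json.dumps(tx))
    m["inputs"][0]["sig"] = "00" + m["inputs"][0]["sig"]
    return m

def confirmed_by_txid(sent: dict, blockchain: list) -> bool:
    """Fragile check: looks the sent transaction up by the hash it had when broadcast."""
    want = txid(sent)
    return any(txid(t) == want for t in blockchain)

def confirmed_by_outpoints(sent: dict, blockchain: list) -> bool:
    """Robust check: settled once any confirmed transaction spends the same inputs and
    pays the same outputs, whatever hash it ended up with."""
    return any(outpoints(t) == outpoints(sent) and t["outputs"] == sent["outputs"]
               for t in blockchain)

def should_resend(sent: dict, blockchain: list, check) -> bool:
    """An exchange that re-issues a 'missing' withdrawal pays twice under the fragile check."""
    return not check(sent, blockchain)
```

The same logic explains the "software fix" the exchanges announced: treat the broadcast hash as provisional and reconcile on what the transaction spends and pays until it is confirmed.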

"In a few days they're going to resume withdrawals and the network will be more resilient," Antonopoulos predicts of Bitstamp, adding that Blockchain and some other exchange and wallet services, as listed in our recent Bitcoin investment guide, haven't been affected.

Neither Bitstamp nor Mt. Gox immediately offered a timeline for when customers would be able to withdraw their Bitcoin. Bitstamp said in its statement it was working on a "software fix," and Mt. Gox indicated it was working with Bitcoin developers to standardize an additional, non-malleable hash.

Oyster Gets Surprising Early Analytics On Your Reading Habits


When the e-book subscription app Oyster launched last year, it was quickly dubbed "the Netflix of books" by the press. But since then, analytics and anecdotes have demonstrated that Oyster's customers actually consume the written word differently from the content they get on other subscription services like Netflix or Spotify.

What they've learned could have ramifications for publications and sites like ours, whose primary product is written content. So what's so different about stuff you read?

"Books are one of the best gifts to give someone," says Willem Van Lancker, an Oyster cofounder and the company's chief product officer. "People really responded fantastically to giving a gift of hundreds of thousands of books."

Van Lancker says this is something really distinctive about being a book business: feature requests for gifting started rolling in right away. Other subscription reading platforms didn't add gift subscriptions until later in their life cycles, says Van Lancker--presumably because no one had ever considered that books were (for whatever reason) more giftable than regular media.

Oyster also learned that while customers use their iPhones for "short bursts" of reading during the day, many do the bulk of their reading on days off and in the evening before bed, which means customer service inquiries swing nocturnal.

"The biggest bulk of inquiries and questions we get are between 8 p.m. and 2 a.m. Eastern Time," he says. His customer service team rejiggered their schedules to better match their customers'.

Nighttime reading also meant Oyster's developers took pains to make sure the app works well in low light, says Van Lancker. "We took a lot of time standing in closets with our product," he says.

Different genres of literature are popular at different times of day, he says: romance novels are popular in the wee hours of the morning, while mysteries and thrillers get more reading around rush hour.

And different states have different tastes as well. History is more widely read in Michigan and New York, Van Lancker says, while romance is bigger in Texas and Georgia.

"Any given member in Georgia is about 30% more likely to read a romance book than a history book," he says.

Overall, fiction, literature and business are among the most popular categories the app offers. Starbucks CEO Howard Schultz's memoir Onward has been quite popular, says Van Lancker.

All of this information can naturally be fed into Oyster's automated recommendation system, but even in the age of big data, Van Lancker believes handcrafted editorial recommendations can be at least as important to customers.

"We've seen a connection between crafting Oyster's editorial books--how Oyster kind of feels like a corner bookstore--and people really responding to that," he says. "Books are kind of a special medium, and because you're going to be digging into it for five to 10 hours, having an extra recommendation from someone you come to trust is really important."

Oyster's also learned to heed product recommendations from its entire team, he says.

"We have people from publishing and books, and people from technology," he says. "It's a diverse team and I think it's really worked out well to build a product that has a lot of emotion wrapped up in it."

Similarly, Oyster's made sure to highlight books from a variety of authors and presses big and small, not just surefire bestsellers.

"We make a point to kind of pull in picks from all of our publishing houses and authors," he says. "Just like a great bookstore that has a table laid out to introduce people to new ideas and new stories."

The subscription model can let people explore different books a little more freely and even bring some lapsed bookworms back into the fold, he says.

"The most exciting thing for us is taking someone who isn't a reader and reintroducing them to books," he says, citing subscriber feedback. "They weren't reading books at all, and now Oyster has brought them back into it, and now they're reading a book a month."
