Other than that I just googled the hell out of things, Stack Overflow was, as always, a valuable resource. Chances are that whatever you're trying to do, particularly when learning, somebody else has already done.
This practice is in violation of FB's ToS, and ethically questionable - but there's just enough money in it to make this worthwhile for the likefarmers.
I recently created a US company. Here's what I learned:
Most companies are set up in Delaware, because of Delaware's taxation and advanced corporate legal system. Setting up (and shutting down) a company in Delaware is very simple and streamlined, and most big US corporations are technically Delaware corps.
If there's a chance of raising US VC capital in the future, you will want to create a Delaware "C" Corporation, specifically. Many VCs will demand that you create a "C" Co. and transfer IP/business if you had another Co. previously. Ownership in a "C" Co. is based on shares, and the "C" Co. can later release and sell new shares to VCs: that's how investment deals happen in a nutshell.
To set up the company, we used a lawyer. After shopping around, $300/hr is what you should be prepared for, with about 10-20 hr to set up the "C" Co., another 10-20 if you want to transfer IP. Also, if your existing Co. is located in say Egypt, you'll need Egyptian legal counsel to cover your ass on that end (VCs will demand an Egyptian legal opinion for transfer of IP).
Once you have the company, you will need an EIN. That is simple and can be completed using a website for a Delaware Co. Then you need to open a bank account. In our case a US based partner did that at his local bank. There's an outfit called Bank of Silicon Valley who seem to be helpful in cases like yours and you can open an account with them, over the phone. Then you will need a virtual office and mail forwarding services, such services exist for Delaware Co's for a low yearly fee (~$50/mo), your lawyer will set you up. You'll also need a US accountant. Btw. your US lawyer will give you all this information. Overall you should expect to spend $10-20K on this.
In practice, the whole thing is pretty simple, and can be managed through email (scans for signatures), and US businesses are used to this. The whole thing can be completed in 1-2 weeks from the point of making initial contact with the US lawyer. Although lawyers have a bad reputation, I found that most lawyers are usually very professional and upfront about what they will charge and what the process will be, what to expect. If you need a contact, try http://wsglegal.com: that is who we were recommended, used, and were very happy with. (I'm not affiliated).
So far so good, what sucks is the accounting / tax issues. That's where you will waste most of your time, esp. if you are based in Egypt. In our experiences, while lawyers are pretty professional about what they do, accountants are less so, and accounting/tax issues are the worst offenders for wasting valuable time. That's where you should be prepared for shit to hit the fan initially, esp. for international issues where neither side (US/Egypt) will have complete legal/accounting/tax knowledge. Your cheap plain vanilla local accountant will be useless.
Finally, you should know that the USA is a very litigious country, meaning people are more likely to sue you if they feel you owe them or you've wronged them. So once you have a US presence (a US Co.), customers and business partners, sooner or later shit _will hit the fan_ and you will probably get sued. It's the cost of doing business.
Overall, in my experience, if you don't want to raise US capital, I would suggest you do _not_ set up a US Corp. Staying local, and having to only deal with local legal/accounting/tax issues is _much_ simpler for you. Also, if your company is based in Egypt it's probably harder to sue you. I would invest major energies in trying to figure out how to take payments as an Egyptian entity, although admittedly I don't have much experience in this. You could also look into setting up a UK Co., I know people who did that to take payments.
The EverWrite guys have a nice writeup here:
Anyway, the issue is that no merchant account will accept your US company, even if it has an EIN and a bank account, without a personal guarantee. And they won't accept a personal guarantee unless they can either:
1. Pull your US credit report (which you don't have)
2. Be assured you have some assets that are within reach of the US judicial system
or 3. take a huge rolling reserve off of your payments.
I would strongly suggest using 2CO, Paypal to get started. Too often we get involved in the paperwork and other stuff without proving the MVP.
Good luck from due east.
The company corporation exists to provide most of the services you need. You can find them at www.incorporate.com They are good about reminding you of everything you need to file, and they also provide registered agent services. Every company needs to have someone in the state where they are incorporated who is there to receive process (e.g.: if someone sues you you have to have an agent who is identified publicly so you can get the court papers.)
They provide registered agent services and will facilitate incorporating in many of the states.
If you decide you need a mailbox in the USA, then there's earthclassmail.com which will offer you addresses in many states. I'm not sure what they require for non-american citizens to set up an account.
The way I branched out my company into unknown territories is to find a reseller there. Let them take care of the regulatory stuff. In this economy it should be easy enough to find someone who already has the company in place and needs some extra work on the side.
You can set up the contracts in such a way that you retain the option to buy them out and set up your own company at some point in the future.
1) Ask yourself WHY you need a company in the US. It might not be worth it.
I registered one so that 1) it would be easier to accept payments from the US through their native gateways, because in my country, all of them suck. But if I had known the pitfalls first, I would rather have integrated with Paypal.
2)An American company's products are always perceived to be better than the rest.
I registered an LLC and every year, I'm required to pay an annual fee of $250 USD as Franchise tax. Mine is in Delaware so it's just $250; if it's in California, it's going to be approx. $800 or so. $250 might not sound like a big deal, but for companies like mine, that are bootstrapping, it really is.
You are required to pay some more money as tax, apart from the Franchise tax on your ECI. ECI is effectively connected income - ie, The income generated by doing business with the US. This is going to get complex if you have an online internet business model.
You are required to have a registered agent to represent your company in Delaware. They charge anywhere from $50 to $200 a year.
The total tax you might end up paying for the same revenue stream is:
Franchise tax + tax for your ECI + registered agent fee + your local country's tax.
The situation gets even more complex when you hire more people.
Also, the organization's taxation methods change depending on the number of members (single/partnership/multi-member, etc.)
More on this:http://www.irs.gov/businesses/small/article/0,,id=98277,00.h...
The worst part is, if someone decides to sue you, suddenly you are answerable to the American government, which you were not before. Your liability is also increased (unsure of this though).
Travelling to the US becomes a nightmare when you own an American company. Visa officers think you have a higher probability of settling there, rather than returning and it becomes increasingly difficult to get to the US, which I'm pretty sure is not what you want.
I registered through a known friend, but the best place to get it done, if you ask me, is through Harvard Business Services (www.delawareinc.com). They have a lot of benefits (total cost to set up an LLC is under $600-700 USD) and MANY of my friends have registered through them. They also are very transparent and their registered agent fee is only $50 a year! (I'm not their salesman though, for god's sake)
Anyway, If I had known these disadvantages first, I might as well have gone with a local organizational structure. Just keep these in mind while registering your new company... my 2 cents.
It's more geared towards Canadians but I'm sure many things apply.
Law firms help do this. For a few grand you can get someone like http://www.grellas.com/ to do it 100% venture capital ready in Delaware.
If you're really just looking for a merchant account, make an LLC and get one in the name of that. Far cheaper, but will require the redo when/if you want investment.
Make sure you file the paperwork to do its taxes like a C corp instead of a disregarded entity (Form 2553) http://www.irs.gov/pub/irs-pdf/f8832.pdf
If you are looking for a lawyer I received good recommendations for:
- Ryan Roberts @ http://startuplawyer.com/contact
- Scott Edward Walker @ http://walkercorporatelaw.com/
- Grellas Shah LLP @ http://www.grellas.com/
There is some useful info in that article. Nevertheless, if someone has more info I would like to know different perspectives on that topic.
As I am preparing the switch to a static site, I hope there are interesting answers waiting out here.
Juvia is interesting, but - as you said - a bit overweight. ;-)
So I hope, that there do exist interesting alternatives, but till now, I didn't find any.
What you need, instead, is a mindset: when you are at the supermarket checking out with one of those self-checkout machines, does some part of your brain start figuring out mistakes made in the mechanism that might allow someone to steal items?
If not, that is the kind of thought process that you need to get yourself to start doing: you need to keep asking yourself "if I were evil, could I do something evil here?", and you need to make it fun enough that you are doing it constantly.
With this mindset, finding exploits in software just becomes "teach me to program", as the kind of devious backchatter in your brain will just see things popping out "wait, what's to keep someone from cheating here and doing the opposite of what you say?".
The really epic hacks then just come from many years (the stereotypical 10,000 hours) of experience programming and trying things: it isn't because they read some magazine or learned from someone else. Instead, their mindset just got better.
Think of it this way: it makes a lot of sense to ask "how do I learn how to use a violin", but "how do I learn musical taste" and "how do I learn to hear music in everything that surrounds me" are more awkward. The former is a skill, the latter two are mindsets.
Recognise that a lot of hype and circus has built up around the field of ICT security. Linus made a very public and passionate argument in mid 2008 on the topic. Some sample quotes:
So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special. ... To me, security is important. But it's no less important than everything *else* that is also important!
Part of Linus' argument stems from the bazaar model for developing software. A separate security ecosystem that works in secret and controls the distribution of source code is a throwback to the cathedral model. Linux continues to be a success because it does not use the cathedral model.
Linux development occurs in the open amongst many selfish parties that sit anywhere on the scale between not caring at all about security to being paranoid about security at the exclusion of all other interests. In the middle of this disorder is someone like Linus who is trusted by the community to balance interests. On one side of the debate is PaX/grsecurity (or similar projects) lobbying for more controls and security features in the kernel. This party is generally happier to trade off factors such as performance and ease of kernel maintenance to gain additional security. The other side of the debate may be supercomputing users or embedded platforms who are not willing to trade off performance.
The security hype and circus around security-related bugs can be very dangerous to the ongoing health of open source software projects. I will use the personal example of Mantis Bug Tracker, a project I have contributed to for the past few years. Many of the contributions I have made to the project are security related: XSS, CSRF, access control, cryptography and more. The CSRF protection in particular is a disgrace within Mantis Bug Tracker, for reasons unrelated to security. A few years ago, some forms within MantisBT were protected by CSRF nonces. Obviously this is not a good situation: every form which results in changes to state or data should be protected. I went through every form (grep -PRn "<form") and added nonces. Great! MantisBT was secure. But it was also very much broken. Numerous users started complaining about security error messages informing them of invalid tokens and the incorrect possibility that they submitted a form twice. The cause? PHP session time-outs were invalidating CSRF nonces and not only prevented users from submitting lengthy bug reports and comments but also led to the loss of that user supplied information. The trade-off between security and usability was (and sadly, still is) broken.
When usability is broken to the detriment of security, the natural and completely understandable user decision may be to disable form CSRF security altogether or switch to another piece of bug tracking software that is less secure, but also more usable. This is a security failure worth being concerned over.
The bazaar model calls for these issues to be thrown out in public on project mailing lists, bug trackers and source code repositories in the hope that a maximum number of eyes will look over the issue and feel a compulsion to assist with patches in the shortest period of time. Hopefully usability issues about any proposed patches are considered as part of this process, preventing the problem I mentioned above with CSRF nonce time-outs. The cathedral model on the other hand prefers to keep these issues secret amongst a select group of self-titled "experts" (core developers or otherwise). The chance of a quick resolution amongst this small group is smaller than if the issue was public with hundreds of eyes looking upon it. There is also a much greater chance that a small highly biased group will fail to correctly consider all the trade-offs.
* Recognise that security is a trade-off against other factors and a balance needs to be struck. Bruce Schneier has been repeating this statement for over a decade on his blog. Linus has been proclaiming it on the Kernel mailing list. It is important.
* Know what the bazaar model of software development is, how it works and why the concept of secret walled-garden development communities in a much larger open source project can be considered offensive.
* Software developers have many "most important" problems to deal with at any time and are often volunteering their time. A bad, demanding attitude from a security researcher will not help.
* Security patches do not warrant a Millennium Prize any more so than a patch to resolve a severe performance regression, data loss bug or major usability issue. Standing on top of a security pedestal in the sky is the antithesis to gaining respect from open source communities.
* Study the work of programmers who are well respected for their knowledge and experience with creating secure software. Some examples are Daniel J. Bernstein (djbdns amongst numerous other projects), Chris Evans (vsftpd), Timo Sirainen (Dovecot), Wietse Venema (Postfix) and Igor Sysoev (Nginx). If you want to make a contribution to ICT security there is no better way of doing it than creating your own secure-by-design software that is relied upon by billions of Internet users each day. The adversarial mindset is important but is not worth much without an ability to practically implement constructive changes.
Refer to http://www.mantisbt.org/bugs/search.php?project_id=0&cat...
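As an added example (this is not MantisBT's code; the signing key, the TTL, and the user/form identifiers are assumptions for illustration), here is one way to decouple CSRF token validity from PHP session garbage collection: sign the expiry into the token instead of storing a nonce in the session, bind it to the user and the form rather than to the session, and on a failed check echo the user's input back with a fresh token instead of throwing the bug report away.

```python
import base64
import hashlib
import hmac
import time

# Constructed for this example: in a real deployment load the key from config
# and rotate it out of band. The lifetime is deliberately independent of the
# PHP session GC interval that invalidated MantisBT's nonces.
SECRET_KEY = b"example-only-csrf-signing-key"
TOKEN_TTL_SECONDS = 8 * 3600


def _sign(user_id, form_id, expires):
    msg = f"{user_id}|{form_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()


def make_csrf_token(user_id, form_id, now=None):
    """Stateless token '<expiry>.<base64 HMAC(user, form, expiry)>'.
    Nothing is stored server side, so a session time-out cannot invalidate it."""
    now = int(time.time() if now is None else now)
    expires = now + TOKEN_TTL_SECONDS
    mac = base64.urlsafe_b64encode(_sign(user_id, form_id, expires)).decode()
    return f"{expires}.{mac}"


def verify_csrf_token(token, user_id, form_id, now=None):
    """True only if the token is well-formed, unexpired, and bound to this
    user and this form. The MAC comparison is constant-time."""
    now = int(time.time() if now is None else now)
    try:
        expires_str, mac_b64 = token.split(".", 1)
        expires = int(expires_str)
        presented = base64.urlsafe_b64decode(mac_b64.encode())
    except (ValueError, TypeError, AttributeError):
        return False  # binascii.Error is a ValueError subclass
    if expires < now:
        return False
    return hmac.compare_digest(presented, _sign(user_id, form_id, expires))


def handle_form_post(form, user_id, form_id, now=None):
    """Returns ('accepted', fields) or ('retry', fields).

    On a token failure the user's typed input is echoed back together with a
    fresh token, so a long bug report is not lost the way the anecdote
    above describes."""
    fields = {k: v for k, v in form.items() if k != "csrf_token"}
    if verify_csrf_token(form.get("csrf_token", ""), user_id, form_id, now):
        return "accepted", fields
    fields["csrf_token"] = make_csrf_token(user_id, form_id, now)
    return "retry", fields
```

Two caveats on the design choice: binding to the user (not the session) is what keeps the token valid across a session time-out and re-login, so if you bind to the session id you are back to the original problem; and because the token is no longer a one-time nonce, protection against genuine double submission has to come from somewhere else (for example an idempotency key on the form).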
You'd be surprised to see the amount of apps that accept a single non-breaking space (alt + 0160) as a username.
Don't assume that a disabled, unchecked checkbox in a registration form can't be enabled/checked. Don't expect that you'll receive a value from a <select> element that is actually contained within that dropdown's options.
When your app breaks horribly, your curiosity will hopefully throw you into a night of reading and hacking.
You can read more about fuzzing at Jesse Ruderman's blog. He wrote very interesting fuzzers for Mozilla's JS, DOM and CSS parsers.
Sometimes, a friend of mine would ask me to check out his project. I proceed to act like an incredibly malicious user, then have this friend get mad at me.
It all clears out after explaining that he would always run into someone trying to break things. Even someone just trying to get a laugh!
Sorry for the shortness of this response, if people are interested I can throw together a couple of blog posts.
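An added example, not code from the commenter or from any particular app, of server-side validation that covers the three cases above: a whitespace-only username (including U+00A0), a value for a disabled checkbox the client re-enabled, and a <select> value that was never one of the options. The field names and the option set are assumptions for illustration.

```python
import re
import unicodedata

# Server-side copy of what the <select name="plan"> offers. Constructed for
# this example; the option list the browser rendered is not the source of truth.
ALLOWED_PLANS = {"free", "team", "enterprise"}
# 3-32 chars, must start with a letter or digit. Assumed policy.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{2,31}")


def clean_username(raw):
    """NFKC-normalise, strip leading/trailing Unicode whitespace (str.strip()
    covers U+00A0, unlike a regex on ' '), reject any remaining whitespace,
    then apply the allow-list pattern. Returns the cleaned name or None."""
    if not isinstance(raw, str):
        return None
    name = unicodedata.normalize("NFKC", raw).strip()
    if any(ch.isspace() for ch in name):
        return None
    return name if USERNAME_RE.fullmatch(name) else None


def validate_registration(form):
    """Returns (errors, cleaned). cleaned is only meaningful when errors == {}."""
    errors = {}
    cleaned = {}

    username = clean_username(form.get("username", ""))
    if username is None:
        errors["username"] = "3-32 chars, letters/digits/_.- only, no whitespace"
    else:
        cleaned["username"] = username

    plan = form.get("plan")
    if plan not in ALLOWED_PLANS:
        errors["plan"] = "unknown plan"  # not one of the options we rendered
    else:
        cleaned["plan"] = plan

    # The 'is_admin' checkbox is rendered disabled. Browsers do not submit
    # disabled controls, so its presence means the client tampered with the
    # form; the server decides the value regardless.
    cleaned["is_admin"] = False
    if "is_admin" in form:
        errors["is_admin"] = "not user-settable"  # worth logging as probing

    return errors, cleaned
```

The point of the three checks is the same: the browser-side form is a convenience for honest users, and every constraint it appears to enforce has to be enforced again on the server from the server's own copy of the rules.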
Once you've read that, I highly recommend going through Stanford's CS 155 practice assignment on the subject. Unfortunately I really can't find the assignment anymore but perhaps a more thorough search of their archives would reveal it.
However, here is a blog which details the answers to all of the problems and includes the problem themselves. It explains why they work, and how to get to them. Very helpful if you are interested in looking at more advanced techniques: http://blogs.hulmahan.com.ph/archives/category/hack-101
That takes care of the basic C sploits. Beyond that, it really depends which level you want to attack at. You can attack at the stack level for almost all programs.
For web applications, you can go at a much higher level with stuff like SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Session Hijacking.
Lastly, I highly recommend "Grey Hat Hacking, The Ethical Hacker's Handbook." This book does a fantastic job of giving you a taste of hacking at all levels. It covers OS attack possibilities, network level attacks, exploit generation and more. It also does a great job of introducing you to a lot of tools that help get the job done. From there, you'll at least be able to think of what you want to learn about next.
Sometimes you're dealing with completely open source apps. These are more secure but the plus side is that you have access to all uncompiled source code.
Sometimes you're dealing with all or part of the stack that is proprietary. These are sometimes less secure but you don't have access to easily readable source code so you need to use special tools to figure out what the creator has done to protect the system.
If you're trying to get into a specific system, intuition often helps you choose where to spend your energy first. You'll have a feel for what code has the least eyeballs on it or the less competent developers writing it, or less frequent updates so you look there first.
FYI there are two kinds of zero day exploits. The first is one you just discovered and no one knows about it. I think of that as true zero day. The second is one that fits the classical definition of the developer having zero dev days to fix it because they haven't been told yet, but many other folks may know about it. Discovering a true zero day security hole is very hard and getting harder because of the bounties being offered now. Often regular zero day holes are discovered by others who got hacked using it and simply back-tracked the hackers steps.
Hope that helps. I'm the developer of Wordfence, a security plugin for WordPress. Also disclosed the timthumb wordpress vulnerability last year and fixed the hole by rewriting timthumb.
I knew from past experience that the company had hired someone to basically just make a separate site to host the damn file...in other words, the PR department had minimal knowledge/care about the technical details of the website.
And knowing how contract developers worked...that is, they know that if their client no longer sees a visible link to a file, then that file has been "deleted"...I just tried something like "list1.xml"...and voila
I know buffer overflow hacks are incredibly interesting but how many of the most significant hacks have been done through plain out guessing the target? I don't even mean social engineering...take, for example, the update_attributes hack on Github's rails setup. The vulnerability was well known and dismissed, so the hacker guessed how a project team might slip up and perpetrated an amazing and thankfully benign hack.
So I guess, a good start is to just be a decent programmer yourself, and to have understood why you follow the best practices
"keygen" sort of thing (reversing):
writeup: https://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15213-f..., tarball: https://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15213-f...
Exploiting a variety of buffer overflows:
writeup: https://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15213-f..., tarball: https://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15213-f...
In the end I don't think there is too much to say about "exploit development" per se, it's all about identifying those assumptions that could be fruitfully abused, once you find a way, writing the exploit should be the easy part. So, I would take some amateur ftp server, or maybe something famous for its insecurity (I know wuftpd used to have a bad rep) and then basically try writing a FTP client that tries to break some restriction the server or protocol intended to keep. From there, you just have to learn to identify more assumptions, by studying programming languages, operating systems, network protocols etc., whatever might be helpful (and it always amazes me what kinds of crazy details people in security can take advantage of). Another aspect is exploring the assumptions of software you don't have the source code of, so basically reverse engineering.
I am more of an admirer of security work than a practitioner, so maybe other people can elaborate some more, but I hope this is a valuable starting point.
The Shellcoder's handbook is a good starting point too but is getting a bit long in the tooth. Attacking the core is a good starter on kernel bug dev. Both should be available on Amazon.
It's also worth pointing out that if you have a local Def Con chapter it's worth going at least once or twice to see whether or not you like it. Same if there's a local BSides event - these are free events, wildly variable in quality but run by the community for the community. There's also other cons like 44Con, Brucon, Cansec, Defcon etc. if you really want to get into it but these can be quite expensive.
I'm not sure where you're based, but if you're in or near London the local Def Con chapter DC4420 is on Tuesday downstairs at the Phoenix, Cavendish Square near Oxford Circus. I'll be there and will be more than happy to have a chat with you and introduce you to people.
 - http://www.securitytube.net/groups?operation=view&groupI...
 - http://www.corelan.be/index.php/articles/
 - http://44con.com/training/vivek-ramachandran-hacking-with-py...
 - http://dc4420.org/
You create a toy exploitable program, and you start exploiting that
But before that, brush up on C and assembly (the basics of assembly at least). x86 is "easier" (more human readable, I'd say, though with lots of quirks if you want to write it; still easier than x86 in 16-bit), but if you want to study exploits on other platforms they have their own quirks.
That's "exploits 101", let's say. That will cover the most basic tools you'll need and trying that is a great exercise
See the links other posted for "smashing the stack for fun and profit"
After that, you could try old programs and studying known exploits for specific versions (say program X has a certain exploit that works like that, so you could try making an exploit for that)
Charlie Miller is a well known example of this - he famously markets himself as a reliable exploit writer, his background came from doing the same work at the NSA.
In most cases it's a very technically challenging effort, beyond what most people will self teach. Simply finding the bug is often the easy part as compared to reliable exploitation.
The best publicly accessible sources of learning are security conference papers and university theses, though they don't usually explain the basic techniques or high level techniques. "Underground" sources like 2600 for the most part publish rather poor or incomplete material, though they occasionally do have some top notch stuff.
I assume this is related to the old Andy Greenberg article that's on HN right now. While I wouldn't say those prices are an outright fabrication, they are definitely misleading. It is very rare for those kinds of prices to get paid, at least reliably. It's much more common for prices to be in the four or low five figure ranges when sold, and they often go completely unsold. It has a lot to do with who the buyer is and what their budgets are like and how well known you are and on and on - not totally unlike a traditional governmental procurement process.
What that article really was was an advertisement for that broker - the price list was there because he's trying to say hey you're getting screwed come to me! I would guess that the reality of working with him is significantly more middle class.
I'm surprised that no one mentioned my class yet, where I have some of the best people in the world talk about exactly how to learn this stuff.
You can start reading the classics (although most of them are not applicable today) like Smashing the Stack for Fun and Profit by Aleph One, 7350 (teso security group) papers on format-string exploitation as well as various other techniques on heap-overflow techniques, double free()'s etc. A very good book for all round exploitation with some advanced techniques is "The Shellcoder's Handbook" which I highly recommend. The Phrack magazine (before the editing team changed) has some really juicy techniques on exploiting various platforms.
Other than that, you should browse through A LOT of source code trying to identify bugs in open source software and subscribe to various security bulletins so you can read advisories and try to exploit them. GDB is your best friend for that job since analyzing core files is the beginning of everything.
Finally you should get involved in security communities (the more under the ground they are, the better) and attend security cons (HAL, Defcon, CCC).
I used to do some heavy exploit writing back in high-school and I can tell you it's really REALLY fun but time-consuming and frustrating sometimes. Exploiting software is a form of puzzle solving.
Have a look at http://www.securityfocus.com/archive/1
and if you can get some sample exploit code and study it.
Then perhaps study some of your own programs with a more devious mindset and figure out what you have forgotten to take into account.
To start, I'd say have a good C manual (K&R), have a good book on computer systems (Computer Systems by Randy Bryant, but there are other good ones) and good documentation on gdb. gdb is where it begins.
You can't make a list of resources that will get you to your goal, you can make one that will give you the foundational knowledge you need to start, but after that you just need to live in the right mindset and start doing it.
I'm not an exploit developer, but I'd imagine that the following would be useful practice:
1) Find a famous exploit, and read about what it accomplished but not how it was done. Then attempt to redo it. When you get stuck, look at what the original exploit did and continue from there.
2) Do the above on a heavily exploited technology, but only read about a few of the exploits. While attempting to exploit in one way, keep your eye out for other holes that you can exploit and develop an exploit that you hadn't even heard of before. It's probably already been done, but you came up with it independently.
3) Now try the same on something less exploited, but still with at least one exploit that you can follow along with. Try to develop a completely original exploit in this way.
4) Now find something unexploited and dig around for an exploit. Now you have enough practice that you should have the ability to identify a potential exploit when confronted with it.
Of course, you should repeat each of the above steps at least a few times before moving on to the next.
1. The Shellcoder's Handbook
2. Hacking: The Art of Exploitation
3. Gray Hat Hacking
4. w00w00 Exploiting Heaps
Basically memory exploits all boil down to overwriting the EIP with an address that points to some code that does something.
Of course there are all sorts of exploits, some simply send bad data to crash the server as a Proof of concept.. others are more sophisticated, either way if you can program all you need to do is learn a few methods and then writing the exploit shouldn't be so bad..
After that I started studying my own programs to see if there were any obvious patterns that someone else could guess. This was before the days of CGI on the web.
My curiosity continued when CGI was growing and I learnt first how to fool a guest counter, and then how to build a more secure one. I started learning Perl and read all the man pages. There was a lot of stuff in there that was like "don't do this because it's insecure". To that end I owe a lot to Larry, Randal, and Tom.
What I learnt from there helped me protect myself against XSS attacks, but also taught me what to look for without needing the source. It was a while before I heard about CSRF attacks. At this point I was interested enough to see what OWASP listed as the top exploits and did some studies on each of them.
At no point have I ever used what I know for malicious purposes.
But that's not the reason why I'm writing here. Since I started to get better at anything I'm doing, I realised that it's always about the little things. If you see someone do one thing that is small, great and everybody loves it, then what actually happened was that this person did millions of small steps that were stupid before. You just didn't see it. Millions, it's not a joke! And of all these things, a lot of them are about just learning boring things. If you want to become a cracker (I'm morally neutral, so I don't really care WHAT you want to become), then you should start out with learning to code, and learning to code quite well. Then you should learn all about how the internet works. That means learning to code more, and then also learning all about the network protocols and layers and also about how the hardware is wired. Learning all this will automatically show you the limits of what security can achieve (for example you will understand naturally that there can't be a perfect code. Every code must contain the information it tries to hide, somewhere. So every code will be broken some day.) and also where people made mistakes. And if you have the right mindset you will find ways to hack systems that don't even involve circumventing security systems.
To make a long story short: You need both, mindset and a lot of knowledge.
1. Understand what a program is. How the architecture of your computer allows it to run programs. How to look into the guts of a program - currently running or while dormant - and figure out how it processes any and all input you are able to feed it. What mechanisms are in place to prevent exploits.
2. Study bug classes and exploitation techniques. Information leaks are often important to remotely exploit code protected by ASLR. Build fuzzers. Use a tool like the absolutely incredible Vivisect recently released by visi at SummerCon a few days ago to see whether it is possible to get to a vulnerable code segment from the entry points you are able to find. Craft input to reach the identified bug, and leverage it to achieve arbitrary code execution. Never forget that while your focus may be zoomed in on a handful of opcodes that there is in fact an entire system environment in place and potentially at your disposal.
It's a daunting amount of information. Many of the best have been taught via something reminiscent of oral tradition, and like anything you wish to achieve mastery of you will learn faster with feedback from those with more experience. Most public hacker forums are about downloading tools for SQLi and have nothing to do with exploit development at all. But make some friends who are good at it and seek their feedback.
I guess start off by reading the corelan exploit tutorials, which go pretty deep pretty fast and may be a good start for somebody with programming experience. Simultaneously work through the reversing tutorial by lena on tuts4u. I think that may be a good start.
Let's start off with web-application security. The most common attack vectors are detailed as part of the OWASP Top 10; you can read more about specific attacks with simple Google searches, and there are loads of articles that do the same. In order to write exploits you can try the wargames which are present online, or download intentionally vulnerable operating systems/applications and practice on them (DVL, DVWA etc.). The techniques involved in finding these vulnerabilities include fuzzing, vulnerability scanning, source code audit and manual blackbox testing.
Another area of exploitation is that of binaries that run on a particular operating system. Such exploitation usually requires you to find the vulnerability using reverse engineering/source code audit and/or fuzzing. Writing exploits requires you to have at least a good understanding of the stack layout, calling conventions, asm and shellcode. Of course, in this case I am referring to "overflow" vulns and not logical errors.
In order to practice exploitation, you can try out wargames as they are an excellent resource. There are wargames for binary exploitation (smashthestack.org, overthewire.org), webapp hacking (hacking-lab, hackthissite.org, DVWA, and LOADS more), crypto (overthewire.org and smashthesite.org have crypto wargames) and Linux admin hacking (hacking-lab has a few every now and then).
Exploit development requires one to have strong fundamentals and understand how exactly stuff works under the hood. There are quite a few books that you might find interesting based on your interests. If you are into web application hacking I'd suggest "The Tangled Web" and "The Web Application Hacker's Handbook". If you are into binary hacking I'd suggest "The Shellcoder's Handbook" (there are so many more awesome ones but this one's the best to start off with IMO).
Please note that here I have answered the question "How to develop exploits" rather than questions such as "How do I develop the security mindset" and "How do I find security vulnerabilities".
Hope this helps.
For purposes of learning do NOT use scanners (such as sqlmap) or automation frameworks (e.g. msf for generating shellcode). While I think these tools are AWESOME, they should only be used once you have learnt how they work and when you reach a level where you feel you are unnecessarily doing work that could be automated.
If you need some hints, search "wuftpd remote root" to see the form they often take.
This happened because they lost primary power AND had a generator fail AND had a distribution breaker fail. I wonder how often any two of those happen without us ever knowing about it...
There's nothing like that yet as far as I know. Most hotels and B&B will indicate whether they've got wifi access. Typically, if wifi isn't mentioned, it means no wifi.
But knowing that wifi is available isn't actually all that helpful. You'll often find that wifi is available but costs more than the room itself. Or, even more often, it just doesn't work or is unusably slow.
So we always try to get a place with wifi but also always carry an unlocked MiFi with us. In the UK, you can get one for £50 on PAYG on Three and unlock it for a few quid. PAYG data top-ups in the UK on Three are reasonably priced (£15 for 3GB of data). When we go abroad, we first check this wiki to find local operators with decent PAYG data plans and we buy a local SIM card as soon as we land: http://prepaidwithdata.wikia.com/wiki/Prepaid_SIM_with_data
It's a hassle but if you really need internet access, that's the only option at the moment I'm afraid. There is definitely a niche for a way to identify hotels and B&Bs with a free / reasonably priced and reliable wifi connection (and also cafés while we're at it - it's an incredible pain to find a café with working wifi).
Do a search, then look on the right side of the page for the "Amenities" widget (you have to scroll all the way down). You could also add "beach" and/or "ocean" as a keyword in the widget right under that.
Given that you're using tools used to sell bed and breakfasts on the internet, chances are high that the proprietor has both breakfast AND wifi.
I don't think relying on the information the Owners give can be a solution. They want to sell and they'll consider their shared wifi connection always "fast", whatever that means.
We have developed a niche platform for vacation rentals which would allow you to build a website dedicated just to vacation rentals with internet connection (some call it an Airbnb builder, but this is not accurate for many reasons. One of them is that we don't do peer to peer).
Anyone wanting to open a small business to fill this niche could use our CMS to build the site and select the accommodations from the thousands we have. We have local Managers who visited personally most of these Owners and Accommodations, so they can provide you with hard data such as Actual Internet Speed. SpeedTest.net results for instance.
This is different from letting the Owners check that "wi-fi" checkbox.
I had the "only fast internet accommodations" idea long time ago, but we're waiting for the right person/team to come in and do it.
The system is http://www.adormo.com and these are some other niches we built already just to give you an idea:
http://www.topfamilyhomes.com
http://www.kitesurfsleep.com
http://www.petfriendlystays.com
If anybody is passionate to solve this problem with us, please send us an email!
A site full of hotel wifi ratings, speeds and passwords would be so awesome. Kind of like bugmenot or maybe hipmunk with an agony rating for hotels.
Better than searching through sites when a lot of the time they don't have that info on it.
It should be listed though... it should.
So, it's probably worth more to complain to BedAndBreakfast.com to be doing this since they likely already pay someone to pursue details like the ones they already do have. They probably just don't think it's very important and nobody is telling them otherwise.
There is currently some amount of anti-immigration sentiment in many EU countries, mainly because of the recession. Governments can do nothing to restrict intra-EU migration, so tend to make life hard for non-EU migrants to look tough on immigration. The current British government is tightening quotas on non-EU immigration.
A British company is unlikely to even look at your CV if there's another qualified applicant in the pile, because of the cost and complexity of employing a non-EU worker.
There is no shortage of generalist developers in the UK and wages are significantly lower than in the US. Unless you have some specialised skills, your job search is likely to be quite arduous.
As others have pointed out, it's near impossible to find an employer willing to assist you in the process in gaining the appropriate visas. Time and effort aside, immigration law in the UK is a legal minefield and unless the company has a previous history of hiring non-EU nationals then they probably won't even look at your CV unfortunately.
jdietrich, it is good to know about those things; actually I have been struggling to find news about this but I think it is just a general sentiment and not a guideline.
ig1 and jacknews, you both are right for sure; I've got this feeling from the companies, they are really looking for exceptional skills and not hiring anyone who can be replaced by local talent.
Thanks for clarifying even if it's an almost no-hope effort.
When I started learning to program the greatest joy was code=some result. The greatest misery was installation, configuration and bizarro error messages. In this regard I think Haskell comes out far far ahead. When I first learned Haskell I remember installing Hugs was simple and the REPL worked immediately.
I think that the number one consideration for a first time programming language is the ease with which you can get working software that does something and gives feedback. Clojure has too many leaky abstractions and is not nearly as simple to get up and running. (Aside, I like Clojure)
I think that what I am reading as an implicit question of "should a programmer be initially exposed to the greatest type system known to man in Haskell or the one-true programming language in Lisp" is taking the wrong approach. We should ask "how can I expose a programmer to the joy of making things using only a brain and a keyboard". I suspect that many of the best Haskell and Lisp hackers we have got started on Visual Basic because it was so accessible.
I apologise if my characterisation of your question was wrong. It's not my intention to be offensive or stir up trouble. Those are two great languages to choose from, if you can capture the mind and imagination of a first time programmer with either of them they will be off to a great start.
However, I don't think that clojure is quite as great for teaching functional programming, because it is an eager language unless you explicitly tell it to be lazy exactly where you want it to be, so it doesn't have the performance optimizations that haskell has with recursion (as opposed to tail-call recursion) and it's therefore discouraged to not use tail-call recursion.
Now that's my recommendation for a first functional programming language. For a first language in general, I'd recommend the reverse because with clojure you can actually start doing something practical as soon as you get started, where with haskell it takes a while to get to that point.
But the installation process is different with the two. With clojure, the language is designed around being used with a build system as part of java tradition, which means that you normally can't just type `clj` and get a REPL (at least not with the official distribution). Generally the best way to go about doing that is to install leiningen and make a new project and do `lein repl` in the project directory.
In Haskell on the other hand (with the Haskell platform installer) you can just run the installer and type `ghci` and get a REPL. If you want to run a Haskell program to test it, it's just `runhaskell file.hs` and to compile, it's as simple as `ghc --make file.hs`. But when things get more complicated, even slightly so, Haskell can be an incredible pain to deal with (in terms of compiling and such) whereas clojure, being designed around build systems for large project, scales up just fine.
With Haskell, you'll be learning more than basic lambda calculus. Haskell has a lot of new concepts that traditional-language programmers may have to rewire their brains to think about. Things like lazy evaluation by default, automatic currying, a more advanced type system than most other languages and the concepts that brings like Functors, Monads, and Iteratees. Lazy IO is a rough edge which is, as we speak, in the process of being cleaned up by Iteratees.
With a Lisp, you can learn the basic concepts of lambda calculus without having to learn more advanced language features at the same time. You'll tackle things like programming in a declarative language and leveraging first-order functions. Remember, you're trading for-loops for recursion, and for some, that's enough brain rewiring without also worrying about lazy IO.
Lisp allows you to divide and conquer the multitude of language features functional languages have to offer. Why take them all on at once? Once you're comfortable with Lisp, Haskell's true benefits really start to shine. Haskell is by far my favorite language and I find myself hating programming without the features it offers, but I'm not sure I would have made it far enough to see its benefits without learning Scheme first. And learning Lisp is easy. It's a terse language in which one could write a small project in a few weeks and be ready for Haskell.
Haskell is challenging but there's a reason which I'll try to illustrate with an analogy: Calculus is more complex than arithmetic and without a more advanced problem to solve, the added complexity may not be a clear advantage. But you get to a certain point in physics where it simply becomes harder to work in only arithmetic and learning the abstraction of calculus up front pays dividends. Haskell is the same way. I'll end with PG's "The Blub Paradox" (http://www.paulgraham.com/avg.html, scroll down).
You can look at the Yesod book, Real World Haskell and "Learn You a" online, i.e. read the complete, updated texts. Thompson's orange "Craft of FP" is a good read also, with methodical (and relatively slow-paced) coverage of all the basics. GHC is piling on language features and libs at a breathless pace, from deferred type checks, limited forms of dependent types, concurrency (async loops, STM, updated thread manager), IO abstractions (conduits), web apps (Yesod).
Clojure is an incredibly well documented (in books) language. I'm looking at the excellent O'Reilly and Pragmatic books, and the 2 Manning books ("Joy of" is terrific), all of which came out in the last 4 months and target 1.3. And I will wager that Marick's book will be top notch as well. Unfortunately, these don't have texts online.
If you're going to learn a functional programming language learn a pure one.
None. Learn a language that is appropriate for beginners like Python or PHP.
I found them pretty useful -- have a look!
Also have a look at this one: http://news.ycombinator.com/item?id=3407705
http://colloquy.info/
http://www.barebones.com/products/TextWrangler/
http://www.macports.org/
http://www.finkproject.org/
http://www.videolan.org/
From their site:
Quicksilver is a launcher utility app for Mac OS X which gives you the ability to perform common, every-day tasks rapidly and without thought. An introduction to Quicksilver's abilities include:
* Accessing applications, documents, contacts, music and much, much more.
* Browsing your Mac's filesystem elegantly using keywords and 'fuzzy' matching.
* Managing content through drag and drop, or grabbing selected content directly.
* Interacting with installed applications through plugins.
Sublime Text 2 is pretty great (http://www.sublimetext.com/2).
Home brew or mac ports help install unixy tools. Work on the assumption that whichever you install, at least once a year you will have to completely remove it and reinstall it, as sometimes they get in a mess.
Apple mail is OK, I prefer thunderbird, but it isn't very Macy.
VLC tends to play whatever you chuck at it.
General note - HFS tends to get unhappy (performance-wise) if your drive gets more than about 85% full.
When I first got a mac I was tempted to install lots of hacks to standard apps and the OS. These seem much less popular nowadays, but still try to resist any, at least for a while. Mac OS X is very hard to debug if it starts to misbehave.
Finally, never install the .0 version of any new OS :)
> Homebrew is the easiest and most flexible way to install the UNIX tools Apple didn't include with OS X.
- iStat Menus: RAM, network and CPU usage right in your menu bar. Ridiculously useful.
- Video player: VLC
- FTP: CyberDuck. Desperately slow to launch and not a big fan of the UI but it's free, it works and I use FTP rarely enough to never have bothered looking for something better.
- gfxCardStatus - not necessarily a must-have but quite handy to see which app is causing your Mac to switch to the battery-sucking discrete GPU.
- Email: MailPlane (gmail / google apps only). I have to say that I've never found what I would consider to be a great email client for my taste on either Mac or Windows. So these days, I stick with Gmail's web interface (which I'm not a big fan of either but there's no native app that I find any better).
- Text Editor: TextWrangler. I still prefer Notepad++ though (in part because TextWrangler, like so many apps on Mac OS X, is so slow to launch).
- DaisyDisk - for later when you'll inevitably run out of disk space.
- Parallels Desktop for Windows + Remote Desktop Connection to manage Windows servers. I wish there was a better RDP client and a decent SSMS-like SQL Server client.
- Apps that used to be must-have but that I no longer use: HandBrake (DVD ripping), LiquidCD (CD / DVD burning), NetNewsWire (RSS)
That's about it. Random stuff that you might or might not need: Acorn (simple, cheap image editor), CoconutBattery, Hues (standalone color picker), iStumbler (Max OS X's NetStumbler), MacHg (Mercurial client). You can try Sparrow for email too.
That's it - I have surprisingly few apps actually.
- First thing you should do: Install Homebrew: https://github.com/mxcl/homebrew/
- IRC: Colloquy - http://colloquy.info
- Editor: Sublime Text 2 - http://www.sublimetext.com/2
- Launcher: QuickSilver or Alfred
- Lion's Mail.app is great. I used to use Sparrow (http://sparrowmailapp.com) on Snow Leopard, but don't need it anymore. It's a little buggy and I like Mail.app's UI better.
- IMPORTANT: Check http://gpgtools.org for a simple app that lets you manage PGP credentials and use them in Mail.app and elsewhere (don't miss this one)
- RSS reader: Reeder - http://itunes.apple.com/us/app/reeder/id439845554?mt=12
- You're new to Mac, so install CheatSheet (http://itunes.apple.com/us/app/id529456740?mt=12) to learn keyboard shortcuts by heart (press down CMD key for 2 seconds to get a list of all shortcuts)
- Check this blog out - it has plenty of great stuff about OS X that even veteran OS X users don't know (trust me, I know a lot of them): http://www.macyourself.com
- You'll inevitably wonder what 'ocspd' or 'mdworker' are, when using 'ps -Ac' or 'top' (spoiler: ocspd is for certifications, and mdworker, or metadata-worker is a process that gathers information about files and feeds them to Spotlight for search), so install atMonitor (http://www.atpurpose.com/atMonitor/) instead of searching for process names on the Internet. It offers tons of other cool features.
- Markdown Pro (http://www.markdownpro.com) and Mou (http://mouapp.com) for Markdown.
- As much as I despise iTunes, nothing comes close to it (unfortunately) in terms of media management.
- Bartender - tidies messy menu bars: http://www.macbartender.com
* Moom (http://manytricks.com/moom/) - allows you to move windows around a lot easier.
* TotalFinder (http://totalfinder.binaryage.com/) - Finder with tabs and other useful bits.
* CoRD (http://cord.sourceforge.net/) - Decent RDP client (better than the official Microsoft one).
* Caffeine (http://itunes.apple.com/gb/app/caffeine/id411246225) - Stops the screensaver activating at the click of a button.
* CleanMyMac (http://macpaw.com/cleanmymac) - Can strip the unwanted language packs etc from applications saving you a significant amount of space.
* Enqueue (http://www.enqueueapp.com/) - Decent iTunes replacement, with FLAC support.
* Flu.x (http://stereopsis.com/flux/) - Warmer screen during dark hours, makes it easier to work in dim light.
* SourceTree (http://www.sourcetreeapp.com/) - Decent GUI Git/Hg/SVN client.
* GrabBox (http://grabbox.devsoft.no/) - Instantly throws screenshots into your Dropbox public folder.
* iStat Menus (http://bjango.com/mac/istatmenus/) - Memory and CPU utilisation in your menu bar.
* YoruFukurou (http://itunes.apple.com/gb/app/yorufukurou/id428834068) - Decent Twitter client with muting rules etc.
- Sublime Text 2 editor (even has a vim mode) (http://www.sublimetext.com/2)
- Sparrow, but you might be happy with the native Mail app (http://sparrowmailapp.com/)
- Media: iTunes and Quicktime do a good job, VLC occasionally.
- Handbrake for encoding (http://handbrake.fr)
- Transmission (http://www.transmissionbt.com/)
- Dropbox (http://getdropbox.com)
- Cloud app: instant, easy uploads (http://getcloudapp.com)
- Twitter's official client (http://itunes.apple.com/us/app/twitter/id409789998)
- CSS: uh? There is Coda/TopStyle/Espresso, but ST2 is enough
- Github for Mac (http://mac.github.com)
- Versions for SVN (http://versionsapp.com)
- Sequel Pro (http://www.sequelpro.com/)
- Homebrew package manager (http://mxcl.github.com/homebrew/)
- ImageOptim (http://imageoptim.com/)
- CodeKit or LESS.app for LESS/Coffee compiling (http://incident57.com/codekit/)
- MS Office: yeah (it's much better than the windows version). Just hide the cruft away (MSN etc) after installing.
- Wunderlist to-do app (http://wunderlist.com)
Nice to have / superfluous:
- Mou markdown editor (http://mouapp.com/)
- Cathode: vintage terminal emulator (http://www.secretgeometry.com/apps/cathode/)
- Lidpop: make noises when you close/open your lid (https://shinyplasticbag.com/lidpop/)
* Growl works very well but the whole notification business (emails + builds + IM + song details…) can be counter productive. Use it lightly.
* iTerm2 is the most modern terminal emulator you'll find on Mac OS X. I use it only because I wanted 256 colors and I'm not on Lion. I've never used its more advanced features.
* I don't know Notepad++ but I would say Sublime Text 2 (http://www.sublimetext.com/blog/articles/sublime-text-2-beta) and TextMate (http://macromates.com/) may do. You could also try a full blown IDE like Aptana (http://aptana.com/) or RubyMine (http://www.jetbrains.com/ruby/). If you already know Vim, MacVim (https://github.com/b4winckler/macvim) is the way to go for both the GUI and the CLI.
* Apple's own Mail.app works well. I've never felt the need to use another app. Microsoft's Outlook is pretty good, too.
* VLC is the obvious choice on Mac OS X too. You might want to install Perian (http://perian.org/) to add support for many exotic formats to Quicktime. For audio, Cog (http://cogx.org/) is nice.
* You don't need a CSS editor. Just use your code editor.
You might be interested in a few other apps:
* ClipMenu (multiple clipboards) http://www.clipmenu.com/
* Burn (disc burning) http://burn-osx.sourceforge.net/Pages/English/home.html
* Charles (http debugging) http://www.charlesproxy.com/
* DejaMenu (access the menubar from a contextual menu) http://homepage.mac.com/khsu/DejaMenu/DejaMenu.html
* HTTP Client (http debugging) http://ditchnet.org/httpclient/
* Notational Velocity (the most elegant AND efficient note taking app ever) http://notational.net/
* Quicksilver (Quicksilver) http://qsapp.com/
* ShiftIt (window positioning) https://github.com/fikovnik/ShiftIt
* The unarchiver (opens exotic archive formats) http://wakaba.c3.cx/s/apps/unarchiver.html
* Yummy FTP (the best FTP client on Mac OS X) http://www.yummysoftware.com/
* VirtualBox (virtual machines) https://www.virtualbox.org/
* SourceTree (Git/Mercurial GUI) http://www.sourcetreeapp.com/
3. https://github.com/tpope/vim-fugitive, https://github.com/tpope/surround
4. The https://github.com/scrooloose/nerdtree
8. https://gist.github.com/2260182 (OS X for Hackers)
9. Cathode (http://www.secretgeometry.com/apps/cathode/, for shits and giggles)
10. DiffMerge (http://www.sourcegear.com/diffmerge/)
11. Electric Sheep (http://www.electricsheep.org/)
12. Gridwars (http://gridwars.marune.de/)
13. Integrity (http://peacockmedia.co.uk/integrity/)
14. httrack (http://www.httrack.com/)
15. iSoul (http://code.google.com/p/isoul/)
16. LittleIpsum (http://littleipsum.com/)
17. KeyCastr (https://github.com/sdeken/keycastr, more shits)
18. LiveReload (http://livereload.com/)
19. Mactracker (http://mactracker.ca/)
20. Onyx and/or Maintenance (http://www.titanium.free.fr/)
21. MAMP (http://www.mamp.info/)
22. MacVim (http://code.google.com/p/macvim/)
23. Patterns (http://itunes.apple.com/us/app/patterns-the-regex-app/id4294...)
24. Mou (http://mouapp.com/)
25. mutt (http://www.mutt.org/)
26. Pixelmator (http://www.pixelmator.com/)
27. ProCSSor (http://procssor.com/)
28. Reeder (http://reederapp.com/)
29. Skim (http://skim-app.sourceforge.net/)
30. Slammer (http://ringce.com/slammer)
31. Q (http://www.kju-app.org/)
32. svnX (http://www.lachoseinteractive.net/en/community/subversion/sv...)
33. SSHTunnel (https://github.com/primalmotion/sshtunnel)
34. localtunnel (http://progrium.com/localtunnel/)
35. The Unarchiver (http://wakaba.c3.cx/s/apps/unarchiver.html)
36. Homebrew (http://mxcl.github.com/homebrew/)
37. VLC Player (http://www.videolan.org)
38. Compass/SASS/LESS (http://compass-style.org/install/, http://sass-lang.com/, http://lesscss.org/)
39. Pandoc (http://johnmacfarlane.net/pandoc/)
* Transmit - FTP
* Pixelmator - 90% of Photoshop without the high cost but still with a slick interface
* Cornerstone/Versions - SVN
* Textmate - Code editor
* Wunderlist - Todo list
* Fantastical - Easy way to access and add dates to your mac calendar
* Concentrate - Block HN and other stuff when you need to get things done
(Note: Most of these are not free and are between $10-$80 but well worth it in my opinion)
1. Backblaze for off-site backups: http://backblaze.com
2. Dash for access docs: http://itunes.apple.com/us/app/dash-docs-snippets/id45803487...
3. Solarized and ir_black themes for Terminal and all editors: http://ethanschoonover.com/solarized / http://blog.toddwerth.com/entries/13 (I use ir_black w/ Terminal.app, terminal Vim and the sidebar fork of Macvim: https://github.com/alloy/macvim/wiki/Screenshots)
4. This fork of GitX: http://gitx.laullon.com/
5. DTerm (pop-up terminal emulator for the occasional 'less README'): http://decimus.net/DTerm
6. XScope (rulers and stuff for UI design): http://xscopeapp.com/
7. LittleSnapper (tried everything, this is the fastest and cleanest way to collect UI inspiration - Skitch + Evernote would be my second choice): http://www.realmacsoftware.com/littlesnapper/
8. Found (don't use this much, but it's awesome. Indexes Gmail, Dropbox and Google Drive and lets you search and launch files - a bit like Alfred): https://www.foundapp.com/
9. DaisyDisk (essential harddrive file visualization): http://www.daisydiskapp.com/
And, another shoutout for Quicksilver - more powerful than Alfred.
* 1Password - Password facilitator (http://www.agilebits.com, buy the Mac App Store version)
* OmniFocus - GTD/Todo list (http://www.omnigroup.com/omnifocus)
* OmniOutliner - Best list making app ever (http://www.omnigroup.com/omnioutliner)
* OmniGraffle - Great for development purposes (http://www.omnigroup.com/omnigraffle)
* Acorn - Quick image editing (http://www.flyingmeat.com/acorn)
* VoodooPad - Personal Wiki (http://www.flyingmeat.com/voodoopad)
* Byword - Markdown editor (http://bywordapp.com/)
* Dropbox - Duh (http://www.dropbox.com)
* Fantastical - Calendar app (http://flexibits.com/)
* Launchbar - Launcher (http://www.obdev.at/products/launchbar/)
* Reeder - Google Reader client (http://reederapp.com/)
* Transmit - SFTP (http://panic.com/transmit/)
* VLC - Video (http://www.videolan.org)
Along with iA Writer, Writeroom, Sublime Text, etc etc... there are a lot of great apps. The above are my favorites.
Divy (Lay out all your windows on a grid extremely quickly)
Skitch (quickly marking up screenshots, photos, etc)
WeatherHD (Lap warming tool, also renders beautiful full screen weather for what's happening where you are/where you set it to)
Visual JSON (JSON validator, builder)
Crash Plan Pro (a pretty reasonably non-invasive offsite backup program)
1Password (Cross platform/Smartphone password autofill manager)
Camouflage (Hides everything on the desktop when you present)
Caffeine (Keeps the laptop awake while you're presenting)
Daisy Disk (Finds the crap you can delete and clean off the hard drive, quickly beautifully, and makes cleanup a joy)
Screenflow (Excellent videocasting/webcasting/tutorial making software) (Currently on sale at http://www.mupromo.com/ for half off its $99 pricetag with other stuff included)
Screenshots (Fantastic tool for taking a picture of exactly the section of the screen you want, and nothing more).
If you have iOS devices you like/use too, AirDisplay (makes an iPad or iPhone an extension of the mac desktop) and AirServer (makes the mac a mirror of the iOS screen using Airplay).
Geektool is an excellent tool that makes a lot of stats about your Mac on the desktop, it's infinitely customizable, but has a steep learning curve, maybe to be installed in the second batch.
I hate iCal, although it does integrate different calendars. I think it and Mail tool are some of the poorest designed Mac software (e.g. compared with Outlook) but what are you going to do.
Secrets is another advanced tool that exposes many hidden settings for the Mac.
- Google Chrome (http://chrome.google.com)
- iTerm2 (http://www.iterm2.com/)
- Xcode (http://developer.apple.com/xcode/)
- Homebrew (http://mxcl.github.com/homebrew) - For emacs-snapshot, zsh, git, gnupg, etc.
- Google Drive (https://drive.google.com)
- Flux (http://stereopsis.com/flux/)
- TextMate (http://macromates.com/)
- VLC (http://www.videolan.org/vlc)
- Transmission (http://www.transmissionbt.com/)
But the above are the ones that seem to make it onto every new machine in the first day or two.
Other apps that I always install on new Macs are Homebrew, VLC, Adium, MacIrssi and then the usual stuff that's on any PC (Spotify, Skype, Dropbox, Minecraft, F.lux).
And yeah it's important to install Xcode, otherwise your system doesn't have a C compiler so you can't do much. I think Git is also included with it.
iCal and Mail do a fantastic job syncing with Google and Exchange, so I use those.
1) Moom (move/zoom windows) - http://manytricks.com/moom/
2) TotalFinder (enhances the finder) - http://totalfinder.binaryage.com/
Some other must haves for me:
* rather than vanilla vim, try MacVim
* textmate is popular, though I don't use it
* tunnelblick for vpn management
* video: vlc, but mplayerx and MPlayer OSX Extended are popular options
* TotalTerminal (make terminal show/hide with a keystroke)
* cyberduck (ftp/s3/whatever file transfer client)
* keka as unarchiver
* xchat aqua as alternative irc client
Sparrow (http://sparrowmailapp.com/) is my favorite email client.
I can't live without a window resizer on OS X. Use SizeUp (http://www.irradiatedsoftware.com/sizeup/) for easy window maximizing, half splits, and quadrant resizing.
PREY: http://preyproject.com/
KNOX: https://agilebits.com/knox
Don't set your Mac to auto-login on your main account. I use an empty account that starts up automatically. It has no real data and Prey is installed on it. Set the screen to lock after 1 min of not using it. I keep important stuff in its own Knox vault.
Try out ZSH if you want to try something slightly different to Bash.
Package Manager: Homebrew - https://github.com/mxcl/homebrew
Terminal/Emulator: iTerm2 - http://www.iterm2.com/
Vim running in iTerm2 via Homebrew
Chat Client: Adium - http://adium.im/
MySQL DB GUI: Sequel Pro - http://www.sequelpro.com/
Mail: Sparrow - http://sparrowmailapp.com/
Git GUI: GitX (L) - http://gitx.laullon.com/
Window "manager": Shiftit - https://github.com/fikovnik/ShiftIt
General productivity: I love QuickSilver, however it's been crashing quite frequently on me since I installed Lion, so I'm giving Alfred a try at the moment.
Same with Sparrow for (non power use) GMail.
Currently enjoy Found (over Alfred and Quicksilver) as a Spotlight (native to OS X) replacement -- it's free in the "App Store"
Most people don't need Photoshop but still want something that supports layers, does image manipulation basics and feels like a happy OS X citizen.
On the other hand, GraphicConverter is the Swiss army knife of image formats and is even more powerful. GC can read virtually any image file ever created. It's a little more buggy, and the UI is less modern/fancy, but oh so handy.
Yorufukurou - hardcore twitter client
Media player: I prefer mplayerx to VLC. mplayerx is on the app store.
Text: macvim and sublime text 2.
VLC - video player
iTunes - music
Alfred - launcher
Divvy - window management (can create hotkeys for resizing/positioning windows)
Kaleidoscope - great diff tool
I use the default Mail and Calendar apps
- Perian (http://perian.org) Perian lets quicktime run almost any video format. Unfortunately it's not under active development. Still useful to have installed regardless.
- Google Chrome (http://www.google.com/chrome) Don't install Flash unless you have to. Chrome has it built in. I use Safari for most of my browsing and switch to Chrome when I want to use flash.
- If you aren't going to install Flash, then install YouTube5 (http://www.verticalforest.com/youtube5-extension/) It's a Safari extension that lets you watch YouTube videos natively without Flash.
- Day-O (http://www.shauninman.com/archive/2011/10/20/day_o_mac_menu_...) Adds a drop down calendar to the menubar.
- Alfred (http://www.alfredapp.com/) Another vote for Alfred. Much quicker and more powerful than Spotlight.
- 1Password (https://agilebits.com/onepassword) Remembers passwords/logins and makes it super easy to auto login to sites.
[Development]
Spotlight - OSX built in app launcher etc
SourceTree - GUI Git/Hg/SVN client.
HomeBrew - like apt, yum package manager
MacVim - Coming from the GUI world look at Janus
iTerm2 (Zsh, OhMyZSH plugins)
MAMP - Apache, MySQL etc dev env (like XAMPP)
$ CSSEdit - GUI CSS editor, mainly use vim
CyberDuck - (s)FTP
Sequel Pro - MySQL GUI, SSH connection
$ Parallels - VM
[Calendars] - iCal or $ Busy Cal
[Mail] - OSX Mail
[Office] - $ iWork, LibreOffice
[Feed Reader] - NetNewsWire
[Torrent] - Transmission
[Transcode] - Handbrake
[Utilities]
$ little snitch - Network monitor
MenuMeters - Free limited version of iStatMenus
Flip4mac - WMV in Quicktime
Perian - Make QuickTime like VLC
TwoUp - free window basic management
RightZoom - Maximise zoom button
ClipMenu - Multi Copy, Paste board
UnArchiver - File Decompression
CleanArchiver - File compression (sans .DS_Store)
NameChanger - GUI for mass renaming files
Onyx - System maintenance and set extra OS defaults
Click2Flash - Extension in Safari blocks flash defaults to HD mp4, right click to download video.
At the same time, if you've not spotted by now that EBS (elastic block storage, which powers RDS) is not reliable and not to be trusted, then you have to look at yourself too.
EBS is by far the worst product AWS offer, you simply should not use it without a very good reason, and if you do need to use it, you have to assume any given drive image will disappear at any moment - as it did here.
Beyond that, any time you're running a database, no matter who the provider is, if you're not doing backups every day or hour, then you're not doing things right.
Good backups are the best defense.
Could you explain that a bit more?
If you were running your own database, you surely would have had rigorous backups because the responsibility was on you.
Assume that if a service can fail, it will. If data can be lost, it will be. Then, plan accordingly.
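The comments above boil down to two checks that are easy to automate and rarely are: is the newest backup recent enough, and does each backup on disk still match what was recorded when it was taken. The script below is an added example (not code from any commenter or from AWS); it assumes a backup job that appends one line per run to a manifest of the form `<UTC timestamp> <sha256> <filename>`, and a one-hour recovery point objective. The three sample backups are constructed in a temporary directory so the whole thing runs offline.

```python
"""Backup freshness and integrity check.

Added example, not from the original thread. Assumed conventions:
  - a manifest with one line per backup: "<ISO-8601 UTC ts> <sha256 hex> <filename>"
  - a recovery point objective (RPO) of one hour
Sample backups below are constructed on the fly in a temp directory.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=1)  # assumed RPO; tune to your own risk appetite


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large dumps don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str):
    """Return [(timestamp, digest, filename)] from the assumed manifest format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, digest, name = line.split(maxsplit=2)
        # Python < 3.11 rejects a trailing "Z", so normalise it to an offset.
        entries.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), digest, name))
    return entries


def check_backups(manifest_text: str, base_dir: str, now: datetime,
                  max_age: timedelta = MAX_AGE) -> dict:
    """Flag a stale newest backup, plus any missing, empty or tampered file."""
    problems = []
    entries = parse_manifest(manifest_text)
    if not entries:
        return {"ok": False, "problems": ["no backups recorded"]}
    newest = max(ts for ts, _, _ in entries)
    if now - newest > max_age:
        problems.append(f"newest backup is {now - newest} old, exceeds RPO of {max_age}")
    for _, digest, name in entries:
        path = os.path.join(base_dir, name)
        if not os.path.exists(path):
            problems.append(f"{name}: file missing")
        elif os.path.getsize(path) == 0:
            problems.append(f"{name}: empty file")
        elif sha256_of(path) != digest:
            problems.append(f"{name}: checksum mismatch")
    return {"ok": not problems, "problems": problems}


def demo(now_hour: int = 12) -> dict:
    """Constructed scenario: one good backup, one silently corrupted, one missing."""
    now = datetime(2012, 5, 1, now_hour, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "db-1100.sql.gz")
        with open(good, "wb") as f:
            f.write(b"-- constructed dump contents --\n")
        bad = os.path.join(d, "db-1000.sql.gz")
        with open(bad, "wb") as f:
            f.write(b"original\n")
        good_digest = sha256_of(good)
        bad_digest = sha256_of(bad)
        with open(bad, "ab") as f:      # corruption after the manifest was written
            f.write(b"garbage")
        manifest = "\n".join([
            f"2012-05-01T10:00:00Z {bad_digest} db-1000.sql.gz",
            f"2012-05-01T11:00:00Z {good_digest} db-1100.sql.gz",
            f"2012-05-01T09:00:00Z {'0' * 64} db-0900.sql.gz",   # never landed on disk
        ])
        return check_backups(manifest, d, now)


if __name__ == "__main__":
    for p in demo()["problems"]:
        print("PROBLEM:", p)
```

With `now` at 12:00 the 11:00 backup is inside the one-hour window, so only the corrupted and missing files are reported; run `demo(14)` and the stale-backup finding appears as well. The point of hashing at backup time rather than at check time is that an EBS volume or S3 object that quietly changes underneath you shows up as a mismatch instead of being trusted on restore day.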
I did find a blog post about this by Pingdom in 2009
I think it's interesting because of the notion of having some sort of Chef or other configuration management on Github, and then being able to fork that for particular development purposes or preferences and switch between them. I gather from some of the other interviews that the sputnik project is aiming for something like that.
As far as hardware goes, I like Lenovo ThinkPads best, and the Dell E65xx series that kind of copy them are also pretty good. I expect to screw around googling driver settings and etc on any new hardware I buy, so I'm not too worried about "just working". Someone else's definition of everything "just working" probably isn't good enough for me anyway.
Running clones of specific production environments in a VM is a good idea, using it as your main everyday interface is not, IMHO.
But your laptop is already certified there; the sleep thing has been around in linux for a long time and the only thing is to make sure it goes to sleep before you put it away or shut it down when you are done.
Battery life again isn't going to improve with another laptop; Windows should be better for pretty much every supported laptop. You could look into buying a bigger battery maybe?
You could try System76 but I don't know that they will be better than an x220
If you decide to learn to live with it, actually learn to live with it: you will have to adopt new usage patterns and tools. Don't try to turn it into Ubuntu, it's not.
You say you're willing to pay so take a look at people like Zareason and System76 -- people who design the hardware around what will work in Linux. You pay them over the odds, they support you.
But don't get hung up on some features. Battery life is one of those where everybody seems to get the same drop vs Windows. Yeah, I'd really like those bugs found and fixed but it's not going to affect my purchasing decisions. If I need long battery life, I just look at bigger batteries (or slower CPUs). Graphics is another interesting topic.
I'd also go out of my way to avoid dual-GPUs (Optimus et al) for the moment. They do work (bumblebee, ironhide, tbp, etc) but having to prepend things with optirun can get annoying - plus they're another power drain.
In contrast to some competing free apps/services, the Pushover mobile apps are $3.99 which pays for the monthly hosting costs to keep the service running. Both apps are highly rated on both app stores and so far the app sales have paid for the domain name and other tangible development costs and are continuing to generate profit. I just purchased a Blackberry phone for development and plan to create a Blackberry app for the service.
Sharks and all that: http://news.ycombinator.com/item?id=4017843
(Am I paranoid much?)
I also made StepStats - http://StepStats.com/ - for better FitBit data visualization; it's free, but enough people have donated money that it has covered all costs involved.
This was a weekend project and it performs already way better (a few weeks in) than my 1.5 year startup (which is something completely different).
That's some scary shit right there. Purely fascinating.
Plus greed on the part of ICANN. You can only sell one .google TLD, but there are thousands of relevant words in the dictionary for anyone with a deep enough coin purse.
On the other hand, I'm sure they'll make them publicly available - for the right price.
Were any alternative methods of allocating TLDs ever proposed?
How are those non-standard .cc addresses working out for everyone?
Nice idea, but you should link that lonely island to twitter/facebook as (Mobile-/Web-)App for higher availability.
The Twitter bootstrap looks ugly. Why not use warmer colors and stock photos that spread a warmer feel. Customizable SmilePages that contain all the love at a secure/private link would also help spreading.