Personally, I am somewhat heartened by the fact that this is remaining such a hot topic. I honestly thought it would have already faded as the "topic of the day" at HN by now, and to the public-at-large as well. But it's remaining in the news both here and in the general press, which suggests that more people do care about these issues than maybe my cynical side expected.
Alternatively it would be nice to see someone take action against PRISM. Less talking. More action.
For my part, I donated $100.00 to the EFF a couple of days ago, and I just registered tricrypto.com, which I intend to use as the website for a new "Triangle Crypto" group here in the Raleigh / Durham (NC) area. The goal will be to engage in promotion, advocacy and education around the use of strong cryptography and related technologies, including Tor, I2P, GPG, SSL/TLS, etc.
Edit: For more information on "Triangle Crypto", see:
No, I won't stop talking about PRISM. It, and all the recent and likely future revelations, impact entrepreneurship more than the vast majority of other news events today.
Your very manner of speaking can reveal a lot about you. I vaguely remember hearing a cold reader say something like, "the first thing I get to know about someone is their hands." Similarly, your word and spelling choices can inform others about your country of origin, and can potentially do much more than that.
Tor could have security issues, especially if you don't keep it up-to-date. Even if it doesn't have security issues, you could accidentally choose an entrance and exit node which are in cahoots and can thereby de-anonymize you. This applies less to hidden services, but still does apply. That is, the government could have compromised the hidden server, and thus might be able to correlate your activity.
Speaking of that, the times of day that you're active can already narrow down what countries you may live in, and may reveal roughly when you go to work and when you come back. So, for example, if you're using IRC over Tor, people could probably get a lot of information about you. Supposing that law enforcement has narrowed your real-life persona as a likely target, for example, they might just see if you join and part only when you're home.
If you were, say, browsing Hacker News or some other site, this could possibly be identified simply by looking at the size of the chunks of incoming traffic. This would be more and more common for larger and larger files -- I would not recommend downloading large videos over Tor, and images could probably offer a similar fingerprint.
You could use an insecure application over Tor -- sending BitTorrent tracker requests over Tor (while downloading in the clear) is one of the most common. So, if you tried to start up your IRC client before the Tor proxy was up, and your client happened to detect that its proxy wasn't working and tried to connect without one, that could compromise your identity pretty fast. For that matter, someone could potentially use an exploit against an out-of-date browser or operating system to turn on your webcam and take some pictures. For that matter, someone could hide a camera right behind you. You might consider only using Tor from within a bedsheet fort if you're suitably paranoid.
More realistically, the fact that you're using a bootable live distro could potentially be used to identify you; there aren't so many people doing that and your Referer string might well be unique. For that matter, the fonts installed on your machine might be probed and unique. It's worth checking this with EFF's Panopticlick. If your use of Tor hidden services reveals "he's a Welsh male Debian and Tor user who likes this obscure band," you might be identifiable solely based on that, and it's hard to be 100% sure that you have masked the fact that you are Welsh or male.
The publicly available tools for making yourself anonymous and free from surveillance are woefully ineffective when faced with a nation-state adversary. We don't even know how flawed our mental model is, let alone what our counter-surveillance actions actually achieve. As an example, the Tor network has only 3000 nodes, of which 1000 are exit nodes. Over a 24-hour time period a connection will use approximately 10% of those exit nodes (under the default settings). If I were a gambling man, I'd wager money that there are at least 100 malicious Tor exit nodes doing passive monitoring. A nation state could double the number of Tor exit nodes for less than the cost of a smart bomb. A nation state can compromise enough ISPs to have monitoring capability over the majority of Tor entrance and exit nodes.
Other solutions are just as fragile, if not more so.
Basically, all I am trying to say is that the surveillance capability of the adversary (if you pick a nation-state for an adversary) exceeds the evasion capability of the existing public tools. And we don't even know what we should be doing to evade their surveillance.
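The wager in the comment above can be put into numbers. This is an added worked calculation, not part of the original comment: with the comment's figures (1000 exit nodes, roughly 10% of them used over a 24-hour period) it computes the exact probability that at least one of the day's exits is malicious, for a range of hypothesised malicious-exit counts. The assumption that the ~100 exits touched are drawn uniformly without replacement is mine; real Tor exit selection is bandwidth-weighted, which only changes the odds if malicious exits differ in bandwidth from honest ones.

```python
from fractions import Fraction
from math import comb


def p_no_malicious_exit(total_exits: int, malicious: int, used: int) -> Fraction:
    """Exact probability that `used` distinct exits, drawn uniformly without
    replacement from `total_exits`, contain none of the `malicious` ones.
    Hypergeometric tail: C(total - malicious, used) / C(total, used)."""
    if used > total_exits - malicious:
        # Pigeonhole: more exits are used than honest exits exist.
        return Fraction(0)
    return Fraction(comb(total_exits - malicious, used), comb(total_exits, used))


def p_at_least_one_malicious(total_exits: int, malicious: int, used: int) -> float:
    """Probability that at least one of the day's exits is malicious."""
    return float(1 - p_no_malicious_exit(total_exits, malicious, used))


def expected_malicious_exits(total_exits: int, malicious: int, used: int) -> float:
    """Expected number of malicious exits among those used (hypergeometric mean)."""
    return used * malicious / total_exits


def exposure_table(total_exits: int = 1000, used: int = 100,
                   malicious_counts=(1, 10, 50, 100, 200)) -> dict:
    """Assumed scenario from the comment: 1000 exits, ~10% used per day.
    Returns {malicious_count: P(at least one malicious exit used)}."""
    return {m: p_at_least_one_malicious(total_exits, m, used) for m in malicious_counts}


if __name__ == "__main__":
    for m, p in exposure_table().items():
        mean = expected_malicious_exits(1000, m, 100)
        print(f"{m:4d} malicious of 1000 exits -> "
              f"P(>=1 hit in a day) = {p:.5f}, expected hits = {mean:.1f}")
```

With the comment's own guess of 100 malicious exits, the chance of passing through none of them in a day is on the order of 1e-5; even a single malicious exit gives a one-in-ten daily chance.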
As for VPN providers, there are YC companies who do security so they're known and ideally trustable. Rather -> The chain of trust is easily verifiable.
That is about the best I can do.
I'm actually curious as to what others say about this as well though!
As for bugs and such, I haven't encountered any that would stop me from using the beta or are frustrating. The only app I have right now that crashes on me is Google+.
I can deal with all the other issues, but terrible battery life is a dealbreaker. I'll hold off putting it on my primary phone until it improves.
An analog to the Hippocratic oath (an oath which is not taken generally in any consistent form, which has no binding force, and the form of which that is administered is generally maintained and decided on by individual educational institutions rather than the practicing community) is probably not useful.
Everybody will find justification for their actions as unethical as they may seem to you.
So, yes to more freedom, and please refuse to be terrorized (https://www.schneier.com/essay-124.html). Freedom is the absence of coercion, and that is all the security I care to have. The chance of being murdered by a politically motivated hot-head is so low that it doesn't even register on my list of concerns.
There are nearly 40,000 drunk driving deaths per year. If we are willing to give up privacy for security, why aren't there DUI checks on every onramp? Drunk driving kills more people than terrorism by orders of magnitude.
Too bad the statement above confuses me! That's the exact reason why they commit domestic terrorism... ahh, the irony!
It will make for a good story in the future called "The Fall of the Advanced Humans". It shall be a mere legend, as near-primitive people will wonder how this advanced world could destroy itself.
Then 1000 years later, history would have been repeated, and there will be a legend called "The Fall of the Advanced Humans, That Once Wondered How an Advanced World could destroy itself... They found the answer"... etc.
Sorry for the rambling. I like your post, though. I agree 100% that PRISM is an act of terrorism on our freedoms.
"They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin
But bringing in a bunch of uninformed yelling people into the IETF won't help. Bringing in a bunch of concerned but informed people _can_ make a difference. But like most things that make a difference, it will take a bit more of your time than just clicking a form.
(a) will not be enabled by default; the developer would have to enable it explicitly?* ;
(b) is mainly intended for compatibility with existing SIP systems rather than new applications, and
* I am not sure if this is actually true; the SDES draft's statement that users of SDES "can be informed of the necessary precautions" suggests that it is, but the problems draft suggests a downgrade attack, and both are somewhat confusing. I would try to figure it out for myself, but WebRTC is one of the most complicated standards I have ever even begun to understand. In any case, if it's possible for a webapp to end up using SDES without explicitly enabling it, that is a bug and should be fixed. There would probably be more productive ways to go about this than posting on HN about the NSA taking over WebRTC.
I mean, most devs right now are doing web apps in JS, so obviously if you manage to restrain browsers from being able to do simple, raw p2p, you've won another battle against the making of a tech like BitTorrent.
I so wish BitTorrent Inc. could pick up on that... The web is not secure, but p2p networks are much more so. Someone really has to make p2p networks more accessible and more functional for tech-unsavvy people. BitTorrent Sync already does a great job at that, but that's not really enough; it's just files, not discussion groups or private messages.
Why not start with just an anonymous p2p discussion system, without moderation or identification? 4chan works that way, and they manage it pretty well; it doesn't seem to bother many people. I emphasize the "without moderation or identification", because I guess there will be security flaws allowing someone to thwart messages.
Any reflections on such systems?
If you're ruled to need to comply with CALEA, and don't, you're shut down.
I don't think this is correct.
1) Interception is usually about passively recording something. It is totally possible for some party to intercept a DTLS-SRTP session without being noticed. The session would just be encrypted. So it depends on how much CPU power or knowledge about crypto or protocol vulnerabilities the attacker has to turn that intercepted encrypted session into something usable.
2) Persona does not protect against MITM. It operates at a completely different level. At its most basic, it is just a mechanism to get a verified email address from a user.
You are correct about SDES and signaling servers. Unfortunately you always need someone in the middle because even in 2013 probably 99.9% of 'things' on the internet are behind NAT.
There are probably secure options to encrypt the SDES before it goes via the signaling server but nobody has really explored that fully.
Iceland seems a safer place to me from a democracy standpoint.
Right now the problem is "the cloud" not the country for the US anyways...
There are also sites which focus more on specific topics... if you're into server-side Java stuff, there's http://theserverside.com, if you're into programming language research, there's http://lambda-the-ultimate.org, etc., etc.
And a lot of the more niche subreddits are actually pretty good. Stay away from /r/funny, /r/politics and the other "big" ones and check out /r/machinelearning, /r/compsci, /r/systems, /r/math, or /r/compscipapers, etc.
There are some other worthwhile tech communities on G+ - just visit https://plus.google.com/communities and do some searches, e.g. for your favorite programming language, platform, or framework.
And many other subreddits besides.
I'd suggest doing some tutorials on http://psd.tutsplus.com/ maybe. Though I don't like how hard they're pushing premium content now, and I more or less deleted my own account in disgust after their passwords were dumped, I found them to be a pretty good resource.
With the availability of Glyphicons, or FontAwesome, or the numerous cheap assets you can buy it doesn't make much sense to spend your time on an area you're not proficient in. (Unless you want to become a designer?)
If you want to edit the filter 1) change parameters, 2) click preview to see new filtered results, 3) click save to get a link to the new filter.
Update the removal list in the URL as necessary (or go to http://diff.biz for an old default removal list).
My site has been dead for a while (I think crawlers are crawling my site causing it to hit HN, but then HN blocks me due to over requesting), but I unblocked it today. We'll see how long it lasts.
When you connect to the internet, you're going through the USA even if the company you're dealing with is based in some other place. For example, I just ran a tracert on a connection to a college located in the same city I am in, and it goes through New York State before hitting a data centre in the UK.
You can install Ubuntu, use AOSP on your phone, and use Firefox for your browser. But as soon as you connect to any service, including Hacker News, there is a good chance you're being spied upon.
If you want to avoid the dragnet then I'd stick to obscure sites and services (i.e. smaller providers), since the NSA likely hasn't taken the time to spy on each and every one. Also, online games' in-game chat might be somewhat spy-free (relative to other IM services, anyway).
Then use some form of anonymous payment for anything you buy.
Ensure all of your browsing is done through Tor and/or a VPN.
Don't cache anything, just in case you get raided.
Also, always use a PC in the dark. It works. Trust me.
While SHA-1 should not be trusted too much because it has shown possible theoretical attacks, SHA-2 still holds. Also, these kinds of things are IP - there are a lot of eyeballs and scrutiny going on.
There is a much bigger chance of a fraked-up implementation that will make it insecure than of the theory failing - there are a lot of independent researchers that have scrutinized them quite a bit. And while I am sure the NSA employs a lot of very capable people, they do not hold a monopoly on world-class cryptographers.
SHA-3 is the product of a peer-reviewed cryptographic contest.
The Flame malware was distributed using a fake certificate that was generated via a brand new (publicly unknown) chosen prefix collision technique against SHA-1.
That should be reason enough not to use SHA.
It is pretty different from the existing mail clients for the console (pine, alpine, mutt, sup, notmuch), partly for being modal, and partly because it only handles Maildirs. No IMAP or POP3 support at all.
In terms of functionality it is usable for sending, processing, and receiving emails. But support for attachments is still missing.
There are 2 versions of the Survey compiler, one in production use and a newer version in advanced prototype targeted at tablets etc. The production-use compiler is targeted at India and the Middle East and anywhere else where you do Market Research using the Pen and Paper format. It can generate outputs for IBM SPSS-Quantum (specialised software for data processing), SPSS, and my own cross tabulation engine, described below. Our current offering to clients is a potential 70% speedup in data processing using our system for Pen and Paper data entry.
The cross tabulation engine is on similar lines to IBM SPSS-Quantum but removes many limitations and is potentially much faster. I tested it on 1 million records - each record had about 64000 conditions, and it was able to process the data in 20 seconds (I tried this after seeing Evan Miller's post on HN, where someone asked how fast his software was on 10 million records). I compile the input programs to simple C++ fixed-size arrays, and data is stored on disk as a flat file, fixed length per record. I have been experimenting with SSE instructions - there is a lot of potential for further speed improvement.
This is a git repository; active branches are:
nc - this is a stable version of the compiler, but uses ncurses and
web-questionnaire-2 - this is the new survey compiler
Active GUIs/Frameworks we can compile to are: 1. gtk 2. wxWidgets 3. webtoolkit. I have also separated out the runtime environment so that we can compile with emscripten. Using this, we can compile with 1. Dojo, ExtJs 2. DojoMobile - I could not get Sencha Touch to work.
rdg - this is a branch for a Random Data generator. This was used to generate the 1 million records for my testing. I was able to get it to go at a speed of about 170 records a second.
If anyone is interested in playing with it, please write to me - my email should be all over the source code. We are also looking to make a business out of this (I have 2 friends and family investors).
While it's just basic technically, I've learned a lot about A/B testing & driving traffic.
Have taken the first few orders, which is a proof of concept! Currently working on the next version, integrating more product images & branding too.
Also I work on http://foundcamera.com - it gets quite a bit of natural traffic & submissions are backing up. Could do with some php help if anyone needs a weekend gig!
There were already a few around, this was for fun and I wanted one with easy pre/post hooks.
The use case is 3d shapes where the volume makes 3d printing cost-prohibitive, for example this 4 foot long tyvek dolphin: https://plus.google.com/u/0/photos/102064314320177820526/alb...
If you're in boston, stop by the collision19 show for a look: http://collisioncollective.org/show/collision19
EDIT: Should probably provide some more information. It's an easy way to add colors to the patterns provided on subtlepatterns.com without having to dive into Photoshop.
A 32 channel data logger, driver communication and information aid for motorsport and automotive testing
A kids education app with a Scottish 'teacher' character - this will hopefully be uploaded for App Store approval this weekend
and I have a few client projects on the go
I'm working on a new project management tool called Matterhorn.io. It's for companies who are design-led and follow agile for development.
There are a million and one project management apps, but none of them are a fit for us: we like Basecamp but need a scrumboard; we like Jira but find it's too complicated. We are building a happy medium.
http://deployanything.com (win,mac,lin + pi)
Tech: C++11, Qt, node.js
Basic HTML + CSS (don't spend too much time here) + skim the Bootstrap docs (you should use Bootstrap for everything after this).
Basic JS. Go deeply into JS (inheritance, etc) if you want to do rich client-side front-end JS or Node.js (more on that choice later); otherwise that is unnecessary.
jQuery. Also learn to use AJAX with jQuery (and learn about REST/HTTP).
Basic SQL and setting up your own schemas (set up tables in the command line interface for MySQL/PostgreSQL/SQLite). I recommend Postgres.
Now pick one of 3 web backend ecosystems: Ruby, Python, or Node; and learn the language. Pick Ruby or Python if you already know one of them. Pick Node if you want to make real-time and concurrent apps or don't want to learn another language (I'm talking true realtime - i.e. collaboration tools, chat, dispatch systems, etc). Pick Python if you want to integrate machine learning/data analysis/natural language processing into your app. Otherwise, pick Ruby (best job prospects, biggest web development ecosystem).
For Ruby, start with Sinatra. For Python, Flask. For Node, use raw Node, and then use Express. Use raw SQL, then try an ORM (ActiveRecord, SQLAlchemy, Sequelize).
Optional: Rails, Django, or Meteor. (Meteor is not really comparable. It's very immature/bleeding edge and has a different use case. I put it there because it's the most popular full-stack big JS framework). I say optional because there are essentially two models for web development: server-centric (everything rendered on server and served), or api-client-side-centric (server = API, browser/mobile app = rich client side). For server-centric development you'll want to learn Rails/Django. For rich client you can stick with Sinatra/Flask (Meteor would be rich client, though).
If you do go the rich-client route, do a little Backbone. I personally never liked Backbone; if you also dislike Backbone, consider AngularJS or Ember (AngularJS is what I'm using now).
With this broad foundation, start with a longer-term project idea and build out its entire stack.
Some topics to explore after you've gotten a foundation: MongoDB/NoSQL, regular expressions, advanced CSS3, advanced HTML5 features, dev ops, socket.io (for Node), promises/fibers (for Node), CSS pre-processors, CoffeeScript, d3 (front-end JS).
REST and ORM are merely concepts. You will learn what an ORM is by the process of first learning SQL, and comparing that to your experience with using ActiveRecord/Sequelize/SQLAlchemy. You can simply google "What is REST?", or "REST API tutorial."
As to your questions about Foundation and Go: what I've prescribed here is a foundation. Not a definite, set-in-stone path. There is certainly a lot of buzz around Go. Yet the question is not whether you should learn Go. The question is whether you, as a beginner, should learn Go now. Go is bleeding-edge and highly immature (in terms of the ecosystem). It is not something you should tackle first. As for the Foundation vs. Bootstrap debate, the reason I mention Bootstrap is because it is more or less the de-facto standard HTML/CSS framework. But ultimately it doesn't matter which you pick. I've never used Foundation, but I could read the docs in an hour. This is the least of your worries. Just pick one and go with it. Baby steps.
Disclosure: I work at Code Fellows.
Unfortunately, outside of our little bubble here online, the rest of the world is not the same. There are still millions of citizens, blissfully unaware, perhaps due to either ignorance or fear. Our job now is to educate these people and teach them that the government is an entity to be trusted no longer. No longer will elections entail cheering on corrupt candidates who break promises regardless of the political side they take. No longer will our citizens stand helpless as the entrenchment of totalitarianism continues perpetually. No longer will we be a slave to the whims and fancies of our government.
It's time the government worked for us. I think the bozos in command have all but forgotten that they are nothing but LOWLY SERVANTS, not saints who can deliver promises and change set upon a lie. We need to change that. Call your senator. Email your legislature. Tell them your utter dissatisfaction with this issue. Tell your relatives. If they say they don't care, follow them around everything they do and ask if they like that. If they don't, tell them this is what the government is secretly doing. If they still don't, repeat.
Tell your friends, your relatives, your brothers and sisters, to stand up to the oppressive government. Don't be hotheaded; now is not the time for mercurial emotion. Now is the time for reason. If your congresspeople cooperate, good. If they brush you off, say "fuck you" and hang up (I'm being blunt here), and vote for a third-party candidate the next time round.
We can make a difference. We will defeat the Empire, the evil, dark Empire founded by a father whose progeny has gone to the dark side.
Let's do this shit.
among which I especially recommend From Dictatorship to Democracy: A Conceptual Framework for Liberation
as a how-to guide for gaining freedom even when the dictators are willing to torture and kill to limit freedom. (I have seen one country make a successful transition from dictatorship to democracy largely by following this conceptual framework.)
Seriously, step away from the internet/reddit/HN/blogs and go out on the street and talk to an average Joe/Jane about where this ranks on their priorities.
People who think there will be a "revolution" over something like this are seriously misguided. Revolutions happen when people are hungry. The average American is not starving and will never be rioting in the streets over phone records.
A lack of transparency for intelligence operations means their outcomes are difficult to measure, which in turn means the bang-for-the-buck efficacy of those operations is probably not a significant deciding factor in the funding they receive.
If on the other hand you want to change society or improve the lives of people and you have recognised a way of doing so, then don't give up. Treat your choice as a journey or adventure. You're going to have setbacks and failures and spend many nights thinking about quitting, but you will overcome them and the struggles will make you a better person in the long run.
Just because you don't get to the summit of Everest doesn't mean you haven't achieved anything, and it doesn't mean you haven't improved as an individual, and it doesn't mean the next time you try to climb you'll fail again either.
Edit: Also, update your blog, it's long overdue!
It might help to remember that.
What I'm doing a little bit different now is really getting out there trying to sell the mvp after it is built. I get burned more often, but at the very least I know a little bit more on what my customer wants.
Hang in there!
The other thing you need to be careful of is getting blind to your small successes. There are probably 10 things a day that I do that people new to programming would be confused by, or wish they could do. They're so commonplace to me that I just do them with no appreciation that I did something someone else would find difficult.
If you've had no level of success yet, then change your approach. Forget networking or pitching or the X factor; that shit is almost irrelevant. Find a way to make a profit, however small it may be, and build from there.
Don't start with an idea that requires critical mass or a community; just start with a simple product that you can sell.
- Someone that Crunchbase wants to interview for every late-breaking tech news story
- Someone who runs a single person company that makes $60,000 profit after taxes
- Someone who has earned FU money by building their own company(s)
- Someone who has over $1m in the bank in cash
- Someone who has built a recurring revenue stream from just an idea
- Someone whose business hasn't failed yet
- Someone who built a company from an idea and that business sustains them
- Someone who built a company that has employees
- Someone who was able to buy a company and turn that company into a better, more profitable company/outcome
There's not just one definition. So what is "a successful startup" to you? Your definition of success goes a long way to defining your happiness, I think.
Try looking for a similar name. Plenty of people use search engines and bookmarks, so a domain like thexxxx.com or getxxxx.com isn't that ridiculous.
See item 4d in the list. James Siminoff tells how he pleaded for and was given the domain Noble.com for free.
If you have a viable money-making idea, build it without the magical domain name, get rich, buy the domain.
The most important thing is just to pick a direction and get started. It doesn't have to be anything more specific than "I want to build something using Raspberry Pi".
Once you pick a direction you can start working through some basic tutorials and learning the ropes. At this point after understanding what's possible you might get some ideas about what you might want to do.
If you don't have ideas yet that's ok, but now you're pretty well equipped to research what other people have been doing with your platform. You could build somewhat different alternatives to existing projects, or work on trying to contribute an extension to an existing project.
If just looking at projects doesn't spark any ideas start talking to people. Start with people who might know something about your topic at your university, or reach out to individuals in the community.
The key to a research project is just getting interested in one idea or question. Once you develop a little curiosity about one little thing, it's like pulling on a thread that's connected to a much larger tapestry. Maybe your original idea has already been done, but you find something else that's closely related that hasn't been done. You'll quickly be able to follow this tiny thread to a much larger world that will be of great depth and in general can be very interesting. If you have the diligence to carefully review existing work, it's not hard to steer yourself to a totally uncharted area (this is probably a lot of work for a senior thesis, but if you find it fun then go for it).
Also, don't worry too much about originality. Re-creating something that already exists is a good learning experience, and might lead to other interesting ideas, like taking an existing thing and using it for a slightly different purpose. Just make sure to give credit where it's due. This isn't a PhD thesis, and I don't think you'll be knocked for not making some brilliant original discovery. The key thing is to get started and follow your curiosity.
quartertime writes: "Remember Reflections on Trusting Trust, the classic paper describing how to hide a nearly undetectable backdoor inside the C compiler? Here's an interesting piece about how to hide a nearly undetectable backdoor inside hardware. The post describes how to install a backdoor in the expansion ROM of a PCI card, which during the boot process patches the BIOS to patch grub to patch the kernel to give the controller remote root access. Because the backdoor is actually housed in the hardware, even if the victim reinstalls the operating system from a CD, they won't clear out the backdoor. I wonder whether China, with its dominant position in the computer hardware assembly business, has already used this technique for espionage. This perhaps explains why the NSA has its own chip fabrication plant."
Interestingly, I managed to discover a Huawei trojan that installed itself, without me granting permission, via a hotel router. It wasn't particularly well built back in the day, which made it easy-ish to identify.
Makes me wonder where China is going with all the deals Huawei is making with Govts across the world too.
It depends on what type of problems interest you.
That said...I worked for a telco for a number of years, so it's a safe bet I did.
SaaS still looks like the best way to deliver our software but I suppose now we will have to load the whole thing with even greater data encryption to help customers feel comfortable. Now just where do we put those encryption keys?