hacker news with inline top comments    10 Aug 2013
1
Ask HN: Advice for Canadian looking to move to US for IT work
6 points by canadiancreed  5 hours ago   5 comments top 3
1
Spoom 3 hours ago 1 reply      
My first advice as a Canada-to-US immigrant is, don't attempt to come down on a visitor visa or visa waiver (i.e. visa-less entry) and get work. It sounds like this would be obvious to you based on your question, but so many people think they can just adjust their status later once they're in the country, and by and large they are very mistaken.

As a Canadian, you can, however, apply for TN (NAFTA) status at the border.[1][2] You need a prearranged job to do this, though, and it has to fit one of several categories defined by NAFTA[3]. Typically, you must have at least a Bachelor's degree.

I'm a family-based immigrant so I don't know how hard it is to get prearranged work on a visa basis. I do see a lot of postings that require permanent residency or citizenship, though I believe such immigration classification discrimination is illegal.

[1] http://travel.state.gov/visa/temp/types/types_1274.html

[2] http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b...

[3] http://canada.usembassy.gov/visas/doing-business-in-america/...

2
gesman 3 hours ago 0 replies      
What's your passion?
- south-ness of the border?
- great job?
- nice pay?

Pick ONE (not two or three)

3
lifeisstillgood 3 hours ago 1 reply      
Why not work remotely?
2
We need an NRA for privacy
209 points by plg  15 hours ago   160 comments top 26
1
rayiner 13 hours ago 7 replies      
Privacy advocates need to get their act together and form a single-issue organization. I need to be seeing teenagers coming to my house peddling privacy the way they do for churches and baby seals. The tech industry needs to sack up and realize that their business interests are at stake, and put some serious money in PACs behind the whole effort. It needs to have a focused mission, no getting distracted in related issues (e.g. copyright reform or reform of hacking laws), but be a big tent (don't care what else your other viewpoints are). There needs to be a diversity of messages, targeted at different demographics. There has to be something in it not just for techie yuppies in San Francisco, but also church-going grandmothers in small-town Iowa (any political movement that can't capture at least some old people is dead on arrival). That's a key strength of the NRA: it has vigorous support across a wide diversity of voting demographics.

The EFF and the ACLU are fine for what they are, but they've got too broad of a mandate to have the kind of focused impact you want. You can't be an effective mainstream advocacy organization when you're off defending unsympathetic people for principled purposes. That's an important thing too, but it's a different thing.

For people interested in effecting real political change, I seriously recommend watching this documentary on the Prohibition: http://www.pbs.org/kenburns/prohibition. One group of people got a nation that until (and during and after!) prohibition drank 140 million gallons of liquor a year to outlaw alcohol. The money wasn't on their side (the government made 1/3 of its revenues from liquor taxes and the beer makers had tremendous power), but they accomplished their goal by masterful politicking: http://en.wikipedia.org/wiki/Wayne_Wheeler.

"Under Wheeler's leadership, the League focused entirely on the goal of achieving Prohibition. It organized at the grass-roots level and worked extensively through churches. It supported or opposed candidates based entirely on their position regarding prohibition, completely disregarding political party affiliation or other issues. Unlike other temperance groups, the Anti-Saloon League worked with the two major parties rather than backing the smaller Prohibition Party."

2
hga 13 hours ago 5 replies      
What has made "the NRA"---really, gunowners, the NRA has but a fraction of them as members---so powerful?

Well, first of course there's a lot of us. Even having only a fraction, the NRA now has 5 million members. The EFF? I would be surprised to learn they had more than 50,000 (couldn't find a number in a quick search).

2nd, we vote, and many of us vote first and foremost on this issue. Especially since it's a good general touchstone, not that more than a tiny tiny fraction of national level politicians really give a damn about either issue no matter what they say most of the time.

3rd, there are many major elections where it's clear gunowners were a necessary if not necessarily sufficient part of the winning side. Gun control at the national level mostly disappeared in this century until Newtown after the Democrats suffered a string of catastrophic defeats from losing both houses of the Congress in 1994 to Al Gore losing by a whisker in 2000. That it was even close is telling, especially since Bush isn't much of a conservative or friend to gun owners, e.g. he officially supported renewal of the "assault weapons" ban.

(Note that it's in our cultural DNA to defy being told we can't or shouldn't have something, be it guns or e.g. drugs. But those are tangible, literally put your hands on them things, not like "privacy", the loss of which isn't immediately visible.)

On the side of the Stupid Party, every post-Reagan defeated Presidential candidate was, or appeared to be bad on gun ownership (Romney's actions were good, but his rhetoric was very bad). Again, the very narrow margins by which Bush won in 2000 and 2004 are probably also telling, bad rhetoric and very few good actions.

Now for some historical specifics that made a difference:

The biggest is how extreme gun grabbers are. While businessman Eric Schmidt is notorious for some creepy even if possibly true statements, I'm not aware of any national level politician who's willing to go on record saying we have no right whatsoever to privacy (whatever they actually believe).

Nothing compared to e.g. Dianne Feinstein's "If I could have gotten 51 votes in the Senate of the United States for an outright ban, picking up every one of them . . . Mr. and Mrs. America, turn 'em all in, I would have done it. I could not do that. The votes weren't here.", or Michael Dukakis' "I do not believe in people owning guns. Guns should be owned only by police and military. I am going to do everything I can to disarm this state."

Legislation stripping us of gun rights is much more in your face than e.g. FISA, and has much more concrete results (see below). Privacy is much more a Federal issue, although there have been a number of gun privacy atrocities at the state and local level. Whereas the nation frequently watches some state go crazy and e.g. tell you that you can load only 7 bullets in your 10 round magazines ("clips"), and arrest people on that basis. Plus hypocrisy, there are many many carve outs for the anointed, be they police or politicians, or the frequent discovery that a prominent gun grabber owns guns. And all the politicians with armed bodyguards telling the rest of us we don't deserve that level of protection.

Then there are specific atrocities, cases well known by gun owners of innocents brutalized or killed by abusive organs of the states. This became big a while after the national Gun Control Act of 1968 was passed, when the BATF had to find something to do for its Revenuers after sugar price supports killed the moonshine industry.

Our side can point to kittens killed ("I swear I am not making this up"), pregnant mothers who miscarried, people crippled for life, mothers shot dead while holding a baby (Ruby Ridge, in which the BATF was enlisted to try to force her husband to spy), and many many outright killed (Waco started out as a BATF "ricebowl" operation, they wanted some nice video for their first budget in the Clinton Administration). Plus a constant drumbeat of gun owners ensnared by "flypaper" laws in gun grabbing localities; even NYC has realized it's damaging their tourist industry.

And how could I forget Fast and Furious, just one of several Federal Government gun running operations that sent thousands of guns south of the border, resulting in 350 deaths and counting, just to generate better statistics for gun grabbing propaganda (that reason is now on record and any other explanation suffers an Underpants Gnomes logical error).

The very secrecy of our national security privacy problems makes the latter problematical. Ignoring that the targets of the DEA are seldom ones we can empathize with, that they launder the tips they get from the NSA means that as of now I don't think there's a single specific case we know of.

And one final general point: lots of public figures are willing if not happy to demonize gun owners of almost every sort, and gun organizations (we can see the latter in this discussion). That results in strong push-back from the targeted (again, it's not in our cultural DNA to take that lying down).

3
lambda 14 hours ago 3 replies      
It's called the EFF.

The problem is, it's mostly supported by individuals, not the industry. And there are a lot more individuals interested in gun rights than electronic rights. It has a budget that's a tiny fraction of the NRA's.

4
jstalin 13 hours ago 0 replies      
Go. Right now. Donate all you can to EFF. NOW.

https://supporters.eff.org/donate

Other ways you can help EFF, like using their Amazon referral link:

https://www.eff.org/helpout

5
oinksoft 15 hours ago 8 replies      
There's a reason the NRA can do what they do: Guns are a >$30B/year industry.

http://www.businessweek.com/articles/2013-03-14/the-nras-cor...

6
jellicle 12 hours ago 3 replies      
Currently 59 comments on this post, 2 hours old, I did a ctrl-F "epic" and get no results.

So apparently no one at Hacker News knows about EPIC:

http://epic.org/epic/about.html

which is, more or less, what the original poster is asking for. They're not militant, I suppose. They don't have the same level of anger that the NRA manages to harness, don't have talk radio hosts promoting them, that sort of thing. But they do exist and are focused on this one issue of electronic privacy, and yet apparently are failing at their job of self-promotion, because no one on HN knows they exist.

Are they failing to do enough outreach? Is a different organization really needed, or does EPIC just need to do a better job of marketing itself?

7
k2enemy 15 hours ago 2 replies      
The NRA is a powerhouse because millions of Americans (and manufacturers) care enough about guns and the 2nd amendment to be willing to donate and pay fees to the NRA.

Privacy? Not so much. But we do have the EFF. So donate!

8
robg 11 hours ago 1 reply      
Privacy isn't explicitly guaranteed in the Constitution. So the Court has tended to side with the Government on matters of National Security vs. Privacy. In fact, the Constitution guarantees searches for the Government, so long as they are reasonable. On matters of national security versus a database, national security readily wins. The Court finds those searches reasonable.

So, in the case of Privacy, you aren't fighting your Representatives who can be bought to change laws. You are fighting the Court. That fight is much more of a long game. And that long game would seem to be better won through broader Civil Rights which are already under attack. Read the First Amendment and think of Snowden and the media. Read the 4th and consider the broadness of "unreasonable" and where it extends to property seizure laws. Heck read the 8th and consider how broadly solitary confinement is used as punishment in our prisons. Or how anti-drug and anti-marriage laws restrict personal choice. To me, protection of our broad Rights against the Leviathan is the issue of our time.

That said, the 2nd Amendment is also an ally in this fight. In contrast to Privacy, the right of gun ownership is explicitly guaranteed and the NRA is a partner in questions of privacy. We just need to help them realize that the national security apparatus could easily be expanded inwards to target gun owners. We need to help them realize that the technology to do so is already trivial for the Big Bad Government.

9
VandyILL 13 hours ago 1 reply      
I don't think it'll work.

The NRA & the gun industry have successfully marketed a product, and the NRA has successfully marketed itself as the means of protecting customers' rights to that product.

Note, the NRA doesn't have to be the one that markets gun ownership as a positive - that can come from any number of sources, inside and outside of the gun industry. The NRA just has to give the image of being the political outlet to protect that right. Thus the media and/or possibly the gun industry can throw gas on the fire to show that guns are a necessity of American life and in turn, because of its perceived credibility on the issue, people vote according to what the NRA says.

Now, presently I don't think either the NRA or the industry really has to do much work marketing guns. All they have to do is hold back the tide whenever a tragic event happens and forestall action when the willpower to change is present. Then, when election season rolls around, they just remind their members how to vote.

In the case of privacy there is #1 no product, and #2 no clear "defender" of our right to privacy. Further, given the nature of privacy, I don't think there will ever be a clear product or defender for/of that right. Without that, there's never going to be the approach that markets the product as a necessity or a group people will pay attention to when voting.

Just think about the ACLU - part of their mission is privacy. But yet I'm sure half the people who care about internet privacy don't even like much less trust the ACLU. EFF - majority of the population hasn't heard of them. It's just too sensitive of an issue to have a blanket organization representing everyone's interest.

Finally, as a side note, I think I would pay for an email service like this: free email, with conditional payments. Whenever the service receives and refuses a government request, it charges a very small fee (couple cents or even a penny - will wait till x amount has accrued before charging card). Then in turn, the payment fee goes to the campaign of a pro-privacy candidate or organization like the EFF etc.

10
protomyth 12 hours ago 0 replies      
It comes down to this, Does the EFF scare Senators and Representatives at election time? If the organization that defends your rights doesn't scare the hell out of a campaign (to the point opponents demonize the organization and its members) then they are worthless for advocacy in this era.

The NRA does this and, like the ACLU, knows to defend the extremes. If we want the 4th amendment defended, then we need that type of organization.

11
danso 15 hours ago 0 replies      
The NRA actually does stand up for privacy: of its members, anyway. You've probably heard of those stances being used against the NRA sometimes, for example, when they've fought to prevent the Feds from denying gun rights to people who have been placed on terrorism-related suspicion lists (which, by some reports, were as inaccurate as the no-fly lists).

If you hate the NRA, it's easy to paint this political stance as nothing but a move of pure-gun-lust...however, such stances set precedent for other privacy related rights. To put it another way, just because the ACLU defends pornographers, it doesn't mean the ACLU is doing it purely out of love for pornography.

edit: In any case, there will never be a "NRA for Privacy". Pause and think about it. What does the average person experience in terms of privacy invasion? Not too much, and not at a constant clip. Would that average person be able to discern between heavy privacy protections versus some privacy protections, on a daily basis? Not really, you mostly only know your privacy is being invaded when it's too late.

Compare that with how your life as a gun owner changes if, say, conceal and carry is revoked. Or AR15 rifles are banned. You experience that immediately.

Also, good luck getting celebrities on board. They are used to having their privacy violated as a matter of routine. For them to experience a real change in privacy would involve infringing on certain First Amendment rights (look up the difference between public and private figures)

12
wes-exp 12 hours ago 0 replies      
Privacy is what economists call an "externality" - i.e., the full cost of harming privacy is not accounted for in conventional business activity (like pollution).

In the past, naturally occurring inefficiencies helped to safeguard privacy. Privacy was free. However, now that the technology to collect, store, analyze, and distribute information is so cheap and readily available, we are seeing a massive loss of privacy.

As an economic externality, privacy can only be protected through deliberate effort. We will not get privacy unless we demand it from society. Therefore, political action is a prerequisite. Pro-privacy organizations will be essential in the years ahead.

13
aubergene 13 hours ago 1 reply      
Systems like PRISM should be a lobbying issue for the NRA. Background checks and gun ownership registration become moot when the government has copies of all your web browsing history, purchasing activity and correspondence. PRISM is the biggest threat to the second amendment, the NRA needs to wake up to this.
14
tippytop 14 hours ago 1 reply      
We need a privacy amendment to the Constitution. It needs to shore up the legalese of the 4th which lawyers have made a runaround.
15
_pmf_ 14 hours ago 0 replies      
The problem is that people really love guns.

People only like privacy as an optional concept; what they really like is sharing their personal information with strangers on the internet.

16
johnny22 15 hours ago 2 replies      
it's called the EFF.. DONATE!
17
pcvarmint 4 hours ago 0 replies      
The NRA is not the most gun-friendly organization. The JPFO and Gun Owners of America are better. The NRA is a sellout, compromising on principles in order to maintain political power.

Just as the Rutherford Institute is more protective of individual rights than the ACLU is.

But you're right we need an organization for privacy.

The EPIC and EFF are not enough.

18
brador 14 hours ago 1 reply      
The problem is encryption is useful for many things. Some good, some bad. It's great for underground humanitarian organizations in third world countries...it's also great for kiddy diddlers hiding their stash. But the tech is the same, so we pick both or none. Right now, government is leaning on none.
19
jbaiter 15 hours ago 0 replies      
How about the ACLU and the EFF?
20
dreamdu5t 7 hours ago 0 replies      
The problem is there's no big business in protecting privacy, and therefore no lobbying money. The NRA is driven and funded by gun manufacturers.
21
tomphoolery 13 hours ago 0 replies      
I would join this, and be as militant as the NRA.
22
jydarche 12 hours ago 0 replies      
We can't expect such association when the biggest internet companies in America (Google, Facebook, Yahoo...) clearly don't care about privacy. It's all about money.

Google don't be evil? FAIL

23
readme 12 hours ago 0 replies      
We already have the EFF.
24
BgSpnnrs 15 hours ago 1 reply      
I think the issue of privacy is being intentionally and collusively kept a series of domestic affairs by national state agencies.

We need a global charter for privacy rights.

25
RRRA 12 hours ago 0 replies      
It's called the EFF, and please don't compare it to the NRA :P
26
mattreaver 14 hours ago 0 replies      
www.campaignforliberty.org
3
Why is encryption so hard?
41 points by retube  15 hours ago   35 comments top 22
1
jgrahamc 15 hours ago 5 replies      
You can certainly find libraries with interfaces like that. For example, OpenSSL has extensive libraries for all sorts of cryptographic primitives and protocols.

If you take a narrow focus on a particular cryptographic event (such as your encryption of a string with an RSA public key) then you miss the greater story about encryption: it's not just the individual cryptographic primitive that needs to be implemented correctly, it's everything else.

An RSA encryption like that does not stand alone. Keys must be generated, secured and distributed. The RSA library itself must be validated to ensure that it works correctly. The actual primitive must be used correctly (in the case of RSA don't use a stupid exponent as some have done). And the environment within which the encryption is used must be understood and secured (just look at the CRIME and BREACH attacks against TLS to see how something 'secure' can be broken because of something apparently irrelevant, in this case, compression).

The overriding reason that encryption is 'hard' is that secure computer systems have enemies and those enemies (attackers) will do _anything_ to attack the system. They will attack it based on timing, compression problems, flaws in the protocol, freezing the RAM to extract a private key, etc. etc. There's really no end to the variety of things you can try to attack a cryptosystem.

So, building a secure system may have encryption as a necessary condition, but it's not sufficient. So much else can and will go horribly wrong.

If you are interested in this hit the books and understand the history of cryptography. For example, look at how Vigenere was broken by Babbage, or the Venona ciphers, or Lorenz. These 'old' ciphers can tell you a lot about how people actually attack things. Then read about modern ciphers and attacks on them. Wikipedia has much. Read about TEMPEST and imagine other attacks possible in that way.

2
e12e 14 hours ago 1 reply      
Lots of good answers here. NaCl (salt) is one (relatively) recent effort to be just such a library, see eg under the sub-heading "High Level Primitives" on the features page:

  http://nacl.cr.yp.to/features.html

  High-level primitives

  A typical cryptographic library requires several steps to authenticate and encrypt a message. Consider, for example, the following typical combination of RSA, AES, etc.:

  * Generate a random AES key.
  * Use the AES key to encrypt the message.
  * Hash the encrypted message using SHA-256.
  * Read the sender's RSA secret key from "wire format."
  * Use the sender's RSA secret key to sign the hash.
  * Read the recipient's RSA public key from wire format.
  * Use the recipient's public key to encrypt the AES key, hash, and signature.
  * Convert the encrypted key, hash, and signature to wire format.
  * Concatenate with the encrypted message.

  Sometimes even more steps are required for storage allocation, error handling, etc.

  NaCl provides a simple crypto_box function that does everything in one step. The function takes the sender's secret key, the recipient's public key, and a message, and produces an authenticated ciphertext. All objects are represented in wire format, as sequences of bytes suitable for transmission; the crypto_box function automatically handles all necessary conversions, initializations, etc.

Of course, "such libs have bugs" -- it is software after all. But bugs can (and will be) fixed.

Somewhat unique to security and cryptography are the number of subtle bugs possible. There are both problems of actual "normal" bugs (like the Debian entropy bug) and system level design errors (like CRIME).

NaCl/Salt tries to reduce the number of errors possible by using the library wrong (as opposed to eg: openssl that has a very (some say too) rich interface). But you could still end up writing the secret key to swap. Or doing something silly with the plain text. Or expose yourself to a buffer overflow in the part of the code that renders those cute avatar-images for your chat application.

edit: formatting

3
preinheimer 14 hours ago 0 replies      
Simply invoking some sort of "encrypt" library is easy, it's everything else that's hard, and you have to get it perfect.

- Simply encrypting your message as indicated will not protect you from replay attacks. Someone could record your message and re-transmit.

- Simply encrypting your message will not assure that the contents haven't been modified, someone could patiently sit in the middle poking bits to see what happens.

- Most encryption schemes will require you to choose a block cipher, doing so requires some knowledge of the options and the data you're sending. Some handle large amounts of data poorly, others fail when you send identical messages.

- Most encryption schemes will require you to initialize them with truly random data, both an early version of Netscape, and Debian messed something up and provided far less entropy than they appeared. Relying on /dev/urandom on a machine that's just booted, or otherwise faulty entropy providers is fatal.

- Attackers can record your data and play with it forever, so even if a mistake or attack isn't revealed for years, they can still go back and decrypt your data. I believe the NSA broke the Russians' use of a One Time Pad because they re-used pages years later.

- Simply encrypting data doesn't provide assurances that you're communicating with the system you think you are, the initial contact is still tricky.

So there's more to it than a single function call.
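
Two of the failure modes in the list above, identical messages under a deterministic block mode and a keystream used twice (the stream-cipher version of a re-used one-time-pad page), in working Go. This is an added example, not code from the thread; the key, the messages and the all-zero nonce are constructed for the demo, and Go's standard library is used throughout.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ecbEncrypt runs the raw AES block function over each 16-byte block. The Go
// standard library deliberately ships no ECB mode; this is what a developer
// gets by calling block.Encrypt in a loop, and it is deterministic per block.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// cbcEncrypt prefixes a fresh random IV, so equal plaintexts (or equal blocks
// inside one plaintext) no longer map to equal ciphertext blocks.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, bs+len(plaintext))
	iv := out[:bs]
	if _, err := rand.Read(iv); err != nil { // crypto/rand, never math/rand
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[bs:], plaintext)
	return out, nil
}

// duplicateBlocks counts how many 16-byte ciphertext blocks repeat an earlier
// block; any value above zero is message structure leaking through the cipher.
func duplicateBlocks(ciphertext []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// ctrNonceReuse shows why a CTR nonce must never repeat under one key: both
// messages are XORed with the same keystream, so XORing the two ciphertexts
// cancels it, and whoever knows one plaintext reads the other without the key.
func ctrNonceReuse(key, nonce, known, secret []byte) ([]byte, error) {
	if len(known) < len(secret) {
		return nil, errors.New("known plaintext must cover the secret one")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	encrypt := func(pt []byte) []byte {
		ct := make([]byte, len(pt))
		cipher.NewCTR(block, nonce).XORKeyStream(ct, pt) // same nonce both times: the bug
		return ct
	}
	c1, c2 := encrypt(known), encrypt(secret)
	recovered := make([]byte, len(secret))
	for i := range recovered {
		recovered[i] = c1[i] ^ c2[i] ^ known[i]
	}
	return recovered, nil
}

func main() {
	key := []byte("constructed-key!") // constructed 16-byte AES-128 key, demo only
	msg := bytes.Repeat([]byte("ATTACK AT DAWN!!"), 3)
	ecb, _ := ecbEncrypt(key, msg)
	cbc, _ := cbcEncrypt(key, msg)
	fmt.Printf("ECB repeated blocks: %d, CBC repeated blocks: %d\n", duplicateBlocks(ecb), duplicateBlocks(cbc))
	nonce := make([]byte, aes.BlockSize) // all-zero nonce reused on purpose
	rec, _ := ctrNonceReuse(key, nonce, []byte("known message..."), []byte("the secret one.."))
	fmt.Printf("recovered without the key: %q\n", rec)
}
```

Counting repeated blocks is the simplest check you can run against your own ciphertexts: a mode used correctly never shows any.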

4
sdevlin 13 hours ago 0 replies      
A few reasons.

The overarching problem is that you don't really get any feedback about whether what you're doing is right or wrong. For example, no cryptographer would use RSA like that, but that's not obvious just from studying the wiki article. Or from looking at the function output - it does turn ASCII into gibberish, as advertised, and that's where most developers will call it a day.

The moving parts are also treacherous. You're not just going to encrypt a string - someone is meant to decrypt it. Have you authenticated the ciphertext? Are you exposing a padding oracle? Or timing attacks? Are messages susceptible to replay? In crypto systems, these things are equivalent to locking the front door and leaving the window wide open.

In practice, most insecure crypto constructions aren't due to bugs in the implementation of RSA or AES. They're because of developers choosing inappropriate primitives, gluing them together incorrectly, or inadvertently exposing dangerous side channels.

Fortunately, there are libraries that can help. As mentioned elsewhere, NaCl/Sodium and KeyCzar provide higher-level interfaces that can abstract away many of these issues.

5
gcv 13 hours ago 0 replies      
Lots of good answers on this thread. I think the fundamental underlying reason is that programming is difficult and so poorly understood.

A given: all software has bugs. Usually, that doesn't matter: a CRUD app will eventually get debugged enough to the point of usability. (Sometimes even maintainability.) We do not understand enough about programming to guarantee perfect execution in all cases, but no one gains any value by causing an obscure input case to cause a null pointer exception.

Whenever we use crypto, however, we inherently have code which protects something valuable: from forum passwords to credit card numbers to state secrets. This means that all the subtleties which break in ordinary code, but no one cares about, suddenly become important. Every interaction of input to memory to processing to storage (to network) must be scrutinized for places where a crucial piece of data may leak an encryption key, or perhaps just enough known plaintext of known ciphertext to mount an attack.

6
andrewcooke 14 hours ago 0 replies      
To answer the "why is it hard?" question, I tried to collect my own experiences at http://www.acooke.org/cute/WhyandHowW0.html - not sure I did a good job, but the main conclusion was that you underestimate how important experience is in avoiding errors.

To repeat what others have said in answer to your more general question - solutions to "real world" problems include more than a single call to a primitive. So you need to find libraries that provide a higher level API, like parts of NaCL http://nacl.cr.yp.to/, Google's keyczar http://www.keyczar.org/, etc.

Even for simply encrypting a string with a password - https://pypi.python.org/pypi/simple-crypt which is what I talk about in the first link - I needed three things: key strengthening, the encryption itself, and an HMAC. Making those work well together was harder than I expected (at least 5 bugs harder...)

7
sarbogast 15 hours ago 0 replies      
Also, encryption is all about maths, so there are hundreds of ways to do just about anything, different parameters, different algorithms with different tradeoffs about speed, performance, resistance to attacks, data bandwidth, etc. etc. So I don't think a library with the kind of interface you describe would be very useful. But I do think it would be great to have a library that allows us to configure encryption based on requirements instead of technicalities.
8
Shish2k 15 hours ago 0 replies      
AFAIK there's no "encryption for humans" library (at least no widely known, widely used, widely tested one) - they all rely on the developer to specify the right parameters into the function, with no sanity checking asserts.

The results of this is things like the developer who used "1" as the multiplication factor, so to decrypt the data, you need to divide each block by 1...

9
Zigurd 12 hours ago 0 replies      
There are two facts about crypto that often get mixed up in these discussions:

1. For a high value target like Edward Snowden, there is a broad spectrum of attacks, and any operational weakness is fatal. There are many examples of these attacks described on this thread. Unless you know what Snowden knows, odds are you will not get it right.

2. BUT, if everyone had easy encrypted email and real time communication, the mass surveillance machine would be blinded, because the kinds of attacks that are used against high value targets do not scale up well.

10
nilved 14 hours ago 1 reply      
Encryption being painfully and needlessly difficult is one reason why it isn't widespread on both the business end and the consumer end. GPG, which _everybody_ should use for email, has one of the most terrible interfaces conceived. It is absolutely no surprise that people would rather be spied on than spend a week getting that POS working.

There's a massive market for easy-to-use encryption. Easy-to-use does not imply insecure in any way at all.

11
pothibo 15 hours ago 0 replies      
I guess the main problem is that encryption is foreign to most of us (myself included). It's hard to understand what is safe from what isn't.

It's also very hard to figure out if your encryption is bugged or not. I guess that for most of us, once your method returns a hash, you expect that everything is secure.

On a side note, I wonder how many people on HN would claim to know the inside out of encryptions. (Not the difference between SHA1/MD5/bcrypt but the actual math behind derivations and how they work)

12
geoffsanders 8 hours ago 0 replies      
For anyone interested, we have encryption examples in Python (PyCrypto & M2Crypto library), Ruby (OpenSSL), PHP (phpseclib), Java (Spongy Castle) and Objective-C (CommonCrypto) here: https://launchkey.com/docs/api/encryption

disclosure: I'm a co-founder of LaunchKey

13
reaperhulk 13 hours ago 0 replies      
Just in your example there's already a problem. If you don't use something like OAEP padding (PKCS1 v1.5 padding has been proven to have issues) then you're vulnerable to attack (see: Bleichenbacher http://www.bell-labs.com/user/bleichen/papers/pkcs.ps).
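
An added illustration of the point above, not code from the thread: raw RSA on a string (the operation the question describes) is a deterministic function of the message, while RSAES-OAEP from Go's standard library mixes in fresh randomness on every call. The key pair is generated on the spot and the candidate messages are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// newKey generates a 2048-bit key pair; the toy sizes seen in tutorials are
// refused by current Go releases for good reason.
func newKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// textbookEncrypt is "encrypt the string with the public key" as a wiki
// article states it: c = m^e mod n with no padding at all. Equal messages
// therefore give equal ciphertexts.
func textbookEncrypt(pub *rsa.PublicKey, msg []byte) []byte {
	m := new(big.Int).SetBytes(msg)
	e := big.NewInt(int64(pub.E))
	return new(big.Int).Exp(m, e, pub.N).Bytes()
}

// oaepEncrypt uses RSAES-OAEP, which is randomised, so two encryptions of one
// message differ and a small message space cannot be enumerated. PKCS#1 v1.5
// encryption is also randomised but carries the padding-check weakness the
// comment above points at, so OAEP is the one to reach for.
func oaepEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func oaepDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// isDeterministic reports whether encrypting msg twice yields identical bytes.
func isDeterministic(encrypt func([]byte) []byte, msg []byte) bool {
	return bytes.Equal(encrypt(msg), encrypt(msg))
}

// matchTextbook shows what determinism costs: anyone holding the public key
// can encrypt each plausible message ("YES"/"NO", a PIN, a name from a list)
// and compare against the ciphertext. Against OAEP the same loop never matches.
func matchTextbook(pub *rsa.PublicKey, ct []byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		if bytes.Equal(textbookEncrypt(pub, []byte(c)), ct) {
			return c, true
		}
	}
	return "", false
}

func main() {
	priv, err := newKey()
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey
	tb := func(m []byte) []byte { return textbookEncrypt(pub, m) }
	fmt.Println("textbook RSA deterministic:", isDeterministic(tb, []byte("YES")))
	c1, _ := oaepEncrypt(pub, []byte("YES"))
	c2, _ := oaepEncrypt(pub, []byte("YES"))
	fmt.Println("OAEP deterministic:", bytes.Equal(c1, c2))
	vote, found := matchTextbook(pub, tb([]byte("NO")), []string{"YES", "NO"})
	fmt.Println("textbook ciphertext matched to:", vote, found)
}
```
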
14
bradleyjg 13 hours ago 0 replies      
https://code.google.com/p/keyczar/

From their homepage:

import org.keyczar.Crypter;

// Crypter loads the key set from that directory and picks the algorithm and
// mode itself; both calls throw KeyczarException if the keys are unusable.
Crypter crypter = new Crypter("/path/to/your/keys");
String ciphertext = crypter.encrypt("Secret message");

15
weavejester 15 hours ago 0 replies      
Sometimes crypto libraries have bugs, but it's also easy to use them incorrectly, especially if you don't have a good understanding of cryptography.

For example, a common mistake is to assume that by encrypting something, attackers can no longer change it. Or perhaps you'll use your standard equality operation to check whether a decrypted string matches some value, without thinking about timing attacks. Or maybe you'll just use AES in ECB mode.
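An added example (not from the thread) that makes the three mistakes above observable with Go's standard library: ECB leaking repeated blocks, a CTR ciphertext being altered without any error, and a MAC check that uses a constant-time comparison. The keys, IV and messages are constructed values, and the fixed IV is only there so the results are reproducible.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Constructed keys and IV for the demonstration; real code derives fresh keys
// and never reuses a CTR IV under the same key.
var (
	encKey = []byte("0123456789abcdef") // 16 bytes = AES-128
	macKey = []byte("fedcba9876543210") // separate key for the MAC
	demoIV = []byte("unique-iv-16byte") // fixed only so results are reproducible
)

// ecbEncrypt runs the raw block cipher over each 16-byte block on its own,
// which is all "AES in ECB mode" is. Length must be a multiple of 16.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext length must be a multiple of 16")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that merely repeat an earlier
// block. Under ECB, equal plaintext blocks give equal ciphertext blocks, so the
// structure of the message leaks without the key; a proper mode gives 0.
func repeatedBlocks(ciphertext []byte) int {
	seen := map[string]bool{}
	for i := 0; i+16 <= len(ciphertext); i += 16 {
		seen[string(ciphertext[i:i+16])] = true
	}
	return len(ciphertext)/16 - len(seen)
}

// ctrXOR is AES-CTR; the same call encrypts and decrypts. It hides patterns
// but has no integrity: flipping a ciphertext bit flips that plaintext bit.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// tamperCTR shows that malleability: one ciphertext byte changed turns the
// decrypted amount from 100 into 900, and nothing reports an error.
func tamperCTR() (string, error) {
	ct, err := ctrXOR(encKey, demoIV, []byte("transfer $100 to alice"))
	if err != nil {
		return "", err
	}
	ct[10] ^= '1' ^ '9' // byte 10 is the '1' of "$100"
	pt, err := ctrXOR(encKey, demoIV, ct)
	return string(pt), err
}

// seal is encrypt-then-MAC: CTR ciphertext followed by HMAC-SHA256(iv||ct).
func seal(iv, plaintext []byte) ([]byte, error) {
	ct, err := ctrXOR(encKey, iv, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)...), nil
}

// open checks the tag before decrypting. hmac.Equal wraps
// subtle.ConstantTimeCompare; bytes.Equal would stop at the first differing
// byte, and that timing difference lets a tag be guessed byte by byte.
func open(iv, sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size {
		return nil, errors.New("sealed message too short")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed: message was modified")
	}
	return ctrXOR(encKey, iv, ct)
}
```

In production the stdlib's cipher.NewGCM does the encrypt-then-authenticate and constant-time check for you; the hand-built seal/open above exists only to show what goes wrong when those steps are skipped.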

16
NegativeK 14 hours ago 0 replies      
As a different, less technical response: crypto is so hard because it's natural to assume that cryptanalysts are so persistent.

A good crypto library should keep your data safe for decades. We don't make the same demands (no bugs, due to no updates possible) of other software that often.

17
ra 14 hours ago 0 replies      
Encryption is hard because computers are constrained by (but exceptionally good at) discrete maths. All encryption does is slow cryptographic attacks down (a lot).

Also, proper key management is out of reach for most of us.

18
joshka 13 hours ago 0 replies      
There is a crypto challenge that explains many of the flaws in crypto done not exactly right, by giving real examples / puzzles on how to break the crypto. See http://www.matasano.com/articles/crypto-challenges/
19
skrowl 12 hours ago 0 replies      
I know it's cool to hate Microsoft and .NET here on [Y], but .NET framework actually comes with a ton of encryption classes & methods - http://msdn.microsoft.com/en-us/library/system.security.cryp...
20
falsedan 15 hours ago 1 reply      
Encryption is easy, security is hard. Every time you increase the security of a product, you decrease usability.

e.g. easiest to use :: SSH with password <<>> SSH with passphraseless keys <<>> SSH with passphrase-protected keys :: most secure

21
gamachemarkr 12 hours ago 0 replies      
This is exactly what the NSA wants you to think! Encryption is only a tiny part of the problem space, and yet still gets broken in fun ways (padding oracles, bad RNGs, etc). The more difficult part is key management and distribution. This is where crypto rubs up against the human. Humans suck.
22
a3n 13 hours ago 1 reply      
To step back a bit from the tech problems -- encryption is hard because not everybody uses it.

I think what we need, for email at least, is a completely new protocol that's end to end secure (as hard as that is). The problem though is that I don't think something like this can be done anymore, without "interested" corporations co-opting or talking it to death. The golden age of the internet is gone.

4
Youtube Easter Egg - One for the Geeks
48 points by webdisrupt  18 hours ago   25 comments top 9
1
UnoriginalGuy 16 hours ago 0 replies      
It is nice that Google still allows Easter Eggs. Many other companies (e.g. Microsoft) have outright banned them.
2
jpswade 18 hours ago 4 replies      
Type 1337, view the comments.
3
MrKurtz 17 hours ago 0 replies      
4
Joeboy 16 hours ago 1 reply      
I find it amusing that London's buses are plastered with Geek Week publicity, but until now I've not seen any actual geeks mention it.
5
klimeryk 15 hours ago 0 replies      
If you right click on a video, it will show a "Stats for nerds" option (showing the usual stats, but nice touch nevertheless).
6
FridayWithJohn 17 hours ago 0 replies      
Awesome stuff... although my boss wouldn't think so ;-)
7
NKCSS 15 hours ago 0 replies      
Haha, so awesome
8
scottlinux 13 hours ago 0 replies      
Another one: type Alt-F4 during a video.
9
caxton 14 hours ago 0 replies      
Now this is awesome. My favourite part was "Video destroyed. Game over". Lol
5
With the decrease in employment, how do graduates find jobs?
2 points by Apane  2 hours ago   2 comments top 2
1
Apane 1 hour ago 0 replies      
I would consider myself a junior rails developer :)

and took the Science and Business course at Waterloo.

2
dllthomas 2 hours ago 0 replies      
What are your skills?
6
The People's PRISM
5 points by gdne  6 hours ago   discuss
7
Ask HN: Python resources?
4 points by shire  6 hours ago   3 comments top 2
1
jdc 5 hours ago 0 replies      
I've found "The Hitchhikers Guide to Python" quite helpful: http://docs.python-guide.org/en/latest

And if you're a Windows user wanting to use Python modules that are partly implemented in C, I recommend downloading them in binary form: http://www.lfd.uci.edu/~gohlke/pythonlibs

2
jfdi 6 hours ago 1 reply      
Cool. I'd suggest you start here: http://learnpythonthehardway.org/book/
8
Ask HN: What do you do with your dead projects?
5 points by bert2002  7 hours ago   3 comments top 3
1
masukomi 7 hours ago 0 replies      
They tend to rot on my system. The problem is that no-one really wants to pick up someone else's half-finished work unless they know the person really well and believe in the project, which is unlikely since they'd already be working on it and it wouldn't be dead if that were the case.
2
NonEUCitizen 5 hours ago 0 replies      
I keep them. Some of them I revive a few years later (possibly on a different OS). Some others that don't get revived may still have useful pieces of sample code.
3
dschwartz88 7 hours ago 0 replies      
They go on my GitHub. Most as public, some as private. The only ones that stay private are the ones that have some code I worked on for weeks solving a very specific problem that I may use at some point in the future for a business.
9
Alternatives to Lavabit, with no physical ties to the United States?
4 points by caberus  8 hours ago   3 comments top 2
1
replax 5 hours ago 0 replies      
Hosted in Germany; you might want to look at

www.posteo.de

2
caberus 6 hours ago 1 reply      
It looks like countermail.com is a good alternative; it has an interesting feature, a diskless web server, and some other "unique features".
10
Tell HN: thank you (+ a 50% discount during 3 months on my new SaaS)
8 points by thibaut_barrere  14 hours ago   3 comments top 3
1
AznHisoka 55 minutes ago 0 replies      
Why would you target a market (freelancers) that is starved for cash, and want to do almost everything themselves? Your product is almost doomed to fail.
2
bjourne 2 hours ago 0 replies      
HN readers aren't dumb. Your post is a thinly veiled attempt to market your site, not to thank anyone and you know it. Not that there's anything wrong with self-promotion, but at least be honest about it!
3
thibaut_barrere 14 hours ago 0 replies      
11
PGP key as Facebook profile photo
7 points by plg  13 hours ago   5 comments top 4
1
runjake 12 hours ago 0 replies      
Because current interfaces to PGP/GPG are not grandma/soccer mom friendly.

It's better that they don't use encryption than it is for them to use it incorrectly (insecurely) and give them a false sense of security.

This "idea" comes up year after year after year after year. Occasionally, someone says they'll build a better mousetrap. Always, nothing comes of it.

PS: Zuck does not care about your privacy in the least. You are not his customer, you are his product. Advertisers are his customers.

2
borplk 9 hours ago 0 replies      
The difficulty of interface isn't even the biggest challenge here.

The biggest challenge is to get grandma / soccer mom and the girl next door to care the tiniest bit about encryption and privacy.

It's the cold hard truth, the overwhelming majority simply don't care. They don't understand why they should care and they don't care enough to learn why they should care.

With things like this, the average person continues ignoring it, until he feels directly threatened in the near future. Anything more than that and they start to think "meh...who cares...maybe another time"

Imagine in 1990 someone told you "in 20 years time people are going to be spying on themselves on a daily basis and providing detailed information about their lives to their government, they will login to a computer system and will enter what's on their mind, what they've been thinking about, who their family is, where they work, with whom they've had relationships with, what they like, where they have been, what events they have attended, their gender, sexuality, birthday, religious and political views and albums and albums of photos of themselves and those who refuse to spy on themselves will be rather alone, disconnected and viewed as rather weird for not participating in these wonderful activities".

Who would've believed that? To a spying/intelligence agency that sounds so good that it wouldn't even be capable of imagining ever seeing it as a reality.

Yet here we are, 23 years later, and it sounds all too easy "Facebook", "Twitter", "LinkedIn", "Social Media". The population has been brain-washed to accept, adopt and love these tools with their cute names and logos and seemingly innocent appearance.

Before the NSA and PRISM revelations you could call me a delusional, overly-negative cynic, technophobe or conspiracy theorist. But not today. Today we know for a fact what is happening, and we know that's just the tip of the iceberg that we know about, and just like pre-PRISM times, there's probably a lot of nasty crap that we are not aware of until the next Snowden reveals it.

It all makes sense now.

3
growt 12 hours ago 0 replies      
It's a nice idea, maybe the QR code could contain a link with the key itself, relevant information and links to pgp software.

I wouldn't count on Zuck though, he kind of lives from facebook being unencrypted.

4
sorennielsen 12 hours ago 1 reply      
Agree somewhat except "don't know, click here to generate one"... I personally don't want Facebook to generate key-pairs. That is even worse than not having privacy.

The private key should never leave the user's machine and should definitely not find its way to one of the world's biggest eavesdroppers.

12
Ask HN: Given the Lavabit case should we trust LastPass?
5 points by AhtiK  13 hours ago   2 comments top
1
mknits 13 hours ago 1 reply      
LastPass has been compromised by hackers before; I think this incident happened last year. Since then, I stopped using LastPass and now I use KeePass, whose database rests on my desktop.
13
Ask HN: can I visit your Berlin office?
5 points by FiloSottile  10 hours ago   1 comment top
1
timgluz 8 hours ago 0 replies      
I used to hack @St.Oberholz on weekends. And sure we can talk about startupping, Clojure, d3.js - just lookup laptop with VersionEye and Datanerd stickers.
14
Ask HN: Are we complicit in the NSA dragnet?
5 points by econner  12 hours ago   1 comment top
1
adultSwim 8 hours ago 0 replies      
Yes.
15
Ask HN: How do you deal with clients who keep second guessing your decisions?
4 points by rartichoke  11 hours ago   6 comments top 3
1
mkautzm 11 hours ago 2 replies      
I don't work in design. I do a combination of software development (and often get UI design input from my colleagues) and sys and network administration, but while I'm not good at handling situations like this, the owner of our company is exceptionally good at it, and I've taken notes as to how he deals with it.

He always seems to be in absolute control of the conversation. If somebody wants something done, he'll always be totally honest with them, in a very direct way. So, if someone says, "Instead of buying recommended UTM, I'd like to just use free Antivirus program that's not fit for business use", he doesn't let it just go, he'll say something like, "That isn't a complete solution and it's going to end up costing you in malware removal time and headaches. You really should just use this product as it will save you money and time in the long run. I can get you a quote on it before the day is over."

He totally owns the conversation and directs and redirects it to a central point. In this case, that point is 'Free AV is not a good solution for businesses that have hardware in house. You need a UTM of some kind." It's never, 'I recommend..." or "I think you should...", it's always, "This is how it is in the real world. You aren't hiring me to softball in suggestions, you are hiring me to be an expert." He addresses their motivations, in this case, cost and benefit of a proper solution.

For design, I'd imagine it'd be very similar. Something along the lines of, "Comic Sans is an unprofessional font. It does the face of your company a huge disservice and should be avoided."

I honestly suck at it and I'm trying to get better at owning and directing conversations with customers -- The advice he gives me is to go into a conversation with a purpose and a direction. Redirect the conversation to the original purpose when you need to ("We can talk about other things, but first, I really want to get this product/website/solution in your hands before we address that. What do we need to do to make that happen?"), and finally, slow the conversation down enough to really hear what they are saying and understand their motivations and then respond accordingly. It's really easy to let a conversation run away from you and you end up following a mental script instead of actually responding to a customer.

2
gesman 3 hours ago 0 replies      
You're second guessing yours. Client just follows you. Break the cycle by sending client the [reasonable] bill for services rendered so far.

If he'll pay - he's yours.

If he won't - he never was.

3
borplk 9 hours ago 1 reply      
I really like the mechanic analogy. Why do you think this difference exists?
16
Show HN: TrueVault.io | A HIPAA compliant backend for your healthcare app
11 points by jason_wang  1 day ago   5 comments top 4
1
brudgers 22 hours ago 0 replies      
2
phony1 1 day ago 0 replies      
* On my 1920px wide screen, your banner message stretches to the edges. It makes it really hard to read.

* The spinning gear for 'Rapid Setup' really distracts me. Animation is good when used well (perhaps to direct people to the sign up form?) but this looks like it is not well thought out.

* The features panels have blank space underneath them. It looks weird and incomplete. You should make their heights consistent and the height should be set to that of the tallest panel.

* The scrolling threshold for the menu banner appearing is too high - it feels unnatural. I think it should appear earlier. Is there another site that uses the concept that feels more natural, so you can copy their timing?

Sorry, no comments on the actual product as I'm not in your target market.

3
skram 1 day ago 1 reply      
Very interesting. Been seeing a need for something like this for quite a while, both as a developer in the health IT space as well as someone who has had to sign BAA's and work within HIPAA guidelines in large organizations, often rendering them inflexible with modern technology.

I signed up and am really interested in hearing more such as what the time line looks like. In short, my company is a group of clinicians + developers.

www.aqua.io may or may not be doing the same thing.

4
kohanz 10 hours ago 0 replies      
clickable link: http://www.truevault.io
17
Ask HN: What programming language to learn?
4 points by redxblood  14 hours ago   15 comments top 7
1
octo_t 14 hours ago 3 replies      
If you don't know C, learn it. It's very different from python and java, but will give you a feel for what's going on "under the hood" so to speak in both those languages.
2
zachlatta 12 hours ago 0 replies      
I recommend doubling-down and focusing on Java. It'll help you get fundamental programming concepts down and will give you a strong foundation in object-oriented programming.

I recommend learning C after Java. It's much more difficult to learn, but your prior Java experience will help you pull through.

Note: this all depends on what you mean by "some" programming experience.

3
wusatiuk 13 hours ago 1 reply      
This is a question asked quite often and I guess there is only one answer: what do you want to achieve? Do you want to make Web Apps, Mobile Apps, Desktop Apps, Games,... there are so many different directions you can go, that you should first answer the question WHAT and then answer the question HOW and not the other way around.
4
lmm 13 hours ago 0 replies      
From a similar position I found scala was the best help professionally. It combines the best of both - lightweight syntax like python, but with strong typing and the java library ecosystem - better still, you can introduce it into a java project bit by bit.
5
dradtke 10 hours ago 0 replies      
Depends on what you want out of learning a new language. If you want to become more familiar with the fundamentals of computers and how they work, C is the best option; if you want to learn a new paradigm and way of thinking, I recommend Haskell; if you plan on doing any web stuff, JavaScript is pretty much a must; and if you want to be at the forefront of new language developments, go for one of the shiny new languages like Go or Rust (I'm currently taking this route).
6
joeldidit 7 hours ago 0 replies      
C was trivial to learn, don't listen to them. I learnt that first, and it made learning other languages easy (most popular languages are modeled after C). Mobile is a hot market, so it'd be good to learn Objective C. Also, Javascript is another popular one. Then I hear talk of learning Haskell and Lisp "just because," but I don't do anything "just because."
7
jedisct1 9 hours ago 0 replies      
Rust.
18
Ask HN: How to deal with inappropriate interview questions?
8 points by kobot  1 day ago   3 comments top 3
1
dandrews 1 day ago 0 replies      
Your interviewer just sounds inexperienced to me. I'd deflect it: "That sounds like an off-prem kinda question. Maybe one of these days we can meet for a beer after work and swap stories."
2
throwaway420 1 day ago 0 replies      
It all depends on the level of inappropriateness, how it benefits you, and your personal comfort level with it. If you're applying for a super great job, it might be in your self-interest to casually accept a few probing questions like that if you think that it gives you a better opportunity to get the job.

If you're the litigious or confrontational type, you might be able to spin this type of incident into a lawsuit or threaten them in some sly way to guarantee the job. I wouldn't do it that way or recommend doing that, but that's certainly an option for aggressive personality types.

3
dnm 1 day ago 0 replies      
"Relationship status" is flat out illegal.

The personal family stuff is just weird.

https://duckduckgo.com/?q=things+you+are+not+allowed+to+ask+...

19
Ask HN: How to borrow money?
2 points by shire  11 hours ago   1 comment top
1
mchannon 10 hours ago 0 replies      
Borrowing is ideally on flexible (or no) terms, with as low an interest rate as possible.

Friends, family and fools come first as a source of borrowing.

Then perhaps a credit card (0% intro APR if possible; that should play well against your 5 month plan to repay).

LendingClub, Prosper.com, and similar make a song and dance a possible vector for getting crowdsourced loans.

Then perhaps a bank loan, or title loan/second mortgage if you have anything of value.

Depending on what you plan on spending the money on, store credit cards from Walmart, etc. can also come in handy.

Hopefully you're not planning on investing it in Bitcoin mining equipment from a mysterious seller on the internet.

20
Ask HN: Good VPS offerings from companies outside the US?
5 points by MrGando  15 hours ago   14 comments top 6
1
mattbee 13 hours ago 1 reply      
We've just taken the beta wrappers off http://bigv.io/ after two years (we've been in business for 11). It's hosted in Manchester, UK - 10 / month for 1GB RAM, scale to 180GB, real actual humans on the phone for support, console access, choice of disc grades (SATA, SAS, SSD), command line interface... OK I'll stop selling. It's really very good though.
2
windexh8er 11 hours ago 0 replies      
Are OVH and Hetzner the top contenders here? I have things split across DigitalOcean and Linode and am about to drop both - thinking a non-VPS provider is actually the better route as I'm willing to pay if I have my own server. Any good hosts in Switzerland? That's likely the best country to host in at this point, or one of...
3
junto 13 hours ago 0 replies      
4
dossy 14 hours ago 1 reply      
Why, because you think that foreign governments are going to respect your privacy more?

Ha.

5
andyhart 14 hours ago 1 reply      
We have UK-based VPS packages... www.hartserver.net/servers/vps/
6
SomeoneWeird 15 hours ago 1 reply      
ovh?
21
Ask HN: how to deal with the NSA situation if a Startup handles user's data?
8 points by asenna  1 day ago   4 comments top 2
1
angersock 1 day ago 1 reply      
We're about to launch a storage and collaboration service ourselves, and all this shit couldn't have happened at a worse time.

I'll go ahead and ask another question:

If I've got a multitenant system, how can I best protect my clients if they're on a box with somebody who pisses off the feds? I don't want to go all Cryptonomicon here, but what can I do beyond a bunch of separate encryption keys and directories and whatnot?

2
brudgers 1 day ago 0 replies      
Let dealing with it be a cost of business when there's a business. Right now, addressing the issues is premature optimization. No customers. No problem.
22
Ask HN: do you trust your "secure email" now?
26 points by aw4y  18 hours ago   42 comments top 15
1
jacquesm 16 hours ago 1 reply      
I consider everything I type into a computer with an active network port to be published.

Anything less would be folly, there are so many hops where people could be listening in on your data (starting with the cable that runs from your keyboard to your computer) that even an email sent to your 'drafts' box on your own IMAP server is probably not secure. Unless you own the co-location facility and all the infrastructure between where you sit and where you store the mail.

The whole security thing to me is a matter of economics. I assume that any data that is not worth reading is collected and that anything that is worth more than it would cost to collect and read is read.

Maybe that's a paranoid view of the state of affairs but at least I won't be surprised or disappointed. My main bulwark against wholesale exposure of the contents of my inbox is a 'Rob'. Rob is a veteran sysadmin who configured and set up my machine and I trust him (I have to, since he has access).

Rob is secure in the sense that he's an honorable person, and that I believe that there is no offer that could be made that would make him break our bond of trust. So short of blackmailing Rob (which is hard, and I would definitely forgive him if that were to happen) my stored email is reasonably secure, but any email in transit is fair game and will probably be caught somewhere along the line and I treat all email that I send and receive as public as a consequence of that.

2
junto 15 hours ago 2 replies      
"Secure email" is an oxymoron. Email isn't secure. We should treat it as such.

Even if you use the "technically challenging" PGP (i.e. challenging for the layman), then the metadata still leaks relationships.

We need a replacement that is secure by default and easy to use, so that 'Mom and Pop' can make the easy switch. Get that right and you can replace email.

In my opinion, a company like Yahoo is in the perfect position to write, sponsor and open source a new innovative messaging solution, that is secure by default (and cannot be made insecure) and cannot be monitored. External validation of the source code and cryptographic implementation would be paramount. A whole ecosystem of new "secure messaging" servers and clients could spring up. It could be the next paradigm shift on the internet.

Yahoo are slowly getting back on their feet. If there ever was a perfect time to release a killer app that would resonate with the majority, it would be this. From trampled and downtrodden to the golden boys (and girls) again.

Go on Yahoo. I dare you!

3
alan_cx 17 hours ago 1 reply      
If my, or some one else's, life or liberty depended on it, no. Not email, not the internet.

From a simpleton POV... there is a wire from my computer to an ISP. Then from that ISP to another ISP. Then from that ISP to a recipient. At any point someone can intercept and decode. So, AFAIAC, that's an end to it. Even if the data can be secured from being read, there is proof that one computer talked to another computer about something. That's often enough "evidence". It's an opening.

Frankly I don't see how the internet can be secure. AFAIK, it never was.

4
D9u 15 hours ago 1 reply      
If the Director of the CIA can't keep his email secure, what makes anyone think that their email is more secure than his?
5
wiml 17 hours ago 1 reply      
My secure email provider is /usr/local/bin/gpg, so ... yes?
6
DanBC 17 hours ago 1 reply      
What are you protecting, and who are you protecting it against?

I knew that well funded government agencies could probably get access to anything, so with that caveat yes, I trusted a few providers.

In general if it's important you shouldn't trust anyone. Use GPG, but do so carefully after reading all the documentation.

7
rainsford 14 hours ago 0 replies      
I don't trust other secure email providers, and to be honest, I don't trust Lavabit or SilentCircle...at least I don't trust them as far as they suggest I should trust them.

I trust providers that offer encryption to prevent basic things like my ISP looking at data or maybe casual eavesdropping if I'm in a foreign country. But the idea of hosted services that completely protect you even against the government of the hosting country, which is how these services seem to be sold, is sort of unrealistic.

And in the broader sense, I trust something like Lavabit less than Gmail. Permanently losing access to my email without any warning is a bigger threat to me than whatever ill defined privacy line Lavabit claims was being crossed. Email for me is primarily about convenient communication. If I want extra security for some reason, I'll use something else or combine GPG with email.

8
harrytuttle 16 hours ago 0 replies      
There is no such thing as secure email. Use another channel.

Yes I'm aware of GPG etc but no one else is.

9
Zash 10 hours ago 0 replies      
Yes, I do, because I host my own email on my own hardware.
10
venomsnake 18 hours ago 1 reply      
I will trust Lavabit if they reopen.
11
albeertoni 16 hours ago 0 replies      
Not especially. As others have mentioned, email leaks metadata and the existing protocols are such that it would be impossible to secure them reasonably.

Of course, it all depends on what your threat model is. Are you a target of the NSA, or a jealous spouse? That's what this comes down to. Neither Lavabit nor Silent Circle could have given encrypted and unattributable email service - so if that's what you needed, you're SoL. If server-to-server encryption was all you were interested in, then the distros of pgpu they used would have been fine for you.

It's hard to think of a threat that would be stymied by server-to-server encryption alone. Maybe someone else has a good idea of what that might be, but it's too early for me.

12
SGFja2VyTg 13 hours ago 0 replies      
Yes.

Lava happened to have a known, admitted national security threat as a client/user. It is expected, legal, and proper for a national security letter to be used in this context.

It is possible that the NSL was demanding things that were way too broad, but I imagine that this was not the case (and rather that Lava had an ethical issue with the whole process).

13
vegasbrianc 15 hours ago 0 replies      
Go back to the stone age. Hand written notes with couriers.
14
aw4y 17 hours ago 3 replies      
so apparently there's no reason for lavabit, silent mail, hushmail ...?
15
Dirty-flow 18 hours ago 0 replies      
never trust anyone! :)
23
What Linux Distro is the best for a developer on a laptop?
10 points by mrt0mat0  1 day ago   24 comments top 14
1
chao- 1 day ago 0 replies      
There is no "best". There is only "best for your needs". I'd recommend changing the title, lest people take it wrong and derail the thread.

If by "works" you mean "has a familiar and mostly-polished interface", then I would agree. If you like Mint so far, go with that. To give a comparison on the "other end" of the user experience spectrum, try Crunchbang. It is the same underlying ecosystem as Mint (Debian), but builds itself out of a handful of more minimal components. It's my go-to dev distro because it's just enough to get work done in, and nothing more.

If you've tried "the big common ones", then you've hit 90% of the mainstream options. If you need something special, unique or custom beyond those, you definitely would have identified those needs in your post.

2
sehrope 1 day ago 1 reply      
I use Linux exclusively on my desktop and have had a bunch of laptops over the years with Linux installed (mainly Debian based). It's never been quite pleasant though. I work primarily off my desktop so I wouldn't mind it that much but it was never good enough for me to be happy when roaming.

I recently got a Macbook Air (the new 2013 one) and it's working out pretty well. Rather than deal with a desktop Linux OS I've got everything running in VMs and either work through them or cloud based remote servers.

For casual computer use (web browsing, email, etc) I use native apps. For software dev I use a combination of SSH to VMs/remote servers and native text editors accessing shared filesystems (mainly sshfs).

I still much prefer my desktop (a real keyboard is always way better) but at this point my laptop is tolerable enough that I can roam around and actually get work done.

3
angersock 1 day ago 1 reply      
I've greatly enjoyed #! (Crunchbang):

http://www.crunchbang.org/

It's Debian based with minimal extra bullshit, has a super-friendly config script right out of the box on first boot, and uses OpenBox as the WM. Very snappy and minimalist distro.

4
a3n 1 day ago 0 replies      
Since you're on Mint you're in the apt-* world. One of the Mint variants is probably best for a combination of minimal configuration and latest-ish packages in the repository. Debian itself (the final stop upstream from Mint) would be good if you want to be involved with your own system's configuration for whatever reason; its packages will be somewhat more out of date, possibly more stable.

If you're selling into an enterprise that requires RedHat, Oracle etc, then possibly CentOs for cheaper development costs as compared to developing on RedHat itself. Those are in the RPM world.

So many other ways to slice this pie, depending on what you need and how involved you want to be with your disto as opposed to whatever it is you're doing.

5
LarryMade2 1 day ago 0 replies      
I've been using Ubuntu for almost ten years now. What got me here:

- Package management: DEBs were sooo much easier to deal with than RPMs.

- Hardware support - usually everything just seemed to work or there was a forum discussion with a solution on what to do about it.

- Good variety of included packages.

- Excellent support forums, even if you are doing non base Ubuntu stuff there's probably a discussion a 'google' away that covers whatever issue you have. So, even though Canonical does not-so-pleasant things to the UX, you can easily find ways to fix your experience and get back to developing.

If you have similar positive experiences with Mint, why switch? Figure out what you are missing or looking for first.

6
grumps 15 hours ago 0 replies      
I'm more of hobbyist developer, although I could probably switch to professional but I'd have to pick PHP... and I'm not so crazy about that.

Anyway at work I run Ubuntu 12.04. Mostly because I find it to be a little more forgiving than Debian out of the box.

At home I run Debian Sid. I ran Wheezy for almost a year and when it was released as stable I switched to Sid. My only real issue is the lack of the full Firefox.. Right now I'm pretty sure I have the one installed from a Mint repo. Iceweasel just isn't the same. For example when using Outlook it would set my spell check to Bolivia Spanish, despite the default being English.

7
LoneWolf 1 day ago 1 reply      
There is no best, there is a specific distro you will like using and find a better fit for your needs.

Take this example: some years ago I tried Debian, SuSE, Mandrake, and a few others, ended up using Gentoo and it is still my distro of choice. I won't say it's the best for everyone, but so far it has been the best for my needs.

8
CyberFonic 1 day ago 1 reply      
I prefer Debian-based OSes, e.g. Ubuntu, Mint, et al.

Then all the window managers are a mere apt-get install ... away.

The only thing that irks me is the driver support for laptop peripherals. Still can't get an MBP to run as cool and for as long on battery with Linux as with OS X. I've given up on VMware as it seems to churn the CPU even doing very little.

9
ericcoleman 1 day ago 1 reply      
It's really just up to what your personal preferences are, mostly related to packaging and setup.

I've been using Arch Linux for a while, but have been slowly moving to stock Debian.

10
baconhigh 1 day ago 0 replies      
IMO the "best" is the one that requires the least amount of futzing from you to get your job/work done.

You don't want to waste time setting up X.. resolving dependencies.. making things 'work' that should 'just work'.

So, whatever solves that?

Personally, I've gone for the latest available release of Ubuntu where possible, although recently I've started using OS X and shelling into a Linux machine to do any necessary work that requires it. I find OS X provides a decent *nix underneath and, with the addition of http://brew.sh/, makes it a viable choice for me over a Linux setup.

11
codemonkeymike 11 hours ago 1 reply      
When it comes to compatibility you should think of a Debian kernel based distro: Ubuntu, Mint (what I am currently using), or Debian (Stable, Testing, Unstable etc. etc.). If it's your first time using Linux I would stick with something that is familiar to a Windows user: Mint.

12
asenna 1 day ago 0 replies      
I started off with Ubuntu but moved onto Mint. I love Mint 14 and I don't feel the need to use anything else. For some of my clients working in the Microsoft environment, I use Windows in a VM with a shared folder. Works great.

13
dsschnau 7 hours ago 0 replies      
FWIW I run Fedora 19 on my Asus Zenbook and I love it.

14
mtgx 1 day ago 0 replies      
The best for what? If you want something easy and like Windows 7 UI-wise, then try Zorin OS.

http://zorin-os.com/

24
Ask HN: How to find problems worth solving?
11 points by thomaaas  1 day ago   11 comments top 8
1
helen842000 17 hours ago 1 reply      
People often look for pain points in an area they like.

However, the pain points that you actually should solve are the ones that drive you crazy, that make you woof in annoyance when they just don't work. Stuff that you know you 'should' do but find a way to put off. People tend to stay away from these areas because, well, they hate them!

Yet that is where the solutions are needed the most.

Some pain points that really frustrate me:

* Getting an e-mail with an attachment that I have to print out, fill in, sign, scan back to my e-mail and then attach back to the recipient. That is just far too many steps. I don't think the likes of 'Sign Now' cut it because that relies on the sender sending it in that format. It needs to be a solution for the recipient.

* Setting up mailing lists.

* Formatting & nice templates for e-books.

* Following up enquiries x number of days after I sent a quote.

* Tracking the ROI from different advertising methods (adwords, print advertising, facebook etc)

* Tracking all the issues & bugs I fix at work to prove my productivity.

Don't pick what you WANT to work on. Pick something that is currently a pain in the ass and feel the benefit of your own solution.

2
redspark 1 day ago 1 reply      
1. Pick a niche or industry you want to work with.

2. Get in touch with owners/managers in your chosen area.

3. Take them to lunch and discuss their business. Watch their face and when they show you a pain point, try to pinpoint the cause.

4. You should discover more than a few problems they would spend money to have solved if you talk to enough of them.

5. Follow up with an email thanking them for their time and mention again how you have been giving some thought to a particular pain point. Try to find an article, software package, etc that attempts to solve their pain point and send them the link.

6. Build a true MVP (should be embarrassing, yet offer value to them), and follow-up with an email. Tell them you have been thinking more about their problem and wrote up a quick dirty app that might help them. Offer to demo it for them. While demoing discuss how much their pain costs their business.

7. Iterate based on their collective feedback.

8. Based on the discussion about pain costs, come up with a value-based price for your solution.

9. Refine your MVP, follow-up with another demo. Sell them a subscription to your solution. It may still be rough, but you should be able to demonstrate value and savings compared to their pain costs. CLOSE THE DEAL.

10. Follow-up

11. Iterate

12. Follow-up

13. Iterate

14. Follow-up

15. Iterate

16...Rinse... Repeat.

3
Jemaclus 1 day ago 0 replies      
Talk to people. People love to complain, especially about their jobs. They'll complain about their pain points. Listen for one that seems interesting.
4
onion2k 1 day ago 0 replies      
Trawl Firespotting. There's a lot of crazy on there, but in amongst it all are some really good ideas: http://firespotting.com/news
5
johnmurch 1 day ago 0 replies      
1) Solve a problem that YOU face or someone you know faces/has

2) Start small and think big

3) Saw this list - https://medium.com/design-startups/49acac7c3405 lots of stuff popped up but saw "A bookmarklet to help people manage their job search. The job search process sucks. Let people use a bookmarklet to track jobs they like, which they've applied to, and the rest" and was like.. WOW - NO one does this. It's super simple and the process sucks for all of us, but could be a simple way to build out an MVP and generate $

Just a thought - Good Luck!

6
pmtarantino 1 day ago 0 replies      
It has to be more than just "worth solving". I can think of a few ideas "worth solving" just like that. It has to be good enough that people pay for it.

A lot of people would like to have X feature, X website, X software. Would they pay for it? Ask that question. For what would you pay for right now?

For example: I am starting to sell goods. I'd like a place where I put all my goods purchases from eBay, AliExpress or wherever, and I can track them, see when they will arrive, how much stock I have left, etc.

7
dcu 1 day ago 0 replies      
Take a look at this pg essay: http://paulgraham.com/startupideas.html
8
joeldidit 1 day ago 0 replies      
Ask a lot of people. Ask them about their daily frustrations. Ask them to share what they think the big problems of the world are. Post on forums online, go into chat rooms, etc.
25
Dedicated Server vs. own server, suggestions?
8 points by federicola  1 day ago   24 comments top 13
1
migrantgeek 1 day ago 0 replies      
Do not host yourself. Find a better provider.

With colocation you'll end up responsible for all of the hardware and still be dependent on remote hands, so service could still suck and likely get much worse.

System Administration is hard and unless you have the $$ to pay one full time, rent the HW.

Most hosting companies will suck if you don't have much business with them. I worked for Rackspace years ago and bigger fish always get much more attention.

I do some consulting work now and find myself on calls with Hostway pretty often and they seem to know their stuff. You might check them out.

2
incision 1 day ago 0 replies      
Are you sure it will save money in the long run? I feel like most of the conversation along these lines that goes on is pretty shallow, performance to dollars in a vacuum.

I'd say flip it around: think about what you're trying to achieve and do the math on all the options to solve it. Pre-framing it as a dedicated rental versus a self-managed purchase is unnecessarily narrow.

3
hashtree 1 day ago 0 replies      
I'd colocate if you have a proven/reliable revenue stream, predictable growth, you anticipate more than 6 RUs' worth of servers, or need very high-spec'd servers (e.g. 192GB of RAM in one box). You can build entire servers for the cost of one month of PaaS/SaaS in many situations. There is a whole strategy that addresses every single issue that has been brought up (e.g. hardware failing, sysadmin, being on call).

Feel free to connect. I can speak to how I do it with about ~1.25 racks worth of servers for my company for ~5 years now. I've also done it for MUCH larger international companies. No, I am not trying to sell you something :)

4
CyberFonic 1 day ago 0 replies      
I'm assuming you have the technical resources to manage your own hardware.

I've built a lot of co-lo solutions for clients. They end up being very expensive if you use a "name brand" provider. You are paying for rack space, power, A/C, security, bandwidth, etc., etc. And then any time something breaks, you need to send somebody in to fix it. If the provider supplies "hands" then they charge heavily for that. Remote consoles are good, but not that good.

With so many providers out there, ranging from bare metal to VPS to PaaS - I find that hybrid solutions work the best. Not putting all your eggs in one basket, etc.

In my experience, the greater the lock-in the worse the service; of course YMMV. I tend towards pay-by-month and stay flexible. Whilst AWS is expensive if used continuously, I find it good for handling spikes. But you do need to architect your solution to move the workload around and that can end up being more bother than it's worth.

5
true_religion 1 day ago 0 replies      
Don't host it yourself unless you're planning on using the same server for 2+ years. If not, then stick with rentals and find a better provider. At the end of every year, renegotiate your prices for a better deal if you want to keep the same server, or bump up to the newer models.

6
thenomad 1 day ago 0 replies      
+1 for "Don't host it yourself, find a better hosting provider".

There are lots of very, very good providers of servers out there. Sign up with one of them.

7
cmer 1 day ago 1 reply      
We've been with OVH for about 3 months and over all the experience has been good. Prices are also very competitive. I'd look there if I were you.
8
iloveshw 1 day ago 1 reply      
If you're thinking about hosting yourself it doesn't make any sense. If you think about colocation then it's better, but in your calculations include the fact that hardware breaks, and with dedicated servers you get it fixed for free; when you buy the server yourself you have to buy anything that breaks and replace it. Almost always it means more of your time spent dealing with it, more time of your users with lower quality/no service, and it adds to the cost. Of course it's an option but you have to keep those things in mind. And before you do it I would search for some other provider of those dedicated solutions (or VPS) before making that step.

9
dildonics 1 day ago 1 reply      
Have you guys seen Hetzner hosting? Their servers have ridiculous hardware for very low monthly costs relative to other hosts, and the support usually gets back to me within the hour.

http://www.hetzner.de/en/hosting/produktmatrix/rootserver-pr...

10
ScottWhigham 1 day ago 1 reply      
Upgrading memory on dedicated servers is and always has been crazy expensive. It's absurdly expensive: we had a 4GB Dell server at <big company /> and, if I wanted to double that to 8GB, it was going to be another $50 per month for two years. I could've bought the memory outright for $120. It's around that time that you need to re-evaluate which server you have and whether it's time to change servers completely.

11
makerops 1 day ago 1 reply      
Hey,

Shoot me an email at anthony@makeropspro.com. I am developing a service specifically for startups that you may be interested in; I can probably help.

12
Theory5 1 day ago 2 replies      
I've always wanted my own server, but then I discovered Amazon's AWS. It's much, much cheaper, and you can scale pretty easily.

13
devb0x 1 day ago 0 replies      
Change hosts; go with a company with history and longevity in mind.
26
Ask HN: If you were to build a new webapp today, how would you pick your techs?
3 points by babebridou  18 hours ago   9 comments top 2
1
boothead 18 hours ago 2 replies      
I would almost certainly build the back end from the ground up based on the concept of a stream of events. Current state is then expressed as a left fold over a base empty state and all of the event types you're interested in.

Benefits that I can see:

* Purity. You can test the hell out of this with no side effects.

* Transaction log built in.

* The ability to look back in time, by only applying the events up until the point you're interested in and disregarding the rest.

* Very flexible and scalable.

* You can retrospectively answer questions that you might not have known how to ask, by creating new operations over your states.

* Plays well with monitoring, and analysis. E.g. just stream all of your events into logstash and elastic search.
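As an added illustration of the event-stream model this answer describes (example code written for this page, not part of the original comment or of any project it mentions), the Python below keeps an append-only log of constructed sample events for a toy account ledger and derives every piece of state by folding over that log. The `Event` type, the reducers and the sample events are all assumptions made here. It shows the points the answer lists: the reducers are pure and testable in isolation, the log itself is the transaction record, "as of" state comes from folding only the events up to a sequence number, and a question nobody thought to store a counter for (failed logins per account) is answered later by writing a new reducer over the same log.

```python
from dataclasses import dataclass
from functools import reduce
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    """One immutable, append-only log entry (assumed shape for this example)."""
    seq: int        # position in the log; only ever grows
    kind: str       # event type name
    payload: dict   # event-specific data


# Constructed sample log for the demo; not real data.
EVENTS: List[Event] = [
    Event(1, "AccountOpened", {"account": "alice", "balance": 0}),
    Event(2, "Deposited", {"account": "alice", "amount": 100}),
    Event(3, "AccountOpened", {"account": "bob", "balance": 0}),
    Event(4, "Withdrawn", {"account": "alice", "amount": 30}),
    Event(5, "Deposited", {"account": "bob", "amount": 50}),
    Event(6, "LoginFailed", {"account": "bob"}),
    Event(7, "LoginFailed", {"account": "bob"}),
]

State = Dict[str, int]
Reducer = Callable[[State, Event], State]


def fold(reducer: Reducer, events: Iterable[Event], initial: State) -> State:
    """Left fold: current state = reduce(reducer, events, empty state)."""
    return reduce(reducer, events, initial)


def apply_balance(state: State, ev: Event) -> State:
    """Pure reducer for account balances: no I/O, returns a new dict."""
    new = dict(state)
    acct = ev.payload["account"]
    if ev.kind == "AccountOpened":
        new[acct] = ev.payload["balance"]
    elif ev.kind == "Deposited":
        new[acct] += ev.payload["amount"]
    elif ev.kind == "Withdrawn":
        new[acct] -= ev.payload["amount"]
    # Unknown event kinds are ignored by this projection.
    return new


def balances(events: Iterable[Event]) -> State:
    """Current balances, derived from the full log."""
    return fold(apply_balance, events, {})


def balances_as_of(events: Iterable[Event], seq: int) -> State:
    """Look back in time: apply only events up to and including `seq`."""
    return balances(e for e in events if e.seq <= seq)


def apply_failed_logins(state: State, ev: Event) -> State:
    """A projection added retrospectively: failed logins per account.

    Nothing about the log changed; the question is answered by replaying it
    through a new reducer."""
    if ev.kind != "LoginFailed":
        return state
    new = dict(state)
    acct = ev.payload["account"]
    new[acct] = new.get(acct, 0) + 1
    return new


def failed_logins(events: Iterable[Event]) -> State:
    return fold(apply_failed_logins, events, {})


if __name__ == "__main__":
    print("balances now:   ", balances(EVENTS))          # {'alice': 70, 'bob': 50}
    print("balances @ seq 3:", balances_as_of(EVENTS, 3))  # {'alice': 100, 'bob': 0}
    print("failed logins:  ", failed_logins(EVENTS))      # {'bob': 2}
```

Because every reducer is a pure function of `(state, event)`, each one can be unit-tested by feeding it a handful of constructed events and checking the returned dict, and the same log can be streamed to an external system for monitoring without touching the reducers at all.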

2
geektips 18 hours ago 1 reply      
I will be using a LEMP (Linux, nginx, MongoDB, PHP) stack instead of a LAMP stack, and I will be using memcache for caching.
27
Ask HN: in light of the leaks...
2 points by mark_integerdsv  15 hours ago   discuss
28
Ask HN: Lisp programmers - do you experience occasional code blindness?
6 points by qingu  1 day ago   discuss
29
[discussion] Distributed everything against multiple jurisdictions
5 points by siculars  1 day ago   2 comments top
1
kbar13 1 day ago 1 reply      
Solution: don't depend on a provider
30
Ask HN: Do you prefer a world without IP laws?
3 points by kumarski  1 day ago   4 comments top 3
1
ProblemFactory 18 hours ago 0 replies      
No. But I believe copyright and patent laws should be refactored based on their contribution to society, not the individual copyright or patent holders.

* The purpose of copyright is to encourage creation of more works of art than would happen without it. In return, the rest of society agrees to grant the author a limited-time exclusive right to the work. Shorter (10-15 year) copyright terms should be sufficient to make a profit from a book/movie/software. After that, the authors can publish new or updated works to continue making money. There is no way the Disney corporation's copyright on the Mickey Mouse character is still encouraging the long-dead Walt Disney to produce more artworks.

* The purpose of patents is to encourage both more invention, and detailed publication of the methods, than would happen without it. In return, the rest of society agrees to grant the inventor a limited-time exclusive right to use the invention. Patents which are obvious, or patents whose methods can be determined by looking at the final product or outcome, do not bring value to society in that transaction.

3
kumarski 1 day ago 0 replies      
I think:

- the cost of innovating has become higher.

- it's unusual for lawyers and accountants to determine the intensity and speed of relationships between customers and products/services.

- since 1984, semiconductor companies have focused a large amount of resources on building patent armories rather than innovating.

- a world without patent law would allow for competition and products/technologies to reach the entire world faster at viable prices.

- that the world can function and entrepreneurs will be fine without IP protection.

       cached 10 August 2013 04:05:01 GMT