hacker news with inline top comments    .. more ..    27 Sep 2016 Ask
Ask HN: How (un)secure are the passwords saved at my browser?
18 points by soneca  2 hours ago   6 comments top 5
Arcsech 59 minutes ago 0 replies      
Yes, browser password storage is really poorly secured. For what it's worth, a Chrome staffer explained on this very site[0] their reasoning, but that doesn't really sit too well with me - in my opinion, browsers should either go all the way and integrate a full KeePass/1Password style password storage or remove the feature altogether.

Firefox appears to be a bit better by letting you set a master password that's used to encrypt passwords[1], although without digging into the behavior I can't say exactly how much that helps.

[0]: https://news.ycombinator.com/item?id=6166731
[1]: http://kb.mozillazine.org/Master_password

zerognowl 10 minutes ago 0 replies      
Lastpass is zero-knowledge but subject to any number of attacks on the client. As the old adage goes: If you can't attack the crypto, attack the client! My personal setup is an always updated version of KeePass. I gave up using 1Password when I realized the loopback is cleartexted when autofilling passwords, and a host of other vulns like the .opvault format not used as the default, and too many other vulns to count. The master password is also a single point of failure and once you get that, you get everything. A chain is only as strong as its weakest link and all that. With KeePass even if they have the master password, they also need a second key / keyfile, and a machine ID so a copy of the KDBX file is useless to an attacker (unless they can emulate your machine UUID).

You can read more about that 1pass vuln here: https://news.ycombinator.com/item?id=11212002

wkd 26 minutes ago 0 replies      
What advice I give in terms of computer security I see more like being sanitary, similar to washing your hands: it will not make you free of germs, but it will greatly reduce the chance of getting a serious infection. The thing you should realize is that your data will never be perfectly secure. You could take your data offline and store it on an encrypted hard drive in a waterproof safe on the bottom of the ocean and there could still be ways to access it. You need to find a middle ground where you feel safe enough not to worry about serious infections but aren't afraid of germs to the level it affects your everyday life.

Most browsers store their passwords in plain text; this means there are applications that can fetch all your stored passwords from all browsers and send them to an undisclosed location in seconds, given user-level privileges on the machine.

By upgrading to LastPass you have reduced that attack surface by using a secure passphrase and encrypted data store, but you have increased your attack surface to anything accessing LastPass servers and application bugs.

With all these attack vectors one might think that it's better to just not save passwords and just remember them. While this is true in theory, in practice it's impossible to remember a sufficiently unique password for each website you are registered to, which leads to password reuse, which is another, much greater attack vector where your leaked passwords from one site can be reused on other sites.

In general I would advise you to use a password manager that generates and encrypts passwords (LastPass is one of them), use a secure passphrase and don't reuse passwords. Password reuse will likely make you less secure than writing your passwords on a post-it by your computer (don't do that either).

I would also consider looking into using proper 2-factor authentication for sensitive logins (document storage, email, password manager), but I don't want to bore people with the details there so I'll defer you to do some independent research.


* Store passwords encrypted (Lastpass is fine)

* Don't reuse passwords on different sites

oxguy3 1 hour ago 0 replies      
Yeah, it's pretty easy to get to your saved passwords in Chrome -- they're at chrome://settings/passwords. They're not encrypted or anything (depending on your OS, you might have to enter your password to reveal the passwords at that link, but that's just to stop unsophisticated snoops -- there's nothing blocking access to the plaintext passwords on your hard drive). I'm not sure precisely how LastPass is accessing them (I use 1Password) but I'm not really surprised. Chrome's password store is for convenience, not security. If you want security, use 1Password or LastPass or something.
jasonhansel 57 minutes ago 1 reply      
Passwords stored by the browser can't be encrypted. Unlike with, say, LastPass, the browser doesn't have any "master password" to encrypt data with. Moreover, the passwords can't be stored as hashes (like in /etc/passwd), since websites require users to provide passwords in plain text.

Granted, if you use full-disk encryption, this concern is much less serious.

Ask HN: What to do with 3K visitors a month?
37 points by SpendBig  4 hours ago   33 comments top 21
philsnow 4 hours ago 1 reply      
What to do with them ? Do right by them. Try to figure out why they are using your site instead of some other one (slack comes to mind), figure out who your audience is, talk to them to try to find out who they are (not necessarily "what they want", because people will tell you all kinds of things), and give them what they need.

If, at the end of all this, you don't have a clearer idea about how to help these people to happily give you their time / money / eyeballs, then maybe just leave it be and enjoy $30 worth of beer each month or something.

zerognowl 15 minutes ago 0 replies      
Flattr is worth investigating: https://flattr.com/

Also you can ask for Bitcoin / Litecoin donations depending on how technical your visitors are. I know you want normal currency, but you can convert BTC using Coinbase and other exchanges

SpendBig 1 hour ago 1 reply      
Very nice, thanks for the feedback. To give it a bit more context.

The reason I'm not sharing the URL is because the code is somewhat outdated and may be insecure. In my spare time I'm working on a new version which matches some of the recent security 'standards'. The website started as a project just for learning how to develop a basic website with interaction between users. So about seven years ago I tried becoming a new instance of Zuckerberg. I started chatting about the website all over the chat places. I added a Twitter account, following (by hand :)) all those singles and lonely people out there hoping they follow back. Greeting them every day and helping other Twitter addicts keep their following list clean with new tools also presented within a backoffice on the same website.

My situation only allows me to work just a couple of hours a week on a side project. The reason I'm looking for some new ideas to monetize the project a bit more is because I want to buy a new house, like within a year or so. Just need a 100K in euros additionally to buy a nice place to give my son the full experience of life as much as possible in the way me and my wife dream about it. I can't just switch jobs, because the company I work for did a lot for me. And I am a very loyal person when it comes to people/businesses helping me out with stuff.

Now, for the chat service, it's more like a lonely-chat service. About 100 visitors a day, saying "Hi, is there anyone around here?" or something like that. Then, the silence is killing them, at which point they probably start clicking those ads :) So as I removed the useful stuff from the website, people started clicking more on ads, just to get away.

When I read the feedback, I think I should just add some sort of feedback button or create a popup with a textarea in which they can add their dream they expected to get in by entering the website. And then start building them those dreams, for just a penny a day.

vblord 4 hours ago 1 reply      
$30/month is pretty good for 3k in visitors I think. I get about 10k visitors and only make $25 off AdSense. What's your website address? I'd love to see where your ad placement is at. Maybe it has to do with the amount of time the users are on the site.

In terms of getting more $, affiliate income makes lots of money. In the old days when we used to run sites with adsense and affiliates, the affiliate income accounted for about 70% of the revenue. If you had a good place on your site for it, I'd start by looking in to the amazon associates program. FYI. The amazon affiliate pays out from 4% - 10% of the sale of the product.

aminozuur 4 hours ago 1 reply      
Why would you want to make it more profitable? The alternative is giving your users a better, ad-free experience. What makes you happier:
1) Getting $100/month in revenue
2) Having a fast growing group of users who love your web-app?
jayzalowitz 4 hours ago 2 replies      
We haven't monetized hackernoon.com at all and have instead focused on good content, and we are now well into the millions of monthly uniques. It's not worth the time to monetize 3k visitors.

xiaoma 3 hours ago 1 reply      
>"...but I dont have any clue on how to make it more profitable."

You probably won't fix that in this thread if you don't share the URL or even enough information about your chat site for people to give educated feedback.

What kind of users are they? Do they chat about everything or is there a theme or geographical niche? What kinds of ads are displaying through adsense? How long did it take you to get to 3k users? Do you feel like it will be hard to get more? Why did you throw up adsense at such low traffic?

Trufa 4 hours ago 0 replies      
You need to provide more information about the services you provide.

How specialized are you, maybe if you're incredibly specialized and have the right crowd, you can start having premium accounts, in exchange for special features.

3k is pretty low, for a chat service (in general, maybe for extremely specialized services it isn't).

If possible, try to expand your userbase, advertising? Social sharing? Affiliate programs?

The possibilities are endless and you live and die by the specifics of your niche.

Decide if you want to aim for massive, or niche, ads, premium features, freemium?

If you want more specifics, I think you need to be more specific in your question, but then I'll gladly expand.

stanmancan 4 hours ago 0 replies      
Aside from having ads on the site, your only real option is a paid plan. In that case, just start marketing the project as "beta" and add a pricing page that says the pricing is "coming soon". Continue building out features and once you get a good enough product to charge for add a paid plan and flip everybody else over to the default "Free Plan" that's limited in a way that users can still use the site, but have enough reasons to upgrade to the paid plan.

Whatever you do I'd try to listen to your users and see exactly what they want. 3,000 users really isn't very many and it would be really easy for them to disappear. Talk to your users, find out why they're using your site/service, keep that in mind when building out your feature set.

Edit: Keep in mind, building out the service and keeping it free is also an option, especially if you enjoy working on and running the site. If you listen to your users and keep improving the product, it's very possible to turn 3K monthly users into 300K. I run an API that has a front end site which gets around 175K monthly hits and brings in about $1300+ (CAD) a month from the ads. The site costs peanuts to run so I'm happy to serve the 35 million API calls for free and fund the project 100% via adsense. It just depends on how far you'd like to scale it and what your users are like.

throwawayValue 3 hours ago 1 reply      
It's a great feeling knowing that you've built something which is used by thousands of people, but even better when it's generating revenue to cover the costs (your time, hosting, etc). However, to put things in perspective you're really only talking about 100 visitors per day and $1 in revenue. Factoring that, I suggest focusing more on improving the site, growing its traffic, and then when it passes 500 visitors per day start focusing on revenue. If you prefer the AdSense route, make sure you've optimized your ad placements and the type of ads you're serving.

This advice is coming from someone who has a site doing roughly $5k month from AdSense via 275k+ visitors / 1.3M+ pageviews and it makes up about 30% of the site's revenue. Rest is from paid plans & affiliate marketing.

milesvp 4 hours ago 0 replies      
As a chat service, you may have some options for adding premium emoji, premium avatars, or other digital displays of wealth. Digital gifts can be another option. Ok Cupid is rumored to have made a lot on digital roses. Premium services like private rooms may have value as well.
namank 3 hours ago 0 replies      
Go to a startup meetup and hook up with someone you think will be great at marketing or knows something about the chat space that you don't.

Partner with them on making this more profitable.

jeffmould 3 hours ago 0 replies      
My question is do you have 3000 visitors or 3000 MAU? There is a big difference. With Adsense there are things to consider to increase your revenue, such as who your users are (location and demographic), the type of content on the site, and how long they stay on your site.

As others have pointed out, without knowing more about your site it's difficult to answer. But some suggestions. Try selling add-ons such as premium emojis or avatars. Look towards a premium account with added features as well.

ialex 4 hours ago 0 replies      
I work building tools for ad optimizers. The next step they take is to get an account for DFP and Ad Exchange (Google), which offers better revenue. There are also other ad networks you can configure on DFP to boost revenue, like PubGalaxy. The thing is you need to take time to test each one, or get help from a pro ad optimizer, and these days all big publishers are using header bidding. You can reach me at alejandro [at] ialex.org if you want more details.
montibbalt 4 hours ago 0 replies      
It's awesome that you made it this far, but to be honest 3k MAU just isn't enough. If you're making money through ads, you'll want more eyeballs on them so try getting more users! Depending on how far you want to take it, your username may unfortunately become very relevant.
afarrell 2 hours ago 0 replies      
Does your community share some set of problems in common? If so, look for sponsorship by an organization that makes money solving those problems.
kwhitefoot 3 hours ago 0 replies      
Where is it? If you had given us the URL you might have got a few cents more.
shanecleveland 3 hours ago 0 replies      
Is it oriented toward businesses? Or is there an angle to create a more business-oriented version? Better ad payouts in my experience, and more likely to pay for a service.
wehadfun 3 hours ago 0 replies      
You could probably sell ads on your own depending on the audience. If it's a bunch of CEOs on there you could probably sell ads for millions.
dismantlethesun 3 hours ago 0 replies      
Depends on what they're talking about. What's the name of your site?
strugglefun 3 hours ago 1 reply      
"Actors are cattle."

- Alfred Hitchcock

Ask HN: Developer salary at nonprofit in Bay Area?
10 points by m52go  5 hours ago   6 comments top 5
zephharben 4 hours ago 1 reply      
I worked at two technology-focused nonprofits over a stretch of 11 years (mostly in management). At a well-funded nonprofit, you can expect salaries to run around 25 - 30% below market rates.

For organizations that are closely aligned with humanitarian causes (e.g. health projects in the developing world), I've noticed a much higher gap, presumably because these organizations are able to attract talent that's more passionate about the cause/willing to accept lower compensation.

brudgers 2 hours ago 0 replies      
Non-profit does not mean charity, though it can. If the non-profit is well funded then there's not necessarily a reason that employees ought to make direct donations via their paycheck.

None of which is to say that a particular individual might not wish to take a position with a particular non-profit that pays less than market rate for a variety of reasons. Only that non-profits often pay full market rate for development [in the context of donors] and fund-raising and administrative staff as well as for services and goods from outside organizations.

Good luck.

zachlatta 3 hours ago 0 replies      
30% below market is considered competitive for well-funded Bay Area nonprofits. 70-80k for software engineers.
amorphid 2 hours ago 0 replies      
I'd say it depends on how well the non-profit is doing. I recruited a couple dozen engineers for a couple of successful non-profits in the Bay Area. They usually paid 10% to 20% less than my startup clients, and probably offered a less demanding life style.
sfrailsdev 4 hours ago 0 replies      
Non profits vary widely enough that you see places that can only take volunteer developer time and maybe provide some sort of tax benefit, maybe not, and places that pay something approaching market rate.

What's important is that you feel fairly compensated, and that you don't have to fight for that too hard, so that your income continues to grow.

Ask HN: How much do you make in London?
112 points by ldneng  8 hours ago   137 comments top 57
gringofyx 7 hours ago 2 replies      
Reading some of the amounts listed is a bit depressing, I thought that the increased cost of living in London would justify salaries and rates much higher than the average.

By contrast I know from personal experience you can earn the same or better than what's listed here outside of London and enjoy the lower cost of living.

strongai 8 hours ago 0 replies      
Senior technical author. I freelanced from 2004-2013. My very first London contract in 2004 was at 350 a day. Nowadays, it's crazy bad - anything from 200 to 400, maybe 450 if your domain knowledge is spot on. And Google - I'm looking at you - contract rates of 20-25 an hour have been bandied around in conversations with recruiters. So, no real market uplift in more than 10 years, which is why I'm now a permie (not in London) on 55K basic plus 20% bonus, no stock.
throwawaylon3 6 hours ago 1 reply      
Senior Software Engineer (and manager) at Google, ~15 years experience. 100k GBP salary, plus 20% bonus and stock vesting. Gross 200k+ GBP.
contingencies 1 hour ago 0 replies      
Hadn't worked in the western workforce in 7 years. Turned up in London in 2009, got 40k, kicked ass, had 60k within 3 months, up from there. These days I honestly wouldn't live in London for under 100k. I think the thing to do is contract work, live out of London (even in mainland Europe) if at all possible.
throwawayberlin 7 hours ago 1 reply      
Degree in Graphic Design, 8 years industry experience, started with Flash / ActionScript and moved to JavaScript about 5 years ago.

Freelance Flash animation / dev for big digital agencies and ad companies (5 years ago) - 250 p/h, with 3 years experience.

Tech Lead - Digital Agency in Shoreditch (1.5 years ago) doing Node / Ember / Angular / DevOps - 45k, however I chose a lower salary for more leave and flexible working hours.

Freelancing JavaScript dev (Node, Angular etc), digital agencies - approx 300-350 p/h

Now I work in Berlin in a dev role doing Node / React / Redux. 57k. My living expenses are 1/2 what they were in London, and I live in a central Berlin 1 bedroom apartment rather than shared housing.

barpet 7 hours ago 1 reply      
Those people @ 55 - 60k (EUROS) should really ask themselves if it's worth working in London.
bugahdug 4 hours ago 0 replies      
PHP Developer in the Southwest of UK (Devon, Cornwall, Somerset etc) 25k, no bonus - and that's about average. Living here isn't the cheapest either, 600pcm for a 2 bed flat, over 1,000 a year for water.

Really need to move towards the midlands (Bristol, Birmingham, Leicester, Staffordshire - cheaper rent, cheaper water, higher pay)

I've been a Dev for 7+ years.

LondonTA77 4 hours ago 1 reply      
ASIC design, 7 years here now. 45k + bonus + pension + healthcare. Without the bonus it isn't anywhere near what you'd get in a bank, explains why so many of my university mates took their EE degrees into finance. Probably partly due to the lack of hardware jobs in the capital. I've always found the name 'Silicon Roundabout' very ironic.
TamDenholm 8 hours ago 1 reply      
Contractor, PHP/Full stack, 11 years exp, 350 - 400 a day in London. Not risen much in 5-6 years, which is why I started doing other things like business consultancy.
ShinyCyril 7 hours ago 1 reply      
While we're on the subject of tech jobs in London... does anyone work with FPGAs?
frowaway_lon 7 hours ago 3 replies      
This is a bit depressing. In 2010 I retired from full-time post as Investment Bank, front office senior dev on 100K with 30-50% bonus, 20 years experience. C++, Java, Sybase, finance tech and domain knowledge, and colleagues in hot areas were getting way more than that. My impression that rates are dropping seems to be confirmed.
lozette 5 hours ago 1 reply      
Developer (currently at a startup) 62k, no stock but I do have a pension/healthcare.

17 years experience, initially as a general web developer, then front end, now more back end. Currently Ruby on Rails but I can turn my hand to almost anything.

Not a manager, not a senior developer, not a tech lead. No desire to be.

I work quite short hours (9.30-5) and that's what's most important to me.

J-dawg 4 hours ago 0 replies      
Front end developer, large IT consultancy, 35k, no bonus. Feeling underpaid.
spoonie 5 hours ago 0 replies      
"Intermediate" dev using Ruby-On-Rails mostly with a bit of Python, JS, and Go: 41k for the first year and 45k for the second.
EDIT: no stock, and only benefit was WFH 1 day/week, and 1% matched retirement savings plan.
noelwelsh 4 hours ago 0 replies      
I don't work in London but I know many people who do. The experienced Scala developers I know who work contracts get 500-700pd outside of banks, and 600-900pd in the banks.
londonite 6 hours ago 1 reply      
Throwaway for obvious reasons.

No degree. Around 10 years experience in Network Security.

- BigCo

- Permanent position

- Cloud stuff

- 66k plus bonus et al which pumps it up to around 88k

londontosser 3 hours ago 0 replies      
Yet another throwaway acct. 20+ years large-scale ops and security, last five with one of the "big five" tech companies. 100K base plus stock worth 150-200K/year depending on which way the market wind was blowing on vesting dates.

Currently doing my own startup and cyber-security consulting for 750-900/day.

ijuhoor33 7 hours ago 0 replies      
Senior iOS, contract, last year: 575 per day in a medium sized company. Switched to a smaller company as Team Lead for 500 per day.
gooseherald 3 hours ago 1 reply      
Contractor, currently 650/day. Hoping to increase that to 850/day by end of year. Experience > 15 yrs in web dev, though maybe only last 5 applies now (I don't do PHP 3 or perl any more).

Edit: long term so no "off" days & 150k ish per year depending how many holidays I take.

1_player 8 hours ago 1 reply      
Contractor 100% remote, full stack, 10y experience, currently 40/h, will increase to 50 before the end of the year.
ThrowAwayLondon 8 hours ago 2 replies      
(throwaway account for obvious reasons)

Web Developer in London for a dating company - 75000 pa (with bonuses it's around 110000 pa)

thrwwyldn777 7 hours ago 1 reply      
"Lead Developer" with a startup, 55k (I refused options in preference of salary).

I have a PhD (4 years programming), and ~4 years professional experience as well.

Previous roles:
Fresh Graduate: "Developer" 28k + 3k bonus.
Fresh PhD Graduate: "Senior Developer" 40k.

p0la 5 hours ago 0 replies      
Front-Office Quant Research in French bank, 4 years experience, 70k fix + 35k bonus. Definitely lower than what you would get in a US or UK bank.
wastedhours 8 hours ago 2 replies      
Are we only talking programmer side?

Digital marketing, education sector, 4 years experience: 39k + healthcare

jakub_g 7 hours ago 2 replies      
Semi-related question: How do you calculate taxes in UK? Is the base of the tax the salary offered by companies in job offers? I mean, with say 60k job offer, do I pay tax from 60k? (with the last 17k being taxed at 40%)?
asldfkweiorz 7 hours ago 1 reply      
Throwaway. Data Scientist, Insurance, FT, 39k a year, approx 3 years experience.
throwaway_27Sep 7 hours ago 0 replies      
Currently Senior Dev at a startup: 50k + 3.5% equity.
Previous Hedge Fund: 95k + 25-50% bonus.
Investment Bank: 80k + 25% bonus

Experience: 20 years as a dev.
Skills: full stack dev .net, angular, iOS etc.

santiagobasulto 7 hours ago 1 reply      
This is kind of offtopic, but "There's recently been a lot of discussion about how much people are making in different areas of the US". Where can I find that post? Thanks
surprised_dev 5 hours ago 0 replies      
7 years of experience, mostly PHP and Python. Started at 44, after 2 years 51k. Now got an offer for 80k~ as devops.
throwmeaway9 5 hours ago 0 replies      
Contract Senior Developer, stack is usually SPA (Angular/React) with "modern" .NET.

Current gig 475pd, to be honest I had better leads but the client offered the same day of interview and I started the following day.

I have 6 years experience and no degree.

Guy next to me does the same job for 53k.

Edit: media type of industry. Work normal hours, usually 9-5:30.

omurphyevans 5 hours ago 0 replies      
Senior Infrastructure specialist, big bank, 14 years, 450 a day, annualises to about 110k
bowchickabowwow 5 hours ago 0 replies      
I have a computer science degree and around 9 years experience doing full-stack web development (Ruby, PHP, Python, JavaScript). A year ago I was making 55k + around 5k worth of perks as a permanent employee. Now I'm doing freelance roles for 350-400 pd.
acta_non_verba 8 hours ago 0 replies      
Startup, full time employee, called Senior but I only have one year of commercial experience, 47,500. ~10% annual bonus & Stock Options.
nicolasMLV 7 hours ago 0 replies      
In 2013 I declined an offer (first job, graduate): software dev in bigco (IT Provider travel industry), 38K
throw9383 7 hours ago 1 reply      
For comparison, in Devon. Full stack senior developer, 20 years experience, full time - 42K.
mrsomeone7 7 hours ago 0 replies      
Developer contractor, nearly 20 yr exp., now mainly .NET, works out at just over 1 a minute :-)
throwawayPayLdn 7 hours ago 1 reply      
Just switched roles so can give two:

Small Investment Bank - 61k + ~30% Bonus (3-5years experience) Java / Angular - Back Office Developer - Permanent

Small Hedge Fund - 65k + 50%+ Bonus (expected/promised) - .Net / WPF (5years experience although not in .Net) - Permanent

throawaylondon3 7 hours ago 1 reply      
Senior front end developer. 4 years experience. Now a contractor on my first project at 350/day in a big company. Expecting this to rise to 400/450 for the next gig. A few months ago I was full time at a startup on 52K.
ldnthrowaway 4 hours ago 0 replies      
Startup, Software Engineer (JavaScript), 2.5 years experience (Grad May '14), 38k, 12% bonus.
throwmesalary 4 hours ago 0 replies      
At a major retail company, here are our published ranges:
Engineer 40-65K
Senior Engineer 60-80K
Principal 75-95k
wissam124 7 hours ago 1 reply      
Quant risk analyst for a commodities trading house

Base 67k
Bonus anywhere between 15 to 50%

jalev 7 hours ago 0 replies      
45k pa working as a DevOps for one of the console companies for 2 years.
throwaway782 7 hours ago 1 reply      
Snr Cloud / Infra. 650 day remote working (desk in London but physically in the office 1-2 days a month), 1 yr contract - but renewable. Annualised, 156K
thawlondon 5 hours ago 0 replies      
52k, some stock, healthcare. Senior dev in a video game company. ~8 year experience
ukthrowaway123 7 hours ago 0 replies      
Lead a team of 6 in one division of a medium sized org. Web services + api. ~10 years exp. 85k plus 30% bonus (expected), no stock.
middleman90 7 hours ago 1 reply      
6 years experience. software developer 450 per day
londondev998 7 hours ago 0 replies      
Senior developer with a front-end focus at a startup with some corporate backing, 7 years of experience, ~80k plus benefits.
Throwaway33333 7 hours ago 1 reply      
650 / day, almost all remote doing Hadoop and Redshift Consulting and POVs. Coding for 15 years, in Big Data for the past 5.
ThroAwayLondon2 8 hours ago 0 replies      
Established privately held (profitable) company, full-time tech-lead, Telecoms + Web + Backend, 10 years experience - 50k.
thrwaynow 7 hours ago 0 replies      
Contractor, 700/day, investment bank, back office role

10 years C++, specialised in low latency

throwaway723895 7 hours ago 0 replies      
Full stack (mostly PHP) contractor, 15 years experience, 100% remote, 400/day
uuidlondon 4 hours ago 1 reply      
Throwaway. 79k + stock option + benefits
throwawaythrowa 7 hours ago 0 replies      
Senior developer in the Civil Service, 8 years experience, 60k/year
le_ticket 7 hours ago 0 replies      
working for an engineering consultancy at a very senior technical level, overseeing big data projects, and doing some business development. 80k p/a plus benefits
throw31337 7 hours ago 0 replies      
Full time senior Java/Scala/JS @ 48K :/
idfsifdsjio 7 hours ago 0 replies      
throwaway account

Front office large investment bank. Java. Perm. 15 years in banking, 20 years in programming

110k - no significant bonus.

dan_b 8 hours ago 1 reply      
May I suggest something more anonymous like a google spreadsheet? Or a HN poll?
Ask HN: What do you use for remote access?
44 points by elwebmaster  16 hours ago   48 comments top 24
viraptor 15 hours ago 2 replies      
Zerotier - https://www.zerotier.com/

Create a network with automatic IPv6 addresses and start the management access service (likely ssh) on the zt0 interface. Then it "just works", regardless of NAT in between.

This is a completely userland solution however. You probably don't want to put real service traffic on it if you care about throughput. It's perfect for management however. (or just test it, maybe you can saturate your link anyway)

This works either by using the public servers for discovery, or you can set up your own dedicated endpoint(s). Either way, the traffic takes the direct route through the NATs, or within the local network if possible.

stuxnet79 15 hours ago 3 replies      
I tunnel everything through ssh (both local and remote port forwarding) and in some cases for the exact use-case you have mentioned (web server running on a raspberry pi that is behind a NAT). It works for me.

I've never set up a VPN and I'm not too knowledgeable about them. Should I set one up? I don't know. Toyed with the idea a few weeks ago up until I read this post on StackOverflow (http://serverfault.com/questions/653211/ssh-tunneling-is-fas...) - TLDR (VPNs are slow)

mbreese 13 hours ago 0 replies      
The easiest to setup should be port-forwarding on the router. If you trust putting your server on the internet, then that's the way to go.

But it really depends on the use-case. HTTP from behind NAT - that's easy, just port-forward. If you're talking about SSH access, then you have a few more options that you might want to explore (port forward, or tunneling to an external host). If you're talking more than one host behind the NAT, then you have another set of possible solutions (reverse-proxy HTTP servers, SSH gateways, etc...).

Care to give us more information?

Jimidy 12 hours ago 1 reply      
For VNC-style full desktop access, Teamviewer just works...it runs on Windows and Linux, is very fast, and (usually) doesn't need any special firewall/NAT rules set up. I believe on Windows at least, it can be used to establish a VPN as well.

Might be overkill if you just need to reach one particular service (e.g. HTTP(S)) though, in which case you could consider setting up a reverse proxy (e.g. using nginx) on a DMZ'd server?

tbronchain 14 hours ago 0 replies      
I was using a combination of a VPN and NAT rules to do so. Basically, machine A (the machine behind the firewall I want to connect to) would connect to machine B (a VPS or AWS instance - free tier micro instances are awesome for that matter!) using a VPN connection (pptp or openvpn or l2tp or whatever - pptp has the advantage of being super easy to set up and working out of the box on most linux distros. Not the most secure though, but to run SSH on it, it's good enough). I had a script to periodically check (every 1 minute or so) if the VPN connection was up and if not, try to reconnect. Then, I had some iptables NAT forwarding rules on machine B (let's call it gateway) to send all TCP traffic on a defined port to the machine A, port 22, using the VPN interface.

It had the advantage of being quite easy to set up for me as I'm quite used to setting up VPNs and NAT forwarding rules (having lived in China, bypassing firewalls is almost an everyday routine exercise :) Also, it worked perfectly well and the performance was reasonable. I could access my server at home, in Beijing, behind a NAT, a dynamic IP and the country's firewall, from anywhere in the world. I was happy!

There are surely other (better?) ways to do it though, and the autossh/reverse tunnels option looks very interesting.

xarope 13 hours ago 0 replies      
Use case is important, to determine what resources+tools you have access to/can deploy.

However, assuming this device/VM runs "unix", and to K.I.S.S., use reverse SSH tunnelling. Once an SSH tunnel is established on your side, you can do whatever you want... e.g. tunnel VNC through for GUI.

You can of course add more layers of security e.g. non-standard SSH port, dedicated VM/server for the SSH entry point, refresh SSH keys regularly etc.
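
The reverse-tunnel setup xarope recommends and tbronchain scripted by hand, written out as a script. This is an added example, not code from either commenter: the host behind NAT keeps a tunnel open to a bastion you control, with the ssh options that make the tunnel fail loudly instead of hanging, plus the "check and reconnect" loop. The bastion name, the tunnel user and the key path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. The host behind NAT ("the pi") keeps a
# reverse tunnel open to a bastion you control, so the bastion can reach the
# pi's sshd even though nothing can connect inbound to the pi.

# Print the ssh command that exposes local port $3 (default 22) as port $2 on
# the bastion's loopback interface. $1 is the bastion login (user@host).
# All names and paths are placeholders.
reverse_tunnel_cmd() {
    bastion=$1
    remote_port=$2
    local_port=${3:-22}
    # -N                      no remote shell, forwarding only
    # ExitOnForwardFailure    exit if the bastion port is still held by a stale
    #                         session, instead of staying connected without the
    #                         forward (otherwise the retry loop never notices)
    # ServerAliveInterval/Max notice a silently dropped NAT mapping within ~90 s
    # BatchMode               never prompt; fail fast when the key is rejected
    # IdentitiesOnly          offer only the tunnel key, so fail2ban on the
    #                         bastion does not ban you for trying other keys
    # -R 127.0.0.1:...        listen on the bastion's loopback only; GatewayPorts
    #                         on the bastion stays off
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -o IdentitiesOnly=yes -i /etc/tunnel/tunnel_key -R 127.0.0.1:%s:localhost:%s %s\n' \
        "$remote_port" "$local_port" "$bastion"
}

# The "periodically check and reconnect" part: run the tunnel and, whenever it
# exits for any reason, wait and start it again. autossh -M 0 with the same ssh
# options does the equivalent job if you would rather not own this loop.
keep_tunnel() {
    while :; do
        eval "$(reverse_tunnel_cmd "$@")"
        echo "tunnel exited with status $?, retrying in 10 s" >&2
        sleep 10
    done
}

# Usage: sh tunnel.sh tunnel@bastion.example.net 2222
# On the bastion the pi is then reachable as:   ssh -p 2222 pi@localhost
# From your laptop in one hop:  ssh -J tunnel@bastion.example.net -p 2222 pi@localhost
if [ $# -ge 2 ]; then
    keep_tunnel "$@"
fi
```

The tunnel key that lives on the pi should be a dedicated key whose authorized_keys entry on the bastion allows port forwarding and nothing else, so that a stolen pi buys an attacker the tunnel endpoint and not a shell on the bastion.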

notacoward 8 hours ago 0 replies      
When I'm on the road, I use tinc from the server in my home office out to a bastion server I have in the cloud. Separate keys and passphrases, no ssh-agent to keep the passphrases around for anyone who gets their hands on my laptop. Super simple to set up, and hasn't failed me once in several years. I guess you could argue that tinc isn't the most secure option, but I'm not too concerned about somebody managing to be in the middle of that path. The bastion's the thing that has to be most hardened against attack.
stevekemp 13 hours ago 2 replies      
IPv6. This allows my hosts to be accessible to the internet, even though they're behind routers/NAT devices.
JoachimSchipper 15 hours ago 1 reply      
The semi-standard solution is a VPN, e.g. OpenVPN or IPsec, to an external server.
joefarish 9 hours ago 0 replies      
A very "low-tech" solution but Chrome Remote Desktop is very easy to set up and works well if you want to use an Android Phone/Tablet to connect to the device/VM.


theCodeStig 12 hours ago 0 replies      
All you need is SSH and SSH config. There are a lot of tutorials out there, but I find many of them are based on older versions of SSH which lack a bit more sugar around proxying.

Essentially you will add a directive to SSH config for the NAT host, and the host that you want to access. In the directive for the host to access, you will specify that you're proxying through the NAT host.

You can then leave out all of the port forwarding options when connecting to the target host, SSH will pick that up from the config file.

gamedna 14 hours ago 0 replies      
probably tmi but any / all of the following:
- SSH (direct or tunnels)
- VNC (usually over ssh or VPN)
- RDP (usually over ssh or VPN)
- VPN (openvpn or ipsec)
- MikroTik Router at home with site-to-site VPN to my DC and Office
- Mobile Hotspot (always a must when traveling)
- Last resort: Dial direct with 56.6kbps modem to DC when there is an internet uplink failure or DDoS attack.
jimmaswell 12 hours ago 1 reply      
SSH for Linux or TeamViewer for Windows, there's also Hamachi for Linux which worked when I needed to use it once
santa_boy 11 hours ago 0 replies      
I access through http/https using [Wetty](https://github.com/krishnasrinivas/wetty) within an Electron shell and it works perfectly!
notatoad 14 hours ago 1 reply      
perakojotgenije 13 hours ago 0 replies      
SSHreach.me - https://sshreach.me/
andrewchambers 13 hours ago 1 reply      
whisk3rs 14 hours ago 1 reply      
tor hidden services. slow, but secure!
codemac 12 hours ago 0 replies      
I use tinc + mosh/ssh, and it's wonderful. I highly recommend it.
mynameislegion 14 hours ago 1 reply      
Port forwarding, reverse SSH tunnel or Tor onion service. All three for more reliability.
nzjrs 13 hours ago 0 replies      
Zerotier one
vacri 11 hours ago 0 replies      
OpenVPN on the bastion host, and ssh over the VPN. If you don't control the bastion, then you need something that 'phones out' (could use a reverse ssh session for small scale stuff)
ilaksh 14 hours ago 0 replies      
In the past I have used ssh port forwarding, LogMeIn Hamachi, and tinc. All seem to work ok.
Ask HN: How long is your daily commute?
8 points by servlate  4 hours ago   16 comments top 14
soulnothing 26 minutes ago 1 reply      
2 -> 2.5 hours one way

Bus to train station. The trains and buses rarely match up so there's a good bit of wait time at either end.

facorreia 59 minutes ago 0 replies      
None -- I work from a home office. It used to be 2 hours per day.
codegeek 1 hour ago 0 replies      
zero commute now. But to share, I used to commute 2.5 hours ONE way daily (Car + Bus combo). Yea, don't ask. I did it for almost 2 years. Job was good, money was good except for that commute. Now I work for myself from wherever I want :)
lsiunsuex 3 hours ago 0 replies      
12 minutes via car each way - about 5 miles. Have been considering biking to work and home but there was quite a bit of road construction this year - maybe next year (snow will be here soon)
blabla_blublu 1 hour ago 0 replies      
20 minutes by public transport each way + 10 minutes walk each way.
mod 1 hour ago 0 replies      
My last commute was ~40 minutes each way. Edit: Car.
poppingtonic 4 hours ago 0 replies      
By public transportation: 45 minutes each way 10 for vehicle delays, since the system I use is inefficient. Good time to read and listen to podcasts, though.
pedoh 3 hours ago 0 replies      
50-80 minutes depending on direction of travel and traffic, on a motorcycle (legal lane splitting in California)
hunterjrj 4 hours ago 0 replies      
Depending on traffic, anywhere from 30 - 50 minutes in the AM and 25 - 45 minutes PM (by car).
zeristor 3 hours ago 0 replies      
42 minutes Tube each way, hopefully off peak + walking. An hour door to door.

Time to read.

OutwitEvil 3 hours ago 0 replies      
By Car, 8.5 miles. AM 20-30 minutes, PM 30-40 minutes.
namank 3 hours ago 0 replies      
10 seconds, I live across the street.
jgrahamc 4 hours ago 0 replies      
30 minutes by bicycle each way
tmaly 4 hours ago 1 reply      
by car between 45 min and 60 min each way.

by train 2 hours each way

Ask HN: Motivation
6 points by usernamebias  4 hours ago   3 comments top 3
JSeymourATL 4 hours ago 0 replies      
> The work is mundane and repetitive.

Deep work is hard, not always satisfying. Generally speaking, progress equals happiness. What's important to you? What do you want to achieve? Why?

Robbins has a good system for creating an action plan > https://www.youtube.com/watch?v=78pwjZ7lzBI

Jtsummers 3 hours ago 0 replies      
You mention work, exercise, and work. What do you do socially? Try to keep up the current routine, but change some nights for nights out with friends (or nights in) each week. You may be experiencing some loneliness with your burnout.

In my experience, burnout comes from too long as a student/worker (even self-employed) without giving yourself a break (among other things, but this is a common start to it). Maybe find some other hobbies to help you out, even if they're only intermittent (like my infrequent gaming hobby). They give you something entirely different to focus on for a few nights each month. That break can do wonders for your motivation and focus when you return to your other projects.

RUG3Y 3 hours ago 0 replies      
I feel the same as you. Completely unmotivated and burned out.

I wish I had some good advice for you, but I'm still trying to figure it out myself.

Ask HN: What would work well in a country built on the Unix Philosophy?
13 points by Numberwang  22 hours ago   12 comments top 4
sova 22 hours ago 2 replies      
If all legislation followed the model presented by git (versioning, increments, branches, merges, and total transparency) I think that it would reflect positively on a true democracy.

The next step, however, would be to educate the populace so that all voters were informed, and that voters would be presented (in an elegant fashion) with what is relevant to their districts on the three tiers of national, state, and local policy. I don't know if Unix has a good metaphor or reflection of this, but unix is meant to be a) modular and b) minimalist, so if we can sponsor the idea of true modularity in voting, I think we could see some full-participation schemes that are not overwhelming. I don't have to vote on every issue, but could vote on collections of issues that reflect my general ideology or current understanding of what best suits the republic.

Another issue though, is ownership. In the Feudalistic Republic of the United States (as of 2016) it's hard to describe a system that could be adopted reasonably that promotes the idea that all the nation belongs to everyone in it. We have some things like "the right to life, liberty, and property [often misquoted as 'happiness' at the end here]" and how does one reconcile this idea of property with a truly harmonious community? Good question.

So in short, the basis of the Unix philosophy would help (especially with law versioning, that is just what needs to happen and is so brilliant and clear I am surprised there is not greater traction for it). All Laws need time limits (and easy renew options if they are good)... And the entire populace needs higher quality information that [forces?] causes people to consider the community at large.

/rattle like a snake

oftenwrong 2 hours ago 1 reply      
National PKI. Every citizen would have a key pair. I believe I have read that Estonia has implemented this.
arkitaip 22 hours ago 2 replies      
How do you define The Unix Philosophy as applied to a country? Software doesn't come close to the complexity of an entire country so your analogy could possibly be fundamentally mismatched...
angersock 22 hours ago 0 replies      
The plumbing, presumably.
Ask HN: What are the best practises for using SSH keys?
293 points by TheCustardKing  2 days ago   106 comments top 25
dsl 2 days ago 3 replies      
From my experience as an attacker --

 - Is it better to use a different passphrase on each key, or does using the same one not matter much?
 - How much less secure is it to not use a passphrase on a key?
 - Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
None of these things really matter that much. Make sure you use full disk encryption and never stand up from your machine without locking it, and make sure you keep your local machine patched. If I get code execution on your machine, I am going to use whatever keys are loaded in your ssh-agent to pivot, hijack your existing open sessions, or modify your ssh client to dump the keys I need.

 - Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
Key length is a protection against the future, and against state level actors. Right now, key length doesn't matter much to me because I'm more focused on just stealing your keys from you regardless of length.

daurnimator 2 days ago 4 replies      
I consider best practice to be using a hardware token.

My favoured solution is to use a YubiKey via gpg: with this method you use your gpg subkey as an ssh key. The YubiKey 4 supports RSA 4096 bit keys, if you need NFC then the YubiKey NEO supports max RSA 2048 bit keys.

regularfry 2 days ago 1 reply      
The first rule: never share a private key between physical devices. Apart from reducing the opportunities for it to go walkies in transit, or accidentally get left on a USB stick, it allows you to revoke a single credential if you lose (control over) that device.

From that, we get:

 - you're not sharing passphrases between keys, you're sharing them between devices, and whether that's safe depends how likely it is that a compromised passphrase on one device can be transferred by an attacker to another.
 - Similarly, whether a blank passphrase is a good idea or not depends on what other measures are protecting access to that private key.
 - If a private key ever turns up on the wrong machine, you *know* the key and both source and destination machines have been compromised.

facetube 2 days ago 0 replies      
If you have a lot of machines, SSH certificates are supported in OpenSSH 5.6+ and are awesome: https://www.digitalocean.com/community/tutorials/how-to-crea.... They allow for centralized management of authentication/authorization without having to touch each machine (beyond an initial trust relationship setup).
mlonkibjuyhv 2 days ago 3 replies      
This is probably the wrong forum, but I have a question or two that I see as related.

I have set up a VPS, disabled passwords, and set up a key with a passphrase to gain access. At this point my greatest worry is losing this private key, as that means I can't access the server.

What is a reasonable way to backup my private key?

Encode it as something similar to a QR-code, print it, and store it in a hole in the wall? Copy it to an USB-stick and hide that somewhere safe?

Alternatively, I have access to more than one computer, so I could also authorize a couple of other keys to access the server. So I would transfer the public key to the authorized machine, and add them to the authorized_keys from there?

How to deal with the possibility of death? Do I trust someone with my keys and passphrases?

zimbatm 2 days ago 5 replies      
If you use fail2ban make sure to pin the right key to the right host. Otherwise ssh will try all the keys and get you banned from your own host. The easiest way is to use the ~/.ssh/config:

 Host myhost
     IdentityFile ~/.ssh/myhost

mynameislegion 2 days ago 0 replies      
The classical document about this:


daenney 2 days ago 0 replies      
> - How much less secure is it to not use a passphrase on a key?

This is a question of layers. If you don't have a passphrase on your key, what stops someone from gaining access to it? Just your account password? If they steal your device, is there some form of storage encryption involved?

> - Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?

I have different keys for different purposes per client device. This is mostly because sometimes I need to log in to places that are ancient enough that I need to use a weaker key than I would like to use in other places, or vice versa: there are places I can only log in with ed25519 keys.

Though having different keys per purpose isn't necessary, it allows me to keep certain identities separate. I have a different one for GitHub for example, mainly because GitHub exposes my public key and therefore allows for clever tricks like tying the key to an established identity should I use that key to authenticate in other places.

I would also recommend configuring SSH so that it doesn't send over any/all keys by default. Take a look at the IdentitiesOnly option in ssh_config.
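
An ssh_config that puts the two preceding points together with theCodeStig's proxying setup from the NAT thread: one stanza for the publicly reachable NAT host, one for the box behind it that goes through the NAT host with ProxyJump (OpenSSH 7.3+), each with its own key pinned by IdentityFile and IdentitiesOnly so ssh never offers every key in ~/.ssh to every host (zimbatm's fail2ban problem). This is an added example, not code from any of the three comments; host names, addresses and key paths are placeholders. The script also shows how to check what ssh will actually use, with `ssh -G`, which evaluates the config for a host without connecting.

```shell
#!/bin/sh
# Added example, not from any comment in the thread. Writes an ssh_config that
# (a) reaches a host behind NAT through the publicly reachable NAT host with
# ProxyJump (OpenSSH 7.3+), and (b) pins one key per host with
# IdentityFile + IdentitiesOnly. Then it resolves what ssh would actually use
# via `ssh -G`, which evaluates the config without opening a connection.
# Host names, addresses and key paths are placeholders.

write_pinned_config() {   # $1 = path of the config file to write
    cat > "$1" <<'EOF'
# The host that is reachable from the Internet (router, VPS, ...)
Host nat
    HostName nat.example.net
    User admin
    IdentityFile ~/.ssh/nat_ed25519
    IdentitiesOnly yes

# The box behind NAT. "ssh pi" goes through "nat" automatically, so no
# -L/-R/-W flags are needed on the command line.
Host pi
    HostName 192.168.1.20
    User pi
    ProxyJump nat
    IdentityFile ~/.ssh/pi_ed25519
    IdentitiesOnly yes
EOF
}

# Print the value ssh would use for option $3 (lower-case keyword) when
# connecting to host $2 with config file $1. `ssh -G` prints one
# "keyword value" line per option, which beats guessing which Host stanza
# matched.
resolved_option() {
    ssh -G -F "$1" "$2" | awk -v key="$3" '
        tolower($1) == key { sub(/^[^ ]+ /, ""); print; exit }'
}

# Usage: sh pinned.sh --demo
if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp)
    write_pinned_config "$cfg"
    for host in nat pi; do
        for opt in hostname proxyjump identityfile identitiesonly; do
            printf '%-4s %-14s %s\n' "$host" "$opt" "$(resolved_option "$cfg" "$host" "$opt")"
        done
    done
    rm -f "$cfg"
fi
```

With the stanzas in your real ~/.ssh/config, `ssh -G pi | grep -i identit` shows the same thing without the `-F`, and `ssh -v pi` should then log exactly one "Offering public key" line per hop.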

Normal_gaussian 2 days ago 1 reply      
- Is it better to use a different passphrase on each key, or does using the same one not matter much?

Yep in an ideal world, though I suspect in practice it doesn't matter much.

- How much less secure is it to not use a passphrase on a key?

You are relying completely on the security of your disk, against either physical or cyber. Use a passphrase, use an agent to manage it.

- Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?

Per client device. This is the device that can be compromised and cause invalidation to be required, so this is the one which should be separate. For convenience you can maintain all your devices' public keys concatenated together and hand them out like that - comment each with hostname and date created for ease of identification.

- Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?

Up to a point. RSA in 8 bits is trivial. Go for a highish key length; different key types have different recommended lengths. Note some machines don't support higher lengths.

- How/Where should private keys be stored on a device using them?

In $home/.ssh

Permissions should be set for only you to read with no writing. Even better if your home drive is encrypted as it is only vulnerable whilst you are logged in.

- What are some of the pros and cons from a security standpoint, and how may doing different things affect the usability of a key?

If you hop machines a lot key per client can be problematic. In this case a portable secure drive is useful. Of course one leak can be fatal here.

Try not to fall back on passwords, they have nothing like the same security.

Most usability issues are caused by the people running the servers not reacting in a timely fashion to key updates.

asdfaoeu 2 days ago 1 reply      
Some general advice based on most requirements.

- Is it better to use a different passphrase on each key, or does using the same one not matter much?

If they are being used on different devices then different passphrases make sense, otherwise no.

- How much less secure is it to not use a passphrase on a key?

10? Not sure you can really quantify an answer. I'd recommend a passphrase if you aren't already using disk encryption with that it's probably less of a concern however with agents there's not much issue with not having one.

- Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?

Use a different key per client device but you don't need a different key for logging into different servers unless you care about people correlating those users.

- Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?

Use more than 2048-bit for RSA/DSA; beyond that it doesn't matter.

- How/Where should private keys be stored on a device using them?

~/.ssh on some local filesystem.

po1nter 2 days ago 1 reply      
> - Is it better to use a different passphrase on each key, or does using the same one not matter much?

It is better to use a different passphrase for each key but it is also less convenient unless you're using a password manager (personally, I'm using KeePass)

> - How much less secure is it to not use a passphrase on a key?

That depends on the security of the computer where the keys are. I remember a Firefox vulnerability where one site exploiting it was looking for ssh keys on the local file system. So I'd say that a passphrase is very important.

> - Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?

Personally I'm using a key per account per host.

> - Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?

Yes up until 2048 where the returns of increasing the amount of bits will start diminishing.[1]

 [1]: https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096

zimbatm 2 days ago 1 reply      
> How much less secure is it to not use a passphrase on a key?

It's better to think about specific attack scenarios. If your keys get exfiltrated because of some local exploit (like a browser vulnerability, a malware download or physical access) then the attacker has access to your servers.

jijojv 1 day ago 0 replies      
From a pragmatic end-user perspective.

1) Disable passwords and only allow keys even for root with PermitRootLogin without-password

2) public-key authentication has somewhat unexpected side effect of preventing MITM per this security consulting firm http://www.gremwell.com/ssh-mitm-public-key-authentication
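
Point 1 above is easy to get wrong in practice, because of how sshd reads its config: the first value it sees for a keyword wins and later duplicates are silently ignored, keywords are case-insensitive, and an absent keyword takes sshd's built-in default (PasswordAuthentication defaults to yes). The following audit script, an added example rather than anything from jijojv's comment, resolves the effective value the way sshd does and flags the weak settings, including the keyboard-interactive path through PAM that keeps password prompts alive even after `PasswordAuthentication no`. The sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an sshd_config for the settings
# that key-only login relies on. Three sshd rules make a plain grep unreliable:
# the FIRST value read for a keyword wins, keywords and values are
# case-insensitive, and an absent keyword takes the built-in default.

# Print the value sshd would use for keyword $2 in file $1, lower-cased,
# or nothing if the keyword is not set at top level. Lines after the first
# Match block are skipped, since those values only apply conditionally.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/) }
        n == 0 || f[1] ~ /^#/    { next }                      # blank or comment
        tolower(f[1]) == "match" { exit }                      # conditional block
        tolower(f[1]) == key     { print tolower(f[2]); exit } # first wins
    ' "$1"
}

# Print one line per weak setting in $1; return 0 if nothing was found.
audit_sshd_config() {
    cfg=$1
    bad=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '${pw:-unset, default yes}'"; bad=1
    fi
    # Unset is treated as weak: the default was "yes" before OpenSSH 7.0.
    # "without-password" is the pre-7.0 spelling of prohibit-password.
    root=$(sshd_effective "$cfg" PermitRootLogin)
    case "$root" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "PermitRootLogin is '${root:-unset}' (want no or prohibit-password)"; bad=1 ;;
    esac
    if [ "$(sshd_effective "$cfg" PubkeyAuthentication)" = "no" ]; then
        echo "PubkeyAuthentication is disabled"; bad=1
    fi
    # With PAM, keyboard-interactive auth can still prompt for the account
    # password even when PasswordAuthentication is no. Older configs spell
    # this keyword ChallengeResponseAuthentication.
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    if [ "$kbd" != "no" ]; then
        echo "keyboard-interactive auth is '${kbd:-unset, default yes}': PAM may still ask for a password"; bad=1
    fi
    return $bad
}

# Constructed sample with the classic mistake: a second PasswordAuthentication
# line added later that sshd ignores because the first one already set it.
write_weak_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# added later, has no effect: the first occurrence above wins
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}

# Constructed sample of the intended configuration.
write_hardened_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

On a live host, `sshd -T` prints the fully resolved configuration (including Match evaluation for a given user with `-C`) and is the authoritative check; the script above is for reviewing config files you cannot run sshd against, such as ones sitting in a configuration-management repository.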

mixmastamyk 1 day ago 0 replies      
I upgraded to ed209 the other day as well.

Two questions came up, how many iterations to use via "-a ", and should I add the private key to my home folder repo in version control? I don't want to lose it in a disk crash, but don't want to give it to bithub either.

steventhedev 2 days ago 0 replies      
It depends heavily on your threat model. Just about any key is an improvement over using passwords to authenticate. If you want protection from state-level actors, you need to be really careful and consistent.

Regarding key types:

- DSA keys (ssh-dss) suffer from several issues (fewer bits, bad RNGs in Debian, other issues), and modern versions of OpenSSH deprecate it.

- RSA is pretty standard, and generally speaking is fairly secure for key lengths >=2048. RSA-2048 is the default for ssh-keygen, and is compatible with just about everything.

- ECDSA is largely considered compromised because it wasn't well documented how NIST arrived at the constants it chose for the cryptosystem, and the assumption is that the NSA chose them to provide a "backdoor" (so it would provide the same security for a general attacker, but be significantly easier for them). This was confirmed as being theoretically possible, and there is of course concern that the NSA could potentially leak those constants, instantly breaking the security of this cryptosystem.

- ED25519 is more or less the same as ECDSA, but was put together by DJB. The big advantage here is speed. EC crypto is much faster to sign, slightly slower to verify, and equivalent security can be achieved with fewer key bits.

- Notes for the future: both RSA and ED25519 become insecure against quantum computing (integer factorization and discrete log are both in BQP).

Generally, use RSA if you work with older servers that only support it, or ED25519 if you like shiny things. Otherwise it's a bit of a tossup.

Regarding using separate keys:

- I follow the philosophy that a private key should never leave the host it was generated on. If you aren't sharing keys between machines, you remove the risk that you'll accidentally share it publicly.

- Beyond that, I'd recommend at a minimum having separate work/personal keys. Keeping separate keys for each user/host you want to log into is a tad excessive, but can be useful for key revocation/rotation.

Regarding passphrases on keys:

- Yes. FDE is sometimes trivial to bypass, and you want to be protected in case someone sets your ~/.ssh folder to be synced to dropbox/samba/etc. You can use an agent to keep the decrypted keys in memory, but I'd avoid using agent forwarding.

Regarding bastion hosts:

- You didn't ask about this, but it is essential for a "best practice" setup.

- Bastion hosts are small VPS hosts that basically run sshd and have a static IP. You disallow any ssh traffic except from your bastion hosts to your servers.

- You'll want to have at least 2 bastion hosts with different hosting services, in case one isn't available.

- Run sshd on your bastion host on a port other than 22. Not for security, but for reducing log volume.

- Run fail2ban on your bastion host, even if you've disabled password authn. Again, not for security, but for reducing log volume.

- Set up fail2ban to alert when a new IP successfully logs in.

Other stuff:

- SSH can use certificates for authentication, and this can make the key distribution problem much easier to solve. I have a script that makes this easier.

- Push for everyone in your organization to use SSH keys, and only SSH keys.

- Defense in depth. All it takes is skipping one step and you expose yourself. Assume that something that was exposed has been compromised. An attacker only needs to succeed once.

tl;dr - the defaults are fine and password protect your keys.
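
The certificate mechanism mentioned under "Other stuff" above (and in facetube's comment further up) is short enough to show end to end. The script below is an added example, not steventhedev's script nor the tutorial facetube links to: a CA key signs a user's public key with a principal list and an expiry, every server trusts the CA with one sshd_config line instead of carrying a copy of each user key, and revocation is a KRL file the servers read. It runs entirely inside a scratch directory and needs only ssh-keygen; all names are placeholders.

```shell
#!/bin/sh
# Added example; not facetube's linked tutorial nor steventhedev's script. The
# minimal OpenSSH certificate workflow: a CA key signs a user's public key with
# principals and an expiry, the server trusts the CA (one sshd_config line),
# and revocation is a KRL the server reads. Everything runs under a scratch
# directory, so it touches neither ~/.ssh nor any server.

# Create the CA key pair in directory $1. In real use the private half lives
# offline or in an HSM; only user_ca.pub is copied to servers.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$1/user_ca"
}

# Sign $2.pub with the CA in $1. $3 is the comma-separated principal list
# (the account names this cert may log in as), $4 the validity in ssh-keygen
# -V syntax, e.g. +52w. Output is $2-cert.pub, which ssh picks up
# automatically when it sits next to the private key.
issue_user_cert() {
    ssh-keygen -q -s "$1/user_ca" -I "$(basename "$2")" -n "$3" -V "$4" "$2.pub"
}

# Print the principals recorded in certificate $1, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^ *Principals:/            { inlist = 1; next }
        inlist && /^ *[A-Za-z ]+:/  { exit }      # next section begins
        inlist                      { sub(/^ +/, ""); print }'
}

# Add certificate $2 to the KRL $1/revoked.krl (created if missing).
# Servers load it with "RevokedKeys /etc/ssh/revoked.krl".
revoke_cert() {
    if [ -f "$1/revoked.krl" ]; then
        ssh-keygen -q -k -u -f "$1/revoked.krl" "$2"
    else
        ssh-keygen -q -k -f "$1/revoked.krl" "$2"
    fi
}

# True when KRL $1 lists certificate/key $2.
is_revoked() {
    ssh-keygen -Q -f "$1" "$2" 2>/dev/null | grep -q 'REVOKED$'
}

# Server side, for reference (sshd_config on every host, no per-user keys):
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   RevokedKeys       /etc/ssh/revoked.krl
# A user then runs "ssh alice@server" and sshd checks that "alice" is among
# the certificate's principals and that the cert has not expired.

# Usage: sh sshca.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_ca "$d"
    ssh-keygen -q -t ed25519 -N '' -C alice -f "$d/alice"
    issue_user_cert "$d" "$d/alice" alice,deploy +52w
    ssh-keygen -L -f "$d/alice-cert.pub"
    revoke_cert "$d" "$d/alice-cert.pub"
    ssh-keygen -Q -f "$d/revoked.krl" "$d/alice-cert.pub"
    rm -rf "$d"
fi
```

The expiry is what makes this scale: a cert issued for a week or a day needs no revocation at all when someone leaves, and the KRL is only for the cases where you cannot wait.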

benkaiser 1 day ago 0 replies      
Relevant xkcd: https://xkcd.com/538/
jamiesonbecker 2 days ago 0 replies      
> Is it better to use a different passphrase on each key, or does using the same one not matter much?

Using a passphrase is highly recommended except for server-to-server accounts, which should be locked down (and specify the specific command that server can execute in the authorized_keys file - Userify[1] supports this).

You should definitely use a different passphrase for keys stored on separate computers, and it's not a bad idea to use a different passphrase for separate keys stored on the same computer, especially if they have different servers they can access. However, practically speaking, if your computer was compromised (ie keylogger etc) then it's game over anyway.

> Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?

Yes, it does make a difference, depending on what you mean by "real-world". Anyone less than a state-level actor will probably be unable to cost-effectively attack even a 1024 bit key, but that won't be true for long. We suggest 2048 bit keys if you are using RSA, with 4096 if you prefer extra security and don't mind slight latency during a connection, or ED25519 for keys on systems that support it. Generally the defaults are pretty good. We have a HOWTO for different OS's here: https://userify.com/docs/generating-ssh-keys-on-ec2/

> How much less secure is it to not use a passphrase on a key?

From the server's perspective, it's EXACTLY the same, but from the client (your laptop's) side, it's completely different. While it's possible that your laptop could still contain your decrypted key in its key manager's RAM or suspended state (ie unencrypted swap file etc), the use of a passphrase even on (actually, ESPECIALLY on) a non-full-disk encrypted system will raise the level of effort to access your key to near-impossibility levels, especially from non-state actors, whereas a key that has NO passphrase is a piece of cake. Use a passphrase EVEN WITH full disk encryption (for example, the evil maid attack)

> Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?

If you're using a different key and storing them on different computers, you should probably use a different passphrase on each key. The passphrase (or even if one exists) is not visible to remote servers (or Userify[1] - we provide a free-text field that becomes your authorized_keys on remote servers.)

You don't need to use a different key per user account, although you can. You also should not use a different key per server.. that will turn into a management nightmare. It's perfectly ok to use one key everywhere, but you should probably use a different key on your laptop and desktop, or if the keys have different levels of access (Userify[1] can automate that for you too).

> How/Where should private keys be stored on a device using them?

Ideally on a device using full-disk encryption, including swap and laptop suspend space, to prevent access to a decrypted key in RAM (you are using a passphrase, right?). However, FDE does not protect you from other compromises on your system (i.e., another user that gains escalation to root and installs a key logger), and does not protect against a compromise of your BIOS (i.e., Intel UEFI) or boot process (evil maid attack again).

> What are some of the pros and cons from a security standpoint, and how may doing different things affect the usability of a key?

Keys are safer than certificates because there are fewer moving parts and no outside requirements for your internal CA or dependency on a CA that might go down. Keys can be a management nightmare at scale, but there is software to manage them (ie Userify[1], ManageEngine[2], BeyondTrust[3], ssh universal key manager[4], keybox[5] (free/open source), etc). If you are doing a small project with few team members, you can also do management with Chef, Puppet, etc, or just by hand.

In terms of usability, a real key solution that manages keys across entire groups of servers with a few clicks can be really helpful... you can do all of the regular SSH things like tunneling (replace stun/sslwrap, etc), proxying all of your other traffic (SOCKS5), keep SSH connection alive (autossh etc), smart ban based on failed attempts (fail2ban, deny hosts), forward encrypted X11 or VNC connections, forward SSH itself (tunnel SSH within itself), and so much more.

We're going to start blogging about all the awesome things you can do with SSH soon, since it's really an amazing and deep protocol.

1. Userify https://userify.com Free cloud and on-premises versions available; full disclosure: I work there

2. ManageEngine: https://www.manageengine.com/

3. BeyondTrust: https://www.beyondtrust.com/

4. SSH Universal Key Manager: http://www.ssh.com/ (no TLS?)

5. Keybox http://sshkeybox.com/
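
Two helpers for the server-to-server advice in this comment (specify the command a key may run in authorized_keys), added here as an example and not taken from Userify or the commenter: one builds a locked-down entry, the other audits an existing authorized_keys file for automation keys that carry no command= restriction. Key blobs in the sample are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not Userify's code. Helpers for the "specify the command that
# server can execute in the authorized_keys file" advice: one builds such an
# entry, one audits an authorized_keys file for keys without a command=
# restriction. Key material in the usage below is a constructed placeholder.

# Emit an authorized_keys line for the public key in file $3 that may only run
# $1, only from the address pattern $2, with pty, agent forwarding, port
# forwarding and X11 all off. "restrict" (OpenSSH 7.2+) disables every option,
# including ones added in later releases, so permissions are explicitly opted
# in. The forced command sees what the client asked for in
# $SSH_ORIGINAL_COMMAND and can validate it (rrsync does this for rsync).
restricted_entry() {
    cmd=$1; from=$2; keyfile=$3
    printf 'restrict,from="%s",command="%s" %s\n' "$from" "$cmd" "$(cat "$keyfile")"
}

# List entries in authorized_keys file $1 that have no command= option. The
# options field, when present, is everything before the key type; a quoted
# command may contain spaces, so fields are re-joined after locating the key
# type (a "ssh-"/"ecdsa-"/"sk-" token followed by a base64 blob).
unrestricted_keys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            ki = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i+1) ~ /^[A-Za-z0-9+\/]+=*$/) { ki = i; break }
            if (ki == 0) { print "line " NR ": not an authorized_keys entry"; next }
            opts = ""
            for (i = 1; i < ki; i++) opts = opts (i > 1 ? " " : "") $i
            comment = ""
            for (i = ki + 2; i <= NF; i++) comment = comment (i > ki + 2 ? " " : "") $i
            if (opts !~ /(^|,)command=/)
                print "line " NR ": " $ki " " (comment == "" ? "(no comment)" : comment) " has no command= restriction"
        }' "$1"
}

# Usage: sh ak_audit.sh ~/.ssh/authorized_keys
#        restricted_entry '/usr/bin/rrsync /srv/backup' '10.0.0.0/24' backup.pub >> ~/.ssh/authorized_keys
if [ $# -eq 1 ]; then
    unrestricted_keys "$1"
fi
```

Interactive user keys will of course show up in the audit output too; the point is to review the list and be able to say, for every entry, why it is allowed a shell.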

Tharkun 2 days ago 0 replies      
If you use multiple identities, and want to reduce the odds of accidentally using the wrong one, then having different passwords is a good idea.
gupi 2 days ago 1 reply      
I would also recommend using two-factor authentication (see services like Duo or Twilio's Authy) along with password-protected keys.
xaduha 2 days ago 1 reply      
https://github.com/philipWendland/IsoApplet + some blank java cards + card reader. Something about Yubico rubs me the wrong way.
anonymousDan 2 days ago 1 reply      
What about for the host key of the server (assuming ssh2)?
sztwiorok 2 days ago 0 replies      
Most important is - keep it safe

Passphrase is strongly advised

yellowapple 1 day ago 0 replies      

 Is it better to use a different passphrase on each key, or does using the same one not matter much?
If the keys are for the same thing (i.e. your personal `id_rsa` and `id_ed25519`), then I'd personally be comfortable with the same passphrase. Different passphrases should be used for different purposes (e.g. you shouldn't use your personal passphrase on work-specific keys).

 How much less secure is it to not use a passphrase on a key?
Depends on the situation. I personally err on the side of caution and use a passphrase on all keys unless it's not physically possible.

If you expect to be moving your SSH keys across machines (e.g. to use your same personal key on both your laptop and your desktop), then they should absolutely be passphrase-protected, even if they're only transferred via encrypted media.

 Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
There's not really a right or wrong answer to this besides "don't reuse the same key everywhere". I personally maintain one key (really two: one RSA, one ED25519) for all of my personal devices, and maintain a strict policy of full-disk encryption on such devices. I've occasionally maintained separate work keys so that I'm not ever in a position where I need to make my personal keys available to an employer.

Meanwhile, for situations where a server needs to connect to another machine via SSH, each such server gets its own key. That way, if a server is compromised or decommissioned, I can revoke access by key.

 Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
It makes a significant difference. More bits means exponentially more attempts are required to brute-force it.

 How/Where should private keys be stored on a device using them?
Depends on the device.

A reasonable balance between security and practicality is for any portable media (including portable devices, like laptops/tablets/phones) to be encrypted (in addition to the key itself being passphrase-protected). Better security would be to extend this to non-portable media and machines as well (but this is painful to enforce on servers unless you have physical access).

The directory in which keys are stored should only be accessible to the OS user actually using those keys (so, for example, `~/.ssh` should have permissions `drwx------` when viewing with `ls -la`).

Basically, server SSH keys should be treated like you'd treat your SSL/TLS keys.

 What are some of the pros and cons from a security standpoint

 and how may doing different things affect the usability of a key?
Pretty much everything involves security v. convenience tradeoffs. Generally, the more secure, the less convenient, and vice versa. While absolute security is ideal, a lack of convenience makes it more difficult to effectively enforce (e.g. as part of a company-wide security policy) unless you're willing to put in the work to build up an effective workflow around it.
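The two concrete checks in the answer above (keys are passphrase-protected, and `~/.ssh` plus the private keys inside it are not readable by anyone but the owning user) can be audited with a few lines of code. The following is an added example, not the commenter's code: it parses the `Proc-Type: 4,ENCRYPTED` header of legacy PEM keys and the cipher-name field of the `openssh-key-v1` container to decide whether a key is encrypted, then walks a directory and reports mode problems. The sample key files it writes are constructed (zero-filled key material, not usable keys) and the file names `id_weak` and `id_loose` are made up for the demo.

```python
import base64
import copy
import os
import stat
import struct
import tempfile
from pathlib import Path

# Magic bytes at the start of every openssh-key-v1 container (the format
# ssh-keygen writes by default on current OpenSSH releases).
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def key_is_encrypted(pem_text):
    """Return True when a private key file is passphrase-protected.

    openssh-key-v1: the first wire string after the magic is the cipher
    name, which is the literal 'none' for an unprotected key.
    Legacy PEM (RSA/DSA/EC): a 'Proc-Type: 4,ENCRYPTED' header line.
    """
    lines = pem_text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


def audit_ssh_dir(ssh_dir):
    """Check an ~/.ssh-style directory against the advice in the comment.

    Returns human-readable findings: directory not 0700, a private key
    readable by group/other, or a private key without a passphrase.
    An empty list means nothing to report.
    """
    ssh_dir = Path(ssh_dir)
    findings = []
    dmode = stat.S_IMODE(ssh_dir.stat().st_mode)
    if dmode & 0o077:
        findings.append(f"{ssh_dir.name}: mode {oct(dmode)}, expected 0700 (drwx------)")
    for path in sorted(ssh_dir.iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if "PRIVATE KEY-----" not in text:
            continue  # public keys, known_hosts, config are out of scope here
        fmode = stat.S_IMODE(path.stat().st_mode)
        if fmode & 0o077:
            findings.append(f"{path.name}: mode {oct(fmode)}, private keys should be 0600")
        if not key_is_encrypted(text):
            findings.append(f"{path.name}: private key is not passphrase-protected")
    return findings


def constructed_openssh_key(cipher):
    """Build a CONSTRUCTED openssh-key-v1 header for the demo.

    Only the fields the check reads are meaningful; the key material is
    zero bytes, so this is sample input, not a usable key.
    """
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"\x00" * 32) + s(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo():
    """Populate a throwaway .ssh directory with two constructed keys and audit it."""
    tmp = Path(tempfile.mkdtemp())  # mkdtemp creates the directory with mode 0700
    weak = tmp / "id_weak"          # correct mode, but no passphrase
    weak.write_text(constructed_openssh_key(b"none"))
    os.chmod(weak, 0o600)
    loose = tmp / "id_loose"        # passphrase-protected, but world-readable
    loose.write_text(constructed_openssh_key(b"aes256-ctr"))
    os.chmod(loose, 0o644)
    return audit_ssh_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running `audit_ssh_dir(Path.home() / ".ssh")` against a real directory reports only on private keys and stays silent on `authorized_keys`, `known_hosts` and `config`; the cipher check does not touch the encrypted payload, so it never needs the passphrase.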

sztwiorok 2 days ago 1 reply      
I agree with the following comment. I was wrong. Thanks asdfaoeu for it.
gregorygraf 2 days ago 0 replies      
i can recommend this link:

Upgrade your SSH keys! https://blog.g3rt.nl/upgrade-your-ssh-keys.html?_utm_source=...

Ask HN: What are some exemplary React apps to study?
6 points by goostavos  20 hours ago   1 comment top
keviv 8 hours ago 0 replies      
Not a full fledged app, but React Boilerplate (http://reactboilerplate.com/) is pretty nice in terms of the structure and pattern it follows.

Check out this video which explains it pretty nicely: https://vimeo.com/168648012

Ask HN: Given opportunity to become manager. What do I do?
8 points by big_bing  22 hours ago   10 comments top 7
oneshoe 20 hours ago 1 reply      
For sake of perspective I am a VP of my IT department (smaller company, about 300 employees, about 40 reporting to me)

1) Me, personally: I wouldn't ask for a raise (and this might be me just being pedantic) but I'd ask IF the role change has a scheduled raise and what is to be expected. I'd use this answer to help me make a decision. I'd (me, personally) would assume the role would have a minor raise and future raises based on my performance in that new job. I'd try to secure a 15-20 percent increase in pay for moving to a manager role - which, btw, is hard. Moving into a manager role means learning a new job - this isn't (or shouldn't be) your other job with a couple new responsibilities. This is an entirely new job that isn't your old job... sure, you can help people when they ask but that is entirely different than hiring/firing, writing people up, or trying to determine what sort of a raise somebody deserves.

2) Be humble. Find a mentor. Read a lot. Be humble. Be humble, be humble. I believe that power exposes more than it corrupts but it can also corrupt. Work from goals. Give clear expectations. Also, you may not like this role. I've hired a lot of developers leaving their company because they were great developers that were put into management roles and learned to hate it. Good luck! Me, I love it. (to each their own)

3) Learn. Read. Read. Learn. Read... and remember: In theory practice always works, in practice theory doesn't - You are now dealing with PEOPLE not COMPUTERS. People are emotional beings and often unknowingly irrational. HOW you say something is much more important than WHAT you say.

Lastly - learn to manage UP as much as you learn to manage DOWN.

Best of luck!

djb_hackernews 4 hours ago 0 replies      
Just some feedback I haven't seen yet.

Most very large enterprises have 2 tracks: IC and management. Typically most employees start out at IC and through defined and mutually agreed to career development plans train for the management track. This may take a few years. When the time comes for you to be a manager you have been operating in a management role for some time. This is the Peter Principle.

I'd be extremely wary of a surprise promotion in to management where a discussion about that possibility hasn't happened. I've seen this before and it can lead to disaster. You may be setting yourself up for failure or even worse someone is setting you up for failure.

mikeleeorg 20 hours ago 0 replies      
1) Sure, it never hurts to ask for a raise. The range would depend on a bunch of factors, such as your location. Try looking up the salary of your position online, such as "technical manager salary" or "engineering manager salary" or something like that.

2) Assuming you will be managing individual contributors (and not managers), there are two basic types of first-line software managers:

2.1) Managers who need to still be individual contributors. These are the types where you will still be expected to do some of the former work you did before. It's a lot like being a technical lead, except you are suddenly now thrust into a world of people management. Most technology companies view first-line managers as having this kind of a responsibility, though larger corporations with more established hierarchies may not.

2.2) Managers who are not expected to be individual contributors anymore. This is a role where your responsibilities are managing the projects and people on your team. (If your company has project managers, then that aspect of the role won't be necessary.) In terms of people management, the responsibilities include managing the career growth of the individual contributors in your team, removing roadblocks from their paths (i.e. political, bureaucratic, etc), potentially moving them around from project to project to better allocate your resources to company priorities, recruit and retain people on your team, mentor and train junior employees, set and reinforce a team culture, and think strategically about how to make your entire team more productive.

3) If your company offers management training, take it. If you like to read, there are a ton of great management books out there. One of my personal favs is "Now, Discover Your Strengths", though you can find plenty of recommendations online if you search around. Talk to managers, senior managers, directors, and VPs that you admire; interview them and ask them how they do their jobs. HR or your manager will likely give you a bunch of information on how to do performance reviews for your team. The art of delivering constructive feedback can totally be learned, though if you are new to it, it may take some time to become comfortable doing it.

This is all just off the top of my head. I'm sure I'm missing a lot of other info, but this ought to be a good start.

Being a manager is not for everyone. Some call it "herding cats," which it may sometimes feel like. But it can also be a tremendously rewarding role, especially when you can set everyone up for success and can see them humming along efficiently and effectively.

Good luck!

debacle 7 hours ago 0 replies      
1. In my experience, managers in professional fields don't make vastly more money than the people below them. If it's an addition of responsibilities, I would ask for more money. If it's just a change, then does it make sense to ask for more money?

2. Learn, try and find a good mentor, get feedback, and set objective goals.

The hardest part about management is playing the carrot and stick game without turning a report's life into a carrot and stick game.

JakeAl 16 hours ago 1 reply      
When you become a manager expect to train as a supervisor first. Ask or accept a salary hike as a supervisor that is half of what you expect as a full blown manager. Work your way to manager because if you don't have management experience on your resume by the time you are 40, expect nothing but freelance work over the age of 40 if you lose your job. Management experience is what separates the expendable labor from the non-expendable staff. Management sucks, I mean having authority is great but having to hire and fire sucks. It's a great deal of responsibility and needs to be taken seriously and to be good you really need to work hard at being empathetic, unemotional, and balancing risk versus reward at the risk of your own career. To not do so just means you are riding a paycheck and not contributing a whole lot. I made the mistake of going for the job of doing things I enjoy, worked on a lot of really cool incredible projects for well known companies and found myself unemployed over the age of 40 without the ability to get an interview despite my knowledge and experience all because I was a go to guy who got the most complex jobs done but was not a manager. Don't be me. Be humble, tell your superiors you want to work your way up to management and spend time as a supervisor first so you can train in the role as someone who must manage people and deal with HR issues while not being a manager first. Set goals and milestones along a timeline and make sure they are checked off as accomplishments in your reviews. You need to train as someone who has to get your staff to do what you want despite their personalities but not make decisions about the company. Being a manager means both. Once you become numb to taking a chance on employees and learning how to communicate or have crucial conversations (read the book Crucial Conversations) it becomes second nature to make business decisions and not get hung up on the risk.
I'd say set a goal of being an entry level manager at the age of 35. By 40 that would make you a skilled intermediate to entry level senior manager that everyone respects because you've learned to master the skills.
viraptor 21 hours ago 0 replies      
1) You can always ask for a raise. If you work in a very large enterprise then likely you've got a predefined levels / brackets for most positions up to a VP or similar. If not, just ask them what the raise is for that position. There's also a good podcast which may help you (http://www.kalzumeus.com/2016/06/03/kalzumeus-podcast-episod...)
Ask HN: What's the equivalent to a 3 Michelin starred restaurant in tech?
14 points by itamarwe  1 day ago   23 comments top 8
WA 1 day ago 2 replies      
The game development industry. Low pay, high pressure, trying to achieve better graphics and gameplay and whatnot all the time. Ratings and reviews as Michelin awards.
mtmail 1 day ago 4 replies      
Michelin awards the whole experience in the dining room and doesn't check what went into creating it (they don't step into the kitchen). From documentaries I learned the low level kitchen staff gets a lot of pressure and many are only enduring it (low pay, longer hours) to have that on their CV. I'm not sure I'd call that "amazing and enriching experience", maybe it is later if they look back.

I would see https://developer.apple.com/design/awards/ as the tech equivalent award currently.

joezydeco 1 day ago 1 reply      
A long time ago we used to obsess over the SEI/CMM (Capability Maturity Model), where a software organization is inspected and rated on a level from 1 (chaos, cat herding) to 5 (managed, optimizing).

Managers would read papers about the CMM and declare that they wanted to be a Level 5 organization, causing insane amounts of busywork and document generation and overall grief to realize that their underlying business processes were hopelessly in the way of any positive change.

So then the goal went from "Level 5 or Bust!" to "Okay, let's try to get to 3" and then later "Um, can we make Level 2?" Then everyone just gave up. There were only a handful of shops that ever made 5 and stayed there, the Space Shuttle engineers being the most famous example[2].

[1] https://en.wikipedia.org/wiki/Capability_Maturity_Model

[2] https://www.fastcompany.com/28121/they-write-right-stuff

js4 1 day ago 0 replies      
It really depends on how you define success. Cheesecake Factory is more "successful" than Jiro's Restaurant with regard to cash generation.
ethanbond 22 hours ago 0 replies      
I think such discipline is exceptionally rare in software, and it's never sexy. How about NASA? Haven't they only had like 4 software bugs in their control software ever (or some equally absurd figure)?

In design, Apple's core hardware design team is over the top psychotic about the quality of their work. It's a true obsession for them. Many font foundries have similar neuroticism driving their work.

I think Chef's Table (great show!) does us all a disservice by kind of skipping over how unbelievably grueling such an undertaking is. It truly is inhuman. It's unfathomably difficult to create merely a successful restaurant... it takes a perfect storm in both the positive and negative sense for someone to create something like a Michelin starred restaurant.

So yes, probably. Is it sexy? Certainly not. It looks insane more than anything outside of the lens of a beautifully crafted documentary.

heisenbit 1 day ago 1 reply      
This is a people service business like cooking. Which makes it hard to scale when it comes to excellent service. Boutique consulting companies may offer excellent service. Like with kitchens there are plenty of them all claiming to serve great food. Stellar are few. The initial looks can be deceiving.

Hint: The proof is in the pudding. But you have to sit through the whole meal to know whether you enjoyed it...

LarryMade2 22 hours ago 0 replies      
I would say probably Apple is a good example in past experiences.

Their products were regarded as things that "Just work" their website was very easy to use for support and information, and these were consistent over a long period of time.

I'm not so sure about the Apple today, but in the 2000s they were certainly were hitting their marks.

perfmode 23 hours ago 0 replies      
Working with Jeff Dean or Sanjay Ghemawat.
Ask HN: What is that one deciding factor that makes a website successful?
32 points by ziggystardust  2 days ago   31 comments top 25
afarrell 1 day ago 1 reply      
This is like asking "what is that one deciding factor that makes a small business successful?"

It is too broad and so there is no one deciding factor. You don't even have a clear definition of success. Is http://lawcomic.net/ successful? It has a loyal following, but it doesn't update that much, or earn much money for its creator.

emilyfm 1 day ago 2 replies      
The one factor: meet a need.

If you're selling something, make it something that people want at the right price and make it easy for them to buy.

If you're selling advertising (you're a decade late on that one...), give people a reason to come back to the site - make the site sticky or have network effects.

Scaling comes later (assuming your initial design isn't a complete resource hog). It literally follows the money.

id122015 1 day ago 0 replies      
Niche is one of the main ones. Most people have limited time and limited memory and won't use more than a dozen sites every day. Even though I used to bookmark thousands of websites, when I'm bored I don't find it easy to remember more than 5 sites that I'm interested in.
armini 1 day ago 0 replies      
Like everything else, I look at nature for guidance. In this case the Epidemiologic Triad (https://onlinecourses.science.psu.edu/stat507/node/25).

My understanding (feel free to correct me if I'm wrong) of it in the context of good websites is

Host: You need a great host/site, something stable & something people want to use

Agent: I consider agents as internal factors like technical, sales & marketing. They help you grow & they ensure stability.

Environment: Environment is pretty much your jurisdiction, you need to make sure that your solution is legal & your environment is supporting of you growing. Another fascinating theory to study around that is the Overton window (https://en.wikipedia.org/wiki/Overton_window).

Vector: A vector, an organism which transmits infection by conveying the pathogen from one host to another, with the most powerful agent being word of mouth.

I guess if you have these 4 components structured well, then you have a pretty good chance of having a successful website according to the Epidemiologic Triad.

Now if your question is more around business models, then here's also another good resource to look into by HBR (https://hbr.org/2016/10/the-transformative-business-model)

unimpressive 2 days ago 0 replies      
From what I've observed of my own behavior, the way to get me to consistently check back on a blog is to let me know the blog exists, be in my general category of interest, and then consistently update with impressively good content.

I first got hooked on slatestarcodex (http://slatestarcodex.com/) when the author hit a five post homerun streak and he was just too good to not check in with.

When I'm evaluating whether to follow a tumblr I can see the process unfold in real time, where I scroll down and finally think to follow after I see several really good posts at once. The moment I stopped and saw myself doing that I realized if I ever wanted to get followers on tumblr my blog would probably need to have the same kind of five-post punch to get people interested.


1. Update often.

2. Make it easy to find your new stuff, or display your archive proudly and live off the interest.

3. Keep a high quality bar. It might even be useful to take your absolute best and put it in one place so you can show people your better side.

4. Market aggressively or be prepared to wait a while.

WheelsAtLarge 2 days ago 0 replies      
Very generally speaking, fill people's needs.. Look at maslow's hierarchy of needs, https://en.wikipedia.org/wiki/Maslow%27s_hierarchy_of_needs.

You'll get some ideas.

More to the point, making sure people know about it and the site is easy to use. Beautiful design is nice but if it gets in the way people will admire it once, twice... and finally give up. Don't let content get stale.

prawn 1 day ago 0 replies      
I would've thought that scaling was a fair way down the list. Don't scale prematurely is one mantra commonly mentioned.

It's also question that needs to be better defined. What sort of site? What definition of success?

For many sites, the biggest pieces are having something that people want or need, then consistently providing it. Of that pairing, having something people want is the absolute core.

z3t4 1 day ago 0 replies      
Content is king, don't worry about design or scalability. Just look at HN <grin>
zerognowl 1 day ago 0 replies      
Make your site work in any browser, and make it accessible. The sheer volume of useful sites that break because of poor accessibility and design antipatterns is astonishing. See https://en.wikipedia.org/wiki/Anti-pattern

The audacity of webmasters who think all their users have JavaScript enabled is quite cruel and shows that this problem is endemic of lack of education about who your visitors are. In fact your visitors could be anybody and they could have any configuration.

timehastoldme 1 day ago 0 replies      
The site owners not expecting there to be one deciding factor that would make it successful.
adamqureshi 1 day ago 1 reply      
What is the one deciding factor that makes a business successful? Swap out website for business. Revenue. If your business makes money therefore it's successful. Swap out users if your website / business earns ad rev.
lgas 1 day ago 0 replies      
Having a good mix of other factors.
hasanzuav 1 day ago 0 replies      
Kind of the YCombinator mantra: "make something people want". Talk to potential/existing users often and use that information to be laser focused on product building.
xapata 1 day ago 0 replies      
That's like asking what the one deciding factor for cancer is.
threesixandnine 1 day ago 0 replies      
The deciding factor that makes a website successful is offering info or tools that people look for and need.
garethsprice 1 day ago 0 replies      
It meets the needs of its users while fulfilling the objectives of its creators.
erikpukinskis 1 day ago 0 replies      
Does what it says.
atultherajput 1 day ago 0 replies      
It's all about marketing strategy.
gjolund 1 day ago 0 replies      
Mz 1 day ago 1 reply      
I think you need to specify here what you mean by success. It sounds to me like you mean something like "made someone rich," which is a far cry from what I was thinking when I came here intending to try to articulate something only to realize it is almost certainly wholly unrelated to what you are talking about.
estefan 1 day ago 0 replies      
Satisfying a need.
ttam 19 hours ago 0 replies      
its purpose
Gustomaximus 1 day ago 0 replies      
gcatalfamo 1 day ago 0 replies      
probinso 1 day ago 0 replies      
Ask HN: How do you pass on your work when you die?
33 points by PascLeRasc  1 day ago   24 comments top 17
rabboRubble 1 day ago 0 replies      
Everything depends on having a person that you can trust. Along with my will and estate plan, I have a technical handover plan ("THP"). The THP is 2 pages long with the core accounts needed for recreating my technical life. Page 1 is a technical recovery document with instructions that assume complete loss of all my hardware, for example in a fire. Page 2 lists 1Password vault password key, hardware inventory, cloud accounts, and offsite data back up. For each item, I list some combination of password, ID, license key, two factor recovery key, and where I get a two factor code from. These documents are on file in a trusted person's fire proof safe and with an attorney.

In addition to this documentation, for Gmail and Facebook, I have completed the "I'm dead, do this with my account" sections of my account profiles. Gmail, after 90 days of inactivity, my brother gets an email and gains access to the Gmail account.

angry-hacker 1 day ago 1 reply      
My problem is that I can pay everything in advance to insure myself, but who can make sure everything keeps running on my vps?

I have 2fa everywhere and my close ones won't be able to keep updating my box or troubleshoot... I guess the bank will close my card when I die and I can pay in advance. Currently, I have 3 years of 'insurance', but what if DO doesn't exist anymore...

p333347 1 day ago 0 replies      
There are these two stackexchange qna threads [0] [1] that I had bookmarked a while back. I came across another one [2] that mentions something called "bus factor"[3], which I found quite amusing, though this question is about freelancing. I think there is enough material in all these combined and the links they point to to sufficiently address your concerns.

[0] http://programmers.stackexchange.com/questions/125656/softwa...

[1] http://workplace.stackexchange.com/questions/9128/how-can-i-...

[2] http://freelancing.stackexchange.com/questions/126/how-can-w...

[3] https://en.wikipedia.org/wiki/Bus_factor

danso 1 day ago 0 replies      
Set up access control. I believe Google Cloud applications can be assigned to multiple users, in the same way that a Google Document can. Create a couple of superuser accounts. As long as one person is alive, someone has the proper access to change things if needed.
Canada 1 day ago 0 replies      
Do you have a will? Issues such as who will inherit copyright ownership of your work should be handled there.

As for passwords, keys and so on, you can put all that into a single archive. (eg. regularly export your password manager, put any private keys you want to pass on, instructions for how to use them, etc)

Encrypt the tarball/zip file with a symmetric key.

Then you can use Shamir's Secret Sharing Scheme to split up the key so that a certain threshold of key holders is required to access the data (eg. Any 2 of 4): http://point-at-infinity.org/ssss/

Distribute the parts of the key to your heirs.

Leave instructions in your will so your heirs can locate the encrypted file when the time comes.
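The key-splitting step of the plan above can be shown end to end. What follows is an added example in Python, not the commenter's code and not the `ssss` tool linked above: it implements Shamir's scheme over the prime field GF(2^521 - 1), splits a symmetric archive key into 4 shares of which any 2 recover it, and renders each share as one printable line an heir can be handed. The 32-byte key is constructed for the demo (a real one would be whatever encrypted the archive); the `threshold` and `share_count` parameter names are this example's own.

```python
import secrets

# Field modulus: the Mersenne prime 2^521 - 1. Any secret of at most 64 bytes
# is an integer below it, so a 256-bit archive key fits with room to spare.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x over GF(PRIME), Horner style."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count):
    """Split `secret` (bytes) into `share_count` shares; any `threshold` of them suffice.

    The secret is the constant term of a random polynomial of degree
    threshold-1 and share i is the point (i, f(i)). Fewer than `threshold`
    points leave the constant term information-theoretically undetermined.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if len(secret) > 64:
        raise ValueError("secret must be at most 64 bytes for this field")
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares, secret_len):
    """Reconstruct the secret from at least `threshold` shares (Lagrange interpolation at x=0)."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(secret_len, "big")


def encode_share(share):
    """Render a share as 'index-hex' so each heir receives a single printable line."""
    x, y = share
    return f"{x}-{y:0131x}"  # 521 bits fit in 131 hex digits; fixed width hides the magnitude


def decode_share(text):
    x, y = text.split("-", 1)
    return int(x), int(y, 16)


def demo():
    """2-of-4 split of a constructed 32-byte archive key, then recovery from two shares."""
    archive_key = bytes(range(32))  # constructed stand-in for the real symmetric key
    shares = [encode_share(s) for s in split_secret(archive_key, 2, 4)]
    chosen = [decode_share(shares[1]), decode_share(shares[3])]  # any two heirs
    return shares, recover_secret(chosen, 32) == archive_key


if __name__ == "__main__":
    lines, ok = demo()
    print("\n".join(lines))
    print("recovered:", ok)
```

The will then only needs to say where the encrypted archive is and which heirs hold shares; the heirs combine `threshold` of their lines with `recover_secret` and decrypt the archive with the result. Keep the share index with each share: the scheme cannot reconstruct without it, and no two heirs may hold the same index.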

mattbgates 1 day ago 0 replies      
Kind of an interesting thing, but nothing is guaranteed. The only things that are probably guaranteed are the websites with boards, major social media networks, with CEOs who make sure that they get passed on. Apple is a pretty good example. I currently run a popular website, http://www.confessionsoftheprofessions.com and I have hundreds of companies and individuals that rely on me every year to publish their articles. The thought always crosses my mind to know what would they do if something would happen to me.. sure, the site would die and they would probably just find somewhere else to publish their new articles, but I would certainly love to know it would continue without me, but its a blog that I know how to run and I've not really taught anyone else how to "process" articles, so I suppose it will go with me. I have mentioned it to my fiancee and left her with the username and passwords, and even if she doesn't process any new articles, I would hope that she at least pays to keep the server and hosting going! At least Google and the Internet archive might do something with it.
pseudozach 1 day ago 0 replies      
Google has a mechanism for such things in place; it's called "account inactivity". Basically you set up a contact person to whom your account will be handed over after a certain time has passed and you haven't logged in.
JSeymourATL 1 day ago 0 replies      
I was shocked to hear recently of a local business owner who I knew that died suddenly-- still young in his mid-50s. Super sharp guy, a systems guy. He had a contingency plan in place.

Folks speculate that he must have known something. But his wife insists he was always a planner. The business appears to be busy and humming along fine. In many ways a tribute to what he built. Certainly a huge relief to his family, employees, and customers.

Here's a good link on contingency planning: https://partners-network.com/2013/10/17/contingency-plan-for...

kennu 1 day ago 1 reply      
Isn't the real answer to this to start a company (or some other form of organization)? Then the accounts and other ownerships are no longer tied to a single individual but to a virtual entity that can be controlled by other individuals when needed.
besselheim 21 hours ago 0 replies      
I used to concern myself with this, but eventually realised that it doesn't really matter, as I'll be permanently dead and gone. And in time, so will everyone who ever knew me.

In the grand scheme of things, we're all irrelevant. And in the end, none of this really matters.

ng-user 1 day ago 0 replies      
One thing I've considered too as I begin to work with more and more developers on larger projects is the good ole 'Bus Factor [0]. In short, it's determining whether or not your project can be sustained should the major contributor or 'main brain' behind the project get hit by a bus. The entire objective is to reduce the number of places the project can fail, simply by having one member pass unexpectedly. Should you steer clear of avoiding a single point of failure? Absolutely. Is it always avoidable? Absolutely not.

[0] - https://en.wikipedia.org/wiki/Bus_factor

kawera 1 day ago 1 reply      
A bit tangential but this may be part of the solution: https://www.deadmansswitch.net/
a3n 1 day ago 0 replies      
I asked about this years ago, I think it was PairNic. They said file a legal document and send them a copy.

So, there's the technical route, whoever has the passwords wins.

But if it matters, and you don't want your technical heirs to be fighting each other, you should probably establish ownership and succession with a lawyer.

33a 1 day ago 0 replies      
Will figure it out when that happens.
ChoHag 1 day ago 0 replies      
That's what children are for.
aaron695 1 day ago 1 reply      

Concentrate on living a healthier/safer life and keep it going longer.

Raed667 1 day ago 0 replies      
Why would you care? You'd be dead.
Ask HN: Former Employer Threatening Lawsuit
5 points by o0-0o  22 hours ago   8 comments top 4
auganov 21 hours ago 1 reply      
If you're operating any business/website/etc that relates[0] in any manner to the potential lawsuit - take it down now. Get a lawyer to review all your doings to see if there is the slightest chance of a potential claim.

I understand how ridiculous the threat might feel. But a sufficiently angry person can cause you a lot of trouble for no good reason. It's very likely there are simple actions you could take to safeguard yourself. It might save you a lot of money in the long term. And very often even the major law firms will give you amazing free advice. Don't be afraid to call the best.

[0] And I mean relate in the broadest manner. It doesn't have to actually be related. If they could convince someone with a bit of handwaving that it's related then it's related. The truth doesn't matter.

darkmouth 22 hours ago 0 replies      
First of all, backup any and all email communication you have had with the company about it.

If neither of these are true, and you are in fact marketing to customers but not using their list or software, gather logs and customer testimonials, and proof about where you got the customer contacts.

Additionally, gather emails indicating why you left the company or were asked to leave, as it might indicate the company's intent to get even with you.

Lastly, talk to a lawyer. Consultation is often free for the first time.

imaginenore 22 hours ago 0 replies      
Stop talking to us. Lawyer up. Don't post any more information that can be recognized.

My layman opinion is that he will have to prove his claims, and is probably trying to scare you into giving him your client list.

samfisher83 21 hours ago 2 replies      
Why not just publicly shame them. It seems to have worked for some people. If you have to hire a lawyer it is just too expensive. Even if you win you are going to lose.
Ask HN: What's the best way to learn about the blockchain?
256 points by m52go  3 days ago   71 comments top 35
lhnz 3 days ago 5 replies      
Building the minimum viable block chain: https://www.igvita.com/2014/05/05/minimum-viable-block-chain...

That's where I would start.

shp0ngle 3 days ago 4 replies      
Everything in Bitcoinlandia is fairly superficial, since everyone is trying to sell Bitcoin and make himself rich. So it's like reading multi-level-marketing books.

That being said. What's actually kind of good (with actual technical specifications) is Bitcoin wiki, even when it's slightly outdated; then official bitcoin website; and sometimes bitcoin stack exchange website (but that can become outdated too).

I don't think Blockchain can be disconnected from Bitcoin, and if you do, it's very general and not that specific.

justinpobrien 3 days ago 1 reply      
Highly recommend the Princeton book and Coursera course as a starting point.

And if you want a compiled list of resources for learning: https://drive.google.com/file/d/0B6CKmAqa1_nzRGVicnlHY1BaaUk...

daveguy 3 days ago 2 replies      
I assume you have read the the original Nakamoto paper on bitcoin. I will put it here for reference purposes. It is a seminal paper on blockchain and fairly accessible.


zmanian 3 days ago 1 reply      
I highly recommend the Princeton book and associated video lectures as a place to get started. It does a great job of framing things in the context of the wider fields of cryptography and distribute systems research.


daniel-cussen 2 days ago 1 reply      
My understanding of how the blockchain works:

Someone tells a joke based on a prompt. This would be your Genesis block. Then everyone else competes to tell the funniest joke based on only that and the new prompts from the audience.

Repeat until you have an ongoing, hilarious comedy routine that cannot be edited after the fact without being found out because that would ruin the whole routine. It just wouldn't be as funny.
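The property the analogy above rests on, that an earlier entry cannot be edited after the fact without the edit being found out, is exactly what the "minimum viable block chain" post linked earlier in this thread builds up. The following is an added example, not the commenter's or the post's code: a hash-linked chain with a small proof of work, plus a validator that reports the first block whose link is broken. The `DIFFICULTY_BITS` value and the joke strings are constructed for the demo; real networks use a vastly harder target.

```python
import copy
import hashlib
import json

# Leading zero bits a block hash must have. Constructed to be small so the
# demo mines in milliseconds; a real network's target is many orders harder.
DIFFICULTY_BITS = 12
GENESIS_PREV = "0" * 64


def block_hash(block):
    """SHA-256 of the block's canonical JSON (its own hash field excluded)."""
    payload = {k: block[k] for k in ("index", "prev_hash", "data", "nonce")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def meets_target(digest_hex):
    return int(digest_hex, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine_block(index, prev_hash, data):
    """Search nonces until the block hash meets the target (proof of work)."""
    block = {"index": index, "prev_hash": prev_hash, "data": data, "nonce": 0}
    while True:
        digest = block_hash(block)
        if meets_target(digest):
            block["hash"] = digest
            return block
        block["nonce"] += 1


def build_chain(entries):
    """Mine a chain whose first entry is the genesis block."""
    chain = [mine_block(0, GENESIS_PREV, entries[0])]
    for i, data in enumerate(entries[1:], start=1):
        chain.append(mine_block(i, chain[-1]["hash"], data))
    return chain


def validate_chain(chain):
    """Return (True, None) if every link holds, else (False, index of the first bad block)."""
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if block["index"] != i or block["prev_hash"] != expected_prev:
            return False, i
        digest = block_hash(block)
        if digest != block["hash"] or not meets_target(digest):
            return False, i
    return True, None


def demo():
    """Build a 4-block chain, edit block 1, and show how the edit is detected."""
    chain = build_chain(["genesis joke", "punchline A", "punchline B", "punchline C"])
    ok_before = validate_chain(chain)
    tampered = copy.deepcopy(chain)
    tampered[1]["data"] = "edited punchline"
    after_edit = validate_chain(tampered)    # (False, 1): stored hash no longer matches
    # Re-mining block 1 alone does not help: block 2 still names the old hash.
    tampered[1] = mine_block(1, tampered[0]["hash"], "edited punchline")
    after_remine = validate_chain(tampered)  # (False, 2)
    return ok_before, after_edit, after_remine


if __name__ == "__main__":
    print(demo())
```

Rewriting one entry therefore means re-mining it and every block after it, and in a network other participants keep extending the longer, unedited chain in the meantime; that asymmetry, not the hash alone, is what makes the routine hard to retell differently.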

fode 3 days ago 0 replies      
This has been a great resource for me, especially Andreas's video at the end:

Inserting metadata into the blockchain. https://medium.com/@bkawk/inserting-metadata-into-the-blockc...

Andreas M. Antonopoulos: "Consensus Algorithms, Blockchain Technology and Bitcoin" [UCL] https://www.youtube.com/watch?v=sE7998qfjgk

wslh 3 days ago 0 replies      
I think a good unorthodox start is skimming/looking at Q&A sorted by votes on [1] and [2]. A good book, but oriented towards Bitcoin, is [3]. My company also made a spreadsheet comparing different blockchain approaches [4] to get a high-level understanding (e.g. block speed, security vulnerabilities).

I work in the field and the most difficult thing is to separate the noise from the signal. In talks with financial institutions and the government, they say they want to use the blockchain, but when you ask how many nodes they are planning to run they come up with one, or don't understand the question. Also, there are a lot of use cases that are not realistic because they depend on oracles or there is no way to enforce the smart contract in the real world.

[1] http://bitcoin.stackexchange.com/questions?sort=votes

[2] http://ethereum.stackexchange.com/questions?sort=votes

[3] https://www.amazon.com/Mastering-Bitcoin-Unlocking-Digital-C...

[4] https://docs.google.com/spreadsheets/d/1DQ770nGnHfJOoRSqTLmI...

fitzwatermellow 3 days ago 0 replies      
Stanford CS 251: Cryptocurrencies, blockchains, and smart contracts


gregoryrueda 3 days ago 0 replies      
21 has some fun tutorials. https://21.co/learn/

The intro to Bitcoin concepts is a great place to learn about blockchain.


elorant 2 days ago 1 reply      
I would suggest the book Mastering Bitcoin from O'Reilly. I don't have extensive experience on the issue, but what really worked for me is that the book provides code examples (in Python and C++) that help get a better grasp of the technology.
umutisik 3 days ago 1 reply      
Probably too basic for original poster but this post by Michael Nielsen helped me with the basics of the bitcoin protocol. http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-a...
jloughry 2 days ago 0 replies      
Set up a full node at home and run it for a while. Turn on logging and watch the messages there.

You'll need (at present) about 80 GB of disk space to hold the blockchain. The full node client will download it for you or you can torrent a recent snapshot of the blockchain and then synchronise from there (quicker).

The software you can obtain from here:


Or you can use git to pull the source code from GitHub and compile it yourself. I've done both, and found the developers on GitHub friendly and responsive to pull requests, even helpful to a newbie submitting a first pull request.

Beware that running a full node will try to eat all your upstream bandwidth. It takes a few days for the Bitcoin network to notice the existence of your new full node, but the number of connections will grow (others asking you for pieces of the blockchain, as well as transaction verifications). You can learn a lot about the Bitcoin ecology this way.

aerovistae 3 days ago 1 reply      
This book is insidiously useful. I went from not getting it at all to getting it more or less completely. Includes code interacting with the blockchain in a wide variety of ways.


scott_ci 3 days ago 1 reply      
I've found that getting a wallet and sending some Bitcoin is a great first step. This course introduces Bitcoin and also surveys an array of other decentralized, blockchain projects: https://www.pluralsight.com/courses/bitcoin-decentralized-te... (caveats: self-promotion, pay-walled, but the free trial allows you to watch 95% of it).

Bear in mind that the word "blockchain" is an evolving word; almost every definition I've read differs. Some see it as barely different than a distributed database that doesn't allow deletions. Many others see it as paradigm shifting.

anatoly 2 days ago 0 replies      
I liked this for a technical introduction: http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-a...
blockchain 2 days ago 0 replies      
Read the original Bitcoin paper; it should take no more than two hours even if you're not technical: http://genius.com/Satoshi-nakamoto-bitcoin-a-peer-to-peer-el... Once you understand what a blockchain does you'll probably want to know more about smart contracts (http://about.smartcontract.com/#defining-a-smart-contract), since their decentralized data/transaction storage capabilities enable the decentralized computation which has the capacity to replace 90%+ of computable contracts (http://www3.weforum.org/docs/WEF_GAC15_Technological_Tipping...) which are currently in silos, much like what we had with various data before the internet.
bitcointutoring 3 days ago 1 reply      
Hi m52go,

I have a blockchain/bitcoin tutoring service at www.blockchaintutoring.com. I did a Show HN but didn't get a single comment :(

I'm a programmer myself, but my target market is not the typical HN user. I'm looking to teach more business types and people in the law profession, for example. I'm preparing a small course plan to help people get from 0 to knowledgeable. The course will certainly be a bit technical, but I would not cover for example the pros and cons of the blocksize debate unless someone asks for that information.

I invite you to contact me, either through my website's contact form or the email address there provided. We can chat, and then if you ever choose to use the service, it's going to be at a discount for HN users. Your questions will definitely help me tailor my offering.

jeffrestore 3 days ago 0 replies      
Capability-based Financial Instruments:http://www.erights.org/elib/capability/ode/index.html

Although this paper does not directly address the blockchain, I believe it and the thesis below are at the root of the concept. (If you want to go down the rabbit hole, check out the references page of the above paper). Fair warning, the above paper is from 1999/2000 so obviously much has changed, but still worth reading.

Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control by Mark Samuel Miller:


Razengan 2 days ago 2 replies      
Newb question: Why do people refer to it (these?) as "the" blockchain?
izqui 3 days ago 0 replies      
If you are interested in the technical implementation of it, I did a very basic version of a Blockchain in Go a while ago.


hendzen 3 days ago 0 replies      
Honestly your best bet is to read everything Gregory Maxwell has ever written.
udayj 2 days ago 0 replies      
Annotated Bitcoin paper (which also talks about Blockchain): http://genius.com/2683791

Digital Currency MOOC: http://digitalcurrency.unic.ac.cy/free-introductory-mooc/
benev 3 days ago 0 replies      
I wrote a piece for Linux Voice on how Bitcoin works a couple of years ago. It's obviously focused on this particular blockchain, not the principle in general, and it's a couple of years old now. I tried to give a good overview for technical people: https://www.linuxvoice.com/bitcoin/
ftlio 3 days ago 0 replies      

^ Following along with this helped me a lot. Bitcoin is a rather large onion, but, as others are saying, implementing parts of it is the only way to go.

brudgers 3 days ago 0 replies      
I found the various interviews on Software Engineering Daily informative. There's probably more than revealed by a naive search, but it's a start:


adamqureshi 3 days ago 0 replies      
I was working on this service: teaching blockchain bootcamp courses online. I found a few instructors. Just need to figure out the MVP. Are you in NYC? Check the landing page: http://studioblockchain.com/
Everhusk 3 days ago 0 replies      
If you enjoy more of a hands on approach, try getting a miner setup for some new coin. You'll learn a ton in the process.
kobeya 2 days ago 0 replies      
brighton36 2 days ago 1 reply      
Blockchains are just databases rebranded to be something interesting when cryptography is applied. There's no magic to keeping transactions in 'folders'. Database journaling and message signing have been performed since the 80's (or older).
kapauldo 2 days ago 0 replies      
Read the Greek guy's open source book.
ttam 2 days ago 0 replies      
as others have mentioned, the princeton course videos + _homework exercises_ are a great entry point. also read satoshi's paper and then other resources
Nano2rad 3 days ago 0 replies      
Learn elliptic curves.
Ask HN: How do I explain my 3-4yr employment gap due to a nervous breakdown?
7 points by throw_away42  1 day ago   11 comments top 6
muruke 10 hours ago 2 replies      
Maybe I'm alone in this. But I think: be honest; you don't have to go into details. I have family and friends that have been (or still are) in bad depression. Based on the stats, nearly everyone you talk to will as well.

I have been on the hiring side too, and if I asked you about that gap and got an honest reply about depression, that would tell me a lot. 1. You have identified an issue and worked to resolve it. 2. You are aware of it and may see it "coming" early next time (if it comes again).

I have been burnt too many times by people misrepresenting themselves in interviews (not being real to themselves in order to "sell" themselves) that I really value open and honest people. I think they know themselves better, and therefore their weaknesses and strengths too.

Could you hit rock bottom if I hired you? Sure, but it wouldn't be a complete surprise, and we could work together to prevent it and make sure you have the help needed before things got bad. (If I hired you, it was for your skills and drive and fit, and I'd want you to stick around to continue that.)

Employers and employees can work through a lot if we both are honest and both are bringing something to the party (a job someone wants and the skill/desire to learn/perform).

Note I do not work in the US, and this is my experience.

rl1987 9 hours ago 0 replies      
Just say "medical issues" and refuse to elaborate.
alimw 7 hours ago 0 replies      
You know, there's at least a chance that no one will ask. A lot of employers won't read your CV too carefully, and then at interview, if they like the look of you, will only hear what they want to hear.

Of course you could argue that such an inattentive employer is unlikely to be a good employer.

mazeway 9 hours ago 1 reply      
I'm in a similar boat. I'm considering striking out on my own. The market doesn't care about your employment gap or anything like that. It only cares if you solve a problem. Though I have to learn nontechnical skills like marketing, etc.
wslh 18 hours ago 0 replies      
If you think that you are ready to work now, I don't think a smart lie would be unethical in order to move forward. Fill the gap with the help of some friendly company who can help you with that.
sharemywin 23 hours ago 1 reply      
Do you have any kind of side projects that you could list as projects while you were "self-employed"? When I was a consultant, the consulting company took projects that I worked on for friends and family and listed them as projects under self-employed.
Ask HN: User-friendly online vault web app to securely share secrets?
7 points by niels_bom  1 day ago   5 comments top 5
zerognowl 20 minutes ago 0 replies      
If you want to store files on a private blockchain: https://storj.io/
saluki 1 hour ago 0 replies      
Helpspot has a really nice tool for sharing text securely.


just_observing 1 day ago 0 replies      
I have an install of ZeroBin which I use for keys and items that I would prefer not to email, but it does not support files, just text. Essentially it's a pastebin.

"TL;DR: ZeroBin is a minimalist, opensource online pastebin/discussion board where the server has zero knowledge of hosted data. Data is encrypted/decrypted in the browser using 256 bits AES."


Test it at http://sebsauvage.net/paste/

shakna 9 hours ago 0 replies      
Though not a web app, I've used magic wormhole [0] with some success with clients. Your requirements for hosting might make finding something suitable difficult.

[0] https://github.com/warner/magic-wormhole

Ask HN: Self driving car startup ideas
6 points by hpagey  1 day ago   6 comments top 5
asimuvPR 3 hours ago 0 replies      
I've been working on some for the past years. You should think of the interactions a vehicle will have. There are:

- vehicle to vehicle (V2V)

- vehicle to infrastructure (V2I)

- vehicle to cloud (V2C)

Each of those niches has niches of their own. I just finished working on the V2C niche by developing an API to move data between vehicles and updating them automatically (not realtime, though). What can you do with that kind of data? Well, if you have cars operating data (engine temperature, speed, etc.) you can come up with a bunch of interesting stuff.

Don't wait too much. This self driving market is reaching peak hype soon.

brudgers 18 hours ago 0 replies      
It's going to be hard to out-data-collect Google (think of all the Android-phone miles and uses of Maps over the last few years on top of the Street View project), or even Tesla with its field-deployed systems. Even GM has years of OnStar data.

There might be a data play on dark data... all those tables in local engineering department traffic studies only accessible as PDFs, but it's hard to see that as non-replicable for a company that can stream data from a car's sensors to its servers in real time.

For a startup, there's an open question of how self-driving cars change the landscape of tier-two and tier-three automotive suppliers. What I mean is: what sort of new opportunities are made available by self-driving cars that are equivalent to manufacturing actuators or air-conditioning subassemblies?

The problem in the space is that the automotive industry is capital intensive. A billion dollars isn't going to ripple the pond and there are lots of companies with the habit of spending many times that. That's the way commodity industries work.

Good luck.

LarryMade2 15 hours ago 0 replies      
Think of new perspectives of the passengers and owners.

What would you do if you had a robotic chauffeur to take you wherever you wanted? Would you go places that you would not normally go to now? Cars drop you off at your destination and park themselves (maybe calling you to agree to whatever the lot, garage or recharge station is charging).

SD-cars make the driver the passenger... who will now be able to look out and see the roses, listen to an interactive on-the-road tour, read the billboards, notice that fruit stand, etc. Former drivers will be asking "are we there yet?" Parents can truly interact with their kids on the road.

People that didn't travel as much due to health or medical reasons may be traveling more.

A lot more day planners, maps, review sites, etc. will probably interact more with the vehicle...

atroyn 21 hours ago 0 replies      
Data. A kaggle for self driving data would be fantastic.

As a computer vision researcher, getting my hands on data 'at scale' is a really tough problem.

tpae 1 day ago 1 reply      
In-car entertainment would be nice, if we could eliminate the need for concentration.
Ask HN: How to best manage multilingual content
4 points by throw-away-acco  21 hours ago   1 comment top
mbrock 11 hours ago 0 replies      
It's probably more cutting edge research than you'd like but I'm really intrigued by Grammatical Framework and the idea of generating UI language from an "application grammar."

There is a company named Digital Grammars that is working on that kind of thing, and probably some others.

Ask HN: Is identity theft protection service worth it?
2 points by tmaly  23 hours ago   3 comments top 3
gry 1 hour ago 0 replies      
A credit freeze is another tool; it prevents potential creditors from extending credit, since they won't be able to pull your file to verify your creditworthiness. Temporary unlocks can be done when you need to apply for a loan, etc.


kobly 4 hours ago 0 replies      
Free: block your SS# at the source, http://www.ehow.com/how_6926296_block-social-security-number...

But you also want to have your identity checked for other risks, such as when medical records, email records, address, and existing accounts can be compromised. What is the best detection service? I'm not sure it's Lifelock. I'd compare.

ID theft insurance: pays for the costs of fixing an identity breach, and some also offer a person who does the work for you, filing all the paperwork and cleaning up the damage.

pbarnes_1 22 hours ago 0 replies      
Just register for a free credit monitoring service like Credit Karma/Sesame or a non-free one like Amex CreditSecure.

That's all you need.

Ask HN: Have you ever visited example.com?
10 points by glaberficken  2 days ago   9 comments top 8
guessmyname 2 days ago 0 replies      
Also note that example.com has no MX records [1]:

 When an address such as username@example.com is used to demonstrate the sign-up process on a website, it directs the user to enter an actual email address at which they receive mail. Example.com is used in a generic and vendor-neutral manner.
The list of reserved TLDs is quite short actually [2], but thanks to this page I understood that ".dev" is a bad TLD that people enjoy(ed?) using for their test/local websites [3]. I have been using ".test" for all my offline projects for a couple of years now, and ".local" was specifically very helpful when I had to build a fake DNS server for a DNS manager that I was maintaining.

[1] https://en.wikipedia.org/wiki/Example.com

[2] https://en.wikipedia.org/wiki/Top-level_domain#Reserved_doma...

[3] https://iyware.com/dont-use-dev-for-development/
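A check for the problem the thread circles around (made-up placeholder domains that turn out to be real, so test mail and debug messages reach a stranger), as an added Python example that is not from the thread. It encodes the names RFC 2606 reserves for documentation and testing; the regex and the sample fixture text are constructed and simplified for illustration.

```python
"""Flag addresses and hostnames in fixtures/docs that are not RFC 2606 reserved names.

Added example. Reserved for documentation and testing by RFC 2606:
the TLDs .test, .example, .invalid and .localhost, and the second-level
domains example.com, example.net and example.org. Anything else may be
(or may later become) a real, registered domain. ".local" is deliberately
not listed: it is reserved for mDNS (RFC 6762), not for sample data.
"""
import re

RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Constructed, deliberately simple matcher: the host part of an e-mail address
# or the host of an http(s) URL. Good enough for scanning fixtures, not a parser.
EMAIL_OR_URL_HOST = re.compile(r"[\w.+-]+@([\w.-]+)|https?://([\w.-]+)")


def is_reserved(host: str) -> bool:
    """True when host lives under a name RFC 2606 reserves for examples/tests."""
    h = host.lower().rstrip(".")
    if h.split(".")[-1] in RESERVED_TLDS:
        return True
    # Match example.com itself and any subdomain of it, but not notexample.com
    # and not a lookalike such as example.com.evil.net.
    return any(h == d or h.endswith("." + d) for d in RESERVED_DOMAINS)


def find_unsafe_placeholders(text: str) -> list:
    """Return the sorted set of hosts in text that are not reserved names."""
    hits = set()
    for m in EMAIL_OR_URL_HOST.finditer(text):
        host = m.group(1) or m.group(2)
        if not is_reserved(host):
            hits.add(host)
    return sorted(hits)


# Constructed sample fixture, mixing safe placeholders with two unsafe ones:
# "null.com" (a real domain, as the thread notes) and "myapp.dev" (.dev is a
# delegated TLD, so such names can be registered).
SAMPLE_FIXTURE = """
signup_email = user@example.com
api_base = http://api.example.net/v1
login_page = https://shop.test/login
support = support@mail.example.org
debug_sink = null@null.com
staging = https://myapp.dev/health
"""

if __name__ == "__main__":
    for host in find_unsafe_placeholders(SAMPLE_FIXTURE):
        print(f"not a reserved example domain: {host}")
```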

ytjohn 2 days ago 0 replies      
I always use the example.net/example.com domains for my documentation. It drives me crazy when I see a tutorial using something they just made up like "myfakewebsite.com". Almost always, these lead to an actually registered domain like what OP was expecting to encounter.
SamReidHughes 2 days ago 1 reply      
I use it as a non-HTTPS site that I can use to log in to Starbucks Wifi.
frantzmiccoli 2 days ago 0 replies      
Some domains are not to be sold, to avoid domain squatting and the kind of spammy websites you were expecting.
danso 2 days ago 0 replies      
Yes, I use it as an example URL for tutorials or for testing out any HTTP-request-making code.
27182818284 1 day ago 0 replies      
Yes, it is used a fair amount by web developers. Often I notice more junior developers making up their own things, but that leads to situations where your debug/private messages can be sent to a real person. I'll see things like null@null.com or something@nothing.com, which is bad.

I believe the owner of null.com gets tons of emails from buggy OnStar notices to mom+pop websites.

atsaloli 2 days ago 0 replies      
Sure. Example.com is an Internet standard. See http://www.rfc-editor.org/rfc/rfc2606.txt
zerognowl 1 day ago 0 replies      
Special Use for now, but this could change at the whim of standards bodies, and could become an ordinary domain. It certainly would be interesting to own such a domain and see what kind of emails you'd be getting.
Ask HN: Someone uses stock trading as passive income?
11 points by 00taffe  1 day ago   7 comments top 3
larrykubin 1 day ago 1 reply      
I get passive income from stock dividends. Most people who trade for a living spend a lot of time looking at charts (if into technical analysis) or doing research (if investing based on fundamentals). I wouldn't call stock trading passive unless you have a fully automated system. I've seen plenty of people lose more money doing this through paying transaction fees and regular income tax over and over again, rather than just holding the S&P 500 for a couple decades.
pesfandiar 1 day ago 1 reply      
What do you mean by trading? The index funds that I blindly buy every month give me almost absolutely passive income in the form of dividends and some capital gain. I wouldn't call anything more involved passive.
baccredited 1 day ago 2 replies      
Half a question, so I'll provide half an answer. $93,917 for 2015. But it ain't "trading" it is "holding".


Should I really avoid OVH for production app?
4 points by benishak  1 day ago   8 comments top 8
aminozuur 16 hours ago 0 replies      
OVH is one of the largest VPS companies on the planet; they didn't get there if they sucked as badly as you make them out to be. I recently switched over to an OVH VPS (just $3.5/month) for 1 project (I usually use Digital Ocean) because OVH has excellent DDoS mitigation (while that is non-existent at DO).

OVH's website looks ugly if you are used to DO's beautiful interface, but they are good. I tested their DDoS protection and it is second to none.

ancymon 7 hours ago 0 replies      
I heard advice that it's best to pay them on a monthly basis. In that case, when you encounter a hardware problem you just buy a new VPS instead of dealing with support.
lnalx 1 day ago 0 replies      
I've been an OVH customer for 5 years; at the beginning all was very great, no problems at all. After several years I switched to Kimsufi (their cheap dedicated server) but it was a mess: never a day without a disk failure or a good response time. I quit for 2 years (for Online.net) and I've recently bought a VPS for production usage, and after some hours the problems came again... It's incredible! I'll cross my fingers for the future, but I'll not switch all my servers to their datacenters.

As a French person, I'm proud of OVH as a French company, but they favor service quantity over service quality and that's a shame.

hackerboos 1 day ago 0 replies      
I used to get frequent downtime from them when I used dedicated machines, about 4 hours a month. These days I use their VPS for staging environments and gitlab-agents.

I don't use them for gitlab or production because they do not meet the uptime/response time standards I require (300ms pings from Toronto to their Montreal datacentre).

They are cheaper but if the above is more important than raw power then I'd go elsewhere.

Edit: I haven't used their Public cloud offering yet, that might have improved performance over their dedicated boxes and cheap VPS.

zerognowl 1 day ago 0 replies      
OVH are a catch-all solution for hosting, and spread themselves very thin, similar to GoDaddy who try to do everything all at once. That's not to say I don't like OVH, but if it's a VPS then my default reply is Digital Ocean, who happen to specialize in this area. From my experience, OVH support is fast and reliable. OVH's unique selling point is their selection of domains. (They're the only company I know who can sell rare ccTLDs at an affordable price.)
Axsuul 22 hours ago 0 replies      
I have a dedi from SYS, a reseller of OVH, with 32 GB RAM for about $50/month. It's a great value for what you can get and we haven't really had any significant issues for the past 2 years that we've had it.
rngesus 1 day ago 0 replies      
I've used OVH for more than three years professionally for both production and development applications without any issues or problems.

Their customer support is indeed quite lacking, but you generally never need them unless you run into an issue with the hardware or the network.

pravula 1 day ago 0 replies      
I was going to ask something similar and was surprised to find a thread. I have been trying to sign up for an account and get a VPS for 2 days now. Wow, what a horrible website.
Ask HN: How to sell and idea?
13 points by hacknat  2 days ago   18 comments top 11
panorama 1 day ago 0 replies      
I don't really understand the negativity. Ideas, like advice, have intrinsic value. People are caught up with the notion of an "idea" (like 'Uber for X') and don't realize OP is discussing a market opportunity. It's very possible OP has an idea that can generate value for an obscure niche that's slow to adapt. This happens all the time - the wheel is constantly being reinvented in different industries and markets and plenty of people make a decent living doing stuff like this.

Anyway, my advice is because everyone is caught up in stigmatizing "ideas", it's likely you will not find an adequate market available to sell your idea or get paid enough for it. You're better off discussing it with people you know. Frame it like "There is an opportunity in market X that is not being pursued, likely because of reason Y. I understand this market/problem very well and could explain it to you in great detail. If you decide to pursue it, I'd like modest [advisor shares/dividends/etc.] in return" or something to that effect.

codegeek 2 days ago 1 reply      
To put it bluntly, you want to "sell an idea" that has no validation, no product, no customers, no reputation, no branding. No one is going to pay for that idea. That is the honest truth and you know it already.

If you do want to validate the idea, you have to put something together. If you can write code, build a working prototype. Show it to a few people.

I will tell you a secret. Ideas are worthless, but a working prototype can be worth something. I know a close friend who built a tool and had no clue how to market it, BUT he was able to find a buyer for a good amount. Not an actual business yet, but he has been offered 6 figures for that tool.

lpellegr 2 days ago 1 reply      
I love the sentence "I just can't justify (to myself) wasting that much time on a problem I don't find interesting (even if it made me 10k/month recurring profit..."

If you can't justify it to yourself, how can you hope to sell such an idea to someone? Oh, maybe you are a commercial actor :D

caseymarquis 1 day ago 0 replies      
If you're willing to spend a little bit, contract someone to build a site that offers the service and looks good, but only actually allows people to sign up for the future service or something along those lines. If you get people who are willing to sign up, then perhaps you could persuade someone to invest in the business and finish building the actual service via contract with someone else's money? At that point you could maybe leverage some sort of sale/investment where you end up being very hands off? Even if you were going to build it yourself, just making the site to confirm interest would probably be a good move. Reading "The Lean Startup" with a coworker right now. It advocates a lot for experimental validation before investing any engineering effort.
Nomentatus 1 day ago 0 replies      
There are those who do. Even without patents. They leverage the internet/publicity/rpost etc to deter intellectual theft and also learn who to talk to and how at companies, leaping over those barriers. There's a book reference here I'd like to drop but I don't have it handy.

Few ideas are easily patent protected, plus it's easier to improve execution than the quality of one's ideas - so you're always advised to do what's easier. (First off, at least.)

Note too that "Execution" is often a way of saying "patentable ideas that you can hide instead of patenting them" - which is to say, trade secrets (always more valuable than patents, not least because they don't expire.) Intel was built on just such an invisible trade secret (akin to annealing) that made their memory (this is pre-cpu days) far more reliable than competitor's. So a lot of those who expound about "execution" actually mean "ideas", just non-public ideas.

The other thing that prioritizing execution says, is that people tend to have part of an idea, and not realize how much more thinking (and further patentable ideas) are necessary to make it work. Having a necessary-but-not-sufficient patent (such as Wang's 2D iron-core memory patent, back in the day) is not as valuable as a necessary-and-sufficient series of patents, or far more complex patent.

Also the system (laws for sale) is tilted so that corporations can appropriate the ideas of individuals, in many ways. They are put in a position to patent-and-execute; and individuals are short-sheeted.

dangrossman 2 days ago 1 reply      
To summarize: you have an idea which would take 6-12 months to execute on, and would not generate enough revenue to build a real business around. You want someone to pay you for this idea. Sound right?
marcc 2 days ago 1 reply      
The best way I can think of to sell an idea is to build it (at least a prototype), prove the idea, and then try to sell it. You aren't going to be able to sell just an idea. You can recruit a partner to work on it with you; you don't have to build it yourself.

If it's not worth this amount of effort, then I don't expect someone will pay you money for an unproven idea that doesn't have enough value to spend your own time on.

wslh 18 hours ago 1 reply      
I have one friend who has a lot of ideas and profits from them by partnering with small company builders. Sometimes it works, sometimes it doesn't.
Gustomaximus 1 day ago 0 replies      
Put your money where your mouth is. Find someone else that can build it and put them on contract for 6 months, or less given this was only going to be built in spare time.
sharemywin 1 day ago 0 replies      
How do you know that once you prove it can be profitable, lots of other people won't jump in and compete, driving down the profits?
Mz 1 day ago 0 replies      
The reason we have sayings like "Ideas are worthless, execution is everything" is partly because execution often contains or reveals a great deal more information and unstated assumptions than your nutshell explanation.

There is a great scene in The Hudsucker Proxy where he shows a circle and then a line as his diagram of his idea. This turns out to be the hula hoop and is wildly successful. The scene basically repeats -- drawing of a circle for top view, line for side view -- but the idea is now the frisbee.

Effectively communicating ideas in any kind of meaningful, meaty way is incredibly hard. This is part of why demos are so useful.

To sell an idea you must effectively communicate it. People sell ideas all the time, though perhaps not in the sense you mean. For example, people trying to get funding for a movie routinely have to sell the idea. This is where you get expressions like "it's Uber for X." This is an attempt at getting across a density of information succinctly.

Effectively conveying a dense amount of information in a small package is an art form in its own right. People often pay to have that done or to get help with it. It's a very separate skill from seeing a solution in context because of having done work that exposed you to certain experiences.

       cached 27 September 2016 20:05:02 GMT