Firefox appears to be a bit better by letting you set a master password that's used to encrypt passwords, although without digging into the behavior I can't say exactly how much that helps.
See https://news.ycombinator.com/item?id=6166731 and http://kb.mozillazine.org/Master_password
You can read more about that 1pass vuln here: https://news.ycombinator.com/item?id=11212002
Most browsers store their passwords in plain text; this means there are applications that can fetch all your stored passwords from all browsers and send them to an undisclosed location in seconds, given user-level privileges on the machine.
By upgrading to LastPass you have reduced that attack surface by using a secure passphrase and an encrypted data store, but you have increased your attack surface to anything accessing LastPass servers and to application bugs.
With all these attack vectors one might think that it's better to just not save passwords and remember them instead. While this is true in theory, in practice it's impossible to remember a sufficiently unique password for each website you are registered with, which leads to password reuse, which is another, much greater attack vector: your leaked passwords from one site can be reused on other sites.
In general I would advise you to use a password manager that generates and encrypts passwords (LastPass is one of them), use a secure passphrase and don't reuse passwords. Password reuse will likely make you less secure than writing your passwords on a post-it by your computer (don't do that either).
I would also consider looking into using proper 2-factor authentication for sensitive logins (document storage, email, password manager), but I don't want to bore people with the details there, so I'll defer you to do some independent research.
* Store passwords encrypted (Lastpass is fine)
* Don't reuse passwords on different sites
Granted, if you use full-disk encryption, this concern is much less serious.
If, at the end of all this, you don't have a clearer idea about how to help these people to happily give you their time / money / eyeballs, then maybe just leave it be and enjoy $30 worth of beer each month or something.
Also you can ask for Bitcoin / Litecoin donations depending on how technical your visitors are. I know you want normal currency, but you can convert BTC using Coinbase and other exchanges.
The reason I'm not sharing the URL is because the code is somewhat outdated and may be insecure. In my spare time I'm working on a new version which matches some of the recent security 'standards'. The website started as a project just for learning how to develop a basic website with interaction between users. So about seven years ago I tried becoming a new instance of Zuckerberg. I started chatting about the website all over the chat places. I added a Twitter account, following (by hand :)) all those singles and lonely people out there hoping they follow back, greeting them every day and helping other Twitter addicts keep their following lists clean with new tools, also presented within a back office on the same website.
My situation only allows me to work just a couple of hours a week on a side project. The reason I'm looking for some new ideas to monetize the project a bit more is because I want to buy a new house, like within a year or so. Just need 100K euros additionally to buy a nice place to give my son the full experience of life as much as possible in the way me and my wife dream about it. I can't just switch jobs, because the company I work for did a lot for me. And I am a very loyal person when it comes to people/businesses helping me out with stuff.
Now, for the chat service, it's more like a lonely-chat service. About 100 visitors a day, saying "Hi, is there anyone around here?" or something like that. Then, the silence is killing them, at which point they probably start clicking those ads :) So as I removed the useful stuff from the website, people started clicking more on ads, to just get away.
When I read the feedback, I think I should just add some sort of feedback button or create a popup with a textarea in which they can add their dream they expected to get in by entering the website. And then start building them those dreams, for just a penny a day.
In terms of getting more $, affiliate income makes lots of money. In the old days when we used to run sites with AdSense and affiliates, the affiliate income accounted for about 70% of the revenue. If you had a good place on your site for it, I'd start by looking into the Amazon Associates program. FYI, the Amazon affiliate pays out from 4% - 10% of the sale of the product.
We haven't monetized hackernoon.com at all and have instead focused on good content, and we are now well into the millions of monthly uniques. It's not worth the time to monetize 3k visitors.
You probably won't fix that in this thread if you don't share the URL or even enough information about your chat site for people to give educated feedback.
What kind of users are they? Do they chat about everything or is there a theme or geographical niche? What kinds of ads are displaying through adsense? How long did it take you to get to 3k users? Do you feel like it will be hard to get more? Why did you throw up adsense at such low traffic?
How specialized are you? Maybe if you're incredibly specialized and have the right crowd, you can start having premium accounts in exchange for special features.
3k is pretty low, for a chat service (in general, maybe for extremely specialized services it isn't).
If possible, try to expand your userbase, advertising? Social sharing? Affiliate programs?
The possibilities are endless and you live and die by the specifics of your niche.
Decide if you want to aim for massive, or niche, ads, premium features, freemium?
If you want more specifics, I think you need to be more specific in your question, but then I'll gladly expand.
Whatever you do I'd try to listen to your users and see exactly what they want. 3,000 users really isn't very many and it would be really easy for them to disappear. Talk to your users, find out why they're using your site/service, keep that in mind when building out your feature set.
Edit: Keep in mind, building out the service and keeping it free is also an option, especially if you enjoy working on and running the site. If you listen to your users and keep improving the product, it's very possible to turn 3K monthly users into 300K. I run an API that has a front end site which gets around 175K monthly hits and brings in about $1300+ (CAD) a month from the ads. The site costs peanuts to run so I'm happy to serve the 35 million API calls for free and fund the project 100% via adsense. It just depends on how far you'd like to scale it and what your users are like.
This advice is coming from someone who has a site doing roughly $5k/month from AdSense via 275k+ visitors / 1.3M+ pageviews, and it makes up about 30% of the site's revenue. The rest is from paid plans & affiliate marketing.
Partner with them on making this more profitable.
As others have pointed out, without knowing more about your site it's difficult to answer. But here are some suggestions. Try selling add-ons such as premium emojis or avatars. Look towards a premium account with added features as well.
- Alfred Hitchcock
For organizations that are closely aligned with humanitarian causes (e.g. health projects in the developing world), I've noticed a much higher gap, presumably because these organizations are able to attract talent that's more passionate about the cause/willing to accept lower compensation.
None of which is to say that a particular individual might not wish to take a position with a particular non-profit that pays less than market rate for a variety of reasons. Only that non-profits often pay full market rate for development [in the context of donors] and fund-raising and administrative staff as well as for services and goods from outside organizations.
What's important is that you feel fairly compensated, and that you don't have to fight for that too hard, so that your income continues to grow.
By contrast I know from personal experience you can earn the same or better than what's listed here outside of London and enjoy the lower cost of living.
Freelance Flash animation / dev for big digital agencies and ad companies (5 years ago) - 250 p/h, with 3 years experience.
Tech Lead - Digital Agency in Shoreditch (1.5 years ago) doing Node / Ember / Angular / DevOps - 45k, however I chose a lower salary for more leave and flexible working hours.
Now I work in Berlin in a dev role doing Node / React / Redux. 57k. My living expenses are 1/2 what they were in London, and I live in a central Berlin 1 bedroom apartment rather than shared housing.
Really need to move towards the midlands (Bristol, Birmingham, Leicester, Staffordshire - cheaper rent, cheaper water, higher pay)
I've been a Dev for 7+ years.
17 years experience, initially as a general web developer, then front end, now more back end. Currently Ruby on Rails but I can turn my hand to almost anything.
Not a manager, not a senior developer, not a tech lead. No desire to be.
I work quite short hours (9.30-5) and that's what's most important to me.
No degree. Around 10 years experience in Network Security.
- Permanent position
- Cloud stuff
- 66k plus bonus et al which pumps it up to around 88k
Currently doing my own startup and cyber-security consulting for 750-900/day.
Edit: long term so no "off" days & 150k ish per year depending how many holidays I take.
Web Developer in London for a dating company - 75000 pa (with bonuses it's around 110000 pa)
I have a PhD (4 years programming), and ~4 years professional experience as well.
Previous roles:
Fresh Graduate: "Developer" 28k + 3k bonus.
Fresh PhD Graduate: "Senior Developer" 40k.
Digital marketing, education sector, 4 years experience: 39k + healthcare
Experience: 20 years as a dev.
Skills: full stack dev .net, angular, iOS etc.
Current gig 475pd, to be honest I had better leads but the client offered the same day of interview and I started the following day.
I have 6 years experience and no degree.
Guy next to me does the same job for 53k.
Edit: media type of industry. Work normal hours, usually 9-5:30.
Small Investment Bank - 61k + ~30% Bonus (3-5years experience) Java / Angular - Back Office Developer - Permanent
Small Hedge Fund - 65k + 50%+ Bonus (expected/promised) - .Net / WPF (5years experience although not in .Net) - Permanent
Base 67k. Bonus anywhere between 15 to 50%.
10 years C++, specialised in low latency
Front office large investment bank. Java. Perm. 15 years in banking, 20 years in programming
110k - no significant bonus.
Create a network with automatic IPv6 addresses and start the management access service (likely ssh) on the zt0 interface. Then it "just works", regardless of NAT in between.
This is a completely userland solution however. You probably don't want to put real service traffic on it if you care about throughput. It's perfect for management however. (or just test it, maybe you can saturate your link anyway)
This works either by using the public servers for discovery, or you can set up your own dedicated endpoint(s). Either way, the traffic takes the direct route through the NATs, or within the local network if possible.
I've never set up a VPN and I'm not too knowledgeable about them. Should I set one up? I don't know. Toyed with the idea a few weeks ago up until I read this post on StackOverflow (http://serverfault.com/questions/653211/ssh-tunneling-is-fas...) - TLDR (VPNs are slow)
But it really depends on the use-case. HTTP from behind NAT - that's easy, just port-forward. If you're talking about SSH access, then you have a few more options that you might want to explore (port forward, or tunneling to an external host). If you're talking more than one host behind the NAT, then you have another set of possible solutions (reverse-proxy HTTP servers, SSH gateways, etc...).
Care to give us more information?
Might be overkill if you just need to reach one particular service (e.g. HTTP(S)) though, in which case you could consider setting up a reverse proxy (e.g. using nginx) on a DMZ'd server?
It had the advantage of being quite easy to set up for me, as I'm quite used to setting up VPNs and NAT forwarding rules (having lived in China, bypassing firewalls is almost an everyday routine exercise :) Also, it worked perfectly well and the performance was reasonable. I could access my server at home, in Beijing, behind a NAT, a dynamic IP and the country's firewall, from anywhere in the world. I was happy!
There are surely other (better?) ways to do it though, and the autossh/reverse tunnels option looks very interesting.
However, assuming this device/VM runs "unix", and to K.I.S.S., use reverse SSH tunnelling. Once an SSH tunnel is established on your side, you can do whatever you want... e.g. tunnel VNC through for GUI.
You can of course add more layers of security e.g. non-standard SSH port, dedicated VM/server for the SSH entry point, refresh SSH keys regularly etc.
Essentially you will add a directive to SSH config for the NAT host, and the host that you want to access. In the directive for the host to access, you will specify that you're proxying through the NAT host.
You can then leave out all of the port forwarding options when connecting to the target host, SSH will pick that up from the config file.
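An added example of the ssh_config stanzas described above (not the commenter's own config; the host names, user names and key paths are placeholders):

```sshconfig
# Added example, not from the thread. Placeholders: nat.example.com is the
# NAT host with a public address, 10.0.0.5 the machine behind it.

# The NAT host: the only machine reachable from outside.
Host nat-gw
    HostName nat.example.com
    User jumpuser
    IdentityFile ~/.ssh/id_ed25519_gateway
    IdentitiesOnly yes        # offer only this key, not every key the agent holds

# The machine behind the NAT, reached by tunnelling through nat-gw.
# ProxyJump (OpenSSH 7.3 and later) replaces the older ProxyCommand idiom.
Host inner-box
    HostName 10.0.0.5
    User alice
    ProxyJump nat-gw
    IdentityFile ~/.ssh/id_ed25519_inner
    IdentitiesOnly yes

# Equivalent line for OpenSSH older than 7.3, inside the inner-box stanza:
#     ProxyCommand ssh -W %h:%p nat-gw
```

With this in place `ssh inner-box` needs no -J, -L or -i options; the same stanza also serves scp and sftp.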
Bus to train station. The trains and buses rarely match up so there's a good bit of wait time at either end.
Time to read.
by train 2 hours each way
Deep work is hard, not always satisfying. Generally speaking, progress equals happiness. What's important to you? What do you want to achieve? Why?
Robbins has a good system for creating an action plan > https://www.youtube.com/watch?v=78pwjZ7lzBI
In my experience, burnout comes from too long as a student/worker (even self-employed) without giving yourself a break (among other things, but this is a common start to it). Maybe find some other hobbies to help you out, even if they're only intermittent (like my infrequent gaming hobby). They give you something entirely different to focus on for a few nights each month. That break can do wonders for your motivation and focus when you return to your other projects.
I wish I had some good advice for you, but I'm still trying to figure it out myself.
The next step, however, would be to educate the populace so that all voters were informed, and that voters would be presented (in an elegant fashion) with what is relevant to their districts on the three tiers of national, state, and local policy. I don't know if Unix has a good metaphor or reflection of this, but unix is meant to be a) modular and b) minimalist, so if we can sponsor the idea of true modularity in voting, I think we could see some full-participation schemes that are not overwhelming. I don't have to vote on every issue, but could vote on collections of issues that reflect my general ideology or current understanding of what best suits the republic.
Another issue though, is ownership. In the Feudalistic Republic of the United States (as of 2016) it's hard to describe a system that could be adopted reasonably that promotes the idea that all the nation belongs to everyone in it. We have some things like "the right to life, liberty, and property [often misquoted as 'happiness' at the end here]" and how does one reconcile this idea of property with a truly harmonious community? Good question.
So in short, the basis of the Unix philosophy would help (especially with law versioning, that is just what needs to happen and is so brilliant and clear I am surprised there is not greater traction for it). All Laws need time limits (and easy renew options if they are good)... And the entire populace needs higher quality information that [forces?] causes people to consider the community at large.
/rattle like a snake
- Is it better to use a different passphrase on each key, or does using the same one not matter much?
- How much less secure is it to not use a passphrase on a key?
- Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
- Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
My favoured solution is to use a YubiKey via gpg: with this method you use your gpg subkey as an ssh key. The YubiKey 4 supports RSA 4096 bit keys; if you need NFC then the YubiKey NEO supports max RSA 2048 bit keys.
From that, we get:
- you're not sharing passphrases between keys, you're sharing them between devices, and whether that's safe depends how likely it is that a compromised passphrase on one device can be transferred by an attacker to another.
- Similarly, whether a blank passphrase is a good idea or not depends on what other measures are protecting access to that private key.
- If a private key ever turns up on the wrong machine, you *know* the key and both source and destination machines have been compromised.
I have set up a VPS, disabled passwords, and set up a key with a passphrase to gain access. At this point my greatest worry is losing this private key, as that means I can't access the server.
What is a reasonable way to backup my private key?
Encode it as something similar to a QR-code, print it, and store it in a hole in the wall? Copy it to an USB-stick and hide that somewhere safe?
Alternatively, I have access to more than one computer, so I could also authorize a couple of other keys to access the server. So I would transfer the public key to the authorized machine, and add them to the authorized_keys from there?
How to deal with the possibility of death? Do I trust someone with my keys and passphrases?
  Host myhost
      IdentityFile ~/.ssh/myhost
This is a question of layers. If you don't have a passphrase on your key, what stops someone from gaining access to it? Just your account password? If they steal your device, is there some form of storage encryption involved?
> - Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
I have different keys for different purposes per client device. This is mostly because sometimes I need to login to places that are ancient enough I need to use a weaker key than I would like to use in other places or vice-versa, there's places I can only login with ed25519 keys.
Though having different keys per purpose isn't necessary, it allows me to keep certain identities separate. I have a different one for GitHub for example, mainly because GitHub exposes my public key and therefore allows for clever tricks like tying the key to an established identity should I use that key to authenticate in other places.
I would also recommend configuring SSH so that it doesn't send over any/all keys by default. Take a look at the IdentitiesOnly option in ssh_config.
Yep in an ideal world, though I suspect in practice it doesn't matter much.
- How much less secure is it to not use a passphrase on a key?
You are relying completely on the security of your disk, against either physical or cyber. Use a passphrase, use an agent to manage it.
- Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
Per client device. This is the device that can be compromised and cause invalidation to be required, so this is the one which should be separate. For convenience you can maintain all your devices' public keys concatenated together and hand them out like that; comment each with hostname and date created for ease of identification.
- Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
Up to a point. RSA in 8 bits is trivial. Go for a highish key length; different key types have different recommended lengths. Note some machines don't support higher lengths.
- How/Where should private keys be stored on a device using them?
Permissions should be set for only you to read with no writing. Even better if your home drive is encrypted as it is only vulnerable whilst you are logged in.
- What are some of the pros and cons from a security standpoint, and how may doing different things affect the usability of a key?
If you hop machines a lot key per client can be problematic. In this case a portable secure drive is useful. Of course one leak can be fatal here.
Try not to fall back on passwords, they have nothing like the same security.
Most usability issues are caused by the people running the servers not reacting in a timely fashion to key updates.
- Is it better to use a different passphrase on each key, or does using the same one not matter much?
If they are being used on different devices then different passphrases make sense, otherwise no.
10? Not sure you can really quantify an answer. I'd recommend a passphrase if you aren't already using disk encryption; with that it's probably less of a concern. However, with agents there's not much issue with not having one.
Use a different key per client device, but you don't need a different key for logging into different servers unless you care about people correlating those users.
Use more than 2048 bit for RSA/DSA; beyond that it doesn't matter.
~/.ssh on some local filesystem.
It is better to use a different passphrase for each key but it is also less convenient unless you're using a password manager (personally, I'm using KeePass)
> - How much less secure is it to not use a passphrase on a key?
That depends on the security of the computer where the keys are. I remember a Firefox vulnerability where one site exploiting it was looking for ssh keys on the local file system. So I'd say that a passphrase is very important.
Personally I'm using a key per account per host.
> - Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
Yes up until 2048 where the returns of increasing the amount of bits will start diminishing.
It's better to think about specific attack scenarios. If your keys get exfiltrated because of some local exploit (like a browser vulnerability, a malware download or physical access) then the attacker has access to your servers.
1) Disable passwords and only allow keys even for root with PermitRootLogin without-password
2) public-key authentication has the somewhat unexpected side effect of preventing MITM, per this security consulting firm: http://www.gremwell.com/ssh-mitm-public-key-authentication
Two questions came up: how many iterations to use via "-a", and should I add the private key to my home folder repo in version control? I don't want to lose it in a disk crash, but don't want to give it to bithub either.
Regarding key types:
- DSA keys (ssh-dss) suffer from several issues (fewer bits, bad RNGs in Debian, other issues), and modern versions of OpenSSH deprecate it.
- RSA is pretty standard, and generally speaking is fairly secure for key lengths >=2048. RSA-2048 is the default for ssh-keygen, and is compatible with just about everything.
- ECDSA is largely considered compromised because NIST never documented well how it arrived at the constants it chose for the cryptosystem, and the assumption is that the NSA chose them to provide a "backdoor" (so it would provide the same security for a general attacker, but be significantly easier for them). This was confirmed as being theoretically possible, and there is of course concern that the NSA could potentially leak those constants, instantly breaking the security of this cryptosystem.
- ED25519 is more or less the same as ECDSA, but was put together by DJB. The big advantage here is speed. EC crypto is much faster to sign, slightly slower to verify, and equivalent security can be achieved with fewer key bits.
- Notes for the future: both RSA and ED25519 become insecure against quantum computing (integer factorization and discrete log are both in BQP).
Generally, use RSA if you work with older servers that only support it, or ED25519 if you like shiny things. Otherwise it's a bit of a tossup.
Regarding using separate keys:
- I follow the philosophy that a private key should never leave the host it was generated on. If you aren't sharing keys between machines, you remove the risk that you'll accidentally share it publicly.
- Beyond that, I'd recommend at a minimum having separate work/personal keys. Keeping separate keys for each user/host you want to log into is a tad excessive, but can be useful for key revocation/rotation.
Regarding passphrases on keys:
- Yes. FDE is sometimes trivial to bypass, and you want to be protected in case someone sets your ~/.ssh folder to be synced to dropbox/samba/etc. You can use an agent to keep the decrypted keys in memory, but I'd avoid using agent forwarding.
Regarding bastion hosts:
- You didn't ask about this, but it is essential for a "best practice" setup.
- Bastion hosts are small VPS hosts that basically run sshd and have a static IP. You disallow any ssh traffic except from your bastion hosts to your servers.
- You'll want to have at least 2 bastion hosts with different hosting services, in case one isn't available.
- Run sshd on your bastion host on a port other than 22. Not for security, but for reducing log volume.
- Run fail2ban on your bastion host, even if you've disabled password authn. Again, not for security, but for reducing log volume.
- Set up fail2ban to alert when a new IP successfully logs in.
- SSH can use certificates for authentication, and this can make the key distribution problem much easier to solve. I have a script that makes this easier.
- Push for everyone in your organization to use SSH keys, and only SSH keys.
- Defense in depth. All it takes is skipping one step and you expose yourself. Assume that something that was exposed has been compromised. An attacker only needs to succeed once.
tl;dr - the defaults are fine and password protect your keys.
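Added example, not code from any of the commenters: a sshd_config for an internal server that implements the "keys only, root by key only, connections only from the bastions" points made above. The bastion addresses and user names are placeholders.

```sshconfig
# Added example for an internal server sitting behind two bastion hosts.
# 192.0.2.10 and 198.51.100.10 stand in for the bastions' static IPs.

# Keys only: no passwords and no keyboard-interactive fallback.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

# Root may log in, but only with a key. "without-password" is the older
# spelling of the same value and is still accepted.
PermitRootLogin prohibit-password

# Only these accounts, and only when the connection arrives from one of the
# bastions. USER@HOST patterns are documented in sshd_config(5); HOST may be
# an address or CIDR range. Back this with a firewall rule as well, so that
# port 22 is not reachable from anywhere else at all.
AllowUsers alice@192.0.2.10 alice@198.51.100.10 deploy@192.0.2.10 deploy@198.51.100.10

# VERBOSE logs the fingerprint of the key that authenticated, which is what a
# "new key or IP logged in" alert (fail2ban or a log pipeline) needs to see.
LogLevel VERBOSE
MaxAuthTries 3

# The comment above advises against agent forwarding; refusing it server-side
# keeps a forwarded agent from being used as a pivot if this host is breached.
AllowAgentForwarding no
```

On the bastion itself the same settings apply, plus the non-22 `Port` the comment suggests for keeping log volume down.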
Using a passphrase is highly recommended except for server-to-server accounts, which should be locked down (and specify the specific command that server can execute in the authorized_keys file - Userify supports this).
You should definitely use a different passphrase for keys stored on separate computers, and it's not a bad idea to use a different passphrase for separate keys stored on the same computer, especially if they have different servers they can access. However, practically speaking, if your computer was compromised (ie keylogger etc) then it's game over anyway.
> Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
Yes, it does make a difference, depending on what you mean by "real-world". Anyone less than a state-level actor will probably be unable to cost-effectively attack even a 1024 bit key, but that won't be true for long. We suggest 2048 bit keys if you are using RSA, with 4096 if you prefer extra security and don't mind slight latency during a connection, or ED25519 for keys on systems that support it. Generally the defaults are pretty good. We have a HOWTO for different OS's here: https://userify.com/docs/generating-ssh-keys-on-ec2/
> How much less secure is it to not use a passphrase on a key?
From the server's perspective, it's EXACTLY the same, but from the client (your laptop's) side, it's completely different. While it's possible that your laptop could still contain your decrypted key in its key manager's RAM or suspended state (ie unencrypted swap file etc), the use of a passphrase even on (actually, ESPECIALLY on) a non-full-disk encrypted system will raise the level of effort to access your key to near-impossibility levels, especially from non-state actors, whereas a key that has NO passphrase is a piece of cake. Use a passphrase EVEN WITH full disk encryption (for example, the evil maid attack)
> Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
If you're using a different key and storing them on different computers, you should probably use a different passphrase on each key. The passphrase (or even if one exists) is not visible to remote servers (or Userify - we provide a free-text field that becomes your authorized_keys on remote servers.)
You don't need to use a different key per user account, although you can. You also should not use a different key per server... that will turn into a management nightmare. It's perfectly ok to use one key everywhere, but you should probably use a different key on your laptop and desktop, or if the keys have different levels of access (Userify can automate that for you too).
> How/Where should private keys be stored on a device using them?
Ideally on a device using full-disk encryption, including swap and laptop suspend space, to prevent access to a decrypted key in RAM (you are using a passphrase, right?). However, FDE does not protect you from other compromises on your system (i.e., another user that gains escalation to root and installs a key logger), and does not protect against a compromise of your BIOS (i.e., Intel UEFI) or boot process (evil maid attack again).
> What are some of the pros and cons from a security standpoint, and how may doing different things affect the usability of a key?
Keys are safer than certificates because there are fewer moving parts and no outside requirements for your internal CA or dependency on a CA that might go down. Keys can be a management nightmare at scale, but there is software to manage them (ie Userify, ManageEngine, BeyondTrust, ssh universal key manager, keybox (free/open source), etc). If you are doing a small project with few team members, you can also do management with Chef, Puppet, etc, or just by hand.
In terms of usability, a real key solution that manages keys across entire groups of servers with a few clicks can be really helpful... you can do all of the regular SSH things like tunneling (replace stun/sslwrap, etc), proxying all of your other traffic (SOCKS5), keep SSH connection alive (autossh etc), smart ban based on failed attempts (fail2ban, deny hosts), forward encrypted X11 or VNC connections, forward SSH itself (tunnel SSH within itself), and so much more.
We're going to start blogging about all the awesome things you can do with SSH soon, since it's really an amazing and deep protocol.
1. Userify https://userify.com Free cloud and on-premises versions available; full disclosure: I work there
2. ManageEngine: https://www.manageengine.com/
3. BeyondTrust: https://www.beyondtrust.com/
4. SSH Universal Key Manager: http://www.ssh.com/ (no TLS?)
5. Keybox http://sshkeybox.com/
Passphrase is strongly advised
Is it better to use a different passphrase on each key, or does using the same one not matter much?
How much less secure is it to not use a passphrase on a key?
If you expect to be moving your SSH keys across machines (e.g. to use your same personal key on both your laptop and your desktop), then they should absolutely be passphrase-protected, even if they're only transferred via encrypted media.
Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
Meanwhile, for situations where a server needs to connect to another machine via SSH, each such server gets its own key. That way, if a server is compromised or decommissioned, I can revoke access by key.
Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
How/Where should private keys be stored on a device using them?
A reasonable balance between security and practicality is for any portable media (including portable devices, like laptops/tablets/phones) to be encrypted (in addition to the key itself being passphrase-protected). Better security would be to extend this to non-portable media and machines as well (but this is painful to enforce on servers unless you have physical access).
The directory in which keys are stored should only be accessible to the OS user actually using those keys (so, for example, `~/.ssh` should have permissions `drwx------` when viewing with `ls -la`).
Basically, server SSH keys should be treated like you'd treat your SSL/TLS keys.
What are some of the pros and cons from a security standpoint, and how may doing different things affect the usability of a key?
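An added example of my own (not the commenter's code) that checks a key directory against the advice above: `~/.ssh` at mode 0700, private keys at 0600, and private keys passphrase-protected, which for the OpenSSH key format can be read from the header (the base64 body starts with the `openssh-key-v1` magic followed by the cipher name, and `none` means unencrypted). It assumes a Unix filesystem; the sample key it builds is a constructed header only, not a usable key.

```python
"""Audit an SSH key directory: ~/.ssh mode 0700, private keys owner-only,
and OpenSSH-format private keys passphrase-protected."""
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path
from typing import List

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"


def openssh_cipher_name(key_text: str) -> str:
    """Cipher name recorded in an OpenSSH private key: the decoded body is the
    magic string, then a length-prefixed ciphername ("none" = unencrypted).
    Returns "" if the text is not in that format."""
    lines = key_text.splitlines()
    if not lines or lines[0].strip() != OPENSSH_BEGIN:
        return ""
    body = "".join(l.strip() for l in lines[1:] if not l.startswith("-----"))
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return ""
    off = len(OPENSSH_MAGIC)
    if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
        return ""
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def audit_ssh_dir(ssh_dir) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    d = Path(ssh_dir)
    dmode = stat.S_IMODE(d.stat().st_mode)
    if dmode != 0o700:
        findings.append(f"{d.name}: directory mode {dmode:04o}, expected 0700")
    for f in sorted(d.iterdir()):
        if not f.is_file():
            continue
        fmode = stat.S_IMODE(f.stat().st_mode)
        text = f.read_text(errors="replace")
        if text.startswith("-----BEGIN ") and "PRIVATE KEY" in text[:64]:
            if fmode & 0o077:  # any group/other bit set
                findings.append(f"{f.name}: private key mode {fmode:04o}, expected 0600")
            if openssh_cipher_name(text) == "none":
                findings.append(f"{f.name}: private key has no passphrase")
        elif fmode & 0o022:  # public keys, config etc. must not be writable by others
            findings.append(f"{f.name}: group/world writable ({fmode:04o})")
    return findings


def constructed_unencrypted_key() -> str:
    """Constructed stand-in, NOT a real key: only the magic plus the
    ciphername/kdfname fields ("none"/"none") that an unencrypted key carries."""
    raw = OPENSSH_MAGIC + struct.pack(">I", 4) + b"none" + struct.pack(">I", 4) + b"none"
    b64 = base64.b64encode(raw).decode("ascii")
    return f"{OPENSSH_BEGIN}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo() -> List[str]:
    """Build a deliberately sloppy temporary .ssh directory and audit it."""
    d = Path(tempfile.mkdtemp()) / ".ssh"
    d.mkdir()
    os.chmod(d, 0o755)  # too open: should be 0700
    key = d / "id_ed25519"
    key.write_text(constructed_unencrypted_key())
    os.chmod(key, 0o644)  # readable by everyone: should be 0600
    pub = d / "id_ed25519.pub"
    pub.write_text("ssh-ed25519 AAAA-constructed-placeholder user@example\n")
    os.chmod(pub, 0o644)  # fine for a public key
    return audit_ssh_dir(d)


if __name__ == "__main__":
    for line in demo():
        print(line)
```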
Upgrade your SSH keys! https://blog.g3rt.nl/upgrade-your-ssh-keys.html?_utm_source=...
Check out this video which explains it pretty nicely: https://vimeo.com/168648012
1) Me, personally: I wouldn't ask for a raise (and this might be me just being pedantic) but I'd ask IF the role change has a scheduled raise and what is to be expected. I'd use this answer to help me make a decision. I (me, personally) would assume the role would have a minor raise and future raises based on my performance in that new job. I'd try to secure a 15-20 percent increase in pay for moving to a manager role - which, btw, is hard. Moving into a manager role means learning a new job - this isn't (or shouldn't be) your other job with a couple new responsibilities. This is an entirely new job that isn't your old job... sure, you can help people when they ask but that is entirely different than hiring/firing, writing people up, or trying to determine what sort of a raise somebody deserves.
2) Be humble. Find a mentor. Read a lot. Be humble. Be humble, be humble. I believe that power exposes more than it corrupts but it can also corrupt. Work from goals. Give clear expectations. Also, you may not like this role. I've hired a lot of developers leaving their company because they were great developers that were put into management roles and learned to hate it. Good luck! Me, I love it. (to each their own)
3) Learn. Read. Read. Learn. Read... and remember: In theory practice always works, in practice theory doesn't - You are now dealing with PEOPLE not COMPUTERS. People are emotional beings and often unknowingly irrational. HOW you say something is much more important than WHAT you say.
Lastly - learn to manage UP as much as you learn to manage DOWN.
Best of luck!
Most very large enterprises have 2 tracks: IC and management. Typically most employees start out at IC and through defined and mutually agreed to career development plans train for the management track. This may take a few years. When the time comes for you to be a manager you have been operating in a management role for some time. This is the Peter Principle.
I'd be extremely wary of a surprise promotion in to management where a discussion about that possibility hasn't happened. I've seen this before and it can lead to disaster. You may be setting yourself up for failure or even worse someone is setting you up for failure.
2) Assuming you will be managing individual contributors (and not managers), there are two basic types of first-line software managers:
2.1) Managers who need to still be individual contributors. These are the types where you will still be expected to do some of the former work you did before. It's a lot like being a technical lead, except you are suddenly now thrust into a world of people management. Most technology companies view first-line managers as having this kind of a responsibility, though larger corporations with more established hierarchies may not.
2.2) Managers who are not expected to be individual contributors anymore. This is a role where your responsibilities are managing the projects and people on your team. (If your company has project managers, then that aspect of the role won't be necessary.) In terms of people management, the responsibilities include managing the career growth of the individual contributors in your team, removing roadblocks from their paths (i.e. political, bureaucratic, etc), potentially moving them around from project to project to better allocate your resources to company priorities, recruit and retain people on your team, mentor and train junior employees, set and reinforce a team culture, and think strategically about how to make your entire team more productive.
3) If your company offers management training, take it. If you like to read, there are a ton of great management books out there. One of my personal favs is "Now, Discover Your Strengths", though you can find plenty of recommendations online if you search around. Talk to managers, senior managers, directors, and VPs that you admire; interview them and ask them how they do their jobs. HR or your manager will likely give you a bunch of information on how to do performance reviews for your team. The art of delivering constructive feedback can totally be learned, though if you are new to it, it may take some time to become comfortable doing it.
This is all just off the top of my head. I'm sure I'm missing a lot of other info, but this ought to be a good start.
Being a manager is not for everyone. Some call it "herding cats," which it may sometimes feel like. But it can also be a tremendously rewarding role, especially when you can set everyone up for success and can see them humming along efficiently and effectively.
2. Learn, try and find a good mentor, get feedback, and set objective goals.
The hardest part about management is playing the carrot and stick game without turning a report's life into a carrot and stick game.
I would see https://developer.apple.com/design/awards/ as the tech equivalent award currently.
Managers would read papers about the CMM and declare that they wanted to be a Level 5 organization, causing insane amounts of busywork and document generation and overall grief to realize that their underlying business processes were hopelessly in the way of any positive change.
So then the goal went from "Level 5 or Bust!" to "Okay, let's try to get to 3" and then later "Um, can we make Level 2?" Then everyone just gave up. There were only a handful of shops that ever made 5 and stayed there, the Space Shuttle engineers being the most famous example.
In design, Apple's core hardware design team is over the top psychotic about the quality of their work. It's a true obsession for them. Many font foundries have similar neuroticism driving their work.
I think Chef's Table (great show!) does us all a disservice by kind of skipping over how unbelievably grueling such an undertaking is. It truly is inhuman. It's unfathomably difficult to create merely a successful restaurant... it takes a perfect storm in both the positive and negative sense for someone to create something like a Michelin starred restaurant.
So yes, probably. Is it sexy? Certainly not. It looks insane more than anything outside of the lens of a beautifully crafted documentary.
Hint: The proof is in the pudding. But you have to sit through the whole meal to know whether you enjoyed it...
Their products were regarded as things that "just work"; their website was very easy to use for support and information, and these were consistent over a long period of time.
I'm not so sure about the Apple of today, but in the 2000s they certainly were hitting their marks.
It is too broad and so there is no one deciding factor. You don't even have a clear definition of success. Is http://lawcomic.net/ successful? It has a loyal following, but it doesn't update that much, or earn much money for its creator.
If you're selling something, make it something that people want at the right price and make it easy for them to buy.
If you're selling advertising (you're a decade late on that one...), give people a reason to come back to the site - make the site sticky or have network effects.
Scaling comes later (assuming your initial design isn't a complete resource hog). It literally follows the money.
My understanding (feel free to correct me if I'm wrong) of it in the context of good websites is
Host: You need a great host/site, something stable & something people want to use
Agent: I consider agents as internal factors like technical, sales & marketing. They help you grow & ensure stability.
Environment: Environment is pretty much your jurisdiction; you need to make sure that your solution is legal & your environment is supportive of you growing. Another fascinating theory to study around that is the Overton window (https://en.wikipedia.org/wiki/Overton_window).
Vector: A vector is an organism which transmits infection by conveying the pathogen from one host to another, with the most powerful agent being word of mouth.
I guess if you have these 4 components structured well, then you have a pretty good chance of having a successful website according to the Epidemiologic Triad.
Now if your question is more around business models, then here's also another good resource to look into by HBR (https://hbr.org/2016/10/the-transformative-business-model)
I first got hooked on slatestarcodex (http://slatestarcodex.com/) when the author hit a five-post home run streak and he was just too good to not check in with.
When I'm evaluating whether to follow a tumblr I can see the process unfold in real time, where I scroll down and finally think to follow after I see several really good posts at once. The moment I stopped and saw myself doing that I realized if I ever wanted to get followers on tumblr my blog would probably need to have the same kind of five-post punch to get people interested.
1. Update often.
2. Make it easy to find your new stuff, or display your archive proudly and live off the interest.
3. Keep a high quality bar. It might even be useful to take your absolute best and put it in one place so you can show people your better side.
4. Market aggressively or be prepared to wait a while.
You'll get some ideas.
More to the point, making sure people know about it and the site is easy to use. Beautiful design is nice but if it gets in the way people will admire it once, twice... and finally give up. Don't let content get stale.
It's also a question that needs to be better defined. What sort of site? What definition of success?
For many sites, the biggest pieces are having something that people want or need, then consistently providing it. Of that pairing, having something people want is the absolute core.
In addition to this documentation, for Gmail and Facebook, I have completed the "I'm dead, do this with my account" sections of my account profiles. With Gmail, after 90 days of inactivity, my brother gets an email and gains access to the Gmail account.
I have 2fa everywhere and my close ones won't be able to keep updating my box or troubleshoot... I guess the bank will close my card when I die and I can pay in advance. Currently, I have 3 years of 'insurance', but what if DO doesn't exist anymore...
As for passwords, keys and so on, you can put all that into a single archive. (e.g. regularly export your password manager, put in any private keys you want to pass on, instructions for how to use them, etc.)
Encrypt the tarball/zip file with a symmetric key.
Then you can use Shamir's Secret Sharing Scheme to split up the key so that a certain threshold of key holders is required to access the data (e.g. any 2 of 4): http://point-at-infinity.org/ssss/
Distribute the parts of the key to your heirs.
Leave instructions in your will so your heirs can locate the encrypted file when the time comes.
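The split-the-archive-key step above, as an added example of my own rather than the commenter's tool or the linked ssss program: threshold Shamir sharing over a prime field, with shares printed in the same "index-hex" shape ssss uses. It also shows the failure mode a practitioner should know: with fewer than the threshold of shares, interpolation does not error, it just yields an unrelated field element, so the threshold has to be recorded alongside the shares.

```python
"""Shamir's Secret Sharing over GF(p): split the symmetric key of an encrypted
archive so that any k of n heirs can reconstruct it."""
import secrets
from typing import List, Optional, Tuple

# Mersenne prime 2^521 - 1, so a 256-bit archive key fits in one field element.
PRIME = (1 << 521) - 1
HEX_DIGITS = (PRIME.bit_length() + 3) // 4

Share = Tuple[int, int]  # (x coordinate, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial (constant term first) at x by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Split `secret` into `shares` points; any `threshold` of them recover it."""
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # The constant term is the secret; the remaining coefficients are random,
    # so any threshold-1 shares carry no information about it.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Share], secret_len: int) -> Optional[bytes]:
    """Lagrange-interpolate f(0). With fewer than `threshold` shares this returns
    an unrelated field element; almost always that does not fit in `secret_len`
    bytes and None is returned, but nothing here can detect the shortfall
    reliably, so keep the threshold with the shares (ssss asks for it via -t)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat: den^(p-2) is the inverse of den mod p
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if total.bit_length() > 8 * secret_len:
        return None
    return total.to_bytes(secret_len, "big")


def encode_share(share: Share) -> str:
    """Text form to hand to an heir, in the ssss style "index-hex"."""
    x, y = share
    return f"{x}-{y:0{HEX_DIGITS}x}"


def decode_share(text: str) -> Share:
    x, y = text.split("-", 1)
    return int(x), int(y, 16)


def demo() -> bool:
    """Constructed example: a random 32-byte archive key, split 2-of-4."""
    key = secrets.token_bytes(32)
    printable = [encode_share(s) for s in split_secret(key, threshold=2, shares=4)]
    two = [decode_share(printable[0]), decode_share(printable[3])]
    one = [decode_share(printable[1])]
    return recover_secret(two, 32) == key and recover_secret(one, 32) != key


if __name__ == "__main__":
    print("any 2 of 4 recover the key, 1 alone does not:", demo())
```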
Folks speculate that he must have known something. But his wife insists he was always a planner. The business appears to be busy and humming along fine. In many ways a tribute to what he built. Certainly a huge relief to his family, employees, and customers.
Here's a good link on contingency planning: https://partners-network.com/2013/10/17/contingency-plan-for...
In the grand scheme of things, we're all irrelevant. And in the end, none of this really matters.
 - https://en.wikipedia.org/wiki/Bus_factor
So, there's the technical route, whoever has the passwords wins.
But if it matters, and you don't want your technical heirs to be fighting each other, you should probably establish ownership and succession with a lawyer.
Concentrate on living a healthier/safer life and keep it going longer.
I understand how ridiculous the threat might feel. But a sufficiently angry person can cause you a lot of trouble for no good reason. It's very likely there are simple actions you could take to safeguard yourself. It might save you a lot of money in the long term. And very often even the major law firms will give you amazing free advice. Don't be afraid to call the best.
And I mean relate in the broadest manner. It doesn't have to actually be related. If they could convince someone with a bit of handwaving that it's related then it's related. The truth doesn't matter.
If neither of these are true, and you are in fact marketing to customers but not using their list or software, gather logs and customer testimonials, and proof about where you got the customer contacts.
Additionally, gather emails indicating why you left the company or were asked to leave, as it might indicate the company's intent to get even with you.
Lastly, talk to a lawyer. Consultation is often free for the first time.
My layman opinion is that he will have to prove his claims, and is probably trying to scare you into giving him your client list.
That's where I would start.
That being said. What's actually kind of good (with actual technical specifications) is Bitcoin wiki, even when it's slightly outdated; then official bitcoin website; and sometimes bitcoin stack exchange website (but that can become outdated too).
I don't think Blockchain can be disconnected from Bitcoin, and if you do, it's very general and not that specific.
And if you want a compiled list of resources for learning: https://drive.google.com/file/d/0B6CKmAqa1_nzRGVicnlHY1BaaUk...
Someone tells a joke based on a prompt. This would be your Genesis block. Then everyone else competes to tell the funniest joke based on only that and the new prompts from the audience.
Repeat until you have an ongoing, hilarious comedy routine that cannot be edited after the fact without being found out because that would ruin the whole routine. It just wouldn't be as funny.
Inserting metadata into the blockchain. https://medium.com/@bkawk/inserting-metadata-into-the-blockc...
Andreas M. Antonopoulos: "Consensus Algorithms, Blockchain Technology and Bitcoin" [UCL] https://www.youtube.com/watch?v=sE7998qfjgk
I work in the field and the most difficult thing is to separate the noise from the signal. In talks with financial institutions and the government, they say they want to use the blockchain but when you ask about how many nodes they are planning to run they come up with one, or don't understand the question. Also, there are a lot of use cases that are not realistic because they depend on oracles or there is no way to enforce the smart contract in the real world.
The intro to bitcoin concepts is a great place to learn about blockchain.
You'll need (at present) about 80 GB of disk space to hold the blockchain. The full node client will download it for you or you can torrent a recent snapshot of the blockchain and then synchronise from there (quicker).
The software you can obtain from here:
Or you can use git to pull the source code from GitHub and compile it yourself. I've done both, and found the developers on GitHub friendly and responsive to pull requests, even helpful to a newbie submitting a first pull request.
Beware that running a full node will try to eat all your upstream bandwidth. It takes a few days for the Bitcoin network to notice the existence of your new full node, but the number of connections will grow (others asking you for pieces of the blockchain, as well as transaction verifications). You can learn a lot about the Bitcoin ecology this way.
Bear in mind that the word "blockchain" is an evolving word; almost every definition I've read differs. Some see it as barely different than a distributed database that doesn't allow deletions. Many others see it as paradigm shifting.
I have a blockchain/bitcoin tutoring service at www.blockchaintutoring.com. I did a Show HN but didn't get a single comment :(
I'm a programmer myself, but my target market is not the typical HN user. I'm looking to teach more business types and people in the law profession, for example. I'm preparing a small course plan to help people get from 0 to knowledgeable. The course will certainly be a bit technical, but I would not cover for example the pros and cons of the blocksize debate unless someone asks for that information.
I invite you to contact me, either through my website's contact form or the email address there provided. We can chat, and then if you ever choose to use the service, it's going to be at a discount for HN users. Your questions will definitely help me tailor my offering.
Although this paper does not directly address the blockchain, I believe it and the thesis below are at the root of the concept. (If you want to go down the rabbit hole, check out the references page of the above paper). Fair warning, the above paper is from 1999/2000 so obviously much has changed, but still worth reading.
Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control by Mark Samuel Miller:
^ Following along with this helped me a lot. Bitcoin is a rather large onion, but, as others are saying, implementing parts of it is the only way to go.
I have been on the hiring side too, and if I asked you about that gap and got an honest reply about depression, that would tell me a lot. 1. you have identified an issue and worked to resolve it. 2. you are aware of it and may see it "coming" early next time (if it comes again).
I have been burnt too many times by people misrepresenting themselves in interviews (not being real to themselves to "sell" themselves) that I really value open and honest people. I think they know themselves better, and therefore their weaknesses and strengths too.
Could you hit rock bottom if I hired you? Sure, but it wouldn't be a complete surprise, and we could work together to prevent it and make sure you have the help needed before things got bad. (As if I hired you, it was for your skills and drive and fit and I'd want you to stick around to continue that).
Employers and employees can work through a lot if we both are honest and both are bringing something to the party (a job someone wants and the skill/desire to learn/perform).
Note I do not work in the US, and this is my experience.
Of course you could argue that such an inattentive employer is unlikely to be a good employer.
"TL;DR: ZeroBin is a minimalist, opensource online pastebin/discussion board where the server has zero knowledge of hosted data. Data is encrypted/decrypted in the browser using 256 bits AES."
test at http://sebsauvage.net/paste/
- vehicle to vehicle (V2V)
- vehicle to infrastructure (V2I)
- vehicle to cloud (V2C)
Each of those niches has niches of their own. I just finished working on the V2C niche by developing an API to move data between vehicles and updating them automatically (not realtime, though). What can you do with that kind of data? Well, if you have cars operating data (engine temperature, speed, etc.) you can come up with a bunch of interesting stuff.
Don't wait too much. This self driving market is reaching peak hype soon.
There might be a data play on dark data... all those tables in local engineering department traffic studies only accessible as PDFs, but it's hard to see that as non-replicable for a company that can stream data from a car's sensors to its servers in real time.
For a startup, there's an open question of how self-driving cars change the landscape of tier-two and tier-three automotive suppliers. What I mean is that what sort of new opportunities are made available by self-driving cars that are equivalent to manufacturing actuators or air-conditioning subassemblies.
The problem in the space is that the automotive industry is capital intensive. A billion dollars isn't going to ripple the pond and there are lots of companies with the habit of spending many times that. That's the way commodity industries work.
What would you do if you had a robotic chauffeur to take you wherever you wanted? Would you go places that you would not normally go to now? Cars drop you off at your destination and park themselves (maybe call you to agree to whatever the lot, garage, or recharge station is charging)
SD-Cars make the driver the passenger... who will now be able to look out and see the roses... listen to an interactive on-the-road tour. Read the billboards, notice that fruit stand etc. Former drivers will be asking "are we there yet?" Parents can truly interact with their kids on the road.
People that didn't travel as much due to health or medical reasons may be traveling more.
A lot more day planners, maps, review sites, etc. will probably interact more with the vehicle...
As a computer vision researcher, getting my hands on data 'at scale' is a really tough problem.
There is a company named Digital Grammars that is working on that kind of thing, and probably some others.
But you also want to have your identity checked for other risks, such as when medical records, email records, address, and existing accounts can be compromised. What is the best detection service? I'm not sure it's Lifelock. I'd compare.
ID theft insurance: pays for the costs of fixing an identity breach, and some also offer a person who does the work for you, filing all the paperwork and cleaning up damage.
Just register for a free credit monitoring service like Credit Karma/Sesame or a non-free one like Amex CreditSecure.
That's all you need.
When an address such as email@example.com is used to demonstrate the sign-up process on a website, it directs the user to enter an actual email address at which they receive mail. Example.com is used in a generic and vendor-neutral manner.
I believe the owner of null.com gets tons of emails from buggy OnStar notices to mom+pop websites.
OVH's website looks ugly, if you are used to DO's beautiful interface, but they are good. I tested their DDoS protection and it is second to none.
As a French person, I'm proud of OVH as a French company but they favor service quantity over service quality and that's a shame.
I don't use them for gitlab or production because they do not meet the uptime/response time standards I require (300ms pings from Toronto to their Montreal datacentre).
They are cheaper but if the above is more important than raw power then I'd go elsewhere.
Edit: I haven't used their Public cloud offering yet, that might have improved performance over their dedicated boxes and cheap VPS.
Their customer support is indeed quite ever so lacking, but you generally never need them unless you run into an issue with the hardware, or the network.
Anyway, my advice is because everyone is caught up in stigmatizing "ideas", it's likely you will not find an adequate market available to sell your idea or get paid enough for it. You're better off discussing it with people you know. Frame it like "There is an opportunity in market X that is not being pursued, likely because of reason Y. I understand this market/problem very well and could explain it to you in great detail. If you decide to pursue it, I'd like modest [advisor shares/dividends/etc.] in return" or something to that effect.
If you do want to validate the idea, you have to put something together. If you can write code, build a working prototype. Show it a few people.
I will tell you a secret. Ideas are worthless but a working prototype can be worth something. I know a close friend who built a tool and had no clue how to market it BUT he was able to find a buyer for a good amount. Not an actual business yet but he has been offered 6 figures for that tool.
If you can't justify it to yourself, how can you hope to sell such an idea to someone? oh, maybe you are a commercial actor :D
Few ideas are easily patent protected, plus it's easier to improve execution than the quality of one's ideas - so you're always advised to do what's easier. (First off, at least.)
Note too that "Execution" is often a way of saying "patentable ideas that you can hide instead of patenting them" - which is to say, trade secrets (always more valuable than patents, not least because they don't expire.) Intel was built on just such an invisible trade secret (akin to annealing) that made their memory (this is pre-CPU days) far more reliable than competitors'. So a lot of those who expound about "execution" actually mean "ideas", just non-public ideas.
The other thing that prioritizing execution says is that people tend to have part of an idea, and not realize how much more thinking (and further patentable ideas) is necessary to make it work. Having a necessary-but-not-sufficient patent (such as Wang's 2D iron-core memory patent, back in the day) is not as valuable as a necessary-and-sufficient series of patents, or a far more complex patent.
Also the system (laws for sale) is tilted so that corporations can appropriate the ideas of individuals, in many ways. They are put in a position to patent-and-execute; and individuals are short-sheeted.
If it's not worth this amount of effort, then I don't expect someone will pay you money for an unproven idea that doesn't have enough value to spend your own time on.
There is a great scene in The Hudsucker Proxy where he shows a circle and then a line as his diagram of his idea. This turns out to be the hula hoop and is wildly successful. The scene basically repeats -- drawing of a circle for top view, line for side view -- but the idea is now the frisbee.
Effectively communicating ideas in any kind of meaningful, meaty way is incredibly hard. This is part of why demos are so useful.
To sell an idea you must effectively communicate it. People sell ideas all the time, though perhaps not in the sense you mean. For example, people trying to get funding for a movie routinely have to sell the idea. This is where you get expressions like "it's Uber for X." This is an attempt at getting across a density of information succinctly.
Effectively conveying a dense amount of information in a small package is an art form in its own right. People often pay to have that done or to get help with it. It's a very separate skill from seeing a solution in context because of having done work that exposed you to certain experiences.