First, your business has to solve a very intense chicken or the egg problem. Quality freelancers will not join until there are good projects. And you won't get good projects until you have quality freelancers. In freelancing, the problem is even more difficult to solve as both sides of the exchange require quite a large investment in time. Listing yourself as a freelancer (and building a high quality listing) takes work. And listing a project also takes work. This is an obscenely difficult problem to solve and networking alone will not get you there.
Second, you decided to enter a market with a ton of competition. Your competitors range from the simple but effective (Craigslist) to the complicated but mostly useless. People who list projects are wise to the game - they know that most sites deliver shit. And freelancers are also wise. Whenever I've joined a freelancer website, I've been inundated with 'offers' to do 200 hours of work for $500 USD. How do you provide better value to both sides of the market?
Third, your website is quite bad. If I just navigated there by chance, I'd have no idea what I was even looking at. Much less would I have any idea what to actually do. Your language and choice of words betray a serious lack of professionalism. Work on your copy a touch and maybe find someone to read it over - preferably someone who will tell you the unvarnished truth.
"Due to some amount of trolling on the site, filters to be implemented and the site will be cleaned up within the next 24 hours."
That's not only a grammatical nightmare, but you're coming right out and telling people not to trust you!
Or, consider "no bullshit listings for freelancers." At best, that's an extremely unprofessional attempt to sound edgy and hip.
Good luck with this!! You seem like a good person and I'd love to see you fix this (badly broken) business.
Finally host your own landing page, stick Google analytics on it, and track how your visitors behave with Inspectlet.com and experiment with A/B tests (split tests). If you want to learn how to do this on AWS check out my course and I'll throw in a coupon and save 70% https://www.udemy.com/go-landing-pages/?couponCode=HACKERNEW...
Many thanks and good luck!
So get your Producthunt invite, build some Karma on Hackernews, share useful links on Twitter and gain a following. Create Facebook pages, write tutorials for your product, do Reddit AMAs, do Reddit selfposts, etc
Try to add value as much as possible. All the best marketers I know are doing Youtube screencasts for free and showing their prospects that the company has a genuine passion for the product(s).
(1) Your real market is the people/companies seeking to hire freelancers. You need to focus the site on that. Once you start having jobs listed, the freelancers will come. Otherwise, as a freelancer there is no real reason to join unless you are offering some other benefit.
(2) It's fine if you only want to have freelancers from Mumbai or Bangalore, but if you want listings you need to open that up to more than just those two locations.
(3) Change the Title of the page. "No bullshit Listings for Freelancers" really doesn't sound professional and if you are targeting people/companies seeking to hire, may be a turn-off.
(4) Create a landing page that tells what and why. I understand you want "simple" but at the same time you need to explain what/why/how.
You eventually want a product that users come to on their own, but in the beginning, you could talk to users on both sides to get them to come to the table. If you are interested in the space, this should come easy!
For instance, talk to people who want apps and sites created. Formulate their requirements into really great, attractive, clear posts on the job board. Give them logins to your site so that they can see the post. Now you have real users, and real job listings.
Now "advertise" the job listings, and/or your site in general with freelancers (tweeting the jobs, tweeting at freelancers, announcements with popular hashtags, telling your freelancer friends about the new site, etc etc). As others have said, when there are job listings, the freelancers will stick after their first click when they see there are listings.
Get feedback from both sides. I think the freelancers will be more able/willing to communicate electronically their feedback, and you will already be in touch with some people who had apps/site projects, so you can get feedback from some of them directly. Rinse and repeat many times.
I do think the existing freelancer sites need improvement in the personal touch area, so I think it's totally possible for you to compete, and even a major advantage to you in the beginning stages since I think success will hinge upon you doing things like this, which don't scale.
Good luck, please post a follow up to let us know how it goes!
Lecture 4 - Building Product, Talking to Users, and Growing (Adora Cheung)
Your user experience is ... void of any considerations for your user. No way to search for a particular set of projects, no way to see potential matches, no way to see how old a particular request is, no way to unselect a city, etc.
I would strongly recommend you avoid marketing and promotions until you have iterated several times on real user feedback. Your current product will most likely leak users so you'll just be wasting money.
Don't try to get user testing through marketing - that's super inefficient. Just pay people directly to use your product and give you some real world feedback. Much faster, cost effective, and easier to do.
#1 Is your product aimed at freelancers like yourself as you describe, for when "work load gets a little difficult to handle" and these busy freelancers are looking for "other freelancers to help" do some of the heavy lifting, but you (busy freelancer) remain the point person between the client on an already established project?
#2 Is your product aimed at everyone i.e. competing directly with freelancer.com and upwork.com where you are trying to: (a) get a market of clients to post their project needing a freelancer and (b) have a community of freelancers for clients to hire from?... With your revenue being some version of taking a small cut per job.
I realize your site is pre-beta and not finished. But knowing the actual goal here helps provide feedback and better advice for next steps.
Side note: How to get people to use _______ (fill in blank) when you suck at networking has very different answers depending on what the product is. Sucking at networking is rarely the main issue. I suck/don't enjoy networking but it turns out it only gets you started, other kinetic factors take over quickly (word of mouth by clients is an example).
Have you tried running any adverts? Ultimately, I suspect it comes down to either running a marketing campaign yourself or networking enough to find someone else who's prepared to handle that side.
They are your target market, no?
Networking isn't scalable unless you have something industry/domain specific and can reach influencers (top bloggers, users, etc.). It's probably better to work on appealing SEO, design and succinct message in a way which automatically sells potential customers on its value. Let the product sell itself 24x7 so you don't have to do as much work. Then, once profit is coming in, think about a sales team and hustling others who don't/won't self-discover. At the beginning, focus on schlepping to solve real/hard problems, providing fanatical support to early customers and other things that don't scale; and eventually make the product experience so compelling they voluntarily spread the word as well.
2. Develop a persona for your target customer. Make it tangible so you can imagine your end-user. Imagine how they go about their days. What their interests are; what their hobbies are. What they do in the morning; what they do at night. Their fears and challenges. What is the challenge that your product is solving for these people?
3. Now, you should have a sense of who you want to reach. It might be quite a broad category... 'Heads of Business Development in start-ups', 'Design freelancers on PeoplePerHour'. At this point you should be in a position to think about where you might be able to find lists of these people. Go niche, so you don't overreach. It's easier to capture a small market than a big one. Start small, and grow to new markets. Maybe, if you're building a freelancer website, it'll mean dialing down your target market to 'design freelancers in Aspen'. Try to find a directory of people online that meet this category.
4. Create a database of all these people. Only start with 100. It should have their names, companies, email addresses, and a notes column. Fill all this data in. This is a list of potential early adopters.
5. Draft these people a short, targeted email laying out in CLEAR and DIRECT language your valuable proposition. 'I spotted you were a design freelancer in Aspen. I'm building... I thought you might be interested because... Is this something you might want to use?' Follow up a week later with an even shorter note for people that didn't reply. RESPECT their details. Don't spam them. This is a PERSONALISED message.
6. You will receive two responses (a) 'yes' -- that's great, you have an early adopter; track their use of the service and value them; (b) 'no' -- that's even better, ask them why they don't think it's a good fit for them; ask them for feedback; why isn't it attractive; what would make it attractive?
7. Fill in your database with all these responses. After you have 20-50 responses, you have some important intelligence about whether you have built a product which ACTUALLY solves a market problem (i.e., you have market fit); if not, pivot -- build a product that responds to these people's feedback.
8. Rinse and repeat.
Sorry for the plug... people have told me that the most time consuming bit of this process is finding these people and their emails. That's why I built Find Emails Team. You can find it here: http://findemailsteam.com. For a few dollars, we can put a manual team to work to find these contact details for you.
Best of luck!
There are two points of overlap between your employer and your side business to be mindful of.
1) time and resources.
Generally speaking, your employer owns all IP you develop at work, or using work resources. In practice, I've never seen an employer be a dick about this, but you should still be exceedingly careful. It's really easy to be 100% free and clear on this one. Just don't ever do side project work (to include answering emails, etc) on work machines or on premises at work.
2) intellectual property.
This one's trickier. The agreement that matters most you already signed, if your employer uses one. It's basically a list of stuff you've already invented or have as a side project, and it exists specifically as a paper trail. eg: I work on finance software interfaces as my full time job, and have also done work on this for myself on the side. This agreement says "I created product X, which does Y with method Z" as part of the employment agreement, so that they can't later claim that I only came up with Y and Z because of my employer's training or resources, thus entitling employer to the project.
How careful you need to be here depends on the thematic proximity of your employer and your side project. If you work for dropbox and your side project is flappy bird, you're probably fine. If you work for adobe and your side project is an alternative to photoshop, do a lot of homework and consider talking to a lawyer.
TL;DR: don't use employer time or resources, do use common sense.
Those may be illegal in your jurisdiction but in most places in the US they aren't.
You should verify this before starting to look for part time work.
Respectfully, I'd argue that building your own skill set or business is going to be exponentially more valuable use for those hours anyway, unless you really need the cash.
I work about 20hrs a week on various side-gigs. Pretty strict about the working hours and work not overlapping with whatever my current employer is doing. It's nice to keep things separate.
I don't remember whether this is stated in my employment agreement or not, but practically freelancing is OK, as long as you get the job done first. Do it after office hours, for example.
I'm in Indonesia, BTW.
As others have suggested, talking with a qualified clinical therapist may be a reasonable way of coming to find a peaceful place for your friend's death and to live with your grief in healthier ways.
A qualified clinical therapist can bring understanding and insight to the grieving process. This doesn't mean that your loss isn't unique, just that people tend to encounter similar patterns when grieving and these patterns are normal and can be dealt with in healthy ways without ignoring the reality of personal loss.
My childhood best friend, Leonard, was struck and killed by a car Thanksgiving night, 1984. Writing that made me sad. The loss is still there after all those years. But I've found a place for it and it would be worse I think if I didn't still feel the loss. My friend Phil was in the Marine Corps when Leonard died. He'd known him longer than me. The Corps would not grant him leave for the funeral.
All these years later, sometimes when we talk, we talk about Leonard's death because it hasn't gone away. But mostly we talk about our families and friends and our work and the joy in our current lives. Because that doesn't go away either.
This is a reality millions of people live with (and millions more would love to have). You'll probably get used to it over time.
Start with small steps. Over thinking and over reasoning is a way for your brain to avoid what you are actually feeling. This is normal because we are all inclined to avoid unpleasant feelings. Slowly try to get in touch with those feelings, even if they're painful. The more you try to avoid them, the more they will linger, and the more you try to suppress them, the deeper your depression. Getting in touch with those painful feelings is actually not as bad as you fear. It can actually be cathartic.
Along with all the suggestions to see a qualified therapist, I would recommend reading some of Pema Chodron's books. There's one in particular that may be relevant for your situation called 'When things fall apart'
I won't wish you good luck, because luck will not make things better for you. This will take some time and a little effort to work through. You have already taken the first step by reaching out. What you do next, and the skills and lessons you will learn through processing this experience will grow you as a person. Remember - one step at a time.
I don't think there's much else to say, really. Get well, and the rest will follow.
I'd recommend therapy and a trip to the doctor. If it makes it easier, call your physician and take this with you to explain. He or she might be able to recommend a psychiatrist or therapist for you as well.
If medication is recommended, I recommend taking it. It doesn't mean you'll be on it forever, but it will make it a whole hell of a lot easier to work through this to get to the non-medicated point.
Given time, you change and adapt. A great majority of dysfunctions put themselves right if you wait.
If you are patient with yourself you shall be fine. I repeat: be patient with yourself.
Here is my hypothesis or idea of why this sort of thing happens to us.
The brain is this complex organ and when it undergoes stress such as bereavement it shall put you in a certain state, such as low mood, because some part of it not under your conscious control has decided to do this. Seeing this as an error, could be an error. To put it another way, when you injure your leg, you cannot walk on it because of pain. Pain tells you not to hurt yourself more so. The same is true of mental troubles, only instead of pain, it is a lowering of mood. Perhaps this should be understood as a safety mechanism.
In most cases if you run on autopilot for a period of time, perhaps some months or years, you shall recover. In some cases you need to change your environment in some way, but your intuition should be the judge of that.
Consider going to school and studying something perhaps unrelated to engineering. You'll meet people and be given a perspective you won't pick up on the internet.
Go outside, start working out (walking, jogging, lifting, swimming, rowing). Do something in meatspace.
The IaaS part is called GCE (Google Compute Engine): https://cloud.google.com/compute/pricing
Given all your comments in this thread. You seem to struggle quite a lot to understand the market and you didn't clarify what you want to achieve (how many servers do you have now? how many applications do you run? how many dev? how big is your company?)
So forgive me for thinking you are either a hobbyist or a newcomer, with rather simple needs. If that's the case, GCE and AWS are overkill. You should stick to Digital Ocean or Linode. It's wayyy simpler and cheaper.
The alternatives also are related to the specific business. For Home Depot, running on AWS means running in a competitor's data center.
The problem of finding an alternative to AWS really boils down to research, and that's a time commitment versus just whipping out the plastic. One might say, "Nobody ever got fired for using AWS."
* Google Compute Engine
* Microsoft Azure
* Joyent
* IBM BlueMix
* Linode (like DigitalOcean more VPS than cloud provider)
- SoftLayer (IBM IaaS)
And additionally there are several other providers that are more comparable to DigitalOcean like Vultr, Linode, Scaleway, etc.
OP mentioned a desire to work with bare metal/do IaaS their own way, and dedicated server providers are awesome for that. Conversations about infrastructure are often about "cloud vs. running our own datacentres!" and renting dedicated servers is an interesting middle ground - you get a ton of hardware and bandwidth for your dollar and maintaining the hardware isn't your problem. You give up per-hour billing but you could very well still save money - it's a serious alternative to VPS providers like DigitalOcean.
There is Openstack, which is a collection of IaaS providers connected with an API.
Digital Ocean & Vultr which you already know about.
GCE mentioned elsewhere here.
Linode, while not feature rich is the 2nd largest VPS provider.
Azure, which is Microsoft's IaaS. Which I've always had some reservations about, but have actually subcontracted management out to separate companies to protect user info.
Scaleway is great low price option but their AZs are mostly in Europe.
I'm personally using LunaNode, which doesn't offer nearly as many nines in uptime, but is great for the price (I have a 3 cpu, with 2G of ram, for ~$10 a month).
There are tonnes of IaaS platforms out there, very few have the full feature set of EC2, but again it depends on what you want.
I personally can vouch for Vultr. Been running a freebsd system with them for over a year now.
When clients ask about AWS, I throw in Digital Ocean or Vultr so they can save a ton of money. Most of the time, they go with AWS as it is the most popular but tends to be an overkill for most of the projects I'm dealing with.
Crazy cheap. Support is garbage.
We do use S3 for backups and big storage. That has no equal.
Disclosure: co-founder and CEO
Right now only Azure (behind) and Google Cloud (way behind) are alternatives to AWS.
If what you need is just VMs and a CRUD API, then yes, DO is a very good alternative (I run most of my servers with them).
1) Brand SEM terms are cheap - if you own the brand, especially something like Squarespace, your ad will have a high quality score and will thus pay a much lower CPC than a competitor trying to vie for eyeballs with your brand name as a keyword. This means that brand terms generally are pretty cheap to buy.
2) Real estate ownership - The more real estate on the page you own the more click share you will get. This will keep other organic listings from getting click share which may mean your competitors will get less traffic off of searches for you.
3) Control over message - Ads provide a high degree of creative control which means you can change the copy and also add on Ad Extensions like sitelinks, app download buttons, "click to call" buttons, etc. These are all things that are harder to control on your organic listing.
You choose a list of terms you want to show your ad in, but by default Google will also put your ad up in "related" searches. If your company or product is already popular enough, it's likely to end up in the related searches for the terms you chose.
This cost me quite a bit of money before I found out I was wasting money on these ads by accident.
That being said they were not 100% sure.
Also prevents someone from buying an ad for Squarespace.co or some other domain for a phishing site, which could result in bad press from a """"hack"""" (note the use of quotes, it's not hacking.)
Many brands could see a lift from bidding on brand terms not just in click volume from covering more of the SERPs but particularly conversion rates from controlling one of the most prominent placements of your brand online.
Ad extensions can do wonders for many, and Google didn't fully let you control messaging for your homepage like you can with brand term ads.
Beyond that there are a few other really compelling reasons that make it a no brainer in many cases.
- Control the landing page URL, particularly for setting parameters or a/b testing
- Controlling site link messaging and URLs to help searchers self select a more relevant experience, particularly if you have multiple audiences
- Potentially a slight boost to account level quality score (I've seen mixed data on this)
- I don't see this mentioned enough, but you can get solid organic query volume data in AdWords now
- Super valuable insight into the raw queries. Are people searching for "your brand vs new competitor brand?" Are they searching around some horrible PR that you were unaware of? Maybe they are looking to see if you sell a product and if you don't you should consider it. With secure search everywhere now, this is arguably one of your best data sources for these sorts of insights
For the pennies per click you pay it is absolutely worth it in many cases. If you have doubts, Google just released their data driven attribution model in AdWords, which, among others, can help inform whether you are giving too much credit to them (although this can be hard to actually determine).
For most companies I'd fully educate on the pros and cons and recommend trying them before making uninformed assumptions. At this point, I typically default to enabling them fwiw.
There is a very cool and informative video from Google that shows what goes into bidding for and awarding the ads that are shown. I'd truly encourage you to watch this:
One answer to your question is "volume", with a related cause of personal incentives.
You're getting those clicks for free and buying ads on branded terms is just cannibalizing your organic results. Now, instead of $500 per day, you want to scale your campaign to $5,000 per day.
How do you do that? Your return will be less efficient as you seek volume, but you need to spend the $5,000 as effectively as you can.
You (or the agency) look better / get paid more when they're able to spend with a better return. It's probably not your department, or your KPI, what the organic SEO is like. So if you cannibalize some conversions from organic in the SEM attempt to spend the budget and raise conversions, you're probably happy, because you're hitting KPIs that matter to you.
It would take a wise leader to recognize what is happening. Even then, they might decide that although the efficiency of the overall SEO/SEM spend is lowered, it provides more volume. If your company is focused on growth, they may prefer volume over efficiency.
It's rational, once you try to see the larger context in which these decisions are made w/in a company. (It also has its drawbacks)
They find no measurable short term benefit to purchasing the "Ebay" keyword on sales.
But also lots of the other reasons posted here are very true too.
I think increasing the clickable area is pretty important, especially with mobile users.
And customers, since they know it's an ad, might be nice and click on the organic link instead. :-)
As someone else mentioned down thread, I'm happy to reward those who cannibalize their organic results and help ensure that their adwords budget doesn't go unused...
I once had a business partner (French) and we were launching a software-based business. He was the President, I was the CEO (leading all technical, engineering and operations management matters, that's quite a bit... he was handling the sales).
I told him that as a first step, I wanted to pay myself a $80k salary as soon as the business would have the appropriate cashflow. He told me "$80k ? That's quite a high salary for a CEO, but this sounds like a good long-term objective".
Lol. This is one of the reasons I talk about this partnership in the past tense. But this gives you an idea, about the mindset in Europe and of how the compensation tends to be way below the value produced.
For some reason I'm happy when I read here about people just turning 30 making over $150k per year as development manager / senior devs. This is what a first-class engineer deserves.
To get here I've had to negotiate every career change. I learned early that an offer was just that, an offer. I made it a habit to not accept the first offer and (almost) always counter.
I find that too many of us don't negotiate hard enough. I suppose it's easier to negotiate when you have options. With my salary and age, I'm also finding fewer options when I look for the role.
I worry about ageism sometimes, but it still seems far off. I'm more concerned about just not getting jaded. I've been in a lot of work environments that seemed good at first, but turned out to be rather unpleasant.
I love being 30. It's a great age. I'm excited to get older, too. No desire to go back to my 20s.
If you're witnessing ageism already, you're probably dodging a bullet working at those toxic places for reasons that go beyond just ageism. Seattle would be my choice to live in though if I were on the West Coast.
I do projects on the side as a hobby (mobile apps and such). Keeps up my skills and pays for my lunch money. Used to do a lot of contract work for startups in the area and small businesses. Wanted more stability, so I gave it up for a regular salary. I sometimes miss the freedom I had with my previous work, but doing my side projects keeps me happy when I get bogged down with too much "process" at my day job.
- 125K, startup.
- 110K, cut salary for an early stage startup.
- 150K, with up to 25% bonus, plus options, startup that made boatload of money.
- 210K, consultant
- 280K, consultant
- 300K, consultant
I just realized how bad I'm getting boned.
Seems likely that people who are successful will be more willing to post their earnings than people who are not!
Talking with friends it seems like salaries have exploded the past 1-2 years. I know of two at ~160k and recruiters are indicating 160-180k base right now.
So it seems like I'm leaving a lot on the table....
175k total cash comp (part of it is bonus).
Years exp: 8 full time
Bonus:30% (more last year)
I work remotely for a fortune 500 as a software engineer. No degree. College dropout.
2008 - $125k + 20% bonus - Full-time employee
2009 - $80k - Started my own web development company
2010 - $110k - Built a product
2011 - $132k - Daughter born
2012 - $145k -
2013 - $150k -
2014 - $150k - Son born
2015 - $250k - Hired 1st employee
2016 - $480k - Hired 2nd and 3rd employees
I make the equivalent of about $16.5/h on B2B (net pay after all taxes, social fees etc.)
SF bay area. > 10 yrs at top tier post-IPO SV company. Backend infra development (C++). One of the top 10-15% engineers in the company.
> 400K total comp this year - < 50% of that is salary; rest is bonus and stock grants (portion vested in 2016 of all the grants received over the last 3-4 years).
Going forward, it seems stocks will dominate the total compensation but it's okay given the current state of my company.
Taxes: effective 35-40% (federal + state + payroll).
Wondering what my next move in a couple years should be.
My salary is actually above the average.
$170k base salary plus $20,000 signing bonus. 0.5% equity. Series A small company.
Feel very underpaid after reading this. 8 years experience, CS degree.
$145k, $90k/year in RSU, 15-20% bonus from base salary.
14 years exp.
2005 - 27k
2010 - 43k
2011 - 47k
2012 - 53k
2013 - 66k (Got a promotion)
2016 - 73k
It seems very broken that IT specifically should be bound to a physical place. Are there any plans to innovate in this regard or any research YC is doing?
My choke point has always been finding another technical-minded partner that gets the industry. Every time I've seen the YC application season roll around, I've thought it'd be a perfect fit for applying to YC, with the connections and clout that come with it. What's stopped me, even at my half-assed pace, was the chance of the huge ego/momentum hit of getting rejected, considering it's still a labor of love (although profitable).
I have a handful of customers that are already paying monthly for "The Vision Lite" at discounted prices: just enough for me to continue development. But larger competitors are sure to move more aggressively into the area over the next year or so, before my current trajectory can deliver on the "this is Star Trek-level shit" experience I've got planned. I'm sure I can grow my customer base at a moderate rate, but I'm not sure I can keep up once the field gets serious against better-funded competitors.
Where do you think the tipping point is between the Basecamp-style "Just get profitable, stay profitable, and move forward" model vs. "Take VC money and turn a two-year schedule into six months, and get entrenched while you can?" (Fred Brooks notwithstanding)
Has YC ever considered a class of only single founders and trying to solve the problems YC anticipates with single founder startups (i.e. emotional support, etc...)
It seems to me that the demand is there, and the potential for single founders to succeed is certainly possible... why not experiment putting together a track that "fills in the blanks" for single founders much the way YC does with legal and accounting for startups to get started.
Edit: I recognize the signaling issue of not being able to convince a cofounder to join, etc... but sometimes signals are just noise.
I get that SV is a great place to start a startup, all things being equal. But there are a lot of great opportunities that are 8-12 time zones away. And leaving your customers alone for 3 months -- especially if you are trying to grow rapidly during those 3 months -- sounds very risky. Additionally, the money spent living in SV for three months could otherwise be spent on working capital; this is extra true in developing markets where costs are lower.
In the absence of a formal policy change re: moving to SV for 3 months, would you be willing to extend a bit more leeway for founders who really want to get their companies into YC but don't want to spend too much time away from the customers they're trying to please?
As a middle-aged developer, I've seen a lot in my lifetime, but I believe that right now, even though in some ways I'm much more hopeful for the future than I've ever been, I feel like there are many huge time-bombs out there in the world that make focusing on a startup just to have a chance to become financially successful a petty and, for some, a possibly futile ordeal.
For example: political divisiveness/change/chaos, scary world leaders and potential world leaders discussing/threatening/testing nuclear weapons, wars for and against religions involving terror, causing mass death, spawning racism and restricted freedoms, other random shootings/acts of violence, discord and violence between people that are racially targeted and those who want to serve the public to protect people regardless of their race, terrible diseases/epidemics some without cures or growing resistance to cures that we've long depended on, weather related natural disasters, economic troubles, etc. The list goes on and on.
Given the climate of the world today and all of our problems, what things do you want to see- not just in the startups that you and/or YC as a whole want to help, but across the board? And what do you say to those that think that just don't feel safe enough to invest the time, money, and effort on a startup which has a greater chance of failure than success when they could just be working a stable job to try to save enough to survive what is ahead?
Here are my questions:
1. Do you think people need to get a PhD degree to become a useful research scientist in the AI industry?
2. Do you think people need to get a PhD degree to become a Member of Technical Staff (Machine Learning) at OpenAI?
If not, what would you need to see from an application with no product to be accepted into YC?
If so, what was it about that application that made you believe in them so much?
It's known YC prefers teams. Do you have a preferred shape or size for the team (2 tech, 1 marketing, or 1 tech, 1 web, 1 marketing and business etc); is any combination shown to be more likely to succeed within YC?
How do you view teams too heavy on tech? It's common for a group of tech people to have the idea, but as a team have some gaps on say the marketing side, and probably other areas.
A startup I was involved in, years ago, lacked much depth in sales and marketing. Filling that gap was a nightmare. Candidates would happily talk out of their hat, claim all sorts they didn't have, and those we trialled failed hard then invented no end of "reasons" why it's working perfectly. Suddenly recruiting programmers was easy!
Even people we've known in this area suffered from at least some of these habits, sometimes meaning it's a case of "nice guy, don't trust him as co founder". Made it hard to resolve, so the least worst techie got stuck with site copy etc.
No surprise, I've learnt much more about online marketing since those days. :)
How would an Indian startup trying to build a global product primarily for the U.S / Europe market fit into the scheme of things?
Do you think the start-up structure of running a business could increase or decrease income inequality (and what do you consider beneficial?)
Does it make sense to keep applying to YC, given our size now? From what I understand, we got rejected every time because our equity split is around 80-20, which makes us more like a single-founder company. We would have liked to be part of YC but if YC strongly prefers not to consider single-founder companies then we would save time and not apply.
What should I know about applying based on that?
Also, for the competitors question, should I put a list of 15-20 names I made, or choose the top 3 or so?
Finally: I may be able to launch within the next few days. Should I try to launch and wait to apply until I have launch data, or should I apply now? (The nature of the startup is consumer facing and I think I can gain some traction within the first week.)
I would wager that if you take a look at an accurate distribution of markets according to potential you would find a magnitude more small/average markets (that are untapped) than billion dollars ones. And similarly, I suspect that the success rate for those "boring" ventures is much higher than the exciting shiny rising stars.
Question: Why not optimize for companies that are certainly not going to become Airbnbs but will capture the full value of an averagely sized market (say between 50 and 300 millions)? And if my guess is correct and they end up eating a lot less resources than the soon-to-be-unicorns, you could even optimise for volume.
Is the pay-off (wrt. to the energy spent and success rate) for unicorns really worth it?
Some friends and I were throwing around ideas on how to eliminate scalping, a practice we get bitten by. We came up with some solutions that might work, but they don't provide any financial gain for event organisers so I couldn't see them going for it.
Any ideas how your 'YC cities' thing is going to look?
Twitter seems to be the example du jour, but there are many.
Do you feel the YC partners are mainly bullish or bearish irt cryptocurrencies?
If not then how quickly can the [unrelated] problem below be solved, algorithmically
Unrelated Problem: Given a set of numbers of length n, find a single rule that can map each item x to the corresponding item x+1
are the odds stacked against us if we have 5 founders? (EE, ME, EE, SW, Sales/Business)
Also does a startup that can help reduce carbon emissions/move from something that generates lots of emission classify under the energy section of request for startup?
Is there a place for me in YCombinator?
(p.s. I have several other follow up questions I'd love to ask if you entertain me with a response)
I understand you have limited resources and that YC's core is focused on fast growing companies, but some early-stage ideas/prototypes need a little help before becoming something YC would accept (and, it looks to me, the bar is higher every year).
The MOOC fills one part of the gap, but, will it enable promising students to get some sort of funding?
My cofounder and I don't live in the same country so we're each recording half the video separately and then editing the pieces together. Does this affect us negatively in any way?
Is working at a start up a viable path for college graduates or is it recommended starting at a more established company?
Do you see Silicon Valley maintaining its dominance as a tech capital in future decades or will there be better entrepreneur ecosystems?
Which industries are ripe for entrepreneurship? Like the automobile industry at the moment has innovations of self-driving and electric energy source.
2. In the competition of web vs mobile? What would be their state after 10 years? Will there be more native mobile apps or websites?
For how many companies per batch is YC a second accelerator? How many companies have raised a Seed round?
Quick question 1: Is there a "Delaware C Corp" equivalent for the incorporation process/legal structures of nonprofits by state, or does it not matter?
Real question: Is there something to be said about founders waiting until they have users and initial growth to then use the YC opportunity to transition towards growing their company? In other words, if a startup is only getting one shot to go through YC, generally is finding initial product-market fit harder, or is growing the company?
Granted, the latter can't happen without the former happening first. But it would seem that for some founders that have genuine insights into real big problems, it would suck to waste the opportunity of YC just "checking the boxes" of building their MVP, which they could know how to do already from PG's essays/YC's blog/Startup Class -- whereas they could be getting genuine advice on problems unique to their specific domain problem if they just waited and applied later.
Do you prefer that companies have their own technology or is it okay that a company utilizes existing platforms in the beginning?
My team consists of CS and ME/EE.
It's PokeBin.com if you wanted more information.
How behind am I, assuming my primary goal is maximizing positive impact on the world?
Put in another way, would there ever be a case where you'd recommend a bootstrapped company not take investment (assuming the terms were good) in the bay area?
EDIT: Particularly if there is potential synergy with a business component as well?
Do you have any particular industries in mind to invest in? where do you see the most potential?
What sort of advice does YC offer founders when it comes to hiring early employees?
i.e. might have no interest in presenting at demo day or pursue any further fundraising, but instead look for profitability and self-investment as the path to growth.
1. What's the possibility of YC companies doing biz dev with LargeCorp during the 3 month bootcamp? Is this something that YC can help with due to its large network etc.
This question is unrelated to YC. How often do you go with your gut in decision making, and how well does it turn out?
For emerging industries like ours in the virtual reality space, there is so much money driving the industry into gaming and the desires of the bigger players like Facebook and Oculus. Is it more valuable to align with these bigger players and play along with their game, or disrupt the industry but risk being outcasted?
Thanks!
Stan Sedberry
Vidi VR
Do you agree with this? How do you see these evolving?
For example becoming a self taught programmer? Quadrupling one's income? Doing all that while starting a new family? I feel like I'm becoming significantly more formidable. But the side project that pulled me into becoming a programmer, itself, is still lacking clearly visible progress.
When to put this on the Internet to show you guys and how much should I have.
Working on this in my spare time is very difficult to get to a point I'm happy with. Maybe I should quit my job?
Be good to be super clear on this...
I have the idea, a v1 design, portion of the API, and incomplete web app prototype... all built by me. I lack the business plan in paper however have pretty cool ideas on how I can eventually generate income.
Is this enough to be considered? Have companies come to you with less while still being accepted?
P.S.: I'm talking about a case where only the subsidiary has applied for YC and that subsidiary is making a different product than what the parent company is making.
1. Would YC consider a media/publishing company that is not really a tech startup short of leveraging tech to reach a broader audience. (it's more like investigative journalism to arm buyers with info. needed to negotiate better deals.)
2. The info. in these reports can capture value by being sold right away, but giving the info. away for free is more in line with the mission of eliminating information asymmetry (by selling we are just replacing one imbalance with another)... so is it better to capture initial value... or try to build trust to the point of people going straight to you to research purchases... and monetize later on or with add-ons (i.e. outsourced negotiation) or eventually becoming the de facto source for consumer research (which is bound to be monetizable one way or another)?
Do you think it helps, as a founder and in life, to be optimistic rather than realistic?
Is it a good/bad idea to found a startup in a market that is no longer saturated but also has big players (such as social media)?
I know you know a bunch of people who are concerned about technological stagnation and I was curious about your personal take on it.
What's your opinion on product managers and when/do you think a startup should hire one?
Have you ever considered writing a startup book?
Mistakes, rewrites, late nights, firefights, and deadlines. Core dumps, memory leaks, hardware faults, and plain bad luck. Big O, data flow, always learning -- or out you go. Manager metrics, schedules hectic, methodology hegelian dialectic. Taking the heat, feature creep, open office, uncomfortable seat. Holy wars, revolving doors, carpal tunnel, all you can take? There's always more. Fucking suits, random reboots, and the ever present "thousand language stare". Oh yeah, pressure -- lots of pressure. And time, time, time. Metric shitloads of time. Time, man. You gotta do your fucking time.
My experience is generally the people I recognize as having deserved the title don't _simply_ just code. Not only do they write code that works and delivers the feature in a timely manner, they make it so the next 3 features to come out in that area can be done quickly by junior developers. Not only do they code, but they make everyone around them better coders. Not only do they code, but they also think strategically about what the team needs to keep going two years from now. Not only do they deliver the project, they get everyone excited about delivering the project.
I once read someone say "there's a difference between having ten years of experience, and having the same year of experience ten times." Time is a factor, but it's also whether you've exposed yourself broadly and deeply to new technologies, approaches and experiences so that when you are in a new situation (technical or otherwise), you have patterns for how to deal (or the self awareness to know that you don't know how to deal). So, part of it is time, but part of it is spending that time wisely.
Senior developer is about wisdom as opposed to knowledge. Juniors may learn things quickly, but what distinguishes a senior is that you can trust them to do the right thing, which is not always a technical problem.
I like to compare this to asking children a question that they don't know the answer to. Some children will feel they have to come up with some answer and some will say that they don't know.
Junior developers too frequently feel pressured to produce a result and they don't see how saying that they don't know something is making them closer to producing anything. Senior developers know from their experience that it is just as important to know when you don't know something as it is important to know things. They will not feel too bad about not knowing something because they know the alternative is even worse.
It can happen even with two years of experience.
From https://rkoutnik.com/2016/04/21/implementers-solvers-and-fin..., which is a really great read.
Our industry is way too obsessed with fashion... sooner or later you realise that most of the "new" stuff is largely existing ideas re-hashed in a slightly different form. Senior programmers realise this and can pattern match to understand the role of various new technologies, and learn the details if and when necessary.
How do you get there? You already are, you just don't realise it yet.
No, I'm not being snarky, so hear me out...
I've met and worked with many developers over the years and lots of them have become very good with technology and user domains, but still have struggled to "crack the digital ceiling". These are brilliant people who have achieved serious things, but are still not recognized by the big decision makers as "senior", whatever that means.
Then there are a select few who always get the big gigs, big money, and big reputations. Why? Because they best satisfy their customers. There are lots of non-technical skills that help them, but I think the biggest is their ability to separate the signal from the noise and zero in on the most important things to work on and to get them done. It's almost like they have "satisfiability radar". And this rarely requires any special technical or people skills. All they really have to learn is a good grasp of the technology, a deep understanding of the customer's domain and business, and the ability to get things done through others. And how did they develop them? By good old fashioned grunt work, whether digging into the bowels of the system or getting up off their butts and relentlessly going around finding out whatever they needed to know.
Once you've figured out the best thing(s) to work on to best satisfy your customers, got them onto the decision makers' radar, and found a way to get them done one way or the other, you are no longer a dev or even a senior dev. You're now a digital rainmaker, the most senior dev of all.
1. Technical Skills
   a. Great programmers: are able to write modular, well-tested, and maintainable code
   b. Know a domain really well and radiate that knowledge
2. Leadership
   a. Begins to show architectural perspective
   b. Leads the design for medium to large projects with feedback from other engineers
3. Code quality
   a. Leaves code in substantially better shape than before
   b. Fixes bugs/regressions quickly
   c. Monitors overall code quality/build failures
   d. Creates test plans
4. Communication
   a. Provides thorough and timely code feedback for peers
   b. Able to communicate clearly on technical topics
   c. Keeps issues up-to-date with progress
   d. Helps guide other merge requests to completion
   e. Helps with recruiting
They were forced to offer me position of senior developer and no other company after that dared to offer me lower position.
Junior: Can do it with guidance and/or clear and non-transitional specs
Developer: Takes the ball and runs with it. Can walk a customer through requirements gathering and make recommendations. Will help guide junior developers.
Senior Developer: Can architect a system well. Can communicate equally well between executives, salespeople, management, and end users. Can and will mentor lower level developers. Can explain concepts on the fly to lower level developers and walk them through the development process in terms they understand. Takes initiative at learning new technologies.
2) When you get asked by the business to do something you question what they are asking and the motivation, and then determine the best course of action based on their motivation rather than delivering the specific task they asked.
That's it really, it's nothing to do with your coding ability but more to do with your mentoring ability and problem solving skills. This is what is valuable to your colleagues and the business. Any answer related to coding ability is missing the point, it's important, but after a few years most people are the same programming level - it's just some people can help at the team or business level which is what makes you senior.
More seriously, except for very big and very hierarchical orgs where tenure is overly important, people will tend to give you the senior title when your work is indispensable. To be indispensable you don't need to know by heart this technology or the other - you need to identify what are the things that bring the most value and work hard at delivering them.
Senior people have made the right mistakes, wasted weeks of time, and know what to avoid, what to embrace, and what to ignore. A senior dev can understand the requirements and figure out what is important and deliver something without a lot of external input.
So to answer the original question: it is impossible to know.
As others have mentioned as a senior you can be left to implement changes without guidance, you will clean up issues as you come across them instead of leaving it to others, you suggest improvements, you make time to mentor and guide more junior members of the team, you know how to relate to muggles and you act like a team captain.
Knowing lots of different hosting environments and languages comes with experience. The approach you take to your role shows your all rounded skill set.
To sum it up I will use .NET as an example, in my eyes when someone says I am a senior .NET developer I assume that she/he has:
- used UMLs,
- knows how to write proper OOP and understands SOLID,
- can use MS SQL and some kind of ORM,
- uses some of the testing frameworks (e.g. NUnit),
- knows how to deploy application whether on IIS, or install it with ClickOnce for example.
- knows how to handle source versioning (TFS or whatever is your poison)
I probably missed a few things, but that's about it for me. If a senior doesn't have these skills I assume first that she/he has great knowledge of company business which would make her/him a valuable asset, or that she/he got lucky, or it's a crappy company :)
> But I feel like I'm always a step behind the rest.
Don't look at things in this way, low self-esteem is the worst you can get. There are always people better than us, but their skills and knowledge weren't conjured up. Even extremely talented people need time to learn. And if you don't feel like learning new things may make you better, why feel guilty? If you're not a Java programmer, why feel bad because you don't know Spring or other details perfectly? You wrote you do things fast and correctly. So you're better than, say, 90% developers who work slow and produce crap. :)
My main problem with thinking about developer roles in this way is that there's obviously no standard for what constitutes seniority. It varies between and sometimes within organisations. Advertising it, glorifying it, striving to achieve it, all take the focus away from far more interesting things that you can say about yourself and aim for.
Are you working on interesting projects? Are you learning new stuff? Are you being challenged technically? Are the other people on your team good developers? Do you enjoy what you do?
Seniority as an end in itself seems like a hollow objective to me. And making a big deal about it in a recruitment context takes the focus away from more meaningful topics.
- you are technically competent
- can handle design aspects of full stack (backend, persistence, frontend)
- have enough credibility and confidence to say NO to business people
- you can lead a small team of developers (2 to 5 people)
To me the things that make a senior developer are:
1) you give them a project, even an ambiguous or large one, and expect it will work out fine.
2) they have been around enough different situations that they likely aren't going to be thrown for a loop by new challenges.
3) they mentor their fellow less senior developers.
To get there you need 2 things:
1) bare time, you just have to put in the time
2) variety of projects - if all you have is a bunch of time on the same problem you are unlikely to have developed the breadth of knowledge you need.
Our senior developer is always thinking about the business value when estimates are made vs quality. He even does not do a lot of software development, but is always asked to help out other developers, system engineers and even management to give advice.
To be able to do that in a professional way, your vision plus skillset makes you a senior imo. Not just the years of experience and amount of skills you have.
Sometimes it's given to people instead of money.
Don't worry about the title. Worry about getting good at what you do, and an asset to your team and organization.
A solid general code understanding is also needed in my opinion. This includes things like using documentation over googling everything. If I pair with a senior and he types "golang how to do x" on every problem, I probably wouldn't consider him senior. (Not saying googling is bad. Just don't be a copy-paste-from-stackoverflow engineer)
With that, I also hate the term "senior engineer". I got friends with 3 years of work experience that are now "senior" because a company hired them under a senior position (basically more salary) and the companies after that just did the same because "well he already is a senior, right"? This also generates a strong imbalance inside the team with a hierarchy that shouldn't be there. I am usually advocating for getting rid of job titles and calling everyone just "Software Engineer"
I am now 6-7 years into my career and don't consider myself senior. When people in interviews ask me what my career goal is, I usually mention I want to be able to consider myself senior as the next step.
They have to have the basics we all need as engineers simply to pass the interview process. The data structures and algorithms, Big O and be able to walk through systems they have worked on in the past and the trade offs they made and why.
Then on top of the basics I look for a few more things. Usually the understanding of multi threading, multi process, asynchronous programming is very different between junior and senior folks. I dive into distributed systems and see if they have any exposure. I dive into multi paradigms and how deep their knowledge is in their respective toolset they have listed on their resume.
I don't necessarily think you need to know multi threading in and out, or distributed systems in and out, or your tool set in and out. You certainly need to know one or two of those though. You need to have some body of work you can speak very well to, this is a huge indicator of seniority. Mentorship and all the other things that go with that help differentiate as well between junior and senior.
I don't think there is a hard rule anywhere. Different folks will look for different things and at least where I work those things I listed are very important differentiators.
Above that, it depends what you want to do. If you fancy managing people, you can be a team/tech lead, or if you don't, then there is the title of "expert"(only a handful of programmers who worked here 10+ years have those).
1 year later new and shiny will become the standard, there will be thousand of beginners and you'll be one of the few "senior" developers on that technology.
Of course you'll already be learning the new and shiny that will become the standard 1 year later.
I consider senior someone who:
- knows how to mentor juniors
- knows his way around tech, even if he never used a particular product
- most important, can communicate effectively with stakeholders and devs.
The best "senior" is the one who nags everyone to get stuff moving forward. Doesn't mind getting his hands dirty and going by people's desks to make sure the team delivers.
You may need to brush up your marketing skills in order to promote yourself as senior. Don't get impressed by people that know stuff.
The true power to make you senior is how you train your brain to think and abstract. This will boost your capability of design rather than just coding
Since I started programming my work-behaviour changed from asking people all the time when I don't know what's happening to reading their code.
I think developers are considered senior if they can work on their own.
Like, if you get all the engineering practices of designing, implementing and maintenance done without much help.
In my understanding, a senior engineer is an engineer that can contribute without the need for technical supervision.
Now, not requiring supervision is different to leadership. A senior engineer is often an individual contributor, not necessarily a team technical leader.
Another aspect that separates seniors is their ability to talk and present to senior or top management.
Seriously, I worked for a place where that was the rule.
Titles are somewhat meaningless. Apparently I'm a consultant these days...
Senior is the difference between keeping your eye on the big picture and helping to move your team forward to the objective in a timely manner to achieve the business objectives that drive the company forward. It's the ability to step up and lead your team when called for. It's the ability to make decisions balanced between what's technically right in the short and longer term without losing sight of the end goal.
Never forget that you're not paid to deliver software just to deliver amazing software. The software you deliver is a tool, a means to an end. That may be to cut costs, it may be to increase profits, it may be the lifeblood that your company's stock price hangs on.
A junior developer may be amazing with the tools provided and may have some good architectural sense. They may need some, or a lot of hand holding. A junior developer generally has their head in the code most of the time and may but probably shouldn't be expected to understand or care about the objectives of the business as a whole. You give them a feature to develop and can largely expect that they will need all of the dependencies to hand. They may have a good handle on debugging and unit, integration and functional testing or this may be something they need to learn. This is OK.
An intermediate developer can be given objectives regarding code and architecture and left to their own devices and trusted to deliver on their objectives in a timely manner. By this time, you should expect to at least understand the business objectives and be able to think critically about the code they're providing in order to meet those objectives. I would expect an intermediate developer to have enough of a clue about architecture that handed a feature requirement and some architectural direction for how to integrate it, they could architect it competently and integrate it and know where to go to ensure any dependencies are satisfied. They will have a good handle on debugging and at least unit and integration testing. They may have a good handle on functional testing and debugging production code.
A senior developer is someone in my mind who can be trusted with the business objectives, can chase down architectural advice, from an architect or UX input or whatever else they need to get the job done; they can communicate effectively with stakeholders and the business; they can be expected to dig in and fill any gaps that would prevent delivery or cause problems in production. They can delegate pieces appropriately and deliver what is expected in the allotted time frame. They may be someone that can step up as team lead/team manager, or lead from the back and be the glue that gives the team cohesion. They can be expected to have the discipline to take care of things properly when nobody is watching. They can be expected to help debug production issues and be among the first to muck in when the shit hits the fan to help resolve production issues.
So you see, the difference between junior, intermediate and senior doesn't have an awful lot to do with code or tools. You will be expected to either be or become a master of your tools whether junior, intermediate or senior. You will be expected to do this on the fly, on the job, regardless of everything else that is going on around you. This is part of being in this industry. You will be expected to keep up with the codebase and dig in and understand it at whatever level you're at. These are all prerequisites for your job as a developer, they are not a prerequisite for your title. There's a big difference.
If you want to make the jump from junior to senior quickly, here's my advice: Find the most gnarly difficult problems your company is having and dig in and help solve them consistently. When you've put yourself through the wringer; when you've suffered the late nights, the stress, the anguish about whether or not you've got what it takes to do this job. Do this until you get to a point where you think you've seen every last problem that could possibly occur, and despite that, something else hits you out of left field and knocks you clean off your feet. Do this until when this happens, you just get back up and keep going. When you get knocked down and get back up when everyone else would say fuck it, when you can be trusted to make shit happen when everyone else would say fuck it - this is when you can call yourself a senior developer.
"Out of the 39 000 men and women that make up the United States Coast Guard there are only 280 rescue swimmers. This is because we are the Coast Guard's elite. We are the best of the best. When storms shut down entire ports, we go out. When hurricanes ground the United States Navy, we go out. And when the holy Lord himself reaches down from heaven and destroys his good work with winds that rip houses off the ground, We. Go. Out." - Ben Randall, The Guardian
Live by example.
I think it's great because although dominated by Ruby (Griffin is a committer on Rails, and I gather it's ThoughtBot's main language) the discussion is typically applicable to other languages, or focuses on a human element. I don't think I've ever written a line of Ruby, and I enjoy it.
There's also some Haskell discussion and more recently a lot of Rust - Griffin having created the Diesel ORM.
The format's great though, and as a consequence never sounds like a contrived dialogue - it typically starts as a "what have you been working on this week", and that recent real experience turns into a more general discussion around whatever it was.
I can't really recommend it enough, I only found it fairly recently, and went back through to listen to the entire catalogue of episodes.
- 0: https://thebikeshed.fm
- 1: https://github.com/sgrif
- 2: https://github.com/diesel-rs/diesel
Regular listens - shows to which I subscribe, in rough order of how excited I am to see them show up in my podcast app:
Not So Standard Deviations 
Talk Python to Me 
The Versioning Show 
Data Skeptic 
Occasional listens - not subscribed but regularly check for interesting guests:
Data Stories 
Partially Derivative 
I tried Software Engineering Daily last year and wasn't a big fan - based on the following here I'll have to give it another shot.
0 - https://soundcloud.com/nssd-podcast
1 - https://spec.fm/podcasts/immutable
2 - http://shoptalkshow.com/
3 - https://talkpython.fm/
4 - https://www.sitepoint.com/tag/versioning-show-episodes/
5 - http://dataskeptic.com/
6 - https://datastori.es/
7 - http://partiallyderivative.com/
Developer Tea is along the same lines, straddling between technical topics & career development.
Soft Skills Engineering is entirely focused on, well, soft skills.
Leader.team is just getting started but they seem to be a good resource for technical leads & managers.
and it's not a technical podcast, but Creating Disney Magic (Lessons in Leadership, Management, and Customer Service) with Lee Cockerell is a must-listen for me every week.
I have tried several tech-related podcasts, but gave up on most within a couple episodes.
One common format is a host who brings on a new guest for an hour-long interview each episode. My main gripe with these is they're too long for the amount of substance they contain.
I ended up basically scrolling the archives of these shows to pick out only the guests I was already interested in, because the random ones just weren't worth the listening time.
The podcasts I keep coming back to are concise, edited episodes of 30 minutes or less. Most of these aren't directly related to the types you're looking for, though. I'd love to know of more.
- StackExchange
- Hanselminutes
- SE-radio
- SEI podcast
- Cognicast
- Software Engineering Daily
Last year, I listened through a lot of the Changelog's back catalog. But I sort of maxed out on it because my interest is more toward the infrastructure than the front end development tools.
Developer on Fire tends to feature more personal interviews with software developers.
Software Engineering Daily produces episodes at a similar rate to the previous podcast but discussion tends to be product-oriented.
Coder Radio can be good fun sometimes. The hosts can sometimes be a bit over the top.
http://www.se-radio.net/
http://developeronfire.com/
http://softwareengineeringdaily.com/
http://www.jupiterbroadcasting.com/show/coderradio/
My favorite podcast because the hosts (a) are highly talented developers (b) did careful research for each episode (c) chose common Apple programming challenges as the topic for each episode.
Sadly, it died last year, and I've found nothing out there to fill its void.
Edit: funny replaced with off topic
In addition, ICANN the organization will have new accountability measures that will allow the community to challenge decisions it makes. It provides new powers like spilling its Board under certain circumstances.
One of the main drivers to change the current setup is that NTIA's role above is seen by many as undue US government influence in what should be a purely technical operation. Over the years some have advocated fundamentally altering how ICANN works (like moving it to the UN) because of the US Government's influence. By transferring the primary oversight role to the multi-stakeholder community (users, business, non-profits, etc.) who have always really driven ICANN's decisions anyway, it is hoped that that criticism will go away and pressure to fundamentally alter how it works will dissipate.
I think a lot of politicians (ahem Ted Cruz) are trying to frame the transition in a shadowy way to discredit the current administration, but it's simply a procedural thing that's been in the works for a long while.
ICANN has a list of squashed conspiracy theories. https://www.icann.org/iana-stewardship-questions
But for many years no one did this, except very rarely. And the honors were left to some folks in the US, IANA/ICANN. Do not be fooled by the acronyms and the fabricated processes and formalities on the official websites. IANA was essentially one person. Bless the hearts of those who worked to create the early internet but these "organizations" derive their "authority" from nowhere. The internet is an abstraction, a term to describe different networks that cooperate.
The generally static nature of the root.zone file changed recently. It has doubled, maybe tripled in size and is now filled with TLDs such as .loans and .cologne. As well as trademarks such as .google, .microsoft, etc. These can also capture traffic from users who type strings into address bars that are not FQDNs.
ICANN charged $85K+ just to bid on these beauties; they made some very easy money. Most of them are worthless. Exit time for ICANN. :)
Now that it is filled with garbage, and perhaps anticipating some finger-pointing, it is time to acknowledge that the root.zone belongs to everyone and is managed by all countries of the world, not only the US.
The "transfer". More fabricated formalities.
The truth is that anyone can exercise control over the root.zone file, and anyone can serve it. Whether you choose to follow them or not is up to you. (Most users just let default DNS settings decide this for them.)
Similar to the early IANA, one person can do this job. I maintain and serve my own root.zone. I am the only user but there could just as well be hundreds of users. This could grow to thousands which could grow to millions which could grow to hundreds of millions which could grow to...
This is what happened with the DNS. It started out small and grew big. Believe it or not it is still not that big. I could fit all domain names in existence on consumer-sized storage media.
Thus concludes an opinion. Mildly informed.
Then, the international corporation would decide what websites you can access, and if the website you want to have a look at doesn't adhere to the corporation's view, it will simply become inaccessible.
There is also the question of political relevance; that is, why the urgency? Why require that this be passed during the Obama administration just before an election, and without congressional input?
To stop this? See this petition.
https://wh.gov/iMbbv
Which routes to: https://petitions.whitehouse.gov//petition/stop-icann-handov...
ALSO, an interesting side note:
Right now domains like wikileaks.org and thepiratebay.se exist. Will they continue to exist in the same manner going forward? Or, in a few years, will attacks on these domains be made, and their domains seized?
I'm really concerned about this, above all.
Milton Mueller at Internet Governance Project (1).
his latest blog post may shed some light (2).
This is the primary issue I have with every single one of ICANN's rebuttals: nothing will change (so they say), and yet, here we are, making a change.
Okay, then, here's a stupid question: why is a change being made? Ted Cruz may be an ass, but that doesn't make ICANN's position correct.
If nothing will change, then guess what? No change is necessary. If it ain't broke, don't fix it.
If something will change, then ICANN should be entirely up front about what that change exactly is. Instead, we get a bunch of denials that nothing will change, the US has no current role anyway, yadda yadda yadda, but serious you guys, we have to change this right now.
We're talking about managing the DNS system here, that's not an "insignificant" thing, as other commenters have suggested.
Yes, existing ASes can already block specific domains today. Fine. But ICANN could easily become a Title IX-type situation, where ASes are forced to block specific domain names in order to remain part of the global Internet system.
It's true it doesn't police ASes that direction today, under the existing ICANN governance model, but there's (to my knowledge) no reason why that couldn't be true today (under US control), and I see no reason why adding "more stakeholders" will make the situation any less likely in the future. If anything, it makes it more likely: look at the UN. Certainly ICANN itself doesn't think it's any less likely, but here's what they don't say: with this change, it'll be extremely hard for US citizens to fix if it does come about. That's not "insignificant" to me.
 For instance, consider how the US Justice Dept. is using "Dear Colleague" letters in 2016 to force schools to adopt a less-rigorous sexual assault policy or face loss of federal funding. ICANN could apply similar pressure to ASes in the future (not funding, but zone updates or whatever).
What exactly was wrong with the 1998 setup? ISI and Jon Postel were managing fine back then.
I also don't recall a "US control over ICANN" that could be "relinquished" being part of the original ICANN proposal. I don't think that would have gone over well with the European operators at the IETF meetings. If it had been they probably would have stuck with the CCITT's x.25 networks, Minitel and such.
- Mechanical keyboard, cherry MX blues
- Dvorak keyboard layout
- Tiling window manager
- Dark color themes for night
That's about it.
Specifically, adjusting ambient lighting near my desk that is brighter/darker than the displays.
I work at night a lot and try to keep a couple lamps on - not work in a dark room. Likewise, I work near a window during the day but added a pull-down perforated window screen to allow sun in but dull (~25%) of the bright sunlight.
My eyes looked off screen more than I realized and adjusting ambient lighting feels like it reduced eye strain and reduced time to return to focus.
I think the best option is not software but hardware. For example when I need to wake up early in the morning, I put my alarm clock 3 meters away from my bed, so the other ME doesn't turn it off.
The Pomodoro style timing of 20+5 never really worked for me. I found a lot of my light tasks need 5-10 minutes while for serious dev tasks, 45 minutes of work is a better period of time to dig in deeply and get something done. Then I'll take a longer break of 10-20 minutes to balance that out. If I'm really in the zone at the 45-minute mark, I'll go ahead and plunge through a second 45-minute period without stopping.
Additionally, I use some good quality eye drops like Systane Balance which help lubricate my eyes when I wake up and before bed.
A new thing I've been trying to do for multiple reasons is write out my designs on pen/paper before sitting down at the computer. This has helped with eye strain and also helped me better clarify my ideas instead of sitting at my computer and "wandering" through the problem space in my IDE.
According to the printer's status sheet it's printed 7298 pages so far and jammed just nine times.
The printer is still running on its original fuser and drum units and it's on its second toner cartridge. I think it cost me GBP150.00.
It's connected directly to my Windows 10 workstation via USB and is "shared". Fairly certain I could get some sort of WiFi arrangement rigged up, but this PC is rarely switched off.
* Canon MG5500
Got this as a freebie. I use it now and again as a scanner and to print high quality Hubble pics onto high quality printer paper. It's set up over WiFi which was ridiculously easy to do. It even scans over WiFi which gave me a certain sense of wow that's clever even though it shouldn't have :)
In parting, I'd say that the economics of a half decent laser printer are a bit of a no-brainer if it's mostly b/w printing you do.
 Forgot to mention that both printers happily talk to Fedora.
Cost to print 5,000 B&W pages on my Brother laser: $25 ($12.50 per 2600-page generic toner).
Inkjets make no sense if you can put up the extra $50-100 up front for a laser printer. B&W is at least 10x cheaper, color is at least 5x cheaper, per page.
I have a Brother HL-2270DW for B&W printing, and an HP M251nw for color. Both are wireless, easy to set up.
Bonuses: Print 5 reams of paper before you need to swap a toner cartridge, instead of 3+ ink cartridges per ream. If you don't print anything for a few weeks, you won't need to throw out a dried out cartridge to use the printer again.
I have an inkjet at home, hardly use it.
When I want something to look nice, down to the ink on the paper, I use Staples.
Working as employee and contractor for about 10 years now.
I have the feeling all business lectures focus on what to do AFTER you got this kind of thing sorted out, before you are pretty much on your own.
I will go to a trade fair next week, maybe I'll find something there...
I used to work in the gaming industry. I have 2 problems which they consider "difficult" but I know are solvable.
It's the "getting shit done" which is harder for me. All the small implementation details pile up ;(
Are you into web dev, desktop or backend?
VCs like this because with enough funding and persistence, you get a sticky high margin product.
How about B2C? What is your technical skill set?
Once you've done that, products that people will actually pay for become easier to see.
I don't imagine startups start their ideas based on trends, unless you mean technology trends. But in any case, this information would be very hard to come by as most people/companies don't announce what they plan to build until they have an MVP.
The only thing I can suggest is to follow a bunch of hackathons, hopefully ones that are not limited to sponsorship tech or industry. And try to work out the trends from there.
side note: this could be a nice little machine learning project :)
I'm not sure how timely they are, but you can survey some popular themes among app ideas.
* "Convert your leads to customers using more effective way"
* "Protect servers repute"
* "Get rids of the duplicate emails to contain only unique addresses"
* "We offers 100 free checks while the great service"
If I have a file to upload with 10000 emails say, then either they have opted in via an auto-responder and therefore those emails are already validated, or I have purchased a list off someone, which is potentially a bit shady but I should just get them validated again with a double opt in.
Where does this service fit into that?
Make your special offer more targeted to avoid showing it to the same person N*pages_visited_all_the_way_down.
Some others I like:
- Momentum (https://chrome.google.com/webstore/detail/momentum/laookkfkn...)
- Hacker News Enhancement Suite (https://chrome.google.com/webstore/detail/better-history/obc...)
- Better History (https://chrome.google.com/webstore/detail/better-history/obc...)
- HTTPS Everywhere - by EFF, works alongside the HSTS preload list to improve HTTPS coverage (https://www.eff.org/https-everywhere)
- Privacy Badger - By EFF again. Blocks scripts. (https://www.eff.org/privacybadger)
- Send to kindle - Sends articles directly to my kindle (https://www.amazon.com/gp/sendtokindle/chrome)
- iReader - Quick and easy readability extension that lets you read badly formatted extensions. (https://chrome.google.com/webstore/detail/ireader/ppelffpjgk...)
- Ad Block Plus 
- Nimbus Screenshot and Screencast 
Full Page Screen Capture. It can auto split very long page for me.
I'm sure it has many features, but I just use it to quickly delete cookies for one site, primarily on my development sites.
I use it a couple of times a day, probably.
Most common use case: I switch rails projects, and being on the same localhost:port address, it tries to use my other cookies and causes problems. I delete them in 2 seconds.
Visual History - augment back/forward with tree-like hierarchy navigation (disclaimer; made this one)
* move around the page
* click on links
* opening new page from browsing history
* refresh page
Basically the only time I need to use mouse or trackpad are pages that have incorrectly marked links (they just add some on-click behaviour without marking element as link)
- Pocket (https://getpocket.com/chrome/) - To read something later.
- Pushbullet (https://www.pushbullet.com) - Less wonderful since they make Universal Clipboard a premium feature, but still the most graceful way to get content across from phone to laptop and back.
- Better History (http://better-history.com/) - Because let's face it, Chrome history sucks.
- Any.do (https://chrome.google.com/webstore/detail/anydo-extension/kd...) - I've stopped using the app on my phone for most part, but this extension is still easier to use than adding things to your calendar.
Marker - https://getmarker.io .
This Chrome extension allows you to capture a screenshot, annotate it and create a GitHub issue, a JIRA issue or a Trello Card without leaving your page
It's pretty powerful for bug reporting.
Disclosure: I'm the founder :)
So I have only 5 of them installed.
From chrome web store:
* blank ntp (shows a blank page, rather than the chrome default)
* ublock origin (duh)
Not from the web store (I "trust" them, for I wrote them):
Full Page Screen Capture: https://chrome.google.com/webstore/detail/full-page-screen-c...
Screencastify: Video capture from desktop/tab/webcam. https://chrome.google.com/webstore/detail/screencastify-scre...
The Great Suspender: Automatically suspends unused tabs to free up system resources. https://chrome.google.com/webstore/detail/the-great-suspende...
Open Screenshot: Can capture an entire page, even if bigger than screen. https://chrome.google.com/webstore/detail/open-screenshot/ak...
Without it, the web is a totally different place.
Something like Tree Style Tab but TO shows a single tree for your entire browsing session instead of just the current window. Its cloud backup allows me to sync my tree hierarchy across my devices.
Dynamite - right click on anything, then Dynamite / Hide element or selection, and it removes a DOM element that was under the cursor. Sometimes you have to do this several times to remove something. Firefox has Nuke Anything Enhanced. It allows me to:
- get behind obnoxious popups with no visible close button
- get through dumb subscribe-wall
- remove annoying floating navigation bars (really handy if you like to resize browser windows like me)
The Great Suspender - it unloads tabs unused for a specified time and allows you to reload them on click. I forgot which one I used on Firefox.
FooTab - blocks loading of tabs on startup - it would be great if The Great Suspender would do this (Firefox does this by default).
I use uBlock Origin and HTTPS Everywhere, but that's just baseline.
Each time you open a new tab you see a nice picture.
Full disclosure: I wrote it, but it is open source and totally free.
Tab Snooze: Close unnecessary tabs and make them magically reappear when you need them.
Twitter Web Night Mode - https://chrome.google.com/webstore/detail/twitter-web-night-... (Disclaimer - I built this)
After installing this, you can adjust the playback speed by 0.1 increments on any HTML5 video element. Works great for lectures and talks. I often watch some videos at 1.5x, 2x, and sometimes even 3x for exceptionally slow speakers.
http://www.gettoby.com/ - for saving bookmarks easily.
http://www.unwander.com - for saving places from Trip Advisor, Yelp etc directly to a Trello type board.
Trying out Falcon, keeping the exclusion list updated has been slightly more work than originally estimated.
Proxy Switcher, to access some sites through an SSH proxy automatically
"Click to remove element" - Remove any html element.
"Fix fixed" - remove sticky headers
And various adblockers I guess.
note: I'm the proud developer of BriefTube.
Allows my monkey brain to actually get some code written when I'm connected to the chasm of infinite distraction that is the internet.
A little buggy, but saves a lot of time while developing a new site.
It's pretty good. Especially on YouTube.
Another is one I wrote and use to read articles without seeing paywalls. It got pulled off the chrome web store as it started to pick up users, but you can still install and run it in developer mode: https://github.com/cezary/bypass
Lightshot: to capture some part of the page as png
Google Translate: to understand others
Adblock Pro: to block ads cruelly
adblock for youtube
the great suspender
- YouTube Ratings Preview
- Remove Google Redirection
- TrackMeNot (sends random queries to search engines)
- HTTP Headers
- Vanilla Cookie Manager
- Project Naptha (on the fly OCR for images)
(currently, extension seems to work only for videos accompanied with english subtitles)
- size of backlog
- time new requests spend in queue
- cost of delays to the business
For example if the company starts paying all developers time and a half for hours beyond forty per week then it is practical to measure the amount that the developers work in dollars/pounds/pesos and compare that measurement to the dollars/pounds/pesos hiring another developer would require.
- Find out what metrics they care about (time lost, money lost, potentially employees lost, clients lost).
- Formulate your proposal in a way that emphasises how those metrics will improve by hiring more developers.
Upwork is competitive and rates are low.
First try your contacts/network, you might not think you have connections but I expect someone you already know either needs or knows someone needing your services. So email/call everyone you know.
While you are waiting to hear back from your network you can try going door to door to local small businesses who would benefit from your services and try to build a relationship/offer your services in person.
Sometimes it takes a while for projects to get off the ground so try to find one or price one that is 2x your rent and get 50% up front payment.
Make sure you deliver on time/quality work so you can build your reputation and build your client base.
Good luck with your freelancing and startup.
But these don't necessarily mean professional connections. What about your friends? Or if you are part of any hobby groups then what about people you know through them? There's strength in weak ties; the people you know may know people that do require your services.
Go to some tech or networking events with the goal of quickly discovering problems that you can potentially solve. If you've run into someone at an event you know you can help then dive deeper into the ways you can help them.
First, find a niche that is needed quite a bit in your area and which you can do. This might be marketing and commerce websites (custom wordpress templates? But don't say that, say marketing and commerce solutions). Maybe you specialize in media presentations for companies (custom landing pages with media and some tie to revenue). In my case I chose DevOps, as there are a lot of companies with aging infrastructure who want to go to the cloud. Whatever you do, do not call yourself a "Wordpress developers" or "Facebook specialists". If you want to make money quickly in freelance, tie yourself to revenue generation right now.
Second, start writing. Write a 1200 word, well edited article that reads like something you would find in a real magazine. Don't make it sales-y. Give deep information that helps your target market and makes you sound like an expert. My first had to do with how DevOps saves organizations money as they move from their own infrastructure to cloud infrastructure in 5 essential areas.
Third, tomorrow is Monday. Pick 10 - 15 businesses you would like to go and visit tomorrow in your area that you think need your services. Look on LinkedIn and find out who the decision makers are. Write a small personalized letter to these people and print them out. Introduce yourself, explain what you can do for them and how you are helping other businesses in your area with the same problems they obviously have. Do not mention price. Just mention why they need you to make more money for their business.
Fourth, print out the article you wrote above. It's your "free gift" but also shows how much of an expert you are. Get it printed on something nice. Make sure it has a byline with your name. You are now marketing yourself.
Finally, show up in person to the 10-15 businesses on Monday. Ask for the decision maker. Wait for them if they are busy. Talk to them in person if you can. Explain who you are, why you can help their business, and then ask them if you can help them with "X" thing for their business right now. "X" thing is your specialty. This is the hard sales part. Just do it. I have no good advice on how to make closing the deal any easier other than try to remember how hungry you will be if you don't close the deal.
If you can't get with the decision maker for some reason, or if they aren't interested in talking too much, leave them your letter and your article and move on to the next company. Follow up 2 days later to see if they read your letter and your article and then pitch them again on your sale point.
Do this every day. If you meet 50 companies in a week, you will have more freelance work than you will know what to do with IF you pick a niche people need.
Something else I loved was that many students got to apply their math knowledge naturally and in a fun way, e.g. shooting bullets at angles, rotating turrets, following parabolic paths, and even a ray caster. (As an added bonus, Processing uses a very similar IDE to Arduino.)
I happened to teach another group of kids Arduino, which was fun but frustrating to some. Our final project of the week was very complicated, and only a few students finished it. I also unfortunately had many students fry parts and boards, which was frustrating when I gave so many reminders how to avoid it. (Though, young students are not exactly careful about double-checking their wiring.)
My recommendation to you for middle schoolers (ages 11-14) is to use Lego Mindstorms. Largely, the middle schoolers in my class were not patient/meticulous enough yet to effectively wire, write software, and most importantly debug when something goes wrong. (After all, it could be the software, wiring, OR a bad part.)
In teaching programming, I've found that often the hardest thing to learn is how to break down problems logically, not how to write code. For example, if I assign students to write a function that takes an average (mean) of a series of numbers, very few will fail because of syntax errors. Many more will fail because they've never thought about how to take an average!
Therefore, my latest thinking is that the first few programming lessons should be about basic mathematical problem solving. How to compute an average. How to estimate a square root. That sort of thing in a "math" class is assumed given. To a mathematician, the square root of two is "the square root of two" and no computation is necessary. I want to convey to my students that computers have to be taught a process, not an answer.
I'll find out next semester if that's a better approach. I hope you find it helpful or at least interesting.
Create a network with automatic IPv6 addresses and start the management access service (likely ssh) on the zt0 interface. then it "just works", regardless of NAT in between.
This is a completely userland solution however. You probably don't want to put real service traffic on it if you care about throughput. It's perfect for management however. (or just test it, maybe you can saturate your link anyway)
This works either by using the public servers for discovery, or you can set up your own dedicated endpoint(s). Either way, the traffic takes the direct route through the NATs, or within the local network if possible.
Might be overkill if you just need to reach one particular service (e.g. HTTP(S)) though, in which case you could consider setting up a reverse proxy (e.g. using nginx) on a DMZ'd server?
I've never set up a VPN and I'm not too knowledgeable about them. Should I set one up? I don't know. Toyed with the idea a few weeks ago up until I read this post on StackOverflow (http://serverfault.com/questions/653211/ssh-tunneling-is-fas...) - TLDR (VPNs are slow)
But it really depends on the use-case. HTTP from behind NAT - that's easy, just port-forward. If you're talking about SSH access, then you have a few more options that you might want to explore (port forward, or tunneling to an external host). If you're talking more than one host behind the NAT, then you have another set of possible solutions (reverse-proxy HTTP servers, SSH gateways, etc...).
Care to give us more information?
It had the advantage of being quite easy to set up for me as I'm quite used to setting up VPNs and NAT forwarding rules (having lived in China, bypassing firewalls is almost an everyday routine exercise :) Also, it worked perfectly well and the performance was reasonable. I could access my server at home, in Beijing, behind a NAT, a dynamic IP and the country's firewall, from anywhere in the world. I was happy!
There are surely other (better?) ways to do it though, and the autossh/reverse tunnels option looks very interesting.
However, assuming this device/VM runs "unix", and to K.I.S.S., use reverse SSH tunnelling. Once an SSH tunnel is established on your side, you can do whatever you want... e.g. tunnel VNC through for GUI.
You can of course add more layers of security e.g. non-standard SSH port, dedicated VM/server for the SSH entry point, refresh SSH keys regularly etc.
Essentially you will add a directive to SSH config for the NAT host, and the host that you want to access. In the directive for the host to access, you will specify that you're proxying through the NAT host.
You can then leave out all of the port forwarding options when connecting to the target host, SSH will pick that up from the config file.
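The setup described in the comment above, written out as an OpenSSH client config. This is an added example, not part of the original comment: host aliases, addresses, user names and key paths are placeholders, and `ProxyJump` (OpenSSH 7.3 and later) is assumed as the proxying directive because the comment does not name one.

```sshconfig
# ~/.ssh/config
# Constructed example: every name, address and key path below is a placeholder.

# Entry 1: the NAT host, the only machine reachable from outside.
Host nat-gateway
    HostName gateway.example.net
    Port 22
    User jump
    IdentityFile ~/.ssh/id_ed25519_gateway
    # Offer only the key named above instead of every key in the agent.
    IdentitiesOnly yes
    # Agent forwarding is not needed for ProxyJump, so keep it off.
    ForwardAgent no

# Entry 2: the host behind the NAT, reached through entry 1.
Host internal-target
    # Resolved from the gateway's side, so a private address works here.
    HostName 192.168.1.50
    User deploy
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes
    # The client opens a session to nat-gateway, asks it to relay a TCP
    # stream to HostName:22, then runs a second, end-to-end SSH session
    # inside that stream. The gateway relays ciphertext only, and both
    # private keys stay on the client machine.
    ProxyJump nat-gateway
    # Equivalent for clients older than OpenSSH 7.3:
    # ProxyCommand ssh -W %h:%p nat-gateway
```

With this in place `ssh internal-target` needs no forwarding options on the command line, and `ssh -G internal-target` prints the options the client will actually apply.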
I built Wormhole Network https://wormhole.network with the idea of making remote access very easy and as secure as possible.
Disclosure: This is SaaS and I've built it.
Wormhole builds an overlay network where you can run any L3 protocol really. By default we provide DHCP for IPv4 within the 100.64.0.0/24 (yes, just a /24 by default as it suits most users, it can be customised or even disabled under request). We have chosen this address space to increase the chances of non-overlapping with your own networks.
The advantages of running an overlay network like Wormhole are:
- No need to open ports anywhere or do any inbound NAT or PAT. All traffic is outgoing. By default UDP, but the protocol would fall back to 443/TCP if needed.
- The above means it works pretty much anywhere with an Internet connection that lets you browse the web.
- Your devices' IP addresses inside Wormhole could be always the same, regardless of where they are. Think of migrating your servers to a new hosting? Keep the same IP. Do your teammates move frequently, work from home at times or even from their favourite coffee place? No problems, they'll keep the same IP address.
- Full access between devices inside the network. It works like a real LAN. No need to open ports to reach out to your development server nor leave any other services reachable from the internet. You could lock down all inbound access from Internet to your servers and still reach them through Wormhole.
- All traffic is encrypted. Note: We don't roll our own crypto. We rely on SoftEther's (see below).
- No need to configure a VPN with your cloud/hosting provider, provision VPN hardware nor anything like that.
- Multiplatform: Linux, Windows and macOS.
- It all runs on free, open source software: SoftEther https://www.softether.org so you can audit the software (and it's not ours, people are using it all over the world for VPN)
The architecture is based on central servers that route the traffic among the peers in your network, hence why full connectivity can be accomplished always with only outbound connections. It is important to choose in which server you want to create your connection, so the latency is as low as possible.
Learn more about us in our documentation section: https://wormhole.network/docs/
We currently have a few hundred users and are looking into making the product better by listening to your feedback. We have a free tier without time or traffic limits, available in three regions (US East, Netherlands and Singapore); it just has user limits. No credit card needed to use it.
I'll be extremely happy to receive criticism, suggestions and any other feedback in general here or directed to pedro /at/ wormhole.network
- Is it better to use a different passphrase on each key, or does using the same one not matter much?
- How much less secure is it to not use a passphrase on a key?
- Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
- Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
My favoured solution is to use a yubikey via gpg: with this method you use your gpg subkey as an ssh key. The yubikey 4 supports RSA 4096 bit keys; if you need NFC then the Yubikey Neo supports max RSA 2048 bit keys.
From that, we get:
- you're not sharing passphrases between keys, you're sharing them between devices, and whether that's safe depends on how likely it is that a compromised passphrase on one device can be transferred by an attacker to another.
- Similarly, whether a blank passphrase is a good idea or not depends on what other measures are protecting access to that private key.
- If a private key ever turns up on the wrong machine, you *know* the key and both source and destination machines have been compromised.
I have set up a VPS, disabled passwords, and set up a key with a passphrase to gain access. At this point my greatest worry is losing this private key, as that means I can't access the server.
What is a reasonable way to backup my private key?
Encode it as something similar to a QR-code, print it, and store it in a hole in the wall? Copy it to a USB stick and hide that somewhere safe?
Alternatively, I have access to more than one computer, so I could also authorize a couple of other keys to access the server. So I would transfer the public key to the authorized machine, and add them to the authorized_keys from there?
How to deal with the possibility of death? Do I trust someone with my keys and passphrases?
Host myhost
    IdentityFile ~/.ssh/myhost
This is a question of layers. If you don't have a passphrase on your key, what stops someone from gaining access to it? Just your account password? If they steal your device, is there some form of storage encryption involved?
> - Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
I have different keys for different purposes per client device. This is mostly because sometimes I need to login to places that are ancient enough I need to use a weaker key than I would like to use in other places or vice-versa, there's places I can only login with ed25519 keys.
Though having different keys per purpose isn't necessary, it allows me to keep certain identities separate. I have a different one for GitHub for example, mainly because GitHub exposes my public key and therefore allows for clever tricks like tying the key to an established identity should I use that key to authenticate in other places.
I would also recommend configuring SSH so that it doesn't send over any/all keys by default. Take a look at the IdentitiesOnly option in ssh_config.
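Added example (not part of any comment in this thread): a small auditor that resolves IdentityFile and IdentitiesOnly for a host the way ssh_config does (first value wins, IdentityFile entries accumulate, a matching negated pattern drops the Host block) and lists hosts where every agent key would still be offered. The sample config, host names and key paths are constructed; Match blocks are skipped rather than evaluated.

```python
import re

# Constructed sample config. Host names and key paths are made up for this example.
SAMPLE_CONFIG = """\
# keys scoped per purpose
Host github.com
    User git
    IdentityFile ~/.ssh/github
    IdentitiesOnly yes

Host myhost
    IdentityFile ~/.ssh/myhost

Host legacy-*.example.net !legacy-lab.example.net
    IdentityFile=~/.ssh/legacy_rsa
    IdentitiesOnly yes

Host *
    IdentityFile ~/.ssh/id_ed25519
"""


def _pattern_to_regex(pattern):
    # ssh_config patterns only know '*' and '?'; everything else is literal.
    body = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.compile(body + r"\Z")


def _host_line_matches(patterns, host):
    # A matching negated pattern makes ssh ignore the whole Host entry.
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if _pattern_to_regex(p[1:]).match(host):
                return False
        elif _pattern_to_regex(p).match(host):
            matched = True
    return matched


def parse_blocks(text):
    """Return [(patterns, [(keyword, value), ...]), ...] in file order.
    Options that appear before the first Host line apply to every host."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or by '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "host":
            blocks.append((value.split(), []))
        elif key == "match":
            blocks.append((None, []))  # Match criteria are not evaluated here
        else:
            blocks[-1][1].append((key, value))
    return blocks


def effective(text, host):
    """Resolve the identity settings ssh would use for `host`."""
    identities, identities_only = [], None
    for patterns, options in parse_blocks(text):
        if patterns is None or not _host_line_matches(patterns, host):
            continue
        for key, value in options:
            if key == "identityfile":
                identities.append(value)          # accumulates across blocks
            elif key == "identitiesonly" and identities_only is None:
                identities_only = value.lower() == "yes"   # first value wins
    return {"identity_files": identities, "identities_only": bool(identities_only)}


def audit(text, hosts):
    """Hosts for which ssh would still offer agent keys beyond the configured ones."""
    return [h for h in hosts if not effective(text, h)["identities_only"]]


if __name__ == "__main__":
    for h in ["github.com", "myhost", "legacy-db.example.net", "legacy-lab.example.net"]:
        print(h, effective(SAMPLE_CONFIG, h))
```

Note that even with IdentitiesOnly set, the key from the `Host *` block is still added to the list for github.com, because IdentityFile accumulates across matching blocks.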
Yep in an ideal world, though I suspect in practice it doesn't matter much.
- How much less secure is it to not use a passphrase on a key?
You are relying completely on the security of your disk, against either physical or cyber. Use a passphrase, use an agent to manage it.
- Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
Per client device. This is the device that can be compromised and cause invalidation to be required, so this is the one which should be separate. For convenience you can maintain all your devices' public keys concatenated together and hand them out like that - comment each with hostname and date created for ease of identification.
- Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
Up to a point. RSA in 8 bits is trivial. Go for a highish key length; different key types have different recommended lengths. Note some machines don't support higher lengths.
- How/Where should private keys be stored on a device using them?
Permissions should be set for only you to read with no writing. Even better if your home drive is encrypted as it is only vulnerable whilst you are logged in.
- What are some of the pros and cons from a security standpoint, and how may doing different things affect the usability of a key?
If you hop machines a lot key per client can be problematic. In this case a portable secure drive is useful. Of course one leak can be fatal here.
Try not to fall back on passwords, they have nothing like the same security.
Most usability issues are caused by the people running the servers not reacting in a timely fashion to key updates.
- Is it better to use a different passphrase on each key, or does using the same one not matter much?
If they are being used on different devices then different passphrases make sense, otherwise no.
10? Not sure you can really quantify an answer. I'd recommend a passphrase if you aren't already using disk encryption; with that it's probably less of a concern. However, with agents there's not much issue with not having one.
Use a different key per client device but you don't need a different key for logging into different servers unless you care about people correlating those users.
Use more than 2048 bit for RSA/DSA; beyond that it doesn't matter.
~/.ssh on some local filesystem.
It is better to use a different passphrase for each key but it is also less convenient unless you're using a password manager (personally, I'm using KeePass)
> - How much less secure is it to not use a passphrase on a key?
That depends on the security of the computer where the keys are. I remember a Firefox vulnerability where one site exploiting it was looking for ssh keys on the local file system. So I'd say that a passphrase is very important.
Personally I'm using a key per account per host.
> - Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
Yes up until 2048 where the returns of increasing the amount of bits will start diminishing.
It's better to think about specific attack scenarios. If your keys get exfiltrated because of some local exploit (like a browser vulnerability, a malware download or physical access) then the attacker has access to your servers.
Regarding key types:
- DSA keys (ssh-dss) suffer from several issues (fewer bits, bad RNGs in Debian, other issues), and modern versions of OpenSSH deprecate it.
- RSA is pretty standard, and generally speaking is fairly secure for key lengths >=2048. RSA-2048 is the default for ssh-keygen, and is compatible with just about everything.
- ECDSA is largely considered compromised because the constants NIST chose for the cryptosystem weren't well documented how they got them, and the assumption is that the NSA chose them to provide a "backdoor" (so it would provide the same security for a general attacker, but significantly easier for them). This was confirmed as being theoretically possible, and there is of course concern that the NSA could potentially leak those constants, instantly breaking the security of this cryptosystem.
- ED25519 is more or less the same as ECDSA, but was put together by DJB. The big advantage here is speed. EC crypto is much faster to sign, slightly slower to verify, and equivalent security can be achieved with fewer key bits.
- Notes for the future: both RSA and ED25519 become insecure against quantum computing (integer factorization and discrete log are both in BQP).
Generally, use RSA if you work with older servers that only support it, or ED25519 if you like shiny things. Otherwise it's a bit of a tossup.
Regarding using separate keys:
- I follow the philosophy that a private key should never leave the host it was generated on. If you aren't sharing keys between machines, you remove the risk that you'll accidentally share it publicly.
- Beyond that, I'd recommend at a minimum having separate work/personal keys. Keeping separate keys for each user/host you want to log into is a tad excessive, but can be useful for key revocation/rotation.
Regarding passphrases on keys:
- Yes. FDE is sometimes trivial to bypass, and you want to be protected in case someone sets your ~/.ssh folder to be synced to dropbox/samba/etc. You can use an agent to keep the decrypted keys in memory, but I'd avoid using agent forwarding.
Regarding bastion hosts:
- You didn't ask about this, but it is essential for a "best practice" setup.
- Bastion hosts are small VPS hosts that basically run sshd and have a static IP. You disallow any ssh traffic except from your bastion hosts to your servers.
- You'll want to have at least 2 bastion hosts with different hosting services, in case one isn't available.
- Run sshd on your bastion host on a port other than 22. Not for security, but for reducing log volume.
- Run fail2ban on your bastion host, even if you've disabled password authn. Again, not for security, but for reducing log volume.
- Set up fail2ban to alert when a new IP successfully logs in.
- SSH can use certificates for authentication, and this can make the key distribution problem much easier to solve. I have a script that makes this easier.
- Push for everyone in your organization to use SSH keys, and only SSH keys.
- Defense in depth. All it takes is skipping one step and you expose yourself. Assume that something that was exposed has been compromised. An attacker only needs to succeed once.
tl;dr - the defaults are fine and password protect your keys.
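Added example (not part of any comment in this thread): the "alert when a new IP successfully logs in" idea from the bastion-host list, written as a standalone detector over sshd log lines rather than as fail2ban configuration. The log lines are constructed in OpenSSH's usual syslog format with documentation-range addresses; the function name and alert fields are assumptions of this sketch.

```python
import re

# Matches sshd's success line, e.g.
# "sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: ..."
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample lines (host name, users, addresses and fingerprints are made up).
SAMPLE_LOG = """\
Mar  3 09:12:01 bastion1 sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 09:40:17 bastion1 sshd[1244]: Failed password for invalid user admin from 203.0.113.50 port 41812 ssh2
Mar  3 10:02:45 bastion1 sshd[1290]: Accepted publickey for alice from 198.51.100.7 port 50310 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 11:30:09 bastion1 sshd[1333]: Accepted publickey for alice from 203.0.113.99 port 60001 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 11:31:52 bastion1 sshd[1340]: Accepted password for bob from 192.0.2.14 port 40022 ssh2
"""


def new_ip_logins(log_text, known):
    """Return alerts for successful logins from a source address not seen before
    for that user, and for any successful login that did not use a key.

    `known` maps user -> set of already-seen IPs and is updated in place, so the
    same dict can be persisted between runs."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are only noise here
        user, ip, method = m["user"], m["ip"], m["method"]
        seen = known.setdefault(user, set())
        if ip not in seen:
            alerts.append({"user": user, "ip": ip, "reason": "new source address"})
            seen.add(ip)
        if method != "publickey":
            # Password logins should not succeed at all on a keys-only bastion.
            alerts.append({"user": user, "ip": ip, "reason": f"login via {method}"})
    return alerts


if __name__ == "__main__":
    baseline = {"alice": {"198.51.100.7"}}
    for alert in new_ip_logins(SAMPLE_LOG, baseline):
        print(alert)
```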
1) Disable passwords and only allow keys even for root with PermitRootLogin without-password
2) public-key authentication has a somewhat unexpected side effect of preventing MITM per this security consulting firm http://www.gremwell.com/ssh-mitm-public-key-authentication
Two questions came up, how many iterations to use via "-a ", and should I add the private key to my home folder repo in version control? I don't want to lose it in a disk crash, but don't want to give it to bithub either.
Using a passphrase is highly recommended except for server-to-server accounts, which should be locked down (and specify the specific command that server can execute in the authorized_keys file - Userify supports this).
You should definitely use a different passphrase for keys stored on separate computers, and it's not a bad idea to use a different passphrase for separate keys stored on the same computer, especially if they have different servers they can access. However, practically speaking, if your computer was compromised (ie keylogger etc) then it's game over anyway.
> Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
Yes, it does make a difference, depending on what you mean by "real-world". Anyone less than a state-level actor will probably be unable to cost-effectively attack even a 1024 bit key, but that won't be true for long. We suggest 2048 bit keys if you are using RSA, with 4096 if you prefer extra security and don't mind slight latency during a connection, or ED25519 for keys on systems that support it. Generally the defaults are pretty good. We have a HOWTO for different OS's here: https://userify.com/docs/generating-ssh-keys-on-ec2/
> How much less secure is it to not use a passphrase on a key?
From the server's perspective, it's EXACTLY the same, but from the client (your laptop's) side, it's completely different. While it's possible that your laptop could still contain your decrypted key in its key manager's RAM or suspended state (ie unencrypted swap file etc), the use of a passphrase even on (actually, ESPECIALLY on) a non-full-disk encrypted system will raise the level of effort to access your key to near-impossibility levels, especially from non-state actors, whereas a key that has NO passphrase is a piece of cake. Use a passphrase EVEN WITH full disk encryption (for example, the evil maid attack)
> Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
If you're using a different key and storing them on different computers, you should probably use a different passphrase on each key. The passphrase (or even if one exists) is not visible to remote servers (or Userify - we provide a free-text field that becomes your authorized_keys on remote servers.)
You don't need to use a different key per user account, although you can. You also should not use a different key per server.. that will turn into a management nightmare. It's perfectly ok to use one key everywhere, but you should probably use a different key on your laptop and desktop, or if the keys have different levels of access (Userify can automate that for you too).
> How/Where should private keys be stored on a device using them?
Ideally on a device using full-disk encryption, including swap and laptop suspend space, to prevent access to a decrypted key in RAM (you are using a passphrase, right?). However, FDE does not protect you from other compromises on your system (i.e., another user that gains escalation to root and installs a key logger), and does not protect against a compromise of your BIOS (i.e., Intel UEFI) or boot process (evil maid attack again).
> What are some of the pros and cons from a security standpoint, and how may doing different things affect the usability of a key?
Keys are safer than certificates because there are fewer moving parts and no outside requirements for your internal CA or dependency on a CA that might go down. Keys can be a management nightmare at scale, but there is software to manage them (ie Userify, ManageEngine, BeyondTrust, ssh universal key manager, keybox (free/open source), etc). If you are doing a small project with few team members, you can also do management with Chef, Puppet, etc, or just by hand.
In terms of usability, a real key solution that manages keys across entire groups of servers with a few clicks can be really helpful... you can do all of the regular SSH things like tunneling (replace stun/sslwrap, etc), proxying all of your other traffic (SOCKS5), keep SSH connection alive (autossh etc), smart ban based on failed attempts (fail2ban, deny hosts), forward encrypted X11 or VNC connections, forward SSH itself (tunnel SSH within itself), and so much more.
We're going to start blogging about all the awesome things you can do with SSH soon, since it's really an amazing and deep protocol.
1. Userify https://userify.com Free cloud and on-premises versions available; full disclosure: I work there
2. ManageEngine: https://www.manageengine.com/
3. BeyondTrust: https://www.beyondtrust.com/
4. SSH Universal Key Manager: http://www.ssh.com/ (no TLS?)
5. Keybox http://sshkeybox.com/
Passphrase is strongly advised
Is it better to use a different passphrase on each key, or does using the same one not matter much?
How much less secure is it to not use a passphrase on a key?
If you expect to be moving your SSH keys across machines (e.g. to use your same personal key on both your laptop and your desktop), then they should absolutely be passphrase-protected, even if they're only transferred via encrypted media.
Should you use a different key per user account, per server, or per use-case (i.e. personal or work)?
Meanwhile, for situations where a server needs to connect to another machine via SSH, each such server gets its own key. That way, if a server is compromised or decommissioned, I can revoke access by key.
Does increasing the amount of bits in a key really have an effect on the security of the key, or does it not make much difference in a real-world use?
How/Where should private keys be stored on a device using them?
A reasonable balance between security and practicality is for any portable media (including portable devices, like laptops/tablets/phones) to be encrypted (in addition to the key itself being passphrase-protected). Better security would be to extend this to non-portable media and machines as well (but this is painful to enforce on servers unless you have physical access).
The directory in which keys are stored should only be accessible to the OS user actually using those keys (so, for example, `~/.ssh` should have permissions `drwx------` when viewing with `ls -la`).
Basically, server SSH keys should be treated like you'd treat your SSL/TLS keys.
What are some of the pros and cons from a security standpoint
and how may doing different things affect the usability of a key?
Upgrade your SSH keys! https://blog.g3rt.nl/upgrade-your-ssh-keys.html?_utm_source=...
I have Caps Lock mapped to Ctrl and I'm glad that MacOS provides this option out of the box, but Caps Lock as Esc is not an option for me. I hope there will be an out of the box way to map Escape to something sensible. I'd trade ~ for Esc anytime, as long as ~ and ` are accessible via the OLED strip.
As time progressed, task switching and copy/paste were obvious shortcomings due to limitations with iOS, but the experience was mostly bearable but not awful.
Towards the end it became unbearable as the escape key was so engrossed with all things unix/linux that I gave up a month early.
If the escape key is actually vanishing, I am completely confused. macOS is a unix derivative and apple has a boatload of developers. Why would they want to alienate us?
It was constantly registering touches on the top row when I didn't want them. With a laptop, I commonly rest my hand on the keyboard and touch -- but don't depress -- keys.
Today it's only used in a desktop configuration with an external keyboard.
I'm not the only one who felt this way -- see, for example, this Ars review of the gen 3, which said of the gen 2 keyboard:
"...the keyboard shed its top row of function keys, replacing them with a software-controlled touchable strip, and used a peculiar arrangement for buttons including home, insert, backspace, and delete. The result wasn't better; it was awkward."
Other than the coffee-shop crowd, how many of you would say you're exclusively a laptop-keyboard user? Not a dig, just wondering.
If Apple offered an iPad Pro, running OSX with USB ports (or a thunderbolt port usb hub) for a physical keyboard, I would switch over in a heartbeat.
I press escape OFTEN, but tildes rarely. For the most part it's to get into consoles in games or other dev functions - I could see myself losing it and not being too sad.
Based on other replies, equity and control may be issues that concern you. Spolsky's post on this matter is widely cited as a response to this question. There are also quite a few posts that dispute his thesis. These are relatively easy to google. This is one example:
Here is a list:
Note that there can be issues that 50/50 doesn't appear to cover cleanly -- supplying cash, full time versus part time, building, selling, contacts/network, etc.
Some would say that all of these other things, if they lead to something other than 50/50, may suggest the business is doomed from the start. While I will remain neutral on that question in this reply, it's certainly a good thought exercise.
Most of all, I wonder if you would choose to marry your potential cofounder. If your response is not "hell yeah!", you may want to reconsider. You will effectively be married to this person for quite a while, and any weaknesses in your relationship will be amplified.
(Edit: answered the original question)
source: long experience with co-founder teams
If you are a 1 person startup (and don't want to be a CEO), how would you decide on the CEO as and when that may be? (say you decide you want to be a CTO / COO)
The first is to get past H.R. gatekeepers to get you to an interviewer. This involved having the right years of experiences, keywords, school, gpa, etc...
The second is to have interesting things to talk about with an interviewer. Putting your school project on your resume won't hurt the 1st one. But if it's an interesting project and you would look good talking about it, then heck yeah put it on your resume.
After 4 years though if it's not a really awesome project you might want to remove it. It could be perceived like you haven't accomplished anything noteworthy recently.
Going further, it's worth doing a minimum amount of research for any position you want and to CV/resume tune for it.
Especially if it can be related to the job you are applying for.
All those concepts don't matter if you don't have where to apply them, and if you do have use for them, you'll learn them soon enough. It was quite visible with a nice paradigm of aspect-oriented programming dozen years ago (from imperative programming field); it looked like a good idea, but there was nowhere to put that into use sensibly, and AOP eventually died.
That's where I would start.
That being said. What's actually kind of good (with actual technical specifications) is Bitcoin wiki, even when it's slightly outdated; then official bitcoin website; and sometimes bitcoin stack exchange website (but that can become outdated too).
I don't think Blockchain can be disconnected from Bitcoin, and if you do, it's very general and not that specific.
And if you want a compiled list of resources for learning: https://drive.google.com/file/d/0B6CKmAqa1_nzRGVicnlHY1BaaUk...
Someone tells a joke based on a prompt. This would be your Genesis block. Then everyone else competes to tell the funniest joke based on only that and the new prompts from the audience.
Repeat until you have an ongoing, hilarious comedy routine that cannot be edited after the fact without being found out because that would ruin the whole routine. It just wouldn't be as funny.
Inserting metadata into the blockchain. https://medium.com/@bkawk/inserting-metadata-into-the-blockc...
Andreas M. Antonopoulos: "Consensus Algorithms, Blockchain Technology and Bitcoin" [UCL] https://www.youtube.com/watch?v=sE7998qfjgk
I work in the field and the most difficult thing is to separate the noise from the signal. On talks with financial institutions and the government, they say they want to use the blockchain but when you ask about how many nodes they are planning to run they come up with one, or don't understand the question. Also, there are a lot of use cases that are not realistic because they depend on oracles or there is no way to enforce the smart contract in the real world.
The intro to bitcoin concepts is a great place to learn about blockchain.
You'll need (at present) about 80 GB of disk space to hold the blockchain. The full node client will download it for you or you can torrent a recent snapshot of the blockchain and then synchronise from there (quicker).
The software you can obtain from here:
Or you can use git to pull the source code from GitHub and compile it yourself. I've done both, and found the developers on GitHub friendly and responsive to pull requests, even helpful to a newbie submitting a first pull request.
Beware that running a full node will try to eat all your upstream bandwidth. It takes a few days for the Bitcoin network to notice the existence of your new full node, but the number of connections will grow (others asking you for pieces of the blockchain, as well as transaction verifications). You can learn a lot about the Bitcoin ecology this way.
2) Longest lecture Nick Szabo, inventor of blockchains, ever gave was in the money museum in Zurich: https://www.youtube.com/watch?v=tWuN2R2DC6c
3) Study the original source code (bitcoin version 0.0.1).
Bear in mind that the word "blockchain" is an evolving word; almost every definition I've read differs. Some see it as barely different than a distributed database that doesn't allow deletions. Many others see it as paradigm shifting.
I have a blockchain/bitcoin tutoring service at www.blockchaintutoring.com. I did a Show HN but didn't get a single comment :(
I'm a programmer myself, but my target market is not the typical HN user. I'm looking to teach more business types and people in the law profession, for example. I'm preparing a small course plan to help people get from 0 to knowledgeable. The course will certainly be a bit technical, but I would not cover for example the pros and cons of the blocksize debate unless someone asks for that information.
I invite you to contact me, either through my website's contact form or the email address there provided. We can chat, and then if you ever choose to use the service, it's going to be at a discount for HN users. Your questions will definitely help me tailor my offering.
Although this paper does not directly address the blockchain, I believe it and the thesis below are at the root of the concept. (If you want to go down the rabbit hole, check out the references page of the above paper). Fair warning, the above paper is from 1999/2000 so obviously much has changed, but still worth reading.
Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control by Mark Samuel Miller:
^ Following along with this helped me a lot. Bitcoin is a rather large onion, but, as others are saying, implementing parts of it is the only way to go.
Firefox appears to be a bit better by letting you set a master password that's used to encrypt passwords, although without digging into the behavior I can't say exactly how much that helps.
https://news.ycombinator.com/item?id=6166731
http://kb.mozillazine.org/Master_password
You can read more about that 1pass vuln here: https://news.ycombinator.com/item?id=11212002
Most browsers store their passwords in plain-text, this means there's applications that can fetch all your stored passwords from all browsers and send them to an undisclosed location in seconds given user level privileges on the machine.
By upgrading to lastpass you have reduced that attack surface by using a secure passphrase and encrypted data-store but you have increased your attack surface to anything accessing lastpass servers and application bugs.
With all these attack vectors one might think that it's better to just not save passwords and just remember them. While this is true in theory, in practice it's impossible to remember a sufficiently unique password for each website you are registered to, which leads to password reuse, which is another much greater attack vector where your leaked passwords from one site can be reused on other sites.
In general I would advise you to use a password manager that generates and encrypts passwords (Lastpass is one of them), use a secure passphrase and don't reuse passwords. Password reuse will likely make you less secure than writing your passwords on a post-it by your computer (don't do that either)
I would also consider looking into using proper 2-factor authentication for sensitive login (document storage, email, password manager) but I don't want to bore people with the details there so I'll defer you to do some independent research
* Store passwords encrypted (Lastpass is fine)
* Don't reuse passwords on different sites
Granted, if you use full-disk encryption, this concern is much less serious.
By contrast I know from personal experience you can earn the same or better than what's listed here outside of London and enjoy the lower cost of living.
Freelance Flash animation / dev for big digital agencies and ad companies (5 years ago) - 250 p/h, with 3 years experience.
Tech Lead - Digital Agency in Shoreditch (1.5 years ago) doing Node / Ember / Angular / DevOps - 45k, however I chose a lower salary for more leave and flexible working hours.
Now I work in Berlin in a dev role doing Node / React / Redux. 57k. My living expenses are 1/2 what they were in London, and I live in a central Berlin 1 bedroom apartment rather than shared housing.
Really need to move towards the midlands (Bristol, Birmingham, Leicester, Staffordshire - cheaper rent, cheaper water, higher pay)
I've been a Dev for 7+ years.
Currently doing my own startup and cyber-security consulting for 750-900/day.
17 years experience, initially as a general web developer, then front end, now more back end. Currently Ruby on Rails but I can turn my hand to almost anything.
Not a manager, not a senior developer, not a tech lead. No desire to be.
I work quite short hours (9.30-5) and that's what's most important to me.
Web Developer in London for a dating company - 75000 pa (with bonuses it's around 110000 pa)
Current gig 475pd, to be honest I had better leads but the client offered the same day of interview and I started the following day.
I have 6 years experience and no degree.
Guy next to me does the same job for 53k.
Edit: media type of industry. Work normal hours, usually 9-5:30.
No degree. Around 10 years experience in Network Security.
- Permanent position
- Cloud stuff
- 66k plus bonus et al which pumps it up to around 88k
I have a PhD (4 years programming), and ~4 years professional experience as well.
Previous roles:
Fresh Graduate: "Developer" 28k + 3k bonus.
Fresh PhD Graduate: "Senior Developer" 40k.
Experience: 20 years as a dev.
Skills: full stack dev .net, angular, iOS etc.
Edit: long term so no "off" days & 150k ish per year depending how many holidays I take.
Small Investment Bank - 61k + ~30% Bonus (3-5years experience) Java / Angular - Back Office Developer - Permanent
Small Hedge Fund - 65k + 50%+ Bonus (expected/promised) - .Net / WPF (5years experience although not in .Net) - Permanent
Digital marketing, education sector, 4 years experience: 39k + healthcare
Startup salaries topped out at 80k (ignoring non-liquid stock) so went contracting. You need the stomach for it, but it pays a lot better for similar work.
I've been longing to go contracting in the last few months, but judging by the sentiment on this thread, it doesn't look like it's a wise choice.
One of the big tech companies
70k Base
20k Bonus
+ ~20k / year stock vesting
10 years C++, specialised in low latency
Base 67k
Bonus anywhere between 15 to 50%
77k basic 10k bonus plus stocks
28k in London, full stack dev with 2 years experience... react + redux, node, express, elasticsearch, rabbitmq, postgres, mongo etc.
Front office large investment bank. Java. Perm. 15 years in banking, 20 years in programming
110k - no significant bonus.