* It was well organized
* Had quite a range of topics on interesting topics that poked you right in the intellectual curiosity
* Had an audience that was eager to talk about esoteric ideas, but still able to bring it back to a semi-pragmatic form - rare to be able to walk those lines
* Just a lot of fun
Usually I'm quite exhausted after conferences, but I came away from Polyconf feeling energized about programming, creating (and destroying), and exploring in a way I hadn't for quite a while - highly recommended!
I went to PolyConf 2016 in Poznan. I enjoyed how broad the range of topics was. Although it can be a double-edged sword. Having so many differing backgrounds can make it tough to strike up a meaningful conversation. For example, if someone is super passionate about OCaml, and I've never touched the language, then there's only so far we can take the conversation. I suggested at one point to have people's top interests printed on their name cards to narrow the search space a little.
If you can go - go! Thank me later.
The author acknowledges that this can happen:
> So, you're now out of address space. There are two ways you could try to address this.
> a) Think carefully about your data representation and encode it in a more compact fashion
> b) Allow the program to just use more memory
> I'm the performance guy so of course I'm going to recommend that first option.
As a "performance guy", he should know that using a bit more RAM is essentially free, and much, much easier to code than doing the kind of bit-fiddling wizardry he suggests ("encode it in a more compact fashion"). In practice, that kind of low-level code will not get written anyway, at least not by modern Microsoft, and much less so by most extension authors. Which means that there's an arbitrary and very hard limit on how much you can customize/extend Visual Studio before you hit that 3 GB wall. And again, this is on modern workstation machines with gigabytes of unused RAM lying around.
In short, there may be very valid technical reasons why VS can't go 64-bit, but to claim that this doesn't hurt the product is in my opinion not justified.
I wanted the 64-bit transition only so I could properly use my tools at work (used to work in a .Net shop). We had resharper and several other plugins that ran in the same Visual Studio process as everything else and it was fairly common to hit the memory limit of a 32-bit process and Visual Studio would essentially die until it was killed and restarted.
Sure, you can say "stop using those tools" or "they should have written them better". But at the time I was required to use most of them (it wasn't only Resharper though Resharper was pretty nice).
Today I don't have this problem anymore. But I think because of that type of issue it would still likely be worth it. Honestly I feel like they could optimize Visual Studio at the same time; it has a ton of capability but it's also incredibly large and, from my understanding, carries a TON of legacy code and resources throughout.
- You really only get 3GB of RAM
- Actually, you get less than that, because of DLLs that get loaded into that space.
- Actually actually, fragmentation becomes a problem, and making very good use of the remaining memory gets awkward pretty quickly.
3GB is pretty crowded, especially when you're talking about (say) a game with tens of GB of footprint. You need to page stuff into that footprint, and be clever about the memory pressure not affecting the user experience.
On the server side of things, we regularly run processes with > 8GB footprints, including things like solr (at 32 to 160GB). Breaking this stuff up would involve a lot more disk and network chatter, as well as bugs involving OOM conditions, reducing global performance and reliability.
So while VS may be fine with 32-bit code+data (I am not convinced), real-world applications definitely need more. I'm guessing that making a 64-bit VS is hard for legacy reasons, and that the 32-bit space is actually holding the VS team back (and possibly plugin makers as well).
Can someone explain why exactly 64-bit is generally slower than 32-bit?
I understand that more RAM will be used and I/O to it slowed down due to double the bits pushed around since "chunks" have double the length, which ends up being a lot of empty padding (is that correct?).
But everything inside the CPU, like registers or ALUs, are 64 bits wide anyway (right?), so computing in 64-bit mode would just make use of resources that were unoccupied in 32-bit mode. Or am I missing something?
Hell, why not stick with 8 bit? We can just optimize everything to work on that, right?
Makes sense if you're running Java with -Xmx1024m
Wait... did you just tell me to go fuck myself? ;)
Edit: is the site broken, or is the author blocking archive.org?
This is the advice I can give to anyone who has a side project. Get to the point where you can show something to the users and just start adding stuff.
Even if it's just two lines of code or changing the favicon - still worth it. In practice, it's harder to do than it sounds, but I've been doing it for some time and it's been going great.
In reality, you won't have millions of users on day 1 no matter how great your product is. If you start small and keep adding stuff you will have more success.
In fact, the biggest challenge for side projects is marketing and not the tech or infrastructure.
However, it also depends on the goal - if you want to build the project that makes money it's completely different story to experimenting with tech. In the end, you get the experience.
For example, a few years ago I managed to build an overengineered CDN product that compressed images on the fly (almost on the fly). I shipped the project and it even worked great for testers, but I didn't get to the point where it makes money, so I shut it down with half-unfinished features, as it was taking too much time.
While building it I managed to learn Go, improve my AWS skills, plus some other tricks. Now it sounds like a great investment even though I feel that I haven't completed the project.
I've realized that finishing a project is roughly 10% exploration, another 20% getting to working, and at least 70% polish. The exploration phase is very enjoyable and it's what keeps me hopping from project to project. Occasionally, the enjoyment phase will encourage me to keep plugging away at it until I get to working. This is the minority of my projects, but it happens naturally to some extent. But I rarely put in the time and work to do that other, much larger bit to get to a done state. Because that part is actually work and it's not fun.
But what I've discovered in looking at my projects that actually got to done is that there's one thing that, for me, leads me to finish...having a social pressure. The projects that I've discussed with friends and gotten them excited about are the ones that I finish. My attention will wane and I'll drop it for a bit, but then I'll have a conversation where someone asks what the status is and I'll pick it up and work more. And if that repeats enough, I finish. The best case scenario is getting someone excited enough to actually code with me on a project. In those cases, we usually get to done pretty quickly.
I think this is why being a solo founder is so difficult. You're going to run into difficult stretches and you'll want to focus on something else. It's a very rare person that can continually return their focus to a single problem, even in the face of adversity. But if you've got someone else to steer your focus back, you can keep working long enough to succeed.
So here's my advice to a coder who's never finished. For your next side project, when you get the inspiration, instead of immediately sitting down at a keyboard, contact a friend, go out for drinks and tell them about your project. Better yet, get a group of friends and discuss it. Get them excited about it and let them know that you're excited about it. Only after that step should you start coding.
The technology aspect is really only 10% of it. Sure, it's the essential 0-to-1 kicker that gets you going, but once that's done you still have to find product-market fit. That quickly assumes second-job status and can wreck your personal life. I've seen it happen.
A side project means you're taking all that on yourself without any help or real guidance. Not having that help means that when you finally do ship your side project, it's probably not going to achieve the kind of rapid growth you need to make scaling up possible.
And you really need rapid growth in order for working on a startup of your own creation to beat out having a reasonably-decent job. And if you don't have a reasonably-decent job, it's way easier to switch jobs / industries than it is to build out your own company.
What I want out of a side project is the kind of deliberate practice that is often lacking in my real job. Also to chase down random mind hares that seize my interest.
The problem is when this behaviour crosses over into your professional life, because you're not delivering value to your customers quickly enough and as a result you'll either get sacked or the company can go bust. Having someone else to keep you in line works great, it doesn't even need to be a Product Manager or Product Owner. And if you don't have someone else to keep you disciplined, then you better work hard on improving this area where you're lacking. Write down ideas on paper for example and ruthlessly prioritise and prune them every morning. Sayings like "work on what's highest priority", "do the least amount of effort that results in the greatest value", "keep it simple", "reduce scope", "you aren't gonna need it", "defer nice to haves", and so on are things we hear so often because it really is good advice that you should follow.
The key difference is that my project was a video game (this one: https://www.youtube.com/watch?v=YwXl8lDrxn8) and that takes a lot of temptation to do what the OP is writing about, rewriting stuff in Haskell for example. The interesting bit when it comes to side projects (and now my full time projects) for me isn't actually the tools or the methodology or anything like that, but the end result. I spent my teenage years building games that I never finished, and it made me quite miserable, because I so just wanted to finish something. Anything.
I remember the first game I ever finished was a clone of Snake. There was nothing remotely interesting in the implementation or in the design, but I was so flipping pleased with myself, I had finished something! And that let me slowly build my projects up to more interesting endeavours, and eventually to one that could be sold. Starting small was the key for me, as I learned two things: 1 - what was 'too much' for me to try and tackle at the time and 2 - self-discipline, not chucking the project the moment I got bored, or had a 'better idea'.
Not EXACTLY the same problem as the author, because I am not building out scalable infrastructure. I just spent a ton of time learning the fundamentals of angular and node, then try to understand express, then grunt, and mocha and bower and... now I have weeks into this pile of stuff... nothing working and I am frustrated, disappointed, and oh look Overwatch patch notes.. time to try out the new hero.
Side projects tend to be small, fast and enjoyable. This is the way the human brain works and is actually much more efficient than taking big steps.
Also make sure that your main goal is fun, if it is not, it will only get worse. Fun is the fuel of the brain. You cannot fight fun, because you cannot fight the brain. The brain always wins.
Make your brain your ally and success will come. You are not your brain, your brain is a lot more than you.
Let me say once more, brain.
Oh and if you think your code will never sell, remember that fortunes have been built selling rubber bands for hair. There is always a way.
"use the brain Luke"
It's true that a lot of programmers do jump from shiny new tech to the next shiny new tech. If it's to start a business, it's probably best to stick with boring stacks.
My advice: pick three "side projects": one that you can build in a day, one that you can build in a week, and one that you can build in a month.
Build the first one in a day and ship it. This will motivate you and build your confidence in your shipping abilities. Then build the second one in a week and ship it. Then build the third one in a month and ship it. You've now shipped three projects, good going!
That said, I want to echo what @vinceguidry said. Side project != business. If you want to build a business, the same logic applies... just get something out the door. But you need to be serious about ongoing support and maintenance. Whereas a side project could be anything, like a fun open source project, a personal website, experimenting with new frameworks, etc.
p.s. Don't be so hard on yourself. You just shipped a blog post to the top of HN. And you've got a long history of blog posts on there. Maybe you should ask yourself why you can ship blog posts but not side projects?
Michael Abrash has some books on optimizing code in assembly language, and he takes special care to talk about why & when to optimize that would also apply here. The point he makes repeatedly is to optimize from the user's point of view - don't do something the user won't notice.
We all do it though, this is a human trait, but we programmers and computer scientists often amplify the problem. We love obsessing over what's "best", without regard to whether we actually need the best. We are taught during our Computer Science degrees to generalize and abstract at every opportunity, to plan for future problems we might have, and for future problems others have had that we might never have. We discuss incessantly how important it is for software to be scalable, and how to use the "best" everything, best language, best database, best algorithm, etc.
Strive to solve only the problems you're already personally experiencing, wait to solve problems until you are already experiencing pain, and ignore the problems that only "might" happen, then it will be easier to finish things.
Trying to build something in your free time forces you to think about dividing work up into very small pieces (what can I do with a free hour, etc). I've found this very beneficial in a work environment.
If you get to the point where you can show people, showing people changes how you think about the project - some invisible social pressure to do better, similar to code reviews.
You also have to think through the structure of the entire project on your own - often in a work environment, you're joining something in progress.
This is also a great way to research new tools. Instead of thinking how cool they are, you evaluate how they fit into a "real" project, but without the pressure to actually make it work.
Do the Work - https://www.amazon.com/Do-Work-Overcome-Resistance-Your/dp/1...
The War of Art - https://www.amazon.com/War-Art-Through-Creative-Battles/dp/1...
You have to build a muscle for this stuff. It's hard.
I finally bit the bullet and launched http://www.survivalscout.com in January. It's definitely a whole new set of challenges going from coding to trying to market and sell your project.
Acquiring all that knowledge leads to a feeling that you _potentially_ can do more. You are _potentially_ more powerful. It is a good feeling. You can never be disappointed in yourself if you don't finish anything.
I do get occasional "this feature not working" mails but at least I'm creating new sites again and making more money. If there is anything you want to take from this rant, it is: don't waste your time doing things that other people are telling you to (how ironic). Do what you love and you will get shit done.
Am I missing something? It's a nice set of thoughts, but I can't imagine paying to have read somebody's personal blog, and would have been vaguely weirded-out at him having ads on it.
I've wanted to write for years but thought I had to pen esoteric essays composed of thousands of words. Recently I just started writing short, simple posts that are helping me establish a habit, develop fluency and enjoy the process of writing.
My first post was on this idea of atomic actions: https://alexsingh.svbtle.com/atomic-actions
Maybe it'll be of help to someone else :)
I think the author's intent is a good one and it overcomes the "perfect is the enemy of the good" trap we can all fall into at times. As the technical lead on a multi-team project last year, I had to beg my developers to just check in anything at one meeting because they were terrified of having the other teams see their imperfect code. When I assured them their code couldn't be any worse than mine, which I had checked in several times and actually had rejected by the version manager, they were able to laugh and agree to start committing their work to the repository.
Your code is going to get criticized no matter how much you polish and engineer it. If you can accept that, then I think you will find yourself free to be more productive.
People have built million-dollar businesses that had their first iteration in MS Excel; if it is useful to someone and kind of serves the purpose, then that is enough for a start.
I wrote a post titled Side Projects: Avoiding Failures to Launch a few months ago that touches on these same ideas in more detail.
Perhaps you simply "haven't learned to finish what [you've] started", but sometimes there are deeper issues at play.
Or teach people how to use the new shiny thing.
Or help them decide the pros and cons of new technologies by talking about the subtle distinctions you have noticed between them through your experimentation.
You can put that off until you have a successful startup and I bet by then you'll realize you don't need it anyways.
Personally, my problem is that I just have too many side-projects. I have one startup side project, but I probably have a half dozen of other OS side projects that I'm either working on here-and-there or I'm at least thinking about when I should be thinking about my startup.
I think this is one of the disadvantages of doing a startup as a side project while still working full time. Even though I allocate 1 hour and a 1/2 to 2 hours a day to work on my startup I still find myself working on other hobby stuff nearly half the time :( A lot of those hobby OS projects come out of some problem I'm experiencing at my day job but don't have the time to solve in the elegant OS way I would prefer to.
I'm super happy to have read this article and plan to take the advice. No more side-projects, just get my startup shipped.
You (probably) don't need the microservices and the complexity that comes with it, upfront. A monolith (and the simplicity in terms of deployment, logging, monitoring, etc. etc.) will probably do early on.
However, you don't want to shoot yourself in the foot for when it turns out you do need those things.
I try to write code in self-contained modules, with well defined boundaries, and glue it together in a monolith. If/when it needs to be split out into separate services, it becomes much easier.
So, application/business logic code: keep the standards high, do shit properly. Glue code to keep it all together? Less important. You can rip that out later and move to different infrastructure with the same code.
That's very generic advice, and I seem to always break my own rule on this at some point... but I find it's a better mentality for when shit just needs to get done.
Doesn't help with tech choice in general though (and I'm often guilty of this as well...).
Usually some well-funded competitor comes up later with the same idea and takes all the market.
My advice: Don't bother starting a side project unless it's really niche, easy to implement and you just want to make enough money to replace your own income (the market has to be small).
Unless you personally know people who have tons of money to invest in your side project, then it's a complete waste of time. It has to be people first.
9 out of 10 businesses fail and it has nothing to do with abilities, drive or persistence; it's only about luck.
I've met a 17 year old who built a wordpress website that generated $10K per month after just 6 months (though it already had tons of traffic in the first month) and couldn't write a single line of code. I've heard of hundreds of similar stories.
Some random person somewhere on planet earth randomly puts together an app because they think it's cool without any thought whatsoever; it blows up in popularity out of nowhere; then some smart engineers/people who actually understand the potential find out about it early enough and join up in exchange for a stake in the project; that's how actual smart people do business.
Some of my stuff is good enough to use (as in early alpha), but doing the final 20% won't pay off anyway.
It's crazy how the little things add up, like sounds, icons, animations, hosting, advertising, analytics, websites, landing pages, facebook pages, codepush, in-app purchases, etc. etc.
Hopefully I'll launch soon though, and be able to share it on HN.
Also did I mention that you are an introvert by nature (read Susan Cain)? You are easily distracted by shiny things.
P.S. I am no expert, those are just the things that I realized about myself....
P.P.S Shit. I think I am still like you, because otherwise I would have worked on the code review that I was supposed to do....
I guess all of us learn something similar to this at some point in our lives.
In the quiet times, I ask myself these questions and get sheepish, embarrassed answers. When you can give reasoned, confident answers on hard, painful questions about your future business rather than current tech demo, then your project has a shot at life.
I have an amazeballs tech demo for my side project. It is scoped way too huge. Heroics and not knowing what I was signing up for got it to where it is today.
Honestly, if I were to do it again, my first features would have been user management and payment processing. I wish I could take users and have them pay me as soon as they saw value in my growing hobby project. But I can't because I didn't prioritize getting users and using their subscriptions to fund my work. I have a ton of neat features and no users, argh!!
This can be a good thing, if it helps you move forward, as long as you pay it off + don't let too much build up.
It also helps to remember that software projects are never finished - only abandoned.
So I've become more picky about the side projects and if I'm unwilling to commit to finishing it in the wee hours of the morning then it probably isn't worth doing at all.
Tinkering with stuff to figure out how it fits together is good. When the right project presents itself, the persistent tinkerer will be ready. She or he will have the advantage of knowing how to do the project.
(if it's a bad joke, don't vote me down :) )
Hear, hear, my friend.
I wonder if OP has ever questioned why he wants to create these startups.
I found a while ago, that I like kids, I like playing with them, I would never have one though, I see Startups as the same way, it's something you'd be stuck forever, like my JQuery Mobile based product of my own startup, I can tell you now that I get to fuck around in my free time, now I'm happier.
You need to question yourself more, are you a programmer or an entrepreneur?
I first started creating a project or two that were completely free. These projects helped me learn what people like and if people were even interested in using anything I created. Turns out.. I've got good ideas that people actually find useful. I'm not after creating the next Facebook, Twitter, or LinkedIn. Rather, I'm after creating things on a much smaller scale that help with everyday life. Once I got that concept down and accepted that I would not be creating something huge like a social media network, but other useful things on a much smaller scale, more specialized and to the point -- many programs start off great -- then the developers add too many things to it and it becomes bloated and no longer focused on what it was originally meant to do.
So whenever I start a project: I write out all the things it should do; its function and purpose. I do my best never to deter from what I had intended it to do. This keeps me focused and helps me complete projects much faster. I did more research in how to charge for the things I made. I would love to give away everything for free, but I need to eat and pay my mortgage too. I'm certainly not looking to charge anyone an arm and a leg, but if I charge a fair price for the products I create, taking the time and consideration, and how some of it does actually make life easier, then why not ask my users to pay a small fee to use the product that helps them in their everyday life?
If everyone pays a small fee to me, then I can continue supporting my products and creating more. I've certainly lost motivation and interest too many times to count, but money is certainly a motivating factor. To help stay motivated, I originally calculated how much potential income I could make from X amount of people signing up and paying the monthly or yearly recurring fee from any project I start. Anytime I lose motivation, I look at those numbers as the potential revenue that I could be making and it instantly puts me back in the mood to continue my side projects.
I was so serious about my side projects that I registered an LLC in my state, opened a business bank account in order to collect money via Stripe, and I talk about and act like I am already a business owner creating products for my business. I have a few "solid products" out there, but the ones I'm charging for are still in beta and testing phases. My journey into understanding how to design products for people began at the end of 2015 and it is now the beginning of 2017. So I'm about a year in so far. I will eventually get to where I want to be.
The other thing that keeps me motivated: I'm tired of working for someone. I've done it for almost 20 years... I have dealt with my fair share of arrogant asshole bosses, backstabbing co-workers, or just being under-appreciated or under-paid. It is exhausting to have to show up to a place for 8 to 9 hours a day, only to be treated like you are just a means to an end for a company. I get it: they need to make their money too, but to treat you as a human being and show respect and help you to keep your dignity and sanity goes a long way.
I get to watch other departments who are all eligible for things like "CEO's Club" or "Honored Vacations" or "Gold Member Status" while my department is "not eligible" and completely ignored and treated as if we don't matter, despite the fact that we bring in millions of dollars every year for our company. We design the products for the entire business and control how things are distributed and what they look like. We literally influence how web design looks on the Internet. I'm tired of watching my co-workers make mistakes and not get in trouble for it, while I make a single mistake, far less worse than theirs, and I am singled out, and a whole meeting is called to address the issue. Sure, I'm probably held to a higher standard because I have been there much longer than my co-workers, but everyone should be held to that high standard. I've worked on projects that have brought the company in tens of thousands of dollars in a single shift. I'm also tired of being the developer who can complete 4 or 5 projects in a single shift, while my co-workers can hardly complete one or two projects, yet there is no bonus to me for doing that, yet it is expected that I am the one to be the sort of "sweeper" who ensures that all projects meet their deadlines, no matter what, while it is okay for my co-workers to leave me those projects to do because they know I will do them -- and I have no choice.
I'm certainly not complaining about my job or the money. I love both! I love web developing. I love web designing. My paycheck isn't the greatest (because most of us.. could always stand to make a little bit more -- and more never seems to be enough), but it allows me to pay my mortgage and other bills and feed myself and my family and enjoy life a bit. I also live about 10 minutes from my job which is awesome. Imagine all that money saved in gas and car repairs. On the warmer days, I ride my bike to work. It is such a relief to be so close to work! But giving 8 or 9 hours of your life every single day, 5 days a week, 52 weeks out of the year... it is very draining. It is like I am paying for my house to sit there all day and be empty.
So this is why when I go home.. and I am working on my side projects, I feel I am working for a better life: Designing products for others to use, hopefully products that don't have too many bugs in them, and my hope is to create that recurring income, so that I can work 20 hours a week and not 40 or 50 hours a week.
Sure, this is totally "first world problems" -- I'm happy that I'm not working in fast food. I'm happy I'm not in construction or that my job is not backbreaking work or intensive labor. I'm happy I'm not working for minimum wage. I probably have a better life than most people do. Again: I am not complaining about my job or the money. I'm not even really complaining about my company. The issue lies in not being treated with more dignity and respect and appreciation, which I think is completely lost in much larger corporations, where you are just one among thousands of employees.
So to never complete a side project means you are content with your life as it is. The only way to get ahead in life is to create things that other people like, want to use, enjoy using, and would actually pay you for it (or win the lottery or manage to successfully sue some corporation or whatever).
You could try to create something like Facebook, though Google Plus showed us it is not possible to even contend with that type of influence and stronghold. To not charge any money at all, you have to basically get to the point where you are receiving so many visitors that advertisers love you. Therefore, your only option is to charge a small fee for the usage of your product. You may not become the next Mark Zuckerberg, and that is okay. But if you can generate enough income to actually quit your day job, then I'd say that is success right there.. at least, it is success for me and certainly keeps me motivated to complete those side projects!
- I could just create an account with nothing entered on the password field and could also login to that account that way.
- https://thisnumber.rocks/ is not being pointed to this same app.
Then we switched to more of a "ring all the lines at once and the first one who picked up got the call" -- much better for the person dialing in... but meant every one of our support people got distracted every time the phone rang... they hated it.
Eventually we just went back to something like ZenDesk for customers to write in to create tickets, and then expanded it to something more like what Apple does... where the user creates a request to be called back at a certain time. This is what the client still uses. It's a better system for everyone than trying to sort out incoming calls in real-time.
BTW, anyone interested in a tutorial? I can create one.
> I had a bit of a sad when I realized that we were perfectly fine with users selecting a 10 character password that was literally "aaaaaaaaaa". In my opinion, the simplest way to do this is to ensure that there are at least (x) unique characters out of (y) total characters.
Isn't that exactly what you're complaining about with your arbitrary password restrictions to begin with?
I mean, I can imagine that a clueless user might have the illusion of safety if they're using something like "1q2w3e4r5t" but if I use "aaaaaaaaa" as a password on a website I know full well what I'm doing. So why even bother?
I think there are two possible ways to look at this problem from a service provider perspective:
- if the user getting their password stolen is a bad thing for you (i.e., you're a bank or something like that, and getting an account compromised will put you in trouble), then IMO the only satisfactory solution is to impose a password to the user. In effect these ridiculous password requirements are exactly that, except less convenient and secure. Cut to the chase and say "your bank password is Axei5aoc0i, write it down somewhere safe".
- if the user getting their password stolen is not a problem for you because it's not your responsibility to handle these issues (like a hacker news account for instance) then just let the user pick whatever they want and deal with the consequences. If they care enough about it they'll care enough to pick a decent password. At most if you really want to be friendly give an indication that a password might be weak, but please don't disallow it.
I use a command line tool to generate passwords, and I use a password database to store them. It has happened to me before that the maximum password length is something disconcertingly small, like 20 characters. I would copy and paste my password, submit, and then fail to be able to log in. Why? Because my password in the "create" page was silently truncated on the front end, but the same truncation does not occur in all places, so I would type a longer password on the login page than what was registered in the system and it would fail.
Other times a password that was too long or contained whitespace would fail with a cryptic error message, or would tell me I failed to meet some other password rule that I know I did not fail to meet.
I don't understand how something with so many widely-recognized best practices associated with it can be implemented badly.
One of the questions I asked was why they limit password length. The (low) limit suggests that they were storing the password rather than a hash of it. They wouldn't confirm that was what they were doing, but their ultimate answer to me was stop worrying - you aren't responsible for fraud.
I also asked for a list of all the external IPs that had accessed my account and I couldn't get that for privacy reasons. I'm not sure whose privacy they were worried about, but I guess it wasn't mine. In the end, it was an incredibly unsatisfying exercise.
They force you to come up with a new password that you probably haven't used before and so you will probably forget it.
There are websites that I don't use often where I literally have to reset the password (and go through all the i-forgot-my-password steps) every time I want to log in because they forced me to come up with an overly creative password.
I think most people have two or three passwords for all their apps/services; one very secure one, one medium security one and one low security one (where you literally don't care if you get hacked). It's not the company's business to tell you which of those classes of passwords it deserves for its website.
I really liked the zxcvbn library from Dropbox, as it allows you to catch those really egregiously bad passwords before it's too late, but is much smarter than any list of arbitrary rules could be. I actually wrote a similar library (nbvcxz - https://github.com/GoSimpleLLC/nbvcxz) for my company which implements all of the functionality of zxcvbn (and extends it as well) so I could use it on the server side.
It's a great one. Not only does it recommend against composition rules, but
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)
Oh, if there is a sin against passwords it is forcing quickly memorizable (i.e. simpler) passwords.
- if the system uses a login + password scheme: 12 chars min and mandatory mix of all among non-caps/caps/digit/special
- if the system uses a login + password + time-based exponential backoff rate limiting with a baseline of 1 min after 5 tries maxing at 25 per 24h or lockout after 10 tries or a bot detector such as captcha: 8 chars min and mandatory mix of 3 among non-caps/caps/digit/special
- if the system uses login + password + environmental information (such as IP or MAC addr, etc...) + time-based exponential backoff rate limiting with a baseline of 1 min after 5 tries maxing at 25 per 24h or lockout after 5 tries or a bot detector such as captcha: 5 chars
- if the system uses login + password + hardware second factor (SIM, U2F, YubiKey...) + lock out after 3 tries: 4 chars
To fend off in-transit and offline attacks, the document suggests that auth should transit sufficiently encrypted (using a cipher or method currently recognised as strong and non-vulnerable) and passwords should be stored obfuscated using a secure (similarly defined as strong and non-vulnerable) one-way cryptographic function with salt (and possibly pepper since they mention a "key", which makes no sense for one-way crypto functions).
Essentially, Facebook accepts 4 forms of the password as correct: 1) the correct password, 2) the caps-lock inverted version, 3) the correct password but with the first letter capitalized, and 4) the correct password + 1 character of any type. Each of #2-4 seems to be designed to prevent a failed login for the real user under common error cases, particularly when logging in on a phone.
Since each of those options can be easily stored as hashes (with #4 being done by also testing the entered password with the last character omitted against the correct password hash), the only weakness I can see this introducing is that if hashes were leaked, there's 3 valid passwords that could be found by an attacker rather than just 1, but with good hashing practices, that doesn't seem like a big deal since the search space will still be quite large.
With that in mind, that seems like a user-friendly addition that doesn't introduce any major weaknesses. Anything I'm missing that would make this a crazy scheme to have implemented?
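The tolerance scheme described in the comment above, sketched as an added example (it is not part of the comment and is not Facebook's code): the server keeps a single salted hash and undoes each tolerated typing error on the submitted string before hashing. The function names, the choice of PBKDF2 and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Demo work factor (assumption); a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow one-way hash of the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(password: str) -> dict:
    """Store exactly one hash per account, never the variants."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def candidate_inputs(submitted: str) -> list[tuple[str, str]]:
    """Undo each tolerated typing error on the *submitted* string.

    Returns (label, candidate) pairs; each candidate is what the user
    would have typed if that error had not happened.
    """
    candidates = [("exact", submitted)]
    # Caps lock left on: every letter arrives with inverted case.
    candidates.append(("caps_lock", submitted.swapcase()))
    # Mobile auto-capitalisation: only the first character was upper-cased.
    if submitted and submitted[0].isupper():
        candidates.append(("first_cap", submitted[0].lower() + submitted[1:]))
    # One stray character appended at the end.
    if len(submitted) > 1:
        candidates.append(("extra_char", submitted[:-1]))
    # Drop duplicates (e.g. swapcase() of an all-digit string is a no-op).
    seen, unique = set(), []
    for label, cand in candidates:
        if cand not in seen:
            seen.add(cand)
            unique.append((label, cand))
    return unique


def verify(record: dict, submitted: str) -> tuple:
    """Return (matched_label or None, number_of_hashes_computed).

    Every candidate is hashed even after a match so the response time does
    not reveal which variant matched. One submission tests up to four
    passwords, so throttling should budget for that.
    """
    matched = None
    hashes_computed = 0
    for label, candidate in candidate_inputs(submitted):
        digest = hash_password(candidate, record["salt"])
        hashes_computed += 1
        if matched is None and hmac.compare_digest(digest, record["hash"]):
            matched = label
    return matched, hashes_computed


if __name__ == "__main__":
    # Constructed sample password and login attempts.
    record = enroll("correct Horse 9")
    for attempt in ["correct Horse 9", "CORRECT hORSE 9",
                    "Correct Horse 9", "correct Horse 9x", "correct horse 9"]:
        print(repr(attempt), verify(record, attempt))
```

Because the variants are derived from the input at login time, the stored record is no different from that of a strict verifier; what changes is that each login attempt costs the server up to four hash computations and covers up to four guesses.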
- Contain both numeric and alphabetic characters.
- Users to change passwords at least every 90 days.
- Password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
Which go against the NIST guidelines. So how do you do things that are considered "best practices" when people like PCI require you to do them wrong?
Password reuse across sites. Have some check as to whether the same password can be used for the same username / email across other sites. I discovered this one early; back in 2000 I was an admin for a student portal at uni created by Virgin. As an admin I could manage people's accounts; including reset their passwords. The field for me to change their password had their current password; it was hidden by asterisks so I couldn't see it... until I clicked view source on the site :/. So now I had everyone's passwords & their email addresses; my guess is I could have taken advantage of this for at least 80% of those accounts.
Password change frequency. Changing your password can be annoying; but there is some benefit (so long as you're not changing too often).
Password reset rules. If you click "forgot password", many sites still use the memorable question with questions which are often publicly available (e.g. to get someone's mother's maiden name, this information's on the public record, and can often be found through someone's social media too by looking through their contacts, then the contacts of those sharing their surname; as their mother's maiden name will match their uncle's surname, and most people with their surname will be friends with both their mother and their uncle). Emailing a reset link is great; but relies on email which isn't (and some people's mail's very unsecure; e.g. company mail can often be legitimately viewed by the company's IT team; and that's the non-hacky scenario).
I'd be willing to bet that a future version of Discourse will also disallow using your previous password as well. Then we'll get another password blog post talking about how hard passwords are and how we need more rules for passwords. Experience is a funny thing.
Even a 5-character password should suffice in this situation, and a human user would never even notice the 2-second delay. How would malevolent password-crackers get around this?
If you follow the NIST guidance, it's not a problem at all. The bullshit happens when you allow infosec people who lack applied skills and go overboard in their analysis of policy and standards documents. Those infosec people wrongly see increasing entropy as equating to high assurance -- in reality increased complexity leads to ad hoc "something you have" tokens (i.e. My complex password is written on a post it note).
You need length and complexity standards because users don't know how to measure risk, don't understand what a good enough password is and don't really care. So people do stupid shit like make their password "qwerty". It puts their data and the integrity of your system at risk.
Disregarding the navelgazing about cultural insensitivity re: character sets, a 10 character length + 3/4 of upper/lower/numeric/symbol, combined with lockout controls ensures a reasonably high level of assurance. Again, per the NIST guidance, if you need more trust, you need multiple factors.
To make matters worse, the email looked just like a phishing attempt. Right down to having you download some html attachment, which, after it opens, directs you to click on something which finally takes you to the "secure email". The whole process felt like something a scammer would come up with, and is really not how banks should condition their customers.
At first I thought the answer would be obvious but the more I thought about it and did some scribbling I couldn't come up with a good answer. Math is not my strongest skill.
Let's assume you had hashes of passwords following these rules and knew the hashing algorithm, could the rules be so restrictive they narrow the search space and actually make it easier to crack them than no rules at all?
 for example: http://www.the-interweb.com/serendipity/index.php?/archives/...
(See rules here: https://csdashlane.zendesk.com/hc/en-us/articles/202698981-I...)
Of course you could use the EFF word database but after trial and error I actually like the Emoji annotations better (I obviously remove short words and non ascii stuff).
I plan on having the script show the words along with the corresponding emoji (iterm supports emojis) to help remember. The idea being not to copy and paste (I need practice on remembering stuff anyway... the joy of getting older).
A long all-lowercase pass phrase that's pronounceable is both safe and easy to remember and easy to type on mobile devices. When I hit sign ups that require other characters while on a tablet, I frequently decide I don't need it and bail out.
1 - won't make backup of the password manager (PM) database
2 - will forget sometimes the main password of the PM
3 - will lose the cellphone where the PM is installed
4 - will not update the PM
5 - will tell somebody else the PM password
And there will be many PM, some will have flaws, bugs or backdoors. Some will work on iOS but not on Android. Some will mess up at some point and make users lose trust.
And there will be sites with bad interface that won't accept copy-and-paste of the passwords. That will require things that your random-generated password doesn't contain. Will complain about something that it contains. Will do good on the password but will have those stupid questions (maiden name? grandfather name? pet name?) that you'll be able to find in any Facebook. Then the weak point becomes the password recovery.
I just found one type of requirement that was good enough to make people take real care with the password: when the password is the one that allows anyone to withdraw cash from their account. When there is real money in the game, people take care.
Edit: misspelling, thanks for the warning!
There's no better way to communicate this to your customers than complex password requirements.
To add to the bullshit, it is so common that a site will have some idiotic rule (like "must include a number," "must have at least one lower (or upper) case letter," "must include a special character," "must not include any of these special characters," "must change password every 30 / 45 / 60 / 90 days"), that I don't even get mad about it anymore. I can't even spend the mental energy to send them an email.
Whew, thanks. I feel better now.
Special brickbat for American Express who doesn't let you use special characters in passwords - screwing up my system.
I asked Keepass for another password; it included special characters, was 24 chars long and "very strong", according to the website. Rejected.
I then noticed that the message was telling me I could not have more than 16 characters, so I trimmed the password to something rated as "medium". Accepted.
So yes, password rules are bullshit.
Edit: and if you speak German, there is a short film about passphrases: https://passphrasen.de/
The first rule for passwords, you don't talk about your password rules.
Bad UX is a defect. We need to stop giving a pass to crypto programmers who make such shitty software. Software that is not easy to use won't be used, and should therefore be considered as insecure as any other defective software.
Is password hacking really still that big of a deal? I mean, most big hacks into retail places like Target, Best Buy and others are done by getting into their POS (point of sale) systems, or hacking their networks to get at the customer data.
I just don't see a lot of one off doxxing to get into a persons email or financial records. Most groups are going after the big scores, not small potatoes stuff like a few hundred cracked password protected accounts.
I could be wrong, but it just seems like even when you protect your accounts with a strong password and triple layer redundancy and six-step protection, all it takes is one SQL injection or an Adobe Flash flaw and all that work is useless because the company holding your information was lax with their own security.
from a security standpoint. I hate the required special characters BS, especially since other sites will explicitly restrict you from using those same characters. Seriously, without a password manager of some kind I don't know how people can function online.
It's probably controversial, but I'd love to see a yellow security icon in browsers when sites are using well known https relays that can see plaintext (or are doing other obviously bad things, like running software with known zero day exploits, etc)
This blog post is a nice example: 30 requests (ublock origin blocked another 12, with those enabled the time to load increases to a whopping 28 seconds), 2.5M transferred, 7 seconds load time. And all that for 4K payload + some images.
From a VPS in Sydney, with a Good Enough bandwidth:
    root@sydney:~# speedtest-cli 2>&1 | grep -e Download: -e Upload:
    Download: 721.20 Mbits/s
    Upload: 117.89 Mbits/s
    root@sydney:~# ./rg-diag -json https://www.theregister.co.uk/ | grep -e elapsed_time -e cloudflare_time -e origin_response_time
    "elapsed_time": "0.539365s",
    "origin_response_time": "0.045138s",
    "cloudflare_time": "0.494227s",
Why does railgun help? Because this is what a user would get otherwise; the "whitepapers" site is hosted in the UK, and doesn't use Cloudflare or Railgun; it only uses Cloudflare for DNS:
    ./rg-diag -json http://whitepapers.theregister.co.uk/ | grep elapsed_time
    "elapsed_time": "0.706277s",
How much would https add, if it were done without Cloudflare's https and Railgun? That's easy to check, as our whitepapers site has TLS (although admittedly not http/2):
    root@sydney:~# ./rg-diag -json https://whitepapers.theregister.co.uk/ | grep elapsed_time
    "elapsed_time": "1.559860s",
It's a bit older, but here's some info, much of it is still valid: https://istlsfastyet.com/
First that almost every firewall out there right now supports https snooping via MITM. Example: https://www.paloaltonetworks.com/features/decryption
I forgot to pay my electric bill before I flew out and it took me nearly an hour to login, push pay my bill, accept the terms, and confirm payment. I was not a happy camper.
It seems to me that while https is a very good thing, in some cases http and low bandwidth solutions might be worth implementing. It seems to me that one might actually want to tailor this to your audience, no one in their right mind is going to waste 5 minutes loading your web page. If they are so desperate they need to wait, they are going to hate you every minute they do it.
The Cloudflare Railgun is an interesting solution, and one that could be implemented in the context of an SPA over a websockets connection. Or conceivably some other consumer of an API.
https://tools.ietf.org/html/draft-thomson-http-bc-00, and Ericsson's article on it https://www.ericsson.com/thecompany/our_publications/ericsso...
Here's a couple innocent-looking special cases that are still surprisingly hard:
1) Given an array [a1, a2, ..., an, b1, b2, ..., bn], rearrange it into [a1, b1, a2, b2, ..., an, bn] using O(n) time and O(1) extra space.
2) Given an array of zeroes and ones, sort it stably using O(n) time and O(1) extra space.
I'd be very interested to hear about any advances in this area.
I would be interested in hearing recommendations for other such sites that specifically discuss the methodology for approaching these problems.
Geeksforgeeks.com is another such resource for learning the approaches as well but I would be curious to hear any other suggestions as well.
Which modern language should I try if the first thing I miss in a language is the STL and the C-like syntax?
Then, make sure you use std::make_unique or std::make_shared rather than operator new if you are going for a C++ job.
C++98 or C++03 or C++11 or C++14 or C++11 or C++17 or C++20 ?
I've been playing around with it for a while, and really enjoy it.
That said, if you hate Ruby, keep walking...
Just to nitpick, capturing STDOUT is not that hard in Ruby at all. Definitely not as easy as Stdio.capture, but Ruby gives you a variable called $stdout, which you can assign to local variable and treat it like a file. If you would rather not print messages out during the test, then you can just temporarily assign $stdout to nil.
The new non expiring free tier in GCP (aka Always Free Usage Limits) also offers a f1-micro instance while AWS does not offer a VM as part of their non expiring free tier.
Then I found this article (written 3 years ago):
Bandwidth to Australia cost 20x that of EU or US because of Telstra :(
Good news though, Google are planning a Compute Engine zone in Sydney this year :)
If so, does that mean I can have a personal server running in the cloud, for free, forever? There's a hell of a lot you can do with a tiny server these days.
I guess I'll just have to keep using AWS/Azure/$competitorX :(
I can't seem to select "Individual" when I sign up, it permanently selects "Business" and asks for a VAT number. I don't want to lie and get in trouble with the tax authorities or whatever.
I only plan to use it for tinkering at home!
AWS doesn't do this, why Google?
I did look on the website but I couldn't find the information. I have to say on a mobile device the GCP pages are very poor IMO. Too big a font, too much spacing, intrusive sticky header and too many scrolling effects where content magically appears or disappears. And even worse - when I click the pricing calculator it doesn't fit on the iOS safari screen so it is unusable. It does feel that some CSS and JS wizard got given far too much free rein.
Make sure they changed / fixed this before trusting GAE
If anyone could confirm this is still the case please say
Edit - is GAE usage == GCP ? If not I will remove this comment immediately sorry
From what I understand based on the docs, you have to run an AppEngine instance just for the cron functionality.
No news here, just the usual business model of the "cloud": cheap in, expensive out. They rope you in with a free tier then charge you 9-18x more for egress than you pay for it running your own hardware with IP transit (or going with a VPS provider like Vultr that charges you the correct prices for it).
Have fun scaling your company economically, hope you don't need to send any data to your customers.
Quoting the page: "Always Free Usage Limits. Included products and usage limits are subject to change."
Why don't they write the truth: "Current Free Usage Limits, which are subject to change."?
This used to be fine print (which is still wrong). These days I call it bullshit print.
I ask because since 2010, Amazon.com has been running on AWS.
(Around 7m30s into video)
While many people seem to agree that the platform itself works very well, if you are developing on GCP, free credits or not, doesn't this mean you are knowingly getting into a platform that will be hard to leave?
Can someone who has worked with GCP address if these concerns are still ongoing? Also, are there some positives which are not easy to see from the outside which might have helped you choose them/stick with them?
It may be a simplification of the article that I'm misinterpreting, but as someone who got a hearing aid in early 2016, that's not how (modern) hearing aids work.
I got my hearing tested which enabled a frequency response of my hearing loss to be plotted (my hearing at low frequencies is fine, at higher freq I have moderate loss). My hearing aid is then tuned to match the inverse of that freq plot (ie boost volume of high frequencies, leave low freq alone).
You don't actually want a HA that arbitrarily boosts 'speech' since that won't be matched to your needs and has unintended side effects (like music can sound overly harsh/bright) because un-needed frequencies are being boosted or suppressed.
--On a tangent, after I got my new HAs, I complained to the audiologist that they didn't sound very good. Everything sounded far too crisp. She pointed out that having lived with hearing loss for 5-6 years, I actually had almost no idea what something should sound like since my brain had got used to a world with muted high frequency sounds.
That blows my mind ... a bit like how do you know the color green is green. Maybe it's purple, but you have been told by someone else that it's green.
After a few weeks, my brain re-learnt what sound should sound like and now it sounds 'normal' with HA in. Without HA, everything is a little more muffled (as you would expect) and I really notice how much I used to struggle understanding people (I believe my untreated hearing loss contributed to me losing my job a couple of years ago).
Hearing aids have changed my quality of life (at age 40).
> My lab was the first, in 2001, to design such a filter, which labels sound streams as dominated by either speech or noise. With this filter, we would later develop a machine-learning program that separates speech from other sounds based on a few distinguishing features, such as amplitude (loudness), harmonic structure (the particular arrangement of tones), and onset (when a particular sound begins relative to others).
> Next, we trained the deep neural network to use these 85 attributes to distinguish speech from noise.
> One important refinement along the way was to build a second deep neural network that would be fed by the first one and fine-tune its results. While that first network had focused on labeling attributes within each individual time-frequency unit, the second network would examine the attributes of several units near a particular one
> Even people with normal hearing were able to better understand noisy sentences, which means our program could someday help far more people than we originally anticipated
> There are, of course, limits to the program's abilities. For example, in our samples, the type of noise that obscured speech was still quite similar to the type of noise the program had been trained to classify. To function in real life, a program will need to quickly learn to filter out many types of noise, including types different from the ones it has already encountered
They didn't 'reinvent' anything, they improved upon an existing shortcoming.
I feel bad for the MS employees who are making awesome products but then have to deal with all the ridiculous fallout of Windows 10 decisions. Sorry for the rant, but these actions are honestly making me think about discontinuing my use and support of Microsoft's products, and I hope that someone somewhere is listening to us geeks.
For example, switching from Windows\System to Windows\System32 for Chicago made 100% sense, but how did we end up with 32-bit software stashed in \Windows\SysWOW64 and 64-bit software in \Windows\System32?
It's like that movie The Day After Tomorrow where they discuss how big a part of US they have to abandon, a few releases back Linux tossed out a lot of 90's assembler code, such purging has never occurred in Windows source tree.
Maybe I am a linux hermit, but you guys really abide this shit? I can't fathom a tech savvy person giving this kind of software a pass anymore. I know, lock in, standards, etc. But damn.
The ideal OS, much like the ideal ISP, stays the hell out of the way and does an excellent, efficient job, doing only what you need it to do.
I find other things much more annoying:
- I really like the random lockscreen pictures. But sometimes, I get ads for Xbox Games or movies from the Windows Store. It seems inappropriate at work, and people think I'm a fan of game XY although I've never heard about it before.
- On one PC, I get the infamous "Try edge, it is 20% faster than Firefox" every time I start Firefox. I assume (strongly hope) that this is a glitch...
- A OneDrive ad that really annoys me is a popup window, telling me to login to OneDrive (and possibly purchase something, IDK). It opens at startup, and at random times when using office. I think when an application tries to open a file that doesn't exist on a network drive triggers it also (!?). I can deactivate it, but it comes back after some time.
I have no need for OneDrive (as I already use Dropbox and Nextcloud). It's fine that you offer it to me once, but please let me opt out and never be bothered again.
On the positive side, maybe this means that there will be finally a proper common integration of sync providers? Every service places their icons in different places. Dropbox, Nextcloud, OneDrive, Google Drive, CERNBox (proprietary service at work). It would be really funny, because then this would mean the linked tip is another one of those frequently repeated tips that actually make you experience worse (as you can't see when a future Dropbox is trying to tell you there was a sync failure...).
They have a monopoly sized market share of desktop computers, which they are using to unfairly boost their Dropbox competitor.
This seems very similar to the very behavior that earned them an anti-trust smackdown.
Then again, I don't blame them, with the current administration you could probably murder children and not face any real push back from the DoJ.
    $ git clone git.kernel.org/linux.git
    ***** TRY SUBVERSION ENTERPRISE FOR $49.99/MO ****
It's sucky but definitely not just an MS thing.
Disappointed in you, Microsoft.
And I say this as someone who's been really enjoying Windows 10 and Microsoft's recent opening to the world at large.
Somehow I am reminded of this essay by PG:
"The other big force leading people astray is money. Money by itself is not that dangerous. When something pays well but is regarded with contempt, like telemarketing, or prostitution, or personal injury litigation, ambitious people aren't tempted by it. That kind of work ends up being done by people who are "just trying to make a living." (Tip: avoid any field whose practitioners say this.)"
Have you noticed how close to telemarketing the entire Windows 10 upgrade process was, especially to Windows 7 customers who were very happy with their OS?
Does anyone know an alternative version of windows 10 costing extra $$ for which is guaranteed without "telemetry" "forced updates" and other hostility? 3rd party add-ons to disable this behavior are just temporary hacks.
If there isn't a 'windows-10-guaranteed-isolated-edition' kicking around, windows 7 will be the last microsoft OS I ever install on bare metal.
But I am convinced this good will was a ruse, a charade, to excuse their questionable business practices at the expense of the consumer. Advertising directly inside the O.S. is a good example.
And we, who reaped the benefits of this goodwill, are more likely to turn the other cheek when they are out of line - especially if (god forbid) our product relies on Windows.
"Oh, that's just Micro$oft being Micro$oft again."
"But what about all the good things they've done lately?"
Making the ancient file explorer that already has a shitty usability even worse is almost like asking us to stop using it.
It'll be interesting to see if this is compatible with UK regulation of advertising, which says that any adverts must be clearly identified as ads.
Set-Privacy.ps1: PowerShell script to batch-change privacy settings in Windows 10 https://github.com/hahndorf/Set-Privacy
One can only imagine the state of this mess in three years. Let's not forget that win10 is basically just one year old. And they already have it in such a ridiculous state.
I've not seen anything to suggest they've fundamentally changed since then. The Microsoft that wrote the following in 2002:
"Messages that criticize OSS, Linux, & the GPL are NOT effective. Messaging that discusses possible Linux patent violations, pings the OSS development process for lacking accountability, attempts to call out the 'viral' aspect of the GPL, and the like are only marginally effective in driving unfavorable opinions around OSS, Linux, and the GPL, and in some cases backfire. On the other hand positive OSS, Linux, and GPL messages are very effective - both across geographies and audiences."
... is still with us today, and their current strategy is merely a reflection of their assessment of their marketing.
The 'nice' Microsoft you see today is a PR exercise based on their discoveries, 15 years ago, about the (in)effectiveness of FUD tactics against open source software.
Doctor: So do you want the $500 edit to ensure your child won't have diabetes. How about the $2,000 Autism edit? Then the gender change edit is too late to perform. We could do artificial insemination and guarantee the gender of your child.
Here is a decent general article on the pros and cons.
All the same, the fact that we're close to gene editing feels like something out of a SciFi book, and I think that's pretty cool.
Thank you NASA!
I assume that the LRO is active, since they mentioned people that were still on the team, so they must have just been using it for target practice.
We can track objects in space like these - yet we failed to track down MH 370.
"Vanish" suggests to me it was portaled to an alternate universe, engaged its cloaking device, put on its ring of invisibility or something.
P.S. I found Haxe by following some of the 7drl entries. But I think I would like to use Racket to make one one day.
As someone who's wanted to try making something like this for a while but just doesn't know where to begin, can anybody recommend useful resources or suggestions on how to get started?
If it helps, I work mainly in C# and so would prefer that if possible, but this could be a good way to get familiar with a new language.
Outside of that, I'm digging this.
I also in general find AMP pages to be a bit of a UX nightmare.
Outside of raw speed, I have nothing good to say about AMP pages, and the speed is nowhere near good enough to justify using them. They make the Web a worse place for the sole benefit of Google. They are abusing their monopoly position in search by forcing AMP pages down people's throats.
(Edit: not that this is necessarily great for publishers or the ecosystem!)
The AMP team is working with analytics vendors to display data as realistic as possible.
At AMPConf on Tuesday eBay gave a great talk how to deal with this phenomenon. Video will be out soon.
We measured "active time on page" based on how engaged the user was on the page: were they scrolling, clicking, moving the mouse on a focused page, etc. It wasn't perfect, but it was much more helpful to publishers than Google Analytics' page-level metrics.
Is it just that you're not allowed to use third-party plugins for ads and tracking, and instead have to use a single standard Google plugin?
I'm still hopeful that publishers will bring a class action lawsuit against Google and force AMP's closure. Sooner the better.
At the same time, I feel the article goes a bit overboard with "birth of TV as art". You can go back even earlier to Twin Peaks, for example, as raising the bar for TV to the level of art. Other shows have gotten similar acclaim.
Not to diminish Buffy, it's a classic and it certainly transcended the "teen entertainment" genre.
Much easier to read one-handed on the train, and having a good backlight makes for convenient reading at night (with the screen brightness turned down enough that it doesn't bother my partner). I've pretty much stopped buying paper books now, while with my old kindle, I'd alternate between paper and digital books.
He was denied a US visa because "attending a conference is not a good enough reason".
My friend with the agency who has a visa is concerned he won't get thru immigration. He was planning on expanding to the US, but has shelved those plans.
Is the next step having an additional Canadian office for those that can't get US visas? Canada has a generous startup visa for founders coming from other countries.
It might be more sensible to open a second incubator in the EU. Berlin, Amsterdam, Dublin, Barcelona, there are plenty of options. (London is a good choice on paper too but pray tell what'll happen after Brexit.)
I'm happy to assist YC and/or founders with anything requiring local experience or a local presence. Send me an email.
I'd like to know the reasoning behind choosing Canada as an alternative interview location because from experience, it is easier to get a US visitor visa than that of Canada.
Nigerians cannot even transit the Canadian airport without a visa which takes upward of 8 weeks to get AFTER approval vs days for the US. Requirements for Canada are more onerous.
1. A country of interview per continent. For instance, Dubai will cover Africans + Middle East + Europe
2. Shortlist some countries and let people select 2 options to interview at.
On paper, the passport index looks like a good way to do it but doesn't take into account spread of countries that can visit
So, I say, with all sincerity, "thanks, Trump."
There's an old saying out there that history is merely a set of cycles. I suppose we'll see if that is true in the upcoming years.
*one note I would add is that with recent policy uncertainty (i.e. healthcare) the advantages of hiring around the world have come into starker relief. That's even more dangerous. Sure, the United States may become less competitive in the war for talent because of walls and tighter borders -- but it'll become less competitive, period, for companies relying on high-skill workers who by definition will be close to or at the peak of their physical and/or mental health.
To which I can assume there is cultural shock even when they go to the East Coast
But the world is big and not everything that happens appears on HN (or even on English speaking media).
Canada is a lot more open than the US at this point in time, but it's not all roses for people even to get to Vancouver.
What if there were a hub in, say Dubai? And a few other spots around the world?
I imagine Ycombinator would be one of many potential clients. Universities whose students have to delay a semester might use it. Other institutions would use it.
Welcome to Vancouver.
I mean, YC's still onboard with Peter Thiel: YC Partner, one of Trump's most significant individual donors, and founder of Palantir, the analytics services company that's powering the Trump administration's purge of immigrants (http://www.cnbc.com/2017/03/07/peter-thiel-palantir-trump-im...).
But good for YC. Helping several foreign entrepreneurs break into the Valley scene. Moving the needle.
With virtual reality, 4k HD conferencing and network bandwidth which can support both.
California taxes and real estate prices in SV will make more businesses move to Texas and other states where there is little or no income taxes.
What about people with families or dependents that can't afford to uproot their life and relocate to SV?
Don't get me wrong, this is great, but it would be even better if it expanded to include additional circumstances.
EDIT: It'll work pretty well for people coming from countries which have the Muslim ban.
One of the easiest tourist visas to obtain for vast majority of nationalities, with cheap flights. Near EU, other Asian countries, and Africa. Thailand and Singapore could be other options, but they are far from EU.
How many applicants does YC have from countries with visa issues?
Has any YC applicant been denied entry into the US? If so, what were the circumstances?
In looking through YC historical records, how many people, on average, would typically apply from affected regions?
How many of those people were accepted into the program?
How many of those people succeeded?
In the age of Skype, why can't interviews be conducted without the need to travel?
Yes, I understand speaking to someone in person delivers a lot more information than possible through online meetings. An initial online meeting could function well as a 1 to 3 pass filter leading up to an in-person meeting, thereby providing a lot more time to deal with visa issues.
I am taking a wait-and-see attitude with regards to visa restriction issues. As is the case with any startup or new venture, mistakes are made, non-ideal rules are implemented, some confusion seeps in, etc. So long as the process is one where the right solution is evolved and the ability to pivot is retained things eventually improve. These rules should not behave differently.
What gives me hope? Take a look at who sits in Trump's business advisory council (not sure this is a current list):
It would be inconceivable that this topic isn't discussed with frequency in these meetings.
If I were to presume to be able to give YC advice it would be this:
Use your connections to gain a seat in this council.
Being part of the dialog is the best way to effect positive change. That doesn't mean agreeing with all policies, it does mean you'd be heard at the highest levels rather than not.
And, if you do gain a seat in this council I would further ask that you work hard to convince the administration to take the SBA and convert it into a YC-style program where, in every city of this country, entrepreneurs can have access to not just funding but a real support infrastructure to chase after their ideas.
The SBA has never been of real use to the myriad of startups that have revolutionized the world. If you want to borrow $100K from the SBA you better have $100K in the bank, or more. And the "advisers" they offer-up are often so far behind the times they are only good to help open a doughnut shop or more traditional non-scale-able businesses.
Yeah, do that and the immigration thing and you'll change this country. But you have to be on the inside to do it.
It's also probably not fantastic for the United States to be strip mining the entire >130 IQ population of eg Sudan and packing them into SF/NY/DC to work on ad optimization when they're desperately needed by their own people; setting up infrastructure to work remotely is a great first step to eliminating the brain drain problem period.
> Trump is the Silicon Valley candidate in every way except that the ideology is flipped, said Sam Altman, a prominent technology leader, chief executive of Y Combinator.
So now that the government has been "disrupted", YC has decided to avoid the issue by fleeing the country? Maybe instead of avoiding the issue, YC could organize Silicon Valley and spend some of its political power actually addressing the issue (lobbying, funding local candidates, etc). Silicon Valley is home to many fantastically powerful corporations and individuals, it's time they took a stand for justice.
If the US's new shiny fascist regime keeps progressing at this pace, you can bet that things will reverse quickly. Good bye, world leading startups, Nobel prizes, top universities, etc. These things can happen faster than one tends to think.
The best thing countries like China could do right now is heavily open up to English, and fund things such as foreign PhD students. Everyone is fighting to get into Harvard and MIT right now, but a half decade of Trump policies could have drastic consequences a few decades down the line and give us a very different world.
Edit: some followup to this comment further below https://news.ycombinator.com/item?id=13831085
People also seem to get stuck on "China" in my comment. If that makes you unhappy, replace that word with Brazil, Japan, Singapore, Estonia, whatever you want... the point is, viewed under the "startup lens", this new administration makes the dominance of the US in STEM/entrepreneurship ripe for disruption by a more nimble, flexible entity.
Please explain if otherwise.
This entire article could, and should, be a single sentence title. "YCombinator holding Canada interviews for founders without US Visa".
>The Association of Hot Red Chili Pepper Consumption and Mortality: A Large Population-Based Cohort Study
>In this large prospective study, we observed an inverse relationship between hot red chili pepper consumption and all-cause mortality, after adjusting for potential confounders. Adults who consumed hot red chili peppers had a 13% lower hazard of death, compared to those who did not.
By the way, a great way to relieve the "pain" is by eating bread (use your tongue to move the bread around before swallowing).
PS: managed MySQL is currently the most requested additional service on Azure:
.. and managed Postgres + MySQL are currently the third most requested feature in relation to their managed DB offering
Source: Work on Cloud SQL.
Edit: Nevermind, it does! https://cloud.google.com/sql/docs/postgres/extensions
Don't get me wrong. GCP as a product is really awesome. I've been using GCE and Datastore for a project and they just work. I just can't trust Google enough to bring all my works to their cloud.
Postgres has it, but it is kind of a pain to set up correctly and I love RDS because I don't have to deal with the setup anymore.
Edit: not a complete end of the world, but it would be really nice (and completely easy/safe) to have the uuid-ossp extension available.
Is Google contributing anything back into Postgres codebase?
They could have named something different for the product - Cloud SQL? seriously.
With so many DBaaS tools available, I'd like to know the best options for things like pricing, availability, features, tooling, monitoring, etc...
Anyone have any comments or experiences with the Google app engine flex environment for ruby?
It looks like there aren't many you can't use SUPERUSER, and they enable extensions, options, and parameters one by one at request.
Seriously, who is this for? I have no idea - SSD VPS like this is about $10/mo ...
And therefore, the one who built it is not the person who makes it his life's mission to break it. Breaking it means more work, more searching for bugs, and then testing again. And nobody likes doing that. Except for awesome testers. They love looking at the face of a desperate developer getting frustrated by a nasty bug.
I'm not frustrated with testing in the slightest. I consider it a fundamental requirement for any serious production application.
I get the impression that people tend to be far too dogmatic about testing methodologies. Write lots of unit tests, as long as they add value or help improve stability. Not everything needs unit tests. It depends on what the module does, and how it relates to the application.
Now this is only one in a myriad of nuanced struggles which I can potentially face as a developer when deciding what and how to test. When these tools facilitate this need without creating such an undue burden then I, and I'd bet many others, will naturally gravitate toward automated testing.
Automated testing is the process of writing code to understand your code. We already have to understand our code. Testing is being deliberate about that understanding and writing it down. The same design/testing thoughts that lead us to edge cases can lead us to their elimination without testing at all. It's an integrated process, not something separate.
I find that the two tasks of writing functions and tests for those functions are closely intertwined. I like for developers to write their own unit tests, and then for Q/A to develop the functional/integration tests from the perspective of the client (machine or human).
It's very difficult to come in after the fact and write unit tests for someone else's code, especially if they weren't thinking about writing testable code.
and if you leave end-to-end to a tester they'll have to learn to code.
My current project has objects that are only ever used once in one place but still have abstract interfaces, lots of injected parts & test cases. It's only a simple class, it doesn't need all this extra complexity. For me it's frustrating that lots of people think it's "good design". Sure - you need to be able to test your application but unit testing everything is rarely the right way.
Note: The demo is pretty slow to initialize