adrtessier's comments

adrtessier | 10 years ago | on: Stripe was down

I think generally when every alarm bell in your monitoring system goes off the first thing you do is question whether monitoring is broken. When you confirm there is a problem this big, you panic and try to fix it really fast. Then you call your other on-call guys and tell them you actually have an "oh, shit" situation.

Once you recognize there's a serious problem, THEN you make the public announcement. Ah, the life of ops.

adrtessier | 10 years ago | on: How to Predict Bad Cops in Chicago

I love the idea of labor unions in the private sector. It gives small voices some power against exploitation, and collective bargaining is something the anarcho-syndicalist bit of me loves to see happen as a form of self-governance.

No matter how I look at it, I can't see any net good for voters when public employees unionize. Public employees are meant to serve the community they are employed in. The benefits of taking a government job are supposed to be in that you have a direct result in helping the communities around you; instead, the benefits most people see in government jobs are fat pensions and a bureaucracy that, if you're clever enough, you can get lost enough in to where you don't actually need to work to get paid. If anything ever hits the fan, you have multimillion-dollar, politically-connected attorneys ready to serve you.

In the case of police unions, it strengthens the "thin blue line" into a powerful bureaucracy that only looks out for the interests of its members, very often to the detriment of the people these public servants are supposed to be serving (and always in cases such as we've seen in Chicagoland recently.)

I would love counterexamples to this thought. I can't seem to find any of recent noteworthiness, but that could be due to the current anti-law-enforcement/anti-government streak getting pageviews in the news these days.

adrtessier | 10 years ago | on: The Pebble smartwatch finally does real fitness tracking

> I won't say that it's strictly because of the watch, but I'm now about as fit as I've ever been

I will gladly credit my Fitbit Aria scale for the same result.

Interestingly, it is less for the feedback it gives me in the short term and rather the long-term graphs. I know that if I want to manipulate the scale up or down in weight and fat percentage, I have to be consistent over really long periods of time. I almost never miss days running or at the gym, my days of heavy drinking are long behind me, and I feel orders of magnitude better than I have in years past. These systems really are fantastic tools, and show that the application of game mechanics can be a force for enacting strong positive change on a personal level.

adrtessier | 10 years ago | on: How Product Hunt really works

> PH presents as egalitarian and meritocratic, but that's clearly horseshit.

From my experiences, Product Hunt is largely a byproduct of a greater scene in which this is very often the case. It is one of the things I dislike most about Silicon Valley, and is something I have tried hard to make sure I can avoid in some way or another. I have been better or worse at it at different times.

There appears to be a strong component of success-by-networking in the tech industry that I have tried to opt out of, largely because I am afraid that if I get too deep into the networking games, I will begin to lose an objective sense of what I can accomplish technically, and no longer be able to personally calibrate for myself whether or not my work can stand successfully on its own. I bought into a lot of the rhetoric of the endless meritocracy early on, and found the wizard behind the curtain is still often based upon the ol' boys club. Deciding to take this approach has probably hurt my career as a developer in many ways.

This type of stuff is why I have been afraid for years to contribute to sites like Hacker News, even though I have been lurking on this site for five or six years. It's a weird situation for an introvert, to want to be able to contribute to a community I have extracted so much value from, in hopes of adding some back to it in whatever way I can, but also being somewhat terrified of getting absorbed into the echo chamber.

adrtessier | 10 years ago | on: An Artist Who Obsessed the FBI

> "Nonetheless, after a perfunctory investigation lasting two days that consisted of brief interviews with Lombardi’s girlfriend, Hilary Maslon, and Lombardi’s parents, the Williamsburg police declared the death a suicide. The studio door, securely locked from the inside, showed no signs of forced entry except for the transom the police had opened themselves. Lombardi’s body was not marked by struggle, and the hasty autopsy determined that his injuries were consonant with having hanged himself."

While it's easy to cry "conspiracy theory, everybody was in on it!" I generally believe the majority of these types of deaths, if they are actually shady, do not involve local law enforcement as co-conspirators whatsoever, regardless of the people who want to believe.

It seems that the upsides for actually following rabbit holes in these types of circumstances are little to none for local law enforcement. If you're a local law enforcement agency with few resources, what's a better outcome for the image of your agency? Take Occam's razor, even under suspicious circumstances, send the body to the morgue, and call it done, or send one of your detectives into the labyrinth?

Sending the detective into the labyrinth has two risks, both of which are bad. You'll either end up blowing a bunch of time on a conspiracy where one does not exist, or, in the case that there is, you will probably just end up sending a detective into a world of classified disaster and end up collateral damage of a much more powerful, much more insidious organization. Either way, probing further means you'll lose face. Most will choose the path of least resistance.

adrtessier | 10 years ago | on: Rediscovering MVC

I agree. I think "MVC" has been abused to the point where it means "the insides of this don't look like a PHP app from 2007, where it's function soup."

adrtessier | 10 years ago | on: Opera for beginners (2001)

I'm a counterexample, I guess: Tosca was the first opera that absolutely enthralled me, cliche or not, even though I had seen others before it. It's my favorite.

Me aside, The Marriage of Figaro is the first one I tell people to see if they can. Act I is engaging from the beginning, and I think does a good job of bringing people into the right mindset to appreciate it even if they don't get opera.

adrtessier | 10 years ago | on: Opera for beginners (2001)

I was coming here to also recommend "How to Listen To and Understand Opera". For the longest time I could not figure out opera at all, and even when I thought I understood it, I learned that I quickly did not.

Learning (or, for some, tolerating until they "get") opera requires a very different frame of reference than learning pop music, or even understanding subgenres of more popular genres. It is one of the more difficult concepts I have had to wrap my head around for some reason.

Out the other side of it, though, I am happy I gave it a go. As an example, the San Francisco Opera is a great company, and as opera patrons age into oblivion these institutions will be finding themselves without an audience if younger generations do not take the time to give opera a go. It is not what most people think; everyone I have run into in the opera house has been courteous, and I haven't detected a hint of snobbery. A night at the opera costs you about as much as seeing a major film, and the sound is pretty magical.

adrtessier | 10 years ago | on: Western Digital and OwnCloud Team Up to Bring OwnCloud to Home Users

Kenton, thanks for all of the work you and your contributors do on sandstorm.io; I have referred this project to many people wanting to get their feet wet "running a server" as a way to do something without instantly cutting yourself. Have you considered writing a how-to article on replicating ownCloud-like functionality within Sandstorm using apps? It might be a good first step, and I believe that it has the possibility to help people move onto (what I personally believe is) a superior platform.

adrtessier | 10 years ago | on: Tor hires former EFF chief as executive director

If that's the case, Roger Dingledine is probably the one that should become a non-US person, given he is still leading the technical side of things from what I can see. He could be NSL'd just the same. At the end of the day, Tor is an American project, and still has to play to some extent by American rules. Doing that above board is really all they have.

adrtessier | 10 years ago | on: Tor hires former EFF chief as executive director

I agree with you 100% that Tor has its problems, and that it is a research project. It is not, and I do not believe it is, a panacea for strong anonymity on the web, and it is not intended to provide protection against a lot of things people think Tor provides protection from.

However, I disagree with your statement that Tor is not worth continued support. Even with its imperfections, I believe the Tor Project community is still working toward useful and productive goals on anonymity research, and is still a flagship of that to the greater public that is interested in protecting their privacy online. Maintaining a basic level of support for these ideals is parallel to Tor, but Tor in many ways is also a representative outlet for them.

Regardless of Tor's actual effectiveness, Tor's current profile is likely to make it the first anonymity tool of its kind to get attacked in the courts, especially if someone can do more than pretend there is a link between Tor and Islamic terrorism. How the Tor Project handles the litigation and political process that will stem from this heat will probably set case law, and with it court precedent, for other anonymity tools that come in its future. In that regard, Tor could become the PGP of the so-called second crypto wars.

adrtessier | 10 years ago | on: CommonCrypto in Swift

Ack. If you need bindings in iOS, just use libsodium?

As far as I am concerned, everything about this is a little scary. Some guy like tptacek will come in here and school me (please do, senpai), but even a crypto novice* like me can see there are a thousand ways an API this low-level can go wrong. Some off the top of my head:

1. ECB mode might as well not be implemented. It sucks in a thousand ways, only one of which is the one displayed in the talk. ECB is half of the time the first crypto mode a novice implements (IV? What's an IV?) and using it over the wire is an instant replay attack vulnerability.

2. There is no sane default to AEAD of any sort, and modes like GCM do not even appear to be supported, per this talk. CBC is malleable [1]. Both BEAST and POODLE attacks were on TLS CBC.

3. DES? Seriously? Can we not deprecate this in new libraries, or at least make it a forced add-on to the library vs. an easy to choose built in?

Way too much is left to the developer, all of which are easy ways to shoot one's own foot. I hope you get your KDF right. I hope you get your cipher mode right. I hope you generate IVs from a proper, cryptographically secure random source and don't reuse them.

Low level crypto libraries like this are danger and death, and someone with half the ability to implement a Swift-only library like libsodium should roll in here real fast, and save the Swift community from this mess before people start mucking around with all of these primitives in their production code. It's only a matter of time if this gets a lot of airtime without an easier solution. Instead, we'll probably end up with a few "secret messengers" that use "industry-standard Apple CommonCrypto library" and a string of primitive names.

These things are effectively an insecure default to publish these as the standard library. Wrappers on this stuff should probably be the default and the best practice from those writing language standard libraries should probably develop those the moment they have primitives available. To use a non-crypto analogy, think of using SimpleHTTPServer instead of socket in Python. We should have SimpleCrypto, with sane, secure defaults and standard primitives. It's a damn shame only a few people are pretty much qualified to audit and write this type of thing these days.

[1] http://cryptopals.com/sets/2/challenges/16/

* The entirety of my cryptographic knowledge comes from Katz, Schneier, reading a bunch of IACR papers, watching the Crypto conferences, and doing all the crypto challenges I can find online to solve. I believe that I know enough to be dangerous, and that is enough to know I wouldn't fucking touch this in a production app.
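The ECB and AEAD points from the comment above, as an added Go example that is not from the commenter or the talk: it uses Go's standard library instead of CommonCrypto, and the key, record plaintext and nonce handling are constructed for the demo. It shows the structure leak of ECB (equal plaintext blocks give equal ciphertext blocks) next to an AEAD (AES-GCM) refusing a ciphertext with a single flipped bit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// ecbEncrypt runs raw AES over each 16-byte block independently: ECB mode, no IV, no authentication.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i+aes.BlockSize <= len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// ECBLeaksRepeats reports whether two equal plaintext blocks encrypt to equal
// ciphertext blocks, the structure leak (and replayability) ECB is known for.
func ECBLeaksRepeats(key []byte) bool {
	pt := bytes.Repeat([]byte("balance=00001000"), 2) // constructed: the same record twice
	ct := ecbEncrypt(key, pt)
	return bytes.Equal(ct[:aes.BlockSize], ct[aes.BlockSize:2*aes.BlockSize])
}

// GCMRejectsTamper seals a message with AES-GCM (an AEAD) under a fresh random
// nonce, flips one ciphertext bit, and reports whether Open refuses the result.
func GCMRejectsTamper(key []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	ct := aead.Seal(nil, nonce, []byte("balance=00001000"), nil)
	ct[0] ^= 0x01 // one-bit change; an unauthenticated CBC receiver would decrypt it anyway
	_, err = aead.Open(nil, nonce, ct, nil)
	return err != nil
}
```

An all-zero 16-byte key is enough to run both checks; a real key must come from a proper KDF or a cryptographically secure random source, as the comment says.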

adrtessier | 10 years ago | on: Gaffer: Large-scale graph database by GCHQ

I feel as you do. As much as I am loath to accept anything coming out of one of these organizations as an open-source project, I think it may actually do us more harm than good by attacking this project out of protest for the way they use their tools.

We can be as negative as we wish towards these agencies, but rejecting any and all attempts at communicating with the open source community is a strong way to reinforce their already insular culture. Embracing these projects in some way or another can possibly work as positive feedback toward greater organizational transparency, if not by the brass, then by the developers and engineers that work in these organizations.

adrtessier | 10 years ago | on: Tor hires former EFF chief as executive director

It is hard for me to come up with a better strategy for a Tor executive director, than to hire someone who is both a proven electronic civil liberties activist and a competent attorney to lead a project that has already been feeling the heat. Unfortunately, Tor likely will be publicly thrown to the angry mob by an ignorant representative the moment it is politically expedient and be seared on the grill of neocon pundits, all while the USG continues to push it covertly in places where American influence cannot as easily penetrate due to network censorship.

Steele has a long road in front of her, but she seems to be a great person to lead this project to success. Congrats to everyone working on the project; it is truly necessary in places like Iran to see a neutral Internet.

adrtessier | 10 years ago | on: Plumber sues Ford dealer after truck with logo was used by extremists in Syria

> I'd like to see an investigation, however, why a perfectly working truck was shipped overseas and left the American market.

There is a massive number of used cars in the US, and historically a large demand for these types of vehicles in Africa and the Middle East, where import taxes are lax and it's far easier to register a gray market vehicle than it is in the States. Trucks like this can fetch a much greater premium in those areas, and it is profitable for import/export companies to ship them there.

adrtessier | 10 years ago

If you don't mind me asking, in which city do you live?

adrtessier | 10 years ago | on: Hi, I’m from the games industry. Governments, please stop us

What about anything else where you are paying for the experience? While not a perfect analogy, Walt Disney World comes to mind: it's a place you take your family, and you are subject to potentially spending tens of thousands of dollars there, in the parks and the hotels, on food and attractions. Amusement parks, like casinos, are labyrinthine and optimized to take your money, and food/drinks are usually extremely overpriced for the quality. Leaving souvenirs aside, is this, too, something you are against?

adrtessier | 10 years ago | on: Avast’s man in the middle

I'm quickly understanding that I need to learn to be more specific as to what the premise of my statement is before I comment here.

I agree with your point as to fixing all holes; I was making the point more toward people freaking out that these AV systems are inserting the certificates and inspecting the traffic in the first place. Sorry for the confusion.
