
Comment Re:Tough, Apple (Score 1) 180

The problem is Apple *did* implement the standard, this is a classic submarine patent. Apple is using the standard SIPS+SRTP protocol... but guess what? These guys patented it a year before it was standardized, and now it's the de facto standard in everything (IP Phones, LTE, literally all voice communications now use SIP).

So these guys printed a mint by patenting something, then getting standards bodies to adopt their standards, then claiming everyone infringes by implementing the standard.

Comment Re:My give-a-darn meter is reading negative GADs (Score 2) 180

By my reading, this company VirnetX claims to have patented SIP... So Asterisk, Grandstream, and everyone else is probably on their list as well. Anyone who sets up direct communications between 2 endpoints violates their patent.

According to what I've read, using SIP secured by TLS/SSL and SRTP was only "standardized" in 2004, 1 year after these guys patented "setting up an adhoc VPN" between two devices automatically (which is what SIPS+SRTP does) according to them.

So, I guess we'll all use VoIP again in 2023, once this patent finally expires.

Comment Re:As usual, some things got left out... (Score 1) 161

How is it sloppy security practice? You're seriously arguing that *every* *single* *api* on the internet *must* implement oauth right now because the api *will* be reverse engineered and users will be tricked into providing their credentials directly to a third party? Even when third party apps are not authorized? Every company with an api on the net *must* provide for third party access?

Oauth doesn't provide any security anyway. Users will still be tricked into providing their credentials directly to third parties (on phishing oauth portals). What's going to stop someone from spoofing an oauth portal, and distributing an app that redirects to said portal? User enters username/password on spoofed oauth portal, third party has creds, does nefarious deeds. Oauth provides precisely 0 security if the user is not careful.

Comment Re:Those who attempt to re-create Oauth... (Score 1) 161

Well, I'd argue this is one such context. There is no third party, Tesla's API is not designed for third party access, it's designed for Tesla app -> Tesla API communication. Adding Oauth to this workflow, just for kicks, certainly would decrease usability, as you'd get redirected to a third Tesla page, to provide your credentials and generate a token for Tesla's own app.... The Facebook and Twitter apps published *by those companies* don't use oauth, they ask directly for your username/password.

Saying Tesla's app should use oauth is crazy. Saying that anyone who publishes an API on the internet *must* implement oauth so third parties can access the API is equally crazy.

Comment Re:Those who attempt to re-create Oauth... (Score 1) 161

Tesla wasn't even trying to re-create Oauth, they *don't* provide third party api access. They implemented a perfectly reasonable first party api authentication mechanism. If users are inclined to give their creds to *unauthorized* third party apps then that is on the user.

Every API in the world shouldn't be *required* to provide third party access.

Comment Re:Major fail for Tesla (Score 1) 161

The problem with the article and the sentiment you express is that this api is *not* a third party api. It is not published, it is not intended for use by third parties. Oauth is a PITA. Why would Tesla set up Oauth between themselves and... themselves?

Oauth is designed to work between 3 parties, the user, the "authenticator", and a third party app that wants to access the authenticated service on behalf of the user. In this case, Tesla implemented an API for their app to communicate with, so there is no third party involved, and the system wasn't designed to support third party apps. Now, intrepid hackers have reverse engineered this api, and services have begun popping up that provide "functionality" via this api, but they require you as the user to fully trust a third party that is *violating terms of service* and using an unpublished api that they've reverse engineered. If you as a user trust this third party you are foolish.

There are no Tesla approved third party apps, this API wasn't designed for use by third parties, so why would anyone expect Tesla to implement a third party authentication protocol? Is the argument really that *any* API exposed to the internet must provide access to third party apps? That seems a rather untenable position to take. Certainly it's not unreasonable for Tesla to ask for your username/password in *their own app*?

I'm much more concerned about banks not implementing oauth, and the fact that there are literally millions of people handing out their banking credentials to third party apps (mint, money desktop, etc). These apps are storing much more important (and much more valuable) info than any hacked third party app to honk your horn.

Comment Re:OAuth for Apps? Seriously? (Score 2) 161

The problem with the article is there are *no* authorized third party apps that use this API. Tesla does not provide third party access.

People have reverse engineered the api, and then if you give these third parties your credentials, they can make calls to the api and do things to your car. The article is arguing that *any* API that is exposed on the net *must* implement oauth so that third parties can use it. Seems pretty crazy to argue that any api exposed to the internet must implement third party app access.

Comment Re:No Google apologist here (Score 1) 555

I don't know where in the US you live, but where I live (yes in the lower 48) I've been hosting servers happily on residential connections for 13 years, using 4 different ISPs over that time frame.

Every ISP I know of here (centurylink (qwest before buyout), att, and xmission) will gladly sell you static IP addresses on residential connections. Not 1, but a block of 16 or 32 (heck xmission will give you a full class C for just $60/mo).

Why on earth would you buy a block of 16 IPs if you can't host servers on them?

Now, since it's not a business class service, you wouldn't want to put anything that needs super high availability on this connection, but that's perfectly understood, I'm hosting a few personal web sites, a couple blogs, a code repository, and a minecraft server... If the rest of the country really is so seriously locked down against having a mail server in your basement, I guess I better not move ever.

Comment Re:Again Slashdot Cant Read (Score 2) 555

I didn't see that anywhere in the linked article, but *LOTS* of ISPs will let you run a server, even comcast will sell you a static IP (for $30/mo) and let you run a server. Sure if you're filling up your upstream pipe 24/7/365 they'll probably get upset with you, but I've been running servers in my house since 2000 when I first got dsl, business servers, hosting websites (mine and other people's), hosting email, blogs, voip, code repositories, minecraft, you name it... I've been on 4 different ISPs over the 13 years, and have never had a problem (even when the ISP was qwest... well there was a reliability problem then, but not a "shut down your service" problem).

Comment pretty f'ed up google (Score 2) 555

Well.. I used to be jealous of the google fiber cities...

Now I'm happy to live on with my 40mbps/20mbps connection with 16 static IPs and an ISP that happily lets me host servers in my basement...

(minecraft, git repos, a couple web servers, media server, encrypted voip server for friends and family.... ) All cranking away on a couple old dell servers from ebay...

seriously I wouldn't go near google fiber with that policy if they paid me to use it, in fact they couldn't pay me enough to use it (well... maybe if they paid me 6-700/mo so I could afford to colo my 2 servers in a cheapo datacenter)

Comment Re:how many of the jobs didn't exist as well? (Score 4, Insightful) 233

Sure, I didn't completely understand/put together the multiple offers/engineer thing... as a previous poster pointed out. But as the previous reply stated, that basically makes the numbers meaningless so why share them at all except to brag... In that case it's just a case of statistics (of the lies/damn lies variety)... They picked the biggest number they had (total value of all offers, regardless of whether all offers could be accepted) and put it next to the smallest number they had (number of engineers) to get an "ooh wow" effect.

It has nothing to do with their potential revenues as that is based on accepted offers, hence my assumption of 1 per person. It is then impossible to infer anything about how many offers each engineer got, or how much the individual offers were for (although, on average each engineer did get offers worth 350-500k/yr... just might have been spread over multiple offers). Each engineer could have received an average of 5 offers of $68k/yr each and that would hardly lead to any of the conclusions of the original article... IE that there is a labor shortage, or that companies are having a hard time finding people willing to work (or even that "there's a huge need for something better in this space").... But again you can't tell anything from these numbers without the total number of offers, or the average number of offers per engineer....

My mistake was assuming that the numbers had some meaning... Unfortunately they don't. No reason to get all uppity though, sure I made a mistake. I can own that :)

Comment Re:seriously? not this again (Score 3, Insightful) 233

I agree with your premise there are lots of "developers" who have worked on a project that used technology X... And realistically only a couple members of any team are producing 70-80% of the code, but the recruiting agencies and HR depts are a huge part of the problem. I am (no really) in that 5%, but I have the hardest time finding jobs, because I've worked all over the map... From designing huge networks, to automating deployment of tens of thousands of network devices, to DB design/DBA type work, to software design, development, etc both web and client based. HR departments are so keyword driven, they don't know what to do with my resume. I'm repeatedly told by recruiters "Well, this company only wants java experience, so you're out because you have other experience on your resume". Or: "Your C++ experience isn't recent enough"... Sure it was 2 years ago, I'm sure the fact that I've been integrating a large C codebase with python to make it scriptable for the last 2 years I've forgotten all my C++... (And oh no that reminds me... it's now been 4 years since I used java professionally.. I'll probably never get another java job again... or is that a good thing?)

I regularly teach myself new tech, and really enjoy working in the field, but the miscommunication between development and hiring managers/outside recruiters is very painful to deal with. I shouldn't have to explain to someone who's never written a line of code that there is very little difference between all these languages, and that I know I would be productive on a project written in C, C++, Java, C#, Python, PHP, Perl, Ruby, Javascript, or SQL within 2-3 days at most. Hell, I was one of the most productive Foxpro programmers at one job I had (no I don't list foxpro on my resume) and I don't even know the language, but I could sit down in code review with the foxpro developers and find/fix bugs all over the place.

On a different note
Why is the position so "unattractive"? Because you're only offering $50k/yr for 6 days a week plus a rotating 24 hr on call day? Where's it located? Is it strictly an entry level position?

Comment Re:how many of the jobs didn't exist as well? (Score 5, Interesting) 233

So, these companies are really bidding an average of $350-$500k/yr for developers in these auctions?

And isn't your "4 years at Google and a *Stanford* CS degree" just the same arbitrary requirement as a recruiter that thinks "rails" is a form of transportation?

I have 15 years of software development experience, have run 2 startups (one as CEO, one as CTO), and been a team lead or senior engineer on multiple projects at both startups and established companies. I have extensive experience with C, C++, Java, Python, PHP, Perl, Javascript, SQL, and lots more... And, I'd be just as excluded by you because my CS degree is from the University of Utah, and I haven't worked at Google as I would be by the recruiter who's never written a line of code and doesn't know that someone with my background can learn Ruby and be proficient in a week or 2 at most.

I also went to sign up on DeveloperAuction, and was disappointed that you give so much weight/prominence to github projects. I have many side projects, but not of the public nature, and I chose not to pay someone to host my source code privately when I can do that just fine myself thank you. (What self respecting software developer doesn't have 4-5 servers in their basement to host/play with personal projects?)
