Interesting. I was burned in a weird way by SourceForge's descent into evil. A friend who was managing my BTC for me (long story) was a victim of the PyWallet trojan and lost ~40BTC in April 2016. :-( I tried to get her to use the GitHub posted version of PyWallet, but she wasn't (at the time) familiar with how to download stuff from GitHub. :-(

I actually really despise Git as a tool. One really spectacular feature would be if all repositories that were either git or Mercurial could be transparently accessed by either. I have some significant commits in Mercurial, though I haven't worked on it in a very long time. I might be able to help. :-)

The analogy is if you suspect someone of stealing your wallet, you are allowed to break into their house, search through it to find and take back your wallet, destroy a few things here and there to prevent them from pickpocketing in the future, and then call in the police to arrest the guy.

Oh, but if you made a mistake and destroyed some random person's stuff, well, you were still acting within the law.

I think police should need a warrant to use facial recognition in many cases. I also feel that perhaps searches of electronic devices and online accounts need to strictly limit exactly what is searched for and disallow any evidence of any crimes not listed in the warrant from being used.

The 4th amendment is supposed to make it hard to prosecute certain kinds of crime. In my opinion, the police really have no business going after crime that isn't reported to them anyway, except for a few exceptions like murder.

It's only propaganda if you routinely reject the evidence of your own senses.

That's who Trump answers to, not us. :-/

Isn't associating non-Google app and web site activity with Google information sort of necessary in order for Google Now and Google Home to work properly?

House of Cards distribution rights are not solely owned by Netflix. Wikipedia indicates distribution is jointly owned by Netflix and Sony. Compare to Daredevil or Luke Cage, which I think was launched simultaneously everywhere, where Netflix is listed as the only distributor.

What happened to all the /. posts about how there is an excess of qualified U.S. candidates and companies asking to raise the H1-B cap are just trying to pay people less?

Anyway, OP's problem is one I think is very common when you're actually looking for someone really good. Even if crypto or security is not the primary job, a senior architect/developer/designer will be able to do a much better job knowing about crypto and security for the same reasons such a person would do a much better job knowing about multi-threading or cache behaviors. Knowledge and skill in those areas will ensure the design and code starts out in a better state than otherwise. In today's increasingly security-conscious world even the most basic of applications and devices need team and project leads to consider security as a fundamental aspect of development.

A lot of answers to this post are basically stating security considerations are not important to the job or the questions are too specific. I disagree with that. (Although I do think it would be OK for people to make a few mistakes around details in an interview as long as they demonstrated proper understanding.)

Maybe a candidate does know how to set up a web site to use HTTPS instead of HTTP. Does that same candidate know why certain cipher suites should not be used? And that really only secures the public network communication. What ensures user passwords are not easily accessed while in use and not just while at rest? How do you protect sensitive keys, symmetric or private, like the one used to encrypt user data?

If you're putting together something super simple and turnkey like a personal blog then maybe you can get by just following examples you read online. But if you're actually developing a new application or device then your solutions will need to be customized to your needs and capabilities. And that's not something you can copy/paste out of a Google search.

I had tried using GnuTLS for a while in one of my builds (with libcurl, I think), but found it didn't always work right while OpenSSL did. I'm not sure if that is because I had to do something different with GnuTLS, but it just wasn't happy as a drop-in replacement.

Anyway, I don't think "trust should be earned" works. If you visit a banking or shopping web site, in what way are they supposed to earn your trust before you do business with that web site? I can't think of a particularly good way (scalable, understandable, and convenient) other than the "I trust X and X trusts Y so I can trust Y" approach we are using today.

The New Yorker published an article named The Open-Office Trap a couple weeks ago about open offices as well, and included research data that showed open offices are a net negative to productivity. Feeling good about doing something didn't actually make that thing good. :)

That was my point. I didn't say that this unionized employee who saved the company $5M or increased revenue 10% got rewarded. My expectation is that he wouldn't, precisely because his compensation (i.e. reward) is constrained by a preset formula. Which is great for treating everyone equally, but people are not all equal. A competitor that recognizes this would come in and grab that exceptional unionized employee in a heartbeat, and reward exceptional work appropriately.

IMO, Buffer is not going to attract any amazing talent. Just okay talent. Unless they have some other sort of bonus equity policy in place to reward exceptional contributions.

Anyway, I hope you left that job and went somewhere better that would recognize and reward your abilities.

That was my point. When compensation is tied to a specific formula (be it a union-designed formula or just one the company came up with) you will run into trouble when it makes sense to reward exceptions. All people are not equal, nor do people or their ideas all fit into nice little compensation buckets. In such an event, the people with equity or who are not constrained by those buckets are the only ones who can benefit.

Instead, that exceptional employee is probably best off taking a competitor's job offer because that competitor is willing to recognize and reward being exceptional.

There are ways you can figure that out without having to know your coworkers' salaries. For example you could interview at other places or read salary data online. If a company is afraid of losing you, they'll do what they can to keep you. If you're worth more than your current employer will acknowledge, then changing jobs would be a good idea. This tends to be why the average tech job these days is a few years instead of a lifetime like it used to be--employees started embracing the free market. If it turns out you're not actually worth as much as you think you are, the free market will end up letting you know (most likely) although learning that might be a tough lesson.