
Comment Re:Great! More hipster hate. (Score 1) 176

I've never met a hipster who wasn't uber interested in proving how uncool other people were. Mostly they find people "uncool" for being "late" to whatever thing they thought was completely awesome 3-6 months ago. I've never met one who wanted to be cool, at least not in the traditional definition.

By definition they aren't interested in being cool, to be cool, you have to be doing what the majority of people are doing, and by that time the hipsters have moved on to whatever is next to avoid becoming "cool".

Comment Seems flawed, but what do I know? (Score 1) 549

It seems to me the most likely machine to be compromised is probably a user desktop. Servers and web services can implement pretty effective countermeasures against brute force attacks (3 tries and you're done for an hour, 5 tries and you're done forever). Not to mention multi-factor authentication.

Putting all of your passwords, no matter how complex, on a Windows 7 desktop with a single (easy to remember, easy for computer to guess) password, which can be trivially retrieved with a keylogger, seems like completely broken security to me. One zero day in IE, keylogger installed, access to all user passwords for all sites granted.

You're literally a single hack away from having bank accounts, social media, email, everything hacked. Or am I wrong somehow about password managers/keyloggers?
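The server-side lockout rule mentioned in the comment above (3 failures locks the account for an hour, 5 locks it for good), as an added example that is not part of the original comment. The class, function and sample credential names are hypothetical, and counting the 5 failures cumulatively until a successful login is an assumption.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable

TEMP_LOCK_AFTER = 3       # "3 tries and you're done for an hour"
PERM_LOCK_AFTER = 5       # "5 tries and you're done forever"
TEMP_LOCK_SECONDS = 3600


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    disabled: bool = False


@dataclass
class LoginThrottle:
    verify: Callable[[str, str], bool]      # a real service checks a salted password hash
    accounts: dict = field(default_factory=dict)
    compared: int = 0                       # guesses that actually reached verify()

    def attempt(self, account: str, guess: str, now: float) -> str:
        st = self.accounts.setdefault(account, AccountState())
        if st.disabled:
            return "disabled"
        if now < st.locked_until:
            return "locked"                 # rejected without testing the guess
        self.compared += 1
        if self.verify(account, guess):
            st.failures = 0                 # assumption: a good login clears the count
            return "ok"
        st.failures += 1
        if st.failures >= PERM_LOCK_AFTER:
            st.disabled = True
            return "disabled"
        if st.failures == TEMP_LOCK_AFTER:
            st.locked_until = now + TEMP_LOCK_SECONDS
            return "locked"
        return "denied"


def sample_verify(account: str, guess: str) -> bool:
    # Constructed sample credential, for the demonstration only.
    return account == "alice" and hmac.compare_digest(guess.encode(), b"correct horse")


def run(events):
    """Replay (seconds, account, guess) tuples; return the results and the compare count."""
    throttle = LoginThrottle(sample_verify)
    results = [throttle.attempt(acct, guess, t) for t, acct, guess in events]
    return results, throttle.compared
```

Even the correct password is refused while the account is locked or disabled, so the policy caps how many guesses are ever compared; it does nothing about a password captured on the client, which is the comment's concern.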

Comment A little early to judge? (Score 1) 144

Maybe my recollection is bad, but, wasn't the big PR push just in the last year? I know at my high school (granted, almost 20 years ago now) you had to take 2 years of CS to get into the AP course and even attempt the test. So at a minimum I would expect the PR push to show up in next year's numbers. It's going to take more time and effort than 1 year of Google handing out cash to make a significant change in numbers, and it's going to take a long time to really improve pass rates. You can't just throw a CS book at your average HS student and expect them to get a 5 in 6 months' time.

It's going to take at least a decade to get female numbers up to parity, changing culture is hard. It's going to take at least a decade to improve pass rates because you have to start teaching CS earlier in order to have a foundation. We start teaching math in kindergarten, how many students take the AP test in calculus and how many pass?

Also, in my experience each year the tests are vastly different and have vastly different pass rates, so one year does not really mean much. My AP Chemistry test was an example, we only had a few students pass (with 3s) out of a class of 30, where the year before, 75% of this same teacher's class passed, and more than 50% got 4 or 5. The teacher after the test read through it and said our year was the hardest test she'd ever seen.

Comment Not for home users... (Score 3, Insightful) 80

From rtfs, it seems o3b is aimed at the ISP market. I think this could be quite neat, they are aiming at being a backbone provider for say a local wireless ISP on a tropical island, this ISP sets up their terrestrial wifi equipment, and sets up a link to o3b for backhaul.

This could transform the competitive landscape in a lot of these places where either a) becoming an ISP means signing a multi-thousands/mo deal with the 1 company that has pulled fiber under the sea for thousands of miles, or b) having no option, because the terrestrial land lines are all owned by the government run telco who has no interest in providing an upstart with bandwidth

Of course, for this utopia of competition to break out, it assumes that o3b will be charging significantly less than whoever has pulled fiber under the sea, and that government regulation in all these countries doesn't simply preclude the business model by granting unlimited monopoly power to the government run telco. I know in the 2 South American countries I've visited this second hurdle is much larger than the first... The government owns the telco, that's the only way to get internet, period.

But assuming I'm wrong about the regulatory landscape, and assuming o3b will have reasonable pricing, it almost becomes interesting to attempt to set up a wifi based ISP in some underserved country...

Comment kettle, meet pot (Score 1) 294

I found it hilarious that the post bemoans the state of getting started with a new environment, and how it invariably requires a tutorial, and that is terrible.... And then you download their software and you're presented with a blank screen and no idea how to get started... so you turn to you guessed it.. a tutorial.

And then a tutorial that isn't even illustrated, so you can't tell what is supposed to happen when you hit cmd/ctrl+enter... I get a little checkbox next to my line of code.. I don't know what that means. Line is syntactically correct? Line executed? Line monitored by system? And it certainly doesn't provide any insight into the flow of data. I don't see a pane like I do in PyCharm that lists the variables with their current values, I don't see any state.. Is that intended? I don't know, the tutorial doesn't inform me, and the environment is useless.

I don't generally use debugging tools, preferring to keep my abstractions shallow, my code small and understandable, and a test suite that can prove that my code is handling the cases it's designed for correctly. In some projects, yes, complexity is a requirement, but I feel like the advent of IDEs and debuggers has only served to allow people to more easily break what is in my opinion the first rule of development:

  "Everyone knows that debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it?" - Brian Kernighan

Break systems down into small manageable parts. Write the code simply and clearly. Write tests EVERYWHERE.

Comment Re:Tough, Apple (Score 1) 180

The problem is Apple *did* implement the standard, this is a classic submarine patent. Apple is using the standard SIPS+SRTP protocol... but guess what? These guys patented it a year before it was standardized, and now it's the de facto standard in everything (IP Phones, LTE, literally all voice communications now use SIP)

So these guys printed a mint by patenting something, then getting standards bodies to adopt their standards, then claiming everyone infringes by implementing the standard.

Comment Re:My give-a-darn meter is reading negative GADs (Score 2) 180

By my reading, this company virnetx claims to have patented SIP... So Asterisk, grandstream, and everyone else is probably on their list as well. Anyone who sets up direct communications between 2 endpoints violates their patent.

According to what I've read, using SIP secured by TLS/SSL and SRTP was only "standardized" in 2004, 1 year after these guys patented "setting up an adhoc VPN" between two devices automatically (which is what SIPS+SRTP does) according to them.

So, I guess we'll all use VoIP again in 2023, once this patent finally expires.

Comment Re:As usual, some things got left out... (Score 1) 161

How is it sloppy security practice? You're seriously arguing that *every* *single* *api* on the internet *must* implement oauth right now because the api *will* be reverse engineered and users will be tricked into providing their credentials directly to a third party? Even when third party apps are not authorized? Every company with an api on the net *must* provide for third party access?

Oauth doesn't provide any security anyway. Users will still be tricked into providing their credentials directly to third parties (on phishing oauth portals). What's going to stop someone from spoofing an oauth portal, and distributing an app that redirects to said portal? User enters username/password on spoofed oauth portal, third party has creds, does nefarious deeds. Oauth provides precisely 0 security if the user is not careful.

Comment Re:Those who attempt to re-create Oauth... (Score 1) 161

Well, I'd argue this is one such context. There is no third party, Tesla's API is not designed for third party access, it's designed for Tesla app -> Tesla API communication. Adding Oauth to this workflow, just for kicks, certainly would decrease usability, as you'd get redirected to a third Tesla page, to provide your credentials and generate a token for Tesla's own app.... The Facebook and Twitter apps published *by those companies* don't use oauth, they ask directly for your username/password

Saying Tesla's app should use oauth is crazy. Saying that anyone who publishes an API on the internet *must* implement oauth so third parties can access the API is equally crazy.

Comment Re:Those who attempt to re-create Oauth... (Score 1) 161

Tesla wasn't even trying to re-create Oauth, they *don't* provide third party api access. They implemented a perfectly reasonable first party api authentication mechanism. If users are inclined to give their creds to *unauthorized* third party apps then that is on the user.

Every API in the world shouldn't be *required* to provide third party access.

Comment Re:Major fail for Tesla (Score 1) 161

The problem with the article and the sentiment you express is that this api is *not* a third party api. It is not published, it is not intended for use by third parties. Oauth is a PITA. Why would Tesla set up Oauth between themselves and... themselves?

Oauth is designed to work between 3 parties, the user, the "authenticator", and a third party app that wants to access the authenticated service on behalf of the user. In this case, Tesla implemented an API for their app to communicate with, so there is no third party involved, and the system wasn't designed to support third party apps. Now, intrepid hackers have reverse engineered this api, and services have begun popping up that provide "functionality" via this api, but they require you as the user to fully trust a third party that is *violating terms of service* and using an unpublished api that they've reverse engineered. If you as a user trust this third party you are foolish.

There are no Tesla approved third party apps, this API wasn't designed for use by third parties, so why would anyone expect Tesla to implement a third party authentication protocol? Is the argument really that *any* API exposed to the internet must provide access to third party apps? That seems a rather untenable position to take. Certainly it's not unreasonable for Tesla to ask for your username/password in *their own app*?

I'm much more concerned about banks not implementing oauth, and the fact that there are literally millions of people handing out their banking credentials to third party apps (mint, money desktop, etc). These apps are storing much more important (and much more valuable) info than any hacked third party app to honk your horn.

Comment Re:OAuth for Apps? Seriously? (Score 2) 161

The problem with the article is there are *no* authorized third party apps that use this API. Tesla does not provide third party access.

People have reverse engineered the api, and then if you give these third parties your credentials, they can make calls to the api and do things to your car. The article is arguing that *any* API that is exposed on the net *must* implement oauth so that third parties can use it. Seems pretty crazy to argue that any api exposed to the internet must implement third party app access.

Comment Re:No Google apologist here (Score 1) 555

I don't know where in the US you live, but where I live (yes in the lower 48) I've been hosting servers happily on residential connections for 13 years, using 4 different ISPs over that time frame.

Every ISP I know of here (centurylink (qwest before buyout), att, and xmission) will gladly sell you static IP addresses on residential connections. Not 1, but a block of 16 or 32 (heck xmission will give you a full class C for just $60/mo).

Why on earth would you buy a block of 16 IPs if you can't host servers on them?

Now, since it's not a business class service, you wouldn't want to put anything that needs super high availability on this connection, but that's perfectly understood, I'm hosting a few personal web sites, a couple blogs, a code repository, and a minecraft server... If the rest of the country really is so seriously locked down against having a mail server in your basement, I guess I better not move ever.

Comment Re:Again Slashdot Cant Read (Score 2) 555

I didn't see that anywhere in the linked article, but *LOTS* of ISPs will let you run a server, even comcast will sell you a static IP (for $30/mo) and let you run a server. Sure if you're filling up your upstream pipe 24/7/365 they'll probably get upset with you, but I've been running servers in my house since 2000 when I first got dsl, business servers, hosting websites (mine and other people's), hosting email, blogs, voip, code repositories, minecraft, you name it... I've been on 4 different ISPs over the 13 years, and have never had a problem (even when the ISP was qwest... well there was a reliability problem then, but not a "shut down your service" problem).

Comment pretty f'ed up google (Score 2) 555

Well.. I used to be jealous of the google fiber cities...

Now I'm happy to live on with my 40mbps/20mbps connection with 16 static IPs and an ISP that happily lets me host servers in my basement...

(minecraft, git repos, a couple web servers, media server, encrypted voip server for friends and family.... ) All cranking away on a couple old dell servers from ebay...

seriously I wouldn't go near google fiber with that policy if they paid me to use it, in fact they couldn't pay me enough to use it (well... maybe if they paid me 6-700/mo so I could afford to colo my 2 servers in a cheapo datacenter)
