orofino's comments

Allow me to shout into the void for a minute here...

1. Slack is a well-designed interface for allowing teams to communicate via chat.

2. Slack is easy to install is use on Mac, PC, iOS, and Android. It Just Works™.

3. Slack doesn't require me to install IRC somewhere. Which also means I don't have to worry about how people gain connectivity to said server when outside the office.

4. Slack has whimsy. Fun colors, messaging, emoticon, bots, etc.

All of this is what folks in this thread seem to be missing. I've used IRC for a very long time, but have NEVER been successful at getting wide adoption of IRC for communication.

I am well aware that I'm trusting a third party with our information. I'm aware that alternatives exist and you can get them to work. That doesn't matter when I have to try to explain to my CEO how to /join #channel.

There is a reason why IRC, a widely-available, chat solution that has been available for decades didn't catch on. It has nothing to do with how well the software moves messages from one computer to another.

</rant>


Slack and IRC have two different (but interconnected) use cases. I love IRC, and I haunt a couple servers to chill or to ask an occasional newbie question. I'm pretty comfortable with IRC; it's a part of my culture.

I often find myself needing to establish a line of communication between people who aren't particularly tech-savvy. Slack works excellently for this: I make a new team, fire off some invites, and everyone just understands how it works. I can only imagine that, say, coordinating dev, corporate, and sales over IRC would be like living in the same circle of hell cardinally occupied by people who talk at the theater. If IRC works well for your team (whatever it is), excellent! Don't try to fix something that isn't broken. Slack isn't flawless, but it does have its usecases, and it fills them very nicely.


> 1. Slack is a well-designed interface for allowing teams to communicate via chat.

subjective. I consider a bloated web interface taking several tens to hundreds of megabytes of RAM compared to a text-based interface taking less than 100 kB to be poorly designed.

> 2. Slack is easy to install is use on Mac, PC, iOS, and Android. It Just Works™.

spelled wrong, and IRC clients are harder to configure only because there are so many options for servers, whereas Slack only supports one server.

> 3. Slack doesn't require me to install IRC somewhere. Which also means I don't have to worry about how people gain connectivity to said server when outside the office.

webchat was invented for a reason

> 4. Slack has whimsy. Fun colors, messaging, emoticon, bots, etc.

IRC has had mIRC-style colors supported and even adjustable by the majority of clients for at least 10 years. I don't know what "messaging" means. If you mean "private messaging", pretty much every chat software in the world has that. AOL and ICQ have that. You can put emoticons in your text manually if you want. It was on IRC that the concept of chat bots was invented, not on Slack.

> There is a reason why IRC, a widely-available, chat solution that has been available for decades didn't catch on. It has nothing to do with how well the software moves messages from one computer to another.

Yes, it is about how much money a for-profit company has to spend on marketing and copy as opposed to a standards organization.


This whole response reads like it was written in the 90's. Most people don't care if something takes up 10's of MB's of RAM when new PC's are shipping with 16-32GB standard.

Your comparison of what amounts to ASCII art versus Slack's rich-media embedding reads like it is straight out of a Fortran developer's "I'm still relevant" handbook. You even offer up AOL and ICQ as counter examples!

If we're going there, I guess we should simply assign everyone a GUID and be done with it, right?

HMU on ICQ: 110339943


> Most people don't care if something takes up 10's of MB's of RAM when new PC's are shipping with 16-32GB standard.

ISTR a -now undoubtedly outdated- answer to a question that was very much like "Why will there not be a real Photoshop clone for mobile devices in the near future?". One of the striking things to come out of the analysis was that -absolute best case- you got something like ~300MB of RAM (and -common case- ~100MB) to work with before you got unceremoniously killed.

I would hope that now you can reliably consume ~500MB of RAM per app, but... that's still a far cry from what you can use on a "real" PC.

Unfortunately, memory usage still matters. :(


people will care when things consume memory when you consider that chrome takes 2G by itself, xcode/VS take on average 2-4G on-top.

everyone thinks memory is free but machines are still shipping with 8G in the mid-high end.


Fortran is still relevant. In its field.


Up until very recently Slack had spent essentially nothing on marketing. It spread because, in the words of pg, they built something people want.


How recent is "very recently"? I've been hearing ads in the podcasts I listen to for something close to a year. Prior to that, slack was only something I had seen in HN titles, and even then I had never once clicked on one.

I like slack, I think it's a great product. On finally watching their video and installing it, I immediately saw the draw, it's basically IRC with lots of usability enhancements and a lot of easy-to-configure bots available with a click or two. That said, it took me months of ads to finally take a look, but I did because the advertisements let me know that it was a possible solution for the problem I was dealing with.

It may have spread because they built a good product, but I think it's equally important that they actually exposed a lot of people to information about it. Your great product will die if nobody ever sees how great it is.


alright, then replace "marketing" with "pretty pictures and rounded corners".


Isn't this roughly what people used to say about Apple?


s/used to//


There have been plenty of very nice looking IRC clients over the years.


Most non-technical users don't care how much memory their chat client takes up as long as it works. They also don't care what server they need to connect to as long as they can communicate with the people they need to — less is more in this case.

Slack has its fair share of flaws but design and ease of use are not among them.


My wife and I both quit our jobs before we left to travel. We've been together for 13 years at this point, were at about 10 years when we started traveling. Something about the travel just resulted in us bickering way more than we ever have before. We aren't 100% sure what the cause was.

I think traveling even slower 1-2 weeks/city might have helped with this, but then again, some cities just don't warrant that much time.

Since coming home we've since traveled for a 5 week trip together and it was much smoother. Perhaps we just needed to learn how to travel together.


In May 2012 my wife and I did this. It went well, but little went to our initial plan.

The experience was far more stressful than either of us expected. Constantly having to find food, a place to sleep, and figure out where/what is next, was tiresome. However, we really enjoyed the experience and found some places off the beaten path that we really loved. We found out that we love hiking and that we wanted to travel more in the future.

I can't remember how we ended up settling on a budget, we targeted $80/day for two people. We saved 60k for the trip which from what I can remember was somewhat arbitrary. We also saved 20k as a 'return fund' to ensure that we had ample runway to find jobs. Returning home was incredibly expensive, we sold everything we owned before we left, make sure you budget accordingly.

Finding work after traveling was simple for me, a bit harder for my wife. I had two job offers, both from people I worked with prior to leaving, before I'd been home for more than a couple weeks. My wife wanted to change where she worked, so it took her a bit longer. None of this was to plan, we had planned to move to the west coast, the sway of a job was too strong.

If we did it again... that is hard to say. Both of us wish it was planned a bit more completely, but I see no way to actually accomplish this. I might say stay in one place a bit longer than we did (maybe a week/city). My wife says she would blog less, and I think I agree, documenting the trip was a lot of work. We did it for ourselves and our family, but it was more work than anticipated.

In the end we finished traveling after only (sorry I know "only" sounds ridiculous) 8 months. We thought we would travel for 1.5 years or more. We spent way more time in South America than initially planned and took a boat to Antarctica which was entirely unplanned. It was really amazing.

If you have questions I'm happy to address them further, I tried to keep this short as I can talk about this for hours.


> I can talk about this for hours.

Please do!

Is your blog still up?


Yes, in my profile.


Fascinating, you've done an absolutely amazing job at not just your travel but also your 'inner journey' about how the travelling changed you. Thank you!


This is great advice and what I have been doing for the last 3-4 years for our retirement portfolio. Prior to that we were using an 'investment guy' who had us in a bunch of high-cost funds.

I sent the guy an email and ended the relationship and took a couple months to read and learn about this. I recommend the "investor's manifesto" by William Bernstein for anyone interested.


You may need to pay that $10 if you are investing through some other brokerage account. However, do yourself a favor, open an account with Vanguard directly and you can make that purchase without any fees.

Additionally, I'd recommend some percentage be invested in the Vanguard total bond market fund as well. Holding some percentage there will reduce overall portfolio volatility, and can actually increase returns slightly.


Asset diversification is more complicated than that. To a first order, yes stocks and bonds are inversely correlated. But it is not enough to hold just stocks and bonds.

In order to maximize return over your preferred time frame (while minimizing risk), you have to examine the whole universe of investable assets, examine their volatility as well as correlations amongst themselves.

From there, your goal is to assemble an ideal basket of assets that maximizes your return for your personal level of risk. Running these filters and choosing when to rerun/rebalance is the basis of modern portfolio theory.

Managing your money using MPT is the service that many investment houses sell. Rolling your own is absolutely possible, but it is not as simple as stocks vs bonds.


Stocks and bonds being inversely correlated is an old rule that hasn't held as true since the 2008 crisis. Stocks, most bonds, and most other asset classes have been moving up and down together although with different degrees of volatility. Long term US treasuries are a standout as one of the only investments that has a clear inverse correlation to the general pattern.

Having run a lot of simulations in determining my own portfolio I came to the conclusion that these things affected my returns, in decreasing order:

1. annual maintenance costs

2. tax effects

3. choice of index

4. diversifying beyond stocks/bonds

I imagine most people who aren't using a passive strategy can chop 1 - 1.5% off their costs just by switching to indexes, and the remaining optimizations will pale in comparison. But as the size of the portfolio increases the additional effort becomes worthwhile.

It's possible that over the long term the market will decouple again but keep in mind that most investment advice about "universal truths" about the "long term" are based on a little over 100 years of market data. Given that I started investing at age 20 and will hopefully live to old age, that's not a lot of training data in comparison to the amount of prediction it's generating.


True, but for most people without 25M (ie most of us), is the marginal improvement in return on a 500k investment worth the extra complexity over a straight stock/bond mix?

Unrelatedly, what are your thoughts on the permanent portfolio (if you've heard of it).


Not sure if this was directed at jhulla (and actually I was about to ask it to svachalek).

25% in physical PMs is hard to justify but generally speaking I think Browne's Permanent Portfolio is a good base. Perhaps 20% each of domestic equities, international equities, PMs, cash and long term bonds would be more realistic, with rebalance bands at 17/23.


To get the diversification benefit from holding the bond fund, you'd need to rebalance (every few months to every few years).


If you are lazy you can just put your money into one of the 10+ Vanguard Target Retirement funds [1] which are just varying mixes of their stock/bond funds + automatic rebalancing. It goes from 90%/10% stock/bond mix (VTTSX) at the high end to 30%/70% at the low end (VTINX).

1: https://investor.vanguard.com/mutual-funds/target-retirement...


If you are investing new money every month and attempting to maintain the same allocation over time, you are in a sense automatically rebalancing. Of course, this assumes your total investment over a given time period is roughly in line with the relative delta in performance.


You can only open an account with Vanguard directly if you are in the US.


Anyone else find the focus on the article solely on "Alabamians" a bit odd?


[deleted]


This article is related to curing Type 1 diabetes which has nothing to do with obesity.


The website WIAT.com is for the radio station WIAT 42 based out of Birmingham, Alabama.


I'm reading this while sitting in a restaurant in Nepal. My wife and I are here for around three weeks for hiking to Everest Base Camp. After this, we are headed to China for 11 days. In total, I'm going to be out from work for 5 weeks. Almost three years ago we quit our jobs, sold our house and travelled for 9 months through South America, Antarctica, and Europe.

I work at a startup. I'm the product manager and we are rebuilding the product from the ground up, in December we will have been working on the rebuild for a full year and our first beta customers will be starting on the new platform. The five weeks immediately previous to that, I'm out of the office for an extended period.

This is to say, you have to make the time for yourself. We both work hard, both of our new jobs (which are way better than our pre big trip jobs btw) allowed us to take this five weeks without much hassle. The team will survive and I'll come back refreshed and ready to tackle new problems.

Perhaps some think our startup will fail because someone took time off for this long, I'll tell you that I sure don't.


Hey, I'm on the eastern edge of the Himalayas near Kunming, the capital of Yunnan, China. While 11 days isn't much so I doubt it, if you guys are planning to visit Yunnan you are welcome to come sailing on our huge alpine lake. :)


I would love to read about your trip to everest base camp - the website link in your profile doesn't appear to work, do you have a blog?


Good for you. Always work to live, not the opposite. It can be work just to figure out what you enjoy.


The question for us, as technologists, is what are we doing about this?

2FA is nice, but not the end all, be all. OAuth has largely failed to gain any reasonable traction. Using Facebook login means Facebook gets to track me as I move around the web.

Our users reuse passwords, primarily due to the proliferation of dozens or often hundreds of online accounts that a single individual has. We can't expect people to use password managers (they're complicated and then centralize everything into a single point of failure). Forcing people to use crazy passwords just results in weaker passwords.

I was hopeful that something like persona from Mozilla would catch on, but that has failed. Where are we with replacing the password? It is flawed technology.

On top of this we have the compounding factor that our systems are more complicated than ever and it appears that they're simply impossible to secure. Too many layers exist with too much code. Many sites just don't bother with even hashing passwords, meaning those of us that care, are just kind of throwing our hands up and saying "well it wasn't my site that was compromised, so it isn't my fault". All the while, bad guys walk in the front door because we've decided to ignore the reality of the situation.

I know I'm not providing a constructive alternative here, but I'm a bit ashamed that we've even let it get this far. We're failing those that rely on our systems. I don't have the answer, but would love to hear some ideas about what can be done.


> Where are we with replacing the password?

The state of the art of the technology, in my opinion, is GRC's SQRL: https://www.grc.com/sqrl/sqrl.htm

However I think you have captured something essential in the idea that Mozilla Persona "failed to catch on", and it wasn't, as far as I can tell, for technical reasons.

The real problem is that any change from the username/password system has a cost (in programmer hours, and support retraining, etc.) and so long as "nothing is broken" it is hard to justify diverting funds from features that are customer-visible to providing a defense against an attack that is arguably the user's fault anyway (password re-use).

To me this issue is sort of a monument to the strange insincere lipservice we pay to technology and technologists. Of course technology is business-critical and of course we work to hire the best and brightest, etc. But somehow organizations keep storing passwords in plain text in spite of the fact that engineers who work there know better.


> The state of the art of the technology, in my opinion, is GRC's SQRL: https://www.grc.com/sqrl/sqrl.htm

This idea SERIOUSLY needs more attention, Steve is basically presenting a complete blueprint for how to do web login security right on everything from smartphones to desktops. A startup could run this implementation-wise and if the hype was right it could be a massive hit.


It is our job to explain to the business what the value is. It is our job to convince them of the value.

I know this can be hard/impossible in some situations. I've lost those battles for things that are much more trivial than replacing large parts of the authentication system. However, if you keep beating that drum and take any opportunity to push that goal, you can sometimes create the time to work on something like this.

Are your customers requesting some kind of compliance (SSAE or something of the like)? Use that as leverage. See the recent news (or not so recent higher profile Sony hack news)? We should really address some of our shortcomings.

The problem then becomes, what is the market pushing towards so that you can help push that forward. Right now there isn't a clear answer, solutions keep dying on the vine.


Thanks for the link to SQRL, I hadn't seen that before. Very cool.


I advocate for the use of password managers.

I've bought 1Password for everyone in my family, and nagged them into using it. I counsel people online to do the same, or use keepassx, or last pass.

It's not effortless security, that's for sure. In a perfect world we would have a better system than passwords. But we live in a world of compromises, and I feel it's presently the wisest course of action.

https://lastpass.com https://agilebytes.com

keepass or keepassx should be googled.


It would be a great start if sites that don't actually require an account to get the job done would stop asking you to create one. For instance, most e-commerce transactions where you buy a single item still require you to register with the store. That's like having a loyalty card forced upon you because you tank gas somewhere.

Usually I just want to buy the item, not become 'a member'.


> I was hopeful that something like persona from Mozilla would catch on, but that has failed.

I talked with two people from Mozilla at a conference in February and was disappointed (though not altogether surprised) to discover they couldn't articulate the compelling reason why someone would move to using Persona. For something to mainstream, the marketing, positioning and ease-of-use is crucial. They had no answers other than 'privacy' and 'ease of use' -- which while valid, aren't going to convince my aunt & uncle to adopt something new. Until they've been hacked, scammed and otherwise suffered pain.


Just throwing this out there but when signing up for sites while using Safari, Apple gives me the option of using a (Apple generated) random password that is stored to my keychain and synced to my iCloud account. This means both of my MacBooks, my iPhone, and my iPad all have access to these sites with no effort on my part (I never could remember my passwords) while also being random and secure(-ish?).

All that is needed is a service (Microsoft, Google, Apple, Facebook) that you trust as your password manager and is integrated either with the sites you browse or the browser you use.

Having read Apple's iOS security document (http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.p...) I have just the right combination of convenience, ease of use, and feeling secure with their services to use keychain for most of my password needs.


Awkward time to bring up iCloud as a potential SPOF for users' security. Apart from technical flaws in the service (and any cloud service is likely to have one eventually), cryptographer Matt Green (on his twitter feed) has pointed out that Apple chose some poor defaults, particularly the use of people's phone password as default for cloud storage. Quoth Matt, "Of course people pick terrible iCloud passwords. You can't enter a good password 50x per week on a mobile device. You'll go carpal." (In subsequent tweets, he acknowledges that password caching would help with this, but says he had to turn it off after his kids ran up a $200 bill.)

Of course, it's not clear that password brute-forcing was what led to the recent leaks of celebrity nude selfies, and not even completely clear that they came from iCloud (though a lot of clues point that way). But regardless, they do illustrate the risks of relying on cloud storage generally, regardless of who provides it.


Sorry, but there's no way I'd allow any cloud service to hold my password vault, and recommending it to end users seems like a colossally bad idea.

I'd want at least two layers of different encryption types (generated by distinct software) protecting any such file if it were to be stored in the cloud. That way if one software package or one encryption algorithm were compromised, there would at least be a chance the other layer would protect it.

So at the moment I put my vault on my laptop and copy it directly to my phone, but I don't copy it into the cloud, ever.

I might consider using something like SpiderOak [1] in conjunction with a Keepass encrypted container, for instance. But I haven't even done that.

[1] https://spideroak.com/


> Where are we with replacing the password?

What about you load a site, get an HTTP 401 response, your browser sends back an auth header with a password generated for that domain name, based on some secret global key/password. Then in response, most sites would set a cookie. To change the password, you could have a second header that has the new password, along with the original. No usernames needed. The browsers would have a global password for cases of shared computers. Log out buttons on sites just remove the cookie. Or without cookies, just have the browser send the auth header each time until a native log out button is pressed.


>> We can't expect people to use password managers (they're complicated and then centralize everything into a single point of failure).

> What about you load a site, get an HTTP 401 response, your browser sends back an auth header with a password generated for that domain name, based on some secret global key/password.

You essentially describe a password manager with deterministic password generation. It has all the upsides and downsides of a regular one, except migrating passwords is harder (you need to change them instead of storing them).
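The scheme discussed in the two comments above, sketched as an added example (not code from the thread or from any password manager): a per-domain password derived from one master secret. The PBKDF2/HMAC construction, the output alphabet, the `counter` parameter and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Output alphabet (an assumption; real sites differ in which characters they accept).
ALPHABET = string.ascii_letters + string.digits + "!#$%*+-=?@_"


def stretch_master(master_password: str, user_salt: str, iterations: int = 200_000) -> bytes:
    """Derive a key from the master password with PBKDF2, so that every guess
    at the master password (e.g. after one site password leaks) is expensive."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), user_salt.encode("utf-8"), iterations
    )


def normalize_domain(domain: str) -> str:
    """Canonical form, so 'Example.COM.' and 'example.com' give the same password."""
    return domain.strip().lower().rstrip(".")


def _keystream(key: bytes, info: bytes):
    """Endless byte stream: HMAC-SHA256(key, info || block index), block by block."""
    block = 0
    while True:
        yield from hmac.new(key, info + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def site_password(master_key: bytes, domain: str, counter: int = 1, length: int = 20) -> str:
    """Deterministic password for one domain. `counter` is bumped to rotate it."""
    if counter < 1 or length < 1:
        raise ValueError("counter and length must be positive")
    info = normalize_domain(domain).encode("utf-8") + b"\x00" + str(counter).encode("ascii") + b"\x00"
    # Rejection sampling: drop bytes that would bias the modulo reduction.
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    for byte in _keystream(master_key, info):
        if byte < limit:
            chars.append(ALPHABET[byte % len(ALPHABET)])
            if len(chars) == length:
                break
    return "".join(chars)


def demo():
    """Rotate one site's password; all values here are constructed samples."""
    key = stretch_master("constructed master passphrase", "alice@example.org")
    counters = {"shop.example": 1}      # per-site state that must be kept somewhere
    before = site_password(key, "shop.example", counters["shop.example"])
    counters["shop.example"] += 1       # shop.example was breached: rotate
    after = site_password(key, "shop.example", counters["shop.example"])
    return before, after


if __name__ == "__main__":
    old, new = demo()
    print("before rotation:", old)
    print("after rotation: ", new)
```

The `counters` mapping in `demo()` is the catch the reply points out: replacing one site's password means changing its counter, and that counter has to be stored and synced like any other vault entry.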


All the security measures usually presented (including here) are completely unrealistic - no one can use different, complex passwords on every site we log into, and then change them every month!

The only way to do this would be to use a password manager in a SaaS mode... and if it gets cracked then you're completely doomed and lose all access to all services.

People probably assume that the time saved by not caring about security is greater than the time they will lose if (when) they're attacked, and they may be right.


I do exactly that, using keepassX. Single use, complex passwords that I change every two months, stored in a shared encrypted database.

What exactly is hard about it?


keepassX seems to be a local application: how do you use it on mobile, or when you're not at home?

Also: if the database gets corrupted, you lose access to all services; if you have backups then it's a little less safe; if the main password for the database is strong you may forget it (or need to write it down somewhere outside the system); if it's not strong it's not safe.


There are mobile clients for KeePass databases. So you just need to keep a copy of your database on your phone. That's extremely easy to do with syncing data apps like SpiderOak.


Soooo you're still using a cloud service to sync your passwords, right?


I cannot say for Android, but if you keep kdbx file on a Dropbox, you can access it with iKeepass iOS app


Android clients exist for both keepass v1 and keepass v2 :)


Why shouldn't the average user write down his/her master database password and store it in the kitchen drawer?


Does keepassX manage the password changing or is that something you schedule and do manually?


You still have to do it manually I think. Having a standardized API to change passwords (a "Rotate all my passwords" button) would be nice, but potentially a huge step forward in automating password attacks.


Thanks. I confirmed a Debian package. If I can sync devices I think I'm golden.


We need to move past passwords.


Whatever the solution is, it needs to allow remote permits. e.g., I need to be able to grant an employee access to my NameCheap account for client work purposes.


True, and whoever pulls it off is the next Mark Shuttleworth, if not the next Bill Gates.


I don't think there's anything wrong with user-names and passwords in concept. It's familiar to users and easy to implement. Users need to create better passwords and we need to help them do it.

Don't impose any restrictions on what the password should be, e.g. "Must not contain any special chars. Must contain a number..."

Use the word "pass phrase" instead of "password". Encourage people to use memorable phrases and quotes as their pass phrase. The English language has approx. 250,000 words. If a pass phrase contains 4 words, that's 1.62764322e+20 permutations. That's a naive view since "habit osteopath circumference telephone" isn't a particularly memorable password. With this in mind, you could use statistics to reduce the number of permutations, but that's no small feat.

Use email addresses instead of user-names.

Finally, use Bcrypt.


There are advantages, but this poses a high bar for adoption. The current approach of keeping the entire suite of sensors on the car means that infrastructure won't need immediate upgrades to support autonomous vehicles.

I have no doubt that smarter roads are in our future, but they pose too high of a price for widespread adoption of autonomous vehicles at the outset.


More than anything, what this makes me want to do is lay out some cash to have an actual designer work on a resume for me. I like nice looking resumes, I kind of want a nicer looking resume, I wouldn't mind paying for a nicer looking resume, I don't really want one that looks like those that hundreds of other people are using.

Perhaps a nice direction for a project such as this is to become more of a marketplace, similar to what you have with WordPress templates. This would mean more template diversity with the ease of use that you probably already provide with your CMS.


This guy runs/ran a business that did just that - personalized infographic resumes:

http://haganblount.com/infographic-resume/

I'm not sure if he's still creating them or not.

