This advice is dangerous, because the author fails to mention other precautions the user can and should take, such as:
* Use a Linux live CD on the "burner laptop" -- don't trust the preinstalled OS
* Change the MAC address of the Wifi used to connect at the internet cafe
* Use Tor, most easily via the Vidalia browser bundle
The author also does not mention that leaking documents can expose the whistleblower via watermarking and user information embedded in the file (most infamously in MS Word documents with versioning).
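The "user information embedded in the file" point above is checkable before a document ever leaves a machine. The following is an added example (not code from the comment author): it builds a constructed, minimal .docx-style package in memory (all names, dates and the company string are made up) and then lists the fields that tie the file to a person or organisation: the core properties (creator, last modifier, revision count, timestamps), the application properties (Company), and the authors recorded on tracked changes in the document body, which is the "versioning" trail the comment refers to. The namespace URIs are the real OOXML ones; everything else is sample data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespace URIs used inside a .docx package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

CORE_FIELDS = [
    ("creator", "dc:creator"),
    ("last_modified_by", "cp:lastModifiedBy"),
    ("revision", "cp:revision"),
    ("created", "dcterms:created"),
    ("modified", "dcterms:modified"),
]
APP_FIELDS = [("application", "ep:Application"), ("company", "ep:Company")]


def build_sample_docx() -> bytes:
    """Constructed, minimal .docx-style package; names, dates and company are made up."""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>alice.example</dc:creator>
  <cp:lastModifiedBy>bob.example</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created>2013-06-01T09:00:00Z</dcterms:created>
  <dcterms:modified>2013-06-05T17:30:00Z</dcterms:modified>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <Company>Example Corp Legal</Company>
</Properties>"""
    document = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{NS['w']}">
  <w:body>
    <w:p><w:r><w:t>Internal memo.</w:t></w:r></w:p>
    <w:p><w:ins w:author="carol.example" w:date="2013-06-05T17:29:00Z">
      <w:r><w:t>Added sentence.</w:t></w:r></w:ins></w:p>
    <w:p><w:del w:author="bob.example"><w:r><w:delText>Old sentence.</w:delText></w:r></w:del></w:p>
  </w:body>
</w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def identifying_metadata(docx_bytes: bytes) -> dict:
    """Collect the fields that tie a .docx to a person, machine or organisation."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in CORE_FIELDS:
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    found[key] = el.text.strip()
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for key, path in APP_FIELDS:
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    found[key] = el.text.strip()
        if "word/document.xml" in names:
            # Tracked changes (w:ins / w:del) name the author of every edit
            # until the changes are accepted or rejected.
            root = ET.fromstring(z.read("word/document.xml"))
            authors = set()
            for local in ("ins", "del"):
                for el in root.iter(f"{{{NS['w']}}}{local}"):
                    author = el.get(f"{{{NS['w']}}}author")
                    if author:
                        authors.add(author)
            if authors:
                found["tracked_change_authors"] = sorted(authors)
    return found


if __name__ == "__main__":
    for key, value in identifying_metadata(build_sample_docx()).items():
        print(f"{key}: {value}")
```

The same walk over `docProps/` and `word/document.xml` applies to any real .docx, since the format is a zip of XML parts; comments (`word/comments.xml`) and revision-save data are further parts worth listing with the same approach.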
Most people never review source code, and they certainly don't disassemble and review all the binaries. 'Many eyes' is a security fallacy in cases like this.
Debian, which is much better known and in much wider circulation than Tails, generated weak SSH keys for two years. Yes, it was indeed very big news. When it was found. After two years.
Oh, and tin-foil-hat on: Do we know (actually know-know, not just assume, think, trust) that the weakness wasn't planted there?
Buy a long-range WiFi antenna and connect from a distant location instead of going to an Internet cafe where you can be recorded by a lot of cameras in the way.
This! Who cares if the laptop is a "burner" if you were caught on Starbucks cameras opening a laptop minutes before the communication was sent, in a place you'd never normally go?
Or parking up and walking past the bank next to the coffeeshop a few more minutes before entering the coffeeshop?
You have to be even more paranoid if you are on a short list of people with access to the information - they will pull up all of your movements, possibly check traffic cameras for your car movements, etc.
Fear of watermarking is probably why the leaked documents are what they are. A court order and a training slide deck are the kind of thing that people are authorized to distribute internally.
Which is why you need a co-leaker. Dangerous yes, but you can at least compare documents between each other. Extract the text, strip the UTF down to ascii and fix the whitespace...
Hell, even have it transcribed by a typist. Full air-gap. This whole leaking business needs to be turned into an SEO optimized translated wiki page.
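The "extract the text, strip the UTF down to ascii and fix the whitespace" step above is the standard way to test whether per-copy text marks survive: normalize both copies the same way, then diff what is left. This is an added example, not the commenter's code; the two sample copies are constructed, with copy A carrying a no-break space and a zero-width space, and copy B a soft hyphen, a Cyrillic letter in "Monday" and a wording change. The code shows both what the normalization removes and what it cannot remove: whitespace and invisible code points vanish, a homoglyph is deleted rather than folded (so it still shows up as a changed word), and a wording difference only becomes visible because a second copy exists to diff against.

```python
import difflib
import re
import unicodedata

# Constructed sample copies of the same memo (not real documents).
COPY_A = (
    "The board will meet on Monday\u00a0to review the\u200b proposal.\n\n"
    "See  attached."
)
COPY_B = (
    "The board will meet on M\u043enday to review the propos\u00adal.\n"
    "See attached, per Smith."
)


def normalize_text(text: str) -> str:
    """Reduce text to ASCII words separated by single spaces."""
    # NFKD folds compatibility characters (no-break space -> space, ligatures,
    # full-width forms); anything still outside ASCII is dropped. That removes
    # zero-width and soft-hyphen code points but deletes homoglyphs rather
    # than folding them, so a Cyrillic letter shows up as a missing one.
    text = unicodedata.normalize("NFKD", text)
    text = text.encode("ascii", "ignore").decode("ascii")
    # Collapse every whitespace run: double spaces, tabs, blank lines and
    # line-wrap differences all disappear.
    return re.sub(r"\s+", " ", text).strip()


def residual_differences(copy_a: str, copy_b: str):
    """Word-level differences that survive normalization, as (a, b) pairs."""
    words_a = normalize_text(copy_a).split(" ")
    words_b = normalize_text(copy_b).split(" ")
    matcher = difflib.SequenceMatcher(a=words_a, b=words_b, autojunk=False)
    return [
        (" ".join(words_a[i1:i2]), " ".join(words_b[j1:j2]))
        for op, i1, i2, j1, j2 in matcher.get_opcodes()
        if op != "equal"
    ]


if __name__ == "__main__":
    for left, right in residual_differences(COPY_A, COPY_B):
        print(f"copy A: {left!r}  |  copy B: {right!r}")
```

Running it on the constructed copies reports two residual differences: the homoglyph-damaged "Monday" and the extra "per Smith." clause. An empty result for two copies is evidence that the text layer carries no per-copy mark, not proof that the file does; the package metadata and binary layout of the original file are separate channels and are not touched by text extraction.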
> I don't think this is an invasion of privacy at all.
I vehemently disagree. Most companies will just hide the fact they are collecting (and often selling) user data within slimy legalese.
Consumer protection includes niceties such as warranties, and protection against false advertising, and clear display of nutritional information and safety warnings.
Privacy also deserves the same treatment so users can make an informed decision, without having to wade through a hefty licence agreement.
I didn't mean to say most companies sell user data, but rather of the companies that sell user data, most are not straightforward about it.
Example: Onavo, Dolphin Browser, Opera Mini, Ask Toolbar
What I am emphasising is that while they could ask plainly, and state they are collecting your data, and then selling it to 3rd parties (even if in aggregate), they do not.
I would want users to be given a clear choice about what is happening with their data, and some companies have the integrity to do this.
By all means users should be asked for permission. I can't speak for others, but I personally don't often read ToS and that is my choice. In the event that there is something there that I object to and I miss it because I didn't read something I was supposed to, I'm not going to cry about it.
What do you suppose the best way to ask for permission is? Please provide actual examples, perhaps from the companies you respect.
> What do you suppose the best way to ask for permission is? Please provide actual examples, perhaps from the companies you respect.
Literally ask for permission. That's what Apple does, as does almost every other traditional desktop software developer. On first launch, or when an error occurs, or when some other event that would involve sending personal/usage data to Apple occurs, they:
- Ask if you want to send the data
- Provide details on what kind of information will be sent (including, in some cases, providing access to the data itself)
- ... and usually give you the option to always send that kind of data
I agree this is also a good way to ask for permission. Does Apple do this in iOS? I don't recall ever seeing it outside of OS X. I imagine it's difficult to clearly express why the app wants to send this data within the constraints of a UIAlertView.
iOS asks for permission before exposing location information, or access to contacts/photos and I can see why, the information is highly private. I don't agree that "this user pressed this button at this time" quite fits into the same category of privacy though.
> I agree this is also a good way to ask for permission. Does Apple do this in iOS?
Yep, just once.
> I don't agree that "this user pressed this button at this time" quite fits into the same category of privacy though.
You're going to consume the user's resources by sending that information, and most users don't really want you to (for obvious reasons), so it seems most ethical to ask first.
I can't speak for their dictionary, but KingSoft has an antivirus/internet security program which is nigh on impossible to uninstall, including extremely misleading messages on their uninstall screen.
I wouldn't touch any of their other stuff for that reason alone.
> I consider myself pretty good; I honestly have no baseline...
This is your only blocker to success. I also had a lack of self confidence -- I put this up to the pedestal we put university degrees upon.
By what you've done so far, it sounds like you are better than most 90% of people finishing with Computer Science degrees. There are employers who can see that -- but most recruiters do not (though they do latch on to buzzwords).
Demonstrate your passion and your skill and you'll easily get a job somewhere in the industry.
I second this. Take the first professional job you can get (and you can start freelancing and putting stuff on github to help you get that job); you can use that to bounce into a higher paying job after a year or two. Once you're inside the industry, people won't bother looking at your piece of paper or lack thereof.
I spent 3 years at University doing a completely non software related degree, gave it up, was doing freelance web design, then luckily managed to get into a professional software developer position (for relatively low pay). After 16 months I moved into another job with a 40% pay increase and much better environment/conditions.
After reading some of the insightful comments above, I'd like to add that it would be good to round out your skill set beyond web development. Learn C, it will teach you great things. Learn Linux (and read the source code), you'll learn a lot about how complex systems work.
If you do go down the path of university, then make sure you stray outside what they teach. Challenge yourself, because that's how you improve, and you'll also differentiate yourself when someone is looking to hire you.
Australia is similar in that regard, except the Federal government covers part of the full course cost, the rest being covered by a CPI indexed loan (HECS) which needs to be paid back once employment income exceeds $38k per year (taken from tax refunds -- we have tax deducted every payday).
That said, a typical university student will accumulate $9000 a year of HECS debt.
And yet Universities continue to cry poor, cutting student services and teaching staff, despite increased revenues from full fee paying international students over the past decade.
I'm perplexed as to why this is.
Edit: Just found this: http://www.nteu.org.au/library/view/id/3828 --
RMIT University spent $8.2 million on 19 "senior executive and council members".
That's ~$431k a head, or according to the Union "125 HEW 6 academic staff."
> In all institutional groupings—public and private—tuition prices increased faster than education and general spending per student. This suggests that both public and private institutions are becoming more dependent on tuition as a source of general revenue—not just to pay for education and related expenses, but as a general subsidy for all functions, including research and service.
Page 33:
> The primary cause of tuition increases in public institutions is not increased spending, but rather cost shifting to replace losses in state appropriations and other revenues.
What would you rather have?
1) Low tuition subsidized by higher taxes when you're working
2) Higher tuition but lower taxes later on
The market seems to have chosen (2). Whether or not taxes are actually lower is another question.
Personally, I think it's horrible to graduate with 80K+ in debt. To put it into perspective, my parents graduated with minimal debt. Their first debt was the purchase of a house, for about the same amount as student loans are now.
What would you rather have on graduation? Student debt, or no student debt and a house?
There is also a Python based "gpglib"[1] which currently is able to parse and decrypt GPG messages. All heavy lifting is done via PyCrypto so it's quite fast.
If you just need to do crypto in python use keyczar[1] or pynacl[2], and keyczar is probably the best bet.
But if you need to do gpg compatible crypto use the python wrapper for gpgme:
pygpgme exposes the gpgme library to Python. The product was started by James Henstridge. Beside Python2 it supports Python 3 since v0.3 (March 2012). The wrapping is done using python's C interface directly without using a generator tool like SWIG.[3]
It's fast like Slackware (which I liked when I tried it), very customisable by using PKGBUILD/AUR (similar to Gentoo portage, which is amazing for absolute control) and has an excellent wiki (https://wiki.archlinux.org/).
You'll also get the most up-to-date packages, and roll along happily.
If you feel you need a little more stability, then go with a Gentoo or Funtoo Stage3 install. :-)
Re FreeBSD, the best thing about it is the Port system, but you'll likely be hating the non-GNU userspace!
There really isn't /that/ much difference between BSD and GNU's user space. And definitely nothing that can't be found out after spending a few seconds in Google or the UNIX man pages.
Plus FreeBSD docs are excellent (in fact I've found them to be a more reliable source than even Ubuntu's - but that's a whole other topic).
I want to thank the flask team for this. We are using flask + gevent in production and it has been highly performant (1200 requests a second for our app) and stable :-)