san86's comments

This is good news indeed. I moved back to India 1.5 years ago because my wife could not work there. Not sad I moved back, but yes, a lot of people would be really really happy today.



Why not just overload the + operator in C++?


First thing I thought when I read the title:

    #include <iostream>

    // Int wraps an int and overloads + so that 2 + 2 prints 5:
    // the left operand is pre-incremented inside operator+ before the addition.
    class Int
    {
    private:
        int _value;

    public:
        Int(int value) : _value(value) {}

        // The ++_value is the whole joke: it mutates the left operand first,
        // so Int(2) + Int(2) evaluates 3 + 2.
        Int operator + (const Int& b) { return Int(++_value + b._value); }

        friend std::ostream& operator << (std::ostream& out, const Int& value)
        {
            out << value._value;
            return out;
        }
    };

    int main(int argc, char** argv)
    {
        std::cout << Int(2) + Int(2) << std::endl;
        return 0;
    }
output: 5


IMO Hashing on the client side is a terrible idea. There is now no way for the application to check the complexity of the password on the server side. Relying on client side controls to do the same is almost useless.


Why do you think it's useless? Not transmitting the password in plain text is clearly a win, and you can do whatever checks you need on the client side just as easily. (If a user wants to fool whatever checks you have, they can do that whether or not you have server-side checks--it happens all the time.)


It's fairly useless: If an attacker can sniff your connection he can just submit the encrypted password he sniffed to the server. The only win you have is that the attacker can't see the password itself, a potential bonus when people reuse passwords.

However, if you can sniff the connection you can probably alter it and inject javascript that submits the clear-text password to the attacker.


We are just talking about scrambling the password. You would still be using e.g. SSL/TLS or TLS-SRP for the transport. There's nothing "useless" about it.


Well, useless as in "added implementation complexity and no gain". It won't hurt much either, but you could be spending your time better elsewhere, for example in tuning your SSL/TLS setup.


No. There's absolutely a gain. A big one, too. The main reason it isn't done today is not that it isn't useful, but that it's too slow to run e.g. bcrypt on the client without native browser APIs. WebCrypto will change that by adding PBKDF2 as a module accessible from JavaScript.

The main reason we encourage people to use key stretching algorithms on the server is that, if an attacker gets access to a database of password digests that aren't very strong, they can trivially be reversed.

Doing this key stretching or "password scrambling" on the client side simply moves the processing burden from the server to the client. There is nothing less secure or less useful about it.


There is, if you don't again hash the passwords on the server. This is why new password-hashing proposals like [Catena](http://eprint.iacr.org/2013/525.pdf) include an official "server relief" mode where the majority of the hashing is done on the client side, but there's still a final server-side transformation step.

Until such time as these things are readily available, recommending that people do client-side hashing is absolutely going to result in trivially poor implementations.

You might want to consider that if these problems were as trivial as you seem to believe, there would already exist a library vetted by cryptographers to do exactly that.
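An added example (not from any commenter, and not Catena's actual construction) of the "server relief" split described above: the client does the expensive PBKDF2 stretching, the server applies one cheap final hash before storing, and the difference shows up when the password database leaks. The iteration count, user and password are constructed values for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo parameter; a real deployment tunes this to its hardware.
ITERATIONS = 50_000

def client_stretch(password: str, salt: bytes) -> bytes:
    """Client side: the expensive key-stretching step (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def server_finalize(client_hash: bytes, salt: bytes) -> bytes:
    """Server side: one cheap final hash, so the stored value differs from what the client submits."""
    return hashlib.sha256(salt + client_hash).digest()

def register(db: dict, user: str, password: str, server_relief: bool) -> None:
    """Store either the raw client hash (naive) or its server-side finalization (server relief)."""
    salt = os.urandom(16)
    ch = client_stretch(password, salt)
    db[user] = (salt, server_finalize(ch, salt) if server_relief else ch)

def get_salt(db: dict, user: str) -> bytes:
    return db[user][0]

def verify(db: dict, user: str, submitted: bytes, server_relief: bool) -> bool:
    """What the server checks when the client submits its stretched hash."""
    salt, stored = db[user]
    candidate = server_finalize(submitted, salt) if server_relief else submitted
    return hmac.compare_digest(candidate, stored)

def leaked_record_logs_in(db: dict, user: str, server_relief: bool) -> bool:
    """Replay the value sitting in the (leaked) DB as if it were the client's submission."""
    _, stored = db[user]
    return verify(db, user, stored, server_relief)

def demo() -> dict:
    naive, relief = {}, {}
    register(naive, "alice", "correct horse", server_relief=False)
    register(relief, "alice", "correct horse", server_relief=True)
    # Legitimate logins succeed in both schemes; wrong passwords fail in both.
    good_n = client_stretch("correct horse", get_salt(naive, "alice"))
    good_r = client_stretch("correct horse", get_salt(relief, "alice"))
    bad_r = client_stretch("wrong horse", get_salt(relief, "alice"))
    return {
        "login_naive": verify(naive, "alice", good_n, False),
        "login_relief": verify(relief, "alice", good_r, True),
        "wrong_pw_relief": verify(relief, "alice", bad_r, True),
        # Only the naive scheme stores a password-equivalent: a leaked row logs in directly.
        "leak_naive": leaked_record_logs_in(naive, "alice", False),
        "leak_relief": leaked_record_logs_in(relief, "alice", True),
    }
```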


I agree with you about SSL, client-side hashing seems like a solution for a very mature website with clientèle who strongly value their privacy. Something like Lavabit comes to mind (RIP). But "useless" is too strong a word. It is really trivial to use stolen credentials on other services, and effective to boot. But by hashing on the client side in addition to the server, you "double" the amount of effort required to perform the attack.


Password complexity is not a critical validation. The client-side code could easily perform the same validation before hashing. If someone hacked the client-side code and intentionally disabled the validation, then they could submit a weaker password, and that's not a big deal. It's a huge win if the plaintext password doesn't leave the browser.


"it's not terribly different from a random attack in the street or a shopping mall" You are right. However, the one difference is the reaction to an attack. It is fairly straightforward (these days) to get responders on the scene in a mall. A shooting or knife fight in an airplane is much harder to contain or react to.

Overall though, I agree with Schneier about the need for intelligence replacing TSA check points.


Well in Kenya the reaction wasn't great. Perhaps other countries are better prepared.


"This Google ad has moved people to tears across India and Pakistan"

Probably not all across India. I am from the south and neither I nor my ancestors have any personal experiences from the partition. Don't get me wrong, this is a great ad and I understand the emotion behind it, but this is only as moving as a similar story on the Israel-Palestine border (ok, maybe a little more because of my high school history books and representation in popular culture). Culturally, South India is more separated from the North compared with North India (Punjab, Delhi, Kashmir) and Western regions of Pakistan.

To me this is a well produced ad which highlights the troubles of a particularly cruel time in India's history. Nothing personal about it.


I did not see Elon complaining when a car launch got so much attention from the press. This just seems to be the other side of the same coin. This happens to every runaway success. Remember the "death grip" nonsense for the iPhone 4 and how it was blown out of proportion? Media loves the story of a man who worked against all odds to build/create something amazing. Unfortunately, they love "the fall of the guy" even more.


> Unfortunately, they love "the fall of the guy" even more.

Tesla went out of their way to flaunt the safety features of the car, alleging a 5.4 NHTSA score when the agency explicitly said that they don't issue scores that high. Tesla said they had the safest cars on the road, and this is the eventual result (people actually expect it to be safer).

IMHO the reaction is entirely appropriate given Musk's and Tesla's behavior up to this point. If Musk and Tesla weren't flaunting their safety claims, this wouldn't be a significant issue.


I kinda like what my employer does. There is a 1-5 ranking, but the distribution/buckets for bonus is determined after the reviews are complete. Of course, the concern here is that management "can" slot the buckets in a way that suits them, but I trust them enough to not do that. Due to this, no one knows "what needs to happen to get X bonus"; everyone is just trying to do their best to get to the highest score, and the amount of cash you get depends on what bucket you fall under.


A good point to note is that none of the major reports on the Snowden leaks came from tech journalists. The best op-eds and reporting came from the Guardian, WaPo and other mainstream outlets. This speaks volumes about the path taken by tech journalists. Having said that, I am not sure tech news sites (Mashable, TechCrunch, CNET etc.) are capable of "newsie" stuff. A lot of the top "reporters" who established the industry were techies first, journalists next. We need more traditional journalists understanding and writing about the tech industry (not in a naive way, which is what happens in traditional outlets these days) in a competent manner. This will probably lead to the kind of journalism the author hopes for.


I used to reddit a lot before I got hooked on to YC (usually the tech subreddit). I love the format but try to stay away from cat pictures.

