Forgive me for not looking at Chrome's source code on this, but I'm going to go ahead and assume that Chrome doesn't encrypt the passwords on the disk. You can easily do better than this while maintaining all of your current functionality.
On my system, I have installed scrypt and use it as a password management tool. When I need a password, I simply run a shell script I created, type my master password, and the password I'm searching for is placed in my clipboard.
Sure, I could write an extension to do this and I really should be concerned with the security of the clipboard implementation... but, those are fairly trivial (I do flush my clipboard buffer when I'm done).
This would be a simple solution for Chrome, actually. You already have all of the works for managing passwords implemented. All you need to do is add in the decryption process and simply not log the master password.
In this way, even the root user wouldn't have access to a user's passwords (as is currently the case with Chrome).
I would worry that after the copy and paste into the browser, copies of the password are found decrypted all over the place in RAM, and then if you don't have whole disc encryption it may creep in plain-text into swap.
This isn't a matter of police officers surrendering rights. It's a matter of whether or not they get special rights to privacy. If I can be recorded with video or audio, so can they. If they can have video/audio recordings in their vehicles to record the traffic stop or other encounters, so can I.
This is a ridiculous article. By ignoring the reality and focusing on only a small aspect of the economy, the author attempts to convey the idea that the current tax structure is not only bad for business, but bad for employees.
The author suggests that his company pays $74,000 to get $44,000 into his employee's, Sally's, pocket. The tone used implies that the other $30,000 is purely a waste. The key point conveniently ignored, however, is where that $30,000 goes. He mentions the abstract ideas of state and federal taxes, unemployment insurance, disability insurance, Medicare, and Social Security.
If we assume the author would be happy eliminating all taxes and insurance payments, we're left with a range of possibilities; he wants Sally to have between $44,000 and $74,000. Considering the article's purpose is to suggest he's not hiring because he doesn't believe Sally is worth $74,000, we can eliminate the high end (let's take off the top 10% and put Sally's max at about $66,000).
Starting from the $44,000 figure: $7,322 of that would have to go toward a supplemental system for Social Security. It's not government backed and Sally has to spend time managing her investments. As we've all recently learned, even without making any mistakes herself, she stands to lose a lot of money if the stock market fails. $1,712 would be spent on supplementing Medicare. The $12,000 in benefits would have to come from somewhere; in this worst case for Sally, we'll take it out of her pocket. Without paying taxes, Sally must pay however much the privatized school charges her. She must pay the privatized police force to protect her. She must pay the privatized fire station in case there is a fire. She'll pay tolls for every road she uses to get to and from work. I'm sure the author enjoys the ability the company has to lay off workers, so Sally will have to put back some money in case she becomes suddenly unemployed or temporarily disabled. That's $275 for the author today -- but Sally wouldn't have the benefit of a collective pool of funds, so she'd have to build up a buffer very quickly. So far, we're well above $21,309 not counting the costs to which we've failed to attribute any value (police, fire, roads, schools, et cetera). Let's assume those and associated services currently provided by the government are a very reasonable $8,691 per year (many private schools would be beyond Sally's reach). Whereas the author would save $30,000 to put the same $44,000 in Sally's pocket, just to maintain her standard of living today, she would need to easily spend that $30,000 out of her own pocket. Whereas the employer might then be willing to hire someone, Sally wouldn't be willing to work. Well, actually, she wouldn't have any choice but to work or die.
What about the magnanimous author who'll now pay Sally $66,000? Well, she'd bring home $66,000 and immediately spend $30,000 to pay for all the gaps that taxation left. Which means she'll effectively receive $36,000. That sucks for Sally and distills the author's argument down to: he wants to place the burden squarely on the shoulders of the workers so he can save money.
Obviously any employer will only spend as much on an employee as they make from having hired that employee. So, either Sally creates $74,000 in wealth or more OR she doesn't. That's the bottom line. Stop trying to blame taxation when the reality of the proposed system merely punishes the employee to the additional benefit (beyond the value already created by the employee for the company) of the employer.
Also, please note the multitude of public services I failed to mention which are supported with taxation. Research, universities, military, postal services, social services, public health, water, sewage, oversight and regulation... Without these, Sally's standard of living would likely be much worse than it is today.
By the way, you ~could~ argue that Sally could get by with less money for Social Security, Medicare, and benefits. It wouldn't work, though, as it would be predicated on the idea that individual endeavors would be more sustainable than large-scale investments among an aggregate population. Even if we opened these services up for private enterprise, it's unlikely that they would operate as efficiently or more than the government bodies. Some people take that as a maxim, but they don't evaluate the services currently offered with the appropriate considerations. The most notable of which is "Caveat Emptor." Private enterprise can cut corners and save money, sure -- but someone's paying the cost. In no research that I've seen do private industries significantly outperform government institutions without a lot of cajoling and numerical torture.
The postal service is a frequent scapegoat here. Yet, the price of a stamp has been nearly constant when evaluated based on purchasing power and inflation. Further, try doing a cost comparison between FedEx, UPS, and the USPS for the same package. I've worked in shipping and receiving and both FedEx and UPS have more than their fair share of delivery issues and damages. Yet, I get bills and letters in the mail _very_ regularly and reliably. Go figure.
I think most avoid Microsoft because of two main factors: cost and source.
You might think Microsoft is stable and that things tend to just work; but, if they stop supporting something you need -- you're SOL. If there is a bug that affects your software and it's low on their priority list -- you're SOL.
With FOSS, you can branch the project and not update and everything should continue to work as you'd expect. You can fix a bug yourself if the community doesn't think it's a priority.
What's more, with the new anti-IP laws in NZ and having the PirateBay being hosted by the Pirate Party, I imagine there will be a lot of very interesting changes in the FOSS community.
That's great -- assuming your applicant pool is small. Some employers throw out any application that's not printed on resume paper with the watermark oriented appropriately and an attractive font/style, et cetera.
Are these metrics truly indicative of an individual's skills? No. In fact, many applicants might print their application on hot pink A4 hoping to get noticed (and hoping that attention is positive).
Even with this tool, I'm merely reducing your applicant pool -- not selecting employees for you. My previous company used a few personality profile tests that were very effective in identifying people who'd work well at the company and with one another. That's not really the point, though. The point is determining who is a good Java developer and who isn't. Most recruiters I've dealt with know only buzz words and can't differentiate between well-qualified candidates and those who "used Oracle 10g to port BSD to J2EE over XSLT."
If your preference for UI engineers leans one way or another, the system would make appropriate corrections to the recommendations. Rather than getting a UI engineer who needs to work closely with a back-end developer and visual designer -- one who can pretty much only manage CSS and Flash work -- you can get results that include people who are more comfortable with the MVC framework, can handle templating in various languages, hate ActionScript, can sling JavaScript in their sleep, and have a keen eye for visual design.
I'm not offering a one-stop, all-inclusive solution. I'm merely suggesting a method by which to intelligently and functionally reduce applicant pools to something the HR department can handle.
He doesn't. But, of course, he doesn't control his ranking -- others do. So, deleting his account doesn't do anything to remove his ranking. Perhaps people who are below average will then drop off and the cultural relevance of a rating of 5 out of 10 will adjust itself. I'm betting that enough will stay to make the site worthwhile -- certainly anyone for whom the system works. Also... not all companies want a 10-point programmer. Those cost money. Some tasks only require a 5-point developer.
I have been looking at the HR problem too and FamousActress has a valid point. The chicken and egg problem here is HUGE... and anything that can be a "downer" or "demotivational" will not make it.
Again, even the idea of a '10 point programmer' or a '5 point programmer' is depressing, and I struggle to believe that it could accurately convey the complexity of the value that different people have in different contexts.
Where I DO see some interesting numbers having values in this area are where the numbers aren't rankings, but rather indications of participation, passion, and relevance. For instance, I think Stack Overflow scores.. or maybe even HN karma points, might both be really valuable indicators. If I got a resume from someone with a Stack Overflow score attached to it, I'd know that this is a person who participates, is a good communicator, and knows the answers to lots of tough questions! Not only that, but I can go look at his or her posts.
I think this is where your project needs attention... What's in it for the employee? If only '10 point' employees really like your service, then I think you're wasting your time.. '10 point' employees don't have problems finding work.
Interestingly enough, 10 point "employees" can and do have trouble differentiating themselves. MIT Ph.D. admission, for instance, is rather selective. There is much research available demonstrating that there is a huge qualitative difference between consummate achievers and great minds. Unfortunately, most businesses and schools have far too many applications for employment and need some easy metric to reduce the set to something approachable. I'm not suggesting a blind hire of the top guy. I'm trying to provide a more relevant metric than currently exists. Any other system I've seen in play is easy to game -- or hard to game, but in gaming it, you're becoming the opposite of what the company/school is seeking.
Further, "what's in it for the employee" doesn't enter into it. I could easily say: famousactress is rated as 8.34 for her dramatic performances but only at 5.21 in comedic roles. That has nothing to do with your willing participation. I agree that it's depressing to be considered sub-par. But, there are so many people trying desperately to stand out that they're losing their way.
Google can't hire the right sort of people because every metric they have attempted to date has resulted in honest, dependable, clean-cut, recently-shaven, knowledgeable CS graduates from top universities. Sadly, they're trying to expand a business built (like so many other startups) by the ideas of college drop-outs (or similar), who were too busy doing something interesting to go to class and get good grades. Those interesting things aren't bragging rights (level 80 character in each class and each faction on WoW appears on very few resumes).
If I attach my HN information, you might disagree with my positions and opinions. I'd miss out on the job based upon personal bias -- maybe I should. But, you'll notice my karma here is _very_ low. I suppose that seems justified since you're not on board with this concept. But, is it? Reddit is commonly gamed. If I had an outrageous karma score, would you think highly of me or consider me a karma whore?
Well, you might say, you'd simply read my posts. Great! Now, consider you have a highly coveted position and 10,000 applicants. You can only read the posts of about 20 applicants. Do you take the top 20 highest scores? What if the 21st highest was actually the best fit? Well, then you blame your metric. The reason you blame your metric is because people will game their karma scores to reduce their competition to only 20 other people who were busily whoring karma and not building necessary job skills. At the same time, you can't deal with 10,000 resumes. You need a metric that's not easily gamed and that's as representative as possible of an individual's skills.
Just like I can tag you in a photo on Facebook without your consent, this site would allow me to rate your skills as an actress and as a programmer. My opinion of your acting skill is pretty much worthless (whether it's good or bad); my opinion of your programming skill is more significant -- but I'm not going to single-handedly make you or break you.
So you want to build a FICO score for employees. Gotcha. I just think it sounds very challenging (or impossible) to get a number to reflect someone's fit for a position accurately.. and difficult to get adopted. It's complex enough to attribute a number that represents someone's ability to pay back a debt.. and that's based on fairly straightforward historical behaviors that aren't up for much debate... someone's skill and past job performance are subjective.. so you'll crowd-source it and hope that the score averages out, but that requires participation. What's the motivation to rate people? The whole thing sounds gross.
It does sound gross. I'll admit that. A friend of mine, after hearing about all the gory details, hated the idea. He said it was intrusive and ripe for abuse. Every bit of that is true. Your reservations are accurate and commendable. I'd have the very same objections.
But, I've got a few ideas about how to do some initial data mining to build a useful-yet-niched database. I'll target a specific industry and, I'm guessing, enough people will value their skills that they'll be happy to encourage their friends and colleagues to rate them. The hope is that this can be done quickly enough to generate sufficiently many data points for accurate analysis without the initial dataset.
Once that happens, I'm banking on the utility of the system. If it's as good as I hope, it'll be adopted by other groups. If it's not, then it should fail.
As far as the grossness factor and potential for abuse goes; I'm protecting user information as much as is humanly possible -- at least, to the limits of my own ability. The system will be open sourced and as transparent as possible. Unfortunately, I can only guarantee so much. I can't think of a way for users to verify what code is actually running on the server -- but, they can ensure that the data they are sending to the server is exactly what they expect. But, there is no certainty that the server isn't recording their IP and associating it with the input for future data analysis. Hm.
What happens to the popularity of the software when the hiring managers or HR people are rated poorly or even "just average"?
Think about the newest social games. The metric is progression. There are no downers. If you have a low score, it's because you're new to the game or haven't played enough. You always "gain" experience points, gold, whatever.
In order to get past the chicken and egg problem in the social space you need to turn the scale from 1 to 10 into 1 to infinity and give the perception of not punishing low scores.
I don't think so. Viewing one's site in terms of game mechanics is a fun idea and has some basis in game theory. However, all I really have to do is offer a winning value proposition. If you are a hiring manager and are rated fairly low on the managerial aspects, you might disagree with that evaluation of your skills. Any prudent person would not base their decision on one data point. Rather, the intelligent hiring manager would evaluate applicants based upon the site's relative ranking of that person compared to other members of his or her team.
While the perception of a 1 to infinity scale reduces the immediate negativity of being obviously below average... that illusion only works for a short period of time. When you start playing WoW 10 gold coins is a lot of money, you can delude yourself and harbor odd ideas about your worth. However, once you compare yourself to _anyone_ else, it becomes immediately apparent that 10 gold coins is practically worthless. As far as the "misdirection" is concerned, perhaps I ought to note some aspects of the UI.
Unlike LinkedIn or Facebook, the site doesn't revolve around the user. As such, when you visit the site or log in, you are not presented with your profile. Rather, the site is devoted to finding and comparing applicants. As such, the main page is a search page and most users will likely spend much of their time sorting through candidates. In fact, the only way a user could see their own data is to search for themselves. My guess is that that'll be a fairly common practice. My hope is that people will identify their weaknesses and either improve them or re-evaluate their career goals.
I know it seems harsh. But, the hiring practice is harsh. I sit people in a little, unfamiliar echo chamber and send in a string of people to scrutinize and judge them. I'm not trying to get everyone hired on at obscene salaries and stroke everyone's ego. My goal is not to paint the world with a rainbow facade of unicorns and fairies. I want to enable Harvard, Yale, MIT, IBM, Microsoft, Google, et cetera to have a tool which quickly and accurately separates the wheat from the chaff. If an individual's skills are average or worse, they're not likely to be working at a company which receives so many applications that some sort of automated elimination is requisite. Rather, they're probably looking for average people for average work at an average company. And there's nothing wrong with that.
Here on HN, there are a lot of startups with a different sort of problem. No applications, but strong desires/needs for well-qualified employees. In that case, this tool would also be useful. If a startup wants to rely on friends from college and guys met at HN meetups, that's fine.
Again, I appreciate any and all feedback and am aware of the cold start and related problems. I have a few solutions that I'm not interested in discussing here and now; but, I understand that this is a major concern and certainly appreciate people pointing it out.
"Downer" and "demotivational" seem to indicate that you're approaching this from the perspective of an employee. The site does not operate according to the willingness of employees to be evaluated. I am happy to rate my coworkers who are good or bad (in my opinion). I'm happy to be rated by them, my employers, and my peers. Not everyone feels the same way. That's fine. And, yes, there _is_ a cold start problem.
While I'm well aware of the issues with building a useful site (and have many ideas to circumvent them) -- I'm more interested in the perception of the utility of the site were it to exist and have a reasonably large data set.
People adjust very quickly and easily. Much of the inefficiency the commenters on this thread observe is either the result of intent or indifference. We've had the technology for years to make for "better" traffic flow. Studies have been done which demonstrate local maxima which aren't adopted by municipalities. The main barriers are archaic ideas based on felt truths and the profit motive.
Many city planners believe that stopping traffic frequently makes the city safer. This isn't true, of course. But, it seems true and it's easy to believe. If a city timed major traffic ways properly, it's been shown that accidents are reduced. But, facts are so inconvenient. Rather, lights are timed poorly, which causes greater pollution and tension. The drivers, seeking a more optimal path, start taking side roads and neighbors complain. So, the city, rather than improving the efficiency of their roads, makes the neighborhood streets less attractive by adding stop signs and speed bumps.
The other factor is the profit motive. Frustrated drivers who have limited options for side streets become increasingly likely to slip through changing lights or speed between signals. The result is, of course, greater revenue for the city. You'll note, this is also a completely unsafe situation. Ideally, our municipalities are there to make things better, easier, safer. Here, they're not -- yet, no one seems to complain.
What you can do, rather than introducing yet another optimization agent (humans do this pretty well), is organize a social movement to make your streets safer through applying demonstrably better solutions with existing technology. For instance, why do demand lights initiate an immediate change rather than simply queuing the change during the next light cycle? Negligence and miserliness.
Diaspora isn't the answer. It's reactionary. It tries to deal with privacy concerns but is limited because it ignores the utility of Facebook.
If I meet someone, I can exchange a lot of information with them by merely sharing my Facebook information. I can then "stalk" them and learn a lot about them. If there are n independent servers (for security), I'm now limited. I have to expose myself on a multitude of sites or convince others that my sys-admin is the most trustworthy in existence. The sys-admins need to make money, though. Even the most altruistic sooner or later run out of funds, right? You could argue that each of the n servers will be designed to share information and the user interface is no different than Facebook today -- however, if that is the case, then a malicious individual can add a node to the cluster and then scrape any and all data that comes by.
So, either it shares information freely so that anyone and everyone can exploit it, or it requires a lot more involvement from the user. The avoidance of which is exactly the reason people don't simply use: Flickr, MeetUp, evite, LinkedIn, Google Calendars, Twitter, PlentyOfFish, OkCupid, et cetera.
Privacy is a major concern. But, also, functionality is very important. If you want to topple Facebook do two things:
Guarantee privacy and revolutionize functionality. Here's how:
Privacy: The Zero-Knowledge Database.
By relying upon the client to compute deterministic indexes based upon user-input, you can abstract the relations from the database into the client space. The result is that you have two items, say a pet and owner that look like this:
Pet: id afb142, name Spot
Owner: id dsf513, name Data
When Data logs in with his username and password, those values are never sent to the server -- instead, they're used along with other information to create keys <afb142> and <dsf513>. This process is deterministic given the sign-on data, but difficult to reverse-engineer (a one-way, trapdoor function or hash). So, Data knows his pet is Spot, but anyone else, even with full access to the database, doesn't.
This database design facilitates collaborative filtering, demographics analysis, et cetera.
On Functionality: Pro-active social networking.
Facebook loses because it tells you what you know (or what your friends know). We've seen that globalization's promise of expanding our horizons is wrong -- we only become more niched. Yet, despite being very focused on a few topics, no one is exploiting this in a useful way. If you know that I enjoy older Country music and that I like a well-made cocktail, why can't your social networking site hook me up with a suggestion about what to do this weekend?
Right now, most people hear about new things through their contacts. But, their contacts have to be introduced to them through exploration or diffusion through their contacts. This process is slow and requires extensive contact networks of people with similar interests to find one another. The system, however, knows who likes Hank Williams and it knows who likes a perfect Vesper. Through some basic analysis, why can't it suggest to me a bar and a band this weekend based upon what other people with similar taste are doing?
Imagine waking up in the morning and logging into NotFacebook... it tells you about a few articles on HN, Reddit, and a number of blogs. Some are bloggers you know and love while others are new-to-you bloggers writing about subjects you enjoy. The system also recommends dinner at a restaurant that's recently enjoyed positive reviews from your fellow mushroom-hating, meat-loving epicureans. It knows you and Sam are free (Sam has similar taste, after all, and is a good friend of yours).
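The "zero-knowledge database" sketch above (Pet/Owner rows stored under keys derived from the sign-on data on the client) as an added example; it is not the commenter's code. It assumes PBKDF2-HMAC as the one-way stretching step where the comment leaves the function unspecified (scrypt, mentioned earlier in the thread, would fit equally), a constructed user "data" with a constructed password, and an in-memory dict standing in for the server.

```python
"""Client-side deterministic record indexes: the server stores rows under
opaque ids and never sees the username or password they were derived from."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Deliberately slow: anyone holding the database can test a guessed
# username/password pair offline by checking whether the derived index exists,
# so the stretching step is what makes that guessing expensive.
KDF_ITERATIONS = 200_000


def derive_root_key(username: str, password: str) -> bytes:
    """Stretch the sign-on data into a root key. Runs only on the client.
    The username is folded into the salt so identical passwords at two
    accounts still yield unrelated keys."""
    salt = b"nfb-index-v1:" + username.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def record_index(root_key: bytes, label: str) -> str:
    """Deterministic, one-way index for one of the user's records ('pet', 'owner').
    Keyed HMAC: without the root key the indexes cannot be reversed or even
    related to one another, which is the property the comment relies on."""
    digest = hmac.new(root_key, b"index:" + label.encode("utf-8"), "sha256")
    return digest.hexdigest()[:16]  # shortened id in the spirit of 'afb142'


class OpaqueStore:
    """Stand-in for the server side: a flat map from opaque index to row.
    It holds no usernames, no passwords, and no owner -> pet relation."""

    def __init__(self) -> None:
        self.rows: Dict[str, dict] = {}

    def put(self, index: str, row: dict) -> None:
        self.rows[index] = row

    def get(self, index: str) -> Optional[dict]:
        return self.rows.get(index)


def client_session(store: OpaqueStore, username: str, password: str) -> Dict[str, Optional[dict]]:
    """What the client does after sign-on: recompute its indexes locally and
    fetch its rows. Wrong credentials simply derive indexes that hit nothing."""
    root = derive_root_key(username, password)
    return {label: store.get(record_index(root, label)) for label in ("owner", "pet")}


def demo() -> Tuple[Dict[str, Optional[dict]], List[str]]:
    """Constructed scenario: user 'data' registers an owner row and a pet row,
    then signs in again. Returns (client's view, server's view of the ids)."""
    store = OpaqueStore()
    root = derive_root_key("data", "correct horse battery staple")  # constructed credentials
    store.put(record_index(root, "owner"), {"name": "Data"})
    store.put(record_index(root, "pet"), {"name": "Spot"})
    # The server only ever sees these opaque ids; nothing ties "Spot" to "Data".
    server_view = sorted(store.rows)
    return client_session(store, "data", "correct horse battery staple"), server_view


if __name__ == "__main__":
    client_view, server_ids = demo()
    print("client sees:", client_view)
    print("server sees only:", server_ids)
```

Note that the row contents ("Spot") are still plaintext on the server, exactly as in the comment's sketch; what is hidden is which opaque rows belong together and to whom.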