
11-07-2012 , 02:47 PM
hey guys. here's a hypothetical on taking an offer in a start-up-ey company. established (5+ years), doing well, just broke profitable, so no more VC. the position is senior/lead software engineer in a department of 50-80.

offer A: $Xk base salary, plus $Xk guaranteed cash bonus spread over 3 years (let's say evenly).

offer B: $Xk base salary, no bonus, Y % optioned equity in the company.

how large does Y have to be for offer B to be better than A?
** UnhandledExceptionEventHandler :: OFFICIAL LC / CHATTER THREAD **
11-07-2012 , 02:57 PM
There are honestly so many variables about the company and about your personal lifestyle/preferences that it's impossible to answer.

I guess at the very least I'd want to know how the bonus compares to your base salary. If it's 5% of your base salary I'd be much more inclined to take the options. If it's 50% of your base salary I'd be much more inclined to take the bonus.
11-07-2012 , 03:18 PM
Quote:
Originally Posted by jjshabado
There are honestly so many variables about the company and about your personal lifestyle/preferences that it's impossible to answer.

I guess at the very least I'd want to know how the bonus compares to your base salary. If it's 5% of your base salary I'd be much more inclined to take the options. If it's 50% of your base salary I'd be much more inclined to take the bonus.
the bonus is the same amount as your salary, just spread over 3 years. so you could say 33% annually.
11-07-2012 , 03:40 PM
Currently in an intense nerd fight in the comments on SO:

http://stackoverflow.com/questions/1...nerator-in-php

He's Rook.

I cannot stop laughing -- this is officially the nerdiest thing that I have ever done in my life.

It makes it 10x funnier when you read this guy's comments to other people's questions:

http://stackoverflow.com/users/183528/rook?tab=activity

Nuggets of pure comedy gold in there. I keep picturing that rude, mean computer guy from the SNL skit.

EDIT: Be sure you click "show more comments" or whatever so you can see it all.
11-07-2012 , 03:51 PM
TBH, I am slightly confused by the question...? HMAC works on the principle of a shared secret... only your server, and the calling application should have access to the shared secret, if anyone else gets access to it, then they could very easily spoof requests.
11-07-2012 , 03:52 PM
sd,

This wouldn't even make the top 10 of nerdiest things I have ever done. This is just standard condescending snippiness you see very often in IRC and programmer forums. SO isn't terrible about it generally, but it's there too. Trying to fight it is a losing battle.

I am confused about your question though. Doesn't HMAC always require a secret key known only to the signer and the verifier?
11-07-2012 , 04:02 PM
Quote:
Originally Posted by MrWooster
TBH, I am slightly confused by the question...? HMAC works on the principle of a shared secret... only your server, and the calling application should have access to the shared secret, if anyone else gets access to it, then they could very easily spoof requests.
The setup is a JS file hosted on my server, and remotely included on a customer's web site. The JS file sends an Ajax request for a hashed signature from the client's page to my server.

Basically I was thinking about how an HMAC signature setup could work where the client only needs to include a Javascript file, without any code on the server.

He may have been right that the question wasn't worded as well as it should have been. I have no problem with that feedback, but that wasn't the issue.
11-07-2012 , 04:04 PM
Quote:
Originally Posted by gaming_mouse
sd,

This wouldn't even make the top 10 of nerdiest things I have ever done. This is just standard condescending snippiness you see very often in IRC and programmer forums. SO isn't terrible about it generally, but it's there too. Trying to fight it is a losing battle.

I am confused about your question though. Doesn't HMAC always require a secret key known only to the signer and the verifier?
Eh, it may not have been the nerdiest thing I've done either, but for some reason I've been getting a kick out of this guy.

Does the answer I gave MrWooster clarify it? There's no doubt I'm not articulating it as well as I should.
11-07-2012 , 04:08 PM
Quote:
Originally Posted by sdturner02
The setup is a JS file hosted on my server, and remotely included on a customer's web site. The JS file sends an Ajax request for a hashed signature from the client's page to my server.

Basically I was thinking about how an HMAC signature setup could work where the client only needs to include a Javascript file, without any code on the server.

He may have been right that the question wasn't worded as well as it should have been. I have no problem with that feedback, but that wasn't the issue.
If the whole thing is over https, and the client is logged in, why do you need an HMAC?

If it's not over https, then you can never send the secret key securely to begin with, so it won't be secure. Maybe I still misunderstand what you're trying to do?
11-07-2012 , 04:10 PM
Oh, I forgot to mention -- his comment that I was referring to was something to the effect of "f--- you 1st amendment"

I drop the f-bomb about every 6th word, but I love SO, and I don't want it to deteriorate into a rat's nest of mean-spirited comments like HN did.
11-07-2012 , 04:23 PM
Quote:
Originally Posted by gaming_mouse
If the whole thing is over https, and the client is logged in, why do you need an HMAC?

If it's not over https, then you can never send the secret key securely to begin with, so it won't be secure. Maybe I still misunderstand what you're trying to do?
Yeah, I really wish I had left the SSL part out. My hope was to find a solution that wouldn't necessarily require SSL since my server will be communicating with a client's server that I don't control. I actually was hoping that by indicating my awareness of SSL and OAuth, the somewhat non-standard use of a JS CORS request would invite a solution that I hadn't been able to find.

Also, I searched through dozens of SO questions, and there were tons of unanswered posts where people sort of dismissively answered with "Use OAuth". It was a misguided effort to avoid such a fate.

At any rate, further evidence to conclude that it was a poorly worded question.

I should also say, I don't think the scenario that I'm talking about is actually achievable.
11-07-2012 , 04:28 PM
Quote:
Originally Posted by gaming_mouse
If the whole thing is over https, and the client is logged in, why do you need an HMAC?

If it's not over https, then you can never send the secret key securely to begin with, so it won't be secure. Maybe I still misunderstand what you're trying to do?
They wouldn't be logged in for this case. You're exactly right, it would be pointless if they were.

I'm not trying to transfer a key at all. I was trying to allow a client to request a hashed signature that will be used to authenticate a request that will happen later.

Edit: Screw it, just gimme a second and I'll type up exactly what I'm trying to do. I have no idea why I'm being weird about answering this. Hang on.
11-07-2012 , 04:28 PM
A client's server... So this is not a standard web app?
In any case, you'd need a way to get them the secret key securely. That part has to be done over SSL or some other secure protocol. If you send them the key in an insecure way, everything that follows is insecure, so yeah, it sounds like it's not possible. If there is some installation procedure on the client's side, you could make downloading the key from a secure link part of the procedure or something, but it's hard to tell if that's even relevant to your situation.
11-07-2012 , 04:30 PM
Quote:
Originally Posted by jjshabado
There are honestly so many variables about the company and about your personal lifestyle/preferences that it's impossible to answer.
This, you really need to quantify how much the stock is worth and what you think the realistic viability of the company's growth is and potential future dilution.

If it's $x in bonus vs. the same $x in current day stock value, then sure seems like stock is a no brainer if you believe in the company. You might be able to ask for MORE than $x in stock because it doesn't cost the company the cash that's important now, plus the fact that it ties you into the company is a big plus for them.
11-07-2012 , 04:30 PM
Quote:
Originally Posted by sylar
the bonus is the same amount as your salary, just spread over 3 years. so you could say 33% annually.
And when you say options, you mean non-discounted options, right? So basically your strike price is at or above the price per share paid in the last fundraising round.

Without other details I'd go with the bonus. If you take that extra income and invest it in various other places you can probably get a better return rate at a lower risk. Taking the options basically means you're investing 1/4 of your salary in the new company. I think you have to be very confident in its future to do or have your salary be small compared to your net worth (which for most of us is usually not true).
11-07-2012 , 04:43 PM
@sdturner02

Am I right in thinking that you are looking for a way to securely transfer data from the client's browser to your server? It's still a bit unclear in my head, but I will go forward based on that assumption.

IMO, using HMAC or OAuth (or any other hash-based authentication) is not the correct solution here. If the page is not over SSL, then there is no way to guarantee authenticity of the message (someone could tamper with the JavaScript... man-in-the-middle attack) and as you point out, someone could use your API to generate their own messages.

It's important to note here that without SSL, you have no guarantee that a message has not been tampered with. Since you are sending the client the JS code, this is susceptible to even a man-in-the-middle attack.

My advice would be to use SSL with a secure cookie, identifying the client. The flow would look something like this:

* Initial request to server, secure cookie is set with UUID identifying client
* Client makes ajax request to server
* Cookie checked for UUID
* If UUID matches authenticated user then proceed

Hope this helps
11-07-2012 , 05:28 PM
Hey guys, this problem doesn't seem thread-worthy so I'm going to put it in here. If it's in the wrong thread/section just lmk

I'm just beginning java and I've been asked to write a program that will print the first ten numbers in the sequence 1, 8, 27, 64, ... (Cubes) on the screen using a while loop.

I currently have the following

Code:
    System.out.println("");
    System.out.println("\nLoop to print the first ten numbers in the sequence 1, 8, 27, 64...");
    System.out.println("");

    int i = 1;                          // position in the sequence
    while (i <= 10)                     // first ten terms
    {
        System.out.print(i * i * i + " ");   // cube of i, printed in a row
        i++;                            // advance to the next term
    }
    System.out.println();
Thoughts on how I would keep cubing i and print the answers in a row, e.g.: 1 9 27 64 etc.

In my first attempt I created a bunch of variables and did i = i * i * i, a = a * a * a (a = 2), b = b * b * b (b = 3), but this looked really clogged up and we are supposedly penalised for over-use of variables. There must be a simple piece of code to do this?

Thanks for any help
11-07-2012 , 05:40 PM
Quote:
Originally Posted by jjshabado
And when you say options, you mean non-discounted options, right? So basically your strike price is at or above the price per share paid in the last fundraising round.

Without other details I'd go with the bonus. If you take that extra income and invest it in various other places you can probably get a better return rate at a lower risk. Taking the options basically means you're investing 1/4 of your salary in the new company. I think you have to be very confident in its future to do or have your salary be small compared to your net worth (which for most of us is usually not true).
good point. although these are pre-ipo options, so i believe they are at exactly last fundraising price. lol, if they are above.
11-07-2012 , 05:48 PM
Quote:
Originally Posted by ProdigyXII
Hey guys, this problem doesn't seem thread-worthy so I'm going to put it in here. If it's in the wrong thread/section just lmk

I'm just beginning java and I've been asked to write a program that will print the first ten numbers in the sequence 1, 8, 27, 64, ... (Cubes) on the screen using a while loop.

I currently have the following

Code:
    System.out.println("");
    System.out.println("\nLoop to print the first ten numbers in the sequence 1, 8, 27, 64...");
    System.out.println("");

    int i = 1;                          // position in the sequence
    while (i <= 10)                     // first ten terms
    {
        System.out.print(i * i * i + " ");   // cube of i, printed in a row
        i++;                            // advance to the next term
    }
    System.out.println();
Thoughts on how I would keep cubing i and print the answers in a row, e.g.: 1 9 27 64 etc.

In my first attempt I created a bunch of variables and did i = i * i * i, a = a * a * a (a = 2), b = b * b * b (b = 3), but this looked really clogged up and we are supposedly penalised for over-use of variables. There must be a simple piece of code to do this?

Thanks for any help
Just increment i at the end of the while-loop and use that again. Print it or add it to a string-variable and then print it once the while is done. Run the while-loop while i<11 to get the results for 1-10.
11-07-2012 , 05:49 PM
Quote:
Originally Posted by sylar
good point. although these are pre-ipo options, so i believe they are at exactly last fundraising price. lol, if they are above.
Yeah, I don't really know how that works. I think my last company (also pre-IPO) raised the option price granted to new employees over time even without doing a funding round. I don't know for sure though.
11-07-2012 , 05:50 PM
Thanks for the reply. A friend just told me the same thing and it's worked perfectly. Why didn't I think to put i++; at the end of the loop? Because I'm a moron, thanks again.
11-07-2012 , 05:57 PM
Quote:
Originally Posted by sylar
hey guys. here's a hypothetical on taking an offer in a start-up-ey company. established (5+ years), doing well, just broke profitable, so no more VC. the position is senior/lead software engineer in a department of 50-80.

offer A: $Xk base salary, plus $Xk guaranteed cash bonus spread over 3 years (let's say evenly).

offer B: $Xk base salary, no bonus, Y % optioned equity in the company.

how large does Y have to be for offer B to be better than A?
The good news is that they didn't offer you a C. If they offer you a C that is pretty similar to A or B but slightly better/worse...snaptake the nonsimilar one and lol all over them (or better yet away from someone offering like that).

Also parrot making tool story on HN was interesting imo:
http://arstechnica.com/science/2012/...n-in-the-wild/

Reminds me of programmers captured in offices building tools :P

Last edited by clowntable; 11-07-2012 at 06:06 PM.
11-07-2012 , 05:58 PM
What I've been working on is a way to allow ajax file uploads from the user's browser directly to a third party. As a component of that, I'm also working on a way to allow these browser-to-3rd party uploads to occur by only including a JS file on the page.

For example, say we're using S3. Direct to S3 uploads are fairly trivial with Amazon's POST form upload API, but that still requires an HMAC signature with the secret API key as the hash key. I want to avoid relying on a client's server.

My thinking is that the uploader JS file could automatically make a request for a single use upload HMAC signature on page load (or maybe when the user clicks to browse for files, doesn't matter). This signature is appended to the CORS ajax request that will be later used to upload the file, allowing the upload to be authenticated and received.

Of course, if we want to allow multiple file uploads, we'll need to request a fresh signature as well.

Here's a decent looking example of how direct to S3 XHR uploads could occur:

https://github.com/carsonmcdonald/di...upload-example

The problem with this is that anybody can generate a signature just by calling signput.php. I only looked over it quickly -- I'll review it more in a bit -- but I think he's basically doing what I was saying.

Also, I'm not sure why I was being evasive with those answers because I never have a problem sharing ideas with people. Probably has more to do with fear of criticism than pilfering ideas.

At any rate, one of the ideas I've been pondering lately is a better video transcoding service geared toward developers.

My idea is to allow developers to provide video upload transcoding capability with only a single JS file and some minor configuration. As txpstwx and I recently discovered together, video uploading and transcoding can be a pain to get set up.

Videos would be uploaded from the browser to my server, transcoded based on whatever settings the dev has opted for, and then automatically dropped into an S3 bucket designated by the developer after transcoding is completed.

Based on developer preferences, notification of completion could occur by calling a specified URL, returning JSON or some other response to the browser, etc.

Of course, I'd allow developers to send files with a PUT request if they don't want direct uploading.

Some reasons why I think it may have some potential:

1. I'm not 100%, but I don't think anyone is offering turnkey direct-to-the-server uploading that automatically places the completed file in your S3 bucket.

2. File uploading is a hassle, particularly for videos. They're usually large files, so it's practically a requirement to use Ajax style uploading with a progress bar. Large uploads without any sort of progress indicator will often be aborted b/c users think the browser froze up.

3. Only one or two transcoding services have built in support for adding a file upload progress bar. In the one I'm thinking of, Flash is required for IE users. I can support cross-browser upload progress bars that don't require Flash in IE. It works right now. I abstracted away the JS so that only a single progress() function will return progress data, no matter which browser you're in.

4. Pricing models for several transcoding services are just awful.

Quote:
Originally Posted by MrWooster
@sdturner02

Am I right in thinking that you are looking for a way to securely transfer data from the client's browser to your server? It's still a bit unclear in my head, but I will go forward based on that assumption.

IMO, using HMAC or OAuth (or any other hash-based authentication) is not the correct solution here. If the page is not over SSL, then there is no way to guarantee authenticity of the message (someone could tamper with the JavaScript... man-in-the-middle attack) and as you point out, someone could use your API to generate their own messages.

It's important to note here that without SSL, you have no guarantee that a message has not been tampered with. Since you are sending the client the JS code, this is susceptible to even a man-in-the-middle attack.

My advice would be to use SSL with a secure cookie, identifying the client. The flow would look something like this:

* Initial request to server, secure cookie is set with UUID identifying client
* Client makes ajax request to server
* Cookie checked for UUID
* If UUID matches authenticated user then proceed

Hope this helps
This is very strong deductive reasoning.

The signature request and the file upload will always be over SSL. I can control that, so I can rely on it being there. I can't guarantee the same for the actual page.

Anyway, that took forever to type. Fire away.
11-07-2012 , 06:15 PM
Given the above... is it such a big deal if anyone can generate a valid HMAC just by calling your script? All they would be able to do (presumably?) would be to upload a file to your S3 bucket (something which the system is intended for anyway). You would want to implement some sort of rate limiting to stop spammers.

Having said that, you should tread carefully if you are going to take this approach. Allowing users to upload directly to S3 gives you very little control over the content they are uploading. You have no control over file size, or file content. A malicious user may decide to upload 100s of GB of files just to give you a large bill at the end of the month from Amazon. This is why services typically upload the file to a server before passing it on to S3... gives you much more control.

Edit: Another potential issue here is that you don't have any control over the file name... a malicious user could upload a file containing bad code, with the filename of a trusted file, and the trusted file would be overwritten.
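As an added example (not from the thread or from the linked signput.php repository), here is how the signing side can close the three concerns above: anyone being able to mint a signature, no cap on size, and no control over the file name. The server mints a short-lived grant that pins the object key, size cap and content type, signs it with a key that never leaves the server, and consumes the grant's nonce on first use so it cannot be replayed. The policy layout, key names and the in-memory nonce store are constructed for illustration and are not Amazon's POST policy format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-only signing key (constructed for the demo; never sent to the browser).
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_BYTES = 50 * 1024 * 1024          # size cap written into every grant
ALLOWED_TYPES = {"video/mp4", "video/webm"}
TTL_SECONDS = 300                     # grants are valid for five minutes

# Stand-in for a shared store (DB/Redis) of unconsumed nonces: nonce -> expiry.
_issued = {}


def issue_upload_grant(customer_id, content_type, now=None):
    """Mint a single-use grant; the server, not the uploader, chooses the object key."""
    now = time.time() if now is None else now
    if content_type not in ALLOWED_TYPES:
        raise ValueError("content type not allowed")
    nonce = secrets.token_hex(16)
    policy = {
        "key": "uploads/%s/%s" % (customer_id, nonce),  # unique key: no overwrite of trusted objects
        "max_bytes": MAX_BYTES,
        "content_type": content_type,
        "exp": int(now + TTL_SECONDS),
        "nonce": nonce,
    }
    encoded = base64.urlsafe_b64encode(
        json.dumps(policy, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, encoded.encode(), hashlib.sha256).hexdigest()
    _issued[nonce] = policy["exp"]
    return {"policy": encoded, "signature": sig, "key": policy["key"]}


def verify_upload(grant, key, size, content_type, now=None):
    """Check a grant presented with an upload; returns (accepted, reason)."""
    now = time.time() if now is None else now
    encoded = grant.get("policy", "")
    sig = grant.get("signature", "")
    expected = hmac.new(SIGNING_KEY, encoded.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"          # policy was altered or forged
    try:
        policy = json.loads(base64.urlsafe_b64decode(encoded))
    except ValueError:                         # binascii.Error and JSONDecodeError both subclass ValueError
        return False, "malformed policy"
    if now > policy["exp"]:
        return False, "expired"
    # Single use: the nonce is consumed on the first presentation, valid or not.
    if _issued.pop(policy["nonce"], None) is None:
        return False, "replayed or unknown grant"
    if key != policy["key"]:
        return False, "key mismatch"           # uploader may not pick its own file name
    if size > policy["max_bytes"]:
        return False, "too large"
    if content_type != policy["content_type"]:
        return False, "content type mismatch"
    return True, "ok"
```

A real deployment would keep the nonce store outside the process and still pass uploads through a server that enforces the size cap on the actual bytes, since the grant only bounds what the uploader claims.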
11-07-2012 , 06:51 PM
Quote:
Originally Posted by MrWooster
Given the above... is it such a big deal if anyone can generate a valid HMAC just by calling your script? All they would be able to do (presumably?) would be to upload a file to your S3 bucket (something which the system is intended for anyway). You would want to implement some sort of rate limiting to stop spammers.

Having said that, you should tread carefully if you are going to take this approach. Allowing users to upload directly to S3 gives you very little control over the content they are uploading. You have no control over file size, or file content. A malicious user may decide to upload 100s of GB of files just to give you a large bill at the end of the month from Amazon. This is why services typically upload the file to a server before passing it on to S3... gives you much more control.

Edit: Another potential issue here is that you don't have any control over the file name... a malicious user could upload a file containing bad code, with the filename of a trusted file, and the trusted file would be overwritten.
I should have separated that last wall of text into two posts.

The first part about uploading directly to S3 was just an example of what I had been working on as far as direct browser uploads and what I was referring to in my original SO question.

In real world application I would never allow anyone to upload directly to an S3 bucket. You're correct on every point.