Answering the HN title, as a self-taught developer, I did some full-stack web development work (pro bono) for a small company and built my reputation up there over 2-3 months. From there that company introduced me to a staffing agency which has placed me in interviews with above-market offers (starting my next project through them soon!)
I have had no recruiters or clients question my lack of formal education (I'm 2 history classes away from an associates) except for a health care organization who's insurer required their workers (direct-hire/contractor) have a degree by their definition of being HIPPA compliant.
I've built relationships up over time and have proven myself to others that I can deliver and solve technical problems - really, they're sponsors... I mean, isn't that all a degree is, someone trusted saying you can do something?
I've imagined mesh networks across weaker frequencies, it'd probably require some new protocols but I haven't done that much research so I'm just not aware of any.
If devices or modems/routers were accessible and marketed correctly, I think the niche would grow with passionate users. Just knowing you could hop off of your terrible ISP (or at least avoid them some) would be enough for many people.
What's the possibility of using this exploit to patch the vulnerable Android systems?.. or to root the phone? It'd be an interesting solution against the time we'll have to wait for carrier services/manufactures to straighten themselves up.
(Say, if, oh I don't know... Knox and My Verizon got disabled or removed, Verizon would have no proof to void my warranty. It was Starbucks' wifi, promise!)
The detecting of hijacked sessions with browser fingerprinting (mouse movements, typing speed, etc.) is a very neat idea - something that could be used to throw off red flags or have users sign-in again with the appropriate warnings and education.
I've gotten passed this with the help of two reasons, the first is because ISO images (even for minimal installs...) are huge and HTTPS'ing it all would be an expense from the mirror's end (hopefully with better tech this'll become an after-thought...) and secondly I've learned enough to generate my own checksums to copy and paste across search engines (in Google and with quotes, search strictly for your checksum and look for multiple sources sharing the same context regarding your download/image.)
I've had the luck finding and verifying the majority of what I'd concern myself with. But what really frustrates me is downloading something (verified and all...) and then record its traffic downloading its updates via HTTP. I don't know if it's verifying its own downloads but I simply wish applications were more transparent or that applications had no shame in throwing up a screen providing the checksums of its downloads (well maybe for the users like me who have the time to put towards verifying every thing coming in.)
So I love Notepad++, but I hate how its plugin manager (last time I checked...) downloads the majority of, if not all, its plugins from sourceforge and over HTTP. Windows UAC will pop up saying the newly selected plugins want to make changes to my computer - no, I stop there. If I can, then I'll download the plugin from its developer's GitHub and prepare it to use for Notepad++ myself. The plugin manager could be verifying packages, the packages could be hosted on something other than sourceforge, or whatever else. This is a rant over things I've already built habits and routines around.
> If you think of a Google or cheat sheet lookup like a disk access, well memory is faster than disk.
I like this analogy - not just its application to the current conversation, but because I consider myself to be understanding of a topic when I no longer have to look it up, but instead I know the topic in principle and all I lookup are minor details (maybe like an address in memory to find something on disk?)
For you Firefox users, try the add-on RequestPolicy (https://requestpolicycontinued.github.io/) and before a site opens or redirects to another domain, you'll be prompted (you can make policies around your decision for future instances.)
Sorry, I made a bad implication that the backend would check to see if $MASTER_EMAIL was one of the three, as you called them, white-listed values ("postmaster", "hostmaster" or "webmaster") and if not then to stop processing the form.
When prompting for "postmaster", "hostmaster" or "webmaster", the values in that form should be just those and StartSSL should then put the two together ($MASTER_EMAIL + "@" + $DOMAIN.) They shouldn't assume that the "sendToEmail" value wasn't tampered with or overridden. If the original poster didn't include his screenshots or his steps then I wouldn't believe such a stupid mistake, especially one made by a certificate authority.
Back before I found Gandi.net I came across StartSSL (I was looking for basic SSL certifications.) At the time StartSSL's website was horrible, and I mean ugly, it turned me away because it felt so unprofessional. I see now, even with a new flashy website, that they still remain unprofessional (maybe not in their looks, but obviously in their practices.)
We're thinking along the same lines. It'd be interesting to root your device while navigating around any voided warranties on the basis of your carrier's, or Google's, neglect (I am definitely not a lawyer.)
AND... could one possibly use this exploit to push their own patch? Could someone who has a payload with a fix mass-message all android users? That payload could also try and send itself to others within the then-patched device's contact list.
I use camel case when the subject needs two words in order to identify it. Underscores, I feel, can be used to separate and include multiple ideas within a single name, in order to explain or emphasize on a relationship.
The lack of HTTPS when using Comcast's XFINITY web mail is still beyond me.
HTTPS is used when logging in, however everything else after that prompt is over basic HTTP (session IDs, inbox data, message data, contacts list, etc). I do not communicate much with my provided Comcast email, but I know others who tie a lot of services to it.
Until Comcast provides standard web security, they endanger their customers as well as whoever else involved (paying Comcast or not).
Edit: nevermind, this would prevent you from retrieving the password - I had in mind a password generator, sorry.