
Not necessarily best practices, but I recommend the Matasano Crypto Challenges to basically everyone. I make all of the developers on our team do them too:

http://cryptopals.com


Those challenges teach vulnerabilities in old, low level cryptographic primitives. As much as I enjoyed those challenges, they are not a good place to start for a developer trying to build a secure application.


Low level, yes. But, old? We cover AES, HMAC, stream ciphers, GCM, RSA, DH, SRP, and elliptic curves. The criterion for inclusion on the first 6 sets of challenges was "had to be something we took advantage of on the job at Matasano". It's not textbook stuff.

Part of the point of the crypto challenges was to illustrate why people shouldn't work directly with low-level primitives, as a sort of antidote to the kind of advice OWASP gave out.


The first set of problems are all very simple, but you have to start somewhere.

I'm not sure that the cryptopals challenges are the best way to learn exactly how you should be implementing everything, but I've found the knowledge that I gained from doing the challenges very applicable in my daily job and definitely helped further my understanding of crypto in a way that reading a book just couldn't do.


Part of the point that I got with cryptopals is how easy it is to break stuff that you thought was hard to break.

There is a theory that we practice on my team that you don't really understand something unless you try to break it. And this team regularly tells developers facts about their programs and systems that were previously unknown to them.


I don't know much about how a developer should try to build a secure application from the get-go. I don't think I've ever worked on or assessed a codebase where that plan worked.

I did the challenges years ago when you had to email in for them. Since then I can count at least five occasions where having done the challenges has allowed me to identify vulnerabilities in real-world crypto. I was usually able to recommend fixes that in theory made those codebases more secure. This is keeping in mind that I'm at best a hobbyist security researcher and just barely a professional developer.

I think there are about seven or eight people on Earth that I would trust to securely implement cryptography in their code. For the rest of us I'm happy with doing the best we can with libraries that make that easy (NaCl), and otherwise trying to find ways to break the thing. The cryptopals challenges help you do that, so that's where I'd recommend a developer start.
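
As an added illustration of the "try to break it" point made in this thread (this is example code written for this page, not something from the Cryptopals site or from any commenter), here is the Set 2 "ECB cut-and-paste" exercise worked end to end. Python's standard library has no AES, so a toy 16-byte Feistel cipher built from HMAC-SHA256 stands in for the block cipher; the attack does not care which block cipher is used, only that ECB mode encrypts every block independently and deterministically. The `profile_for` serialiser, the email addresses and the `uid=10` value are all constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher: a keyed PRF over one half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 16-byte Feistel block cipher standing in for AES (the stdlib has no AES).
    # It exists only so the example runs offline; never use it for anything real.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is encrypted on its own, so blocks can be cut and pasted
    # between ciphertexts without knowing the key.
    padded = pkcs7_pad(plaintext)
    return b"".join(block_encrypt(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = (block_decrypt(key, ciphertext[i:i + BLOCK])
              for i in range(0, len(ciphertext), BLOCK))
    return pkcs7_unpad(b"".join(blocks))


def profile_for(email: str) -> bytes:
    # The "application" (constructed for this example): it strips '&' and '='
    # so the email cannot simply inject "&role=admin" into the profile string.
    email = email.replace("&", "").replace("=", "")
    return f"email={email}&uid=10&role=user".encode()


def parse_profile(data: bytes) -> dict:
    return dict(kv.split("=", 1) for kv in data.decode("latin-1").split("&"))


def forge_admin_token(oracle) -> bytes:
    # oracle(email) returns ecb_encrypt(key, profile_for(email)); the attacker
    # never sees the key, only ciphertexts for emails of their choosing.
    # 1. Choose an email length so that "...&role=" ends exactly on a block
    #    boundary: len("email=") + 13 + len("&uid=10&role=") == 32. That leaves
    #    "user" plus padding alone in the third block.
    token_a = oracle("foooo@bar.com")
    # 2. Get a second ciphertext whose second block is exactly "admin" followed
    #    by valid PKCS#7 padding: 10 filler bytes complete the first block.
    target = "admin" + "\x0b" * (BLOCK - len("admin"))
    token_b = oracle("A" * (BLOCK - len("email=")) + target)
    # 3. Cut and paste: the first two blocks of A, then the "admin" block of B.
    return token_a[:2 * BLOCK] + token_b[BLOCK:2 * BLOCK]


def demo() -> dict:
    key = os.urandom(BLOCK)
    oracle = lambda email: ecb_encrypt(key, profile_for(email))
    forged = forge_admin_token(oracle)
    # The server decrypts the forged token and happily parses role=admin.
    return parse_profile(ecb_decrypt(key, forged))


if __name__ == "__main__":
    print(demo())  # e.g. {'email': 'foooo@bar.com', 'uid': '10', 'role': 'admin'}
```

Nothing here exploits the block cipher itself; the break comes entirely from using ECB for a token that the attacker can partly control, plus the lack of any integrity check. The same shape of mistake survives swapping in real AES, which is the reason the thread gives for reaching for a library like NaCl (authenticated encryption, no mode selection) rather than assembling primitives by hand.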


As a fellow Brit, I find your ability to appreciate sarcasm lacking :)


FYI: £26k is not average for 3 years experience. I know kids straight out of coding bootcamps that started on £10k more than that.


Probably in London, but in Manchester 26-30K seems average.


I'd agree. With that much experience, this is average for most places north of Birmingham.


I made $40k (£26k) as a raw recruit, straight out of college, as a Java developer. I got bumped to $60k (£39k) the next year. Granted, this was before the dot-com bubble collapse of the early 2000s, and in a large US city, but considering 2-3% annual inflation and that Manchester is still the 2nd largest metropolis in the UK by population and 3rd largest by money, someone like OP should probably be looking for £45k per year with a software-relevant bachelor's degree, and £40k without. Jobs likely plateau around £60k there for more experienced developers, compared with £90k+ in London.

(I am not at all familiar with the European software labor market, so all this is based on the assumption that London is equivalent to New York City and Manchester equivalent to Chicago.)

In London, those top-paying jobs will mostly be in the financial industry and the internationals that only dip their toes into the "alpha" cities. PHP folks won't ever get that high, but the talent vacuum at the upper end will sort of pull up the salaries at the lower end, right along with the cost of living.

Avoid recruitment agencies wherever you can. In the US, they have never helped me one tiny little bit, and have wasted more of my time than I care to consider. And as the original poster has noted, they made a pretty bad match.

I think it very likely that OP should be able to find a better job, at higher pay, within eight weeks. But the search process is exhausting and stressful, and full of stupid hoops to jump through. Seekers are sorely tempted to let other people handle most of the leg work for them. Don't succumb. There's no one else on Earth that will be as invested in the decision to take a new job as the person who will actually be doing the work.

I wouldn't quit today. I would use the fact that I had a job to take the time to make a better decision this time around, and to be more selective with the advertisements, applications, and interviews. With a competitive offer in your back pocket, you can then have a conversation with your current bosses with greater confidence, knowing that they no longer have the power to keep you from making rent.

Edit: Note that the target numbers above are reasonable for your first offer in the salary negotiation, or the upper end of any salary range posted with an advertisement. The actual salary will likely end up less than that, but there is always the possibility that the company agrees to give you what you ask for.


26k is below average full time wage I think. That's 27k. For a developer with 3 years experience to be earning less is not good. It's more in line with 1 year experience.

Developers should be in line with other high paid professionals.


Thanks for your advice, I'm not really familiar with the UK market since I just moved to the UK a year ago, so you are probably right. My next plan will be to find some remote work. Hopefully I can find some time to work on my personal projects as well.


You could make more than that doing remote work part-time. That does seem like a very poor deal.


As an atheist ex-muslim blogger of very similar descent, I don't see how this is relevant to hacker news. I sincerely doubt it will generate any useful discussion.


This is a fantastic comment. I'd love to hear more about your experiences and any other insights you have about musical practice.

Since you program too, do you think there is much crossover? Some analogous form of practice that makes you a more effective coder?


Some thoughts about what crosses over:

One of the most unexpected things to me is how good I am at hitting deadlines. But it makes sense. As a musician, deadlines don't move. You're playing a concerto with an orchestra on such and such a day . . . that concert is going to happen whether you are ready or not. Your choices are to get up there and play like a badass or get up there and fail in front of thousands of people. You learn that when you're 8, and it sticks with you. When I moved over to coding, I never thought twice about it. A deadline is a deadline. It doesn't move. That's a thing that's been consistently talked about in my career. I nail my deadlines. Not because of any magic about me as a programmer, just a mental inability to view those as flexible. I can see, however, that this would be a weakness for me if I were to get into management: I'm awfully impatient with people who don't hit deadlines.

Dealing with toxic environments. I read about brogrammers and silicon valley startups with all kinds of ego problems and sexism all the time. We all do. I've even worked for a startup or two that styled itself that way. I've never met anyone with the kind of ego that professional musicians have. Not all, mind you. It's been my experience that the best people in any field are quite kind and wonderful and humble. And the worst are the ones who are actually just mediocre. But there are tons of mediocre performers who have terrible sexist, racist, and generally toxic attitudes. I managed an orchestra while I was studying statistics after I dropped out of my music degree because it seemed like a good idea. I've never seen such a wretched hive of scum and villainy. As far as I'm concerned, even the most obnoxious of the party-boy, popped-collar, douchebag bros I've ever worked with are basically nothing compared to your run-of-the-mill regional orchestra player jerk.

Being willing to learn from anyone. There are many musicians (particularly string players) who subscribe to a certain philosophy of playing. All other methods of playing are ipso facto wrong. My best teacher is a violinist, Bruce Berg, who studied with Galamian, Gingold, and Dorothy DeLay. He did an undergrad, grad, and doctorate at the Juilliard School. Where he claims to have learned very little (I doubt this is true). After finishing his doctorate, he went and studied with a cellist--heresy!--named George Neikreug. What could a violinist with these credentials possibly have to learn from a cellist? To this day, Bruce claims that he never actually learned to play the violin well until he studied with George. I've taken that same approach, (and I picked up a lot of George's techniques from Bruce), both in music and in technology, and I think it has served me well. Go to the dark side for advice sometimes. Go learn a language that you don't like. Go talk to people you don't think have anything to offer you. Go with an open mind and a warm heart. And a couple hundred bucks. Because people often charge money for their knowledge. But I've learned as much about programming from reading Marco Arment talk about how he does all his web apps in PHP because his needs are simple as I have learned from reading Eevee about how much PHP is a hammer with the claw part on both ends.

I could continue on about this just as much as the earlier topic. But I should probably shut it down. So I'll close with this:

Don't be afraid to contact big important people and ask them for help. I remember when I was just learning python, I was writing an extension for SPSS to do some statistical junk that we couldn't do with the interface as it existed. So I just went and wrote one that shouldn't have worked but did and emailed him the code and asked why it worked. I got completely schooled by a total master. It didn't really work. Slightly embarrassing, but since I didn't bring an ego to that situation, I learned a ton. John Peck is a really great guy.


Here are a few things off the top of my head about practicing. And I do think there's quite a lot of crossover as well.

Practice thoughts:

Have a plan when you sit down (or stand up) to practice. Know what you want to accomplish. This gets more and more important the older you get and the less time you have. When I was a kid, I practiced for 5 or more hours a day. Even more in college. As an adult with a job and a girlfriend, I will never have that luxury again. But what I do have is 15 minutes here and 20 minutes there. It is FAR from optimal, but that's what you have to work with. I do still get up early before work so I can practice scales for an hour every morning. That might be all I can do for one day. But even with scales, have a goal.

It helps to do this if you have thought about the piece you want to work on and what you think you need to do. It's hard to generalize because you are so often in different places. But give yourself a goal, break it up into manageable tasks, and check them off the list. I'm learning the Shostakovitch violin concerto right now to play with an orchestra in a few months. Each day of the week my schedule is different. Some days, I'm going to yoga after work; some days, I'm driving an hour to my gf's place; sometimes, I just go home. This week, I'll have a few 15-20 minute time slots, and I'll have one 2-hour slot. I prefer to work the "hardest" parts in the smallest time slots. I'll take those 2-3 short times and work a single measure that's tricky. I'll take the longer time slot and work on performing a larger chunk.

I was a violin performance/music theory/philosophy major in school (and dropped out after 6 years, of course). So it's natural for me to analyze the music I'm playing to get the best understanding of it I can. You don't have to be a music theorist to have some grasp of the form and structure of a bit of music you want to learn. Read about the music online. Understand it the best you can. This will help you remember it. I break up my practice goals when I'm doing the initial analysis of the music.

One good reason to do some analysis before you practice is to understand what parts are similar and what parts are different. Abstract the challenges as much as possible. If you are working on a piece in f#-minor, practice a lot of scales in f#-minor so that you have that key in your ear and your fingers and don't have to worry so much about intonation in general. If it follows a standard form, you'll spend some time in A-major and there will be at least some C#-Major(!). Practice those scales as well before you sit down to do the hard work. Composers tend to reuse material. Take the time to figure out what the composer is doing over time with the musical components, and you will save a ton of time in your practice.

In the classical world, the number one biggest priority is playing in tune. It doesn't matter what else you do or can do or what you can feel about the music or anything else: if you don't play in tune--and I mean really well in tune--no one cares. We are hyper-attuned to this because of recording technology that lets anyone sound like they can play perfectly in tune. In reality, no one does. No one even really agrees on what "in tune" means these days. But if you don't do it, you've got nothing. So! Train your ears. Spend some time, at least once a month doing exercises that are designed to maximize your ability to detect small changes in pitch. I apologize in advance to wind and brass players, I don't know what the analog is for this exercise. Obviously, this isn't relevant to fretted instruments.

The "ear cleaner" is an exercise you can do that will make you crazy obsessive about intonation. It's very simple. Start on a pitch. A fingered pitch; not an open string. You have to have total control for this. But it doesn't really matter which one because this isn't a finger exercise. It's an ear exercise. Now what you are going to do is gradually--and in even divisions--move from the pitch you are on to a pitch one half step above it. Over the course of 8 even bow strokes. So for each bow stroke, you are going to increment your pitch by 1/8 of 1/2 of a whole tone. It's very difficult. The point isn't so much that you be able to execute it perfectly so much as it is to get you to listen that closely. And when you practice this for 5-10 minutes, you'll hate yourself a little because everything will sound out of tune.

If there is a part of the linked article I agree with, it is practicing in smaller portions. I really don't think that randomizing is a good idea. But planning small segments is a great idea. The important thing to remember is that you are developing muscle memory. If you are practicing mindlessly, you are probably practicing something wrong. Which means you will be reinforcing something wrong. I suggest this: do not practice for any longer than you can maintain total focus on the thing you are trying to improve. There are too many things to think about already. If you are as planned and focused as you should be, you are still only working on one aspect of your technique, and others are not being executed properly. Choose one thing. Do it well. Stop as soon as you lose focus.

I could keep going on for a very long time, but I'll close the practice notes on this: remember to practice performing. Performing is a completely different mental exercise than practicing. When we practice, we have to be very acutely attuned to all of our little (or big) errors, and we need to note them for future reference because our ears and minds are the only error-checking mechanisms that we have (aside from audio recorders, which are a VERY good idea when practicing performing). But performing is different. You cannot and should not be thinking or hearing in the same way when you perform. When you perform you have to be focused on the music that you want to make (that you planned out, right?! Back when you analyzed the piece before you started practicing), and you can't let the inevitable mistake distract you from your performance or shake your confidence. You can't think in small chunks of technical execution one note or measure at a time. You have to think bigger than that. And you have to be listening to the other people you are playing with and responding to what they are doing. You don't have time for you when you perform. Performing is all about other people. You have to practice getting into that mindset and practice forgetting about what you are doing when you play. It's an entirely different skill. So practice that one too.


> threedaymonk behaved as a nice, well-intentioned, polite person ought to.

I work with threedaymonk and the reason that he came across this way is that he is a remarkably nice, well-intentioned, polite person.


I think you probably mean canon.


No, cannon. Like, really solid and made out of explosion-resistant iron.


Ah, sorry, my mistake.


Pretty sure he meant "canon" in that context.

1) A general law, rule, principle, or criterion by which something is judged 2) A collection or list of sacred books accepted as genuine

(http://www.oxforddictionaries.com/definition/english/canon)


whooosh


"Nothing flies over my head. My reflexes are too fast. I would catch them".


I bill weekly. Clients can book time in increments of one week. Each week costs a fixed amount, though I give clients a 10% discount for pre-payment in full, cleared in my bank account before work starts.

Snarky but true: implementing this was roughly as hard as reading a comment by tptacek about billing weekly, deciding that I bill weekly, and then telling all existing clients and future clients that I now bill weekly.


Question from a per-hour freelancer:

Does this mean you only work on one project at a time? I seem to maximize my billable time by doing one project at 20 hours/week plus a few long-term relationships with smaller ad hoc projects. Sometimes the "big" projects overlap briefly but I try to avoid that.

If I moved to weekly billing, I'm afraid I'd need a longer sales process and I'd have to turn down a lot of work that I can slip in with my current approach. So I'm curious: do you work one engagement at a time, and what is your time between engagements?


You can bill daily and still rotate through work for 3 different clients at a time. You don't even need to make special arrangements to do it. Just do it in the background, get your work done competently for all your clients, and be honest. You'll be fine.

The only thing we're telling you not to do is to break your bills out by the hour. A whole lot of bad stuff happens when you start billing in sub-day increments.


How do you deal with the expectation that 1 day means 8 hours exactly and clients who think in those terms?

How precisely do you specify upfront what a 'day' means? Are you just keeping it vague and not working with anyone who takes issue with that? Or are you specifying it as 6 hours so you have time to handle other things?

I recently attempted a move to daily billing but had a client who was anal about 1 day = 8 hours and this caused significant friction/lack of flexibility. The client was a somewhat difficult/overly-controlling person but willing to pay well for quality. Would you simply turn down someone like this?


I think a bit of intuition you might need here is that the delivery date for a project and its fee structure are not the same thing. You carefully negotiate delivery dates. You do not carefully negotiate the definition of a day. You will find, when you do this, that most reasonable delivery dates are just fine with most clients, even if they account for more weekdays than you're billing for.

I think that with all sane clients, you will also find that once the delivery date is negotiated to both sides satisfaction, nobody gives a shit about what happens in the intervening days. Good clients are happy to know that they're going to get something on a specific date. They are thrilled to have a black box that they can put money into and get value out of. Don't open up the black box and explain it. They don't need to know how the fuel injectors work, and if you explain electronic fuel injection to them, some of them will just get neurotic about whether it's functioning correctly.


How precisely do you specify upfront what a 'day' means?

I don't. All my recent contracts of this nature have simply stated that a day on which any services are provided is chargeable, or words roughly equivalent to that.

This does require a client to trust that I won't abuse the deal by, say, charging for a day off just because I spent a few minutes replying to an e-mail. I suppose legally speaking I could do that, but then legally speaking a client can typically also fire me in the time it takes to get a letter delivered if they're not happy with progress on their project. As with so much of this business, trust goes both ways.

In reality, I have never found this to be a problem. As others have said, clients are typically more interested in the value of the work you produce than in how, when, or where you produce it. You might see the occasional raised eyebrow if someone asks directly and is surprised at your answer, but personally I'm not aware that I've ever lost business or left unhappy clients over it.

The client was a somewhat difficult/overly-controlling person but willing to pay well for quality. Would you simply turn down someone like this?

Given a reasonable alternative, which is usually the case: yes.

Incidentally, in the UK, where I am, you should be very wary of taking on "overly controlling clients". If you aren't sufficiently independent -- as demonstrated by signals like your clients controlling your working hours -- then you could be deemed a disguised employee rather than a separate business. That leaves you with all the overheads of running a business, yet also leaves both you and your client with all the tax obligations of an employer-employee relationship, which is a Very Bad Idea.


I'm not sure of the current state of things, but that last bit has traditionally been true in the US as well: if you spend all your time with one client, and they control your hours and/or work location and equipment, then you may be considered an employee for tax purposes (IRS Form SS-8 covers this).


In the US, that works to the benefit of the contractor; the problem is that clients know that, so if you look like someone the IRS might classify as a full-timer (an unincorporated sole practitioner), they may preemptively withhold taxes for you.

This is a problem a couple friends of mine have had. It seems like incorporation, which is cheap and something you should do anyways, mostly fixes it.


It seems like incorporation, which is cheap and something you should do anyways, mostly fixes it.

In the UK, we have almost the opposite problem.

If you set up a limited company to operate a freelance business, then by default you get to run it like any other business. That means you're responsible for paying your own overheads and doing the same administrative paperwork and taxes as any other company. (Who else is going to pay for or do those things, after all?) However, it also means that if you're the only owner and director, you can treat most of the profits as dividends rather than salary, which can be a significant tax advantage in some quite common circumstances.

Unfortunately, this arrangement was being abused by some people who were in effect working as employees of someone else, who operated with little meaningful independence but were being paid through a company so they could take the tax breaks anyway.

Consequently, with probably good intentions but unfortunately not a very good implementation, a set of rules known as IR35 were introduced that basically said if your arrangement works like employment, you'll have to treat your contract like employment, with the full tax liability that goes with it.

The trouble is that there has never been any useful, objective definition of what counts as working like employment, so all we really have to go on are a few precedents from early cases. In practice, this means every independent professional here who works this way, however legitimately, has this permanent axe hanging over their head. You can pay some accountants for an expert contract review that comes with insurance if they tell you you're OK and you are subsequently determined to be within the scope of IR35 anyway, but that's a lot of hassle and a significant cost if you do change contracts often, so not everyone does.

The tax authorities did make an attempt to codify some more concrete guidelines with their Business Entity Tests a few years ago; those were supposed to give you a clearer idea of how likely you were to fall within the scope of IR35, but the questions were bizarre and completely ignored most of the really important distinctions between an employee and a genuinely independent professional operating as a real one-person company, and the BETs were effectively killed off not so long after they were introduced.

This leaves us back at square one. Despite protests from the independent sector about the ongoing burden of IR35 and the lack of evidence that it has ever generated anywhere near the kind of additional tax revenues it was supposed to, successive governments have maintained the rules arguing that if they removed them now then the floodgates would open and suddenly everyone would be going down the disguised employment path costing the government a fortune.

In practice, the good news for genuinely independent professionals is that the tax authorities have very limited resources to go after small time tax dodgers, so as long as you're behaving reasonably it seems you're unlikely to get in much trouble. This brings me back to where I came in, which is a warning that if you really are trying to operate properly as an independent, a very controlling client who is able to impose obvious restrictions like setting working hours is not something you want pushing you to the top of the pile for an IR35 investigation.


HMRC have an email address you can send information about your business and working arrangements to and they will tell you if you are caught by IR35.

I wrote a fuller explanation here: http://digitalassassin.net/2014/07/am-i-caught-by-ir35/


HMRC will tell you whether in their opinion you are caught by IR35. However, it is important to understand that they are not a neutral advisor, and just because someone at HMRC thinks you are caught, that does not mean the actual decision-making process if they challenge your status will lead to the same conclusion. In reality, they have a record of chasing not very many people under IR35 in the first place and then winning only a fraction of those cases when someone has put up a fight.

To be clear, I'm not arguing that this is necessarily due to any ill intent on their part. It's just that even if HMRC people are trying to help when you call them, they can still fail to understand what the tax rules actually say and they can give incorrect advice as a result. When that happens, they seem to err on the side of saying you're caught by whatever it is you're asking about and should pay the extra tax.

If I'd taken them at their word the last couple of times I called, my companies would have paid far more tax than we really owed. (To be clear again, I'm not talking about any funny tax avoidance measures here, just applying the normal but somewhat complicated rules for things like international sales.) Fortunately, we also spoke with some accountants who could explain why the first advice was wrong, which in fact they did by citing parts of HMRC's own written guidance that HMRC's own people had overlooked.


"How do you deal with the expectation that 1 day means 8 hours exactly and clients who think in those terms?"

I suppose this only matters if the clients vocalize this assumption?


I'm usually working with one client at a time, but as you surmised spend considerable effort keeping the sales pipeline bubbling. Haven't had any time without work for the past couple of years unless I wanted it.*

I should probably point out that "maximising my billable time" isn't really an important goal for me as a freelancer, so we're likely talking about a different business model. You'll hear this a lot from patio11 and tptacek, but overwhelmingly, my goal is to provide as much business value to my clients as possible and charge accordingly.

You don't necessarily have to position yourself as a content marketing/CRO/Security/Sandwich-making consultant to do this, just find a way to make or save your clients buckets of cash and you can charge them whatever you want.

*: That makes me sound like some sort of rockstar freelancer, but in reality I'm a boringly average Rails developer. I get and keep clients by working really hard on sales and treating existing, long-term clients like my family's financial security depends on them (hint: it does!).


This is very interesting. How do you handle working with multiple clients? E.g. I'm working on this project for this client this week, but the client from last week has an urgent question/issue that I need to look at. Would that be billed hourly, or as part of next week, or something to that extent?


For work that actually requires me to crack open a terminal, it's as you described, i.e. in the vast majority of cases it can probably wait until the next week they've booked. In the rare case that they're losing money thanks to inaction or if the problem is directly due to an error I made, then I'll fix the thing so that it's in a working state right now and work on a longer-term solution in their next slot.


Off the top of my head, sidekiq, ansible and saltstack are fully open source but also make money.


This is of course fine for white people visiting from overseas that don't look like they should know what they're doing.

There are some types of non-muslims (open apostates) that would be putting themselves in real physical danger by entering your average mosque in Islamabad and praying. We have a local ex-muslims meetup in London and stories of threats + actual physical violence from family and "community" are more common than not.

It also goes without saying that if there's no women's section and you have a vagina, you're shit out of luck.


This is a really good point.

