
bc software engineering learning is 99% BOTTOM-UP...

and that's bc SE education FAILED BADLY... almost nothing of what's useful is taught in schools and nothing of what's taught is useful

instead of FIXING education and theory, software engineering marched on forcefully without it

now we need to go back and properly fix education, because an intern should absolutely be required to have the "advanced" skills that we imagine in our deluded minds that only "10+ ys of industry experience" should confer, and that are absolutely required to be even a junior AI-augmented SE

SE/CS education should be rethought from scratch to distill, purify, and teach in 3ys max the concepts that used to be acquired through 10-30ys of experience - it 100% CAN be done, and we should wake tf up and DO IT instead of complaining about it - "advanced enterprise systems" architecture requires nothing more than mid-highschool math and can be taught on simulated systems in sem 1 of year 1, it's just that some of the "teachers" would have to actually put in the 80hrs-weeks of work to do it in due time


> going into every interaction thinking about which parts of oneself to dial down

what if (a) I hate leading questions, (b) by default only smile when bad/tragic things happen (eg "train crash leaves 100 dead and maimed"), (c) I'm quite bad at listening bc if you don't say interesting things often/densely enough my mind adhd-s away, and (d) interrupting is second-nature to me?

...advice may be good, but for some of us it's like 99% of ourselves that we need to dial down in order to carry on a successful interaction - it works, but takes a hell of a lot of energy


You seem to have a lot of limiting thoughts about yourself. Other people do those kinds of things but just don’t mind and don’t think that they are a bother to others.

You’re allowed to be weird. Weird people make the best conversation because you don’t know where they’re gonna go


Yes, you and I are making the same point :-) There's lots of useful advice out there about how to be a better conversationalist but it's exhausting for those of us who have to constantly think about it, and disheartening when we get it wrong despite all the effort.

one interaction? some of us spent half our lives having 99% of interactions be like that - we've grown out of it one way or another, but for many ppl "doing people" is HAAAAAARD ...just as for some differential equations are. we're just built veeeery differently. for many "the social world" is a hostile jungle, and we can face it all right, but with a strong suit of mechanized armour and fully loaded weapons strapped to it.

I get that. I spent my entire childhood and the majority of my 20s as a closeted gay man. Every interaction was high stakes because if one person figured out you’re gay, then the cat is out of the bag.

I had to do a hell of a lot of accepting myself before I could actually hang with people in the moment. Realistically it took six years to be “normal” in my own eyes


some of these _are_ true _good_ advice for most ppl, beginner level as they may be, as by default they have been trained to be waaaaay too agreeable

we love to say things like these, but... most security issues are in fact BYPASSABLE - virtualization, firewalls, autorollbacks, ro-filesystems and so on are many of the tools we have on our belts

decades of WordPress have taught us that insecure apps can 100% be securely deployed

it's a bit of an art, most recently educated devops/sre ppl suck at it, but it's doable

...aeons ago in a former life we ran production apps that got hacked weekly, and nobody batted an eye at it, backup servers recreated from secure ro-images were spun up with the last clean app version, occasionally we had fun disassembling whatever reverse shells and other malware got beached on our systems (but couldn't "swim" bc everything we ran was "too exotic" for them to figure out the next steps of a proper attack), development and business continued as usual with zero interruptions etc


If you go against every principle (defense in depth, security through obscurity), maybe you should ask yourself "am I willing to be on the record saying this when my company gets hacked?"

There can be multiple reasons system crumbles, do you want to be behind one of them... intentionally?


100%. I'm willing to prioritize what matters at the right time. if "inner-system security" is not the right priority, and security can be attained at the "outer-system level" better, we should have the balz to say it. fuckitol

Imagine if your doctor said "we don't really need to do this if some other guy or nurse does a right job, so fuck it".

In other critical professions you don't want to screw up because when you lose license you're legally unemployable. Maybe it's time to require a license to be a programmer. We used to have a strong culture but those days are gone and stakes are higher. Putting people at risk because you think VC can vibe code an insecure app and then it's everybody else's responsibility to ship it securely?


you got everything I said wrong: I'm familiar with security and infrastructure best practice and I'm confident I/we can securely deploy almost any vibe-coded crap someone can throw at us - we understand security, we understand defense-in-depth, we understand the subtle trade-offs of why security by obscurity is usually a bad idea (and when it does help) etc.

sure, if the vibe-coded sloptopus does bank transfers and stuff, properly carving these pieces out of it might require actual engineering work before containerizing it - but if someone is willing to pay for it, it can be done

some "toy" example: take a crappy app that stores llm keys in config files that the llm agents themselves can edit - after isolating it, put an llm proxy in front of it and have those keys be short-lived proxy keys with aggressive rate limits and monitoring etc etc

isolation, injecting proper monitoring into code of apps, putting proxies between app and apis, and layers between app and infra it runs on or touches etc

and these things now can be mostly cookbook-ified / automated 90% of the way too

as long as you can chop things into little pieces and ensure short-lived and granular access to valuable data you can 100% run totally unsecure and buggy code reliably and get value from it

it's engineering and understanding security from first principles [and a culture around it - that _is_ the HARD af bit though...] instead of just believing in "secure app best practices" from the "holy scriptures" - secure apps are hackable, and unsecure apps can be unhackable, heck even mil systems run on unpatched old software everywhere, they're just properly insulated, the components are insecure but the system as a whole can be perfectly secure
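The key-broker half of the "llm proxy" sketched in the toy example above, as an added illustration that is not code from the thread: the isolated app only ever holds short-lived proxy keys, while the real upstream credential stays inside the proxy, which enforces expiry, a per-key request budget and an audit trail. Names such as `LlmProxy` and `call_upstream` are hypothetical and the upstream call is simulated.

```python
"""Hypothetical key broker for an LLM proxy placed in front of an untrusted app."""
import secrets
import time
from dataclasses import dataclass, field

# Constructed placeholder: the only place the real credential exists.
UPSTREAM_KEY = "sk-REAL-UPSTREAM-KEY-PLACEHOLDER"


@dataclass
class ProxyKey:
    app: str
    expires_at: float
    budget: int                                 # max requests per window
    window_s: float
    hits: list = field(default_factory=list)    # timestamps of recent requests


def call_upstream(prompt: str, api_key: str) -> str:
    """Stand-in for the real provider call; the app never sees api_key."""
    assert api_key == UPSTREAM_KEY
    return f"[upstream answer for {len(prompt)} chars]"


class LlmProxy:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable for testing
        self.keys: dict[str, ProxyKey] = {}
        self.audit: list[tuple] = []            # feed this to monitoring

    def issue(self, app: str, ttl_s: float = 300, budget: int = 5,
              window_s: float = 60) -> str:
        """Hand the app a short-lived, rate-limited proxy key."""
        token = "pk-" + secrets.token_urlsafe(24)
        self.keys[token] = ProxyKey(app, self.clock() + ttl_s, budget, window_s)
        self.audit.append(("issue", app, token[:8], ttl_s))
        return token

    def revoke(self, token: str) -> None:
        if self.keys.pop(token, None) is not None:
            self.audit.append(("revoke", token[:8]))

    def forward(self, token: str, prompt: str) -> tuple[bool, str]:
        """Validate the proxy key, then call upstream with the real key."""
        now = self.clock()
        pk = self.keys.get(token)
        if pk is None:
            self.audit.append(("reject", "unknown", token[:8]))
            return False, "unknown key"
        if now >= pk.expires_at:
            del self.keys[token]                # a leaked key dies on its own
            self.audit.append(("reject", "expired", pk.app))
            return False, "expired key"
        pk.hits = [t for t in pk.hits if now - t < pk.window_s]
        if len(pk.hits) >= pk.budget:
            self.audit.append(("reject", "ratelimit", pk.app))
            return False, "rate limited"
        pk.hits.append(now)
        self.audit.append(("forward", pk.app, len(prompt)))
        return True, call_upstream(prompt, UPSTREAM_KEY)
```

A spike of `("reject", "ratelimit", ...)` or `("reject", "unknown", ...)` entries in the audit list is the signal the comment's "monitoring" would alert on.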


If you believe in unhackable, maybe you're not familiar with security enough...

ffs sake, u get the point... "under threat models x, z & q that are considered for scenarios ..."

anything deployed is hackable ofc, question is just the profit/risk ratio a business tolerates/prefers, and what backup plans exist to "reboot" after fatal incidents

nothing's perfect in the real world but most things are survivable

reducing all risk is the same as reducing all opportunity for profit - and in a much truer sense than it seems ...as you also reduce adversaries' risk to profit from you, so essentially pursuing too low risk you head towards negative sum (as security has costs) games that on average we all lose from playing


by this pov, we're clearly... not moving fast enough

how about the others:

- vLLM https://vllm.ai/ ?

- oMLX https://github.com/jundot/omlx ?


...also migrating AWAY from Fastmail (Australian) and TO a European provider sounds like a very bad idea - I'd kind of want both the US and the EU legally away from my comms at all costs (!)


Is it that different? With Australia being in alliances like "Five Eyes", I don't think you can keep your stuff away from the US at least when using Fastmail.

If you want both US & EU away from your data, I suppose you will have to consider things like Yandex Mail, which comes with its own set of problems too, of course :)


Fastmail's servers are in the US IIRC.


While I agree in principle, I have to remind you (and to myself) that Australia is part of the Five Eyes: https://en.wikipedia.org/wiki/Five_Eyes


The problem is that, even if Fastmail are Australian, they host exclusively in the US. They state that sure, there is the possibility of interference at the data center level, but they rely on their anti-hacking measures to prevent unlawful access


As EU citizen I at least got some influence into EU policy. A government far away doesn't even have to pretend to care about me.




The EU has about 450 million citizens, which of course limits my direct vote. Downside of a democracy (EU is a complicated democracy, but still) is that a majority probably has other priorities than me.

However there are many ways to impact policy makers. From individual contact to impact on the public debate. Even a small post here may lead to people considering their vote or contacting a local or EU parliamentarian, which in sum pushes the needle. In the end they are receptive, as they need the votes by the people.

It's long and tedious and not all things go anywhere, but then again: I am just one in 450 million and for most of those the priority is to have a job which pays the rent and food, and thus I have to break it down to be relevant for them.


The actual answer as to how much you influence policy is: none at all.

The European commission proposes laws. European commissioners are proposed through existing EU institutions. They are not voted in.

You vote for MEPs, who discuss laws, pass them, perhaps amending them. They do not propose them.

And by the way, this is not democracy, it is 'representative democracy' - you vote for one person to represent you and 100,000s of others for all the decisions an MEP makes over their 5 year term. They are not bound in any way to stick to their campaign promises.

Anyway, you might be happy or not about the laws these unelected bodies pass - I'm glad you seem happy about it. You might or might not see Europe as a triumph for its subjects. But there is no need to kid yourself or others that you have any impact over policy.


The European commission is appointed by the Council of the EU, which is composed of the elected heads of government of the individual member countries. Commissioners also need to be individually approved by the European Parliament, which is directly elected.

Representative democracy is democracy. Basically all nation level democratic governments are representative democracies.

Being a cynic doesn't make you look clever.




EU has citizens initiatives. Citizens can propose changes to the law and the parliament has to discuss it.

Stop Killing Games movement actually got a foothold.

EU as every healthy democracy has also non-elected experts (just like judiciary side) in its organs who can create law proposals. That's how we got USB-C and GDPR.


I do think you're cynical and wrong if you think you can't influence any political decisions on the EU level.


Have you made any policy changes? Do you know someone who has?


> And by the way, this is not democracy, it is 'representative democracy'

Representative democracy has been part of the definition of democracy (in English) since before the USA existed: https://www.etymonline.com/search?q=democracy

(Only in the US have I had to argue about whether representative democracy is a "real" democracy, so I assume you're American)


Fastmail runs exclusively on AWS in the US.

I looked into this, there are lots of people in forums discussing/ asking for EU based servers.



how about the OPPOSITE problem: _anyone knows of any non-EU AND non-US email providers_? with email accounts as the roots of trust for many things, i'd really wanna know how I can get a trustworthy one not attached to either an unstable system (US), or a very overregulating one like the EU jurisdictions...

and ofc, non-CN too


So where do you want to host your email?

Name a country and it probably has its own problems: some combination of instability, corruption, authoritarian governments, collaboration with the US and EU governments that you want to escape…

ProtonMail is in Switzerland, so it’s perhaps the best mainstream bet. But the Swiss are absolutely not immune to US and EU pressure.


Isn't Proton planning to move to .de?


Runbox are a good option - company and servers in Norway: https://runbox.com/

Been around since 2000. They're also working on JMAP support and are the top financial contributor to the Stalwart mail server (https://opencollective.com/stalwart) so I think they'll have a more compelling offering soon.

Also worth keeping an eye on Thunderbird pro which will also use Stalwart: https://www.tb.pro/en-US/


Can recommend Runbox for a lot of reasons, but one gotcha that bothered me in day-to-day use was that emails are delayed by a minimum of 30 seconds, with no real upper bound, just a probability curve with, say, the 90th percentile around 5 minutes. On rare occasions, that means OTPs or login links valid for 5 minutes have expired when you get them. Yes this was really on Runbox' side, yes I talked to support, yes they cared, yes they subsequently ghosted me when delivering the requested headers of emails delayed for more than 5 minutes which they considered a normal delay "because email wasn't supposed to be real-time" (be that as it may, that doesn't take away that you sit there 30 seconds... 60 seconds... 90 seconds, wondering if you should go do something else while you wait for the confirmation link and get back to your current task later)

Seriously though, nothing but recommended in every other regard. Alias management, anonymous domains you can use, configuring the sender in Thunderbird no problem, everything else was great. My colleagues didn't seem to mind this delay so much as me so it's something to be aware of but might work fine for you

Edit: I realised this is already like four years ago now, it could have gotten fixed in the meantime. It was an issue for several years before we switched away for some reason related to calendars (don't remember the details, it wasn't my choice)


I agree, as a happy Runbox customer of several years. But probably the parent post meant non-EEA too, as Norway is effectively subject to any and all EU regulations.


Recently Runbox had a couple of significant outages which made me rethink hosting my email with them. I and my family have used them for many years and I liked what they offered (didn't like the bad web UI) but will probably be migrating to Fastmail or another provider when my current subscription expires.

I was disappointed more by their lack of communication than by the outages. And one outage wasn't even reported on their status page although they confirmed it via support. That's very bad communication.


I'm using Zoho (Indian company, hosted in Europe). Maybe not perfect from a geopolitical pov, but it will do for now.


Singapore, Japan have reliable ISPs.


If the goal is to stay away from US or European influence then the Russians would be a better bet.


Yes but that has the same downsides as China.


And that's pretty much the thread. You're either subject to a large power's jurisdiction or subject to a jurisdiction whose sovereignty is at the pleasure of large powers... Pick a threat model, plan appropriately, and keep things in perspective.


Proton is in Switzerland, which is not part of EU


Not any longer. They started to leave last year because of surveillance legislation and moved to .de https://www.techradar.com/vpn/vpn-privacy-security/is-proton...


For email and calendaring, Fastmail, although Her Majesty’s Australian government has strong overreach instincts.



> For email and calendaring, Fastmail, although Her Majesty’s Australian government has strong overreach instincts.

The Queen died on 8 September 2022.


...would those "overreach instincts" extend to "handing over access to an overreaching and likely corrupt EU or US prosecutor"? (I don't care about 5eyes etc, spies will spy on me, I just don't want stuff to be easily and unexpectedly draggable into a court case, or an email used as a bolt-key to access other things to get blocked by a prosecutor's regulation...)


If your threat model includes the USA government then you can only go with obscurity, honestly - preferably self hosted with a completely locked down system that cannot initiate any network communication besides on the relevant mail protocol ports, completely immutable filesystem beyond the mail data with encryption at rest

And with all of that they'll still be able to pwn you through network equipment which relays your mail, eg some router or switch which they backdoored and mirrors all traffic to their datacenter.


>If your threat model includes the USA government then you can only go with obscurity, honestly

Or move to Russia. Not recommending, just saying


> how about the OPPOSITE problem: _anyone knows of any non-EU AND non-US email providers_?

Yes, your own server at home. All countries have fundamentally the same problems, so you will have everywhere the same tradeoffs as a customer. So it really depends on what your specific circumstances and requirements are. If laws are your problem, then stay away from countries where you break them; otherwise, just don't go where they will sell your data for any random penny.

> or a very overregulating one like the EU juristictions...

WTF is this kind of demand? Those regulations do not concern you as a user, but can be very beneficial for you, don't you understand this?


Fastmail is Australian


But their servers are in the US.


lol, you want trustworthy stability without “too many” regulations. Good luck with that.

I’m not sure you know what instability means if you think the US is unstable. If anything, the fact that the dumbest person on the planet is in charge of the United States and the country still functions as well as it does proves a lot about the stability of the USA. The country runs on geopolitical easy mode.

Maybe there’s a libertarian fantasy novel where you can host your services.


where sample notebook/script? where github? where signup?

...learn a thing or two from NVIDIA or gtfo


lol

> Mistral AI has already partnered with world-leading organizations, like ASML, DSO National Laboratories Singapore, Ericsson, European Space Agency, Home Team Science and Technology Agency (HTX) Singapore, and Reply to train models on the proprietary data that powers their most complex systems and future-defining technologies.

When you can actually represent somebody like the ESA get in touch with them. Otherwise, uh, gtfo.

