Although this is clearly the equivalent of Cloudflare propaganda, they are trying to address the issue of connecting a user and an agent in a way that respects the user's privacy.
They effectively use credentials and cryptography to link the two together in a zero-knowledge type of way. Real issue, although no one is clearly dying for this yet.
Real solution too, but it is equally naive to think blind credentials and Chaumian signing address the root issue. Something like Apple will step in to cast a liability shield over all parties and just continue to trap users into the Apple data ecosystem.
The right way to do this is to give the user sovereignty over their identity and usage such that platforms cater to users rather than the middle-men in-between. Harder than what Cloudflare probably wants to truly solve for.
But, why do we want to tie the agent to the user’s identity?
The interface the user wants is “I pay for and obtain pizza”. The interface the pizzeria wants is “I obtain payment via credit card, and send a pizza to some physical location”.
It doesn’t matter who the agent that orders the pizza is acting on behalf of, or if there is an agent, or if some third party indexed the pizzeria menu, then some anarcho-crypto syndicate based in the White House decided to run an auction, and buy this particular pizza for this particular person.
If a malicious user is attacking a site via an agent, the current solution is to block the agent and everyone else using that agent, because the valid requests are indistinguishable from the malicious requests. If the agent passes on a token identifying the user, you can just block agent requests using the malicious user's token.
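The collateral-blocking argument above, as an added defender-side illustration that is not code from the original thread: the same abusive traffic is fed through a gate that keys blocks on a per-user token when the agent supplies one and on the agent identity otherwise. The request shape, the strike threshold and the token names are constructed assumptions.

```python
"""Per-user tokens let a site block one abusive user's agent traffic instead of
every request that arrives through the same agent.  Added illustration; the
request format, thresholds and tokens below are constructed, not from any
real product."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    agent: str                 # identifier of the agent making the call
    user_token: Optional[str]  # opaque per-user token, if the agent passes one
    malicious: bool            # ground truth, used only to drive the demo


@dataclass
class AbuseGate:
    """Counts abusive events per blocking key and blocks once a threshold is hit."""
    threshold: int = 3
    strikes: Counter = field(default_factory=Counter)
    blocked: set = field(default_factory=set)

    @staticmethod
    def block_key(req: Request) -> str:
        # With a user token the key isolates one user; without it the only
        # thing the site can key on is the agent itself.
        if req.user_token:
            return f"user:{req.user_token}"
        return f"agent:{req.agent}"

    def handle(self, req: Request) -> str:
        key = self.block_key(req)
        if key in self.blocked:
            return "blocked"
        if req.malicious:
            self.strikes[key] += 1
            if self.strikes[key] >= self.threshold:
                self.blocked.add(key)
            return "flagged"
        return "served"


def run(requests: list[Request]) -> dict[str, int]:
    """Feed a traffic sample through a fresh gate and tally the outcomes."""
    gate = AbuseGate()
    return dict(Counter(gate.handle(r) for r in requests))


def sample(with_tokens: bool) -> list[Request]:
    """Constructed traffic: one abusive user and two legitimate users, all via 'agent-A'."""
    mal = Request("agent-A", "tok-mallory" if with_tokens else None, True)
    good1 = Request("agent-A", "tok-alice" if with_tokens else None, False)
    good2 = Request("agent-A", "tok-bob" if with_tokens else None, False)
    # three malicious hits first, then four legitimate requests, then one more abuse
    return [mal, mal, mal, good1, good2, good1, good2, mal]


if __name__ == "__main__":
    # With tokens only Mallory is cut off; without them every user of agent-A is.
    print("with tokens:   ", run(sample(True)))
    print("without tokens:", run(sample(False)))
```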
As a Fireman/EMT of 7 years who's been in high-tech for almost 10 - I feel sorry for this guy.
Sure, some parts of work will definitely get better and feel different. But a lot will get worse.
Say goodbye to good working conditions and simple problems. Work life balance is meaningless when your work has a habit of sticking around every time you close your eyes. And the hero culture of EMS wears off quick when you realize 90% of the time you're society's janitor. That 10% you make a difference is amazing, but for the most part it's medics who are really making an impact and that world is almost as political and overmanaged as technology is.
The real problem is trying to make your career your life source rather than just an income stream. Tech utopia is no different than emergency-medicine utopia - it's all fantasies that have no bearing on real life.
I wish the author the best of luck, and the issues they bring up are oh so real, but the source of the problem lies elsewhere in my humble opinion.
My perspective as someone who’s done some of both... regardless of working conditions, doing “janitorial” work is rewarding in that it is, um, real work.
What I mean is that it’s really easy to have a multi decade career in tech and look back, realizing that not only is none of the code you worked on still running anywhere, but none of the companies even exist. Frustrating on some level, even if you managed to avoid directly contributing to society’s problems.
EMT can be horrible on many days but saving a life lasts, well, a lifetime roughly, more if the person has kids. But shit, even painting a fence is more of a “legacy” than most of the code that most people will write professionally. Even more if you’re a landscaper. If someone removes the fence or the tree, there is a decent chance it was done for a better reason than resume-driven development, sketchy M&A to manipulate stock prices, etc.
Janitorial work is not necessarily intellectually stimulating though, knowledge work is not necessarily meaningful. Ideally every life would have some time and space for both, and if that were possible I think society as whole would also benefit.
> doing “janitorial” work is rewarding in that it is, um, real work.
> ... it’s really easy to have a multi decade career in tech and look back, realizing that not only is none of the code you worked on still running anywhere, but none of the companies even exist.
Precisely. I feel the same way. I wrote tonnes of Terraform code years ago at XYZ/ABC Ltd and I often think, "Who knows what that code is doing now. Who cares? Does anyone care?"
I have a few answers for you:
1. Go part-time in the tech field (contract or consult for a few hours per week) and reduce your involvement whilst capitalising on the high income
2. Produce (digital) goods that are closer to the consumer: videos, books, etc. on anything that takes your interest
3. Use your free time to do something like cleaning up your local community of trash
For (2), what I'm doing is getting back into making YouTube videos. Even then, I've fallen into a trap for weeks now. A trap of thinking: "What should the format look like? What amount of work should go into it?" And so on. In the end, I decided to turn on the web cam, record, throw the footage in Canva and do some basic editing and overlays, and publish. Quick, simple and, to get back to your point (or rather to attempt to counter it): I'll have produced something that I can see, through stats, is being observed and having a positive impact on people. That's hopefully going to help too.
For (3), go into your local community, even just your street, or a neighbouring street, and clean it. Take a thick bin bag, a pair of pincers for picking up trash, and clean up. Do that once or twice a week, and the impact will be massive for you and everyone around you. You'll feel better for it because it's physical and "real".
It's a tough position the OP is in, but I'm getting there myself as well. I can feel it.
Re: the YouTube thing, that’s an interesting point of comparison too. I can well imagine a younger version of myself looking at all “content production” stuff as quite silly and ephemeral, and of course much of it is.
The irony though is that lots of things more or less in this category still have a longer shelf life than software (or effort you put into technology related stuff in general). A 5 minute journal entry about that day still may serve some purpose even years later, but 5 hours/weeks/years spent on an obsolete platform or now irrelevant problem? Probably not. Even setting aside companies and professional work, bitrot gets really frustrating eventually after you realize that practically everything requires so much care and feeding. I don’t customize things like phones, browsers, or IDEs anymore because I fully expect most of the effort is pointless treadmill where most problems actively resist even semipermanent solutions.
Awareness of this kind of stuff helps some, which is why you see enlightened devs being pretty ruthless about pruning dependencies. Some tech ecosystems are obviously better than others too, but once you see the treadmill you never really unsee it.
I have hundreds of videos on YouTube, and even the old tech tutorial ones around Terraform and Ansible, which are super dated now, get comments thanking me for my time. It's interesting to see videos from 5+ years ago getting positive engagement and making a difference to someone.
> doing “janitorial” work is rewarding in that it is, um, real work.
> What I mean is that it’s really easy to have a multi decade career in tech and look back, realizing that not only is none of the code you worked on still running anywhere, but none of the companies even exist
Actual janitors have their work undone by the time their next shift begins. I don't get the tech nihilism[1]; making software is "real work" - maybe you're too far removed from your actual users to experience their appreciation, or perhaps you hate your users - not judging, I've worked in the enterprise space too. One doesn't need to leave software to make a difference, but if it's tech that's burning you out, more power to you.
Expecting permanence is a fool's errand, and likely born of hubris. A truly janitorial mindset is knowing your work makes things temporarily a little better, but entropy always wins if not for people like you.
1. I suspect people complaining about "bullshit jobs" have limited imagination, experience, or both.
Thanks for your perspective. It’s a very real concern I have — am I trading one kind of burnout for another?
I do think there’s a difference between approaching EMS as a first career, and coming to it later in life (I’m 43) as a second career. I’ve talked to a number of people who’ve done what I’m doing and a higher percentage of them are happy with the decision vs those who started younger.
I’m also not going in with rosy glasses. I’ve been thinking about this for at least seven years, and have had plenty of time to talk to folks at all levels of emergency healthcare, including right here where I’d be working. I think I have a pretty realistic view of what I’m signing up for.
Only time will tell, though. Maybe I’m making a terrible decision; only one way to find out.
I would have thought that if you are the co-creator of Django, co-owner of a consulting agency, and Treasurer of the Django Foundation, at this stage you would have enough financial flexibility to say no to doing any work you feel is evil, and invest some time into work that you think advances the cause of good.
So it doesn't make sense to me that he would leave the tech industry because of the evil in it. I agree with him completely about the evil being there, it's increasingly horrifying what the tech industry is becoming. But the net is vast and infinite. Surely he can go somewhere the evil isn't involved.
Going anywhere the evil isn't involved is hard. I'd say that the human nature has the capacity for evil, as much as it has the capacity for good. Anywhere you go with the intent to do good, you have prospects of seeing evil, because you're going to work with humans, and especially their social structures.
Maybe one can get into e.g. pure mathematics. Proving a conjecture usually does not have a direct societal impact, so it can't be evil. By the same token, it doesn't do anything obviously good.
I write this from the ER after my dad took an ambulance for chest pain (he is fine).
I imagined that the job of the EMTs was difficult. But I also felt the real tangible impact they had in ways that I haven’t in 25 years of being in tech.
No value judgement in profession. But boy can I relate. And so many others my age ~45 (some in tech, not all) that I talk to can as well.
> ... the issues they bring up are oh so real, but the source of the problem lies elsewhere in my humble opinion.
I'll bell the cat - Capitalism is the source of the problem, specifically the strain championed by American companies. It's the root of surveillance tech, and why medical systems can act in ways that result in terrible medical outcomes which deteriorate to emergencies.
Please don't bother to reply whinging about communism. Capitalism may be the best system humans have adopted, but it's far from perfect.
As a southerner who has also pondered this, I think it's simply the basic nature of the menu and local nature of the employees.
Food is basically just pre-made batter, eggs, potatoes, and processed meat; all of which holds well and only requires limited refrigeration. Staff is pretty basic crew: Cooks and customers can order directly at the register if waiter isn't available.
Add to that a culture of staying open at all costs and there you go.
And the reason it was made is because the encrypted database may as well be a shrine to a dead god; it makes you feel awe, but it's otherwise completely useless.
I don't think this is relevant. Even on-prem "air gapped" networks get breached. I would say it happens on as frequent a basis as any other network tbh. Microsoft hacks get headlines because Microsoft is a public company; there are lots of undisclosed breaches happening out there.
Security vulnerabilities come from the same place they always have. Where IO happens, where transactions happen, and where an operating system does a lot of work. How attackers get to these points, what happens when they do, and then how the system reacts when a malicious event occurs are the factors that matter.
In today's world of complex technologies, I have yet to meet a single organization that is invulnerable to these threats. I've seen a lot of organizations limit damage, patch vulnerabilities, and generally manage their risk profile effectively - but losses are a part of the business.
IMO, the only thing that will really make a difference is when we have technologies that are sufficient enough to make the user more resilient. Only then can we have a truly safer web.
I have worked at 20+ companies and the ones that had little to no security got ransomwared at LEAST yearly (with 50m+ in revenues) and the ones that had basic and standard security practices got zero network wide intrusions (at least at lower than, say, a nation state level.)
Now, COULD they have been exploited with a 0day? Sure, in theory these networks could be both exploited with the same technology or by a dedicated actor likely without an issue - they're internet connected corporate networks mostly with probably out of date tech; and in practice most attacks corporations need to mitigate are the drive by trash that consumers also face.
> I would say it happens on as frequent a basis as any other network tbh.
...really?
I find this extremely hard to believe on its face. Sure an attacker can infect a system via a USB drive, but they need to get physically close to the victim (at least at one point in time). That both dramatically decreases the number of possible attackers and increases their personal risk.
It also becomes far more difficult for an attacker to exfiltrate any data.
Exfil may be tricky if the system is actually airgapped - I take GP's use of scare quotes to mean that most systems are "airgapped" by means of software-enforced security policies, which should correctly be referred to as "not airgapped".
As for the attack method, there's always the good ol' "flash drive found on a parking lot" vector.
> As for the attack method, there's always the good ol' "flash drive found on a parking lot" vector.
Right, which requires the attacker to be physically near the parking lot at some point! That decreases the number of possible attackers by several orders of magnitude at least.
> Exfil may be tricky if the system is actually airgapped - I take GP's use of scare quotes to mean that most systems are "airgapped" by means of software-enforced security policies, which should correctly be referred to as "not airgapped".
Ah, that makes more sense! I do think tpmoney was quite clearly talking about truly airgapped systems, however.
> Ah, that makes more sense! I do think tpmoney was quite clearly talking about truly airgapped systems, however.
Very much so. My point being that a truly air gapped system is objectively more secure than one that is networked, and yet, a bank or social network company that only operates with truly air gapped systems will be strictly worse off than their competitors in their actual business of banking or social networking. And so since their actual job is not objectively better cyber security, but banking or social networking, then they are inherently at a disadvantage compared to Attackers whose business IS attacking (or at one step removed, selling the resources obtained from attacking). In the name of making their business better, Defenders will choose weaker security, and attackers will choose stronger attacks.
My point is that the vulnerable points, regardless of where they come from, are ultimately there because the purpose of the Defender is not to have perfect cyber security, but to use computers and technology to enable business. Or as you said, "losses are a part of the business"; and that's so because "the business" isn't cyber security.
I’m sorry but I really really really want some citations here - a network that has VPNs, LANs at multiple locations is as vulnerable as a single location that uses air-gapped computers passing say usb sticks around to share say git repos.
I am not sure I would enjoy working at the second place but I would really hope we weren’t an easy target
It's been shown many times that people will pick up random USB devices from anywhere and plug them into any computer without thinking. Airgapping just stops the automated scans and stuff that was already being stopped. Defence is reactive, so the momentum and advantage is always on the attacker side, and stopping the lazy ones doesn't do anything to stop the real threats.
The costs of seatbelts are already built into the car. The cost of airgapping is not. The sheer inconvenience and limiting of the potential employee pool would put it far out of budget for anyone but governments or very large corporations doing very sensitive work, and even in those cases it would be on a site-by-site basis, not org-wide.
How is YJS different from introducing CRDT? Doesn't it basically just do that for you anyways?
If CRDT is complications and difficult to manage, either YJS resolves that completely, or more likely that complexity will leak out of the abstraction layer no matter what.
To me it seems more like that OP should compare and contrast concurrency solutions, one of which is CRDT via YJS or another could be something like concurrency based on Go routines.
Edit: Should obviously mention Loro, the literal thread we're in now lol
I wrote that comment as a stream-of-consciousness, so it could have been written much more clearly. What I meant was that you probably don't want to reach for a CRDT of any kind unless either multi-tab or multi-user editing is an inherent part of your app's experience. Else you can get the same benefits with less complexity.
Because at this point it's a well known API. I bet people want to recreate AWS without the Amazon part, and so this is for them.
Which, to your point, makes no sense because as you rightly point out, people use S3 because of the Amazon services and ecosystem it is integrated with - not at all because it is "good tech"
Storage is generally sticky but I wouldn’t be so quick to dismiss that reason because it might explain why anything would fail to displace it; a bunch of software is written against S3 and the entire ecosystem around it is quite rich. It doesn’t explain the initial popularity but does explain stickiness. Initial popularity was because it was the first good REST API to do cloud storage AND the price was super reasonable.
Oh, I’m definitely not saying integration or compatibility have nothing to do with it - only that “horrible interface with a terrible lack of features” seems impossible to reconcile with its immense popularity.
First mover + ecosystem wins over interface. And also, I really don’t have so many issues with the interface as others seem to and we had to implement it from scratch for R2. There’s features we extended on top of S3 so it’s not really the interface so much but rather that Amazon doesn’t really invest in adding features so much. I suspect it’s really hard for them to do so. We also exposed a native JS API that was more ergonomic but the S3 endpoint saw more traffic which again points to the ecosystem advantage - people have an S3 codebase and want as drop-in a replacement as possible.
They were first mover for cloud storage and combining object storage with HTTP. Previous attempts were WebDAV (not object storage and very complicated to the point that no one implemented it) and Hadoop which didn’t have HTTP and couldn’t scale like S3’s design.
The preceding lines in this surah explicitly mention this is addressed to wives of the Prophet who are unlike other women. The answer in your link even explicitly mentions this is their interpretation outside of what is explicitly written.
Islam is no different from the other Abrahamic religions. It is the culture of organized Islam that is uniquely violent, conservative, and extreme in its views today.
Religion is always interpreted by people and how they interpret and act on the text becomes the religion itself. If you read the Bible, you'll find Christians don't follow most of the stuff written there and do follow a lot of stuff that is nowhere to be found in the bible (the Trinity, for example).
You can't really separate the religion from its culture is what I'm saying. If you go into a cave and practice your own pure form of Islam, that is commendable, but has no impact on the rest of the world and thus isn't worthy of discussion.
It's mostly neglect on behalf of the teams. In this case, the code was never audited and was created by a rather immature team that was rushing for production. So recipe for disaster.
In truth you can write code that is upgradable or amendable, but always within limits of Ethereum transactions being immutable. However, when a project wants to emphasize that immutability, because that's perceived as the need by the users and the devs, then you end up in this situation.
So, as usual, the problem is solvable with a little diligence. The challenge is for crypto culture to get over itself and mature and actually perform that diligence.
I will say that there are very mature, very well developed projects that you don't hear about getting hacked, because they take advantage of the wealth of experience that's been built on this subject.
>So, as usual, the problem is solvable with a little diligence.
If you're going to potentially lose tens or hundreds of millions, you need a lot more than a little diligence. Formally proved code (something along the lines of Ada with SPARK Pro) is the bare minimum for something with so much money on the line, and even then I'd still prefer a traditional contract and leave things to the courts.
Still, cool article even if a bit lengthy.