Hacker News: raesene9's comments

Not OP, but if you are looking for information on why some people aren't keen on the kernel's approach to CVE management, https://jericho.blog/2024/02/26/the-linux-cna-red-flags-sinc... might be of interest.

In a lot of ways Notes was ahead of its time. You could easily have encrypted replicated databases with offline work, which was very handy for traveling users back before high bandwidth connections were widely available, and you could build quite complex apps on top of those databases.

I saw at least one large company that migrated from Notes to Exchange; they got the email/calendaring bit done quite easily and were still running Notes servers for line-of-business applications years later.


I'd like to believe that technical people at OFCOM actually know the impossibility of what they're being asked to implement but are just going through the motions, so their bosses/politicians can put out pointless press releases like this.

Trying to restrict access to content on the Internet by requiring "robust" age verification was never going to achieve the goals they stated, and has a number of predictable (and already seen) negative side-effects.

Unfortunately governments all over the place seem intent on continuing this type of regulation, I presume so they can be seen to be doing something. Good time to be in the VPN game, I'd guess.


Well, OFCOM lost all credibility with me and many others in how they failed to fix the Vectone UK mess. Vectone UK was a virtual operator; however, they owned the number range they allocated (most MVNOs get a block from the provider they use for their network; Vectone behind the scenes would shop around and, by owning the number range, could make switching core network easier, I presume). So even when you ported to another network, as they owned the number, they would set up routing to the new provider (this is how number porting works, of which I was unaware, as I'm sure many are not).

The issue is that if the provider goes bust, all those numbers go with them. So anyone who had a number that originated from them, even if they had ported it to another network, suddenly lost not only their number but any way, shape or form of getting it back. The impact was devastating for many, including myself. All 2FA, or any account tied to that number, you found yourself unable to control. Even if you had access to the account, changing the number would see them use best-practice security and send a verification code to the old number. This created a right nightmare, as you can imagine, with all the automated support we now have. So months of fun and games, with the odd overlooked gotcha popping up from time to time.

OFCOM failed to do anything. They could have forced them to sell the number range, taken over control of the number range, or proactively thought out such situations, given the way they port numbers, so that the new provider gets control of that number and is not at the mercy of the previous provider, which in this case went bust.

Many other stories on this here: https://www.ispreview.co.uk/talk/threads/vectone-is-dead.406...

But like many, I myself contacted OFCOM and found a chocolate teapot far more comforting and with better results.

What with the UK pushing digital ID, funny anecdote there - I did jury service recently and they do not accept a digital ID as proof of ID, nor do they accept a selfie either as proof of age or ID ( we all had a good laugh as was done in the best possible taste ).


what do you mean by "number"?

Phone number, which means I have a SIM I ported, able to make calls and send text messages from what is a ghost number that can't receive calls or texts and presents, in effect, to the outside as a non-existent number. So I ended up getting a new number with GiffGaff, which at least has credibility I trust.

Phone number.

Their goal is quite clearly censorship of speech, and this is their path toward Internet ID.

Until governments try to ban VPNs...

That is one option, but then you get into the world of corporate VPNs, which are heavily in use, and it would cause serious problems if you banned them.

Then you're into "what about all TLS connections" which can be used to send traffic, so you have to do TLS interception at scale, which is a very non-trivial problem to try and solve.

Then you're into non-TLS encrypted protocols, so your only option there is to block anything you can't intercept.....

At that point you've pretty much broken Internet access in your country, might as well just chop the cables :P


I wish I was as optimistic about the resilience of the open web as you, but I see what the Chinese government achieved and what the Russian government have been doing over the last few years, and I'm very concerned.

China has built their Great Firewall over many years gradually, and they have a lot of resources inside, so almost everything from the "western" Internet has a Chinese analog. Russian government simply does not give a flying fuck about people and economy on either side of the border, so they can just pull the plug completely if they see it necessary from the political point of view. So these countries are hardly reference points for what UK can achieve (although Russia is closer than China).

Oh I'm not saying they won't try and do it, just it'll either be ineffective or they'll effectively wreck the Internet.

For the UK I'm kind of doubting they'll put enough money into it to make it good, so we'll get the ineffective version and politicians will get stories like this one written about their efforts.


I saw an excellent video[1] a few weeks ago that outlined this issue perfectly in the context of Tor's anti-censorship methodologies of hiding its traffic as other kinds of traffic. The endgame is basically to cut the cables and have a countrywide intranet, or just accept that people will bypass it. Even the Great Firewall isn't perfect, and Chinese users VPN out of it all the time.

They're still going to try anyway though. Wisconsin is already putting up a hilariously bad anti-VPN bill[2], and I'm curious if they don't just end up trying to ban every server provider out there in the process of enforcing it.

[1] https://youtu.be/i9Jh3egGaNk

[2] https://news.ycombinator.com/item?id=46113232


The more practical law is to ban using VPNs to bypass local censorship/filters/etc, which is the law the UAE has for example. Companies can keep using them for security, so can individuals who aren't using them to pretend to be somewhere else to bypass local laws.

This also has the benefit (to the government) of criminalising individuals, making prosecution much easier and allowing it to be more selective according to the government's whims. It reminds me of the way the US dealt with piracy: you could go after a bunch of college kids to make a point, etc.


I'd guess the tricky part there is proving intent. If I sign up to a VPN so I can watch sports or other geo-restricted content while on holiday, does that count?

In a fully authoritarian state of course you likely don't have to worry too much about proof, but I'd suggest the UK has a ways to go for that.

On the piracy front, well we've seen how successful they were in stopping piracy.... not at all.


> That is one option, but then you get into the world of Corporate VPNs which are heavily in use and it would seriously cause problems if you banned.

This should not give you /any/ comfort that they won't attempt to ban VPNs. It's as easy as making it illegal to purchase/use a VPN/proxy service as a non-business entity with some loosely drafted legislation that would scare people.

It's child's play to draft legislation that would not affect businesses, plus some appropriate PR/propaganda campaigns.


What's a VPN though? Just an encrypted tunnel between two nodes. For decently technical people, it'd always be possible to rent a VPS somewhere outside the country and route traffic to it.

If they're going down that route I'd expect the first service to be banned will be Tor, I'm actually mildly surprised they haven't tried that already.


> What's a VPN though

It really is easy. You cannot outsmart lawmakers here, if they are determined enough.

It doesn't have to be 100% perfect, just 80% plus some messaging (edit: and harsh penalties). Do you not accept this?

As to wording of the law, eg:

"A Commercial VPN is defined as a service offered to the public for remuneration that routes internet traffic through servers to obscure the subscriber's IP address or apparent geographic location, where the primary purpose is to provide anonymity or circumvent geo-restrictions."

"A Business VPN is defined as a virtual private network operated by or on behalf of an organisation to enable employees, contractors, or authorised agents to securely access the organisation's internal network resources; connect geographically separate premises of the same organisation; or comply with data protection or security obligations."


That is, until you only allow approved vendors (Microsoft, Cloudflare, etc) to provide these types of services. It’s very easy to pass laws like that, and it seems like centralization is the direction everything is headed.

So if you could get Google/Apple/MS on board, then you could embed controls onto most people's endpoints, and actually that'd work more than trying to put the burden on websites/controlling the network. The trick is those are all US corporations who may or may not want to be responsible for that level of control.

While we still have alternate operating systems, that won't be a universal control of course. You'd have to stop people owning general purpose computing devices for that to be fully effective.


> You'd have to stop people owning general purpose computing devices for that to be fully effective.

That's been the corporate and probably governmental wet dream since the iPhone was released. I think the only thing keeping the x86_64 scene from doing the same thing is legacy software support, and open alternatives existing. If Microsoft could've viably banned getting software from anywhere outside their store, they would have.

I would argue with all the computers they sold in "S mode" a few years ago, they earnestly tried it in the home market.



Worth noting you don't actually need to be fully root on Linux to do standard pings from your code; there are a couple of different options available at the OS level without needing to modify code.

1. You can just add the capability CAP_NET_RAW to your process, at which point it can ping freely

2. There's a sysctl that allows for unprivileged ping "net.ipv4.ping_group_range" which can be used at the host level to allow different groups to use ICMP ping.


Option 2 is what this blog is about; the example code creates a socket using that method.

> There's a sysctl that allows for unprivileged ping "net.ipv4.ping_group_range"

What are the risks of enabling this for all groups (i.e. sysctl net.ipv4.ping_group_range='0 4294967294')?

Note this allows unprivileged ICMP sockets, not unprivileged RAW sockets.


> You can just add the capability CAP_NET_RAW to your process, at which point it can ping freely

What are consequences of this capability? Seems like restricting this to root was done for a reason?


It lets you open raw sockets, and has some dangers (e.g. packet forgery). It's included in pretty much every container in existence (if you're running as root in the container or have ambient capabilities set up).

The goal of the capabilities system was to allow processes and users to gain a small portion of root privileges without giving them all.

In the "old days" ping on a Linux host would be setuid root, so it essentially had all of root's rights. In more modern setups it either has CAP_NET_RAW or the ping_group sysctl is used to allow non-root users to use it.


CAP_NET_RAW also allows you to capture packets (tcpdump), so you really can have some fun, like running a TCP stack in user space or MITMing HTTP connections: https://blog.champtar.fr/IPv6_RA_MITM/ / https://blog.champtar.fr/Metadata_MITM_root_EKS_GKE/
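The two mechanisms discussed in this thread, in working code: an ICMP "ping socket" (SOCK_DGRAM + IPPROTO_ICMP), which the kernel permits without any capability when one of the process's groups falls inside net.ipv4.ping_group_range, and a raw ICMP socket, which needs CAP_NET_RAW. This is an added example, not code from the blog post under discussion or from the commenters; it assumes Linux (the sysctl and the ping-socket type are Linux-specific), and the loopback target and payload are just test values.

```python
"""Unprivileged ping on Linux: ping socket (gated by ping_group_range) vs raw socket (CAP_NET_RAW).

Added example, not the blog's code. Assumes Linux. To allow the ping socket for every group:
    sysctl -w net.ipv4.ping_group_range="0 4294967294"
To grant only the raw-socket route to a binary instead:
    setcap cap_net_raw+ep /path/to/binary
"""
import os
import socket
import struct
import time
from typing import Optional, Tuple

# procfs view of the sysctl; kernel default "1\t0" is an empty range (nobody allowed).
PING_GROUP_RANGE = "/proc/sys/net/ipv4/ping_group_range"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP type 8 (echo request), code 0, checksum filled in over header+payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def parse_ping_group_range(text: str) -> Tuple[int, int]:
    """Parse the sysctl's 'lo<TAB>hi' form into (lo, hi)."""
    lo, hi = text.split()
    return int(lo), int(hi)


def gid_may_ping(gid: int, rng: Tuple[int, int]) -> bool:
    """Inclusive range check the kernel applies to the process's groups."""
    lo, hi = rng
    return lo <= gid <= hi


def read_ping_group_range() -> Optional[Tuple[int, int]]:
    """Return the live sysctl value, or None off-Linux / when procfs is unavailable."""
    try:
        with open(PING_GROUP_RANGE) as f:
            return parse_ping_group_range(f.read())
    except OSError:
        return None


def open_icmp_socket() -> Tuple[str, Optional[socket.socket]]:
    """Prefer the unprivileged ping socket; fall back to a raw socket (CAP_NET_RAW).
    Returns ('dgram'|'raw'|'none', socket or None). Permission failures surface as OSError."""
    for kind, stype in (("dgram", socket.SOCK_DGRAM), ("raw", socket.SOCK_RAW)):
        try:
            return kind, socket.socket(socket.AF_INET, stype, socket.IPPROTO_ICMP)
        except OSError:
            continue
    return "none", None


def parse_echo_reply(kind: str, data: bytes) -> bool:
    """True for an ICMP echo reply (type 0). Raw sockets deliver the IPv4 header
    as well, so it is stripped first; ping sockets hand back only the ICMP message."""
    if kind == "raw":
        ihl = (data[0] & 0x0F) * 4
        data = data[ihl:]
    return len(data) >= 8 and data[0] == 0


def ping_once(host: str = "127.0.0.1", timeout: float = 1.0) -> Tuple[str, Optional[float]]:
    """Send one echo request and return (socket kind, RTT in ms or None on failure)."""
    kind, sock = open_icmp_socket()
    if sock is None:
        return kind, None
    with sock:
        sock.settimeout(timeout)
        # On a ping socket the kernel overwrites ident with the socket's bound id.
        pkt = build_echo_request(os.getpid(), 1, b"ping_group_range demo")  # constructed payload
        start = time.monotonic()
        sock.sendto(pkt, (host, 0))
        deadline = start + timeout
        while time.monotonic() < deadline:
            try:
                data, _ = sock.recvfrom(65535)
            except OSError:
                break
            # A raw socket on loopback also sees our own outgoing type-8 request; skip it.
            if parse_echo_reply(kind, data):
                return kind, (time.monotonic() - start) * 1000
    return kind, None


if __name__ == "__main__":
    print("net.ipv4.ping_group_range =", read_ping_group_range())
    print("ping 127.0.0.1 ->", ping_once())
```

Run it as an unprivileged user: with the default "1 0" range and no CAP_NET_RAW it reports "none"; after widening the sysctl it reports "dgram" and an RTT; with only the capability granted it reports "raw". The point of the ping socket is exactly what the thread says: the process gets ICMP echo and nothing else, whereas CAP_NET_RAW hands over arbitrary raw frames and packet capture.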

The solution I go for is, don't ever run a coding agent on a general purpose machine.

Use a container or VM, place the code you're working on in the container or VM and run the agent there.

Between the risk of the agent doing things like what happened here, and the risk of working on a malicious repository causing your device to be compromised, it seems like a bad plan to give them access to any more than necessary.

Of course this still risks losing things like the code you're working on, but decent git practices help to mitigate that risk.


I really wish these agentic systems had built in support for spinning up containers with a work tree of the repo. Then you could have multiple environments and a lot more safety.

I'm also surprised at the move to just using shell commands. I'd think an equally general purpose tool with a more explicit API could make checking permissions on calls a lot more sensible.


I wouldn't be surprised by a drop in security postings. Quite a few companies view security as an "overhead" so the siren call of reducing that overhead by introducing AI is a thing.

Also, for a lot of jobs in security it's pretty hard to measure how well it's being done, so if the AI-based solutions are worse, that might not show up for a while.


> for a lot of jobs in security it's pretty hard to measure how well it's being done

Nothing going wrong: “What are we paying you for?”

Everything going wrong: “What are we paying you for?”

It’s a no-win situation unless you manage to score a division manager who understands security and understands the reports a good security division produces. And most importantly, understands that no news is good news.


We also need to consider the confounding effect of corporate performance and recession expectations.

Cost centers in businesses are early canaries of expected pain, and a reduction in security roles may reflect belt-tightening irrespective of AI impact.


Security products and practitioners are the classic snake oil salesmen. They are actually sales and marketing roles for help closing deals by emphasizing some security aspect. True security comes from general IT practices followed by engineers themselves.


> True security comes from general IT practices followed by engineers themselves.

Thank goodness engineers pop up out of the ground fully trained on good general IT practices....


I would be wary of making categorical claims like this, but it's unfortunately true that "security" field hasn't been doing well in a long, long time now.

Half the field is B2B "magic bullet" solutions like CrowdStrike and all the associated sales tactics - with pitches that boil down to "you give us money, we make your security issues go away". Half of what remains is mandatory certifications and other flavors of checklist-obsessed cargo cultists - often CYA-driven, often demanding the adoption of the fancy acronym of the day, regardless of the real threat profiles. Then you get the "security snake oil" - "magic bullet" systems that don't work, never did and never will, but are supported by the right influence groups and get the right pockets lined, and so are used anyway. DRM systems like WideVine and PlayReady being the prime examples. Then there are the corporate "security of our business model" shills - who pay lip service to "security", but have the true aims of "prevent anyone we don't like from doing anything that can harm our revenue streams" - with Apple being a common example.

And about a fifth of the field is people who do actual security work, and keep the sky from falling.


I agree with you totally, although I'd venture to guess 20% is way too high. I'd say you have about 10% people doing security work, 15% doing compliance, and the rest are consuming oxygen.

It's a growth field, so you have lots of idiots getting certifications and stupid jobs. Reminds me of the 90s when I started, and companies were paying MCSEs (i.e. read a book, hit next-next-finish in Windows NT) more than software engineers in some markets.


As the security guy, I get the feeling that on average engineers are not exactly great at general IT practices, or even at doing basic things.


> True security comes from general IT practices followed by engineers themselves.

I have yet to meet an org whose engineers care about security, or who would not compromise security if secure practices got in the way of shipping a product or feature.


> True security comes from general IT practices followed by engineers themselves

Sounds exactly like something the average security practitioner would say...

`not_sure_if.jpg`


How does this affect hiring of security engineers?


I'm a bit amazed you consistently get downvoted while you seem to speak the truth. So much gray in your comments.


I consistently see this commenter making a single comment, of questionable relevance, expressing a strong opinion which isn't particularly thoughtful or interesting or true. Then they ignore the pushback and move on to the next thread, where they post another tangential hot take. I'm not at all surprised at the result. Those comments attract a lot of downvote because they aren't very good.

This thread is a microcosm of that. They went on a tangent from a tangent to express how little they think of their colleagues working in security. It wasn't out of curiosity, it didn't raise interesting questions or provoke interesting debate. They didn't defend or substantiate their opinion so that they and we could learn something from it. It was just a drive-by flamebait to stir the pot and express derision. It should be downvoted; it's a bad comment.

Perhaps that pattern is difficult to see when their hot takes align with your own takes.


A microcosm indeed.

I didn't write my comment to applaud them.


I don't understand what "you seem to speak the truth" means if it isn't an endorsement?


It's an observation.

On the continuum of approval, where at one end there is endorsement and at the other disapproval, it's somewhere in between. Even I, who made the observation, don't know exactly where. Sometimes something jumps out at me and I don't yet know why.

It could be an incorrect observation. Some of what they said seems true, some false. I don't know enough about security specifically to say. I know enough about other things to know he said some things that are true.

It's astonishment at perhaps some kind of law of the universe that things that seem one way may be a different way.

It's an exclamation at the poetic irony of someone expressing there's gray area in some things gets downvoted and their comments are in gray colour.

It's a way to introduce myself, to say hi Mr Monero user, and pass a super secret note.

I meant no disrespect.

Perhaps my reply here is astonishment at how interpretation of words may depend on imagination. As if words alone aren't enough.


I post my view that is against the HN hive mind and don't always feel like rebutting the same hive mind talking points again and again. I like to post to prove there is an alternative view out there.


I'm also guilty of what they accuse you of. Sometimes my internet comments are not made for the purpose of sparking discussion, but more of a "vent" where I know my take is not popular but I feel the need to throw it out there anyway. The comment is more for "me" than anyone else. And, yeah.. that makes it a bad comment lol.

I also just love playing devil's advocate, and I'm averse to hivemindy-feeling opinions (even when I share them). Maybe this all describes you, too.


I don't have a problem with people doing that as long as they don't pretend that every other commenter holds the same contrary opinion and that the downvotes indicate they're too sensitive to discuss such things, or other similar rationalizations. If you want to leave some drive-by snark without rationalizing it as being about other people, it's not my favorite kind of comment but I'm not going to object to it either.


The downvoting functionality here and in other forums can mean many things. It isn't a precise thing. If it is precise I'm not finding a clear definition. It can mean I disagree, this is boring, this is false, this made me sad, I don't like reading this, I don't like this user, I'm tired, etc.

One plausible interpretation of a downvote without a comment is drive-by snark without rationalizing.


I don't know your motivations but I know the "HN hive mind" isn't the problem. When you do engage with people who disagree with you, it usually becomes evident to me that there isn't much substance behind your views and that you struggle to disagree amicably. I also see lots of people on HN with a similar perspective to yours who don't have the same problems or engage in the same patterns of behavior.

The facts are that HN has a diverse set of perspectives with many conservative/libertarian commenters who would align with you, but that your comments are frequently shallow flamebait. Though I have seen a couple good points you've made, as well. Do with that information what you will.


I disagree entirely. I don't even post very frequently, so it's surprising I have someone tracking my posts. The shorter a comment the better it is, if the same opinion that takes an essay can be distilled into a sentence.


Maybe you disagree, maybe you don't. Since you chose to veer in different direction and reply to something I never said, I don't know either way.

In any case, brevity is something great writing and shallow hot takes share.


My first comment on this whole thread was how security in tech is theater, and the sellers mostly snake oil salesmen. I'm not the first to make this observation and I don't think it's wrong. Which is why employment in the sector is down, full circle to the OP.


Go ahead, take that slim, speculative, tangential connection and interpret it as permission to inject your hot take into the discussion. Decline to elaborate when your supposition is challenged. You've every right to do that.

Just don't pretend that it's for our benefit or that we downvote it because we're unthinking drones, or that you decline to elaborate because we're simply not capable of having the discussion.

I tell you this because if I were insulating myself inside a bubble and rationalizing my interactions with those who disagree with me as being the reflexive behavior of a hive mind, I would hope someone would point that out to me. So here it is; again, do with the opportunity what you will.


This website is full of unthinking drones acting with hive mind behavior; that is my contention, and I think very differently, not just on here but from almost everyone I engage with. However, I succeed over and over with asymmetric bets on a wide variety of things, including and especially tech and making money in tech, so if we compare bank accounts, career trajectories, investments, etc., it would be wise to let me speak.


Overweighing people's opinions on matters they demonstrate a shallow engagement with on account of their success in other areas is cargo culting. Maybe you should worry less about HN and more about your own reflexes to accept bad ideas from yourself and others based on their wealth. Maybe succeeding in contrarian bets doesn't make you "correct" in some moral sense, but only successful in the trade.

It's easy for me to believe you're an intelligent person who's accomplished impressive things. But it wouldn't contradict anything I've said.


I own a software business with hundreds of employees that I built from nothing. I know all about tech security, hiring security guys, etc. It is a cost center; the directors/VPs/CSOs are overpaid salesmen; 99% of the products you want are features from cloud vendors or are provided by standard tools like device management or password managers. I totally get the patina desired by large corporations who need to show Wall Street they care about security. When I box-check, I use a super cheap, cut-rate firm who can check boxes for me at the lowest cost, because it is total bullshit. I'm sorry, this is the reality.


It's understandable to have sour grapes after having some bad experiences, but what I'm hearing is unrelated to any impact AI is having on the job market. You're talking about security products you think are snake oil and executives you think are overpaid; that is unrelated to trends in job postings for security professionals, working at software companies, and how that might be impacted from AI.

This is what I've been saying. You've got some random grievance, you want to take this discussion as an opportunity to get it off your chest. But you don't want to engage with people challenging your ideas. And when for whatever reason you do explain yourself to me, your explanation is "I am wealthy and successful, so I must be right. Those who disagree with me are an undifferentiated mass of imbeciles that I have nothing to learn from."

If that's how you want to live, it's your right. You're only cheating yourself, so maybe I'll just shut up and let you get on with it.


> This website is full of unthinking drones acting with hive mind behavior

Maybe not "full", statistically, but many times I receive a similar impression.


> Just don't pretend that it's for our benefit or that we downvote it because we're unthinking drones

The reason many comments are downvoted on HN in general is most often unknown to me. One interpretation is that it's a major flaw in HN.

This design decision by HN could be intentional, as a trade-off to achieve something else. For example, it could be done to have high velocity of discussion. High velocity could preserve an invariant of keeping or pulling users on the site.

If it's a trade-off, which would suggest something is given up for it, it might be worth exploring what's given up.


Thanks! I just take the downvotes, whatever


People are sleeping on AI in sec, lots of lazy sec engs and architects going to be SoL sooner rather than later.


I could easily see those just running a tool and then printing a report being replaced by a script that runs the tool, passes the results to an LLM and then sends the report.

And probably more useless architects.


I'm not sure how true the stigma is for GLP-1 based drugs. There are lots of online options for getting it from major orgs in the UK including things like Asda who aren't really a well-known pharmacy brand here (https://onlinedoctor.asda.com/uk/weight-loss-treatment.html).

As to advertising, my perception is that it's wrapped in a "weight loss clinic" style presentation but you don't have to be on all the sites long before you get to the "buy $GLP-1" here :)


Was this comment meant to be in reply to https://news.ycombinator.com/item?id=45726223 ?


Unfortunately I don't think they're going to get involved there. There are already multiple "official" images on Docker Hub that are unmaintained and have plenty of CVEs (e.g. CentOS, https://hub.docker.com/_/centos/tags).

I think the most they'd do is add the DEPRECATED note to the Docker Hub page, as they have done for things like CentOS.


I think that's not quite the way consulting should, and to some extent does, work.

The ideal goal of consultancies like Deloitte's is that they hire a small number of people with experience and combine them with a larger number of young bright people and have them come in to review and advise organizations. The people with experience (so who have worked in that field before) direct the engagement and the leg work is done by the juniors, producing a report for the customer.

As to why companies would choose to use consultancies, there's a variety of reasons, some good, some less than good.

- Outside perspective & experience. The consultancy has done engagements with other companies in your field and can provide that experience.

- Neutral point of view. The consultancy should be neutral to any internal politics within the organization.

- Appeal to authority. Many times organizations use consultancies to provide evidence to external stakeholders that the thing they want to do is the right thing.

Now that's not to say that it always (or even often) works out that way, but in theory at least, there are some not terrible reasons.


Ah, OK, so there are actually people with real industry experience there? What happens with the young bright people when they are not young any more though? Are they expected to leave the company to gather real world experience or are they just promoted to "experts" without seeing anything outside their consultancy?


The trick is they pay the young bright people peanuts relative to what they bill them out for, so then market forces rotate the majority of them out of the consulting org automatically, often into positions at the companies they consulted for or into their own businesses.

So why do the young bright people do it to begin with? They get to work with experienced people, broad learning experiences in diverse industries, networking (= future job prospects), etc.


Yep and IME it works a lot of the time. A number of people I worked with in IT/Infosec consulting are now CISOs of large orgs.


Well they get some experience doing the consultancy work of course, and yep lots go off to industry after 2-3 years.

IME (Worked for E&Y some years back) about 80% of people who started as juniors would have left after 3-4 years with the other 20% staying to try and make partner.


I have a few acquaintances who grew in consulting to become partners who have never, ever, ever worked in the field they consult for. They've only done consulting, only looked through the lenses they were required to for the job they were asked to do with no real experience in the industry.

The only person I know who ended up at a high-ish position at McKinsey with proper industry experience had as their only job being the founder of a company they worked quite hard for 15 years to build, and sold it. Still, it's someone who only had a narrow experience in their industry which is now advising companies in very unrelated fields.

