Hacker News | lrvick's comments

As a security engineer that regularly architects and helps implement new defense tactics that no LLM has trained on, I choose not to use LLMs at all, like a cave man.

Being differently trained and using different tools than almost everyone else I know in engineering my entire career has allowed me to find solutions and vulnerabilities others have missed time and time again. I exclusively use open source software I can always take apart, fully understand, and modify as I like. This inclination has served me well and is why I have the skillsets I do today.

If everyone is doing things one way, I instinctively want to explore all the other ways to train my own brain to continue to be adversarial and with a stamina to do hard experiments by hand when no tools exist to automate them yet.

Watching all my peers think more and more alike actually scares me, as they are all talking to the same LLMs. None for me, thanks.

"But this magic proprietary tool makes my job so much easier!!" has never been a compelling argument for me.


Yeah grinding the domain expertise is definitely the play if you have the resources to do so.

It is not for anyone but Apple, because they control the source code and full remote code execution access to your device at a higher privilege level than you as the supposed owner have.

I trust Apple with that. Maybe not as much as I would've were Jobs still around, but I certainly still trust them more than any Android OEM.

So you believe dictatorships are a good idea when it comes to technology control.

My question is then the same as for anyone who prefers to give up freedoms to centralized, seemingly benevolent dictators: What happens when you are told you can no longer do something you were previously allowed to do, that is only in the interest of the centralized power?


> So you believe dictatorships are a good idea when it comes to technology control.

Not generally, but sometimes there's a good one (like Linux). Apple happens to also be one I like.


The Linux ecosystem is a peaceful and effective system of anarchy with no central authority. Pretty much the exact opposite of the Apple dictatorship.

I am a Linux distro maintainer and my team and I do whatever we think is best in our distro, even including patches and defaults Torvalds did not approve of, because our goal is security first and his is compatibility first. That is what we mean when we say "free" in free open source software. Torvalds can do whatever he wants in his branch, and we can do whatever we want in ours, selectively taking the bits we want.

Want to modify the operating system on your iPhone? Want to use Tor globally for privacy? Want to use an external NFC/USB smartcard for secret management or authentication? Want to use a browser with an engine other than last gen crippled webkit? Good luck. Apple did not extend those freedoms to you.

You have no freedom on that device but to install binaries Apple blesses and use it the way they intend. Apple does not produce free software or give their users freedom over their devices because they want maximum profit and control.


Including custom ROM devs like the GrapheneOS team or the LineageOS team? That's a lot of trust you're putting in a company that only has their own profit at heart.

After Trump's re-election, I figured that there's not much difference between using a cheap Android from a Chinese OEM, or an iPhone. Both will give away my information if the totalitarian government (Chinese or American) requests so. I don't really have a particular preference on whether it's the Chinese or Americans spying on me, so in the end it all boils down to price. Chinese Android devices deliver the same level of performance and features as Apple for 1/4 of the price.

Of course if I really cared about privacy, I would just install GrapheneOS or LineageOS on supported Android device, so no Apple in that case either.


I do not have a smartphone and have had no problem being a customer of multiple top banks. They strongly _encourage_ you to use apps, but if smartphones are against your unspecified religion, alternative paths always appear.

In EU? For internet banking you need a mobile phone or a dedicated hardware token (thing you own), as part of the Strong Customer Authentication (SCA) requirement under the PSD2 regulation: https://ec.europa.eu/newsroom/fisma/items/658958

I know in some countries (UK, Germany, Switzerland, Austria) they're used to hardware tokens already since they were in use long before PSD2. But I seriously, seriously doubt banks in e.g. Poland specifically implement support for hardware tokens issued to very few annoying customers who refuse to use an app but otherwise want internet banking.


This is untrue in reality. I have literally used more than 5 banking apps, and a few investment ones (including 1 in the US). I could log in to all of them through a browser, using phone number 2FA, or a proprietary authenticator of the bank (a physical device). No bank ever forced me to use their app to log in. It's an option though (and a convenient one). If that ever ends up being the case, I am for sure not using a Google phone to do so. iPhone it is.

And here is the funny part. On my A13 Android (fully rooted, BL UL, custom ROM) I can totally bypass play integrity, using the keybox method. There is literally no way for google to patch this. I am yet to get it working on A16, mainly for lack of time to tinker, also because OP15 has no sources released yet to build ROMs for it, which is the main motivator for me to use an Android phone.

The takeaway is this: Google promotes "Play Integrity" (PI) as a working solution against "tampered devices" (i.e. because god forbid you have sudo access on your device). Yet, it's easy (albeit a bit complex as you have to know the right telegram groups) to bypass it. PI gives the illusion of security, yet in reality a counter-solution exists. Real bad actors would have 0 issues doing what they want to do; the real impact is deterring users from open source ROMs like Lineage, simply because their bank app wouldn't work, which imo is Google's plan all along masquerading as a security feature. Google's main business is ads, and host-based ad blocking is extremely easy once rooted.

Their recent moves align well with this (slow rollout of open sourcing, QPR2 is still not out yet, antagonizing 3rd party stores like F-Droid), all in the "name" of security.


Interesting. I just moved to Android from iOS with the idea of eventually switching to GrapheneOS, but was scared that my apps will randomly stop working as soon as Google catches up with the hacks. From what I heard it's a cat and mouse situation, they patch things, then android community finds a way. I do not want to find myself in a situation I need to use my bank or government app and fail because Google just caught up with the hack.

So what you're saying is that you can have it permanently 'fixed' with no shenanigans like that?


Yes, until Google makes more changes, but this has been the way for over a year now.

Between what the law says and what actually happens there's sometimes a gap.

I'm in the EU and currently I do online banking with 3 banks without using any app, i.e. through a laptop browser. The 1st literally lets me stay logged in with a simple cookie, with an SMS 2FA requirement every 90 days. The 2nd additionally asks for a PIN to be entered at each session. The 3rd is a neobank and is tougher, requiring a TOTP (which I generate on the same machine, needless to say).

A 4th does require an app, and in fact can hardly even be used with a desktop OS. That bank is Revolut and I therefore don't use it and I recommend others avoid it too.


I host weekly friend-of-friend open events where some people show up most weeks, find a nice comfortable spot to doom scroll in for a couple hours, maybe take a nap, leave, sit in their car for a bit, scroll some more, then go home.

I am just hoping they actually took a break from doom scrolling while driving as then at least I can say I had some non zero positive impact on their lives.

5 years phone-free and I do not miss it. People use them as security blankets to avoid having to be present for more than 5 minutes at a time with other people or even just exist in their own heads. I now find this behavior immature and gross but avoiding it would mean not having friends.

A smartphone is like toilet paper. No one wants to watch you use it.


Maybe host your event in a cave if you can, no cell coverage, no Wi-Fi.

There is a bar like that where I go sometimes, it is in a cave, some people got Wi-Fi from the staff, and you have some reception if you stand near the front door, but it is mostly a network-free zone and it is great.

Another thing we did from time to time at the restaurant is to put all our phones stacked in the middle of the table, anyone who picks up his phone before the end of the meal for any reason pays the bill for everyone. So far, no one did.


Suddenly the one good use case for lead paint becomes clear.

Get better friends! Not everybody does this.

Very curious to hear how you went phone-free and what your setup looks like

I have a mini PC hooked to screens in every room other than the bedroom and bathroom, and remote controls with built-in air-mouse and keyboard (Pepper Jobs remotes). This way anyone can pick up a controller in any room and look something up on a shared communal screen as needed, which discourages use of private screens.

When I leave home for less than a day I pack no electronics of any kind and enjoy the peace in my own head to think about the next problems I want to solve in my universe.

I pay with cash exclusively in public so tap and pay is not an issue. If I ever need to be reachable for emergencies I can carry a pager but so far this has not been worth it.


Did not expect that: I got rid of a small screen I can carry around by putting a lot of small screens all over my house.

I put that in the same bin as all the “Stop doomscrolling” apps. You can’t prevent doomscrolling by adding another app on your phone. Get rid of the phone (and all other screens); one does not need to be able to look up everything at a moment's notice. Write it down on paper and do it later.


It causes a major difference. It forces all uses of screens in common spaces with others present to be inclusive of said others. You do not open anything on shared screens you do not mean for others to participate in, so they function more as collaborative tools instead of private escapes.

Anyone can grab a remote and summon shared entertainment, order food, do shared research, fact check something, etc... but said screens are just Linux machines with no proprietary software or magic addictive algorithms. Just tools.

Also when we walk away from them they do not follow us, and they cannot notify us.

It has completely changed the way my family and I interact with, and separate ourselves from, the internet.

If my phone battery died, I used to panic. Now with no phone, when I leave home, I am just... present, and can get lost in my own thoughts again. A skill I lost for decades with distractions always in my pocket.

Really, just moving the screens further away, tethering them to walls, and ditching all proprietary addictive software is easier. Also a couple of TVs and mini PCs cost less than one modern smartphone and cover the whole family.


This makes me worry about the future where I will be unable to hire anyone that actually knows how to solve novel engineering problems via programming with a real keyboard on a real computer with their actual brains.

To be honest it is already starting to feel that way.


We banned proprietary software in our home, self-host the internet services we need and want as a family, and block ads in everything.

Gave up my own phone entirely a few years ago partly to ensure kids never see me use one or rely on one so they know such tools are optional in life.

I like teaching kids modern technology starting with a soldering iron making an LED blink, and building a PC from parts, and eventually compiling an operating system from source code. I see absolutely no reason for a kid to ever need unsupervised access to the internet until at least high school, and even then not on a phone, but via desktop computers in common areas where there is accountability.


Kids turn 18 eventually. Unless they’re homeschooled and kept in a compound away from peers with different experiences, I’m not sure how sustainable this approach is long-term.

I say this as the father of a 17-year-old who once read 200 books per semester in elementary school, winning school and city reading awards. This year in high school, she’s read maybe a couple of short stories at most. She’s grown up surrounded by bookshelves in every room, but now she has no inclination to even glance at the spines, much less open a book.

We read aloud together every night for years, usually books well beyond her grade level, which was already advanced. I exposed her early to Bergman, Antonioni, Kurosawa, Mizoguchi, and other great directors. Now her media diet is mostly TikTok and gaming YouTube videos. Musically, she’s remained open to everything from classical to oldies, fortunately. As for technology, despite learning quite a bit of Python and JavaScript starting at 10-11, she’s currently uninterested in and actively hostile to understanding anything about AI architecture or underlying systems.

Is this a teenage phase? Maybe. I’m hoping with everything I have that it is, and that the curiosity I modeled for her will resurface eventually. You can create the ideal environment, model the behavior you want, and do everything you can as a parent. But once kids develop autonomy and see what their peers are doing, they make their own choices. Sometimes those choices look nothing like what you hoped to cultivate.


When a kid is old enough to pay for their own apartment and bills and has money left over for a smartphone, drugs, alcohol, or other poisons, that will be their choice to make.

Until then, they are not an independent adult, and it is absolutely the responsibility of a parent to keep them away from poison they are clearly not emotionally mature enough to regulate yet.

> she’s currently uninterested in and actively hostile to understanding anything about AI architecture or underlying systems.

Same answer. Most adults cannot moderate proprietary social media algorithms and AI tech so why would we expect a teen to?

When one permits kids to access to things literally purpose built to ensure humans think less, it should not be surprising when they think less.

Burn ChatGPT and Tiktok with fire. Every home would be better off banning things like these.


Mate what were you hoping a kid would get out of Ingmar Bergman and Antonioni movies and JavaScript? Imagine forcing a child to watch Red Desert lmao. And now you're writing off her curiosity because she's not interested in AI architecture or whatever. Let people develop their own interests jfc

I think you are confusing forced exposure to something with being exposed to something by choice. I did not force my daughter to watch Bergman and Antonioni; I was interested in their movies so I saw them, and she chose to be interested in what kept me interested. That is how we get our cultural knowledge passed down through generations of parents who do not simply consume whatever algorithmically generated media is served up to them. You are setting the problem: you have assumed that for children to be introduced to anything other than the popular culture among their peers is always oppressive. And when you narrowed my references to Bergman, Kurosawa, Fellini, and Antonioni down to "Red Desert," you showed either that you are being dishonest or that you really don't know what you're dismissing when you dismiss all of these directors and their works. Her access to everything included books, music, films from different genres and time periods, and she chose which things she wanted to pursue based on the options available to her. The fact that now she does not care about the architecture of artificial intelligence does not indicate that the exposure I provided to her earlier failed her, and this is precisely what I said could happen: teenagers are making their own choices, influenced by peer pressure and social forces, and that does not make the earlier exposure I gave her invalid or mean I should have given her an iPad at the age of 5 and called it autonomy. I’m not writing off her curiosity, which you would see had you read all the way to the end of my comment. Given your username, I am not surprised that you are weak in nuanced thinking regarding exposure versus coercion.

Spot on. Giving kids a smartphone and unsupervised access to algorithm driven content is child abuse, though sadly a legal form of it. Also, model the behavior you want to see, so put your own phone down around kids and let them see you pursue interests other than scrolling on a small rectangle.

If you need kids distracted for a while, at least take the time to thoughtfully pick out some books or physical media like DVDs they can enjoy ad-free with dedicated offline media players, or give them a mechanical puzzle, or a yo-yo, or Legos, or paper and crayons.


Neglectful; sure. Child abuse; hardly. Please let’s not degrade the meaning of child abuse; it’s detrimental.

These same arguments were put in front of the public when TV was released. A steady stream of boob-tube content was seen as a detriment to society and many questioned it. But now we have a new wave of technology that parents are using to placate their children to avoid the challenges present in parenting today, just as they did 70+ years ago, but now we’re saying things like, “we’re taking away their smartphones and putting them in front of TV content we grew up with!”

I am not advocating parents plop their kids in front of devices of any kind, but to argue it’s abuse is absurd. And furthermore, to claim that TV shows prevalent in the 80s and 90s are somehow an acceptable proxy is almost as absurd.


Knowingly giving a child poison known to cause lasting damage to their brain sounds pretty abusive to me. It is the modern day equivalent of putting whiskey in the bottle to calm a kid down.

Also it is not about 80s/90s content so much as it is about helping a kid develop a longer attention span. Give them things worth watching more than 10 seconds at a time, or puzzles and project kits worth playing with for hours.


Oh no! Some tedious bureaucratic "legal" definition of child abuse would have to be amended, and thereby threaten certain agencies who consider child abuse to be under their sole authority. Children are dying, and being lured into any and all illegal activities; the main platforms are targeting children for every reason, but with pictures of puppies and butterflies and sing-song characters that then segue into the darkest corners of the internet, 3 redirects away, any time, anywhere.

The difference is: the producers of shows such as Mister Rogers and Sesame Street did not have a profit motive to increase "engagement" numbers. They actually used psychology to try and improve the outcomes of their viewers (aka children) rather than trying to improve the outcomes of themselves.

I mean, watch CoComelon and Sesame Street (or Mister Rogers, or Daniel Tiger...) side by side and tell me there isn't a qualitative difference between the two.


You’re being purposefully obtuse by indirectly saying that TV of the past is somehow ok, when previous generations argued much the same against it.

So... because we believe now that the moral panic around TV was unfounded, that directly implies there could be no concerns about the impact of consuming large amounts of algorithmically generated "junk content" by young developing brains?

Then, if that's the case, put your kids where your mouth is, go buck wild and sit your kids in front of CoComelon all day.


Let’s talk in 70y.

TV of the past is not okay, especially not in excessive amounts. But I too have noticed that shows from that era tend to be less fast-paced than those of today, so it's probably less harmful.

It is not just Google Ads that are dead. Advertising in general, is dead.

No one wants this shit and no matter where you go, people will find a way to block your ads or leave the platforms they cannot easily block ads in.

As soon as you advertisers moved to the internet, you gave users the power to delete you, so thanks for that.


400K would go -fast- if they stuck to a traditional colo setup. Donations like this are rare and it may be all they get for a decade.

Personally I would feel better about round robin across multiple maintainer-home-hosted machines.


> 400K would go -fast- if they stuck to a traditional colo setup.

I don’t know where you’re pricing colocation, but I could host a single server indefinitely from the interest alone on $400K at the (very nice) data centers I’ve used.

Colocation is not that expensive. I’m not understanding how you think $400K would disappear “fast” unless you think it’s thousands of dollars per month?


400k would last me 13 years for a rack, power and 10Gbit/s bandwidth at my colo place (Switzerland, traditionally high prices).


Yes, but that's not their only expense.


Yes, but that’s not the last or only donation they’re receiving either.


Don't bet on receiving money in the future.


It's a community donation-supported project. That's kind of the whole deal.

Regardless, the ongoing interest on $400K alone would be enough to pay colo fees.


Since you've already done the math, what's the interest on $400k pay for the colo costs?

At a (fairly modest) 3.3% it's like 1100/month.

I don't know what kind of rates are available to non-profits, but with 400k in hand you can find nicer rates than 3.3 (as of today, at least).

That covers quite a few colo possibilities.


USD money market funds from Vanguard pay about 3.7% now. Personally, I would recommend a 50/50 split between a Bloomberg Agg bond ETF and a high-yield bond ETF. You can easily boost that yield by 100bps with a modest increase in risk.

Another thing overlooked in this debate: Data center costs normally increase at the rate of inflation. This is not included in most estimates. That said, I still agree with the broad sentiment here: 400K USD is plenty of money to run a colo server for 10+ years from the risk-free interest rate.


Stupid question from me: What are their other costs? I'm a total newbie about data center colo setups, but as I understand, it includes: power and internet access with ingress and egress. Are you thinking their egress will be very high, thus they need to pay additional bandwidth charges?

I, personally, have a cabinet in a colo. With $400k, I can host it at that datacentre with the income from risk-free return never exercising the capital with 10 GigE, 3 kW of power. If I can do it, they can do it.

Modern computers are super efficient. A 9755 has 128 cores and you can get it for cheap. If you've been doing this for a while you'd have gotten the RAM for cheap too.

If I, a normie, can have terabytes of RAM and hundreds of cores in a colo, I'm pretty sure they can unless they have some specific requests.

And dude, I'm in the Bay Area. Think about that. I'm in one of the highest cost localities and I can do this. I bet there are Colorado or Washington DCs that are even cheaper.


I too am in the Bay Area, and clearly I have been shopping at the wrong colos. I expected to find nothing with unlimited bandwidth for under $1k/mo given past experience with what may have been higher end DCs.

In any event if I was the volunteer sysadmin that had to babysit the box, I would rather have it at my home with business fiber where I am on premises most of the time because getting in and out of a colo is always a whole thing if their security is worth a damn.

Even given a frugal and accessible setup like that I can imagine 400k lasting 5 years tops, especially if paying for the volunteer's business fiber, and much more especially given I expect some of it is to provide sustainable compensation to key team members as well. Every cent will count.


For reference, in the US at least, there was/is a company called Joe's Data Center in KC who would colo a 1U for $30 or $40 a month. I'd used them for years before not needing it anymore, so not some fly-by-night company (despite the name).

At that rate, that would buy you nearly 1000 years of hosting.


I was trying to avoid naming exact prices because it becomes argument fodder, but locally I can get good quality colo for $50/month and excellent quality colocation with high bandwidth and good interconnects for under $100 for 1U.

I really don’t know where the commenter above was getting the idea that $400K wouldn’t last very long.


Alaska. Dollars per Mbit + reliable power in colo.

Joe's got bought out by Patmos.

The jury's still out on whether or not this is a good thing.


Love finding other metro area folks on HN!

I'm actually Canadian, not a metro area person, just a happy customer

Ah, well, it's a great spot. I walked around when Joe was building it from the ground up. Power, HVAC, and racks of wire shelving initially.

So glad it grew into what it is now!


Those prices are rock bottom! For that price, what do you get for (a) power budget, (b) Internet connectivity, (c) ingress and egress per month?

I Googled for that brand and got a few hits:

- https://inflect.com/building/1325-tracy-avenue-kansas-city/joes-datacenter/datacenter/joes-datacenter
- https://www.linkedin.com/company/joesdatacenter/
- https://www.facebook.com/joesdatacenter/

The homepage now redirects here: https://patmos.tech/

Another under appreciated point about that data center: It has excellent geographical location to cover North America.


For a server? The going rate for a 1/4 cabinet is $300-500/month.


A full rack, 10 gigabits bandwidth and 1920W of power is available for as little as $800/month: https://1530swift.com/colocation.php

Of course you have to buy the switches and servers…


If 100 years is fast, yes. You can get pretty sweet colo for 4k per year. I know cheaper places too.

> It makes it sound like a very amateurish operation.

Wait until you find out how every major Linux distribution and the software that powers the internet is maintained. It is all a wildly under-funded shit show, and yet we do it anyway because letting the corpos run it all is even worse.


What do you mean by "major distribution"?

e.g. AS41231 has upstreams with Cogent, HE, Lumen, etc... they're definitely not running a shoestring operation in a basement. https://bgp.tools/as/41231


Yet most distros have maintainers build and sign their own package recipes and/or artifacts on their own random home workstations infected with who knows what, so the trust is distributed (but not decentralized), which is the worst of all worlds. And that is for the ones that bother with maintainer signing at all, as distros like Nix and Alpine fully skip caring about bare minimum supply chain security.

Some distros do build on a centralized machine, but almost always one many maintainers have access to from their workstations, so once again any single compromised home computer backdoors everything.

The trust model of the Linux distros that power most servers on the internet is totally yolo, without the funding to even approach doing build and release right, let alone code review. One compromised maintainer workstation burns it all to the ground.

Sorry if this ruins anyone's rosy worldview. The internet is fragile as hell, and one bored teen away from another Slammer-worm style meltdown.

Relevant context: I founded stagex exactly because no previous Linux distribution has a decentralized trust story appropriate for production use hosting public internet services.

Once you decentralize supply chain trust, then the question of "which place and people do we trust for the one holy server" totally goes away.


This is 100% false.

Once supply chain attacks enter your threat model, you suddenly realize that the entire internet breaks if any one of a few hundred volunteer-owned home computers is compromised.

Fixing this requires universal reproducible builds redundantly built and signed by independently controlled hardware. Once you have that then you no longer have single points of failure so centralized high security colo cost becomes a moot issue.
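The "redundantly built and signed by independently controlled hardware" model from the last two comments above, as an added illustration that is not part of the thread and not the tooling of stagex or any real distro: each builder signs the SHA-256 of its own rebuild with its own ed25519 key, and a verifier that has pinned the builders' public keys accepts an artifact only when a quorum of distinct builders signed the same digest. The builder names, the attestation message format and the sample artifacts are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Builder models one independently controlled build host holding its own key.
type Builder struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Attestation is a builder's signed claim: "my rebuild produced Digest".
type Attestation struct {
	Builder string
	Digest  [sha256.Size]byte
	Sig     []byte
}

// NewBuilder generates a fresh ed25519 key pair for a named builder.
func NewBuilder(name string) *Builder {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	return &Builder{Name: name, Pub: pub, priv: priv}
}

// TrustedKeys is the verifier's pinned set of builder public keys.
func TrustedKeys(builders ...*Builder) map[string]ed25519.PublicKey {
	keys := map[string]ed25519.PublicKey{}
	for _, b := range builders {
		keys[b.Name] = b.Pub
	}
	return keys
}

// signedMessage fixes the exact bytes that are signed and later verified (constructed format).
func signedMessage(builder string, digest [sha256.Size]byte) []byte {
	return []byte("build-attestation/v1\n" + builder + "\n" + hex.EncodeToString(digest[:]) + "\n")
}

// Attest hashes the artifact this builder produced and signs the claim.
func (b *Builder) Attest(artifact []byte) Attestation {
	d := sha256.Sum256(artifact)
	return Attestation{Builder: b.Name, Digest: d, Sig: ed25519.Sign(b.priv, signedMessage(b.Name, d))}
}

// VerifyQuorum accepts a digest only when at least threshold distinct trusted builders
// signed that same digest and no rival digest also qualifies. Unknown signers, bad
// signatures and second votes from the same builder are dropped.
func VerifyQuorum(trusted map[string]ed25519.PublicKey, atts []Attestation, threshold int) (digest [sha256.Size]byte, ok bool) {
	voted, counts := map[string]bool{}, map[[sha256.Size]byte]int{}
	for _, a := range atts {
		pub, known := trusted[a.Builder]
		if !known || voted[a.Builder] || !ed25519.Verify(pub, signedMessage(a.Builder, a.Digest), a.Sig) {
			continue
		}
		voted[a.Builder] = true
		counts[a.Digest]++
	}
	winners := 0
	for d, n := range counts {
		if threshold > 0 && n >= threshold {
			digest, winners = d, winners+1
		}
	}
	return digest, winners == 1
}

func main() {
	// Constructed scenario: three hosts rebuild the same source; two get bit-identical
	// output, the third is compromised and emits something else.
	a, b, c := NewBuilder("alice-homelab"), NewBuilder("bob-colo"), NewBuilder("carol-laptop")
	good, bad := []byte("reproducible build output"), []byte("build output with extra payload")
	atts := []Attestation{a.Attest(good), b.Attest(good), c.Attest(bad)}
	_, ok := VerifyQuorum(TrustedKeys(a, b, c), atts, 2)
	fmt.Println("2-of-3 accepted:", ok) // true: alice and bob agree, carol is outvoted
}
```

The threshold only buys anything if the builders' keys and hardware really are independently controlled; raising it to 3-of-3 in the scenario above makes the verifier refuse the artifact, which is the desired outcome when rebuilds disagree.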


