Great storytelling. I worked in open source for a decade (at Mozilla during the rise of Firefox) and Mozilla hired many from their OSS contributions to Firefox. It's not an easy path, and it pays to specialize in an important niche, but it can be done. Finding orgs that support remote work even when management changes- that's the challenge.
Don't look too closely at the collision avoidance mechanism in 10base-T1S, standardized in 2020. Sure looks like a virtual token ring passing mechanism if you squint...
Not Japan, fwiw. Japan has been very reasonable for real estate for decades. We're now seeing inflation in major metro areas but outside of that, it's very reasonable.
Japan has reasonable real estate and yet around 10% is in Tokyo proper, nearly 30% in the greater metropolis. Less than half own their homes.
This study: https://www.sciencedirect.com/science/article/pii/S026427512... from 2023 shows that they're suffering similar issues of intergenerational wealth transfer when it comes to owning homes, specifically if your parents don't help you - you're unlikely to be able to get on the ladder.
There are a ton of homes that are not claimed but purchasing them, their value, the land value are all - as you know - quite different from the US/AUS/India where the value goes up. Different from the UK where you own the home, but lease the land etc.
People in Japan don't feel the need to own their own homes that much. Apartment rents are generally reasonable, and there's constantly new apartments being built so there's lots of competition. Tenant protection law is also pretty strong so landlords can't mistreat tenants as badly as in other places.
>There are a ton of homes that are not claimed
Those are in rural places with dwindling populations, where no one wants to live any more.
My understanding is that Japanese houses are fundamentally different in that they are designed to be expendable in the long term, similar to cars. You don't buy a high quality house that you maintain, you buy or build a new house and then tear it down a few decades later.
Aren't US houses the same effectively? - Not necessarily in that they aren't built to last, but that they'll be rebuilt regardless in a couple decades.
Literally a couple decades like 20 years? I just don't think that could be true, at least not where I live.
Looking at the listings in a broad radius around me, there is still a lot of housing built in the 1960s and 1970s being bought and sold quite regularly, and some stuff even older. A house built in 2004 ("a couple decades") would absolutely not be worth the cost to rebuild.
I'm curious where in the US you're from, or where you've seen that. Florida coast? In the cities I've lived, most of the houses were built right after WW2 (80 years ago), and in some older neighborhoods, most of the houses date to the Victorian age. I can't even imagine someone doing a teardown on one built within the "last couple decades" (i.e. built in the 2000s).
The vast majority of houses aren't rebuilt with any regularity in the US. The extreme high-end McMansions are commonly rebuilt, but that's an outlier. Much of the affordable housing is the luxury apartments of 40-80 years ago.
The inflation is mostly because of the devaluation of the yen compared to the USD, mostly because the BOJ refuses to raise interest rates.
There is some real estate inflation in very desirable parts of the biggest cities because of foreign investment, but I'd say it's limited. There's still lots of new construction going on, though it's slowing due to labor shortages. The foreign investment can only go so far: real estate isn't a great investment here because structures depreciate rapidly, and it's relatively easy to build new housing just about anywhere if you own the land.
Japan also suffers from severe population decline (I think it has been declining for 15 years straight). Aka the old guard let their assets go the hard way.
Maybe it's population decline instead of severe population increase beyond what society can sustain. It's like the infinite economical growth didn't account for finite resources.
Always wondered what happens to housing in countries that rapidly depopulate. Like, Latvia losing 1/3 of its population, or Japan losing 4 million in 10 years. So they now have much fewer people for the same housing supply? Does it all just get abandoned?
Yes. Countryside or old industrial towns die out, with properties that will have negative value. While prices in places like capital regions can be unsustainable. In Finland this is happening. Thankfully other growing or sustainable large cities still have somewhat reasonable prices outside most central core.
But there isn't a major housing problem in the cities at all: there's lots of housing, and lots of new construction for new housing, keeping prices in check. The problem everywhere else is that people don't want to build housing, and that factor doesn't apply in Japan. Here, if you can buy the land, you can basically build whateverTF you want on it. So in desirable places, big real estate companies like Mitsui Fudosan buy up land and build apartment blocks or tower mansions on them, and in farther-out (less dense) places old houses are routinely demolished and replaced with new ones. There's no worry about NIMBYs keeping you from building.
The population in Tokyo and other desirable cities is rising, not falling. The population is falling in small towns and rural areas where no one wants to live any more.
Levine being at Bloomberg (which is a central org in finance media) is important. That finance media can support a Levine and his salary is also important.
Until there are significant financial damages associated with each of these breaches, companies just won't invest enough to secure the information. These sorts of breaches should be existential to the company- they should never happen. And yet because the penalties are almost nothing, companies just are not incentivized to secure the data appropriately.
If a breach meant the firing of the CEO and the CTO and the board, then you'd know that companies would spend a lot more on security and privacy.
I’m completely sympathetic to that view. However, until such data breaches regularly lead to severe outcomes for subjects whose data was leaked, and those outcomes can be causally linked to the breaches in an indisputable manner, I’m afraid that we won’t see any such penalties.
>However, until such data breaches regularly lead to severe outcomes for subjects whose data was leaked, and those outcomes can be causally linked to the breaches in an indisputable manner
Which means nothing gets done because it's pretty hard to prove where anyone misusing your information got it from. My identity was stolen after a breach but when I took it up with the entity that lost my information, they were like "Prove it" which of course I couldn't because the people who did it to me were never caught.
I own my email domain, and I register for each service with a different address. For example, flightaware-20240817@mydomain.net. This way, I know where my email addresses leak from.
With some email services including Gmail and Protonmail you can add +whatever to your username part of the email address to get the same result. My name+flightaware@gmail.com for example…
And many mail hosting services let you assign a catch-all, which allows you to simply use anything@mydomain.com to get the same result.
Because they assume you've set name+spam@gmail.com to be filtered directly to spam, and they can easily evade those filters by removing the +spam part.
Big companies do this. I have signed up for things using a +filter email address, only to receive the emails from that company that is signed up to get at my plain address, without the +filter part.
Even if you can enter it, various backends in the same company might not handle it correctly and you end up with a half-working account that their customer support (if they even have that...) cannot solve. Been there, tried that...
Personally I have - as the separator (not on gmail or similar). If you have to give your email on the phone it can cause lengthy discussions why their company name appears in my email address..
Don't know. Last time I experienced problems was when entering a family member's Gmail address with a plus sign to share my newspaper subscription. They could not use it and I could not remove it... That was about 5 years ago. Have been burned too often, don't try it anymore.
What's important in "anything", if you can, is name, company, and some pseudorandom chars. Because company@example.com or name+company@example.com is easy enough to guess, but pseudorand_name_company_kroj38@example.com isn't plausibly going to get guessed at.
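The per-service address scheme discussed in this subthread (name, company and pseudorandom characters on a catch-all domain), as an added example that is not any commenter's code: the suffix is an HMAC over the name and service, so a leaked address can be attributed to one signup while guessed addresses fail the check. The key, name, domain and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo values; a real key would be random and kept private.
SECRET = b"constructed-demo-key-not-for-real-use"
DOMAIN = "example.com"
NAME = "alex"

_NON_ALNUM = re.compile(r"[^a-z0-9]+")


def _slug(text):
    """Lowercase and keep only [a-z0-9] so '_' is free to act as separator."""
    return _NON_ALNUM.sub("", text.lower())


def _tag(secret, name, service, length=8):
    """Unguessable suffix: first `length` base32 chars of HMAC-SHA256."""
    msg = f"{name}\x00{service}".encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:length]


def make_alias(secret, name, service, domain):
    """Build name_service_tag@domain for a single signup."""
    name, service = _slug(name), _slug(service)
    if not name or not service:
        raise ValueError("name and service must contain letters or digits")
    return f"{name}_{service}_{_tag(secret, name, service)}@{domain}"


def attribute(secret, address, domain):
    """Return the service an incoming recipient address was issued to.

    Returns None for anything not produced by make_alias with this key,
    e.g. guessed addresses such as company@domain on a catch-all.
    """
    local, sep, host = address.strip().lower().rpartition("@")
    if not sep or host != domain.lower():
        return None
    parts = local.split("_")
    if len(parts) != 3 or not all(parts):
        return None
    name, service, tag = parts
    expected = _tag(secret, name, service)
    # Compare as bytes in constant time; input may contain non-ASCII.
    if hmac.compare_digest(tag.encode("utf-8"), expected.encode("ascii")):
        return service
    return None


if __name__ == "__main__":
    alias = make_alias(SECRET, NAME, "FlightAware", DOMAIN)
    print("signup address:", alias)
    # Constructed recipients as they might appear on incoming mail.
    for rcpt in (alias, "flightaware@example.com",
                 "alex+flightaware@example.com"):
        print(rcpt, "->", attribute(SECRET, rcpt, DOMAIN))
```

Mail arriving at an address for which `attribute` returns a service name points to that service (or something it shared the address with) as the source; mail to addresses returning `None` was guessed or harvested elsewhere.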
I do the same but some service providers forbid you to put the name of the company in the mail. That's among those stupid security rules (one of the most stupid is MS Xbox service preventing you from having letters from your email in your password. So if you are using a@xxxxx.com and your password generator uses a, it will get rejected…).
They didn't spam me, they tried to sign up with a bunch of credit services. Yes, X lost my data, it's getting proof that X's data loss was where scammers acquired my data from.
I was merely pointing out the reality of the situation. Significant penalties generally only come about as a result of prominent cases of substantial harm being inflicted in a way where the causality is not in doubt. People like us here holding companies to higher standards by itself doesn't have that effect. I'm not saying that we shouldn't hold them to higher standards — I certainly do — just that realistically much more will have to happen.
It's similar with climate change. It's just a fact of the matter that people at scale only react as actual consequences become palpable.
I'm not saying your observation is inaccurate, but as a society we _let_ these companies continue to do whatever they want without consequence.
1% of users in a data leak having their identities stolen or 1% of the cities in the world becoming uninhabitable due to heat isn't enough to demand action, what about 10%? Is 25% where we draw the line?
> justify inaction with their impact on climate change.
but this is the correct justification. If the customer is the one buying these products that cause climate impact, why is it the sole responsibility of the company to pay the cost of rectification?
In such situations, where externality is problematic, it is up to the gov't to push regulations to prevent it. A carbon capture tax, for example, is one such way.
> Why don't we hold them to a higher standard?
why should companies be held to a higher standard than a person?
It's almost like publicly accessible information like email, phone, address, and, honestly, ss# at this point shouldn't be used for anything serious that doesn't require some sort of authentication beyond itself.
Credential stuffing isn't the only threat. Leaked emails and phone numbers become spam and phishing targets and phishing can get a lot more convincing when they also have your home address and other details.
With GDPR, simply leaking personal data is enough to earn you penalties. If your security is insufficient that someone can take this much personal data (and based on some of the other comments here it was a lot of personal data), then you have not upheld your responsibility according to GDPR.
So I disagree, we don't need to wait until the data breaches lead to any particular outcomes, we need laws that make it clear that data breaches alone constitute damages to the people whose data was released. More people should be protected by GDPR-style laws, and more companies need to recognise that data security is something they need to take deeply seriously.
That's not how it works. I think you are mixing up damages to be awarded by courts to an individual data subject (right to compensation, Article 82) with penalties (Article 83-84) - the latter having a special meaning, in practice covering the administrative fines by authorities (DPAs).
There was a case by the ECJ (C 300/21) saying that for damages to be awarded to the individual, they have to prove the material or non-material damages involved.
Regardless, any data protection authority can and do fine companies for breaches such as this one and also for late filing, and while DPAs also have to take into account the damages caused to data subjects when deciding the amount of fine, that's not a standard that has to be proven for each data subject separately and is therefore not as strict as the right to compensation. FlightAware definitely should be fined... Like Booking, NTT or Twitter or banks for breach obligations, for more than €400k. But it's still strange that very few US companies were fined so far in relation to no or late breach notifications - not that they were not fined heavily for failure to comply with other obligations. https://www.enforcementtracker.com/
IANAL. Damages are relevant in-so-far as a relevant law addresses or requires them. Nothing stops a law from assuming damages under some circumstances.
My private details leaking is damage, that's the point here. If I trust you with my confidential details (which can be anything from my bank details to my email address), and your data security protocols mean that my data gets stolen, then I have suffered damages, and GDPR comes into play.
GDPR enforcement is severely lacking, even in "business as usual" matters like nonconsensual data collection/processing, let alone data breach handling.
GDPR has been with us since 2018, and if it was the deterrent that everyone claimed it to be, we wouldn't be having this discussion today.
If breaches were automatic jail time, no one in their right mind would want these jobs. One sane reaction would be to stop collecting personal data, but a lot of Internet businesses would have a hard time adjusting to that.
A more practical policy proposal would criminalize extreme negligence while focusing on financial penalties for lesser breaches. Possibly the young missing vs current policies is that the duty to protect user data should probably increase with the amount of data collected - the juicier target you make your company, the more the penalty needs to hurt. This could mean companies taking a hard look e.g. at whether they really need your address and phone number because every extra bit of hacked information should cost them more.
> a lot of Internet businesses would have a hard time adjusting to that.
Why? The majority of situations where you need an account can be replaced with pseudonymous info.
Netflix needs an account and some payment data (which can itself be a pseudonymous card number with no identifying info attached), but it doesn't need to know my name or anything else.
I can see that the whole advertising/data broker/"growth & engagement" crowd would end up begging on the streets, but I'm not sure many actually valuable businesses would be affected all that much.
Imagine if software engineers had to have a license, and they stood to lose their license in cases of malpractice.
When your license is your bread & butter and you cannot work without it, losing it is devastating—and much more devastating than losing a particular position at some company (so even if you are required to implement an insecure solution, you would have no problems telling respective manager to shove it, respectfully).
Surely a mealy-mouthed email without a formal apology or admission of culpability will be the order the day - perhaps with a $2 Amazon voucher for those willing to click a box and agree to not sue for damages or engage in public disparagement.
What I find surprising more than the usual lack of accountability in these cases is how little its impact tends to be felt on Wall Street. A slight dip in the share price maybe for a week or so, but then it's back to business as usual.
I do think it would incentivize new security products/libraries/services focused on helping companies fulfill their security requirements instead of rolling their own crappy solutions.
If a startup cannot secure their customer’s data effectively, I don’t want their product to exist. If that means fewer startups get products off the ground, I fail to see that as a bad thing if a lack of security was the reason.
Slowing the industry down after a decade of breach after breach after breach seems like a reasonable and possibly necessary intervention.
Good model is credit card numbers because they really cannot leak and if they leak, people are prosecuted.
Thus there is basically nobody doing credit card processing and the companies that DO that are unreasonably big and basically a monopoly. (Everyone always complains about PayPal...)
My side projects will never leak passwords. How is that not security 101? You do not need to "invest" in this, every single engineer needs to have this level of working knowledge. Not having this in place should absolutely mean not being allowed to run a business online.
What if someone gets into your app logic and makes a POST trigger that gets the passwords out.
What if you log all POST requests for debugging purposes and forget to sanitize the logs.
What if you have XSS in your web app that sends the password to a third party.
What if your mobile phone app has a dependency that includes a keylogger.
The likelihood of this increases the more layers you have in your organization (for example, the log pipeline team assumes the logs are already sanitized; the login form team assumes the log team is sanitizing them; it all goes through some A/B testing team that just dumps all data to "data lake" somewhere unsafe; the FE team puts in random node.js dependencies as it's "just a frontend"; etc).
Passwords can leak from more places than just from the DB...
Getting into the app's running process is an effective way to exfiltrate everything, and likely they'd have a lot more to worry about there. I don't however think that piggybacking on a live app does not give you the size of these leaks. I mean, does every user of a service access the service in these periods?
More likely they steal the app's credentials (db, cloud provider, etc) and then go to town on data at rest.
You're right on logs and things like fullstory, but no one on any team should assume things are sanitized. You do your job independently. If you're an infra, devops, sre, does it make sense to say I thought they had it handled? Was that what you marketed on your resume?
Not saying there aren't complexities involved, but in many of these cases I see a lot of low hanging fruit, likely due to moving too quickly. We really need to own up to the fact that we've grown too comfortable with not giving any thought to other people's data. Why is it that there are the PCI audits when you handle card data, but not when you handle PII? Because card fraud hits the banks and they don't want to pay for any of that. So an entire industry was spawned, it's not perfect, but it helps a lot. You do not see a lot of credit card leaks.
How can you be so sure? Never is a strong word unless you never use passwords in your side projects. And this here wasn't a side project. It's easier if only one person controls a code base than with complexity.
I'm starting to think there should be some statutory minimum like 10€ per account that will be automatic minimum fine. Then depending on type of information it scales up from there.
As someone who spent 5 years in China pre-pandemic, China is a threat to many nations due to their growth. The Chinese govt. is specifically targeting key markets (EVs, solar, battery tech, steel, semiconductors) and China makes much more of those items than can be used internally in China. So China ends up driving any non-Chinese battery or solar panel manufacturer out of business.
If Chinese EVs were to be sold widely in the US, they would be less than half the cost of any Western-made EV and would take over the EV market. A future where Chinese companies own the EV market in the US with all of the American user data going back to servers in China- that's just not a future the US govt. wants- no govt. (outside of China's own) should want that.
Then there's the whole Fentanyl epidemic in the US and elsewhere. That is largely due to Chinese chemical manufacturers who are selling the chemicals to Mexico and then those drugs are smuggled into the US. There are many to blame here but the US has been pushing China to ban the sale of these chemicals outside of China for a long time without agreement. China realizes this is important to the US and it's being used as a key trade issue.
"doubling down on liberal democracy" got us to where we are now wrt China. China doesn't respond to liberal democracy. They only respond to force or trade embargos, or tariffs. That's what was learned as Xi decided to become dictator for life.
> A future where Chinese companies own the EV market in the US with all of the American user data going back to servers in China- that's just not a future the US govt. wants
I agree, but why do cars need to send data to servers again? I don't grok why Tesla does it and I don't grok why BYD does it either. What's wrong with the alternative where we allow real competition that benefits everyone, and then ban any features (eg sending data to servers) that the government gets nervous about? I don't see how this is any different from the myriad of other requirements on cars (eg mandated safety belts etc etc etc).
I recognize that state-subsidised competition still isn't fair, so I support import tariffs that match those subsidies, but any further and you're just hurting competition and the consumer, right?
Thing is, super cheap EVs and solar panels is exactly what we should want. There's a climate crisis going on and these things are a big part of the solution. With climate goggles on, to put import tariffs on the tech that's gonna save the world sounds batshit insane. We should want those tariffs to be as low as possible.
You're right that this isn't about data collection/privacy, though it would be a bit scary to have our nation's cars remotely shut off at the whims of a foreign government.
Instead, we want/need to be protectionist of our manufacturing industries so that if we were to go to war, we keep our ability to make more missiles, planes, tanks, etc.
> I don't grok why Tesla does it and I don't grok why BYD does it either.
User data is valuable[1], and storage is now so cheap, for a modest sum, one can keep data forever without deleting[2], so keeping car telemetry/videos has virtually no downsides.
1. For self-driving training, or selling to market researchers, or intelligence services. I'm not claiming this is what's currently being done with the data, but how "value" can be extracted from it
> I don't grok why Tesla does it and I don't grok why BYD does it either.
> Thing is, super cheap EVs and solar panels is exactly what we should want.
It's plain to me how this can come into conflict with National Interest - no country wants cheap solar and EV at the cost of its own manufacturers going bankrupt (and losing the jobs that go with them going down the supply chain).
User data is valuable[1], storage is cheap, so keeping it has no downsides.
1. For self-driving training, or selling to market researchers, or intelligence services. I'm not claiming this is what's currently being done with the data, but how "value" can be extracted from it
I don't see how that is true at all. The textile industry has completely left the western world and no one is complaining (other than the luddites I guess). Solar manufacturing isn't very different from textiles. Protectionism just leads to expensive goods, 95% of people gain under free trade.
So what's your mental model for the protectionism by the US against Chinese EVs and batteries despite the push for renewables by the same administration?
> The textile industry has completely left the western world and no one is complaining (other than the luddites I guess).
This was a very gradual process (over centuries), and they weren't really happy about it either. It wasn't just the Luddites who were upset when Samuel Slater (a.k.a. "Slater the traitor") left England and helped set up a competing textile industry in North America.
For self-preservation purposes, no politician will willingly sacrifice jobs at existing regional or national champions[1], regardless of how noble the goal is: politicians get voted out of office for far less. The best we can hope for, is a slow steady decline of harmful industries (see coal).
1. The US will treat Boeing with kid gloves rather than gift the market to Airbus, even though Boeing has a terrible safety culture and not exactly competing on merit. The same goes for VW in Germany, Arianespace in France, Samsung in Korea, Huawei in China, etc.
If the government just gave away money, and paid your salary, your employees' salary, your rent, your purchase costs on manufacturing equipment costs, I'd find it hard to compete with you too, given that I'm not a billionaire and would need to raise capital from investors.
The narrative of 'data-privacy' being a threat is IMO a whole lot of simplistic bait. The real thing at stake here is the vehicle manufacturing jobs that are being threatened, and the whole chain of high value jobs that come with it. People who lose their jobs lose faith in their governments. And countries losing a high value chain of goods/services isn't going to do well psychologically for them.
This [video](https://youtu.be/BQ23sgi_mgw?si=3HOm3WeWKO7VJMzr) called <Is China’s High-Tech ‘Overproduction’ Killing Jobs In The West?> from Channel NewsAsia covers it. Highly recommend you westerners to watch it; there's some really heavy handed defense/reasoning from the Chinese side.
What if we lived in a world where Chinese are allowed to sell their cheap EVs but the government was actually on the side of the common man instead of corporate elites, and actually scrutinized anti-consumer totalitarian data collection, because it's wrong, and anti-humanity on principle, and not because it's not controlled by them.
> That is largely due to Chinese chemical manufacturers who are selling the chemicals to Mexico and then those drugs are smuggled into the US.
I say China is not at all responsible for the drug, except as a contract manufacturer. If China doesn't do it, somebody else would've. China just does it cheaply.
The drug problems come from the cartels, and from the fact that US's war on drugs makes drugs expensive, and thus profitable. There's no possibility of humans relinquishing drug use - think about the prohibition and the problems that it caused.
I say, just allow drugs to be manufactured, and sold (under license and regulation) in the US. It's gonna be like alcohol. This will take away the profits from the cartels, and they will stop buying from China. It will increase tax revenue, as drug consumption can be taxed (like tobacco today is).
It will also remove the stigma, and reduce drug enforcement costs in police. The only thing society has to give up is the moral high horse of drug use.
Are you sure drugs can be regulated the way alcohol can? They are both more addictive and behavior changing than alcohol. I don't have a solution as I also dislike the current "war" on drugs. But I suspect regulating safe fentanyl use will be way, way harder than regulating safe scotch use.
It doesn't have to be safe, just legal. If people choose it, and fuck themselves up, they're free to do so. They're doing it today already, but with the added benefit of being illegal and force resources into a drug war against the cartels.
When I was living in the USA I felt this way, but after moving to Japan, a country that is very strict on drugs and has eliminated it from the public consciousness, I feel my opinions changing. I trust myself to be able to use/not use drugs responsibly but given how irresponsible most people are, it’s undeniable the positive effects on society of NOT letting people totally destroy their brains and lives, and it is utterly daunting to think of what it would take to get the USA back on its feet re drugs.
We need the EV and solar transition to happen, and if the Chinese government wants to subsidize that we should let them.
> all of the American user data going back to servers in China
There's a long running argument with the EU over all EU users' data going back to the US where there are no privacy laws or protection against surveillance (US constitution only protects US nationals!), so the US government would have more credibility on this if it recognized that.
I can’t help but think this IP theft scare, while completely real, has a version in the Western US-led economics called ”big business” or ”VC money” or ”platform control”.
How many independent innovations get snatched (sherlocked?) by big business taking the idea and making their own version, when they see a small player that found a customer segment a large company never bothered investigating?
When large sums of money is what’s needed to execute any novel idea to full completion before your competitors can, that money becomes just a version of ”IP theft” or unfair competition. I think what they are getting is a taste of their own medicine.
EVs were a mature idea a decade+ ago, but big money oil companies hamstrung it and big money ICE manufacturers argued it was not worth their time or effort. The Chinese market and leaders knew the fundamentals were valid and cornered the entire manufacturing market before it could be cornered by western companies.
Honestly, it's wild that the US hasn't invested heavily into green energy for the past couple of decades. They could've been in an extremely strong position of selling the tech which all countries need to transition their energy sectors. But instead they've ... fought it? And let China and other countries outside of their hegemony eat their lunch? Why?
The oil industry (eg. Koch) has spent a fortune in lobbying and their ideological allies that want to maintain the status quo have spent enormous amounts of money and effort in spreading FUD around shifting away from an oil based economy.
I really think it’s much less insidious than you are making it out to be. Fracking means America has access to cheap natural gas so no one has worried about energy security in the last two decades so few are pushing for green energy subsidies. This is just politicians doing what their constituents want. China on the other hand has extremely limited oil so green tech has been a top national security priority.
It is the money and lobbying that results in the imbalance in information and an imbalance in what "the constituents want."
Absolutely constituents want jobs and cheap energy. I bet they also don't want the wild salmon they eat to go extinct too. On balance they're hearing about the former and not the latter.
> "doubling down on liberal democracy" got us to where we are now wrt China.
Banning all the paths to growth got the US to where it is now. Everything China did to out-compete the US was illegal in the US - the working conditions wouldn't have passed muster, the environmental damage wouldn't have been acceptable, the investment in cheap energy was off the agenda and the focus on heavy industry was broadly against the policy position which focused on financialisation and growing service industries.
We can argue until the cows come home which policies were the important ones (it is clear that some of what China does is counterproductive) but a key factor was legislative restrictions in the West. That is the opposite of the liberal part of liberal democracy. A key part of liberalism is giving people freedom to better their own lives.
Still it is up to western companies to prove that they aren’t inferior to Chinese ones. Tariffs and trade barriers will buy time but if western companies physically cannot approach the scale or cost effectiveness of Chinese industry then there are serious structural problems in our liberal system.
I mean I'm Chinese, and the number of Americans with rose tinted glasses on China because "america bad" is insane. The real thing China does far better than the US, is having an understanding of how the US works and how to target Americans and American corporations with the right incentives. Americans on average almost know nothing about what the real China is like, and have a general disinterest in other countries and global affairs, and overlook the much suffering and abuse there is on a societal scale. I don't disagree with OP that the US needs to double down on improving social standards as a whole, but policymakers need to think hard about potential abuse from the Chinese side, especially when the economy is just a wheel driven by the political cart. The incentives don't align that neatly in the US, and coordination is hard.
A lot depends on where you ski. If you're skiing in the Northeast US, where conditions are often icy, then yes tuning matters a great deal. If you race, or want precision in your turns, then tuning is important.
If you're a powder hound in Utah or Niseko, then it matters a lot less.