HackerTrans
TopNewTrendsCommentsPastAskShowJobs

the_bear

no profile record

comments

the_bear
·15 ngày trước·discuss
I run a small CRM company that serves some travel agents (we're not travel-specific, but we have a lot of small broker/agent businesses using us). We have ~11,000 customers with ~25,000 users between them, and our database stores ~100 million contacts, so about 4k contacts per user.

Most of those contacts are probably random leads that got imported, not actual clients that would have uploaded their passport info, but it seems reasonable to think that a CRM of our size (which, again, is not very big) that served exclusively travel agents would have millions of actual "clients" with passport info. 1 million passports across 25k users would just be 40 per user. If you assume a typical trip is for a family of four, that would mean the average user has just booked 10 international trips ever which seems pretty low to me.

I want to reiterate that we're not travel-specific and we don't have a feature for capturing passport info, etc., so I'm really just commenting on the volume of records that might be impacted by something like this.
the_bear
·tháng trước·discuss
I'm not a lawyer, but I'm currently working on getting my company HIPAA-compliant, so I know more than the average person about this.

My understanding is that there's a thing called the "conduit exception" which basically says that if data is transiently passing through a channel and it's not being looked at, it's ok. But wherever the data lands must be HIPAA-compliant.

This seems crazy to me, but that's how it works I think. For example, if you encrypt PHI and store it in AWS without signing a BAA with them, that's a HIPAA violation, even though the data is encrypted and Amazon can't see it. But if you send encrypted data through AWS without actually storing it, that's fine.

Mail is specifically mentioned as a thing that qualifies for the conduit exception. I'm not totally clear why it isn't a HIPAA violation the moment it arrives at a destination (it's not in-transit at that point, and it's potentially not in the possession of the intended recipient either), but it seems pretty well accepted that it's not.

All that to say: I think encrypted email would still require a BAA because it's being stored, not just transmitted.
the_bear
·tháng trước·discuss
I was going to say the same thing. I only saw two things that are sort of about the future and not the past:

- BIMI (I hadn't heard of that before) which seems like a very minor thing to be calling "the future of email"

- AI might be easier to trick that humans

On that second point, here's the exact text:

> A person reading a suspicious email might notice that the sender’s domain has an extra character, or that something about the request feels off. An AI assistant scanning your inbox for items that need action may not slow down to check those things.

That seems wrong (AI should be better at this than the average human), but let's assume that assertion is correct. It then says "authentication is the safeguard that should stop it before it ever reaches your mailbox". Except then, a few paragraphs down, it says "A scammer with a convincing look-alike domain and a properly configured DMARC record will still pass sender authentication checks." Ok, so authentication isn't a solution to the stated problem at all (it does solve a different problem). And unless I'm missing something, no solution is proposed. No statement is made about what the future actually looks like.

Like you said, what is the point of this article?
the_bear
·tháng trước·discuss
Those "message centers" aren't just about security, they're also about compliance. For example, insurance companies need to be HIPAA-compliant which requires that they can only send health-related info to other HIPAA-compliant systems, which means signing a BAA (a contract) with those other systems. There's no way to do that with email (your insurance company can't sign a contract with every potential email host in the world, and they don't even know where the email will ultimately end up after they send it) so practically speaking, they're not legally allowed to send any health info via email.

It's extremely difficult to accurately identify which emails have health info and which ones don't (even something like a person's name or IP address could count depending on the context) so they just default to sending everything through their message center. No amount of email security could change that.
the_bear
·4 tháng trước·discuss
Agreed. Unless it's a really frequently used UI, my company defaults to showing all options to all users regardless of permissions. It's better to see "Manage users" in the settings menu which takes you to a page explaining that you don't have permission as opposed to seeing nothing and wondering why it's not there even though the help article says it should be there.

No, putting an explanation on the help article that this feature is only available to admins doesn't work. No one reads anything.
the_bear
·5 tháng trước·discuss
I think that's the point though. The AI companies can't compete without hiring very talented employees and raising lots of money from investors. Neither the employees nor investors would participate if there weren't the potential for making mountains of money. So these AI companies fundamentally can't be non-profits or true B-corps (I realize that's a vague term, but the it certainly means not doing whatever it takes to make as much money as possible), and they shouldn't pretend they are.
the_bear
·5 tháng trước·discuss
When we used Stripe, we opted out of all their fraud prevention stuff to save money (not sure if that's still an option). As a b2b SaaS where payment happens after a free trial (not at signup), we're just not a target for fraud, so it was totally fine.

I can't speak to why Stripe's fraud protection is so expensive. Is it because they're a target? Or maybe because they realized people will pay for it (it seems valuable for something like ecommerce)? I dunno, but I can confidently say that as of ~5 years ago, it wasn't required by any regulation, and my business was perfectly fine without it.

Now we use Paddle, and they also try to sell us a bunch of stuff we don't need at ridiculous prices. We're just using them because we wanted a merchant of record (where they handle taxes and stuff), but no, I'm not going to pay a % of my revenue for basic dunning emails, fraud prevention, vague "optimizations" that "increase conversions" (lol no they don't), etc.
the_bear
·8 tháng trước·discuss
My small SaaS app has been DDoSed a handful of times, always accompanied by an email asking for a ransom in the form of bitcoin.

The first time we switched to Cloudflare which saved us. Even with Cloudflare, the DDoS attempts are still damaging (the site goes down, we use Cloudflare to block the endpoints they're targeting, they change endpoints, etc.) but manageable. Without Cloudflare or something like it, I think it's possible that we'd be out of business.
the_bear
·9 tháng trước·discuss
This is the main thing that's been bugging me about the AI discussion. People seem to forget that capitalism is competitive, and if everyone gains the same advantage, then it's not an advantage. If the cost of labor goes down, it means companies will either need to lower their prices or increase their investment in other areas (e.g. hiring even more people now that they're cheaper).

Unless you're a monopoly, I don't see how AI will lead to these massive cost savings everyone is hoping for.
the_bear
·10 tháng trước·discuss
As someone who switched from Dropbox Paper to Notion...

There's no question that Paper is a better pure writing experience. If you're viewing Notion as just a note-taking app and nothing else, I think you're misunderstanding what it's for.

For starters, it's way easier to organize stuff in Notion than Paper. This is less a feature of Notion, and more of a terrible limitation of Paper. Paper was stuck with the "files within folders" model. Just the fact that Notion lets you control what shows up in the navigation sidebar was a huge time saver for me. And being able to create pages within pages within pages (which is very different from having sibling documents inside a folder) made it much more flexible for organizing everything.

But the real power of Notion is when you start to treat it as a database builder rather than a note-taking tool. Yes, it's useful for taking notes, but those notes are about something, and with tools like Paper, Obsidian, etc., the thing is always living somewhere else.

With Notion, I was able to make a database of projects and another database of tasks which linked to those projects. Each developer on my team has a custom dashboard showing just the tasks that are assigned to them and currently in-progress. I have a totally different view showing all the projects going on right now. And then each of those tasks have a pretty good (I admit it's not great) note-taking feature. The notes are living within the actual object you're taking notes about, which is totally different from Paper.

I even use Notion for personal stuff. I have a Notion form that my wife and I use to enter things we need to buy next time we're at the store. And there's a view showing the things we need to buy from each separate store with checkboxes next to each one so it's easy to remove them when we're done. There's a separate database listing the movies we want to watch, with a view for all the ones we previously watched, and when. I have a database of cocktail recipes along with ingredient lists (so I can easily filter by ingredient), formulas to calculate different volumes based on how many drinks you're making, a rating system, etc.

Basically, if you look at Notion as a bucket of unstructured notes with a markdown editor, I agree, it's nothing special. But that's not what it really is.
the_bear
·năm ngoái·discuss
I think there are two common definitions of startup, and neither require VCs to be involved.

One (seen elsewhere in these comments) is any small business. I personally don't like that definition because there is a pretty big difference between a local coffee shop and the thing we all mean when we say "startup".

The other one which is more common here is a company that is currently small, but the business model involves getting much much larger. There's a blurry line between a small business and a startup with this definition, but it seems to be a "you know it when you see it" type of thing.

Companies like Mailchimp and Atlassian (in their early days) clearly qualified as startups even though they hadn't raised VC. You might say they're outliers, but so are the VC-backed companies that reach that level of success. If a small company is growing quickly and on pace to become a multi-billion dollar company, it seems weird to say they're not a startup just because they didn't raise money from the right people.
the_bear
·năm ngoái·discuss
I agree that LLMs turn short prompts into long code blocks, but I don't agree that it's fluff in the same way that email pleasantries are fluff.

The short prompt leaves a lot of room for interpretation. The code itself leaves zero room for interpretation (assuming the behavior of the coding language is well understood). I don't agree that AI will allow us to start relying on code that isn't fully defined just because it might allow our emails to remove fluff that didn't contribute to the meaning at all.
the_bear
·năm ngoái·discuss
This is basically what Google's reCAPTCHA v3 does: https://developers.google.com/recaptcha/docs/v3

The other versions of recaptcha show the annoying captchas, but v3 just monitors various signals and gives a score indicating the likelihood that it's a bot.

We use this to reduce spam in some parts of our app, and I think there's an opportunity to make a better version, but it'd be tough for it to be better enough that people would pay for it since Google's solution is decent and free.
the_bear
·3 năm trước·discuss
Many people who want to work from the office are mostly interested in doing so because they want to be around their coworkers. If their coworkers are remote, they won't get what they want. Similarly, remote people might not be happy at a company that allows remote work but primarily has an in-person culture.

Letting everyone do what they want is not a path towards everyone being happy. I think a better approach is for companies (or at least teams) to land somewhere on the spectrum from full in-person to full remote, and then employees can work at the place that fits them best.
the_bear
·3 năm trước·discuss
I think this is the right answer, and I especially want to call out the second part, because it can be a bit counterintuitive.

The reason for having security documentation isnt so that it can answer the questions the client has. No one will actually read it. The thing is, people have an unlimited appetite for wasting your time if it's free for them to do so. By pointing them at documentation and having them get back to you with questions, you're now making it their problem instead of yours. Some clients will say no, fill out the questionnaire. You can politely bow out with those clients. Others will glance at your docs and decided it's not worth it to them to figure out if you actually answer all their questions, so they'll just check the "security review complete" box in their buying process.
the_bear
·3 năm trước·discuss
That's an interesting thought. Any company that raises money from VCs will ultimately either fail or end up publicly traded (via IPO or acquisition), and at that point it's just a matter of time before they start squeezing their users.

I wonder what the ideal time is in a company's arc to start their eventual replacement. Render just raised a series B which probably means they're still many years away from step 3, so it's probably too early. But maybe when they're raising a series C or D, it's time to start thinking about making their replacement.

I feel like Stripe is entering that territory right now. Not that they're worse than alternatives, but they no longer have that "wonderful experience" magic because they've started to turn on the maximize shareholder value engine.
the_bear
·4 năm trước·discuss
From what I'm seeing, Photoshop only costs $20/month (actually $20.99) if you commit to an annual plan. It's $31.49/month if you want month-to-month.

And in the past, every time I've wanted to cancel a subscription, I've had to spend ~30 minutes with their support. How are you able to turn it on and off so easily? I'd love to figure out a way to avoid their normal cancelation flow.