There will be no "European Cloud" as you understand it

Europe needs a paradigm shift, not an ethical Amazon Web Services replica.

One rare topic where I strongly disagree with Bert Hubert is the need for a European Cloud.

One does not win by copying the incumbent

Whatever European clones of AWS may come into existence, they will be worse than AWS. Look at Azure and Google Cloud. These are essentially clones of AWS; each of them has its own strengths and weaknesses, but on average AWS is the clear winner.

I'd argue that the same pattern applies to many situations, and the histories of S3 and Google Docs come to mind as the obvious examples.

S3 over POSIX-compatible file systems

For years, businesses tried to make POSIX-compatible filesystems scale seamlessly in size and in availability. I remember the hassle of setting up GlusterFS and Ceph for a small business. Selling POSIX-compatible filesystems as a service was undoubtedly a daunting task, until Amazon rolled out a simpler alternative that, by offering a smaller set of features, delivered the much sought-after properties of distributed file systems in an efficient and commercially viable way.

Google Docs over Microsoft Office

Open source projects and businesses tried to build a Microsoft Office competitor by mimicking Microsoft Office. Naturally, all the clones were worse than the original, until Google changed the paradigm and rolled out Google Docs, whose unique feature was online collaboration. Then it was Microsoft's turn to mimic the collaboration features of Google Docs in Microsoft Office, and to be worse at it almost by definition.

Structured communication for every minute

One thing about Peppol is how worryingly complex it is. I really hope it will be lobbied out in favor of a simpler solution.

As a reminder: remember the structured communication in your Belgian bank transfers? The one with triple pluses at the beginning and at the end, like +++250/4171/01095+++?

The shell script below generates a unique one from today's year, month, day, hour and minute.

Things should not be more complex than they need to be.

#!/bin/bash
# Ten-digit body: two-digit year, month, day, hour, minute.
DATE=$(date +"%y%m%d%H%M")
# Check digits: body modulo 97, with 97 substituted when the remainder is 0.
# 10# forces base 10 so a leading zero (years 2000-2009) is not read as octal.
CHECKSUM=$(printf "%02d" $(( 10#$DATE % 97 ? 10#$DATE % 97 : 97 )))
# Split the 12 digits into the 3/4/5 groups of a structured communication.
echo "$DATE$CHECKSUM" |
  sed -e 's#\([0-9]\{3\}\)\([0-9]\{4\}\)\([0-9]\{5\}\)#+++\1/\2/\3+++#'

Did I say that the validation of the Belgian National Number is easy?

I was wrong.

Semi-official and unofficial open source code is often hilariously bad, although the format is quite well documented on Wikipedia.

One thing that people seem to misunderstand is that the check digits also disambiguate between two possible birth dates 100 years apart. That is, the national number of someone born on April 16, 1925 will be 25.04.16-123-47, and for someone born on April 16, 2025 it would be 25.04.16-123-76.

Here it goes in Java:
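A validator written from the description above, as an added example (the post's own Java code is not on this page): it checks the nine-digit body as-is and again with the leading 2 used for births from 2000 on, and then confirms that the encoded date actually exists. It assumes ordinary numbers only; "bis" numbers with their +20/+40 month offsets are out of scope.

```java
import java.time.DateTimeException;
import java.time.LocalDate;
import java.util.Optional;

public final class BelgianNationalNumber {
    /** Check digits are 97 minus (body mod 97); a remainder of 0 yields 97. */
    static int checkDigits(long body) {
        int r = (int) (body % 97);
        return r == 0 ? 97 : 97 - r;
    }

    /**
     * Returns the four-digit birth year when the number is valid, empty otherwise.
     * The nine-digit body YYMMDDSSS is checked as-is (born before 2000) and again
     * with a leading 2 (born 2000 or later); only one of the two can match.
     */
    public static Optional<Integer> birthYear(String raw) {
        String d = raw.replaceAll("[.\\-\\s]", ""); // accepts 25.04.16-123-47 or 25041612347
        if (!d.matches("\\d{11}")) {
            return Optional.empty();
        }
        long body = Long.parseLong(d.substring(0, 9));
        int check = Integer.parseInt(d.substring(9));
        int century = checkDigits(body) == check ? 1900
                    : checkDigits(2_000_000_000L + body) == check ? 2000 : 0;
        if (century == 0) {
            return Optional.empty();
        }
        int yy = Integer.parseInt(d.substring(0, 2));
        int mm = Integer.parseInt(d.substring(2, 4));
        int dd = Integer.parseInt(d.substring(4, 6));
        // A matching checksum is not enough: the encoded date must exist. Month 00
        // (unknown birth date) is accepted; the +20/+40 month offsets of "bis"
        // numbers are out of scope here (assumption of this example).
        if (mm != 0) {
            try {
                LocalDate.of(century + yy, mm, dd);
            } catch (DateTimeException e) {
                return Optional.empty();
            }
        }
        return Optional.of(century + yy);
    }
    public static void main(String[] args) {
        // Constructed inputs: the two numbers from the post, plus a wrong check.
        for (String n : new String[] {"25.04.16-123-47", "25.04.16-123-76", "25.04.16-123-00"}) {
            System.out.println(n + " -> " + birthYear(n));
        }
    }
}
```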

What about the Belgian Digital Sovereignty?

Bert Hubert has written at length, and more openly since the election of Trump, about the EU's dependence on US software. Not that engineers did not know about all that, but European IT is not run by engineers to the same extent as in the US.

The situation is slightly different in Belgium:

  1. We have our own government cloud. It runs on US software, but we are pretty much in control of it.
  2. We have our own authentication service, but large parts of it run on COTS software from the US.
  3. We forgot how to host our own email; even the Ministry of Foreign Affairs and the Cabinet of the Prime Minister use M365.
  4. We voluntarily gave up control over the Belgian Certificate Authority to the US-based conglomerate DigiCert.

I guess things have to be fixed in the reverse order:

  1. Take back control of Belgium Root CA
  2. Host our own email
  3. Own government auth
  4. Migrate government cloud off Broadcom and IBM (anyway we need to migrate off Broadcom for money reasons)

That's a nice task list, and luckily we already have an IT czar.

P.S. and disclaimer: I indirectly work for the government, but everything above is public knowledge, for instance:

2FA or not 2FA

A few weeks ago I received an unsolicited email from the Belgian Center for Cyber Security (CCB). It starts with the statement that 80% of cyber attacks could be avoided if 2FA were active, and then says literally: "If you only use a username and password for your remote logins, you're a sitting duck."

This is not true: username and password are no less secure than 2FA. In a way, they are more secure. I know this is controversial, but please bear with me, and I will explain the CCB's assumptions, my assumptions, and how it all makes sense.

The CCB assumes that people cannot be trusted with passwords. Over the years, the most popular passwords have been 123456 and password, closely followed by 12345678 and qwerty. Research has proven time and again that we use weak passwords whenever possible.

But hold on. These same people behave reasonably and optimally. Whenever they start using a new website or app, its value to them is close to zero, so it is an optimal strategy to use a weak password. More often than not, the interaction is one-off or so spaced out in time that it makes no sense to save the password at all. When I visit a website I have not visited for years, my old password usually does not work anymore, and I have to reset it.

I have a workflow for auto-generating passwords and storing them in a password manager, but it is totally reasonable to expect other strategies for occasional users:

Resume vs Curriculum Vitae

Old farts like me often have long and detailed LinkedIn profiles that we just copy as a curriculum vitae when applying for leadership roles.

This is based on two assumptions:

  • People are good at glancing over long texts, reading between lines and forming opinions.
  • Automated resume ranking tools are better at extracting data from long and detailed curriculum vitae rather than one-page resumes.

Both are wrong:

  • HR are not those people. Senior HR partners do not read CVs, and junior HR may not be as skilled as your software engineering pals at reading between the lines and drawing conclusions. Your CV has to be digested into a shorter resume for them.
  • No one except big tech uses automated resume ranking tools, and even they let junior HR filter the results.

So better:

  • Feed your long and detailed CV to ChatGPT so that it tailors it to the individual job description.
  • Assume that people reading your resume are less skilled.

Finally, curriculum vitae can be roughly translated from Latin as "the course of one's life", while a resume is... well, a summary of your course of life, tailored to a particular situation.

Use one or the other when appropriate.


Adaptive delivery for websites: a forgotten concept

Back in 2011 my team built a news website with adaptive delivery. It loaded a small HTML page with a JavaScript snippet that checked the screen size and user agent, then, based on whether the user was on a phone, a tablet or a desktop, downloaded and displayed the content crafted for that particular device. It then set a cookie to avoid the extra round-trip for returning visitors.

Nowadays people tend to adapt the design to devices with CSS frameworks and flexbox layout, but this does not always reduce traffic and CPU time for low-powered devices.

While our engineering feat was adorable and I praised the team for the achievement, this architecture did not last. The editorial team did not want to maintain essentially three different content layouts daily, and the marketing team was not willing to compromise on ads on smaller screens.

No one was happy except the readers.

Falsehoods people believe about email

Not everyone has an email.

A businesswoman once proudly showed me a dumbphone and said that she did not have a personal email, only a corporate one. That persuaded me for a while, until I learned that her husband was prosecuted for money laundering around the same time. So yes, not everyone has email, but those who don't are few, and they have very good reasons.

Email is insecure

Aside from spam and automated emails, pretty much all email typed interactively in an email client is encrypted between the sender and the receiver.

We could have a long technical discussion here about the opportunistic encryption of STARTTLS or about the market share of Google, Microsoft and Apple, but the reality is that it is protected for all practical purposes that matter to ordinary people. That is, it is impossible to view or modify, in transit, emails written by individuals.

You can impersonate anyone in an email

Long gone are the days when you could send a mail from gates@microsoft.com from your personal computer. To start with, outbound port 25 is probably blocked at your ISP. Then, even if you managed to send an email, it will probably be rejected as coming from a residential IP range. And even if you send the mail from Amazon SES, the receiving SMTP server will use SPF and DMARC to check whether Amazon SES may send emails on behalf of @microsoft.com, and it will find that it may not.


Hetzner vs AWS

I moved a business of ~100 FTEs from AWS to Hetzner once. Aside from the migration cost, the price was roughly 25% of AWS. I left many years ago; the business has switched frameworks since then, but they stayed on Hetzner.

Thinking again about this old story, I now realize that the biggest gain was not monetary but human. For years, that business could retain skilled engineers who had the opportunity to work closer to bare metal, caring about the nitty-gritty technical details of backups, failover and high availability.

And they did not even cost much. That they had so much leeway in designing the system, instead of "relying on the cloud", was a major retention factor.
