Hacker News | Quothling's comments

I work in a NIS2 compliance sector, and we basically use Go and Python for everything. Go is awesome, Python isn't as such. Go didn't always come with the awesome stdlib that it does today, which is likely partly why a lot of people still use things like Gin for web frameworks rather than simply using the standard library. Having worked with a lot of web frameworks, the one Go comes with is nice and easy enough to extend. Python is terrible, but on the plus side it's relatively easy to write your own libraries with Python, and use C/Zig to do so if you need it. The biggest challenge for us is that we aren't going to write a better MSSQL driver than Microsoft, so we use quite a few dependencies from them since we are married to Azure. These live in a little more isolation than what you might expect, so they aren't updated quite as often as many places might. Still, it's a relatively low risk factor that we can accept.

Our React projects are the contrast. They live in total and complete isolation, both in development and in production. You're not going to work on React on a computer that will be connected to any sort of internal resources. We've also had to write a novel's worth of legal bullshit explaining how we can't realistically review every line of code from React dependencies for compliance.

Anyway, I don't think JS/TS is that bad. It has a lot of issues, but then, you could always have written your own wrapper on top of Node's fetch instead of using Axios. Which I guess is where working in the NIS2 compliance sector makes things a little bit different, because we'd always choose to write the wrapper instead of using one others made. With the few exceptions for Microsoft products that I mentioned earlier.


This is really interesting, thanks for sharing. Great food for thought.

Being tightly coupled with MS already, did you ever explore .NET?


We used to have some C# but we moved away from it to have fewer languages and because it was a worse fit for us than Go and Python. I'm not sure .NET would really give us any advantages though. Microsoft treats most major languages as first class citizens in Azure, and since we build everything to be sort of platform agnostic, we wouldn't have the tie-ins that you could have with .NET. I'm not saying it would be fun to switch cloud, but all our services are built so that there is a decoupled "adapter" between our core logic and Azure. We use a lot of Azure functions as an example, but they run in container apps on a managed k8s, so the Azure function part is really just an ingress that could be swapped for anything else.

It's been a while since I worked with an "actual" function app in Azure. We did have a few .NET ones that weren't using containers. At the time they were pretty good, but today I'm not sure what the benefit over a managed container environment with container apps would be. Similarly with sqlserver. We use it because of governance and how it ties into data factory and I guess fabric, but we don't use ORMs so something like Entity Framework wouldn't really be something we'd benefit from with .NET.

I think the only thing we couldn't realistically replace and get something similar is the governance, but that's more to do with how Management Groups, Policies, Subscriptions and EntraID works than anything else.

Eventually everything will probably be Python and then C/Zig for compute heavy parts. Not because Python is great, it's terrible, but it's what everyone uses. We're an energy company and with the internal AI tools we've made widely available we now have non-SWE employees writing code. It's Business Intelligence, it's Risk analysis, it's powerplant engineers, it's accountants. They're all working with AI code in their sandboxed environments and it's all Python. Since some of it actually turns out to generate great value, it's better for us (and the business) if our SWE teams can easily take over when "amateur hour" needs to meet operational compliance for the more "serious" production environments. I put things in "'s because I'm still not entirely sure how to express this. A lot of what gets built is great, and would have never been built without AI because we don't have the manpower, but it's usually some pretty bad software. Which is fine, until it isn't.


Thanks for taking the time, I really appreciate the insights.

Having worked in non-swe enterprise for two decades I would argue that this is less true today than it was 10 years ago. It used to be that new hires would come with a basic knowledge of windows and office, but that's no longer the case. At the same time, you have things like Smartsheets and so on, which are more popular, at least with our employees, than Excel and everyone seems to hate Outlook these days. I don't think it was ever really the case though. What Microsoft sells to enterprise is governance, and they really don't have any competition in this area.

Being in the European energy sector we're naturally looking into how we can replace every US tech product with an EU/FOSS one. It's actually relatively easy to buy the 365 experience through consultants which will set up a NextCloud, Libre/Only Office, Proton and a teams replacement I can't for the life of me remember the name of. Beneath it there is a mix of Identity Management systems, often based around Keycloak, at least for now. It works, from what we've seen in Germany (specifically with their military) it's also possible to roll it out relatively quickly. It's all the "other" stuff that gets murky. There isn't a real alternative to AD/Entra, yet, from a governance perspective. There are great tech solutions which do the same thing, but they require a lot of IT man hours. Something the public sector is always going to be more willing to deal with than the private sector. If we collectively decided that trains in Denmark should be free for passengers, then that would happen. You can't do that in a private business, though security obviously does factor into it.

This is the general story really. Microsoft's copilot studio is relatively new, and it's probably been flying under the radar in a lot of tech circles because it's basically what power automate always wished it could be. Having used it to build a HR flow, where an AI model will receive the applications, read them, auto-reply to irrelevant ones, create a teams site with files and the relevant people for the relevant applications, and invite the applicant to their first appointment. Well... I gotta say that I'm not sure what we have that's an alternative to that. It took me a couple of hours to build it, and it frankly works better than I thought it would. Granted, I did know the tool because I had previously done a PoC where I built a teams agent which "took over" my teams interactions. Everyone noticed because it spelled correctly and wasn't capable of posting Warhammer 40k ORK memes in any form of quality, but it was frighteningly easy. What Microsoft sells in this area is again the governance of it all. You can do these things because of how EntraID lets you connect services seamlessly with a few clicks. While behind the scenes all of those clicks are only available to you because your IT department controls them... Again... without hundreds of manhours.

I'm sure we'll eventually get there, but it'll likely come down to change management. Because even if you're willing to retrain your IT operations crew, it's not likely that they will want to leave the Microsoft world where they are well paid and job-secure. Well, maybe I'm in a cheese bell, but I've never met an Azure/Microsoft IT person who would want to work with something else, and having been forced to work a little bit with it behind the scenes, I sort of get it... well not really.

Which boils down to why Microsoft has always been good with enterprise customers. The decision makers in your organisation will listen to everything, but their own IT departments will often sort of automatically recommend Microsoft products and at the end of the day, it'll all boil down to risk. Which is what Microsoft really sells... risk-mitigation. Sure their licenses are expensive, but is it really more expensive than losing your entire IT staff? (this isn't an actual question I'm asking, it's what goes through the considerations.)


This probably reflects my own prejudices, but it always struck me that MS based IT people wouldn’t work with anything else, basically because they couldn’t.

That stack optimises for not really having to understand what you’re doing, but also avoiding any major foot guns (and having the general arse covering that buying IBM used to provide, but which MS now does). The price you pay is that everything is horrible to work with. But if the alternative is not really being able to get anything done at all then so be it?


The Windows ecosystem does a lot of things that, to me, as a Linux/MacOS user, seem like a weird bunch of crazy decisions that are different just because.

Whether that's true or not, it does mean that a lot of people who came up on Windows IT don't have a mental framework for how to run or manage Linux systems. Likewise, when I'm trying to diagnose something on Windows it just seems like the entire thing is a disaster; where are event logs? In the event viewer! How do I filter them? It's a mess! Can I search them? Kind of! Do they have information to help me diagnose the problem? Almost never!

On Linux, I know all the tools I need to solve all the problems that come up; on Windows, I have only minimal concept of how things work, and very little way to diagnose or debug them when they go wrong, which is often.

For example, when my Windows gaming machine comes out of hibernation my ethernet controller insists that there's no connection. I can't convince it otherwise except by disabling the device and re-enabling it. I can't figure out where I might find information that tells me why this is happening, so I just wrote a powershell script to turn it off and then on again. I bet some Windows IT dork could figure it out in 30 seconds, but I'm a Linux IT dork and I have no clue.


> For example, when my Windows gaming machine comes out of hibernation my ethernet controller insists that there's no connection. I can't convince it otherwise except by disabling the device and re-enabling it. I can't figure out where I might find information that tells me why this is happening, so I just wrote a powershell script to turn it off and then on again. I bet some Windows IT dork could figure it out in 30 seconds

Windows and Linux dork here (heh). It has to do with how various computer manufacturers implemented the Sleep/Standby State (S3/S4), how they've resisted implementing a common standard at the hardware level, and how Microsoft eventually gave up arguing and patched around it with their own Modern Standby system in the S0 state.

https://learn.microsoft.com/en-us/windows-hardware/design/de...

Tbh, though, the only computer I've ever seen Hibernate work well on are Macs. Every x86 computer usually has some sort of issue with it, except for maybe business laptop models (eg HP's Elitebook line).


> Tbh, though, the only computer I've ever seen Hibernate work well on are Macs. Every x86 computer usually has some sort of issue with it, except for maybe business laptop models (eg HP's Elitebook line).

This has always been my experience, going back I'd say at least to the early 2000s on cheap laptops, and all the way back to the earliest days of sleep and hibernate on desktops, where sleep just doesn't matter that much.

When I started dabbling in boot code around 2006, I read a bunch of the specs and one of them was ACPI, which I only scratched the surface of.

I think until then it had just not occurred to me that a modern paged protected OS would even want to call into any code supplied with the computer, vs. having it come from a driver disk, or be built in to the kernel where everyone can see it.

The whole idea of a bytecode interpreter running random code supplied by a fly-by-night system builder is a little unsettling.


> ...an AI model will receive the applications, read them, auto-reply to irrelevant ones...

You're probably breaking EU law by building this nightmare.

https://artificialintelligenceact.eu/article/86/


All that law says is that the applicant 'shall have the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken.'

And even then, only if a job application rejection 'produces legal effects or similarly significantly affects that person in a way that they consider to have an adverse impact on their health, safety or fundamental rights'.

So as long as the company is recording the decisions taken and the reasons for those decisions, and providing those to candidates on request, they're in the clear.

I doubt that they are, but maybe!


If they're using an LLM to make those decisions, then they're fundamentally unable to provide the reasons for those decisions, because of how LLMs work.

Not to mention you can't trust that the AI is actually filtering out applications properly. I've run into that myself when I was responsible for hiring at my last role. The AI solution my boss insisted we use was awful. It highly rated completely unqualified applicants and ignored the few good ones.

> Which is what Microsoft really sells... risk-mitigation. Sure their licenses are expensive, but is it really more expensive than losing your entire IT staff?

There's an old saying in IT that was pretty popular in the 70s and 80s: "Nobody ever got fired for buying IBM."

You'll notice that nobody says it anymore.


I'm Danish. There are 56k people in Greenland and almost half of them live in Nuuk. The USA could frankly "take" Greenland simply by putting a warship there and saying it was theirs. Not really sure why it was ever on the table though. The USA has basically free rein to expand its military bases there, aside from the ban on nuclear weapons. Sure it would need approval by both Greenland and Denmark, but up until recently we were frankly more allied with the USA than the EU, and I doubt we've ever really said no before. We even bought the damn F35s despite them being so much more expensive than the alternatives, primarily because of our history with the F16s. Which would probably have been a possibility considering we're now debating whether or not to have French nuclear weapon carrying planes stationed on Danish soil in the fallout of the USA no longer being a trusty NATO ally.

If it was because of resources, then American companies are frankly free to extract them as long as they reach deals with Greenland about it. If the USA had waited a few years for Greenland to gain more independence then it would have been even easier.


I'm Danish and like every other western country Palantir wants to mass surveil us (and we apparently sadly want them to do it too despite the whole Greenland thing). I can't tell you how it'll shift power from the cultural elite to the working class because that's not what we're seeing. We're seeing AI shift power from the cultural elite, and, the working class to the technical/financial elite.

It does so with surveillance and information. In a free democratic society you can jaywalk when no car is around and be ok. In a surveillance state, you can't, because it'll hurt your social credit score. Similar to what we see in certain Asian countries, effectively making you a B class citizen. Jaywalking is just an example of course, because we've agreed that is technically illegal but basically every human when confronted with a situation like that outside of bureaucracy will think it's ok you crossed the completely empty road. They won't think it's ok if the road wasn't empty. Which is the nuance in the system, that the surveillance bureaucracy doesn't have.

I like to think of it in dungeons and dragons alignments. Democracy is in the neutral zone, perhaps with a slight chaotic bias, but overall you don't want it to be either too lawful or too chaotic. If it goes too far either way the other side will suffer. The reason it can be a little biased toward chaotic is because chaotic people don't try to force their way on lawful people quite as much as the other way around.

I guess more working class men in America are lawful? Overall though, the people with the power will be the people with the information and the wealth to impact the bureaucracy.


Isn't part of why Apple's iPhone can be so expensive is because it's very easy to get actual human support for it when something goes wrong? You probably didn't make the mistake at Microsoft, but I've seen people look at the localized spreadsheet and miss the long term company wide spreadsheet completely. Often because the sales and support departments are so far from each other that they're basically two different companies working in different directions. Maybe Microsoft customer support is a bad place to measure these things because of the size, but around here quite a few banks have tried outsourcing their phone support to everything available and have come back because it cost them customers. Even customers who never phoned them.

That being said. Your example of customers calling for support on things they should be capable of figuring out themselves is probably where AI is going to shine as first line support. Once (if?) AI voice chat is good enough to replace chatbots we may not even realize we're talking with an AI unless it tells us.


> customers calling for support on things they should be capable of figuring out themselves is probably where AI is going to shine as first line support.

It certainly won't be cheap to run real-time AI voice chat, or any real-time AI chat. The AI costs that you currently see are heavily subsidized, just like OP's example of "VC backed competitors who are OK burning $$ to gain market share", it's the same. These AI companies are far from profitable, burning billions to insert themselves into customer support pipelines and everywhere else they can, and then the other foot will drop. Uber and Lyft are far more expensive today than when they started, and the price to run "AI" will also inflate when these companies have to pay off all the billions they've spent but didn't earn. I doubt it will end up costing much less if less at all than human support, with worse results.


AI voice chat can be done for cheap.

Lots of it is RAG and knowledge base lookups, you don't need large fancy models. Indeed you want fast responses, so low parameter models are better.

TTS and ASR models are tiny nowadays, like a handful of GB tiny.

Last time I priced this all out the VOIP fees cost more than self hosting all the models.


> Isn't part of why Apple's iPhone can be so expensive is because it's very easy to get actual human support for it when something goes wrong?

Yeah, Apple has best in class support. They tried monetising it through Applecare but that's largely broken down.

I can't stand Apple for a lot of reasons, but their phone support, and everything behind that like training, is about as good as you can possibly hope to achieve.


> But do the humans need to actually understand the code? A "yes" means the bottleneck is understanding (code review, code inspection). A "no" means you can go faster, but at some risk.

I always thought of things like code reviews as semi pseudo-science in most cases. I've sat through meetings where developers obviously understand the code that they are reviewing, but where they didn't understand anything about the system as a whole. If your perfect function pulls on 800 external dependencies that you trust. Trust because it's too much of a hassle to go through them. I'd argue that in this situation you don't understand your code at all. I don't think it matters and I certainly don't think I'm better than anyone else in this regard. I only know how things work when it matters.

If anything, I think AI will increase human understanding without the need to write computer unfriendly code like "Clean Code", "DRY" and so on.


> If anything, I think AI will increase human understanding

How?


Have you met the average programmer on a Thursday afternoon after a terrible week of little sleep, family issues and unnecessary meetings? When I'm in that state of mind myself I'm fairly confident that any LLM could explain my week's work better than I could.


Code reviews are pseudo-science now? Computer unfriendly code? What are you talking about? Do you understand that this babble makes zero sense? Are you one of those product managers who recently learned to vibe-code? If so, make sure your latest Replit project does not delete your production database...


Splitting your code up into multiple functions across multiple files is computer unfriendly code. It'll cause L1, L2 and L3 cache misses. Yet it's hailed as very human friendly and maintainable by Uncle Bob and his disciples. As far as code reviews go, do you have any form of evidence that it's not a pseudo science? If I look at our industry today, it's not like it's in better shape compared to where it was decades ago. Hell, some of our most important systems are still running COBOL. If all these methodologies and principles that people swear by actually worked, I'd argue that things would have improved over the previous 40 years.

I think AI is pretty terrible for a lot of things, and pretty great for a lot of things. Since I work in a NIS2 regulated field I can't have any form of agent running with any form of access. Which makes sense for any form of critical service we write, but I wouldn't have an issue having an AI deal with some "unimportant" internal application.


> Splitting your code up into multiple functions across multiple files is computer unfriendly code. It'll cause L1, L2 and L3 cache misses

I think you have no idea what you're talking about and trying to sound technical based on some concepts you misheard somewhere.

A lot of non-tech people got into "tech" in the last years not because they were passionate about technology but because they heard they could make more money there. This was possible due to VCs throwing around money at various software companies. As a result we get statements like yours. There is one thing that I am hopeful for with the AI bubble - which is the VCs panicking out because they think "everyone will vibecode an SaaS" - and pulling out of software companies investments, causing the folks like you to go back to whatever you were doing before and leaving software to people who actually know it and do it out of genuine interest and not primarily for the money.


You sure seem to assume a lot about me for someone who is so confidently incorrect. I wish you well, I suspect you may need it.


I think it comes down to "it depends". I work in a NIS2 regulated field and we're quite challenged by the fact that it means we can't give AIs any sort of real access because of the security risk. To be compliant we'd have to have the AI agent ask permission for every single thing it does, before it does it, and four-eye review it. Which is obviously never going to happen. We can discuss how bad the NIS2 four-eye requirement works in the real world another time, but considering how easy it is to break AI security, it might not be something we can actually ever use. This makes sense on some of the stuff we work on, since it could bring an entire powerplant down. On the flip-side AI risks would be of little concern on a lot of our internal tools, which are basically non-regulated and unimportant enough that they can be down for a while without costing the business anything beyond annoyances.

This is where our challenges are. We've built our own chatbot where you can "build" your own agent within the librechat framework and add a "skill" to it. I say "skill" because it's older than claude skills but does exactly the same. I don't completely buy the author's:

> “deeply”, “in great details”, “intricacies”, “go through everything”

bit, but you can obviously save a lot of time by writing a piece of English which tells it what sort of environment you work in. It'll know that when I write Python I use UV, Ruff and Pyrefly and so on as an example. I personally also have a "skill" setting that tells the AI not to compliment me because I find that ridiculously annoying, and that certainly works. So who knows? Anyway, employees are going to want more. I've been doing some PoCs running open source models in isolation on a raspberry pi (we had spares because we use them in IoT projects) but it's hard to set up an isolation policy which can't be circumvented.

We'll have to figure it out though. For powerplant critical projects we don't want to use AI. But for the web tool that allows a couple of employees to upload three Excel files from an external accountant and then generate some sort of report on them? Who cares who writes it or even what sort of quality it's written with? The lifecycle of that tool will probably be something that never changes until the external account does and then the tool dies. Not that it would have necessarily been written in worse quality without AI... I mean... Have you seen some of the stuff we've written in the past 40 years?


I work in a NIS2 regulated sector and I'm not sure we can ever let any AI agent run in anything we do. We have a centralized solution where people can build their own chatbots with various configurations and cross models. That's in the isolation of the browser though, and while I'm sure employees are putting things into it they shouldn't, at least it's inside our setup and not in whatever chatbot they haven't yet run out of tokens on. Security wise though, I'm not sure how you can meet any form of compliance if you grant AIs access unless you have four eye validation on every single action it takes... which is just never going to happen.

We've experimented with rolling open source models on local hardware, but it's so easy to inject things into them that it's not really going anywhere. It's going to be a massive challenge, because if we don't provide the tools, employees are going to figure out how to do it on their own.


Even in the EU we can't use a lot of "society important" smartphone apps without Google Play or the Apple Store. I can get a physical key thing for my national digital ID, but I can't get anything for my bank, my healthcare (which is a public service in Denmark) or any of our national digital post services. You can apply to get exempt from the digital post services, and they do have a website solution, but still.

Don't get me wrong. I appreciate all the work being done to get Europe out of the claws of US tech companies, but I think having an official EU app store alternative would be a good start.


> Even in the EU we can't use a lot of "society important" smartphone apps without Google Play or the Apple Store.

Install GrapheneOS on a Pixel. Most Android apps just work, and unlike the stock OS, it does not spy on you.


This doesn't help. Your contact number is shared by 50 parents' phones... are you sure of their security measures?

Even if I keep everything safe many govts are using Microsoft cloud for day2day operations. Recently my employer lost tons of data. Every CV you send to a company or recruitment is kept often unencrypted. Every other country is fingerprinting/face ID upon arrival. Are you sure about their security?

Things that I have dumped into my email are far less consequential compared to those.

The game is lost. Very few people can have privacy.


You still have to get Google Play to get the apps. It's better but it's not like it makes us less reliant on Google in the current way these apps are distributed.


A Pixel is depending on Google.


Parent mentioned not using the Play Store or the Apple Store. The hardware Graphene runs on is kind of irrelevant for that. I don't see a problem with paying Google for hardware that I am free to use as I like; unlike other manufacturers the bootloader is unlockable, which means the stock OS can be replaced.


Requiring a device from the same manufacturer as the OS as the only way to be free: there is really nothing you see contradictive in that? I mean, power to you!


Why not just mandate that all such apps must also be available on some government-approved Linux distro, ideally one that could run on mobiles too?


> [...] but I can't get anything for my bank,

You most likely can.[0] Of course, banks don't tend to advertise these kinds of authentication devices, probably because people tend to find apps easier, but you absolutely should be able to get one from your bank. It's very much not a Danske Bank specific technology, and it's explicitly there to allow for accessibility for those people without "suitable" phones, e.g. old people.

It's certainly not as convenient to use the online bank with a fob like this vis-à-vis a banking app, and we should absolutely push for banks to not be reliant on Google and Apple for their apps, but it is possible to use the services without being reliant on Google or Apple.

> my healthcare (which is a public service in Denmark) or any of our national digital post services. You can apply to get exempt from the digital post services, and they do have a website solution, but still.

Now admittedly I don't know how this stuff is over there in Denmark, but here in Finland we have access to the digital healthcare services via a website, both for the national patient database and the healthcare region access. Again, not as convenient as the respective apps -- although the app for the national patient database, OmaKanta, is very much in beta stages still, and it's way more convenient to use the website even on the phone -- but it's possible. I would be very surprised if that wasn't also possible over in Denmark.

And authentication can happen via a couple of means that aren't reliant on the smartphone duopoly, with authentication doable with online banking -- which as established, doesn't even need a phone -- and via a "phone authentication" which IIRC only needs support insofar as it's supported by the SIM card, and then of course authentication can be done with the national ID card and a smartcard reader.

And again, the point isn't that this kind of de-Googling or de-Appleing isn't difficult or inconvenient, or that we shouldn't improve the situation, but that it's absolutely possible to get away without using these vendors. And that we should make sure that these kinds of alternatives remain possible to use.

> Don't get me wrong. I appreciate all the work being done to get Europe out of the claws of US tech companies, but I think having an official EU app store alternative would be a good start.

Absolutely.

[0]: <https://danskebank.dk/erhverv/find-hjaelp/netbank-erhverv-bu...>


Bridgefy, Firechat, Bitchat and other bluetooth/wifi peer-to-peer SoMe's are great as long as you're enough people around. As long as you don't rely on one of the big tech app stores (or use an iPhone), it's not hard to get them even when the government is being tyrannical. It would be interesting to build something that would work over the various IoT networks which basically span all of Europe, but I guess that would be hard in countries where there are large areas of "nothing". It also depends on farmers choosing open source technology for their tech since you'd need a lot of farming IoT equipment to connect across rural areas.


> It would be interesting to build something that would work over the various IoT networks which basically span all of Europe, but I guess that would be hard in countries where there are large areas of "nothing".

A portable device that could effortlessly hook up to the existing decentralized wireless networks would be even better, Freifunk covers large part of Germany, Guifi covers large parts of Spain, probably there are more somewhere else too, but AFAIK there is no portable device that lets you easily just connect and chat, still requires a bit of setup to participate.

