
An easy correction is to only merge PRs from folks who are on the on call rota.

Those not on rota can either join or have their PR receive heavy scrutiny


There are various technical corrections, with arguable pros and cons. However, they do not match the underlying problem stated above:

> the rise of business types in tech company leadership


This "receive heavy scrutiny" is part of the problem that is raised in the article though:

> You are friends with all the senior TLs, so can get them to review your code, but this is not a high-leverage use of time.

And then, tying back to OP's comment, the engineer gets pinged for their bad metric, because of this additional review.


If 24/7 availability is required, the company should simply hire someone to work those hours, perhaps in a different timezone if needed. Many mistakes are going to be the result of management pressures to "ship" too quickly, incentivizing cutting corners, which someone will have to deal with at some point, even if it's during their regular working hours.

Nah, the rota is large enough that it will likely be somebody else’s problem anyway and the chances are even if it does land on them they just won’t answer the phone.

Punishing mistakes with unpaid overtime has never been a good approach to quality. It just teaches management that they can get away with low quality because the engineers will pick up the pieces in their own time.


> unpaid overtime

Through European lenses this part seems insane. It is work, so pay me for it :) Every on-call rotation I was ever part of was paid. Is the "unpaid" part a US thing, or was I just lucky?


Working as a SWE at Meta in the US pays 3-5x more than a European tech job (outside of Switzerland). They are paid for it.

Paid oncall in US big tech is the exception rather than the norm (notably, Google has paid oncall)


How does it work out with cost of living?

This is of course a complicated question. The US has many tax jurisdictions and widely variable cost of living, and jobs vary a lot. But I could compare, say, a Google engineer in Paris vs Seattle.

A Google senior software engineer in Paris earns €168k per year (according to levels.fyi) and takes home €96k after a 43% effective tax rate. A Google senior engineer in Seattle earns €336k and takes home €239k after 29% taxes, a 2.5x increase in take-home pay. According to Numbeo, cost of living in Seattle is 15-25% higher.

Of course, in America you have to fund your own retirement. As long as the pension plans remain solvent, "savings" are a lot less important in Europe.

Anecdotally, I know people who were able to opt out of working altogether after 10-15 years in a large tech company in the US. I don't think this is common in Europe.


>Of course, in America you have to fund your own retirement.

Isn't social security a thing? Plus employer funded 401K also?

>As long as the pensions plans remain solvent, "savings" are a lot less important in Europe.

"As long as" is doing a lot of lifting here, and that's enough if you're lucky enough to own your own property and not have to pay market rate rent at your old age.


In the US it's common to either negotiate 'differential' pay for the responsibility, or as one might see in this thread, get suckered into it for free.

Unpaid overtime is common across the continent for salaried positions. There's only a handful of jurisdictions where it's not the norm.

Not doing 996 is a feature not a bug

Not when you want to win and compete with someone who does 996

Anyone who does 996 is being exploited, unless they're the actual boss, in which case they're the ones doing the exploiting if they're pushing 996 on their employees.

This is why 996 bosses think AI can replace their employees, because they already see the employees as robots, not humans.


Instead of running guys into the ground, you _could_ hire more people and do shifts if it's that important to stay current.

No, it's 996 for 845 wages.


OP discovered the state of Malta's InfoSec culture the hard way.

TLDR: infosec is screwed in Malta. The only people who benefit are malicious actors.

Some missing historical context is that there was no real legislation other than computer misuse up until the recent case known as the FreeHour case. A group of students discovered some pretty nasty vulnerabilities in an app aimed at matching student schedules. One of these vulns was exposing RW API keys for hundreds of students' Google calendars, hanging out to dry on the open internet.

The students involved, together with one of their lecturers, sent a standard vuln disclosure notice via email to the company. Instead of what you'd expect, the students were arrested, strip searched and charged with computer misuse.

This really threw the entire local infosec scene off, with some very vocal voices saying how draconian the situation was. Finally they all received presidential pardons [1] although last I heard they don't have their hardware back yet. FreeHour and their tech supplier (never publicly mentioned but if you ask around you can find out who they are) never saw any consequences.

I've done two public disclosures [2] [3] which worked out well but only because I knew how to go about it. In such a tiny country it is about who you know and how you know them, so in both cases I established contact via trusted intermediaries, both times ensuring I found someone who would know what I was talking about whilst also not immediately reaching for the police.

I'm sitting on another issue I discovered because after a long conversation with CSIRT about it we figured the only way I can actually anonymously report it is by snail mailing it to them. I can't pull together the energy to complete it because I don't have the time right now in my life for another legal melodramatic situation.

Despite this, MITA (the government IT department) annually runs a cybersec award ceremony [4]. I had once planned to nominate the students for the award but the nomination criteria forbid nominations for individuals who have "averse media publications" about them.

This is very much a deep socio-political problem in the country: we don't handle candour or bluntness of any kind in the public sphere. Being a very blunt person, it got me in all kinds of trouble growing up.

[1] https://timesofmalta.com/article/pardon-issued-students-lect...

[2] https://www.simonam.dev/accidental-pentest/

[3] https://www.simonam.dev/total-account-takeover/

[4] https://ncc-mita.gov.mt/cyber-awards/


If you're familiar with the CLI you could use ffmpeg to extract the audio, then pipe the audio into whatever transcriber.


I use ffmpeg a lot, but I'm curious if anyone can recommend a transcribe tool.


wow seven people have the same password as me



> And how would you know what they base their hiring upon?

GDPR Request. Ah wait, regulation bad.


If you don't want to run your machine 24/7 (whether for electrical consumption, environmental, noise, etc. reasons), I wrote an ssh proxy [1] that will send WOL packets to a target machine and hold your connection until it's alive.

I then configured debian-autoshutdown [2] to turn the machine off if there's no traffic on ssh after 15 minutes.

This way I just ssh into my machine (whether via antigravity on my laptop or termius on my phone) and within 30 or so seconds it's awake, no physical button presses needed. I documented the whole flow in more detail on my blog [3].

I'm now working on an improvement called machine on proxy (or mop) that will allow me to start Proxmox VMs instead of physical machines, so I can let gemini-cli run wild and if it decides to wipe the entire hard drive I can restore from a snapshot.

[1] https://github.com/simonamdev/ssh-wol-proxy

[2] https://github.com/mnul/debian-autoshutdown

[3] https://www.simonam.dev/ssh-wol-proxy/
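The wake-then-hold flow described in the comment above, as an added example (not code from the linked ssh-wol-proxy project, whose implementation is not shown on this page). The function names, the UDP port 9 default, and the MAC and IP sample values are assumptions made for the illustration.

```python
import re
import socket
import time


def magic_packet(mac: str) -> bytes:
    """Build a WOL magic packet: 6 x 0xFF, then the target MAC 16 times."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(digits) * 16


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> None:
    """Broadcast the magic packet over UDP (port 9 is the usual convention)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(magic_packet(mac), (broadcast, port))


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """One TCP connect attempt; True if something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wake_and_wait(mac, host, port=22, timeout=60.0, interval=1.0,
                  send=send_wol, probe=port_open) -> bool:
    """Wake the target if needed, then block until its SSH port answers."""
    if probe(host, port):
        return True  # already awake: no packet sent
    send(mac)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if probe(host, port):
            return True
        time.sleep(interval)
    return False


if __name__ == "__main__":
    # Constructed sample values: replace with your machine's MAC and address.
    print(wake_and_wait("aa:bb:cc:dd:ee:ff", "192.0.2.10", timeout=5.0))
```

The magic packet itself carries no authentication, so anyone who can reach the broadcast domain can wake the machine; access control has to sit in front of whatever sends it.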


I do the same. I can SSH into my router at home (which is on 24/7), then issue a WOL request to my dev machine to turn it on.

You don't even have to fully shut down your dev machine, you can allow it to go into stand-by. For that it needs to be wired by cable to LAN, and configured to leave the NIC powered on in stand-by. You can then wake up the device remotely via a WOL magic packet. Maybe this is possible with WLAN too, but I have never tried.

Also, you don't need a Tailscale or other VPN account. You can just use SSH + tunneling, or enable a VPN on your router (and usually enjoy hardware acceleration too!). I happen to have a static IP at home, but you can use a dynamic DNS client on your router to achieve the same effect.


I run a lot of small form factor (SFF) machines including NUCs, Minisforums, and a Mac Studio.

At idle, they aren't loud or consuming much electricity compared to sleep/shutdown.

Fruit co devices in particular are extremely efficient; the Studio is rated at 6W idle, 145W max consumption (cf. https://support.apple.com/en-us/102027 )


Can you do the same to remotely wake up my MacBook on demand via WoL and ssh into it from my phone? What are the security risks?


I don't think WOL works over Wi-Fi, and I'm not sure whether you can get WOL from a USB Ethernet adapter.

My proxy doesn't attempt to handle security. Most folks use either Tailscale or some other VPN solution. In my case I use the wireguard server in my router to VPN into home which gives me access to the proxy and consequently to the machine.


Anecdotally, with two young children (5, 1), the savings add up and mean twenty more seconds with them or not being overwhelmed after they're asleep with the state of the house.


Indeed.


I was super interested in DBOS but I had to back out when I figured that the observability isn't self hostable yet :(, so I'm chuffed to hear it's coming!

What's the best way to hear about it when it does? Maybe a newsletter I can register to or something.


One way is to follow https://www.linkedin.com/company/dbos-inc for updates

