On macOS you can search menu items via Shift–Command–QuestionMark (or by opening the Help menu). Most toolbar actions are also exposed as menu items, so this lets you essentially search for almost every function of every application that plugs into standard macOS frameworks.
Some applications have features that extend beyond what can be surfaced through the standard menu bar but the infrastructure is there for "normal" apps.
Ubuntu used to have something similar in earlier versions of Unity. It would surface Gtk and Qt menu trees in a searchable interface.
Oh my! I knew you could search through the menus. I didn't know there was a dedicated keyboard shortcut for it! I've been using MacOS for 10 years and never knew this… Thanks.
I also figured it out just now after 8 years of Mac usage. But I already knew that I don't know/use most of the dedicated Mac shortcuts (thought I think I should).
Another reason could be to ensure that you have at most one copy of the application ever, since you can force it to install stuff always at the same location.
On an unrelated product we learned that users ended up with many different copies of the app scattered throughout the system, if they were allowed to use the traditional bundle + DMG distribution method.
Spotlight would then helpfully pick one random copy, with obvious consequences wrt. project file versioning.
That is despite the DMG having the usual symlink to /Applications for a drag-and-drop installation.
yes, it's a total pain. users send you a crash log, you see that they're on an old version, ask them to update. They say they do, you get the next crash log, and it's still the old version. And then you get a screenshot and you see 12 different versions of your .app, in the desktop, in ~/Applications, in /Applications...
What's the problem with leaving the exe in the DMG instead of copying it out? As a user and a developer I don't see any problem with this whatsoever unless the application is poorly built.
Oh wow, I had no idea about the unintended consequences of the DMG + App bundle installation mechanism.
Maybe the issue could be ameliorated with a self-updater built-in into the app? Not a separate daemon, but something that by running inside the app, would be able to know what's the path of the old version that should be thrown away.
Maybe, but that's also an advantage. Often it is useful to have two versions of the same application available, for example if you are testing one of them, or if a feature or compatibility was broken somewhere along the way. Typical package manager software installation does not accommodate such use cases.
You have to take into account the helper and renderer processes. A freshly launched instance takes around 250 MB on my system. It consumes more as you open files that trigger lazy loading of additional extensions. Still less than other IDEs, though.
Yes! Thanks for releasing this and making my life easier :)
I have an old app deployed to App Engine. The app itself is rock solid and chugging along fine (I touch it once a year or so), but I dreaded having to deploy it due to the lack of vendoring support and other... peculiarities of the Go runtime. Glad to see this is no longer an issue!
FastMail. It's one of the few third party hosts to support push email on iOS with the native Mail app (it's a custom protocol based on APNS), since Mail doesn't implement IMAP IDLE [1].
They are also the main sponsors behind the JMAP protocol [2] and some open source projects such as the Cyrus IMAP server.
One thing to keep in mind about Fastmail is that all their servers are hosted in the US and they have no plan about changing this (I asked). Post-Snowden this means you can be quite sure that all mails will end up being analysed by the US authorities
First of all when making such a choice, you have to identify who the enemy is.
If you're talking about global enemies, like the NSA, then IMO without end-to-end encryption you're screwed. And if you're targeted directly, you're screwed regardless, given they have the capability to use whatever vulnerabilities they can find in your router, your phone, your OS, your browser, etc. If it's connected to the Internet, especially if you're being targeted, you're screwed.
Also many European countries have signed on joint cooperation agreements with US intelligence agencies. If for example you're using servers in the UK, it's in no way safer, see: https://en.wikipedia.org/wiki/Five_Eyes
So back to who is the enemy?
For me it's not the NSA or our local intelligence agencies. If I'm being wronged, I've got legal ways to fight back and I don't really care about the NSA.
What I care about is being _profiled_ by unscrupulous companies that may end up selling that data to other actors that may harm my well being. For example insurance companies could deny insurance if they discovered you smoked cigarettes 10 years ago. Or banks changing your credit score based on who your friends are. Or supermarket chains discovering that your daughter is pregnant before everybody else does. This shit is already happening!
I think the general discourse doesn't go in the direction that it should go. Organizations like EFF have been historically anti-government, but very pro corporate and private companies. Which is why I don't trust them fully.
Identify that enemy. If you're an European for example, that enemy is probably not the NSA.
I do prefer non-US alternatives btw, whenever I get that choice. I do so out of a desire to encourage competition and to reward EU companies that do well, as a "voting with your wallet" thing.
But choosing to reject non-US companies for the reason that some of their servers are located in the US, that's frankly childish. Servers located in the US are cost effective. Either provide better alternatives, or otherwise these services will not be able to compete on the global market from a price or latency perspective.
>Organizations like EFF have been historically anti-government, but very pro corporate and private companies.
I don't think I'd call EFF either anti-government or pro-corporate. Rather, they have a set of positions around surveillance, the public domain, etc. and side with or against governments or private companies based on those positions.
I donate to them, and in my experience they've been pretty consistent on their positions, but if you've noticed otherwise I'd be curious to know how.
I don't want to attack EFF, I think they are on the right side, but it's just a general feeling I've got.
For example when the Facebook and Cambridge Analytica scandal broke loose, that was the perfect opportunity for them to go out against private surveillance, guns blazing. Their reaction was late and with an article like "here's how to protect against Facebook tracking", advising people to opt out in their Settings and to install Privacy Badger, this happening when everybody else was freaking out and doing #DeleteFacebook pieces.
I donated to EFF modest amounts in the past and probably will do so again, because the fights they are fighting are good for us. Maybe they pick their battles, I don't know. But I'm seeing a general pattern in their attacks, which is that they go very light on companies, compared with how they deal with governments.
Maybe it has to do, as always, with their source of funding. I can imagine that they received significant donations from the philanthropists of Silicon Valley. I don't care much though. My general point being that there's too much emphasis lately on government surveillance and control from privacy organizations and less on Google/Facebook surveillance.
I'm glad that there's now mindfulness about it in this community though.
> For example when the Facebook and Cambridge Analytica scandal broke loose, that was the perfect opportunity for them to go out against private surveillance, guns blazing.
This is a very American thing which I can imagine our European counterparts not like, that is govt (USG) is treated as an enemy because it is the most powerful entity in the world. For Europeans, it would Govt AND these mega corporations (because the European govts do not have as much power as the US govt).
This is why in the US, corporations are ignored because they are insignificant on the US soil. And this isn't even a new thing, this opposition of the govt is as old as the founding of the nation.
This is why ACLU will not speak out against censorship of right wing media on Facebook and other companies. Keep in mind ACLU would not have any problem defending the latter against the govt, so it isn't about what the latter represents. It's simply, ACLU is a first amendment right based organization and their focus is preventing govt encroaching on our civil liberties (which is defined by what govt can't do, and not what a person is allowed to do in any circumstances).
Similarly NRA wouldn't care if you got kicked out of a movie theater for being concealed carry, but if a local city tries to ban guns in movie theaters, then NRA would step in.
> Similarly NRA wouldn't care if you got kicked out of a movie theater for being concealed carry, but if a local city tries to ban guns in movie theaters, then NRA would step in.
Well, this isn't entirely accurate. They definitely do chafe at even private restrictions on anything gun. While I don't have time to research this right now, a quick search of "concealed carry in businesses" certainly returns some people complaining that businesses shouldn't be allowed to restrict that. And, if you dug a little deeper, I imagine the NRA would be weighing in there somewhere.
They do see government surveillance as a greater threat than private surveillance, particularly if the private surveillance is disclosed. This makes sense as it is much harder to opt-out of your government than a contract with a private company.
I agree that the NSA is not _my_ enemy and I am probably not being targeted. However, as more people start thinking like that, those that _are_ targeted (journalists, lawyers, activists etc.) will have less options to hide among users of more privacy-aware service providers.
In a way, by using these providers you shield those who need their services the most
People won't speak the truth or do the right thing if the environment makes it hard, or risky to do so.
>I am probably not being targeted. However, as more people start thinking like that, those that _are_ targeted (journalists, lawyers, activists etc.) will have less options to hide among users of more privacy-aware service providers.
If only child porn / drug peddlers, journalists, lawyers... use tor and other privacy tools at minimum, 3 things WILL happen.
1. Tor, fastmail, ipfs, pgp, full disk encryption... WILL become illegal
2. Anyone using encryption / privacy tools will be raided. Arrest first, find crime later
3. Authorities imprisoning lawyers, journalists... who reveal wrong doings will be too easy. "He used privacy tools" would be enough to pacify the public after-all, "Only criminals have something to hide."
Consequently:
We'll lose the right to keep pins/passwords. Because refusal - privacy = admission of guilt.
I'm a teacher and I know how difficult it is for a kid to speak the truth when the entire class is lying. Adults are not much different.
If people have to choose between their freedom, means of livelihood and doing the right thing, telling the truth or exposing wrong things by the government most wont.
"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" -Upton Beall Sinclair, Jr.
>"Organizations like EFF have been historically anti-government ..."
Can you provide a citation or examples of this? Being pro-civil liberties does not imply anti-government. Those aren't mutually exclusive.
In the US civil liberties are basic freedoms identified in the Bill or Rights and the Constitution. And the Constitution is what established the government in the first place. How is it possible to be pro-civil liberties and anti-government?
The Bill Rights are amendments "to" the Constitution, the very document that establishes the legitimacy of the government in the first place. How can you accept the legitimacy of the government and be anti-government at the same time?
Even the Anti-Federalists, the group that advocated for the establishment of a Bill of Rights were not anti-government.
I take "anti-government" to mean that one is opposed to the actions that the government takes, in some situations, rather than being against the idea of the government. One can believe that a government is legitimate, while also believing that the government's power should be limited. One might argue that this idea is one of the core ideas of American government.
>"I take "anti-government" to mean that one is opposed to the actions that the government takes, in some situations, rather than being against the idea of the government."
That's silly, by that definition everyone would be anti-government then. Nobody agrees with the actions the government takes in all situations, not even within the same political party.
I'm not your enemy. I don't even know you. So please send me your passwords to your online accounts. And I'd like to take a look at your home computer. So please install VNC and open your ports on the router so we don't waste too much time setting it up.
While you're absolutely right, details that are sensitive in nature should be encrypted using end-to-end encryption. Otherwise you won't be safe regardless of email provider, as the other correspondents will often be using a US email provider anyway.
If your threat model includes an actual threat from organizations like the NSA, then I'd say you have bigger problems than the choice of email provider.
Interestingly, as a self-hoster your email is much more prone to metadata analysis than anybody who is hosted at one of the big providers and has most of their email transferred to other big providers down TLS-protected port 25 streams.
Absolutely! Everyone has their own usage case, and one has to adapt accordingly -- even me! :)
My point was that simply selecting an email provider outside the US does not make email safe in any way and that end-to-end encryption is the only way to prevent providers from accessing the content.
Absolutely. Our argument (and to be fair, we are a provider) is that if you don't trust your provider then they're basically just a dumb blob transit pipeline. There's not much value add you can do there.
So we have focused on building the best thing we can for people who _do_ trust their provider, and also on having a business model which means that we can be a trustworthy provider because we have no secondary "customer" who is actually paying the bills. We don't have split loyalties.
They're not cleanly separable. You can tell a lot about a person by simply looking at what's written on the outsides of the envelopes in their mail. No need to actually open them up and read the insides.
Quite simple:
If someone were to sniff the encrypted traffic between Hotmail and Gmail then they wouldn't have any idea who was talking to whom.
If someone sniffs the traffic between Hotmail and my server, it's trivial to see that a Hotmail user talked to me or one of the few others using my email server.
Why isn’t it actually possible to just encrypt saved emails on server? So that government does not have access. Couldn’t one use a hash of the password as key for the data for the data and not save that hash to check password but another one. This way (practically), at least if the password is not eavesdropped and saved by the mail provider, it would be much harder to give away emails.
Apart from the "users lose their passwords all the fricking time" problem (seriously, before we implemented https://fastmail.blog/2017/12/06/security-account-recovery/, lost password was always in the top 3 most common support requests of the week report)
Impementing per-message-encryption would turn us into a dumb blob store. The whole point of FastMail is the value add - fast search, ability to deal with a lot of email quickly, etc.
That and people's devices are basically always on these days, and fetch new email immediately on a push when messages arrive. So if your provider get a subpoena or gets hacked, then a push request will make your device connect with the password, and boom - access granted.
Finally, we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices, so we require people to create app passwords. This would be in direct opposition to many of the other safety things that are done.
(extra finally: phishing protections and antispam solutions are in pretty much direct opposition to the idea of the server not being able to see the content of emails)
Thanks; it's very helpful to know the ins and outs from a practitioner. I am confused by a couple of them:
> if your provider get a subpoena or gets hacked, then a push request will make your device connect with the password, and boom - access granted
If the message is decrypted only on my device, then that wouldn't matter. I'm guessing endpoint decryption is not what you (or maybe the GP) are talking about, but I don't know what you mean.
> we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices, so we require people to create app passwords. This would be in direct opposition to many of the other safety things that are done
What is an "app password"? If it's just a password stored in an app (and then what is a non-app password? one in a text file?), why wouldn't it be as vulnerable to device hacking?
.....
Also, a couple of genuine questions about what's possible:
> Impementing per-message-encryption would turn us into a dumb blob store. The whole point of FastMail is the value add - fast search, ability to deal with a lot of email quickly, etc.
Email messages arrive in the clear, unavoidably; new messages are always vulnerable. Why not do the processing then - spam filtering, build a search index of hash values, etc.? Then permanently (from the server's perspective) encrypt the old, stored messages, and give endpoint/user the only means of decryption.
> users lose their passwords all the fricking time
> we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices
How do the end-to-end secure messaging applications, such as Signal, handle those issues, if anyone knows?
> If the message is decrypted only on my device, then that wouldn't matter. I'm guessing endpoint decryption is not what you (or maybe the GP) are talking about, but I don't know what you mean.
Oh yeah, sure - if you only decrypt on your device, then that's reasonable. We could encrypt to a public key on delivery. There's services that do that, but FastMail isn't interested in being one of those services. The tradeoffs mean we could do very little. Certainly not a webmail service.
It's a password that's created by the server and used on only one app. So if you lose your device, you can disable that one password only. Also, there's no chance that you'll reuse it across sites, so it can't leak from other services because you won't be using it there.
It's also limited to just the protocols that are used on that device, so can't be used to reset your password or payment details or install forwarding rules, etc.
> Why not do the processing then - spam filtering, build a search index of hash values, etc.? Then permanently (from the server's perspective) encrypt the old, stored messages
If you can search for keywords and find maching message blobs, that's nearly as good as having plaintext access. If was encrypted to only the endpoint, the usual issues of "you need to download the entire database to search your email" apply, and of course we're doing very little.
> How do the end-to-end secure messaging applications, such as Signal, handle those issues, if anyone knows?
They're not designed to be your long term memory, which simplifies things a lot. You basically lose access to your history. Which might be find if you don't care about the past, but that's not how I see email. Email is your electronic memory, and encryption+lost password means that nobody can get at your memories, not even you!
I like that, because it at least feels more secure to have a password that can only be used once, combined with the ability to go into the settings and shut off any device if it gets lost.
Yeah, it's by far the best of the options that use standard username/password authentication support. Basically make the password be another server-provided factor rather than user-chosen.
Without saving a hashed password, you can’t authenticate users. End to end encryption like what you really want requires the data to be decrypted by the recipient (using a key or password).
Because the service provider receives the unencrypted email and can choose to save a copy, encrypt it to a different key, etc. This was the scam Lavabit pulled, and the government called them on their bluff and asked for a copy of the key and Lavabit had no legal ability to refuse.
If the threat model does not include a government with the ability to use legal process, it needs to be defined more precisely. In general the US government can use legal process in the US and just straight-up hack into things elsewhere (who's going to raise a diplomatic incident over it? Russia is literally poisoning people, nobody cares, and their military is less powerful than the US's). If your threat model is other governments or just unrelated attackers like advertisers, there are more straightforward approaches.
Calling Lavabit a scam is a bit of a stretch. They, by all appearances, genuinely tried to offer email as secure as it could be, given the limitations of the protocol, and when pressured to give up the keys chose instead to inform their users and fold the business.
They made promises that they should have known were impossible to keep. In my books, that's a scam. Sure, they tried very hard to keep them, but that doesn't change the fact that they could not deliver on their promises and anyone could have told them that.
Also, no, they did not inform their users. They handed over the key and waited for users to notice court documents.
What a sad news. I was expecting more servers in EU in a near future and maybe an option to select the location of our primary DC (US or EU). I've been a happy customer since 2013 and for the first time since I joined I'll be considering other options.
Basically the problem was datacentre network reliability, power reliability, and the pointlessness of having one EU datacentre which isn't reliable enough to run production out of. We'd still need to replicate to a second datacentre for multi-site safety.
At that point, why bother? We'd have to run two EU datacentres to have data only in EU, and we'd still be under the same actual legal jurisdiction (Australia) either way, so it would be security theater rather than an actual change in risk. We haven't ever given data to US authorities directly, we point every single request from anyone to the Mutual Assistance Treaty with Australia, and that would be the same regardless of where servers are.
In summary, having servers in the EU is 99% security theater, and the other 1% is pointless unless we had two datacenters who were as reliable as NYI have been for us. We haven't found such partners.
We haven't ever given data to US authorities directly, we point every single request from anyone to the Mutual Assistance Treaty with Australia, and that would be the same regardless of where servers are.
The EU is outside the jurisdiction of FISA courts, whereas New York is not. I am definitely not an expert or lawyer, but I would think this is not just security theater.
I was always hoping that Fastmail offer hosting that is fully in the EU. To me being affected by the Australian, EU, and US jurisdictions is worse than just the Australian and EU jurisdictions. Of course, I would prefer EU-only.
I am extremely happy with Fastmail. But if there was an EU e-mail provider with feature parity, I would probably switch. Not that I expect that that'll happen anytime soon (subdomain addressing and iPhone push notifications are killer features).
For sure if we had two separate EU datacentres and no US datacentre contained a copy of the emails that would be not security theater. While there's copies in both jurisdictions, having a copy be outside the US really is security theater though.
The financials of running up two full EU-only datacentres don't make sense for us at the moment given the demographic distribution of our customers. And we haven't had any run-ins with the FISA courts in the nearly 20 years we've been operating.
Of course the past isn't a 100% predictor of the future, but US authorities have always been happy (or at least willing) to accept that our data is under Australian jurisdiction.
But fastmail and the admins are under Australia law. This makes all attempts to do anything an international incident. FISA cannot do anything directly, they need to contact Australia for help. FISA can order NYI to put in a wiretap - but why bother when we already know there are wiretaps in all the major peering points on the internet.
I dont think this is true. I don’t believe there is any evidence that the US government is analysing all emails hosted by all US companies.
Rather, if the US government asks for a particular individuals emails the provider must grant the request provided there is a valid (possibly secret) warrant.
Post Snowden I wouldn't safely assume that the govt/three letter agencies don't do something just because there is no evidence. Snowden was years ago, the NSA surely didn't sit on their hands in the meantime, especially now with SSL being deployed everywhere. "Oh right what we did was evil and wrong, let's stop everyone"
The claim made was that they do. You don’t get to say that without providing evidence. You can say they might be, but that’s a different claim.
Also, capabilities matter. I have no doubt if they could they would. The Snowden revelations mainly revealed partnerships between service providers and gov agencies. Simply existing in the US does not mean your data is automatically available to 3 letter agencies. It could, but there is no evidence to suggest that it is.
> You don’t get to say that without providing evidence
Put a parakeet in a windowless room and close the door. I can reasonably make the statement that the parakeet is perching, looking around, and/or preening its feathers, because that's what parakeets do. I wouldn't need direct observational evidence to make this statement.
Panopticon-level spying is what intelligence agencies do. It's what they've striven to do, as much as possible, without getting caught. The Binney and Snowden leaks corroborate this, and there's no reason to believe they've suddenly stopped trying to. OP doesn't need evidence to make the reasonable claim that intelligence agencies spy on us, and likely do it by hoovering up our data for analysis.
Yes agencies like to spy. Do they have a camera in every house in America?
Again, I’m not saying they wouldn’t or wouldn’t like to. But saying “they do EVERYTHING post-Snowden” isn’t a very good argument, and definitely isn’t a fact.
And if the claim is “spy agencies spy” then the country of origin for your data probably doesn’t matter. Invoking “post-Snowden” usually relates to Prism, which was a partnership with specific providers.
The US government doesn't need a warrant for emails older than 180 days that are still on the server.
Emails older than that are considered abandoned[0] and treated the same as an abandoned storage unit, due to an old law from the time when email was regularly downloaded and purged from the server by local email clients.
IIUC, no judicial order is required for collecting. Only for looking at collected data; but agencies get creative around these processes, so I wouldn't count on legal protection from snooping.
Unless you're sticking to countries that hang their hat on digital privacy, hosts outside the USA are also likely to be snooping with varying levels of competency. "Not USA" isn't a good enough filtering criterion.
Many countries have reciprocal agreements for sharing intelligence. Unless you go to a country that is known for its privacy values at the highest level then you're likely not going to maintain you privacy from the government of your country or most other powerful governments.
How is their security? Maybe people like to forget, but security breaches are a thing, and when they occur you get the privilege of opening up your data to the entire world, not just to the NSA.
Google, for whatever else you want to say about them, have first-class security.
Correct, but since the reason this question popped up is due to privacy concerns regarding Chromium, I think it's even more important for people to know about these things to make an informed choice.
By the way, I really like Fastmail - they are very competent. But mail/calender is such an important part of online identity and life, I think people should be careful about who to trust
My problem with FastMail is that if you stop paying for your email address, they recycle it. This means that someone else could potentially buy your old email address (if you migrate away) and use it for nefarious purposes.
I do this and make a new alias for everyone I give an address to (such as hn@domain.com). It can be interesting to see who leaks/sell your email address. You can also shut down alias that get out of control.
Indeed! This is why I stopped using it. I love Fastmail, but who knows if I feel that way in 5 years. The entire point of Fastmail + own domain is never being locked in again. Using subdomain addressing locks you in once again.
I'm with @rb666; Don't rely on it as most will support plus+ addressing but not the the fast mail subdomain addressing as I am now in the process of migrating to Migadu.com and I need to go and unsubscribe and resub using the plus+tag. It's a PITA... lesson learned, stick with best industry practices even if there is an easier method because you'll thank yourself later.
catchalls are great. In addition to allowing the use of arbitrary custom addresses on a whim they make it really easy to identify spam and train spam filters. Anything that arrives on multiple random/unused addresses at your domain is spam.
I do this too but sometimes companies reject my replies because the from address isn't the same address they have on record. Maybe there's a way to make the "reply's from" the same as the "original's to" but idk.
With FastMail, you can select your wildcard as your "from" address on their web app, and just directly edit the `*` to be `<whatever>` and it will work fine :)
FastMail lets you change the from: address on the fly if you’ve set up a catch all.
And if you are not with fadtmail, there’s are several “multiple identities” add-ons for thunderbird (and recently a built in one, though it is still buggy) which let you add from addresses on the fly.
Huh, I haven't had that problem in about 7 years of using a custom domain name. Maybe the distinction is that mine is a .com? I feel like enough businesses themselves use custom domain names that dropping unknown .coms would break a ton of legitimate B2B traffic, but perhaps .me less so.
I use a .me domain myself but I haven't had any spam problems. Although I share it very very sparingly and have a catchall on another domain that I use for signing up with any service / sharing with non-trusted contacts. Even there, the spam problem isn't bothersome.
Surprisingly difficult for a personal-professional email if you have a somewhat common name. Nearly everything under the main TLDs was bought up ages ago. The issue can be mitigated with some creative branding work, but that’s arguably not any easier.
I've used .io and other "unusual" TLDs for a while and never had an email bounce or flagged as spam.
As someone else pointed out, make sure you setup spf, dkim, and all the other jazz. Some providers will host and setup the dns for you but its always best to use your own dns provider as the records are relatively easy to setup.
I haven't had any issues with my personal domain in years, ever since I moved it from random web host to GApps, to deal with IP reputation issues, and have SPF+DKIM setup. (but my domain is a .net one)
Agreed 100%. After losing multiple emails addresses in the past due to ISP changes, having an email on your own domain is nice. You can then even switch email providers as you wish and your address will follow.
Well, my Gmail account dates to 2004 but my personal domain dates to December 2000! I've lost domains that I continued to pay for, in fact I'm pretty sure that Zoho was paying for their domains as well.
Huh I haven't even thought about that. That's really bad, especially since I have a popular fastmail.com address where every other month I get an email asking for the account
Switched to Fastmail many years ago when self hosting became too time consuming for me. Never looked back. I had to use their support only very occasionally and even then their reaction time and competence were outstanding.
They do just one thing - email - and do that very, very well.
Yes, I use their calendar web app on Desktop (the one next to Mail). For mobile, I sync individual calendars into my Android Calendar ("CalDAV-Sync").
My biggest issue with the Google Calendar was the syncing rate of 24 hours for iCal feeds. On Fastmail, new events appear quite fast (and I can force the update manually, if I need to).
This seems like a really common use case that ought to work well. I switched to Fastmail a few months ago (I still haven't fully committed to sticking with it.)
Did you contact support?
Did you solve the problem by switching to another calendar provider?
I use their calendar with various apps like Fantastical or Timepage. It's standard CalDAV and should work with any decent calendar app, including defaults like Apple calendar.app.
Does Fastmail provide any kind of "bundling" or "priority inbox" features?
Since using Inbox on Android, I can't imagine going back to being notified about every single email. Automatic bundling of messages and the custom rules that you can then set on those bundles is a killer feature. If nobody comes along with a decent alternative before Inbox is shutdown then I don't know what I'll do!
I don't know if fast mail provides it out of the box but I have started to test out spark: https://sparkmailapp.com/ as a replacement for Inbox. While it is a bit from as good as Inbox it can get the job done, and has bundling.
I simply set it up to archive when swiping (which is what Inbox seems to be doing). However, it's notifications are far from as good and you can't archive straight from the notification, which, to me, is a let down.
Furthermore, on iPhone 8 there is an actual loading screen when opening the app. Like, why? Everything is already stored in the phone and it should just look for new mail in the background?
So far from perfect, but what can one do when Google is killing stuff off.
One issue though: you have to be in the apple ecosystem as they do not support, anything but iOS/Mac OS.
This would be my complaint having had a quick look at Fastmail. Their mail client provides only the most basic of email functionality - folders, filters, contacts etc. It seems like you're paying a monthly subscription for privacy when you may as well host your own if you don't need any features beyond what IMAP offers as standard.
I've been using https://www.sanebox.com which does a pretty good job of the bundling, leaving you with just the important stuff in your inbox. It's not as well integrated as Inbox could be, but I find it very usable, and even better in some ways as the 'bundles' don't end up back in your inbox, they are always in other folders by default.
Just to provide some balance to the feedback: I've been using FastMail for 2 years and am mostly "meh" on it. My issues are with the web interface (which is largely why I use them instead of running my own server):
- No delay send/undo send. Allegedly in the works for ages
- Very buggy editor. Randomly slows to a crawl while composing, scrolls up and down erratically
- Cannot handle very long threads very well. (since unfortunately the business world uses top replies with Html email) E.g., undo can pin a core and crash the page.
- Notifications randomly show up twice and then freeze on screen
Thanks for the feedback - I've passed that to the product team. We're busy working on the JMAP replacement web interface, which has a fair bit rewritten.
Our search is built on top of the Xapian search engine. We blogged about the underlying tech a while ago. You can sign up a free trial and have a play pretty easily.
Search works decently, but they index the whole message, including quoted text. So a search term shows up in the original message, as well as all the replies downthread.
Yeah, we're working on identifying whether something is in quoted or non-quoted text. That one is quite tricky to get 100% right, so we err on the side of matching more messages.
I second this. Their service was exceptional for 3+ years I've been with FastMail. Got many small businesses I've worked with to migrate.
Only thing which annoys me is that their push-enabled iOS app does not support multiple accounts. It has been like that for years, I've heard that a new app was in the making, but nothing came out yet.
+1 for FastMail — I've been using it for the last 2 years and I've got nothing but praise for them.
ProtonMail seems to be another popular alternative, but their E2E encryption claims sound like snake oil to me, but snake oily as it is, it's still a better choice than Gmail.
1. if it's encryption in the browser via a web interface, then it's not secure; the moment a web form asks for a password that can be used to decrypt your data, that's the moment your alarms should go off, because in spite of the claimed E2E encryption, their security might actually be worse than Google's
2. with email you're communicating with the world and the email world is not encrypted; what this effectively means is that ProtonMail keeps your email encrypted only while it is at rest; maybe it's better than what Google does, but they can still see whatever comes in or goes out in plain text and you're still relying on their promise to do no harm
3. ProtonMail needs to use a "bridge" in order to be compatible with email clients; this means that access to ProtonMail is non-standard (e.g. SMTP, IMAP) and therefore you still have the lock-in of Gmail, only it's now worse
4. It creates a false sense of security. If you want real information security, better tools are needed; various chat apps are much better, plus actual GPG ... because the PGP model requires a "chain of trust" that you have to maintain yourself for actual security
> if it's encryption in the browser via a web interface, then it's not secure
Ehh…
The big difference from native apps is that native apps are often signed by the developer. While with web apps, there's normally only a more "temporary" form of signing, that is, the TLS session.
Assuming the app developers are better at securing their offline signing keys than TLS server keys, native apps with signatures are indeed more trustworthy. (But are they actually better at this??)
Also, you might be more likely to get malware browser extensions than OS-level malware. Maybe??
On the upside, the web is more auditable by default (of course you can obfuscate JS and WASM just like you can obfuscate anything, but "view source" is still much easier on the web).
> ProtonMail keeps your email encrypted only while it is at rest
IIRC it's also end-to-end between ProtonMail addresses or something?
The problem is that the web page loads on every request. This means that you, @floatboth, can be targeted with a broken client that leaks your keys next Wednesday between 13:00 and 14:00 and you'll never know it.
A native app is not something that loads every time you open it. And the binary you get is the same binary that everyone else gets and if you suspect something fishy, you still have that binary later for inspection. Compromising an app binary is not impossible mind you, as we could see with fake Apple XCode fooling Chinese developers into submitting infected apps to Apple's store, but it's much, much harder with security conscious users.
Also there's not much difference between highly compiled and obfuscated JS code and binary code. In both cases people start inspecting such apps by sniffing the outputs. Or otherwise it's not such a big jump from JS to assembly for people that do this for a living (e.g. I'm guessing anti-virus companies).
> IIRC it's also end-to-end between ProtonMail addresses or something?
It might be, but encryption that only works between ProtonMail accounts is no longer _email_. It's either a standard, or it's not email and I'm not interested in communicating only with ProtonMail users.
1. ProtonMail implements the OpenPGP standard and is fully interoperable with other OpenPGP email systems.
2. The web app is a single page application so it does not reload on every request.
That said, you are correct that the web app is not appropriate when the threat model includes ProtonMail itself (though you can run the web app locally and thus sidestep the problem). The native clients are better suited in that case.
It's surprisingly responsive for large email accounts too. I had ~100K emails imported and marking all as read would take about 10 seconds. I can't complain with that all things considered.
FastMail is good, but it's very expensive. I'm waiting for more competition in this space. I think, as people turn away from Google (and thus Gmail), more competition will arise and we'll finally see fair prices.
I don't feel like FastMail is that expensive for most people.
Obviously, compared to free, it's expensive. But in real terms, I pay $70 every 2 years for it - works out about £25 a year for me, which is about the price of a meal out. I think that's worth it for secure and powerful email. I've never found it to be expensive.
This is a clear case of a price being judged differently depending on where you live. 25$ is luxurious expensive meal out for me or 5-7 fast food meals.
It's also expensive compared to rolling my own. Using the standard plan, I'd be paying 200$/y for just a single address for each of my family members. Personally, I want at least 2 myself.
Compare that to the ~120$/y I pay for my main VPS which has plenty of spare resources to handle not only my family's email, but also for some clients AND, since I make the rules, I also don't need services like Sendgrid for sending email from my websites.
All well worth the 5-10 afternoons a year spent maintaining it.
That is really great if you don't have any outbound deliverability issues due to IP reputation on a VPS host! Under those circumstances, that sounds like a great arrangement.
I think that is not quite the norm, lots of these hosts (and home internet connections) tend to have rather bad reputations, and chasing down the various RBLs can get really old really fast, especially since the most common response is to silently blackhole so you don't get a bounce.
This might be what you mean, but I believe they charge by inboxes, not by addresses. I have lots of addresses, but a single inbox (which I use rules to file within), and that is relatively cheap.
I used to run my own email server, but found it difficult to get things like push email working reliably, and had a couple of issues with deliverability of emails.
I might be wrong, but I also think it is expensive. When I can have a 5 family plan from office365, including, word, excel, powerpoint, outlook, etc, with 1TB per account, 60 minutes of skype calls per account, etc, for 10 per month, 25 per month (for 5 people) only for email seems too expensive to me. The only thing lacking is custom email address.
The basic is $3 though. I have migrated all my private emails I've ever sent or received (some tens of thousands, starting from 90s) to Fastmail. Still well under the 2GB limit of the basic plan.
FastMail appears to be $50/year if you want your own domain. --Maybe there's a discount for multi-year signups, but I can't find it in their pricing details.
Honestly, at that price point I would go with Exchange Online for $48/year. --Virtually the same price and yet I would get double the storage and native integration to Outlook on the desktop and mobile.
There is competition. It’s just that many people don’t know or haven’t tried them. Here are three providers on par with Fastmail but are way cheaper if you need multiple mailboxes — Posteo (posteo.de), Mailbox (mailbox.org) and Runbox (runbox.com).
But I do believe that even these cheaper ones are expensive for what they provide in terms of storage capacity, number of aliases, etc. Costs are supposed to go down over time, and prices too.
There's also development and maintenance costs? Someone needs to build that web UI, android and iOS apps, kick those servers when they misbehave, answer the phone or reply to your enquiry?
Except for the apps, cloud hosting providers already give you all of that for a better price. I also don't want an app... IMAP is a standard, you know.
It's cool you spend your time and money doing things you like (regardless of whether those RFCs will be implemented by email servers and clients) but don't make your customers pay for it. Set up donations or something.
This 1-XS server costs 2€ every month and it could perfectly handle the email of hundreds of users. They are charging you more only for yourself, and that's not even factoring in the economies of scale.
Well, think about the VPS you're proposing. Two euros a month is 24€ a year. Even if you're only paying yourself 6€ an hour, I'm skeptical that running an email server for 100 people would require less than four hours per year.
Fastmail can get quite expensive when you need more than a few mailboxes (not aliases, but mailboxes). Cheaper options are Posteo, Mailbox.org and Runbox.
but the problem is that fastmail only offers mail and calendar, while gsuite offers, word processor, spreadsheet, presentations, online forms, and photos...
Fastmail has a photos/files/website feature so it isn't just email. I use G suite now for my side business and I've never used any of the features besides email since I have Office on my machine.
It obviously depends on your use case, your personal situation, etc. But for me it is very hard to justify $5 per user per month (we are 5 so that is $25), when I can pay $10 to Microsoft for Office 365 for 5 users, and get, besides email, chat, and drive, word, excel, powerpoint, and skype with 60 mins of international calls.
FREE PLAN - Up to five users. 5GB/User, 25MB attachment limit.
This is to have all 5 users in one "organization".
ZOHO offers full G-suite replacement, free. They have many more applications too.
I used the free plan for a few years, then started paying $24 per year for more storage. What you get for $24 per year is amazing. What you get with the free plan is amazing. Their business model is to impress you with their products enough for you move to a paying plan. They do NOT make money harvesting your personal information and selling it third-parties.
I’ve been using Fastmail for my personal email for the past four years, and love it. Really reliable, fast, and allows me to keep a personal email without all of the Google Apps stuff.
Same here. FastMail with a custom domain name. First I was planning to self host. But I thing mails are quite touchy and doing it myself may be a risk.
That's fair enough (and I am using gmail precisely because I have no way to pay another service provider -- banking while living in a country that you are not a permanent resident of is tricky). However, the entire thread is about what service should you use if you are worried about privacy.
Although available in Japan where I live, there is literally no way to transfer money out of my bank. You may think it odd, but getting a bank account in a foreign country is actually hard. The bank I use is not my choice, but the choice of my former employer -- that's how I got the account. When I set up my own consulting company, I ended up using the same bank. I'm trying get out of it. I have an account with an offshore bank, but going through the paperwork to actually deliver my pay cheque into it is rather daunting (even though I own the company that pays me!). It will be dramatically easier when I get permanent residence status (which I probably can get whenever I get around to applying for it -- and I should do it sooner rather than later).
But anyway, there are other people in the same situation, where they literally can't pay for things online. I just wanted to indicate that I understood the situation. But thanks for the pointers. It looks pretty useful if I ever get in the situation where I could use it.
I would somehow have to get money into the account... It's the same problem all over again ;-) I suppose I could put the BTC that I mined heating my house when CPU mining was a thing in there...
I don't understand how am I paying for Gmail. I never noticed any ads there (I know that there are ads, but it's hard to find them unless you're searching for them specifically), actually I'm rarely even using web interface and Gmail doesn't add any ads to IMAP-served mail. For me Gmail is absolutely free. May be it uses mail information to target ads for me, but I'm not even sure that I should consider that as a payment. I prefer targeted ads over untargeted ads anyway.
For the privacy, quality, and features it offers at the reasonable price of $50/year, I would say that it's a fantastic alternative. It'd be hard-pressed to find anything free that is on par.
Privacy wise, you're paying for the service so there's a reasonable expectation that they're not mining your emails to build a profile of you. Unlike Google they have no ads to serve you.
> all your personal emails are stored in [someone else's] servers.
Well, yeah. That's true for everything except for hardware you actually own.
They're saying it's better than storing it on Google's servers, not that it's bulletproof.
There really isn't a way to have impenetrable email. It's all about what type and level of risks you're willing to take.
E.g. are you concerned more about rubber stamps or software exploits? Are you more concerned about usage pattern profiles or someone actually reading the content of your messages?
Different people have different priorities and there is no one single best option.
In my 6+ years of being forced to use Office 365 for one of my accounts - it is a flaming POS. Plagued by poor performance, regular (unexplained!) outages and has series issues with data consistency and don’t even get me started on it’s terrible rules system.
Let's not forget that with slightly more money that Fastmail or Protonmail are asking for just one mailbox, MSFT is offering you a whole office suit plus 1TB of storage.
Your criticism regarding functionality might be true, but there is no reason for competitors to charge more.
I'm just a simple email user -- 50 emails per week -- and I don't keep them in my inbox. As soon as I'm done with them, I delete them. A simple 50MB inbox is sufficient for me. I just need an ad-less mail box. For me anything beyond 5$/year is expensive as hell.
I'm using my own domain, so it's $5 per month. Considering that I'm using VPS for less than $1 per month, that price seems absurdly high. I would consider paid mail for $5/year with 25GB storage and fastmail features, otherwise free mail looks much better.
Even $5 is not bad, I’m guessing most HN readers wouldn’t miss $5 a month.
Anyway services like Facebook extract around that amount from you via targeted ads, I’m happy to pay if it allows to me to isolate myself from that a bit.
Having to manage yet another public server is a stress on its own. Having to worry about server backups, security, DKIM, SPF, DMARC, avoid being blacklisted, etc made it even worse. Despite all of this I couldn't shake off the feeling that my mails went directly to the recipient's spam folder.
I'm not interested in maintaining mail servers. I can certainly do it, but my spare time is scarce.
Nowadays, I periodically sync all mailboxes to my laptop, so that they enter the backup chain I already have. If GSuite goes down or Google disables my account, I'll upload my backups to Fastmail, point the MX records there and go on with my life.
I find this setup way easier to understand and maintain than a mail server.
HipChat internally uses Postgres and Redis, not some proprietary undocumented blob store. While I'm sure that a working applicative export function would make things easier, I don't see why you can't give Mattermost the relevant read-only credentials to those datastores and let Mattermost read directly from the source.
I'm not sure what they mean by "export function". Hipchat isn't "an application", it's a bunch of services running on a network of VMs. At the very least, Hipchat includes Elasticsearch and MySQL. Seems odd that they'd rely on any particular Hipchat API when they can rip that data out of the guts of the machine.
I'm sure there's a fair amount of business logic between what's in the database and what's delivered to the presentation layer. Pulling from a database means that the new company has to reverse engineer Hipchat's API implementation.
> since modern thermal pastes are non-conductive, there is no real downside to an enthusiastic application of paste except for making a mess
I recently re-applied thermal paste (an old Arctic MX-2 I had lying around) on a late 2013 MacBook Pro which has bare-die CPU and GPU. The first time I did it, I applied too much paste and it had an observable negative effect on thermal dissipation. Once I applied the correct amount, I got slightly better results than stock paste.
Sources:
- https://www.apple.com/business-docs/FaceID_Security_Guide.pd...
- https://support.apple.com/en-us/HT204587
- https://support.apple.com/guide/security/welcome/web