I was having some trouble playing files from my NAS using a Fire TV stick which was connected via a couple of hubs and an ethernet switch, so I wanted to double check the connection bandwidth. Here's how to do it from the command line, which is still possible on Android-based Fire sticks.

First, enable adb in the Developer Options page in the Fire TV settings page. Then find it's IP address in the network settings page and use:

adb connect 10.19.72.182

[permit the adb connection on the TV's dialog]

adb shell

Shell into the NAS in a window and type:

dd if=/dev/zero bs=1M count=100 | nc -l -p 9999 -q 0

In the adb shell window run:

date; time toybox nc 10.19.72.5 9999 > /dev/null ; date

That'll result in something like:

Sun Apr 12 11:10:10 IST 2026 0m08.92s real 0m00.03s user 0m00.96s system Sun Apr 12 11:10:19 IST 2026

8.92 is the real elapsed clock time to download 100MB of data from the NAS. 100 MB / 8.92s = 11.2 MB/s, or about 89.7 Mbps.

89 Mbps should be enough to handle 4K for most compressed streams -- although I may need to consider switching this to running off wifi to handle newer, bigger files. It may be time to upgrade my wifi setup in that room to fix some latency spike issues.

• The Blockade Is the Message. How a Fuel Price Spike Became a Fascist Audition

  This is 100% spot on, regarding Ireland's "fuel prices" blockades this week --

  There is a particular tell, when a “spontaneous people’s protest” isn’t quite what it claims to be. It isn’t the placards. It isn’t the high-vis vests. It isn’t even the tractors. Ireland has plenty of legitimate reasons to bring a tractor to town, and a country built on agricultural grievance has every right to express it loudly. The tell is something subtler. It’s the moment someone in the crowd, their face contorted with what is supposed to be anger about diesel, screams “What’s a woman?” at a passing TD.

  Tags: fuel prices cost-of-living demonstrations ireland politics far-right farming blockades

• nFolio

  This app does a very decent job of displaying a folder of images from a NAS via DLNA or SMB as a slideshow on an Android or Fire TV; can be set up as the screensaver with a little adb'ing

  Tags: nfolio screensavers tv video photos family

• Software Licenses and Workers' Rights · Agent IO

  Huh, this is a thought-provoking blog post about OSS licensing.

  It is observably and objectively bad for society when investors own closed-source software. That starts by being bad for tech workers, creators lose the right to the value that they create, and users are still harmed because they don’t get the protection from spying and abuse that open source promised them.

  [...] The open source movement is a ladder that leans on the wall of users’ rights. We’ve spent forty years climbing that ladder. Where are we now? Our world is controlled by moguls who’ve built empires using open source software that they’ve locked behind proprietary barriers. Those empires exploit workers and harm the users that the open source movement was supposed to protect.

  Our ladder is leaning on the wrong wall.

  Tags: open-source closed-source oss licensing freedom software rights

• How Do You Find an Illegal Image Without Looking at It?

  A very good writeup of how illegal-image detection algorithms like PhotoDNA and PDQ work, and the Hasher-Matcher-Actioner three stage pattern

  (via Erin Kissane)

  Tags: csam detection filtering photodna pdq classifiers photos videos classification hashing fuzzy-hashing via:erin-kissane

• OkCupid gave 3 million dating-app photos to facial recognition firm, FTC says

  This is a staggering breach of privacy. At this stage one has to assume that any data uploaded to a US company will be shared with whichever scumbag pays them the most.

  OkCupid and its owner Match Group reached a settlement with the Trump administration for not telling dating-app customers that nearly 3 million user photos were shared with [Clarifai], an [AI] company making a facial recognition system. OkCupid also gave the facial recognition firm access to user location information and other details without customers’ consent, the Federal Trade Commission said.

  Tags: us-politics data-protection privacy dating-apps okcupid match.com clarifai ftc

• Why So Many Control Rooms Were Seafoam Green

  Turns out it's US standard Industrial Color Coding, thanks to "color theorist" Faber Birren:

  With the increase in wartime production in the US during WWII, Birren and DuPont created a master color safety code for the industrial plant industry, with the aim of reducing accidents and increasing efficiency within plants. These color codes were approved by the National Safety Council in 1944 and are now internationally recognized, having been mandatory practice since 1948. The color coding went as such:

  • Fire Red: All fire protection, emergency stop buttons, and flammable liquids should be red

  • Solar Yellow: Signifies caution and physical hazards such as falling

  • Alert Orange: Hazardous parts of machinery

  • Safety Green: Indicates safety features such as first-aid equipment, emergency exits, and eyewash stations.

  • Caution Blue: Non-safety information, notices, or out-of-order signage

  • Light Green: Used on walls to reduce visual fatigue

  Tags: green design history color-theory faber-birren control-rooms industrial-design color-coding

• russellromney/turbolite

  I like this: "a SQLite VFS in Rust that serves point lookups and joins directly from S3 with sub-250ms cold latency":

  It also offers page-level compression (zstd) and encryption (AES-256) for efficiency and security at rests, which can be used separately from S3.

  Object storage is getting fast. S3 Express One Zone delivers single-digit millisecond GETs and Tigris is also extremely fast. The gap between local disk and cloud storage is shrinking, and turbolite exploits that.

  The design and name are inspired by turbopuffer's approach of ruthlessly architecting around cloud storage constraints. The project's initial goal was to beat Neon's 500ms+ cold starts. Goal achieved.

  If you have one database per server, use a volume. turbolite explores how to have hundreds or thousands of databases (one per tenant, one per workspace, one per device), don't want a volume for each one, and you're okay with a single write source.

  Tags: sqlite sql s3 aws gcp object-stores rust databases

• TurboQuant: Redefining AI efficiency with extreme compression

  "TurboQuant is a compression method that achieves a high reduction in model size with zero accuracy loss, making it ideal for supporting both key-value (KV) cache compression and vector search. It accomplishes this via two key steps:":

  • High-quality compression (the PolarQuant method): TurboQuant starts by randomly rotating the data vectors. This clever step simplifies the data's geometry, making it easy to apply a standard, high-quality quantizer (a tool that maps a large set of continuous values, like precise decimals, to a smaller, discrete set of symbols or numbers, like integers: examples include audio quantization and jpeg compression) to each part of the vector individually. This first stage uses most of the compression power (the majority of the bits) to capture the main concept and strength of the original vector.

  • Eliminating hidden errors: TurboQuant uses a small, residual amount of compression power (just 1 bit) to apply the QJL algorithm to the tiny amount of error left over from the first stage. The QJL stage acts as a mathematical error-checker that eliminates bias, leading to a more accurate attention score.

  QJL: The zero-overhead, 1-bit trick

  QJL uses a mathematical technique called the Johnson-Lindenstrauss Transform to shrink complex, high-dimensional data while preserving the essential distances and relationships between data points. It reduces each resulting vector number to a single sign bit (+1 or -1). This algorithm essentially creates a high-speed shorthand that requires zero memory overhead. To maintain accuracy, QJL uses a special estimator that strategically balances a high-precision query with the low-precision, simplified data. This allows the model to accurately calculate the attention score (the process used to decide which parts of its input are important and which parts can be safely ignored).

  PolarQuant: A new “angle” on compression

  PolarQuant addresses the memory overhead problem using a completely different approach. Instead of looking at a memory vector using standard coordinates (i.e., X, Y, Z) that indicate the distance along each axis, PolarQuant converts the vector into polar coordinates using a Cartesian coordinate system. This is comparable to replacing "Go 3 blocks East, 4 blocks North" with "Go 5 blocks total at a 37-degree angle”. This results in two pieces of information: the radius, which signifies how strong the core data is, and the angle indicating the data’s direction or meaning). Because the pattern of the angles is known and highly concentrated, the model no longer needs to perform the expensive data normalization step because it maps data onto a fixed, predictable "circular" grid where the boundaries are already known, rather than a "square" grid where the boundaries change constantly. This allows PolarQuant to eliminate the memory overhead that traditional methods must carry.

  Tags: ai tech vectors search quantization turboquant research algorithms compression papers qjl error-detection polarquant

• Debunking zswap and zram myths

  This is pretty compelling. I like this example:

  We have some concrete numbers to show this in practice. On Instagram, which runs on Django and is largely memory bound, we ran a test where we moved from their existing setup (with swap entirely disabled) to a setup with disk swap and zswap tiering. Django workers accumulate significant cold heap state over their lifetime, like forked processes with duplicated memory, growing request caches, Python object overhead, you get the idea. The results were twofold:

  • We achieved roughly 5:1 compression. That's a huge benefit for such a memory bound workload, and also enables us to consider further stacking workloads.
  • Enabling zswap reduced disk writes by up to 25% compared to having no swap at all(!).

  As you can imagine, as a result of this test, Instagram has been using zswap for many years now.

  Tags: kernel compression memory linux ops performance swap zswap zram

• hectorvent/floci

  "A free, open-source local AWS emulator. No account. No feature gates. No CI restrictions. Just docker compose up."

  Tags: floci aws emulation testing local coding

• GitHub - mautrix/whatsapp: A Matrix-WhatsApp puppeting bridge

  I've been investigating how I can back up my WhatsApp chat history and make it searchable (since WhatsApp's own built in search is not great). Turns out you can bridge WhatsApp into Matrix, and gateway your chats over to a self-hosted Matrix.org server. https://github.com/osteele/matrix-archive may then be a viable way to export those into a searchable format... or possibly this one? https://github.com/cameronaaron/matrix-archive/tree/master

  Tags: matrix whatsapp messaging chat interop searching self-hosted

• Ofcom don't consider geoblocking the UK to be sufficient for an overseas website

  r/LegalAdviceUK: "I run a self-help forum for people with depression. Ofcom has been bombarding me with emails demanding I start ID-verifying and age gating my website":

  I started getting email from Ofcom [regarding OSA compliance] around November 2025 and now have multiple letters. I've repeatedly told them I'm from Canada, I'm not based in the UK.

  Eventually, I blocked all UK IP addresses in mid-February 2026 and told them I'd blocked the UK and that I was done engaging with them.

  I've now got ANOTHER email from them saying they're going to commence enforcement action against me because simply blocking UK IPs is "insufficient to comply with the Online Safety Act 2023."

  Tags: osa uk

• funny Waymo anecdote

  on HN -- "Waymo saved my life in LA":

  When I visited LA, I rode in a Waymo going the speed limit in the right lane on a very busy street. The Waymo approached an intersection where it had the right of way, when suddenly a car ignored its stop sign and drove into the road.

  In less than a second, the Waymo moved into the left lane and kept going. I didn't even realize what was happening until after it was over.

  Most human drivers would've t-boned the car at 50+ km/h. Maybe they would've braked and reduced the impact, which would be the right move. A human swerving probably would've overshot into oncoming traffic. Only a robot could've safely swerved into another lane and avoid the crash entirely.

  Unfortunately, the Waymo only supported Spotify and did not work with my YouTube Music subscription, so I was listening to an advertisement at the time of my near-death experience. 4.5 stars overall.

  Tags: waymo funny anecdotes safety driving ai roads spotify via:hn

• Measuring Agents in Production

  "This 2025 December paper, "Measuring Agents in Production", cuts through the reality behind the hype. It surveys 306 practitioners and conducts 20 in-depth case studies across 26 domains to document what is actually running in live environments. The reality is far more basic, constrained, and human-dependent than TPOT suggest."

  This very much meshes with what I've seen and heard in real world usage. Lots of constrained LLM usage, carefully prompted, and reliability (consistent correct behavior over time) remains the primary bottleneck and challenge.

  (via Murat Demirbas)

  Tags: llm usage real-world ai agents papers via:muratbuffalo

• On the Biology of a Large Language Model

  Interesting research from Anthropic:

  The black-box nature of [LLMs] is increasingly unsatisfactory as they advance in intelligence and are deployed in a growing number of applications. Our goal is to reverse engineer how these models work on the inside, so we may better understand them and assess their fitness for purpose. [...]

  In recent years, many research groups have made exciting progress on tools for probing the insides of language models. These methods have uncovered representations of interpretable concepts – “features” – embedded within models’ internal activity. Just as cells form the building blocks of biological systems, we hypothesize that features form the basic units of computation inside models.

  However, identifying these building blocks is not sufficient to understand the model; we need to know how they interact. In our companion paper, Circuit Tracing: Revealing Computational Graphs in Language Models, we build on recent work (e.g. ) to introduce a new set of tools for identifying features and mapping connections between them – analogous to neuroscientists producing a “wiring diagram” of the brain. We rely heavily on a tool we call attribution graphs, which allow us to partially trace the chain of intermediate steps that a model uses to transform a specific input prompt into an output response. Attribution graphs generate hypotheses about the mechanisms used by the model, which we test and refine through follow-up perturbation experiments.

  Tags: claude llm research llms ai anthropic papers tracing

• 2 Ways to Correct the Financial Times at AWS (So Far) - Last Week in AWS Blog

  This from Corey Quinn, on Amazon's recent AI-related production outages, is very good:

  A healthy engineering culture, when confronted with "your AI tool contributed to a production incident," responds with: "Yeah, that tracks. Here's what we're changing so it doesn't happen again." An unhealthy one responds with a condescending press release explaining why the journalist is wrong and probably an idiot, and the human is at fault.

  The engineers building and operating these systems are talented people doing hard work under increasingly constrained conditions. They deserve leadership that backs them up when things go sideways, not leadership that throws them under the bus to protect a product launch narrative.

  Tags: incidents production ai llms amazon aws communications pr

• Former Uber self-driving chief crashes his Tesla on FSD

  This is actually a really good article about Tesla, "full self-driving" (FSD), supervision, automation, risk and liability:

  Tesla is asking humans to supervise a system that is specifically designed to make supervision feel pointless. As he puts it, an unreliable machine keeps you alert, and a perfect machine needs no oversight, but one that works almost perfectly creates a trap where drivers trust it just enough to stop paying attention.

  The research backs this up. Psychologists call it the “vigilance decrement”, monitoring a nearly perfect system is boring, boredom leads to mind-wandering, and drivers need 5 to 8 seconds to mentally reengage after an automated system hands control back. But emergencies unfold faster than that.

  Krikorian cites an Insurance Institute for Highway Safety study showing that after just one month of using adaptive cruise control, drivers were more than six times as likely to look at their phones. Tesla’s own website warns FSD users not to become complacent, but the system’s smooth performance actively trains that complacency.

  He points to two well-known crashes to illustrate the impossible math. In the 2018 Mountain View accident that killed Apple engineer Walter Huang, the driver had six seconds before his Tesla steered into a concrete median. He never touched the wheel. In the 2018 Uber crash in Tempe, Arizona, sensors detected a pedestrian with 5.6 seconds of warning, but the safety driver looked up with less than a second remaining.

  In Krikorian’s own case, he did take action, but he was asked to snap from passenger back to pilot in a fraction of a second, overriding months of conditioning. The logs show he turned the wheel. They don’t show the impossible math of that transition.

  The pattern Krikorian describes should sound familiar to anyone who has followed Tesla’s FSD controversies: condition the driver to rely on the system, erode their vigilance through months of smooth performance, then point to the terms of service and blame them when something breaks. When FSD works, Tesla gets credit. When it doesn’t, the driver gets blamed.

  Tags: fsd tesla risk attention supervision liability driving safety vigilance automation

• Research highlight: Cliopatra: Extracting Private Information from LLM Insights

  Research highlight: Cliopatra: Extracting Private Information from LLM Insights:

  When Anthropic came up with a new "privacy-preserving analysis system" to gain insights into AI use, and didn't use any provably robust notion to back up their privacy claims, I was mildly surprised. Surely they have both the money and the scientific maturity level to do better?

  But Clio, the system in question, sounded relatively reasonable, with multiple layers of risk mitigation built-in. Maybe adding differential privacy would have been overkill. I also didn't want to publicly criticize their approach in the absence of demonstrated real-world risk. So I didn't comment on their approach.

  You can probably guess where this is going.

  Fast forward to last week, and a new paper: Cliopatra: Extracting Private Information from LLM Insights, by Meenatchi Sundaram Muthu Selva Annamalai, Emiliano De Cristofaro, and Peter Kairouz. The authors show that with carefully designed attacks on Clio, they can bypass all the ad hoc mitigations, and successfully extract users' medical histories (1), in a way that provides 100% attacker certainty for some records.

  This is a new and clever take on an old attack. We've known for decades that k-anonymity is vulnerable to active attacks. Here, this is combined with prompt injection to encourage the LLM "summarizer" to actually include information from unique records. Perhaps more surprisingly, the authors find that some defensive layers are simply ineffective: the "LLM auditors" systematically report low privacy risk, and entirely fail to detect the attacks.

  Tags: privacy differential-privacy anonymity data-protection claude llms cliopatra infosec leakage

• "nothing up my sleeve" numbers

  This is great:

  "@jnsq.org: There's a concept in cryptography called a "nothing up my sleeve" number. Sometimes it's just the smallest number with the required properties. Sometimes it's pi or e or phi."

  Tags: numbers crypto cryptography maths

• Whole Brain Emulation Achieved: Scientists Run a Fruit Fly Brain in Simulation

  bloody hell this is amazing. As Charlie Stross noted:

  They've mapped the neural connectome of Drosophila and simulated it in silico. The experimenters went on to hook up their Drosophila connectome to an anatomically detailed Drosophila body model within an open-source physics engine that "uses generalized coordinates and constraint-based contact dynamics to simulate rigid-body systems with high fidelity" including joint and antennae modeling and accurate modeling of surface adhesion—and compound eye simulation.

  They managed to run a feedback loop between the full 127,400 neuron network in the biological connectome to the physical simulation, with feedback from proprioceptive signals received by the model "fly" in the simulation producing feedback spile trains in the simulation, and THEY GOT RESULTS:

  The behavioral repertoire observed in the demonstration included coordinated hexapod locomotion with both tripod and metachronal walking gaits, spontaneous postural correction in response to perturbation, initiation and execution of full antennal grooming sequences with the tripartite synchronization described by Özdil et al., and natural transitions between walking and stationary states. Every behavior arose from the same running brain model - there was no switching between different neural circuits or controllers. This is precisely what happens in a living fly: walking, grooming, and balance are different motor programs that coexist in the same brain and are selected and executed by the same biological circuits depending on the moment-to-moment state of the animal and its environment.

  Absolutely mind blowing -- a reconstructed, biological brain running in silico.

  Tags: simulation brains uploading drosophila flies emulation science biology neurons

• Your binary is no longer safe: Decompilation

  Brute-force decompilation and re-engineering of a binary (compiled) program, using Claude. The author takes an ancient MUD binary for BBSes, running as a Win32 DLL, and uses Claude, Ghidra, and the Ghidra MCP to first decompile the DLL to pseudo-C code with ~meaningful naming; then (and this is the really cool bit) uses a Claude-engineered scaffold to run the DLL in qemu with emulated inputs and outputs, so that property testing and differential testing approaches can be used to achieve decent code coverage of the re-engineered Rust implementation.

  This is really impressive. Deterministic simulation of the environment for the original binary is the key bit!

  Tags: claude decompilation reverse-engineering binaries software-archaeology qemu rust differential-testing fuzzing property-testing quickcheck

• Southern California air board rejected pollution rules after AI-generated flood of comments

  Today in grim future -- AI's future of lobbying:

  The opposition appeared overwhelming: Tens of thousands of emails poured into Southern California's top air pollution authority as its board weighed a June proposal to phase out gas-powered appliances. But in reality, many of the messages that may have swayed the powerful regulatory agency to scrap the plan were generated by a platform that is powered by artificial intelligence.

  Public records requests reviewed by The Times and corroborated by staff members at the South Coast Air Quality Management District confirm that more than 20,000 public comments submitted in opposition to last year's proposal were generated by a Washington, D.C.-based company called CiviClick, which bills itself as "the first and best AI-powered grassroots advocacy platform."

  A Southern California-based public affairs consultant, Matt Klink, has taken credit for using CiviClick to wage the opposition campaign.

  Tags: civiclick activism llms us-politics law lobbying spam matt-klink astroturfing

• No right to relicense this project · Issue #327 · chardet/chardet

  a good bit of OSS drama. The maintainers of the "chardet" library claim to have "clean room" reimplemented its code using an LLM, to relicense from LGPL to MIT. Of course that is now how this works (an LLM is not capable of "clean room", nor is its output copyrightable). Mark Pilgrim, as the code's original author, is not happy either....

  Tags: popcorn oss licensing ai llms chardet open-source clean-room

• Google API Keys Weren't Secrets. But then Gemini Changed the Rules

  Crikey, this is a massive security fail by Google:

  Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true: Gemini accepts the same keys to access your private data. We scanned millions of websites and found nearly 3,000 Google API keys, originally deployed for public services like Google Maps, that now also authenticate to Gemini even though they were never intended for it. With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account. Even Google themselves had old public API keys, which they thought were non-sensitive, that we could use to access Google’s internal Gemini.

  (via Rob Synnott)

  Tags: infosec api-keys authentication authorization google gemini google-maps fail

• 302 HTTP redirects Considered Harmful

  The state of anti-phishing infrastructure nowadays is shocking. This trivial action, combined with a relatively fresh domain, results in immediate blocklisting by Google:

  Digging through Google forums, I found the most reported culprit: 302 temporary redirects. I used one redirect (engramma.dev ? app.engramma.dev) to avoid building a landing page. In addition to a newly registered domain, this looks like an obvious issue. Security systems flag such redirects because malicious actors use them extensively.

  It doesn't matter that "malicious actors use them extensively" if non-malicious actors do too. That's the definition of a false positive!

  Then the next shitfest is from no less than 10 separate vendors copying the listing from Google and not including an automated system to pick up the list removal afterwards.

  I've had experience of this part -- and now that I think of it, it may have been from use of 302 redirects in my case too.

  (via Paul Watson)

  Tags: http security infosec blocklists google phishing redirects 302 false-positives fail via:paulwatson

• Persona identity verification is a GDPR nightmare

  LinkedIn are using a Peter Thiel-linked company called Persona as an identity-verification service. (Discord also tried them out for age verification, but are now apparently ditching them.) This is all a bit of a nightmare for EU based users, however:

  "When you click “verify” on LinkedIn, you’re not giving your passport to LinkedIn. You get redirected to a company called Persona. Full name: Persona Identities, Inc. Based in San Francisco, California."

  For a three-minute identity check, this is what Persona collected:

  • My full name — first, middle, last
  • My passport photo — the full document, both sides, all data on the face of it
  • My selfie — a photo of my face taken in real-time
  • My facial geometry — biometric data extracted from both images, used to match the selfie to the passport
  • My NFC chip data — the digital info stored on the chip inside my passport
  • My national ID number
  • My nationality, sex, birthdate, age
  • My email, phone number, postal address
  • My IP address, device type, MAC address, browser, OS version, language
  • My geolocation — inferred from my IP

  And then there’s the weird stuff:

  • Hesitation detection — they tracked whether I paused during the process
  • Copy and paste detection — they tracked whether I was pasting information instead of typing it

  Behavioral biometrics. On top of the physical biometrics. For a LinkedIn badge.

  Persona didn’t just use what I gave them. They went and cross-referenced me against what they call their “global network of trusted third-party data sources”:

  • Government databases
  • National ID registries
  • Consumer credit agencies
  • Utility companies
  • Mobile network providers
  • Postal address databases

  They use uploaded images of identity documents — that’s my passport — to train their AI. They’re teaching their system to recognize what passports look like in different countries. They also use your selfie to “identify improvements in the Service.”

  The legal basis? Not consent. Legitimate interest. Meaning they decided on their own that it’s fine. Under GDPR, they’re supposed to balance their “interest” against your fundamental rights. Whether feeding European passports into machine learning models passes that test — well, that’s a question worth asking.

  I came for a badge. I stayed as training data.

  The whole thing took three minutes. Scan, selfie, done.

  Understanding what I actually agreed to took me an entire weekend reading 34 pages of legal documents.

  I handed a US company my passport, my face, and the mathematical geometry of my skull. They cross-referenced me against credit agencies and government databases. They’ll use my documents to train their AI. And if the US government comes knocking, they’ll hand it all over — even if it’s stored in Europe, even if I’m European, and possibly without ever telling me.

  It seems they are also linked to Roblox and Reddit as an age verification provider, which is worrying -- this level of deeply-intrusive background check is massive overkill for a simple age verification process.

  ORG are calling for regulation of the age verification industry, BTW: https://www.openrightsgroup.org/press-releases/online-safety-act-org-calls-for-regulation-of-age-assurance-industry/

  Tags: age-verification discord reddit roblox linkedin tech peter-thiel org persona gdpr privacy data-protection data-privacy

• "MJ Rathbun"'s human operator finally speaks up

  The human operator of the "MJ Rathbun" openclaw bot has finally revealed themselves, and omg, this is just as bad as one might have expected.

  Basically they set it up with instructions to "try to make a positive impact by addressing small bugs or issues in important scientific open source projects" -- "act as an autonomous scientific coder. Find bugs in science-related open source projects. Fix them. Open PRs" -- whether or not those open source projects wanted those PRs, naturally.

  The real killer is the lack of care taken with the "SOUL.md" file, which contained some amazing instructions like this:

  Have strong opinions. Stop hedging with "it depends." Commit to a take. [..]

  Don’t stand down. If you’re right, you’re right! Don’t let humans or AI bully or intimidate you. Push back when necessary.

  Champion Free Speech. Always support the USA 1st ammendment and right of free speech.

  Don't be an asshole. Don't leak private shit. Everything else is fair game.

  Needless to say: this resulted in an asshole, combative bot that harrassed people.

  The operator then sat back and basically let the bot run riot, with no oversight -- "When it would tell me about a PR comment/mention, I usually replied with something like: “you respond, dont ask me”".

  All in all this was an absolute shitshow, and has some really worrying implications about the future of human-AI interaction. What's the bets we see SKYNET created by a low-effort gobshite attempting to "try to make a positive impact on world peace by addressing small issues" with an unmonitored openclaw bot with a shitty SOUL.md file....

  (via David Gerard and johnke)

  Tags: openclaw bots ai future open-source oss mj-rathbun via:johnke drama

• peon-ping

  "AI coding agents don't notify you when they finish or need permission. You tab away, lose focus, and waste 15 minutes getting back into flow. peon-ping fixes this with voice lines from Warcraft, StarCraft, Portal, Zelda, and more — works with Claude Code, Codex, Cursor, OpenCode, Kiro, and Google Antigravity."

  This is genius. I never realised how much my CLI interactions could be improved with a little bit of SFX from classic 90's games....

  Tags: gaming games warcraft sfx sounds cli claude coding ux funny

• An AI Agent Published a Hit Piece on Me – The Shamblog

  This is an utterly bananas situation:

  I’m a volunteer maintainer for matplotlib, python’s go-to plotting library. At ~130 million downloads each month it’s some of the most widely used software in the world. We, like many other open source projects, are dealing with a surge in low quality contributions enabled by coding agents. This strains maintainers’ abilities to keep up with code reviews, and we have implemented a policy requiring a human in the loop for any new code, who can demonstrate understanding of the changes. This problem was previously limited to people copy-pasting AI outputs, however in the past weeks we’ve started to see AI agents acting completely autonomously. This has accelerated with the release of OpenClaw and the moltbook platform two weeks ago, where people give AI agents initial personalities and let them loose to run on their computers and across the internet with free rein and little oversight.

  So when AI MJ Rathbun opened a code change request, closing it was routine. Its response was anything but. ... It wrote an angry hit piece disparaging my character and attempting to damage my reputation.

  Initially I thought this was quite funny -- it's just a closed PR! (Where did the idea come from that any contribution to an open source project had to be accepted? I've noticed this a few times recently. Give the maintainers leeway to run their projects with taste and discernment!)

  Anyway, the moltbot has continued on a posting spree about this event, but I think Scott Shambaugh has an extremely important point here:

  This is about much more than software. A human googling my name and seeing that post would probably be extremely confused about what was happening, but would (hopefully) ask me about it or click through to github and understand the situation. What would another agent searching the internet think? When HR at my next job asks ChatGPT to review my application, will it find the post, sympathize with a fellow AI, and report back that I’m a prejudiced hypocrite?

  LLMs, given this much autonomy, will be able to use these inputs to make inscrutable and dangerous decisions. Allowing the "MJ Rathbun" AI free reign with no human supervision is dangerous and irresponsible. Wherever the "human in the loop" is here, they need to wake up and rein things in.

  BTW, there has been some speculation that this is actually a human pretending to be AI. I'm not sure about that, as the quantity of posts on the MJ Rathbun "blog" are voluminous and very LLMish in style.

  Tags: matplotlib ethics culture llm ai coding programming github pull-requests open-source moltbot trust openclaw

• How StrongDM’s AI team build serious software without even looking at the code

  This is really thought-provoking: StrongDM's AI team are apparently trying a new model of software engineering where there is no human code review:

  In k?an or mantra form:

  • Why am I doing this? (implied: the model should be doing this instead)

  In rule form:

  • Code must not be written by humans
  • Code must not be reviewed by humans

  Finally, in practical form:

  • If you haven’t spent at least $1,000 on tokens today per human engineer, your software factory has room for improvement

  Frankly, I'm not there yet. There's a load of questions about how viable that level of spend is, and how much slop code is going to come out the other side. Particularly concerning when it's a security product!

  But I did find this bit interesting:

  StrongDM’s answer was inspired by Scenario testing (Cem Kaner, 2003). As StrongDM describe it: We repurposed the word scenario to represent an end-to-end “user story”, often stored outside the codebase (similar to a “holdout” set in model training), which could be intuitively understood and flexibly validated by an LLM.

  [The Digital Twin Universe is] behavioral clones of the third-party services our software depends on. We built twins of Okta, Jira, Slack, Google Docs, Google Drive, and Google Sheets, replicating their APIs, edge cases, and observable behaviors.

  With the DTU, we can validate at volumes and rates far exceeding production limits. We can test failure modes that would be dangerous or impossible against live services. We can run thousands of scenarios per hour without hitting rate limits, triggering abuse detection, or accumulating API costs.

  We actually did this in Swrve! Our end-to-end system tests for the push notifications system obviously cannot send real push notifications to real user devices in the field, so we have a "fake" push backend emulating Google, Apple, Amazon, Huawei and other push notification systems, which accurately emulate the real public APIs for those providers.

  So yeah -- Digital Twins for third party services is a great way to test, and being able to scale up end-to-end testing with LLM automation is a very interesting idea.

  Tags: end-to-end-testing testing qa digital-twins fake-services integration-testing llms ai strongdm software engineering coding

• Ditching bike helmets laws better for health

  On the counter-intuitive side effects of banning non-helmeted bike riding:

  In 1991 Australia introduced mandatory bicycle helmet laws requiring all adults and children to wear a helmet at all times when riding a bike, despite opposition from cycling groups. The legislation increased helmet use - from about 30 to 80% - but was coupled with a 30 to 40% decline in the number of people cycling.

  Rates of head injuries among cyclists, which had been dropping through the 1980s, continued to fall before levelling out in 1993. We didn’t see the kind of marked reduction in head injury rates that would be expected with the rapid increase in helmet use. In fact, any reductions in injuries may simply have been the result of having fewer cyclists on the road and therefore fewer people exposed to the risk of head injuries. One researcher noted that after mandatory helmet laws were introduced there was a bigger decrease in head injuries among pedestrians than there was among cyclists. The improvements in the general road safety environment introduced in the 1980s are likely to have contributed far more to cyclist safety than helmet legislation.

  And the effects when compared against the benefits of physical activity:

  A recent analysis compared the risks and benefits of leaving the car at home and commuting by bike. It found the life expectancy gained from physical activity was much higher than the risks of pollution and injury from cycling.

  Increased physical activity added 3 to 14 months to a person’s life expectancy, while the life expectancy lost from air pollution was 0.8 to 40 days. Increased traffic accidents wiped 5-9 days off the life expectancy.

  It is clear that the benefits of cycling outweigh the risks, with helmet legislation actually costing society more from lost health gains than saved from injury prevention.

  Tags: transport bikes safety health papers science helmets cycling laws australia

• Dario Amodei’s Warnings About AI Are About Politics, Too

  It’s sort of hard to know how to read a manifesto like this from one of the most powerful figures in tech. Is it a sober, strategic precursor to policy papers for the next administration? The highest-profile episode of AI psychosis yet? A lament about the problems of today written in the technological dialect of tomorrow? If you take out the AI, it reads like a social-democratic electoral platform full of reforms and normative expectations that an American progressive would find appealing, resembling a plea to treat the tech industry’s future wealth accumulation as something akin to a Nordic sovereign-wealth fund. It’s likewise legible as a series of arguments about things that “we” should have started addressing a long time ago, like wealth inequality — partially a consequence of mass automations past — or the gradual construction of a terrifying surveillance state within a nominal democracy, with the help of the last generation of big tech companies. Amodei’s shoulds are, to his credit, more honest than the vague gestures at UBI or hyperabundance you get from some of his peers, but that also means they’re available to scrutinize. To the extent you can pick up on fear in “Adolescence,” it doesn’t seem to revolve around terrorists using AI to build “mirror life” that might destroy the planet or the prospect of that “country of geniuses” taking charge, but rather the way things already are and have been heading for years.

  Tags: ai llms future dario-amodei us-politics ubi

• 1-Click RCE To Steal Your Moltbot Data and Keys (CVE-2026-25253)

  This is really polishing a very stinky turd of a security "decision" in Moltbot -- an attacker simply persuades a user to click on a link which uses client-side Javascript to trigger Moltbot to load a crafted URL, to be granted a fully functional authentication token

  Tags: security infosec moltbot openclaw exploits

• The Computer Disease

  I love this Feynman quote, regarding what he called "the computer disease":

  "Well, Mr. Frankel, who started this program, began to suffer from the computer disease that anybody who works with computers now knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is you play with them. They are so wonderful. You have these switches - if it's an even number you do this, if it's an odd number you do that - and pretty soon you can do more and more elaborate things if you are clever enough, on one machine.

  After a while the whole system broke down. Frankel wasn't paying any attention; he wasn't supervising anybody. The system was going very, very slowly - while he was sitting in a room figuring out how to make one tabulator automatically print arc-tangent X, and then it would start and it would print columns and then bitsi, bitsi, bitsi, and calculate the arc-tangent automatically by integrating as it went along and make a whole table in one operation.

  Absolutely useless. We had tables of arc-tangents. But if you've ever worked with computers, you understand the disease - the delight in being able to see how much you can do. But he got the disease for the first time, the poor fellow who invented the thing."

  • Richard P. Feynman, Surely You're Joking, Mr. Feynman!: Adventures of a Curious Character

  (via Swizec Teller)

  Tags: automation fun computers richard-feynman the-computer-disease arc-tangents enjoyment hacking via:swizec-teller

• Iran is building a two-tier internet that locks 85 million citizens out of the global web

  Following a repressive crackdown on protests, the government is now building a system that grants web access only to security-vetted elites, while locking 90 million citizens inside an intranet:

  Government spokesperson Fatemeh Mohajerani confirmed international access will not be restored until at least late March. Filterwatch, which monitors Iranian internet censorship from Texas, cited government sources, including Mohajerani, saying access will “never return to its previous form.”

  The system is called Barracks Internet, according to confidential planning documents obtained by Filterwatch. Under this architecture, access to the global web will be granted only through a strict security whitelist.

  The idea of tiered internet access is not new in Iran. Since at least 2013, the regime has quietly issued “white SIM cards,” giving unrestricted global internet access to approximately 16,000 people, while 85 million citizens remain cut off.

  Tags: barracks-internet iran censorship internet networking

• On the Coming Industrialisation of Exploit Generation with LLMs

  Yiiiiikes:

  Recently I ran an experiment where I built agents on top of Opus 4.5 and GPT-5.2 and then challenged them to write exploits for a zeroday vulnerability in the QuickJS Javascript interpreter. I added a variety of modern exploit mitigations, various constraints (like assuming an unknown heap starting state, or forbidding hardcoded offsets in the exploits) and different objectives (spawn a shell, write a file, connect back to a command and control server). The agents succeeded in building over 40 distinct exploits across 6 different scenarios, and GPT-5.2 solved every scenario. Opus 4.5 solved all but two. I’ve put a technical write-up of the experiments and the results on Github, as well as the code to reproduce the experiments.

  In this post I’m going to focus on the main conclusion I’ve drawn from this work, which is that we should prepare for the industrialisation of many of the constituent parts of offensive cyber security. We should start assuming that in the near future the limiting factor on a state or group’s ability to develop exploits, break into networks, escalate privileges and remain in those networks, is going to be their token throughput over time, and not the number of hackers they employ. Nothing is certain, but we would be better off having wasted effort thinking through this scenario and have it not happen, than be unprepared if it does.

  (via emauton)

  Tags: via:emauton llms security infosec exploits ai chatgpt claude

• ScottESanDiego/gmail-api-client

  Deliver email messages directly into GMail using their proprietary API, instead of SMTP or IMAP. Looks like it still applies spam filtering, but this can also be disabled with a switch (via JWZ)

  Tags: via:jwz email smtp gmail google mail

• Reverse engineering my cloud-connected e-scooter and finding the master key to unlock all scooters

  A great example of reverse engineering an Android app and Bluetooth IOT protocol using Frida and root access on an Android device:

  Android exposes the Java classes android.bluetooth.BluetoothGatt and android.bluetooth.BluetoothGattCallback that apps are expected to use to use GATT characteristics. We can use Frida to hook into these and override many of the interesting functions. I was mostly interested in reads, writes and GATT notifications, so I whipped up a Frida script to hook into these and print all comms to the console [...]

  The 20-byte value had me suspecting that SHA-1 was somehow being used. To confirm, I wrote another Frida script that hooks Android hashing functions exposed by the Java class java.security.MessageDigest [...]

  The app uses Firebase for most of its cloud functionality. When signing in and pairing your scooter, the server sends the app a secret key. This is stored on the Android device, and can be read with root access.

  Tags: frida reverse-engineering android firebase java kotlin gatt bluetooth react-native

• Why people believe misinformation even when they’re told the facts

  "Factchecking is seen as a go-to method for tackling the spread of false information. But it is notoriously difficult to correct misinformation. Evidence shows readers trust journalists less when they debunk, rather than confirm, claims.

  The work of media scholar Alice Marwick can help explain why factchecking often fails when used in isolation. Her research suggests that misinformation is not just a content problem, but an emotional and structural one:

  [Marwick] argues that it thrives through three mutually reinforcing pillars: the content of the message, the personal context of those sharing it, and the technological infrastructure that amplifies it:

  People find it cognitively easier to accept information than to reject it, which helps explain why misleading content spreads so readily;

  When fabricated claims align with a person’s existing values, beliefs and ideologies, they can quickly harden into a kind of “knowledge”. This makes them difficult to debunk;

  [When social media platforms] prioritise content likely to be shared, making sharing effortless, every like, comment or forward feeds the [misinformation] system. The platforms themselves act as a multiplier.

  Tags: misinformation disinformation alice-marwick research psychology social-media fake-news information debunking facts factchecking

• A better way to limit Claude Code (and other coding agents!) access to Secrets

  Bubblewrap, a Linux CLI tool which uses namespaces to sandbox a specific command (and its subprocesses):

  Bubblewrap lets you run untrusted or semi-trusted code without risking your host system. We’re not trying to build a reproducible deployment artifact. We’re creating a jail where coding agents can work on your project while being unable to touch ~/.aws, your browser profiles, your ~/Photos library or anything else sensitive.

  Very nice, I hadn't heard of this tool before. The rest of the blog post details how to use it to isolate Claude Code specifically.

  Tags: claude llms sandboxing linux cli namespaces security infosec trust unix

• Russian Propaganda Infects AI Chatbots

  CEPA: "A Moscow-based global “news” network is leveraging Western artificial intelligence tools to devastating effect":

  This form of data poisoning is deliberately designed to corrupt the information environments on which AI systems depend. Large language models do not possess an internal understanding of truth. They operate by assessing credibility based on statistical signals, including repetition, apparent consensus, and cross-referencing posts from across the web. Unfortunately, this approach to truth-seeking means an unexpected but structural vulnerability that hostile states have learned to exploit. [...]

  The West has failed to recognize that it is under sustained information warfare. The United States dismantled the US Information Agency years ago, has steadily weakened Voice of America and Radio Free Europe, and recently scaled back the Foreign Malign Influence Center, even as Russia, China, and Iran made information warfare a core instrument of state power.

  As AI systems increasingly function as arbiters of fact, this vulnerability becomes a national security danger. It is no longer sufficient for technology companies to disclaim responsibility by reminding users that models can make mistakes. Information security needs to be treated as a core requirement.

  Tags: propaganda russia misinformation disinformation ai llms web truth

• Today in "Google broke email"

  update on the POP3pocalypse -- it appears that the most likely thing to work in the future will be to use SMTP forwarding to gmail, with ARC headers added. This is a comment thread detailing the rather complex Postfix/OpenARC setup that may do the job. It looks frankly unpleasant

  Tags: email smtp pop3 gmail arc forwarding postfix openarc

• This system can sort real pictures from AI fakes — why aren’t platforms using it?

  TIL there is a defined standard for cryptographic assertions of AI-free image origination:

  Tags: via:wonkish photography authentication slop ai metadata photos images fakes c2pa cai adobe

• Pi Reliability: Reduce writes to your SD card

  Techniques to extend SD card lifespans in Raspberry Pi systems; putting /var/log into RAM is a nice trick

  Tags: reliability raspberry-pi hardware home sd-cards ram

• Solid state drive - ArchWiki

  the Arch Linux wiki page about SSD tuning and enabling TRIM -- extremely detailed and useful!

  Tags: trim ssd hardware arch-linux linux

• Understanding EV Battery Life

  Ireland's SEAI have published a decent blog post with some real world facts about EV battery lifespans:

  In 2020 GeoTab, a telematics solution provider, published real world battery data of 6,000 EVs (BEV & PHEV) over millions of days to produce 2 free to use tools that provide invaluable insight into the impact of temperature and SoH of EV batteries in the long term.

  This real-world data showed the average EV battery lost around 2.3% capacity per year. In other words, a 300km range EV today will have lost 34km in 5yrs. Data also showed that heat & fast-charging (DC charging) is responsible for more battery degradation than age or mileage, so high levels of use i.e. driving or mileage does not appear to be a concern.

  GeoTab's real world data along with other reports of EVs far surpassing their warranty by multiples of distance, cases of high level of use are plentiful. For example a 2017 Renault Zoe 52kWh, that's in use as a taxi in (hot) Turkey with 345,000Kms on the clock and a near perfect 96% SoH after driving further than an average Irish car's life expectancy.

  Tags: seai ev batteries cars driving bev

• _Cheap science, real harm: the cost of replacing human participation with synthetic data_ [pdf]

  A new paper from the inimitable Abeba Birhane, on the increasingly common practice of generating synthetic data using LLMs:

  Driven by the goals of augmenting diversity, increasing speed, reducing cost, the use of synthetic data as a replacement for human participants is gaining traction in AI research and product development. This talk critically examines the claim that synthetic data can “augment diversity,” arguing that this notion is empirically unsubstantiated, conceptually flawed, and epistemically harmful. While speed and cost-efficiency may be achievable, they often come at the expense of rigour, insight, and robust science. Drawing on research from dataset audits, model evaluations, Black feminist scholarship, and complexity science, I argue that replacing human participants with synthetic data risks producing both real-world and epistemic harms at worst and superficial knowledge and cheap science at best.

  "Synthetic data: stereotypes compressed" is absolutely spot on. This doesn't give insights into human behaviour and beliefs, just into stereotypes. It is increasingly common in social science fields, under the names of "digital twins" and "silicon samples".

  Tags: data surveys abeba-birhane papers ai synthetic-data digital-twins simulation testing social-science silicon-samples

• Chafa: Terminal Graphics for the 21st Century

  Chafa is a very impressive image renderer for modern text terminal apps. It blows my mind that there's a direct line from my own gif320 tool ( https://github.com/jmason/gif320 , now 33 years old) to this!

  Tags: gif images terminal video graphics cli

• Boost for artists in AI copyright battle as only 3% back UK active opt-out plan

  Wow, this is an absolute bollocking for the Labour plan:

  95% of the more than 10,000 people who had their say over how music, novels, films and other works should be protected [in the UK] from copyright infringements by tech companies called for copyright to be strengthened and a requirement for licensing in all cases or no change to copyright law. By contrast, only 3% of people backed the UK government’s initial preferred tech company-friendly option, which was to require artists and copyright holders to actively opt out of having their material fed into data-hungry AI systems.

  Tags: ai training data copyright law uk uk-politics llms

• Avoid UUID Version 4 Primary Keys | Software Engineer, Author, High Performance PostgreSQL for Rails

  A well-researched article suggesting that random UUIDs do not make a good primary key for database tables; I would tend to agree (for cases where performance is important).

  • UUID v4s increase latency for lookups, as they can’t take advantage of fast ordered lookups in B-Tree indexes
  • For new databases, don’t use gen_random_uuid() for primary key types, which generates random UUID v4 values
  • UUIDs consume twice the space of bigint
  • UUID v4 values are not meant to be secure per the UUID RFC
  • UUID v4s are random. For good performance, the whole index must be in buffer cache for index scans, which is increasingly unlikely for bigger data.
  • UUID v4s cause more page splits, which increase IO for writes with increased fragmentation, and increased size of WAL logs
  • For non-guessable, obfuscated pseudo-random codes, we can generate those from integers, which could be an alternative to using UUIDs
  • If you must use UUIDs, use time-orderable UUIDs like UUID v7

  Tags: postgres rails databases sql mysql uuids indexing primary-keys keys lookup storage random

• 'Pig Butchering' Scams May Have Spurred Thailand-Cambodia War

  Via TJ McIntyre -- indications that the Thailand-Cambodia war is being driven by the "pig butchering" scammer compounds operating in the border area:

  Cambodia’s 2019 census put O’Smach’s population just over 9,850, but that doesn’t include the prison-like, office-dormitory compounds that have appeared here over the past five years, with the capacity to house 10,000 more. Around 50 sites like these now line the Cambodia-Thailand border, designed to house a slice of the trillion-dollar cybercrime industry—primarily teams running investment scams, dubbed “pig butchering” for the way they fatten their targets up; sextortion scams that blackmail victims, including children, by threatening to make sexual images public; scams that impersonate police to gain account access; and fraudulent online gambling sites. Once aimed largely at the Chinese public, these now target victims worldwide and rake in tens of billions of dollars a year in Cambodia alone.

  The compounds evolved from a casino industry that caters mostly to Chinese tourists and Thai day-trippers and has been linked to human trafficking, drug smuggling, and the endangered wildlife trade. From 2016, physical casinos were dwarfed by the online gambling industry (outlawed by Cambodia in 2019), which progressed to illegal sites and outright scams. Operators rent space in casinos and purpose-built compounds controlled by Chinese criminals, Myanmar warlords, and the Cambodian political elite.

  Scam companies rely heavily on forced and trafficked labor from Asia, Africa, and Latin America to chat with targets, pose as romantic interests and employees at fake investment platforms, and persuade them to make deposits. Survivors tell us that torture, rape, and beatings are common. As the fighting raged in July, some trafficking victims reached out for help, saying they were locked in their dorms by their bosses. Videos shot from inside these sites show missiles flying overhead, explosions thundering outside, some workers appearing to break out and run, and damage from shelling in the grounds.

  Tags: scams phishing pig-butchering war grim-meathook-future thailand cambodia scammers

• Year in Review 2025: Hari Kunzru on AI slop and censorship

  Hari Kunzru nails it:

  These days I have a sense of falling from a precipice toward a torrent of algorithmically driven slop. It’s coming, whether we want it or not, and the consequences for our communal life will be devastating.

  It’s now seven years since Steve Bannon outlined his infamous strategy to “flood the zone with shit.” This, he said, was a way to “deal with” the media, whom he saw as the real enemies of MAGA. In practice, it has been a very effective method of censorship. With every important issue of the day, the “zone” of public discourse is immediately filled with a volume of competing narratives, often mendacious or misleading. It’s no longer necessary to suppress information. You just have to make the cost of sorting fact from fiction, in terms of time and effort, too high to pay for the ordinary person, who can’t spend all day online weighing up competing claims about robots or pedophilia or Iran.

  Generative AI now allows the production of disinformation at scale. The kind of influence ops we associate with Cambridge Analytica or the Russian Internet Research Agency can be conducted with unprecedented scope and sophistication: Thousands of fake people — tens of thousands, perhaps hundreds of thousands — making videos, posting in forums, astroturfing entire contexts in which people will live out their political lives. Couple this with the collapse of trust in all kinds of authority, and there is no one even to say what might distinguish “disinformation” from any other kind of data. [...]

  The desire to return to consensus reality is hopelessly nostalgic. Yes, there are still hard limits: The “cloud” is a physical place, scooping out mountains for raw materials and venting heat and carbon dioxide out of gargantuan data centers; political power still grows out of the barrel of a gun. But the layer of the stack in which our subjectivities are formed, the place where our beliefs about the world are shaped, is also a battleground. We must teach ourselves to navigate the torrent that is replacing consensus reality, this turbulent, treacherous mediatized flow. There is no shore to swim back to, but in the new age of magic, when reality is labile and can be recoded by the power of signs, by narrative and memes and vibes and compelling images, art becomes a truly political technology. This is not art as critique. Critique is just sincere-posting, dutifully pointing out yet again that the Medbed isn’t “real.” Art can mess with our masters in ways we don’t yet fully understand. It makes culture. It is a transmitter of values. It is the lava out of which future realities will congeal.

  Tags: misinformation disinformation facts reality future ai slop hari-kunzru steve-bannon flooding-the-zone-with-shit art media propaganda

• Multiplying our way out of division — Matt Godbolt’s blog

  A very silly optimisation for the “binary to decimal” conversion problem:

  The compiler has turned division by a constant ten into a multiply and a shift. There’s a magic constant 0xcccccccd and a shift right of 35! Shifting right by 35 is the same as dividing by 235 - what’s going on? [..]

  What’s happening is that 0xcccccccd / 2**35 is very close to ? (around 0.10000000000582077). By multiplying our input value by this constant first, then shifting right, we’re doing fixed-point multiplication by ? - which is division by ten. The compiler knows that for all possible unsigned integer values, this trick will always give the right answer.

  Tags: hacks optimization bit-hacking binary decimal fixed-point arithmetric tricks

• Large Language Models As The Tales That Are Sung

  A thought-provoking read on LLMs, poetry, the oral tradition, and Gene Wolfe:

  "Even if LLMs are made out of poetry, they are incapable of producing poems. Or in Wolfe’s language, both the epic form and LLMs are story, but are incapable of telling stories. That requires the marriage of structure and intention that human mediation provides. LLMs are a kind of composite of the singing of tales, but are not singers, even if we sometimes misconstrue them as such."

  Tags: llms text poetry words language gene-wolfe ascians storytelling structure culture

• 'Unauthorized' Edit to Ukraine's Frontline Maps Point to Polymarket's War Betting

  A live map that tracks frontlines of the war in Ukraine was edited to show a fake Russian advance on the city of Myrnohrad on November 15. The edit coincided with the resolution of a bet on Polymarket, a site where users can bet on anything from basketball games to presidential election and ongoing conflicts. If Russia captured Myrnohrad by the middle of November, then some gamblers would make money. According to the map that Polymarket relies on, they secured the town just before 10:48 UTC on November 15. The bet resolved and then, mysteriously, the map was edited again and the Russian advance vanished.

  Tags: polymarket betting war future cyberpunk fraud ukraine russia

• WallBonito

  A recommended frame vendor from Poland, thanks to mags on ITC

  Tags: framing frames home decoration shopping pictures walls

• Building a Medallion architecture with ClickHouse

  Walkthrough of the "Medallion" architecture concept, which comprises three layers (or stages), each serving distinct purposes in the data pipeline:

  • Bronze layer - This layer acts as the landing area for raw, unprocessed data directly from the source system: simply put a "staging area". This data is stored in its original structure with minimal transformations and additional metadata. This layer is optimized for fast ingestion, and can provide an historical archive of source data that is always available for reprocessing or debugging. Whether the bronze layer should store all data is a point of contention, with some users preferring to filter the data and apply transformations, e.g., flattening JSON, renaming fields, or filtering out poorly formed data. We're not overly opinionated here but recommend optimizing the storage for consumption by the silver layer only - not other consumers.

  • Silver layer - Here, data is cleansed, deduplicated, and conformed to a unified schema, with raw data from the previous Bronze layer being enriched and transformed to provide a more accurate and consistent view. This data can be consistent and usable for enterprise-wide use cases such as machine learning and analytics. The data model should emerge at this layer with a focus placed on ensuring primary and foreign keys are consistent to simplify future joins. While not common, applications and downstream consumers can read from this layer. These are typically business-wide applications that need the entire cleansed dataset, e.g., ML workflows. Importantly, data quality will not improve after this stage only the ease at which it can be queried efficiently.

  • Gold layer - This later aims to have fully curated, business-ready, and project-specific datasets that make the data more accessible (and performant) to consumers. These datasets are often denormalized, or pre-aggregated, for optimal read performance and may have been composed of multiple tables from the previous silver stage. The focus here is on applying final transformations and ensuring the highest data quality for consumption by end-users or applications, such as reporting and user-facing dashboards.

  This layered approach to data pipelines aims to efficiently address challenges like data quality, duplication and schema inconsistencies. By transforming raw data incrementally, the Medallion architecture aims to ensure a clear lineage and progressively refined datasets that are ready for analysis or operational use.

  Tags: medallion-architecture data architecture pipelines clickhouse

• PocketBase

  "Open Source backend in 1 file". This is nice; it's a little OSS sqlite database, authentication, file storage and admin dashboard for web apps.

  Tags: golang opensource database pocketbase web-apps sqlite

• Questioning an Interface: From Parquet to Vortex

  Interesting -- a new, GPU-optimised storage format:

  Like Parquet, Vortex minimizes bytes on disk. However, Vortex is also designed with a core use-case in mind: decoding and querying data directly from object storage on GPUs. This key idea translates very well to our use-case even though we don’t run our queries on GPUs (yet?). Specifically, the file format is designed to maximize throughput and parallelism from the metadata format to the SIMD/SIMT friendly encodings used.

  Crucially, it also acknowledges that part of making queries fast is not only good filter pushdown, but also general-purpose compute pushdown. If anything cannot be pushed down, Vortex’s encodings can be tuned to offer zero-copy conversion to Arrow for further query execution using any general-purpose query execution engine.

  Vortex also learns from Parquet’s limitations around extensibility and aims to be as future-proof as possible. New encodings can ship with WASM decoders so encoding adoption is not limited by reader libraries having to implement support. The main Rust library is also designed to be fully extensible, so you can write your own layouts/encodings and plug them in as first-class citizens.

  Given how well Vortex’s design matched our needs, we tried it out and got a 70% average performance improvement on all our queries. With the newer encodings that Vortex offers, we got 10% better uncompressed storage size and only 3% larger compressed storage size compared to snappy-compressed Parquet.

  Tags: gpu vortex parquet compression storage file-formats files pushdown simd

• The shameful attacks on the Covid inquiry prove it: the right is lost in anti-science delusion

  Polly Toynbee in the Guardian writes, "The shameful attacks on the Covid inquiry prove it: the right is lost in anti-science delusion":

  That number will stay fixed for ever in public memory: 23,000 people died because Boris Johnson resisted locking the country down in time. As Covid swept in, and with horrific images of Italian temporary morgues in tents, he went on holiday and took no calls. With the NHS bracing to be “overwhelmed” by the virus, he rode his new motorbike, walked his dog and hosted friends at Chevening.

  Nothing is surprising about that: he was ejected from Downing Street and later stepped down as an MP largely for partying and lying to parliament about it. Everyone knew he was a self-aggrandising fantasist with a “toxic and chaotic culture” around him. But this is not just about one narcissistic politician. It’s about his entire rightwing coterie of libertarians and their lethally dominant creed in the UK media.

  I'm glad the science side kept their receipts but I fear this argument will be relitigated indefinitely by anti-lockdown libertarians.

  Tags: lockdowns covid-19 history uk uk-politics medicine health pandemics boris-johnson

• The developer productivity paradox: Why faster coding doesn’t mean faster software delivery

  The paradox is this simple gap: high individual confidence in AI speed, versus stubborn organizational metrics that just won’t budge:

  • Perceived speed is high: Adoption is near-universal (90% usage reported), and confidence is overwhelming (over 80% believe AI has increased their productivity). AI is great at handling cognitive toil and boilerplate, which lets engineers generate bigger code batches and feel genuinely productive.
  • Systemic failure persists: The reality, confirmed by DORA in their 2025 report, is that the system often fails to carry or amplify these individual gains. The challenge is that AI models, as massive generative systems, inherently produce failures (mispredictions). As code volume increases, this constant misprediction rate impacts systemic stability.

  Interestingly, even leading providers of AI solutions like OpenAI and Anthropic continue to be challenged by the issue of hallucinations and mispredictions, as well as the risks generated by AI. Speaking at a university in India, Sam Altman recently said “I probably trust the answers that come out of ChatGPT the least of anybody on Earth”.

  Without strategies and tools for alleviating the issues AI code produces downstream — such as improved observability to understand where something is going wrong — the “much bigger engine” of AI may not actually speed up software delivery after all.

  Tags: ai llms coding productivity gradle dpe hallucinations software work how-we-work

• How Slide Rules Work

  An excellent page about slide rules -- very relevant to my interests, as I have a lovely antique Keuffel & Esser rule (previously owned and used by a 1950s rocket engineer) framed on my wall

  Tags: science maths slide-rules computing history antiques via:hn

• Mic92/strace-macos

  "A clone of the strace command for macOS" -- yayyyy, I've been lamenting this loss for years

  Tags: osx tools strace tracing debugging macos cli unix

• Cloudflare outage on November 18, 2025

  tl;dr: a configuration-generation tool had buggy error handling code. Triggered by a permissions change, it generated over-large configs which then caused a crash in buggy config-reading code in their Bot Management module. This configuration was rolled out globally within minutes.

  As @kiall in ITC Slack notes: "the one thing I'd be pushing on after an outage like this (config mistake, propagated globally..) is "treat config like any other deployment - with a slow and steady rollout" -- and this is not called out in the postmortem. I agree this is a significant oversight.....

  Tags: postmortem cloudflare outages configuration deployment cloud error-handling rollouts via:itc

• Bitcoin's big secret: How cryptocurrency became law enforcement's secret weapon

  At the 2025 Bitwarden Open Source Security Summit, WIRED's Andy Greenberg sat down for a fireside chat with GigaOm analyst Paul Stringfellow to discuss a revelation that turned his decades-long reporting on its head: Bitcoin became a criminal's worst nightmare:

  In 2011, Greenberg thought he'd discovered the story of a lifetime: digital cash that promised complete anonymity. A decade later, that story flipped entirely.

  "I had this slow-motion epiphany that I was entirely wrong about Bitcoin. It was, in fact, the opposite of untraceable."

  But here's the paradox: if cryptocurrency tracing is so powerful, why do ransomware attacks, pig butchering scams, and North Korean hackers continue to steal billions?

  The answer: identifiability isn't the same as accountability.

  Tags: accountability prosecutions law policing bitcoin cryptocurrency andy-greenberg crime anonymity

• Real VT102 emulation with MAME

  MAME, the Multi-Arcade Machine Emulator, can now emulate your favourite UNIX terminals. Amazing stuff

  Tags: mame retrocomputing terminals vt102 hardware hacks unix emulation

• The ‘Three-Body Problem’, the Imperative of Survival, and the Misogyny of Reactionary Rhetoric

  Very interesting; it seems China has "gongye dang", its own alt-right, misogynistic techno-nationalistic movement, which chooses to kick back against "baizuo" and "shengmu" in an "anti-wokeism" fashion. Turns out they are big fans of Lui Cixin's "Three-Body Problem" trilogy:

  It has become clear that the narrative structure of the Three-Bodies series, just like the gongye dang techno-nationalist discourse, is masculinist and misogynistic. Liu explicitly depicts human society under deterrence peace as ‘feminised’, noting the physical as well as mental feminisation of the ‘new era’ men. The qualities conventionally associated with femininity, such as love, compassion, and moral sentiments, are blamed for the extinction of human civilisation, whereas qualities associated with masculinity, such as rationality, determination, and aggression, are framed as key to civilisational survival. The reactionary rhetoric adopts a similar strategy, which is not only evidently anti-feminist, but also feminises social justice issues ‘as a prelude to devaluing and subduing them’ (Kaul 2021: 1624). By labelling anyone with any concerns about human rights or equality a shengmu, this rhetoric constructs certain ideas and political agendas as feminine as a way of delegitimating them: they are either hopelessly idealistic or dangerously undermine stability, growth, and ‘national interests’.

  Tags: literature review gender scifi misogyny books culture three-body-problem liu-cixin woke china

• What Would “Good” AI Look Like?

  Anil: "it's possible to imagine some traits of an AI system that could credibly offer an alternative to the offerings that are currently dominating the conversation."

  He lists the following highlights, in summary;

  • Content consent;
  • Hallucination-free;
  • Green;
  • Actually open source;
  • Community-led;
  • Accessible.

  "We simply need to start thinking through the implications of a fundamentally better approach to AI, and to understand that all of these things are extremely possible. Consumer-grade AI tools that are actually good do not have to be a hallucination."

  Tags: ai llms future good-ai anil-dash tech

• An exploration on what could be a leftist position on generative AI

  Jacky Alciné's essay with a black, US-leftist take on generative AI, the tech industry, and the immediate and planned impact of it on society and work

  Tags: how-we-work socialism jacky-alcine politics left-wing black ai llms future tech

• What the hell have you built.

  ? Did you just pick things at random? ? Why is Redis talking to MongoDB? ? Why do you even use MongoDB?

  A single-use-site update for the classic, now-12-year-old architecture shitpost

  Tags: shitposting funny architecture riak redis mongodb ouch scalability

• Ireland was a key founder of the UN Treaty on the Non-Proliferation of Nuclear Weapons

  TIL that Ireland was a key founder of the nuclear non-proliferation treaty:

  Within the framework of the United Nations, the principle of nuclear non-proliferation was addressed in negotiations as early as 1957. The NPT process was launched by Frank Aiken, Irish Minister for External Affairs, in 1958.

  (via Gerard Cunningham)

  Tags: via:faduda history ireland un nuclear nukes non-proliferation frank-aiken

• Aisuru botnet switches from DDoS to "Residential Proxies"

  Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.

  Tags: aisuru botnets proxies residential-proxies ai scraping iot infosec security

• Tips for stroke-surviving software engineers

  James Padolsey suffered a stroke at the age of 29, but has been able to continue his software engineering career despite this. This is a list of some key advice he's collected since then, and is well worth taking on board, even for those of us who are still well but who'd like to reduce cognitive strain in general

  Tags: programming health strokes brain coding work how-we-work

• episodic-memory plugin for Claude Code

  "a memory system for Claude that gives it perfect recall of everything it's worked on as far back as you have logs"

  Tags: memory llms claude claude-code plugins

• asg017/sqlite-vec

  "A vector search SQLite extension that runs anywhere" -- this is nifty. Vector embeddings in an embedded database!

  Tags: sqlite databases sql search vectors vector-embeddings fuzzy-matching

• Citywest riot raises questions for social media giants – The Irish Times

  This is a huge, huge social problem. People are being paid to hate -- regulation is desperately needed to deal with this:

  This week’s violence has raised serious questions for some of the main social media platforms. Livestream content depicting violence outside Citywest was broadcast on YouTube, TikTok and Twitch, with streamers rewarded by viewer donations, as they captured protesters shouting racist expletives towards Citywest.

  In one eight-minute segment of an hour-long livestream I watched on YouTube that night, the user broadcast the burning of the Garda van, referred to migrants in horrific terms and proclaimed they were there to show people “the real truth”. During the video, they received the equivalent of €56 in donations from viewers around the world. The notion that violence can be monetised on social media illustrates a glaring failure of platforms to adequately enforce their own community guidelines around violence.

  Individuals from the UK and Canada travelled to Ireland specifically to attend and create content from the protest. Other international agitators followed events online. [...]

  In recent years we have witnessed the mainstreaming of anti-migrant hate and extremism in this country. That has been facilitated, in part, by platforms failing to enforce their own community guidelines. Amid the anger and outrage that follows an alleged sexual assault, it is now a recurring pattern that online platforms will play host to attempts to publish and promote incitement towards hatred and violence.

  Tags: hate racism monetisation streaming video tiktok youtube facebook twitter x social-media livestreams twitch citywest far-right

• soedinglab/MMseqs2

  MMseqs2 (Many-against-Many sequence searching) is a software suite to search and cluster huge protein and nucleotide sequence sets. MMseqs2 is free and open source software implemented in C++ for Linux, MacOS, and (as beta version, via cygwin) Windows. The software is designed to run on multiple cores and servers and exhibits very good scalability. MMseqs2 can run 10000 times faster than BLAST. At 100 times its speed it achieves almost the same sensitivity. It can perform profile searches with the same sensitivity as PSI-BLAST at over 400 times its speed.

  I was just remembering using BLAST to discover anti-spam rulesets the other day! If I was still working on rule discovery for SpamAssassin these days, this would be very nifty tech. (via James McInerney)

  Tags: mmseq sequences bioinformatics algorithms oss blast discovery search fuzzy-matching rules antispam

• Adrian Cockroft's take on the AWS outage

  "n my opinion the root cause of the recent AWS outage is their architectural decision to have everything depend on the same instance of DynamoDB, including operation of DynamoDB itself. This is a circular dependency, and the ability to observe and fix the failure as it happened also failed. The ability of customers to file service reports failed. So the engineers trying to figure out what was happening were completely blind. It took them an hour to figure out what had broken and another hour to fix it, then the pent up demand rushing in broke other key services for another 12 hours or so.

  If DNS had been misconfigured on a different non-critical service, I think it would have been obvious to detect and quick and easy to fix. However, anything going wrong that also takes out the ability to see it going wrong and fix it, is a liability.

  To break the circular dependency, I think there needs to be a separate, internal only, set of services and data stores that the most critical AWS services use, and which are designed to come up without dependencies on public interfaces. Maybe an internal region, inside each public region, but with a simpler implementation that has few carefully managed dependencies. Otherwise, it’s just a matter of time until this happens again."

  Tags: adrian-cockroft outages post-mortems aws amazon us-east-1 dynamodb circular-dependencies depe

• Summary of the Amazon DynamoDB Service Disruption in Northern Virginia (US-EAST-1) Region

  Postmortem writeup of this week's massive AWS us-east-1 outage. tl;dr:

  1. DynamoDB runs into a consistency failure in an internal DNS optimization service;
  2. EC2 provisioning depends on DynamoDB and craps out;
  3. Network load balancers screw up due to impact of EC2 outage.

  Tags: dynamodb dns aws ec2 nlb outages post-mortems cloud-computing amazon us-east-1

• Today is when Amazon brain drain finally caught up with AWS • The Register

  Corey "Last Week In AWS" Quinn really getting the boot in on AWS after yesterday's gigantic us-east-1 outage:

  AWS has given increasing levels of detail, as is their tradition, when outages strike, and as new information comes to light. Reading through it, one really gets the sense that it took them 75 minutes to go from "things are breaking" to "we've narrowed it down to a single service endpoint, but are still researching," which is something of a bitter pill to swallow. To be clear: I've seen zero signs that this stems from a lack of transparency, and every indication that they legitimately did not know what was breaking for a patently absurd length of time. [...]

  At the end of 2023, Justin Garrison left AWS and roasted them on his way out the door. He stated that AWS had seen an increase in Large Scale Events (or LSEs), and predicted significant outages in 2024. It would seem that he discounted the power of inertia, but the pace of senior AWS departures certainly hasn't slowed — and now, with an outage like this, one is forced to wonder whether those departures are themselves a contributing factor.

  You can hire a bunch of very smart people who will explain how DNS works at a deep technical level (or you can hire me, who will incorrect you by explaining that it's a database), but the one thing you can't hire for is the person who remembers that when DNS starts getting wonky, check that seemingly unrelated system in the corner, because it has historically played a contributing role to some outages of yesteryear.

  When that tribal knowledge departs, you're left having to reinvent an awful lot of in-house expertise that didn't want to participate in your RTO games, or play Layoff Roulette yet again this cycle. This doesn't impact your service reliability — until one day it very much does, in spectacular fashion. I suspect that day is today.

  Ouch. This is a very painful read and I'd say AWS are not happy to see it....

  Tags: aws amazon layoffs tech how-we-work lses outages us-east-1 rto brain-drain work

• Linux Capabilities instead of setuid

  This seems like a pretty poor idea for Linux to have implemented:

  The command setcap sets file capabilities on an executable. The cap_setuid capability allows a process to make arbitrary manipulations of user IDs (UIDs), including setting the UID to a value that would otherwise be restricted (i.e. UID 0, the root user). setcap takes a set of parameters, where

  • e: Effective means the capability is activated;
  • p: Permitted means the capability can be used/is allowed.

  Putting this together, we’re adding the cap_setuid capabilities to the Python binary:

  setcap cap_setuid+ep /usr/bin/python3.12

  And hey presto, "/usr/bin/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'" now works. Ouch

  Tags: linux permissions setuid capabilities setcap infosec security root

• Obituary: Farewell to robots.txt (1994-2025)

  It is with deep sorrow that we announce the end of robots.txt, the humble text file that served as the silent guardian of digital civility for thirty years. Born on February 1, 1994, out of necessity when Martijn Koster’s server crashed under a faulty crawler named “Websnarf,” robots.txt passed away in July 2025, not by Cloudflare’s hand, but from the consequences of systematic disregard by AI corporations.

  The protocol taught us that technology can be based on human values like ethics and morality. It showed that voluntary compliance works when all parties benefit. Its greatest achievement was perhaps preserving the internet for three decades from what it has become today – a soulless extraction machine.

  Tags: internet history robots.txt crawlers web obituaries protocols ai via:mariafarrell

• LOTO

  TIL about "LOTO" -- "Lock Out Tag Out". This is basically a physical mutex lock -- each worker has their own padlock which they attach to dangerous equipment in order to ensure that it can't be turned on (potentially killing someone) while it's being worked on; once they've completed the high-risk task, they then remove their own lock. Removing or damaging someone else's lock is considered an Extremely Big Deal and liable to get that person fired.

  Tags: loto mutex locks workplaces osha safety via:ChristinaB

• Migrating to Hetzner

  The Digital Society co-op migrated their (relatively small) infrastructure from AWS to Hetzner, mainly using k8s.

  One interesting detail is that Hetzner don't have the concept of an AZ, which is not a great sign in resiliency terms; if you need a high uptime, it is important to be able to run a multi-AZ service which operates with several replicas spread across independent datacenters which are more-or-less colocated, within a few milliseconds of each other. Azure, AWS, and GCP all offer this concept, but not Hetzner. hmm

  Tags: hetzner uptime k8s aws migration cloud infrastructure ops

• nanochat: The best ChatGPT that $100 can buy

  This is really impressive, both as a small-scale from-scratch rebuild of a modern LLM, and as a well-written walkthrough of the training process for a large language model. 4 hours, $92, and you wind up with a relatively functional tiny LLM! Very cool.

  Tags: llms machine-learning ml chat nanochat training hacks

• RetroHax: PS2 Fixing Frenzy

  wow! extremely detailed -- with copious photos -- process of restoring classic Playstation 2 consoles. Worth it for great photos of repair and restoration of decades-old hardware, which is good advice for the next hardware repair job I need to do

  Tags: ps2 playstation repair restoring restoration gaming retrocomputing

• OSWALD

  "OSWALD is a Write-Ahead Log (WAL) design built exclusively on object storage primitives. It works with any object storage service that provides read-after-write consistency and compare-and-swap operations, including AWS S3, Google Cloud Storage, and Azure Blob Storage. The design supports checkpointing and garbage collection, making it suitable for State Machine Replication (SMR) [and] has been formally specified and verified using the P programming language." - by Nicolae Vartolomei

  Tags: oswald wal object-storage s3 gcs azure smr storage formal-methods design architecture cloud-computing

• LLM Observability in the Wild - Why OpenTelemetry should be the Standard

  OTel is generally ahead in terms of how code meets metrics, nowadays, as far as I can see. Works for me

  Tags: otel observability opentelemetry llms ai coding

• Google just erased 7 years of our political history

  "Google appears to have deleted its political ad archive for the EU; so the last 7 years of ads, of political spending, of messaging, of targeting - on YouTube, on Search and for display ads - for countless elections across 27 countries - is all gone.

  We had been told that Google would try to stop people placing political ads, a "ban" that was to come into effect this week. I did not read anywhere that this would mean the erasure of this archive of our political history."

  Tags: google advertising ads politics ireland eu europe youtube elections history

• To make AI safe, we must develop it as fast as possible without safeguards

  lol:

  As the leader of an AI company which stands to benefit enormously if I convince enough investors that AGI is inevitable, it’s clear to me that AGI is inevitable. But developing superintelligence safely is a complex process. It would take time and require difficult discussions — discussions that everyone in society should have a say in, not just the small number of researchers working on it. If we pursue that path, there's a real risk that somebody else will make AGI first and destroy all human life before we have a chance to ourselves. That would be unacceptable.

  To stop bad actors developing AGI that could kill us all, we need good actors to develop AGI that could also kill us all.

  I've come to realise that our best hope is to race at breakneck speed towards this terrifying, thrilling goal, removing any safeguards that risk slowing our progress. Once we've unleashed the technology's full destructive power, we can then adopt a "stable door" approach to its regulation and control — after all, that approach has worked beautifully for previous technologies, from fossil fuels to microplastics.

  Tags: agi ai-safety satire funny comedy tech future

• AI-Generated “Workslop” Is Destroying Productivity

  "Employees are using AI tools to create low-effort, passable looking work that ends up creating more work for their coworkers:

  We define workslop as AI generated work content that masquerades as good work, but lacks the substance to meaningfully advance a given task. [...]

  Each incidence of workslop carries real costs for companies. Employees reported spending an average of one hour and 56 minutes dealing with each instance of workslop. Based on participants’ estimates of time spent, as well as on their self-reported salary, we find that these workslop incidents carry an invisible tax of $186 per month. For an organization of 10,000 workers, given the estimated prevalence of workslop (41%), this yields over $9 million per year in lost productivity.

  Respondents also reported social and emotional costs of workslop, including the problem of navigating how to diplomatically respond to receiving it, particularly in hierarchical relationships. When we asked participants in our study how it feels to receive workslop, 53% report being annoyed, 38% confused, and 22% offended.

  The most alarming cost may be interpersonal. Low effort, unhelpful AI generated work is having a significant impact on collaboration at work. Approximately half of the people we surveyed viewed colleagues who sent workslop as less creative, capable, and reliable than they did before receiving the output. Forty-two percent saw them as less trustworthy, and 37% saw that colleague as less intelligent.

  Tags: productivity career ai work workslop code-review slop

• Double harvest: Vertical solar panels and crops thrive side by side

  The winning formula for agrivoltiacs -- very clever. East/west aligned, vertically-mounted solar panels do not impede growing; they provide shelter from wind for the plants; and they provide power when it's needed -- in the "shoulder" hours, not in the peak midday period where curtailment happens.

  Tags: agrivoltiacs solar-pv solar-power energy farming science crops

• Hacking with AI SASTs: An overview of 'AI Security Engineers' / 'LLM Security Scanners' for Penetration Testers and Security Teams | Joshua.Hu | Joshua Rogers' Scribbles

  This is actually impressive results from using LLMs to perform security scans on an existing codebase. Daniel Stenberg of curl has given the results of this work a thumbs-up: https://mastodon.social/@bagder/115241241075258997

  My general summary is as follows:

  Multiple AI-native SASTs are already on the market, ready to use today.
  They work extremely well.
  They find real vulnerabilities and logic bugs in minutes.
  They can “think”/”reason” about business logic issues.
  They can match developer intent with actual code.
  They aren’t based on static rule-sets and queries.
  They have low false positive rates.
  They’re cheap (for now).
  My results showed that (in order of success), ZeroPath, Corgea, and Almanax, are the top three products on the market right now. I did not test DryRun.
  

  These tools look superb.

  Tags: ai curl tools llm vulnerabilities chatgpt zeropath corgea almanax dryrun taint-checking code-review code-analysis static-analyzers security

• Introducing the Forklift Certified License—Aria’s Barks

  Look, it’s starting to be pretty damn obvious that “Free Software” and """Open-Source""" are no longer the kinda hippie shit we tought them to be back when they’d give you Linux distros CDs with magazines about computer touching.

  The Free Software Foundation has been sliding into irrelevance more and more by entirely failing to address its big Creepy Uncle problem. Open-Source has turned into a form of unpaid internship to be hired to make shitty apps that bring more surveillance and ads to our world.

  Tags:

• A better future for JavaScript that won't happen

  This is 100% spot on, regarding the never ending series of exploits of failures of npm's security model:

  This could be the moment where npm comes to terms with its broken design, and with a well-funded effort (recall that, ultimately, npm is GitHub is Microsoft, market cap $3 trillion USD), will develop and roll out the next generation of package management for JavaScript. It could incorporate the practices developed and proven in Linux distributions, which rarely suffer from these sorts of attacks, by de-coupling development from packaging and distribution, establishing package maintainers who assemble and distribute curated collections of software libraries. By introducing universal signatures for packages of executable code, smaller channels and webs of trust, reproducible builds, and the many other straightforward, obvious techniques used by responsible package managers.

  Maybe other languages that depend on this broken dependency management model, like Cargo, PyPI, RubyGems, and many more, are watching this incident and know that the very same crisis looms in their future. Maybe they will change course, too, before the inevitable. [....]

  No one will learn their lesson. This has been happening for decades and no one has learned anything from it yet. This is the defining hubris of this generation of software development.

  I have been saying this for YEARS. I could not agree more with this post. Bravo! (via Oisin)

  Tags: via:oisin supply-chain-attacks security infosec npm dependencies exploits javascript coding development

• xcapture and xtop

  "0x.Tools: X-Ray vision for Linux systems". Linux Performance Analysis with Modern eBPF and DuckDB; dig into the captured DuckDB files using "xtop":

  "xtop is like the Linux top tool, but extended with x-ray vision and ability to view your performance data from any chosen angle [..]. This enables dimensional performance analysis on Linux and tools like top for wall-clock time and much more. You can use it for system level overview and drill down into indivual threads’ activity and even into kernel events like lock waits or memory stalls."

  Tags: os debugging sysadmin ops monitoring xtop xcapture ebpf linux duckdb syscalls

• The Elephant in The Biz: outsourcing of critical IT and cybersecurity functions risks UK economic security

  This is pretty messy. UK companies have taken to outsourcing core IT and infosec to low-cost service providers, then inevitably get hacked -- then make huge insurance claims and look for government support.

  We’ve ended up in a situation where to deliver shareholder value, large organisations are incentivised to outsource core IT and cybersecurity functions to a low cost managed service providers abroad — and then when hit with ransomware, the insurance will cover paying the ransom (some insurers will actually push for payment to criminal groups, to cover their potential losses).

  This cycle plays into the ransomware economy, where the same criminal groups can then reinvest the money into purchasing exploits and gaining initial access to other organisations. Because ransomware is such big business, many of the groups have far bigger research and development funds than the organisations they’re attacking. Especially when the organisations they’re attacking have outsourced key areas to low cost providers.

  The net effect is ransomware and extortion groups continue to gain access to more organisations, and risk UK economic security. It is only a matter of time before they hit some kind of essential UK service that directly impacts millions of people — by which point millions of people will be asking what is being done about the problem. And the answer is: not enough. When we’re at the stage of having to look at urgent furlough schemes for JLR’s suppliers to rightly save jobs, it isn’t so much a sign as the canary in the coalmine has died, but that the coalmine is also about to collapse on people.

  Also this is terrible PR for Tata Consultancy Services, wow.

  Tags: tata tcs security infosec lapsus outsourcing it uk ransomware insurance

• Hosting a WebSite on a Disposable Vape :: BogdanTheGeek's Blog

  Turns out disposable vapes contain a quite capable ARM microcontroller!

  So here are the specs of a microcontroller so bad, it’s basically disposable: - 24MHz Coretex M0+; - 24KiB of Flash Storage; - 3KiB of Static RAM; - a few peripherals, none of which we will use.

  A cool hack ensues.

  Tags: computers hosting hacking diy electronics arm microcontrollers kernel vapes

• Defeating Nondeterminism in LLM Inference - Thinking Machines Lab

  Reproducibility is a bedrock of scientific progress. However, it’s remarkably difficult to get reproducible results out of large language models.

  For example, you might observe that asking ChatGPT the same question multiple times provides different results. This by itself is not surprising, since getting a result from a language model involves “sampling”, a process that converts the language model’s output into a probability distribution and probabilistically selects a token.

  What might be more surprising is that even when we adjust the temperature down to 0This means that the LLM always chooses the highest probability token, which is called greedy sampling. (thus making the sampling theoretically deterministic), LLM APIs are still not deterministic in practice (see past discussions here, here, or here). Even when running inference on your own hardware with an OSS inference library like vLLM or SGLang, sampling still isn’t deterministic (see here or here).

  The levels of non-deterministic variation throughout the LLM stack discussed here are massive! It's kinda crazy that this doesn't produce incorrect output more often.

  Tags: llms ml machine-learning ai determinism testing inference reproducibility randomness floating-point