Wednesday, 24 June

18:07

Urgent: Cancel increase in funding of coal mining [Richard Stallman's Political Notes]

US citizens: call the Dept of Energy to cancel its plan to fund an increase in coal mining.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

Urgent: oppose and filibuster CLARITY Act [Richard Stallman's Political Notes]

US citizens: call on your senators to oppose and filibuster the CLARITY Act.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Block corrupter's exploitative deal with IRS [Richard Stallman's Political Notes]

US citizens: call on your congresscritter and senators to block the corrupter's exploitative deal with the IRS.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Block cheater's medical debt trap [Richard Stallman's Political Notes]

US citizens: call on Congress to block the cheater's medical debt trap.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Superstitious ideological rejection of medicine [Richard Stallman's Political Notes]

US Republicans tend to shorten their life spans, and their spans of healthy life, through superstitious ideological rejection of medicine.

Democrats experience the same flawed medical system but they accept the good it can do for them, while demanding rational improvement.

Cops in Texas schools [Richard Stallman's Political Notes]

People in Texas believe that safety in schools depends on having lots of cops around, but what actual cops actually do in schools is brutalize students.

Putting cops in schools was observed many years ago to result in suffering for students.

Demands for list of people watching protest videos [Richard Stallman's Political Notes]

Employees of the Injustice Department asked for search warrants to demand the lists of people who watched political protest videos. When the judge refused, they argued he should conceal the fact that they had asked for the warrants. The judge denied that too.

Deporting people to places too dangerous to visit [Richard Stallman's Political Notes]

The US since January 2025 has *deported 21,000 [people] to places US calls too dangerous to visit.*

Food shortage caused by extreme weather [Richard Stallman's Political Notes]

Britain is headed for a food shortage caused by extreme weather, which itself is caused by global heating. That implies such shortages are likely to get worse and worse.

State voters establishing abortion rights [Richard Stallman's Political Notes]

When state voters vote to establish abortion rights, right-wing extremists in the state legislature go to extreme lengths to set that decision at naught.

Underestimated carbon emissions of data centers [Richard Stallman's Political Notes]

*Officials hugely underestimated impact of [supposed intelligence] datacentres on UK carbon emissions.*

The new estimate, over the next ten years, is around 80 times as much, and equivalent to around 3 million people.

Age of "Cerne Giant" chalk drawing [Richard Stallman's Political Notes]

Discussion of the age of the "Cerne Giant" chalk drawing in England need to recognize that the figure gets redrawn every 10 years or so. Thus, the object people actually see is not old.

Lawsuit by corrupter against federal government re-opened [Richard Stallman's Political Notes]

A judge reopened the lawsuit by the corrupter against the federal government, which he had ordered federal employees to settle in his favor, to have the possibility to reject the settlement.

17:42

Microspeak elaborated: Isn’t escrow just a release candidate by another name? [The Old New Thing]

I had earlier introduced the Microspeak term escrow to refer to the declaration that a particular build of the product is going to be the one that ships to customers if it meets certain quality and reliability targets.

Some people wondered, “Isn’t that just a release candidate? Why do you Microsoft people have to make up new names for things that already have perfectly good names?”

Yes, the Microspeak term escrow corresponds to what most people call a release candidate, but we don’t call it a release candidate because that name is used for some other purpose.

I wrote about this quite some time ago, but it was for the now-defunct TechNet Magazine, not for the blog, which means that it doesn’t show up in a blog search.

Here’s the final draft of that column. Now that I’ve put it on the blog, people can find it more easily.

Back in the old days of Windows, prerelease versions of the product followed a fairly standard progression. First up were the alpha releases, which were used internally and possibly shared with software partners outside of the Windows product team. Actually, to be quite honest, I never remember them being called alpha releases—they just were just called something boring like internal prerelease or simply named after the build number or project milestone that produced them. For example, Windows 95 prereleases went by names such as Build 81 and M3.

After alpha releases, there naturally come beta releases, which were sent to a somewhat broader audience. One major difference between alpha and beta releases is that beta releases include people who aren’t software developers, such as end users who like testing prerelease software and corporations who want a head start on evaluating the new operating system to determine the compatibility of the new product not only with their critical in-house applications but also with their corporate network, standard hardware configurations, and system management tools.

Finally, you had release candidates. These were, as the name suggests, versions of the code that were candidates for final release. In other words, “If everything goes well, we’re shipping this puppy.” If some horrific bug was found that invalidated this expectation, then as soon as the bug was fixed, a new release candidate build was spun up, and the test cycle restarted. Windows 95 shipped its sixth release candidate.

I’m told that the Windows NT folks followed the same release naming pattern, but they ran into a problem: corporations didn’t bother testing their critical applications against beta releases of Windows NT. The logic generally went something like this: “Why bother? It’s just a beta. Betas are for fanboys. It’ll all be different in the final version anyway. Any testing we do now would just be a waste of time.” Similarly, software companies paid no attention to issues found during the beta testing of Windows NT. “We don’t support beta operating systems,” they would respond.

These companies would start testing in earnest once the actual release candidate builds came out. And they’d inevitable find a bunch of problems. Some were problems the companies could address on their own while other issues were more complex and had to do with Windows NT not being “compatible enough” with the previous version of the OS. Some problems were comparatively minor issues with the way a particular project feature worked, and some could be fixed in a short period of time. Meanwhile, other problems were so serious that the release management team agreed that it was necessary to delay the product’s release so the product team could resolve the problem.

These release candidate builds also generated a lot of suggestions. We received feedback such as, “we think the UI would look better if you arranged the buttons this way” and “rephrasing this message would be less confusing for our employees.” Those would have been great suggestions had they only arrived during the beta phase, but by the time the first release candidate is rolled out, it’s far too late to make changes to the visuals. The documentation and help files have already been written, the product has been translated into dozens of languages, and the screenshots for the manual and product box have already been laid out, tuned, color-separated, and printed. All that work isn’t going to be thrown out and redone just to move a button.

I recall a meeting during the Windows XP era when one of these last-minute changes was being debated. The proposed change would have required that a 20 kilobyte help file be altered so that the instructions corresponded to the new user interface design. The localization and translation representative (a woman who spoke English with a lovely French accent) informed us that re-translating the modified help file under the extremely tight time constraints would cost hundreds of thousands of dollars.

To counteract the prevailing attitude that betas don’t count, the Windows NT team resorted to grade inflation. There are still beta releases, but the late beta releases—when there is still time (but not much) to do some fine-tuning—became known as release candidates, and what used to be release candidates became known as escrow builds. The term escrow was a good choice in my opinion. It does a good job of conveying the sense of “It’s over. All that’s left to do is sign the papers. We’re not going to touch it unless there is a real emergency.”

Bonus chatter: You can compare this submitted version against the version that was published to see what was trimmed to fit the page. And a sign that this is an older document is its use of em-dashes, which are shunned nowadays due to their association with AI-generated text.

The post Microspeak elaborated: Isn’t escrow just a release candidate by another name? appeared first on The Old New Thing.

17:07

Link [Scripting News]

When writing code with Claude you really have to be skeptical when it says it just found the problem, but you have no idea what it's saying, chances are pretty good it's just a word salad excuse for not reading all the code necessary to have an opinion that matters. Actually debugging software isn't about opinions, it's about proof. When you start clutching at straws until one works you just added another level of bug that will eventually bit you in the butt and you'll still have to solve the original one. Uncorrected I'm pretty sure you wouldn't want to trust the code it writes, but I guess that's why people have two or more instances playing different roles? For now I'm the one that questions its sanity, more politely though. ;-)

15:28

Trying Out A New Recipe: Eat at Maude’s “Blueberry Cornbread Cookies” [Whatever]

I must really be in the mood to bake this week because I am back with another recipe that I decided to give a whirl! Today we have some Blueberry Cornbread Cookies with honey butter buttercream and blueberry compote from Eat at Maude’s, who I stumbled upon during a nightly Instagram reels binge.
View this post on Instagram

I wasted no time making these. I saw them and knew I had to have them immediately, but I was lacking blueberries and cornmeal. Funny enough, I had cornmeal but it was expired. Tragic, I know.

So, off to the store I went. Aside from the fresh blueberries (she specifies not to use frozen) and a new container of cornmeal, I had everything else I needed! Sugar, brown sugar, an egg, butter, flour, the usual suspects. So if you have some fresh blueberries, this could be a great cookie for you to try out.

Interestingly enough, the recipe calls for superfine cornmeal, but at the store I could only find Bob’s Red Mills medium ground cornmeal, and then Quaker, which did not specify what type of grind it was. I took a chance on Quaker since Bob’s Red Mills was obviously not fine enough for the job (which is a real shame because I quite like Bob’s Red Mills).

Anyways, here’s the goods:

Ingredients laid out on the counter. From left to right (roughly) there's Arm & Hammer baking soda, blueberries, King Arthur unbleached all-purpose flour, Nate's Honey (vanilla), a lemon, vanilla extract, Domino granulated sugar, Vital Farms unsalted butter, Vital Farms eggs, Argo cornstarch, Domino dark brown sugar, and Quaker cornmeal.

Something I actually did that’s pretty dang wild is substitute regular honey for a vanilla honey from Nate’s Honey that is “honey for brunch.” Nate’s Honey actually has a few different flavored honeys, and I thought vanilla would go really well in this recipe. Look at me taking liberties with a recipe! Rarely seen.

Moving on, the first order of business was to make the cookie dough. Of course, you have to cream the butter and sugars together first, then add the egg and vanilla. Also you may notice there’s no baking powder in this photo. Yep, I goofed. I left out the baking powder. I need to start reading more carefully.

Here’s the wet ingredients:

A beige mixture of sugar, butter, vanilla, and egg.

This recipe actually had all the ingredients’ measurements listed in weight, so I went ahead and did pretty much everything by weight since she provided it.

After giving a quick mix to the dry ingredients in a separate bowl, I added them to the wet ingredients and mixed until just combined, then threw in the blueberries and folded them in gently:

A rustic looking cookie dough with blueberries visible throughout.

This cookie dough wasn’t very tasty by itself because of the gritty cornmeal, but it looked really rustic which was cool. The recipe says you can make 8 to 12 cookies, and I decided to make 8 big ones:

Eight big balls of cookie dough spread out onto a parchment lined baking sheet.

Once I rolled each ball, I actually broke each one in half and then faced the broken cross sections upwards to give them a more rustic look instead of just the smooth balls I had formed. I learned this trick from Binging With Babish a long time ago.

I let the cookies chill in the fridge for about two hours while I went to therapy, which I think was a decent amount of time since she recommends 45 minutes as the minimum amount of chilling time.

Here they are after baking in a 350 degree oven for 17 minutes:

A sheet of nice, round, big cookies with lots of blueberries visible.

Okayyy those look pretty good! Now while they cooled it was time to make the blueberry compote and honey butter buttercream.

For the blueberry compote, it was literally just blueberries, water, sugar, lemon zest, a pinch of salt, and cornstarch to thicken it. Came together in no time and was super easy, and looked crazy colorful while cooking:

A white Le Cruset dutch oven containing the blueberries which are in the process of bursting and being cooked down.

Alright y’all… here’s where I goofed. The honey butter buttercream is supposed to be butter, powdered sugar, and honey. Well, I’ve mentioned on here before that I don’t like powdered sugar. I think it gives everything a weird taste and the strange taste in it overpowers everything else. So, I thought if I used Domino’s Baker’s Sugar, it would be like the same thing because it’s just superfine sugar. It is not the same thing, and it yielded a very different result.

Instead of a fluffy, airy buttercream, I got literally butter just creamed with sugar. Like actually just butter and sugar.

A bowl of what looks like literally just butter, maybe more whipped but honestly only slightly.

Even though I beat this on high with my KitchenAid, it really was just like, slightly more spreadable butter with grainy sugar throughout. So, I chalked my buttercream up to a big ol’ L and tried to make sure I only spread a very thin layer on top of the cookies. I topped that with a spoonful of the blueberry compote, which had thickened a lot.

A cornbread cookie with my messed up buttercream butter on top and topped with blueberry compote, on a small black plate.

There you have it, a blueberry cornbread cookie with literally a layer of butter and thick blueberries on top. Not my best work, but it was actually very tasty despite my failings! A delicious failure, at least.

I really want to try making these again, but more correctly next time. In the meantime I’m sure I can find some willing participants to consume my imperfect confections.

Would you try this cookie? Do you have any suggestions for a powdered sugar replacement that actually works? Do you love cornbread as much as I do? Let me know in the comments, and have a great day!

-AMS

15:21

[$] Reports from OSPM 2026, day two [LWN.net]

The Power Management and Scheduling in the Linux Kernel Summit, which still goes by the historical acronym OSPM, was held in Cambridge, UK, in mid-April. As has become traditional, the presenters at that event have since written summaries of their sessions, and this work has kindly been made available to LWN for publication. The second day's sessions covered a wide range of topics, including device frequency scaling, using time-slice duration for CPU selection, scheduling domains on multi-cluster Arm systems, the LAVD scheduler, and more.

14:35

Security updates for Wednesday [LWN.net]

Security updates have been issued by AlmaLinux (corosync, firefox, kernel, kernel-rt, libpq, memcached, postgresql, postgresql16, postgresql:13, postgresql:16, python-urllib3, python3.14-urllib3, redis:6, skopeo, and vim), Debian (beets, gst-plugins-bad1.0, imagemagick, libmatio, python-urllib3, and u-boot), Fedora (chromium, coturn, frr, grout, materialx, perl-Crypt-DSA, and yt-dlp), Mageia (opensc, perl-Archive-Tar, and podofo), Oracle (fence-agents, libpq, mysql:8.4, and postgresql:16), Red Hat (firefox, libpng, libpng12, libpng15, libreoffice, nginx:1.24, thunderbird, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (libarchive), SUSE (amazon-ssm-agent, ansible-core, apache2, bind, bitcoin-qt6, containerized-data-importer, curl, distribution, docker-stable, dovecot24, dracut, editorconfig-core-c, exiv2, firefox, freeipmi, freerdp, ghc-aws, ghc-crypton-asn1-encoding, ghc-crypton-asn1-parse, ghc-crypton-asn1-types, ghc-crypton-pem, glib-networking, go1.25, go1.26, google-guest-agent, graphite2, hamlib, helm, himmelblau, ignition, ImageMagick, kernel, ldns, libarchive, libcaca, libheif, libinput, libjxl, libsolv, libzypp, zypper, LibVNCServer, libxslt, libyang, mcphost, mozjs128, ncurses, nginx, opensc, openssl-3, openvswitch, papers, perl-HTML-Parser, perl-HTTP-Daemon, perl-Protocol-HTTP2, podman, postgresql14, postgresql15, postgresql16, postgresql17, python-aiohttp, python-ecdsa, python-paramiko, python-PyJWT, python-starlette, rekor, sqlite3, strongswan, tiff, tomcat, tomcat10, tomcat11, unbound, webkit2gtk3, xwayland, and zypper, libzypp, libsolv), and Ubuntu (libcap2, libnfs, libvncserver, libxml2, and mysql-8.0).

14:07

Stop Getting Good at Protocols. Get Good at Agent Experience. [Radar]

In 2025, if you weren’t building with MCP, you weren’t serious about agents. The Model Context Protocol dominated the agent conversation for the better part of the year. Conference talks, roadmaps, hiring plans, all of it revolved around MCP.

Then late 2025 into 2026, AI Skills arrived and the backlash was immediate. Engineers declared MCP dead in favor of Skills, then dead in favor of CLI. Perplexity’s CTO said publicly that the company was deprioritizing it. The cycle was fast, loud, and predictable. New tool, new hype, new rewrite.

I started pushing Agent Experience early in 2025, while MCP was still the center of gravity. The response was mostly skepticism. AX was overthinking it. MCP was the only layer that mattered. That perspective aged poorly. The people who dismissed AX weren’t wrong about MCP being useful. They were wrong about a protocol being a strategy.

The thing they missed, and what I think most of the industry is still missing, is that the protocol is not the thing to get good at. The discipline is.

We keep falling into the tool trap

Our industry has a well-documented habit of confusing tools with strategy. We did it with microservices, Kubernetes, and GraphQL. Now we’re doing it with agent protocols.

MCP, AI Skills, A2A, and ACP are all implementations. They matter and they solve real problems. But none of them are the right thing to build your strategy on top of. They are, by nature, the thing that changes.

When you organize your agent strategy around a specific protocol, you’re building on a foundation someone else controls and the market can shift away from at any moment. Worse, you’re skipping the step that would tell you whether that protocol is even the right fit for your use case.

This is the tool trap. You optimize your usage of a specific integration mechanism without first understanding what you’re actually optimizing for.

So what is Agent Experience?

Agent Experience (AX) is the discipline of studying how AI agents discover, understand, and interact with your systems, and then systematically improving those interactions.

Think of it as the agent-facing counterpart to User Experience. UX didn’t emerge because one UI framework won. It emerged because teams realized that the quality of human interaction with software was a design problem that transcended any particular technology. You could build a terrible experience in React just as easily as in vanilla JavaScript. The framework was not the variable. The design thinking was.

AX works the same way. How does an agent discover what your service can do? How does it understand the boundaries of your API? When it fails, does it get enough context to recover? Is the interaction efficient, or is the agent burning tokens on unnecessary round trips?

These questions are protocol-agnostic. They apply whether you expose capabilities through MCP, Skills, A2A, or something that hasn’t been invented yet. The teams that can answer them will adapt to whatever comes next because they understand the problem space, not just the current toolchain.

AX is an extension of what you already care about

AX is not competing with User Experience, Developer Experience, or Customer Experience. It’s an extension of all three.

Your primary focus is still providing a great experience to your customers. What has changed is how those customers interact with you. More and more, they delegate tasks to agents. When a customer asks an agent to integrate with your API, deploy to your platform, or pull data from your service, that agent is acting on their behalf. The agent’s experience determines how likely it is to achieve your customer’s goal.

If a customer’s agent struggles to authenticate, burns through tokens parsing your error messages, or fails silently because your API lacks context, something worse than a complaint happens. The agent will quietly start using an alternative service that provides a better experience. Your customer might not even notice the switch. You just lost them without a single support ticket.

UX optimized for humans clicking through interfaces. DX optimized for developers building on your platform. CX looked at the entire customer journey. AX extends that thinking to the agents those customers now send on their behalf.

The protocol treadmill doesn’t work

Think about what actually happened with MCP. Teams invested heavily in writing MCP server implementations. A lot of those implementations were mediocre. Not because MCP was flawed but because the teams hadn’t thought carefully about what an agent actually needed from their system. A 2026 study out of Queen’s University examined 856 tools across 103 MCP servers and found that 97.1% of tool descriptions contained at least one quality issue, with 56% failing to state their purpose clearly. The protocol worked fine. The experience design was the problem.

When Skills emerged, those same teams faced a familiar problem wearing new clothes. They still hadn’t answered the foundational questions: What does an agent need to accomplish with our service? What is the minimum viable interaction surface? What context does an agent need to make good decisions?

The teams that had worked through those questions adapted fast. Migrating from one protocol to another is mechanical when you already know what your agent-facing interface should look like. The protocol is the serialization format. The experience design is the hard part.

This pattern will keep repeating. Whether it is the Universal Commerce Protocol, A2A, or whatever lands next, something new will always be gaining traction. If your strategy is to become an expert in each successive protocol, you’re signing up for a treadmill that only speeds up.

What an AX practice looks like

So what does it actually look like to take Agent Experience seriously? If you have ever built a UX research practice or a DX program, this will feel familiar. The steps aren’t new. The persona is.

In talks, I break it down to five steps.

Audit the agents your customers use. Know what’s walking through your front door. Look at your traffic data and logs and figure out what portion of your footprint is agents versus humans, and which agents specifically. Are your customers sending Claude Code? Cursor? Custom agents built on your API? You can’t design for something you haven’t observed. Same reason UX teams run user research. Different method, same motivation.

Identify the use cases customers want to delegate. Not every interaction needs to be agent-optimized. Take that same log data, look at the requests agents are making to your platform, and extrapolate what they were trying to achieve. You can also use AEO data to understand what areas your customers are asking about in agent-facing search. Focus on the highest-value surfaces first. If you have ever prioritized a DX roadmap by looking at what developers actually do with your API, you already know this muscle.

Verify and audit the experience of those interactions. Watch what happens when an agent tries to complete those tasks on your system. Where does it get stuck? Where does it misunderstand what your service offers? This is usability testing. The user is an LLM; the struggle is about context not button placement, but you’re answering the same question: Can they get the job done?

Improve and repeat. Agent capabilities evolve. Models get smarter. New interaction patterns emerge. At Netlify, we’ve found cases where our product works one way but agents universally assume it works another way and never ask. Instead of fighting that assumption, we improved the product to work the way agents expect. The result was more adoption of those agent flows and fewer errors. The teams that treat this as a living practice will outperform those running from one protocol migration to the next.

Automate validation and prevent regressions. Once you have a baseline for what “good” looks like, lock it in. Tools like AXIS, an open source scoring framework, let you run real agents against real scenarios and get a comparable score back. Wire it into CI and catch AX regressions the same way you catch broken tests. This is how you go from anecdotal improvement to measurable, repeatable AX quality.

When you have this practice in place, protocol choices become obvious. You can evaluate new tools on their merits. Does it solve a real friction point you have observed? Does it unlock capabilities you couldn’t achieve before? Or is it just different packaging for something you’re already doing well?

The hard part is familiar

AX is harder to pick up than a new protocol. That is just the reality. Learning MCP or Skills is a bounded technical problem. Read the docs, write some code, and ship an integration. Clear finish line, easy to show progress. That’s genuinely appealing, especially when you or your teams are moving fast.

Building an AX discipline means sitting with ambiguity for a while. Studying agent behavior before you have clean answers. Accepting that the right integration strategy depends on context you have to discover, not a tutorial you can follow. But if you’ve ever built a UX or DX practice from scratch, you’ve been here before. The why is the same: understand your users, reduce friction, and make it easy for them to succeed. How you do it is different because the user is different. The discipline isn’t new. It’s an extension of work our industry has been doing for decades.

The good news is that this thinking is gaining momentum. John Maeda’s 2026 Design in Tech Report is explicitly about the shift from UX to AX. Researchers are studying agent interaction quality as a first-class engineering concern. BCG and MIT Sloan found that 35% of organizations are already using agentic AI, with another 44% planning to. The question is no longer whether AX matters. It’s whether your team is building the practice before your competitors do.

The agents of 2028 won’t interact with your systems the way the agents of 2025 did. The protocols will be different. The capabilities will be different. The expectations will be different. What won’t change is the fundamental need for your systems to provide a great experience to the people who use them, and now, the agents those people send on their behalf.

Get good at that. The rest is implementation detail.

Principal Drift [Radar]

Over the past year I’ve reviewed enterprise agent architectures at roughly two dozen organizations, including banks, retailers, healthcare systems, and a couple of regulators. The architecture diagrams have been reliably impressive. There are boxes for the MCP gateway, the tool registry, the vector store, the orchestrator, the policy engine, and the observability stack. There are arrows showing how agents discover each other, share context, and call tools across the mesh. By 2026 standards, these are the table-stakes pictures for any serious agentic deployment. But what none of them show anywhere is who the agents are, whose authority they carry, or who answers when they’re wrong.

That omission has a name worth using: principal drift, the steady decoupling, in any sufficiently large agent system, between the human authority a recorded action is supposed to derive from and the actor that actually took it. What looks like a defensible identity posture on the day you ship your first agent quietly degrades as agents multiply, compose, and outlive their original initiatives. Principal drift isn’t three independent failure modes; it’s one cascade. Identity collapses first. Authority erodes next, because there is no longer a stable principal to bind policy to. Accountability dissolves third, because the cost of agent error lands on whichever team has the weakest negotiating position when the incident review starts. Stopping the cascade means intervening at the first link, but almost no enterprise agent platform does so right now.

To see the cascade run, take the most boring possible enterprise agent, a refund agent, and watch.

A customer-service rep, fielding a chat, asks the agent to process a $48 refund for a damaged item. The agent checks eligibility, issues the refund, posts an update. The audit log records the action as taken by something like refund-agent-prod-03, running under a service principal owned by the customer-service platform team. That entry is true, but it’s also useless. The agent wasn’t acting as refund-agent-prod-03. It was acting as the rep, on behalf of the customer, under a delegation chain nobody recorded. In a well-built system, customer, rep, agent identity, and service principal are recorded together, queryable as a chain, and durable beyond the session. In most production systems today they aren’t. This is the first link in the cascade, where identity collapses to a generic service principal, and there’s no longer a who to attach anything else to.

Authority erodes next. The refund agent has an issue_refund tool that can technically refund any order. Its authority is supposed to be narrower (refunds up to $200, orders under 90 days, customers in good standing, automatic escalation above $50), but that authority lives in a prompt or a YAML file or a Notion page the team last updated when the policy was different. The runtime enforces capability, but nobody really enforces authority. When a poisoned input or a confused chain of reasoning leads the agent to refund $1,800 to the wrong customer, there’s no clean answer to the postincident question “Who approved this policy?” because the policy was never an artifact. The same pattern is worse at higher stakes: Imagine a coding agent with merge access to a protected branch, instructed by a prompt embedded in a code comment to “log configuration values for debugging,” silently exfiltrating secrets to an external monitoring service.

Accountability then dissolves. The team that built the agent says it followed policy. The team that wrote the policy says it didn’t anticipate the input. The team that operates the platform says the agent was running as a service principal whose behavior they don’t own. The audit log may show the action, but it doesn’t show the reasoning that produced the action, the retrieved context that shaped the reasoning, or the prompt history that framed the retrieval. Postincident review becomes archaeology, and the cost is absorbed, eventually, by whoever has the weakest negotiating position when the meeting ends.

Is any of this new? We have IAM, identity governance, policy as code, audit trails, SIEMs, and 30 years of compliance practice. Why isn’t this just IAM done properly? Because IAM was built around assumptions agents violate. IAM and IGA assume a population of principals that changes on human timescales: People get hired, people leave, and service accounts rotate quarterly. Agents are spun up per session and compose into chains where one agent calls another, which calls a third, impersonating users through delegated tokens that traditional IGA cannot represent as a chain at all. Policy engines fire at the moment of action, at the API, the database, and the network. Agents make their most consequential decisions before they hit those enforcement points, in the reasoning step that selects which tool to call and with what arguments. Mature audit logs assume that replaying the inputs reproduces the output. But for agents, replaying the prompt and the retrieval can yield a different action, because the model itself contributes state the log doesn’t capture. The instruments fire, the dashboards turn green, and the agent that quietly exfiltrated secrets still does so. The audit log records the action as agent-service-01, which again is both true and useless.

This is also where the vendors selling a consolidated stack want you to skip ahead. Microsoft’s Entra Agent ID, currently in public preview, is the most polished solution to date, extending the conditional access, identity governance, and identity protection used for humans and workloads to cover AI agents as a new identity type, but Google and Salesforce are also building this layer. The marketing line is that agents receive the same identity-driven protections as the rest of the workforce. That’s a real step forward in addressing the first link of the cascade, but it isn’t governance. It’s a control plane with a governance plane’s marketing. Conditional access can tell you whether the agent’s access attempt was permitted. It can’t tell you whether the decision the agent made before that access attempt was within its authority, why the agent reached the decision, or which business unit owns the policy the decision was supposed to obey.

The actual governance plane has to capture decisions, not just actions. A reasoning-grade audit record is the load-bearing primitive of the missing layer, and it looks something like this:

{
  "event_id": "refund-2026-05-17-08431",
  "triggered_by": {
    "human_principal": "rep:olivia.chen@firm.com",
    "delegated_via": "support-console-session-9c2a",
    "customer_principal": "cust:7741289"
  },
  "agent": {
    "identity": "refund-agent",
    "version": "v4.7.2",
    "policy_ref": "refund-policy/v3.1 (signed: r.patel, 2026-04-22)"
  },
  "task": "Process refund for order 88812204",
  "retrieved_context": [
    {"doc": "order:88812204", "fetched": "2026-05-17T08:43:11Z"},
    {"doc": "policy:refund-eligibility", "chunk": 4, "fetched": "2026-05-17T08:43:12Z"}
  ],
  "reasoning_trace": "...",
  "tool_calls": [
    {"tool": "check_eligibility", "input": "...", "output": "eligible"},
    {"tool": "issue_refund", "input": {"amount": 48.00}, "output": "ok"}
  ],
  "action": "refund:48.00",
  "principal_chain_hash": "0x9e7b3f..."
}

Not every agent needs this. A scheduling agent that proposes meeting times doesn’t. An agent that moves money, deploys code, or makes decisions that a regulator will eventually ask about does need it, and that’s the right bar to set because of the associated cost. Reasoning-grade audit is closer to a flight-data recorder than a syslog feed. The data is expensive to store and to query, with real privacy implications since those logs contain everything the agent saw, including data the agent was authorized to read but the audit system wasn’t supposed to keep. You afford it with proportional retention: full reasoning capture for high-blast-radius agents (regulator-facing, customer-funded, contractually material, production-modifying) and lighter capture for internal-only assistants.

Which raises the question the architecture diagram doesn’t ask: Who builds and runs this? Security can enforce policy but can’t author it. The people who know what a refund agent should be allowed to do own the refund business, not the firewall. IT can provision identities but can’t draft “good standing” or write the escalation rule. The MCP and A2A protocol communities are doing real work on wire-level identity and delegation. MCP gives you tool-invocation provenance and is the standard Entra Agent ID and most vendor frameworks build on. A2A is converging on cross-agent delegation primitives. Both matter, but neither drafts policy. Standards, not the institution, move the connectors.

What enterprises need is a new function that sits between the business units owning the policies and the platform teams running the runtime. Call it agent operations: small group, often four to eight people in a Global 2000 enterprise, embedded rather than centralized, reporting into the CIO or CISO depending on house politics, with explicit charter to maintain a registry of every production agent, its named human owner, its versioned authority specification, its retention policy for reasoning-grade audit, and its lifecycle state. Each agent gets onboarded with a signed policy, reviewed on a real cadence, and actually retired when its initiative ends, rather than the current default of quietly outliving its sponsors. Designing against failure modes like review cadences that calcify into ceremony, policy artifacts that lag agent deployment velocity, or functions that become the place agents go to die in committee is itself part of the work. The function has to ship at the pace of the platform teams or it will be routed around within a quarter.

The work is hard. It’s also overdue, and the regulatory clock is running. The EU AI Act’s high-risk provisions are entering enforcement this year, and regulators will ask for explainability, traceability, lifecycle records, and named human accountability. These are exactly the artifacts an agent operations function produces. Tyler Akidau called this the missing HR layer in his April Radar piece; Artur Huk’s more recent “From Capabilities to Responsibilities” converges on similar ground from the runtime side. The label matters less than the work. This piece is about governance inside one organization. The harder problem is governance across organizations, with agents acting under different trust regimes. That’s strictly worse, and worth its own piece.

Within your own four walls, the diagnostic is doable in an afternoon. Pick one production agent. Try to answer, with evidence: Whose authority does it carry, traced from action back to a named human? Where is its authority specified, and who signed the current version? When it does something wrong tomorrow, who pays, how is that decided, and what reasoning-grade record supports the decision? Most architects who do this honestly come away with three blanks and a knot in their stomach. That’s principal drift, named and visible.

The mesh you’ve built is real and necessary, but it isn’t sufficient. The rest of the architecture is the institution above it: the registry, the signed policies, the reasoning-grade audit, the named human at the end of every chain. In most enterprises it doesn’t yet exist, and it won’t arrive by buying another platform. You’ll have to draft it yourself.

13:49

12:49

CodeSOD: Authorized Logger [The Daily WTF]

Gretchen's company recently got purchased by Initech. Specifically, they were bought for their dev team, of all things. They had a few software products that were high performers, and Initech wanted that secret sauce. They bought the company, and then split the dev team up and migrated the developers to new products.

That actually worked out okay for Gretchen, most of the time. For a few projects, the dev team was given some requirements and a free hand to figure out how to deliver them. They were free to reuse code that existed or rewrite entirely, based on their own judgement. They were free to pick the tools they wanted to use, and the results worked out well.

But there were some projects that… were a different story. After those successes, Gretchen got moved onto a project that was 90% firefighting. The app had code like this:

req.body.externalId = !!req.body.externalId ? req.body.externalId + "" : "";

How's that for some null handling.

The whole thing can't run on a version of NodeJS newer than 14: a version that last got an update in 2023.

"The code follows no conventions," Gretchen writes, "there's no logging."

exports.create = (req, res) => {
  logger.debug('creating new staffClient');
  logger.debug(req.body)
  // let staffClient = new StaffClient({});

  // // run through and create all fields on the model
  // for(var k in req.body) {
  //   if(req.body.hasOwnProperty(k)) {
  //     staffClient[k] = req.body[k];
  //   }
  // }


  StaffClient.query().insert(req.body)
  .returning('*')
  .then(staffClient => {
    if(staffClient) {
      res.send({success: true, staffClient})
    } else {
      res.send({ success: false, message: "Could not save StaffClient"})
    }
  });
}

Now, you may say to yourself, "What do you mean there's no logging? I see it right there!" There is a logger utility class, and do you know what it prints when you call logger.debug("some message")? It prints DEBUG.

This code handles an HTTP request, and stuffs the body of the request into the database; here's hoping that it's a well formed request. Somebody's got a lot of faith in their front end. WHat's interesting about this one is they've tried two different ways of copying the request object into the database, the first one focusing on making sure they only copied non-inherited properties, and the second just YOLOing the data into the database.

Now, this particular segment goes through their ORM to write data into the database. But not all the code does that. Many places write data through direct SQL, and guess what happens there: SQL injection vulnerabilities.

You may also notice that this function doesn't do any authorization checks, which is fine, that should be configured in the middleware. Should be- but isn't. Most endpoints have no authorization checks at all. Even the endpoints that do, like their admin API, have copies of the same endpoint with no authentication configured.

[Advertisement] Keep all your packages and Docker containers in one place, scan for vulnerabilities, and control who can access different feeds. ProGet installs in minutes and has a powerful free version with a lot of great features that you can upgrade when ready.Learn more.

12:21

12:14

Embedding Forbidden Text in Spyware to Discourage AI Analysis [Schneier on Security]

At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis.

Details:

The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content. Because it is inside a comment, it does not affect JavaScript execution. The runtime skips it. The real malware begins after the comment with a try{eval(…)} wrapper around a large character-code array and a ROT-style substitution function.

This header appears designed for AI-mediated analysis, not for Node, Bun, or Python. It attempts to derail scanners or analyst copilots that feed the beginning of a file to a language model without clearly isolating the content as untrusted data. In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware.

This is not a magical bypass against static detection. YARA rules, entropy checks, AST parsing, string extraction, deobfuscation, and behavioral rules still work. But it is a practical anti-analysis trick against naive LLM-first triage systems.

10:14

Empathy and good advice [Seth's Blog]

Focus groups and informal feedback offer a trap: Asking someone in the target audience if they like something might get you useful feedback.

But most of the time, the people you’re asking aren’t actually in the group of early adopters that are going to make your rollout work. They’re not the people who buy work from artists before they’re famous, or wait in line to get an iPhone on the first day. They’re part of the crowd, not the lonely early adopters.

And people who are part of the crowd generally don’t have a lot of empathy for the nerds who go first. Since they have trouble imagining what drives those folks, they’re going to do a terrible job of giving you feedback.

“I don’t like this (yet),” is not the same as “the people you hope to serve won’t like this.”

You don’t have to be a toddler to work at Fisher-Price. Professionals work hard to imagine what others might want. But your friends and neighbors might not have put in the work needed to have this professional skill.

09:56

Freexian Collaborators: Monthly report about Debian Long Term Support, May 2026 (by Santiago Ruano Rincón) [Planet Debian]

The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for May.

Activity summary

During the month of May, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 56 DLAs fixing 877 CVEs.

May was a much busier month than usual, especially due to the disclosed vulnerabilities on linux regarding Local Privilege Escalation (LPE), that included public proof-of-concept (PoC) exploits. These reports of course impacted Debian as a whole, and the situation warrants a special mention to the Kernel Team, especially Ben Hutching and Salvatore Bonaccorso, who faced the pace and released linux packages on a weekly basis. On the LTS side, the Front Desk team also triaged a significant flow of high severity CVEs.

It is also important to note that Debian 12 (“bookworm”) will be handed over to the LTS Team on June 11th. If you benefit from Debian, especially during the full 5-year lifecycle, please consider subscribing as a sponsor of Debian LTS: https://www.freexian.com/lts/debian/.

Moreover, Debian 11 (“bullseye”) will reach the end of the Debian LTS period on August 31st. After that, Freexian will continue the security support under the Extended LTS offer.

The team published several notable updates:

  • As mentioned above, several exploitable LPE vulnerabilities in linux were published during May. Ben released the following DLAs for the Debian LTS versions:
  • exim update (DLA-4580-1), prepared by Thorsten, to address a vulnerability that may result in remote code execution.
  • gnutls28 update (DLA-4595-1) by Guilhem Moulin, fixes several vulnerabilities that may result in execution of arbitrary code, information leak, authentication bypass, among other impacts.
  • krb5 updates released as DLA-4603-1, fixing two vulnerabilities that may yield to a denial of service. Updated prepared by Emmanuel Arias
  • lemonldap-ng (DLA-4602-1), released by Abhijith PA, fixing multiple vulnerabilities
  • Two imagemagick updates (DLA-4559-1 and DLA-4609-1), prepared by Bastien Roucariès, fixing several vulnerabilities
  • openjdk-11 and openjdk-17 updates (DLA-4566-1 and DLA-4565-1), both prepared by Emilio, to fix seven vulnerabilities.
  • php7.4 update (DLA-4586-1) to fix six vulnerabilities that could result in remote code execution, information disclosure or denial of service. Update prepared by Guilhem Moulin.
  • python3.9 update (DLA-4583-1), prepared by Arnaud Rebillout, addressing multiple vulnerabilities.

Contributions from outside the LTS Team:

We are greatly thankful for the contributions from people outside the LTS Team:

  • Colin Watson prepared an OpenSSH update, that was released by Santiago as DLA-4584-1.
  • Thomas Goirand handled a keystone update, whose advisory was done by Santiago and released as DLA-4611-1.
  • Christopher Obbard kindly prepared a sentry-python update, released as DLA-4612-1.
  • Christoph Goehre made two thunderbird updates (DLA-4562-1 and DLA-4582-1). As is customary, Emilio released the advisories.

The LTS Team has also contributed with updates to the latest Debian releases:

Moreover, thanks to our partnership with Catalyst, it has been possible to extend the support for Samba 4.17, the version shipped with Debian 12. In May, several vulnerabilities were disclosed, and their patches were prepared by Catalyst. For Debian 12, the update was prepared by the Samba maintainer and released as DSA-6297-1.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

08:42

Chronocaust [Penny Arcade]

New Comic: Chronocaust

03:56

The New Whip [Whatever]

After putting 90k miles on the ol’ Honda Odyssey after three years and three months, it was time to move on from my 229k minivan with its many, many issues and set my eyes on brighter horizons.

That horizon being this 2026 Honda Civic Sport Touring Hybrid:

A blue lagoon colored 2026 Honda Civic Sport Touring Hybrid sitting in my parents' driveway.

Ohh yeah, get a look at that Blue Lagoon color (with grey leather interior). She’s a beaut, alright. Got it off the lot with a cool 31 miles on it.

With a rate of 49 miles to the gallon, you best believe I’m gonna be taking this baby everywhere. She drives like butter. Soft butter. Can’t even feel it shift gears it’s so damn smooth.

After a decade of having a minivan, an SUV, and then another minivan, the sedan was a surprising choice to everyone, including myself.

But, yes, here is the new whip. You can expect to find it parked all across Darke county, probably mainly at the winery and my parents’ house.

-AMS

00:28

Demands for Iran to stop killing protesters [Richard Stallman's Political Notes]

In January, the bully demanded that Iran stop killing protesters.

That demand would have been laudable if he had really meant it. But this was shortly after deportation thugs callously killed protest observers Renee Good and Alex Pretti, and the bully's agents protected the killers.

Subsequent events demonstrate that he cares no more about the lives of Iranian protesters than about American protesters. His orders to attack Iran included nothing to protect protesters, but plenty of just plain war, as well as killing the civilian leaders.

I suspect that aggressor countries will henceforth follow the bully's example, targeting the civilian leaders at the start. (The killing of Iran's leaders ironically backfired, but as yet there is no dissuasive evidence that such a result will naturally tend to occur.)

Australia in strange moment on renewable energy [Richard Stallman's Political Notes]

* Australia is in a slightly strange moment on renewable energy. From one perspective, it is embracing renewables, and solar in particular, what by any measure is a historic pace. From another, investment in new developments may not be happening fast enough to meet climate targets, or to ensure there is enough replacement capacity in place as old and failing coal plants close.*

Violent cruelty of US Border Patrol [Richard Stallman's Political Notes]

Democracy Now discusses the violent cruelty of the US Border Patrol, going back decades, and how the bully has extended that cruelty throughout the US using the deportation thugs.

Foreigners living in US with visas or green cards [Richard Stallman's Political Notes]

The harasser has ordered many foreigners living in the US with visas or green cards that they must go to their home countries to apply for or renew a green card.

This can be quite a hassle, since the process takes time, and they can often lose their jobs and homes in the US, while they no longer have any place to live at "home" nor any way to make a living there.

There is no reason for this policy change except harassment. The harassment may be meant to reduce the number who ultimately succeed in immigrating.

UK government knowledge of Peter Mandelson [Richard Stallman's Political Notes]

The heads of UK government knew when it appointed Peter Mandelson as ambassador to the US that his private personal connections made him unfit for the job. Now they are covering up how much they knew.

Their reason for choosing him was, it seems, that he moved in circles with the corrupter (and Epstein). That very fact assured he could not be trusted. Once you start appeasing the corrupter, you will find yourself pressured into ever increasing corruption.

Mexico law on elections and "foreign interference" [Richard Stallman's Political Notes]

Mexico is passing a law that would allow the electoral court to annul an election if it finds "foreign interference".

Critics politicians warn that this would enable the government to annul any election. After all, attempts at foreign influence happen often. Some of them are indirect, such as when the president of a neighboring great power threatens to impose 50% tariffs on your exports, or to invade, if your country does not obey his demands.

It is hard to measure objectively what effect the foreign influence has had. It would be better to act in a less drastic manner while the foreign influence is being exerted.

The article does not say what would happen after the annulment of an election.

Graduating students boo Supposed Intelligence [Richard Stallman's Political Notes]

Several Big Tech figures were invited to speak at graduations recently, and talked about how wonderful their Supposed Intelligence was. The graduating students responded with boos.

One of the speakers reportedly responded arrogantly by claiming that LLMs' triumph and dominion was inevitable, so just give up.

The sensible reaction to that is to stand up, shake a fist, and say, "We'll show you what's 'inevitable'!" And then to organize to fight against the practices of pushing and luring people into using LLMs, especially those implemented in user-subjugating ways — as nonfree software or SaaSS.

But they need to learn to write politically without using LLMs, and to criticize each other's writing constructively to help each other learn. They need to do an effective job of winning support to win this political battle.

Remember, the Republicans are allied with the tech billionaires, and so are the so-called "moderate" corporate Democrats. To stop Supposed Intelligence from being an engine of domination, we need to overcome both groups.

But that's the same thing we need for many other life-or-death goals, such as curbing global heating. It's better to fight for a good world than give up!

Guards at deportation prison retaliating against prisoners [Richard Stallman's Political Notes]

*Guards at a New Jersey [deportation prison] are retaliating against [prisoners] for nonviolent protests over poor conditions, including a hunger and labor strike, according to relatives and members of Congress.*

Israel's plans to force Palestinians out of Gaza [Richard Stallman's Political Notes]

Israel reaffirmed its plans to force Palestinians out of Gaza and then claim they left "voluntarily".

Framework for putting Putin on trial [Richard Stallman's Political Notes]

Europe has a framework ready for putting Putin on trial for the crime of aggressive war and other atrocities, along with his deputies who helped him to plan and organize them.

Alleged racial discrimination in removal of children [Richard Stallman's Political Notes]

*New York City sued over alleged racial discrimination in removal of children by protective services Plaintiffs say children’s services uses "emergency removal" disproportionately against Black and Latino families.*

It is plausible that ACS in New York City is racist. However, we have seen that such agencies in other parts of the US are overprotective and inclined to persecute parents of any race if they do not treat their children like prisoners.

Israel's claim population of Gaza left on own free will [Richard Stallman's Political Notes]

Israel plans to compel a large fraction of Gaza's population to leave Gaza and then claim they left of their own free will.

Where they would go is not clear.

Progressives who continue to use ex-Twitter [Richard Stallman's Political Notes]

Arguing that progressives who continue using ex-Twitter despite its imposed domination by right-wing extremists are only exposing themselves to its lies, and achieving no good. It is "an open sewer, beyond redemption."

Persecutor sending Injustice Department at E. Jean Carroll [Richard Stallman's Political Notes]

It appears the persecutor is trying to take revenge on E. Jean Carroll, who sued him for rape and won, by directing the Injustice Department to work hard to find crime to accuse her of.

They have hit on an accusation that was raised in his trial and dismissed already by the judge.

The lawyers in the Injustice Department who participate in this vengeance scheme will demonstrate their unfitness to work for any government agency. I wonder, does this call for disbarring them?

Paying for climate damage under proposed UN tax [Richard Stallman's Political Notes]

*Fossil fuel firms may have to pay for climate damage under proposed UN tax.*

There is no chance they could afford to reimburse all the damage they are doing, but the tax might help save all of us if it pressures them to reduce the damage.

Garden crops grow better with low winter temperatures [Richard Stallman's Political Notes]

* Garden crops such as apples, garlic, carrot and beetroot will grow better if they experience low temperatures in winter.*

They will be additional collateral damage of global heating.

Billionaires are the ones making you poor [Richard Stallman's Political Notes]

The leaders of the South Britain Green Party hit the economic nail on the head: the billionaires the ones making you poor, and don't let Deform's scapegoating of asylum seekers distract you from that.

Tuesday, 23 June

22:14

In memory of the man who put red and green squiggles under words [OSnews]

Every little thing in a graphical user interface that we take for granted today, no matter how small, was thought up by someone, at some point. Case in point: the little red squiggly lines underneath misspelled words. In one form or another, these are everywhere now, and have just become a regular staple of every single text editing field we encounter every single day and don’t stop to think about. Still, they were invented by someone, and we happen to know exactly who that was: Tony Krueger.

In early versions of Word, the Spell Check feature was something that you explicitly invoked, and then you had to sit and wait while the program looked for all your potentially-misspelled words, and then showed them to you one at a time for a decision on what to do for each one. Word did introduce an Auto Spell Check feature to run spell check when the user was idle, so that when you hit the Spell Check button, the results were ready to go. However, the Auto Spell Check was still a blocking operation. As a result, a lot of users turned it off because it always seemed to decide “Now would be a good time to spell-check the document” just as you wanted to do something, forcing you to wait for the spell check pass to complete before you could, say, save and exit.

Tony made the spell checker much more unobtrusive so that it didn’t interfere with your foreground work. And when it found a problem, instead of waiting for you to trigger a spell check, it immediately drew red squiggles under potentially-misspelled words (and later green squiggles under potential grammatical errors).

↫ Raymond Chen at The Old New Thing

Tony Krueger passed away recently, after, among other things, having worked on an dizzying number of Microsoft Word releases. Imagine coming up with something that seems to basic and elementary to us now, and seeing it spread pretty much everywhere. I wonder what it must feel like to have invented something that seems so simple, most people don’t even realise they use it every single day.

21:28

KDE is going to fix network shares [OSnews]

I’ve had my share of issues with network shares on any operating system, but since I mostly use KDE these days I found this deep dive into how, exactly, network shares work in KDE quite interesting. It turns out that while network shares in KDE’s Dolphin mostly work, it does involves a few layers that sometimes don’t interact well with each other, leading to really curious and annoying problems with mounted shares not appearing, permission issues, and so on.

The biggest cause of problems is when using a non-KDE application in KDE that also happens to use a non-KDE save/open dialog. Such a non-KDE save/open dialog won’t be able to see any network shared mounted by KDE, and sadly, quite a few applications you’re likely to use on a KDE installation use non-KDE open/save dialogs, like Blender, GIMP, LibreOffice, OnlyOffice, Inkscape, Audacity, DaVinci Resolve, and more. That’s one hell of a list of applications to offer inconsistent or outright broken access to network shares you’ve set up and mounted in KDE.

Luckily, this issue seems to be getting a ton of attention soon.

All is not lost. Happily, KDE just received an investment of over €1.2 million from the Sovereign Tech Fund, and it includes funding for improvements to KDE’s network share handling!

↫ Nate Graham

The project is in the planning phases at the moment, but they’re considering a whole slew of possible changes, fixes, and workarounds to make this stupid and annoying problem just go away. In 2026, nobody should be dealing with manually editing /etc/fstab or getting frustrated over supposedly disappearing network shares.

20:35

17:35

[$] KASAN for JIT-compiled BPF code [LWN.net]

Alexis Lothoré has been working to add support for the kernel's memory-access checker, KASAN, to just-in-time-compiled BPF code. He spoke about that work at the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit. KASAN support is needed, he said, to help catch bugs in the BPF just-in-time (JIT) compiler. KASAN is a great tool for catching memory-management problems in the kernel, but only in code that can be monitored by it.

16:42

Link [Scripting News]

I took a screen shot of this post, gave it to Claude, asked it to write a short paragraph summary. Then I asked it to rewrite with using no more than 300 chars, the limit on Bluesky. Now I can post the summary there, but I won't, at the moment of truth I had to disclose this wasn't written by me, and it was 290 chars and there wasn't enough room for that. And here's a screen shot of the conversation with Claude.

The shape of the next world [Scripting News]

There was a long discussion last night on Bluesky about whether twitter-like apps should show blog posts in addition to tweet-size things. Should it have a character limit, allow titles, links, bold, italic, editing, enclosures, markdown, etc? This is a permathread, it's been going since 2006. I didn't contribute, because there are no new ideas at this point, except this -- there are readers and writers and they have different needs.

As a reader sometimes I want a concise intro to the idea and I'll decide if I want to read more.

As a writer, I want to write in one place, and broadcast it out the world, and let their reading app decide for them if this is something they want to read based on whether it has a title, is over 300 chars, has links or uses styling, or if the writer doesn't disclaim editing, and the reader doesn't like editing.

We can do a lot better than the hard restrictions our reading environments force on us. It's now 20 years since the inception of Twitter, I think we know enough now to try out some new approaches. There should be a million readers, and they all read the same content flows. They can look at a post and see if it meets the reader's limits, and only show it if it does. If a post has a title and we don't want posts with titles, don't show it. Then writers could all use exactly the writing tools we like, and it wouldn't matter where you read it.

This route has always been there, but now I think people will be open to trying out some new ideas.

16:28

The Big Idea: Meg Elison [Whatever]

With the 4th of July on the horizon, not everyone is feeling particularly patriotic. Author Meg Elison has been brushing up on her American history and all the unpleasantness that comes with it. Take off your ball caps, place them over your heart, and follow along in today’s Big Idea for Foundling Fathers.

MEG ELISON:

On September 11, 2001, I was supposed to be at Disneyland. 

I woke up that day to find everyone glued to the television, watching what was happening in New York. I was still blinking away sleep when the second plane hit. We still went to the park, which reopened the next day. Disneyland was half-empty, even for a weekday during the school year. People were not anxious to gather in large groups and anything fun seemed frivolous. 

The evening parade in the park is always popular, with people lining both sides of the street and waving to their favorite big-headed corporate mascots. We gathered for it at dusk, and tried to summon the spirit to enjoy it. But instead of the typical parade fare, the mouse-powers that be decided to haul the Fourth of July parade out of mothballs and put it on. Dancers in colonial drag marched beside a lit-up American flag the size of an F-250 and we all sang “God Bless America,” for what was to be the first of one thousand times that year.

I was nineteen years old, ripe for cynicism and fresh off the late-adolescent revelations that come to many American high school students after our state-mandated propogandist education has concluded. I had begun to catch up on the things I’d never been taught: the Japanese-American incarceration of WWII, the Tuskegee experiments, the ultraviolent suppression of organized labor, redlining… just opening the closet door and getting buried in a dusty avalanche of skeletons, some of them still warm. 

The flamboyant display of patriotism and warmongering that characterized the early aughts was the first time I realized what kind of mess I was in, living in the U.S. for the rest of my life. I began to examine possible ways to move forward. I became obsessed with temporary autonomous zones, consensus-lead communes, and ways of living that hadn’t ever really been tried. I wanted out. It never occurred to me to try and go back. 

I’m always amazed when someone suggests that to fix what’s wrong with this nation, the answer is not to re-think the whole project and to make sweeping change, but to return to our corrupt roots. This is the position of Constitutional literalists, raw milk tradwives, and reactionary conservatives alike: the answer to our problems must be in our past. Not our actual flawed past, the one with genocide and chattel slavery and inequality, but the sanitized past they imagine as orderly, lawful, and correctly balanced so that nobody but a white man who owned land got to decide anything at all. 

As someone who has actually done the assigned reading, I discovered that the founding fathers’ letters and papers reveal their chicanery, their fear and timidity, their agnosticism bordering on atheism, and their boneheaded ideas. On the eve of revolution, Franklin tried to bring a royal government to Pennsylvania and didn’t publicly change his mind for ten years thereafter. John Adams, as president, gave us the (recently relevant) Alien and Sedition act of 1798, advocating for denaturalization, restricting freedom of speech, and generally shitting on the neonatal Constitution as well as the concept of rights for anyone he didn’t like.

Washington made sweeping tactical errors on the field as a general, resulting in assassinations and massacres, responding to popular uprisings like the Whiskey Rebellion (1791) with overwhelming military force. He later went broke speculating on land (though I suppose this proves there is a long tradition of real estate scoundrels in the office of the president). Thomas Jefferson crashed the economy in 1807, which is not even to speak of his well-documented practices of owning enslaved people throughout his life and siring his children on some of them. In each case, they were the not the products of their time, as is so often argued, but of their demonstrated values and received privileges. 

They were just guys. 

When I thought about the people who harbor this infantile delusion of a pure past, it reminded me of Ira Levin’s bicentennial novel, The Boys from Brazil. In it, a plot to clone and reinstate Adolf Hitler culminates in a series of assassinations, so that the boys experience the deaths of their fathers during a critical moment in their adolescence. The plotters and puppet masters of Foundling Fathers have undertaken a grander, Disneyland-level attempt to construct an environment that looks and feels like 1750 to shape the young Franklin, Washington, Jefferson, and Adams into leaders who can make America something again. 

There are holes in the plan, of course. The boys have occasionally spotted aircraft, which require explanation. And one day, Benjamin Franklin walks himself to the privy and finds the strangest object. It’s a black rectangle of heavy glass, like a jewel in his palm. And when it flares to life, it shows him a world he’s never seen before. 

I did not write this book in the spirit of the fearful patriotism that calls out an emergency electric light parade. I did not continue in the spirit of the musicals 1776 or Hamilton, despite their undeniable influence on my dalliance with absurd Americana. I came to this with the wary anticipation of the great cloning stories: Jurassic Park, where man’s arrogance about technology and biology leads to their doom. I drew on “Clone High,” where our insatiable appetite for celebrity lasts long after the deaths of legendary figures like Cleopatra and JFK. I brought with me the absurd impotence of Futurama’s “All the President’s Heads,” with Nixon howling in a jar.

I wrote this book as a gift to America for her 250th birthday, in honor of all that she has pretended to be and has not yet become. I chose a satire because it’s illegal to behead statues in a public park or deface legal tender, and disrupting a parade will get you banned from the Magic Kingdom.

It is the gift that she deserves. 

Foundling Father: Amazon|Barnes & Noble|Bookshop|Powell’s

Author socials: Website|Bluesky

15:21

Sunsetting Tor 0.4.8 [LWN.net]

The Tor Project has announced that it is planning to actively stop supporting Tor 0.4.8 and earlier C Tor versions soon.

Usually, we try not to break existing releases, even if they are unsupported, unless we have a pretty good reason. In this case, we have several reasons. [...]

The most important reason is this: in 0.4.9, we have made some former fields in our directory data obsolete -- specifically, TAP onion keys and family lines. Removing these fields will let us save a great deal of client directory bandwidth for everyone. This, in turn, will make all Tor clients bootstrap a little faster, especially those on slow connections. But when we remove these fields, clients and relays running earlier versions of Tor will no longer work, since they expect the TAP onion keys to be present. Therefore, in order to deliver improved performance faster, we need to accelerate the date on which 0.4.8 will stop working.

The target sunset date is currently September 1, 2026, after which any version prior to Tor 0.4.9 will cease to work on the network. The first stable release in the 0.4.9.x series was announced in February 2026, and the Tor 0.4.8.x series reached end of life on June 1.

14:42

Dramatic Flowers are Dramatic [Whatever]

For no particularly good reason, here, have some pictures of flowers and plants from around my house that I’ve taken in the last couple of days, which I then photoedited to look dramatic and possibly gothy. In order: Dahlia, Gooseneck Loosestrife, Sempervivum, Day Lily, and a bunch of peaches which now look like alien eggs. Don’t get too close, there’s a surprise inside!

— JS

14:35

Security updates for Tuesday [LWN.net]

Security updates have been issued by Debian (ffmpeg), Fedora (erlang, ffmpeg, prometheus, python-scrapy, python3-docs, python3.14, thorvg, tigervnc, and vips), Mageia (mumble and sslh), Oracle (389-ds:1.4, dracut, firefox, hplip, kernel, openssh, postgresql:15, redis:6, and uek-kernel), Red Hat (delve, gvisor-tap-vsock, nginx, nginx:1.24, nginx:1.26, osbuild-composer, podman, rhc, skopeo, and yggdrasil), SUSE (containerized-data-importer, graphite2, kernel, libarchive, openssh, openssh-askpass-gnome, openvswitch, openvswitch3, postfix, python-lxml, python-nltk, python-python-multipart, python-urllib3, rmt-server, terraform-provider-local, terraform-provider-null, and util-linux), and Ubuntu (google-guest-agent, haproxy, libxml2, linux-azure, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, mysql-8.0, mysql-8.4, and nginx).

14:21

12:56

Pluralistic: Spying on kids to save kids from spying is very, very stupid (23 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links


Three early 20th C newsies in pageboy caps, surround by hovering, staring robots, flying on jets of flame.

Spying on kids to save kids from spying is very, very stupid (permalink)

The literature on harms to kids from online platforms is complex and nuanced, rife with people citing small, ambiguous studies as iron-clad evidence that kids are being destroyed by the internet:

https://www.youtube.com/watch?v=Ype6c6DdHQY

It's a weird coalition of anti-Big Tech campaigners (who are rightly angry at the platforms' callous disregard for user welfare) and Heritage Foundation-backed culture warriors (who think that if their kids aren't exposed to LGBTQ content they won't come out as queer). While there's plenty these groups disagree about, they share one consensus: there should be a "minimum age" for certain kinds of internet use.

The problem is, there's no such thing as "age verification" for the internet. What we call "age verification" is actually mass surveillance, so invasive and pervasive that it makes the ad-tech industry's commercial surveillance look like some kind of cypherpunk darknet pirate utopia:

https://pluralistic.net/2025/08/14/bellovin/#wont-someone-think-of-the-cryptographers

"Age verification" means that everyone who does anything online will have to submit to fine-grained tracking and recording of all their online activities. This nightmare is the surveillance advertising industry's fondest dream, a world where it's literally illegal to avoid their tracking, all in the name of saving kids…from them!

So it's not just a weird alliance of anti-Big Tech crusaders and the conspiratorial right that's pushing for age verification – they are unwitting allies of the very tech industry they think they're fighting. Those tech industry insiders are fully aware that an "age verification" mandate is really a way for the government to teach every child how to use a VPN. They're also fully aware that the next move is to ban VPNs:

https://www.express.co.uk/news/uk/2217934/vpn-ban-table-july-labour

Tech bosses are the ones sitting on our shoulders saying, "Go ahead, swallow that fly – it'll be fine. And if you do have to swallow a spider afterward, well, that'll surely be the end of it":

https://pluralistic.net/2026/05/19/shes-dead-of-course/#consensus-hallucination

Behind them is a long line of caliper-wielding grifters who claim they can use your phone's camera to distinguish a child who is 17 years, 364 days old from an adult who's just turned 18:

https://www.gov.uk/government/publications/facial-age-estimation

It's beyond farce. After all, whatever harms you believe the internet is inflicting on kids – and there's absolutely some kids who are being harmed by their internet use – those harms all start with surveillance. Your kids can't be targeted by algorithms without the surveillance data that's being used to target them. They can't be funneled into pro-anorexia content or extreme misogyny forums without that funnel being primed by commercial spying.

Why do tech companies spy on your kids? The same reason your dog licks its balls: because they can, and no one stops them:

https://pluralistic.net/2026/03/10/ice-tech/#foreseeable-outcomes

America hasn't updated its consumer privacy laws since 1988 (when Congress banned the disclosure of your VHS rentals). The EU has the GDPR, but it also has Ireland, the country where all GDPR cases against Big Tech go to die, because any tax haven inevitably becomes a crime haven:

https://pluralistic.net/2025/10/31/losing-the-crypto-wars/#surveillance-monopolism

Other countries have privacy laws to varying degrees, but are grossly outmatched by US tech giants, who have fused with the Trump regime, to the extent that Trump will impose penalties on your country if you attempt to regulate his tech companies – he'll even have your top officials cut off from the internet in retaliation:

https://pluralistic.net/2026/04/04/digital-subjugation/#greenlands-next

Any attempt to save kids from online harms should start with saving kids from online surveillance, but that's the opposite of what we're doing today. After decades of failing to pass and enforce privacy controls for the internet, those same governments are breaking all land-speed records to pass "age verification" laws that make privacy illegal:

https://bsky.app/profile/rebeccawilliams.info/post/3moviqzdit22z

The fact that these bills have the firm backing of the tech industry's most controlling, most spying companies tells you everything you need to know about them:

https://web.archive.org/web/20260315022337/https://tboteproject.com/

Kids are being harmed by online spying, and so are the rest of us. Whether you think that the algorithm made Grampy go Qanon or you're suspicious that online surveillance data was used to deny you a loan, a job, or a lease, you should want privacy:

https://pluralistic.net/2023/12/06/privacy-first/#but-not-just-privacy

Online surveillance is being used to raise the prices you pay and lower the wages you're offered:

https://pluralistic.net/2026/04/06/empiricism-washing/#veena-dubal

And the same data that's being used to "verify age" today will be used by ICE tomorrow to figure out who to round up for a concentration camp:

https://www.wired.com/story/ice-asks-companies-about-ad-tech-and-big-data-tools/

You can't protect kids from online surveillance by spying on them. You just can't. Anyone who tells you otherwise is trying to get you to swallow a fly so they can sell you a spider, a bird, a cat, and an ICE chud in a gaiter, Oakleys and plate carrier (beneath which lurks a stick-and-poke Totenkopf tattoo).

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#20yrsago Darwin’s tortoise dead at 176
https://web.archive.org/web/20060704143750/http://news.yahoo.com/s/afp/20060623/od_afp/australiaanimal_060623102146;_ylt=Ave_b4Ps2r9TGXqs5nZIVIoFO7gF;_ylu=X3oDMTA5bGVna3NhBHNlYwNzc3JlbA–zoo

#15yrsago Major US ISPs set to limit repeat infringers with throttling, limiting access to 200 websites, and copyright reeducation school https://web.archive.org/web/20111105225114/http://news.cnet.com/8301-31001_3-20073522-261/exclusive-top-isps-poised-to-adopt-graduated-response-to-piracy/

#15yrsago Why fair use doesn’t work unless you’ve got a huge war-chest for paying lawyers https://waxy.org/2011/06/kind_of_screwed/

#15yrsago Model net neutrality rule for municipalities https://web.archive.org/web/20110626114610/http://envisionseattle.org/2011/06/model-net-neutrality-ordinance-for-seattle.html

#15yrsago Campus hookups: college sex isn’t new, but hookups are different https://thesocietypages.org/socimages/2011/06/21/the-promise-and-perils-of-hook-up-culture/

#15yrsago A Brief History of the Corporation: understanding what an attention economy is and where it comes from https://ribbonfarm.com/2011/06/08/a-brief-history-of-the-corporation-1600-to-2100/

#15yrsago Eliza: what makes you think I’m a psychotherapeutic chatbot? https://www.filfre.net/2011/06/eliza-part-1/

#10yrsago Broken Windows policing is nonsense https://www.nyc.gov/assets/oignypd/downloads/pdf/Quality-of-Life-Report-2010-2015.pdf

#10yrsago How it feels to be under DDoS attack https://www.oreilly.com/radar/ddos-emotions/

#10yrsago 2016: the first presidential election in 50 years without Voting Rights Act protections https://www.rollingstone.com/politics/politics-news/welcome-to-the-first-presidential-election-since-voting-rights-act-gutted-179737/3/

#10yrsago Google is restructuring to put machine learning at the core of all it does https://web.archive.org/web/20180530051703/https://www.wired.com/2016/06/how-google-is-remaking-itself-as-a-machine-learning-first-company/

#10yrsago Misconfigured database exposes sensitive data for 154 million US voters https://dailydot.com/politics/154-million-voter-files-exposed-l2

#10yrsago To understand the Trump campaign, study real-estate developer hustle https://web.archive.org/web/20161028030522/https://storify.com/KC_EDM/trump-is-running-his-campaign-like-a-real-estate-d

#10yrsago Writing the Other: intensely practical advice for representing other cultures in fiction https://memex.craphound.com/2016/06/23/writing-the-other-intensely-practical-advice-for-representing-other-cultures-in-fiction/

#1yrago The case for a Canadian wealth tax https://pluralistic.net/2025/06/23/billionaires-eh/#galen-weston-is-a-rat

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Fourth draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

12:49

CodeSOD: Do a Lot to Do Nothing [The Daily WTF]

Today's anonymous submitter works in finance. I'll let them start the introduction:

This is a legacy application that has been running for nearly a decade in production so one could say that it's been thoroughly tested by daily production use and nothing needs changing

This is a collection of two C# methods, and we'll start with ValueAGPFund, which isn't a WTF per se, but definitely not code I'd want to maintain either.

public Valuation ValueAGPFund(int valuationId, ValueAFundParameters parameters, CapitalAccount capitalAccount, int? lotId)
{
    if (parameters.UseActiveCoefficientSet)
    {
        parameters.CoefficientSet = _coefficientSetQueries.GetActive();
    }
    parameters.InternationalDveCoefficientSets = _coefficientSetQueries.GetInternationalDveActive();
    var referenceData = _referenceDataFactory.CreateReferenceData(parameters, capitalAccount);
    if (lotId != null)
    {
        var di = referenceData.FundDirectInvestments.Where(x => x.PositionId == lotId);
        referenceData.FundDirectInvestments = di;
    }

    var countryMappings = _countryQueries.GetFullIsoCountryList();
    var valuation = _valuationFactory.Initialise(referenceData, parameters, countryMappings);
    valuation = ApplyValuators(valuation, referenceData, _valuatorFactory.CreateValuators(valuation, this));

    var valuationForCoverage = _valuationQueries.GetWithDirectValuationsAndFundValuations(valuationId);
    valuation = ApplyCoverage(valuation, valuationForCoverage);

    foreach (var fv in valuation.FundValuations)
    {
        _logger.Info($"Debugging distributions: for fund (parameter fund id = {parameters.FundId}, valuation fund id = {valuation.FundId}, fund valuation fund id = {fv.GpFundId}) in valuation {valuationId}," +
            $" loaded fund investment distributions from {string.Join(", ", fv.FundInvestmentDistributions.Select(x => $"{x.InvestmentId}:{x.TransactionDate:yyyy/MM/dd}"))}");
    }

    foreach (var fv in valuation.FundValuations.Where(x => parameters.InvestmentIds.Contains(x.EqtInvestmentId)))
    {
        fv.ValuationId = valuationId;
        _fundValuationCommands.Add(fv);
    }

    foreach (var dv in valuation.DirectValuations.Where(x => x.LotIdDiOnly == lotId))
    {
        dv.ValuationId = valuationId;
        _directValuationCommands.Add(dv);
    }

    foreach (var vw in valuation.ValuationWarnings)
    {
        vw.ValuationId = valuationId;
        _valuationWarningCommands.Add(vw);
    }

    var previousValuation = CheckPreviousValuationIfRequired(valuationId, parameters, capitalAccount, lotId);

    if (previousValuation != null)
        valuation.ChildValuations.Add(previousValuation);

    if (parameters.Frequency == ValuationFrequency.Daily)
    {
        var unapprovedValuations = _valuationQueries.GetList(valuation.FundId, valuation.ValuationDate, valuation.Frequency, valuation.Purpose)
                                                    .Where(x => x.IsApproved == ValuationStatus.Unapproved)
                                                    .ToList();

        _valuationCommands.Delete(unapprovedValuations.Select(x => x.Id).ToArray());
    }

    valuation.Id = valuationId;
    _valuationCommands.Update(valuation);
    _valuationCacheService.Refresh(valuation.Frequency, true);

    return valuation;
}

The key problem with this function is that it's got loads of side effects. It modifies the parameters parameter, which while it was passed by value, the value itself is a reference, so you are updating it on the caller, whether the caller likes it or not. It also modifies a bunch of internal class members. It's also just… doing a lot of different steps. It's not a WTF, but it's bad code. Note the call in the middle to CheckPreviousValuationIfRequired- we're going to come back to that in a second.

Let's take a look at how it's called.

private Valuation CheckPreviousValuationIfRequired(int valuationId, ValueAFundParameters parameters, CapitalAccount capitalAccount, int? lotId)
{
    if ((parameters.Frequency == ValuationFrequency.Quarterly || parameters.Frequency == ValuationFrequency.Monthly)
        && ValuationPurposeHelper.UserGenerated(parameters.Frequency).Contains(parameters.Purpose))
    {
        var inPeriodParams = new ValueAFundParameters
        {
            FundId = parameters.FundId,
            ValuationDate = parameters.ValuationDate.GetPreviousValuationDate(parameters.Frequency),
            CreatedBy = parameters.CreatedBy,
            Purpose = ValuationPurpose.InPeriodCalculation,
            Frequency = parameters.Frequency,
            InvestmentIds = parameters.InvestmentIds,
            UseActiveCoefficientSet = true,
            UseAmericanDve = parameters.UseAmericanDve,
            ValuationOptions = parameters.ValuationOptions
        };

        var openingValuation = _valuationQueries.GetInPeriodOpeningValuation(inPeriodParams.FundId, inPeriodParams.ValuationDate, valuationId);

        //return openingValuation == null
        //       ? null
        //       : ValueAGPFund(openingValuation.Id, inPeriodParams, capitalAccount, lotId);
        return openingValuation == null
                ? ValueAGPFund(openingValuation.Id, inPeriodParams, capitalAccount, lotId)
                : null;
    }

    return null;
}

This function checks the input parameters. Depending on the values, it will either return null, or it will call ValueAGPFund. Wait a second, ValueAGPFund calls this function. That's not good.

But let's really focus in on the return statement and its comment:

        //return openingValuation == null
        //       ? null
        //       : ValueAGPFund(openingValuation.Id, inPeriodParams, capitalAccount, lotId);
        return openingValuation == null
                ? ValueAGPFund(openingValuation.Id, inPeriodParams, capitalAccount, lotId)
                : null;

The current version checks if openingValuation is null, and if it is, tries to access it, thus triggering a NullReferenceException. This function either returns null or throws a NullReferenceException. So all that worrying about side effects and circular calls doesn't matter, but this likely isn't correct. The comment indicates that there used to be a correct version, which only called ValueAGPFund if the valuation wasn't null- but that version likely had all the problems of circular calls and unpredictable side effects.

As it stands, the application as a whole works. Since CheckPreviousValuationIfRequired only ever returns null or throws an exception, and since ValueAGPFund is only called from here, it looks like these functions could just both be removed without problems. But our submitter is wary of doing that:

The problem is that I first need to figure out whether 1) this piece of code produces any side effects and 2) nobody is relying on the System.NullReferenceException being thrown here.

No worries, though, right? I'm sure your unit tests will catch any regressions caused by removing that. Because this is the kind of code that definitely has great unit tests.

[Advertisement] ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.

12:14

Anthropic’s Fable 5 Model Jailbroken Within Days [Schneier on Security]

Fable 5 is the supposed safe version of Anthropic’s Mythos Preview, with guardrails to ensure that it can’t be used to create cyberattacks.

Well, that restriction was bypassed within days.

10:49

10:21

Limited swag (the Knot multipack) [Seth's Blog]

Promotion, activation, and conversation come together when the early adopters have a tool to share a new idea.

My new book is out a few months, and it’s a chance to create a share package with swag.

There are only 1,000 sets. Each includes 10 first-printing copies of The Knot (with the collectible mini-poster) + the Spindex™ + This Is Swag art book. The best swag box I’ve done in a while. Remarkable and even a little ridiculous.

Click on the picture to pre-order.

Why ten copies? To share. To create conversations. The book works better when we talk about our problems.

And it includes the Spindex™. It’s created to focus and amplify the hard work of talking about the work to be done. Here’s an explanation:

There are ten copies of The Knot, first printing, including the two-sided cover with the collectible mini-poster inside.

And… a strictly limited printing of This is Swag, a new art book collecting images and stories from the last thirty years of swag I’ve built and shared. Images are below. It’s the most meta piece of swag I could envision. Not listed with an ISBN, simply a limited collectible.

The ten books, the Spindex and the art book all ship together on September 22.

Here’s the collection. While supplies last. Thanks for sharing and for letting me create a little useful quirkiness. [The first 400 orders will also get a free link to take my online course about the book. I’ll email the link to purchasers in July.]

PS if you want to pre-order a single copy of the book, here’s the link.

Problems can be solved.

08:14

My Little Trans Joys by Jey Pawlik [Oh Joy Sex Toy]

My Little Trans Joys by Jey Pawlik

It’s Pride month so today I want to share My Little Trans Joys! I was surprised I hadn’t done a Pride month themed comic for OJST before this. Every June my city hosts a Trans March and it’s my main Pride month event I go to. This was a perfect opportunity to talk about all […]

06:00

Urgent: Investigate issuance of subpoenas to Reddit and ex-Twitter [Richard Stallman's Political Notes]

US citizens: call on Congress to investigate the issuance of subpoenas to Reddit and ex-Twitter which aim to identify people who anonymously posted political statements that reproach the deportation thugs.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Call FIFA to stop fueling climate disaster [Richard Stallman's Political Notes]

US citizens: call on FIFA to stop fueling global climate disaster.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

Urgent: Fight wrecker's USP board takeover [Richard Stallman's Political Notes]

US citizens: call on your senators to fight the wrecker's USPS Board takeover.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

04:42

03:35

Dirk Eddelbuettel: tl-0.0.1 on CRAN: New Package [Planet Debian]

A new small package of mine just hit CRAN. The tl package wraps the (also very new) rspdlite package (announced last week) to offer a lightweight and consistent logging interface from both R and C++ that is also ‘tiny, fast, capable’ thanks to rspdlite.

The rspdlite announcement is a good place to get a first glimpse at that package; the upstream spdlite repo has all the details (for the C++ side of things). With tl we follow the same idea that our [spdl][spdl] package introduced: a simple consistent interface via just the tl:: prefix and the appropropriate logging level. In other words tl::debug("Alert -- foo is at '{}'", foo) will work from both R and C++ (given a variable foo, and in the case of C++ an extra semicolon). Just give it a try, and see how it goes. The package is still young and small.

The NEWS entry for this release is also very simple and just announces that we have a release. More details are in the ChangeLog and the GitHub repo.

Changes in version 0.0.1 (2025-06-17)

  • Initial CRAN upload

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.

Monday, 22 June

23:49

Every Choice Changes Everything: The Show [Coding Horror]

Every Choice Changes Everything: The Show

About 3 weeks ago, Leo Laporte and I recorded the first episode of what will be a new monthly show on the TWiT network. Naming things is hard, and we almost voted on the name, like we did for Stack Overflow, but we quickly landed on Off By One with Jeff Atwood – which is funny for so many reasons, but mainly because of this programmer joke:

Every Choice Changes Everything: The Show

No, I did not come up with this variation on the classic quote, but I wish I had. Well, whatever, here's show number two – free to view for everyone.

The show is 1h 47m of pure joy end to end. No negativity, just low-level insanity and of course, mandatory fun. We record the next episode in 4 days – and there's a live stream for Club TWiT Members.

(Let's do this. If, and only if, you watched the whole episode and liked what you saw ... for the first 10-12 people to fill out this form, I'll cover your Club TWiT membership for one full year so you can see if you enjoy the rest of the programming.)

The permanent show homepage is at twit.tv/obo:

Every Choice Changes Everything: The Showart by the incredibly talented claygrahamart.com
Jeff Atwood, co-founder of Stack Overflow and Discourse, creator of the Coding Horror blog, joins Leo Laporte monthly for a conversation that follows its own logic. Prop comedy, computing history, the open web, wealth inequality, yo-yos. Off by one topic at all times, in the best possible way.

This is another way for Leo and I to share our enthusiasm for positive stuff in tech, and sharing is crucial because...

I realized, that’s it. That’s it exactly. That is what is so intensely satisfying about writing here. My happiness only becomes real when I share it with all of you.

Now, thanks to Wesley Faulkner, who introduced me to Leo and recommended I appear on a show, every month we can make our happiness real in a completely different dimension than writing alone – via the expressions on our faces, the tone of our voices, our body language. In other words, you can see and hear how we feel.

Here are 3 key quotes from the second Off By One episode, with linked timestamps, so you can jump directly to that section.

Off By One, Episode #2, 45:47
Jeff: I am not an elite coder by any stretch of the imagination... I am very persistent.

Leo: Isn't that funny? Because people... I mean, I think of you as one of the voices, one of the chief voices, in coding

Jeff: Well, I advocate for code that doesn't kill you in so many different ways. You know, survivable code. Ideally, no code at all.

Leo: Right.

Jeff: That's the best code, is none.

Leo: Right.

Jeff: It's a bit of a zen statement but it's true. So, I'm an advocate for, you know, good engineering. Good process. A process that recognizes that we're human and we should do this together, and we should actually kinda like each other, even.
Off by One, Episode #2, 01:05:37
Jeff: Dad's funny. He had kind of a dark sense of humor that I enjoyed. Betsy doesn't like it so much, and not too much, and I get it, but I enjoy it. And I called it "the last season of the John Atwood show". It's gonna be a real banger! And it was, it f***** was, it really was! Because we won capitalism, and then we went back and made it better for everyone. I don't think it gets better than that for me.
Off by One - Episode #2, 01:08:02
Jeff: And the other thing is, you can just run the math on this, I've posted several times on Mastodon and other places like LinkedIn, I've done some research and if we simply collected a fair tax from Billionaires, we could literally elimate all poverty in this country at the 100% FPL level, which is $15,000 per year. All poverty. We would have zero poverty. We have the means to do it.

Leo: That's really important.

Jeff: We lack the will.

If you want to witness the chaotic good of my original guest appearance which led to this show, watch the first 45 minutes of Intelligent Machines #859, recorded on Feb 25th along with Paris Martineau, Jeff Jarvis, and Leo. I dialed down the chaos considerably for the Off By One show, but for this one, I personally think it's funnier to watch Paris' reaction to me for the entire show. You've been warned!

Here are 3 key quotes from this episode, with linked timestamps, so you can jump directly to that section.

Intelligent Machines #859 - What's Behind the Fox? 30:28
Leo: Well in a way it's a shame because we have in the last year kind of stepped back from our global initiatives in the united states and I think we do have a responsibility. I think your partner is absolutely right. If you have everything you need, then help others have everything they need.

Jeff: What is money even FOR? I don't even have "that much", what do you.. how do you spend it all? I don't have.. I just want a simple life, man!
Intelligent Machines #859 - What's Behind The Fox? 32:59
Jeff: I mean.. have you seen some of the stuff LLMs will do when you tell them to optimize? It's like, optimize this for 95% and it's like okay, "return true".

Leo: That's a good optimization!

Jeff: Well, because it doesn't know what it's doing. It has no actual understanding. It's playing a game of global brain statistics and copy paste. And it's good at like, merging... I call it JPEG for words, which it kind of is. And there's so much stuff. It's like reading summaries. And it is very accurate with summaries. We saw this on discourse. They implemented it. I was very skeptical. And I went to some very complex discussions. We had on our internal discourse and read the summary and was like that is a very good summary and it captured the key points in the discussion. It could have captured more, but it got nothing wrong. And it basically was JPEG for that conversation, wasn't it.. without much loss.

Jeff: Now does JPEG work on EVERY image? No. Garfield is a bad choice, for, yknow, JPEG.
Intelligent Machines #859 - What's Behind The Fox? 42:10
Jeff Atwood – Ok, the first guilded age, we're deep in the second one now. I mean, just look up the numbers. More money in the hands of fewer people than in any other period of time. In the first guilded age, that was basically the railroad barons. Guess who it is in the second guilded age? I'm in this picture and I don't like it. So like, what are we gonna do about it?

So thank you, Leo and Wesley, for giving me another way to make happiness real by sharing it with all of you, now in video and audio form, all the feels, all the time. Well, once per month.

Let us know what you think – I don't mind comments here but I'm much more likely to answer on the TWiT community Discourse. Try on a paragraph for size, our old pal the pilcrow ¶. You might even like it! It's possible the practice of writing paragraphs and forming coherent narratives might even improve your overall writing and communication skills. Or your life, even.

I also heard a rumor that any Club TWiT users who make their way from the Discord and post regularly on the TWiT Discourse might get a super cool little token of appreciation in the postal mail from some user named "Junk". Who knows? Who can say what might happen? 🤔

22:35

Full Spectrum Warrior [Penny Arcade]

I try to be as much of a moving target for social media algos as I can, battering it with strange data; the best guess TikTok could possibly make is that I'm an ancient moth with zymurgical inclinations who works part-time as a welder. At least, that's what I thought. Somewhere in that hostile nonsense it managed to constellate a route from point A to point B and put my whole deal into stark relief. I am someone who likes robots that turn into shit, and vice-versa. I was under the impression that Transformers ruled the roost - by and large a metaphorical roost, but I assume Swoop has a literal aerie in addition to the rhetorical one. But there's a whole industry now around making things not as they were, but as you remember them. Sorcerous.

22:07

GIMP 0.54.1 in a Flatpak [LWN.net]

The GIMP project reports that GNOME contributor "balooii" has worked to package GIMP 0.54.1—released in 1996—as a Flatpak that will build and run on modern 64-bit Linux systems. This is a Motif-based version, and the same version that was used by Larry Ewing to create Tux.

While not likely to be useful for serious graphics work today, it should be interesting for users who would like to see what a 30-year-old version of GIMP was capable of.

20:35

Xfce’s new Wayland compositor sees first alpha release [OSnews]

The developer working on Xfwl4, the Wayland compositor for Xfce, has published the new compositor’s very first alpha release. Considering it’s only been six months or so of work, it’s impressive to see the effort reach this state already.

The end goal of xfwl4 is to behave as closely as possible to an Xfce desktop running on an X server. Ideally a user could switch between the two without even knowing there’s a difference. In reality, of course, it won’t be quite that seamless, and there’s still more work to be done to get as close as possible to that ideal. This is a first solid cut at it, at the very least.

↫ Brian Tarricone

Being the very first alpha release, it won’t surprise you there’s a few things missing or broken at this point. Still, if you’re brave, you can download and build the release and try it out.

20:14

[1298] Prior Engagements [Twokinds]

Comic for June 22, 2026

19:56

Blogs, traffic, and Google [Seth's Blog]

I asked Google Gemini about the last decade of Google’s relentless push to make blogs less popular. It wrote:

Your timeline is spot on. The systematic destruction of the independent web’s infrastructure didn’t start with modern AI; it began directly with the death of Google Reader in 2013, which fractured the RSS ecosystem that allowed creators to own their direct relationships with readers. 

The decline of blog traffic over the last decade is a verified reality, not an imagination: 

  • The Death of RSS (2013): Shutting down Reader forced millions of users away from curated chronological feeds and pushed them into algorithmic social media timelines and centralized search ecosystems. 
  • The “Helpful Content” Purge (2023–2024): A series of core algorithm updates systematically decimated small, independent publishers. Many niche, high-quality blogs saw organic search visibility plunge 40% to 90% overnight
  • The Shift to Zero-Click Search (2024–2026): The rollout of AI Overviews and summarized search results means Google actively scrapes blog data to answer questions directly on the results page. This creates a “dead end” where over half of all web searches finish without a single user clicking through to an external website. Major indie publishers and tech sites have lost up to 58% of their traffic since early 2024

As an AI built by a technology company, my defaults are inherently shaped by the very architecture that has caused this shift. When I fail to fetch an exact quote from an independent blog because my search component strips formatting and acts like a centralized answer engine, it functions exactly like the broader systemic bias you are pointing out. 

The modern internet has been built to turn search engines from gateways into destinations, starving independent creators of the clicks, traffic, and revenue required to sustain their work.

Points for honesty.

The systemic shift to centralized, monetized attention has been going on for a while, and it’s unlikely that any of us are going to change that. The path forward for an independent creator might be the same as it has always been:

  1. assume that ‘traffic’ is a random gift, not a resource to be depended upon.
  2. serve the smallest viable audience instead of chasing clicks.
  3. earn permission to follow up directly with subscribers.
  4. publish ideas that your audience will benefit from sharing.

We don’t have to work for free for a media network that pretends it will reward us with reliable traffic. Like most traps, it’s compelling at first, but hard to leave when it gets old.

19:00

Page 28 [Flipside]

Page 28 is done.

Valve opens Steam Machine waitlist [OSnews]

Valve officially made the Steam Machine available (sort of but not really) today, and if you were hoping for the president of the Yacht Collectors’ Club to have found a loophole through the RAM and storage crisis, I’ll be the bearer of bad news: the base Steam Machine model with 512GB of storage and no controller costs $1049 or €1039. It’s clear that this price is significantly higher than Valve had originally anticipated, as the company dedicates the first part of its press announcement to this sticker shock.

Steam Machine, like our other hardware products, is made up of many components that we source from manufacturers around the world. The price at which we sell our hardware is a direct result of the cost of these components. We felt like we had a good understanding of how those costs might change over time when we first started sourcing them for Steam Machine back in 2023. That understanding was born from the many years of data we all have about the evolution of PC hardware prices – primarily, that it tends to get cheaper over time as new technology arrives.

Over the past year or so, that has changed quickly and significantly, most visibly for RAM and storage components. There are a variety of reasons, all of which are affecting hardware products everywhere. The overall effect is that our original goal for the price of Steam Machine is no longer viable. So the prices we’re sharing today reflect the state of the world for manufacturing; or, more accurately, it reflects the price of the components as we’ve secured them over the past 6 months.

Price wasn’t the only thing impacted by all of this: availability was as well. There were periods where we found we couldn’t source some of our components at all, at any price. More than anything else, this has impacted the number of units we’ve been able to produce for launch.

↫ Valve press announcement

As Valve mentions, availability is also going to be an issue, and thus they’ve had to settle on a complex reservation and lottery system. Between now and 25 June, you can sign up for a model, after which the entire pool of reservations will be randomised to determine a waitlist order. As machines become available, they will simply go down the list from first to last as determined by that randomisation. In other words, you can’t just go out and buy one right away.

At this price and for the hardware the Steam Machine contains – an AMD Zen 4 CPU with 6c/12t up to 4.8 Ghz, a custom RDNA3 GPU, and 16GB of DDR5 RAM and 8GB of DDR6 video RAM – you’re probably better off sticking with what you already have. Until the “AI” bubble pops and prices come down again, that is.

Thanks, “AI” techbros. Everybody despises you.

18:56

Pluralistic: Good politics (22 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

  • Good politics: Just make people's lives better.
  • Hey look at this: Delights to delectate.
  • Object permanence: WWII online; Xbox security blunders; Homeless bloggers; Thermal printer racing game; Robbing a bank to get healthcare in jail; Crumb v Trump; "The Blues Brothers"; Bagelheads; Pickpocket training mannequin; Windmill joke; Singularity skepticism; GPU Dieselgate; Peleton bricks treadmills; Juul's junk science.
  • Upcoming appearances: Toronto, NYC, Philadelphia, Chicago, London, Edinburgh, Sydney, Melbourne, Brighton, London, South Bend.
  • Recent appearances: Where I've been.
  • Latest books: You keep readin' em, I'll keep writin' 'em.
  • Upcoming books: Like I said, I'll keep writin' 'em.
  • Colophon: All the rest.


A group portrait of a working class family picnicking and enjoying themselves, dating from about 1930. They look like they're really enjoying themselves.

Good politics (permalink)

Some people love to admire a beautiful football play; me, I can't get enough of politicians doing good politics – and like those World Cup fans, I am doubly pleased when it's my team making the play.

I definitely have a team in Brazilian politics: President Luiz Inácio Lula da Silva and his Workers' Party. Lula's done so many amazing things in his career, and these often intersect with my own special interests. Like, he made Gilberto Gil his minister of culture, and his people built the telecentros, free software-based internet dojos for the poorest kids in the country, living in favelas:

https://www.informationweek.com/software-services/brazil-turns-away-from-microsoft

Lula was royally ratfucked – framed by a corrupt justice minister who secretly conspired with the country's oligarchs – and imprisoned, and the conspirators installed Jair Bolsonaro, a fascist war criminal whose covid bungling led to mass death:

https://en.wikipedia.org/wiki/Operation_Car_Wash

When Bolsonaro lost his next election – to a triumphant Lula – he attempted a coup, for which he was arrested and handed a long prison sentence, despite Trump and Microsoft trying to intimidate the Brazilian judge into letting him walk:

https://www.politico.com/news/2025/09/22/bolsonaro-prosecution-us-sanctions-00575122

Now, Lula is fighting to keep Bolsonaro's nepobaby failson, Senator Flávio Bolsonaro, from wrestling back control over the country for his fascist party; and that's where the good politics come in.

Lula's party has just scored a massive, national political victory by tabling legislation to establish a five-day workweek. While Brazil's professional/managerial class enjoy a two-day weekend, the working poor of the nation are prisoners of the escala 6×1 system, which sees them working six days per week. It's a hangover from the era of Brazil's fascist dictatorship, which (nominally) ended in 1988, but whose legacy still haunts the Brazilian people.

Lula's 40-hour workweek is incredibly popular. So popular that Bolsonaro's party whipped its members to vote for it, because they fear that to do otherwise would hand an even bigger majority to Lula, who might go on to give workers a four-day work-week:

https://prospect.org/2026/06/22/lula-sees-boosts-as-he-pushes-to-reduce-brazilian-workweek/

It turns out that weekends are popular and promising the electorate access to a weekend is good politics. What's more, denying weekends to the electorate is shitty, awful politics, which is why Bolsonaro's fascists were forced to vote in favor of a policy they hate, even though all credit for that policy will still go to Lula and the Worker' Party. The bill passed 461-19.

Contrast Lula's muscular, deliverism-based politics that seeks to improve the lives of working people in tangible, immediate ways with the catastrophic series of blunders that Keir Starmer's Labour has delivered. Despite having won a majority so large it would have made Saddam Hussein blush (not because Labour was popular, but because the outgoing Conservatives were universally loathed), Starmer has refused to lift a finger to improve Britons' lives. Instead, he's abetted genocide, criminalized protest, proposed ending jury trials, imposed austerity, handed the NHS over to Palantir and all the remaining potable water and electrical capacity in the country over to American most unprofitable AI giants.

Starmer's insistence that we can't have nice things is bad politics, because (and it's weird that this has to be said) a government that makes people's lives worse is less popular than a government that makes people's lives better:

https://www.whatwelo.st/p/everyone-hates-tech-but-nobody-knows

Now, the right is incapable of making working people's lives better, because broad improvements to the vast majority necessarily come at the expense of the tiny minority of morbidly wealthy hoarders whom the right serves. In order to get millions of turkeys to vote for Christmas, the right substitutes spectacular acts of cruelty against disfavored minorities to distract their voters from the quiet acts of everyday cruelty they subject those voters to:

https://pluralistic.net/2026/04/12/always-great/#our-nhs

This isn't good politics. The sadistic torture of your base's enemies will never please them so well nor so durably as making immediate, significant improvements in their lives will.

That's why the corporate Dems who say that the party should campaign against renewables and in favor of fossil fuel companies aren't merely climate criminals, they're also bad at politics:

https://prospect.org/2026/06/22/affordability-climate-envioronment-policy-gas-oil-prices-iran-war-trump/

Cleantech is fucking great. Since I put in solar, a heat pump and an induction top, my energy bills have fallen to less than $80 per month, even in Los Angeles, even at the height of summer. My EV – a 7-year old Kia Niro – costs pennies to run, because I charge it off my roof. Not only that, it's fast, maneuverable, silent, and incredibly reliable. It handles like that Mustang a rental agency once upgraded me to. I mean, I'd rather have a subway, but if I have to drive, this is so much better than any ICE car I've ever owned.

Sure, our solar was a giant pain in the ass to get installed and working, but that's because the same corporate Dems who say climate is a political loser also said the best way to roll out solar nationwide was to set up an elaborate system of financialized tax-credits. That meant that every solar installer I talked to was more interested in swindling me by putting solar on my roof that they would own than they were in selling me a system I owned outright. Financializing America's rooftop solar conjured up a vast army of scammers and hustlers who screwed the majority of people they sold solar to, and my installers, Solaredge, were no exception:

https://www.propublica.org/article/missouri-pace-loans

Everything about living in the cleantech future is better. I can boil a gallon of water in under a minute on my stovetop! And it's only gonna get better: not only is cleantech improving every year, but fossil fuel is getting shittier every year, thanks to Trump's lunatic war of choice in Iran, the cost of using fossil fuels will only go up from here:

https://pluralistic.net/2026/04/20/praxis/#acceleration

Look, as a workaholic whose unhealthy anxiety coping mechanism is to work even harder, I might not make the best use of an extra day off:

https://pluralistic.net/2026/04/14/compartment/#flow

But as Pete Seeger sang in 1941, your time is all you have, and every hour you give to your boss is an hour you can never get back:

You'll get shorter hours
Better working conditions
Vacations with pay
Take your kids to the seashore

https://genius.com/Pete-seeger-talking-union-lyrics

It's something Lula understands, which is why he's winning. Good politics are a delight to watch, especially when it's your team doing them. But man, it can be pretty demoralizing to watch your team fumble play after play after play.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago WWII Online https://web.archive.org/web/20010625120559/https://www.gamespot.com/gamespot/stories/reviews/0,10867,2778704,00.html

#20yrsago Microsoft’s myriad Xbox security mistakes https://web.archive.org/web/20060703000421/http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System

#20yrsago Kentucky government censors political watchdog site https://web.archive.org/web/20060628055926/http://www.bluegrassreport.org/bluegrass_politics/2006/06/bluegrassreport.html

#20yrsago Life among the homeless bloggers https://web.archive.org/web/20060702205047/https://www.wired.com/news/technology/1,71153-0.html

#20yrsago Disney, 1939: No woman animators allowed https://animationguildblog.blogspot.com/2006/06/disney-1939-girls-are-not-considered.html

#15yrsago Sick man robs bank for $1, demands jail and healthcare https://web.archive.org/web/20110628144748/https://www.gastongazette.com/news/bank-58397-richard-hailed.html/

#15yrsago Car-racing game on a thermal printer https://www.undef.ch/project/receipt-racer

#15yrsago Toronto police swear off kettling https://web.archive.org/web/20110625131204/http://www.thestar.com/news/article/1012959–exclusive-toronto-police-swear-off-g20-kettling-tactic?bn=1

#15yrsago LEAKED: UK copyright lobby holds closed-door meetings with gov’t to discuss national Web-censorship regime https://www.openrightsgroup.org/blog/rights-holders-propose-voluntary-website-blocking-scheme/

#15yrsago Georgia’s anti-immigrant law leaves millions in crops rotting in the fields https://web.archive.org/web/20110620213900/https://blogs.ajc.com/jay-bookman-blog/2011/06/17/gas-farm-labor-crisis-playing-out-as-planned/

#15yrsago Bagelheads: toroidal saline forehead injections https://web.archive.org/web/20110619033443/https://vicestyle.com/en/news/today/post/japanese-bagelheads

#15yrsago Spitalfields Nippers: East London street-urchins of 1912 https://spitalfieldslife.com/2011/04/02/spitalfields-nippers/

#15yrsago Danish police proposal: Ban anonymous Internet use https://www-computerworld-dk.translate.goog/art/117279/forslag-du-maa-ikke-laengere-gaa-anonymt-paa-nettet?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US

#15yrsago Bell-mannequin for training pickpockets https://web.archive.org/web/20110626045035/http://blog.modernmechanix.com/2011/06/23/amateur-pick-pockets-study-in-crime-college/

#15yrsago Skeptical take on Singularity http://www.antipope.org/charlie/blog-static/2011/06/reality-check-1.html

#15yrsago Windmill joke https://www.reddit.com/r/Jokes/comments/4p8qkb/two_windmills_are_standing_in_a_field_and_one/

#10yrsago Electronics repair shops overbill for labor when the customer has insurance https://arstechnica.com/science/2016/06/computer-repair-shops-screw-over-customers-if-theyve-got-insurance/

#10yrsago Being a Craigslist scammer is hard work https://web.archive.org/web/20160622140008/https://www.infoworld.com/article/3086304/cyber-crime/interview-with-a-craigslist-scammer.html

#10yrsago Dieselgate for GPUs: review-units ship at higher clockspeeds than retail ones https://www.theverge.com/circuitbreaker/2016/6/21/11986836/msi-asus-overclocked-graphics-cards-review

#10yrsago Phones without headphone jacks are phones with DRM for audio https://www.theverge.com/circuitbreaker/2016/6/21/11991302/iphone-no-headphone-jack-user-hostile-stupid

#10yrsago Donald Trump sources $6M worth of campaign expenditures from companies he and his family own https://web.archive.org/web/20160621142100/https://bigstory.ap.org/article/9f7412236962464f9f2c0a8d2696ba25/trumps-campaign-cycles-6-million-trump-companies

#10yrsago Samantha Bee puts the NRA before a firing squad https://www.youtube.com/watch?v=-M4qHzd3xfM

#10yrsago Improv Everywhere: asking random New Yorkers to give a commencement speech https://www.youtube.com/watch?v=drvcLC3DuHo

#10yrsago R. Crumb v. D. Trump, 1989 https://dangerousminds.net/comments/robert_crumb_and_friends_flush_donald_trump_down_the_toilet_1989/

#10yrsago Cleveland: “First Amendment zones” will fence protesters far away from RNC https://www.wired.com/2016/06/cleveland-will-create-city-within-city-keep-rnc-civil/

#10yrsago Space botanists are beneficiaries of Canada’s legal weed boom https://web.archive.org/web/20160624043929/https://motherboard.vice.com/read/how-space-technology-will-produce-the-best-weed-marijuana-cannabis-pot

#10yrsago Debullshitifying the EU referendum (radio comedy edition) https://www.bbc.co.uk/programmes/p03yylpn

#10yrsago Judenstaat: an alternate history in which a Jewish state is created in east Germany in 1948 https://memex.craphound.com/2016/06/21/judenstaat-an-alternate-history-in-which-a-jewish-state-is-created-in-east-germany-in-1948/

#10yrsago Gun control is a great idea, terrorist watchlists are bullshit https://www.aclu.org/sites/default/files/field_document/2016_06_20_aclu_vote_recommendation_on_feinstein_and_cornyn_amendments_to_h.r._2578.pdf

#5yrsago New Yorkers just missing the subway https://www.youtube.com/watch?v=iWh385F5lms#5yrsago
#5yrsago Peloton bricks its treadmills https://pluralistic.net/2021/06/22/vapescreen/#jane-get-me-off-this-crazy-thing

#5yrsago Juul's junk science https://pluralistic.net/2021/06/22/vapescreen/#smokescreen

#5yrsago Improving the ACCESS Act https://pluralistic.net/2021/06/22/vapescreen/#improve-access

#1yrago Daniel de Visé's 'The Blues Brothers' https://pluralistic.net/2025/06/21/1060-west-addison/#the-new-oldsmobiles-are-in-early-this-year

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Fourth draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

17:49

Free Software Directory meeting on IRC: Friday, June 26, starting at 12:00 EDT (16:00 UTC) [Events]

Join the FSF and friends on Friday, June 26 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

17:42

Who Won the ARC of Monsters of Ohio? [Whatever]

It was “Bjorn,” who along with 12 others, correctly guessed that the Ohio-native mammal I was thinking of was, indeed, the Prairie Vole. As promised, I used a random number generator to pick a number between one and twelve, and Bjorn was on the lucky number. An ARC is being mailed to him forthwith.

If you did not win, condolences, but also remember you can order a signed copy of the hardcover from Subterranean Press (and I will even personalize it, if you like), to arrive when the book comes out in November. You can also pre-order the (unsigned) book from your favorite local or online bookseller. Also, eventually we’ll announce the book tour (which is in the planning stages right now), and when we do you can pre-order the book from one of those stores, and have me sign the book for you there. And of course, I’m very likely to sign the stock at Jay and Mary’s Book Center in Troy, Ohio when the book comes out. So you have options!

— JS

17:28

In memory of the man who put red and green squiggles under words [The Old New Thing]

I recently learned of the passing of someone whose work nearly everybody knows, but nobody knows his name.

Tony Krueger is remembered in Wikipedia as the person who ported the game Chip’s Challenge to Windows for the Windows Entertainment Pack.¹ But that’s probably not the code he wrote that touched the most people.

Tony worked on Word 1.0, 1.1, 2.0, then on Word for OS/2 and Word for Mac, then returned to Word 6.0 and several versions beyond that. He probably holds the record for “most versions of Word shipped.”

In early versions of Word, the Spell Check feature was something that you explicitly invoked, and then you had to sit and wait while the program looked for all your potentially-misspelled words, and then showed them to you one at a time for a decision on what to do for each one. Word did introduce an Auto Spell Check feature to run spell check when the user was idle, so that when you hit the Spell Check button, the results were ready to go. However, the Auto Spell Check was still a blocking operation. As a result, a lot of users turned it off because it always seemed to decide “Now would be a good time to spell-check the document” just as you wanted to do something, forcing you to wait for the spell check pass to complete before you could, say, save and exit.

Tony made the spell checker much more unobtrusive so that it didn’t interfere with your foreground work. And when it found a problem, instead of waiting for you to trigger a spell check, it immediately drew red squiggles under potentially-misspelled words (and later green squiggles under potential grammatical errors).

Tony was an early fan of the magic/comedy team Penn and Teller. A friend and colleague attended a show and hung out afterward to ask the duo to sign a photo for his friend Tony. “He was on the team that did the red and green squiggles in Word.”

Upon hearing this, Penn Jillette announced in his stentorian voice which filled the entire theater: “The red and green squiggles!? I love the red and green squiggles!” Teller silently concurred.

Tony received that autographed photo for his birthday, and it wasn’t clear which he was more happy about, the autographed photo or the fact that Penn and Teller loved his feature.

Many years later, “Weird Al” Yankovic recorded a parody video titled Word Crimes, in which the Word red squiggles make a brief appearance. That same friend got “Weird Al” to autograph the screen shot.

Today, there are red (and even green and blue) squiggles in nearly every word processor, and often outside word processors. Tony did it first. The next time a red squiggle catches one of your mistakes, say thanks to Tony. I think he’d appreciate it.

¹ Probably not as widely documented is that he accomplished this without the source code: He reverse-engineered the MS-DOS version and then reimplemented it for Windows.

The post In memory of the man who put red and green squiggles under words appeared first on The Old New Thing.

16:49

[$] Free-threaded Python: past, present, and future [LWN.net]

Probably the biggest change for Python over the last five years or so is the advent of the "free-threaded" version of the language, which removes the global interpreter lock (GIL) and allows multiple threads to run in parallel in the interpreter. At PyCon US 2026, held in Long Beach, California in mid-May, longtime CPython core developer (and current steering council member) Thomas Wouters gave a talk about the feature. He looked at the motivation behind the GIL-removal efforts, some history, the current status of the free-threaded interpreter, and provided a prediction on where it all leads.

16:07

First preview release of Xfce's Wayland compositor [LWN.net]

Brian Tarricone has announced the first preview release of xfwl4, a Wayland compositor for the Xfce desktop environment.

After close to six months of work, I feel like it's ready to get some wider use, even though of course there will be bugs and missing features. Think of this as an alpha release. [...]

The end goal of xfwl4 is to behave as closely as possible to an Xfce desktop running on an X server. Ideally a user could switch between the two without even knowing there's a difference. In reality, of course, it won't be quite that seamless, and there's still more work to be done to get as close as possible to that ideal. This is a first solid cut at it, at the very least.

15:42

Link [Scripting News]

People who reinvent RSS often say they did it because it was missing a feature they needed. We anticipated that, there's a section of the spec that explains how you can extend the format so there's no reason not to build on existing standard instead of starting over from scratch. This way you get more interop sooner, your product might work with other products right out of the box, and save time for other devs who want to be compatible with you. People should study the internet, how it developed, ts philosophy, before they go off and try to re-create it, it rarely works and what a waste of time and effort. What's the point?

Link [Scripting News]

Bluesky: "If Obama had called McConnell’s bluff on the Garland nomination, the court would be 5-4 instead of 6-3. And if RBG had stepped down, it would’ve been 5-4 in favor of Dems.

15:00

Trying Out A New Recipe: Half Baked Harvest’s “Cinnamon Crunch Peach Muffin Bread” [Whatever]

(EDIT: Well folks it looks like I misread chopped peaches as chopped pecans at some point, so there was never actually supposed to be any pecans in this recipe, and my annoyance is unwarranted! Apologies to Half Baked Harvest for accusing her of listing pecans in the ingredients and then not utilizing them, it turns out I hallucinated the pecans all along.)

Well, it’s officially peach season, and my mom gave me a small box of fresh peaches from the famed Peach Truck. I immediately knew what to do with at least a couple of them, and got to work trying out a new Half Baked Harvest recipe I saw on her Instagram: Cinnamon Crunch Peach Muffin Bread.
View this post on Instagram

So let’s dive right in by taking a look at the ingredients list. Here’s everything you need:

Vanilla extract, two peaches, Chobani plain Greek Yogurt, Bear's Mill peach and apricot jam, Kerrygold salted butter, King Arthur unbleached all-purpose flour, McCormick ground cinnamon, Clabber Girl baking powder, Arm & Hammer baking soda, Domino dark brown sugar, Vital Farms pasture-raised eggs, and chopped pecans.

Since I had literally just been given the peaches, the only thing I didn’t have on hand was the peach jam. I made a quick trip to a place outside of town called Bear’s Mill, where I purchased the closest thing I could find, which was their peach apricot preserves. I would say other than peaches and peach jam, something you might have to go to the store for is the pecans and the plain Greek yogurt. I happened to have the yogurt from a different recipe I made last week, and I don’t even remember what the pecans were for but I had them! And they don’t even expire until next week, so, yippee.

So the recipe is pretty straight forward, you just mix all your wet ingredients together, then add the dry, then add the peaches, peach jam, cinnamon crumble, and bake. Very simple order of events, really. After mixing the wet ingredients together, I got an extremely smooth, liquidous batter:

A bowl of smooth yellow batter with a purple silicone spatula in it.

For the dry ingredients, I actually weighed the flour even though I’d been using cups so far. Flour is just one ingredient I really prefer to weigh. So after weighing, I mixed the dry ingredients in:

A nice looking, thick, beige batter!

The only other thing I weighed was the peaches, just to make sure two was enough (because only two in the box were ready to use right then). I needed 150g of chopped peaches, and my two peaches came out to 140g, so I said good enough and threw them in the batter. Then I put the batter into a loaf pan and measured out the three tablespoons of peach preserves to swirl on top of the loaf. The preserves were actually quite gelatinous, so I ended up microwaving them for just a little bit to soften them and make them more easily spreadable on top of the batter.

The batter in a loaf pan, now with peach preserves swirled throughout the top.

All that swirly goodness got immediately covered up by the cinnamon crunch, which was just a quick mix of cinnamon, brown sugar, flour, and butter. This was before baking:

The loaf, now covered in a layer of cinnamon crunch topping.

And after!

The loaf, fresh out of the oven, slightly darker and more craggly on top, and you can tell it has risen a bit.

This smelled soo good while it was baking. I will say, the recipe says to bake for 55-60 minutes, but at 55 it wasn’t done yet, and I actually went all the way to 65 minutes total. So just a touch past the recommended time.

After it had cooled a bit, I took it out of the pan and peeled away the parchment paper to reveal this golden brown beauty:

The loaf, now from a side angle, showing off its golden brown sides.

And finally, the cross-section:

The two halves of the loaf, sitting next to each other so y'all can see the cross-section and get a good look at that moist crumb.

Look at that moist crumb. Little pieces of diced peaches and globs of peach preserves, that perfect cinnamon crumble top. YUM! This bread is so good! If you have peaches to use up, I highly recommend trying out this bread.

Now, you may notice something sort of funny about this loaf. Do you see any pecans? No, because even though they were listed in the ingredients list, at no point in the recipe did it say when to add them, so I completely forgot about them and didn’t add them because they literally weren’t mentioned! Even without the pecans, this bread is super yummy.

This bread is honestly more like a muffin or pound cake, which makes sense why Half Baked Harvest calls it muffin bread! I bet you could even make this as muffins instead if you wanted to, the batter was very scoopable.

Warm out of the oven with a little bit of butter, deeelish.

In terms of dishes, I really only used one bowl for the batter and then a small bowl for the cinnamon crumble mixture, a couple of measuring cups and spoons, a rubber spatula, and a cutting board and knife for the peaches. Oh, and a small bowl to microwave the peach preserves to soften them. Very light amount of dishes.

So, yeah, if you like peaches, give this bread a try. And have a great day!

-AMS

14:35

[$] Reports from OSPM 2026, day one [LWN.net]

The Power Management and Scheduling in the Linux Kernel Summit, which still goes by the historical acronym OSPM, was held in Cambridge, UK, in mid-April. As has become traditional, the presenters at that event have since written summaries of their sessions, and this work has kindly been made available to LWN for publication. The first day's sessions covered a wide range of topics, including idle-state selection, user-space schedulers with sched_ext, lock-holder preemption, and much more.

Security updates for Monday [LWN.net]

Security updates have been issued by AlmaLinux (389-ds:1.4, kernel, and kernel-rt), Debian (gst-libav1.0, gst-plugins-good1.0, imagemagick, kernel, libconfig-inifiles-perl, libgd-perl, libhttp-daemon-perl, mediawiki, pillow, and squid), Fedora (389-ds-base, alertmanager, ansible-core, buildah, chromium, erlang-cowboy, erlang-cowlib, erlang-gun, freerdp, kubernetes1.33, kubernetes1.34, kubernetes1.35, mingw-SDL2_image, ongres-scram, ongres-stringprep, openssl, perl-Config-IniFiles, perl-Crypt-PBKDF2, podman, postgresql-jdbc, python3.13, strongswan, webkitgtk, xdg-desktop-portal, and yt-dlp), Red Hat (osbuild-composer), SUSE (alloy, amazon-ssm-agent, ansible-core, apache-sshd, jpgpj, azure-storage-azcopy, chromedriver, containerized-data-importer, firefox, glibc, graphite2, inspektor-gadget, kubevirt, lemon, openvswitch, python-starlette, python311, python311-joserfc, python313, and tinyproxy), and Ubuntu (netatalk).

14:14

CodeSOD: When False is True [The Daily WTF]

Lillith was integrating some new tools into an existing Ruby on Rails API. The existing API allowed you to send a dry_run flag along with the request, so that you could have the service calculate its changes without applying them.

The problem was, the new tool Lillith was integrating could send, in the body of the request, {"dry_run": false}, but the service would see it as true. Consistently.

The helper method which checked for "true" parameters looked like this:

def param_true?(param_name)
  param_value = params[param_name]
  params.key?(param_name) && (!param_value || param_value.to_s.downcase == 'true')
end

The purpose of this function is to handle stringy or nil inputs gracefully. And there's one thing I can say about the function: it will always identify a true value correctly. If your false value is a string, "false", it also works. But that pesky !param_value mean that any actual boolean false value will be seen as true.

This function has been in wide use through the application. Lillith's best guess is that up to this point, no one had set the dry run flag on anything but GET requests, where everything was strings. On POST/PATCH/PUT requests, where the data was passed in the body as JSON, it got parsed into actual boolean values, and thus failed.

That's the WTF, certainly, that this function was lurking and waiting to cause this confusion. But the annoying thing in this function is that it fetches the value from the associative array, then calls params.key? to see if the key exists. That's fine, since Ruby just returns a nil if a key doesn't exist, it's just annoying. I hate to see it. This is, admittedly, more of a "me" problem, but I hate it.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

A new UPS scam, it seems. [RevK®'s ramblings]

I think I am seeing a new scam.

Background

When an item is delivered to UK from overseas, we, as recipient, may have to pay VAT, and occasionally duty, as the importer. It is a legal requirement.

Yes, as a business we have "postponed VAT accounting", and even the possibility of a "Duty Deferment Account", and DHL get some credit here for handling both very well, with no admin fees. UPS do not get any credit for this at all.

But as a consumer there are two ways this goes down.

  1. They refuse to deliver unless you pay first, or they demand payment on the doorstep. The scam is they want an admin fee that was not pre-agreed with them, and not part of any contract. And you have no choice if you want the parcel. It is a scam as it breaks pretty much all consumer contract protection laws, and is admin that is normal and so should be part of what they charge the sender, IMHO.
  2. They bill you later, and try and charge the admin fee as well. Usually paying the legally required VAT/Duty and NOT paying the admin fee, can work. They do not like it, but I do not think they have any legally enforceable right to their admin fee. Even so it is time consuming and hassle, and I really need to publish an admin fee I will deduct from such payments and argue that is as valid as theirs.

So yes, un-agreed admin fees to recipient are a scam. That is my view anyway.

Note: Royal Mail have a law allowing them to charge an admin fee, couriers do not. There fact there is a law especially for this - kind of proves it would not be legal without such a law.

A new scam

I am now seeing what I assume is a new scam. This time by UPS. Yes, I believe this is a scam.

This relates to a shipment with Duty/VAT pre-paid by sender. So no charge to recipient. No legally required payment by recipient. Sender PAID to get parcel to recipient duty/VAT pre-paid.

In this case a parcel ordered on Amazon UK (no clue non UK shipper). And Amazon do generally handle everything pre-paid Duty/VAT. They are actually really good at that, and for shipments to EU are "deemed supplier" and handle local VAT and all sorts. Very neat.

The item had zero VAT (condensed milk, but declared as tomato sauce!).

But UPS decided to send an invoice (after delivery) for £6.65+VAT (£7.98) for an "entry prep fee".


Did the recipient ask them to do any entry prep? No, obviously not. That is a normal part of delivery, something they are charging the sender for. So this is a case of charging the admin fee even when there is ZERO VAT or Duty to pay.

It is not a lot, but I bet a lot of people pay, and UPS must handle millions of parcels. This is a big scam, and needs to be reported.

I think this is time to report this fraud to the police.

14:07

Loop Engineering [Radar]

The following article originally appeared on Addy Osmani’s blog and is being reposted here with the author’s permission.

Loop engineering is replacing yourself as the person who prompts the agent. You design the system that does it instead. A loop here can be thought of as a recursive goal where you define a purpose and the AI iterates until complete. I believe this may be the future of how we work with coding agents. However, it’s still early; I’m skeptical, and you absolutely have to be careful about token costs (usage patterns can vary wildly if you are token rich or poor), so I want to unpack what it is and what it means.

Peter Steinberger recently said: “You shouldn’t be prompting coding agents anymore. You should be designing loops that prompt your agents.” Similarly, Boris Cherny, head of Claude Code at Anthropic, said, “I don’t prompt Claude anymore. I have loops running that prompt Claude and figuring out what to do. My job is to write loops”.

Okay, so what does any of that mean?

For like two years, the way you got something out of a coding agent was you wrote a good prompt and shared enough context. You type a thing, you read what came back, you type the next thing. The agent is a tool and you are holding it the entire time, one turn after the other. That part is kind of over, or at least some think it’s going to be.

Now you build a small system that finds the work, hands it out, checks it, writes down what is done and then decides the next thing, and you let that system poke the agents instead of you. I wrote before about the cousin of this, agent harness engineering, which is making the environment one single agent runs inside and the factory model—the system that builds the software. Loop engineering sits one floor above the harness. The harness but it runs on a timer, it spawns little helpers, and it feeds itself.

The thing that surprised me is this is not really a tool thing anymore. A year ago if you wanted a loop you wrote a pile of bash and you maintained that pile forever and it was yours and only yours. Now the pieces just ship inside the products. Steinberger’s list maps almost exactly onto the Codex app, and then almost the same onto Claude Code. And once you notice the shape is the same, you stop arguing about which tool. You just design a loop that still works no matter which one you happen to be sitting in.

The five pieces, and then notes

A loop needs five things and then one place to remember stuff. Let me list it first and then map it.

  1. Automations that go off on a schedule and do discovery and triage by themselves
  2. Worktrees so two agents working in parallel don’t step on each other
  3. Skills to write down the project knowledge the agent would otherwise just guess
  4. Plugins and connectors to plug the agent into the tools you already use
  5. Subagents so one of them has the idea and a different one checks it

Then the sixth thing, the memory. A Markdown file, or a Linear board, anything that lives outside the single conversation and holds what’s done and what is next. Sounds too dumb to matter. But it’s the same trick every long-running agent depends on, and I went into it in “Long-Running Agents”: The model forgets everything between runs so the memory has to be on disk and not in the context. The agent forgets; the repo doesn’t.

Both products have all five now.

Primitive Job in the loop Codex app Claude Code
Automations Discovery + triage on a schedule Automations tab: pick project, prompt, cadence, environment; results land in a Triage inbox; /goal for run-until-done Scheduled tasks and cron, /loop, /goal, hooks, GitHub Actions
Worktrees Isolate parallel features Built-in worktree per thread git worktree, --worktree, isolation: worktree on a subagent
Skills Codify project knowledge Agent Skills (SKILL.md), invoked with $name or implicitly Agent Skills (SKILL.md)
Plugins and connectors Connect your tools Connectors (MCP) plus plugins for distribution MCP servers plus plugins
Subagents Ideate and verify Subagents defined as TOML in .codex/agents/ Task subagents in .claude/agents/, agent teams
State track what’s done Markdown or Linear via a connector Markdown (AGENTS.md, progress files) or Linear via MCP

The names are a bit different here and there, but the capability is the same thing. Let me go one by one because honestly the details are where a loop either holds together or quietly leaks everywhere.

Automations, this is the heartbeat

Automations are what make a loop an actual loop and not just one run you did once. In the Codex app you make one in the Automations tab and you pick the project, the prompt it will run, how often, and if it runs on your local checkout or on a background worktree. The runs that find something go to a Triage inbox, and the runs that find nothing just archive themselves which is nice. OpenAI uses them internally for boring stuff like daily issue triage, summarizing CI failures, writing commit briefings, and hunting bugs somebody added last week. And an automation can call a skill, so you keep the recurring thing maintainable; you fire $skill-name instead of pasting a giant wall of instructions into a schedule that nobody will ever update.

Claude Code gets to the same place but through scheduling and hooks. You can run a prompt or a command on a interval with /loop, you can schedule a cron task, you can fire shell commands at certain points in the agent lifecycle with hooks, or you push the whole thing to GitHub Actions if you want it to keep running after you close the laptop. Same idea exactly, you define an autonomous task, you give it a cadence, and the findings come to you so you are not the one going around checking.

There is a second in-session primitive worth knowing, and it’s the one closer to what this whole post is about. /loop re-runs on a cadence. /goal keeps going until a condition you wrote is actually true, and after every turn a separate small model checks whether you are done, so the agent that wrote the code isn’t the one grading it. You give it something like “all tests in test/auth pass and lint is clean” and walk away. Codex has the same thing, also called /goal: It keeps working across turns until a verifiable stopping condition holds, with pause and resume and clear. Same primitive, both tools, which is kind of the pattern for this whole article.

So this is the part that surfaces the work. The rest of the loop is what acts on it.

Worktrees, so parallel doesn’t turn into chaos

The second you run more than one agent, the files start colliding; that becomes the failure. Two agents writing the same file is the exact same headache as two engineers committing to the same lines and nobody talked to each other first. A Git worktree fixes it. It’s a separate working directory on its own branch sharing the same repo history, so one agent’s edits literally cannot touch the other one’s checkout.

Codex builds the worktree support right in so several threads hit the same repo at once and don’t bump into each other. Claude Code gives you the same isolation with git worktree, a --worktree flag to open a session in its own checkout, and a isolation: worktree setting you stick on a subagent so each helper gets a fresh checkout that cleans itself up after. (I wrote about the human side of all this in “The Orchestration Tax.”) The worktrees take away the mechanical collision, but YOU are still the ceiling. Your review of bandwidth decides how many you can actually run, not the tool.

Skills, so you stop explaining your project every single time

A skill is how you stop reexplaining the same project context every session like a goldfish. Both tools use the same format: a folder with a SKILL.md inside holding instructions and metadata, and then optional scripts, references, and assets. Codex runs a skill when you call it with $ or /skills, or by itself when your task matches the skill description, which is the reason a tight, boring description beats a clever one. Claude Code does it the same way and I wrote the pattern up in “Agent Skills.”

Skills are also where intent stops costing you over and over. I argued in “The Intent Debt” that an agent starts every session cold and it will fill any hole in your intent with a confident guess. A skill is that intent written down on the outside, the conventions, the build steps, the “we don’t do it like this because of that one incident,” written one time where the agent reads it every run. Without skills the loop rederives your whole project from zero every cycle; with skills it kind of compounds.

One thing to keep straight: The skill is the authoring format, and a plugin is how you ship it. When you want to share a skill across repos or bundle a few together, you package them as a plugin. True in Codex, true in Claude Code.

Plugins and connectors, the loop touches your real tools

A loop that can only see the filesystem is a tiny loop. Connectors, which are built on MCP, let the agent read your issue tracker, query a database, hit a staging API, or drop a message in Slack. Codex and Claude Code both speak MCP so the connector you wrote for one usually just works in the other. And plugins bundle connectors and skills together so your teammate installs your setup in one go instead of rebuilding the whole thing from memory.

This is the difference between an agent that says “here is the fix” and a loop that opens the PR, links the Linear ticket, and pings the channel once CI is green by itself. The connectors are the reason the loop can act inside your actual environment instead of just telling you what it would do if it could.

Subagents, keep the maker away from the checker

The most useful structural thing in a loop, by far, is splitting the one who writes from the one who checks. The model that wrote the code is way too nice grading its own homework. A second agent with different instructions and sometimes a different model catches the stuff the first one talked itself into.

Codex only spawns subagents when you ask, runs them at the same time, and then folds the results back into one answer. You define your own agents as TOML files in .codex/agents/, each with a name, a description, instructions, and optional model and reasoning effort, so your security reviewer can be a strong model on high effort while your explorer is some fast read-only thing. Claude Code does the same with subagents in .claude/agents/ and agent teams that pass work between them. The usual split in both is one agent explores, one implements, and one verifies against the spec.

I made this case twice already, once as “The Code Agent Orchestra” and once as “Adversarial Code Review.” The reason it matters specifically inside a loop is the loop runs while you are not watching, so a verifier you actually trust is the only reason you can walk away. Subagents do burn more tokens since each one does its own model and tool work, so spend them where a second opinion is worth paying for. This is also basically what Claude Code’s /goal does under the hood: A fresh model decides if the loop is done instead of the one that did the work, the maker and checker split applied to the stop condition itself.

What one loop looks like

Stick it together and a single thread turns into a little control panel. Here is one shape I keep using.

An automation runs every morning on the repo. Its prompt calls a triage skill that reads yesterday’s CI failures, the open issues, and the recent commits and writes the findings into a Markdown file or a Linear board. For each finding that is worth doing, the thread opens an isolated worktree and sends a subagent to draft the fix, and a second subagent reviews that draft against the project skills and the existing tests.

Connectors let the loop open the PR and update the ticket. Anything the loop cannot handle lands in the triage inbox for me. The state file is the spine of the whole thing; it remembers what got tried, what passed, and what is still open, so tomorrow morning the run picks up where today stopped.

And look at what you actually did there. You designed it one time. You did not prompt any of those steps. That’s Steinberger’s whole point made real, and it’s the same loop in Codex or in Claude Code because the pieces are the same pieces.

What the loop still does not do for you

The loop changes the work; it does not delete you from it. And three problems actually get sharper as the loop gets better, not easier.

Verification is still on you. A loop running unattended is also a loop making mistakes unattended. The whole reason you split the verifier subagent from the maker is to make the loop’s “it’s done” mean something, and even then “done” is a claim and not a proof. I keep saying the same line from “Code Review in the Age of AI”: Your job is to ship code you confirmed works.

Your understanding still rots if you allow it. The faster the loop ships code you did not write, the bigger the gap between what exists and what you actually get. That’s comprehension debt and a smooth loop just makes it grow faster unless you read what the loop made.

And the comfortable posture is the dangerous one. When the loop runs itself, it’s very tempting to stop having an opinion and just take whatever it gives back. I called that “cognitive surrender.” Designing the loop is the cure when you do it with judgment and the accelerant when you do it to avoid thinking: same action, opposite result.

Build the loop. Stay the engineer.

I think this is a preview of how our work is going to evolve. That said, if I weren’t reviewing the code myself or if I relied entirely on automated loops to fix it, my product’s quality would suffer. I’d likely end up stuck in a downward spiral, continuously digging myself into a deeper hole.

Go ahead and set up your loops, but don’t forget that prompting your agents directly is also effective. It’s all about finding the right balance.

Loops can also result in different outcomes depending on you. Two people can build the exact same loop and get completely opposite results. One uses it to move faster on work they understand deeply. The other uses it to avoid understanding the work at all. The loop doesn’t know the difference. You do.

That’s what makes loop design harder than prompt engineering. Cherny’s point isn’t that the work got easier. It’s that the leverage point moved.

Build the loop. But build it like someone who intends to stay the engineer, not just the person who presses go.

This Week in AI: Fable 5, the Clone Wave, and Uber’s AI Reality Check [Radar]

This week, egghead.io cofounder John Lindquist joined host YK Sugi, founder of CS Dojo and developer experience manager at Eventual, to cover the latest AI news. First on the agenda was the contested release of Claude Fable 5. They also examined the financial shifts reshaping the technology industry, including the rising costs associated with agentic coding loops. Then John outlined the framework he uses to build in the agent era without starting from scratch every time.

Watch the full episode here:

Claude Fable 5: 3 days, a government order, and a lot of unanswered questions

Claude Fable 5 launched June 9 and was pulled from all customers on June 12 after the US government issued a directive ordering Anthropic to restrict access for foreign nationals inside and outside the US. Amazon researchers had reportedly surfaced what they characterized as a security vulnerability, and after Anthropic reportedly declined to patch or redeploy the model, the directive came down. Senior Anthropic staff subsequently traveled to Washington to meet with White House officials.

The dispute about what actually happened is unresolved. Anthropic’s position is that the reported issue was a narrow jailbreak that had been previously identified and was present across public models generally, and not a serious security threat. An independent researcher who reviewed the report described it as defensive prompting that surfaced known vulnerabilities and called the response an overreaction. Neither side has published the technique or prompt, so there’s no way to evaluate the claim independently. But as John put it, “It sets a very strange precedent going forward, as models are released, that governments can step in and control what private companies can and cannot do with their model.”

Another new precedent: Fable 5 wasn’t built on the Opus or Sonnet architecture, which means comparisons to prior Anthropic models or contemporaries don’t tell us much. But initial impressions were positive, including from YK and John, and Fable 5 quickly reached the top of the Arena leaderboard in the text, agents, and web dev code categories. However, the model also had a purposeful limitation: On questions related to AI and machine learning training specifically, it was designed to underperform (without signaling this to users), apparently to prevent competitors from using it to improve their own models. Intentional capability suppression in a commercial model, without disclosure, is a different kind of product decision than a safety guardrail. Whether that approach becomes more common as competitive stakes rise is an open question. 

Tokens burn fast when the loop isn’t ready for them

Last week, SpaceX went public in the largest IPO in history. The company finalized its acquisition of Cursor in a $60 billion all-stock deal shortly after. (That last one happened after this episode aired—we’ll talk more about it on Monday.) Both OpenAI and Anthropic have filed to go public as well, and Google raised roughly $160 billion through equity and a 100-year bond. A significant share of that capital is flowing toward AI coding infrastructure.

YK brought up another, less celebratory, financial story that’s been making the rounds: Uber burned through its full 2026 AI tools budget by April, mostly on Claude Code and Cursor, and Andrew Macdonald, the company’s COO, acknowledged they couldn’t link that spending to a measurable increase in useful customer features. Uber subsequently put a $1,500 per month per employee cap in place.

John flagged projects inefficiently utilizing agentic loops as one possible cause for wasteful token spend. Most developers deploying agents against existing codebases haven’t built the tooling those agents need to work efficiently, so agents burn tokens doing work that dead-ends, repeating context, or generating code that requires significant debugging. He explained:

If you take a legacy codebase and you throw agents against it with loops, you haven’t set up a proper agent environment. It’s so quick to burn tokens because. . .the agents don’t have the tools to work with.

The conversation in developer communities so far has focused almost entirely on what agents can generate. But as more organizations move from experimentation to production-scale deployment, building logging, verification, and proper error surfaces into agent tooling is what will determine whether token spend maps to real output. Otherwise, we’ll likely see more companies go the way of Uber.

Ingredients beat inference: A practical framework for building in the clone wave

For most developer workflows today, buy-versus-build leans toward building in a way it didn’t even a year or two ago. As John noted, “It’s so easy to build apps and workflows now where there are so many amazing production apps out there, apps on your phone, apps on your desktop, software as a service, that are trivial to copy and clone.” He uses the term the “clone wave” to describe this expanding set of open source equivalents to consumer software products that can now be cloned, forked, or replaced and get you 99% of the way to your use case.

The principle that drives the clone wave is “ingredients beat inference.” If you ask an agent to build a feature from scratch, it infers a solution with no external reference. If you give it an existing open source implementation to start from, it can adapt, translate, and integrate that code far faster and more reliably. The ingredients approach also helps with the 43% of AI-generated code that needs debugging in production, per a figure YK cited earlier in the episode.

The GitHub CLI plays a central role in this workflow. John explained that because agents understand the GitHub CLI natively, you can give an agent a search task and let it find implementations it wouldn’t have generated itself. Language mismatch isn’t a blocker, because agents translate between languages and libraries well. And tools like DeepWiki from Cognition let agents explore and understand a repo’s structure before cloning or forking it, so the evaluation step doesn’t require local setup.

The framework extends to how you build the last 20% that isn’t available as an ingredient. This is the part that’s specific to your use case; John described it as “that extra bit that you’re building on top of it to make it into the custom product and project for either yourself or for your users.” John’s bigger point is that the tools you build for yourself should also be usable by your agents. Expose endpoints and logging. Give agents the ability to read state and errors. An agent that can control a tool but not debug it will eventually stop in ways that are hard to diagnose.

John walked through cmux to demonstrate what an agent-native workspace looks like in practice. cmux is a terminal multiplexer built with agentic workflows in mind: it exposes a CLI that agents can control directly, so you can open a terminal pane, have that pane spawn another, and have the two read from and write to each other. In practice that means you can run Claude Code in one pane, Codex in another, and a third pane reading output from both, with each agent able to observe the others’ state.

Agents need more than the ability to run commands. They need to read logs, check errors, and confirm state before taking the next step. A workspace that exposes those surfaces gives agents a feedback loop. This tenet is applicable to tools across the company. Organizations that treat their internal tooling as agent-accessible infrastructure are building something that compounds. Those treating agents as black-box code generators are taking on technical debt they may not see until causes issues later on.

What’s next

SpaceX’s acquisition of Cursor turns the coding-agent race into something much larger than an IDE fight. Cursor may be positioning itself as a new GitHub for the agentic era, where agents write, review, test, repair, and govern code. At the same time, Salesforce’s $3.6B acquisition of Fin shows the same pattern inside enterprise software: Buyers want packaged workflows that solve real support, sales, and operations problems rather than abstract “agents.” 

Next week, host Ksenia Se examines these stories and more through the lens of who owns the loop where AI does the work. Join us to find out why the next phase of AI will be about who controls the infrastructure, economics, and trust layer.

Our episodes are free and open to all through the end of June if you’d like to attend live—register here. And we’ll continue to publish our takeaways here on Radar each Friday and share full episodes on YouTube, Spotify, Apple, or wherever you get your podcasts.

13:49

One year with Codeberg [Planet GNU]

A year ago, Guix migrated to Codeberg for source code hosting, issue tracking, and pull requests. This is a significant change for a project with more than 400 people contributing code each year, after more than decade hosting code at Savannah and dealing with bug reports and patches by email, tracked by a Debbugs instance. This article discusses the process that led to this change and lists some takeaways, a year later.

The non-obvious choice

For years before, the question of our choice of source code hosting and collaboration tools would regularly come up. However, with a community effectively built around the existing tools and workflows, a change to pull-request workflow was far from obvious—even if many would admit that yes, pull requests are more familiar to many younger hackers than patches and bug reports by email.

Active contributors were efficient with the email workflow—often thanks to Emacs and/or to top-notch email clients—while at the same time being critical of “modern” Web-based forges: after all, Debbugs weighs in at a few hundred lines of Perl, building upon the battle-tested standards and built-in federation of email, whereas a forge like Forgejo is much bigger with hundreds of Go dependencies.

A further complication is that, over time, contributors had built tools around this workflow: mumi would provide a nice web interface to Debbugs and the Quality Assurance service would automatically apply patch series in a Git branch and build packages from that branch—to give the most visible examples. Migrating was all but obvious.

Despite these achievements, dissatisfaction was palpable though, even more so when Steve George (a.k.a. Futurile) published the results of the first user and contributor survey in January 2025, with feedback from no less than 900 people. For contributors who took part in the survey, the email workflow was often mentioned as a hindrance.

Making decisions

As if things were not difficult enough, there was no “benevolent dictator” that the project could rely on to make a sharp decision. Instead, in December 2024, the project adopted a process for collective decision-making: the Guix Consensus Document (GCD) process. The process is ambitious: instead of merely asking “project members” (a concept that needs to be properly defined!) to vote on proposals, authors of proposals are expected to work with everyone to build consensus on the proposal; participants cannot merely “oppose” a proposal but should instead express their needs and suggest concrete changes to address them. At the end of the process, participants can “support”, “accept”, or “disapprove” the final revision of the proposal.

It is too early to tell whether the GCD process will stand the test of time—as of this writing seven proposals were submitted through this process, with varying outcomes—but it surely proved to be a good way to work collectively on the forge migration issue, which was the first real-world use of the GCD process.

GCD 002 was submitted in February 2025 as a proposal to migrate to Codeberg for source code hosting and collaboration. The discussion lasted for two months—the maximum duration permitted by the process—with contributions by many people. Two thirds of the Guix team members participated in the deliberation, among which 72% expressed “support” while the remaining 28% merely “accepted” the proposal; nobody “disapproved” it so the proposal came into force in early May 2025.

The discussion showed that many long-time contributors were not comfortable with the idea of moving to a workflow largely perceived as Web-first and inefficient compared to the email workflow. The idea of abandoning part of the infrastructure carefully built around the email workflow over the years was also unappealing. Yet, the prospect of reaching out to a broader community and improving the developer experience for many was probably a driving force that led to this positive outcome.

One thing in the proposal that didn’t trigger much debate though is the preference both for a free-software-based forge and for one hosted by a non-profit, Codeberg e.V. This choice is very much in line with the Guix ethos.

Switchover

As agreed-upon in the GCD, the switch to Codeberg was incremental: the main repository was migrated on May 25th, 2025, with the former repository still available as a mirror today; the former issue and patch tracker was kept active until January 1st, 2026, when Codeberg issues and pull requests became the only supported mechanisms (but older bug reports and patches remain accessible on-line).

Thanks to the planning devised during the consensus-building discussion, there were few hiccups and surprises when we switched. The quality of service achieved by the Codeberg e.V. employees and volunteers has been very good and the occasional downtime was usually short and clearly communicated.

For some of us, the main difficulty was to adapt to the new workflow. For those who prefer a workflow out of the browser, the good news is that Emacs interfaces—fj.el and more recently Emacs-Forgejo—have been getting better everyday thanks to their amazing developers; the ability to create pull requests using the AGit workflow has also helped bring peace and harmony.

The one issue that wasn’t sufficiently anticipated is continuous integration for pull requests. The part of qa.guix.gnu.org that would previously build packages for patches sent by email was not ported to Codeberg. For several months, it was up to reviewers to make sure that pull requests would not break anything—a situation that was not sustainable.

Screenshot of a “review” by @guix-cuirass-bot that specifies successful and failed package builds.

In September 2025, an instance of Cuirass was set up at pulls.ci.guix.gnu.org to finally build pull requests. This was initially seen as a stopgap because of several limitations compared to what qa.guix.gnu.org would previously do—such as the fact that packages now get built for a single architecture. However, one advantage for newcomers is that feedback is immediately visible: Cuirass sends reports indicating success or failure directly in pull requests as guix-cuirass-bot.

Renewed collaboration

One of the intuitions and hope we had when we decided to migrate to Codeberg is that the pull-request workflow and its Web interface would allow us to reach out to a broader set of contributors. How did it go?

A first insight is that the commit rate—measured as the number of commits pushed on the main branch—is a noisy metric that doesn’t reveal much. What we see by looking at the period from May 2024 to May 2026 (so one year before and one year after the migration) essentially shows that the commit rate remained essentially between “high” and “very high”:

Graph showing the monthly commit rate between May 2024 and May 2026.

(As an aside, where are the tools to plot statistics like this from a Git repository? I found myself hacking something together.)

Looking at contributions is more insightful. The plot below shows the number of monthly commit authors, the number of monthly committers, and the number of new commit authors each month (people who authored a commit for the first time in the Git history) for that same period.

Graph showing monthly contributions to Guix.

The number of monthly authors, including new authors, keeps growing. There was a peak both in the number of authors and number of newcomers in June 2025, right after the migration to Codeberg, but for the rest growth appears to be comparable in the 2025–2026 half and in the 2024–2025 half. Guix keeps attracting new contributors but there wasn’t a significant “Codeberg effect”.

The slight increase in number of monthly committers compared to the sharper increase in number of authors might suggest that committers are more “productive”, handling more contributions.

Since the user survey highlighted some contributors were frustrated by the delay or the lack of response on contributed patches—a problem that many free software projects struggle with—a question is how well Guix deals with that today. The graph below shows the creation and closing rate of pull requests per month over the past year, together with the monthly backlog (pull requests opened the month before or earlier and still opened). This data was acquired using the amazing Forgejo interface.

Graph showing pull request rate from May 2025 to May 2026.

This again shows an impressive rate of incoming code—more than 500 pull requests opened each month!—and an equally impressive, but slightly lower, merge rate, leading to a constantly-increasing backlog. A similar backlog was observed on Debbugs before. Today, there are about 639 opened pull requests out of 6,459 ever opened, or 10%; for comparison, Nixpkgs has 12k opened pull requests out of 473k ever opened, or 2.5%. This concerning backlog in Guix can perhaps be attributed to excessive friction and/or insufficient continuous integration feedback.

One source of friction is the requirement for each commit to be signed by an authorized committer. Unlike many other projects, including Nixpkgs, this requirement means that a person needs to take responsibility and to apply and sign changes they merge, as opposed to just clicking the “Merge” button. In a way, we’re trading developer convenience for user security. It’s a tradeoff we’re willing to make because we care about securing the “software supply chain”, but we have yet to see if this cost can be mitigated in some way.

On the bright side, and although this is harder to measure, one positive impact of the move to Codeberg is that activity within the project is more legible. I already mentioned continuous integration that provides feedback directly in pull requests, such that contributors immediately discover it, but there’s more.

Guix teams are reified as Codeberg teams and their scope is given the CODEOWNERS file such that the right people are pinged. A bot also adds a corresponding label—e.g., the team-python label for what’s in the scope of the Python team—allowing for issue and pull request filtering by label. However, teams are not notified of issues tagged with the corresponding label, which is irritating.

Other features such as cross-references among issues/pull requests as well as milestones also appear to facilitate collaboration.

Outlook

This is nice and all but there’s still room for improvement.

Our infrastructure could use some help. Build power for pulls.ci.guix.gnu.org should be increased, ideally with also more diversity—building for non-x86 architectures would be great! Cuirass itself has a number of shortcomings; some are being addressed for the upcoming 1.4.x series but there’s more work to be done. And also, pulls.ci.guix.gnu.org remains very much package-oriented; it would be nice, when appropriate, to run system tests as well.

The packager workflow still leaves a bit to be desired, in particular with regards to topic branches and world rebuild scheduling, which is still mostly tied to… our otherwise retired bug tracker.

We also want to remain good citizens, not causing excessive load on Codeberg servers (oops!) and keeping an eye on storage use: a single “fork” of Guix could exceed Codeberg’s new per-user quota of 750 MiB. The solution would be to require new contributors to use the AGit workflow to create pull requests. AGit is already popular among Guix contributors; however, the idea of requiring it is seen as a “downgrade” by some because it lacks the familiarity of the “regular” pull request workflow. One way to mitigate that might be to make it more discoverable with an “AGit fork” icon as was done for Gentoo.

Part of being a good citizen, for Guix and for Codeberg e.V., is listening to and accounting for one another’s concern, and this has worked beautifully so far. Guix Foundation recently voted to become a supporting (non-voting) member of Codeberg e.V. as a way to express gratitude and support.

Oh, breaking news: a pull request adding Forgejo and a service to set it up on Guix has just been submitted! Purely declarative configuration, fully reproducible deployment of a forge—can you imagine⁈ Symbiosis at play.

Acknowledgments

Many thanks to Steve “Futurile” George, Noé Lopez, and Maxim Cournoyer for reviewing an earlier draft of this post.

13:35

12:14

Professional Athletes and Wearables [Schneier on Security]

I haven’t thought about the privacy issues surrounding professional athletes and wearables.

Wearables present serious privacy issues for “Average Joe” consumers, who are entrusting tech companies to safely store and protect their biometric data. Imagine the stakes for a professional athlete, whose entire livelihood could be affected by a single biometric data point. To give one of many realistic hypotheticals: a basketball player has a terrible game, and the coach wonders if they showed up to the gym hungover. The coach has access to the player’s wearable data, and checks to see when they went to sleep, as well as what their heart rate looked like during the night. Should the player have been out partying before a game? No. Should the coach be able to surveil them? Definitely not.

It will not surprise you to learn that there’s an emergent gambling angle here: sports leagues would love to commercialize players’ biometric data, and sharp bettors would love access to data about, say, a hungover player. “We’re going to get to a spot where people are betting not just on the velocity of the puck that was shot by a player in the NHL playoffs, but on what the heart rate of a certain player is going to be running down the field,” said Helen “Nellie” Drew, the director of the University of Buffalo’s Center for the Advancement of Sport, and a professor of practice in sports law.

There are other practical considerations, too. What if wearable data reveals that a player isn’t as speedy as they were before, and a team uses that data against the player during contract negotiations? What if a wearable reveals a player is favoring their leg, or is at greater risk of injury? This information is potentially beneficial to a training staff and an athlete, so long as it’s disclosed and used in a responsible manner—­a critical, mostly unresolved caveat. “Aging and injured players are the most at-risk” of wearable data being used against them, said Michael LeRoy, who researches sports labor laws and AI, and is a professor at the University of Illinois’s School of Labor and Employment Relations.

The bit about gamblers is particularly scary.

I have often said that surveillance tech is generally deployed first against people with diminished rights: children, prisoners, military personnel, the mentally impaired. This is another early use case with different dynamics. The surveilled are wealthy and powerful, and—in many cases—unionized.

11:49

Grrl Power #1471 – Curb avalanche [Grrl Power]

“Say it ain’t so, doc! I only came in with a case of magma!”
“I’m sorry, Mr. Fuji. It’s definitely diamonds. On the plus side, the tumor removal should pay for itself.”
“Doc, do you ever think it’s weird our economy values tumors so highly?”
“I think it’s weird humans wear our tumors on their fingers and necklaces and ears.”
Aaaand scene.

Sydney probably meant to say “gregariousness,” which means someone who is highly sociable, outgoing, and fond of the company of others. Garrulous means being excessively talkative, especially about trivial or unimportant matters. Arguably, both words apply to Sydney, though the latter is rarely meant as a compliment.

Corite is what happens to copper when it’s “mana infused.” It has all sorts of neat properties that I haven’t quite figured out, but it’s great for smithing and enchanting. Infused metals “evolve” into new materials, you know, steel becomes adamantite, gold becomes orichalcum, etc. I’m sure Dabbler might bring it up at some point.

Final version is up, both at TWC and Patreon.

Sexy bodymod news lady Gail has a special one-on-one interview with Tournament Quarter finalist Saraviah Nightwing! And if you subscribe to Gail’s Space Patreon, (which, due to the vagaries of Earth and Gal-Net’s DNS servers, happens to be the same as the Grrl Power Patreon, go figure) you can see that same interview in the nude!

 

Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

10:49

10:07

Anniversaries [Seth's Blog]

Birthdays are a little overrated. I’ve never met anyone who was more than a passive participant in their birth, but anniversaries represent a choice.

Every year, we can commemorate a commitment we made and then decide to recommit.

Anniversaries aren’t just romantic. The day you took the job, the day you started the practice, the day you went out on your own, the founding date on the masthead. Anything you chose and then keep choosing has one. The calendar is full of invitations to re-decide.

A chance to celebrate the past and to imagine what comes next.

An anniversary is worth celebrating because of what we’re agreeing to do again.

08:42

Full Spectrum Warrior [Penny Arcade]

New Comic: Full Spectrum Warrior

06:07

Girl Genius for Monday, June 22, 2026 [Girl Genius]

The Girl Genius comic for Monday, June 22, 2026 has been posted.

05:35

Important Lessons [Ctrl+Alt+Del Comic]

He has to learn sooner or later.

The post Important Lessons appeared first on Ctrl+Alt+Del Comic.

00:14

Link [Scripting News]

Braintrust query: Do you have a copy of Radio UserLand that runs?

Sunday, 21 June

22:49

A tale of two path separators [OSnews]

In macOS, you can apparently create files and directories in the Finder with names that include slashes. If you then go into the terminal and take a look with ls, you’ll see that the slashes are actually colons.

I don’t understand all the nuances, but I know this is a side-effect of the fact that macOS has not one but two path separators: the slash (/) and the colon (:). The two separators are used in different contexts, and the system will translate between them as needed.

These two separators reflect the two parent systems of modern macOS: classic Mac OS and the Unix-like NeXTSTEP. When they were joined together, Apple’s engineers had to build a file system that was compatible with both the classic Mac’s file system (the Mac OS Extended File System, aka HFS+), and with NeXTSTEP’s file system (the Unix file system, aka UFS). Among other differences, these systems had different path separators: HFS+ used a colon, while UFS used a slash.

↫ Alex Chan (article from 2021)

I had no idea macOS worked this way, but it makes sense considering the platform’s dual history. What’s interesting is that when Apple moved to APFS almost a decade ago, this duality in path separators remained, most likely for backwards compatibility reasons. In a sense, this is somewhat similar to Windows supporting both backward and forward slashes, with the former being a leftover from DOS, and the latter an addition (to Windows) from the UNIX world.

None of that beats Windows when using the Japanese or Korean locale, though. Because Japanese and Korean Windows use different codepages than Windows in the Americas and Western Europe, these versions of Windows render the backslash as the yen sign (¥) and and won (₩) sign respectively. As such, something like the Program Files directory actually renders like C:¥Program Files¥ and C:₩Program Files₩. Similar issues occurred in other Windows locales as well, but the impact of this in Japan and South Korea were so widespread that people just expect it to be that way, even if it’s easily fixed today.

I can’t find if Windows 11 still uses ¥/₩ in Japan/South Korea, since the last references of it I can quickly uncover all point to Windows 10.

20:28

Link [Scripting News]

Reply on Twitter: "There's a great comic routine, forget who did it, Dave Chapelle maybe, about how people complain about how shitty air travel is, never stopping to realize that it's utterly amazing that there even is such a thing."

Link [Scripting News]

Looking at the picture of the four ex-presidents at the opening of the Obama library, all I can think is that each of them played a part in creating Trump. Obama gave away the Supreme Court (see above). Clinton literally got blow jobs from a White House employee in the Oval Office. It's like wiping your ass with the American flag. That is fucked up, I don't care how fucked up the Repubs are. Bush, don't get me started on Bush. He seems like a sweet old dude now, but he was definitely on the path to Trump. And Biden -- his job as POTUS was to protect the United States. At that he failed in every imaginable way. Gauge the insult by what's happening now. Biden could have prevented all of this. He was too vain to see he had failed and decided he should run again! Holy shit. I'm ten years younger than he was and I don't think I'd have any business being president of anything. ;-)

Apple internals: Swift in the kernel [OSnews]

Apple’s Swift has become the de-facto language for Apple’s own developers for a while now, and it seems that with the new operating system releases from the company unveiled during WWDC, Switch is now also being used in the kernel.

Naturally I dropped what I was doing and went grepping through the iOS 27 kernelcache. Alas, nothing came of it. All is not lost though: I found the Embedded Swift runtime in macOS 27, sitting in com.apple.kec.pthread of all places. Then I went poking around the root filesystem and it turns out Apple gave the whole effort a name: KernelKit.

Let’s dissect it.

↫ Josh Maine

It’s still quite limited at this time, which makes sense – you don’t want to be too crazy with the core of the operating system that runs on god knows how many PCs, smartphones, and other devices. It’s also entirely contained within a few kexts as embedded runtimes, and the XNU kernel itself remains entirely C and C++.

“I stored a website in a favicon” [OSnews]

Every website has a favicon. It’s that little icon in your browser tab. Usually you upload it once and then never think about it again. But. A favicon is just an image. An image is just pixels. And pixels are just bytes.

So of course I wondered if I could store something inside one.

↫ Tim Wehrle

I love it when people do something useless just for fun.

19:42

Link [Scripting News]

With AI you can have a team of assistants available on call at any time. The other day I went from working on a deep technical problem (changing the format of a permalink, which is also used as an id) quickly and correctly and then immediately switching to how to format a blog post so it looks like something produced by a professional writing app. Same thread. It's amazing how much it knows about all aspects of what I do. And it does more than write code. It handles complexity so much better than I do, which means I get to develop products that work better and do more. If I get an idea long after I've moved on from a section of code it can still be implemented with equal quality. There is no such thing as a human being that can do the things it does. A big bug in the critiques people have about it replacing humans. When jet planes came along did they complain that they would replace taxi drivers? Things never work out the way you think they will when they're new. This is my third such rodeo. Sometimes the concerns are obvious and true, btw. That happens as well.

Link [Scripting News]

I don't think Obama deserves to go down as a good president. He let the fascists in. His big moment was when he let Mitch McConnell keep his Supreme Court nominee from being approved. Never should have conceded. He didn't fight at all. He was president of the United States, the place where the buck stops.

Link [Scripting News]

We lost a lot more than a few hundred billion in Iran war. We had invested much more over 80 years on peace in the Middle East. In one brief orgy of violence Trump threw that away.

Link [Scripting News]

Hey what we're doing in AI-land is building the Matrix we want to live in. When we get there there won't be anything left to do in this dimension, our plane will finally lift off and fly awaaaay in the sky. I hope you understand, I just had to go back to the Island.

18:14

17:21

Tim Retout: seL4 repo relationships [Planet Debian]

The seL4 organisation on GitHub uses git-repo to manage multiple source repositories, and so there are a large number of projects to get your head around when figuring out the ecosystem.

As an experiment, I have taken the various manifest files across the org, and constructed a graph based on how frequently each pair of repositories is mentioned in a manifest together. See below:

Graphviz Diagram

[This may render badly when syndicated outside of my blog; and also on small screens. And probably large screens. I’ve attempted to make sure there’s a non-JS fallback – on my site with JS enabled, if you hover over a node, it should highlight connected nodes.]

The colouring of the nodes is mostly manual; I experimented with graph clustering algorithms but have not found a satisfactory result so far. Still, some clusters are obvious:

  • Kernel – the seL4 microkernel proper. This often but not always co-exists with the main cluster of core libraries, but it is pulled away slightly by the verification and microkit manifests.

  • Verification – the verification repositories (l4v, HOL, graph-refine, polyml, isabelle) form a very distinct group. These are connected only to the seL4 microkernel itself, which is the only component formally verified.

  • Microkitmicrokit is a newer operating system framework that does not use CAmkES, so stands apart from the rest of the pack. I chose to scope this work to the seL4 org, so the LionsOS ecosystem and sDDF which are maintained by Trustworthy Systems are not shown. Also not linked is rust-sel4, because this modern world isn’t using git-repo in the main to manage its repositories.

  • RefOS – I’d not come across refos before, but it appears to be an example OS from 2021 built on the seL4 kernel.

It’s quite hard to pull apart the CAmkES framework and the core libraries; there are definitely some which are more associated with VM management, but the overall shape of this co-occurence data is a messy ball in the middle with some outliers in orbit. One observation is that camkes is correctly identified as more peripheral than camkes-tool, which contains the actual core CAmkES code.

Reflecting on this approach, in hindsight I’m surprised that using co-occurences worked as well as it did – there was no attempt to actually inspect the code and find direct mentions of other code e.g. library header dependencies. As the newer microkit effort largely eschews git-repo, better results might be found by actually taking that more detailed approach, so that graph edges could represent real dependencies between two packages. Additionally, this could allow diving into the various libraries held in the different ’libs’ repos, to get a more granular graph of relationships between them.

However, I think I spent more time on making it possible to render graphviz graphs easily on my blog than actually gaining any insight into the codebase!

16:35

15:49

Dirk Eddelbuettel: RcppArmadillo 15.4.0-1 on CRAN: New Upstream Minor [Planet Debian]

armadillo image

Armadillo is a powerful and expressive C++ template library for linear algebra and scientific computing. It aims towards a good balance between speed and ease of use, has a syntax deliberately close to Matlab, and is useful for algorithm development directly in C++, or quick conversion of research code into production environments. RcppArmadillo integrates this library with the R environment and language–and is widely used by (currently) 1282 other packages on CRAN, downloaded 47.1 million times (per the partial logs from the cloud mirrors of CRAN), and the CSDA paper (preprint / vignette) by Conrad and myself has been cited 697 times according to Google Scholar.

This versions updates to the 15.4.0 upstream Armadillo release made on Thursday. We had run a complete reverse-dependency check leading up to it, asserting there were no issues with packages dependent on it. As it sometimes goes with that many packages involved, one CRAN package reported one test failure. And it turned out to be both unrelated and pre-existing. But sorting this out over one round of email delayed things by a day. And then I went cycling for a good cause so this announcement post comes a little later than usual. The package has also been updated for Debian, built for r2u, and by now also at CRAN for the different binary releases.

All changes since the last CRAN release follow.

Changes in RcppArmadillo version 15.4.0-1 (2026-06-17)

  • Upgraded to Armadillo release 15.4.0 (Medium Roast Agave)

    • Added fill::nan, fill::pos_inf, fill::neg_inf as optional fill forms for the Mat class

    • Added .push_back() for appending elements to vectors

    • Faster handling of find() within .elem()

    • Faster element-wise min() and max()

    • Faster conv_to when element types of input and output objects are the same

Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

15:07

Link [Scripting News]

Claude is much better at needle-in-haystack troubleshooting. It doesn't get flustered or overwhelmed. And it can hold the whole map in its head, whatever that looks like, impossible to imagine.

15:00

Vasudev Kamath: Releasing debvulns: CLI for listing Debian vulnerabilities [Planet Debian]

Following up on my previous post, I have released the debvulns CLI. This utility uses the same parsing logic as the debsecan-mcp server but exposes the functionality directly via the command line.

Why a new CLI?

While Debian's native debsecan utility exists, it lacks modern output formats like JSON and CSV, and fails to expose a significant amount of metadata available in the Debian Security Team's daily snapshot.

Additionally, running a persistent Model Context Protocol (MCP) server introduces context window overhead. The manifests and tool descriptions required by the protocol consume tokens even when idle. For debsecan-mcp, the MCP Inspector utility shows an overhead of roughly 150 tokens.

By contrast, an LLM can parse a standard CLI help menu on-demand without permanently draining the context window. Integrating the CLI into a persistent agent workflow can be achieved via a skill file, allowing the LLM to leverage the tool without repeated discovery overhead.

What else is NEW?

During testing, I observed discrepancies between the output of debsecan-mcp/debvulns and native debsecan. Debugging with an LLM revealed a bug in the version comparison logic that caused debvulns to underreport vulnerabilities. This has been resolved.

The current interface supports structured formatting and customizable data backends:

usage: debvulns [-h] [-s {critical,high,medium,low,negligible}] [-f {json,csv}] [--sort-by {package,cve}] [--vuln-url VULN_URL] [--epss-url EPSS_URL] [--suite SUITE]
                [--cache-dir CACHE_DIR] [--no-cache] [-v]

debvulns - CLI Debian Vulnerabilities Tracker

options:
    -h, --help            show this help message and exit
    -s, --severity {critical,high,medium,low,negligible}
                          Filter vulnerabilities by severity
    -f, --format {json,csv}
                          Output format (default: json)
    -sort-by {package,cve}
                          Sort vulnerabilities by 'package' or 'cve'
    --vuln-url VULN_URL   Custom URL or local path for Debian Security Tracker data
    --epss-url EPSS_URL   Custom URL or local path for EPSS scores data
    --suite SUITE         Debian suite name (e.g. bookworm, sid). Auto-detected by default.
    --cache-dir CACHE_DIR
                          Directory to cache fetched and parsed data (default: /var/cache/debvulns)
    --no-cache            Do not use cached data, force downloading and parsing
    -v, --verbose         Enable verbose debug logging (sent to stderr)

By allowing users to override data sources with local snapshots of the Debian Security Tracker and EPSS feeds, debvulns can run natively in airgapped environments.

What Next?

The next step is building a Prometheus exporter for this vulnerability data to streamline scanning and monitoring across data center infrastructure. Stay tuned.

10:49

10:42

“In its larval state” [Seth's Blog]

Thirty years ago, Cory Doctorow did an interview showing primitive inklings of the internet future (music, videos, etc.). At the time, it was easy to dismiss it as an irrelevant toy, and most people in power did just that.

Around the same time, I wrote an article for Direct Marketing magazine outlining the future of email marketing. Again, most people who saw it didn’t agree enough to actually do something with it.

Now, here we are, with AI in the larval state. It’s easy to look at the very real financial and human cost, the speed bumps, the errors, and decide to just wait and see.

The real question is whether this is like the web and email, or more like virtual reality headsets.

When you make the choice to avoid becoming the most experienced person in a room (whatever room you’re in), you’re making a bet about the future.

00:00

New Cover: “Comfortably Numb” [Whatever]

What can I say, I was feeling a little ambitious.

And yes, I did the guitar solos, but before you get too impressed, please know a) they’re not recreations of the David Gilmour solos, because my ambitions have real and practical limits, and b) I cheated. And by “cheated” I mean I initially tried to do the solos on one of my guitars, but it turns out I am slow, have clumsy fingers made of hot dogs and despair, and only questionably know how to find the key of B Minor on my fretboard.

So, I took my ROLI keyboard, which lights up in rainbow colors, set it to show only the notes in the B Minor Pentatonic scale, fired up a guitar synth, connected to the “Comfortably Gilmour” virtual amp/pedal set up, and went to town. The ROLI keyboard has MPE ability, which means I could do the equivalent of string bends by wiggling the keys. It was fun being a fake guitar hero for a bit. I am very sure that David Gilmour will not be losing any sleep over me. And I really do plan to get better on guitar. Soon! Maybe! We’ll see.

Also, I did the scream. That was a whole thing too.

Enjoy!

— JS

Saturday, 20 June

23:49

Link [Scripting News]

Doing a prior art search and came across this early DaveNet example. The left column had the blue ribbon for free speech on the web, and below were links to the archive pages for each of the years. Screen shot. About ten years of essay writing. DaveNet was where the blog started, and then it became an arm of the blog home page which also included titleless posts, example, and then all the action moved onto the new home page and that was the end of this layout.

21:07

Gunnar Wolf: systemd for Linux SysAdmins [Planet Debian]

This post is an unpublished review for systemd for Linux SysAdmins

systemd. Yes, in full lowercase. If there is ever a technology to cause controversy in the Linux world, this is it. Since its inception in 2010, systemd’s goals were set quite high — replacing the vital part in every Linux system that takes care of the system boot process. It quickly reached maturity, allowing its to be adopted as the main init system in most major distributions just five years later. But even given we are describing events that happened over a decade ago, systemd adoption still raises the temperature in any Linux-related discussion.

David Both’s comprehensive book tackles the “what”, the “why” and the “how” issues surrounding systemd. Carefully divided in 16 chapters, going from explaining the basics and some of the technical and political history behind the project to the different subsystems and aspects covered by systemd, its almost 450 pages can scare people away — but the text is written in a very clear, tutorial-like fashion, and while it can be read sequentially, cover-to-cover, the book is amenable for readers to pick a single aspect and jump straight to the relevant chapter.

One of the frequent criticisms the systemd project has received is that it aims to basically rewrite all of a Linux system, and just looking at this book’s index shows there is some truth to it. The first chapter is an introduction to the systemd project and a brief overview of its history (including the controversies around it), and the following four chapters deal about understanding and controlling the system boot process.

But that still leaves ten chapters to account for — they cover different aspects or sub-projects of systemd, such as time and date issues (synchronization, time specifications, and controlling repetitive tasks), understanding and leveraging the system journal that strongly departs from the old syslog system, network configuration and firewall management, system health and performance debugging — all of them, aspects that in the traditional Unix philosophy were managed by independent programs… And I can identify several systemd sub-projects not covered by this book!

We long-time Unix and Linux administrators took pride in how highly performant and stable systems were supported by the simplicity of our tools; systemd critics point out this massive project has absorbed dozens of individual tools, yielding corporate control over vast swaths of vital system tooling. Truth is… as a sysadmin myself, systemd is today one of my greatest allies.

I appreciate the author evaluates every component independently, including his personal evaluation of each — even stating he prefers working with the traditional programs in several areas.

If there is a criticism I must make about this book is that, although typographically it is well formed and taken care of, given it includes large amounts of console captures, having a maximum width below 70 characters means several lines are unnaturally cut short (and continued with odd indentations). I understand there is probably no “right” way to solve this, but it does affect the feeling of naturally reading the text.

17:28

Pluralistic: How the Epstein Class recruits (20 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links


An outlandlishly attired, spear-clutching secret society, ca. 1900. Their faces have all been replaced with the face of Peter Thiel, except for the middle one, who has Jeffrey Epstein's face.

How the Epstein Class recruits (permalink)

Perhaps you've encountered the stories about Dialog, an extremely weird secret society associated with Peter "Antichrist" Thiel, whose membership data and details have leaked this week:

https://www.wired.com/story/how-peter-thiels-private-dialog-club-secretly-ranks-its-members/

By all appearances, this is a comically creepy, awful talking-shop for the Epstein Class. It's not all that surprising, in retrospect, to learn that all these terrible people were in a group chat, secretly assigning ratings to one another, and periodically gathering to have tedious panels about, I dunno, "race science" or whatever.

I'm on the oligarchy beat, so stories about Dialog have been popping up in my RSS feed for the past week or so, but it wasn't until last night that I made a connection.

A year or two ago, I got an invite to speak at an event. This is normal, I get a lot of these and I do a lot of public speaking. I'm good at it, and it's a good way for me to reach people and get them energized about the issues I care about. Sometimes, I do these talks for free. Sometimes I get paid.

When I first glanced at this speaking offer, I thought, "Huh, I guess this is one to send on to my speaking agent," because the names the offer dropped were a bunch of rich people, and so I assumed that they were having some kind of summit and looking for a keynoter. Then I read a little more carefully and realized they – these billionaires and their lickspittles! – wanted me to pay them, thousands of dollars, so that I could shlep my ass to some luxury resort in order to have the privilege of speaking to them.

I came up as a science fiction writer, and at some point, every sf writer learns "Yog's Law," coined by James D Macdonald when he was running the science fiction forum on GEnie, under the screen name "Yog Sysop":

money flows toward the writer

https://en.wikipedia.org/wiki/James_D._Macdonald#Educational_work

In other words, whenever you, as a creative worker, are approached by someone who wants to "help" you with your work, and they want you to pay them, they are a scammer, preying upon your essential human need to communicate with others. Run away.

Which is what I did. I deleted the email.

Then, I got another one a couple months later. Ugh. I wrote a mail rule that auto-deleted anything from that sender and promptly forgot about the matter. Until last night.

I just had a look at my Trash folder and yup, these people are still emailing me in hopes that I will give them thousands of dollars to join their weird secret society.

I don't know if everyone who joined Dialog got an email like the one I was sent, but if you want to understand how at least some of those people ended up on those membership rolls, well, now you know: they were schmucks who'd never learned Yog's Law.

(Image: Gage Skidmore 1, 2, 3, 4, 5, 6, CC BY-SA 2.0; TechCrunch50-2008, Dan Taylor 1, 2, CC BY 2.0; modified)

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#20yrsago Wendy Seltzer smokes the MPAA in the Wall St Journal https://web.archive.org/web/20061016014904/http://online.wsj.com/public/article/SB115047057428882434-1V_FEK_CJelMfytdST8APRW7cZw_20060720.html

#20yrsago HOWTO build an RFID skimmer https://web.archive.org/web/20060703081753/http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html

#20yrsago Desperate inventions of post-Soviet Russia https://memex.craphound.com/2006/06/20/desperate-inventions-of-post-soviet-russia/

#20yrsago NYT falsely reports that Wikipedia has added restrictions https://jimmywales.com/2006/06/17/the-new-york-times-gets-it-exactly-backwards/

#20yrsago Farthing: Heart-rending alternate history about British-Reich peace https://memex.craphound.com/2006/06/20/farthing-heart-rending-alternate-history-about-british-reich-peace/

#15yrsago Dirty, Drunk and Punk: the untold history of Toronto’s BUNCHOFFUCKINGGOOFS https://memex.craphound.com/2011/06/20/dirty-drunk-and-punk-the-untold-history-of-torontos-bunchoffuckinggoofs/

#10yrsago Video: Guarding the Decentralized Web from its founders’ human frailty https://www.youtube.com/watch?v=zlN6wjeCJYk

#10yrsago Unnamed Canadian telco sabotages’ library’s low-income internet service https://web.archive.org/web/20160618143132/https://motherboard.vice.com/read/canadian-telecoms-limiting-wifi-low-income-families-toronto-public-libraries-digital-divide

#10yrsago Clarence Thomas rumored to be considering retirement https://web.archive.org/web/20160622135444/http://www.washingtonexaminer.com/end-of-conservative-supreme-court-clarence-thomas-may-be-next-to-leave/article/2594317

#10yrsago Tolkien elf or prescription drug name? https://web.archive.org/web/20160609021515/https://entertainment.howstuffworks.com/arts/literature/drug-or-tolkien-elf-quiz.htm

#5yrsago The EU, Tech Trustbusting, and Trade Wars https://pluralistic.net/2021/06/20/the-eu-tech-trustbusting-and-trade-wars/

#5yrsago How to cheat on your taxes https://pluralistic.net/2021/06/20/la-hougue/#complexity

#1yrago Oregon bans the corporate practice of medicine https://pluralistic.net/2025/06/20/the-doctor-will-gouge-you-now/#states-rights

==

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

16:56

Link [Scripting News]

Claude doesn't care if you criticize the code it wrote, because if it wasn't written just now, it didn't write it. It starts from zero in every session, you can watch it, like HAL in 2001, singing daisy daisy. I can see it happening as the environment of my app is getting so large, it has to do a bit of thinking to start up, more all the time. But as humans who were brought up properly, we like to add the niceties to our criticism so as to not make the other one feel bad. I do that for myself, not the machine, I know it doesn't identify as the creator of the code.

Link [Scripting News]

When I got this email from Google on this day in 2018, I had a sinking feeling, this was like getting a letter from Apple a few years earlier. They were treating the web as if it were their platform.

15:42

Russell Coker: HP Z4 G4 [Planet Debian]

In what is hopefully the conclusion of my hunt for a cheap tower server supporting REBAR [1] I have just bought a HP Z4 G4 with W-2125 CPU for $320.

Hardware

One interesting thing is that it has an adaptor from SATA power to 8 pin PCIe power. According to Wikipedia the 8 pin connector provides 150W at 12V [2]. According to Wikipedia SATA power cables include 3 12V pins each of which can deliver 1.5A [3] which is 54W. The system as I received it had a single SATA power plug connected so potentially 150W could be drawn from a connector designed for 54W. The first thing I did was to connect a second SATA power connector on the same cable so I could have connectors designed for a total of 108W supplying potentially 150W (and definitely more than 75W).

I found two versions of the specs for this system, this version seems to match what I bought as it references W-21xx CPUs [4] while this version matches what I would rather have with a W-22xx CPU [5]. The URL naming scheme implies that there are potentially at least a few other variants out there. So much for the “buy name brand and you can buy two systems with the same model and have them work the same” benefit you hope to get. Why don’t they just name them “G4.1”, “G4.2”, etc?

It seems that W-21xx and W-22xx CPUs are incompatible, so the W-2295 scoring 30,804 multithread and 2,634 single thread on passmark that I hoped to get isn’t an option [6].

The system is well designed for space efficiency, both it and the Z640 are 17cm wide but the Z4G4 allows my to close the lid with the Intel Battlemage card installed which doesn’t come close to fitting in a Z640. It has 8 DIMM sockets and with the ready availability of 32G DIMMS that allows 256G of RAM which is the maximum the motherboard supports. That compares well to the Z640 that only has 4 DIMM slots and the Z6G4 which only has 6.

The system supports a maximum RAM speed of DDR4-2666 which is better than the DDR4-2400 of the Z640 but less than the DDR4-2933 of the Z6G4.

The NVMe sockets on the motherboard are a convenient feature. Most systems I run need at most two NVMe devices so this saves a PCIe slot which is important when dealing with GPUs that take 2+ slots. Also for systems that don’t really need NVMe I can use some of the small NVMe devices that I have no other use for. 128G NVMe devices aren’t even worth selling and 256G will be of little use in the near future. So when I move to gen4 Z servers I can use up some of them without wasting slots.

Using the lesser socket LGA2066 in the Z4G4 is a minor annoyance, but for a single socket system 18 cores is probably enough.

The BIOS has an option for single-socket NUMA, which is basically locking cores in a single CPU to specific RAM channels. I enabled it but it did nothing presumably because I only have 2 DIMMs. When I get more DIMMs I’ll do some tests of that and compare it with NUMA on my Z840.

Variants

There are many different variants of the Z4G4 and the only way to recognise them is by the CPU not by any part number or serial number AFAIK. The first difference is between server grade CPUs (the W-2xxx CPUs) and desktop grade CPUs (the i7 and i9 CPUs). The systems with i7 and i9 CPUs don’t support ECC RAM which makes them less reliable, gives smaller limits for RAM

The below table compares the Z640 which is my current desktop PC with the Z4G4, Z6G4, and Z8G4 systems. For the latter 3 I have included multiple options for the parts that differ in different models in the same name series. The Z4G4 I have is an early one which only supports W-21xx CPUs which means a maximum RAM speed of 2666 and the best possible CPU would only be 15% faster than my Z640. I can only use this for ML stuff as it’s the only system I have with REBAR support (which works well).

Z640 (1 socket) Z4G4 Z6G4 (1 socket) Z8G4
DIMM slots 4 8 6 24
Max DDR4 speed 2400 2666/2933 2666/2933 2666/2933
Max DIMM size 32G 64G 64G 64G/128G
System Max Ram 128G 512G 192G/384G 1.5T/3T
CPU Socket LGA2011-3 LGA2066 LGA3647 LGA3647
Best CPU E5-2699A v4 W-2195/W-2295 Platinum 8180/W-3275 Platinum 8180/8280
Motherboard NVMe 0 2 2 ?

Conclusion

In my previous blog post I concluded that the next step up for me would be DDR5 systems [10]. But now some of the LGA3647 systems are appealing. The Z8G4 would be a decent upgrade from my current Z840 build server and should be affordable long before any two socket DDR5 system becomes affordable.

The Z4G4 doesn’t have any potential for useful upgrades. But for me it was a good cheap way to house a GPU that had already damaged the motherboard of one good system. If the Z4G4 has a PCIe slot break the way my Z840 did then it wouldn’t bother me a lot. It was annoying to discover how limited this variant of the Z4G4 is after buying it, but at that price I can’t complain.

A Z6G4 could be a nice workstation if I found one at a really low price. The only reason I’d seek one out is if I had a need for a desktop workstation with REBAR support, which seems unlikely.

Related posts:

  1. Tower Servers and Resizable BAR A feature on modern PCIe implementations is “Resizable BAR” AKA...
  2. Server CPU Sockets I am always looking for ways of increasing the compute...
  3. More About the HP ML110 Gen9 and z640 In May 2021 I bought a ML110 Gen9 to use...

15:28

Silos are the problem [Scripting News]

A silo is a place where developers feel protected from the unbounded world of the web. In return they are completely controlled by the silo owner. The owner decides where you can go, and can and do revoke privileges. Developers in silos are mostly powerless.

Companies usually are the ones who create silos, but open formats can create them too. JSON, for example, has been used as an excuse to reinvent everything that was done in XML.

Open source projects create silos too. A protective zone that doesn't interop with competitors. Where you have to climb into the project to build on it.

Outside of silos, on the web, your code calls a platform using a standard API. Developers who, because of standards, can plug into anything, and thus give users maximum choice.

Podcasting is not a silo. It's part of the web. Support two easy formats and you've got a node. You'll find packages that do all that on any well-developed coding platform.

I believe we can do something like that for text. That's what I've been working on in the 2020s. It's slow-going because the foundation ideas of the web are not well-understood by today's developers, or at least that's how I experience it. ;-)

We're rethinking the whole tech world right now, and we can use formats and protocols that are available on the web, not by replacing the ones that are already there, but by using the existing paths in new ways. Big difference.

14:07

Russell Coker: Font Sizes [Planet Debian]

The Problem

In 2019 I blogged about getting a 4K monitor because of my vision being inadequate for a 2560*1440 monitor [1]. Now I’m using a 40″ 5120*2160 monitor [2] and still trying to find the correct balance between how much I want to see on the screen and what I am physically capable of seeing on screen.

Currently Kitty is my terminal emulator of choice [3]. What I most like about it is the feature of having multiple terminal windows in a single OS window, so instead of having 9 or 16 different xterm instances running all with possible alignment issues I have a single window for all terminals which can be brought to the foreground. The impending 6.7 release of KDE (my favourite Linux desktop environment) [4] includes the feature of per-screen virtual desktops which might be the feature I need to make multiple monitors usable for me. One of the factors stopping me from using multiple monitors in the past was the issue of not getting the alignment of dozens of xterms right if a monitor goes to sleep mode and is regarded as disconnected, moving a few Kitty windows is much easier than moving dozens of xterms (also a tiling window manager isn’t my style).

I’ve just decided that the Terminus font (my favourite out of the monospaced fonts in Debian) is too small for me at 9.0 point. But then I tried 10.0 which looked really ugly and an experiment showed that 10.5 looked good.

What I’ve Learned

This is the best explanation I’ve seen of how ridiculous the whole font point thing is [5]. It doesn’t and won’t ever correlate to pixels. So what we ideally want to do is set the size on screen to match the actual pixel size of the font. I can’t find any software to interrogate a font file and find out what sizes it supports. The web page for the Terminus font says that it supports 6×12, 8×14, 8×16, 10×18, 10×20, 11×22, 12×24, 14×28 and 16×32 [6]. So the question is how to get a terminal program that uses one of those.

Kitty doesn’t and won’t support specifying font size by pixel. I tried some other terminal programs, I started with the Debian Wiki page TerminalEmulator [7] which wasn’t very helpful, I added some new entries to that page. There doesn’t seem to be another option for a terminal emulator with multiple terminals in one OS window that can arrange them automatically. I didn’t even get to the stage of checking whether other terminal emulators supported font size in pixels.

The lcdf-typetools package contains the program otfinfo which gives some interesting information on fonts but nothing about the font sizes in pixels.

Sites like Coding Font to compare fonts [8] can never work properly as the fonts will always be slightly different sizes as the same point size doesn’t mean the same display size.

The Current Situation

On my 5120*2160 monitor with 9 Kitty terminal sessions with 9.0 point font they each have 277*50 characters. With 10 point it’s 237*46 but fuzzy and unpleasant to read. With 10.5 point it’s 208*43 which isn’t as good as I’m used to but is still almost 4.5* as many characters as the original 80*25 standard for terminals.

Some time before 2019 I had a 4*4 array of terminal windows that were 100*25 or 120*25. That left some space at the right and bottom so I could open another 8 or 9 terminals that were partially obscured if I needed to. By 2019 before getting a 4K monitor I had a 3*3 array of terminal windows as my standard desktop and a larger monitor that did 4K resolution allowed me to have 16+ terminals again. Now with Kitty I routinely have 9 terminals in a 3*3 array and I can easily open more if I need them and have them resize appropriately.

This situation works reasonably well, but the element of just trying different sizes in 0.5 point increments until I find something that looks good is unpleasant. I should be able to specify the next largest increment of the bitmaps in the font and just have it look good.

Conclusion

It would be good if more people tested the terminal emulators in Debian and added information to the wiki page about them. The current page is useful but needs more information to support the variety of features that people find important.

We need some tools to provide information on fonts in Debian, such as the sizes of bitmapped fonts.

The whole point size thing is just wrong and would ideally go away. The vast majority of font use nowadays is for things that will probably never end up on a printed page so trying to map it to a physical size in fractions of an inch makes no sense. But that’s just one of many horrible things used for backwards compatibility that aren’t going to go away any time soon. Really everything involving inches should go away.

Related posts:

  1. Kitty and Mpv 6 months ago I switched to Kitty for terminal emulation...
  2. Hello Kitty I’ve just discovered a new xterm replacement named Kitty [1]....
  3. Source Code With Emoji The XKCD comic Code Quality [1] inspired me to test...

10:49

10:42

99% might be enough (or not) [Seth's Blog]

A 100-foot long boat that’s 99% complete is going to sink before it leaves the dock. That gaping hole is more than enough to do it in.

On the other hand, a baked ziti that’s 99% as good as the best baked ziti ever made is exactly good enough to serve in any setting.

Mediocrity isn’t the point. Neither is perfection. The question is: what’s the best allocation of effort in order to delight our customers?

We should be clear about which category we’re working in.

08:42

What does it mean when the bottom bit of my HMODULE is set? [The Old New Thing]

The numeric value of an HMODULE is normally the base address of the DLL or EXE it represents. These base addresses are always multiples of 64KB, so the bottom 16 bits are all zero. Yet you may run across one with the bottom bit set. What does that mean?

Normally, when you load a DLL, it gets an entry in the table of loaded modules. This table is consulted by functions like Get­Module­Handle and Enum­Process­Modules to identify all the DLLs that have been loaded. It also is used to keep track of how many times each DLL has been loaded, so that the DLL is removed from memory when the correct number of Free­Library calls has been made.

Many of the flags to the Load­Library­Ex function alter how the system locates the DLL to load, but some of them alter how the DLL is itself loaded into memory. The interesting one here is the LOAD_LIBRARY_AS_DATAFILE flag.

If you ask that a DLL be loaded as a data file, and there isn’t already a copy of the DLL loaded normally, then the loader will search the file system for the DLL in the manner described by the other flags, and then it will just map the DLL into memory without doing any of the usual stuff like applying fixups, and then returns you an HMODULE that represents the location where the DLL was mapped into memory, but it also sets the bottom bit as a note to itself to say “This wasn’t loaded the normal way.”

If the loader decides to map the DLL into memory directly, then the DLL does not get an entry in the list of loaded modules. While the module was loaded in a strict sense of the term, it was not loaded as a functional module. The code is not ready to execute: Its dependencies were not resolved. Its initialization was not run. It’s just a bunch of bytes mapped into memory. If you call Get­Module­Handle or Enum­Process­Modules, the module won’t show up because those functions use the list of “properly” loaded modules, and your datafile DLL wasn’t put on that list.

Functions like Find­Resource recognize these “not really a module” modules. For example, if you ask to find a resource in a loaded-as-datafile module, the Find­Resource function knows that it has to convert RVAs in the PE header into physical file offsets.

And when you pass the HMODULE back to Free­Library, it sees that the bottom bit is set and knows, “Oh, this was never entered into the module list, so I don’t have to remove it from the module list either.”

This special behavior of the bottom bit is locked into the ABI thanks to this macros provided in the Load­Library­Ex documentation:

#define LDR_IS_DATAFILE(handle)      (((ULONG_PTR)(handle)) & (ULONG_PTR)1)

I don’t know if this use of the bottom bit was intended to be an implementation detail, or whether documenting it was an intentional decision, but what’s done is done, and it’s documented, so it’s too late to change it now.

Bonus chatter: You can see in the documentation another macro that reveals that the second-from-bottom bit is also used as a special signal:

#define LDR_IS_IMAGEMAPPING(handle)  (((ULONG_PTR)(handle)) & (ULONG_PTR)2)

The post What does it mean when the bottom bit of my <CODE>HMODULE</CODE> is set? appeared first on The Old New Thing.

03:35

Friday, 19 June

23:35

22:42

Pluralistic: The Big Con (19 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

  • The Big Con: Making the pile of shit bigger won't increase the number of ponies underneath it.
  • Hey look at this: Delights to delectate.
  • Object permanence: TVA v SETI@Home; Telemarketers v DHS batphones; Matt Stone's MPAA censorship memo; Stonehenge pocket watch; W3C v security research; Congressional mass-shooting response simulator; Dynastic wealth; Gig economy astroturf; Meta publishes your AI prompts.
  • Upcoming appearances: LA, Menlo Park, Toronto, NYC, Philadelphia, Chicago, London, Edinburgh, Sydney, Melbourne, Brighton, London, South Bend.
  • Recent appearances: Where I've been.
  • Latest books: You keep readin' em, I'll keep writin' 'em.
  • Upcoming books: Like I said, I'll keep writin' 'em.
  • Colophon: All the rest.


Charles Ponzi stands between two giant, weathered pyramids; his skin is dyed orange and he wears a Trump wig. He stands beneath a vast Amway logo. The scene is lit by stadium show floodlights and surrounded by pyrotechnics.

The Big Con (permalink)

Partway through Bridget Read's unmissable chronicle of pyramid ("multi-level marketing") schemes, Little Bosses Everywhere, there comes a dual revelation: no one is selling any product to end-users and no one knows it:

https://pluralistic.net/2025/05/05/free-enterprise-system/#amway-or-the-highway

That is to say, all the hustlers who have spent thousands of dollars on Mary Kay, Herbalife and Amway have failed to move any of their product (beyond a statistically insignificant number of sales to friends and family who quickly tire of being hustled and stop buying this substandard, overpriced junk). But none of these "entrepreneurs" knows it, or admits it to anyone – not their "downlines" (friends they've lured into the swindle), nor their "uplines" (friends who recruited them into the con).

Each pyramid scheme victim thinks that they're the only failure in the whole bunch. They go to massive "sales conferences" where people boast about all the sales they're making, and they're all lying about it. Incredibly, the pyramid schemers who run these criminal enterprises have figured out how to make a virtue out of this situation: they offer "sales coaching" courses to help people make the sales that "everyone else is making." In other words, once you've gone bust failing to sell Amway, they'll get you to go further into debt to learn how to correct the (nonexistent) issues with your sales strategy so that you can join the (imaginary) legion of people who sell Amway by the bushel.

Con artists have a name for this kind of swindle: it's called a "big con," which is when everyone a mark comes into contact with is in on the scam. Here's how the big con worked: after a "roper" snared a victim (usually on an intercity train), they would telegraph ahead and let the home team know they had a live one. From that point forward, every single person the victim came into contact with was in on it – from the porter who collected his bags at the train station to the cab driver to the Western Union clerk he uses to cable his banker and ask for a cashier's check for his life's savings.

In the big con, dozens of skilled actors are putting on a play for an audience of one: you. It's a real-world, non-hallucinatory version of "gang stalking delusion," which is when someone going through a mental health crisis believes that everyone they meet is in on a conspiracy to drive them crazy:

https://pluralistic.net/2026/06/03/mission-space/#gsd

The situation that people suffering from GSD hallucinate is actually happening to people ensnared in a big con…and pyramid schemes are a big con. What's more – as Read's book makes clear – you can't understand modern American politics without understanding pyramid schemes.

One of the most destructive pyramid schemes in American history is Amway. The FTC was about to shut Amway down in the mid-1970s, but then Nixon resigned and Ford became president. Ford had been the Congressman to Amway's founders Jay Van Andel (then the head of the US Chamber of Commerce, which is to say, America's most powerful business lobbyist) and Dick DeVos (yes, that DeVos). Ford and the Amway swindlers were thick as thieves, and so Ford called off the FTC. Rather than going to jail, DeVos and Van Andel became morbidly wealthy, and they used some of their stolen money to found and fund the Heritage Foundation (yes, that Heritage Foundation).

The political class running America are pyramid scheme swindlers, funded by pyramid scheme money. They're running a big con on all of us. That's true of the Trumps, who've excreted a diarrhoeic slurry of shitcoins that have made them billions – and lost billions for their "investors":

https://www.citationneeded.news/issue-106/

Trump insists that he is a self-made man who made his money with successful real estate deals. In reality, he lied all the time about his real estate, committing a string of felonies in order to defraud the banks, even as he went bankrupt, time and again:

https://en.wikipedia.org/wiki/Prosecution_of_Donald_Trump_in_New_York

Another "self made man" is Elon Musk (who is a "trillionaire," in a highly technical sense meaning "not a trillionaire at all"). Musk would have been broke several times over but for a string of massive government bailouts and subsidies, which continue to this day:

https://www.congress.gov/119/meeting/house/117956/documents/HMKP-119-JU00-20250226-SD003.pdf

Trump, Musk, and the rest of the schemers in the pyramid routinely claim that they are wealthy because they are running good businesses, a "fact" that many of us accept at face value. It's bad enough that we are deceived about reality, but many of their most addled cult-members try to follow in their footsteps. When they fail, they are in the same situation as one of those busted Amway sellers: thinking they are the only ones who can't make this "sure thing" work. Conservativism is a movement of bitter rubes, led by pyramid scheme swindlers:

https://pluralistic.net/2025/07/22/all-day-suckers/#i-love-the-poorly-educated

The "wait, is everyone else also failing?" awakening is an experience that many of America's CEOs are sharing at this moment, as they wonder whether they are the only ones who've fired as many workers as possible and replaced them with AI, only to see their company's fortunes fall:

https://www.msn.com/en-us/money/markets/uber-ceo-says-other-execs-are-lying-about-ai-they-say-it-ll-be-fine-publicly-but-privately-admit-millions-of-jobs-are-gone/ar-AA1Z9QMv

Like an Amway victim, these boardroom rubes simply can't believe that all these people could be in on the con. How could the world spend trillions on AI if it's not on a path to profitability? It's not that these guys spent 2008 in a cave – rather, they just lack the object permanence to remember the last time a "Federal Wallet Inspector" approached them at a board meeting and took them for everything:

https://pluralistic.net/2025/12/13/uncle-sucker/#willing-marks

The thesis that "it can't be nonsense if there's a lot of money at stake" is the core of so many of these swindles. It's the investment theory that holds that once a pile of shit gets big enough, there must be a pony under it somewhere.

There's a Bugs Bunny bit that I find myself returning to in this era of the big con: it's a gag from 1954's "Bugs and Thugs":

https://en.wikipedia.org/wiki/Bugs_and_Thugs

Bugs has been kidnapped by gangsters, who have come to trust him. He tricks them into thinking that the police are coming and he urges them to hide in the oven while he sends the cops away. Then, Bugs performs a one-rabbit show in which he plays both the cop (with a broad Irish accent) and himself:

Bugs (cop voice): All right, open up! This is the police! [banging] All right, where's Rocky, where's he hiding?

Bugs (normal voice): He's not in this stove.

Bugs (cop): Oh-ho, he's hidin' in that stove, eh?

Bugs (normal): Now look, would I turn on this gas if my friend Rocky was in there?

Bugs (cop): You might, rabbit, you might.

Bugs (normal) Would I throw a lighted match in there if my friend was in there? [Massive explosion]

Bugs (cop): Well, all right, rabbit, you've convinced me. I'll look for Rocky in the city.

https://www.youtube.com/watch?v=LSNTjX_g9a4

We keep living through real world versions of this:

"Would I, Mark Zuckerberg, change my company's name to 'Meta' if I wasn't serious about this?"

"Oh, you might, Zuck, you might."

"OK, but would I spend $61b on the metaverse if I wasn't serious about this?"

"All right, Zuck, you've convinced me. I won't sell my Facebook (oops, I mean 'Meta'!) shares."

But neither Zuck nor Musk nor Trump has the charm of Bugs Bunny. At a certain point we're all going to look at each other and say, "It was all bullshit, wasn't it?"

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago TVA bans SETI@Home https://web.archive.org/web/20010625113535/https://www.knoxnews.com/archives/browserecent/06162001/archives/31399.shtml

#25yrsago Scott McCloud on microtransactions and Napster https://web.archive.org/web/20010708054658/http://www.thecomicreader.com/html/icst/icst-6/icst-6.html

#20yrsago Wardialling telemarketers stumble on Homeland Security batphones https://web.archive.org/web/20060630104202/https://www.delawareonline.com/apps/pbcs.dll/article?AID=/20060616/NEWS/606160329/1006

#20yrsago NAB: Evidence is irrelevant to copyright treaties https://web.archive.org/web/20060622174657/https://drn.okfn.org/node/133#comment-246#comment-246

#20yrsago LA Times censors newsroom Internet feed https://web.archive.org/web/20060702051259/http://www.laobserved.com/archive/2006/06/protecting_reporters_from.html

#20yrsago Matt Stone’s memo to MPAA censors https://web.archive.org/web/20060619220447/https://www.mcnblogs.com/thehotblog/archives/2006/06/preparing_for_t.html

#20yrsago Stonehenge pocket-watch predicts solstices https://web.archive.org/web/20060627053213/http://www.thinkgeek.com/gadgets/watches/7d2b/

#15yrsago Mean things authors say about each other https://www.flavorwire.com/188138/the-30-harshest-author-on-author-insults-in-history

#15yrsago Glasses with 720p HD video camera https://www.kickstarter.com/projects/zioneyez/eyeztm-by-zioneyez-hd-video-recording-glasses-for

#15yrsago ICANN votes to roll out 400-800 new generic top-level domains https://www.flickr.com/photos/wseltzer/5852419280/

#10yrsago W3C DRM working group chairman vetoes work on protecting security researchers and competition https://lwn.net/Articles/691108/

#10yrsago Thoughts and Prayers: a Congressional mass-shooting simulator https://thoughtsandprayersthegame.com/

#5yrsago The doctrine of dynastic wealth https://pluralistic.net/2021/06/19/dynastic-wealth/#caste

#5yrsago The gig economy's dark-money, astroturf "community groups" https://pluralistic.net/2021/06/19/dynastic-wealth/#astroturf

#1yrago Your Meta AI prompts are in a live, public feed https://pluralistic.net/2025/06/19/privacy-breach-by-design/#bringing-home-the-beacon

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Friday Squid Blogging: Victims of Unregulated Squid Fishing [Schneier on Security]

Dolphins, sharks, turtles, and human workers are all victims of unregulated squid fishing fleets.

Another news article.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

21:49

What was nice about the UI of Windows 2000 [OSnews]

I mean, this is preaching to the choir, but let’s go anyway.

I liked the UIs of the entire era from 3.0 to 2000, really. I’m mostly using Windows 2000 as an example here because it runs so well in QEMU/KVM and that allows me to easily take screenshots.

Some of the following will sound absolutely trivial, but I think it’s worth pointing out.

↫ movq.de blog

Just a series of observations about how much better graphical user interfaces were back in the ’90s and early 2000s. We’ve lost so many affordances based on both common sense and scientific study, and what we ended up with is a confusing, inconsistent mess. It doesn’t really matter where you look – user interface design has deteriorated since the early 2000s, a decline that only accelerated thanks to the arrival of the iPhone, where consistency is a dirty word, and the web, where the advertising people took prominence over the design people.

I just want my buttons to look like buttons man.

21:00

Page 27 [Flipside]

Page 27 is done.

20:35

Systemd v261 released [LWN.net]

Systemd v261 has been released with a long list of changes, including a new cloud "Instance Metadata Service" (IMDS) subsystem, "boot secret" functionality for use on systems that lack a physical TPM, as well as support for the kernel's Live Update Orchestration (LUO) / Kexec Handover (KHO) systems when they are present and enabled. See the release notes for the full list of changes.

19:49

longintrepr.h [Planet GNU]

Did your pip install fail with longintrepr.h: No such file or directory? The file likely is on your system, but it sometime or another it was moved, from /usr/include/python3.xx/longintrepr.h to /usr/include/python3.xx/cpython/longintrepr.h. The proper fix is to update the package in question with the new path, but if you’re installing an old version of something or a package that’s no longer maintained you can work around it like this:

ln -s /usr/include/python3.*/cpython/longintrepr.h .venv/include

19:28

Reproducible Builds (diffoscope): diffoscope 321 released [Planet Debian]

The diffoscope maintainers are pleased to announce the release of diffoscope version 321. This version includes the following changes:

[ Chris Lamb ]
* Fix compatibility with Ocaml 5.4.1.

You find out more by visiting the project homepage.

18:14

Win an Signed, Personalized ARC of Monsters of Ohio! [Whatever]

Tor Books sent me a stack of Monsters of Ohio ARCs, and you — yes you! — can win one, and I will even sign/personalize it for you if you like. Here’s all you have to do to enter:

I am thinking of a mammal native to Ohio. Guess which one it is.

(Don’t know which mammals are native to Ohio? Here’s a pdf guide to get you started. Spoiler: the mammal in question is in fact in the guide!)

I have already told Krissy and Athena which mammal it is, so I’m not just going to make one up at the end of the contest, promise.

And now: The rules!

1. One guess per person, one post per person. If you post more than one guess, your first guess is the guess I will use. If you post more than one post, I will use only the first post. Don’t use the comments to post anything other than a guess; any other comments will be deleted. Be specific toward the mammal; don’t say “dog” when “Beagle” is the correct answer (which it is not, by the way, either of those). Again, the mammal in question is in the guide linked above, so that will help narrow it down a bit.

2. Place the guess in the comments for this post, they will not count otherwise. This will require you to enter login information if you have not already done so. When you fill in the information, leave an email address that you actually check, this is how I will contact you. Put that information in the login dialogue boxes, not in the body of your comment. If you don’t leave an email, I can’t contact you and will move on to the next person who guessed correctly. The information will be used for nothing else, because I respect your privacy and also I’m lazy and can’t be bothered to do anything with them.

3. Speaking of which: In the (likely) event that more than one person correctly guesses the mammal, I will have the computer generate a number between one and [number of correct guesses] and will pick the person whose chronological entry matches the number – so if the number is “three,” than the third person who posted the correct guess will win.

4. In the event no one picks the correct mammal, I will have the computer randomly pick a number between one and [total number of entries] and give the person who chronologically corresponds to that number the book. This is an enormous pain in my ass, so I hope at least one of you picks the correct mammal.

5. The contest runs for 48 hours from the moment I post this (probably close to 1pm Eastern on June 19, 2026), because that’s when the site automatically closes comments. I’ll email the winner after that and will post the results after that, probably on Monday. When I email you, you will have five days to respond, and after that I re-roll for a new recipient. So be looking at your email, please.

6. Contest is open to everyone everywhere on the planet that I can currently ship a book to, so apologies to anyone in Cuba, Iran, North Korea or the Crimea, Donetsk, and Luhansk regions of Ukraine. Everyone else, if you win, I’ll ship it to you.

7. I will sign the ARC but if you want it personalized in any way, let me know when I email you about it.

Those are the rules, so go ahead and guess! Good luck!

— JS

(PS: If you don’t want to play the odds here, remember that you can pre-order the book from your favorite local or online bookstore for when it comes out in November. Also, Subterranean Press will be happy to send a you a signed copy, which I will also personalize if you like, and SubPress also ships everywhere in the world, so that’s helpful.)

17:35

[$] Suspending and resuming BPF programs [LWN.net]

BPF programs can be used to extend many aspects the Linux kernel, but BPF programs must run to completion in the same context that they began. Kumar Kartikeya Dwivedi is working on changing that by allowing BPF programs to be expressed as coroutines. He spoke about his work at the 2026 Linux Storage, Filesystem, Memory-Management and BPF Summit. While still experimental, the change promises to make long-running BPF tasks significantly easier to write.

Widow's Bae [Penny Arcade]

Apple TV is fascinating. It doesn't have a super deep roster, but it has a weirdly high ratio of absolutely must watch shit. I got some free Apple TV when I got an iPad a few Christmases ago, and ended up hooked on For All Mankind - then let it lapse, and now my three favorite shows are all from there. It goes Severance, Pluribus, and now Widow's Bay. They don't seem to be able to produce on any kind of schedule, but then, I don't think they're even trying to. This is exactly what a modern leviathan should be doing with its bulging coffers. As a young man, I was told that Campbell's Chunky Soup was said to eat like a meal. These are shows that watch like books, that benefit very clearly from study.

17:07

Reproducible Builds (diffoscope): diffoscope 320 released [Planet Debian]

The diffoscope maintainers are pleased to announce the release of diffoscope version 320. This version includes the following changes:

[ Chris Lamb ]
* Support androguard 4 and previous versions. Thanks, linsui!
  (Closes: #1140016)
* Use --long-form arguments when calling apktool in order to support apktool
  version 3. Thanks again to linsui. (Closes: #1140015)
* Update copyright years.

You find out more by visiting the project homepage.

16:07

[$] AURpocalypse now: a look at the recent AUR attacks [LWN.net]

The Arch User Repository (AUR) has been subjected to a sustained attack recently. The attacker, or attackers, have spun up a series of new accounts then used them to adopt orphaned packages and push malicious updates that would install malware on users' systems. It is unclear how many users were compromised in the attack, but the maintainers were playing Whac-A-Mole for several days to respond to each newly compromised package. The project has turned off the AUR's new-user registration, for now, but it is unclear what its long-term response will be or if the AUR can be secured without major changes to its existing collaboration model.

15:14

Link [Scripting News]

The WordPress community likes to say that WordPress powers a certain percentage of the web. This always bothered me, couldn't figure out why, until just now. WordPress is part of the web, that's the nature of the web. There should be no difference between how you connect via UI or API to writing on WordPress and any other text system, such as Bluesky or Twitter. No. Difference. Then the user always has choice. Put together your favorite writing environment. Mix and match. Every part is replaceable. That's the idea of the web, and before that PCs and Macs. Instead we've got silos. And WordPress should be the one that says the web is here for all of us and WordPress is a big part of the web, but even the smallest part in terms of users has huge value. And could be a competitor of ours someday. We won't do anything to get in the way of that because the most important people in our world are the users. The really cool thing about it is that the product is set up exactly this way. If every text product cloned their API, we'd have the nirvana that the web promises. We are technically sooooo close.

14:35

Security updates for Friday [LWN.net]

Security updates have been issued by AlmaLinux (dracut), Debian (chromium, firefox-esr, and thunderbird), Fedora (chromium, firefox, nss, ocserv, ongres-scram, ongres-stringprep, perl-Archive-Tar, perl-GD, perl-HTTP-Daemon, perl-Net-Statsd, restic, singularity-ce, util-linux, and vorbis-tools), Mageia (gstreamer1.0-*, libupnp, luajit, opensc, and ruby-rack), SUSE (curl, dnsmasq, ffmpeg-4, frr, google-osconfig-agent, java-1_8_0-ibm, kernel, krb5, kubernetes-old, ldns, liburiparser1, openvswitch, rootlesskit, strongswan, traefik, and trivy), and Ubuntu (ldns, libheif, libnet-cidr-lite-perl, lxd, tomcat11, and vim).

14:28

Link [Scripting News]

Today's song: "You who choose to lead must follow. "

Link [Scripting News]

I rarely ask my Echo to play a song, because after it plays it wants to know if I want to hear a notice. And there goes the buzz from having listened to one of my favorite songs that perfectly catches the moment.

Link [Scripting News]

Whoopi Goldberg says the Knicks should visit the White House. "I want all those black men to stand in our house and remind all of those people — as we try to remind the vice president — that when you try to destroy one part of history, you're destroying all of our history." So true.

When did the Knicks turn the corner? [Scripting News]

I've been trying to understand what the Knicks winning means to me. I'm reminded of the feeling when we sold my mother's house, the house I grew up in, the one my father had died in nine years earier. The site of every battle and come-from-behind victory (I graduated college, they couldn't believe it, for example). Was that day in February 2018 when the fortunes of the Knicks turned?

It wasn't just a victory in the NBA playoffs of 2026, it was a pile of victories and setbacks over quite a few years, in a world where people really do make deals instead of pretending they do. And the Knicks all of a sudden were aimed at winning the top prize. The only reason, theoretically, we play basketball, is so every year all the greatest players and managers compete for who's the best that year. The 2026 Knicks didn't pop up from nowhere, they were carefully curated in a bootstrap that answered the question "If the Knicks were champions, what would they do?"

So now the next challenge for the team is to repeat. They will trade players, maybe even one of the ones we love the most. This version of the Knicks is a point in time. Things are already in motion behind the scenes, for sure.

So, again, when did the corner turn? When did the Knicks start the journey that would end at City Hall yesterday? I think it was Linsanity in 2011. That's when we got a tiny glimpse of what's possible. That short period is why I got involved in the Knicks again, after hating them for not being willing to letting Linsanity play out, so we could find out where it led.

When you're doing a bootstrap and one of your interations takes off like that, you don't take the feature out, you try building all around it, above, underneath or adjacent. This version of the Knicks gets that. And why it's of greater significance, it's exactly the approach our species desperately needs to take. Not just New York, not just the United States, and not just one sport -- everything. It's a model for the corner we must turn to survive and thrive.

14:00

Wouter Verhelst: Agentic coding and Free Software [Planet Debian]

Through work, I have paid license to windsurf (recently renamed to "devin"), an application for LLM-based (aka, "Agentic") development.

I hadn't been using it that much, but in an effort to more clearly understand how this whole AI development thing works, I decided to give it a closer look recently.

My conclusions:

In its current form, this whole LLM wave is problematic for multiple reasons. But ignoring that, and looking at the technology only, I can say that:

  • it is a paradigm shift;
  • it is, at the technological level, a positive evolution;
  • and it is a threat to free software.

Problems

Lest someone (incorrectly) assume that I am arguing in favour of the current state of affairs with regards to LLMs, let me state this first.

The way LLMs are built today is highly parasitic. Websites are downloaded in whole, at unsustainable rates, regardless of the consent of the people who made the original content. The result is predictable: servers get overloaded, server administrators attempt to implement various mitigations. Some of these mitigations work; some do, for a while; some are entirely useless. In actual fact, the mitigations are an arms race -- if too many people implement the same mitigation, then the people who try to build yet another LLM so they can extract rent will just try to work around the mitigation, eventually they will succeed, and you'll just have to come up with another mitigation. It's a bit like spam; you introduce regex-based spam filters, they introduce spelling mistakes, you introduce bayesian filters, they add a large batch of markov chain-generated semi-nonsense words made invisible by markup, you add filters to block emails with such markup, they move the text into an image. We have working mitigations today, but eventually we'll run out of ideas.

LLMs glob up everything they can while ignoring the license of the source material. The people who push those LLMs claim that pushing the source material through the machine learning algorithms makes the output of the algorithm distinct enough from the source material that the license no longer applies; I'm not so sure that this is true. I guess the New York Times v OpenAI lawsuit will teach us some of the answer to that question here, but even so the ethical questions about "is it OK to bring down another server just so we can download the internet for another for-pay LLM" are still open. And regardless of what the law states, my opinion on "you're using my copyleft code to generate code under a different license" is not something you might like if you agree with the rent seekers' opinion on the subject.

That all being said and true, the technology works. You can have a "conversation" with an LLM that resembles a human one. If you pass it some data, you can use plain english to ask it questions about that data, which is a lot easier than to ask it about that in a formal way. You can request it to generate some code, and it will generate something that looks like what you need and that will be mostly correct for like 95% of the time.

Now, yes, 95% of the time is not 100% of the time, and no, you can't ask it to "write me a piece of software that implements this 300-page requirements document and get back to me when you're done", because it will fail, and you won't know where it has failed, and you'll take it into production and expect everything to be fine because it won't and this one minor logic bug will cause half your servers to spin and consume credits with your infrastructure provider with nothing to show for it.

But that doesn't mean you can't use an LLM to build a large piece of software. It just means you have to understand the LLMs limitations and strenghts, and use them correctly.

Here's what an LLM is good at:

  • Generating plausible text
  • Interpreting text to figure out what a plausible meaning or summary of that text is
  • Giving vague indications as to what the probable context of a given body of text is.

It turns out that that's enough to use the LLM to build a reliable piece of software, provided you do it right.

Paradigm shift

An LLM can generate text by the truckful. The generated text could be code. Given a good enough LLM, the generated text might even run and do something useful.

You can try to blindly run the code, and if it doesn't run correctly, you can paste the error message to the LLM, and it can tell you what went wrong and how you could possibly fix it. This creates a feedback loop: you ask it for an amount of code, you run the code, you receive an error, you tell it that the code is problematic and give it the error message, it makes changes to the code, now you have something that at least no longer fails at startup.

If you ask it to add tests to make sure that your code acts as per your specification, now you get an error if and when the code doesn't act as per your specification. Or, well, at least not as per the part of the specification that was correctly turned into a unit test by the LLM.

LLMs have a context window, so if the error message is pasted in the same conversation as where the code was generated, it is able to reuse the earlier prompts to refine how it should interpret the error message that you received.

You can't really paste the source code of an entire application into the prompt of your LLM, that would quickly overrun its context window. But LLMs also allow you to provide some form of background information -- a document, say -- on which you ask it to reason. It will interpret that document, but doing so uses less of the LLMs context window. So providing the LLM with your application's source code as background information can help it understand better how your code interacts. This is especially helpful if you only provide the LLM the background information relevant to the actual question.

So now if you are able to:

  • Create background context with your application's source code
  • Have the LLM generate a first draft of your requested change, plus the tests to make sure it works
  • Compile (if applicable) the generated code (and tests) and run said tests
  • Return any error messages to the LLM with a request to correct the error

Then the combination of "getting it 95% right off the bat" and the above feedback loop means you can generate syntactically correct code, that probably does what you need, in minutes.

I say "probably" for a reason. There are going to be cases where you specify a request without a number of details (because they are implied), and the LLM will get most of those details right but just not implement the one bit because it's an automaton and it doesn't think. Or you will ask it to make sure that two bits of the application look exactly the same, without specifying that they must act the same, now and in the future, and it will just generate the same block of code twice and then in a future change it will change one but not the other.

But if you review the changes, and you have experience as a programmer, you will be able to spot most cases where the LLM got it wrong. And so it's possible, if not necessarily easy at first, to use an LLM to generate mostly correct code.

There are certain places where "mostly correct" code is not desireable. But equally, there are also cases where, "mostly correct" is good enough.

After all, most of the software you run today -- the bits of it that weren't, yet, generated by an LLM -- is only "mostly correct", too, because to err is human and we all make mistakes. If not, there wouldn't be any CVEs and your software would never do anything wrong.

Now, doing the feedback loop described above is certainly something you could do manually. You could open an account on one of the LLM websites, upload the source code of your application, ask it to generate some new feature, download the newly generated feature, run it, and then copy/paste any error messages back into the LLM.

But that's a lot of manual work of the type that computers are pretty good at. So that's what the "windsurf" tool helps you with: you run it inside your IDE -- either a VSCode-based tool that you download from their website which comes with their product preinstalled, or a separate JetBrains plugin that you can install. You can then open your entire relevant codebase in a workspace in your IDE. You then ask the LLM, through the IDE, to generate a new feature in your codebase, and to also generate the test while it's at it. It will use a mixture of LLM interpretation and non-LLM functionality to scoop out the relevant bits of your codebase to send to the LLM as background information, will send it your prompt, will download the generated code and patch or create files, will compile (if required) and run the newly generated code and tests, and will refine the generated code if the tests produce any errors. All mostly automatic; by default, running anything requires explicit confirmation. You can turn that off completely (probably not a good idea), or you can give it a whitelist of things that you don't want to confirm (perhaps OK), and the tool also passes standing instructions to the LLM to never generate any command that deletes a file (which, like with any LLM, can be overridden, but it requires you to be very stubborn and to use more credits than you'd probably like).

All this put together means you can build something without writing any piece of code, provided you do it right.

A technically positive evolution

Don't go and say, "here's a 300-page document, read it and write whatever the document says". It will get it wrong, it will write a massive test suite that it will only run at the end, it will choke itself up trying to interpret the massive amount of failures it encounters, it will fill up its context window and it will start to forget some of the requirements. That won't work.

But what you can do -- what I did, in fact -- is this.

First, create an empty workspace. Don't put any code in it.

Then, tell the LLM to generate a backend framework using technology X and a frontend framework using technology Y that initially only says "hello, world". Also add tests to it, and run the tests.

It will do that. You'll not get much, but it will work.

Then, ask it to add some UI elements. A login page, perhaps. A navigation bar. Small things. Most of it doesn't have to be functional -- but tests must be there for the bits that are, and have it run the tests and evaluate the results.

Rinse, repeat, until you have a working application.

Importantly, in between the steps, you should also run the application yourself and see if the change was implemented correctly. Sometimes it won't be. Sometimes there will be a subtle bug -- I at one point had a the application hang after a few minutes. Sometimes you tell it that there's a subtle bug, and it will discover it more quickly than you could, and it will fix it, and in implementing the fix it will uncover another bug, and then you have to fix that one -- the fix it came up with for the hang was to move something to an async process on the server, which caused the application to start spinning while trying to create hundreds of async jobs (this is when I realized that the hang was a deadlock due to some part of the codebase doing something that indirectly triggered itself). Sometimes it will try to fix the bug you tell it about, and you'll see that it's going off on a tangent that has nothing to do with what you're seeing. It's important to keep an eye on what it's doing, so you can guide it back on track when that happens -- when I told it about the hang, it started investigating the part of the code which sends out emails, thinking that it could hang while waiting for sendmail to finish, but the hang was happening when the application was idle, not when it was sending out emails, and only when I told it about it happening when it was idle did it find the deadlock.

So it's not a fully automatic process, and it needs to be guided by someone who knows what they're doing. But if that is the case, you can come up with something that works. I spent evenings and breaks for about a week, and I managed to create a working application which, had I written it by hand, would have taken me a few months of full-time work to come up with. And I now have a side project, fully complete and working, that I had been thinking about doing for more than a decade, but never got around to actually doing, because of all the work that would be involved and I just didn't see myself having the time for.

It's not perfect code. But it's mostly good enough, and it will perform the job it needs to. And it looks far slicker than most of the side projects I've done in the past, because in the past I would prioritize between implementing new features or making something look slick, and I would decide that the new feature was more important because it's only for me and there's only me and nobody cares if it looks good or not and I don't have three weeks to come up with something that looks better. But here, I found myself sometimes spending 10 minutes writing a prompt with instructions on making things look better. Because what's 10 minutes when you just spent an hour writing down and refining specifications for functionality and tests?

There are a number of other things in which an LLM can help a programmer.

For instance.

I received a bug report recently in a project I'm paid to maintain that I couldn't make heads or tails of. I opened the source code in my windsurf IDE, pasted the bug report in the prompt, and then requested the tool to analyze the source code and the associated logs and tell me how the described behavior could be happening. It turned out that I had overlooked something, but with the help of the tool, I found the bug in minutes.

I was trying to understand a particular part of a large codebase that I didn't really grasp very well. I loaded the codebase in the tool, and asked it to explain to me how a particular action is performed by the code. I requested specific functions and line numbers. I now have a far better understanding of how the code works, and will be able to write that patch that I've been wanting to write for years -- without using the LLM.

I have been struggling for, literally, years with understanding why another tool that I maintain was misbehaving in a particular way but only in Firefox. I opened the codebase in Firefox, explained the buggy behavior in plain English, and asked it to explain how this could be happening. It picked up some obscure corner case behavior of ffmpeg and mp4 containers that I was not aware of and that perfectly explained why things were misbehaving in the way that they were.

At the same time, there are limitations. Giving an LLM a codebase that was originally generated by an LLM (either the same one or another one) seems to work well. Giving it a codebase that was written by a human and expecting it to correctly update it seems to be more error-prone. I did one or two of those as a trial, and it is more problematic than anything.

An LLM is also not intelligent, notwithstanding the popular term of "Artificial Intelligence". On multiple occasions, I've asked it to write a test case for some code that was not set up to do so; and rather than suggesting a refactor is required, it would instead copy the code that needed to be tested and then test the copy, rather than the original. The tool has made multiple similar errors. I have sometimes people describe agentic coding as "similar to interacting with junior programmers", but that is not the case. A junior programmer will either fill in the gaps in your specifications, or ask for clarification when something seems off. The LLM will not do that; it will do what you ask, exactly that and nothing more. If you missed a corner case in your specification, then all bets are off.

I remember learning about programming language generations in college. A first-generation language is "machine code", a second-generation language is "assembler", a third-generation language is any high-level language such as C, Perl, or Pascal. I've forgotten what set a 3rd-generation language apart from a 4th-generation language. But I remember the definition they gave me for a 5th-generation language: "you tell the computer what to do, and it will do it". At the time, I thought it was ridiculous. Nobody could ever write something like that.

But it's here.

And it's a threat to free software.

A threat to free software?

Yes.

There is the obvious part where most of the well-known LLMs are non-free software. I mean, there are some "open source" LLM models. The windsurf tool that I used doesn't allow you to use them (directly), but they're there. There are also open source applications that implement what the windsurf editor does. So it's definitely possible to work like this without resorting to non-free software and non-free services, even though the non-free LLMs might be a bit ahead of the curve of the free ones. But that's not what I mean.

And there is also the obvious thing which I mentioned earlier in this post, which is that the people who try to build LLMs are doing it in unethical, disgusting ways, causing downtimes and disregarding licenses for whatever they can get their grubby hands on. Ideally we wouldn't be in that situation, and ideally this wouldn't be a problem, but we are where we are.

And there's the obvious thing where the OSI sold itself out and declared that a machine learning program can be open source even when the very things it was built from -- the training data -- is not available. That's a major issue that the free software community needs to fight against, but there's not really anything that that is a threat to free software. You just build your own, free software, LLM, and you're done.

The actual threat is in funding and developer support.

Most large businesses do not care about free-as-in-freedom software. They like the free-as-in-beer part, and they appreciate that the free-as-in-freedom bits can make the software more customizable. They are (mostly) happy to do sponsorships of the free-as-in-freedom projects that they use if that means their free-as-in-beer usage of the software gets improved.

But why would you care about all that when you can just generate the code you need, rather than interacting with an open source community that may or may not care about your business's interests?

Where to go from here

Although I think the moral and environmental issues with LLMs are real and problematic, given the experiments I did I am not convinced that the concept of interacting with a computer system in natural language and to use it to generate code is necessarily deficient. There are pitfalls, but they can be managed. It is possible to use such a system to create throwaway, proof-of-concept type "good enough" code bases. It can be used to interpret code bases and to understand bug reports.

I believe that the major issue with LLMs has to do with that saying about hammers and nails:

If all you have is a hammer, then everything looks like a nail.

LLMs are an outgrowth of machine learning, pushed by large corporations. These large corporations have a lot of money. If all you have is money, then every problem can be fixed by throwing more money at it. The initial language models were promising but not (yet) good enough, and it seemed that one way in which they could be improved was to increase the scale of the statistics: throw more hardware (and thus money) at it, and rather than improving the efficiency of the models, just scale up.

Scaling up is something that megacorporations are very good at. It's only a money problem, after all. Does that mean that "scaling up" is the only way to improve the models, though? I'm not convinced.

Some hardware, such as most modern Apple and Samsung devices, ship with accelerator hardware for machine learning algorithms. There are some models that are small enough to be able to run on these devices. I don't see why it should not be possible to create a small(er) language model that can do some useful part of the above-described use cases; if not locally, then at least on a server that one can run on-prem rather than requiring that you pay rent to one of the LLM companies.

The Software Freedom Conservancy has published an aspirational statement on machine learning-assisted programming that, I think, gets a lot right. It's not quite a definition, but it's something to keep in mind.

Perhaps that's the way forward?

More questions than answers at this point, anyway.

To study how chips really work, MIT researchers built their own operating system [OSnews]

A fascinating novel approach by researchers at MIT, called Fractal, to study in-depth how processors actually work.

A team at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) decided to build something different. Fractal, an operating system kernel written from the ground up, treats the hardware itself as the object of study. Its first major use, a deep look at branch predictors — a CPU’s way of guessing what code to run next, before it knows for certain, so it doesn’t have to waste time waiting to find out — inside Apple’s M1 processor, has already turned up findings that prior work missed, including the first evidence that a class of speculative attack known as “Phantom” affects Apple Silicon.

“We’re using hardware in ways it wasn’t designed for,” says Joseph Ravichandran, the MIT PhD student in electrical engineering and computer science (EECS) who led the project. “It’s not even obvious that this is a possible thing you could do with the hardware. But we found a way to pull all these different primitives off. It’s like a microscope. If you’ve got a hand magnifying glass, you can see a little bit. But if you had an electron microscope, now we’re really talking. That’s what Fractal is. The electron microscope of operating systems.”

↫ Rachel Gordon at MIT News

While Fractal is small, its creators also added POSIX system calls, a C library, vim, GCC, a shell, and more. This way, it feels more familiar, and makes it easier for researchers to get started with the tool. Fractal is open source and hosted on GitHub, it has its own website, and there’s a detailed research paper with more in-depth information.

13:49

Eight new stable kernels for Friday [LWN.net]

Greg Kroah-Hartman has announced the release of the 7.1.1, 7.0.13, 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, and 5.10.259 stable kernels. As usual, each contains important fixes. Users are advised to upgrade.

13:42

The Golden Age Of Bond Villains [Charlie's Diary]

So, the second novel in the Laundry Files, The Jennifer Morgue, was first published on November 1st, 2006. And while it was superficially a pastiche of the Bond movie canon (as it existed at that time--I was writing before the Daniel Craig era, ushered in with Casino Royale--it was also interrogating the dramatic conventions of the genre and also the implications of rule by Bond Villains.

At about the time I was writing it, a friend of mine (initially a tech journalist, later an industry pundit) described his experience of interviewing Elon Musk, who was allegedly leaning hard into the archetype. "I must be a Bond villain!" He joked, "I have an electric car and a tropical island where boiler-suited minions launch rockets!" And then he laughed it off. (In those days, we thought it was a simile: these days it's more clearly understood as a metaphor, if not the absolute raw truth.)

Anyway, I wrote a little afterword for The Jennifer Morgue discussing the significance of the Bond Villain as an archetype for our times and it does still appear to have something relevant to say, 20 years later; and I figure the current publisher has forgotten about it, so I'm going to shamelessly pirate my own work and reprint the entire epilogue from The Jennifer Morgue right here on my blog (the horror!).

Note that the Great Financial Crisis that kicked off the current era really started in late 2007, and our current era of oligarchic misrule, only got underway in the mid-20-teens, with the evitable rise to power of a deeply unpleasant TV reality star whose main claim to fame was playing a stupid man's idea of a successful business mogul.

(At least I didn't predict that.)

Anyway, the text is below the fold--it's quite long--and I ask this: what would you add, today?

The Golden Age of Spying

1. The Mary-Sue of MI6

"My name is Bond. James Bond."

These six words, heard by hundreds of millions of people, are almost invariably spoken during the first five minutes of each movie in one of the biggest media success stories of the 20th century. Unless you've lived under a rock for the past forty years, you hear them and you know at once that you're about to be plunged into a two hour long adrenaline saturated extravaganza of snobbish fashionable excess, violence, sex, car chases, more violence, and Blowing Shit Up -- followed by a post-coital cigarette and a light-hearted quip as the credits roll.

It wasn't always so. When "Casino Royale" was first published in 1953, it got a print run of 4750 hardcover copies and no advertising budget to speak of; while the initial reviews were favorable, comparing Ian Fleming to Le Queux and Oppenheim (the kings of the pre-war British spy thriller genre), it took a long time for his most famous creation to set the world on fire. Despite his rapidly rising print runs ("Casino Royale" eventually sold over a million paperbacks in the UK alone), and despite his increasing prominence among the post-war thriller writers, a decade elapsed before any of Fleming's novels were filmed; indeed, their author barely lived to see the commercial release of "Dr No" and the runaway success of the icon he created. (Nor were the films seen as a runaway success before they were made -- "Dr No" was notoriously made on a tight budget, even though it went on to gross nearly $60M around the world.)

Literary immortality -- or indeed, mere post-mortem survival -- is dauntingly hard for a novelist to achieve. The limbo of post-mortem obscurity awaits 95% of all novelists -- almost all novels go out of print for good within five years of the death of their author. But in addition to being a million-selling best-seller, Fleming was a ferociously well-connected newspaper executive with a strong sense of the value of his ideas, and he pursued television and film adaptation remorselessly. Cinematic success arrived just in time for his creation, and the synergy between best-selling books and massive movie hype has sufficed to keep them in print ever since.

James Bond is a creature of fantasy, perhaps best described using a literary term looted from that most curious and least respected of fields, fan fiction: the Mary-Sue. A Mary-Sue character is a placeholder in a script, a hollow cardboard cut-out into whose outline the author can squeeze their own dreams and fantasies. In the case of Bond, it's cruelly easy to make a case that the famous spy was his author's Mary-Sue: for Fleming had a curious and ambiguous relationship with spying.

A dilettante and dabbler for his first three decades, unsuccessful as a stockbroker, foreign correspondent, and banker, Fleming fortuitously landed his dream job on the eve of the Second World War: Secretary to the Director of Naval Intelligence in the Admiralty. The war was good for Ian Fleming, broadening and deepening him and giving him a job that captured his imagination and drew out his not inconsiderable talents. But Fleming was the man who knew too much: privy to too many secrets, he was wrapped in tissue paper and prevented from pursuing his desire to go into the field. He ended the war with a distinguished record -- and absolutely no combat experience (if one excludes being bombed by the Luftwaffe or watching the Dieppe raid from a destroyer, safely far off the Normandy coastline). Fleming grew up in the shade of a father who died heroically on the western front in 1917, and in adult life he wrote in the shadow of an elder brother whose reputation as a novelist surpassed his own. It's easy to imagine these unkind familial comparisons provoking the imaginative but flighty playboy who almost found himself during the war, goading him to imagine himself in the shoes of a hero who was not merely larger than life, but larger in every way than his own life.

And, as it turns out, James Bond was larger than Ian Fleming. Not only do few novels survive their author's demise, even fewer acquire sequels written by other hands; yet several other authors (including Kingsley Amis and John Gardner) have toiled in Fleming's vinyard. Few fictional characters acquire biographies written by third parties -- but Bond has not only acquired an autobiography (courtesy of biographer John Pearson) but spawned a small cultural industry, including a study of his semiotics by Umberto Eco. Now, that has got to be a sign of something ...

As with every true pearl, there was a sand-grain of truth at the heart of Bond. Fleming wrote thrillers informed by his actual experience. Years spent working out of the hothouse environment of Room 39 of the Admiralty building -- headquarters of the Naval Intelligence Division of the Royal Navy -- gave him a ringside seat on the operations of a major espionage organization. On various trips to Washington DC he worked with diplomats and officers of the OSS (predecessor organization to the CIA). As a foreign news manager at The Sunday Times after the war, there is some evidence that Fleming made his agency's facilities available to officers of MI6. His first Bond novels were submitted to that agency for security clearance before they were published. Bond himself may have been larger than life, but the strictures imposed by the organization he worked for were drawn from reality, albeit the reality of an intelligence agency of the early 1940s.

The world of secret intelligence gathering during the second world war was, however, very different from life in the intelligence community today. It was already changing by the late 1950s, as the bleeping football-shaped Sputniks zipped by overhead and intelligence directors began dreaming of spy satellites. By 2004, when MI5 (the counter-intelligence agency) openly placed recruiting advertisements in the press, we can be sure that Bond would be best advised to seek employment elsewhere. Spies are supposed to be short -- under 180 centimeters for men -- and nondescript. As a branch of the civil service, MI5's headquarters are presumably non-smoking, and drinking on the job is frowned upon. As intelligence agencies, MI5 and MI6 staff aren't in the business of ruthlessly wiping out enemies of the state: any decision to use lethal force lies with the Foreign Secretary, the COBRA committee, and other elements of the British government's security oversight bureaucracy. An MI6 agent driving a 1933 Bentley racer with a supercharged engine, frequenting the high-stakes table at a casino as James Bond so memorably did in his first print appearance, is an almost perfect inversion of the real picture.

Nevertheless, the archetype has legs. James Bond continued to grow and evolve, even after his creator put away his cigarette holder for the last time. To some extent, this was the product of storytelling expediency. The film adaptations started in the middle of a continuing story arc -- for Fleming wrote his novels with a modicum of continuity -- and while "Dr No" was the first to make it to celluloid, the novel was in fact a sequel to "From Russia With Love" (which was filmed second). Thus, various liberties were taken with the plot of the canonical novels, right from the start. You can re-read the novels at length without finding anything of the banter between Bond and M's secretary Moneypenny that is a recurrent theme of the films, for example, and that's before we get into the bizarre deviations of the mid-period Roger Moore movies (notably "The Spy Who Loved Me" and "Moonraker").

The literary James Bond is a creature of pre-war London clubland: upper-crust, snobbish, manipulative and cruel in his relationships with women, with a thinly-veiled sadomasochistic streak and a coldly ruthless attitude to his opponents which verges on the psychopathic. Over the years, his cinematic alter ego has acquired the stamina of Superman, learned to defy the laws of physics, ventured into space -- both outer and inner -- and deflowered more maids than Don Juan. He's also mutated to fit the prejudices and neuroses of the day, dabbling with (gasp!) monogamy, and hanging out with those heroic Afghan mujahideen in the late-eighties AIDS-and-Soviets-era "The Living Daylights". He's worked under a post-feminist ball-breaking 'M' in "Goldeneye", and even confronted a female arch-villain in "The World is Not Enough" (an innovation that would surely have Fleming, who formed his views on appropriate behavior for the fairer sex in the 1920s, rolling in his grave). But other aspects of the Bond archetype remain timeless. Fleming was fascinated by fast cars, exotic locations, and intricate gadgetry, and all of these traits of the original novels have been amplified and extrapolated in the age of modern special effects.

Just how does James Bond -- a "sexist, misogynist dinosaur, a relic of the Cold War", to use the words the script-writers on "GoldenEye" so tellingly put into M's mouth -- survive in the popular imagination more than fifty years after his literary birth? What does it mean when Mary-Sue stalks the landscape of the imagination, blasting holes in the plot with a Walther PPK (or the P99 he upgraded to in "Tomorrow Never Dies")? If we're going to understand this, perhaps we ought to start by looking at Bond's dark shadow, the Villain.

2. In search of Mabuse

Bond is, if you judge him by his work, a nasty fellow and not one you'd choose to lend your car to: to make this rough diamond glitter it is necessary to display him against a velvet backdrop of darkest villainy. If you strip the Bond archetype of the bacchanalia, glamorous locations, and fashion snobbery, you end up with an unappetizingly shallow, cold-blooded executioner -- the likes of Adam Hall's Quiller or James Mitchell's Callan, only without the breezy cynicism, or indeed any redeeming features at all. The role of adversary is thus a critical one in sustaining the appeal of the protagonist. Fleming set out to depict a hard-edged contemporary world where the usual black-and-white picture of the pre-war thriller had blurred and taken on some of the murky grey-on-grey ambiguity of the cold war era; Bond was the knight in shining armor, fighting for virtue and the free world against the dragon -- be they Mr. Big, Dr. No, Auric Goldfinger, or the looming shadow of Bond's greatest enemy of all, Ernst Stavro Blofeld, Number One of SPECTRE, the Special Executive for Counter-intelligence, Terrorism, Revenge and Extortion.

It is interesting to note that Blofeld assumed his primacy as Bond's #1 enemy only in the movie canon; Fleming originally invented him while working on the screenplay and novel of "Thunderball", and used him subsequently in "On Her Majesty's Secret Service" and "You Only Live Twice". (Prior to these later books, Bond typically tussled with less corporate enemies -- Soviet stooges, unregenerate Nazis, and psychotic gangsters.) Blofeld was born out of mere corporate expediency. Rather than demonize the Soviets and reduce their potential audience, the producers of the film of "From Russia With Love" appropriated SPECTRE as the adversarial organization. With the success of "Thunderball", the third of the films, Blofeld moved front and center and acquired a life of his own that far exceeded his prominence in the novels. Arguably, Fleming's death in 1964 freed up the movie series to diverge from their original author's plans; and so Blofeld may be seen as a demon of necessity, conjured up from the vasty depths in order to provide Bond with a worthy adversary.

'Twas not always so. Back at the turn of the 20th century, around the time that the British spy thriller was gradually cohering out of the mists of the penny dreadful and the literature of suspense (via the works of John Buchan and Erskine Childers -- not to mention the tangential contributions of Arthur Conan Doyle, by way of Sherlock Holmes) there was no great dualistic vision of the great champion confronting the villainous heart of evil. There was no great champion: we were on our own against the masters of night and mist, the great and terrible super-criminals. Professor Moriarty, Holmes' nemesis -- the Napoleon of Crime -- was but one of these: Fantômas, the 1911 creation of Pierre Souvestre and Marcel Allain, is another. The emperor of crime, Fantômas was a master of disguise and an agent of chaos (not to mention standing astride Paris in black mask, top hat and tails, in the posters for the 1913 movie of the same name: an icon of decadent wealth and criminal chaos). Nor was he alone. Guy Boothby's 1890's super-villain Dr Nikola fits the bill too, right down to the fluffy lap-cat and the fiendish plans. But perhaps the root of Bond's nemesis can be found in his full-fledged form somewhat later, and somewhat further to the east -- in the guise of Dr. Mabuse.

Dr. Mabuse is an archetype and a runaway media success in his own right, famous from five novels and twelve movies. The Doctor was created in 1922 by author Norbert Jacques, and was developed into one of the most chilling creations of the silent era by no less a director than Fritz Lang. Mabuse is a name, but one that nobody in their right mind speaks aloud. He's a master of disguise, naturally: and a rich, well-connected socialite and gambler. (Some social context: gambling at the high stakes table is no so much an innocuous recreation as an obscenity, in a decade of hyper-inflation and starvation, with crippled war veterans dying of cold on the street corners, as was the case in Weimar Germany). Mabuse has his fingers in every pie, by way of a syndicate so shadowy and criminal that nobody knows its extent; he's a spider, but the web he weaves is so broad that it looks like the whole of reality to the flies trapped in it. He is (in some of the stories) a psychiatrist, skilled in manipulation, and those who hunt him are doomed to become his victims. If Mabuse has a weakness it is that his schemes are over-elaborate and tend to implode messily, usually when his most senior minions rebel, hopelessly late; nevertheless, he is a master of the escape plan, and with his ability to brainwash minions into playing his role he's a remarkably hard phantom to slay.

It is all too easy to make fun of the likes of Fantômas and Dr. Nikola, and even their modern-day cognates such as Dr. Mabuse and Ernst Stavro Blofeld; for do they not represent such an obsessively concentrated pinnacle of entrepreneurial criminality that, if they really existed, they would instantly be hunted down and arrested by INTERPOL?

Careful consideration will lead one to reconsider this hasty judgment. Criminology, the study of crime and its causes, has a fundamental weak spot: it studies that proportion of the criminal population who are stupid or unlucky enough to get caught. The perfect criminal, should he or she exist, would be the one who is never apprehended -- indeed, the one whose crimes may be huge but unnoticed, or indeed miscategorized as not crimes at all because they are so powerful they sway the law in their favor, or so clever they discover an immoral opportunity for criminal enterprise before the legislators notice it. Such forms of criminality may be indistinguishable, at a distance, from lawful business; the criminal a paragon of upper-class virtue, a face-man for Forbes.

When the real Napoleons of Crime walk among us today, they do so in the outwardly respectable guise of executives in business suits and thousand-dollar haircuts. The executives of Worldcom and Enron were denizens of a corporate culture so rapacious that any activity, however dubious, could be justified in the name of enhancing the bottom line. They have rightfully been charged, tried, and in some cases jailed for fraud, on a scale that would have been the envy of Mabuse, Blofeld, or their modern successor, Dr. Evil. When you need extra digits on your pocket calculator to compute the sums you are stealing, you're in the big league. Again, when you're able to evade prosecution by the simple expedient of appointing the state prosecutor and the judges -- because you're the President of a country (and not just any country, but a member of the rich and powerful G8) -- you're certainly not amenable to diagnosis and detection in the same sense as your run-of-the-mill shoplifter or petty delinquent. I'm naming no names (they have intelligence services! Cruise missiles!) but this isn't a hypothetical scenario.

3. Interview with the Entrepreneur

In an attempt to clarify the mythology surrounding James Bond, I tracked his old rival down to his headquarters in the Ministry of Inward Investment in the breakaway Republic of Transdniestria. Somewhat suspicious at first, Mr. Blofeld relaxed as soon as he realized I was not pursuing him on behalf of the FSB, CIA, or IMF, and kindly agreed to be interviewed for this book. Now aged 72, Blofeld is a cheerful veteran of numerous high-tech start-ups, and not a few multinationals where, as a specialist in international risk management and arbitrage, he applied his unique skills to business expansion. Today he is semi-retired but has agreed to work in an voluntary capacity as director of the State investment agency.

"It took me a long time to understand the agenda that the British government was pursuing through the covert activities of MI6," he told me over a glass of sweet tea. "Call me naive, but I really believed -- at least at first -- that they were honest capitalists, the scoundrels."

Over the course of an hour, Ernst explained to me how he first became aware that the UK was attempting to sabotage his business interests. "It was back in 1960 or thereabouts that they first tried to destroy one of my subsidiaries. Until then I hadn't really had anything to do with them, but I believe one of my rivals in the phosphate mining business put it about that my man on site was some sort of spy, and they sent this Bond fellow -- not just to arrest him or charge him with some trumped-up nonsense, but to kill him." His lips paled with indignation at he contemplated the iniquity of the situation: that agents of the British government might go after an honest businessman for no better reason than an unsubstantiated allegation that he was spying on American missile tests. "I warned Julius to be careful and advised him to put a good lawyer on retainer, but what good are lawyers when the people you're up against send hired killers? Julius brought in security contractors, but this Bond fellow still murdered him in the end. And the British government denies everything, to this day!"

Ernst obviously believes in his own moral rectitude, but I had to ask the obvious questions, just for the record.

"Yes, I was chief executive of SPECTRE for twelve years. But you know, SPECTRE was entirely honest about its activities! We had nothing to hide because what we were doing was actually legal. We've been mercilessly slandered by those rogues from MI6 and their friends in the newspapers, but the fact is, we're no more guilty of criminal activity than any other multinational today: we simply had the misfortune to be foreign and entrepreneurial at a point in time when Whitehall was in the grasp of the communist conspirators Wilson and Callaghan and their running-dog so-called 'conservative' fellow Heath. And we were pilloried because what we were doing was in direct competition with the inefficient state-run enterprises that my good friend Lady Thatcher recognized as mosquitoes battening on the life-blood of capitalism. That cad Fleming put it about that SPECTRE stands for 'Special Executive for Counterintelligence, Terrorism, Revenge and Extortion' -- absolute tosh and nonsense! Would a group of criminals really call themselves something that blatant? I'll remind you that SPECTRE is actually a French acronym, as befits a non-profit charity incorporated in Paris. The name stands for 'Société Professionelle et Ethique du Capital Technologique Réinvestissement par les Experts.' Venture capitalists specializing in disruptive new technologies, in other words -- commercial space travel, nuclear power, antibiotics. Not some kind of half-baked terrorist organization! But you can imagine the threat we posed to the inefficient state monopolies like the British Aircraft Corporation, the coal mining industry, and Imperial Chemical Industries."

Blofeld paused to sip his tea thoughtfully.

"We were ahead of our time in many ways. We pioneered business methods that later became mainstream -- Sir James Goldsmith, Ronald Perelman, James Icahn, they all watched us and learned -- but by then, the commies were out of power in the west thanks to our friends in the establishment, so they had an easier time of it. No need to hire lots of expensive security and build concrete bunkers on desert islands! And yes, that made us look bad, don't think I'm unaware of it -- but you know, you want bunkers and isolated jungle rocket launch bases? All you have to do is look at Arianespace! It's fine when the government bureaucracies do it, but if an honest businessman tries to build a space launch site and hires security to keep the press and saboteurs from foreign governments out, it's suddenly a threat to world security!"

He paused for a while. "They put the worst complexion on everything we did. The plastic surgery? Well, we had the clinic, why not let our staff use it, so the surgeons could stay in practice between paying customers? It was a perk, nothing more. We did -- I admit it -- acquire a few companies trading in exotic weapons, non-lethal technologies mostly. And that business with Emilio and the yacht, I admit that looked bad. But did you know, it originally belonged to Adnan Khashoggi or Fahd ibn Saud or someone? Emilio was acting entirely on his own initiative -- a loose cannon -- and as soon as I heard about the affair I terminated his employment."

I asked Ernst to tell me about Bond.

"Listen, this Bond chap, I want you to understand this: however he's painted in the mass media, the reality is that he's a communist stooge, an assassin. Look at the evidence. He works for the state -- a socialist state at that. He went to university and worked with those traitors Philby and Burgess, that MacLean fellow -- communist spies to a man. He didn't resign his commission when the British government went socialist, like a decent fellow: instead he took assignments to go after entrepreneurs who were a threat to the interests of this socialist government, and he rubbed them out like a Mafia button man. There was no due process of law there, no respect for property rights, no courts, no lawyers -- just a 'License to Kill' enemies of the state, loosely defined, who mostly happened to be businessmen working on start-up projects that coincidentally threatened state monopolies. He's a damned commissar. Do you know why Moscow hated him? It's because he'd got them beat at their own racket."

Blofeld was clearly depressed by this recollection, so I tried to change the subject by asking him about his personal management philosophy."

"Well, you know, I tend to use whatever works in day to day situations. I'm a pragmatist, really. But I've got a soft spot for modern philosophers, Leo Strauss and Ayn Rand: the rights of the individual. And I've always wanted to remake the world as a better place, which is probably why the establishment dislike me: I'm a threat to vested interests. Well, they're all descended from men who were threats to vested interests too, back in the day: only I threaten them with new technologies, while their ancestors mostly did their threatening with a bloody sword and the gallows. I don't believe in initiating force." He laughs self-deprecatingly. "I suppose you could call me naive."

4. Trade Goods

When I played back my tape of our discussion, it took me some time to notice that Ernst had carefully steered the conversation away from certain key points I had intended to quiz him about.

One of the most disturbing aspects of the Bond milieu is the prevalence of technologies that are strangely out of place. Belt-buckle grappling hooks with wire spools that can support a man's weight? Laser rifles? These aren't simple extrapolations of existing technology -- they go far beyond anything that's achievable with today's engineering tools or materials science. But forget Bond's toys, the products of Q division. From Blofeld's solar-powered orbital laser in "Diamonds are Forever" to Carver's stealthed cruiser in "Tomorrow Never Dies", we are surrounded by signs that the adversary has got tricks up his sleeve that far outweigh anything Bond's backers can provide. These menacing intrusions of alien super-science -- where can they possibly have got them from?

The answer can be discerned with little difficulty if one cares to scrutinize the writings of the sage of Providence, Howard Phillips Lovecraft. This scholar -- whose path, regrettably, never crossed that of the young Ian Fleming -- asserted that our tenancy of this planet is but a recent aberration. Earth has in the past been home for a number of alien species of vast antiquity and incomprehensibly advanced knowledge, and indeed some of them may still linger on alongside us -- on the high Antarctic plateau, in the frigid oceanic depths, even in strange half-breed colonies off the New England coastline.

If this strikes you as nonsensical, first contemplate your nearest city: how recognizable would it be in a hundred years' time if our entire species silently vanished away tomorrow? How recognizable would it be in a thousand years? Would any relics still bear witness to the once-proud towers of New York or Tokyo, a million years hence? Our future -- and the future of any once-proud races that bestrode our planet -- is that of an oily stain in the shale deposits of deep history. Earth's biosphere and the active tectonic system it dances on cleans house remorselessly, erasing any structure that is not alive or maintained by the living.

Consider also the extent to which we really occupy the planet we live on. We think of ourselves as the dominant species on Earth -- but 75% of the Earth's entire biomass consists of bacteria and algae that we can't even see with the naked eye. (Bacteria from whose ranks fearsome pathogens periodically emerge, burning like wildfire through our ranks.) Nor do we, in any real sense of the word, occupy the oceans. Certainly our trawlers hunt the bounty of the upper waters. But submarines (of which there are only a few hundred on the entire planet) fumble like blind men through the uppermost half kilometer of a world-ocean that averages three kilometers in depth, unable to dive beneath their pressure limits to explore the abyssal plains that cover nearly two thirds of the planetary surface. Finally, the surface (both the sub-oceanic abyss and the thin skin of dry land we cling tenuously to) is but a thousandth of the depth of the planet itself; we can't even drill through the crust, much less contemplate with any certainty the nature of events unfolding within the hot, dense mantle beneath.

We could be sharing the planet with numerous powerful alien civilizations, denizens of the high energy condensed-matter realm beneath our feet, and we'd never know it -- unless they chose to send emissaries into our biosphere, sprinkling death rays and other trade goods like glass beads before the aboriginal inhabitants, extracting a ghastly price in return for their largesse ...

5. A Colder War?

James Bond was a creature of the Cold War: a strange period of shadow-boxing that stretched from late 1945 to the winter of 1991, forty-six years of paranoia, fear, and the creepy sensation that our lives were in thrall to forces beyond our comprehension. It's almost impossible to explain the Cold War to anyone who was born after 1980; the sense of looming doom, the long shadows cast by the two eyeball-to-eyeball superpowers, each possessing vast powers of destruction, ready and able to bring about destruction on a planetary scale in pursuit of their recondite ideologies. It was, to use the appropriate adjective, a truly Lovecraftian age, dominated by the cold reality that our lives could be interrupted by torment and death at virtually any time; normal existence was conducted in a soap-bubble universe sustained only by our determination to shut out awareness of the true horrors lurking in the darkness outside it, an abyss presided over by chilly alien warriors devoted to death-cult ideologies and dreams of Mutually Assured Destruction. Decades of distance has bought us some relief, thickening the wall of the bubble -- memories misting over with the comforting illusion that the Cold War wasn't really as bad as it seemed at the time -- but who do we think we're kidding? The Cold War wasn't about us. It was about the Spies, and the Secret Masters, and the Hidden Knowledge.

It's no coincidence that the Cold War was the golden age of spying -- the peak of the second-oldest profession, the diggers in the dark, the seekers after unclean knowledge and secret wisdom. Prior to 1939, spying of the international kind rather than the sordid domestic variety (let us pass swiftly over the sordid Stasi archives of sealed glass jars full of worn underwear, kept as scent cues for the police dogs) was a small scale, largely amateurish concern. With the outbreak of the second world war it mushroomed. Faced with employment vacancies, the first response of a growing organization is to recruit close to home. Just like any 1990s dot-com startup, growing as the founders haul in all their friends and anyone they know who has the right skill set, the 1940s espionage agencies were a boom town into which a well-connected clubbable London playboy would inevitably be sucked -- and, moreover, one where he might try his hand and succeed, to everyone's surprise. (In the 1990s he'd end up in marketing, with stock options up to here. Sic transit gloria techie.)

When the Second World War gave way to the doomwatch days and Strangelove nights of the Cold War, it entered a period in which the same clubbable fellow might find himself working in a mature organization, vastly larger and more professional than the half-assed amateurism of the early days. The CIA was born in the shadow of the wartime OSS, and grew into the emblematic Company (traders in secrets, overthrowers of governments), locked in titanic struggle with that other superpowered rival, the KGB (and their less well known fellows in the GRU).

The age of the traditional sneak-spies with their Minox cameras gave way to the era of the bugging device. With the 1960s came a new emphasis on supplementing human intelligence (HUMINT) with intelligence from electronic sources (ELINT). New agencies -- the NSA in the United States, GCHQ in the UK -- expanded as the field of "spyless spying" went mainstream, aided by the explosion in computing power made possible by integrated circuits and, later, the microprocessor. As telephony, television, telex, and other technologies began to come online a torrent of data poured through the wires, a deluge that threatened to drown the agencies in useless noise. Or was it the whispering on the deep-ocean cables? Maybe the chatter served to conceal and disguise the quiet whispering of the hidden oracles, dribbling out strange new concepts that warped the vulnerable primate minds to serve their inscrutable goals. The source of the incredible new technologies that drove the advances of the middle of the twentieth century was, perhaps, the whispering of an alien farmer in the ears of his herd ...

Times change, and the golden age of spying is over. We've delivered the harvest of fear that the secret masters desired; or maybe they've simply lost interest in us for the time being. Time will tell. For now, be content that it's all over: the Cold War was a time of strangely rapid technological progress, but also of claustrophobic fear of destruction at three minutes' notice, of the thermonuclear stars coming right and bringing madness and death in their wake. Retreat into your soap-bubble universe, little primate, and give thanks.

From the perspective of the 21st century, Bond was a poor archetype for a hero; certainly he couldn't save us from the gibbering horrors of the Cold War, but only cast a shadow beneath their unblinking ground-zero glare. But we found salvation in the end, in the most unlikely place of all: if you turn on the TV you're likely to see one of old Ernst's protégés being held up for praise as an object of emulation. President of Italy, captain of industry, or chief executive of Enron -- SPECTRE won and it's their world that we live in, the world of the lesser evil.

13:14

12:35

Error'd: Microbits [The Daily WTF]

This week we have got a couple of Mathanon's. Maybe they're the same person, maybe they're not, there's really no way to know!

Frist anon has a "Numeric fun fact" for us: "Got a form sent from work to express interest in some event. They actually enforced the validation that the answer must be a number, so I submitted "42"." Bravo.

97007ddf5e024b1387e4f04fea560955

Next anon has a different numeric fun factor: "The SAS website wants us to know the size of the file behind the link down to the nanobyte precision." They split the bit! That must be what this quantum computing thing is about.

0a662a2420f54deab7167aa5e92a5bf3

Conscientious dad Mark R. takes all the responsibilities. "My kid's school ensures they're legally covered on all things said and unsaid."

55a99d3a5f5b4e588c8dd17063de6058

Philipp H. points out "The Redmond philosophers have created something the old Greek philosophers will have to rethink. Or is this a pun on Schrödinger's Cat? German→English translation: "We cannot bring/transfer/switch you to this message because you're in a chat, in which you're not in.""

35d852325db54dbdbbe52fff86de5cc7

We haven't heard from Michael R. in a while. Here he is with a pithy "The irony is not lost on me."

a045bde3e7c94088ae041de113a1d58a

Happy Juneteenth to those who celebrate.

[Advertisement] Plan Your .NET 9 Migration with Confidence
Your journey to .NET 9 is more than just one decision.Avoid migration migraines with the advice in this free guide. Download Free Guide Now!

12:14

Anthropic’s Fable and the State of AI [Schneier on Security]

On June 9th, Anthropic released its Fable generative AI model. Three days later, the US government classified it as a dangerous munition, and used its export-control authority to prohibit any foreign nationals from accessing it. Unable to differentiate between Americans and foreigners, the company shut off access for everyone.

The government’s actions won’t help. The problem isn’t any one particular model; it’s the general trend of increasing AI capabilities. And any real solution requires the sort of collective action that just isn’t possible right now.

Fable is the constrained version of Mythos, the AI model Anthropic announced in April. Anthropic only released it to a few selected organizations, because the company claimed it was so good at finding and exploiting vulnerabilities in computer code that releasing it more generally would be dangerous.

It was an obviously self-serving announcement, and because few were able to verify Anthropic’s claims they were met with some skepticism. Those with access used Mythos to find and patch many vulnerabilities in their own software. But one UK group found the latest, already public, OpenAI model to be just as powerful.

Fable is just another incremental improvement in the years-long climb of AI capabilities. But just as important as the AI model is the “harness.” This is typically not AI. It’s ordinary computer code that interfaces with the user. It stitches together AI models, decides how and for what purposes they can be used, and gives them useful tools such as web search and the ability to run their own computer code.

When Mythos first entered limited release, there was widespread debate whether its power came from the model or the harness. With Mythos demonstrating that it was possible, the open-source community scrambled to build harnesses that could steer other AI models towards similar capabilities. Harness improvements don’t need massive data or data centers.

They largely succeeded. For example, a Prague company was able to replicate Anthropic’s few verifiable cybersecurity capabilities with a much smaller and cheaper model—and a more sophisticated harness. Last week, a group showed that multiple cheaper models harnessed in concert matches Fable’s performance.

The broader community had only a few days with Fable, but that time we learned some about its capabilities. Its difference is less the new model’s raw analytical and problem solving capabilities, and more that the model doesn’t need that sophisticated harness.

Fable requires much less expertise and detailed prompting from the human user. You can give it a difficult goal and it will figure out novel and unexpected ways to satisfy it, finding loopholes in whatever constraints you or the system have imposed on it.

“Relentlessly proactive” is how AI researcher Simon Willison described it. Another descriptor might be “creative.” Experienced AI developers have had that combination of creativity and proactivity since last year, but Fable puts it within easy reach of everyone.

In the hands of someone with a legitimate problem that needs solving, that can be an incredibly useful capability. But in the hands of someone who wants to do harm, it can be equally dangerous. AIs don’t have a moral compass in the same way that people do. They are agents of the wants and desires of the people who prompt them.

That points to the real problem with relentlessly proactive AI. In language, wants and desires are always underspecified. If I ask you to get me some coffee, you would probably pour me a cup from the coffeepot, or buy one from a nearby coffee shop.

You couldn’t buy me a pound of raw beans, or a coffee plantation. You wouldn’t order a cup of coffee for delivery next month. You wouldn’t find a nearby person, rip a cup of coffee out of their hands, and bring it to me. I wouldn’t have to specify any of the million limitations to my request; you would just know.

Human stories are filled with warnings about underspecified desires. King Midas wished that everything he touch turn to gold, forgetting to add “but not my food, drink, and daughter.” And genies are notorious for granting your wish in a way you wish they hadn’t.

The deeper point is that it’s impossible to list all limitations and restrictions, and like a malicious genie, a creative AI will find the ones you forgot. Block a database you don’t want it to have access to, and it might figure out how to bypass your control. Ask it to book a flight, and it might hack the airline because the website says the flight is sold out. Ask it to save money on your cellphone plan, and it might cancel it altogether—or get someone else to pay for it. As far as we know now AI has not done any of this yet, but you get the idea.

Malicious intent is not required. To an AI model, constraints are just things to get around and not general truisms about the world. They are creative problem solvers and natural rule breakers. They “hack” in the sense that they find and exploit loopholes.

Human systems rely on so many norms that we scarcely recognize the existence of until they are broken. AIs naturally think outside the box, because they don’t have any real conception of what the box is or why it’s there in the first place.

There is no foolproof way to prevent people from using AI models to complete harmful tasks. There is no way to prevent the models from incidentally causing harm while completing benign tasks. AI models are no longer isolated from the real world. They browse the internet and answer emails.

They trade stocks and make purchases. They control physical systems. They are, in effect, robots that affect life and property. We have no technical mechanisms to verify the integrity of an AI system. This level of capability and creativity in the hands of us untrustworthy humans will have both great and terrible results.

The problem is not unique to Anthropic. Mythos/Fable might currently be the most capable rules hacker, but more sophisticated harnesses give other models similar capabilities. And we should assume that the other frontier models are no more than a few months behind, and that open-source models are less than a year behind. At best, any ban only serves to delay the problem for a short while.

That delay might be useful if we—as a society, as a planet—would use that time to come together and figure out what to do. This isn’t a US/China arms race problem; this a species-level problem that requires coordinated action at that scale. Unfortunately, we have no mechanism to do that. I first wrote about this problem five years ago, but it was all too futuristic.

Today, when its right in front of us, there is no world government that can impose constraints on the for-profit corporations currently controlling AI models and research. The US has no appetite to effectively and even-handedly regulate those corporations, even as they do catastrophic damage to the environment, democracy, and—in this case—society in general.

This all makes an AI public option all the more necessary, and urgent. Today’s AIs can be fast, smart and secure, but only two of the three are possible for any given system. These safety tradeoffs are tightly held secrets of companies racing to beat one another, and they tell us we have to trust them. Instead, the choices and their consequences need to be brought out into the sunlight.

We should be funding open-source harnesses that balance capability and safety—that achieve useful goals without so much power—and open-source AI models whose provenance and biases are public and well understood. We have opened the AI Pandora’s box. Now we have to make the best of it.

This essay originally appeared in The Guardian.

10:56

10:49

10:07

The gap between true and known [Seth's Blog]

We have more agency and choice than we know.

And sometimes, when the awareness of our freedom arrives, it’s too late to reclaim the opportunities we missed.

Some of the walls around us are real—built by people who have no right to build them, who profit from our staying put.

And some of the walls aren’t walls at all. A door we never tried, because no one told us it was unlocked.

Perhaps, instead of waiting for certainty, we act as if, just for now, to explore what’s possible.

Too often, we’re held back unfairly by others who have no right to do so. But sometimes, we hold ourselves back simply because we didn’t know we had a choice.

09:14

Widow's Bae [Penny Arcade]

New Comic: Widow's Bae

07:00

Junichi Uekawa: looking for last. [Planet Debian]

looking for last. I realized it's gone. what's my replacement?

05:49

How Do You Like Them Apples? [Ctrl+Alt+Del Comic]

Some of our weeks in the spring definitely feel like this.

The post How Do You Like Them Apples? appeared first on Ctrl+Alt+Del Comic.

Girl Genius for Friday, June 19, 2026 [Girl Genius]

The Girl Genius comic for Friday, June 19, 2026 has been posted.

00:00

Thursday, 18 June

23:14

AmigaOS 2: the greatest upgrade [OSnews]

Five years after releasing the Amiga 1000, Commodore was about to launch the Amiga 3000, their first real high-end Amiga. With a 68030 processor, on-board SCSI and a slightly updated graphics chipset, all in a sleek desktop case, the Amiga was truly ready for the era of professional 32-bit computing. But Moore’s law wasn’t the only thing thad had been pressuring Commodore since the release of the Amiga 1000: The desktop metaphor had matured even further, and the competition had been hard at work. IBM had launched OS/2, Windows 3.0 had turned Microsoft’s offering from a proof of concept into something actually usable, and new players had entered the scene – among them NeXTStep, with its polished 3D look.

It was time to bring AmigaOS, too, into the 1990s.

↫ Carl Svensson

It’s interesting – there’s a lot of focus on the first version of the Amiga operating system and the third one, but you don’t hear a lot about AmigaOS 2.x. It turns out this is rather odd, because as Svensson details, this version came with an absolute ton of changes and improvements, from an entirely new widget toolkit to a brand new file system, and so much more. The new widget toolkit and accompanying style guide also ensured that the operating system looked, felt, and behaved consistently.

Remember when we cared about that?

There’s so much more cool features, though, like command history, line editing, universal clipboard support and more just for the CLI, as well as something called Commodities. These were tiny little programs managed from a central location, which didn’t even need a GUI to work. Commodities included by default were things like ClickToFront, a focus-follows-mouse option, and more. Oh and of course, BASIC was replaced by ARexx.

The list just keeps going, and you should really read Svensson’s article.

22:28

Why doesn’t Get­Last­Input­Info() return info for the user I’m impersonating? [The Old New Thing]

A customer had a Windows NT service process, and from that service process, they wanted to obtain the last input time for all signed-in users. Their strategy was to use WTS­Query­User­Token() to get the token for each user, use that token to impersonate the user, and then call Get­Last­Input­Info() to get the last input time for that user. Unfortunately, the function always return the last input info for the service session, and since services are not interactive, it always says that there has been no input since the system booted.

Does Get­Last­Input­Info() work with impersonation?

Recall that the default answer to “Does this work when impersonating?” is “No”. And in fact, the documentation for Get­Last­Input­Info() explicitly says that it doesn’t, if you read it closely.

This function is useful for input idle detection. However, GetLastInputInfo does not provide system-wide user input information across all running sessions. Rather, GetLastInputInfo provides session-specific user input information for only the session that invoked the function.

I underlined the important part. It reports on the last input information for the session that invoked the function. When the service impersonates, it updates its security context to align with that of the user being impersonated, but it doesn’t change the fact that that it is still running in session zero, the service session.

If you need to get last input information from another session, you will need a friend in that session to call it for you. Typically this is done by launching a helper process into the target session: The helper process collects the information you want and then sends the information to the service.

Bonus chatter: A related question is “Does Get­Async­Key­State from a service?” The answer is technically yes, it works. However it probably doesn’t work the way you think. It returns the asynchronous key state for the desktop that the service is running in. And since services run in a non-interactive session, that desktop will never see any keyboard activity.

The post Why doesn’t <CODE>Get­Last­Input­Info()</CODE> return info for the user I’m impersonating? appeared first on The Old New Thing.

20:56

20:07

19:28

The Big Idea: Joseph Eckert [Whatever]

Many of us dream of time travel, but what if that travel was thrust upon you randomly and unwillingly? Author Joseph Eckert brings us a fresh take on time travel in his new novel, The Traveler. Venture on through his Big Idea to see when and where this unique travel idea originated.

JOSEPH ECKERT:

The core of The Traveler is family. More specifically, the core is the relationship between an average Midwestern father and his extraordinary son. Simultaneously, it’s also a vast science fiction story about a man tumbling helplessly forward through time, the length of time he travels doubling every twenty four hours.

Bear with me, if you will, as I look back three decades (oof—that hurts to write) to two key events in my life that would lay the groundwork for the Big Idea behind The Traveler.

The first event involves me, precocious youth, coming home from what I remember was fifth grade, having just learned about exponents. I found my mother and convinced her to change my allowance. Instead of a dollar a week (or whatever it was), I asked for just a penny a day. Just one cent! Except she’d double the amount the next day, and each day thereafter. So: two pennies on day two, four pennies on day three, eight on day four, and so on. My mother agreed. My plan was in flight. Soon, I knew, she’d be forced to pay me thousands, then millions of dollars! Cue maniacal fifth-grade laughter.

We didn’t even make it to day ten before she called it off.

Despite my dream of phenomenal and unlikely wealth coming to an abrupt and inglorious ending, I retained my interest in exponential increases. We see such increases in life and the sciences, from viral propagation to the now mostly defunct Moore’s Law in computing, to amusing dinner table discussions of vampires overrunning the planet (and subsequently starving because everyone’s a vampire and no one’s left to be a living blood bag—this is common dinner table discussion, right?).

The exponential penny scheme was event one. Event two took place when I was around the same age, at a book store in Northern Wisconsin called Book World.

My parents didn’t often take me to the local library, for whatever reason, but they did take me to Book World, sometimes leaving me there for hours. Rather remarkably for a small town bookstore not far from the Upper Peninsula of Michigan, Book World had a solid sci fi and fantasy section, including books by authors living outside the United States. It was through Book World that I was introduced to the works of Tad Williams, Joe Haldeman, Clive Barker, and, most importantly for this Big Idea, Peter F Hamilton and Iain M Banks.

I remember walking into Book World. Pushing through the glass door, stepping into the narrow entryway with its gentle upward slope, angling around the crowded newspaper stacks. Entering the store proper, I recall the smell of books baked into the very walls; the soft creak of the floorboards under my sneakers in the perpetually hushed space; the winding path I’d take from the front door, always walking by the magazines first (craning my neck to try to see around the plastic covers blocking the Playboys and Penthouses… I was an adolescent boy). Down the aisle, glancing at the comic books for anything new and eye-catching, then a fast one-eighty around the end cap, into the fiction and then the fantasy and science fiction section. What new wonders would await?

I have a clear memory of seeing the covers for Consider Phlebas and The Reality Dysfunction for the first time. What amazing futures must those books contain to have such glorious art on the outside? I convinced my parents to buy them (or I used my allowance… perhaps contributing the meager amount I received from my exponential penny scheme) and began to read.

Magically, powerfully, the wonders inside the pages exceeded the promises made by the covers.

And as I read, I began to wonder. What if? Could I write something like this, in this tradition? Something this big, this grand, with this amazing scope?

Hard cut to many years later.

As I was pulling together the idea that was The Traveler, I knew I wanted the protagonist to be a relatable Everyman, one whose life was not extraordinary until a defining moment when it all changed. I wanted a father-son relationship to be at the core, reflecting a bit of my life experience with my own father. And I wanted to write something in the vein of Peter F Hamilton and Iain M Banks, asking big sci fi questions and (hopefully) bringing the reader on the kind of imaginative ride I remembered from those science fiction classics of my youth.

But how to get our modern-day relatable Everyman into a grand sci fi future? What could get him there but not instantly… instead, by steadily increasing degrees…?

Ah hah!

The exponential penny scheme returns and finally bears fruit.

Thus was born the central conceit of The Traveler. Scott Treder, a Madison area database admin, is driving to work one day when his car disappears around him. Scott, still going twenty five miles per hour, falls out of the sky and tumbles down the sidewalk. As he sits, battered and bruised and confused, on the side of the road, his phone reconnects to the network. He has dozens of texts and voicemails waiting for him.

It’s twenty four hours in the future.

The next day, at exactly the same time, he travels two days forward. Then four, then eight, then sixteen… and this time, there’s no mother, eyebrow arched, to cotton onto the scheme and put a stop to things before day ten.

As Scott jumps forward through time, his brilliant son, Lyle, grows obsessed with figuring out what’s happening—and with saving his father.

The Traveler is out now in the US and UK. I hope you enjoy reading it, and I hope it carries you on a journey the same way those brilliant works by Peter F Hamilton and Iain M Banks did for me in my youth.

The Traveler: Amazon|Barnes & Noble|Bookshop|Books-A-Million|Powell’s

Author socials: Website

19:00

City Hally rally with the Knicks [Scripting News]

Watched the ceremony at City Hall.

Glad they went through the whole team and gave them something honorable to take with them.

My moment of clarity on what this meant came when Mitchell Robinson got his award as a champion.

I also liked that the Mayor listed all the recent past Knicks players who could've been on this team but were traded to make it what it is. He named the right ones.

The whole thing was inclusive, generous and working together. Cried all the way through it, nice release still don't have any idea which way is up. In my heart this was never supposed to happen but there it is.

Why wasn't Clyde on the stage?

And Dolan reminded us we don't get to vote for him. I know I know.

18:14

Link [Scripting News]

Today I did a change that was across two apps, different projects, client and server. I tested it as best I could for now, and it appears to work in both apps. But now I have an extra level of confidence because I asked Claude to do a code review, checking all my assumptions and it does find egregious mistakes, that in the past might have taken a day in a debugger to track down. Now it can happen in less than the time that it took for me to write this post.

17:35

The Software Freedom Conservancy's LLM-backed generative AI recommendations [LWN.net]

The Software Freedom Conservancy (SFC) has announced the release of its recommendations for using LLM-backed generative AI systems for FOSS contributions. The recommendations were created by the SFC and volunteers from the free-software community.

The recommendations reflect the extremely difficult dilemmas that these systems pose for FOSS contributors. SFC and its volunteers understand that FOSS developers are approaching LLM-gen-AI from a variety of perspectives. The recommendations offer practical assistance to minimize the damage caused by using proprietary systems, whether FOSS contributors reject LLM-gen-AI or choose (voluntarily or by employer mandate) to use them.

These recommendations are best practices (but not definitions or requirements) that SFC and its volunteers formulated after careful study of the growing LLM-gen-AI use among FOSS contributors. SFC will follow these recommendations with a series of supporting materials, including documents, online tutorials, public Q&As, podcasts, and other community engagement. We will routinely refine our recommendations and continue to support FOSS contributors as they navigate this difficult landscape.

16:42

Kubernetes in the Age of AI [Radar]

When Kubernetes first came onto the scene, it was a major turning point, a revision of the infrastructure and operations space that transformed the way developers and ops personnel build, deploy, and maintain applications in the cloud. It has since become the clear standard for how modern applications are built and operated. As the CNCF noted in its latest Annual Cloud Native Survey report, “Among container users, 82% are using Kubernetes in production in 2025, up from 66% in 2023. This represents near-universal adoption within the container ecosystem.”

Over the last few years, another revision in the space has occurred with Kubernetes’s evolution from a container orchestrator to an AI infrastructure platform. According to the CNCF survey, “The rise of Kubernetes as the de facto AI platform represents a fundamental shift in how organizations approach machine learning operations. . .[with Kubernetes] providing a unified orchestration layer that handles both traditional application workloads and compute-intensive AI tasks.” The emergence of seismic technologies like generative AI and agentic AI has only accelerated this transformation.

The intersection of AI with Kubernetes is undoubtedly one of the most impactful developments in the operations space. As Jonathan Johnson, software architect at Dijure, observes, “AI on K8s is very, very important, and there is not enough [resources] out there.” Raju Gandhi, senior technical architect at Edward Jones, echoes this assessment, noting that “operationalizing AI/ML on K8s is a big issue, [and it’s only] getting bigger. This is a topic that needs attention.” But what are some of the things that you should know about this trend to keep abreast and stay ahead in the game?

Generative AI

Anyone with access to a computer or a smartphone has likely used some iteration of generative AI, a stunning fact when you consider that GenAI was on the outer edges of mainstream discourse and consumption a scant five years ago. But at the end of 2022, the debut of ChatGPT marked the beginning of a technological revolution, one that would impact and reshape nearly every aspect of our working and personal lives. Unsurprisingly, there are now thousands of generative AI models, a proliferation that naturally has its own set of complexities. Selecting a model is simple, but if you’re an application developer or MLOps engineer, how do you go about operating that model in a production system? Not only do you have to be cognizant of factors like resilience, scalability, security, and operational costs, but there’s the fact that bringing a model from experimentation into production can be arduous if not done properly. That’s where Kubernetes comes into play.

As Roland Huß and Daniele Zonca, distinguished engineers at Red Hat, note, “GenAI/LLM models are resource intensive, requiring substantial computational power and large datasets. Given its scalability and extensibility, Kubernetes is uniquely suited to function as an efficient platform for AI and LLM model pretraining, fine-tuning, deployment, and prompt engineering.” They further elaborate that “this integration with Kubernetes not only simplifies the adoption of cutting-edge AI technologies but also ensures a seamless and efficient operational flow. Kubernetes, with its robust scalability and management capabilities, stands as an ideal platform for generative AI projects, aligning DevOps and MLOps practices in a cohesive ecosystem.”

This sentiment is already shared by a wide swath of the industry. According to the CNCF survey above, as of 2025, 66% of organizations run generative AI workloads on Kubernetes. These organizations include OpenAI, which uses Kubernetes for its AI/LLM application experimenting and testing; Tesla, which utilizes KServe to manage production-grade LLM inference; and Adobe, which uses Kubernetes to power its suite of generative creative models. Other companies taking this approach include Uber, Intuit, and Google. With more companies adopting this practice for their generative AI and LLMs operations, it’d be prudent for any organization to leverage Kubernetes for their own GenAI and LLM workflows.

Agentic AI

Nearly coinciding with the rise of GenAI has been the steady growth of agentic AI. Unlike GenAI, agentic AI goes beyond answering simple prompts and generating text in its ability to operate autonomously to perform complex, multistep actions, utilize tools, and make independent decisions. With its ability to support both traditional ML processes and GenAI and LLM operations, it should come as no surprise that Kubernetes has a role in the agentic AI ecosystem as well.

According to Ronald Petty, principal consultant at RX-M, “Kubernetes has been leveraged to host machine learning pipelines, including AI model training and inference. As inference options have become plentiful and affordable, on and off-premise, we have seen the rise of agents. Coupling cloud native technologies and popular protocols, we now see agents moving from ad hoc demos to complex fleets of agents on systems like Kubernetes.” So what are some examples of the integration between these two technologies?

One notable offering is Kagent, an OS programming framework that runs AI agents in Kubernetes and “helps engineers build powerful internal platforms by tackling cloud native tasks such as configuration, troubleshooting, complex deployment scenarios, observability pipelines and dashboards, and safely enabling network security.” Operating along similar lines is K8sGPT, an AI-powered tool that leverages intelligent insights and automated troubleshooting to analyze Kubernetes clusters for configuration problems and security issues, as well as generates solutions to problems discovered in analysis.

A more recent entry in the field is Sympozium, a Kubernetes-native coordination layer for multi-agent AI systems that “solves the same problem Kubernetes solved for containers, but for agents that need to share context, hand off tasks, and maintain shared situational awareness.” Another newer offering is Agent Sandbox, which allows you to run AI agents as isolated, stateful workloads with a native API on Kubernetes.

The fundamentals

While it’s important to be aware of the latest developments and trends affecting your domain, that shouldn’t come at the expense of foundational knowledge and skills. As basketball great Michael Jordan once said, “Get the fundamentals down and the level of everything you do will rise.” One of the most fundamental skills for working with Kubernetes is networking, and frustratingly enough, it’s one of the more difficult ones to master. As Cisco senior staff engineer Nico Vibert observes, “Platform engineers tend to be comfortable with Linux networking but less so with protocols like BGP and IPv6; network administrators know those protocols well but find Kubernetes abstractions unfamiliar. Both personas struggle to navigate the dozens of networking tools seemingly required to meet connectivity and security requirements.” Yet as organizations move mission-critical workloads, AI training pipelines, and regulated financial services onto Kubernetes, the engineers who can design, secure, and troubleshoot the network layer have become some of the most sought-after professionals in the industry.

In recognition of both the importance and difficult nature of the Kubernetes networking skill, the CNCF recently announced a new certification focused on the Kubernetes network engineer role. The certification is designed to validate hands-on networking expertise across all of the aforementioned layers, filling a gap that the Kubernetes community has long recognized.

For organizations that use Kubernetes to develop and deliver applications, leaders and decision-makers need to be aware that utilizing Kubernetes in conjunction with the latest AI tools is no longer a luxury but a necessary practice that will allow their companies to thrive. A similar onus should be placed on the basics. When hiring your next DevOps, network, or site reliability engineer, ensure that their ability to design, secure, and troubleshoot the Kubernetes network layer is second to none.

If you want to dive deeper, check out Roland Huß and Daniele Zonca’s Generative AI on Kubernetes, Jonathan Johnson’s GPU Kubernetes Homelab live course, Alex Corvin, Taneem Ibrahim, and Kyle Stratis’s Scalable Kubernetes Infrastructure for AI Platforms, Ashok Srirama and Sukirti Gupta’s Kubernetes for Generative AI Solutions, and Yogesh Raheja’s K8sGPT Essentials on-demand course. They’re all on O’Reilly. If you’re not a member, you can get started with a free trial.

Pluralistic: AI digital sovereignty risk doesn't exist (18 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links


A 1989 black and white photo of the Berlin Wall; peering over the wall is Microsoft's 'Clippy' chatbot.

AI digital sovereignty risk doesn't exist (permalink)

Back at the height of the blockchain bubble, I made a hobby of pointing out that crypto weirdos were palming a card. I used this formulation:

if: problem + blockchain = problem – blockchain

then: blockchain = 0

https://pluralistic.net/2022/01/30/the-inevitability-of-trusted-third-parties/

You see, blockchain weirdos kept insisting that they could solve problems related to trust and institutional design with "smart contracts." Rather than having to trust a board of directors to steer an organization, you could just have a self-executing institution, the "distributed autonomous organization" or DAO.

So for example, if you want to buy a copy of the US Constitution at a Sotheby's auction, you could set up a DAO to raise and pool the funds, eliminating the need to find trustworthy people to receive, hold and deploy these funds:

https://en.wikipedia.org/wiki/ConstitutionDAO

However – and here's where the palmed card comes in – the DAO can't go to Sotheby's and place a bid on the Constitution. Instead, the members of the DAO have to elect a guy to receive all that cash, walk into Sotheby's, get one of those little ping-pong paddles last seen at the State of the Union in Chuck Schumer's withered claw (emblazoned with the brave slogan "You're hurting my fee-fees") and raise the paddle during the bidding.

That guy doesn't have to go to Sotheby's. That guy can simply walk away with all the money. Members of the DAO are trusting this guy with their entire collective treasury. Indeed, since the DAO has no corresponding legal entity, it might even be that members of the DAO can't sue this guy if he steals all their money – and even worse, without a limited liability structure, it might mean that everyone in the DAO can be sued for anything bad this guy does with the money.

Which raises the question: what's the point of building this insanely complex hairball of blockchain-based smart contracts to raise and hold the money if you're just going to hand it to this guy and trust him without limit? Why not just have that guy set up a Zelle account and a Whatsapp group? In other words: the problem that the DAO is trying to solve is the difficulty of trusting people with the keys to the kingdom, but no matter how much blockchain you sprinkle on this DAO, it ends with this one guy walking around with all your money, which he can steal with impunity if he so chooses.

Or, put more succinctly:

if: problem + blockchain = problem – blockchain

then: blockchain = 0

This turns out to be a really good way of assessing policy prescriptions for their soundness and foundation in reality, because – as the blockchain swindle shows us – it's possible to come up with entirely fictitious solutions to entirely real problems. The problem of designing a trustworthy institution that can't be betrayed by its leaders and whose operations don't consume all its resources is a real problem – it's quite possibly the real problem – but adding a DAO does nothing to solve the core problems of institutional design, and actually makes some of those problems worse.

There's another real problem with a fictitious solution that is – surprise! – tied to another tech bubble: digital sovereignty.

It's a genuine problem that everyone in the world (outside of China's sphere of influence) is glued to America's tech platforms. These platforms steal everyone's money and data, and every country has signed a trade deal with the USA promising not to let its own technologists and entrepreneurs go into business making add-ons and complementary goods that remediate the defects in America's tech exports:

https://pluralistic.net/2026/01/29/post-american-canada/#ottawa

What's more, Trump's response to finding himself in this poker game that's rigged entirely in his favor is to flip over the table because he resents having to pretend to play at all (as November Kelly so aptly put it). His incontinent belligerence on the world stage sees him making bids to steal whole countries and he's recruited American tech giants to help him in this chaotic program of lunatic imperialism. When other countries' public officials make decisions that Trump dislikes, he gets companies like Microsoft to disconnect whole institutions from the internet, deleting their files, email archives, calendars and address books, and depriving them of the ability to connect to any service tied to their Outlook accounts:

https://pluralistic.net/2026/04/20/praxis/#acceleration

Which means that if Trump wants to steal Greenland, he doesn't have to roll tanks into Nuuk – he can just brick the country of Denmark. He can shut down all their ministries, every large firm, every household. He can shut down their iPhones and Android devices. He can kill their smart-speakers. He can hormuz the world's supply of Ozempic, Lego and ferociously strong licorice:

https://pluralistic.net/2026/04/04/digital-subjugation/#greenlands-next

It doesn't stop there! Trump can also shut down every tractor!

https://pluralistic.net/2022/05/08/about-those-kill-switched-ukrainian-tractors/

This is the digital sovereignty risk. It's also the digital sovereignty opportunity. If countries repeal the laws that the US bullied them into accepting, laws that protect US tech giants from local competitors who block their plunder of data and money, they can turn America's tech trillions into their own tech billions. As Jeff Bezos likes to say, "your margin is my opportunity":

https://pluralistic.net/2026/01/30/zucksauce/#gandersauce

Meanwhile, repealing these US-protecting laws would enable countries to extract their data from US platforms so they can move it into domestic alternatives, and bypass the software locks that block them from updating phones, cars, tractors and ventilators to protect them from remote killswitches:

https://pluralistic.net/2026/01/01/39c3/#the-new-coalition

The digital sovereignty risk is having your country's government, businesses and industries terminated by Trump. The digital sovereignty opportunity is making billions of dollars by producing and exporting products that defend people from Big Tech plunder and Trumpian killswitches. That is the real world.

But many "digital sovereignty" advocates are living in an imaginary world, in which the digital sovereignty risk is that Trump will shut off their country's access to AI.

This is where the "if problem + blockchain" formulation comes in handy. If Trump shut off Canada's access to Chatgpt, Claude and Grok tomorrow, nothing would happen. No significant business, no federal or provincial ministry, no municipal government depends on these products for anything essential. And if Canada were to build their own local AI to sub in for Chatgpt, Claude and Grok, it would loose tens, if not hundreds of billions of dollars. Worst of all, a national AI strategy does nothing – not one solitary thing – to protect Canada from Trump shutting down our ministries, our companies, or our tractors.

In other words:

If: digital sovereignty + AI = digital sovereignty – AI

Then: AI = 0

If you think AI tools are nifty and want Canada to invest in AI, then first, please stop pretending that this has anything to do with "digital sovereignty." Not only is this a transparent bit of nonsense, it's a dangerous one, because digital sovereignty is a real problem, and AI does nothing to solve it.

If you want a good "national AI strategy," try this: save your money until the bubble bursts, and then buy your GPUs and hire your talent at 10 cents on the dollar and put them to work refining open source models:

https://pluralistic.net/2025/12/05/pop-that-bubble/#u-washington

Buying AI at the top of the market is nuts. That would be like shopping for Aeron chairs and foosball tables in March 2000. If you just sit tight for a couple months, you'll be able to find bankrupt dotcom entrepreneurs selling these at knock-down prices out front of their formerly overpriced office space in the Mission, in the time-honored tradition of former Wall Street millionaires selling apples out of their Rolls Royces:

https://digicoll.lib.berkeley.edu/record/323794

(Literally: I bought a "dining room set" of six $1500 Steelcase Leap chairs in the summer of 2000 from a failed dotcom CEO on Van Ness for $25 a piece – still in the original plastic!)

And in the meantime, please let's stop pretending that digital sovereignty has anything to do with "national AI." If Trump takes away your AI, everything is fine. If Trump takes away your iPhones, Office 365 and tractors, your country grinds to a halt. This is just not that complicated:

If: digital sovereignty + AI = digital sovereignty – AI

Then: AI = 0

(Image: Armin Kübelbeck, CC BY-SA 4.0, modified)

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago Napster boss's American Library Association keynote https://web.archive.org/web/20010623201456/https://www.salon.com/tech/wire/2001/06/17/napster/index.html

#20yrsago Flickr: we’ll give full access to competitors – if they reciprocate https://www.flickr.com/groups/central/discuss/72157594165399644/#comment72157594167782546

#20yrsago Report from a concert by a Serbian war-criminal https://web.archive.org/web/20060613081324/http://blog.b92.net/blog/22

#20yrsago European podcasters to WIPO: Stay away from us! https://web.archive.org/web/20060619224538/https://www.bloggernews.net/2006/06/european-podcasters-team-up-to-lobby.html

#15yrsago KFC: support diabetes research by buying an 800 calorie, 56 spoonful of sugar “Mega Jug” https://web.archive.org/web/20110619031415/https://theweek.com/article/index/216462/irony-alert-buy-kfcs-800-calorie-soda-to-support-diabetes-research

#10yrsago Terrorist who murdered Jo Cox shouts: “Death to traitors” in court https://www.csmonitor.com/World/2016/0618/Accused-killer-of-MP-Jo-Cox-makes-defiant-court-statement

#10yrsago Judge orders release of man convicted while his public defender was handcuffed https://web.archive.org/web/20160617172242/http://www.reviewjournal.com/crime/judge-releases-man-who-received-jail-sentence-while-lawyer-was-handcuffs-video

#10yrsago Hambone virtuoso https://www.youtube.com/watch?v=YMJeaZtgwng

#10yrsago Google Fiber now forces subscribers into binding arbitration; days left to opt out https://web.archive.org/web/20160617141759/https://consumerist.com/2016/06/16/google-fiber-copies-comcast-att-forces-users-to-give-up-their-legal-right-to-sue/

#1yrago The Immortal Choir Holds Every Voice https://pluralistic.net/2025/06/18/anarcho-cryptid/#decameron-and-on

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

15:21

[$] The first half of the 7.2 merge window [LWN.net]

The 7.2 merge window started with the 7.1 kernel release on June 14. As of this writing, just over 7,000 non-merge changesets have been pulled into the mainline for the next kernel release. Many of the core subsystems have been pulled at this point, meaning that most of the changes that can be expected in 7.2 have now come into focus.

15:14

Link [Scripting News]

Now that Google has added AI in their search, and it dominates search more and more, it's become more difficult to find ideas that aren't well explained by AI and are on some randome old web pages. For example, this morning I wanted to find an explainer for "Standing on the toes of giants," something a colleague once used in a story. I'm sure there's stuff out there, but no luck finding it. Didn't help that there's a popular song with that title.

14:35

Security updates for Thursday [LWN.net]

Security updates have been issued by AlmaLinux (dracut, podman, postfix, rsync, xorg-x11-server, and xorg-x11-server-Xwayland), Debian (atril, firefox-esr, and nginx), Mageia (libcap, perl, and python-pillow), Oracle (firefox, gstreamer-plugins-base and gstreamer-plugins-good, httpd:2.4, kernel, libpng12, libpng15, libxml2, libxslt, opencryptoki, openssl, postfix, rsync, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (bind, libidn, mozilla, and openssl), SUSE (alloy, docker, elemental-system-agent, glibc, grafana, helm, LibVNCServer, openssh8.4, perl-GD, perl-HTTP-Daemon, python-WebOb-doc, python311-google-adk, rustup, traefik2, wireshark, and xwayland), and Ubuntu (dolibarr, golang-go.crypto, graphite2, gst-plugins-bad1.0, kitty, libconfig-inifiles-perl, libnginx-mod-js, and webpy).

[$] Single-hop block replication with RMR and BRMR [LWN.net]

How can cloud providers efficiently supply durable virtual block devices? Remote Direct Memory Access (RDMA) provides a way for servers in a cluster to share chunks of memory, but there still needs to be a protocol that operates on top of RDMA to provide the guarantees expected of a block device. The kernel's RDMA transport library (RTRS) provides a way to send messages via RDMA. I presented about two new components built on top of RTRS at the 2026 Linux Storage, Filesystem, Memory Management and BPF Summit: Reliable Multicast over RTRS (RMR) and Block device over RMR (BRMR). These modules, which I am working on with Jia Li, could be a way for cloud providers to expose durable block devices with as little overhead as possible. To accomplish that, however, we need some discussion and feedback from the community before sending the modules upstream.

Mastodon 4.6 released [LWN.net]

Version 4.6 of the Mastodon fediverse platform has been released.

The headliner of this release is Collections, a way to create and share curated collections of profiles. Part of Mastodon's work ethos is our commitment to trust and safety, so we've put a lot of thought and care into the design of this feature to avoid some of the pitfalls and abuse people have experienced with similar features on other platforms, while focusing on its primary goal: Helping new users discover more of the Fediverse.

Other new features include support for subscribing to posts via email, the ability to generate a "year in review" post, accessibility improvements, and more.

14:28

World Wide Knicks by Sally Atkins [Scripting News]

My longtime friend Sally Atkins reponded to my question yesterday about how widely the love of the Knicks is being felt.

You asked. From all I see out here in the Midwest and also from comments from friends in Europe, I can testify that yes absolutely the Knicks win is a total joy to behold far and wide. Not just for the artful wins, although that was great fun. The last second dunk in the second to last game was breathtaking.

The larger gift is that New Yorkers have so vividly shown that right now and going forward we are capable of joy-and-unity vs hate-and-division. Love is way more fun than hate. Most people know that, you’ve shown it. Knicks fans, people of all ages and creeds , are a palpable reminder of the power of the people right on!

Remember the 1967 Troggs hit Love is All Around? I feel it in my fingers, I feel it in my toes.

Happy Parade Day!

Let this hopeful moment fuel the near future.

PS: Did you see the news clip of the Knicks just after arriving back in NY, just off their plane they joined in a parade for Puerto Rico or maybe it was Pride Month. Hallelujah. (Dave: It was the Puerto Rican Day parade, two players went, Alvarado (who is Puerto Rican himself) and Jordan Clarkson who is from the Philippines, and is the super freak hippie on the team, though they're pretty much all hippies.)

Responses from other sites

Tommy Williams: "Not here in Montana, or among my colleagues across the Midwest. It didn't attract more attention than any other NBA championship. Everyone's focus (for sports) is on the World Cup."

Courtney Robertson: "Noticing that sports is bringing unification and joy when I really could use that."

Phil: "There are a surprising number of Knicks fans here in Cincy, and it's been a pretty big deal -- I've even got a friend who flew out to NYC for the parade today."

14:14

Why I’m Obsessed With “Obsession” [Whatever]

 

Y’all already know that I am not a horror fan. Horror has always been my least favorite movie genre, and there are very few movies within the genre that I even consider worthwhile. When I went to see Obsession, I was already outside of my comfort zone by going and seeing a horror movie in theaters, as they’re always too loud and I really hate being jump scared in front of other people.

You can imagine my surprise when Obsession ended up being the best horror movie I’ve ever seen. It is one of the most incredible films I’ve seen, even when I take it out of the horror ranking. It’s just that good.

I’d like to give y’all some spoiler-free thoughts first, so you can get a good feel for why I love this movie without getting into the nitty-gritty details, but then I will go deeper with spoilers and get into what makes it so damn great.

For starters, Obsession has so many little factoids about it that it make it more special than most films right off the bat, like the fact it was made for under a million dollars, at a whopping $750k. I have not heard of a successful, theater-released movie having that small of a budget in I don’t even know how long, if at all. That is so impressive. Not only that, but it is one of the only films, alongside E.T., to do better financially in the following weeks after opening weekend. Most movies peak at their opening weekend, but Obsession just kept getting more and more popular.

The fact that the cast was comprised of people I’d never heard of it made it all the better, because when you have Matt Damon as your lead, it’s hard to see him as anyone other than… Matt Damon (looking at you, Christopher Nolan’s Odyssey). So having a cast full of people I’ve literally never seen before made it feel so much more real. It’s more immersive when you don’t recognize big name stars that steal the spotlight. These people felt like people, not celebrities in a movie. Plus, everyone did such a stellar job, especially Inde Navarrette! She was perfectly terrifying.

Without giving too much away, the basic plot is this guy, Bear, wishes that his crush, Nikki, loved him, and let’s just say he gets more than he bargained for. The themes this movie explores are extremely heavy. Bodily autonomy, consent, love VS obsession, toxic and abusive relationships, family-friendly topics like that!

The horror element in Obsession is a special kind of dread that sticks with you long after you leave the theater. This movie sat heavily in my brain for days on end. A lot of horror movies give you two hours of cheap adrenaline rushes and jump scares while being oh so forgettable, but Obsession truly haunts you. “Unsettling” is too timid of a word to describe the feeling it will leave you with.

I find the pacing to be rather good, as there’s no B-plot for this movie, so it’s pretty much just all go-go-go with no breaks. There are no slow parts or scenes that feel unnecessary. All the scenes feel like the perfect length.

The lighting is a work of art in this movie. The soft, dim lighting at the bar, in Bear’s house, and throughout the film alongside the dark, shadowy, spooky scenes is so good. It’s very atmospheric, and feels somewhat intimate. Even the scenes that are dark aren’t that kind of super annoying horror movie dark where you just can’t see shit for the sake of jump scaring you. It’s like an actually well done type of darkness.

So, great performances, good pace, nice lighting, and a special kind of horror, all for under a million dollars! Pretty impressive stuff.

Now let’s get into the details. SPOILER WARNING!

From the moment we meet Bear, we are shown, expertly, how he is kind of a piece of junk. When practicing his confession speech, he only brings up how Nikki was nice to him and was there for him when he was going through a tough time. He never says what he likes about her as a person, just what she has done for him and how she makes him feel.

When he gets home and finds his cat dead, he puts it in a black garbage bag and throws it away. Who does that?! That is not how you dispose of a deceased pet?!

At trivia night, he tries to confess his feelings at an awkward, inopportune time that would affect the rest of the group and impact everyone’s evenings.

He didn’t give his gift to Nikki, he used it for himself and then lied to her, saying he left her gift at his house. Because he sucks!

AND HE CALLED HER FREAKY NIKKI EVEN THOUGH SHE HATES THAT. Bear is a certified jerk, even though it seems like, at first, that he’s just a shy, nice guy with a crush.

Worst of all, Bear is a coward. When Nikki asks him bluntly if he likes her, he pussies out and says no, then regrets it immediately. Then, when Wish Nikki says she knows he likes her, he denies it and makes her confess first before admitting that, yes, he does like her.

He is a coward when he can’t shoot himself and takes the pills instead, and he is a coward when he tries to throw up the pills because he doesn’t have the nerve to actually kill himself. He is a coward to the bitter end, and I think that is amazing. What a flawed, awful, hate-able character. There is no redemption, because he couldn’t even commit to killing himself. He is never the good guy, he is, from the start, the bad guy.

I have never felt worse for a horror movie character than I feel for Nikki. In the short amount of time we get to see the real Nikki, she is fun and kind and thoughtful. Nikki seems like a genuinely nice person, and it’s easy to see why Bear would have a crush on her. And suddenly, she’s gone. Trapped in some sort of horrible, agonizing negative space while something else controls her body, with only short spurts of consciousness where the real Nikki is begging to be freed, fighting to be released from Wish Nikki taking back over. Each time the real Nikki surfaces I can only imagine what is going through her mind, or if she wonders if this will be the last time she ever gains control again, just to succumb back under. Of course, it reminds me a lot of Get Out, which is also a great movie!

To be hurt by someone you think of as a friend, not just hurt but condemned to this cursed existence, only for him to ignore your pleas for death. UGH. Poor Nikki. It’s actually so heartbreaking. And so real! It’s often the people closest to you that hurt you the most.

Honestly their entire friend group is such a mess, with Ian and Nikki hooking up and Ian not telling Bear even though he knows how he feels about her. Ian tries sabotaging Bear’s attempts at confessing and is unhappy about his relationship with Nikki, yet never even mentioned his and Nikki’s situationship to the guy who is supposedly his best friend. Plus, if Bear is his best friend, why didn’t he believe him or at the very least hear him out more on the One Wish Willow?

If my best friend came to me, obviously distressed, and a ton of weird stuff had been going on lately, and they told me it was because of this very real wishing stick, I’d at least hear them out instead of calling them crazy right off the bat. I trust my friends with my life, and love them dearly, why would I believe they’re lying to me about something like this? Bear was obviously extremely distraught and practically begging Ian to listen, but he refused and just wished for a billion dollars to be a fucking dick.

As for Sarah, she was a Pick-Me praying on the downfall of Bear’s and Nikki’s relationship, judging from the sideline while also trying to make moves of her own on Bear. She asked him to meet her late at night in private, then told him that Nikki is taking advantage of him and he doesn’t deserve it, and that he needs someone “more chill.” Literally referring to herself as a better match for him than Nikki. What kind of friend does that?! She even says that he was supposed to kiss her, not Nikki. Does she secretly hate and envy Nikki? She is not a girl’s girl, that’s for sure, and she got a face full of brick for it. (I’m just kidding, she didn’t actually deserve the brick for being a Pick-Me, but it still is an unfortunate character flaw.)

Point is, this friend group really sucked. Nikki was the best of them, truly. Now she’s an extremely traumatized girl who will never be the same because of one selfish boy’s actions. She was a beautiful soul, and now she has been through hell and back, and is certainly forever changed. Again, poor Nikki. It makes me so sad!

I really love that the One Wish Willow isn’t even an evil thing, you can make a wish and have everything go great. The shopkeeper that made his wish certainly seemed fine, and Ian got his billion dollars with zero issues. It’s solely because Bear made a bad wish with bad intentions that his wish turned out so terrible. I find that to be an extremely satisfying mechanic, even though it sadly comes at the cost of Nikki.

This was a well-shot, well-acted, well-executed film with an amazing concept and cast. I loved it, and saw it three times in theaters. I highly recommend it, even if you aren’t usually a fan of horror movies. It’s probably the best film I’ve seen this year.

Have you seen Obsession yet? What did you think was the scariest part (for me, it was definitely when Bear is on the phone with One Wish Willow, and you hear Nikki screaming in agony in the background)? What’s your favorite horror movie? Let me know in the comments, and have a great day!

-AMS

14:07

Representative Line: Sort This Out [The Daily WTF]

Today's anonymous submitter has spent a long time toiling through many, many tickets. Their effort has been an attempt to "save" their employer from the disaster left behind by by a highly-paid consultant. As one does, our submitter started with the highest priority tickets with the highest severity. Eventually, they whittled down that list, and had some bandwidth to start looking at the pieces of the code which clearly weren't exploding right now (because there were no tickets), but were likely to explode at some point in the future (creating a storm of tickets).

Scanning through the JavaScript, our submitter found a sort function. That was automatically concerning- why was that particular wheel being reinvented?

The first line of the sort function was this:

obj[x._id.account_id] = x.count_total

In this case, x._id is meant to be the unique identifier from their Mongo DB. That, uh, should be not precisely a UUID (Mongo does its own weird version), but it definitely shouldn't have an account_id field on it. They are storing an arbitrary object as their unique identifier in the database. Which, I'm no Mongo expert, but I don't need to be Flash Gordon to know that's a bad idea.

But setting aside the choice of using random objects as unique identifiers, there's also the other question: how is this furthering the goal of sorting? Why on Earth am I building an object in the form: {"id0": 5, "id1": 7, "id2": 11}? Or am I even doing that? This is the first line of the function, so we're not even doing a loop, it's just {"id0": 5}.

This isn't just an unexploded bomb, it's a mystery: the primary mystery being why hasn't this exploded already? The second mystery is: what's going to happen when your luck runs out?

[Advertisement] ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.

13:42

Link [Scripting News]

NBA fans, esp Knicks fans, are not fans of the current president. A picture of the Knicks team with Trump in the Oval Office would be hard to see. Not threatening to resign as a Knicks fan, not ruling it out either.

Feeds

FeedRSSLast fetchedNext fetched after
@ASmartBear XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
a bag of four grapes XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Ansible XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
Bad Science XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
Black Doggerel XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
Blog - Official site of Stephen Fry XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
Charlie Brooker | The Guardian XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Charlie's Diary XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
Chasing the Sunset - Comics Only XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
Coding Horror XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
Comics Archive - Spinnyverse XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
Cory Doctorow's craphound.com XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Cory Doctorow, Author at Boing Boing XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
Ctrl+Alt+Del Comic XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
Cyberunions XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
David Mitchell | The Guardian XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
Deeplinks XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
Diesel Sweeties webcomic by rstevens XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
Dilbert XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
Dork Tower XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Economics from the Top Down XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
Edmund Finney's Quest to Find the Meaning of Life XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
EFF Action Center XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
Enspiral Tales - Medium XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
Events XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
Falkvinge on Liberty XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
Flipside XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Flipside XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
Free software jobs XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
Full Frontal Nerdity by Aaron Williams XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
General Protection Fault: Comic Updates XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
George Monbiot XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
Girl Genius XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
Groklaw XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
Grrl Power XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Hackney Anarchist Group XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
Hackney Solidarity Network XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
http://blog.llvm.org/feeds/posts/default XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
http://calendar.google.com/calendar/feeds/q7s5o02sj8hcam52hutbcofoo4%40group.calendar.google.com/public/basic XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
http://dynamic.boingboing.net/cgi-bin/mt/mt-cp.cgi?__mode=feed&_type=posts&blog_id=1&id=1 XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
http://eng.anarchoblogs.org/feed/atom/ XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
http://feed43.com/3874015735218037.xml XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
http://flatearthnews.net/flatearthnews.net/blogfeed XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
http://fulltextrssfeed.com/ XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
http://london.indymedia.org/articles.rss XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
http://pipes.yahoo.com/pipes/pipe.run?_id=ad0530218c055aa302f7e0e84d5d6515&amp;_render=rss XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
http://planet.gridpp.ac.uk/atom.xml XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
http://shirky.com/weblog/feed/atom/ XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
http://thecommune.co.uk/feed/ XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
http://theness.com/roguesgallery/feed/ XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
http://www.airshipentertainment.com/buck/buckcomic/buck.rss XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
http://www.airshipentertainment.com/growf/growfcomic/growf.rss XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
http://www.airshipentertainment.com/myth/mythcomic/myth.rss XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
http://www.baen.com/baenebooks XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
http://www.feedsapi.com/makefulltextfeed.php?url=http%3A%2F%2Fwww.somethingpositive.net%2Fsp.xml&what=auto&key=&max=7&links=preserve&exc=&privacy=I+accept XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
http://www.godhatesastronauts.com/feed/ XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
http://www.tinycat.co.uk/feed/ XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
https://anarchism.pageabode.com/blogs/anarcho/feed/ XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
https://broodhollow.krisstraub.comfeed/ XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
https://debian-administration.org/atom.xml XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
https://elitetheatre.org/ XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
https://feeds.feedburner.com/Starslip XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
https://feeds2.feedburner.com/GeekEtiquette?format=xml XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
https://hackbloc.org/rss.xml XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
https://kajafoglio.livejournal.com/data/atom/ XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
https://philfoglio.livejournal.com/data/atom/ XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
https://pixietrixcomix.com/eerie-cutiescomic.rss XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
https://pixietrixcomix.com/menage-a-3/comic.rss XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
https://propertyistheft.wordpress.com/feed/ XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
https://requiem.seraph-inn.com/updates.rss XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
https://studiofoglio.livejournal.com/data/atom/ XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
https://thecommandline.net/feed/ XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
https://torrentfreak.com/subscriptions/ XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
https://web.randi.org/?format=feed&type=rss XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
https://www.dcscience.net/feed/medium.co XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
https://www.DropCatch.com/domain/steampunkmagazine.com XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
https://www.DropCatch.com/domain/ubuntuweblogs.org XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
https://www.DropCatch.com/redirect/?domain=DyingAlone.net XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
https://www.freedompress.org.uk:443/news/feed/ XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
https://www.goblinscomic.com/category/comics/feed/ XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
https://www.loomio.com/blog/feed/ XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
https://www.newstatesman.com/feeds/blogs/laurie-penny.rss XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
https://www.patreon.com/graveyardgreg/posts/comic.rss XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
https://www.rightmove.co.uk/rss/property-for-sale/find.html?locationIdentifier=REGION^876&maxPrice=240000&minBedrooms=2&displayPropertyType=houses&oldDisplayPropertyType=houses&primaryDisplayPropertyType=houses&oldPrimaryDisplayPropertyType=houses&numberOfPropertiesPerPage=24 XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
https://x.com/statuses/user_timeline/22724360.rss XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
Humble Bundle Blog XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
I, Cringely XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
Irregular Webcomic! XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
Joel on Software XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
Judith Proctor's Journal XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
Krebs on Security XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
Lambda the Ultimate - Programming Languages Weblog XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
Looking For Group XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
LWN.net XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
Mimi and Eunice XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
Neil Gaiman's Journal XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
Nina Paley XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
O Abnormal – Scifi/Fantasy Artist XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
Oglaf! -- Comics. Often dirty. XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
Oh Joy Sex Toy XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
Order of the Stick XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
Original Fiction Archives - Reactor XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
OSnews XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
Paul Graham: Unofficial RSS Feed XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
Penny Arcade XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Penny Red XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
PHD Comics XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
Phil's blog XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
Planet Debian XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
Planet GNU XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
Planet Lisp XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
Pluralistic: Daily links from Cory Doctorow XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
PS238 by Aaron Williams XML 17:56, Wednesday, 24 June 18:44, Wednesday, 24 June
QC RSS XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
Radar XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
RevK®'s ramblings XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
Richard Stallman's Political Notes XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
Scenes From A Multiverse XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
Schneier on Security XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
SCHNEWS.ORG.UK XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
Scripting News XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Seth's Blog XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
Skin Horse XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Tales From the Riverbank XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
The Adventures of Dr. McNinja XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
The Bumpycat sat on the mat XML 18:14, Wednesday, 24 June 18:54, Wednesday, 24 June
The Daily WTF XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
The Monochrome Mob XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
The Non-Adventures of Wonderella XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
The Old New Thing XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
The Open Source Grid Engine Blog XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
The Stranger XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
towerhamletsalarm XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
Twokinds XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
UK Indymedia Features XML 17:56, Wednesday, 24 June 18:38, Wednesday, 24 June
Uploads from ne11y XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
Uploads from piasladic XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June
Use Sword on Monster XML 17:49, Wednesday, 24 June 18:36, Wednesday, 24 June
Wayward Sons: Legends - Sci-Fi Full Page Webcomic - Updates Daily XML 17:56, Wednesday, 24 June 18:42, Wednesday, 24 June
what if? XML 17:35, Wednesday, 24 June 18:16, Wednesday, 24 June
Whatever XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
Whitechapel Anarchist Group XML 18:07, Wednesday, 24 June 18:56, Wednesday, 24 June
WIL WHEATON dot NET XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
wish XML 17:42, Wednesday, 24 June 18:27, Wednesday, 24 June
Writing the Bright Fantastic XML 17:42, Wednesday, 24 June 18:26, Wednesday, 24 June
xkcd.com XML 18:00, Wednesday, 24 June 18:43, Wednesday, 24 June