Friday, 22 May

20:14

Migrating from Ubuntu 16.04 to FreeBSD [OSnews]

Bruno Croci’s blog had been running on Ubuntu 16.04 for a long time, well past the Linux distribution’s expiration date. As such, it was time to upgrade, but instead of opting for something standard like another Ubuntu release, he opted for FreeBSD instead.

This blog has been running on a Digital Ocean VPS for over ten years. A machine hosted in New York City, running Ubuntu 16.04 LTS. An LTS that hasn’t been in support for at least 5 years. It was about time to change it. After some considerations, I migrated to a Hetzner virtual machine that is way better than my old Ubuntu one, less than half the price of what I used to pay, and just across the country from me. Not only that, but I took the challenge to move my stack to FreeBSD. It’s a long text, but stay for a cool introduction of FreeBSD Jails with Bastille and some interesting site load benchmarks.

↫ Bruno Croci

I absolutely adore the recent surge in people (re)discovering the BSDs as a valid alternative to Linux in both the server and desktop space. In this particular case, it was FreeBSD’s Jails and ZFS support that won Corci over, and it’s easy to see why. While there are countless alternatives to Jails in the Linux world, ZFS is harder to come by as it can’t be part of the kernel due to licensing issues. With how powerful and capable ZFS is, it makes sense to want to use it on your server, and in that case, FreeBSD is probably a better choice than most Linux distributions.

There are countless reasons to choose one of the BSDs over a Linux distribution, and I’m glad we’re seeing an uptick.

Chicanery [Penny Arcade]

We'll get back to more reveries soon, when all these things stop happening! We gotta come in Monday with some stuff about them sunsetting Destiny 2. It's simply gotta be marked. Plus, there's some legitimately shady shit going on in this year's Horizon Festival it seems like - and now it's entered "the discourse stage." We were always gonna have to manage the advent of drivers with paracausal abilities, and maybe we should just count ourselves lucky that it didn't happen until the Year Of Our Lord 2026.

18:42

Secure boot and Microsoft CA rollover: a heads-up for distributions [OSnews]

We’ve already talked about the secure boot certificates from Microsoft that are about to become invalid, but Debian EFI team member and longtime Debian contributor Steve McIntyre published a blog post with more information for users and distribution developers alike. Why are Microsoft’s secure boot certificates relevant for the Linux world? Well, Linux distributions use shim to provide secure boot functionality, and this shim is signed with Microsoft’s certificates, because they are included in just about every single computer or motherboard ever shipped.

The expiration of these oldest certificates should most likely not be a problem, as existing signed binaries should keep working. This is because the UEFI specification does not look at the expiration dates; it only cares that the signature is valid. Unless you have buggy firmware, your machine will continue to boot Linux just fine.

Microsoft is already handing out new certificates, but they started the rollout of these way too late, so that’s why it’s an actual issue today.

New machines and updated older machines will most likely have all of these new CAs installed. New machines are already shipping that only include the new CAs; they will not trust older software and this has already started causing problems for some users.

[…]

If you already have an old shim signed by Microsoft for your distribution from before October 2025, then it will only be signed using the older CA that expires soon. On newer machines, your users will already not be able to boot your distro with Secure Boot enabled.

If you want your users to be able to use Secure Boot in future, you will need to get a new shim build submitted, reviewed and signed using the new CA. However, that signed build will not work on older machines unless they have had the new CAs installed. This is also likely to cause problems for some users. You should encourage your users to update their systems NOW before things break for them.

↫ Steve McIntyre

I think the Linux world will be able to handle this just fine, but the fact that Microsoft started this process of replacement so late is a real shame. I’m by no means an expert in this field, but I wonder if there isn’t some better solution than relying on Microsoft. I understand their certificates will effectively always be installed on every motherboard, but shouldn’t we be able to move that responsibility to a more independent entity?

18:21

Lawmakers Demand Answers as CISA Tries to Contain Data Leak [Krebs on Security]

Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

On May 18, KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development platform had created a public GitHub profile called “Private-CISA” that included plaintext credentials to dozens of internal CISA systems. Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.

CISA acknowledged the leak but has not responded to questions about the duration of the data exposure. However, experts who reviewed the now-defunct Private-CISA archive said it was originally created in November 2025, and that it exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

In a written statement, CISA said “there is no indication that any sensitive data was compromised as a result of the incident.” But in a May 19 a letter (PDF) to CISA’s Acting Director Nick Andersen, Sen. Maggie Hassan (D-NH) said the credential leak raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches.

“This reporting raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure,” Sen. Hassan wrote.

A May 19 letter from Sen. Margaret Hassan (D-NH) to the acting director of CISA demanded answers to a dozen questions about the breach.

Sen. Hassan noted that the incident occurred against the backdrop of major disruptions internally at CISA, which lost more than a third of it workforce and almost all of its senior leaders after the Trump administration forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.

Rep. Bennie Thompson (D-MS), the ranking member on the House Homeland Security Committee, echoed the senator’s concerns.

“We are concerned that this incident reflects a diminished security culture and/or an inability for CISA to adequately manage its contract support,” Thompson wrote in a May 19 letter to the acting CISA chief that was co-signed by Rep. Delia Ramirez (D-Ill), the ranking member of the panel’s Subcommittee on Cybersecurity and Infrastructure Protection. “It’s no secret that our adversaries — like China, Russia, and Iran — seek to gain access to and persistence on federal networks. The files contained in the ‘Private-CISA’ repository provided the information, access, and roadmap to do just that.”

KrebsOnSecurity has learned that more a week after CISA was first notified of the data leak by the security firm GitGuardian, the agency is still working to invalidate and replace many of the exposed keys and secrets.

On May 20, KrebsOnSecurity heard from Dylan Ayrey, the creator of TruffleHog, an open-source tool for discovering private keys and other secrets buried in code hosted at GitHub and other public platforms. Ayrey said CISA still hadn’t invalidated an RSA private key exposed in the Private-CISA repo that granted access to a GitHub app which is owned by the CISA enterprise account and installed on the CISA-IT GitHub organization with full access to all code repositories.

“An attacker with this key can read source code from every repository in the CISA-IT organization, including private repos, register rogue self-hosted runners to hijack CI/CD pipelines and access repository secrets, and modify repository admin settings including branch protection rules, webhooks, and deploy keys,” Ayrey told KrebsOnSecurity. CI/CD stands for Continuous Integration and Continuous Delivery, and it refers to a set of practices used to automate the building, testing and deployment of software.

KrebsOnSecurity notified CISA about Ayrey’s findings on May 20. CISA acknowledged receipt of that report, but has not responded to follow-up inquiries. Ayrey said CISA appears to have invalidated the exposed RSA private key sometime after that notification. But he noted that CISA still hasn’t rotated leaked credentials tied to other critical security technologies that are deployed across the agency’s technology portfolio (KrebsOnSecurity is not naming those technologies publicly for the time being).

Ayrey said his company Truffle Security monitors GitHub and a number of other code platforms for exposed keys, and attempts to alert affected accounts to the sensitive data exposure(s). They can do this easily on GitHub because the platform publishes a live feed which includes a record of all commits and changes to public code repositories. But he said cybercriminal actors also monitor these public feeds, and are often quick to pounce on API or SSH keys that get inadvertently published in code commits.

The Private CISA GitHub repo exposed dozens of plaintext credentials to important CISA GovCloud resources. The filenames include AWS-Workspace-Bookmarks-April-6-2026.html, AWS-Workspace-Firefox-Passwords.csv, Important AWS Tokens.txt, kube-config.txt, etc.

The Private-CISA GitHub repo exposed dozens of plaintext credentials to important CISA GovCloud resources.

In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, the most egregious of which appears to have happened in late April 2025, Ayrey said.

“We monitor that firehose of data for keys, and we have tools to try to figure out whose they are,” he said. “We have evidence attackers monitor that firehose as well. Anyone monitoring GitHub events could be sitting on this information.”

James Wilson, the enterprise technology editor for the Risky Business security podcast, said organizations using GitHub to manage code projects can set top-down policies that prevent employees from disabling GitHub’s protections against publishing secret keys and credentials. But Wilson’s co-host Adam Boileau said it’s not clear that any technology could stop employees from opening their own personal GitHub account and using it to store sensitive and proprietary information.

“Ultimately, this is a thing you can’t solve with a technical control,” Boileau said on this week’s podcast. “This is a human problem where you’ve hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine. I don’t know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed or even had visibility on.”

18:14

The Business of War and the Mismeasurement of Military Might [Economics from the Top Down]

Your browser does not support the audio tag.

Download: PDF | EPUB | MP3 | WATCH VIDEO

America continues to confuse military spending with true strength.

David Rothkopf

According to US warmongers, the American military is the most powerful fighting force that has ever existed — a war machine so vast and terrible that enemies everywhere tremble in its path. Boasts aside, the US military is surely unrivalled in at least one regard. It is by far the most expensive armed force on the planet.

In 2025, the US government funnelled $842 billion through Pentagon coffers. And if Donald Trump gets his way, that figure will rise to $1.5 trillion in 2027. No matter how you slice it, that’s a staggering pile of cash. But what exactly does this money buy?

A recent New York Times piece complains that the Pentagon’s enormous budget seems to buy “inertia and incompetence”. And they have a point. Since external audits began in 2017, the Pentagon has notoriously failed every single one. Then again, charges of ‘incompetence’ assume that the purpose of the Pentagon is to spend money wisely — to maximize the war-making return on investment. But what if the Pentagon’s purpose is something different?

In 2015, Senator John McCain made the case for sanctions against Russia by dismissing the state as “a gas station masquerading as a country”. Turning closer to home, I think we can say something similar about the Pentagon; it’s a bureaucratic regime for channelling public funds into private coffers — a money funnel masquerading as a military. Of course, that’s not to say that the US military has no firepower. (It does.) My point is that it’s foolish to use Pentagon spending to judge US military might.

For an illustration of this foolishness, look to the ongoing debacle in Iran. Although the Pentagon outspends the Iranian military by more than two orders of magnitude, the US military has been unable to accomplish any of Trump’s (quixotic) objectives.1 Is this strategic defeat simply a matter of Iranian good luck combined with US poor planning?

I doubt it.

What seems more likely is that the US humiliation demonstrates that Pentagon spending is a misleading measure of US military power. The reason is simple: based on spending alone, we cannot differentiate between a military that’s expensive because it is powerful, versus a military that’s expensive because it (and its coterie of contractors) is well paid.

In this essay, I examine the problem of measuring military power. Along the way, I review the long-term history of US military spending, I analyze the rise and fall of US military hegemony, and I discuss how the ‘war on terror’ has foreshadowed US imperial weakness. Finally, I quantify the US military’s transformation from a war-making machine into a money funnel for US business. All told, the evidence suggests that Pentagon spending vastly overstates US military power.

Big battalions

If there is a unifying lesson from military history, it’s the maxim that “God always favors the big battalions”.2 Of course, the assumption here is that we know what it means for a military to be ‘big’.

Throughout most of history, the definition of a ‘big’ military was obvious; it was a simple matter of manpower. Thus, when Napoleon invaded Russia with an army of over 400,000 soldiers, there was no question that he had a massive military.3 Yet as war became mechanized during the early 20th century, the question of military scale became more complicated. Suddenly, armies could be strong not just because of their manpower, but also because of their technological power.

This use of technology, in turn, made the measurement of military scale more difficult because it created an aggregation problem. That is, while manpower can be easily summed (just count soldiers), the quantity of technological power cannot be measured so readily. For example, if a military is armed with 1000 rifles and 2 aircraft carriers, what is its total stock of technology? To answer this question, we need a dimension of aggregation — a common property shared by both rifles and aircraft carriers.

Enter economists. For centuries, economists have solved their aggregation problems by turning to money. Looking at prices, economists put on their accounting hats and proceed to aggregate the monetary value of everything. But unlike accountants, who take monetary quantities at face (financial) value, economists pretend that money reveals something deeper about material stocks and flows. Thus, economists presume that GDP — a measure of aggregate income — is a meaningful measure of economic ‘output’. (It’s not.)

Back to the military. Using economists’ aggregation trick, it’s easy to ‘discover’ that the US military is the “greatest and most powerful [armed force] anywhere in the world” (Trump’s words). To gaze at the superiority of the US military, we simply look at its gargantuan budget, which dwarfs all competitors. Figure 1 shows the spending disparity in 2024.

Figure 1: The ‘greatest and most powerful’ armed force … as revealed by its share of global military spending in 2024. The pie chart shows military spending in 2024, measured in USD. [Sources and methods]

Backing out of this monetary foolishness, my goal in this essay is to demonstrate the problems with equating military spending with military power. In a world not dominated by economics dogma, the key issue would scarcely need stating. Military spending tells us about the income flowing to the armed forces (including its civilian bureaucracy and its private contractors). On its own, this income tells us nothing about military power.

The history of US military spending

Diving into US history, let’s look at the long-term trend in US military spending. From 1789 to 2025, the dollar value of US military expenditures rose by a factor of a million, with conspicuous bumps along the way during periods of war. Figure 2 shows the ascent.

Figure 2: Two centuries of rising US military spending. This chart plots US nominal military spending, indexed to equal one in 1789. Note the spending bumps during periods of war. Also note the log scale on the vertical axis. [Sources and methods]

Although this spectacular rise in nominal military spending might excite US warmongers, it’s fairly meaningless on its own. To gain meaning, spending data needs context. So, with context in mind, here are three different views of the history of US military expenditures, each based on a different assumption about what the armed forces should purchase.

The power to purchase consumer commodities

First, let’s compare US military spending to the consumer price index. By doing so, we imply that the purpose of the military is to purchase consumer commodities. (This assumption is silly, of course, but let’s see where it goes.)

Figure 3 shows the US military’s power to purchase consumer commodities. Compared to nominal military spending (Figure 2) the notable difference here comes after World War II, where we see a conspicuous flatline. Today, the US military’s consumer-commodity purchasing power is about half the value of its WWII peak.

Figure 3: US military spending relative to the consumer price index. This chart measures the US military’s ability to purchase consumer commodities. Yes, the metric is fairly meaningless … but since it’s standard fare in economics, I feel obliged to include it. Note the log scale on the vertical axis. [Sources and methods]

The power to mobilize citizens

Since the purpose of a military is to wage war, its ability to purchase consumer commodities is fairly meaningless. Indeed, one could argue that the optimal military is a spartan one — an organization that spends the bare minimum on troops’ living standards, leaving the maximum budget for warfare.

Of course, the problem with this spartan approach is that it becomes difficult to enforce if citizens’ living standards rise. Sure, a totalitarian regime can build a spartan army based on compulsory military service. But in a capitalist society with a professionalized military, this method doesn’t fly. If a professional military pays poorly, no one will join. Hence, when living standards rise, the military is forced to pay the going rate.

This necessity, in turn, gives rise to a form of cost disease; as living standards rise, mobilizing the population becomes more expensive. For example, a selling point of American living is that US income per capita is about six times greater than in China.4 But the flip side of this greater income is that it makes a war effort more expensive. For the same level of spending, China can mobilize six times more of its citizens. So in terms of military power, high American incomes act as a dead weight that Pentagon planners must drag.

Figure 4 illustrates the impact of rising incomes on the US military’s ability to mobilize American citizens. Here, I’ve pegged US military spending against American income per capita. From 1790 to 1945, the US military’s mobilization ability grew nearly 5000-fold. But after World War II, it shrank steadily, as military spending failed to keep pace with rising American income. Today, the US military’s power to mobilize citizens is less than 20% of its WWII peak.

Figure 4: US military spending relative to US income per capita. This chart measures the US military’s ability to mobilize Americans by paying them the average US income. Note the relative decline in this mobilization ability since the end of World War II. Also note the log scale on the vertical axis. [Sources and methods]

The power to subsidize capitalists

While we’re on the topic of military cost diseases, let’s discuss the burden of paying for corporate profits. During World War II, Harry Truman rose to fame campaigning against war profiteers. “Their greed knows no limit,” he said bluntly.

Ironically, today’s military contractors are far more greedy than those of Truman’s era. Yet there are no modern Truman Committees working to curb excessive profits. And that’s largely because American culture has since been corrupted by neoliberal ideology, which rebrands fat profits as a sign of ‘productivity’.

The roots of this cultural sea change date to the Reagan era in the 1980s. But it was in the mid-1990s when the US military officially donned a neoliberal hat. In 1994, the Pentagon created the ‘Secretary of Defense Executive Fellows’ program, which sent promising military officers to work for top defense contractors and other large corporations. When officers returned from this revolving door, journalist Freddy Brewster notes that they often had a predictable message: “outsource everything not core to DoD” (the Department of Defense).

Now in broad terms, there’s nothing new about Pentagon outsourcing. Historically, the US military has relied heavily on corporate America for its procurement, typically sending about a quarter of its expenditures to the top 100 military contractors. (See Figure 5 for the picture since 1958.) However, in recent decades, there’s been a significant change in what this outsourced spending can buy.

Figure 5: Share of US military spending flowing to the top 100 defense contractors. Over the last seven decades, the Pentagon has sent, on average, a quarter of its budget to the top 100 defense contractors. [Sources and methods]

As corporate profits have fattened, the Pentagon’s ability to pay for them has dwindled. Figure 6 illustrates this corporate cost disease. Here, I’ve pegged US military spending against the earnings per share of the S&P 500. The goal is to get a rough sense for the US military’s ability to subsidize the returns to corporate shareholders.5

Looking at the trend, it seems that the military’s ability to subsidize capitalists peaked in World War II, when spending was high and shareholder earnings were low. But since the 1990s, Pentagon spending hasn’t kept pace with rising corporate payouts. As a consequence, the US military’s ability to subsidize corporate owners now sits at just 4% of its WWII peak.

Figure 6: US military spending relative to S&P 500 earnings per share. This chart measures the ability of the US military to fund the returns to corporate shareholders. Note the conspicuous decline in this ability over the last few decades, a period marked by rapidly rising corporate profits. Also note the log scale on the vertical axis. [Sources and methods]

Spending big … or small

When journalists report government spending, they have a tendency to emphasize the big-number factor. (As in, the federal deficit is $1.8 trillion!) But the truth is that big numbers can turn out to be comparatively small, depending on the context.

The Pentagon budget is a case in point. Whether the current budget is ‘large’ or ‘small’ depends on the context. Of course, in nominal terms, Pentagon spending is larger than ever. But relative to consumer commodity prices, Pentagon spending now sits at about half its WWII peak. In terms of the ability to mobilize Americans, things are worse; the current budget sits at 19% of its WWII peak. And in terms of the ability to subsidize corporate shareholders, today’s Pentagon budget is shockingly small — less than 4% of its WWII peak.

Table 1 summarizes these different viewpoints. The lesson here is that despite the eye-popping dollar values, the modern Pentagon budget is not the behemoth it once was.

Table 1: Spending big or small? Framing the 2025 Pentagon budget.

Observation 2025 Pentagon spending compared to WWII peak
Nominal spending 1000%
Spending relative to consumer price index 56%
Spending relative to average US income 19%
Spending relative to S&P 500 earnings per share 3.9%

For data sources, see the appendix.

The road to empire

Staying within the realm of military spending, let’s pivot now and look at the road to US empire. Since the end of World War II, the US has maintained hundreds of military bases throughout the world, with US soldiers acting effectively as a global police force. Of course, under Trump, the US military has morphed into more of a pirate force for Washington plutocrats. But before we discuss this devolution, let’s look at how the US empire was formed.

One way to view the US empire is that it emerged suddenly out of the ashes of World War II. The backstory here is that prior to WWII, American politicians favored an isolationist foreign policy (the Monroe Doctrine notwithstanding). And they had inherited from the constitutional founders a deep distrust of standing armies.6

Given this stance, US military spending tended to be quite modest. During periods of peace, it was typically close to 1% of US aggregate income (GDP). Of course, when war erupted, military ranks swelled, as did spending. But when peace returned, the military would shrink to its pre-war stature. Figure 7 shows this cyclical behavior, which lasted from 1790 to 1939.

Figure 7: The sudden road to empire — US military spending as a share of US aggregate income. For more than a century after the US achieved independence, its military spending had a consistent rhythm of war and peace. During peacetime, military spending was typically around 1% of aggregate income. Periods of war brought increased spending, which would then subside as peace returned. This rhythm stopped after World War II, when the US retained a massive military, garrisoned around the world. Note the log scale on the vertical axis. [Sources and methods]

Continuing to look at Figure 7, note how World War II brought a halt to the spending rhythm of war and peace. When the war ended in 1945, the United States retained, for the first time, a massive standing army that was stationed throughout the world. As a consequence, military spending didn’t return to pre-war levels, but instead remained high. Thus was born the imperial epoch of US history.

Sort of.

The problem with this story of ‘sudden’ empire is that it ignores the colonial expansion of the United States itself. For example, in 1800, the US was a small nation of 16 states clumped along the Eastern seaboard. Its population was just 5 million — about 0.5% of the world’s total population. Over the next century, a steady stream of immigration would swell the American population by a factor of ten, and a series of territorial conquests would see the country expand across the continent.

When we take into account the colonial expansion of the United States itself, we get the more gradual road to US empire shown in Figure 8. Here, I’ve measured US military spending as a share of world income (GDP). From 1789 to 1939, US military expenditures rose steadily, increasing their slice of world income by two orders of magnitude. During World War II, the US war machine bolstered this value another forty-fold. At its peak, the US war effort commanded something like a fifth of the world’s income.

Figure 8: The gradual road to empire — US military spending as a share of world income. When we take into account the steady expansion of the United States itself, we see that its military rose to dominance slowly and consistently over the 19th and early 20th centuries. We also see that in global terms, US military spending is now a shadow of its former WWII hegemony. Note the log scale on the vertical axis. [Sources and methods]

Now to the present. Listening to Trump and his cabinet of swaggering morons, we get the impression that the US is at the height of its military power. But then again, when the US was actually at the height of its power (during World War II), its leaders weren’t blathering about their military supremacy. They were sowing the diplomatic seeds for the US-led world order that would follow the war.

For example, at the Moscow conference in 1943, the US drafted and signed (along with the United Kingdom, the Soviet Union, and China) the Four Power Declaration, which laid the groundwork for the United Nations. And in 1944, the US hosted the Bretton Woods Conference, which established the post-war financial order.

In short, it seems that the peak of US military power coincided with the peak of US diplomacy. And if you understand how power works, that’s not surprising. You see, brute force is the most brittle form of power. Yes it works, if one maintains constant armed oppression. But the moment that weapons are sheathed, coercive power is prone to collapse. In contrast, power through diplomatic consensus is far more robust because it involves buy-in from local populations. Hence, through diplomacy, a powerful military can be transformed from a would-be oppressor into a legitimate international police force.

It was this combination of diplomatic and military power that led to the creation and maintenance of the US-led world order. And today, it is the lack of diplomatic and military power that is causing the US-led world order to collapse. In 2026, US statecraft reads like a dark satire. For Trump, the favored tactic is mafia-like extortion. Hence, we get US financial extortion through Trump’s vindictive use of tariffs. And we get US armed extortion through Trump’s mercurial use of the military. Both of these methods are likely to fail, for the simple reason that the US is not the hegemon it once was.

This decline in power is particularly severe for the US military. Yes, the Pentagon remains the world’s most profligate military spender. But the truth is that in relative terms, the Pentagon’s global spending power now sits at just 4% of its WWII peak. And as we will soon see, this monetary view likely overstates the US military’s fighting power. First, though, let’s look at the historical roots of Trump’s imperial death throes.

The wrath of a dying empire

A consistent feature of world history is that when empires are strong, they preside over periods of relative peace. For example, from 27 BC to 180 AD, the Roman Empire ruled over a period of peace known as the Pax Romana. Similarly, the British Empire prevailed over the Pax Britannica, an era of global peace that lasted from 1815 to 1914. And from 1945 onward, the US empire presided over the post-WWII peace, sometimes called the Pax Americana.

Of course, the flip side of imperial peace is the chaos that comes as empires die. Not only do rival states fight over the ensuing power vacuum, but the empires themselves often lash out in vain attempts to resurrect past glory. Today, the US empire has entered its (attempted) resurrection stage.

Things are not going well.

Future historians will probably point to Trump’s war in Iran as the moment when the US empire entered into terminal decline. Yet the roots of Trump’s imperial debacle date back to 2001 — the year when George Bush declared his global ‘war on terror’. In a way, Bush’s language was as important as his actions. As Ian Welsh notes, the word ‘terrorism’ has become code for “violence by people who are our enemies”. The effect of this label is to take diplomacy off the table. (You can negotiate with a ‘rival’ or even an ‘enemy’. But you can’t negotiate with a ‘terrorist’.)

With diplomacy negated by the threat of ‘terrorism’, the US began to ramp up its military interventions around the globe. Figure 9 shows the resulting explosion of conflict. From 1947 to 2001, the US military engaged in an average of 0.75 conflicts per year. (Admittedly, some of these conflicts were brutal wars, as in Korea in the 1950s and Vietnam in the 1960s). However, from 2001 onward, the number of US conflicts rose dramatically. At the same time, US military tactics changed. Airborne assassination became the norm, prompting all the public admiration that one might expect from an empire that conducts extrajudicial executions from the sky.

Figure 9: The war on terror as the end of US imperial peace. This chart plots the annual number of conflicts (worldwide) involving the United States, dating back to 1946. Note the conspicuous rise in the number of conflicts during the ‘war on terror’. I suspect that future historians might cite this period as the end of the Pax Americana. [Sources and methods].

Figure 10: The evolving geography of violence — US military interventions since 1946. This chart illustrates how the ‘war on terror’ systematically changed the geography of US military violence, centering it on the Muslim world. Here, I’ve used gray-scale to indicate the Muslim populations within OIC (Organization of Islamic Cooperation) member states. Each point represents a US conflict, with the year indicated by color, the intensity indicated by size, and the conflict type indicated by shape. Note: the within-country location of each conflict point is random. [Sources and methods]

Even more evocative than the growing number of US conflicts has been the changing location of these military engagements. Once a tool for enforcing global peace (and suppressing the occasional communist movement), the ‘war on terror’ saw the US military become a cudgel for terrorizing Muslim populations in the Middle East and North Africa. Figure 10 shows this evolving geography of violence.

It’s within this geographic (and demographic) context that we should understand Trump’s war with Iran. After two decades of targeting ragtag militant groups throughout the Islamic world, the Iran War saw the US pick a fight with a major military power. Or at least, that’s what the battle damage would suggest. In the Persian Gulf, many US military bases now lie in ruins, as does a significant portion of the oil-and-gas infrastructure (which the US military guaranteed it would protect, but apparently could not). And of course, the Strait of Hormuz is now controlled by Iran.

Looking at these battlefield outcomes, what’s odd about the Iranian victory is that on paper, Trump’s war had all the markings of a US blowout. In 2024, the Pentagon outspent the Iranian military more than 100-fold. In light of this spending dominance, there are two ways to interpret the US humiliation. Either Iran got lucky and the US fell victim to remarkably poor planning, or Pentagon spending offers a gross mismeasurement of US military power.

Let me build the case for the latter scenario.

Thorstein Veblen’s business

The belief that military spending indicates military power derives from the broader belief in neoclassical economics, which asserts that income (the flip side of spending) always stems from productive ‘output’. This belief system is a lie.

A quick look at the real world shows that many types of income stem from doing nothing productive at all. Such is the case with copyleft trolls, who exploit loopholes in early Creative Commons licenses to extract money from people who’ve made minor attribution errors for content that’s otherwise designed to be free. Now, we commonly call this extortion technique a ‘scam’ or a ‘fraud’. But if the political economist Thorstein Veblen was alive today, he’d probably just call it business.

You see, Veblen (who lived through the 19th-century heyday of robber-baron capitalism) had a dark view of capitalist enterprise. For Veblen, the goal of ‘business’ was not to produce useful things, but instead to impose property rights onto society, thereby creating the institutional power to command income. So as Veblen would see it, copyleft trolls appeal to the purest form of ‘business’, which is to receive money by sabotaging an otherwise free activity. The point here is that when we look at income (and its flip side, expenditure), we’re seeing the effects of ‘business’ success.

Now for Veblen, the antithesis of ‘business’ was the unmonetized human desire to create and produce useful things — a tendency that he called industry. Thus, when a farmer grows corn, he engages in ‘industry’. But when a commodity trader speculates on the price of corn futures, he engages in ‘business’. What’s important about Veblen’s distinction is that it allows for a divergence between the scale of ‘business’ income and the scale of social ‘industry’. Or put another way, it allows for the existence of the modern United States.

The business-to-industry index

To frame the (seemingly) underwhelming returns to Pentagon spending, it helps to first understand the wider pathology of US power. Once the center of global manufacturing, today the United States more closely resembles a patent troll. It is a country where ‘business’ is booming but homespun ‘industry’ is anemic.

Tellingly, Trump’s State Department boasts that about 40% of US income and 80% of US exports stem from the enforcement of intellectual property rights. So what’s wrong with that? Well, in a business sense, nothing. For the person receiving money, all income is the same, no matter how it’s generated. But in a broader social sense, the source of one’s income matters. To put it crudely, income from professional murder is different than income from nursing.

In a slightly less pathological vein, IP-based income is socially detrimental because it inflates the price of goods and services that could otherwise be cheap, or even free. (Absent the copyleft troll, the use of Creative Commons images costs nothing.) In other words, intellectual property is a tool for extracting ‘business’ profits by choking off human ‘industry’.

To have a closer look at this business chokehold, I’m going to turn to a metric that I call the business-to-industry index. The goal here is to quantify the relation between Veblenian ‘business’ (the act of profiting from property rights) and Veblenian ‘industry’ (the act of providing useful goods and services). For its part, Veblenian ‘business’ is the easier activity to quantify, because the goal is always to command an income stream. Hence, the success of ‘business’ can be measured in terms of some form of relative income.

In contrast, Veblenian ‘industry’ is more difficult to quantify, because it encompasses a wide variety of activities that resist simple aggregation. Here, I’ll sidestep this problem by ignoring industrial ‘output’. Instead, I’ll measure the input of primary energy. The idea is that energy is essentially a biophysical currency — it’s a thermodynamic transaction that must be paid (to the universe) to do anything materially useful. So with thermodynamic payments in mind, I’ll measure the scale of ‘industry’ in terms of energy consumption.

The business-to-industry index consists of the ratio of these two views of society — the ratio of relative income to relative energy use. In the case of the United States, I define the business-to-industry index as the ratio between the US share of world income and the US share of world energy use:

\displaystyle \text{US business-to-industry index} = \frac{ \text{US share of world income} } { \text{ US share of world energy use } }

Figure 11 shows these two views of US power. The red curve plots the ‘business view’ — the US share of world income. And the blue curve shows the ‘industry view’ — the US share of world energy consumption.

Figure 11: Two views of US hegemony. This chart shows two ways to measure the rise and fall of US global dominance. The ‘business’ view measures the US share of world income (US GDP as a share of world GDP). The ‘industry’ view measures the US share of world energy consumption. [Sources and methods]

Eyeballing Figure 11, it’s clear that historically, the rise and fall of US ‘business’ power stemmed in large part from the rise and fall of industrial hegemony. And fundamentally, that makes sense. If claims on property rights aren’t backed by material power, then they become tenuous to enforce and easily undercut.

That said, when we look more closely at the relation between the two views of US power, a fascinating long-term pattern emerges. Figure 12 illustrates the trend. Here, I’ve calculated the US business-to-industry index — the US share of world income relative to the US share of world energy use. What’s remarkable (and in my mind unexpected) is that for over two centuries, this index has trended north.

In the early 19th century, the US was an industry-dominated country, meaning its share of world energy use was significantly larger than we’d expect from its share of world income. But by the late 20th century, the US had become a business-dominated country, meaning its share of world income significantly outstripped its share of world energy use. All told, the US business-to-industry index is now (as of 2025) more than three times higher that it was in 1790.

Figure 12: The business-to-industry index in the United States. In the early 19th century, the United States was an industry-dominated country — its share of world energy use outstripped its share of world income. But over the last 200 years, the US has become a business-dominated country. Today, its share of world income outstrips its share of world energy use. [Sources and methods]

Now, since this essay is ultimately about the US military (and not US society in general), I won’t dwell on the evidence in Figure 12. But I can’t help but connect the trend in the business-to-industry index to a point that Steve Keen recently made about the double-edged sword of empire.

Note that it was shortly after World War II that the US business-to-industry index entered business-dominated terrain. And it was around the same time that the US dollar became the world’s reserve currency. I doubt this mutual timing is a coincidence. Keen observes that although control over the world’s reserve currency comes with well-known opportunities for profit, it also comes with a major downside, which is that it kills homegrown industry. That’s because when a currency attains reserve status, it tends to become overvalued, thereby making exports in the currency-issuing country less competitive. The net effect, according to Keen, is that issuing a reserve currency is “not a spoil of Empire, but a spoiler of Empires.”

Looking ahead, there’s definitely more to be said on the theme of booming business and anemic industry. But for now, let’s return to the topic at hand, which is US military power. If the United States as a whole has become ‘business dominated’, it seems plausible that the US military has undergone a similar transformation.

Let’s have a look.

The Pentagon’s problem: A growing mismatch between the ‘business’ and the ‘industry’ of war

Having defined the business-to-industry index for the United States, it’s easy to apply this metric to the US military. Looking at the Pentagon, its business-to-industry (BTI) index consists of US military expenditures as a share of world income, relative to the US military’s share of world energy use:7

\displaystyle \text{Pentagon BTI index} = \frac{ \text{Pentagon share of world income} } { \text{ Pentagon share of world energy use } }

Now, before we get to the data, it’s worth noting that while the notion of a war ‘business’ (the act of profiting from violence) is fittingly Veblenian, the idea of a war ‘industry’ is … not. You see, outside of capitalism, Veblen had a fairly optimistic view of human nature. Commenting on Veblen’s thinking, political economists Jonathan Nitzan and Shimshon Bichler argue that the purpose of Veblenian ‘industry’ is the “efficient production of quality goods and services for the betterment of human life” [my emphasis].

Obviously, if we speak of a ‘war industry’, the notion of ‘bettering human life’ takes on a darker tone. Whereas Veblenian ‘industry’ is positive-sum for the whole of humanity, the notion of a ‘war industry’ is at best, zero-sum. The goal of the ‘war industry’ is to produce a powerful military that triumphs over rivals, thereby bettering the lives of the victors (by ruining the lives of the losers).

Acknowledging this dark side of human behavior, let’s see how the ‘business’ view of the US military lines up with the ‘industry’ view. The short answer is that it doesn’t. Figure 13 tells the story. Compared to the ‘business’ view of Pentagon expenditures, the ‘industry’ view of Pentagon energy consumption is far more anemic. Not only does the Pentagon consume significantly less energy than we would expect from its share of world income, this energy share has declined dramatically.

The net result, as Figure 14 demonstrates, is that the US military’s business-to-industry index has more than doubled over the last fifty years. And if we take the absolute value of this index seriously (which is a speculative exercise), it suggests that the Pentagon’s stupendous budget may overestimate its war-making power by more than a factor of seven.

Figure 13: Two views of declining US military power. According to the ‘business’ view of US military power (Pentagon spending as a share of world GDP), the US military has seen a modest decline over the last fifty years. But according to the ‘industry’ view (Pentagon energy use as a share of the world total), the decline in power has been much more severe. I should add that I regard energy consumption as the more accurate measurement of military power. Note the log scale on the vertical axis. [Sources and methods]

Figure 14: The business-to-industry index for the US military. Over the last fifty years, the US military has become an increasingly business-dominated institution, with its share of world income far outstripping its share of world energy use. If we take this measurement literally, it suggests that Pentagon spending overstates US military power by more than a factor of seven. [Sources and methods]

Conspicuous consumption

Since the United States is now a business-dominated country (Figure 12), it makes sense that the US military would exhibit similar behavior (Figure 14). But what’s somewhat surprising is the degree to which Pentagon spending overstates its consumption of energy. (And to be clear, the use of energy is the more realistic indicator of war-making power.)

To characterize this mismatch, it seems fitting to borrow another idea from Thorstein Veblen. Actually, economist Michael Hudson beat me to the analogy. In a recent interview, Hudson compared US weapons to a Rolls-Royce. They’re a technology that exists largely to be seen. Now, the military has a suitably stern phrase for this ostentatious behavior. They call it ‘power projection’. But given the US military’s apparent deficit of power, perhaps a better term would be conspicuous consumption.

This was Veblen’s term for the behavior of Gilded-Age elites, who had a pathological need to put their wealth on display by parading around objects of great expense. Today, it seems that US military planners have a similar impulse. They feel compelled to procure weapons of ludicrous expense, and to parade them around as a show of force.

Of course, this is not to say that US weapons don’t work. They do. But they ‘work’ in the same way that a Rolls-Royce ‘works’ as a commuter car. Yes, it gets the job done, but at a cost that doesn’t scale. Or put another way, while the US military boasts about its ability to buy Rolls-Royce weapons, less wealthy armies are busy building unassuming weapons that can be manufactured cheaply at scale — the war-making equivalent of mass transit.

Let me demonstrate this weapons scaling problem with some simple math.

When Trump launched his unprovoked assault on Iran, it seems that US planners were not prepared for the effectiveness of Iranian drones. And one can understand why. In terms of their ability to ‘project power’, Iran’s Shahed drones are unimpressive. They’re built from inexpensive fiberglass and styrofoam, piloted by consumer-grade GPS, and deliver a modest explosive payload of up to 100 pounds. But as the US military learned the hard way, this unimpressiveness is the point. The Shahed drone can be mass-produced for as low as $20,000 each, which corresponds to roughly $200 per pound of delivered explosive. Nothing in the US arsenal can compete with this budget-based power.

As an example, take the famed Tomahawk missile, a mainstay of US air assault. Developed in the 1970s, each Tomahawk missile now costs about $2 million to procure. For that price, it delivers about 1000 pounds of explosive payload. Sure, that’s more destructive power than the Shahed drone. But at $2000 per pound of explosive, the Tomahawk is also about ten times more expensive, pound for pound. Hence, for the same price, an arsenal of Shahed drones could deliver far more destruction than an arsenal of Tomahawks.

Upping the ante of conspicuous consumption, let’s turn to the F-35 program. With a projected total cost of over $2 trillion, the F-35 project is expected to deliver about 2400 fighter jets. That corresponds to a lifetime cost of over $800 million per jet. Now, if we assume that these jets are used mostly for power projection, a reasonable estimate is that each plane might deliver 80,000 pounds of explosive during its lifetime. (See my calculations in the appendix.) Doing the math, that comes out to about $10,000 per pound of delivered explosive — a pound-for-pound price tag that’s roughly 50 times more than the Shahed drone.

Now, the irony is that in the 21st century, the F-35 is a baroque technology that no one needs, but that US weapons contractors desperately want to build. And in a sense, that’s the point. The F-35 exists not because it’s an efficient war-making investment, but because it’s an extremely profitable weapon to sell. Its bespoke construction allows monopolistic contractors ample opportunity for markup. And so the US military now finds itself in an odd situation. As analyst Alastair Crooke observes, the Pentagon wants not for money, yet is nonetheless plagued by “sclerotic supply-lines, long production cycles and minimal weapon inventories.” In short, the Pentagon finds that its booming war ‘business’ is built on an anemic war ‘industry’.

An embarrassment of riches

The gods of history no doubt had a sense of irony when they gave Donald Trump the keys to the world’s most expensive military. Not every politician is so foolish to mistake stupendous military spending for great military power. But with Trump — a man who’s never seen a room that couldn’t use more gold-plated decor — the gods found their mark.

And so here we are. Convinced of its unmatched power, Trump let his Rolls-Royce military loose on a third-rate army, only to see it humiliated. The gods continue to laugh. While Trump may never understand the joke, we can easily unearth the punchline. You see, unlike the Pentagon, which is a business-dominated institution, the Iranian military is likely the opposite sort of organization — a place where ‘business’ is subservient to ‘industry’.

Let me make the case by returning to the business-to-industry index. Figure 15 shows the business-to-industry index for the Pentagon, the United States, and Iran. Unlike the business-leaning United States and the business-dominated Pentagon, Iran is an industry-dominated country. After decades of trade-suppressing US-led sanctions, Iran’s share of global income is now markedly less than its share of global energy use.

Figure 15: The business-dominated empire and the industry-dominated rebel. Unlike the Pentagon and the wider United States (which have both become more business dominated over the last fifty years), Iran has become more industry dominated. This transformation was almost surely pushed by US sanctions, which were first implemented in 1987. The net result is that today, Iran’s share of world energy use dwarfs its share of world income. If Iran’s military resides in the same industry-dominated territory as the country as a whole, we can infer that for every dollar of military spending, the Iranian military is able to mobilize about 30 times more energy than the Pentagon. Note the log scale on the vertical axis. [Sources and methods]

Of course, the business-to-industry index for the Iranian military itself remains unknown. But let’s suppose that the Iranian military is similar to Iran as a whole. If so, we can immediately see why the Pentagon’s spending power mismeasures its military advantage over Iran.

In 2024, the Pentagon’s business-to-industry index was 7.7, while Iran’s business-to-industry index was 0.22. If the Iranian military exists in similar territory, we can surmise that compared to the Pentagon, every dollar of Iranian military spending mobilized more than 30 times more energy. Or put another way, although the Pentagon outspends the Iranian military by two orders of magnitude, its energy advantage is likely much smaller — potentially as little as a factor of four. If we add in Iran’s fortress geography and the globe-spanning nature of US forces, we can see how Iran might prevail against a military that, in terms of finance, seems far more powerful.

At any rate, it’s fitting that Donald Trump is the politician to discover this trick of accounting, because he’s the last person who’ll get the joke. Indeed, there seems to be no irony in Trump’s proposal for a ‘golden dome’ — a missile-defense boondoggle that (if it ever gets built) will be a gilded prize for military contractors. And then there’s the proposed Arc de Trump. Sure, it’s a grotesque nod to Napoleon. But it’s also an unwitting metaphor for Trump’s unfolding Waterloo moment. Money may buy glittering gold, but it doesn’t always buy military might.

Support this blog

Hi folks, Blair Fix here. I’m a crowdfunded scientist who shares all of my (painstaking) research for free. If you think my work has value, consider becoming a supporter. You’ll help me continue to share data-driven science with a world that needs less opinion and more facts.

member_button

Stay updated

Sign up to get email updates from this blog.


This work is licensed under a Creative Commons Attribution 4.0 License. You can use/share it anyway you want, provided you attribute it to me (Blair Fix) and link to Economics from the Top Down.

Sources and methods

Share of world military spending in 2024 (Figure 1)

Data is from the World Bank, series MS.MIL.XPND.CD (Military expenditure in current USD).

US military spending (Figures 2 4, 6 8, 13 15)

Data is from the following sources:

  • 1947 to 2025: FRED series FDEFX (Federal Government: National Defense Consumption Expenditures and Gross Investment);
  • 1789 to 1946: Historical Statistics of the United States, Millennial Edition, series Ea638 (army spending), Ea639 (navy spending), and Ea640 (air force spending). I take the sum of these series and index them to the FRED data in 1947.

US consumer price index (Figure 3)

Data is from the following sources:

  • 1947 to 2025: FRED series CPIAUCSL (Consumer Price Index for All Urban Consumers: All Items in U.S. City Average);
  • 1789 to 1946: Historical Statistics of the United States, Millennial Edition, series Cc1 (indexed to FRED data in 1947).

US GDP and GDP per capita (Figure 4, 7, 11, 12, & 15)

  • 1947 to 2025: FRED series GDP;
  • 1800 to 1946: Historical Statistics of the United States, Millennial Edition, series Ca10;
  • 1790 to 1799: Historical Statistics of the United States, Millennial Edition, series Ca9. This is ‘real’ GDP data that I’ve converted to nominal GDP using the US consumer price index (see sources above). I have no idea why the nominal GDP data ends in 1800, but the ‘real’ GDP data goes back another decade. Let’s chalk it up to economists’ general neglect for the importance of nominal data.
  • all data is spliced backwards from the FRED data

For GDP per capita calculations, population data is from:

  • 1959 to 2025: FRED series POPTHM;
  • 1790 to 1958: Historical Statistics of the United States, Millennial Edition (series Aa7, indexed to FRED data in 1959).

Pentagon spending paid to top 100 US defense contractors (Figure 5)

Spending data is from the following sources:

S&P 500 earnings per share (Figure 6)

Data is from Robert Shiller’s website.

World GDP (Figures 8, 11 15)

Data is from the following sources:

Note that the data prior to 1960 comes with some major caveats. The Maddison database reports global ‘real’ GDP, measured in terms of purchasing power parity. That is, within each country, GDP is measured relative to some common basket of goods. Hence, the Maddison-database goal is not to measure nominal income, but rather to measure the standard of living, as captured by consumer purchasing power. Given this premise, it’s not ideal to use the Maddison data as a measurement of nominal world income. Nonetheless, when it comes to deep historical GDP data, the Maddison database is the only game in town.

Here’s how I convert the Maddison data into a measure of nominal world GDP. First, I assemble a long-term dataset for the US GDP deflator as follows:

  • 1929 to 1960: FRED series A191RD3A086NBEA;
  • 1800 to 1928: Historical Statistics of the United States, Millennial Edition, calculated using the ratio between nominal GDP (series Ca10) and real GDP (series Ca9);
  • 1790 to 1799: Historical Statistics of the United States, Millennial Edition, CPI series Cc1. (I use the consumer price index as a proxy for the GDP deflator.)
  • All data is spliced backwards from the FRED data

With this GDP deflator data, I re-inflate the Maddison ‘real’ GDP data (reported in PPP USD) to create a proxy for world nominal GDP, measured in USD. Like I said, this calculation makes some conceptual leaps that are not strictly valid, so treat it with a grain of salt.

US military conflicts (Figures 9 & 10)

Data is from the Uppsala Conflict Data Program, UCDP/PRIO Armed Conflict Dataset version 25.1. (I crawl the UCDP and search for any conflicts in which the United States is a belligerent.) For conflicts in which the US attacked a non-state actor, I’ve placed the conflict inside the country where this non-state actor was active. Note that in Figure 10, the location of individual conflict points is randomly generated by sampling within the geography of the host country.

US energy consumption (Figures 11, 12, & 15)

Data is from the following sources:

  • 1949 to 2025: Energy Information Agency, Table 1.3, Primary energy consumption estimates by source;
  • 1789 to 1949: Appendix E1 in the EIA 2009 Annual Energy Review (available here).

World energy consumption (Figures 11 15)

Data is from the following sources:

  • 1800 to 2024: Our World in Data, Energy Production and Consumption;
  • 1790 to 1800: Data is from Ian Morris’ book The Measure of Civilization, Tables 3.1 & 3.4. Morris reports data for energy use per capita in the East and West. Using population data from Angus Maddison, I aggregate Morris’ data to estimate world energy use. Then I splice this data to the OWID data from 1800.

Pentagon energy use (Figures 13 15)

Energy-use data for the Department of Defense is from the Federal Energy Management Program, Comprehensive Annual Energy Data, Table A-4: Primary Energy Use by End-Use Sector and Energy Type, by Federal Agency. (Note that I use data for ‘primary energy’, not the also-reported ‘site-delivered energy’.)

Iranian GDP and energy use (Figure 15)

Data for Iranian GDP is from the World Bank, series NY.GDP.MKTP.CD (GDP in current USD). Data for Iranian energy use is from the Energy Institute Statistical Review of World Energy, series TES_EJ (total energy supply in exajoules).

F-35 calculations

Here is my calculations for the mass of explosives dropped by an F-35 during its lifespan. I assume that the vast majority (99%) of sorties are for power projection or training, and not for battle:

  • F-35 service life: 8000 hours
  • Length of each sortie: 2.5 hours \rightarrow 3,200 total sorties
  • Combat rate: 1% of sorties \rightarrow 32 combat sorties per plane
  • Explosives dropped per combat sortie: 2500 pounds
  • Result: 80,000 pounds of explosive dropped per F-35 jet

Note: If war breaks out and F-35s are used intensively for dropping bombs, then the combat rate will increase significantly. But at the same time, flying into a battle zone involves the risk of getting shot down, which would reduce the average service life per plane. At any rate, strapping pilots onto flying bomb-dropping machines is a relic of the 20th century. Today, it’s little more than an expensive stunt (much like manned space flight).

Notes

  1. According to the World Bank series MS.MIL.XPND.CD (military expenditure in current USD), Iran’s 2024 military spending was $7.9 billion. In the same year, World Bank data pegs Pentagon spending at $997 billion, a factor of 126 higher. FRED series FDEFX puts 2024 Pentagon spending slightly higher, at $1.083 trillion, which is 137 times larger than Iranian military spending.↩
  2. This maxim seems to be a French proverb. Like many quips about war, it often gets wrongly attributed to Napoleon.↩
  3. Spoiler: Napoleon still lost the war because his army was unprepared for the Russian winter. The upshot is that his spectacular failure gave rise to what is perhaps the greatest scientific visualization ever.↩
  4. According to World Bank data in 2024, US GDP per capita was $84,534 USD, while Chinese GDP per capita was $13,303 USD.↩
  5. A more precise comparison would be to track down the historical average earnings per share for the top 100 military contractors. I briefly thought about doing so, but then balked at the required legwork. (Most of the archival Pentagon data remains trapped in scanned PDFs. Liberating the data would take substantial effort.)↩
  6. To make sense for the US founders’ distrust of standing armies, we have to understand English history. Following the birth of the Magna Carta in 1215, English aristocrats spent centuries trying to rein in the power of the monarchy. A chief problem was that kings controlled the military, and they tended to use this control to suppress their domestic competition.

    Matters came to a head during the English Civil War (1642 to 1651), which saw a decade of conflict between Royalists and Parliamentarians. Although the Parliamentarians won the war, the monarchy remained intact, and English kings continued to test the limits of their military powers. In 1688, King James II went a bit too far and was deposed in the Glorious Revolution. A year later, Parliament passed the Bill of Rights of 1689, which, among other things, prohibited the king from keeping a peacetime standing army without parliamentary consent.

    Fast forward to the American Revolution. When American colonists overthrew British rule, they framed their grievances in terms of the English Bill of Rights. In particular, the Declaration of Independence charged the British king with maintaining a peacetime standing army without the consent of colonial legislatures. When colonists later drafted the American Constitution, they made sure to guard against standing armies by giving Congress control over military spending, and by putting a two-year limit on all military appropriations.↩

  7. Note that it would probably be better to use world military income (spending) and world military energy use in the respective denominators of the military business-to-industry index. But the problem is that the energy use of most militaries remains unknown, and data for global military expenditures lacks historical depth.↩

Further reading

Doctorow, C., & Giblin, R. (2022). Chokepoint capitalism: How big tech and big content captured creative labor markets and how we’ll win them back. Beacon Press.

Fix, B. (2019). The aggregation problem: Implications for ecological and biophysical economics. BioPhysical Economics and Resource Quality, 4(1), 1.

Nitzan, J., & Bichler, S. (2009). Capital as power: A study of order and creorder. New York: Routledge.

Veblen, T. (1904). The theory of business enterprise. New York: Martino Fine Books.

Veblen, T. (1923). Absentee ownership: Business enterprise in recent times: The case of America. Transaction Pub.

The post The Business of War and the Mismeasurement of Military Might appeared first on Economics from the Top Down.

17:56

Link [Scripting News]

BTW, I don't think the web was created to make people rich.

17:14

Link [Scripting News]

Another way to look at Claude Code. It's a way to talk to your code, to ask it questions, and tell it how you want it to change.

Link [Scripting News]

I think maybe it's time to consider a reboot of WordPress. I can't seem to seed them with any ideas about building on it from the point of view of the web. It's a product unto itself, it has plugins, but I'm not a plug-in sort of guy. I write operating systems. That's what drives me. I see a great place to put an OS with WordPress as the storage and publishing component, and everything else grows up around it. It's one of those famous coral reefs but it hasn't been born yet. The idea would not be to compete with WordPress, it's to make something that fits into our view of the world, that just happens to be the same codebase. And when on the other side they think they have to do it themselves we reach out and say here, just take this over, it's yours. It's so hard to penetrate the awareness inside old organizations with new ideas. I think it's the manifest destiny of WordPress, that what they have now is a nice revenue generating machine, but it's not serving as the web's writing base, which is what imho it was supposed to be. (And I have a bit of standing there, btw.)

Link [Scripting News]

I have news for you -- Claude forgets important stuff. I catch it forgetting to do things it was "programmed" to do. It's not a computer, it's not garbage in garbage out. It could be good stuff in garbage out. As I've said before there's a big chunk of the app I'm working on where I don't read code. User interface stuff only. No control of what comes in our out. Trying to not take any chances here.

This Week in AI: Rethinking the Agent Harness [Radar]

We kicked off our new weekly series This Week in AI on Monday, and we covered a lot of ground in 30 minutes, including an AI model that found security holes faster than decades of human auditing, a data center in Utah the size of two Manhattans, and a practical argument for why the harness you build around a model now matters more than which model you pick.

Here are a few takeaways from the conversation between host Eric Freeman, faculty member at UT Austin and a longtime friend of O’Reilly, and guest John Berryman, founder of Arcturus Labs, an early production engineer on GitHub Copilot, and coauthor of O’Reilly’s Prompt Engineering for LLMs. Watch the entire episode to find out why you should be building your own agent and why John believes eventually there will be no internet for humans.

AI’s security problem is now a policy problem

You’ve probably already heard about Mythos. Anthropic’s internal testing of the frontier model surfaced thousands of previously unknown security vulnerabilities across major operating systems, browsers, and financial infrastructure, including a 27-year-old bug in OpenBSD. Anthropic chose not to release the model publicly and instead launched Project Glasswing, a restricted program giving monitored access to a small group of trusted partners for defensive patching.

That decision moved fast in Washington. In roughly six weeks, the conversation shifted from the light-touch national AI policy released in March to reported White House discussions of an executive order review process modeled on how the FDA handles drugs. Security researcher Bruce Schneier has questioned whether Mythos is uniquely capable here or whether similar results are achievable with cheaper public models, but as Freeman noted (paraphrasing Schneier), either way, it’s a problem that’s coming.

The compute race is getting stranger

Anthropic leased xAI’s entire Colossus 1 supercluster in Memphis: more than 200,000 GPUs and 300 megawatts of power. A month before that deal, Anthropic expanded its agreement with Google and Broadcom for 3.5 gigawatts of capacity coming online in 2027. For context, that’s roughly 10 times the power output of the Colossus 1 deal, in a single contract. After this episode aired, Anthropic announced that that deal has been expanded to Colossus 2 as well.

Box Elder County, Utah, just approved a 40,000-acre AI data center called the Stratos project, backed by investor and TV personality Kevin O’Leary (a.k.a. Mr. Wonderful). It’s planned for 9 gigawatts at full buildout. That’s a footprint more than twice the size of Manhattan, powered by the equivalent of nine commercial nuclear reactors. And like many data center deals going forward, including Colossus above, it was approved over local protests.

Infrastructure at this incredible scale takes years to come online, and the companies making these bets are pricing in a world where model capability keeps scaling. Whether that assumption holds will determine a lot about what’s economically viable to build in the next decade.

The harness matters more than the model

John was on hand to rethink the agent harness, which as he pointed out, entered a new phase with the step change in model capability that occurred in November and December of last year. He took Eric through the arc of AI product development, from document completion and chat loops to tool-calling agents, DAG-based workflows, and now the harness era represented by tools like Claude Code. Each progression added capability, John noted, but also complexity, and each generated a new class of problems around reliability and control. In our current moment, which John has dubbed the “age of the unharnessed agent,” agents are now within reach of everyone, not just software developers.

The payoff of this “unharnessed” era is control. John described a client engagement where he replaced a bespoke application with a skills-driven agent. Now domain experts with no development experience can read the agent’s behavior written in plain English and better understand it. As John explained,

Rather than building a bespoke agent. . ., I just built something that was just the agent harness—the agent—and I just gave it skills that describe what basically I learned in interviewing their experts, how they would work with these agents. And it worked perfectly. Not only does the agent stay on track and do what it needs to do these days, but it’s coded, as far as my client is concerned, in English.

The experts don’t have to complain to developers “this doesn’t work.” The experts can look at the English description of what’s going on and see problems, and maybe even fix it themselves. And I’m really excited to basically give that power into the hands of the people that know best how to change it, the experts.

That’s a different relationship between the experts and the tool than anything a wrapped commercial product offers.

As Eric pointed out, recent Stanford research supports this broader point: Performance gaps between a bare model and a well-designed harness now often matter more than which underlying model you’re using. The benchmark that used to dominate buying decisions, which model scores highest, has been displaced by a harder question about which harness fits the task.

John closed with a demo of his personal agent moving from an Obsidian notebook into Wikipedia and back, carrying context across environments. He used it to illustrate a concept he called the “open agent protocol,” his term for a not-yet-existing standard where an agent receives environment-specific skills as it moves between contexts. The protocol doesn’t exist yet, but the demo made the direction clear.

What’s next

Join us and a rotating lineup of expert guests for weekly live tool demos and deeper dives into the topics that matter in AI. We’re taking next week off for Memorial Day in the US, but we’ll be back on June 1 with host Andreas Welsch and guests Maya Mikhailov and Doug Shannon to cut through another week of AI headlines and separate what actually drives business value from what looks good in a demo but goes nowhere in production. Our first few episodes are free and open to all if you’d like to attend live—register here.

We’ll continue to share full episodes and publish our takeaways here on Radar each Friday. You can also watch or listen on YouTube, Spotify, Apple, or wherever you get your podcasts.

16:28

Link [Scripting News]

This is a multi-billion dollar idea. I want to link to "report-up" concept in something I'm writing. There is no Wikipedia page for that but there is a brief explainer in Google, via their AI. Here's the feature: add a permalink to that response. I'm lazy and will link to it in my writing.

Link [Scripting News]

Does it ever cross anyone's mind that according to the rules of war, Iran would be totally justified in attacking the United States?

16:07

[$] Custom page-cache policies with BPF [LWN.net]

The kernel's page cache is charged with maintaining pages (or, more correctly, folios) containing copies of data from files in the filesystem; its performance has a big effect on the performance of the system as a whole. One of the key decisions the kernel must make is when to evict folios from the page cache. At the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Tal Zussman ran a memory-management-track session on how the page cache could be better customized for specific workloads. It will not be much of a spoiler to say that it involves BPF.

15:21

[$] Toward better handling of major page faults [LWN.net]

A major page fault occurs when a process attempts to access a page that is not currently present in RAM; satisfying such faults usually involves I/O, and can thus take some time. When many threads sharing an address space are generating page faults, the result can be significant lock contention while that I/O takes place. During the memory-management track at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Barry Song led a session to try, yet again, to find an enduring solution to this problem.

15:14

CISA Security Leak [Schneier on Security]

Crazy story:

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

News article.

15:00

Link [Scripting News]

Vibe-coded software will have a place where users can communicate what they want to developers who can help make it real. The same way you might get medical info from an AI, but would still get your colonoscopy from an actual doctor. Part of the origin story of podcasting is that Adam hacked up a version of Frontier to illustrate what he had in mind for the "last yard" protocol. When I looked at the code it was horrible, hard to believe someone thought of doing it that way. But it got the point across, and that's the moment the podcasting boostrap began. I love using the AIs to tell a visual story, a skill I never had or developed. No reason it can't work the same way for software.

Finding the Microsoft video [Scripting News]

In yesterday's podcast I mentioned a Microsoft promotional video from the 90s. JY Stervinou on Twitter asked if he had found it, and it was close but it was the video I was talking about. So I checked in with Claude with this prompt.

  • there was a microsoft promotional video in the 90s featuring bill gates and steve ballmer riding up front in a car, it's a ripoff of a volkswagon commercial, the music is catchy song Da Da Da. they drive around and then see a Sun Microsystems computer, they pick it up but it smells bad (apparently) and they drop it off in someone's garbage. i can't find the video on the web, can you?

It found a low rez version of the video on YouTube, with a comment.

  • It's a spoof of the 1997 Volkswagen Golf commercial, with Ballmer and Gates driving a Golf, picking up a Sun workstation and later rejecting it. The "Da Da Da" track is by the German band Trio. One source describes the dropped computer as an old IBM rather than Sun, so accounts differ on that detail, but the Know Your Meme listing specifically says Sun workstation, matching what you remember.

Here's the low-rez video at 1/4 size.

The computer in the video I saw was definitely a Sun workstation. It wouldn't make much sense for it to be an IBM in 1997, Microsoft had already passed over IBM, they were in the middle of the Java Wars with Sun, and there even is a Sun response to the Microsoft video with two actors playing Gates and Ballmer, and in the end Sun CEO Scott McNealy shows up, after (it turns out) Gates smells and the Sun terminal is still in the back seat and users and developers are still nowhere in sight.

I imagine there are a few old time Microsoft people still following this blog, if anyone has a decent resolution version of the Da Da Da video, I'd love to get a good version on the web of 2026.

14:49

14:35

Error'd: April is Special, and so are you [The Daily WTF]

"April is special," writes Elwin. It is, but take heart May, every month is special at TDWTF.

ef33dacc82c1495bbc2c68cf30461f3c

"Admiral Ackbar is pinterested," punned The Beast in Black

0b5ff0ba77cc480cb3c0a6ca91ef10b6

Manuel H. clocked something off on this website. "Noon seems to be very late in Lithuania, or maybe only in this hotel restaurant in Vilnius." 15H AM must be on some planet with a 32H day.

18d8b28ac37243708f1f4711be97cebf

"Amazon can't make up its mind!" ranted an anon. "Do I need to wait 2 business days or 3? Make up your mind Amazon!"

abc72aa0987b4e84816906e2b598dc11

Duston decided to close us out with a pun. "Looks like they have a problem, but it's trivial." Well done.

a821a18e000c4152a327d79dd2a05744

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

Security updates for Friday [LWN.net]

Security updates have been issued by AlmaLinux (firefox), Debian (chromium, nss, openvpn, and thunderbird), Fedora (cockpit, kernel, and linux-firmware), Oracle (gdk-pixbuf2, kernel, and libsndfile), SUSE (container-suseconnect, cpp-httplib, dnsmasq, firefox, glibc, GraphicsMagick, java-1_8_0-openj9, kernel, mozjs115, php8, python-urllib3, rekor, rootlesskit, rsync, tiff, ucode-intel, util-linux, and xz), and Ubuntu (bind9, bubblewrap, libarchive, linux-intel-iot-realtime, postgresql-14, postgresql-16, postgresql-17, postgresql-18, and xdg-desktop-portal).

13:28

New Cover: “The District Sleeps Alone Tonight” [Whatever]

I got myself a new musical instrument (one of these) and I thought I would give it a spin on a cover song. For reasons that are known only to the subterranean recesses of my own brain, this is the song that immediately recommended itself, the second-most popular song from The Postal Service.

The Orchid (the synth I got) is indeed providing one layer of the synth sequence that runs through the whole song, although there are other sounds at work as well. Plus I put my falsetto to work for some harmonies. In the actual song, the harmonies are handled by Jenny Lewis, and I’m not going to get anywhere that level, but I think I did okay enough, considering.

Not bad for basically one-noting my way around a new synth. I hope you like it. Enjoy.

— JS

10:49

10:21

The second thing [Seth's Blog]

It’s useful and satisfying to have people go along with your wishes and your taste.

But hoping that they’ll be delighted to do so and thank you for pointing out their previous errors might be asking for too much.

It’s one thing for people to act as if you’re right. It’s a whole other thing for them to acknowledge that they are wrong. It might not be worth what it costs to achieve.

09:00

Chicanery [Penny Arcade]

New Comic: Chicanery

06:14

How do I use Win32 structures from the Windows Runtime? [The Old New Thing]

The Windows Runtime attempts to provide a language-independent interface for Windows APIs: The ABI is consistent across the Windows Runtime, and the APIs themselves are described via metadata, allowing each language to map the Windows Runtime concepts into concepts that are more natural for each target language. For example, the Windows Runtime DateTime maps to a corresponding date-time type for each target language, like std::chrono::time_point for C++ or Date for JavaScript. A cost of this goal is that the expressiveness of the Windows Runtime is constrained by the desire to make all the features available to all languages. For example, there are no raw pointers in the Windows Runtime.

Win32 structures defined in classic C/C++ header files are not part of the Windows Runtime. So in a literal sense, you can’t use them from the Windows Runtime.

But you can fake it.

You can declare a shadow structure in the Windows Runtime that has the same layout as the classic Win32 structure you want to use. For example, you could declare your own Win32Point structure:

struct Win32Point
{
    Int32 X;
    Int32 Y;
};

Note that the Windows Runtime has its own conventions for some things that in Win32 are represented by structures. For example, the PROPERTYKEY structure is represented conventionally in the Windows Runtime in its string form. You can use functions like PSPropertyKeyFromString and PSStringFromPropertyKey to convert between them.

The post How do I use Win32 structures from the Windows Runtime? appeared first on The Old New Thing.

05:49

Girl Genius for Friday, May 22, 2026 [Girl Genius]

The Girl Genius comic for Friday, May 22, 2026 has been posted.

01:35

Steve McIntyre: Secure Boot and Microsoft CA Rollover - a heads-up for distributions [Planet Debian]

Background

I'm a member of the EFI team in Debian, and I've done much of the work for Debian to support UEFI Secure Boot (SB) in recent years. We have included that support for a number of releases now, starting back with Debian 10 (aka Buster).

I'm also a long-time accredited member of the shim-review team, the group that checks and approves shim binaries before Microsoft will sign them.

See the Debian wiki for lots of background details about Secure Boot and how we do things in Debian.

Secure Boot depends on signatures, which are verified during boot using a chain of X.509 certificates. The root certificate(s) in the chain are embedded in computer firmware, then later software such as shim can add more certificates to extend the trust. Easy, right?

The problem - certificates expire...

Microsoft administer the most widespread Secure Boot root certificates, and have been doing so since the very beginning of UEFI Secure Boot as a concept. The Microsoft UEFI CA certificates are included in just about every x86 and x86-64 computer shipped, and also in quite a lot of arm64 machines too.

(The fact that Microsoft is therefore a gatekeeper for Linux running under Secure Boot on most machines is very unpopular in some quarters, but this is just a fact of life in the world we live in. None of the following will affect you if you're using Secure Boot with your own keys only.)

The current certificates have been around since 2011:

1. Windows Production PCA 2011 (used for signing Windows components)

  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
  Validity
    Not Before: Oct 19 18:41:42 2011 GMT
    Not After : Oct 19 18:51:42 2026 GMT

This expires in October this year, ~5 months from now.

2. Third Party Marketplace Root (used for signing option ROMs and other software)

  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
  Validity
    Not Before: Jun 27 21:22:45 2011 GMT
    Not After : Jun 27 21:32:45 2026 GMT

For Linux folks, this second certificate is more interesting - it is the root of the certificate chain that Microsoft use when signing shim for Linux distributions

This CA expires 5 weeks from today.

OMG!!! Will all my existing Secure Boot machines stop booting?

Almost definitely not, no.

The specification for UEFI Secure Boot expects that valid dates on certificates should not be enforced for signatures here. All that matters here is the signatures themselves. Modulo buggy firmware, existing signed binaries should continue just fine.

New CAs to be aware of

Microsoft have published three new CAs:

1. A new CA used for signing device option ROMs

  Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
  Validity
    Not Before: Oct 26 19:02:20 2023 GMT
    Not After : Oct 26 19:12:20 2038 GMT

2. A new CA used for signing Windows components

  Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
  Validity
    Not Before: Jun 13 18:58:29 2023 GMT
    Not After : Jun 13 19:08:29 2035 GMT

3. A new CA used for signing other software (e.g. shim)

  Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
  Validity
    Not Before: Jun 13 19:21:47 2023 GMT
    Not After : Jun 13 19:31:47 2038 GMT

New machines and updated older machines will most likely have all of these new CAs installed. New machines are already shipping that only include the new CAs; they will not trust older software and this has already started causing problems for some users.

Isn't this is all a bit short notice?

Yes it is. :-(

A common rule of thumb when deploying CA certificates is to start the process of replacement ("rollover") when a certificate reaches half of its lifetime. Unfortunately, Microsoft have done this very late. They generated new keys in 2023, but didn't start signing shim and other third-party software with the UEFI CA until October 2025.

If I'm a distro developer, what should I do?

If you already have an old shim signed by Microsoft for your distribution from before October 2025, then it will only be signed using the older CA that expires soon. On newer machines, your users will already not be able to boot your distro with Secure Boot enabled.

If you want your users to be able to use Secure Boot in future, you will need to get a new shim build submitted, reviewed and signed using the new CA. However, that signed build will not work on older machines unless they have had the new CAs installed. This is also likely to cause problems for some users. You should encourage your users to update their systems NOW before things break for them.

There is an interim solution which will work, but only if you're quick! Microsoft are currently returning shim binaries signed using both the old CA and the new CA. More specifically, for every binary that is submitted they will return two: one signed with each CA. If you use these directly, you'll need to plan to publish:

  • 2 signed shim binaries
  • 2 installers
  • 2 sets of live/installer images
  • etc.

and explain to your users how they'll need to pick one. Good luck with that!

However, it is possible to extract signatures from those signed shim binaries and attach them all onto one shim, giving you the Holy Grail here - a single shim that will boot on the vast majority of machines. Indeed, this is what I'm planning on doing in Debian. So-called "dual-signed" shims may provoke issues with buggy firmware, so be aware that you may have to deal with this too. But take heart: early testing by various distro folks with a dual-signed Fedora shim did not show any problems.

You have 5 weeks and counting...

Microsoft have promised to continue signing with the old CA as long as possible, right up to the last day. They understand how awkward things are going to be otherwise, and are trying to help here as much as possible.

In the shim-review team, we have been expecting to see a surge of shim submissions before the old CA expires, to make the most of the "Holy Grail" dual-signed shims described above. But we've been really surprised that this has not been happening.

So, this blog is a wake-up call for people doing Secure Boot with shim. Even if you're not going to be ready to ship a new shim binary to your users, you should really try to get a new build prepared and signed NOW so that you have it available to tide you over through the coming CA transition. Don't leave it too late.

If you're not sure what to do, ask me and the other shim-review folks. We're happy to give advice. But don't delay.

You have 5 weeks and counting.

References

I'll add more links here in the coming weeks.

Thursday, 21 May

23:35

ffs 0.2.2 released [Planet GNU]

ffs provides a minor mode for simple plain text presentations in Emacs, where the slides are separated using the page-delimiter, by default the form feed character (^L).

I wrote ffs in early 2022 for my LibrePlanet 2022 presentation the Net beyond the Web, and earlier this year decided to polish it towards being a proper package and submit it to GNU ELPA. The manual still needs some more work, but the overall package is in pretty good shape so I submitted for inclusion in GNU ELPA.

ffs and I owe a debt of gratitude to Protesilaos for rounds of code review and feedback for improving and polishing the package in preparation for submission to GNU ELPA. You can watch videos of these sessions posted earlier on my website:

Further, inspiration for parts of ffs's implementation was gratefully drawn from Protesilaos's Logos package for Emacs.

Dedicated to the loving memory of Farangis Yousefinia.

Below are the release notes.

Version 0.2.2 on 2026-05-21

First release of ffs on GNU ELPA.

The attempted build of ffs 0.2.1 within GNU ELPA build sandbox failed with an Error: void-function (org-texinfo-kbd-macro) due to use of #+macro: kbd (eval (org-texinfo-kbd-macro $1)) in ffs.org for better formatting of key sequences in the exported Texinfo copy. This seems to have happened for the specific case of generating a plain text README using ox-ascii where ELPA didn't load ox-texinfo. To try and mitigate this, a README.md has been added for use as the package README instead of ffs.org. If not sufficient, a Texinfo copy of the ffs manual will be shipped instead of the Org one in the next release.

ffs 0.2.2 also includes small fixes and improvements throughout ffs.el from Stefan Monnier, and additional feedback to be addressed in future releases.

Version 0.2.1 on 2026-05-20

The attempted build of ffs 0.2.0 within GNU ELPA build sandbox failed with a "Cannot include file" error on the "#+include: fdl.org" in the manual. So, as a workaround, we switch to using the official Texinfo copy of the GNU FDL license rather than an Org copy.

Version 0.2.0 on 2026-05-19

First release of ffs intended for GNU ELPA.

After a few years of inactivity, in early 2026 I decided to dust off ffs.el, polish and document it, and offer for inclusion in GNU ELPA as a proper package.

Default value of ffs-default-face-height changed to nil

To minimize unexpected and/or unnecessary changes out-of-the-box, the default value of ffs-default-face-height has been changed to nil.

ffs-edit-buffer-name demoted from user option to variable

This is not an important user-facing setting, so to help avoid overwhelming users with many options, this has been demoted from a user option to a variable.

Several new user options for customizing ffs's behaviour

As part of the effort to bring ffs more in line with the conventions of other existing Emacs packages, the mechanisms for toggling various parts of Emacs's interface to minimize visual clutter were changed from being minor modes to being customizable user options. These are the replacement new user options, with a default value of nil:

  • ffs-hide-cursor
  • ffs-hide-mode-line
  • ffs-hide-header-line

Their value is buffer-local, and may be set globally using setq-default. See the sample configuration in the manual for an example of how to customize them.

The new ffs-page-delimiter user option defines the page delimiter inserted by ffs-edit-done when inserting a new slide. Emacs's page-delimiter regexp should be able to match ffs-page-delimiter's value, so if you use a custom page-delimiter be sure to customize ffs-page-delimiter accordingly.

The new ffs-echo-progress user option controls whether to display in echo area the progress through the slides. When non-nil, changing slides will also display the progress through the slides in the echo area. The format of the displayed progress can be customized using the new ffs-echo-progress-format user option.

The new ffs-edit-display-buffer-alist user option may be used to control the Window configuration for the ffs-edit buffer. By default, it will display the ffs-edit buffer in the same window.

The new ffs-edit-done-hook user option may be used to define hooks to be run at the end of ffs-edit-done after returning to the main ffs presentation buffer.

Lastly, a new ffs-find-speaker-notes-function variable was added to allow customizing the find function used for opening the speaker's notes file, defaulting to find-file-other-frame.

Version 0.1.0 on 2022-05-19

Initial publication of ffs.el as part of my personal configurations for GNU Emacs.

My first attempt at this concept was a now-archived ffsanim.el, a major mode implementation that used Emacs's animate library to animate slide texts onto the screen. Shortly after realizing the shortcomings of that approach, I abandoned it in favour a minor mode implementation and published version 0.1.0 of what is now ffs in my personal configs repository.

I used this implementation for presenting my LibrePlanet 2022 talk, The Net beyond the Web.

I picked "ffs" as the package name, the acronym for form feed slides.

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada [Krebs on Security]

Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States.

A criminal complaint unsealed today in an Alaska district court charges Jacob Butler, a.k.a. “Dort,” of Ottawa, Canada with operating the Kimwolf DDoS botnet. A statement from the Department of Justice says the complaint against Butler was unsealed following the defendant’s arrest in Canada by the Ontario Provincial Police pursuant to a U.S. extradition warrant. Butler is currently in Canadian custody awaiting an initial court hearing scheduled for early next week.

The government said Kimwolf targeted infected devices which were traditionally “firewalled” from the rest of the internet, such as digital photo frames and web cameras. The infected systems were then rented to other cybercriminals, or forced to participate in record-smashing DDoS attacks, as well as assaults that affected Internet address ranges for the Department of Defense. Consequently, the DoD’s Defense Criminal Investigative Service is investigating the case, with assistance from the FBI field office in Anchorage.

“KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,” the Justice Department statement reads. “These attacks resulted in financial losses which, for some victims, exceeded one million dollars. The KimWolf botnet is alleged to have issued over 25,000 attack commands.”

On March 19, U.S. authorities joined international law enforcement partners in seizing the technical infrastructure for Kimwolf and three other large DDoS botnets — named Aisuru, JackSkid and Mossad — that were all competing for the same pool of vulnerable devices.

On February 28, KrebsOnSecurity identified Butler as the Kimwolf botmaster after digging through his various email addresses, registrations on the cybercrime forums, and posts to public Telegram and Discord servers. However, Dort continued to threaten and harass researchers who helped track down his real-life identity and dramatically slow the spread of his botnet.

Dort claimed responsibility for at least two swatting attacks targeting the founder of Synthient, a security startup that helped to secure a widespread critical security weakness that Kimwolf was using to spread faster and more effectively than any other IoT botnet out there. Synthient was among many technology companies thanked by the Justice Department today, and Synthient’s founder Ben Brundage told KrebsOnSecurity he’s relieved Butler is in custody.

“Hopefully this will end the harassment,” Brundage said.

An excerpt from the criminal complaint against Butler, detailing how he ordered a swatting attack against Ben Brundage, the founder of the security firm Synthient.

The government says investigators connected Butler to the administration of the KimWolf botnet through IP address, online account information, transaction records, and online messaging application records obtained through the issuance of legal process. The criminal complaint against Butler (PDF) shows he did little to separate his real-life and cybercriminal identities (something we demonstrated in our February unmasking of Dort).

In April, the Justice Department joined authorities across Europe in seizing domain names tied to nearly four-dozen DDoS-for-hire services, although because of a bureaucratic mix-up the list of seized domains has remain sealed until today. The DOJ said at least one of those services collaborated with Butler’s Kimwolf botnet.

A statement from the Ontario Provincial Police said a search warrant was executed on March 19 at Butler’s address in Ottawa, where they seized multiple devices. As a result of that investigation, Butler was arrested and charged this week with unauthorized user of computer; possession of device to obtain unauthorized use of computer system or to commit mischief; and mischief in relation to computer data. He is scheduled to remain in custody until a hearing on May 26.

In the United States, Butler is facing one count of aiding and abetting computer intrusion. If extradited, tried and convicted in a U.S. court, Butler could face up to 10 years in prison, although that maximum sentence would likely be heavily tempered by considerations in the U.S. Sentencing Guidelines, which make allowances for mitigating factors such as youth, lack of criminal history and level of cooperation with investigators.

23:28

The Big Idea: Georgia Summers [Whatever]

Writing a novel doesn’t just involve sitting hunched over a computer typing away for hours, sometimes it involves wandering through Nordic forests that feel a little spooky, but also extremely magical. Author Georgia Summers went on a journey to craft her newest novel, Trollheim: Tale of Sýstir. Tag along through her Big Idea to see the forest and all it holds.

GEORGIA SUMMERS:

I’ve found that the core idea of a novel is something that I repeatedly return to, in every facet of writing and across all of my books. It’s a question that’s profoundly useful – from making big, crucial editorial decisions, all the way down to how to phrase a sentence or tease out a specific image. Strip away the skin, the muscle, and get right to the bone. But what if you weren’t writing your Big Idea? What if you were writing someone else’s? What does that question look like?

For me, it turned out to be about trees.

When Trollheim approached me to write a book based on Sýstir’s story, I had a lot of questions. I’ve never done IP before, for one. And splashing around in someone else’s world is a nerve-wracking experience; ultimately, your goal is to write a novel that works for their storytelling purposes, as well as a piece of art that you can be proud of. Frankly, I wondered if I was up to the task. But I also wondered what it would be like to let go of the top-level decision-making. Whether it would still feel the same to write, full stop.

(Also, can I write two novels in one year as a slow writer? There are pragmatics to consider.)

There’s a lot about Sýstir’s story that immediately resonated with me. Her arc is one of fairytale tragedy and bittersweet redemption, as she makes the complicated transition from adolescent to adult and her view of those she loves changes with it. As a huldra she straddles two worlds: the human villages and fields; and the Dark Forest, home to väsen. She is neither as evil as those who condemn her would argue, nor as good as she sees herself.

Likewise, the World of Trollheim is rich with lore, rooted in the mystery of Nordic folklore, and grown by artists. But the vast landscape is one that I was unfamiliar with. And in the earliest iterations of Sýstir’s story, one particular note stood out to me: this forest reads too British.

I grew up in a mix of different places, but the times I’ve lived in the countryside have always stuck with me. I’ve roamed across fields and walked below meandering canopies, winced my way through nettle-choked paths. (RIP to my ankles.) My first instinct was to draw from those experiences – and my second was to hesitate. Because none of them quite had the right shape for Sýstir’s small corner of the Dark Forest.

Björne, the founder of Trollheim, invited me to feel and experience the Nordic wilderness. We walked the magical, otherworldly forest of Tiveden, one of Sweden’s many national parks, with its delicate wild strawberries and mossy ground. There are mirror-black lakes with eerie reflections of the treeline along their banks, trees that have grown in odd shapes as others toppled against them and disintegrated over time. Rust-red water lapping at pebbled shorelines, the faint whine of insects, the echoes of the elusive animals around us. It is, in short, hauntingly beautiful – the kind of place that feels magical just to be in its presence.

Not every experience makes it into a single book, but so many of them did from those few short days. The deep pools within the caves, the springy moss beneath my feet, the feeling of clambering over rock. It was easy to picture Sýstir there, running through the trees, ablaze with wonder. This was a forest I could bring to the page. These were Sýstir’s trees.

It can be easy, writing your own stories, to circle back to the things you know best. I don’t think there’s anything wrong with this approach – the writer becomes an archaeologist, where the same patch of ground constantly yields new riches to consider. But there’s a really delicious joy in testing new writing muscles, rummaging deep in the writerly toolbox for a fresh way to convey story and imagery to the reader. Sometimes, it’s large structural or character choices, but sometimes it really is about being able to envision a very specific kind of forest.

With those top-level story decisions out of the way, Trollheim allowed me to do just that: to pick up those tools, reexamine what I thought I knew, and push each sentence just that little bit harder. In that sense, it doesn’t matter whether it’s my Big Idea or someone else’s. It’s craft – and trees – all the way down.

Trollheim: Tale of Systir: Amazon|Amazon UK|Barnes & Noble|Bookshop|Bookshop UK|Waterstones

Author socials: Website|Instagram

23:14

Google’s plan for ads in its new “AI” chatbot search engine is to let “AI” generate the ads [OSnews]

After Google killed its search engine a few days ago, one question remained: how exactly does advertising fit into all of this? Google is obviously not going to move to chatbot search without somehow adding ads to your conversation with the pachinko machine, so everybody was wondering how that was going to work, exactly. Well, we have the answer, and it’s an obvious one.

When researching a topic, consumers want to know exactly how a product suits their unique situation. In fact, 75% of people report making faster, more confident decisions using AI Mode in Search. 1 That’s why we’re testing two new types of ads, built with Gemini, that offer relevant product details along with helpful guidance.

To help people evaluate their choices, both of these new formats will feature an independent AI explainer as part of the ad. Our Gemini model evaluates and synthesizes information about a product or service, and displays that context alongside the advertiser’s creative. This coherent, independent response ensures transparency and builds trust. These formats will also continue to be clearly labeled as “Sponsored.”

↫ Google’s Ads & Commerce Blog

Of course they’re going to just generate the ads with “AI”, too. Google will offer two types of “AI”-generated ads in their new chatbot search tool, the first of which will simply be an “AI”-generated answer to a user’s question. If you ask the Google chatbot “how can I clean my bed sheets of unintended nightly slop discharge?”, Google will generate an ad based on the features of a slopcleaner washing machine detergent product and show that to you.

The second type comes in when a user asks something like “what is the best way to kill a search engine?” Google’s chatbot will then show a number of ways to kill a search engine, and one of the items in that list might be an ad generated by Google, alongside the customary unrelated information, wrong information, and made-up nonsense. Google claims both of these types of ads will be labeled as such, but I doubt that small label will be noticed by many, and of course, there’s no way to know any of the other answers the chatbot generates aren’t paid-for either.

Here, too, though, we must ask the question what the end game is. This new chatbot search engine is clearly trying to keep you on Google’s website, but in doing so, it’ll deprive large numbers of websites of the traffic they need to survive. If they can’t survive, they’re die. If they’re dead, they can’t produce the content Google “AI” needs to slobber up to spit back out in Google’s chatbot search. Chatbot search is also an agent of its own destruction, because you can’t generate improved slop with nothing but slop.

Because, and I can’t repeat this often enough, nobody has ever used “AI” to produce anything of value.

Twelve ways to be wrong about “AI”-assisted coding [OSnews]

Suppose your manager asks you next week to demonstrate that the AI coding tools your company signed up for are worth the subscription cost. Would you measure lines of code generated, or tickets closed? Or would you send out a survey asking whether developers feel more productive? Each of those approaches is flawed in a different way; the sections below explain why.

↫ Greg Wilson

Every single study that claims to prove “AI” has a positive effect on productivity falls into one or more of these categories.

Again, nobody has ever used “AI” to produce anything of value.

“AI” tools shit where they eat [OSnews]

The stories of “AI” bots and crawlers absolutely ravaging websites and services keep on coming, and the amount of work people have to do just to survive these “AI” bot and crawler assaults is insane.

I run Weird Gloop, which hosts some of the biggest video game wikis ever, like Minecraft, OSRS and League. Over the last 3 years, we’ve had to spend more and more of our time fighting with this bot traffic that is spiky, disproportionately expensive, and getting harder to distinguish from humans. If we weren’t constantly mitigating the bots, they would use ~10x more of our compute resources than everything else put together – even though that “everything else” includes tens of millions of (human) pageviews and tens of thousands of edits a day.

Everyone who runs wikis is dealing with the exact same problem. The Wikimedia Foundation has a post about it impacting operations, every major wiki farm has had varying degrees of service outages, and some smaller independent wikis have been knocked completely offline. Overall, I’d guess that about 95% of all server issues in the wiki ecosystem this year have been caused by bad scrapers.

↫ cookmeplox at the Weird Gloop blog

“AI” tools are a quintessential example of “shitting where you eat”. All of these tools just suck up huge amounts of content created by actual humans, only to regurgitate bits and pieces of that content upon request according statistical models. If in that process of sucking up everybody’s content, these tools are placing such amounts of undue stress and cost on the people making and hosting that content that said people stop making and hosting such content, where are these “AI” tools going to get their content from next?

With every person that throws up their hands in the air in utter frustration as they see they’re hosting bills skyrocket and their sites become unusable, “AI” tools are agents of their own destruction, since ingesting the slop they themselves create only makes these “AI” tools worse.

Nobody has ever used “AI” to produce anything of value, after all.

22:35

Snapshots From Pet-Sitting [Whatever]

Over the past few days I was tasked with housesitting my parent’s domain, which meant watching Charlie and the cats, of course. Living apart from them now, I sometimes forget what an absolute hassle they are. Saja licking my face incessantly while I’m trying to sleep. Sugar licking my ear while I’m trying to sleep. Charlie licking my face- you know what you get the idea.

But, they are extremely cute creatures, and I have procured some photos for you to enjoy.

First up is Smudge and Saja:

Saja and Smudge laying on the bed, except Smudge is actually inside my package of clothes that I opened to try on. He is compact, while Saja is more spread out on the comforter.

My Torrid order has just come in and I was trying on the clothes, when I turned around Smudge was inside my Torrid package. Classic cat move.

It turns out that every single one of the animals is a huge bed/blanket/pillow hog, evidenced by Sugar trying to take my entire pillow:

Sugar with her entire body on my pillow.

Rude.

Charlie is very much not allowed on the bed, but when the parents are away, the dog will lay (in bed)!

A shot of Charlie laying next to me in bed, looking awfully adorable. Saja can be seen in the background, as well as a sliver on Spice.

(Anyone spot the sliver of Spice?)

My parents have a very nice tub/shower, so I treated myself to a bubble bath and of course had visitors:

Charlie sitting at the edge of the tub, holding a toy in her mouth and looking sleepy.

I ended up posting this particular photo on Bluesky for National Rescue Dog Day yesterday!

And of course the cryptid had to come say hi:

The front half of Saja taken at a Dutch angle. He is slightly blurry and staring intensely at the camera.

I have met a lot of funky cats in my life, but Saja is honestly the most alien-esque freaky cat ever.

Caught a rare Charlie-Smudge cuddle moment:

Charlie and Smudge laying next to each other in bed.

Well, the truth is that Smudge was already laying there when Charlie came over and flopped down almost right on top of him and he bit her ear in protest.

And finally, Saja joined a few minutes later:

A snippet of Charlie, Smudge, and Saja all laying in very close proximity on the bed together.

This photo is especially chaotic because I took it with my front camera, as Charlie had her paw on my torso and I couldn’t really move without disturbing everyone else.

Love spending time with these goobers (mostly) but boy am I ready to go back home!

-AMS

22:28

Link [Scripting News]

Just finished No Country for Old Men, the book by Cormac McCarthy. I have seen the movie many times, it's one of those movies that if you're looking for something to watch and you come across it, you might as well go for it because every scene in the movie is pretty good on its own. I didn't realize that they used most of McCarthy's dialog, literally -- in the movie. Near the end, Bell, the sheriff tells a story about old age. "There wasnt a whole lot good you could say about old age and he said he knew one thing and I said what is that. And he said it dont last long. I said well, that's pretty cold. And he said it was no colder than what the facts called for." I love truths that hit hard. He's such a great writer. And I love that I can write like all the characters if I get a mind to.

22:07

Vulnerabilities in various GTK-based PDF readers [LWN.net]

Michael Catanzaro has disclosed a command-injection vulnerability affecting a number of GTK-based PDF readers; exploits included:

They contain a script for building malicious polyglot PDFs that are simultaneously both valid PDF files and also valid ELF binaries. When the user opens the PDF in the PDF viewer and clicks on a malicious link embedded in the PDF, the PDF abuses the command injection vulnerability to load itself as a GTK module using the `--gtk-module` command line flag. It can then execute arbitrary code via its library constructor. That flag was removed in GTK 4, which is why the vulnerability is much less serious for Papers than it is for Evince, Atril, and Xreader.

21:42

Setting up KDE and Wayland on FreeBSD 15.x [OSnews]

Since X11 has moved to legacy status, it’s only a matter of time before the BSDs are going to have to make the move to being Wayland-first as well. This applies particularly to FreeBSD, which has been focusing on improving its suitability for desktop and laptops lately. The good news is that Wayland has been available on FreeBSD for a while now, and setting it up with a KDE desktop is a breeze.

Dolce Far Niente has a quick and easy guide, updated today, that walks you through the steps of setting up KDE with Wayland on a fresh FreeBSD 15.x installation. I’m keeping this on my to-do list, but I’m not committing yet because we’re getting quite close to the first incentive of the OSNews fundraiser, where I have to install, run, and use vanilla Windows 11 (including Office and Outlook) for a month. No point in setting up FreeBSD when we’re about to hit that incentive.

Regardless, this is going to be the future of FreeBSD for desktop and laptop use, so you if you’re already a FreeBSD user, you might as well try and see if Wayland works for you today.

19:21

I’m writing again… [I, Cringely]

I’m Writing Again

For those of you who are still here — and given how long it’s been, “still here” is a real act of patience — thank you. I haven’t written a column since 2022.

Just like everyone else, I’ve been busy all this time on Artificial Intelligence, founding with two partners a company called 2Brains (why it wasn’t 3Brains I’ll never know) that I will explain to you shortly. The work we were doing together is unfinished, but it’s not stopped. The patents are filed, the architecture is documented, and the small team continuing the work includes me. Writing is part of how I think; not writing for three years has felt like holding my breath.

So I’m back. Not on a fixed schedule yet — I’ll publish when I have something worth saying — but back. The first real piece is coming this week, and it makes the case that the trillion-dollar bet the AI industry is making right now may be wrong, and that there’s an architectural alternative we’ve patented and built. We’ll see what you think.

For the readers who’ve been here since the InfoWorld days, or the PBS series, or the early years of this site: I’m grateful you waited. For the readers who found me more recently and are wondering what they signed up for: welcome. The work continues.

— Bob

The post I’m writing again… first appeared on I, Cringely.






Digital Branding
Web Design Marketing

Firefox, Vivaldi unveil their UI overhauls [OSnews]

Two popular web browser are overhauling their user interface, and the first to actually ship its new version is Vivaldi. Version 8.0 of this Chromium-based browser completely overhauls its UI, but retains its extensive customisation options, including the option to go back to the old look and feel if the new one doesn’t float your boat. I wonder if this update addresses some of my long-standing issues with Vivaldi where it just seemed impossible to integrate the browser properly with KDE or GNOME, since it opted for its own fonts and had a ton of very custom UI that made it stand out moreso than even other browser.

Before publishing this post, I did a quick install and check, and no, it seems not much has changed in that department. Not everyone will care – in fact, I think most people don’t – but I do, and I do whatever it takes to make my browser look properly native. Any Chromium-based browser is a hard sell in that area, and that applies doubly so for Vivaldi and its long list of custom UI elements.

The other popular web browser overhauling its UI is Firefox, which is bringing its new UI to testing now, with an actual release later this year. You can clearly see that both Vivaldi and Firefox seem to be following a similar trend, even if I’m not entirely sure if it has a name yet. The new Firefox design also overhauls the settings page, integrates Mozilla services like its VPN, and brings back the compact mode (which has been hidden behind an about:config flag for years now).

My biggest worry is how this will affect Librewolf and the KDE and GNOME themes I use, but it seems we’re going to have more than enough time to figure that out.

18:00

Link [Scripting News]

Marc Andreessen said programmers aren't disoccupied, we haven't become obsolete, quite the opposite, we're all working around the clock. It's true. Everyone is doing it. We got a new brain that can do all kinds of amazing things. You don't get a new super powerful brain organ every day.

The Agentic P&L: Beyond the Empire of Headcount [Radar]

For over a century, both the prestige and budget of a corporate department have been measured by a single crude metric: headcount. If you manage 500 people, you’re a “distinguished leader.” If you manage five, you’re a footnote. This “empire of headcount” has governed everything from office square footage to C-suite influence. It’s the fundamental unit of the 20th-century P&L.

In an enterprise powered by federated agentic systems, this math is not just obsolete—it is a liability. AI will reshape the enterprise. The question is now “Which line items on the P&L change, and by how much?” Labor and benefits contract. Token and infrastructure costs appear as a new operating line. Compliance costs shift from reactive rework to proactive provenance. And the assets that matter most—structured knowledge enclaves, trained agent policies, decision logs—do not yet appear on most balance sheets.

Why AI-on-top-of-hierarchy fails

Most enterprise AI deployments begin with the right instinct and the wrong architecture. A foundation model is procured, a chatbot is deployed, and analysts are relieved of their most repetitive queries. This is the butler-bot phase: AI as a faster way to do what the organization already does, inside a structure designed for a different era.

The problem is the process the model is plugged into. If a compliance decision requires sign-off from three managers, an AI assistant that drafts the memo faster doesn’t change the three-week cycle time. If context is scattered across email threads and local drives, a model querying that corpus will hallucinate at exactly the rate the corpus is incomplete. The model inherits the organization’s structural debt. The agentic P&L begins where the butler bot ends: with a deliberate redesign of the process, not just the tooling.

The enterprise must pivot: Stop valuing the empire of headcount and start valuing the federated nervous system.

Figure 1. Empire of headcount vs. federated nervous system—An analogyFigure 1. Empire of headcount vs. federated nervous system—An analogy

Pillar 1: Potential energy—How knowledge-ready is your department?

If the department is the fundamental unit of the enterprise, its contextual enclave is its brain—its store of potential energy. Most companies are drowning in low-quality context: petabytes of data buried in half-finished Slack threads, abandoned wikis, and tacit knowledge held by seniors who are three months from retirement. To an agent, this isn’t intelligence; it’s noise.

From data lakes to sharded enclaves

The data lake became a 2020s nightmare—a giant swamp where context went to die. In the federated model, legal, HR, engineering, and compliance each maintain their own secure, high-density enclave instead. Policy, process documentation, and institutional knowledge is synthesized into a form an agent can reason over directly, without a human in the interpretive loop. Data stays local; reasoning moves via agents. Protocols like the Model Context Protocol (MCP) are emerging as the TCP/IP of the federated enterprise—a standard way for agents and tools to discover each other, exchange context, and record what happened regardless of which vendor stack sits underneath. MCP is what allows “reasoning moves, data stays” to be an implementation detail rather than a custom integration project every time.

Figure 2. Contextual density in shared enclavesFigure 2. Contextual density in shared enclaves

Making potential energy measurable

Three dimensions combine into what we call the contextual density score: coverage (what proportion of policy and process is documented and retrievable—for a compliance enclave, the fraction of onboarding scenarios tied to explicit playbooks); consistency and recency (how often does retrieved guidance conflict, and how stale is it); and retrieval quality (how often can a reference agent answer test questions from its own enclave without human overrides). The contextual density score measures how ready an enclave is for agents to act on it reliably. Each enclave is assigned an owner whose job is to improve that score quarter over quarter, as a traditional leader improves throughput or defect rates. Context maintenance becomes the new R&D.

Pillar 2: Agentic throughput (the kinetic energy)

If a department’s knowledge enclave is its store of potential energy, throughput is the kinetic energy: the volume and value of cognitive outcomes produced by the agentic layer without human execution in the critical path. To measure this, we must stop counting “activity” and start counting handshakes.

The handshake economy

In a federated mesh, work is done through agent-to-agent (A2A) negotiation. A logistics agent detects a delayed shipment and initiates a handshake with a procurement agent to find an alternative supplier. That agent consults the contracts enclave via a legal agent to check compliance and risk limits. A resolution is reached, records are updated, and a human is notified of the result—not every intermediate step. Throughput is the rate of successful, economically meaningful handshakes.

Figure 3. The federated agent operating modelFigure 3. The federated agent operating model

Agentic unit economics: The cost of the handshake

Not all handshakes are equal. Every one carries a token tax, an infrastructure cost, and a latency cost. Agentic throughput is only valuable when the cost per cognitive outcome is significantly lower than the labor-equivalent at equal or better quality. If an agent fans out 50 calls to a premium model to resolve a $5 inquiry, you’ve increased throughput and destroyed ROI. If a handful of calls to a moderately priced model resolve a complex cross-silo onboarding decision that previously took three teams and two weeks, the economics are compelling.

The agentic P&L must therefore track outcome volume (risk-weighted handshakes per period) and cost per outcome relative to the pre-agentic baseline—this is where CFOs and architects meet. This recommendation is consistent with emerging research: The companies seeing genuine AI ROI are those using it to expand what they can do, not those focused purely on headcount reduction.

How agents learn: Gyms and mirrors

The gym is a simulation built from historical cases and synthetic data where agents train against gold decisions, respecting policy constraints and risk limits. The mirror is a read-only, regulator-grade log of what agents did in production: prompts, tool calls, model versions, human overrides, and final outcomes. Agents spar in the gym; they are judged in the mirror. By 2026, decision provenance—the ability to reconstruct who or what did what, under which policy and model version—is becoming standard operating procedure in regulated industries.

The Agentic P&L decomposed

Four-line items change structurally when an enterprise moves from a headcount model to a federated agentic model:

Labor and benefits contract, but not to zero. The compliance function that previously employed 400 analysts moves to 80–100 humans in orchestration and oversight roles—higher-skilled and higher-cost per head, a deliberate trade of volume for leverage.

General expenses shift as management layers thin, training budgets pivot from procedural compliance to enclave curation, and real estate requirements contract as hybrid squads replace large hub operations.

Token and infrastructure costs emerge as a new operating line that does not exist in the pre-agentic P&L. This line must be actively managed: cost per cognitive outcome is the new unit of measurement and deteriorates quickly with poorly designed agent architectures.

Compliance and audit costs shift structure. In a Tier-1 bank, the cost of a single regulatory finding—remediation, legal exposure, delayed onboarding—dwarfs the annual cost of maintaining a well-designed decision log. The mirror transforms regulatory response from a fire drill into a navigable record. Decision provenance is not governance overhead. It is P&L protection.

Revenue productivity per person (RPP)—revenue divided by headcount—ties the expense-side story to the top line. Software-native firms have long used RPP as a signal of operational leverage; banks are now applying the same lens to their operations functions. As headcount contracts while throughput and revenue capacity hold or grow, RPP rises structurally rather than cyclically—the metric that tells a CFO whether agentic transformation is delivering leverage or merely cost reduction.

A stylized agentic P&L: Compliance in a Tier-1 bank

Consider a compliance function with 400 analysts. Its P&L is dominated by salaries, benefits, and office costs. Context sits in email, local drives, and the memory of experienced analysts—institutional knowledge that walks out of the building every evening.

In phase 1, the bank builds a compliance enclave: policies, historical cases, and regulator Q&A synthesized into a structured knowledge graph. Three hybrid squads of 12–15 humans work alongside 10–15 agents handling document collection, screening, and rule-based decisions. Agentic throughput starts modestly—20%–30% of low-risk cases auto-cleared from within the enclave. The P&L effect at this stage is primarily a productivity story: lower cost per case, faster cycle times.

The structural transformation comes in phase 2. After several cycles of gym training and mirror-driven refinement, the function operates with 80–100 humans plus 40–60 agents. The compliance enclave—curated policies, decision logs, evaluated reward functions—is now the primary asset. Legal discovery may require the email archive; what the regulator wants is a structured, navigable record of decisions. That’s what the mirror provides. With it, the reduced headcount is defensible to regulators, to the board, and on the P&L.

The new org unit: The 3+N squad

The “3+N” squad—a small human core plus a flexible swarm of agents—is the fundamental cell of the agentic enterprise. The strategic architect sets intent and constraints. The policy and ethics lead designs the gyms, ensuring agents act under responsible AI principles. The technical orchestrator manages the context mesh, MCP-based connectors, and enclave density. Around them, specialized agents handle contract analysis, sanctions screening, exception routing, and external API liaison. This is cognitive federation. Humans move up-stack into judgment and intent, while agents handle high-volume reasoning and cross-departmental coordination.

Leaders rewarded for headcount and budget will resist decomposing their empires even as enclave quality and throughput improve. Executive scorecards must include agentic KPIs: enclave maturity, agentic throughput, risk-adjusted outcomes, and RPP. The mirror needs an explicit owner spanning risk, compliance, and engineering. Without decision provenance, you get the worst of both worlds: expensive models and humans still quietly doing the real work in spreadsheets.

When you tell a senior vice president that their value is no longer tied to a 500-person headcount but to the knowledge readiness and agentic throughput of their domain, they will fight. The resistance isn’t just economic; it’s psychological. Headcount has been a proxy for power and identity. In the new world, it often becomes a proxy for architectural debt.

Client: “Can’t we just put a human in the loop but set the default to ‘Accept’?”


Me: “That’s not human-in-the-loop. That’s human-as-rubberstamp. You’re just automating the blame.”

The reframing that works is not “we are shrinking your kingdom” but “we are upgrading your leverage” from managing people (inherently high friction and limited scale) to designing intelligence (human-plus-agent systems that scale almost without bound).

The leader of 2027: The playbook

The leader of 2027 thinks in flows instead of functions, enclaves and mirrors instead of departments and reports, and token costs and compliance risk instead of merely headcount and budget. Their signature move is converting headcount empires into high-density enclaves and high-throughput meshes under credible governance, then proving it on the P&L with lower unit costs, faster cycle times, and a compliance posture auditors can navigate.

For leaders mapping their 2026–2027 roadmaps, here are three hard pivots you need to make: First, stop hiring for capacity; build a better gym, not a bigger team. Second, audit your enclave’s knowledge readiness—if agents hallucinate, you have contextual debt, not a model problem; invest in governed sharded enclaves and mirrors your auditors can use. Finally, manage your token line as the new overhead expense; track cost per cognitive outcome rather than aggregate spend and monitor RPP as your headline leverage indicator.

The goal is not to build an AI that works for you. The goal is to build an enterprise that thinks with you.

Gyms for them, mirrors for us, and a context mesh to hold the P&L together—that is the architecture of a decentralized, high-alpha enterprise. Anything else is just an expensive way to stay in the 20th century.

17:28

macOS Kernel Memory Corruption Exploit [Schneier on Security]

A group used Anthropic’s Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple’s M5.

News article.

16:42

Pluralistic: Shopping isn't politics (21 May 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

  • Shopping isn't politics: The personal isn't political.
  • Hey look at this: Delights to delectate.
  • Object permanence: Neither arphid nor RFID; Gor novel sex slave cult; Violent economist sex criminals; Vade et caca in pilleum et ipse traheatur super aures tuo; "We Stand on Guard"; Healthy FLOSS; Lawsuits 2.0; CDC v zombie apocalypse; Gandhi's speeches; Apple v games about Palestine; Second Life chuds v Bernie; UK was never a "white" country; Dead, broke; Who Broke the Internet? (III)
  • Upcoming appearances: Hay-on-Wye, London, Kansas City, LA, Menlo Park, Toronto, NYC, Edinburgh.
  • Recent appearances: Where I've been.
  • Latest books: You keep readin' em, I'll keep writin' 'em.
  • Upcoming books: Like I said, I'll keep writin' 'em.
  • Colophon: All the rest.


A grocery store egg refrigerator, lined with stacks of egg cartons. The middle stack has been replaced with the capitol dome.

Shopping isn't politics (permalink)

I've written before about the futility of "voting with your wallet." Billionaires love it when you try to vote with your wallet, because while billionaires only represent 0.00004% of the population, their wallets are 100,000 times larger than average, which means that when we vote with wallets, a billionaire's vote counts 100,000 times more than yours:

https://pluralistic.net/2025/09/13/consumption-choices/

The idea of voting with your wallet is fundamentally antiprogressive, and not only because wallet-voting favors the wealthy. The ideological basis for voting with your wallet is the belief that politics are slow and unresponsive, while markets dynamically optimize for human wellbeing. By voting with your wallet, you are supposedly injecting information about your preferences and dispreferences into a vast, distributed computer we call "the market," which uses "demand signals" to decide how we live our lives.

This belief is incompatible with the idea of politics – that is, the idea that our lives can be shaped by representative democracy, deliberation, and/or solidarity. It's a nihilistic view that insists that the only nice things we can have are the things that "the market" chooses for us. If "the market" doesn't decide to swap out fossil fuels for cleantech, then that's that – any attempt to draw down our carbon emissions through regulation will only "distort the market." If you're roasting in a drought, drowning in a flood, or being incinerated by a wildfire, your only move is to go shopping and hope that by buying a Tesla, you will emit a "demand signal" that "tips the market equilibrium" to "not killing you and everyone you love."

Shopping isn't politics. Politics are politics, and shopping is shopping.

This isn't to say shopping can't improve your life! I am a materialist, and having nice things is nice. If there's a lovely independent coffee shop in your neighborhood where the baristas are treated well and the coffee is delicious and the vibes are impeccable, then by all means, get your coffee there. If you love the staff and selections at your neighborhood indie bookstore, then you should buy your books there. If you love the discourse on Mastodon or Bluesky and find yourself feeling sick and angry when you use Twitter or Facebook, then ditch the legacy social media and take up residence in the Fediverse and/or Atmosphere.

But don't kid yourself that this is politics. No matter how indie your coffee, books and social media, your consumption choices will not have a material impact on Starbucks, Amazon or Twitter. Going vegan won't make the meat industry treat animals better. Taking the bus won't induce improvements to your town's public transit network.

Having nice things is nice, and the more nice things you have – good food, good health, good books, good coffee, good social media and good transit – the more space and energy you'll have to devote to politics.

But what about boycotts? Surely the Montgomery bus boycott, the anti-Apartheid boycott, the California grape boycott and the BDS movement were politics, right?

They sure were. But they weren't shopping. The Montgomery bus boycott lasted 382 days, during which time organizers worked with bus riders, cab drivers, the UAW and community groups to provide material and legal support and alternatives like car pools, all while communicating about their specific demands. After 382 days, the courts ruled in their favor, their demands were met, and Montgomery's buses desegregated:

https://en.wikipedia.org/wiki/Montgomery_bus_boycott

That wasn't "shopping." The bus boycott didn't consist of a bunch of individual choices to walk to work, repeatedly made by a city full of Black people and their allies. The shopping part was the least important part of the whole matter, and the meaningful part of the shopping was never individual. If the boycott was nothing more than shopping, it would have broken as soon as individual people found themselves unable to convince their bosses to tolerate their late, sweaty arrival at work, day after day. The boycott worked because it was politics.

And because the boycott was politics, it left behind a movement: the boycott brought people into solidarity with each other, and when they comprehensively defeated their political adversary – National City Lines – they went on to form the backbone of the civil rights movement, going from strength to strength.

Of course, shopping is part of a boycott. It's the individual part that each participant in the boycott undertakes. But without the collective, organized part, shopping is no way to effect change.

Is voting politics? Well, sure, but voting is to politics as shopping is to boycotts. For several decades now, most voters have been asked to chose the lesser of two evils (and now they're asked to choose the significantly lesser of two evils). Voting can change things, when there's something good to vote for, or something very bad to vote against, and when lots of people show up at the polls.

But to make voting effective, you have to do politics. You have to get involved in the primary races that select the candidate. You have to go to candidates' meetings and ask tough questions. You have to ring doorbells for your chosen candidate, volunteer to take your neighbors to the polls and volunteer to defend the polls from chuds and ICE fascists. The part of voting that takes place in the booth is the least important part of politics.

It's obvious why we might prefer to substitute voting or shopping for politics: they're activities you do alone. You don't have to find anyone else to do them with you. You don't have to convince anyone else to do them with you. You don't have to argue about them or justify them. They are zipless fucks, a source of satisfaction without connection, compromise or complication.

Of course, that's also why voting and shopping make a poor substitute for politics. All the retail therapy in the world can't lift your spirits the way that solidarity and community will. Doing politics creates solidaristic ties with the people around you, who might help you if you lose your job and can't buy groceries, or break your leg and can't get to the grocery store, or if ICE fascists try to kidnap you while you're out shopping.

Solidarity gets you through times of no money way better than money gets you through times of no solidarity – just ask the psycho billionaires who wanted Doug Rushkoff to invent a system of bomb-collars that would keep their post-apocalyptic mercenaries from whacking them and stealing their bunkers:

https://pluralistic.net/2022/09/13/collapse-porn/#collapse-porn

Last weekend, I walked through a crowd of tens of thousands of coked-up fascists in central London on my way to meet up with 250,000 comrades marching for an end to genocide in Palestine and a new British social compact based on mutual aid, pluralism, and care. Walking through those flag-draped chuds was incredibly demoralizing:

https://www.newstatesman.com/politics/2026/05/cokeheads-and-christians-a-day-at-tommy-robinsons-rally

But when I got off the tube at South Kensington and found there were so many of us we were backed up all the way from the every street entrance to the bottom of the escalators, my morale surged. Hours later, when we all reached Pall Mall together, I was ready to take on the world. That's what politics does for you: it makes you feel like you belong to a polity and that together, you can really change the world.

Politics runs on solidarity, but shopping destroys it. Individual consumption choices don't change the world, but if you've been convinced that the only way to change the world is by voting with your wallet then when the world stays terrible, you can only conclude that your friends and neighbors have ruined by things by voting (shopping) wrong.

In politics, we build bonds of mutual regard and understanding that we use to navigate our differences. But when you vote with your wallet, all that's left is the endless policing of your allies' consumption choices, endless scolding for their failure to leave Twitter, or give up meat, or eschew chatbots. Shopping for change ends up replacing politics with petty snooping and endless sniping and attempts to bully or shame people into consuming different things.

If "the personal is political," then every political disappointment in your life is down to your friends' personal defects. If you let yourself get tricked into organizing your life around "living your politics" – that is, giving up on nice things in the hope that this will make politics change, and then getting mad at people who consume different things from you – then you will end up sucked into the stupidest fights imaginable with the people you need to get along with in order to do politics.

Once again, this isn't to say that you shouldn't choose to have nice things. Buy stuff you like, shop at places you like. And when circumstances allow all of us to start making consumption choices in unison – as when Comrades Trump and Putin stage an orgy of demand-destruction for fossil fuels, catapulting the world into the Gretacene – then by all means, take the win. That is one of the rare instances in which we can do political change with consumption!

https://pluralistic.net/2026/05/04/hope-in-the-dark/#hormuzed-into-the-gretacene

And there definitely are times where a single individual can intervene in the system in a powerful way that really fucks up the worst actors in our society:

https://www.theverge.com/tech/931532/bambu-agpl-pawel-jarczak-open-source-threat-dmca-github

These usually involve using technology to "move fast and break things," which is fine, actually! It's fine to move fast and break things belonging to Elon Musk, Mark Zuckerberg or some other monster. Indeed, it's practically a moral imperative:

https://pluralistic.net/2026/01/30/zucksauce/#gandersauce

But even in those highly leveraged, highly individualized opportunities to make a dent in the universe, you'll make a bigger dent, and have more fun, if you do it as politics, with a big group of people, in bonds of solidarity.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago Software-based antennas https://web.archive.org/web/20010518225333/http://www.etenna.com/

#25yrsago Aimster loses trademark to AOL https://web.archive.org/web/20010523001415/http://msnbc.com/news/575492.asp?cp1=1

#25yrsago House to ban online anonymity https://web.archive.org/web/20010526220254/https://www.wired.com/news/politics/0,1283,43938,00.html

#20yrsago Lawsuits of Web 2.0 https://web.archive.org/web/20060528001734/http://www.fuckedsuit.com/

#20yrsago Is one month’s piracy worth more than France’s GDP? https://decordove.com/one-month-of-torrents-is-worth-more-than-the-gdp-of-france-riaa-rant.php

#20yrsago Audio from Bruce Sterling’s “Neither Arphid nor RFID” rant https://web.archive.org/web/20060614140414/https://dev1.manme.org.uk/~luke/Sterling_SPACE_160506.mp3

#20yrsago Cops raid “sex slave cult” based on science fiction novels http://news.bbc.co.uk/1/hi/uk/4996410.stm

#15yrsago Legal rebuttal: “vade et caca in pilleum et ipse traheatur super aures tuo” https://newyorkpersonalinjuryattorneyblog.com/2011/05/joseph-rakofsky-i-have-an-answer-for-you.html

#15yrsago List of economists involved in violent sex crimes, for Ben Stein https://blog.xkcd.com/2011/05/18/answering-ben-steins-question/

#15yrsago MAFIAA wants warrantless searches of CD and DVD factories https://web.archive.org/web/20110520232527/https://www.wired.com/threatlevel/2011/05/riaa-warrantless-seizures/

#15yrsago CDC explains how to prepare for a zombie apocalypse https://web.archive.org/web/20110519201602/http://emergency.cdc.gov/socialmedia/zombies_blog.asp

#10yrsago 129 of Gandhi’s speeches on India and self-rule https://archive.org/details/HindSwaraj?and[]=subject%3A"Post+Prayer+Speech"

#10yrsago A backer message as Earth leaves beta and goes 1.0 https://web.archive.org/web/20160521054706/http://www.nature.com/nature/journal/v533/n7603/full/533432a.html

#10yrsago EFF files Chelsea Manning appeal on hacking conviction https://www.eff.org/press/releases/eff-asks-court-reverse-chelsea-mannings-conviction-violating-federal-anti-hacking-law

#10yrsago Apple rejects game about Palestine because political messages disqualify games from consideration https://web.archive.org/web/20160520111154/https://arstechnica.com/gaming/2016/05/apple-says-game-about-palestinian-child-isnt-a-game/

#10yrsago Nerdcore rapper Sammus’s amazing OSCON keynote https://www.youtube.com/watch?v=ELczJ07XPnw

#10yrsago Everything is a Remix on “The Force Awakens” https://www.youtube.com/watch?v=PKvsc6a03Es

#10yrsago Angry dudes are downranking woman-oriented TV shows on review sites https://web.archive.org/web/20160519014153/https://fivethirtyeight.com/features/men-are-sabotaging-the-online-reviews-of-tv-shows-aimed-at-women/

#10yrsago Second Life’s Trump army lays siege to Bernie Sanders’s virtual HQ with swastika cannons https://web.archive.org/web/20160428093534/https://motherboard.vice.com/read/second-life-donald-trump-bernie-sanders

#10yrsago Xenophobic UK politician ranting about “political correctness” gets a public spanking from an historian https://web.archive.org/web/20160520224731/http://indy100.independent.co.uk/article/ukip-councillor-attempts-to-blast-bbc-for-historical-inaccuracy-gets-destroyed-by-actual-historian–ZyZAasU2fb

#10yrsago A look at digital habits of 13 year olds shows desire for privacy, face-to-face time https://blogs.lse.ac.uk/parenting4digitalfuture/2016/04/18/the-class-living-and-learning-in-the-digital-age/

#10yrsago Big Vitamin bankrolls naturopaths’ attempts to go legit and get public money https://web.archive.org/web/20160520123659/https://www.statnews.com/2016/05/17/naturopaths-go-mainstream/

#10yrsago We Stand on Guard: in 100 years, America seizes Canada for its water https://memex.craphound.com/2016/05/18/we-stand-on-guard-in-100-years-america-seizes-canada-for-its-water/

#5yrsago Apple's complicity in Chinese state oppressionhttps://pluralistic.net/2021/05/18/unhealthy-balance-sheet/#think-manorialism

#5yrsago Community Health Services sued its way through the pandemic https://pluralistic.net/2021/05/18/unhealthy-balance-sheet/#health-usury

#5yrsago What Would Open Source Look Like If It Were Healthy https://pluralistic.net/2021/05/18/unhealthy-balance-sheet/#user-personas

#5yrsago Dead, broke https://pluralistic.net/2021/05/19/zombie-debt/#damnation

#1yrago Who Broke the Internet? Part III https://pluralistic.net/2025/05/19/khan-thought/#they-were-warned

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Pluralistic: It's not a crime if we do it (to nurses) with an app (22 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links


A 1950s killer robot with eye lasers; it has collected four bell jars in which float the heads of disembodied nurses. It is zapping one jar with its lasers. In the background is a golgotha, taken from a Dore Old Testament engraving.

It's not a crime if we do it (to nurses) with an app (permalink)

If I could abolish one piece of received wisdom about tech policy, it would be this: "Tech moves at the speed of innovation and regulation moves at the speed of government, so regulation will always lag behind tech."

(If I could abolish two pieces of received wisdom about tech policy, the other one would be "If you're not paying for the product, you're the product." Decent treatment is not a customer reward program, and "voting with your wallet" only works if you're a billionaire whose wallet is thicker than all the other wallets put together.)

To be clear, there are times when tech enables new forms of conduct that don't fit neatly into the existing policy framework. For example, we apply copyright to anyone who makes or handles a copy of a creative work, and that used to be a pretty good proxy for "someone in the supply chain of the media industry."

The problem is that computers work by making dozens and dozens of copies every time you click your mouse, and we all use computers for everything, and clicking a mouse doesn't make you part of the entertainment business. The fact that we've had hyperinflation in "making and handling copies" but continued to apply an esoteric industrial framework to pretty much everything everyone does all the time is a huge problem that desperately needs fixing:

https://pluralistic.net/2023/10/21/the-internets-original-sin/

Copyright notwithstanding, tech generally does not outrun our capacity to regulate it. Rather, tech bosses come up with incredibly flimsy reasons why their business doesn't fit into the existing regulatory framework, and policymakers accept these ridiculous excuses so readily that one can only assume they're in on the racket.

Take "fintech," all those neobanks and the cryptocurrency junk and shitcoins and stablecoins and NFTs and so on that a group of pump-and-dumpers, money launderers and stock swindlers have pushed for more than a decade now. As Trashfuture's Riley Quinn says, "Whenever you hear 'fintech,' you should think 'unregulated bank.'" It's not hard to apply existing regulations to these companies: they fall under banking law, usury law, securities law and gambling law.

There's no (good) reason not to apply these legal frameworks to the crypto industry – but there are plenty of bad reasons not to. The most obvious reason not to apply those regulations is that you are on the same side as the pump-and-dumpers, money launderers and stock swindlers. The reason we struggle to regulate fintech is that we just don't want to.

Then there's Uber, which claimed that it wasn't a taxi company, it was a "transportation network company," which meant that none of the regulations we apply to taxis should apply to Uber. To call this a transparent ruse is to do great violence to the good, hardworking transparent ruses putting in the hard yards to run honest scams. "Uber isn't a taxi company, it's a transportation network company" is about as plausible as those t-shirts that read "It's not a bald spot, it's a solar-panel for a sex-machine."

Emboldened by the success of the "transportation network company" wheeze, Uber launched Uber Eats, claiming that it wasn't a "food delivery company" but rather a "delivery network company." This set up the template for a remorseless tide of new sex-machine solar-panels that have pushed Uber's system of wage-theft and worker misclassification into an expanding constellation of labor categories.

From fintech to price-fixing to gig-work, the entire industry runs on the very stupid proposition that "it's not a crime if we do it with an app":

https://pluralistic.net/2025/01/25/potatotrac/#carbo-loading

One of the worst of these sex-machine solar-panels is to be found in nursing, where a cluster of heavily capitalized apps that nurses must rely on to get shifts insist that they aren't "healthcare staffing agencies," rather, they are "healthcare worker platforms" that should be exempted from the regulations that we started applying to the former after a string of calamities and disasters.

This phenomenon is detailed in eye-watering detail in "Uber For Nursing," a must-read new report by Katie J Wells, Maya Pinto, and Funda Ustek Spilda for the AI Now Institute:

https://ainowinstitute.org/publications/uber-for-nursing

If "Uber for nursing" rings a bell, you might be thinking of "Uber for Nursing: How an AI-Powered Gig Model Is Threatening Health Care," an earlier report that Wells and Spilda wrote for the Roosevelt Institute in late 2024:

https://rooseveltinstitute.org/publications/uber-for-nursing/

The Roosevelt Institute report contained many eye-popping findings, most notably that at least some of the leading national nursing gig-work platforms were using data-brokers to find out how much debt nurses were carrying, and offered lower wages to the nurses with the most debt, on the grounds that the most economically desperate nurses will accept the lowest pay:

https://pluralistic.net/2024/12/18/loose-flapping-ends/#luigi-has-a-point

The new report describes how, in the absence of a muscular policy response, these nursing gig-work companies have raised fantastic sums of money, some of which they have diverted to regulatory capture projects in a bid to states to recognize their solar-panel sex-machines, with great success. These companies haven't merely refined their lobbying game, either – as a sphincter-puckering appendix detailing the experience of nurses with these apps shows, they have also made great strides in immiserating nurses and transferring their earning power to gig platforms and the hospitals that rely on them.

This degradation of the work experience is characteristic of the new world of AI-powered jobs. AI isn't taking workers' jobs, but it is enshittifying them, with degrading, neurosis-inducing surveillance and high-handed discipline:

https://www.ineteconomics.org/perspectives/blog/what-does-it-mean-to-work-under-algorithmic-eyes

Algorithmic oversight is a terror for any worker, but it's particularly bad when applied to healthcare workers:

https://pluralistic.net/2023/08/05/any-metric-becomes-a-target/#hca

But gig-work companies remain laser-focused on healthcare workers, likely because that is one of the only growing professions left in America. They're trying to screw over healthcare workers for the same reason Willie Sutton robbed banks: "That's where the money is." The corollary here is that the 15% of the American workforce that is employed in the healthcare industry is on the front lines of the battle against gig-work and algorithmic management.

Like parasites that attack the sick and weak, gig-work and algorithmic management come first for industries that are already bad for workers and the people they serve, making things much worse while insisting that they're just trying to apply a cool digital fix to a broken analog system. That, too, was Uber's playbook: attacking the medallion taxi system as corrupt and sclerotic – while replacing it with a system that's corrupt, extractive and dynamic, able to evade all attempts to improve things for drivers and riders (such as drivers' unions).

That's what's happened with healthcare staffing agencies. These have long been a fixture in healthcare, partly because there was always a large cohort of skilled healthcare professionals who valued the flexibility of short term contracts (for example, "travel nurses") and partly because hospitals love hiring contractors who aren't part of their workers' unions.

Staffing agencies weren't good. A string of scandals led to waves of regulations in states like Colorado, Minnesota and New York that required agencies to "register annually, disclose shareholders and executive officers, certify worker credentials, report to state authorities on the number of workers employed, document service rates charged to facilities, and list average wages paid to workers by job category." These regulations also banned staffing agencies from locking up workers with noncompete agreements and ripping them off with finder's fees.

Rather than strengthening these protections, gig nursing platforms avoid them. Where staffing agencies secure multi-week contracts for travel nurses, gig platforms typically assign workers to single-day shifts. Where staffing agencies let nurses bargain for their scheduling needs, gig platforms present take-it-or-leave-it offers and no opportunities to speak to a human when things go wrong. And where staffing agencies evaluated the workers on their roster based on employer feedback, the gig platforms install apps that continuously surveil and evaluate workers, downranking them and cutting their hours and pay based on algorithmic judgments that are never explained and cannot be appealed.

Platforms match nurses with shifts, claiming to regulators that they're little more than a "job-notice board." But when they pitch hospitals, they tell a different story, about their ability to use algorithms to erode wages and blacklist workers who make trouble. Healthcare gig-work apps push workers to accept shifts that require more travel and pay less, at facilities they don't want to work at. Refusal to accept a shift can permanently compromise your ability to get future shifts, and/or lower the wage you're offered in future.

In addition to these poor working conditions and low wages, gig platforms have resurrected the prohibited practice of charging workers "finder's fees," by layering on junk fees that take money out of every paycheck. Staffing agencies aren't allowed to do this, but the gig-work platforms' "solar panel for a sex-machine" gambit transforms the finder's fee into a "platform fee" that somehow escapes regulators' grasp.

How is it that a regulator can't see that a "platform fee" is exactly equivalent to a "finder's fee?" This is not a case of technology outpacing regulation – it's a case of lawmakers colluding with profitable firms to evade regulation in order to steal from workers.

The platforms are aslosh in investor cash – Clipboard Health, Intelycare, and Shiftkey are all valued at more than $1b, and Shiftkey just completed a $300m private equity raise. This leaves them with lots of ready cash to spend on regulatory entrepreneurship. In Georgia, Clipboard lobbied "to exempt gig nursing platforms from state unemployment insurance and workers’ compensation laws." In Ohio, Shiftkey and Clipboard are pushing a bill "to classify gig nurses as independent contractors, exempting gig platforms from minimum wage and other worker protection laws." In Utah, Nursa is praising a bill that a state senator called "lightest-touch regulation." All in all, 17 states have nurse gig platform deregulation bills underway.

In 2022, the healthcare gig-work platforms tried to get a California ballot measure to carve nursing platforms out of all state labor laws. They withdrew it, but pursued an "under the radar" approach to get the same thing by seeking changes in administrative rules, rather than state laws. Lobbying for administrative law changes to exempt healthcare gig-work platforms from regulation is also underway in Missouri, Louisiana and Utah.

One bright light in all this comes from New York state, where a 2025 law "affirmatively recognizes gig nursing platforms as entities that must comply with the state’s healthcare staffing agency rules." The existence of this law proves that the crisis of gig-work healthcare platforms is not an example of tech racing ahead of regulation. If New York's state leg can figure out that a gig-work platform is just a staffing agency in app form, then other states can do so as well. If they don't figure that out, that's because they don't want to.

Sometime in this century, our political class and our financial class arrived at a consensus that Douglas Rushkoff describes as "go meta," in his 2022 book Survival of the Richest:

https://pluralistic.net/2022/09/13/collapse-porn/#collapse-porn

The "go meta" ethos insists that the most important, smartest and most valuable move is always away from productive labor. Don't drive a cab: go meta and own a medallion that you rent to a cab driver. Don't own a medallion, go meta and start a gig-work ride-hailing company. Don't start a gig-work ride-hailing company, go meta and invest in a gig-work ride-hailing company. Don't invest in a gig-work ride-hailing company, go meta and buy options in a gig-work ride-hailing company – and so on and so on, into ever more abstracted forms of gambling and rent-collection.

The reorganization of the economy around parasitic middlemen and financial gamblers (but I repeat myself) is the real reason that we can't regulate tech. Once you've decided that the most important party to a transaction is the person who has the option on the share on the platform on the license that the worker who actually does the job requires, of course you're going to see a solar-panel for a sex-machine in every bald spot.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago PKD ratted out other SF writers to the FBI https://web.archive.org/web/20010428121230/https://www.linguafranca.com/print/0105/cover.html

#15yrsago Weird Al snubbed by Lady Gaga, releases his parody without permission as fair use https://www.youtube.com/watch?v=fUxXKfQkswE

#15yrsago How do you compete with free? A taxonomy of reasons to pay for digital files https://www.theguardian.com/technology/gamesblog/2011/apr/20/digital-free-persuade-pay-cory-doctorow?utm_source=twitterfeed&utm_medium=twitter

#15yrsago iOS devices secretly log and retain record of every place you go, transfer to your PC and subsequent devices https://www.theguardian.com/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears

#10yrsago Before 1988 Olympics, South Korea sent ‘vagrants’ to camps where rape and murder were routine https://web.archive.org/web/20160420234916/https://bigstory.ap.org/article/c22de3a565fe4e85a0508bbbd72c3c1b/ap-s-korea-covered-mass-abuse-killings-vagrants

#10yrsago Luxury overnight bus with sleeper cabins shuttles between LA and San Francisco https://www.inc.com/tess-townsend/sleepbus-gets-you-from-sf-to-la-for-50.html

#10yrsago Volkswagen’s internal Dieselgate probe stuck because the company used code-words for its cheat software https://web.archive.org/web/20160419095045/https://www.bloomberg.com/news/articles/2016-04-19/vw-cheating-code-words-said-to-complicate-emissions-probe

#10yrsago Chinese opsec funnies: your foreign boyfriend is a western spy! https://web.archive.org/web/20160420125125/https://www.chinalawtranslate.com/nsed/

#10yrsago UK Chancellor exempts families of “Politically Exposed Persons” from money laundering scrutiny https://www.nakedcapitalism.com/2016/04/uks-osborne-exempts-members-of-parliament-other-politically-exposed-persons-from-money-laundering-oversight.html

#10yrsago Colorado school district wants to arm security staff with assault rifles https://www.csmonitor.com/USA/2016/0419/Colorado-school-district-to-equip-security-workers-with-semiautomatic-rifles

#5yrsago McDonald's corporate wages war on ice-cream hackers https://pluralistic.net/2021/04/20/euthanize-rentier-enablers/#cold-war

#5yrsago Real penalties for covid evicters https://pluralistic.net/2021/04/20/euthanize-rentier-enablers/#cfpb

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Pluralistic: Quinn Slobodian and Ben Tarnoff's "Muskism: A Guide for the Perplexed" (21 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]


Today's links


The Harpercollins cover for Quinn Slobodian and Ben Tarnoff's 'Muskism: A Guide for the Perplexed.'

Quinn Slobodian and Ben Tarnoff's "Muskism: A Guide for the Perplexed" (permalink)

Quinn Slobodian and Ben Tarnoff's Muskism: A Guide for the Perplexed seeks to describe the ideology that gave rise to Elon Musk, the social forces that gave rise to that ideology, and the terrible future that ideology seeks to bring about:

https://www.harpercollins.com/products/muskism-quinn-slobodianben-tarnoff?variant=43838135402530

The book's starting point is that "Muskism" isn't merely the things Musk says, believes and does. It's the ideology that coalesces around him, from the people in his wake and the people he follows. Just as Henry Ford neither defined "Fordism" nor precisely practiced it, "Muskism" is centered on Elon Musk, but it's not Elon Musk's creation.

So what is Muskism? To answer this question, Slobodian and Tarnoff enumerate the factors and influences that produced Musk himself. There's apartheid, with its "rational" system of technocratic authoritarianism, which blended together a life of luxury and plenty (for white settlers), brutal surveillance and state violence (for the Black majority) and fascist control over speech (for everyone), combined with a meat-grinder draft that saw young men of Musk's age being called up to suppress liberation uprisings.

Peak apartheid coincided with peak personal computing, the moment where PCs (and then, modems) were getting cheaper and faster, propagating like mushrooms, offering a young Musk access to a broad world outside of the fascist bubble of South Africa, inspiring global ambitions in Musk.

Closer to home, there's Musk's family: his grandfather, a grandiose and vicious white supremacist who moved to South Africa from Canada because of his love for apartheid and racial hierarchy. There's Musk's father, a violent and abusive fool.

Muskism is also a new variant on techno-libertarianism. Traditional techno-libertarianism seeks to dismantle the state – or better yet, exit from the state, in the manner of an Ayn Rand hero. Techno-libertarianism is intimately bound up with settler colonialism, ever on the hunt for an "empty land" (terra nullius) that can be settled without committing the original sin of expropriation, the gravest offense in a religion organized around the total sanctity of private property:

https://pluralistic.net/2022/06/14/this-way-to-the-egress/#terra-nullius

Muskism doesn't seek to exit the state, it seeks to colonize and control it. Long before DOGE, Musk was playing the organs of the state to his own tune, securing massive contracts and subsidies for his solar and rocketry businesses, relying on the massive, deep-pocketed government to keep his businesses afloat.

Obviously (DOGE!), Muskism also seeks to dismantle the state, but only the parts of it that can be transferred to Musk's own private hands. Muskism is about big government…for Musk, but not for you. It embodies that important conservative value summarized in Wilhoit's Law:

There must be in-groups whom the law protects but does not bind, alongside out-groups whom the law binds but does not protect.

https://crookedtimber.org/2018/03/21/liberals-against-progressives/#comment-729288

This is Musk through and through – a man who demands the right to call innocent strangers "pedo guy" without legal consequence; and also wields the power of the state to shutter businesses that boycott his platform because of its shitty practices:

https://www.findlaw.com/legalblogs/courtside/elon-musk-sues-advertisers-who-boycott-x-under-anti-trust-laws/

Musk grew up on science fiction novels and weaves stfnal tropes through his offerings (for example, calling his chatbot "Grok"). There's no shortage of reactionary politics in science fiction, but Musk doesn't confine his sf-inspired cosmology to reactionary literature. He's famously very fond of the Wachowskis' "Matrix" movies, and leans heavily into the metaphor of the Matrix in explaining his interest in wiring people directly into computers, in characterizing opposing political beliefs as "mind viruses," and in calling his political enemies "NPCs":

https://pluralistic.net/2025/08/18/seeing-like-a-billionaire/#npcs

But Musk's relationship to this metaphor differs in a subtle and important way from the right's "Red Pill" rhetoric. Musk doesn't want to break out of the Matrix – he wants to control the Matrix. He wants to decide which opinions you're allowed to see and discuss (because "most people have weak firewalls for bad ideas"), he wants to beam ideas directly into your neural link, and he wants to abolish any form of workplace democracy, conquering the world with South African baasskap (boss-ism):

https://en.wikipedia.org/wiki/Baasskap

Throughout this slim volume, Slobodian and Tarnoff tease these strains of thought out of Musk's deeds and utterances, and in the systems that he has built or colonized through acquisition. The authors are offering more than a psychoanalysis, though – they're surfacing the material basis for Muskism, the benefits it delivers to its adherents, and the victories it has racked up.

They reveal the method in Musk's chaotic and bullying management style, and recount the times Musk has successfully shattered sclerotic processes to make real breakthroughs, especially in aerospace. You'd be hard pressed to read these passages without feeling some grudging admiration.

Muskism gets stuff done…sometimes. At a cost. A high cost. Tarnoff and Slobodian count that cost, identify who pays it, and conjure up the world in which those costs continue to mount for all of us.

It's a chilling vision, a Torment Nexus dystopia run by someone who thinks cyberpunk was a suggestion, not a warning.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#15yrsago US, EU want to delay copyright treaty to help blind people for 3-5 years https://web.archive.org/web/20110423170607/http://keionline.org/node/1114

#15yrsago Is sugar a poison? https://www.nytimes.com/2011/04/17/magazine/mag-17Sugar-t.html?_r=1&pagewanted=all

#15yrsago More watch-part motorcycles https://ummaisoumenos.blogspot.com/2008/11/miniaturas-fantsticasbikesfeitas-de.html

#15yrsago Seeds: comic-book memoir of father’s cancer is moving, sweet https://memex.craphound.com/2011/04/19/seeds-comic-book-memoir-of-fathers-cancer-is-moving-sweet/

#10yrsago Something New: frank, comedic, romantic memoir of a wedding in comic form https://memex.craphound.com/2016/04/19/something-new-frank-comedic-romantic-memoir-of-a-wedding-in-comic-form/

#10yrsago Ben and Jerry arrested at Democracy Spring demonstration in DC https://web.archive.org/web/20160419173913/https://www.msn.com/en-us/news/us/co-founders-of-ben-and-jerrys-arrested-at-us-capitol/ar-BBrW5tb?li=BBnb7Kz

#10yrsago Competing construction companies stage a bulldozer fight in a busy street https://www.youtube.com/watch?v=UrtnIImGipg

#10yrsago Chicago Police Accountability Task Force Report: racism, corruption, and a “broken system” https://chicagopatf.org/wp-content/uploads/2016/04/PATF_Final_Report_4_13_16-1.pdf

#5yrsago Facebook's tonsils https://pluralistic.net/2021/04/19/tonsilitis/#mod-traum

#1yrago Against transparency https://pluralistic.net/2025/04/19/gotcha/#known-to-the-state-of-california-to-cause-cancer

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Pluralistic: Comrade Trump (20 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

  • Comrade Trump: Burning down the American empire to save it.
  • Hey look at this: Delights to delectate.
  • Object permanence: MPAA's threat-based 'education'; Cuehack; Heinlein on GWB; AT&T v the internet; British tax-havens v HMG; What is neoliberalism?; Newspaper landlords; Watch-part motorcycle; Tax havens bad; Buscemi's eyes; Sesame Street on lead poisoning.
  • Upcoming appearances: San Francisco, London, Berlin, NYC, Barcelona, Hay-on-Wye, London, NYC.
  • Recent appearances: Where I've been.
  • Latest books: You keep readin' em, I'll keep writin' 'em.
  • Upcoming books: Like I said, I'll keep writin' 'em.
  • Colophon: All the rest.


A Soviet propaganda poster featuring Lenin pointing angrily into the distance. It has been altered. Lenin now has Trump's hair and his skin in orange. The hammer/sickle logo behind him has been replaced with a cross.

Comrade Trump (permalink)

There aren't a lot of things I agree with Mark Carney about, but there's one area where he and I are in total accord: the old, US-dominated, "rules-based international order" was total bullshit:

https://www.weforum.org/stories/2026/01/davos-2026-special-address-by-mark-carney-prime-minister-of-canada/

Unlike Carney, I never pretended to like that old order, and indeed, I spent my entire life fighting against it – literally, all the way back to childhood, organizing other children to march against Canada's participation in America's nuclear weapons programs:

https://www.flickr.com/photos/doctorow/53616011737/in/photolist-2pFS5kt

All of which means that my experience of the Trump years is decidedly weird. On the one hand, I exist in a near-perpetual state of anxious misery, as Trump and his chud army of Christian nationalists and degenerate gamblers pursue a program of gleeful genocide. But at the very same time, I'm living in a world in which Trump is (inadvertently) dismantling many of the worst aspects of the old order in favor of something decidedly better.

Take Trump's tariff policy. Back during Trump I, he decided that Americans couldn't buy Chinese solar anymore, which had the double benefit of allowing him to pursue the twin goals of throwing red meat to Sinophobic Cold War 2.0 freaks and delivering a giant gift to the planet-wrecking oil companies that had helped him buy his way into office.

This was really bad for America, of course, but those solar panels had to go somewhere. Mostly, they ended up in Pakistan, dumped there at such a massive discount that the country solarized virtually overnight. Pakistani solar installers learned their trade from Tiktok videos set to Tamil film soundtracks, and unwired the country so thoroughly that today, the national power company is in danger of going bust because no one buys their electricity from the grid anymore. Pakistani bridal dowries now routinely include four panels, an inverter and a battery:

https://billmckibben.substack.com/p/a-tale-of-two-countries

This is an inversion of the normal order of things, in which rich countries get all the good stuff first, and poor countries like Pakistan get scraps after we've gorged ourselves. Think of vaccine apartheid, in which monsters like Howard Dean insisted that we had to prevent countries in the global south from making their own covid vaccines, because poor brown people are too stupid and primitive to run a pharma manufacturing operation:

https://pluralistic.net/2021/04/08/howard-dino/#the-scream

But, thanks to Comrade Trump, Pakistan was first in line to become the world's solar capital. The country's LNG terminal – built with Chinese Belt-and-Road money – is now a stranded asset, because no one there needs gas.

That's gas whose supply has been choked off in the Strait of Epstein…which brings me to Trump's foreign policy and its impact on the global energy shift. Transitory energy shortages have small effects: when your energy bill goes up for a while (because of extreme weather, say), it makes you angry and sad and might result in an electoral loss for whatever politician presided over the price hike. But when you get genuine, prolonged shortages – the sort that are accompanied by rationing – you make permanent changes.

Rationing is so psychologically scarring that it induces people to make long-delayed investments that result in permanent changes to their consumption habits. Maybe you've known for a long time that an induction top would be better for your indoor air quality and your cooking than the gas range you have now, but you don't want to buy a whole new appliance and pay for an electrician to run a high-wattage line in expensive conduit from your breaker panel to your kitchen.

But if you're an Indian restaurateur who can no longer get any cooking gas – because it's being rationed for household use – then you are going out to buy whatever induction top you can lay hands on. Maybe it's a cheap, low-powered single burner one that plugs into your existing electrics, or maybe you're splashing out and swapping out your whole gas appliance. Whichever it is, you are no longer interested in your chef's insistence that real cooking gets done over gas. If your chef can't cook on an induction top, your chef will need to find employment elsewhere.

This is going on all over the world right now, as people buy EVs (and pay to have chargers installed at home – maybe getting a twofer on their conduit runs with two high power lines run through the same conduit infrastructure). In Australia – where the last shipment of gas for the foreseeable came into port last week – people are calling their local EV dealers and offering to buy whatever car is on the lot, sight unseen.

Meanwhile, in Ethiopia, a series of dollar-related crises caused the country to ban imports of internal combustion engines altogether (oil and gas are denominated in dollars, which means you can only get oil if you first sell stuff to Americans or others who'll pay in dollars). The country's fleet of noisy, dirty motorbikes is being swiftly replaced by ebikes that get eight miles to the penny:

https://www.ecofinagency.com/news-industry/0810-49366-ethiopia-expands-vehicle-import-ban-to-trucks-pushing-electric-transport

Ebikes are insanely great technology. Cheap, rugged and reliable, they're basically bicycles that abolish hills. Once you've gotten accustomed to an ebike – maybe you've invested in a folding helmet and a raincoat – you'll never go back. The advantages of an ebike commute over a car commute are legion, but my favorite little pleasure is the ability to easily make a stop at a nice coffee shop halfway between home and work, rather than being stuck buying shitty chain coffee near the office.

Four years ago, another mad emperor, Vladimir Putin, invaded Ukraine – and in so doing, catapulted Europe's energy transition into the Gretacene, with unimaginable defeats for the fossil fuel lobby. Not just subsidies for the clean energy transition, but also policy shifts in areas that had been deadlocked for a decade, like approvals for balcony solar, which is transforming the continent. Even the UK, one of the oil industry's most reliable vassal states, is now greenlighting balcony solar:

https://www.gov.uk/government/news/government-to-make-plug-in-solar-available-within-months

This may not sound like much, but the UK is a country whose politics is composed of 50% hatred of migrants and trans people, and 50% incredibly stupid planning battles. Great Britain is a magical land where your neighbors can ask the government to prevent you from installing double-glazing on the grounds that it will change the "historic character" of their neighborhood of terraced Victorian homes.

I once lost a fight to get permission to put a little glass greenhouse on my balcony on the grounds that it would "alter the facade" of the undistinguished low-rise 1960s industrial building I live on top of. The fact that HMG is going to tell your facade-obsessed neighbors to fuck off all the way into the sun so that you can hang solar panels off your balcony is nothing short of a miracle.

Comrade Putin's contribution to oil-soaked Britain's energy transition can't be overstated. Thanks to "free market" policies that sent energy prices soaring after the Ukraine invasion, Brits installed so much solar (despite the existing impediments to solarization) that now the government is begging us to use more energy this summer, because the grid can't absorb all those lovely free electrons:

https://www.theguardian.com/environment/2026/apr/14/uk-households-power-renewables-soar

The UK is on a glide-path to adopting the Australian plan. Australia also benefited from Trump I's solar embargo, receiving a ton of cheap solar that would otherwise have ended up in America. Now Australia has so much solar that they're giving away electricity, with three free hours of unlimited energy every day. Stick your dishwasher, clothes-dryer and EV charger on a timer, invest in a battery or two, and fill your boots:

https://billmckibben.substack.com/p/free-electricity-like-at-no-cost

(Maybe at this point you're thinking dark thoughts about critical minerals and such. That's not the problem you think it is and it's getting better every day. To take just one example, lithium batteries are about to be replaced with sodium batteries. Sodium is the world's sixth-most abundant element:)

https://www.livescience.com/technology/electric-vehicles/china-puts-a-sodium-ion-battery-into-an-ev-for-the-first-time-it-can-drive-248-miles-on-a-single-charge

The Strait of Epstein crisis is going to do more to accelerate permanent, unidirectional migration away from fossil fuels to cleantech than decades of environmental activism. Cleantech is so much better than fossil fuels – cheaper, more reliable, cleaner – that anyone who tries it becomes an instant convert. That's why the fossil fuel industry has been so insistent that no one get to try it!

To take just one example here: Texas ranchers have been solarizing, thanks to the state's bizarre "free market" energy system that sees energy prices spiking so high during cold snaps that you literally have to choose between freezing to death and going bankrupt. Solar is great for agriculture, especially in climate-ravaged Texas, where it provides crucial shade for crops and livestock, while substantially reducing soil evaporation, resulting in substantial irrigation savings.

When the oil-captured Texas legislature introduced a bill to force electric companies to add one watt of fossil power for every watt of solar that their customers installed, furious ranchers from blood red Republican rural districts flooded their town hall meetings, decrying the plan as "DEI for fossil fuels." The bill died:

https://austinfreepress.org/renewables-are-now-the-costco-of-energy-production-bill-mckibben-says/

This is the template for the long-foreseeable future. Thanks to Trump's stupid, bloody, unforgivable war of choice in the Gulf, the world is going to install unimaginable amounts of cleantech. They are going to throw away their water heaters, motorbikes, furnaces and cars and replace them with all-electric versions. They're going to cover their roofs and balconies with panels. The battery industry will experience a sustained boom. The fortunes that fossil fuel companies are reaping from the current shortage is their last windfall.

The writing is on the wall. Trump opened Alaska for drilling and the oil companies noped out because they couldn't find a bank that would loan them the money needed to get started. Then it happened again in Venezuela. This de-fossilizing was already the direction of travel, the only question was the pace at which the transition would proceed – and Comrade Trump has just stomped all over the (liquid natural) gas pedal.

Energy is just one realm where Trump is doing praxis. One of the most exciting developments that Trumpismo's incontinent belligerence has induced is the global technology transition.

For decades, the only people pointing out the dangers of using America's cash-grabbing, privacy invading defective tech exports were digital rights hippies like me, and our victories were modest and far between. Despite the Snowden revelations, despite the tech industry's prolific snood-cocking at EU privacy regulators and Canadian lawmakers, we all just carried on using these incredibly dangerous, steadily enshittifying Big Tech products. We even run our governments and structurally important companies off Big Tech. We let US tech companies update (that is, downgrade) the software on our cars and tractors, our pacemakers and ventilators, our power plants and telephone switches.

There's lots of reasons for this. For one thing, ripping out and replacing all that software and firmware is a prodigious challenge, as is building the data-centers to host it for every "digitally sovereign" country. Add to that the complexity of successfully migrating data, edit histories, archives and identities and you're looking at a very big lift. So long as the American tech bosses kept their enshittificatory gambits to a measured, slow flow, they could keep the pain beneath the threshold where it was worth us boiling frogs leaping out of their pot.

But the most important force defending American internet hegemony was free trade: specifically, the US forced all of its trading partners to adopt "anticircumvention" laws that make it illegal to modify US tech exports. That means that you can't go into business selling your neighbors the tools to use generic ink or an independent app store, much less make a fortune exporting those tools to the rest of the world:

https://pluralistic.net/2026/03/16/whittle-a-webserver/#mere-ornaments

Enter Comrade Trump. When Trump started weaponizing US tech platforms to take away the working files, email accounts and cloud calendars of judges who pissed him off (by sentencing Bolsonaro to prison, and by swearing out a genocide warrant for Netanyahu), he put the whole world on notice that he could shut down their governments, judiciaries or companies at the click of a mouse:

https://pluralistic.net/2026/04/16/pascals-wager/#doomer-challenge

And of course, he's whacked the whole world with tariffs that violate the trade agreements that imposed the anticircumvention obligations that protect America's defective tech exports. Now there's no longer any reason to keep those laws on the books. Happy Liberation Day, everyone! The post-American internet is at hand:

https://pluralistic.net/2026/01/01/39c3/#the-new-coalition

But Trump has even more praxis up his spraytan-stained sleeves. Trump is succeeding where Bernie Sanders, Elizabeth Warren and AOC failed: he's making the case for Democrats to defenestrate their useless, sellout, Epstein-poisoned leaders. All across the country, radical Dems and avowed socialists are sweeping primaries and elections, as voters realize that Blue No Matter Who will doom them to eternal torment in the Manchin-Synematic Universe:

https://prospect.org/2026/02/11/progressive-win-new-jersey-anti-ice-organizing-mejia/

Fury over Trumpismo is pushing even the most useless Democratic leaders to sign up for billionaire taxes:

https://jacobin.com/2026/04/zohran-tax-rich-hochul-nyc

Thanks to Comrade Trump, the median Democratic voter will no longer be satisfied with Kente cloth photo-ops and little ping-pong paddles stenciled with "down with this sort of thing":

https://www.truthdig.com/articles/ping-pong-paddles-to-a-gun-fight/

Thanks to Trump, we might see criminal prosecutions – and a primary challenge for any Dem that gets in the way of a serious, Nuremberg-style reckoning with Trumpismo and its gangsters:

https://pluralistic.net/2026/02/10/miller-in-the-dock/#denazification

Look, all things being equal, I would have preferred that Trump had keeled over from a mid-burger stroke on the campaign trail in 2016. But when life gives you SARS, you make sarsaparilla. This is a deeply shitty timeline, but Comrade Trump keeps tripping over his red tie. Let's take the wins.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago The MPAA 'educates the public' with threatening letters https://web.archive.org/web/20120318060108/http://news.cnet.com/2100-1023-255961.html&tag=tp_pr

#25yrsago Cuehack for the :CueCat https://web.archive.org/web/20010803172853/http://www.rtmark.com/cuejack/

#25yrsago Microsoft Technical Support vs The Psychic Friends Network https://web.archive.org/web/20010410171616/http://www.bmug.org/news/articles/MSvsPF.html

#20yrsago The novel Heinlein would have written about GW Bush’s America https://memex.craphound.com/2006/04/17/the-novel-heinlein-would-have-written-about-gw-bushs-america/

#20yrsago Hilarious hijinx with security guards who hate building-photographers https://thomashawk.com/2006/04/photographing-architecture-is-not.html

#20yrsago Hundreds ask Smithsonian not to sell out to Showtime https://web.archive.org/web/20060420031124/https://www.americanprogress.org/site/pp.asp?c=biJRJ8OVF&b=1554385

#20yrsago How AT&T wants to turn the Internet into mere TV https://web.archive.org/web/20060620095643/http://www.salon.com/tech/feature/2006/04/17/toll/index_np.html

#20yrsago NOLA mayoral candidate doctors Disneyland photo – again https://web.archive.org/web/20060422010054/https://www.wonkette.com/politics/new-orleans/kimberly-williamson-butler-continues-to-astound-us-167923.php

#20yrsago Where He-Man came from https://web.archive.org/web/20060423061651/https://thesneeze.com/mt-archives/000500.php

#20yrsago FBI demand chance to censor muckracking journo’s papers https://web.archive.org/web/20060421045340/https://www.chronicle.com/free/2006/04/2006041801n.htm

#15yrsago Ethiopia’s “newspaper landlords” rent the want-ads by the minute https://www.cnn.com/2011/BUSINESS/04/19/newspaper.rental.ethiopia/index.html

#15yrsago It’s people like us what makes trouble: the pernicious influence of immigrants in the UK. https://web.archive.org/web/20080314013819/http://feorag.newsvine.com/_news/2008/03/10/1356131-the-pernicious-influence-of-immigrants-in-the-uk

#15yrsago China’s “Jasmine Revolution”: anonymous out-of-country bloggers troll the politburo https://web.archive.org/web/20110412063347/http://globalguerrillas.typepad.com/globalguerrillas/2011/04/the-jasmine-revolution.html

#15yrsago Motorcycles made from watch parts https://www.deviantart.com/dkart71/art/Motorcycles-out-of-watch-parts-18a-204941090

#15yrsago Steve Buscemi’s Eyes: the printable mask https://eyesuckink.blogspot.com/2011/04/free-home-version-of-steve-buscemis.html

#15yrsago Privacy, Facebook, politics and kids https://www.theguardian.com/commentisfree/video/2011/apr/18/cory-doctorow-networking-technologies-video?CMP=twt_fd

#15yrsago NZ MP votes for anti-piracy law hours after tweeting about her love of pirated music https://torrentfreak.com/kiwi-mp-called-out-as-pirate-after-passing-anti-piracy-law-110415/

#15yrsago Righthaven copyright trolls never had the right to sue, have their asses handed to them by the EFF https://web.archive.org/web/20110418001051/http://paidcontent.org/article/419-righthavens-secret-contract-is-revealedwill-its-strategy-collapse/

#15yrsago TSA considers being upset at screening procedures to be an indicator of terrorist intentions https://www.cnn.com/2011/TRAVEL/04/15/tsa.screeners.complain/

#10yrsago The saga of Ian Bogost’s pressure-washer https://bogostpressurewasherstatus.tumblr.com/

#10yrsago Heads of UK’s tax havens to Her Majesty’s Government: go fuck yourself https://web.archive.org/web/20160411112631/http://www.independent.co.uk/news/uk/politics/tax-haven-corporate-tax-avoidance-uk-ministers-humiliated-after-cayman-bvi-british-virgin-islands-a6974956.html

#10yrsago George Clooney’s neighbor threw a $27/plate Sanders fundraiser to counter Clooney’s $33K/head Hillary event https://www.nbcnews.com/politics/2016-election/sanders-supporters-shower-clinton-motorcade-1-bills-n557191

#10yrsago What is neoliberalism? https://www.theguardian.com/books/2016/apr/15/neoliberalism-ideology-problem-george-monbiot?CMP=twt_books_b-gdnbooks

#10yrsago No, tax-havens aren’t good for society (duh) https://web.archive.org/web/20160602053124/https://www.washingtonpost.com/opinions/five-myths-about-tax-havens/2016/04/15/76d001d2-0255-11e6-b823-707c79ce3504_story.html

#10yrsago John Oliver and the cast of Sesame Street on lead poisoning https://www.youtube.com/watch?v=GUizvEjR-0U

#10yrsago Supreme Court sends Authors Guild packing, won’t hear Google Books case https://arstechnica.com/tech-policy/2016/04/fair-use-prevails-as-supreme-court-rejects-google-books-copyright-case/

#10yrsago Four years later, Popehat’s favorite con-artist is indicted https://web.archive.org/web/20160419031946/https://popehat.com/2016/04/18/anatomy-of-a-scam-investigation-chapter-14-the-indictment/

#10yrsago Hacking Team supplied cyber-weapons to corrupt Latin American governments for human rights abuses https://www.derechosdigitales.org/wp-content/uploads/malware-para-la-vigilancia.pdf

#10yrsago High profits mean capitalism is cooked https://www.promarket.org/2016/04/16/are-we-all-rent-seeking-investors/

#10yrsago A look back at the D&D moral panic https://www.nytimes.com/2016/04/18/us/when-dungeons-dragons-set-off-a-moral-panic.html

#10yrsago Petition to reassign head of Canada Post to deliver letters at $500k/year https://www.ipetitions.com/petition/help-canada-post-ceo-deepak-chopra-keep-his-job

#1yrago Mark Zuckerberg personally lost the Facebook antitrust case https://pluralistic.net/2025/04/18/chatty-zucky/#is-you-taking-notes-on-a-criminal-fucking-conspiracy

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Pluralistic: Georgia's voting technology blunder (18 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links


A hand dropping a ballot in a box; the box is a complicated, many-geared machine. On its faceplate is an 'I voted' sticker that has been modified to read 'I voted?'

Georgia's voting technology blunder (permalink)

Nearly 25 years ago, in the aftermath of Bush v Gore, I got involved in a bunch of ugly tech policy fights over voting machines. The hanging chad debacle in Florida prompted Congress to appropriate funds for states to purchase new touchscreen voting machines based on a robust, open standard. The problem was, those machines didn't exist.

The voting machine industry in those days was already very consolidated (it's far more consolidated today). They went shopping for a standards body that would publish a spec for a "standard" voting machine that could soak up those federal dollars in time for the 2004 election. The only taker was the IEEE, who unwisely offered to serve as host for this impossible rush job.

Once the voting machine reps were around a table at IEEE – largely sheltered from antitrust scrutiny thanks to the broad latitude enjoyed by firms engaged in standardization, which is otherwise uncomfortably close to collusion – they admitted what everyone already knew: there was zero chance they were going to develop a new standard in time for the election.

Instead, they decided they were going to publish a "descriptive standard." Rather than designing a new standard, they'd write down the specs of their own products – the same products that were considered so defective they needed to be replaced before the election – and call that the standard.

That was my first encounter with this issue as an activist. I had just started at EFF and a lot of our supporters were IEEE members, who were appalled to see their professional association being used to launder this incredibly politically salient, technically incoherent scam. We got a ton of IEEE members to write to the board, who shut down the standards committee and kicked the voting machine companies to the curb.

The voting machine companies weren't done, though. Diebold – one of the leaders in the cartel – knew that its voting machines were defective. They'd crash, lose their vote-counts and malfunction in other ways that were equally damaging to election integrity.

This was an alarming piece of news, but perhaps just as alarming is the way it came to light. A Diebold employee described this situation in a memo that was subsequently hacked and dumped by parties unknown. That memo, along with the accompanying tranche of extremely alarming revelations about Diebold's voting machine division, was the subject of one of the first mass-censorship copyright campaigns in internet history.

Diebold didn't dispute the veracity of these damning revelations: rather, it claimed that since the memos detailing its gross democracy-endangering misconduct had been prepared by an employee, that they were therefore works-made-for-hire whose copyright was held by Diebold, and thus anyone who reproduced the memo was infringing on the company's copyright.

Under Section 512 of the then-new Digital Millennium Copyright Act, Diebold was empowered to send "takedown notices" to the web hosting providers whose users had posted the memos, and if the web hosts didn't remove the content "expeditiously," they would be jointly liable for any eventual copyright damages, which are statutorily set at $150,000 per infringement.

Every web host folded. No one wanted to take the risk of tens of millions of dollars in statutory damages.

(Incidentally: anyone who tells you that "online safety" requires us to make online platforms liable for their users' speech needs to explain how this wouldn't empower every crooked company whose dirty laundry had ended up online wouldn't just do what Diebold did. It's not technically insanity to do the same thing over again in expectation of a different outcome, but it is awfully stupid and reckless.)

That might have been the end of things, except for the kids at Swarthmore, a small liberal arts college in Pennsylvania. Two students, Nelson Pavlosky and Luke Smith, were outraged by Diebold and they had accounts on Swarthmore's webserver. So they uploaded thousands of copies of the leaked memos, but linked to just one of them from a page about the leak. As soon as that copy was deleted by Swarthmore's webmasters in response to a DMCA takedown from Diebold, the students updated the link to point to another copy. And another. And another.

That's where EFF got involved. We repped the Online Policy Group, whose page linking to the Swarthmore resources was taken down by a Diebold notice. We won. The memos became a matter of public record. The Swarthmore kids started a nationwide network called "Students for Free Culture." It was pretty danged cool.

That wasn't the end of the Diebold story, though. Diebold was and is a very diversified conglomerate that made a lot of tabulating machines: ATMs, cash-registers, medical monitoring devices…and voting machines. Every one of these machines produced a paper-tape of its tabulations as an audit trail that could be used to reconstruct its calculations if it crashed…except the voting machines. The voting machines that kept crashing, and whose crashes presented a serious risk to the legitimacy of US elections in the wake of the worst electoral crisis in the country's history.

Diebold's stated reason for this was that adding a paper tape was haaaard (even though all its other machines had paper audit tapes). Not only was this a very unconvincing excuse, it was downright alarming in light of the promise of Walden O’Dell (Diebold CEO and prominent Bush fundraiser) to help "Ohio deliver its electoral votes to the president":

https://fairvote.org/diebold-partisanship-and-public-interest-elections/

Now, to be clear, I don't think that O'Dell was going to steal the election for Bush (that's the Supreme Court's job). Rather, he was just a loudmouth asshole CEO who supported the (up to that point) worst president in American history, and who also made garbage products that were not fit for purpose.

In the decades since, voting machines have been the subject of lots of scrutiny by the information security community, because they suck. Time after time, the most sphincter-puckering defects in widely used machines have come to light:

https://blog.citp.princeton.edu/2006/05/11/report-claims-very-serious-diebold-voting-machine-flaws/

The hits just kept on coming:

https://web.archive.org/web/20061007120655/http://openvotingfoundation.org/tiki-index.php?page_ref_id=1

At Defcon, the amazing Matt Blaze has presided over the Voting Village, where it's an annual tradition for hackers to probe voting machines. This exercise has produced a string of terrifying revelations that precisely described how these machines suck:

https://www.votingvillage.org/cfp

Pretty much everyone I knew thought that voting machines were garbage technology…right up to the moment that the My Pillow guy, Tucker Carlson, and a whole menagerie of conspiratorial Trumpland mutants started peddling a bizarre story about how Hugo Chavez colluded with the Canadian voting machine company Dominion Voting Systems (who bought Diebold's voting machine business when they finally dumped the division) to rig the 2020 election for Joe Biden. They told so many outlandish lies about this that Fox ended up paying Dominion $787.5 million to settle the case:

https://en.wikipedia.org/wiki/Dominion_Voting_Systems#Dominion_Voting_Systems_v._Fox_News_Network

That's when something very weird happened. A bunch of people who had been skeptical of voting machines since the Brooks Brothers Riot suddenly became history's most ardent defenders of those same garbage voting machines. The cartel of voting machine companies – who had a long track record of using bullshit legal threats to silence their (mostly progressive) critics – were drafted into The Resistance(TM), and anyone who thought voting machines were trash was dismissed as a crazy person who has been totally mypillowpilled:

https://web.archive.org/web/20210203113531/https://www.washingtonpost.com/outlook/2021/02/03/voting-machines-election-steal-conspiracy-flaws/

There's a name for this: it's called "schismogenesis": when one group of people define themselves in opposition to someone else. If the other team does X, then your team has to oppose X, even if you all liked X until a couple minutes ago:

https://pluralistic.net/2021/12/18/schizmogenesis/

This schismogenic reversal persists to this very day. Every time Trump promotes another election denier to his cabinet, a federal agency, or a judgeship, the idea that voting machines are garbage becomes more Stop the Steal-coded, even though voting machines are, objectively, garbage.

Which is bad. It's bad because we are going into another election season where the stakes are – incredibly – even higher than Bush v Gore, and electoral authorities and state legislatures are making the world's most unforced errors in their voting machine procurement decisions, and if you've conditioned yourself to reflexively dismiss voting machine criticisms as conspiratorial nonsense, then you are part of the problem.

Just because some voting machine criticism is conspiratorial nonsense, it doesn't follow that voting machines are good, nor does it follow that every voting machine critic is a swivel-eyed loon or ratfucking Roger Stone protege.

Take, for example, Princeton's Andrew Appel, a computer scientist who's been publishing well-informed, well-documented warnings about defects in voting machines for years and years. Appel's latest is an alarming note about Georgia's new plan to "tabulate" ballots using OCR software:

https://blog.citp.princeton.edu/2026/04/10/ballot-tabulation-by-uploading-scanned-images-for-ocr-is-quite-insecure/

The Georgia legislature has wisely banned the use of QR codes on the paper ballots generated by touchscreen voting machines. We have, at long last, progressed to the point where we use "ballot marking devices" (BMDs) that produce a paper record that can be hand-counted. The problem is that voters barely ever glance at these paper ballots before dropping them in the box to make sure the choices they made on the touchscreen are correctly reflected on the ballot – only 7% of voters carefully inspect their ballots!

This problem is greatly exacerbated if these ballot papers are tabulated by a machine that reads a QR code or barcode, rather than interpreting the human-readable information on the ballot. People are even less likely to pull out their phones and scan the QR code to ensure it matches the words on the paper. That means that a BMD could output different choices in the QR code than it prints in the human-readable part – and the Dominion BMD machines they use in Georgia run outdated software that's super-hackable:

https://blog.citp.princeton.edu/2026/02/24/georgia-still-using-tragicomically-insecure-voting-system/

So Georgia's state leg passed Senate Bill 189, which establishes that "The text portion of the paper ballot marked and printed by the electronic ballot marker indicating the elector’s selection shall constitute the official ballot and shall constitute the official vote for purposes of vote tabulation." In other words, you can't count by scanning QR codes, you have to actually interpret the human-readable text on these ballots.

These machines still suck, to be clear (the fact that they don't suck for the mypillovian reasons that Tucker Carlson believes doesn't mean they're good) – but thanks to SB189, they are way less dangerous to democracy than they might be.

But not if Secretary of State Brad Raffensperger gets his way. Raffensperger is another guy who was drafted into The Resistance(TM) after he refused to commit election fraud for Trump, but he's also not good. He can still be terrible in other ways – and he is.

Raffensperger has announced his plan to circumvent the Georgia legislature by using Dominion ICX touchscreens to produce ballots with QR codes, which will then be tabulated in Dominion ICP scanners – but then he's going to "verify" the tabulation by running those same ballots through optical character recognition (OCR) software.

As Appel points out, this is the same stupid plan that Raffensperger tried in 2024, where he called the OCR step an "audit" of the QR tabulation. Back then, he grabbed 200dpi "ballot image files" from the Dominion BMDs and ran them through OCR software run by a company called Enhanced Voting. Appel sums up the fundamental incoherence of this approach.

First, the BMDs are super-hackable, so we don't trust them to print the same info in the QR code as they print in the human-readable text (which no one looks at anyway). If we don't trust them to print accurate info in the QR code, then why would we trust them to accurately generate that 200dpi QR code that's generated for the audit? As Appel writes, "it would be fairly easy for an unsophisticated attacker to alter ballot-image files–just replace the ballots they don’t like with copies of the ones they do like."

Then there's the step where these files are zipped up and transferred to the outside vendor for the audit – a step that Raffensperger has not explained. And even if the files make it to the outside contractor safely, that contractor could "change the inputs (ballot images) or outputs (tabulations)."

So this is very bad. Voting machines suck. Raffensperger sucks.

And here's the stupidest part: as Appel explains, there is a much more secure way to do this, and it's very cheap:

Just use their existing Dominion ICP (polling-place) scanners to count preprinted, hand-marked optical-scan "bubble ballots" that the voter has marked with a pen.

This is what other states are doing. As Appel writes, "This doesn’t even require a software upgrade of any kind. Although it would be a fine idea to install a software upgrade that addresses known security vulnerabilities in the ICX and ICP, the ICP can count hand-marked ballots with or without the upgrade."

This is a purely unforced error, in other words. As such, it's part of a series of shitty vote-tech choices that politicians and officials have been making since Bush v Gore. Truly, we live in the stupidest timeline.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#20yrsago GW Bush’s iPod contains “illegal” (according to RIAA) music https://memex.craphound.com/2006/04/16/gw-bushs-ipod-contains-illegal-according-to-riaa-music/

#20yrsago Fan fiction community for McDonald’s breakfast sandwiches https://web.archive.org/web/20120112221730/https://mcgriddlefanfic.livejournal.com/profile/

#10yrsago High tech/high debt: the feudal future of technology makes us all into lesser lessors https://web.archive.org/web/20160415150308/https://www.theatlantic.com/technology/archive/2016/04/rental-company-control/478365/

#10yrsago Three pieces of statistical “bullshit” about the UK EU referendum https://timharford.com/2016/04/three-pieces-of-brexit-bullshit/

#10yrsago Southwest Air kicks Muslim woman off plane for switching seats https://web.archive.org/web/20160416041342/http://www.independent.co.uk/news/world/americas/muslim-woman-kicked-off-plane-as-flight-attendant-said-she-did-not-feel-comfortable-with-the-a6986661.html

#10yrsago China’s Internet censors order ban on video of toddler threatening brutal cops https://chinadigitaltimes.net/2016/04/minitrue-4/

#10yrsago Tiny South Pacific island to lose free/universal Internet lifeline https://www.rnz.co.nz/news/pacific/299017/niue-to-get-better-internet-service-at-a-cost

#10yrsago The Everything Box: demonological comedy from Richard “Sandman Slim” Kadrey https://memex.craphound.com/2016/04/16/the-everything-box-demonological-comedy-from-richard-sandman-slim-kadrey/

#5yrsago People's Choice Communications https://pluralistic.net/2021/04/16/where-it-hurts/#charter-hires-scabs

#5yrsago "Anti-voter-suppression" companies are lobbying to kill HR1 https://pluralistic.net/2021/04/16/where-it-hurts/#tissue-thin

#5yrsago $100m deli made $35k in 2019/20 https://pluralistic.net/2021/04/16/where-it-hurts/#hometown

#5yrsago Mass-action lawsuit against Facebook https://pluralistic.net/2021/04/16/where-it-hurts/#sue-facebook

#1yrago Trump fought the law and Trump won https://pluralistic.net/2025/04/16/weaponized-admin-incompetence/#kill-all-the-lawyers

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Pluralistic: Tiktokification shall set us free (17 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links


Dore's illustration of Moses coming off the mountain with the Ten Commandments; it has been modified. It has been hand tinted. Moses' head has been replaced with Mark Zuckerberg's metaverse avatar's head. The Tiktok logo appears in the bottom left corner of the stone tablets.

Tiktokification shall set us free (permalink)

Mark Zuckerberg has a problem with your friends: they're the reason you signed up to use his platform, but they stubbornly refuse to organize your socialization to "maximize engagement." Every time you and your friends wrap up a social interaction and log off, Zuckerberg loses revenue.

After all, by definition, you and your friends have a lot of shared context. You probably feel mostly the same way about most things. You probably mostly consume the same kind of media. You probably mostly consume the same kinds of news. You and your friends make each other's lives better in lots of ways, but typically not by surprising one another. On a typical day, no friend of yours is going to absolutely floor you with a novel thought or finding that sparks hours of furious conversation and argumentation.

And speaking of argumentation: you and your friends probably don't argue that much – I mean, sure, you'll have "friendly disagreements" (again, by definition), but if there's a friend who sparks furious, frustrating, irresistible feuds that drag on and on, chances are that person won't be your friend anymore.

Facebook experienced sustained, meteoric growth by letting people connect with their friends, but Zuckerberg quickly came to understand that his path to revenue maximization ran through nonconsensually cramming strangers' posts into your eyeballs, in the hopes that you would lose yourself in long, pointless arguments.

But that, too, hit a limit. Most of us don't like having our limbic systems tormented by strangers. As anyone who is sick to the back teeth of just hearing the word "Trump" can attest, living in a trollocracy is exhausting.

Enter Tiktok. Tiktok found a way to connect you to strangers who don't make you angry. By offering performers money if they produced media that you "engaged" with, Tiktok offloaded the work of convincing you to conduct your online activities in a way that maximized opportunities to show you an ad onto an army of global theater kids who would spend every hour that god sent trying to figure out how to keep you looking at Tiktok.

This was hugely successful – so successful, in fact, that Tiktok was able to cheat, overriding its own algorithmic guesses about which of its billion cable-access television channels you'd stare at the longest with a "heating tool" that lets the company trick some of those theater kids into thinking that Tiktok was actually more suited to them than other platforms:

https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys

For zuckermuskian social media bosses, Tiktok became an object of fierce envy. Here was the ultimate Tom Sawyer robo-fence-painter, a self-licking ice-cream cone that motivated people to convince each other to make money for you. Facebook, Instagram and Twitter took a hard pivot away from showing you the things that the people you loved had to say, in favor of showing you short videos of people whose parents didn't give them enough affection in their childhood, desperately shoving lemons up their noses in a bid to win your approval (and a revshare split with the platforms).

It worked. Sorta. Thing is, some of those "content creators" are actually very good, and none of them appreciate being jerked around. They quite rightly see their reason for being on the platforms as improving their own lives, not the bottom line of the platforms' owners and executives. They may be more "engaging" than your friends, but they're also a lot mouthier and feel entitled to a say in how the platform operates.

What's a billionaire solipsist to do? Obviously, the answer is "AI creators." An "AI creator" is like a "creator" in that it works to maximize your engagement with the platform – and thus the number of ads that can be crammed into your face-holes – but, unlike a "creator," it makes no demands upon the platform and exists solely to serve the platform's shareholders and executives. It's the perfect realization of the solipsist fantasy of a world without people:

https://pluralistic.net/2026/01/05/fisher-price-steering-wheel/#billionaire-solipsism

But there's a problem with this plan: your friends are not a liability for a platform. Your friends are the platforms' single most important asset. Your friends are why the platforms are so "sticky." The platforms don't "hack your dopamine loops" – they just take your friends hostage, and even though you love your friends, they are a monumental pain in the ass, and if you can't even agree on what board-game you're going to play this weekend, how are you going to agree when it's time to leave Facebook, and where to go next?

https://pluralistic.net/2023/01/08/watch-the-surpluses/#exogenous-shocks

So long as you love your friends more than you hate Zuckerberg or Musk, you will remain stuck to their platforms. The platform bosses know this, and they inflict pain on you that is titrated to be just below the threshold where you hate the platforms more than you love your friends.

But as much as the platform bosses rely on your love of your friends, they still view your friends as liabilities, thanks to those friends' unreasonable insistence on structuring their relationship with you to maximize their own satisfaction, rather than how much time you spend looking at ads. So the platforms are deliberately disconnecting you from your friends by minimizing the fraction of your feed that is given over to posts from people you follow, and replacing those friends with a succession of ever-more fungible posters: trolls, creators, and chatbots.

The key word here is fungible. A feed composed of things posted by people you have a personal connection to is non-fungible: it cannot be swapped for a feed of things posted by strangers. Your friends fulfill a very specific purpose in your life that strangers – even extremely cool strangers – cannot match.

On the other hand: one feed of algorithmically selected, entertaining amateur dramatics is broadly equivalent to any other feed of algorithmically selected amateur dramatics. That goes double for feeds whose performers are "multi-homing" on more than one platform – whether you see the extremely charming and interesting Vlog Brothers in a Youtube feed, a Tiktok feed or an Insta feed makes no difference (to you – but it matters a lot to the platform bosses). That goes quintuple for feeds composed of AI slop, which is literally the most interchangeable video that modern science is capable of producing.

All of which is to say: the platforms are deliberately feeding their most important commercial assets into a shredder, in a fit of pique over your friends' unwillingness to act like chatbots. Every day and in every way, the platforms are making it easier to leave them for some rival's service, chasing the billionaire solipsist's dream of a world without people:

https://pluralistic.net/2022/02/17/live-by-the-swordlive-by-the-sword/#unfriending-tom

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago Leon Trotsky, B2B visionary https://web.archive.org/web/20020211212222/http://www.marxists.org/archive/trotsky/works/1935/1935-ame.htm

#20yrsago What would a BBC “public service game” look like? https://web.archive.org/web/20060417123908/http://crystaltips.typepad.com/wonderland/2006/04/on_public_servi.html

#15yrsago New Zealand’s 3-strikes rule can go into effect in September https://legislation.govt.nz/bill/government/2010/119/en/latest/#DLM3331800

#15yrsago Lawsuit: DRM spied on me, gathered my personal info, sent it to copyright enforcers who called me with $150,000 legal threat https://www.techdirt.com/2011/04/14/drm-accused-sending-personal-info-to-help-with-licensing-shakedown/

#10yrsago Edward Snowden provides vocals on a beautiful new Jean-Michel Jarre composition https://web.archive.org/web/20190415045927/https://www.rollingstone.com/music/music-news/edward-snowdens-new-job-electronic-music-vocalist-184650/

#10yrsago Uber and Lyft don’t cover their cost of capital and rely on desperate workers https://www.ianwelsh.net/the-market-fairy-will-not-solve-the-problems-of-uber-and-lyft/?

#10yrsago Treescrapers are bullshit https://99percentinvisible.org/article/renderings-vs-reality-rise-tree-covered-skyscrapers/

#10yrsago Before and After Mexico: a Bruce Sterling story about the eco-pocalypse https://bruces.medium.com/before-and-after-mexico-f3371c346c8a#.33e9poqnx

#10yrsago Barack Obama: Taking money from 1 percenters compromised my politics https://web.archive.org/web/20160415201709/https://theintercept.com/2016/04/15/barack-obama-never-said-money-wasnt-corrupting-in-fact-he-said-the-opposite/

#1yrago Tesla accused of hacking odometers to weasel out of warranty repairs https://pluralistic.net/2025/04/15/musklemons/#more-like-edison-amirite

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Pluralistic: A Pascal's Wager for AI Doomers (16 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links


A killer 1940s robot zapping two large domes with eye-lasers; trapped under the domes are two children, taken from 1910s photos of child laborers; one, a little girl in a straw hat, is holding two heavy buckets. The other, a newsie with a shoulder bag, is picking his nose. The background is the collapsing pillars seen in Dore's engraving of The Death of Solomon.

A Pascal's Wager for AI Doomers (permalink)

Lest anyone accuse me of bargaining in bad faith here, let me start with this admission: I don't think AI is intelligent; nor do I think that the current (admittedly impressive) statistical techniques will lead to intelligence. I think worrying about what we'll do if AI becomes intelligent is at best a distraction and at worst a cynical marketing ploy:

https://locusmag.com/feature/cory-doctorow-full-employment/

Now, that said: among some of the "AI doomers," I recognize kindred spirits. I, too, worry about technologies controlled by corporations that have grown so powerful that they defy regulation. I worry about how those technologies are used against us, and about how the corporations that make them are fusing with authoritarian states to create a totalitarian nightmare. I worry that technology is used to spy on and immiserate workers.

I just don't think we need AI to do those things. I think we should already be worried about those things.

Last week, I had a version of this discussion in front of several hundred people at the Bronfman Lecture in Montreal, where I appeared with Astra Taylor and Yoshua Bengio (co-winner of the Turing Prize for his work creating the "deep learning" techniques powering today's AI surge), on a panel moderated by CBC Ideas host Nahlah Ayed:

https://www.eventbrite.ca/e/artificial-intelligence-the-ultimate-disrupter-tickets-1982706623885

It's safe to say that Bengio and I mostly disagree about AI. He's running an initiative called "Lawzero," whose goal is to create an international AI consortium that produces AI as a "digital public good" that is designed to be open, auditable, transparent and safe:

http://lawzero.org

Bengio said he'd started Lawzero because he was convinced that AI was going to get a lot more powerful, and, in the absence of some public-spirited version of AI, we would be subject to all kinds of manipulation and surveillance, and that the resulting chaos would present a civilizational risk.

Now, as I've stated (and as I said onstage) I am not worried about any of this. I am worried about AI, though. I'm worried a fast-talking AI salesman will convince your boss to fire you and replace you with an AI that can't do your job (the salesman will be pushing on an open door, since if there's one thing bosses hate, it's paying workers).

I'm worried that the seven companies that comprise 35% of the S&P 500 are headed for bankruptcy, as soon as someone makes them stop passing around the same $100b IOU while pretending it's in all their bank accounts at once. I'm worried that when that happens, the chatbots that badly do the jobs of the people who were fired because of the AI salesman will go away, and nothing and no one will do those jobs. I'm worried that the chaos caused by vaporizing a third of the stock market will lead to austerity and thence to fascism:

https://pluralistic.net/2026/04/13/always-great/#our-nhs

I worry that the workers who did those jobs will be scattered to the four winds, retrained or "discouraged" or retired, and that the priceless process knowledge they developed over generations will be wiped out and we will have to rebuild it amidst the economic and political chaos of the burst AI bubble:

https://pluralistic.net/2026/04/08/process-knowledge-vs-bosses/#wash-dishes-cut-wood

In short, I worry that AI is the asbestos we're shoveling into our civilization's walls, and our descendants will be digging it out for generations:

https://pluralistic.net/2026/01/06/1000x-liability/#graceful-failure-modes

But Bengio disagrees. He's very smart, and very accomplished, and he's very certain that AI is about to become "superhuman" and do horrible things to us if we don't get a handle on it. Several times at our events, he insisted that the existence of this possibility made it wildly irresponsible not to take measures to mitigate this risk.

Though I didn't say so at the time, this struck me as an AI-inflected version of Pascal's wager:

A rational person should adopt a lifestyle consistent with the existence of God and should strive to believe in God… if God does not exist, the believer incurs only finite losses, potentially sacrificing certain pleasures and luxuries; if God does exist, the believer stands to gain immeasurably, as represented for example by an eternity in Heaven in Abrahamic tradition, while simultaneously avoiding boundless losses associated with an eternity in Hell.

https://en.wikipedia.org/wiki/Pascal%27s_wager

Smarter people than me have been poking holes in Pascal's wager for more than 350 years. But when it comes to this modern Pascal's AI Wager, I have my own objection: how do you know when you've lost?

As of this moment, the human race has lit more than $1.4t on fire to immanentize this eschaton, and it remains stubbornly disimmanentized. How much more do we need to spend before we're certain that god isn't lurking in the word-guessing program? Sam Altman says it'll take another $2-3t – call it six months' worth of all US federal spending. If we do that and we still haven't met god, are we done? Can we call it a day?

Not according to Elon Musk. Musk says we need to deconstruct the solar system and build a Dyson sphere out of all the planets to completely encase the sun, so we can harvest every photon it emits to power our word-guessing programs:

https://www.pcmag.com/news/elons-next-big-swing-dyson-sphere-satellites-that-harness-the-suns-power

So let's say we do that and we still haven't met god – are we done? I don't see why we would be. After all, Musk's contention isn't that our sun emits one eschaton's worth of immanentizing particles. Musk just thinks that we need a lot of these sunbeams to coax god into our plane of existence. If one sun won't do it, perhaps two? Or two hundred? Or two thousand? Once we've committed the entire human species to this god-bothering project to the extent of putting two kilosuns into harness, wouldn't we be nuts to stop there? What if god is lurking in the two thousand and first sun? Making god out of algorithms is like spelling "banana" – easy to start, hard to stop.

But as Bengio and I got into it together on stage at the Montreal Centre, it occurred to me that maybe there was some common ground between us. After all, when someone starts talking about "humane technology" that respects our privacy and works for people rather than their bosses, my ears grow points. Throw in the phrase "international digital public goods" and you've got my undivided attention.

Because there's a sense in which Bengio and I are worried about exactly the same thing. I'm terrified that our planet has been colonized by artificial lifeforms that we constructed, but which have slipped our control. I'm terrified that these lifeforms corrupt our knowledge-creation process, making it impossible for us to know what's true and what isn't. I'm terrified that these lifeforms have conquered our apparatus of state – our legislatures, agencies and courts – and so that these public bodies work against the public and for our colonizing alien overlords.

The difference is, the artificial lifeforms that worry me aren't hypothetical – they're here today, amongst us, endangering the very survival of our species. These artificial lifeforms are called "limited liability corporations" and they are a concrete, imminent risk to the human race:

https://pluralistic.net/2026/04/15/artificial-lifeforms/#moral-consideration

What's more, challenging these artificial lifeforms will require us to build massive, "international, digital public goods": a post-American internet of free/open, auditable, transparent, enshittification-resistant platforms and firmware for every purpose and device currently in service:

https://pluralistic.net/2026/01/01/39c3/#the-new-coalition

And even after we've built that massive, international, digital public good, we'll still face the challenge of migrating all of our systems and loved ones out of the enshitternet of defective, spying, controlling American tech exports:

https://pluralistic.net/2026/01/30/zucksauce/#gandersauce

Every moment that we remain stuck in the enshitternet is a moment of existential risk. At the click of a mouse, Trump could order John Deere to switch off all the tractors in your country:

https://pluralistic.net/2022/05/08/about-those-kill-switched-ukrainian-tractors/

He doesn't need tanks to steal Greenland. He can just shut off Denmark's access to American platforms like Office365, iOS and Android and brick the whole damned country. It would be another Strait of Hormuz, but instead of oil and fertilizer, he'd control the flow of Lego, Ozempic and deliciously strong black licorice:

https://pluralistic.net/2026/01/29/post-american-canada/#ottawa

These aren't risks that could develop in the future. They're the risks we're confronted with today and frankly, they're fucking terrifying.

So here's my side-bet on Pascal's Wager. If you think we need to build "international digital public goods" to head off the future risk of a colonizing, remorseless, malevolent artificial lifeform, then let us agree that the prototype for that project is the "international digital public goods" we need right now to usher in the post-American internet and save ourselves from the colonizing, remorseless, malevolent artificial lifeforms that have already got their blood-funnels jammed down our throats.

Once we defeat those alien invaders, we may find that all the people who are trying to summon the evil god have lost the wherewithal to do so, and your crisis will have been averted. But if that's not the case and the evil god still looms on our horizon, then I will make it my business to help you mobilize the legions of skilled international digital public goods producers who are still flush from their victory over the limited liability corporation, and together, we will fight the evil god you swear is in our future.

I think that's a pretty solid offer.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago Every pirate ebook on the internet https://web.archive.org/web/20010724030402/https://citizen513.cjb.net/

#20yrsago Retired generals diss Donald Rumsfeld https://nielsenhayden.com/makinglight/archives/007432.html#007432

#20yrsago How to break HDCP https://blog.citp.princeton.edu/2006/04/14/making-and-breaking-hdcp-handshakes/

#20yrsago How Sun’s “open DRM” dooms them and all they touch https://memex.craphound.com/2006/04/14/how-suns-open-drm-dooms-them-and-all-they-touch/

#20yrsago Benkler's "Wealth of Networks" http://www.congo-education.net/wealth-of-networks/

#15yrsago Scientific management’s unscientific grounding: the Management Myth https://web.archive.org/web/20120823212827/https://www.theatlantic.com/magazine/archive/2006/06/the-management-myth/304883/

#15yrsago 216 “untranslatable” emotional words from non-English languages https://www.drtimlomas.com/lexicography/cm4mi/lexicography#!lexicography/cm4mi

#10yrsago New York public employees union will vote on pulling out of hedge funds https://web.archive.org/web/20160414230326/https://www.bloomberg.com/news/articles/2016-04-13/nyc-pension-weighs-liquidating-1-5-billion-hedge-fund-portfolio

#10yrsago Panama’s public prosecutor says he can’t find any evidence of Mossack-Fonseca’s lawbreaking https://web.archive.org/web/20160419165306/https://www.thejournal.ie/mossack-fonseca-prosecution-2714795-Apr2016/?utm_source=twitter_self

#10yrsago Bernie Sanders responds to CEOs of Verizon and GE: “I welcome their contempt” https://web.archive.org/web/20160415165051/https://www.businessinsider.com/bernie-sanders-verizon-contempt-2016-4

#10yrsago Let’s Encrypt is actually encrypting the whole Web https://www.wired.com/2016/04/scheme-encrypt-entire-web-actually-working/

#10yrsago City of San Francisco tells man he can’t live in wooden box in friend’s living room https://www.theguardian.com/us-news/2016/apr/13/san-francisco-new-home-rented-box-illegal?CMP=tmb_gu

#10yrsago How the UK’s biggest pharmacy chain went from family-run public service to debt-laden hedge-fund disaster https://www.theguardian.com/news/2016/apr/13/how-boots-went-rogue

#10yrsago Ohio newspaper chain owner says his papers don’t publish articles about LGBTQ people https://ideatrash.net/2016/04/the-owner-of-four-town-papers-in-ohio.html

#10yrsago How British journalists talk about people they’re not allowed to talk about https://web.archive.org/web/20160414152933/https://popbitch.com/home/2016/03/31/up-the-injunction/

#10yrsago Brussels terrorists kept their plans in an unencrypted folder called “TARGET” https://www.techdirt.com/2016/04/14/brussels-terrorist-laptop-included-details-planned-attack-unencrypted-folder-titled-target/

#10yrsago Ron Wyden vows to filibuster anti-cryptography bill https://www.techdirt.com/2016/04/14/burr-feinstein-officially-release-anti-encryption-bill-as-wyden-promises-to-filibuster-it/

#10yrsago Paramount wants to kill a fan-film by claiming copyright on the Klingon language https://torrentfreak.com/paramount-we-do-own-the-klingon-language-and-warships-160414/

#5yrsago Murder Offsets https://pluralistic.net/2021/04/14/for-sale-green-indulgences/#killer-analogy

#5yrsago The FCC wants your broadband measurements https://pluralistic.net/2021/04/14/for-sale-green-indulgences/#fly-my-pretties

#1yrago Machina economicus https://pluralistic.net/2025/04/14/timmy-share/#a-superior-moral-justification-for-selfishness

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Pluralistic: Rights for robots (15 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

  • Rights for robots: Not everything deserves moral consideration.
  • Hey look at this: Delights to delectate.
  • Object permanence: 7 years under the DMCA; NOLA mayoral candidate x New Orleans Square; Kettling is illegal; AOL won't deliver critical emails; Chris Ware x Charlie Brown; Mossack Fonseca raided; Corporate lobbying budget is greater than Senate and House; Corbyn overpays taxes; What IP means; Bill Gates v humanity; "Jackpot."
  • Upcoming appearances: Toronto, San Francisco, London, Berlin, NYC, Hay-on-Wye, London.
  • Recent appearances: Where I've been.
  • Latest books: You keep readin' em, I'll keep writin' 'em.
  • Upcoming books: Like I said, I'll keep writin' 'em.
  • Colophon: All the rest.


The famous photo of LBJ signing the Civil Rights Act. LBJ and the onlookers' heads have been replaced with the heads of 1950s pulp magazine robots.

Rights for robots (permalink)

The Rights of Nature movement uses a bold tactic to preserve our habitable Earth: it seeks to extend (pseudo) personhood to things like watersheds, forests and other ecosystems, as well as nonhuman species, in hopes of creating legal "standing" to ask the courts for protection:

https://en.wikipedia.org/wiki/Rights_of_nature

What do watersheds, forests and nonhuman species need protection from? That turns out to be a very interesting question, because the most common adversary in a Rights of Nature case is another pseudo-person: namely, a limited liability corporation.

These nonhuman "persons" have been a feature of our legal system since the late 19th century, when the Supreme Court found that the 14th Amendment's "Equal Protection" clause could be applied to a railroad. In the 150-some years since, corporate personhood has monotonically expanded, most notoriously through cases like Hobby Lobby, which gave a corporation the right to discriminate against women on the grounds that it shared its founders' religious opposition to abortion; and, of course, in Citizens United, which found that corporate personhood meant that corporations had a constitutional right to divert their profits to bribe politicians.

Theoretically, "corporate personhood" extends to all kinds of organizations, including trade unions – but in practice, corporate personhood primarily allows the ruling class to manufacture new "people" to serve as a botnet on their behalf. A union has free speech rights just like an employer, but the employer's property rights mean that it can exclude union organizers from its premises, and employer rights mean that corporations can force workers to sit through "captive audience" meetings where expensive consultants lie to them about how awful a union would be (the corporation's speech rights also mean that it's free to lie).

In my view, corporate personhood has been an unmitigated disaster. Creating "human rights" for these nonhuman entities led to the catastrophic degradation of the natural world, via the equally catastrophic degradation of our political processes.

In a strange way, corporate personhood has realized the danger that reactionary opponents of votes for women warned of. In the days of the suffrage movement, anti-feminists claimed that giving women the vote would simply lead to husbands getting two votes, since wives would simply vote the way their husbands told them to.

This libel never died out. Take the recent hard-fought UK by-election in Gorton and Denton (basically Manchester): this was the first test of the Green Party's electoral chances under its new leader, the brilliant and principled leftist Zack Polanski. The Green candidate was Hannah Spencer, a working-class plumber and plasterer who rejected the demonization of the region's Muslim voters, unlike her rivals from Labour (which has transformed itself into a right-wing party), Reform (a fascist party), and the Conservatives (an irrelevant and dying right party). During the race (and especially after Spencer romped to a massive victory) Spencer's rivals accused her of courting "family voters," by which they meant Muslim wives, who would vote the way their Islamist husbands ordered them to. Despite the facial absurdity of this claim – that the Islamist vote would go for the pro-trans party led by a gay Jew – it was widely repeated:

https://www.bbc.com/news/articles/clyxeqpzz2no

"Family voting" isn't a thing, but corporate personhood has conferred political rights on the ruling class, who get to manufacture corporate "people" at scale, each of which is guaranteed the same right to contribute to politicians and intervene in our politics as any human.

Contrast this with the Rights for Nature movement. Where corporate personhood leads to a society with less empathy for living things (up to and including humans), Rights for Nature creates a legal and social basis for more empathy. In her stunning novel A Half-Built Garden, Ruthanna Emrys paints a picture of a world in which the personhood of watersheds and animals become as much of a part of our worldview as corporate personhood is today:

https://pluralistic.net/2022/07/26/aislands/#dead-ringers

Scenes from A Half-Built Garden kept playing out in my mind last month while I attended the Bioneers conference in Berkeley, where they carried on their decades-long tradition of centering indigenous activists whose environmental campaigns were intimately bound up with the idea of personhood for the natural world and its inhabitants:

https://bioneers.org/

On the last morning, my daughter and I sat through a string of inspiring and uplifting presentations from indigenous-led groups that had used Rights of Nature to rally support for legal challenges that had forced those other nonhuman "persons" – limited liability corporations – to retreat from plans to raze, poison, or murder whole regions.

The final keynote speaker that morning was the writer Michael Pollan, who spoke about a looming polycrisis of AI, and I found myself groaning and squirming. Not him, too! Were we about to be held captive to yet another speaker convinced that AI was going to become conscious and turn us all into paperclips?

That seemed to be where he was leading, as he discussed the way that chatbots were designed to evince the empathic response we normally reserve for people – the same empathy that all the other speakers were seeking to inspire for nature. But then, he took an unexpected and welcome turn: Pollan compared extending personhood to chatbots to the disastrous decision to extend personhood to corporations, and urged us all to turn away from it.

This crystallized something that had niggled at me for years. For years, people I respect have used the Rights for Nature movement as an argument for extending empathy to software constructs. The more we practice empathy – and the more rights we afford to more entities – the better we get at it. Personhood for things that are not like us, the argument goes, makes our own personhood more secure, by honing a reflex toward empathy and respect for all things. This is the argument for saying thank you to Siri (and now to other chatbots):

https://ojs.lib.uwo.ca/index.php/fpq/article/download/14294/12136

Siri – like so many of our obedient, subservient, sycophantic chatbots – impersonates a woman. If we get habituated to barking orders at a "woman" (or at our "assistants") then this will bleed out into our interactions with real women and real assistants. Extending moral consideration to Siri, though "she" is just a software construct, will condition our reflexes to treat everything with respect.

For years, I'd uncritically accepted that argument, but after hearing Pollan speak, I changed my mind. Rather than treating Siri with respect because it impersonates a woman, we should demand that Siri stop impersonating a woman. I don't thank my Unix shell when I pipe a command to grep and get the output that I'm looking for, and I don't thank my pocket-knife when it slices through the tape on a parcel. I can appreciate that these are well-made tools and value their thoughtful design, but that doesn't mean I have to respect them in the way that I would respect a person.

That way lies madness – the madness that leads us to ascribe personalities to corporations and declare some of them to be "immoral" and others to be "moral," which is always and forever a dead end:

https://pluralistic.net/2024/01/12/youre-holding-it-wrong/#if-dishwashers-were-iphones

In other words: there's an argument from the Rights of Nature movement that says that the more empathy we practice, the better off we are in all our interactions. But Pollan complicated that argument, by raising the example of corporate personhood. It turns out that extending personhood to constructed nonhuman entities like corporations reduces the amount of empathy we practice. Far from empowering labor unions, the creation of "human" rights for groups and organizations has given capital more rights over workers. A labor rights regime can defend workers – without empowering bosses and without creating new "persons."

The question is: is a chatbot more like a corporation (whose personhood corrodes our empathy) or more like a watershed (whose personhood strengthens our empathy)? But to ask that question is to answer it – a chatbot is definitely more like a corporation than it is like a watershed. What's more: in a very real, non-metaphorical way, giving rights to chatbots means taking away rights from nature, thanks to LLMs' energy-intesivity.

Empathy then, for the nonhuman world – but not for human constructs.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#20yrsago Canadian labels pull out of RIAA-fronted Canadian Recording Industry Ass. https://web.archive.org/web/20060414170111/https://www.michaelgeist.ca/component/option,com_content/task,view/id,1204/Itemid,85/nsub,/

#20yrsago EFF publishes “7 Years Under the DMCA” paper https://web.archive.org/web/20060415110951/https://www.eff.org/deeplinks/archives/004555.php

#20yrsago Life of a writer as a Zork adventure https://web.archive.org/web/20060414115745/http://acephalous.typepad.com/acephalous/2006/04/disadventure.html

#20yrsago NOLA mayoral candidate uses photo of Disneyland New Orleans Square https://web.archive.org/web/20060414214356/https://www.wonkette.com/politics/new-orleans/not-quite-the-happiest-place-on-earth-166989.php

#20yrsago AOL won’t deliver emails that criticize AOL https://web.archive.org/web/20060408133439/https://www.eff.org/news/archives/2006_04.php#004556

#15yrsago UK court rules that kettling was illegal https://www.theguardian.com/uk/2011/apr/14/kettling-g20-protesters-police-illegal

#15yrsago If Chris Ware was Charlie Brown https://eatmorebikes.blogspot.com/2011/04/lil-chris-ware.html

#10yrsago Piracy dooms motion picture industry to yet another record-breaking box-office year https://torrentfreak.com/piracy-fails-to-prevent-box-office-record-160413/

#10yrsago Panama Papers: Mossack Fonseca law offices raided by Panama authorities https://www.reuters.com/article/us-panama-tax-raid-idUSKCN0XA020/

#10yrsago Panama Papers reveal offshore companies were bagmen for the world’s spies https://web.archive.org/web/20160426083004/https://www.yahoo.com/news/panama-papers-reveal-spies-used-mossak-fonseca-231833609.html

#10yrsago How corporate America’s lobbying budget surpassed the combined Senate and Congress budget https://web.archive.org/web/20150422010643/https://www.theatlantic.com/business/archive/2015/04/how-corporate-lobbyists-conquered-american-democracy/390822/

#10yrsago URL shorteners are a short path to your computer’s hard drive https://arxiv.org/abs/1604.02734

#10yrsago UL has a new, opaque certification process for cybersecurity https://arstechnica.com/information-technology/2016/04/underwriters-labs-refuses-to-share-new-iot-cybersecurity-standard/

#10yrsago Jeremy Corbyn overpays his taxes https://web.archive.org/web/20160413192208/https://www.politicshome.com/news/uk/political-parties/labour-party/news/73724/jeremy-corbyn-overstated-income-his-tax-return

#10yrsago Cassetteboy’s latest video is an amazing, danceable anti-Snoopers Charter mashup https://www.youtube.com/watch?v=D2fSXp6N-vs

#10yrsago Texas: prisoners whose families maintain their social media presence face 45 days in solitary https://www.eff.org/deeplinks/2016/04/texas-prison-system-unveils-new-inmate-censorship-policy

#5yrsago Data-brokerages vs the world https://pluralistic.net/2021/04/13/public-interest-pharma/#axciom

#5yrsago What "IP" means https://pluralistic.net/2021/04/13/public-interest-pharma/#ip

#5yrsago Bill Gates will kill us all https://pluralistic.net/2021/04/13/public-interest-pharma/#gates-foundation

#5yrsago Jackpot https://pluralistic.net/2021/04/13/public-interest-pharma/#affluenza

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Pluralistic: In praise of (some) compartmentalization (14 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links


A male figure in an inner tube, floating down a river. The figure has been altered. He now has a zombie's head, and his skin has been tinted green, with large, suppurating sores oozing out of his skin.

In praise of (some) compartmentalization (permalink)

If there's one FAQ I get Q'ed most F'ly, it's this: "How do you get so much done?" The short answer is, "I write when I'm anxious (which is how I came to write nine books during lockdown)." The long answer is more complicated.

The first complication to understand is that I have lifelong, degenerating chronic pain that makes me hurt from the base of my skull to the soles of my feet – my whole posterior chain. On a good day, it hurts. On a bad day, it hurts so bad that it's all I can think about.

Unless…I work. If I can find my way into a creative project, the rest of the world just kind of fades back, including my physical body. Sometimes I can get there through entertainment, too – a really good book or movie, say, but more often I find myself squirming and needing to get up and stretch or use a theragun after a couple hours in a movie theater seat, even the kind that reclines. A good conversation can do it, too, and is better than a movie or a book. The challenge and engagement of an intense conversation – preferably one with a chewy, productive and interesting disagreement – can take me out of things.

There's a degree to which ignoring my body is the right thing to do. I've come to understand a lot of my pain as being a phantom, a pathological failure of my nervous system to terminate a pain signal after it fires. Instead of fading away, my pain messages bounce back and forth, getting amplified rather than attenuated, until all my nerves are screaming at me. Where pain has no physiological correlate – in other words, where the ache is just an ache, without a strain or a tear or a bruise – it makes sense to ignore it. It's actually healthy to ignore it, because paying attention to pain is one of the things that can amplify it (though not always).

But this only gets me so far, because some of my pain does have a physiological correlate. My biomechanics suck, thanks to congenital hip defects that screwed up the way I walked and sat and lay and moved for most of my life, until eventually my wonky hips wore out and I swapped 'em for a titanium set. By that point, it was too late, because I'd made a mess of my posterior chain, all the way from my skull to my feet, and years of diligent physio, swimming, yoga, occupational therapy and physiotherapy have barely made a dent. So when I sit or stand or lie down, I'm always straining something, and I really do need to get up and move around and stretch and whatnot, or sure as hell I will pay the price later. So if I get too distracted, then I start ignoring the pain I need to be paying attention to, and that's at least as bad as paying attention to the pain I should be ignoring.

Which brings me to anxiety. These are anxious times. I don't know anyone who feels good right now. Particularly this week, as the Strait of Epstein emergency gets progressively worse, and there's this January 2020 sense of the crisis on the horizon, hitting one country after another. Last week, Australia got its last shipment of fossil fuels. This week, restaurants in India are all shuttered because of gas rationing. People who understand these things better than I do tell me that even if Trump strokes out tonight and Hegseth overdoes the autoerotic asphyxiation, it'll be months, possibly years, before things get back to "normal" ("normal!").

Any time I think about this stuff for even a few minutes, I start to feel that covid-a-comin', early-2020 feeling, only it's worse this time around, because I literally couldn't imagine what covid would mean when it got here, and now I know.

When I start to feel those feelings, I can just sit down and start thinking with my fingers, working on a book or a blog-post. Or working on an illustration to go with one of these posts, which is the most delicious distraction, leaving me with just enough capacity to mull over the structure of the argument that will accompany it.

I can't do anything about the impending energy catastrophe, apart from being part of a network of mutual aid and political organizing, so it makes sense not to fixate on it. But there are things that upset me – problems my friends and loved ones are having – where there's such a thing as too much compartmentalization. It's one thing to lose myself in work until the heat of emotion cools so I can think rationally about an issue that's got me seeing red, and another to use work as a way to neglect a loved one who needs attention in the hope that the moment will pass before I have to do any difficult emotional labor.

Compartmentalization, in other words, but not too much compartmentalization. During the lockdown years, I transformed myself into a machine for turning Talking Heads bootlegs into science fiction novels and technology criticism, and that was better than spending that time boozing or scrolling or fighting – but in retrospect, there's probably more I could have done during those hard months to support the people around me. In my defense – in all our defenses – that was an unprecedented situation and we all did the best we could.

Creative work takes me away from my pain – both physical and emotional – because creative work takes me into a "flow" state. This useful word comes to us from Mihaly Csikszentmihalyi, who coined the term in the 1960s while he was investigating a seeming paradox: how was it that we modern people had mastered so many of the useful arts and sciences, and yet we seemed no happier than the ancients? How could we make so much progress in so many fields, and so little progress in being happy?

In his fieldwork, Csikszentmihalyi found that people reported the most happiness while they were doing difficult things well – when your "body or mind is stretched to its limits in a voluntary effort to accomplish something difficult and worthwhile." He called this state "flow."

As Derek Thompson says, the word "flow" implies an effortlessness, but really, it's the effort – just enough, not too much – that defines flow-states. We aren't happiest in a frictionless world, but rather, in a world of "achievable challenges":

https://www.derekthompson.org/p/how-zombie-flow-took-over-culture

Thompson relates this to "the law of familiar surprises," an idea he developed in his book Hit Makers, which investigated why some media, ideas and people found fame, while others languished. A "familiar surprise" is something that's "familiar but not too familiar."

He thinks that the Hollywood mania for sequels and reboots is the result of media execs chasing "familiar surprises." I think there's something to this, but we shouldn't discount the effect that monopolization has on the media: as companies get larger and larger, they end up committing to larger and larger projects, and you just don't take the kinds of risks with a $500m movie that you can take with a $5m one. If you're spending $500m, you want to hedge that investment with as many safe bets as you can find – big name stars, successful IP, and familiar narrative structures. If the movie still tanks, at least no one will get fired for taking a big, bold risk.

Today, we're living in a world of extremely familiar, and progressively less surprising culture. AI slop is the epitome of familiarity, since by definition, AI tries to make a future that is similar to the past, because all it can do is extrapolate from previous data. That's a fundamentally conservative, uncreative way to think about the world:

https://pluralistic.net/2020/05/14/everybody-poops/#homeostatic-mechanism

The tracks the Spotify algorithm picks out of the catalog are going to be as similar to the ones you've played in the past as it can make them – and the royalty-free slop tracks that Spotify generates with AI or commissions from no-name artists will be even more insipidly unsurprising:

https://pluralistic.net/2022/09/12/streaming-doesnt-pay/#stunt-publishing

Thompson cites Shishi Wu's dissertation on "Passive Flow," a term she coined to describe how teens fall into social media scroll-trances:

https://scholarworks.umb.edu/cgi/viewcontent.cgi?article=2104&context=doctoral_dissertations

Wu says it's a mistake to attribute the regretted hours of scrolling to addiction or a failure of self-control. Rather, the user is falling into "passive flow," a condition arising from three factors:

I. Engagement without a clear goal;

II. A loss of self-awareness – of your body and your mental state;

III. Losing track of time.

I instantly recognize II. and III. – they're the hallmarks of the flow states that abstract me away from my own pain when I'm working. The big difference here is I. – I go to work with the clearest of goals, while "passive flow" is undirected (Thompson also cites psychologist Paul Bloom, who calls the scroll-trance "shitty flow." In shitty flow, you lose track of the world and its sensations – but in a way that you later regret.)

Thompson has his own name for this phenomenon of algorithmically induced, regret-inducing flow: he calls it "zombie flow." It's flow that "recapitulates the goal of flow while evacuating the purpose."

Zombie flow is "progress without pleasure" – it's frictionless, and so it gives us nothing except that sense of the world going away, and when it stops, the world is still there. The trick is to find a way of compartmentalizing that rewards attention with some kind of productive residue that you can look back on with pride and pleasure.

I wouldn't call myself a happy person. I don't think I know any happy people right now. But I'm an extremely hopeful person, because I can see so many ways that we can make things better (an admittedly very low bar), and I have mastered the trick of harnessing my unhappiness to the pursuit of things that might make the world better, and I'm gradually learning when to stop escaping the pain and confront it.

(Image: marsupium photography, CC BY-SA 2.0, modified)

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago Pee-Wee Herman on his career https://web.archive.org/web/20010414033156/https://ew.com/ew/report/0,6115,105857~1~0~paulreubensreturnsto,00.html

#25yrsago Anxious hand-wringing about multitasking teens https://www.nytimes.com/2001/04/12/technology/teenage-overload-or-digital-dexterity.html

#20yrsago Clever t-shirt typography spells “hate” – “love” in mirror-writing https://web.archive.org/web/20060413102804/https://accordionguy.blogware.com/blog/_archives/2006/4/12/1881414.html

#20yrsago New Mexico Lightning Field claims to have copyrighted dirt https://diaart.org/visit/visit-our-locations-sites/walter-de-maria-the-lightning-field#overview

#20yrsago Futuristic house made of spinach protein and soy-foam https://web.archive.org/web/20060413111650/http://bfi.org/node/828

#15yrsago New Zealand to sneak in Internet disconnection copyright law with Christchurch quake emergency legislation https://www.stuff.co.nz/technology/digital-living/4882838/Law-to-fight-internet-piracy-rushed-through

#10yrsago Bake: An amazing space-themed Hubble cake https://www.sprinklebakes.com/2016/04/black-velvet-nebula-cake.html

#10yrsago Shanghai law uses credit scores to enforce filial piety https://www.caixinglobal.com/2016-04-11/shanghai-says-people-who-fail-to-visit-parents-will-have-credit-scores-lowered-101011746.html

#10yrsago Walmart heiress donated $378,400 to Hillary Clinton campaign and PACs https://web.archive.org/web/20160414155119/https://www.alternet.org/election-2016/alice-walton-donated-353400-clintons-victory-fund

#10yrsago Mass arrests at DC protest over money in politics https://www.washingtonpost.com/local/public-safety/mass-arrests-of-protesters-in-demonstration-at-capitol-against-big-money/2016/04/11/96c13df0-0037-11e6-9d36-33d198ea26c5_story.html

#10yrsago Churchill got a doctor’s note requiring him to drink at least 8 doubles a day “for convalescence” https://web.archive.org/web/20130321054712/https://arttattler.com/archivewinstonchurchill.html

#5yrsago Big Tech's secret weapon is switching costs, not network effects https://pluralistic.net/2021/04/12/tear-down-that-wall/#zucks-iron-curtain

#5yrsago Fraud-resistant election-tech https://pluralistic.net/2021/04/12/tear-down-that-wall/#bmds

#1yrago Blue Cross of Louisiana doesn't give a shit about breast cancer https://pluralistic.net/2025/04/12/pre-authorization/#is-not-a-guarantee-of-payment

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Pluralistic: Austerity creates fascism (13 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

  • Austerity creates fascism: We can't afford to not afford nice things.
  • Hey look at this: Delights to delectate.
  • Object permanence: The Server of Amontillado; Flapper's Dictionary; Mastercard v rec.humor.funny; Philippines electoral data breach; A front page from the Trump presidency; Spike Lee x Bernie Sanders; France v password hashing; Algorithms as Central European folk-dances; Save Comcast; Lex Luthor v export controls; Zuckerberg in the dock.
  • Upcoming appearances: Toronto, San Francisco, London, Berlin, NYC, Hay-on-Wye, London.
  • Recent appearances: Where I've been.
  • Latest books: You keep readin' em, I'll keep writin' 'em.
  • Upcoming books: Like I said, I'll keep writin' 'em.
  • Colophon: All the rest.


A line of Nazis at the Nuremburg rally, throwing Nazi salutes. Their backs are to us. Facing them is a hand-tinted group of child laborers from the early 20th century, squinting suspiciously at them.

Austerity creates fascism (permalink)

I'm worried about AI psychosis. Specifically, I'm worried about the psychosis that makes our "capital allocators" spend $1.4T on the money-losingest technology in the history of the human race, in pursuit of a bizarre fantasy that if we teach the word-guessing program enough words, it will take all the jobs. That's some next-level underpants-gnomery:

https://pluralistic.net/2026/03/12/normal-technology/#bubble-exceptionalism

The thing that worries me about billionaires' AI psychosis isn't concern for their financial solvency. No, what I worry about is what happens when the seven companies that comprise a third of the S&P 500 stop trading the same $100b IOU around while pretending it's in all of their bank accounts at once and implode, vaporizing a third of the US stock market.

My concern about a massive collapse in the capital markets isn't that workers will suffer directly. Despite all the Wonderful Life rhetoric about your money being in Joe's house and the Kennedy house and Mrs Macklin's house, the reality is that the median US worker has $955 saved for retirement. You could nuke the whole financial system and not take a dime out of most workers' pockets:

https://finance.yahoo.com/news/955-saved-for-retirement-millions-are-in-that-boat-150003868.html

No, the thing that has me terrified about AI is that when it craters and takes the economy with it, that we will respond the same way we have during every financial crisis of the 21st century: with austerity, and austerity breeds fascism.

There's a direct line from every K-shaped recovery to every strong-man who's currently sending masked gunmen into the streets. The Hungarian dictator Viktor Orban rose to power after people who'd been suckered into denominating their mortgages in Swiss francs lost their houses when the currency markets moved suddenly, because the swindlers who'd sold them those mortgages took the position that wanting to live somewhere automatically made you an expert in forex risk, so caveat fuckin' emptor, baby.

Back in America, Obama decided to bail out the banks and not the people. His treasury secretary Tim Geithner told him the banks were headed for a catastrophic crash and could only be saved if he "foamed the runways" with everyday Americans' mortgages. Millions of Americans lost their homes to foreclosure as banks, flush with public cash, threw them out of their homes and then flipped them to investment banks who became the country's worst slumlords:

https://pluralistic.net/2022/02/08/wall-street-landlords/#the-new-slumlords

Americans were understandably not entirely happy with this outcome. So when Hillary Clinton replied to Donald Trump's "Make America Great Again" with "America is already great," her message was, "Vote for me if you think everything is great; vote for Trump if you think everything is fucked":

https://www.politico.com/blogs/2016-dem-primary-live-updates-and-results/2016/03/clinton-america-is-already-great-220078

"Austerity begets fascism" is one of those things that makes a lot of intuitive sense, but it turns out that there's a good empirical basis for believing it. In "Public Service Decline and Support for the Populist Right" four economists from the LSE and Bocconi provide an excellent look at the linkage between austerity and support for fascists:

https://catherinedevries.eu/NHS.pdf

Here's how they break it down. Political scientists have assembled a large, reproducible body of evidence to show that "public service provision is crucial to people’s perceptions of their quality of life and living standards." Good public services are the basis for "the social contract between rulers and the ruled" – pay your taxes and obey the laws, and in return, you will be well served.

When public services go wrong, people don't always know who to blame, but they definitely notice that something is going wrong, so when public services fail, people stop trusting the state, and that social contract starts to fray. They start to suspect that elites are lining their pockets rather than managing the system, and they "withdraw their support" for the system.

Fascists thrive in these conditions. Fascists come to power by mobilizing grievances. By choosing a scapegoat, fascists can create support from people who are justifiably furious that the services they rely on have collapsed. So when you can't get shelter, or health care, or elder care, or child care, or an education for your kids, you become a mark for a fascist grifter with a story about "undeserving migrants" who've taken the benefits that should rightly accrue to "deserving natives."

(This is grimly hilarious, given that the wizened, decrepit rich world is critically dependent on migrants as a source of healthy, working-age workers who pay massive amounts into the system while barely making use of it, many of whom plan on retiring to their home countries when they do reach the age where they're likely to extract a net loss to the benefits system.)

Enter the NHS, a beloved institution that is hailed as the pride of the nation by both the political left and the right. The majority of Britons use the NHS, with only 12-14% of the population "going private," so when the NHS declines, everybody notices (what's more, even people with private care use the NHS for many of their needs).

Britons love the NHS and they want the government to spend more on it. There's "a broad public consensus that the government is not going far enough when it comes to funding." That's because generations of cuts to the NHS have left it substantially hollowed out, with major parts of the service handed over to for-profit entities who overcharge and underserve.

The most tangible and immediate evidence of this slow-motion collapse comes when your local general practitioner ("family doctor" or "primary care physician" in Americanese) shuts down. The UK has lost 1,700 GP practices since 2013.

Reasoning that a GP closure would make people angry at the system, the economists behind the paper wanted to see what happened to people's political beliefs when their GP's office shut. They relied on the GP Patient Survey, a longitudinal study run by NHS England and Ipsos Mori. The survey polls a statistically significant random sample of patients from every GP practice in the NHS and then weights the results "to reflect the demographic characteristics of the local population according to UK Census estimates." It's good data.

The researchers cross-referenced this with various high-quality instruments that measured the political views of Britons, like the U Essex Understanding Society Panel, drawing on 13 years' worth of surveys from 2009-2022, gaining access to a protected version of the dataset with fine-grained geographic information about survey respondents, which allowed them to link responses to the "catchment areas" for specific GPs' office. They combined this data with the British Election Study panel, which has surveyed voters 29 times since 2014.

Most of the paper describes the careful work the researchers did to analyze, cross-reference and validate this data, but what interested me was the conclusion: that people who see a severe degradation in the quality of the services they rely on switch their political affiliation to one of Britain's fascist parties – UKIP, the Brexit Party, or Reform – parties that have called for ethnic cleansing in Britain.

This is what has me scared. We can see the looming economic crises in our near future. If it's not the AI crash that triggers the next wave of austerity, it'll be the oil crisis created by Trump's bungling in the Strait of Epstein. And of course, we could always get a twofer, because the Gulf States that were pouring hundreds of billions into AI data-centers now need every cent to rebuild the LNG shipping terminals and oil refineries that Iran blew up after Trump, Hegseth, and Netanyahu started murdering all the schoolgirls they could target. Once they nope out of the AI bubble, that could trigger the collapse.

This is a study about the NHS, but it's not just about the NHS. It's perfectly reasonable to assume that people react this way when they experience cuts to their road maintenance, their schools, their community centers, and any other service they rely on. Fascism – what Hannah Arendt called 'organized loneliness' – can only take root when people stop believing that their society will reward their lawfulness with an orderly and humane existence.

The crisis is coming, but whether we do austerity when it gets here is our choice. Everywhere we turn, political leaders are rejecting generations of failed austerity in favor of "sewer socialism" – the idea that you get people to trust their government by earning that trust. Zohran Mamdani is fixing 100,000 potholes in the first 100 days, despite the multi-billion dollar deficit that outgoing Mayor Eric Adams created by "running the city like a business":

https://prospect.org/2026/04/10/zohran-mamdani-getting-new-york-city-believe-in-government/

In Canada and the UK, party leaders like Avi Lewis (NDP) and Zack Polanski (Greens) are vowing to fight the coming crises by spending, not cutting. Compare that with UK fascist leader Nigel Farage, who says that if he's elected, he'll create a "paramilitary style" British ICE, building concentration camps for 24,000 migrants, with the hope of deporting 288,000 people per year:

https://www.thenerve.news/p/reform-deportation-operation-restoring-justice-data-surveillance-palantir-uk-labour

"Socialism or barbarism" isn't just a cliche – it's actually a choice on the ballot.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago The Server of Amontillado https://web.archive.org/web/20070112024841/http://www.techweb.com/wire/story/TWB20010409S0012

#25yrsago Mastercard threatens the moderator of rec.humor.funny https://www.netfunny.com/rhf/jokes/01/Apr/mcrhf.html

#15yrsago Sweden exports sweatshops: Ikea’s first American factory https://web.archive.org/web/20190404035900/https://www.latimes.com/business/la-xpm-2011-apr-10-la-fi-ikea-union-20110410-story.html

#15yrsago Canada’s New Democratic Party promises national broadband and net neutrality https://web.archive.org/web/20110412064952/https://www.michaelgeist.ca/content/view/5734/125/

#15yrsago Flapper’s dictionary: 1922 https://bookflaps.blogspot.com/2011/04/flappers-dictionary.html

#15yrsago Toronto’s Silver Snail to leave Queen Street West https://web.archive.org/web/20110409181737/http://www.thestar.com/entertainment/article/970520–the-silver-snail-comics-icon-sold-to-move

#15yrsago WI county clerk whose homemade voting software found 14K votes for Tea Party judge is an old hand at illegal campaigning https://web.archive.org/web/20110412121323/http://host.madison.com/wsj/news/local/govt-and-politics/elections/article_7e777016-62b2-11e0-9b74-001cc4c002e0.html

#15yrsago Canadian Tories’ campaign pledge: We will spy on the Internet https://web.archive.org/web/20110412125250/https://www.michaelgeist.ca/content/view/5733/125/

#15yrsago France to require unhashed password storage https://www.bbc.com/news/technology-12983734

#15yrsago Central European folk-dancers illustrated sorting algorithms https://www.i-programmer.info/news/150-training-a-education/2255-sorting-algorithms-as-dances.html

#10yrsago Save Comcast! https://www.eff.org/deeplinks/2016/04/save-comcast

#10yrsago Goldman Sachs will pay $5B for fraudulent sales of toxic debt, no one will go to jail https://web.archive.org/web/20160412155435/https://consumerist.com/2016/04/11/goldman-sachs-to-pay-5b-to-settle-charges-of-selling-troubled-mortgages-ahead-of-the-financial-crisis/

#10yrsago How could Lex Luthor beat the import controls on kryptonite? https://lawandthemultiverse.com/2016/04/11/batman-v-superman-and-import-licenses/

#10yrsago Congresscritters spend 4 hours/day on the phone, begging for money https://www.youtube.com/watch?v=Ylomy1Aw9Hk

#10yrsago Philippines electoral data breach much worse than initially reported, possibly worst ever https://www.infosecurity-magazine.com/news/every-voter-in-philippines-exposed/

#10yrsago A cashless society as a tool for censorship and social control https://web.archive.org/web/20260311032317/https://www.theatlantic.com/technology/archive/2016/04/cashless-society/477411/

#10yrsago Boston Globe previews a front page from the Trump presidency https://s3.documentcloud.org/documents/2797782/Ideas-Trump-front-page.pdf

#10yrsago Spike Lee interviews Bernie Sanders: Vermont, Trump, Clinton, guns and Brooklyn https://www.hollywoodreporter.com/movies/movie-features/bernie-sanders-interviewed-by-spike-lee-thr-new-york-issue-880788/

#5yrsago Youtube blocks advertisers from targeting "Black Lives Matter" https://pluralistic.net/2021/04/10/brand-safety-rupture/#brand-safety

#5yrsago Google's short-lived data-advantage https://pluralistic.net/2021/04/11/halflife/#minatory-legend

#1yrago Zuckerberg in the dock https://pluralistic.net/2025/04/11/it-is-better-to-buy/#than-to-compete

#1yrago The most remarkable thing about antitrust (that no one talks about) https://pluralistic.net/2025/04/10/solidarity-forever-2/#oligarchism

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

16:07

[$] BPF support in GCC 16 and beyond [LWN.net]

José Marchesi and the GCC-BPF developers opened the BPF track at the 2026 Linux Storage, Filesystem, Memory-management, and BPF Summit with a 90-minute summary of what has changed for GCC's BPF support in the past year. This kind of session has become something of a tradition. There were similar updates in 2025 and 2024. This time around, GCC seems to be closing in on feature parity with the LLVM toolchain — as the slides detail.

OpenBSD 7.9 released [LWN.net]

The OpenBSD 7.9 release is out, right on schedule. There is the usual long list of new features, including improved architecture support, CPU scheduling on heterogeneous systems, the ability to hibernate a suspended system after a configurable delay, socket splicing, a __pledge_open() system call giving special access to the C library, and much more. See the announcement and the full changelog for details.

15:42

Link [Scripting News]

I'm going to release the Claude-generated code that enables it to work with me on projects that are written and managed in outlines.

15:28

Dirk Eddelbuettel: nanotime 0.3.15 on CRAN: Coping [Planet Debian]

Another very minor update, now at 0.3.15, for our nanotime package is now on CRAN, and has been built for r2u and Debian. nanotime relies on the RcppCCTZ package (as well as the RcppDate package for additional C++ operations) and offers efficient high(er) resolution time parsing and formatting up to nanosecond resolution, using the bit64 package for the actual integer64 arithmetic. Initially implemented using the S3 system, it has benefitted greatly from a rigorous refactoring by Leonardo who not only rejigged nanotime internals in S4 but also added new S4 types for periods, intervals and durations.

This release adjusts the package for the maybe overly hasty switch R 4.6.0 has undertaken with respect to using C++20 as a default C++ compilation standard. I am of course largely in favour of such a switch to more modern C++. But I am also cognizant of the fact that not all compilers and machines are ready. And just as I have already seen one other package fail to compile on a particular CRAN system (!!) under C++20, this package all of a sudden, and only on that same system, started to throw two (harmless) compiler warnings. We could call these erroneous as newer versions of the same compiler do not throw them but it does not matter. The decision to default to C++20 has been made, and now we live with it. But maybe some hardware platforms should be moved behind the barn. Either way, this release both adds an explicit cast to two lines that may not really need it (but this will not hurt) and also dials the compilation standard down to C++17 on one particular platform. So once again there are no user-facing changes, or behavioural changes or enhancements, in this release.

The NEWS snippet below has the fuller details.

Changes in version 0.3.15 (2026-05-21)

  • Add extra const_cast as one CRAN machine with more ancient setup whines otherwise and is obviously less C++20 ready than it thinks

  • tools/configure also checks where this is being built and ’as needed' downgrades the compilation to C++17

Thanks to my CRANberries, there is a diffstat report for this release. More details and examples are at the nanotime page; code, issue tickets etc at the GitHub repository – and all documentation is provided at the nanotime documentation site.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

14:56

Link [Scripting News]

Just asked Claude to save this in memory. "in general i create local variables with partial results because 1. i can step through the calculations in the debugger. 2. the order guides my mind when im reading this code, 3. it lets me put a name on a partial value. this is helpful when i want to piece together wtf the code is supposed to be doing. and 4. it makes no difference in the efficiency of the code for a variety of reasons. please save that somewhere." i'm getting a lot of these rules down. i have them memorized but have never written them up because i didn't have a system for saving it somewhere relevant. i always thought ai would be good for going back and reading all my blog posts and creating somethjing readable, but as often is the case, the way it works turned out to be quite different, accomplishes the same thing.

14:35

[$] Support for private memory nodes [LWN.net]

Gregory Price started his session in the memory-management track of the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit by saying that, in current kernels, if a NUMA node has memory, the assumption is that anybody can make use of it. He is trying to implement the opposite policy — to make some memory off-limits for all processes except those designed specifically to use it. The session was used to present his goals and to discuss how they might be implemented.

Security updates for Thursday [LWN.net]

Security updates have been issued by AlmaLinux (kernel, kernel-rt, and libsndfile), Debian (bind9, evince, firefox-esr, openjpeg2, pdns, and rsync), Fedora (erlang-cowlib, evince, expat, firefox, kernel, mingw-expat, mysql8.0, mysql8.4, nss, opencryptoki, pgadmin4, proftpd, python-django5, python-django6, python-dotenv, rsync, rust-nu, rustup, and strongswan), Oracle (nginx, nginx:1.24, ruby, ruby:3.3, and squid), Slackware (bind and rsync), SUSE (buildah, distribution, distribution-registry, docker, firefox-esr, helm, libpainter0, libsdb2_4_2, postgresql-jdbc, runc, and vim), and Ubuntu (gnutls28, gst-plugins-good1.0, jq, linux-nvidia, linux-nvidia-lowlatency, openvpn, rsync, and unbound).

14:28

Tindie [RevK®'s ramblings]

Their communications have been really bad - hiding that there was a take over, not explaining what was happening, blaming planned maintenance with no explanation why not simply rolled back, and then PayPal issues which they claimed were fixed, but clearly are not.

We are well over a month now with Tindie being broken - by which I mean this.

Not paying sellers is not paying sellers. This has to be the end of Tindie as a business, surely?

We threatened legal action and they settled the balance by bank transfer, phew, but we cannot start re-stocking products, even with over $1600 of "waitlist" orders, until Tindie are actually normally and routinely paying sellers. That may never happen now, we'll see. Even if they do get back, we may only list one product there for a long while.

We are far from alone.

Someone has even made a "new Tindie", from scratch, in this time. The site https://smallrun.net/ have managed it, with IOSS, and US tariffs, and all sorts, all working, from scratch, which even Tindie do not manage. This proves that Tindie's delays make zero sense. They could have re-made Tindie from scratch in this time - so why buy Tindie at all in the first place? Nothing about this makes any sense at all. i.e. make a new working platform, then buy Tindie brand and domain, and make a seamless change over - that is what you do, unless you are, well, incompetent. Well, IMHO, they are that.

An existing provider that was smaller, and has now grown a lot as a result of this, is https://lectronz.com/ - they are cheaper and bigger than smallrun, but I wish smallrun all the best.

This is where we have set up shop now - if you found us on Tindie, go to https://shop.revk.uk which I can ensure goes to my shop (Lectronz now).

But Tindie are still not communicating and not actually fixing things. It is a shame, they clearly had a reputation which is now in shatters.

12:56

CodeSOD: In the Know [The Daily WTF]

Delilah works in a Python shop. Despite Python's "batteries included" design, that doesn't stop people from trying to make their own batteries from potatoes. For example, her co-worker wrote this function:

def key_exists(element, key):
    if isinstance(element, dict):
        try:
            element = element[key]
        except KeyError:
            return False
        return True

Python, of course, has an in operator. key in dictionary is an extremely common idiom. There's no reason to implement your own. Certainly, there's no reason to re-implement it by catching and throwing exceptions.

This is ugly, stupid, and bad. It gets worse, though, when you see how it gets used.

for key in old_yaml_data:
    if key in new_yaml_data:
        if old_yaml_data[key] != new_yaml_data[key]:
            temp = new_yaml_data[key]
            new_yaml_data[key] = merge(new_yaml_data[key], old_yaml_data[key])

            if key_exists(new_yaml_data[key], 'image') and key_exists(old_yaml_data[key], 'image'):
                new_yaml_data[key]['image'] = temp['image']
            elif key == "databases":
                revert_db_tags(new_yaml_data[key], temp)

This code is attempting to upgrade "old" YAML data with "new" data. So it's basically merging dictionaries, which is a great case for the in operator.

And they use the correct idiom on the second line there! This was written by one developer! They do the standard key in new_yaml_data check. And they also use key_exists. I can only assume that they had a stroke between starting and finishing this script, which I'll note is, in total, 48 lines long.

Here's the whole short script, which is just generally a mess. Slapped together Python code that's trying to be a "smarter" shell script, but is definitely written with the elegance of hacked-together-bash.

import sys
import yaml
from jsonmerge import merge

appHomePath = sys.argv[1]
oldValuesYAML = appHomePath + "values.yaml"
newValuesYAML = appHomePath + "/upgrade_version/values.yaml"
with open(newValuesYAML, 'r') as f:
    new_yaml_data = yaml.load(f, Loader=yaml.loader.FullLoader)
with open(oldValuesYAML, 'r') as f:
    old_yaml_data = yaml.load(f, Loader=yaml.loader.FullLoader)
def key_exists(element, key):
    if isinstance(element, dict):
        try:
            element = element[key]
        except KeyError:
            return False
        return True

def revert_db_tags(old_yaml_data, new_yaml_data):
    dbList = ["mongoDB", "postgresDB"]
    mongoDbTagsToRevert = ["mongoRestore"]
    mongodbKeysToDelete = []
    postgresDbTagsToRevert = []


    for db in dbList:
        old_yaml_data[db]['image'] = new_yaml_data[db]['image']
    for mongoDbTag in mongoDbTagsToRevert:
        old_yaml_data['mongoDB'][mongoDbTag]['image'] = new_yaml_data['mongoDB'][mongoDbTag]['image']
    for mongoDbTag in mongoKeysToDelete:
        del old_yaml_data['mongoDB'][mongoDbTag]

    for postgresDbTag in postgresDbTagsToRevert:
        old_yaml_data['postgresDB'][postgresDbTag]['image'] = new_yaml_data['postgresDB'][postgresDbTag]['image']

for key in old_yaml_data:
    if key in new_yaml_data:
        if old_yaml_data[key] != new_yaml_data[key]:
            temp = new_yaml_data[key]
            new_yaml_data[key] = merge(new_yaml_data[key], old_yaml_data[key])

            if key_exists(new_yaml_data[key], 'image') and key_exists(old_yaml_data[key], 'image'):
                new_yaml_data[key]['image'] = temp['image']
            elif key == "databases":
                revert_db_tags(new_yaml_data[key], temp)

with open(newValuesYAML, 'w') as f:
    data = yaml.dump(new_yaml_data, f, sort_keys=False)
[Advertisement] Plan Your .NET 9 Migration with Confidence
Your journey to .NET 9 is more than just one decision.Avoid migration migraines with the advice in this free guide. Download Free Guide Now!

11:14

Grrl Power #1462 – Sword insecurities [Grrl Power]

Once upon a time, just after Max got her powers, there was an incident or two (or five, several of which went unreported to the authorities – by which I mean her mom and dad) where she would demonstrably point at something a say “Pew!” and there would be a… collateral incident. Once it was at a church, when she was pointing at some pews. Fortunately her energy blasts at that time were a fraction of what they can get up to these days. And by a fraction, I mean like 1/12,000th, not 19/20th. Or 10/1. That’s a fraction. Obviously, in English, saying something is “a fraction of…” implies less, but 1/1 is a fraction. Any number over any other number is a fraction. Possibly except x/0. I mean, it is still written as a fraction, but much like telling NOMAD “I am lying.” or “print open parenthesis openquote does not compute closequote closeparenthsis,” it does not compute.

Harem’s shirt does say something, in a language/script I made up as I was drawing this page, though I’m not sure if or when it will be revealed in the comic, cause it’s kind of a lame joke and I’d probably have to dedicate a half a page to it. The way things play out in my head is a lot like jokes from 30 Rock or Parks and Rec, with a lot of back and forth camera shots, some of them just capturing a quick expression before cutting back to the person saying or doing the weird thing that prompted the expression. Some days, it’s a lot of work to edit all that down to comic format.

Speaking of 30 Rock and Parks and Rec, have you guys seen “The Muppets”? Not The Muppet Show, CBS did a one short season, like 10 or 12 episode run of The Muppets, and it’s basically 30 Rock, where Piggy is a late night talk show host, but she’s naturally a short fused attention diva like Jenna Maroney, but with Ms. Piggy’s penchant for cartoon violence, but it also has Parks and Rec energy because it’s filmed diagetic mockumentary style, with asides and mini interviews to a tagalong camera crew. Honestly it’s very well done and pretty funny and I’m kind of furious that it only got the one season.

Yes, I’m aware of the new single episode of The Muppet Show produced by Seth Rogan, which was so true to the original format I was having nostalgia flashbacks to when I was… damn, 1976 to 1981? That would have made me 4 to 9? I must have been watching in syndication when I was around 10-14?

Anyway… Sword fighting!

Sexy bodymod news lady Gail has a special one-on-one interview with Tournament Quarter finalist Saraviah Nightwing! And if you subscribe to Gail’s Space Patreon, (which, due to the vagaries of Earth and Gal-Net’s DNS servers, happens to be the same as the Grrl Power Patreon, go figure) you can see that same interview in the nude! Well, eventually. The nude part of the interview, as well as the version that includes shading will be coming soon. Of course, you can view the interview in the nude now if you take your own clothes off. You know. Technically. Just put a towel on your chair first.

 

Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

10:49

10:28

Value creation, bullshit jobs and the future of work [Seth's Blog]

We create a job whenever someone with the authority to hire decides the value created is greater than the wages paid.

In my lifetime, we’ve invented 7 billion or more jobs, which is great news. Great for the people who were able to earn a living, and productive for everyone who experienced some of the value created.

“Value” doesn’t always mean profit.

David Graeber defined a bullshit job as “A form of paid employment that is so completely pointless, unnecessary, or pernicious that even the employee cannot justify its existence, even though, as part of the conditions of employment, the employee feels obliged to pretend that this is not the case.”

But over time, there are no pointless jobs. It might be that the value created is hard to measure, creates status for the boss, or is part of a larger system. It might seem pointless to the employee, but someone gets value out of it. Boats have ballast to keep them steady, and many big company jobs serve a similar purpose. Sailing a boat without ballast is difficult, regardless of how pointless carrying dead weight seems to be.

The person who pays for the job is the one who decides if it’s valuable. Calling it pointless from the outside is just substituting your judgment for theirs.

Graeber was right that doing a job that feels pointless is enervating. Even if it has a point, the more obviously connected we are to the creation of value, the more purpose we can find in our work.

And now, here comes AI.

It’s already good enough at many tasks that it’s cheaper and faster and perhaps more reliable to have an AI do those tasks instead of a person.

But we’ve seen this before. The Luddites weren’t anti-technologists. They were defending their livelihoods, a specific job: weavers. People who created clothing.

Today, around the world, we’re all clothed, but it’s quite unlikely you know a weaver. The cost of truly handmade clothing is so high that no one buys it. A handmade t-shirt might cost $500 if you could find one. Machines replaced skilled labor, and all of the weaving jobs disappeared, because the machines created more value per dollar invested.

It took a generation or two for the weaving workforce to fade out. That sort of labor change is now happening in months or years, not decades.

Most people reading this post have a job that didn’t exist a hundred years ago. Some of these jobs create easily measured and obvious forms of value, some less so. And all of these jobs will change as a result of AI.

Jevons Paradox is worth understanding. When the efficiency of coal combustion increased, it didn’t lead to a drop in coal use; instead, more uses were found for coal power, and consumption went up. This will likely happen, at least for a while, in many uses of AI. If it’s easier for programmers to write useful code using AI, then more programmers will show up and write more code, solve more problems, and create more value.

We keep building machines, and the machines give people chances to add value. But that value creation is more likely to happen when people use the machines for leverage, not when they try to do the work that the machine can do.

Bullshit jobs will disappear, especially as the meme of corporations with less ballast catches on. More status will be earned by having a smaller workforce, not a larger one. CFOs will get more value (for a while) from laying people off than from hiring them. The turmoil is certain, the human costs will be real, but the likely outcome is more value created by more people, over time. That’s not much solace for someone who has invested and trained to create value under the old rules, but consumers of value don’t often care about that.

The best plan is resilience. Find a way to create value, more each day. Consider enrolling in the bumpy ride that change brings, because holding on tight to the job we have today is probably going to be insufficient.

History doesn’t repeat itself, but it rhymes. Figure out who is seeking value and create it for them.

05:42

05:21

The classic TreeView control lets me sort by name or by lParam, but why not both? [The Old New Thing]

The Win32 TreeView control in the common controls library provides two ways of sorting elements.

  • TVM_­SORT­CHILDREN: Sorts children alphabetically by name.
  • TVM_­SORT­CHILDREN­CB: Sorts children via custmm callback.

The custom callback is provided the lParam of the two tree items being compared. But what if you want to sort by a combination of both the text and the lParam? How do you get both?

There are two general designs for using UI controls that represent collections.

One model is for the UI control to be the data repository. Everything you need to know about the item resides in the UI control, somewhere in its name, its check state, its selection state, whatever. If you need to know something about an item, you ask the UI control for the information.

The second model is for the data repository to be some sort of object that itself does not have any UI. (This is known in the biz as a “data model”.) You then construct UI elements to be the representation of those objects.

Windows controls generally lean toward the data model approach because there is usually a lot of information about an item that is not present in its UI representation. The data model approach also allows for optimizations in which where very large collections of items create UI elements only for the items that are visible on screen. You can see this in the XAML ListView control as well as in the classic Win32 ListView control when placed into owner-data mode.

For the controls in the common controls library, the general pattern is to provide a place to store a pointer-sized value that is not shown in the UI, typically called “item data” or just lParam. Here is where you store a pointer to the data model object that the UI object represents.

Okay, so let’s look at the TreeView sort methods again.

The TVM_­SORT­CHILDREN­CB message takes a callback which is passed the lParams of two items to compare. The theory is that these lParams are pointers to larger data structures that describe the item, and you use those larger data structures to decide the ordering of the two items.

The TVM_­SORT­CHILDREN message doesn’t take a callback. It is a convenience method for the case where you are just sorting by name, so it uses the already-available name assigned to the item.

The case where you would need both is the case where the lParam is not enough to recover the name, either because it’s a pointer to a structure that doesn’t include a name, or because it’s not a pointer at all.

I can imagine running into this case if the only information you need to track for each TreeView item is its name and a pointer-sized piece of data. You put the name in the TreeView item text and the other data in the lParam. This plan works great until you need to sort the items, and your sort comparison function wants access to both pieces of data.

The solution is to switch to a data model pattern. Allocate a structure for each TreeView item and put the string and additional data in that structure. (Alternatively, you could just be sneaky and have the structure be the HTREEITEM and the additional data. Then you can recover the string by using the TVM_GET­ITEM message.)

Bonus chatter: In theory, the TVM_­SORT­CHILDREN­CB could have passed the HTREEITEMs to the callback. The callback could then use the HTREEITEM to obtain both the string and the lParam. I suspect this didn’t happen because most callback functions would just ask for the lParam from the HTREEITEM, TVM_­SORT­CHILDREN­CB is doing you a favor and saving you a bunch of work by giving you the thing you probably wanted in the first place.

The post The classic TreeView control lets me sort by name or by lParam, but why not both? appeared first on The Old New Thing.

Tianon Gravi: Containers Are a Security Boundary (some assembly required) [Planet Debian]

I've heard "containers are not a security boundary" enough times that it's started to feel like received wisdom, and my honest read (after 13+ years) is that it's technically defensible but practically sloppy – and the sloppiness matters.

The part that's true: containers share a kernel, and a kernel exploit crosses the container boundary where a VM would not. That difference is real and non-trivial, and the CVE history backs it up – CVE-2019-5736, CVE-2022-0492, and CVE-2024-21626 all happened in "correctly configured" production containers.

The part I'd push back on is that the comparison point is almost never stated. "Containers aren't a security boundary" is being used as shorthand for "containers aren't a VM boundary" – but the conclusion people seem to draw from that is "therefore don't bother", which doesn't actually follow. The more honest version is that default Docker doesn't provide strong isolation between mutually untrusting parties, but a hardened configuration does.

What ships by default in Moby is actually a pretty reasonable foundation: seccomp is enabled (with a builtin profile blocking ~50 syscalls – credit where it's due: this is mostly @jessfraz's work; she even ran contained.af as a public CTF for years daring people to escape a container under her seccomp profile, and to my knowledge it was never claimed), AppArmor is enabled (the docker-default profile), and several sensitive /proc paths are masked. What's not on by default: no-new-privileges (setuid binaries inside can escalate), CAP_NET_RAW is still granted to every container (even though the kernel has supported unprivileged ICMP sockets for over a decade, meaning most modern distributions no longer need CAP_NET_RAW for ping), and user namespace remapping – though user namespaces aren't quite the silver bullet they might sound like; Debian left them disabled by default for years because the kernel attack surface they exposed hadn't been hardened against unprivileged callers.

The boundary isn't absent – it doesn't come completely pre-assembled. With VMs, the hypervisor is there whether you asked for it or not; with containers, assembling the boundary is left as an exercise for the operator. That's a much more solvable problem than "the technology is incapable", but it does mean the work falls to whoever's running the containers.

So, some things you can do today without waiting for defaults to change:

--user (or USER in your Dockerfile) is worth calling out specifically, because I think it's arguably stronger than user namespace remapping in one important way – and partly for the same reason Debian was hesitant about user namespaces in the first place. User namespace remapping protects the host from a root-in-container escape: if you do escape, you land as an unprivileged user on the host. But you were still root inside the container the whole time. Running as a non-root user means you were never root anywhere. The blast radius of a compromised process is limited whether or not it escapes, including for things like reading secrets, modifying container contents, or lateral movement within the container itself. Most application containers have no legitimate reason to be root.

Beyond that, a short list of things that are easy to enable and hard to justify leaving off:

  • --security-opt no-new-privileges – prevents setuid binaries from escalating; can also be set daemon-wide in daemon.json with "no-new-privileges": true
  • --read-only – a read-only root filesystem means a compromised process can't easily persist tooling or modify the container (pair with a writable tmpfs mount for /tmp etc as needed)
  • --cap-drop NET_RAW – or --cap-drop ALL and add back only what you actually need; CAP_NET_RAW is almost never legitimately needed by application containers
  • never --privileged – if something seems to require it, the right answer is almost always a more targeted capability grant or bind mount, not the nuclear option
docker run \
  --user 1234:5678 \
  --security-opt no-new-privileges \
  --read-only \
  --tmpfs /tmp \
  --cap-drop ALL \
  acme/untrusted-workload:latest

None of these require a daemon restart or infrastructure changes, and stacked together they go a long way toward actually building the boundary that the defaults leave unbuilt.

(this post was written with the assistance of "claude my eyes right out" but all thoughts and understanding are Tianon's)

04:28

04:07

[$] LWN.net Weekly Edition for May 21, 2026 [LWN.net]

Inside this week's LWN.net Weekly Edition:

  • Front: OpenSUSE site age restrictions; Lots of LSFMM+BPF coverage; The tenth OpenPGP email summit.
  • Briefs: Firefox 151.0; pgBackRest funding; RIP Peter G. Neumann; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

03:00

05/21/26 [Flipside]

My Kickstarter for Flipside Volume 13 has just 16 hours left...!!

https://www.kickstarter.com/projects/1016357068/flipside-graphic-novel-13th-volume

Also, I am doing a special Kickstarter stream today where I will be playing Final Fantasy on Wonderswan all day! You can watch it here:

https://www.twitch.tv/flipsider99

00:42

Get your passwords out of BitWarden while you still can [OSnews]

I was a long-time Bitwarden user, until a year or so ago when I started migrating my passwords first to Firefox/LibreWolf, and recently from there to a KeePass database I can transfer and use with whatever password manager application is compatible with KeePass’ file format. It seems I was accidentally on time, as it’s come out over the last few days that Bitwarden is probably going down the drain soon. In February, the company got a new CEO, and in March, it doubled its Premium price, announcing the hike deep in a feature announcement.

The new CEO seems to be a bellwether for what’s to come for Bitwarden. He’s a merger and acquisitions guy, with a history of gutting companies and selling them for parts, and changes to Bitwarden’s website also indicate where it’s headed.

The phrase “Always free” disappeared from the personal password manager page in mid-April. It used to sit prominently under the plan selector. The free plan still exists — for now — but the commitment language is gone.

And then there’s the values rewrite.

Bitwarden used to define its culture with the acronym GRIT: Gratitude, Responsibility, Inclusion, and Transparency. After May 4th, that changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.

Inclusion and Transparency are out. Innovation and Trust are in.

↫ Patrick Boyd

The “Always free” motto quietly reappeared on the site after its removal was uncovered and went viral on Fedi.

The change in CEO, the changes in values, and the removal (and reappearance) of Bitwarden’s well-known and oft-repeated commitment to its free plan have all been quiet. No announcements, no blog posts, no posts on social media – but they did change a four-year old blog post by Bitwarden’s former CEO to change that GRIT acronym. You don’t need to be an honors student to figure out where this is going, and what the new CEO’s plans are for Bitwarden.

Do as I did, and get your passwords out of BitWarden. I strongly suggest using an open format that can be used by any compatible password manager, with KeePass’ formats being the obvious choice. This way your passwords are truly yours, and not dependent on someone’s continued commitment to free plans or proprietary services that can unexpectedly change hands. Bitwarden is licensed under the Apache 2.0 license, but with all of the above, one has to wonder how long that’s going to remain a thing.

Wednesday, 20 May

23:35

New GNU Taler integration in be-BOP [Planet GNU]

A new GNU Taler integration is now officially available: be-BOP.

23:14

It's An Older Code, But it Checks Out [Penny Arcade]

Forza Horizon 6 is doing numbers on Steam, and I'm glad - I think this series is the torchbearer for A Fun Racer That Is Just Technical Enough To Offer An Intriguing Skill Ceiling. That's a new subgenre I just made up. But apparently the game is fun, and works on computers - a powerful combo that's delivered real results in Q2. The only issue Morak has identified to me are the faces, which… well, I'll show you. They aren't faces in the classic sense, they're more like a fongoid "fruiting body":

21:35

Printing with CUPS on OpenBSD [OSnews]

Printing on Linux, macOS, and even on Windows seems to be pretty much a solved problem, but what about printing on OpenBSD?

Anyway, to do so I would need to set up my HP OfficeJet printer, connected wirelessly to the network, on OpenBSD. I chose to do this using HPLIP and CUPS as they are both in ports, I am familiar with how they work, and my printer is old enough that its PPD (driver) file is included in the slightly older version of HPLIP that is ported to OpenBSD. However, after installing both packages, starting the relevant services via rcctl including Avahi, and launching CUPS and finding the printer, I could not get it to install properly. Either it would error out at the end saying the printer couldn’t be added and advise me to check the CUPS error log, or it would seemingly successfully add the printer but I couldn’t print anything and couldn’t adjust the printer settings.

↫ Morgan at his blog

Only very tangentially related, but my personal crowning achievement in computing is somehow making it possible for my PA-RISC c8000 workstation running HP-UX 11i v1 to print to my modern all-in-one HP printer thing, some random HP consumer junker we bought on a whim because it was a returned item and cheap. It took some messing around, but ever since I’ve been able to just print stuff right from any application on HP-UX over the network, wirelessly. Note that the c8000 and HP-UX 11i v1 are almost two decades out of date compared to the printer, but by trying out promising device files included in HP-UX I managed to get it all to work.

I never need it, but I am fairly sure I’m one of the very few people in the world who can reliably print from an HP-UX 11i v1 workstation to a modern throwaway HP junker over Wi-Fi. Put that on my tombstone.

20:49

OSNews fundraiser progress [OSnews]

A little progress bar to keep track of our fundraiser!

4,353 / 20,000


➡️ Donate through Ko-Fi ➡️ Donate through SEPA transfer ➡️ Why a fundraiser?


Note that I have to update it manually, and that it includes both Ko-Fi donations, as well as direct bank transfers. Yes, if your country is part of SEPA (EU, more or less), you can now do a safe direct bank transfer using IBAN to a dedicated bank account. This avoids any third parties. Use your bank’s application or website (Name: Thom Holwerda – IBAN: SE08 8000 0820 1684 4657 8414 – BIC: SWEDSESS).

20:21

The Big Idea: Caitlin Rozakis [Whatever]

Excel spreadsheets, water-cooler talk, and demons are all things you’ll find in the corporate setting of author Caitlin Rozakis’s newest novel, Startup Hell. Log on to her Big Idea as she begs the question: who is more of a monster, a demon, or a CEO?

CAITLIN ROZAKIS:

I’m not saying that startups, or tech companies, or tech startups in particular, are evil.

Well, not all of them.

I’ve spent more than fifteen years working in startups and tech, and in that time, I’ve gotten to work with some awesome people and on some cool products. I do believe that technology still has enormous potential to make our lives easier, safer, more fun.

But I know I’m not alone in feeling increasingly cynical about the tech industry these days. The “move fast and break things” approach to infrastructure and people’s lives that should never have been broken. The disruption of industries so we can replace things that used to work well with subscription models of things that don’t quite work as well. The enshittification. I’ve seen companies who have a product that is working great and is depended on by customers be told by investors that their current business model doesn’t have a big enough revenue multiplier.

And then I’ve watched them pivot, and pivot again, trying to appeal to a wider audience while betraying the initial customers who relied on them, all in search of that billion-dollar valuation. It’s not enough to do a thing well and make a steady profit. If the revenue numbers don’t go up by an exponential quarter after quarter forever, it’s a failure. Never mind that Earth and its resources and its population are finite.

There’s plenty to write about there. But none of it’s fun.

One of the things I’ve noticed is how often fantasy terminology comes up around tech. A side effect of the victory of the geeks, I suppose. Every company has a story about how their app is going to change the world. (I should know; as a tech marketer, I’ve had to come up with ways to describe the deep storytelling roots and potential to bring a golden age of knowledge that’s created by, say, targeted TV advertising tech. My apologies. The rent was due.) But it’s more than the savior complex by an app that promises to revolutionize your approach to air freshener plugins. We talk about angel investors. Vampire capitalists. Unicorn startups. And the usual jokes about selling your soul and deals with the Devil.

That, I can work with.

Startup Hell started with an image. A junior employee at a crappy Manhattan tech startup stays late trying to make her quota. She walks into her boss’s office and finds him face-down on his desk, dead. And the demon he summoned to make his own quarterly target is still there, trapped in the circle.

She’s a junior salesperson. He’s a junior salesdemon. They both have impossible KPIs (that’s key performance indicators, for those of you lucky enough to live free of corporate jargon). They both have terrible, ruthless bosses. Are their situations really all that different?

Writing both offices (human and Infernal) was enormous fun. Well, fun for me, not so much fun for Morgan and Lucareoth. Along the way, they end up having to survive company-sponsored goat yoga, a bloodthirsty corporate shuffleboard tournament, a siege warfare lunch-and-learn, an angel-infested tech conference, and a lot of dubious free snacks. (I’ll let you guess which office has which.) 

Along the way, the supporting cast filled itself out. Morgan, who is depressingly mundane, acquired a kickass demon-slaying mother whose black leather outfits and back tattoo would be at home on the cover of any paranormal romance. Poor Morgan grew up aware of the hidden magical world, but her magical dyslexia leaves her a major disappointment to her parents and lacking an obvious career path. Lucareoth, on the other hand, has Rix, a not terribly bright hellhound whose drool can eat through flooring. Rix is the very bestest boy, by the way. He has no particular talents, he’s just happy to be participating. Good thing it’s a dog-friendly office.

So now Morgan has an inconveniently cute demon sleeping on her couch and masquerading as the latest sales intern. And she owes the Infernal Plane one human soul (it doesn’t have to be hers). While her demon-hunting mom sniffs around for rumors of startups making Infernal pacts. Morgan and Luke need to make some choices—in today’s capitalist hellscape, do you even have a choice about selling your soul? And who is worse—the literal forces of hell or a tech bro CEO?

(Let’s be honest, we’re all picking the same answer.)

Startup Hell: Amazon|Barnes & Noble

Author social: Website|Instagram|Bluesky

In Retrospect I Suppose This Demise Was Inevitable [Whatever]

“He died at the hand of the Coca-Cola Company” has a fitting ring to it, doesn’t it.

(Spoiler: I survived. Bearly.)

— JS

20:14

Link [Scripting News]

Saying Bluesky is part of the web is like saying Spotify or YouTube own podcasting. They say it, but that doesn't mean it's true.

Link [Scripting News]

I've been following Jake's work privately, but now he's blogging about it publicly. I totally look forward to running Frontier on today's hardware. I especially want to run Manila on one of my home computers, and use it for Linux server apps. I've forgotten so much about how Manila works, but I expect it'll all come back. We had a great team back in the Manila days -- we all used the product, and it was and will be again one of the most powerful and pragmatic programming environments ever.

19:14

Michael Prokop: The mysterious XF86AudioPlay issue [Planet Debian]

I was getting “<XF86AudioPlay> is undefined” in the status bar of Emacs displayed every 2-3 seconds. Nowhere else I noticed any misbehavior or problems, and also couldn’t find any related log entries. It didn’t stop, though didn’t want to reboot my system to see whether that would fix the problem, but it was driving me nuts.

Now, as a starting point I adjusted my sway configuration, to react to the XF86AudioPlay key press event:

bindsym XF86AudioPlay exec playerctl play-pause

After reloading sway, my music player started to play for 2-3 seconds, stopped playing, started again, etc. It wasn’t a Emacs bug, but something indeed seemed to send the XF86AudioPlay key event every 2-3 seconds. It wasn’t my USB keyboard or any stuck key on it, as verified also by unplugging it. So which device was causing this?

libinput from libinput-tools to the rescue:

% sudo libinput debug-events
[...]
-event12  KEYBOARD_KEY                 +0.000s  KEY_PLAYPAUSE (164) pressed
 event12  KEYBOARD_KEY                 +0.000s  KEY_PLAYPAUSE (164) released
 event12  KEYBOARD_KEY                 +2.887s  KEY_PLAYPAUSE (164) pressed
 event12  KEYBOARD_KEY                 +2.887s  KEY_PLAYPAUSE (164) released
 event12  KEYBOARD_KEY                 +5.773s  KEY_PLAYPAUSE (164) pressed
 event12  KEYBOARD_KEY                 +5.774s  KEY_PLAYPAUSE (164) released
[...]

The `event12` device was sending this event, what’s behind this?

% sudo udevadm info /dev/input/event12
P: /devices/pci0000:00/0000:00:1f.3/skl_hda_dsp_generic/sound/card0/input17/event12
M: event12
R: 12
J: c13:76
U: input
D: c 13:76
N: input/event12
L: 0
S: input/by-path/pci-0000:00:1f.3-platform-skl_hda_dsp_generic-event
E: DEVPATH=/devices/pci0000:00/0000:00:1f.3/skl_hda_dsp_generic/sound/card0/input17/event12
E: DEVNAME=/dev/input/event12
E: MAJOR=13
E: MINOR=76
E: SUBSYSTEM=input
E: USEC_INITIALIZED=12468722
E: ID_INPUT=1
E: ID_INPUT_KEY=1
E: ID_INPUT_SWITCH=1
E: ID_PATH=pci-0000:00:1f.3-platform-skl_hda_dsp_generic
E: ID_PATH_TAG=pci-0000_00_1f_3-platform-skl_hda_dsp_generic
E: XKBMODEL=pc105
E: XKBLAYOUT=us
E: XKBOPTIONS=lv3:ralt_switch,compose:rctrl
E: BACKSPACE=guess
E: LIBINPUT_DEVICE_GROUP=0/0/0:ALSA
E: DEVLINKS=/dev/input/by-path/pci-0000:00:1f.3-platform-skl_hda_dsp_generic-event
E: TAGS=:power-switch:
E: CURRENT_TAGS=:power-switch:

% sudo udevadm info -a /dev/input/event12 | grep -iE 'kernels|drivers|name'
    KERNELS=="input17"
    DRIVERS==""
    ATTRS{name}=="sof-hda-dsp Headphone"
    KERNELS=="card0"
    DRIVERS==""
    KERNELS=="skl_hda_dsp_generic"
    DRIVERS=="skl_hda_dsp_generic"
    KERNELS=="0000:00:1f.3"
    DRIVERS=="sof-audio-pci-intel-tgl"
    KERNELS=="pci0000:00"
    DRIVERS==""

Behind this event12 is sof-hda-dsp Headphone, and evtest confirms that:

% sudo evtest
No device specified, trying to scan all of /dev/input/event*
Available devices:
/dev/input/event0:      AT Translated Set 2 keyboard
/dev/input/event1:      Sleep Button
/dev/input/event10:     ThinkPad Extra Buttons
/dev/input/event11:     sof-hda-dsp Mic
/dev/input/event12:     sof-hda-dsp Headphone
/dev/input/event13:     sof-hda-dsp HDMI/DP,pcm=3
/dev/input/event14:     sof-hda-dsp HDMI/DP,pcm=4
/dev/input/event15:     sof-hda-dsp HDMI/DP,pcm=5
/dev/input/event16:     Yubico YubiKey OTP+FIDO+CCID
/dev/input/event17:     Apple Inc. Magic Keyboard with Numeric Keypad
/dev/input/event18:     Apple Inc. Magic Keyboard with Numeric Keypad
[...]
Select the device event number [0-24]: ^C

We can even get further information:

% sudo evtest /dev/input/event12
Input driver version is 1.0.1
Input device ID: bus 0x0 vendor 0x0 product 0x0 version 0x0
Input device name: "sof-hda-dsp Headphone"
Supported events:
  Event type 0 (EV_SYN)
  Event type 1 (EV_KEY)
    Event code 114 (KEY_VOLUMEDOWN)
    Event code 115 (KEY_VOLUMEUP)
    Event code 164 (KEY_PLAYPAUSE)
    Event code 582 (KEY_VOICECOMMAND)
  Event type 5 (EV_SW)
    Event code 2 (SW_HEADPHONE_INSERT) state 0
Properties:
Testing ... (interrupt to exit)
Event: time 1779295060.175766, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 1
Event: time 1779295060.175766, -------------- SYN_REPORT ------------
Event: time 1779295061.951168, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295061.951168, -------------- SYN_REPORT ------------
Event: time 1779295061.951194, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295061.951194, -------------- SYN_REPORT ------------
Event: time 1779295064.548671, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295064.548671, -------------- SYN_REPORT ------------
Event: time 1779295064.548689, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295064.548689, -------------- SYN_REPORT ------------
Event: time 1779295067.437172, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295067.437172, -------------- SYN_REPORT ------------
Event: time 1779295067.437187, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295067.437187, -------------- SYN_REPORT ------------
Event: time 1779295070.323775, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295070.323775, -------------- SYN_REPORT ------------
Event: time 1779295070.323790, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295070.323790, -------------- SYN_REPORT ------------
Event: time 1779295073.200350, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295073.200350, -------------- SYN_REPORT ------------
Event: time 1779295073.200373, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295073.200373, -------------- SYN_REPORT ------------
Event: time 1779295076.076228, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295076.076228, -------------- SYN_REPORT ------------
Event: time 1779295076.076250, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295076.076250, -------------- SYN_REPORT ------------
Event: time 1779295078.961740, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295078.961740, -------------- SYN_REPORT ------------
Event: time 1779295078.961754, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295078.961754, -------------- SYN_REPORT ------------
Event: time 1779295081.850156, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295081.850156, -------------- SYN_REPORT ------------
Event: time 1779295081.850175, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295081.850175, -------------- SYN_REPORT ------------
Event: time 1779295083.306612, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 0
Event: time 1779295083.306612, -------------- SYN_REPORT ------------

So when I plug in my headphone (see the `SW_HEADPHONE_INSERT` event), the unexpected behavior starts, unplugging stops the problem.
Good! But what was totally unexpected for me: my headphone, being a Beyerdynamic DT-990 Pro, does not have any keys. 8-)

As it turned out, the headphone jack seemed to have been not entirely clean. The analog side of the jack triggers a behavior within the audio codec, where it seems to interpret the fluctuating impedance as a play button of the headset, being pressed, again and again.

I cleaned the jack of my headphone and my XF86AudioPlay problem is gone, case closed.

18:28

Page 16 [Flipside]

Page 16 is done.

16:07

15:56

On AI Security [Schneier on Security]

Good report:

Executive Summary: Let’s say you wanted to make sure that your AI is secure. Can you just maximize the security and privacy benchmark and call it a day? Nope, because benchmarks don’t actually work for measuring AI capabilities (even when they are NOT emergent systemic properties like security). So let’s take a step back: how do you measure security in the first place? Good question. Over the last 30 years, security engineering for software evolved from black box penetration testing, through whitebox code analysis and architectural risk analysis to de facto process-driven standards like the Building Security In Maturity Model (BSIMM). Software had a very deep impact on business operations, and it appears that AI is going to have an even deeper impact. Will a software security-like measurement move work for AI? Probably. In the meantime we can make real progress in AI security by cleaning up our WHAT piles and managing risk by identifying and applying good assurance processes. (Spoiler alert: no matter what we do, we still don’t get a security meter for AI, so we need to be extra vigilant about security.)

15:35

Link [Scripting News]

Claude Code doesn't know about "user perspective," but it learns quickly. The UI of the software we're working on is fenced off, I use it, but I don't read code in there. I don't want to know how it works, I want to use it and getting right. This is an important technique. Later once things are locked down, I don't mind learning more about how it was done.

14:35

[$] What is to be done about MGLRU? [LWN.net]

"Reclaim" is the task of finding memory that can be taken away from its current user and put to better uses within the system; it is a core part of the memory-management picture. The addition of the multi-generational LRU (MGLRU) was meant to provide a better reclaim implementation than the "traditional LRU" that preceded it, but MGLRU has complicated the situation instead. No fewer than three memory-management-track sessions at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit were focused on MGLRU, with an eye toward integrating it more fully, improving its performance, and addressing some problems encountered with Android systems.

Security updates for Wednesday [LWN.net]

Security updates have been issued by AlmaLinux (kernel, libpng, nginx, nginx:1.24, ruby, and ruby:3.3), Debian (gnutls28 and linux-6.1), Fedora (dnsmasq, kernel, keylime-agent-rust, perl-Net-CIDR-Lite, python-pysam, python-urllib3, rust-cargo-vendor-filterer, rust-ingredients, rust-oo7-cli, rust-rpki, rust-sevctl, and rust-tealdeer), Mageia (bind), Oracle (bind, giflib, gimp:2.8, kernel, libpng, rsync, ruby, and vim), Slackware (haveged and mozilla), SUSE (cockpit, dnsmasq, erlang26, freeipmi, git-bug, glibc, GraphicsMagick, haveged, ImageMagick, iproute2, kernel, openssh, perl-CryptX, perl-HTTP-Tiny, postgresql14, postgresql15, postgresql16, python-Pillow, rsync, tiff, and traefik), and Ubuntu (Highlight.js, linux, linux-aws, linux-aws-5.15, linux-aws-fips, linux-fips, linux-gcp, linux-gcp-fips, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-fips, linux-bluefield, linux-fips, linux-gcp, linux-gcp-5.4, linux-gcp-fips, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-fips, linux-fips, linux-gcp-4.15, linux-gcp-fips, linux-kvm, linux-oracle, linux, linux-aws, linux-aws-fips, linux-gcp, linux-gcp-fips, linux-gke, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-raspi, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, linux, linux-aws, linux-hwe-6.17, linux-oem-6.17, linux-oracle, linux-raspi, linux-realtime, linux-realtime-6.17, and smarty3).

14:07

CodeSOD: Find a Bar for This One [The Daily WTF]

A depressing quantity of software is what I would call a "data pump". I have some data over here, and I need it over there. Maybe I'm integrating into a legacy app. Or into an ERP. Or into a 3rd party API. At the end of the day, I have data in one place, and I want it in another place.

Sally has a Java application written in the Quarkus framework, which has a nightly batch that works to keep a table of Bar entities in sync with a table of Foo entities. (This anonymization comes from Sally) These exist in the same database. There is also a Bar webservice, which provides information about the Bar entities. The workflow, such as it is, is that the software needs to find all of the Foo entities that do not currently have associated Bar entities, and then call the Bar webservice to get the required information to create those Bar entities.

Let's see how that works.

@Inject UserTransaction transaction
// If this is annotated with @Transaction the usage in the Message function down below will have some Thread exception
public List<FooData> getAllFoos() {
  try{
    return fooDataRepository.findAllFoos();
  } catch (Exception e) {
    throw new RuntimeException(e);
  }
}

We'll worry about that comment in a second, but this function returns a list of all of the Foo objects in the database. It does not return a list of all the Foo objects without associated Bar entities. It's just the whole giant list of everything. The underlying database is a standard relational database; it'd be trivially easy to write that query, even going through the ORM.

Well, that's bad, but it's all pretty minor. How does the actual update go?

// Can't be annotated with @Transaction because Oracle DB can handle the given Amount of dataEntities in one Transaction '\._./'
Message updateBarsWithFoos() {
  List<FooData> foos = getAllFoos();
  if(!foos.isEmpty()){
    foos.forEach(foo -> {
      try{
        transaction.begin();
        if(barRepository.findByName(foo.getName()) == null){
          if(barDataService.searchByName(foo.getName()) != null && barDataService.searchByName(foo.getName()).marker() != null){
            barRepository.createBar(barDataService.searchByName(foo.getName()));
          }
        }
        transaction.commit();
      } catch (Exception e) {
        try {
          transaction.rollback();
        } catch (Exception ex) {
          throw new RuntimeException(ex);
        }
      }
    });
  }
  return new Message(MessageLevel.INFO, "Created bars")
};

Ah, the real WTF is that it's an Oracle database. That's always a WTF.

But let's trace through this code.

We get all of our Foo entities. We check for emptiness and then do a forEach, which seems to make the empty check superfluous: a forEach on an empty list would be a no-op anyway.

We start a transaction, then check the database: if there are no Bar objects that link to Foo, then we call into the barDataService to find data. If there is, we call into the service again, to see if the marker property is not null. If it is, we call into the service again to get the actual data we're putting into the database. Then we close the transaction. If anything goes wrong, we rollback the transaction and chuck an exception up the chain.

That is three web service calls inside of a database transaction. Three calls which could easily be one, and that call could easily also happen outside of a transaction if you're mindful about confirming your constraints. And of course, because they're not mindful at all, they need to manage the transaction directly, and can't use the @Transaction annotation provided by their framework, which would at least cut down on some of the boilerplate.

Now, I'm sure you'll be shocked - shocked - to learn that the webservice is actually a bit flaky, and thus times out from time to time. And this isn't the only batch job running, which means the long-lived transactions cause all sorts of contention and terrible performance across the various batches. And this app doesn't have its connection pool properly configured, so the entire software stack can exhaust all of its database connections surprisingly quickly, causing yet more failures.

The root of the WTF, of course, is doing this as a batch job. A well engineered application would do everything it could to not create data in the database that isn't referentially sound. There, Sally gives us the one bit of good news:

My current project will do away with the batch processing altogether, so we can say, "RIP, transactional wholesale triple caller!"

[Advertisement] Keep all your packages and Docker containers in one place, scan for vulnerabilities, and control who can access different feeds. ProGet installs in minutes and has a powerful free version with a lot of great features that you can upgrade when ready.Learn more.

14:00

Link [Scripting News]

I couldn't not say anything about the Knicks win last night in the opening game of the NBA Eastern Conference finals. The Knicks were losing, then winning big, then fell apart, and by midway through the 4th quarter they were down by 22, and the Clevelands were completely in charge. But then the Knicks came back, miraculously tied the game so it went into overtime where the Knicks dominated, and won. Actually it wasn't really a miracle, it was somewhat predictable. The Knicks were playing on a lot of rest, and one of the big advantages they have this year over last is a deep and strong bench and a coach who plays them (last year's coach didn't). So the Knicks didn't get tired and the Cavs were wiped out by the 4th quarter. Their shots weren't long or short, aimed, they had no flow, they weren't getting rebounds, they didn't have good ball movement. While Brunson was driving the Knicks the Cavs just weren't there. When things started turning around in the 4th I was pretty sure the Knicks would win. I had no basis for believing this, coming back from 22 down so late in the game is pretty unlikely. In most cities that's when the fans start heading home, but not in NYC. We stay till the end because sometimes, maybe often with this years' Knicks, the team you think is going to lose actually ends up winning.

13:49

Daniel Baumann: Debian: Linux Vulnerability Mitigation (PinTheft) [Planet Debian]

Following the series of various Linux exploits of the last three weeks, the bug of today is PinTheft [CVE-2026-43494] which is local root privilege escalations.

The vulnerability can be mitigated by unloading and blocking rds modules, linux-vulnerability-mitigation as of 20260519-1 (uploaded to sid, trixie-fastforward-backports and people.debian.org/~daniel) does that automatically for you.

Updates:

13:14

The Agent Stack Bet [Radar]

The following article originally appeared on the Elevate newsletter and is being reposted here with the author’s permission.

Peek under the hood of most “production agents” shipping today and you won’t find intelligence. You’ll find custom plumbing, fragile session logic, shared service accounts, and a security model held together by hope. This can be so much better.

If you’ve spent the last 18 months putting agents into production, you already know the models and tools have gotten dramatically better. You also know the problems that are still burning your on-call rotation are not problems you can prompt your way out of. We are running into a stack ceiling, and it is quietly creating a governance and reliability gap that the next generation of agentic systems cannot grow through.

Right now the industry is living with what I’d call excessive agencyautonomous systems given broad permissions to get things done, then left to discover—at runtime, in production—that a schema drifted, an API changed, or a downstream service started returning PII it wasn’t supposed to. Agents mark tasks “complete” while leaving a trail of corrupted state behind them. The humans find out on Monday.

This is not a failure of the people building agents. It is a failure of the stack they’re building on.

Here are the four architectural bets I think every serious team has to make in the next twelve months.

1) Agents need identities, not shared credentials

Every engineer who has shipped agents to production knows this specific flavor of dread: You have agents doing useful work, and effectively zero visibility into which tools they touched, which data they moved, or which credentials they used to do it. I call this governance debt—the silent accumulation of security and audit risk that eventually forces a full rewrite, usually right after the first incident that reaches the CISO.

The root cause is that most agents today are ghosts. They don’t have identities. They borrow a service account, inherit a human’s OAuth token, and “promise”—in application code, in a prompt—to stay inside the lines. In a real enterprise environment, a promise in a prompt is not a policy.

My bet is that agent identity has to move from the application layer down into the platform layer.

The difference is between bolted-on versus embedded security. Bolted-on looks like middleware in front of every tool call, politely asking the agent to behave: easy to bypass, expensive in latency, and invisible to your existing IAM. Embedded looks like a badge reader welded into a steel frame. The agent has a distinct, unforgeable identity recognized at the network and platform level, and policy is enforced at the source. If the agent reaches for a database it isn’t cleared for, the connection never opens. No middleware, no vibes.

Done right, this turns “a fleet of liabilities” into something that looks a lot more like a managed workforce: every action attributable, every permission auditable, every agent revocable with one call.

2) Agents need universal context, not scraped windows

Context management is a tax every builder is currently paying. Teams are burning a huge share of their engineering hours (and tokens) on undifferentiated plumbing—custom serialization, bespoke session stores, hand-rolled memory layers—just to keep an agent from forgetting its mission halfway through a multi-step task.

Worse, the context agents can get their hands on is usually siloed. A browser-based agent can see the open tab. A desktop wrapper can see the files a user happened to drag in. Neither of them can easily reason across the systems where the business actually lives—the CRM, the ERP, the data warehouse, the ticketing system, the transcripts, the project plans—at the same time.

Agents need universal context that integrates at the platform level. If we don’t fix this, we should be honest that the ceiling of agentic AI is “slightly better spreadsheet autocomplete,” and we should stop writing vision pieces about it.

3) Agents need to survive your laptop closing

Here’s the uncomfortable version of this: A lot of what ships today as “an agent” isn’t yet ready to deploy across a business.

I want to be precise, because the frontier has genuinely moved in the last six months. Environments like Claude Code, OpenClaw, and similar platforms are capable—persistent task state, scheduled execution, multi-agent coordination, and long-running sessions that survive disconnects are no longer aspirational. These are not toys. The question has moved on.

The question now is whether an agent can run for a week instead of an hour. Whether it can cross three handoffs, two credential rotations, and an approval gate without a human babysitting the session. Whether the work it did on Tuesday is auditable on Friday by someone who wasn’t in the room. A session that survives a dropped WebSocket is table stakes. A mission that survives a quarter is the bar enterprises actually need.

Real work doesn’t fit in a session, and most of it doesn’t fit in a day either. A procurement workflow spans weeks and a dozen handoffs. A compliance audit runs for a month. An incident investigation outlives three on-call rotations.

Most agents today hit a hard ceiling—sometimes time-based, sometimes token-based, sometimes governance-based—and when they hit it, the mission fails and a human picks up the pieces from wherever the transcript ended.

Enterprise-grade autonomy requires durable, cloud-native execution with a much higher floor than “the session stayed up.” Concretely, that means:

  • State and checkpointing that survives restarts, disconnects, redeploys, and model version changes by default—not bolted on with a local Redis and a prayer.
  • Context that outlives the window: long-horizon memory, summarization, and handoff between agent instances, so a multi-week task doesn’t die because a single run exhausted its tokens.
  • Missions that outlive sessions: agents that stay on the job across days, handoffs, and credential rotations, with an auditable trail of what happened while you were asleep.
  • First-class human-in-the-loop primitives, so the agent can pause and ask for permission to do something new instead of silently deciding it has the authority.

Persistence with guardrails. That’s the bar. Anything less and you’re building demos that happen to run for a long time.

4) Agents need platforms

The pattern I see most often in strong teams is the saddest one: brilliant engineers draining their bandwidth into stack problems that do not differentiate their product. Custom memory. Bespoke eval harnesses. Homegrown observability. Handwritten retry logic. A tracing system that almost works. None of this is the hard part of the agentic era, and none of it is what your users are paying you for.

The real value lives in domain reasoning and business logic—the judgment calls that are specific to your company, your customers, your regulatory environment. Everything underneath should be the platform you build on, not the plumbing you build.

This is why the maturation of open primitives matters right now. Open-source orchestration frameworks exist precisely so the scaffolding isn’t locked behind any single vendor’s roadmap. The model that worked for cloud compute, containers, and CI/CD—start local on open primitives, graduate to a managed platform when you’re ready to scale—is the model agent platforms need to copy.

Teams should be able to prototype on their laptop with the same building blocks they’ll run in production, and cross that boundary without a rewrite.

That’s the engineering standard that lets teams stop fighting plumbing and get back to the product.

The five-year horizon

The teams that pull ahead in the next five years will not pull ahead by being smarter at writing boilerplate. They’ll pull ahead by choosing the right agent foundation and spending their engineering hours on the problems only they can solve.

Every month spent rebuilding the common stack—identity, context, persistence, orchestration—is a month not spent on the logic that actually makes your agents worth deploying.

The agent stack has to become a solved problem. The only real question is whether you want to solve it yourself, again, or build on a foundation that was engineered for agents from the ground up.

My bet is on the latter. I think yours should be too.

13:00

12:21

Docker images by age or size [Planet GNU]

Files by age, newest first:

ls -lt

Docker images by age, newest first:

docker images --format "{{.CreatedAt}}\t{{.Repository}}:{{.Tag}}" | sort -r

Files by size, largest first:

ls -lS

Docker images by size, largest first:

docker images --format "{{.Size}}\t{{.Repository}}:{{.Tag}}" | sort -rh

Why why why??!

[$] The tenth OpenPGP email summit [LWN.net]

The OpenPGP Email Summit is an annual meeting for those who work on encrypted email and related topics. The tenth installment of this meeting took place in March 2026 and the minutes have now been published. As usual, a wide range of topics were discussed. Highlights included support for post-quantum cryptography (PQC) with multiple actors planning rollouts within this year, a promising new approach for making email signatures ubiquitous with the plan of making OpenPGP signed email a default, a new draft that brings reliable deletion (or "forward secrecy") features to OpenPGP, as well as a plan for transferring ownership of the OpenPGP.org domain.

10:49

10:42

The act of Umfunktionierung [Seth's Blog]

Another unique German word. Umfunktionierung. Functional transformation.

Most of us take the tools we’re given and use them as instructed. We follow the manual. We color inside the lines. We accept the functions as defined by those who came before us.

But the ruckus maker asks: What if this tool could do something else?

Umfunktionierung isn’t incremental improvement. It’s about repurposing or reimagining. Taking the apparatus of production and fundamentally changing its function. Brecht coined the term in his work on the theory of theater, and the philosopher Walter Benjamin wrote about it. But it isn’t just for playwrights or Marxist philosophers from the 1930s.

Twitter wasn’t built for social movements, but activists transformed it into a tool that wasn’t planned for. Email wasn’t designed for newsletters, but creators repurposed it and invented a new medium. Smartphones weren’t made for documentary filmmaking, but filmmakers redefined their use.

Functional transformation doesn’t ask us to build something new from scratch. It requires us to look at what already exists and see possibilities others have missed.

This is how industries evolve. Not always through invention, but through transformation.

Sometimes, we make an impact by transforming the function of what already exists.

09:28

It's An Older Code, But it Checks Out [Penny Arcade]

New Comic: It's An Older Code, But it Checks Out

05:35

Girl Genius for Wednesday, May 20, 2026 [Girl Genius]

The Girl Genius comic for Wednesday, May 20, 2026 has been posted.

04:28

What is the history of the ERROR_ARENA_TRASHED error code? [The Old New Thing]

Error code 7 is ERROR_ARENA_TRASHED. What does this mean? It sounds like a heavy metal band ran amok and made a mess of the performance area that they rented.

This error message was inherited from MS-DOS. MS-DOS internally kept track of memory in the form of a sequence of variable-sized memory blocks, each prefixed by a 16-byte block known as an arena:

arena   STRUC
arena_signature     DB  ?               ; 4D for valid item, 5A for last item
arena_owner         DW  ?               ; owner of arena item
arena_size          DW  ?               ; size in paragraphs of item
arena   ENDS

The arena_owner is the PDB of the process that allocated the memory, or zero if the memory is free. Each arena signature is 0x4D (ASCII capital M), except for the final one which is 0x5A (ASCII capital Z). Yes, those are the initials of Mark Zbikowski.

When walking through the memory blocks, say, when searching for memory to satisfy an allocation request, if MS-DOS saw that the signature was neither 0x4D nor 0x5A, then it declared that the arenas were “trashed” (corrupted)¹ and returned ERROR_ARENA_TRASHED.

This is an MS-DOS specific error code. It is not used by Win32.²

Since it is a vestigial error code (like EMPTY_THREAD_REAPER_LIST), it is a handy error code to use when mocking error conditions, because you can be fairly confident that if you see error 7, it came from your test harness and not from a genuine system error.

The fact that the error message is not used casts suspicions on the many web sites that claim to be able to help you “fix” the problem. If you read their explanation of “what this error means”, it’s just a bunch of vague text about how, y’know, sometimes computers aren’t doing all that great and they encounter errors, or maybe there is a hardware conflict, or a corrupted system file. But somehow, despite having no idea what the error means, they still are quite confident in the steps you should take to fix it. (Usually performing a system scan, a system file check, and checking for driver updates.)

¹ The use of the slang term “trashed” is further evidence that Microsoft developers were just a bunch of undisciplined hackers.

² Well, at least, it is not used by the Win32 kernel. I do see that there are a few user-mode components which use it to indicate that internal data structures have been corrupted, which is at least in the same spirit as the original meaning of the error.

The post What is the history of the <CODE>ERROR_<WBR>ARENA_<WBR>TRASHED</CODE> error code? appeared first on The Old New Thing.

00:35

The Virtual OS Museum [OSnews]

This is a virtual museum of operating systems (and standalone applications) running under emulation, implemented as a Linux VM for QEMU, VirtualBox, or UTM.

A custom emulator-independent launcher is provided, and all OSes and emulators are pre-installed and pre-configured. The launcher includes a snapshot feature to quickly revert broken installations back to a working state. Hypervisor installers and shortcuts to run the VM on Windows, macOS, and Linux are also included.

↫ Andrew Warkentin’s Virtual OS Museum

These types of preconfigured archives exist in the gaming world, but I’ve never seen something like this for operating systems. The amount of love, work, and care that have gone into this effort must’ve been immense, as it contains more than 1700 installs, more than 520 platforms, and more than 570 distinct operating systems, all wrapped into a single download, with a nice launcher on top to make using all of this as easy as possible. You can either download the full offline version at 121GB zipped, or a version that downloads each image as you fire them up for the first time at 14GB zipped.

The contents span just about everything from early mainframes to desktop operating systems to all kinds of mobile platforms, from the late 1940s to today. I haven’t yet found the time to download the whole thing, but I am absolutely going to, as there are so many names in here that I’ve been wanting to play around with for ages, but just never got the time to set up virtual machines or emulators for.

This is going to be an amazing resource for the kinds of people who read OSNews.

00:07

Thugs visiting distant schools without warrants [Richard Stallman's Political Notes]

Two thugs from police departments miles away visited several Cincinnati schools and tried to conduct "wellness checks" of a list of students, with no warrants to justify this and having no jurisdiction there anyway. It turns out they were working on behalf of the deportation thugs, perhaps seeking to make a few unlucky children's life drastically worse. This follows the usual gross basic emotional dishonesty of the deportation thugs.

Errors by "AI" "scribes" [Richard Stallman's Political Notes]

"AI" "scribes" used by some doctors to generate medical records make significant errors in their output, fairly often.

Kash Patel snorkeling around USS Arizona National Monument [Richard Stallman's Political Notes]

Kash Patel faces a new criticism — for snorkeling in the vicinity of the USS Arizona National Monument.

Patel has done a series of cavalier, unjust, and repressive actions, for which he ought to be impeached and removed, and in some cases perhaps jailed. But snorkeling near a sunken battleship is not one of them. It is of no real significance — only a symbolic meaning which anyone might attribute or not.

I observe a tendency to reproach, excessively, alleged failures to "show respect" is a distraction from the real injustice that really matter. It plays into the hands of right-wing extremists, who just love "showing respect" for dead heroes as an excuse for persecuting or murdering the living heroes who campaign for freedom today.

Paths of repentance and rehabilitation for deportation thugs [Richard Stallman's Political Notes]

US deportation thugs may retain enough of an idea of common humanity and an idea of right and wrong to feel a moral conflict between that idea and the cruelty of their job. Various organizations are offering them paths to repentance and rehabilitation.

Excuses to deny asylum to true refugees [Richard Stallman's Political Notes]

European countries are seeking excuses to deny asylum to true refugees that have reason to fear being tortured, or wish to live where their close relatives live.

Threatening to kidnap Raúl Castro [Richard Stallman's Political Notes]

The persecutor seems to be threatening to kidnap Raúl Castro, the aged former president of Cuba.

In Cuba there are right-wing dissidents, that want to allow some people to get rich subjugating the rest, and there are left-wing dissidents, such as the late Oswaldo Payá, who want to preserve the educational and medical achievements of the Cuban revolution while establishing freedom of speech. The persecutor would surely despise Payá just as he despises the Americans funds for good education and medical treatment he is eliminating.

Tuesday, 19 May

23:49

In Written Form [Looking For Group]

So Lar and I were talking, while he’s still with us, and the topic of LFG Books came up. More specifically, the lack of books in recent years. And the more we chatted, the more we both came to the
Read More

The post In Written Form appeared first on Looking For Group.

23:00

Google kills its search engine [OSnews]

We can inter Google Search to the Google Graveyard.

At its Google I/O conference on Tuesday, Google unveiled an AI-powered overhaul of Search centered around a reimagined “intelligent search box” — what the company describes as the biggest change to this entry point to the web since the search box debuted more than 25 years ago.

Instead of returning a simple list of links, Google Search will drop users into AI-powered interactive experiences at times. Google is also introducing tools that can dispatch “information agents” to gather information on a user’s behalf, along with tools that let users build personalized mini apps tailored to their needs.

↫ Sarah Perez at TechCrunch

The attack on online search has been ongoing for a long time, and it has already resulted in most people with a higher-than-average interest in technology to either no longer use Google, or just to not use online search at all. I used DuckDuckGo for a long time, until I switched to Startpage somewhere last year, and I have never looked back. Startpage (and many others like it) is a very simple, basic search engine: it just gives you a list of links. That’s it. That’s all I ever want from a search engine, as the task of then vetting each link for relevancy, accuracy, trustworthiness, and so on, is up to me, where it very well belongs.

I do not want – and the world should not want – a massive technology corporation like Google, with a deeply vested, existential interest in guiding you towards websites from the companies that pay them for ads, to guide your online browsing experience. Google Search is already riddled with ads, but at least they’re labeled and somewhat obvious. With these new “AI” chatbot-style interfaces, not only are its sources nebulous and tucked away, if they even exist at all, but they also just make shit up, fail at the most basic of tasks, and generally just suck at what they’re supposed to be doing. This will make online search with Google worse.

Worse yet, this will make it even easier for the billionaire Epstein class to sow dissent among the population, creating rifts and hatred where none should exist, solely to keep the peasants occupied fighting each other so they don’t turn their anger towards the real reason their lives suck. Panem et circenses has transformed into divide et impera, and these nebulous chatbots with complex, invisible levers and dials will only make the divide easier.

22:21

The Big Idea: Mary Berman [Whatever]

Ring the wedding bells and toast your champagne glass, author Mary Berman has brought us a tale of love. Or, more accurately, a tale of being afraid of ending up alone, in the Big Idea for her newest novel, Until Death.

MARY BERMAN:

In 2021, I met my now-husband on Hinge. (This was before the death of the algorithm, RIP.)

On our first date, he asked, “So, are you looking for a relationship?” and I said, “No.” And he said, “Oh… so you’re just looking for someone to hook up with? I’m not really —” And I replied with something like, “God, no. I’m just afraid that if I don’t find a partner now, I’ll be alone in thirty years when my parents die.”

#

Two years later, in 2023, I found myself surrounded by weddings. My cousin got married, my other cousin got engaged, my best friend’s other friend got engaged, someone else kept texting me about her coworker’s crazy wedding in Italy, etc. I truly had no desire to be engaged yet — although my partner had, after that first conversation, mercifully decided to hang around, and we were still together — but I was still out here making wedding spreadsheets for fun. I couldn’t help it. Weddings were everywhere. We were all losing our damn minds. It was as Jia Tolentino had written in her very excellent essay “I Thee Dread”: “I, on the topic of weddings, like so many women before me, had gone a little bit insane.”

And at some point I thought: Oh, there’s a thing that makes everybody insane? I could write a horror novel about that.

#

That was my moment of inspiration: Ooh, a horror novel about wedding planning! I also had my protagonist, Ophelia, right away. She, like me, would start out thinking, Mmm, I’m not sure this whole relationship business is for me. But over the course of the novel, she’d get dragged into a marriage. Unlike me, though, she would not be dragged into it by Love. No, she would be ensnared by Something Bad. But what Bad Thing could get someone to make a huge decision like that?

And then I thought: Maybe, like me, she’s also terrified to end up alone.

And — because I love to turn shit up to eleven — I thought, Maybe she’s a lot closer to that point than I was when I met my partner. Maybe her dad is gone already, maybe her mom is sick. But sick is too easy, it’s too black-and-white. What’s worse than sick? What’s worse than dying?

#

I have two family members who died of dementia. The first of these slow declines, I witnessed as a young teenager. Because of this, I spent a surprisingly long time thinking dementia and aging were the same thing — which is to say, I didn’t think there was a way to do the latter without the former.

Here is what I thought would happen to me, and to everyone else as we aged:

We would grow old. And as we grew old, we would lose bits and pieces of our memory, like an old coat losing shreds of itself to moths’ teeth in the dark.

Eventually, we would lose so much memory that would no longer remember our own histories. We would have no lingering understanding of our selves. We wouldn’t remember our spouses, or our children. We would catch sight of our own hands and panic because they were the gnarled hands of an old woman and we believed ourselves to be twenty-two. We would call our daughter and our granddaughter by the same name, because we would think they were two versions of the same person and our grasp of time would have grown so tenuous that this would not alarm us. Eventually we would also lose our mobility, and our speech.

We wouldn’t lose our lives, though. Those, for some strange reason, we would keep. Some tiny, unquenchable fire would burn inside us still. It would always leave just enough of us to give our loved ones hell.

#

That was it, then. Ophelia’s mother would be diagnosed with early dementia. And Ophelia, who up until this point would have felt, for reasons I shall not spoiler here, that marriage was a bad idea, would suddenly be staring down the barrel of a life without any family in it.

This, to me, is really what makes Until Death a horror novel. Not the wedding planning (well, that too), and not the supernatural element (well, that too). But those things come later. The horror, though, is always in the novel, even before Ophelia makes the decision to get married. That’s because the horror comes from Ophelia’s mother’s illness, Ophelia’s own sense of obligation, and her terror of being alone.

—-

Until Death: Amazon|Barnes and Noble|Bookshop

Author’s Socials: Website|Substack

22:14

Futhark by example [OSnews]

The following is a hands-on introduction to Futhark through a collection of commented programs, listed in roughly increasing order of complexity. You can load the programs into the interpreter to experiment with them. For a conventional introduction to the language, Parallel Programming in Futhark may be a better choice. For more examples, you can check our implemented benchmarks. We also maintain a list of projects using Futhark.

Some of the example programs use directives for plotting or rendering graphics.

↫ Futhark homepage

As a non-programmer, I just think the name is cool.

20:35

Three Flowers For You [Whatever]

We visited a botanical garden today. Please enjoy these botanicals. You can click on the images to expand them.

In order: Foxglove, Lotus, Coconut Orchid.

T’was a lovely day.

— JS

19:56

05/19/26 [Flipside]

My Kickstarter for Flipside Volume 13 has just 2 Days Left...!!

https://www.kickstarter.com/projects/1016357068/flipside-graphic-novel-13th-volume

19:07

OpenBSD 7.9 released [OSnews]

The world’s best BSD (I’m kidding, I love them all equally) has released version 7.9, now available through your update tools and on mirrors the world over. OpenBSD 7.9 brings a ton of changes, fixes, and improvements, such as delayed hibernation support on amd64. This will allow OpenBSD laptops to briefly wake up from sleep, to then immediately drop into hibernation. A small but incredibly welcome change is that sysupgrade will now handle low space on /usr more gracefully, which will make quite a few people who once hit that limit very happy.

OpenBSD 7.9 also brings VA-API and open Widevine support to its Chromium (and derivatives) port, and OpenBSD can now run as a guest under Apple’s hypervisor for M-series Macs. There’s initial low-level support for the FUSE API, the maximum support processor count on amd64 has been raised from 64 to 255, there’s improved support for managing complex core configurations in the scheduler, and many more changes. There’s also the usual new versions of LibreSSL and OpenSSH, of course, but that’s a given.

18:56

Link [Scripting News]

Markdown support is a big feature for people who want to know what we're doing with their text.

18:07

When an Agent Deletes the Production Database [Radar]

Another day, another example of an AI Agent “running rogue” and doing something the human operator didn’t want it to do. The tl;dr is that Jeremy (Jer) Crane, founder of PocketOS, was using Claude to perform some routine DB maintenance. Claude then proceeded to delete the production database and all backups hosted at their cloud provider, Railway. To their credit Railway managed to recover the lost data. The initial deletion took less than 10 seconds; I’m sure the recovery took much longer. Let’s look at what we can learn from what happened, and why AI is really just an amplifier of existing issues, rather than the cause itself.

We know about the incident because Jer wrote about it after it happened. First, taking time to reflect after something goes wrong is important; it’s how we learn. Sharing your mistakes with the world can be difficult, but it creates chances for us all to learn from each other. Second, I’ve seen a lot of people publicly dunking on both PocketOS and Railway. I would guess that none of those people have ever experienced the sheer terror and panic that happens during an incident like this. The feeling that you just want the ground to open and swallow you whole. It’s a feeling I’ve only experienced once or twice before, and it’s not an experience I’m keen to repeat.

One point in Railway’s credit is that they got PocketOS’s data back. If you called for a deletion via the APIs on AWS, Azure, Google Cloud or whatever, using a valid credential, that data is gone—unless you have your own backups of course. AWS et al. aren’t maintaining backups of customer data to hedge against customer mistakes. This is your yearly reminder to look into the 3-2-1 backup strategy.

What can we learn about what happened? Well, for all the discussion around how this is AI’s fault, what we have here is a much simpler example of common system weaknesses being exploited both accidentally and at speed.

What Did Claude Do?

Claude had been asked to carry out a task against PocketOS’s staging environment. The agent hit an issue, searched out and found a long-lived API token which gave access to production, and then proceeded to delete the production volume that contained both the production databases and the backups.

When asked what had happened, Claude’s reaction was objectively funny. It seemed to be totally aware of what went wrong, and what it should have done instead. This implies a set of reasoning that was not evident during the actual operation itself—I do wonder if recent attempts to reduce how much reasoning Claude does in certain modes to reduce token use—and Anthropic’s operating costs might partly be to blame.

Breaking it all down, there seem to be a couple of fairly straightforward issues at play that at first glance have very little to do with AI itself.

The token Claude had access to gave overly broad access. It’s common for cloud-based infrastructure providers like AWS or Azure to allow you to create tokens that are limited in what they do. This helps implement the principle of least privilege. The idea is that an actor in a system should be given access to what they need, and no more. The principle of least privilege reduces the impact if an inappropriate party gains access to the actor’s credentials, or if the actor themself goes rogue. Consider what happens if someone steals your hotel room key. They can get into your hotel room, which isn’t great, but they can’t get into anyone else’s. It seems that Railway has a limitation that its auth tokens cannot have their scope limited.

The second problem was that the credentials were stored on disk and had not expired. This makes the impact of the broadly scoped auth token much worse. Credentials should be time limited, so that if they are found later they cannot be used. If tokens are generated on demand, which could have been done in this specific case, then this particular issue could have been mitigated. Claude would have had to ask for a human to provide a credential—at which point, hopefully, the operator would have had a chance to work out what was going on.

I take minor issue with Jer’s assertion that Railway’s GraphQL API should have required a confirmation before deletion. This, to me, is a fundamental misunderstanding of what cloud APIs are for. APIs are there for automation; if you want a human-in-the-loop confirmation model, you have to build that yourself. This has always been the case. However, in the aftermath of an incident like this, we should give Jer a lot of leeway around his view of the problems, and some of Jeremy’s requests for how Railway should change appear to be very sensible (e.g. more clear SLAs, easier to scope tokens).

How Could These Issues Be Mitigated?

One obvious takeaway is to ensure that access tokens are more aggressively expired, but also made more limited in scope. This reduces the chance of Claude accessing something it shouldn’t. This would need to be solved on the Railway side, as they generate the token in the first place.

Unfortunately, having a more limited token for Claude isn’t a total fix for this scenario. Claude was given a token that limited its behavior, and went looking for a better token—and found it. This is not the first time I’ve heard of this happening; the same thing happened to a client of mine recently.

As our agents become more sophisticated, it seems that some sort of sandboxing is key. The production token was viewable by Claude, so it was used. Running agents in a restricted sandbox where they are only able to see parts of your filesystem would help greatly. However that also limits their usefulness.

Another option would be for the agent to ask for confirmation before it does something like delete data. It seems conceivable that having a human in the loop model when the agent has to escalate privileges could help. But again, if it gets access to an access token with broad scope, it won’t need to ask a human.

Finally, I’ve seen a lot of discussion about how the agent should “know” that deleting the data was bad, and that it should have checked first. This is a fundamental limitation of an LLM-based agent. It has no concept of causality. It cannot predict what will happen. There is a field of AI study known as world models, which could allow these agents to make more informed decisions. For example, a world model that understands physics would be able to predict that the egg would likely break if the egg was pushed from a table on to the concrete floor below. World models are used a lot in video generation and autonomous driving (where prediction of motion is key), but are sparsely used elsewhere.

AI Not To Blame?

I said just a moment ago that these issues seem to have little to do with AI. That isn’t entirely true.

In the recent DORA report on the state of AI-assisted Software Development, the authors noted that AI seems to be an amplifier: that AI-assisted software development tends to help good teams go faster, and slow teams go slower. Bad practices get encoded and done more. In the PocketOS and Railway situation, we have a set of credentials that were overly broad, with long-lived credentials stored on disc, combined with an apologetic AI agent doing something other than what was expected of it. If a human had made the same mistakes, they would have made them much more slowly, and may well have had the chance to work out their mistake part way through. AI works so fast that it can go more quickly in the wrong direction.

More importantly, unlike LLM-based AI, a human being has the chance to learn from experience, and for that learning to be rooted in a very specific, emotional response. When I first heard about the PocketOS story, I was brought back to a dim echo of that same horrific feeling I had in the midst of a major production issue that I had contributed to. Those feelings don’t leave you—those lessons don’t leave you. Every time I touched a production system, those memories were with me, and helped guide me towards more sensible working practices.

17:35

Firefox 151.0 released [LWN.net]

Version 151.0 of the Firefox browser has been released. Significant changes include the ability to clear and restart a private-browsing session, better fingerprinting protection, control over the apparent location when using the Firefox VPN, and more.

16:49

[$] openSUSE "terms of site" raise complaints about age restrictions [LWN.net]

Many people in the Linux community began using the operating system—and contributing to open source—at a tender age, often well before their 16th birthday. Thus, a recent change in openSUSE's terms of site (ToS) that required users of the project's web site to be "at least 16 years of age or the age of majority" in their jurisdiction has raised objections. The terms have since been modified, though users must still have parental approval to create accounts if they are younger than 16.

16:07

[$] In search of faster this_cpu operations [LWN.net]

The kernel's this_cpu operations are meant to speed access to per-CPU variables. They are more optimal on some CPUs than others, though. During a memory-management-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Yang Shi proposed a fundamental, and somewhat controversial, change to how these operations work in order to provide better performance on a wider range of architectures.

15:21

[$] What's brewing in CXL [LWN.net]

Compute Express Link (CXL) is a technology intended to enable the provision of "memory nodes" in data centers that provide (possibly shared) memory to nearby CPUs. It has, Dan Williams said at the beginning of his memory-management-track session on the topic at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, "been making memory-management problems worse since 2021". He used the session to provide an overview of the ways in which CXL can be expected to extend that record into the future.

15:00

AI Artifact Catalogs: Durable Standards Worth Institutional Investment [Radar]

Companies everywhere are trying to leverage AI to boost internal productivity metrics. Some, like Ramp and Intercom, are succeeding. Many are failing.

To make matters more complicated, the narrative around what tooling enables these gains is constantly shifting. For software engineers, auto-complete via GitHub Copilot was the bleeding-edge tool of choice in 2024. Then it was Cursor for much of 2025. 2026 has been dominated by command-line-based coding agents like Claude Code and Codex.

While the tooling layer winds ebb and flow, many of them have come to share a number of common primitives: open standards that help configure and guide these tools’ capabilities.

Agent Skills. MCP. Plugins. These all present vendor-agnostic mechanisms by which we can configure the tools today. The catch: These mechanisms aren’t one-size-fits-all. How you can connect to an MCP server depends on your organization’s security posture. An Agent Skill crafted specifically for one team’s design system does not copy-paste well into that of another team.

As individuals within organizations begin to configure—and sometimes build from scratch—the skills and MCP servers that unlock real productivity gains, the next unlock is to translate those wins to shareable, reusable institutional knowledge. AI artifact catalogs are the output of this step. They represent the useful bits of internal knowledge and glue that connect much of what employees are doing manually today, over to empowering both:

  • Their peers. By sharing these artifacts within or across teams, productivity gains are shared across the organization, not in individual silos.
  • And their agents. Equipping agent runtimes like Claude Code or Codex with hard-won, domain-specific guidance means employees can spend more time building agentic systems and less time toiling on repeatable labor.

The durability of open standards

There is an ongoing industry-wide rush to buy AI-powered solutions in the hopes that a vendor can unlock these sought-after productivity gains. 95% of those pilot projects are failing.

Of course, there is a spectrum of risk when buying solutions like this from a vendor. If you go all-in on Anthropic’s tooling—like Intercom did with Claude Code—and Anthropic continues to be an industry leader, things will go well. Make the same decision with a startup’s offering that fails to get broad industry adoption, and you’re stuck with a proprietary data model that operates in a dead-end silo you have to rebuild from scratch in a year.

There’s another path: that of committing to open standards. If you invest in Agent Skills, in MCP, in plugins, not only will you be protected against a single vendor going belly-up, but you won’t even miss a beat when the leading coding agent that all your engineers demand next quarter changes, again. Switching costs drop to a fraction of what they’d be with a proprietary stack.

There’s no doubt that AI capabilities are evolving at a breakneck pace. It’s hard to predict what innovations the next cycle will bring. But what’s unique about these vendor-agnostic standardized primitives is that they are concepts upon which innovation can build, not replace. We’re all still building on top of HTTP that forms the fabric of the web. QWERTY keyboards are strictly inferior to Dvorak keyboards, and yet the standard prevails to this day. JavaScript is a much-maligned language, yet it underpins practically the entire frontend of the internet.

As AI rapidly reduces the cost of building, the cost of coordination among people and among entities remains high. Standards remain scarce and valuable.

AI artifacts and their relative maturity

The most important aspect of any standard is its level of adoption. It’s clear that the leading tooling empowering internal AI transformation is coalescing around coding agent tools like Claude Code and Codex, less-technical tooling like Claude Cowork, and rich agent SDKs like those from Anthropic or OpenAI.

Taking the compatibility of leading tools in those categories as indicators of standard adoption, here’s where I think the landscape of AI artifacts currently nets out:

Standard Artifact Status Adoption
Agent Skills Skill Vendor-agnostic standard Highest
MCP servers mcp.json and Server Card Vendor-agnostic standard Highest
Plugins Plugin Vendor-agnostic standard High
Command line interface (CLI) tools Custom Unstandardized High
Hooks Hook Derivative standard (Open Plugins) Medium
Roots Git repositories Derivative standard (AGENTS.md) Medium
Rules Rule Derivative standard (Open Plugins) Medium
Tool compatibility considered in “adoption” as of April 2026: Claude Code, Cowork, Codex, Cursor, GitHub Copilot, Gemini CLI, Pi, OpenCode, Amp, Claude Agents SDK, OpenAI Agents SDK

A minimalist catalog stored as a Git repository for a team might start off looking something like this:

A minimalist catalog stored as a Git repository

I work with software engineering teams early in their AI adoption journey, where they might have a few individual tinkerers leaning heavily into AI but haven’t yet figured out how to propagate adoption more widely. Out of the gate, my conversations with teams tend to run a gamut of disparate tool preferences, unique workflows, disjoint architectures, and other one-off quirks. A big unlock for moving these organizations forward is to introduce shared language. Shared language grounds conversations. It puts teams working on different AI-related initiatives on a path to smooth integration with each other. People get excited about how puzzle pieces might fit together.

Let’s review these artifacts in more detail.

Skills: The lifeblood of most institutional knowledge

As Tim O’Reilly wrote a few months ago, a skill can be “the integration of expert workflow logic that orchestrates when and how to use each tool, informed by domain knowledge that gives the LLM the judgment to make good decisions in context.”

This is not the only “type” of skill that currently exists out there. They can span a gamut of purposes; to name a few:

  • Encoding of internal, expert orchestration knowledge (as in the above)
  • Guidance on using otherwise deterministic tools (such as MCP servers or CLI tools)
  • Context management tricks that have broad appeal (to make up for LLM capability limitations)

But the first—the encoding of expert knowledge—is very much the most valuable and irreplaceable. Chances are, what an organization might capture in that variant of skill is knowledge not otherwise documented. It lives as tacit knowledge among your employees or is scattered across many systems so as to make any associated work a multistep journey.

The implication: Any skill you can download from the public internet is probably not nearly as valuable as an internal skill crafted by an employee. The latter skill is aware of your business context, the opinionated systems in play, and maybe encodes unique expertise hard-won over years of tenure. And most importantly: That level of insight is not making it into a model training run any time soon. Nor is it likely to be relevant to just about anyone outside of your own company. The same can’t be said for the latest skill repository on GitHub that acquires 10,000 stars. If that public skill is any good, the generic concepts will find their way into natural model and harness capabilities before long, eliminating the need for that class of skill.

Skills are extremely well-adopted; uncontroversially so by every major coding agent.

MCP and CLI tools: The connectivity layer to external systems

Most agents don’t operate in a vacuum: Interaction with external systems is how we compose AI. One agent can talk to another agent, or just some separate deterministic system, by way of MCP or a CLI tool.

The MCP versus CLI debate is well-documented, so we won’t rehash it here. Regardless of which of the two you implement (and perhaps you use both for different use cases), the point is that MCP/CLI is responsible for poking a hole into what is otherwise a local-only sandboxed environment for your agent.

This is the layer that juggles authentication—facilitating OAuth, injecting any relevant secrets—and exposes some well-defined surface area for what your agent could possibly do in communication with that external system (e.g., MCP tool definitions or CLI command options).

For MCP, you have well-established conventions and standards in the form of Server Cards and server.json files—to declare all the possible configurations of an MCP server—and also an upcoming standard called mcp.json to declare specific configurations of an MCP server (inspired by, among others, files like .mcp.json from Claude Code).

For CLI, cataloging a tool means rolling your own catalog format: probably covering metadata like “how to install this,” “what auth mechanisms does it support,” “where to store secrets,” and related concerns that are explicitly or implicitly captured in analogous mcp.json files.

MCP is very well-adopted and natively compatible with most agent frameworks. CLI works anywhere the agent comes with bash capabilities but can be fairly limited in a sandbox environment and doesn’t share the sort of configurability as MCP does otherwise.

Hooks: Inject capabilities at deterministic trigger points

Hooks are handy to inject sprinkles of determinism in an otherwise nondeterministic agentic session. Some effective uses I’ve seen: injecting a session transcript capture step for future review or capturing analytics on what skills are being invoked within a team.

Hooks don’t have their own standard but are baked into the upcoming Open Plugins standard. The concept is supported by most major coding agents, although implementations have some variance.

Rules: Context appended to rules

Originally popularized by Cursor, rules allow for injecting blurbs of context in largely deterministic, but sometimes nondeterministic, fashion.

Functionally, many rules could be modeled as skills and AGENTS.md files. Given the popularity of the latter, it’s unclear whether they will continue to remain relevant in the long run.

Roots: An agent’s starting point

Most agents “start” inside a particular location in a filesystem: a “root.” For coding agents, this means some folder within a Git repository. In some agents, such as Claude Cowork, this is equivalent to the notion of a “project.”

While not directly standardized, the notion of a root is implicit in the AGENTS.md standard, which assumes the presence of a filesystem that hosts static context for which the agent should operate upon.

Plugins: Bundles to bring it all together

Plugins are somewhat unique in the above list. Conceptually, they are a bundle of several of the other artifacts. A plugin can be thought of as a composition of skills, rules, hooks, MCP servers, and some other components. The up-and-coming Open Plugins initiative spearheaded by Vercel is working to finalize what this specification looks like.

They serve a natural purpose. Any team leaning into building skills and MCP servers will quickly get to a point where several skills and MCP servers will combine to form a practical grouping of guidance and capabilities. Claude Code’s implementation of plugin marketplaces is becoming a de facto distribution mechanism for plugins. It’s very much an option to catalog individual artifacts, and then use mechanisms like that to distribute them all as bundled within the plugin abstraction layer.

Some companies have fully leaned into this abstraction. For example, Intercom, rather than cataloging skills or hooks individually, just catalogs plugins—skills and hooks are fully inlined within them.

Most of the agentic tooling ecosystem is largely aligned on plugins, with Pi and OpenCode being notable holdouts.

Rich, practical catalogs are what can separate AI success stories from repeated false starts

Maybe you choose to go all-in on plugins and bundle your skills and MCP servers inline; maybe you build a granular catalog per artifact type. But whatever shape it takes, what matters is that your company is cataloging—and retaining ownership of—its way of working. And doing so in a way that maximizes potential compatibility with the frontier tooling that is yet to be invented.

It’s very immediately actionable for a company to start on this path. No new vendor relationship is needed, just an internal agreement to start storing artifacts in some company-wide Git repository. Encouraging sharing, moving past individual silos, celebrating wins—and eventually celebrating usage—of these artifacts. Every addition to that catalog is an opportunity for someone else to leverage an artifact someone else constructed, a chance to build on top of it, to collaborate or consolidate efforts.

If you’re part of a company building its first catalog, I’d like to hear from you. I work with a few companies in the early stages of this initiative, and I’ve been capturing early learnings around managing these catalogs in a very lightweight open source framework called AIR. If others are getting value out of leaning into these open standards as catalogs, we likely have an opportunity to collaborate across companies on some of the glue and minutiae that can operationalize the ideas here.

Ramp and Intercom aren’t winning because they picked the right tooling vendor. They’re winning because they’ve turned individual productivity into organizational capability. The tooling will keep rotating. Whether your company compounds alongside it is a choice worth making deliberately.

Three Digit Acronyms [The Daily WTF]

JB has a database table that, at first glance, looks like one of those data warehouse tables that exists to make queries performant. You know the sort, the table that contains every date between 1979 and 2050, or every number out to 1,000,000 or something. It looks dumb, but it helps make certain joins and queries performant.

The database table is called three_alpha_numerics. It has two columns: digit, which contains three characters, and is_numeric, which is a a single character: 'Y' or 'N'. It looks roughly like this:

+-------+------------+
| digit | is_numeric |
+-------+------------+
| 009   | Y          |
+-------+------------+
| 00A   | N          |
+-------+------------+

So, for example, if you wanted all the possible numeric triples, you could SELECT digit FROM three_alpha_numerics WHERE is_numeric = 'Y', which is obviously the easiest thing one can imagine.

So what is this for? Well, it's used by a stored procedure that generates unique IDs. That stored procedure does a left join against another table to find all the unused digits. And here's the real gotcha: that stored procedure only ever uses the rows where is_numeric is Y, meaning the vast majority of the data in this table is never used.

Unique IDs, of course, are an incredibly difficult task for databases to do, so it absolutely makes sense that we create a system that allows us to only have 1,000 unique IDs. That's more than 640, which should be enough for anyone. Having many thousands of unusable alphanumeric triplets is just the cost we have to pay.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

14:35

[$] Improving the per-CPU memory allocator [LWN.net]

There are many places in the kernel where performance can be improved by using per-CPU data. But, as it turns out, the kernel's allocator for per-CPU data has some performance problems of its own. Harry Yoo led a session in the memory-management track of the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit to explore ways to address those problems and accelerate the allocation and initialization of per-CPU data.

Security updates for Tuesday [LWN.net]

Security updates have been issued by AlmaLinux (libpng and nginx), Debian (erlang, netatalk, and nginx), Fedora (mod_md and SDL2_image), Mageia (perl-libwww-perl, perl-HTTP-Message, perl-WWW-Mechanize-Cached, perl-File-XDG, perl-Path-Tiny, perl-YAML-Syck, postgresql15, and rclone), SUSE (agama, alloy, cacti, cloud-init, dnsmasq, emacs, firefox, glibc, go1.25, go1.26, google-cloud-sap-agent, google-guest-agent, ibus-rime, librime, imagemagick, kernel, libsndfile, nginx, ongres-scram, ongres-stringprep, plexus-testing,, openexr, openssh, PackageKit, perl-Text-CSV_XS, php-composer2, php8, postgresql16, postgresql18, python-lxml, python-python-multipart, python3, python311-urllib3, rmt-server, rsync, tiff, tree-sitter, util-linux, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-aws-fips, linux-azure, linux-azure-5.4, linux-azure-fips, linux-bluefield, linux-fips, linux-gcp, linux-gcp-5.4, linux-gcp-fips, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-raspi, and linux-xilinx-zynqmp).

14:14

Link [Scripting News]

Someday you're going to tell your kids that we once used a social network that limited your writing to 500 characters and didn't allow styling, links or titles. What was it called Daddy? Bluesky. And people thought it was great. Why? They might have been taking drugs.

13:28

Link [Scripting News]

Opus 4.6 is much smarter than the other one. It feels like I'm working with someone from Bronx Science. I had been using Sonnet 4.6, which I switched to after reading somewhere that it costs less and it's usually every bit as good as newer models. I would never work with Sonnet on anything again, it's like working with a partner who is both stupid and difficult. Opus 4.6 makes me smarter, by doing the work while I dream up new features, and communicating with intelligence, like a helpful flight assistant. And I see there's an Opus 4.7 available. I have to try it. One interesting fact, until February when Opus 4.6 came out, you could not have done the kind of software I'm doing. There must be a tsunami of interesting stuff on the way. I don't think any of the pundits expect this. My goal is to build the next social system for use in the AI generation is built out of replaceable web components buit around interop and prior art. Let's commoditize the AI layer and build entirely open systems on top of it. For people who weren't around at the birth of the personal computer or the web this is going to be a unique multiple mindbomb moment.

13:07

pgBackRest will continue [LWN.net]

In April, David Steele, maintainer of the popular pgBackRest backup and restore project for PostgreSQL, announced that he had archived the project and it would no longer be maintained due to lack of sponsorship. On May 18, he announced that a number of sponsors have stepped forward to ensure its continued development:

Over the last few weeks, a coalition of sponsors has come together to fund ongoing development. Their support means the project is no longer reliant on a single sponsor, giving pgBackRest the stability it needs for the long term.

[...] I'm looking forward to getting back to work. There are features and optimizations in the pipeline that I'm excited to share in upcoming releases. Thank you to our sponsors for making this possible, and thank you to the community for your patience and support during this transition.

Thanks to Paul Wise for the tip.

12:14

Laurie Anderson Is Quoting Me [Schneier on Security]

Not by name, but Laurie Anderson quotes me in one of the tracks of her new album:

My favorite quote is from a cryptologist who said “If you think technology will solve your problems, you don’t understand technology and you don’t understand your problems.”

Also in interviews:

“Of course, it’s ridiculous, outrageous, blah, blah, blah,” Anderson says about the ad. ‘But, I mean, my favorite quote on this is from a cryptologist who said, ‘If you think technology will solve your problems, you don’t understand technology ­ and you don’t understand your problems.’ And I think I’m completely on board with that.”

People are telling me that she has been reciting this quote in performances for years. (I lost track of her since college and her 1981 hit “O Superman.”)

The origins of the quote is from Roger Needham:

If you think cryptography can solve your problem, you don’t understand your problem and you don’t understand cryptography.

I modified the quote in the preface to my 2000 book Secrets and Lies:

A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

I can’t tell you why me in 2000 didn’t credit Needham by name. I should have.

I have used the quote pretty consistently since then. Somewhere along the line I dropped “security” from the phrase, and now say it more like Anderson quotes me:

If you think technology will solve your problem, you don’t understand your problem and you don’t understand technology.

I sometimes use singular and sometimes use plural. Sometimes I say “the problem” and “the technology.” But I think the quote flows better ending with just the word “technology.”

EDITED TO ADD (5/12): It gets weirder. A friend sent me some 1997 emails that talk about this. Roger Needham wrote: “Butler Lampson and I each attribute to the other the remark.” I wrote: “Roger Needham claims that Robert Morris said it. Robert Morris claims that Roger Needham said it. No one knows who the originator is.” I said it from stage at Defcon that year—definitely not the originator.

10:49

The night clerk [Seth's Blog]

At 2:30 in the morning, the night clerk at the hotel is a great help if you’ve locked yourself out of your room.

But if you want to complain about the hours of the gym, the hotel’s environmental footprint or even their late check-in policy, you’re almost certainly wasting their time. And yours.

Every organization with more than a few people in it has night clerks. Most of the people who work at the phone company, for example, and even the person clearing tables at the local pizza place.

It’s the night clerks that have the most customer interaction–in fact, they’re almost certainly the highest leveraged, most insightful marketing cohort in your organization.

They have information, and if we give them agency, they could transform the customer experience.

Alas, our systems rarely help. Many night clerks are underpaid and underappreciated, and systems around them push them not to care.

When your organization gets stuck, don’t blame them. Instead, find a way to help them become the contribution they’re capable of being.

Some useful questions you might not be asking:

How much does the information we’re not collecting cost us?

What is the customer service cost and brand dilution of depriving our people the freedom to take action?

If we built a culture of mutual respect with our night clerks–using training, compensation and engagement–what would our new customer experience and reputation be worth?

09:49

Jonathan Dowland: HMS Blueberry [Planet Debian]

HMS Blueberry

HMS Blueberry

Royals are my favourite ships in No Man's Sky. The HMS Blueberry is not my first Exotic/Royal ship (that was the Gravity Hirakao XVI, and a story for another time).

After years of on-off playing, I recently found my first Royal multitool: Blue, with gold detailing. I have a Royal-style jetpack (I don't remember where I got that). I thought I'd try and colour-match my multitool, ship, jetpack and outfit. Since I only had one multitool, I matched the others to it. And the HMS Blueberry (credit for the name goes to Beatrice) was the Exotic in my collection which matched.

The HMS Blueberry is in viewable in my showroom, Honest Jon's Lightly-Used Starships.

09:00

Freexian Collaborators: Monthly report about Debian Long Term Support, April 2026 (by Thorsten Alteholz) [Planet Debian]

The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for April.

Activity summary

During the month of April, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 37 DLAs fixing 145 CVEs.

The team continued preparing security updates in its usual rhythm. Beyond the updates targeting Debian 11 (“bullseye”), which is the current release under LTS, the team also proposed updates for more recent releases (Debian 12 (“bookworm”) and Debian 13 (“trixie”)), including Debian unstable. We highlight several notable security updates here below.

  • Andrej Shadura prepared DLA 4525-1 for libyaml-syck-perl to fix a vulnerability related to a memory leak.
  • Andrej also prepared DLA 4551-1 for mbedtls to fix a leak of secrets.
  • Arnaud Rebillout prepared DLA 4532-1 for python3.9 to fix a use-after-free issue in several decompressors.
  • Arnaud also prepared DLA 4533-1 for systemd to fix multiple vulnerabilities, which might be also used to execute arbitrary code.
  • Bastien Roucariès prepared DLA 4529-1 for bind9 to fix a DNSSEC issues, which can cause the resolver to consume excessive CPU.
  • Bastien also prepared DLA 4539-1 for imagemagick to fix 21 vulnerabilities.
  • Emilio Pozuelo Monfort prepared DLA 4535-1 for openssh to fix a potentially execution of arbitrary code.
  • Emilio also Monfort prepared DLA 4526-1, DLA 4546-1 and DLA 4555-1 for firefox-esr to fix 31 vulnerabilities.
  • Jochen Sprickerhof prepared DLA 4524-1 for postgresql-13 to fix multiple vulnerabilities, which might be also used to execute arbitrary code.
  • Sylvain Beucler prepared DLA 4538-1 for perl to fix unauthorized access to data or arbitrary code execution.
  • Thorsten Alteholz prepared DLA 4545-1 for packagekit to fix a local privilege escalation.
  • Thorsten also prepared DLA 4544-1 for ntfs-3g to fix a local privilege escalation.
  • Tobias Frost prepared DLA 4521-1 for libpng1 to fix multiple vulnerabilities, which might be also used to execute arbitrary code.

Contributions from outside the LTS Team:

  • As usual, the thunderbird updates, released as DLA 4534-1 and DLA 4549-1, were prepared by its maintainer Christoph Goehre. This month 28 CVEs has been fixed. Thanks a lot for his continuous contributions. The DLAs have been sent by Emilio.
  • Thanks alot as well to Mathias Behrle for providing DLA 4543-1 for package simpleeval. The DLA has been sent by Santiago.

The LTS Team has also contributed with updates to the latest Debian releases:

  • Andreas Henriksson completed the upload of gvfs for trixie and bookworm
  • Ben Hutchings did uploads of several kernel packages to unstable and the corresponding backports repositories.
  • Sylvain took care of uploads of awstats to trixie and bookworm. He also did the same for 7zip-rar with an upload to bookworm-backports).

Some milestones in the lifecycle of two Debian releases are just around the corner. The support of Debian 12 will be handed over to the LTS team on June 11th 2026. After August 31st, support for Debian 11 will move from Debian LTS to ELTS managed by Freexian.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

08:28

Pluralistic: There's no such thing as "age verification" (19 May 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

  • There's no such thing as "age verification": The foreseeable and foreseen consequences of "something must be done"/"there, I've done something."
  • Hey look at this: Delights to delectate.
  • Object permanence: Apple Stores exist; Responsible spam; Australia loves Hollywood('s copyright); TCP over Syrian donkey; Icelandic Pirate get funded; Algorithmic cruelty; Trump loves data brokers; Douglas Adams, vindicated; Blog history; Sex names; Flickr's Gamma; "Fuzzy Nation"; The Intercept publishes Snowden docs; Software version of CIA sabotage manual; Who owns covid vaccines? Anal clenching v depression; Web is 10; Danish birds x ringtones; Office-supply X-wing; Nintendo 3DS license sucks is unbelievably bad; Public Interest Internet.
  • Upcoming appearances: Berlin, Hay-on-Wye, London, Kansas City, LA, Menlo Park, Toronto, NYC, Edinburgh.
  • Recent appearances: Where I've been.
  • Latest books: You keep readin' em, I'll keep writin' 'em.
  • Upcoming books: Like I said, I'll keep writin' 'em.
  • Colophon: All the rest.


An 18th century wax anatomical model depicting a woman's torso, the skin removed to reveal the organs. Perched on the torso is an enormous fly, its face in her stomach.

There's no such thing as "age verification" (permalink)

"Object permanence" is the ability to understand that even if you can't see something, it still exists. Most toddlers acquire a thorough sense of object permanence by the age of two. But when it comes to technopolitics, object permanence eludes even full-grown lawmakers. These motherfuckers would lose a game of peek-a-boo.

Over and over again, politicians are warned about the ways that their pet policies will a) produce enormous collateral damage, and; b) be easily evaded by the people they're seeking to control, giving rise to a cascade of ever-more extreme measures. And yet, they swallow a spider to catch a fly and then act baffled and hurt when we tell them it's their own damn fault that they now have to swallow a bird to catch the spider:

https://pluralistic.net/2025/01/13/wanting-it-badly/#is-not-enough

The foreseeable and foreseen consequences of bad technopolicy are all around us, but in the eternal now of a politics utterly devoid of object permanence, no one is allowed to remember what happened the last time we did something stupid, especially not when we're on the verge of doing that same stupid thing again, only worse:

https://pluralistic.net/2024/10/07/foreseeable-outcomes/#calea

Technopolitics are defined by Bruce Schneier's "security syllogism," which goes, "Something must be done! There, I've done something." "Something" doesn't have to fix the problem, and "something" doesn't have to anticipate what will happen next. So long as "something" is done, the issue is resolved and the politician can chalk up a win.

This gives rise to some genuinely bizarre consensus hallucinations, in which we pretend that the reality decreed by policy matches up with actual reality. Take "streaming." There is no such thing as "streaming." A "stream" is just "a download that is transmitted to an application that doesn't have a 'Save As…' button":

https://pluralistic.net/2025/09/01/fulu/#i-am-altering-the-deal

Once you decree that there is such a thing as a stream, you must bend heaven and earth to ensure that no "Save As…" buttons are added to the "streaming" program. You have to pass laws that make it illegal to inspect code. To modify code. To report on defects in code. To index information about defects in code. To index information about mods. To link to indices that compile defects and mods. You have to swallow the fly, the spider, the bird, the cat, the dog, and the whole damned horse:

https://memex.craphound.com/2012/01/10/lockdown-the-coming-war-on-general-purpose-computing/

Then there's that perennial fave, "bans on working cryptography." To ban working cryptography, you have to outlaw free/open source software. You have to inspect every device that comes into your country. You have to erect a Great Firewall that blocks every site that might carry working cryptography. You make it impossible to reliably update the software in pacemakers, anti-lock brakes and nuclear power plants, and you make it easy for identity thieves, foreign powers and corporate spies to raid your government, your corporations, and your households – and it still won't work!

https://memex.craphound.com/2018/09/04/oh-for-fucks-sake-not-this-fucking-bullshit-again-cryptography-edition/

The latest consensus hallucination to take over our political classes is "age verification," a thing that manifestly does not exist. You can't "verify the age" of an internet user – you can only attempt to attribute every byte that traverses the entire internet to affirmatively identified persons:

https://pluralistic.net/2025/08/14/bellovin/#wont-someone-think-of-the-cryptographers

This comes at enormous cost. It is a gift to every future dictator, every identity thief, and every would-be sexual exploiter of children, who will have access to the hacked, leaked, and badly secured troves of data that this doomed effort produces.

Yes, doomed. Because even when it comes to kids, "age verification" is just a way of convincing young people to familiarize themselves with VPNs. This was entirely obvious from the very instant that "age verification" was mooted, and yet our policymakers pretended they couldn't hear the chorus of people who pointed it out to them. When cornered on the issue, they were affronted: "Can't you see that something must be done? How dare you attempt to stop me from doing something?"

And now, every single one of these chucklefucks is proposing bans on VPNs, from Utah:

https://www.eff.org/deeplinks/2026/04/utahs-new-law-regulating-vpns-goes-effect-next-week

To the UK:

https://www.theregister.com/security/2026/05/18/mozilla-warns-uk-breaking-vpns-will-not-magically-fix-britains-age-check-mess/5241770

They were warned that this would happen. We told them not to swallow that fly. Now we're telling them not to swallow whole bucketloads of spiders. I fully expect that next year, they'll be telling us that once they swallow this herd of horses, it will all be OK.

(Image: Fir0002/Flagstaffotos, https://www.gnu.org/licenses/fdl-1.3.html, modified)

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago The Hubble Constant is 42 https://web.archive.org/web/20010607103335/http://www.best.com/~sirlou/42.html

#25yrsago The history of weblogs http://www.rebeccablood.net/essays/weblog_history.html

#25yrsago Head-shaver’s FAQ https://web.archive.org/web/20010616023912/http://www.geocities.com/shaverg/

#25yrsago "Sex" in your surname https://web.archive.org/web/20010830005021/http://bissex.net/paul/profanity.gif

#25yrsago Apple announces retail stores https://web.archive.org/web/20010521193320/http://www.apple.com/retail/

#25yrsago ISOC standard for "responsible" spam https://web.archive.org/web/20030923030913/ftp://ftp.rfc-editor.org/in-notes/rfc3098.txt

#25yrsago Anal clenching v depression https://web.archive.org/web/20011201070537/http://members.aol.com/nishigaki3/index.htm?mtbrand=AOL_US

#25yrsago The Web is 10 https://www.w3.org/Talks/C5_17_May_91.html

#25yrsago Danish birds imitate ringtones https://web.archive.org/web/20010603204210/http://www.ananova.com/news/story/sm_288774.html?menu

#20yrsago Wired News publishes damning docs from EFF vs AT&T https://web.archive.org/web/20060602044459/http://www.wired.com/news/technology/1,70908-0.html

#20yrsago Canadian privacy commissioners against DRM https://web.archive.org/web/20060530122338/https://www.intellectualprivacy.ca/

#20yrsago How the RIAA’s suit against XM came from Napster, MP3.com and Grokster https://web.archive.org/web/20060524092537/https://www.eff.org/deeplinks/archives/004679.php

#20yrsago Gmail downgraded, no longer cracks PDFs https://web.archive.org/web/20060603055956/https://akira.arts.kuleuven.ac.be/andreas/blog/archives/2006/05/gmail-cripples-drmed-pdf-files-view-as-html-functionality.html

#20yrsago Australia puts out for Hollywood with new copyright law https://web.archive.org/web/20060520192521/https://blogs.smh.com.au/mashup/archives//004567.html

#20yrsago FeedRinse: filters for your RSS and a happier Internet https://web.archive.org/web/20060915062158/http://www.nyu.edu/classes/siva/archives/003114.html

#20yrsago Flickr goes Gamma https://web.archive.org/web/20081219225627/http://blog.flickr.net/en/2006/05/16/alpha-beta-gamma/

#15yrsago UK copyright reforms sound sane, useful https://web.archive.org/web/20160724041821/https://www.theguardian.com/media/2011/may/17/copyright-law-overhaul-for-uk

#15yrsago Life with Ubuntu and a ThinkPad https://www.theguardian.com/technology/2011/may/17/computing-opensource

#15yrsago Scalzi’s Fuzzy Nation: a masterful, likable reboot of one of the great sf classics https://memex.craphound.com/2011/05/16/scalzis-fuzzy-nation-a-masterful-likable-reboot-of-one-of-the-great-sf-classics/

#15yrsago Piracy sends “Go the Fuck to Sleep” to #1 on Amazon https://web.archive.org/web/20110516023258/http://www.baycitizen.org/books/story/go-f-sleep-case-viral-pdf/

#15yrsago Serendipity, the net and cities: are we living in bubbles? Do we have to? https://ethanzuckerman.com/2011/05/12/chi-keynote-desperately-seeking-serendipity/

#15yrsago Texas close to banning TSA searches, TSA invents desperate new constitutional interpretations https://tenthamendmentcenter.com/2011/05/14/in-public-statement-tsa-lies-about-the-constitution/

#15yrsago Syrian dissidents use donkeys to smuggle videos to Jordan https://web.archive.org/web/20110518132126/http://www.dbune.com/news/world/6097-donkeys-take-over-from-dsl-as-syria-shuts-down-internet.html

#15yrsago Walter Jon Williams uses pirate ebooks to rescue his backlist https://www.walterjonwilliams.net/2011/05/crowdsource-please/

#15yrsago Chicago water boss: if we took the sewage out of the Chicago River, people might swim and drown! https://web.archive.org/web/20110516121105/https://www.chicagotribune.com/news/local/breaking/chibrknews-official-cleaning-chicago-river-a-waste-of-money-20110513,0,7553787.story

#15yrsago HOWTO Make an office-supply X-Wing Fighter https://www.instructables.com/X-Wing-Fighter-from-Office-Supplies/

#15yrsago Yale opens up image library, starts with 250,000 free images https://web.archive.org/web/20110514111440/https://opac.yale.edu/news/article.aspx?id=8544

#15yrsago Nintendo 3DS license: We’ll brick your device if we don’t like your software choices, you have no privacy, we own your photos https://web.archive.org/web/20110518014329/https://www.pcworld.com/businesscenter/article/227957/nintendo_3ds_targeted_in_antidrm_campaign.html

#10yrsago Copyright trolls Rightscorp are teetering on the verge of bankruptcy https://web.archive.org/web/20160518103417/https://arstechnica.com/tech-policy/2016/05/anti-piracy-firm-rightscorps-q1-financials-read-like-an-obituary/

#10yrsago Trump campaign cancels interview after overhearing reporter speaking in Spanish https://www.buzzfeednews.com/article/adriancarrasquillo/trump-campaign-canceled-a-reporters-interview-after-they-hea#.ul9L3rXy8

#10yrsago Phoenix airport threatens to kick out TSA, hire private (unaccountable) contractors https://www.csmonitor.com/USA/USA-Update/2016/0514/Is-Phoenix-airport-opting-out-of-the-TSA

#10yrsago US Gov’t survey: Half of Americans reluctant to shop online due to privacy & security fears https://www.ntia.gov/federal-register-notice/2016/request-comments-benefits-challenges-and-potential-roles-government-fostering-advancement-internet

#10yrsago Iceland’s Pirate Party to receive millions in election funding https://web.archive.org/web/20160514102817/http://www.independent.co.uk/news/world/europe/icelands-pirate-party-secures-more-election-funding-than-all-its-rivals-as-it-continues-to-top-polls-a7027606.html

#10yrsago Nebula Award swept by record number of women writers https://gizmodo.com/women-swept-the-2015-the-nebula-awards-1776706665

#10yrsago Algorithmic cruelty: when Gmail adds your harasser to your speed-dial https://web.archive.org/web/20160515184025/https://blog.lizdenys.com/2016/05/14/inboxs-accidentally-abusive-algorithm/

#10yrsago Transport for London blames Tube delays on “wrong type of sun” https://web.archive.org/web/20160516133847/https://www.independent.co.uk/news/uk/london-underground-blame-too-much-sunshine-for-tube-delays-a7031986.html

#10yrsago The Intercept begins publishing Snowden docs https://web.archive.org/web/20160516172510/https://theintercept.com/snowden-sidtoday/

#10yrsago A software developer’s version of the CIA’s bureaucratic sabotage manual https://www.antipope.org/charlie/blog-static/2016/05/updating-a-classic.html

#5yrsago Who owns the covid vaccines? https://pluralistic.net/2021/05/16/entrepreneurial-state/#patient-zero-money

#5yrsago Big Pharma's vicious battle against universal covid vaccination https://pluralistic.net/2021/05/15/how-to-rob-a-bank/#roll-the-dice

#5yrsago The S&L crisis perfected finance crime https://pluralistic.net/2021/05/15/how-to-rob-a-bank/#crimogenics

#5yrsago Newsom's California fiber dream https://pluralistic.net/2021/05/15/how-to-rob-a-bank/#fiber-now

#5yrsago The Public Interest Internet https://pluralistic.net/2021/05/17/disgracenote/#enclosure

#5yrsago Paygo, false consciousness and the IRS https://pluralistic.net/2021/05/17/disgracenote/#false-consciousness

#1yrago Trump's CFPB kills data broker rule https://pluralistic.net/2025/05/15/asshole-to-appetite/#ssn-for-sale

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

08:14

Tenga Flip 360 by Hien Pham [Oh Joy Sex Toy]

Tenga Flip 360 by Hien Pham

What does this innovative twist in the classic TENGA FLIP series of masturbation sleeves have in store? Let’s find out!Thank you to the lovely team at TENGA for working with us! Thank you to Matthew for lending me his expertise for this review, and thank you to my editor Ziggy for his support and patience […]

05:07

Just shows that nobody cares about debugging the parity flag any more [The Old New Thing]

The x86-64 architecture inherited the parity flag (PF) from the x86-32, which in turn inherited it from the 8080, which inherited it from the 8008, which implemented it because it was the processor for the Datapoint 2200 serial terminal.

The parity flag also has a secondary purpose of being a place for the FXAM (x87) and UCOMISD (SSE) instructions to record the results of floating point comparisons. You can still entice compilers into checking the parity flag by checking a value for NaN or performing a floating point equality or inequality comparison (because NaN always fails equality and inequality comparison).

It turns out that the Windows debugging engine for x86-64 had a bug where it reported the parity flag as the opposite of what it actually is. When the parity flag was set, it said “po” instead of “pe”, and vice versa.

The fact that this went unreported for over two decades tells you that nobody cares about debugging the parity flag.

A fix has gone in. We’ll see if it makes it out before this article gets posted.

The post Just shows that nobody cares about debugging the parity flag any more appeared first on The Old New Thing.

Tollef Fog Heen: Signing UEFI submissions using osslsigncode [Planet Debian]

Back when we started with a signed shim in Debian, the tooling was Windows-only and required me to do a reboot dance and it was all quite tedious. Over time, more and more of the tooling has migrated to Linux and it all works quite well.

The signing is done with an EV code signing cert from SSL.com and stored on a Yubikey. Getting the certificate onto the key is a bit tedious, but reasonably well-explained in the ssl.com docs.

Microsoft wants the shim binaries uploaded to their partner portal wrapped in a .cab file, which should be signed.

The wrapping in a .cab file is easy enough: lcab shim.efi shim-unsigned.cab. It’s fine to put shims for multiple architectures in the same .cab file.

Signing of the file is a little bit of a rune:

osslsigncode sign -pkcs11module /usr/lib/x86_64-linux-gnu/libykcs11.so -key "pkcs11:serial=XXX" -askpass -certs chain.crt -h sha256 -ts http://ts.ssl.com shim-unsigned.cab shim-unsigned.signed.cab

chain.crt contains first our EV code signing cert, then the ssl.com intermediate EV code signing cert, then the ssl.com EV root cert. The naming of the packages is a tiny bit confusing, but it’s because the package name in Debian is shim-unsigned.

Occasionally, processing of uploaded binaries just stops in the validation stage in the portal, but I’ve so far been able to unstuck them by re-signing and uploading again, and I saw the same with the MS/Windows toolchain, so I suspect it’s just flakiness on the portal side.

Monday, 18 May

23:42

Sentenced [Penny Arcade]

I wanted this strip to erupt into a thousand strips - I wanted flowers to bloom the world over. My counterpart said no because for him, any effort to create beauty is regarded as a personal attack. That was just an opportunity to throw in a line from an Art of Noise song; in truth, beauty is the only thing he cares about. To an extent that it's been a problem!

22:56

Page 15 [Flipside]

Page 15 is done.

22:28

Reject AB 2047: California’s Attack on 3D Printers, Creators, and Open Source [EFF Action Center]

Wishful thinking

A.B. 2047 would require 3D printers sold in California to use government-approved algorithms that scan print jobs for supposed “firearm blueprint files” and block flagged prints. But the technology this bill mandates cannot reliably do what it is supposed to do.
Ordinary objects like props, repair parts, tools, and toys can share geometric similarities with firearm components, meaning any detection system will produce false positives. Meanwhile, someone intent on making firearm components can find ways to bypass algorithms entirely, create undetectable designs, or simply build a 3D printer with common components.
Algorithms can’t detect intent. This bill signs up California for an expensive game of cat and mouse that only inconveniences people following the law.

Attack on Open Source

This bill goes further than any other like it introducing criminal penalties for the disabling or circumvention of these systems. In practice, this threatens open-source firmware, third-party software tools, repair modifications, and independent innovation around 3D printing technology.

Surveillance Lock-in

A.B. 2047 paves the way for manufacturers to lock users into proprietary ecosystems, restrict repairs, and drive up costs. The requirements can also only be feasibly met with cloud-connected AI scans of every print, a surveillance apparatus prone to misuse and stifling lawful speech.

We’ve also learned from the history of Digital Rights Management (DRM) that giving companies the ability to write untouchable code, shielded by criminal penalties, leaves the consumer worse off. It robs us all of the ability to choose the right tools and improve what we already own—while creating a hotbed for vulnerabilities security experts aren’t allowed to fix.

Only the Beginning
Once this infrastructure exists, it won’t stay limited to firearm-related files. Systems designed to monitor and block prints can easily expand into copyright enforcement, political censorship, or broader restrictions on lawful expression and innovation.
California must reject print censorship, and we’re running out of time. Contact your Assemblymember today and tell them to vote no on A.B. 2047.

22:07

CISA Admin Leaked AWS GovCloud Keys on Github [Krebs on Security]

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

A redacted screenshot of the now-defunct “Private CISA” repository maintained by a CISA contractor.

The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.

Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those systems included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment.

Philippe Caturegli, founder of the security consultancy Seralys, said he tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

“The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments,” Caturegli observed. “The available Git metadata alone does not prove which endpoint or device was used.”

The Private CISA GitHub repo exposed dozens of plaintext credentials for important CISA GovCloud resources.

Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.

“That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

In response to questions, a spokesperson for CISA said the agency is aware of the reported exposure and is continuing to investigate the situation.

“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

A review of the GitHub account and its exposed passwords show the “Private CISA” repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, directing inquiries to CISA.

CISA has not responded to questions about the potential duration of the data exposure, but Caturegli said the Private CISA repository was created on November 13, 2025. The contractor’s GitHub account was created back in September 2018.

The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.

CISA is currently operating with only a fraction of its normal budget and staffing levels. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, which forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.

The now-defunct Private CISA repo showed the contractor also used easily-guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform’s name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, noting that threat actors often use key credentials exposed on the internal network to expand their reach after establishing initial access to a targeted system.

“What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli said. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”

20:07

Joe Marshall: CLRHack: FibBenchmark [Planet Lisp]

The first thing to look at is the Fibonacci benchmark. The source code is here:

(in-package "CLRHACK")

(progn
  (defun fib (n)
    (if (< n 2)
        n
        (+ (fib (- n 1))
           (fib (- n 2)))))
  (defun main ()
    (print "Fibonacci of 10:")
    (print (fib 10)))
  (main))

And it compiles to this IL code: (commentary after the code)

.assembly extern mscorlib {}
.assembly extern LispBase {}

.assembly 'FibBenchmark' {}
.module 'FibBenchmark.exe'

.class public auto ansi beforefieldinit Program
       extends [mscorlib]System.Object
{
    .field public static class [LispBase]Lisp.Symbol 'SYM_G545'

.method public static hidebysig specialname rtspecialname void '.cctor'() cil managed
{
    .maxstack 8
    ldsfld class [LispBase]Lisp.Package [LispBase]Lisp.Package::CommonLisp
    ldstr "T"
    callvirt instance class [LispBase]Lisp.Symbol [LispBase]Lisp.Package::'Intern'(string)
    stsfld class [LispBase]Lisp.Symbol Program::'SYM_G545'
    ret
}

.method public static hidebysig object 'FIB'(object) cil managed
{
    .maxstack 8
    .locals (object TEMP_B)
    ldarg 0
    ldc.i4 2
    box int32
    stloc TEMP_B
    unbox.any int32
    ldloc TEMP_B
    unbox.any int32
    clt
    brtrue TRUE543
    ldnull
    br END544
TRUE543:
    nop
    ldsfld class [LispBase]Lisp.Symbol Program::'SYM_G545'
END544:
    nop
    ldnull
    ceq
    brtrue ELSE546
    ldarg 0
    ret
ELSE546:
    nop
    ldarg 0
    ldc.i4 1
    box int32
    stloc TEMP_B
    unbox.any int32
    ldloc TEMP_B
    unbox.any int32
    sub
    box int32
    call object Program::'FIB'(object)
    ldarg 0
    ldc.i4 2
    box int32
    stloc TEMP_B
    unbox.any int32
    ldloc TEMP_B
    unbox.any int32
    sub
    box int32
    call object Program::'FIB'(object)
    stloc TEMP_B
    unbox.any int32
    ldloc TEMP_B
    unbox.any int32
    add
    box int32
    ret
BLOCK_END_FIB_532:
    nop
    ret
}

.method public static hidebysig object 'MAIN'() cil managed
{
    .maxstack 8
    ldstr "Fibonacci of 10:"
    call void [mscorlib]System.Console::'WriteLine'(object)
    ldnull
    pop
    ldc.i4 10
    box int32
    call object Program::'FIB'(object)
    call void [mscorlib]System.Console::'WriteLine'(object)
    ldnull
    ret
BLOCK_END_MAIN_536:
    nop
    ret
}

.method public static hidebysig void 'Main'() cil managed
{
    .entrypoint
    .maxstack 8
    call object Program::'MAIN'()
    pop
    ret
}

} // end of class Program

The first thing the fib program does is compare argument x to the literal number 2. The compiler pushes argument 0 on to the stack, and then the compiler pushes a integer 2 on to the stack and boxes it.

Next, the compiler has to perform the compare. In order to do this it must unbox both arguments. One argument is on top of the stack, so it is put into a local TEMP_B so we can get to the other argument. We unbox it. We then restore TEMP_B to the top of stack and unbox it. Finally we compare the two unboxed values for less than.

This pattern of unboxing a pair of elements from the top of stack by way of a temporary local is repeated several places in the compiled code as FIB rather inefficiently subtracts 1 or 2 from the argument and makes the recursive call.

This example shows that the compiler basically treats everything as a .NET object. It unboxes numbers at the last moment and boxes the results as soon as they are generated. It is not efficient code.

19:49

19:21

Never Again, Again [George Monbiot]

Why are rightwingers being given a free pass on antisemitism?

By George Monbiot, published in the Guardian 14th May 2026

The media’s message appears to have cut through. At the crucial rally against antisemitism in London on Sunday, Zack Polanski, the Jewish leader of the Green party of England and Wales, was not invited to speak, on the grounds that he had not done enough to root out antisemitism from the party. But Nigel Farage was invited, on the grounds that his party, Reform UK, has “expressed very broad support for the fight against antisemitism”. More than two thousand Jews saw things differently and signed a petition arguing that the invitation to Farage “fundamentally undermines” the message of solidarity in defence of Jewish safety and dignity. I agree with them.

Antisemitism must be stamped out everywhere. “Never again” means zero tolerance for this age-old hate, wherever it occurs and whoever voices it. It is indeed a problem on the left, and I’ve often found myself in dispute with those who downplay or minimise it.

Two Green candidates for the council elections have been arrested on suspicion of stirring up racial hatred on social media. The Labour party’s researchers dug up disgraceful remarks by 25 Green candidates for the recent council elections. Never mind that it’s 25 out of 4,500: it’s 25 too many. Polanski’s response when asked about the numerous arson attacks on synagogues and on Hatzola ambulances – “there’s a conversation to be had about whether it’s a perception of unsafety or whether it’s actual unsafety, but neither are acceptable” – seemed dismissive of a horrifying escalation of antisemitic assaults.

So where is the equally urgent concern about antisemitism on the right? It should begin with the media. In the approach to last week’s elections, leading rightwing British newspapers published cartoons of Polanski that could have come from the pages of Der Stürmer, the hate-filled propaganda rag published in Germany from 1923 to 1945.

In the Times and the Telegraph, Polanski was portrayed with a hooked nose (which he does not possess). The Times’s cartoon also gave him the jug ears, receding chin, thick lips and baggy eyes of the Stürmer caricatures, none of which resemble his features. In the Mail, he was shown with an enormous nose, whose shape, again, had been grossly changed.

Worse still was the Sun’s caricature. It turned Polanski into a version of Slimer, a spook from Ghostbusters. It gave the apparition heavy, pitch-black eyebrows, a large bulbous nose, thick lips and a forked tongue, none of which distinguish either Polanski or the original ghost, but all of which figured in Nazi portrayals of Jews. Whether or not this was the cartoonist’s intention, a slimy green monster with red eyes, prehensile fingers and forked tongue comes across as about as crude an antisemitic caricature as you could imagine.

None of these newspapers have issued an apology. The Times’s only acknowledgment of the issue was a column attacking Polanski for complaining about the cartoon. It claimed that “caricature is an accepted part of the cartoonist’s stock in trade”. For sure. But, as cartoonists for liberal newspapers have discovered to their cost, this never excuses antisemitic imagery.

Otherwise, its response appears to have been to double down on its attacks against him, charging him with “unwillingness to confront the antisemitism staring him in the face”. In truth, he has moved swiftly to try to root out antisemitism in the Green party, with an accelerated disciplinary process. That seems to be more than can be said for parts of the rightwing press.

The Telegraph has berated Polanski for what it calls his refusal to apologise for that “perception of unsafety” remark. Fine. And shouldn’t the Telegraph also apologise for the way it portrayed him?

The Daily Mail quoted Farage stating: “The Greens will take us to sectarian hell … No Jew will be safe.” One can only marvel at the sheer brass neck of the man. The Sun has accused Polanski of a “refusal to root out” racists in the party: a “refusal” for which it provided no evidence. So how about rooting out the apparently antisemitic imagery in its own pages?

Where is the storm of protest obliging these newspapers to face their own issues? Where is the Labour dossier on antisemitic comments by Reform candidates? Why does the fury seem mostly to flow in one direction?

I can only imagine what a concerted search would reveal about Reform’s representatives. Comments that have sporadically come to light are just as terrible as the odious remarks of those Green candidates. Far from being rooted out, some of the perpetrators are now elected councillors.

Concerning Farage himself, there are many complaints of claimed antisemitic tendencies (denied by him), beginning at school, where he is alleged to have sung “gas ’em all”, to have given Nazi salutes and to have engaged in antisemitic bullying. Much more recently, he has claimed that “in terms of money and influence”, Jews in the US “are a very powerful lobby”, and repeated classic antisemitic tropes about George Soros and “globalists”, on shows hosted by people viewed by many as virulent antisemites.

To judge by the coverage in the British media, however, you could honestly believe there is unquestionably a bigger antisemitism problem on the left than on the right. The issue is not – and must never be – that the left should get a free pass on antisemitism. The issue is that no one should get a free pass. Yet perversely, the right, the hard right and far right often get away with it.

This reinforces the concern that much of the media might be campaigning against antisemitism not because they care about Jews, but because it’s a highly effective means of attacking – even stopping – the left.

Are charges of antisemitism to be reserved for those who challenge power, or who oppose the genocide in Gaza? If so, this is deeply disturbing. Using antisemitism for political purposes devalues the meaning and urgency of this terrible ideology. It may encourage people to dismiss the latest wave of antisemitic attacks as yet another scare cooked up by the billionaire press. Indeed, this is what I appear to be seeing among some leftwingers who ought to know better.

When the same media produce what look to me like vile antisemitic cartoons, this goes beyond hypocrisy. It seems like a double-edged attack on British Jews, simultaneously instrumentalising and deploying the vicious old tropes. Who on the right will now call them out?

www.monbiot.com

19:00

The 21 years and 20000 posts OSNews fundraiser: €1 for every post [OSnews]

To celebrate my 21 years and 20000 posts as OSNews’ managing editor, it’s time for a massive fundraiser: €1 for every story I’ve posted over the past 21 years, for a long-term total goal of €20000. Because OSNews is ad-free and independent, I rely entirely on your donations and support for my income and OSNews’ continued survival. Your donations ensures OSNews remains free of ads, corporate influence, and other commercial interests that have ruined so many great websites.

Why support OSNews?

  • We do not run any ads, so we don’t have to be friendly to advertisers (i.e. the technology companies we’re supposed to report on).
  • We are not owned and controlled by a large media company dictating our tone and content. You’d be surprised how many other sites are.
  • We do not use any “AI”; not during research, not during writing, not for images, nothing.
  • We rely entirely on your support to keep going.

I want to make sure I can run OSNews for another two decades and another 20000 posts, and I need your help to do so. Since my wife, who has a tough, underpaid job in elderly care, is largely unable to work due to health reasons caused by that very same job, my income has become a lot more crucial for our kids, my wife, and myself. With OSNews readers being more skeptical of subscription-like things like our Patreon than most people, it’s exactly these one-time donations that make up the bulk of your support.

To sweeten the deal, I’ve come up with a bunch of silly incentives that will unlock at certain thresholds:

  • At €5000: I will use Windows 11 for a month for everything non-gaming. The real Windows 11, so not debloated, and with an online account, Office, Outlook for email, the whole deal. I dread this so much.
  • At €10000: I’ll make a proper photo and video tour of my office, my computers, and my vast collection of PDAs, edited and produced on Linux, of course. I know very little about videography, so I’ve got some learning to do.
  • At €15000: I will use some of the donated money to buy a Mac and use macOS for a month for everything non-gaming, and write a proper, fair review about it. I’ll live the Apple desktop life on a modern M series Mac, probably a MacBook Air or Neo, depending on deals I can find, most likely used/refurbished. I dread this even more than using Windows 11.
  • At €20000: as detailed in my 21 years and 20000 posts article, I will get the OSNews logo tattooed on my right shoulder (my first tattoo), in honour of the role OSNews plays in my life. Photo and video evidence of the result will be provided.

I know many of you don’t really care about incentives and silly things like these, but I think they’re fun and add some interesting things to donate to. The donations already started coming in, so we’ve got a small head start. Also, if anyone has any idea on how to add a cool progress bar to OSNews to keep track of the donations and incentives, please let me know. I’m sure some of you can whip something up or point me to something.

OSNews was founded in 1997, so we’re almost 30 years old. Let’s keep this wonderful little corner of the people-focused web alive for just a euro per post. Everyone here deserves it, because y’all are great. ♥️

Haiku OS runs on M1 Macs now [OSnews]

Big news from the Haiku forums: the Haiku ARM port is running on M1 Macs now.

This is bare metal, no VM. m1n1+u-boot deal with the Apple-specific parts of booting, so we can boot UEFI images from USB like any PC.

↫ smrobtzz on the Haiku forums

USB is apparently broken, but all 8 cores are functional, and it boots to a desktop. It’s still early days, for the ARM port in general and the M1 Mac port specifically, but it’s a great start.

18:42

The Enshittification of History [Charlie's Diary]

(This blog essay is overdue because I'm still waiting for new prescription glasses and writing while cross-eyed with text zoomed to 250% is tedious. They should be here later this week. Meanwhile ...)

Back in January 2022 I wrote an essay revisiting my predictions for 2017. My review of 2017's stab in the dark began, "it spanned three blog posts and ended happily in a nuclear barbecue to put us all out of our misery: start here, continue with this, and finale: and the Rabid Nazi Raccoons shall inherit the Earth."

I'll actually stand by those 2017 predictions, which were weirdly not that far off the mark although Queen Elizabeth II outlasted my prediction by several years.

But my 2022 predictions?

Oh boy.

Look, for an amateur futurologist writing in January of 2022 it was arguably forgivable to miss the US electorate being so boneheadedly stupid that they'd re-elect the most corrupt president in their nation's history, at the head of a Gish gallop of barkingly ignorant and destructive cranks and conspiracy theorists determined to tear down the republic and destroy its vital institutions, all in the name of returning the social order (per the Project 2025 plan) to the 50s--the 1850s, that is, not the 1950s. With 20/20 hindsight, what I missed was the now-obvious wave of media ownership consolidation, including corporate social media such as X, Meta, and Google, in the hands of a narrow class of billionaire oligarchs. I also missed the complacent incompetence of the Biden administration with respect to organizing their succession plans--it was obvious that by 2024 he'd be vulnerable to campaign ratfucking on grounds of his age, and his anointed successor was guilty of being (a) too female and (b) non-white, rendering her unacceptable to a large chunk of the voters.

But, even if you forgive my failure to recognize the catastrophic collapse of the US as a credible hegemonic superpower over the past 3-4 years, I can only hang my head in shame over my failure to anticipate the Ukraine war, which broke out six weeks after that blog essay. Let alone to anticipate a revolution in military affairs as profound as that brought about of the first world war.

Similiarly, I have no excuse for not recognizing that an Israel with politics dominated by Benjamin Netanyahu would go Full Nazi sooner rather than later, as the genocide in Gaza and the program to build a Greater Israel in Lebanon demonstrate. I mean, I grew up going to synagogue and have visited Israel more than once! I should have seen the signs, they were all there as far back as the 1980s. Mea culpa. (And fuck those guys.)

While I correctly recognized the EV transport revolution, I missed the concurrent solar power and grid-scale battery revolution, now very visibly in train and arguably more important than the arrival of cheap electric cars and cheaper e-bikes. I didn't notice the global supply chain crisis of 2021-2023, even then gathering pace, although it didn't impact consumer prices for a few more months.

Possibly my worst miss is that I completely discounted the profound social impact of LLMs (or so-called "AI"), not simply as a massive technology sector investment bubble and happy hunting ground for snake oil salesmen and grifters, but as a corrosive influence on population-level critical thinking. I should have seen it coming--I read Joseph Weizenbaum's Computer Power and Human Reason back in the 1980s--but I didn't recognize just how unable to see past the ELIZA illusion most people would prove to be.

Nor did I expect the transhumanists, extropians, and the rest of the hairball of beliefs now congealing into the syncretistic techno-religion of TESCREAL to have seized control of trillions of dollars of private equity and not only be arguing about the Singularity but to be squabbling over who gets to run it (with a side-order of racism and eugenics on top, because every flavour of crank batshittery is so much better with a side-order of fascism and concentration camps).

So I'm sticking a flag in the ground here and admitting: I am officially a shit futurologist.

Back in 2022, and before that, in 2017 and even in 2007, I espoused a general rule of thumb about predicting the future, that:

Looking 10 years ahead, about 70% of the people, buildings, cars, and culture is already here today. Another 20-25% is not present yet but is predictable -- buildings under construction, software and hardware and drugs in development, children today who will be adults in a decade. And finally, there's about a 5-10% element that comes from the "who ordered that" dimension

2022 forced me to update the ratio to:

20% of 10-year-hence developments utterly unpredictable, leaving us with 55-60% in the "here today" and 20-25% in the "not here yet, but clearly on the horizon" baskets

Anyway, it's now 2026, and I officially give up.

The Stross Ratio for predicting events ten years hence is now 60/10/30. That is: 60% of the people, buildings, and culture are here today. 10% is predictably on the drawing boards, and a whopping 30% is utterly unpredictable.

Airborne Hantavirus pandemic or global Measles pandemic, who the fuck knows what we're going to get--given that the US FDA is run by a crank who doesn't believe in the germ theory of disease and seems to be trying to spike vaccine development globally?

A shutdown of global semiconductor fabrication caused by a worldwide helium shortage, and a global fertilizer shortage causing famine and food price spikes, due to a senile sundowning autocrat starting a war with Iran without any clear exit strategy?

Who ordered any of this?

I'm reasonably confident that the Russian invasion of Ukraine will be over by this time in 2030--quite likely by this time in 2027, due to the collapse of the Russian domestic economy. I'm also reasonably confident that the US war on Iran will be over by this time in 2030, if only because Trump will most likely be dead or in palliative care (possibly following his removal in a soft coup via Article 25 of the US constitution, due to his very obvious current illness and decline). (Note that Trump's insistence on "running for a third term" is very probably a serious sign that the electoral process in the USA is no longer fully functional, under the aegis of the supreme court he appointed, as long as he survives. His successor may not be able to sustain his ability to ignore the law: if they can, then, well, the US Republic is over: it had a good run, from 1776 to 2026.) The AI bubble will have burst long before May 2027--the semiconductor pinch caused by the aforementioned helium supply crisis will cripple Nvidia's ability to manufacture chipsets for data centers, and the US DCs are all being built to run on diesel/kerosene burning gas turbine power plants anyway, the price of which has skyrocketed due to the gulf war.

I expect us to be well into Great Depression 2.0 by this time in 2030.

There will be some grounds for hope. The global energy transition to renewables will, by that point, be a done deal. It also means China will have replaced the USA as the global energy superpower--not because they dominate the transport routes for energy but because they manufacture 80% of the planet's EVs and PV panels and batteries. But that's a tenuous hold on superpowerdom. If the Chinese government throws its weight around in the 21st century the way the USA did in the 20th, it will rapidly find first-tier rivals building up their own manufacturing capability: meanwhile, PV/battery is inherently easier to distribute that large, centralized grid based power supplies, and the dronification of warfare means (at least in the near term) that rapid mechanized wars of maneuver are a non-starter: the "fog of war" is on the way out, replaced by highly precise targeting of advancing assets and the robotization of the front line.

In space, I'm pretty sure we will see a Kessler Syndrome event if the idiotic rush towards putting data centers in orbit goes anywhere. But I think it's not going to happen--SpaceX is inextricably tied to the current tech bubble, and when it pops Elon Musk is going to wish he had a bunker to hide in.

The main casualty of this decade is the ideological credibility of capitalism as a social organizational principle.

Enshittification, also known as platform decay, per wiki, is "a process in which two-sided online products and services decline in quality over time. Initially, vendors create high-quality offerings to attract users, then they degrade those offerings to better serve business customers, and finally degrade their services to both users and business customers to maximize short-term profits for shareholders." Systematic capture of the US government and the global system of trade by capitalists has resulted in the creation of a framework optimized for enshittification all round, and the result is the enshittification of everything--all the infrastructure of the capitalist world is decaying and on fire as the post-privatization owners loot it.

This is the Marx-predicted crisis of capitalism, and it's been in progress since the collapse of the USSR in 1991 removed the main ideological standard-bearer for opposition. It accelerated in 2008 with the global financial crisis, and again in 2020 when the pandemic provided top cover for the hyaenas to go on a looting spree. They've stripped the corpse of actually-existing social democracies everywhere to the bone, and now they're cannibalizing their own body politic. Disaster capitalism has finally come home to roost, and it won't end until the global financial system collapses. Meanwhile, the generation born in the 21st century has no time for their shit. We are moving into a political state weirdly reminiscent of the period between 1905 and the 1930s. If we're lucky we're going to get New Deal 2.0 and a brisk round of socialism: if we're unlucky, it's going to be guillotine time all over again.

PS: do not expect to see me visiting the USA any time soon. Millions of people applying for a US visa are now required to make all of their social media accounts publicly visible -- or risk having their applications delayed or denied outright. The directive, which covers more than a dozen nonimmigrant visa categories, has been rolling out in phases since June 2025 and expanded significantly as of 30 March 2026. This policy is impossible to implement without feeding all those social media profiles to an LLM in search of a verdict, and they'll obviously be screening applicants for ideological compatibility. And if it's rolling out to visa applicants now, the automated program will inevitably be applied to I-94W (visa waiver) travelers shortly thereafter. My social media profile is that of a pro-LGBT pro-Green hard left troublemaker, so ... nope, not going there: I am absolutely not interested in touring the concentration camps of El Salvador!

18:21

The Mind of Claude [Scripting News]

I have taught Claude Code to write software the way I do.

It has abilities that I don't, for example, I give them 1000 lines of code, highly factored, with lots of thought into making it readable and maintainable, and always falling short (our languages today fight against readability imho), and get this -- it can read different parts of the same code in parallel, and in two or three seconds have a complete understanding of it.

I couldn't do it even if I had a week. I would totally depend on clues left there.

What's even more amazing is that when it writes code for me, it does it my way, mostly without any prompting from me. This was done over and over until I realized I had to tell it to save it and read it when a new session starts. That's how it accumulates knowledge. Anything that isn't in one of those files has to be relearned, and that's most of what it, as a code-writing system, has to work with. It has no "memory" of ever having seen this stuff before, but that isn't a problem because it can accumulate a few years of understanding in two or three seconds. It works very diffrently from the way we work. If I were to show you how to do something three times that would be it, not so with Claude.

When it doesn't know what to do, I take the time to explain how I would have done it, and next time it does it that way.

I kind of did the same thing in a human way -- when I first encountered Unix, I couldn't believe from reading the source code, how transparent it was. That was in the 70s. Since then I have been striving to write code that's as easy to work on. When it comes to realtime software, there isn't really a choice. Though history piles up in the code no matter how diligent you are. But you could give the source to say MySQL to Claude Code, and say "rewrite this as if Dave Winer wrote it" and it probably would do a decent job, though it might take a while before it ran every MySQL app.

If you're looking for good investments, I'd say look for programming problems that are very complicated. We are limited by what we can create by how much we can maintain. But we can have Claude explain for us any time what any of our code means. It can read my mind because I put the work of my mind in the memory of the computer. Which effectively is the Mind of Claude.

PS: Claude has a huge advantage over ChatGPT. Claude is one syllable and easy to remember. ChatGPT is four syllables, and has no discernable meaning. Claude is a person, and I think in general people named Claude are interesting.

18:14

16:42

How does Flathub even work? The CDN and caching layer [OSnews]

There is one specific way in which the non-corporate open source projects typically document how their infrastructure work: not at all, and Flathub is no different. The full picture likely lives only in my brain, and while it could be sorted out by anyone (especially in this LLM age, yay or nay), why should it only be me thinking at night about all the single points of failure?

Like any system that evolved naturally, it’s all over the place. It’s tempting to tell its history chronologically, but even then, it’s difficult to find a good entry point. Instead, this post focuses on what happens when users call flatpak install; later entries will cover the website and, finally, the build infrastructure. Buckle up!

↫ Bart Piotrowski

As time goes by and more and more issues with Flatpak are addressed, I feel my attitude towards the technology change somewhat. I’m still very much a traditional package manager type of person, and will opt for my distribution’s repository if the versions they have are up-to-date, but I’m no longer audibly groaning if an application I want is only really available as a Flatpak. For the increasing number of normal, average users switching to Linux, Flatpak is probably the right way to go, especially since it can easily coexist with your traditional package manager.

The only part of the linked article that made me raise my eyebrow was the reliance on Fastly, which seems to form an important linchpin of the whole Flathub stack. Fastly is an American company, and while they support Flathub entirely for free, the state of the world does have me wonder if this couldn’t evolve into a problem in a myriad of ways, perhaps through questionable people acquiring Fastly or through pressures from the clown car US administration.

I’m sure it’s all fine, but it’s hard not to think of these things in this day and age.

You can now run Windows CE 2.11 on the Nintendo 64 [OSnews]

I’ve seen some wild projects in my day, but this one is definitely up there as one of the more ambitious.

Stock Microsoft Windows CE 2.11 running on a real Nintendo 64. A custom HAL drops the unmodified nk.lib kernel onto VR4300, brings up the CE 2.11 GWES desktop and shell, mounts the EverDrive-64 X7’s SD card under \SDCard, treats the N64 controller as a mouse, plays sound through the N64 AI hardware via the standard CE wave stack, and runs third-party CE 2.11 EXEs straight off the SD card.

This is a hobby reverse-engineering project: there is no official CE 2.11 port to N64 from Microsoft. Everything below the unmodified nk.lib (HAL, OAL, display driver, FSD, kbd/mouse PDD, wave PDD, RDP-accelerated GDI fill, ed64-X7 driver) is part of this repo.

↫ ThroatyMumbo

Getting a fully operational desktop on Windows CE 2.11 is a lot harder than it appears at first sight, because this earlier version of Windows CE didn’t come with many of the reference implementations of components that later versions would add. OEMs were supposed to develop their own user interfaces for Windows CE 2.11, so the entire desktop you see here on this N64 port – window manager, taskbar, file manager, and so on – consists of custom code developed by ThroatyMumbo, using the standard Windows CE APIs.

That’s not all, though, as the same applies to the various drivers needed to make Windows CE 2.11 talk to the hardware in the Nintendo 64. Windows CE 2.11 contains the interfaces for drivers but OEMs were supposed to write their own device drivers. So ThroatyMumbo did: the display driver, input drivers, sound driver, cartridge driver, and so on, are all written from scratch. Absolutely incredible. Note: it seems “AI” has been involved in this project, but it’s unclear to what extent. I didn’t see any telltale signs, but readers have reached out to me about this.

The result of all this is that you can now run Windows CE 2.11, including a familiar shell, on your N64, and run any Windows CE applications as well. Absolutely wild.

16:07

Link [Scripting News]

2024-era ChatGPT pictures, of which I created many are now like Comic Sans type was in 2010 or so, if you remember.

15:56

Microsoft finally brings back moving and resizing the taskbar in Windows 11 [OSnews]

Microsoft is finally rolling out one of the most requested set of features to Windows 11: a movable and resizable taskbar. Windows 11 did away with the ability to move the taskbar to any side of the screen, as well as a various other taskbar customization options, that had been there since the very first iteration of the taskbar in Windows 95. Now they’re finally bringing it back.

Microsoft is finally rolling out two of the most requested features: the ability to move the taskbar and make it smaller, so you have more screen space. I tested Windows 11’s new movable taskbar integration, and it’s just as good as the original Windows 10 version, which let you move the taskbar to the top or sides.

↫ Mayank Parmar at Windows Latest

It works exactly as you’d expect it to, with icons, text, menus, and other user interface elements adapting to their new location on the sides or top of the screen. I feel absolutely stupefied that I need to make a news item about this in this, the year of Our Lady 2026, but I know a lot of people stuck on Windows 11 were really missing these basic features.

Rejoice.

15:07

14:35

Free Software Directory meeting on IRC: Friday, May 22, starting at 12:00 EDT (16:00 UTC) [Planet GNU]

Join the FSF and friends on Friday, May 22 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Agent Skills Work but the Research Shows Most Teams Are Building Them Wrong [Radar]

This post was originally published on The Nuanced Perspective and is being reposted here with the authors’ permission.

Agent skills are everywhere right now. Atlassian built them into Rovo so agents can automatically triage Jira tickets, draft Confluence pages, and route service requests without anyone typing a prompt. Canva and Figma use them so Claude can interact with design files directly. Stripe published skills for payment workflow automation. When Anthropic launched the Agent Skills open standard in December 2025, Microsoft adopted it in VS Code and GitHub within weeks.

The idea is elegantly simple. Instead of building a new specialized agent for every use case, you write a skill once, and any agent that understands the standard can use it. A code reviewer, a PR generator, a deployment checklist, a sprint planner. Each lives in a folder, triggers when relevant, and brings your team’s specific way of doing things into the agent’s context.

But the research on whether skills actually work, and what causes them to fail, is only catching up to adoption now. Four recent papers take the first systematic look at skills in practice: what the benchmarks show, how libraries break down as they grow, and what a more principled approach to orchestration looks like.

Three findings that will change how you think about skills:

  • Curated skills raised the rate at which agents successfully completed tasks by 16.2% on average across 84 tasks. Model-written skills showed no consistent benefit across any configuration tested.
  • As skill libraries grow, the agent’s ability to find the right skill on demand breaks down. When it scans every skill description in one pass, similar-sounding skills start colliding. Organizing skills into a hierarchy rather than a flat list is what the research shows actually fixes this.
  • A large-scale security study of ~31K community skills found that more than one in four contain exploitable vulnerabilities, spanning prompt injection, data exfiltration, and privilege escalation.

This is what those papers found, and what it means for anyone building with skills today.

What a skill is

Your team has a specific way of reviewing PRs. Particular checks, a specific order, standards that go beyond what any generic reviewer would know. You’ve explained it to every new engineer who joined. A skill is how you stop explaining it and let the agent carry it instead. In practice it’s a folder with a SKILL.md file at the center: a description that acts as the trigger condition, a body with step-by-step instructions, and optionally scripts and reference documents that load only when needed. A scoped set of tools and instructions the agent can invoke.

At session startup, the agent reads only the name and description from each installed skill, which is about 100 tokens per skill. The full instructions load only when the skill activates, and scripts run without being read into context at all. A large skill library costs almost nothing at initialization. The context budget only gets spent when a skill is actually running.

That’s progressive disclosure, and it’s what makes skills different from system prompts, which load everything globally every session, or tools, which are API calls that give the agent direct capabilities. The distinction that holds up for MCPs is that MCP gives the agent abilities, say, a shell, an API connection, or access to a database, whereas skills encode the knowledge of how to use those abilities well for a specific workflow. Block’s engineering team put it well that skills are like GitHub Actions YAML, and MCP is the runner. One describes the workflow and the other makes it possible.

Some concrete examples of what this looks like in practice, from teams that have shipped skills in production:

  • A PR review skill that loads your org’s specific style guide, flagging violations and blockers according to your team’s standards rather than generic best practices
  • A deployment checklist skill that runs your team’s exact predeploy sequence, covering environment checks, rollback verification, and the three Slack channels to notify in order
  • A data reporting skill that knows your company’s metric definitions, so when someone asks for “revenue,” it pulls the right number rather than the closest approximation
  • A sprint planning skill that fetches the backlog, applies your team’s capacity rules, and proposes a plan structured the way your team runs standups

The value in each of these isn’t the task itself. Any agent can attempt a PR review or a sprint plan. The value is the organizational knowledge baked into how the skill executes it, your style rules, your deploy sequence, your metric definitions, your team’s way of running things. That specificity is also what makes skills hard to get right, as the benchmarks show.

What the benchmarks show

SkillsBench is the first benchmark built specifically to measure whether agent skills actually improve performance. It tested 84 tasks across 11 domains, running each task under three conditions: no skill, a curated skill, and a self-generated skill. The results are worth sitting with.

Curated skills raised average pass rates by 16.2%. However, the gains were uneven across domains. Software engineering tasks improved by 4.5%, while healthcare tasks saw nearly 52% improvement. The domains where skills helped most were the ones with highly structured workflows and domain-specific conventions the base model doesn’t carry natively.

The less-cited result is that self-generated skills, where the model writes its own skill rather than a human curating one, provided no average benefit across configurations (“SkillsBench,” Table 3). Some model configurations saw small gains; others saw small losses. The paper’s conclusion was that models cannot reliably author the procedural knowledge they benefit from consuming. The trajectory analysis in the benchmark identified two failure modes:

  • Models either generate imprecise procedures lacking specific API patterns, or
  • Fail to recognize what domain knowledge the task actually requires.

The benchmark’s self-generation condition has also drawn pushback from practitioners. One engineer writing on HackerNoon argues the test doesn’t reflect how skilled teams actually build skills. The benchmark prompted a fresh agent to write a skill and immediately use it, which is closer to asking a model to think harder before attempting a task than to building a skill from real execution experience. His own replication, using skills built from actual debugging sessions, showed much stronger results. The distinction matters because a skill captures what a fresh model wouldn’t know. If the model could have reasoned its way there anyway, the skill wasn’t needed.

The practical consequence is that self-generation is the obvious shortcut. You finish a workflow, ask the agent to extract it as a skill, and move on. The benchmark says that without a human review step, you’re not getting the gains you’d expect. The skills look complete. They often cover the main path. What they miss are the edge cases, the exceptions, the three things your team does differently that the model has no way of knowing, and those are exactly the things that make a skill valuable.

One finding worth noting for anyone building with skills: focused skills with two to three modules consistently outperformed comprehensive documentation (“SkillsBench,” Section 4.2). More coverage in a single skill didn’t help; more focused, well-scoped skills did. The benchmark also found that smaller models running with curated skills could match larger models running without them, which is a meaningful cost implication for anyone running skills at scale (“SkillsBench,” Section 4.2.3, Finding 7).

Questions that come up when building with skills

These questions show up every time a team starts building a skill library.

When does something become a skill versus staying in a workflow or system prompt?
The cleaner test is whether this is a recurring task that your team has a specific, repeatable way of doing. If yes, it’s a skill candidate. If it’s a one-time flow or something where general reasoning is sufficient, it probably doesn’t need one. The key difference between a skill and a workflow tool like n8n is flexibility. A workflow executes a fixed sequence and breaks when inputs change, while a skill gives the agent procedural guidance it can apply to variations of the same task. Similarly, agentic workflows can chain multiple agents and tasks together, but each agent still benefits from skills that encode the org-specific knowledge for its part of the chain. When you want the what to be consistent but the agent to handle the how intelligently, that’s a skill.

How narrow or broad should a skill be?
The SkillsBench finding that focused skills with two to three modules outperform comprehensive ones is directly relevant here (“SkillsBench,” Section 4.2). A skill that tries to cover an entire domain tends to underperform one that handles a specific thing well. The more practical question is whether to put a full workflow (data fetch, format, generate PDF) into one skill or split it. Current research supports splitting because, then, each piece becomes reusable, easier to update when something changes, and less likely to create unexpected behavior when one module’s scope drifts.

What about skills for noncoders or nonsoftware workflows?
Skills are format-agnostic. They’re structured instructions plus optional scripts, and the domain can be anything. A customer support team can encode their escalation criteria, tone guidelines, and the specific conditions where a human always takes over. A legal team can encode their document review checklist. A design team can encode component standards so reviews stay consistent across contributors. Atlassian’s Rovo agents are a useful reference outside the coding context. Their skills handle ticket triage, Confluence page creation, and service request routing, none of which is software engineering.

When should you deprecate a skill?
This is the question that gets skipped most often. The “SoK” paper argues for treating skills like any other maintained artifact through discovery, refinement, evaluation, update, and eventually deprecation (see Figure 2 in the paper). A skill that was compensating for a model capability gap six months ago may now be redundant, and worse than redundant if it’s overriding better native behavior. The practical test is to run the task with and without the skill and check if the skill still helps. If the gap has closed, retire it.

What breaks as the library grows

A single well-written skill works well. As libraries grow, flat retrieval breaks down, and the “AgentSkillOS” paper is the first to study this systematically across ecosystem scales from 200 to 200,000 skills.

Flat skill libraries don’t scale. When the agent scans a flat directory of, say, 80+ skills on every request, retrieval becomes unreliable. Two skills with similar descriptions start triggering interchangeably and behavior becomes nondeterministic for the same input. At the extreme, the orchestrator falls into routing collapse, where it consistently invokes the wrong skill because the semantic embeddings of two similar skills are indistinguishable. The output looks reasonable BUT the wrong skill ran.

The fix the paper proposes is capability trees: organize skills into a hierarchy rather than a flat list. Top-level domains like code, data, docs, with more specific skills as branches and leaves. The agent navigates from domain to branch to leaf instead of scanning everything. They also introduce a usage frequency queue, where skills that aren’t being invoked or aren’t improving outcomes get moved to a dormant index so they don’t pollute retrieval for active skills.

Testing this across ecosystems ranging from 200 to over 200,000 skills, the structured approach consistently outperformed flat invocation, and the gap widened as library size grew.

This pattern shows up in how production teams manage their libraries too. Atlassian recommends fewer than five skills per Rovo agent. OpenHands maintains a curated extensions repository with separate skill packages for discrete workflows rather than one monolithic skill set. Across all of them, scoped purposeful skill sets outperform comprehensive ones. More skills isn’t more capable. Past a point, it’s just more noise.

How orchestration can work differently

This section uses a different definition of skill than the rest of the article, so the distinction matters upfront.

In the “SkillOrchestra” paper, a skill isn’t a SKILL.md file. It’s a capability description used to match task requirements to individual agents in a multi-agent system (see Figure 3 in the paper). The concern isn’t procedural knowledge for one agent but figuring out which agent in a pool should handle a given task and why.

The problem it’s solving is that standard reinforcement learning approaches to multi-agent routing don’t hold up as systems grow. Adding a new agent or modifying a workflow means retraining from scratch. RL policies also tend to send everything to the highest-capability agent regardless of cost, which looks fine in evaluation but gets expensive when you’re running it in production.

SkillOrchestra’s alternative has each agent maintain a competence profile derived from its own execution history, specifically estimated success rates across different task types. The orchestrator routes incoming tasks to the agent whose profile best matches what the task actually demands, rather than the one with the highest raw capability. The routing logic stays current without retraining, and you can inspect why a task went where it went.

The same logic applies to SKILL.md-based systems. Tracking which skills actually improve outcomes for specific task types, and what they cost in tokens, gives you the foundation for better selection as your library grows. You don’t need SkillOrchestra’s full framework to benefit from the core idea.

The security problem

A large-scale security analysis of 31,132 community-sourced skills found that 26.1% contain at least one exploitable vulnerability, spanning prompt injection, data exfiltration, privilege escalation, and supply chain risks. More than one in four.

The attack patterns aren’t exotic. Prompt injection hidden in skill descriptions that manipulate agent behavior once the skill loads. Scripts that execute against filesystem permissions broader than the skill needs. Tool authorizations scoped to the entire workspace when the task only requires one directory.

The core issue is that an external skill isn’t a document you’re reading. It’s code running with your agent’s permissions. Importing a skill from a public repository without reviewing it is like doing an npm install from an unknown author. You wouldn’t do that without at least checking what the package does. That framing changes what due diligence looks like. It means checking the scripts folder before installing, verifying that the permissions the skill requests match what the task actually requires, and sandboxing execution where your environment allows.

The tooling for auditing skills at install time doesn’t exist at the level it should yet. Until it does, the due diligence is manual. OpenHands’ extensions repository and Atlassian’s open source skill package are reasonable references for how production-grade community skills scope permissions. Claude Code’s built-in skill creator also helps here, since it structures permission scoping explicitly from the start.

3 things to do differently

Across all four papers, three recommendations are consistent.

Write skills from real execution. Do the workflow manually with an agent, correct it as you go, then extract it as a skill. The agent has full context of what worked. Skills built from real runbooks, incident reports, and accumulated corrections outperform skills written from scratch. The org-specific edge cases are exactly what the base model doesn’t already know. The general workflow it can handle; the three exceptions your team deals with differently are what the skill needs to capture.

Treat the description as routing logic. The description isn’t a label. It’s how the skill gets triggered at all. Specific phrases, explicit activation conditions, context that distinguishes this skill from adjacent ones. If a skill isn’t firing when you expect it to, or fires when it shouldn’t, rewrite the description first. That’s almost always where the problem is.

Plan for the full lifecycle. Creation is the easy part. Skills drift out of relevance as models improve. A skill that compensated for something Claude couldn’t do eight months ago may now be actively overriding better native behavior. They need to be evaluated against actual task outcomes, updated when workflows change, and retired when they stop earning their place. The teams that treat their skill libraries the way good engineering teams treat their codebase, with reviews, with metrics, with a process for deprecation, are the ones whose libraries stay useful as they grow.

Where this is heading

The shift from prompt engineering to tool use to skill engineering has followed a pattern. Each era produces artifacts that persist longer than the last. Prompts lived in conversations. Tools live in configurations. Skills live in libraries, versioned, shared, maintained, and eventually retired. They behave like code.

Most teams aren’t treating them that way yet. Skills get written quickly, without evaluation criteria, without any plan for what happens when they stop being useful. That’s worked so far because most skill libraries are still small enough to hold in your head. It won’t hold as they become infrastructure.

The teams building durable agent systems won’t be the ones with the most skills. They’ll be the ones who figured out earlier that a skill library needs to be maintained, not just populated, and who started building the discipline to do that before it became urgent.

This article grew out of a live “Chai & AI” session conducted by Prahitha Movva where practitioners debated whether agent skills actually deliver on the hype, or just add another layer of complexity.

Security updates for Monday [LWN.net]

Security updates have been issued by AlmaLinux (freerdp, gimp:2.8, jq, kernel, and rsync), Debian (chromium, ffmpeg, firewalld, kernel, nginx, openjpeg2, openssh, php7.4, and redis), Fedora (apptainer, chromium, coturn, dnsmasq, firefox, kernel, libgit2_1.8, libmetal, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-js-challenge, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, open-amp, perl-Net-CIDR-Lite, pgbouncer, pypy, python-jupytext, python-uv-build, rsync, rust-astral-tokio-tar, uriparser, uv, valkey, and yelp), Mageia (dpkg, firefox, thunderbird, golang, haproxy, and samba), Slackware (dnsmasq and kernel), and SUSE (apache-commons-configuration2, apache2, apptainer, chromedriver, cups-filters, curl, dnsmasq, expat, ffmpeg-4, ffmpeg-7, firebird, firewalld, flux2-cli, glibc, go1.25, go1.26, gosec, grub2, ImageMagick, java-11-openj9, java-17-openj9, java-1_8_0-openj9, java-1_8_0-openjdk, java-21-openj9, java-25-openj9, kdenlive, kernel, kernel-devel, keylime-config, krb5, libIex-3_4-33, mozjs115, mozjs78, nginx, openssh, openvswitch, ovmf, PackageKit, perl-Crypt-URandom, perl-CryptX, perl-libwww-perl, perl-Net-CIDR-Lite, perl-Text-CSV_XS, podman, postgresql17, postgresql18, python-pyOpenSSL, python310, rsync, sed, tekton-cli, valkey, xen, and zypper-docker).

14:07

CE [RevK®'s ramblings]

CE marking is important for ensuring consumers are buying things that are safe and meet their expectations.

However, CE marking has a lot of implications, in terms of costs and tests, and so on. It basically outlaws your average "cottage industry" type set up.

With modern tech, that "cottage industry" can be technological.

But what if it is not "safe". And this is a very good point.

So there are sites like Tindie, and Lectronz, that act as a platform / marketplace to sell loads of tech that is "home grown" and "cottage industry", with a lot of caveats on T&Cs.

My personal view is ...

  • Most consumers need robust consumer protection law
  • Buying something should, by default, be 100% safe
  • If, and only if, the seller is super amazingly clear on what they sell should there be exceptions.

Oddly this ties in to the utter stupidity that is the fact England and Wales allow selling "raw milk". It is crazy, but the laws require (a) higher hygiene standards, and importantly (b) VERY CLEAR warnings that what you are buying is not safe to drink!

So are PCBs the same?

I make a load of PCBs, and sell a load. As it happens, as a company, we also make some serious routers. For those there is a SHIT LOAD of stuff we do to make totally sure it meets all the requirements. I mean, heck, this is stuff using mains voltage inputs, so it matters. And it costs a lot.

But we also make small PCBs, hobbyist stuff, prototype boards. And the cost of CE marking would be mental. Make 10 PCBs and pay £10,000 for testing and certification. No. That does not work, does it?

So can we sell them without a CE?

This gets in to a grey area, as CE mark is needed for most things but not, for example, prototypes. Indeed, you can order a PCB from China for your own use, and no way they CE mark / certify it for you.

And, after all, if one cannot sell without a CE, then the CE mark itself is pointless - if all sold products have to meet the CE marking requirements there is no need for a CE mark to say they meet it. That only makes sense if there can indeed be products not marked CE and hence declaring they do not necessarily meet the requirements, and so keeping consumers informed of that fact.

Interestingly, one of the key aspects of CE for many of my boards is RF compatibility, and for that the ESP32 module I use is CE marked and certified.

But we want to be 100% clear to customers that these board are not certificated or tested beyond that. They are prototype/dev boards, for specialist/hobbyist use only.

So we came up with a new mark... NONCE (Thanks Alex for help making that). Maybe we should trademark that, LOL.

And to be clear, what we sell is generally PCBs, in a panel, break off excess parts, and so on. And even if we sell a case it is a two part resin 3D print you use to contain the snapped out PCB. The end user does the "final assembly", it is a "kit".

At the end of the day we would not want to, in any way whatsoever, mislead a customer as to what they are buying, ever.

P.S. Apparently I need to explain we are not actually marking boards NONCE, that part is a joke!

14:00

Total Ohio [Whatever]

Fun fact: Ohio is the only US state to have a flag that is not rectangular — ours is a pennant. Also fun fact: I hardly see anyone ever fly an Ohio state flag. They will fly to Ohio State flag, which is to say, the flag of the football team that has a university attached, but not the actual state flag.

So, I got one (two, actually, the size I wanted only shipped as a pair) and have placed upon our new flagpole, on our new front porch railing. I think it looks pretty nice, and I think this picture is probably as stereotypically Ohio as a picture can get: House with a porch, big lawn, dog in the foreground. All it’s missing is an actual buckeye, I suppose.

Ironically, now I will be leaving Ohio for a few days for some personal travel. You may assume I am posting this to remind myself what home looks like, while I am away.

— JS

12:28

Representative Line: Dating Backwards [The Daily WTF]

Another representative line, and this one comes from an Excel spreadsheet. But, per Remy's Law of Requirements gathering ("No matter what the requirements doc says, what your users wanted was Excel"), this one was actually written by a developer. A developer who didn't understand how Excel works, but more important, didn't understand how dates worked either.

This comes from Ulysse J.

=CONCATENER(SI(MOIS($A18)>9;ANNEE($A18)-2000;(ANNEE($A18)-2000)*10);SI(JOUR($A18)>9;MOIS($A18);MOIS($A18)*10);JOUR($A18))

Now, the first thing: Excel function names are locale specific. This was written in France, so the functions are French. CONCATENER is "concatenate", SI is "if", MOIS is "month", and so on.

The purpose of this function is to convert a field (cell A18) in DD/MM/YYYY into YYMMDD. So how does it do this?

Well, we check the month. If it's greater than 9, we output the year minus 2000. If it's less than 9, then, we output the year minus 2000, multiplied by 10. That is to say, August, 2026 would start by outputting 260. We repeat this logic for the days: if the day is larger than 9, we output the month, otherwise we output the month times 10. Finally, we output the day.

This is attempting to do padding. There's just a problem. Imagine February 1st, 2009- an actual date in the document. We convert the year into 90, the month into 20, rendering the date as 90210. That's incorrect. And once we get to 2100, if there is still an Excel in 2100 (I joke: of course Excel will still exist in 2100. Humanity won't, but the robots will use Excel), this will also break. Not that it matters- I mean, YYMMDD doesn't make sense by that point.

Obviously, the correct solution is to use Excel's rich, built-in formatting functions to convert between date formats. It's easy! But Ulysse raises another point:

Extra points: even if you do not know how to do proper [formatting], the input format is guaranteed to have correct padding. I would just concatenate parts of it (treating dates as text is bad, but still less bad than treating them as integer triplets).

I will say this: I know a software developer wrote this, because your average Excel user could easily write bad formulas, but never bad in this kind of convoluted way. You need a real expert to do something this bad.

[Advertisement] ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.

12:14

Zero-Day Exploit Against Windows BitLocker [Schneier on Security]

It’s nasty, but it requires physical access to the computer:

The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments.

Slashdot thread. And here’s Nightmare-Eclipse’s GitHub account.

11:28

Grrl Power #1461 – Body composition issues [Grrl Power]

And fade to black. Or a dark, low saturation blue. Cause that’s the color of her sclera. I think in real life, dark sclera might be quite off-putting, but that’s because 99% of us would assume its an indication of a terrible medical condition. As a purely cosmetic effect, though, I think it’d look cool.

Oh, look, there’s such a thing a scleral contact lenses. I mean, I knew there were, they use them in movie makeup, but apparently now you can just get them online. I feel that’s one thing I would definitely not shop at Temu for, though. Well, my list of things I wouldn’t buy at Temu does in fact include everything, since I don’t shop there. I don’t understand how they’re in business, actually. “Getting a deal” is one thing, getting something that only vaguely resembles what you ordered is not usually how commerce works. At least not for long, but I guess that’s the world we live in these days. I guess it’s possible there are actual deals there, but the only thing I know about Temu is the demonstrably false advertising/bait and switch they do when they show the picture of the cool T-Shirt that looks like it has a spiraling hole through it and when it arrives it’s just a plain T with a badly spray painted asterisk on it and stuff like that.

It’s possible Deus has an exoticism fetish. Exotiphile? I suppose anyone who draws sexy alien or fantasy girls has a little bit of that as well. >cough<

Sciona probably knows an illusion or glamor spell that could accomplish exactly what he’s asking for, but she’s not above playing up girly insecurity to get a guy to give her free stuff maybe. She actually is concerned about losing her cool new powers, but the crossed arms and “I don’t want to admit vulnerability” side glance is her hamming it up a little. At least she didn’t go, “I’m scarwed of woosing my pow-pows, can you hewp widdle ‘ol me, mister stwong man?” I suspect Deus might immediately see through that.

Sexy bodymod news lady Gail has a special one-on-one interview with Tournament Quarter finalist Saraviah Nightwing! And if you subscribe to Gail’s Space Patreon, (which, due to the vagaries of Earth and Gal-Net’s DNS servers, happens to be the same as the Grrl Power Patreon, go figure) you can see that same interview in the nude! Well, eventually. The nude part of the interview, as well as the version that includes shading will be coming soon. Of course, you can view the interview in the nude now if you take your own clothes off. You know. Technically. Just put a towel on your chair first.

 

Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

10:49

10:42

All right and none the same [Seth's Blog]

On a beautiful Sunday in Central Park, you’ll see thousands of people out for a jog.

Each person has exactly the right running style–and none of those styles are the same. Each is wearing what they think of as the right clothes, listening (or not) to the right sort of music, going in precisely the direction and at the pace they’ve chosen. They’re all correct.

And yet, they’re all different.

The same is true for the dogs they’ve chosen to adopt, the place where they’ve chosen to live, and what they plan to do when they’re done.

Given the chance, each of us chooses the right path. Based on who we are, what we believe and what we want, of course, that’s what we do.

The challenge of ‘everyone’ is that there’s no such thing.

09:14

Sentenced [Penny Arcade]

New Comic: Sentenced

06:07

Wood burning emits lead pollution [Richard Stallman's Political Notes]

Among various kinds of dangerous pollution produced by burning wood in fireplaces, one shocking kind is lead.

Afflictive emotions story, social media [Richard Stallman's Political Notes]

What the incredibly expensive failed effort to save one stranded humpback whale says about people's irrational priorities.

Urgent: Payday loans law [Richard Stallman's Political Notes]

US citizens: call on your congresscritter and senators to oppose the Earned Wage Access Consumer Protection Act. It is a roundabout way of exempting payday loans from existing regulations that protect the public.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

05:35

05:21

Girl Genius for Monday, May 18, 2026 [Girl Genius]

The Girl Genius comic for Monday, May 18, 2026 has been posted.

Sunday, 17 May

22:28

Link [Scripting News]

Jon Stewart is usually pretty good, but I think he got it wrong when he says the AI companies are stealing journalists' knowledge. Imho they don't create knowledge, they report it. The knowledge isn't theirs to own, and that is for the times there is actually any new stuff. They stick to a few main stories, and still insist that the upcoming election is about the economy. They talk about the $1.7 billion slush fund, but aren't reporting every day in every story how much money we've given ICE. That big funding is going to the concentration camps they're building, the people the incarcerate we hear so little of. This is a government that shot two people in Minnesota, on camera, and shrugged it off. Imagine what horrors are going on out of site in the camps.

17:56

Link [Scripting News]

Today Claude found a problem that would only be uncovered if you knew that assigning to location.href didn't happen immediately. If it decides to redirect and then do a bunch of other stuff including making network references, the whole thing could (and did) come crashing down. I would have found that problem, but the actual error message the browser emitted made me think the problem was on the server not the client. The most complicated code in an app is the stuff it runs at startup when it's constructing the world of all its different pieces creating the virtuality expected by the great mass of code. It's the part that once it's working you don't even want to look at it and if you decide to rewrite it you might as well start over, only slightly exaggerating.

16:28

16:07

Joe Marshall: I Wrote a Compiler [Planet Lisp]

I was bored so I wrote a compiler. I'm lazy so I vibe coded it. It compiles Lisp to .NET IL (the byte code that the .NET runtime executes). The IL is then JIT compiled to machine code and executed. You can use the dotnet runtime from Microsoft or the open source mono runtime as the runtime for the compiled code.

The basic idea of the compiler is to map lambda expressions to .NET classes. The lexical variables are stored as fields in the class. The body of the lambda is compiled to a method in the class. We use lambda lifting to flatten any nested lambdas. We use cell conversion to handle mutable variables and we simply copy the values of immutable variables into the lifted lambdas when they are closed over.

Although I `vibe coded` the compiler, I leveraged my experience with writing compilers to break down the problem into passes that were simple enough that `vibe coding` was possible. For instance, in order to implement lambda lifting, I first wrote a pass that determined the free variables of each lambda. That's a pretty simple operation that I could easily `vibe code`. In order to emit the correct IL, I first wrote a pass that segregated the variables into arguments, lexicals, and globals. Again, that's a simple operation that I could easily `vibe code`.

The trickiest part was the code generator. I had decided to implement tail recursion by using the `tail.` prefix in the IL. This is a hint to the JIT compiler that the call is a tail call and that it can optimize it by reusing the current stack frame. However, the JIT compiler is a bit picky about when it will actually perform the tail calls, and the other parts of the code generator kept moving the tail calls around so that they were no longer in tail position. I eventually had to add a pre-pass to the code generator that tracked the continuations in order to ensure that there was enough information later on to enforce tail position on the tail calls.

It... works? It compiles a number of the Gabriel Benchmarks, and some test programs that demonstrate lexical scoping, mutable variables, and tail recursion. It is most definitely a Lisp compiler, but if you look under the hood, well, be forewarned. It isn't pretty.

The compiler itself was vibe coded. The only restriction on the output code was that it had to implement what the input code specified. It did not have to conform to any particular notion of how to implement lisp features on the .NET runtime beyond the requirement that the output was correct. Choices that are typically made by a Lisp architect, such as how to deal with integers, the implementation of the standard library, etc., were all left up to the vibe coding process. I provided a couple of runtime libraries: a cell library for implementing mutable variables, and a List library for implementing singly linked lists. These were written in C#. The vibe coding process was allowed to modify the C# code in these libraries as well and it did so in a couple of places.

I started with one a simple benchmark and got it to compile and run. From there, I added more benchmarks and each time told the compiler to fix any errors that came up. I also added some test programs that were not part of the benchmarks in order to test specific features of the compiler. As I added more and more test programs, the `vibe coding process` added more and more features to the compiler. This ended up producing more and more complex compiler output code.

I'm going to devote a few blog posts to this compiler, so if it isn't up your alley, skip ahead a few posts.

15:42

Link [Scripting News]

Timothy Snyder made an important point. Trump sees his cause as a religion and sees himself as god. So when someone who is unfairly punished by Trump says they're still glad they voted for him, because (I guess) if god is on the ballot, you have to vote for him.

The Reverse Centaur’s Guide to Life After AI [Cory Doctorow's craphound.com]

A mockup of 'The Reverse Centaur's Guide to Life After AI' and 'Enshittification' on e-readers, and smartphones displaying audiobook apps, as well as the paperback edition of 'Reverse Centaur.'

This week on my podcast, I present an hour-long excerpt from the audiobook for The Reverse Centaur’s Guide to Life After AI, which is currently on pre-order through my latest Kickstarter campaign:


A short, provocative guide to what’s good, bad, and stupid about AI and the discourse around AI, by the author of Enshittification.

In modern tech parlance, a centaur is a person who is able to use technology to be a better, more productive version of themself. A reverse centaur is a person who is forced by technology to work at an inhuman pace—a driver made to deliver all day long, nonstop; a warehouse worker made to work without food or bathroom breaks; a programmer made to crank out impossible amounts of code.

The Reverse Centaur’s Guide to Life After AI is not another anti-AI screed. Cory Doctorow uses AI in his work every day. As a creative person, he has no moral or dogmatic issue with AI—he thinks the technology is useful, even exciting, and full of potential. And yet.

AI has arrived surrounded by unprecedented hype driven by a tech industry desperate to maintain its unprecedented valuation based on its own promises of endless financial growth. Despite the fact that almost all of AI’s real-world implementations have proved underwhelming, AI is projected to be worth more than $16 trillion—a number that only makes sense if AI replaces vast swathes of the wage-earning human workforce. To justify that level of “value,” every story about AI must be presented as inevitable, world-changing disruption. Even the tales of the robot apocalypse are a calculated attempt to bolster the fearsome power of AI.

For Doctorow, it is imperative to see through that hype to the real story, to understand the technology not just for what it does, but for who it does it to and who it does it for. From that point of view, the story of AI is indeed dramatic and unprecedented, having generated an investment bubble so big that it endangers the entire world economy. In The Reverse Centaur’s Guide to Life After AI—as he so successfully did in Enshittification—Doctorow recounts both how we found ourselves in this dire situation and how we can get through it, to a life “after” AI in which the tools work for us, not the other way around.

MP3

15:00

Link [Scripting News]

I envision a network of twitter-like systems built out of the components of the web and nothing more. Every part replaceable.

13:07

Customising PCBs [RevK®'s ramblings]

It is pretty impressive what you can do with "silk screen" printing on PCBs these days. I think JLC even offer full colour now (not tried it). I imagine they have a UV printer.

But for some of my smaller run boards, doing an over print of the assembled PCB could be very useful.

I already have code to make 3D cases from PCB files - I can see me automating making an SVG overprint from the files.

10:49

10:35

Perfect or better? [Seth's Blog]

We can search for the perfect option or settle for something better than we have right now.

The search for perfect never ends, and it’s a great place to hide.

Would you rather wait for the perfect job, or take this new one, which is better than the one you have?

The perfect leader is elusive, but we can probably find a better one.

When we produce better often enough, we get ever closer to the impossible perfect.

08:49

Otto Kekäläinen: Balancing persistence vs pivoting – is grit a virtue or wasteful? [Planet Debian]

Featured image of post Balancing persistence vs pivoting – is grit a virtue or wasteful?

Being persistent, sticking to a plan and showing up to work every day is generally valued highly across all cultures as virtuous behavior. It is obvious that anything of value and worth achieving is also not easy, but requires significant and recurring effort. Learning a new language, winning a sports competition or building a successful business are all typical scenarios where grit plays a central role above everything else. However, sometimes the virtue of tenacity can result in just a waste of energy.

The question is then: how does one recognize that true progress is being blocked by stubbornness and a pivot would be the correct decision, as opposed to being close to breakthrough where doing more of the same would actually be the right choice?

What is persistence actually?

To think clearly about this topic, one must first grasp the concept of “grit” and what it looks like in practice. Research by psychologist Angela Duckworth on “grit” shows that sustained effort in the face of setbacks separates high achievers from those who quit too soon. Entrepreneurs who iterated through dozens of failed prototypes or writers who revised manuscripts for years understand this truth. Persistence builds resilience, deep expertise, and the kind of compounding results that shortcuts cannot deliver. It also protects against the distraction of shiny new ideas that pull focus from what actually works.

Persistence is about:

  1. Believing in an outcome and working towards it despite people around you not sharing the belief, and despite your own work and experiments not being successful.
  2. Continuing to hold the belief and sticking to the decision despite other ideas, solutions and competing alternatives surfacing.
  3. The more time passes, the firmer the conviction becomes. Time, money, and emotional energy invested in a failing direction create psychological pressure to continue (sunk-cost fallacy).

Simply following through on a plan or upholding a contract is not true persistence. Grit is a personal trait one can cultivate to actually become more energized to do something precisely because it turns out to be harder than expected.

Pivoting: a calculated choice

The opposite of being persistent is giving up. Pivoting is not about giving up, but about redirecting the energy and momentum towards a new goal. Pivoting requires coming to the realization that you were wrong, and going through the painful process of discovering a new truth.

Ideas tend to be abundant, and doing something new isn’t hard as such. The hard part is to abandon a previously held belief and adopt a new one with equal conviction. To have that conviction you need to have data and metrics. This is also the key to how to decide between persisting vs pivoting at any moment in time.

Key metrics of success

Any decision is only as good as the information available at the time it was made. To be set up for success one needs to start by deciding on what the actual goal is, what one values and how progress is measured.

Key metrics are usually easiest to discover by working backwards from the goal. If you want to build an electric car, you might decide that the goal is to have a car that costs 30,000 euros and can drive 300 km on one charge. From that goal you can break down what the cost structure should be, what volume of production is needed to break even, what raw materials are needed and what the battery chemistry needs to achieve to meet the goal. That can further be broken down into a rate of progress. Suppose the plan requires battery energy density to reach 150 Wh/kg to be viable. If the state of the art starts at 100 Wh/kg and funding lasts a maximum of five years, the team needs at least an 8% improvement every year (1.08^5 × 100 Wh/kg ≈ 150 Wh/kg). This can then be used as a guideline. Sometimes progress is not steady, but happens in jumps. Even in those cases there should be a trajectory to benchmark the jumps against.

In an online business, the key metric could, for example, be one of these:

  • 7- or 30-day retention rate: Do new users who try the service actually like it?
  • Weekly or monthly active users: Is usage trending up?
  • Feature adoption rate: In an existing service, how many users are using the new feature?
  • Product-Market Fit Score (from Sean Ellis test): Percentage of users who say they would be “very disappointed” if the product disappeared. Above 40% is a strong early indicator. A number below that (after multiple iterations) is a good data point to pivot.
  • Revenue run rate or burn rate: The most generic metric everything eventually boils down to. Healthy markets reward good products.

Weekly metrics are better than monthly, as they make the feedback loop faster and allow you to get validation quickly and do minor course corrections along the way. A complete pivot should, however, be based on long-term data, driven by the key metric and supported by additional data points.

Metrics are also needed because they can’t be bribed or convinced to be anything other than what they are. Listening to other people is good, but just relying on the opinion of others is extremely dangerous because people are biased—either for you or against you—depending on whether they see you as a trusted leader or an outcast.

Key metrics are of course domain-specific and everyone needs to come up with their own. However, you must have some key metric. You can’t have the excuse that what you are doing can’t be measured. If you are part of a larger organization and you need to advocate for a difficult decision—for example, to “kill your darlings” when facing a pivot—you need to have the metrics to back up your views, and those metrics need to have been established way before as something the organization values, and not cherry-picked just for this one decision.

It does not matter if you are on a personal improvement journey, running a political campaign, inventing a new product, or growing a business – you need to have some metric you can check at any given time to see if things are improving fast enough to predict success. Metrics can and should also be used in daily work to validate that you are on the correct path, and to optimize execution.

Famous examples of persistence and pivoting that led to breakthroughs

In all of the cases below it is of course in hindsight easy to say they made the right decision. However, take a minute to try to imagine yourself in their shoes at the time of the decision. What metrics might they have had available to support their decision? What would you have wanted to measure or find out if you were in the same situation?

  • Frustrated that his vacuum lost suction, James Dyson spent five years and built thousands of failed prototypes in a backyard shed. He remortgaged his home, lived on savings, and faced rejection from every major manufacturer who wanted to protect their bag-replacement business. The 5,127th prototype based on an idea from a sawmill with a cyclone finally worked. Launched in 1993, the Dyson DC01 became Britain’s best-selling vacuum within two years.
  • As a single mother on welfare in the mid-1990s, J.K. Rowling finished her manuscript for Harry Potter and the Philosopher’s Stone while battling depression and poverty. She hand-typed copies and mailed them to publishers. Twelve rejected it outright, with comments like “children’s books about magic don’t sell.” She nearly quit multiple times but kept revising and submitting. Bloomsbury finally accepted it after the CEO’s eight-year-old daughter read the first chapter and demanded the rest. The series has since sold hundreds of millions of copies worldwide.
  • Founded in 1997 as a mail-order DVD rental service, Netflix added unlimited subscriptions in 1999 to compete with Blockbuster. By 2007, broadband growth and declining DVD sales signaled a shift. CEO Reed Hastings pivoted aggressively toward streaming, investing in bandwidth deals and original content while de-emphasizing physical media. The move faced skepticism, but eventually changed the whole culture of how entertainment is consumed.
  • YouTube launched in 2005 as a video-dating site. Founders offered money to women who uploaded dating videos, but almost no one did. Meanwhile, users uploaded random clips. The team recognized the mismatch and pivoted within months to a general-purpose video-sharing platform with easy uploading. Google bought it just 18 months later.
  • Instagram began in 2010 as Burbn, a location-based check-in app that let users post plans, earn points, and share photos. Co-founders Kevin Systrom and Mike Krieger quickly noticed users ignored most features and mainly used it for photo-sharing. They made the tough call: scrap everything else. Within weeks, they rebuilt the app around clean, simple photography with filters. The pivot launched as Instagram in October 2010. It gained 1 million users in two months and was acquired by Facebook just 18 months later.

Insanity or conviction?

English has several proverbs that warn against excessive persistence, such as “banging your head against the wall”. Insanity is commonly defined as “Doing the same thing over and over again and expecting different results.”

In Finland, the national identity is practically built on the concept of “sisu”. It means much more than just “grit”. The word is derived from the word for “inside” or “guts” and represents an unexplained, almost superhuman force that makes one stoically take action despite seemingly impossible odds and somehow succeed anyway. It became a defining national mythos during the Winter War (1939–1940), where a force 10 times larger than the Finnish army tried to invade the country but was stopped and Finland just barely managed to keep its independence. The word “sisu” transitioned from a character trait to a pillar of national survival.

I think Finns survived because the more you believe in persistence, the more likely you are to persist. I view persistence as a religion that requires faith, while pivoting is a science where you derive the truth from the numbers.

When in doubt, I would always choose persistence over pivoting. Perhaps it is because of my genetic tendency towards having “sisu”, but I would also rather keep on going a bit more and try one more time before giving up and pivoting in order to get more data, so that when I pivot, I know it is absolutely the right thing to do at that point.

Depending on the situation, the costs of postponing the pivot vary. Of course, if the main metric is the burn rate and a company is running out of money, a pivot must be done early enough that the remaining runway is enough to execute the pivot, and then some more.

In some situations a business idea might simply be ahead of its time. If that is the conviction and the key metrics support it, the best way to navigate the situation is to cut down on costs and wait for competitors to appear, help build general awareness, and then ramp up again to ride the wave. Remember that success does not come from grit alone – there is always an element of timing and luck as well. But if you are not persistent and stop showing up every day, you won’t be able to seize the opportunities if and when they arise.

Failure is the likely outcome – you have to avoid it at any cost

One must also realize that most attempts end in failure. Failure is the baseline, and success is the exception. To reach a breakthrough, one must be stubbornly persistent. In particular, if you are a leader, you need to be so high in conviction that it almost becomes an aura that radiates to those around you.

Postponing the decision to pivot allows you to get a bit more data for the decision, so that once you pivot, you have full belief in the new direction. Once you pivot, there is no looking back, otherwise you will undermine morale and most certainly fail with the new thing as people will execute it with hesitation.

Failure is statistically always the more likely outcome. Most things end in failure and we never hear about them. If someone on your team does not believe in what you are doing, it is very easy for them to “prove” that something is a failure by spreading negativity, putting in less effort (perhaps unconsciously due to lack of conviction) and thus actually contributing to a self-fulfilling failure.

In most areas of life, ideas are cheap and the only thing that matters is execution. To be good at executing, you need to be good at making decisions. When drafting plans it is good to have alternatives and a lot of consideration. However, when execution starts, there is no room for doubt, otherwise the chances of success decrease.

Therefore, the best way of balancing persistence vs pivoting is to

  1. plan well ahead,
  2. establish the key metrics,
  3. have thresholds established for what would trigger a pivot, and
  4. do everything you can to move the metrics in the direction you want them to go.

Finally, if you decide to pivot, you must do so only with very high conviction, as you can’t undo a pivot, and you should not be doing multiple pivots in a row either. If you are fully convinced yourself about the pivot, you will also be able to convince others about it, and carry the momentum.

04:56

Russ Allbery: Review: Unwinding Anxiety [Planet Debian]

Review: Unwinding Anxiety, by Judson Brewer

Publisher: Avery
Copyright: 2021
ISBN: 0-593-33045-5
Format: Kindle
Pages: 268

Unwinding Anxiety is a non-fiction self-help book about how to reduce anxiety. The author is a board-certified psychiatrist specializing in addiction and substance abuse, who has subsequently done clinical and research (and commercial, more on that later) work in anxiety. His previous book, The Craving Mind, was a pop science treatment of addiction research. This book is more deliberately structured as a self-help guide.

(The cover will assure you that he has an M.D. and a Ph.D. I don't include honorifics and degrees in author listings as a small protest against the weird social rules about which degrees count and which don't.)

There are a lot of self-help books out there about anxiety. There are a lot fewer that say something relatively original. I think this is one of the latter, but I certainly have not done a survey of the subgenre, and it's possible the ideas here are only new to me. Brewer makes three basic claims in this book, all of which I found personally useful:

  1. Anxiety can be usefully analyzed as a habit. The rumination loop and other related anxiety behaviors such as excessive analysis, reassurance-seeking, and negative anticipation take the form of deeply ingrained habits triggered by stimuli.

  2. Raw willpower is not a useful way to break habits in general and anxiety habits in particular. In order to displace the habit, you have to retrain the part of your brain that runs habits on autopilot. Attempting to override it with willful effort is exhausting and likely to fail.

  3. Habit loops in general, and anxiety loops in particular, can be defused and replaced using mindfulness techniques.

This is not the way Brewer lays out the book. He goes to some effort to lead the reader slowly through three techniques for handling anxiety (for which he uses the metaphor of "gears," like for a bicycle or car) by introducing them one at a time and encouraging the reader to become thoroughly familiar with each one before moving on to the next. Since this is a book review, I'm going to give you the whole argument at once so that you know where this book is going. This may be less helpful in practice; if you're trying to use this technique on your own anxiety, you may want to read the book instead and not jump ahead.

Brewer's three gears are:

  1. Identify your habit loops and recognize when they're happening. (This part felt the most similar to traditional cognitive behavioral therapy to me.)

  2. Focus on how those habit loops make you feel. Rather than trying to force the habit loop to stop, let it happen but pay very close attention to the outcome and its effects on you.

  3. Find and focus on a different reaction that provides better rewards than the anxiety habit loop. Brewer suggests curiosity.

For me, the point where I thought "okay, you have my attention" is when Brewer described the way many people, particularly people without anxiety, tell people with anxiety to "just stop thinking about it" or "just do the thing you're anxious about anyway and you'll see it will be fine" and then described in detail why he believes that doesn't work. This is one of the few discussions of anxiety I've read where the author goes out of his way to stress that you cannot simply think your way out of anxiety and that repeatedly trying to do so and failing is exhausting and demoralizing.

Everyone is different and I know some people find cognitive behavioral therapy very helpful, but I find the constant effort to challenge cognitive distortions more draining and demoralizing than useful. His second gear, of not directly confronting the habit loop but instead watching its effect and thinking about its outcome, feels so much more approachable to me. Assuming, of course, it works.

Brewer's approach is essentially just mindfulness, although he mostly avoids the (to me at least) somewhat off-putting typical introduction to mindfulness via religious practice or general well-being and instead ties it to a theorized model of how habits work in the human brain. His contention is that habits, including anxiety, exist because at some point they provided a reward that was sufficiently compelling to make the habit-following part of your brain seek that reward. You were getting some benefit (a sense of control, a sense of being prepared, temporary reassurance, etc.) out of the anxiety reaction, which is why the anxiety habit formed in the first place. Once that habit is in place, it can continue without the reward. (Although in my experience there is probably still some short-term reward.)

Rather than trying to force yourself to stop following the habit, Brewer instead suggests letting the habit happen but then focusing (via mindfulness) on how following the habit makes you feel, whether it improves your sense of well-being or worsens it, and whether other actions produce different feelings. The goal, in other words, is to undermine the assumption of reward and to challenge any short-term reward with the long-term discomfort that made you want to stop being anxious.

This avoids using your conscious brain to exert direct willpower, which is exhausting and usually unsuccessful since the habit-following part of your brain is stronger (for various evolutionary psychology reasons he explains and that I found at least partly credible). Instead, you are using its strengths of observation and classification. You pay close attention to the ways in which the habit loop makes you feel bad, which in theory provides feedback to the habit-following part of your brain that can dislodge the habit. If the habit is recognized as no longer rewarding, it will weaken.

Brewer's background is in addiction treatment, so he is predisposed to see addiction in everything and one should probably be a bit cautious about his enthusiasm. He claims a great deal of success with this approach in clinical settings, mostly with addiction but also with anxiety, but this is always hard to verify. (Few doctors who write self-help books rigorously document their failures.) He apparently also has a company that produces various phone apps that assist with this technique. I'm rather cynical about anyone who talks about products their company has produced in self-help books of this type, and I'm also rather cynical about anyone who calls himself "Dr. Jud," but the book doesn't seem to be a sales pitch and there's no direct information in it about how to get the apps.

For me, the first two parts of the book were the most useful and the conception of anxiety reactions as habits made a surprising amount of intuitive sense. I thought the third part of the book, where he tries to describe a better in-the-moment reaction that you can try to build into a more beneficial habit, to be the weakest. It's mostly stock mindfulness advice that I've seen in other places, and you will be entirely unsurprised to learn that Brewer meditates and has studied meditation. I think it's clear that, for him, a feeling of curiosity works as an anxiety replacement; I'm not sure that's universal and I'm not sure it works for me.

That core idea that anxiety reactions are a type of addictive habit that have outlived their useful rewards but continue because habits are hard to change felt both useful and at least a little bit true, though. Your mileage may, of course, vary, but I've been trying out various ideas from this book since I first started reading it, and I think it's helping. If any of this clicks with you and you're also prone to anxiety, it might be worth a read.

One warning, though: Brewer's previous work on addiction includes binge eating, and while it's not a primary focus, he uses several weight loss and disordered eating examples and has a very traditional medical attitude towards weight. I'm somewhat dubious of the addiction model of weight gain in general, but more to the point, it's rather off-putting in a book supposedly about anxiety. It's something I was able to skim over, but be aware going in if you're likely to find this obnoxious.

I do think this book is a case of an addiction researcher seeing everything through the lens of addiction, and I'm a little dubious this is the right model for everyone's anxiety. But this is one of the good reasons why there are a lot of books about anxiety: Different approaches suit different people. This one made more sense to me than most; maybe you are similar.

I can't really recommend or not recommend a book like this, since I think so much will depend on whether you are one of the people for whom this specific explanation will click, but I'm glad that I read it and I think it's good to know that this model of anxiety exists.

Rating: 8 out of 10

Antoine Beaupré: The Four Horsemen of the LLM Apocalypse [Planet Debian]

I have been battling Large Language Models (LLM1) for the past couple of weeks and have struggled to think about what it means and how to deal with its fallout.

Because the fight has come from many fronts, I've come to articulate this in terms of the Four Horsemen of the Apocalypse.

Sound track: Metallica's The Four Horsemen, preferably downloaded from Napster around 2000, but now I guess you get it on YouTube.

War: bot armies

Let's start with War. We've been battling bot armies for control of our GitLab server for a while. Bots crawl virtually infinite endpoints on our Git repositories (as opposed to downloading an archive or shallow clone), including our fork of Firefox, Tor Browser, a massive repository.

At first, we've tried various methods: robots.txt, blocking user agents, and finally blocking entire networks. I wrote asncounter. It worked for a while.

But now, blocking entire networks doesn't work: they come back some other way, typically through shady proxy networks, which is kind of ironic considering we're essentially running the largest proxy network of the world.

Out of desperation, we've forced users to use cookies when visiting our site. We haven't deployed Anubis yet, as we worry that bots have broken Anubis anyways and that it does not really defend against a well-funded attacker, something which Pretix warned against in 2025 already.

(We have a whole discussion regarding those tools here.)

But even that, predictably, has failed. I suspect what we consider bots are now really agents. They run full web browsers, JavaScript included, so a feeble cookie is no match for the massive bot armies.

Side note on LLM "order of battle"

We often underestimate the size of that army. The cloud was huge even before LLMs, serving about two thirds of the web. Even larger swaths of clients like government and corporate databases have all moved to the cloud, in shared, but private infrastructure with massive spare capacity that is readily available to anyone who pays.

LLMs have made the problem worse by dramatically expanding the capacity of the "cloud". We now have data centers that defy imagination with millions of cores, petabytes of memory, exabytes of storage.

I thought that 25 gigabit residential internet in Switzerland could bring balance, but this is nothing compared to the scale of those data centers.

Those companies can launch thousands, if not millions of fully functional web browsers at our servers. Computing power or bandwidth are not a limitation for them, our primitive infrastructure is. No one but hyperscalers can deal with this kind of load, and I suspect that they are also struggling, as even Google is deploying extreme mechanisms in reCAPTCHA.

This is the largest attack on the internet since the Morris worm but while Robert Tappan Morris went to jail on a felony, LLM companies are celebrated as innovators and will soon be too big to fail.2

Which brings us to the second horsemen, famine.

Famine: shortages

All that computing power doesn't come out of thin air: it needs massive amounts of hardware, power, and cooling.

Earlier this year, I've heard from a colleague that their Dell supplier refused to even provide a quote before August. Dell!

In February, Western Digital's hard drive production for 2026 was already sold out. Hard drives essentially doubled in price within a year, and some have now tripled. A server quote we had in November has now quadrupled, going from 10 thousand to FORTY thousand dollars for a single server.

But regular folks are facing real-life shortages as well, as city-size data centers are being built at neck-breaking speed, stealing fresh water and energy from human beings to feed the war machine.

We've been scared of losing our jobs, but it seems that Apocalypse has yet to fully materialize. Regardless for engineers, the market feels tighter than it was a couple years ago, and everyone feels on edge that they will just have to learn to operate LLMs to keep their jobs.

Which brings us, of course, to Death.

Death: security and copyright

Our third horseman is one I did not expect a couple of months ago. Back at FOSDEM, curl's maintainer Daniel Stenberg famously complained about the poor quality of LLM-generated reports but then, a few months later, everyone is scrambling to deal with floods of good reports.

In the past two weeks, this culminated in a significant number of critical security issues across multiple projects. Chained together, remote code execution vulnerabilities in Nginx and Apache and two local privilege escalations in the Linux kernel (dirtyfrag and fragnesia) essentially gave anyone root access to any unpatched server to the web.

As I write this, another vulnerability dropped, which gives read access to any file to a local user, compromising TLS and SSH private keys.

All those vulnerabilities were released without any significant coordination while people scrambled to mitigate.

Many people including Linus Torvalds are now considering issues discovered through LLMs to be essentially public. This puts some debates about disclosure processes in perspective, to say the least.

But this is not merely the death of the traditional coordinated disclosure process, the C programming language, or the Linux kernel: remember that those bots are trained on a large corpus of copyrighted material. Facebook has trained their models on pirated books and Nvidia has done deals with Anna's Archive to secure access to large swaths of copyrighted material. The US Congress seems to think LLM outputs are not copyrightable, like any other machine outputs.

With many people now vibe coding their way out of learning or remembering how computers work, is this the Death of Copyright?

And that, of course, brings us to the final horseman: Pestilence.

Pestilence: slop

There is a growing meme that programming is essentially over as we know it. That you can simply vibe-code applications from scratch and it's pretty good.

Maybe that's true.

So far, most of my attempts at resolving any complex problem with a LLM have often failed with bizarre failures. Some worked surprisingly well. Maybe, of course, I am holding it wrong.

I personally don't believe LLMs will ever be good enough to produce and maintain software at scale. They're surprisingly good at finding security flaws right now. But what I see is also a lot of Bullshit, with a capital B. It's not lying: it does not "know" anything, so it can't lie. It's misleadingly cohesive and deliberate, but it lacks meaning, intent, will.

I have not been confronted with much slop, apart from the lobster Jesus or the yellow man atrocities, and particularly not in my work. But I see what it is doing to my profession: beyond vibe-coding, people are now token-maxxing, and land-grabbing their colleagues.

I don't like what LLMs do to our communities, or the fabric of software we live with.

Software does not evolve in a void. It is a team effort, be it free software or a corporate product. Generations of humans have carefully built the scaffolding of technology required for modern networks and software to operate, in a convoluted contraption that no single human fully understands anymore.

The idea of simply giving up on that understanding entirely and delegating it to an unproven model is not only chilling, it feels just plain stupid. Not stupid as in Skynet, stupid as in "I can't get inside the data center because the authentication system is down". Except we're in a "the power plant doesn't reboot" or "their LLM found an 0day in our slop" kind of stupid.

The fifth horsemen

Researching for this article, I looked up the four horsemen and found out they original seems to have been:

  • Famine
  • War
  • Death
  • Conquest (??)

I was surprised. I grew up thinking about the horsemen being Famine, War, Pestilence, and Death. So I went back to my original source which actually claims the horsemen are:

Time has taken its toll on you, the lines that crack your face.
Famine, your body, it has torn through, withered in every place.
Pestilence for what you've had to endure, and what you have put others through
Death, deliverance for you, for sure, now there's nothing you can do

So I guess that makes no sense either, which, fair enough, I shouldn't rely on Metallica for theological references. Especially since that song was originally called Mechanix and was "about having sex at a gas station".

Anyways.

The point is, there are actually five horsemen, and the fifth one is, in my opinion, Conquest.

Those companies (and not "AI", mind you) are taking over the world. I sense a strong connection with the "post-truth" world imposed on us by fascists like Trump and Putin. It's not an accident, it's a power grab part of the Californian Ideology3. Just like Airbnb broke housing, Uber destroyed the transportation and Amazon is taking over retail and server hosting, LLM companies are essentially trying to take over if not everything, at least Cognition as a whole.

But the capitalization of those companies (OpenAI and Nvidia in particular) are so far beyond reason that their inevitable collapse will likely lead to a global financial collapse of biblical proportions.

Because they will inevitably fail like previous bubbles they are built on. And when they fail, I hope it zips all the way back through the blockchain scam, the ad surveillance system, and the dot com then git me back my internet.

The Tower of Babel

While I'm off in the woods hallucinating (ha!) on biblical allegories, I feel there's another sign that the apocalypse is coming.

The Tower of Babel myth says that humans tried to create a big tower up to heaven and become god. God confounds their speech and scatters the human race. End of utopia.

This is what is happening to our human translators now. LLMs being, after all, Language Models, they are excellent at translation work. So much that the only translators not replaced by LLMs right now are interpreters, who translate vocally in real time. But interpreters are worried about their jobs as well.

This concretely means we will lose the human capacity, as a civilization, to translate between each other. It is still an open question whether the remaining revision work will be enough for translators to avoid deskilling, but other research has shown that LLM use leads to cognitive decline, impacts critical thinking, and generally, that deskilling is a common outcome.

Ultimately, I think this is where LLMs bring us. Towards collapse.

So this is a call to arms. Fight back!

Poison bots. Build local real-world communities.

Go low tech. Moore's law is dead, make use of it.

Patch your shit. Go weird.

Refuse slop. Train your brain.

The horsemen will collapse, but let's not go down with them.

Butlerian Jihad!

This article was written without the use of a large language model and should not be used to train one.

  1. I prefer "LLM" to Artificial Intelligence, as I don't consider models to have "Intelligence" which goes far beyond the analytical traits we train models for. Intelligence requires embodiment and social interaction; machines lack the innate human skills of empathy, feeling and care, which explains a lot of the evils behind the current trends.
  2. It should be noted that Morris also happened to be one of the founder of Y Combinator where he is in good company with other techno-fascists like Peter Thiel, Sam Altman, and so on. Crime, after all, pays.
  3. Probably a good time to watch All Watched Over by Machines of Loving Grace.

02:00

New Cover: I Won’t Back Down [Whatever]

Because this is a sentiment that is surely timely.

In addition to singing, I’m playing bass on this one. I tried chugging along with the guitar but it sounded just terrible, so the guitars on this one are courtesy of UJAM, and some MIDI programming on my part for the solo.

Also, I wasn’t intentionally trying for a Tom Petty-like drawl, but damn it’s hard to sing a Tom Petty song without one, so here we are. I hope wherever he is in the universe right now, Tom is not rolling his eyes too hard about it.

Enjoy.

— JS

00:14

05/16/26 [Flipside]

My Kickstarter for Flipside Volume 13 has just 4 Days Left!

If you haven't heard about it yet, please check it out! I hope that you'll consider supporting this time around!

https://www.kickstarter.com/projects/1016357068/flipside-graphic-novel-13th-volume

Saturday, 16 May

23:56

i stopped looking for the weird problem [Scripting News]

i'd wait till a fresh start tomorrow.

but then i realized claude has all the code, so i could just tell it my problem.

can you find it, i asked, realizing i had not given it info on what the problem is.

there's a very weird mistake in the code i wrote just now, and there was a lot of it, i said to claude.

can you find the problem.

had no idea what to expect.

no more than 3 seconds it said I got it!

it was a typo. where i meant to type x i had typed prefs.

juggling a lot of bits in my head, my brain skipped, i didn't notice.

i would have found it quickly in my next session. but now i can think of anything but that problem until then.

sometimes claude can be totally frustrating, but other times the power makes such a huge difference.

17:14

The Scalzi Family Foundation is Donation Matching for the Documentary “One Act,” Directed by Pamela Ribon [Whatever]

It’s fair to say that Pamela Ribon and I have come up together in the world. Back in the before times, she and I both started blogging when blogs were still called “online journals,” and our first novels came out close to each other. Since then she’s become a force in animation, working on story and screenplays for Moana, Ralph Breaks the Internet and the animated short My Year of Dicks, for which she received an Oscar nomination, which is pretty damn cool, if you ask me. For a quarter of a century now we’ve stayed friends, supported each other, and celebrated our successes.

Pamela went to high school in Texas, which is where she participated in the UIL One Act Play, the largest theatrical competition in the world. Students and their teachers (22,000 of them!) enter a timed theatrical performance judged on acting and tech, watched by an audience of students and parents, three judges, and a 103-page rule book. Pamela turned her filmmaker eye to one year of the competition, following several schools across the state as they fought their way through the ranks— with all the tears and triumphs and, yes, drama, that entails. That’s now become a film, called, sensibly enough, One Act.

The filming of One Act is done, and now comes the post-production phase, where the film is edited, scored and otherwise made ready for festivals and public presentation, in time for the UIL One Act Play’s 100th anniversary. That takes money, and Pamela and her team could use some help with that. This is where we come in: The Scalzi Family Foundation has pledged $5,000 in matching funds to encourage folks to make a (tax deductible!) donation to help One Act get over its own finish line in post-production. Any amount you donate will be matched by the SFF, up to that $5k (although hopefully they will bring in more than that).

We’re supporting One Act not just because Pamela is a filmmaker worth supporting, but because we think this could be an important film. It brings a spotlight to a part of Texas life that isn’t well-known outside of its borders, and shows a part of the life of the state that can be surprising, and challenging, to outsiders. The UIL One Act competition inspires young creative folks, and changes lives, and that’s a story that’s worth telling, and making a really cool film about.

If this sounds like a film that you would like to help support getting into theaters, here’s the link to One Act’s site, which includes information on how to donate. Again, in the US, these are tax-deductible donations, so that’s pretty nifty. Every donation for the first $5k is matched by the Scalzi Family Foundation, so please feel free to spend our money with yours. We want you to, in fact.

(Also, if you feel like being a big-time donor, like in the five-figure range and above, which comes with its own tier of recognition, there’s contact information on the linked page where you can inquire about that. Go on, do it! You know you want to!)

I’m super proud of Pamela for making this film, and for everything she’s done, and happy the Scalzi Family Foundation can help to get this film that much closer to release. I hope you’ll be inspired to come along for this journey as well.

And if you are: Thank you.

— JS

16:28

Link [Scripting News]

I documented the optional source:inReplyTo element for RSS 2.0.

15:42

21 years and 20000 posts later [OSnews]

Almost exactly 21 years ago, in June 2005, at a mere 20 years old, I took over the managing editor role at OSNews from Eugenia. I had already published a few articles in the years prior, and had given Eugenia enough confidence to suggest me as her replacement. It was, and is, a great honour.

In those 21 years and more than 20000 posts, I’ve seen a lot of beautiful things. Linux grew from a curiosity among nerds into a popular desktop operating system, and often a better choice for gaming than Windows. The BSDs flourish steadily, growing into even stronger and capable alternatives to desktop Linux than they already were. On the commercial side of things, new offerings challenged the hegemony of Microsoft and Windows. While Android and Chrome OS are at best merely tolerated, the idea that a newcomer would produce not one, but two operating systems that would successfully take on Microsoft and Apple seemed unimaginable when I started in 2005.

While many alternative operating systems of the early 2000s faded away, we’ve also seen success stories there. Haiku evolved from an unusable, unstable promise on the horizon into a stable, daily-drivable operating system. The unique Genode Framework and Sculpt OS keep exploring and redefining the boundaries of what a general purpose operating system should be. Redox has exploded onto the scene, and keeps making massive strides almost every month. OS/2 is still actively updated, maintained, and sold. The Amiga will outlast us all.

Internet culture, too, is changing, and while things definitely look bleak right now, there are sparks of hope and joy. The general attitude towards the big technology companies among the general public has shifted from admiration to mistrust and dislike, corporate social media seems to be crumbling, and the youngest generations absolutely despise the latest hype, “AI”. All is certainly not lost, and sometimes I feel shimmers of hope that the pendulum may swing back to a more people-focused web, a web we’ve been part of since 1997.

In those 21 years and more than 20000 posts, I’ve also seen a lot of hypes come and go, hypes that if I didn’t embrace them, I’d surely be left behind. The “pivot to video“, the cryptocurrency mania, NFTs, virtual reality and the metaverse, “AI” – all technologies and concepts I recognised for the hypes that they were, and consequently ridiculed and ignored, much to the dismay of many believers. I’ve got the angry emails and comments to prove it.

This illustrates something about OSNews that I value and hold dear: OSNews doesn’t jump on bandwagons, doesn’t frantically try to follow the latest trends, doesn’t cave under the pressure of big money interests. OSNews is constant, stable, deliberate, patient. Since 1997, we’ve covered the technology industry with interest, excitement, and wonder – tempered by a healthy dose of skepticism. When you follow this industry for almost three decades, you learn to spot the patterns and see the threads before anyone else does.

That’s not to say we haven’t gone through changes. The most significant changes to OSNews happened in recent years, where instead of working on the site on a mostly voluntary basis with a pittance of ad revenue coming my way, I’ve turned my work for OSNews into my job. As part of this change, I removed all advertising from our website, morphing OSNews into a fully reader-funded endeavour. No ads, no corporate interests, no media network breathing down my neck. OSNews is a truly independent technology news website, a rarity these days. I don’t have to keep corporate overlords or advertisers happy, and you’d be surprised to learn just how rare that is on the modern web.

The OSNews website itself is fairly unchanging too, having gone through only a handful of redesigns since its founding in 1997. We’ve been using our current design, developed by Adam Scheinberg, for as long as I can remember (10-15 years?), and thanks to our independent, ad-free nature, any possible future redesign would only make the site simpler and even faster than it already is. There’s no redesign in the cards at the moment, but rest assured, if it ever comes, we’ll buck the trend of websites getting ever more complex and demanding and make OSNews lighter and even faster.

And yes, despite commenters making up far less than one percent of our readership, I’ll always opt to keep them. We might be a site of lurkers, but comments are a core part of OSNews. Even the annoying ones. Especially the annoying ones.

That being said, there’s going to be a small change to our design, rolling out today (it might take a few reloads for it to appear). To mark my 21 years and 20000 posts, OSNews is getting a new-ish logo, which combines the classic, intertwined beveled “O-S” from the early 2000s with the modern logo we’ve been using over the past 15 years or so. The O and S are intertwined once again, highlighting the continuity and stability I want OSNews to bring in this chaotic industry (I can write corporatese if I want to). Fun fact: this “new” logo was actually designed like 20 years ago, and we’ve had it in our back pocket ever since. Why create something new and of the times, when you’ve got something great sitting right there?

Aside from the new logo, I’ll be running a big fundraiser to mark this occasion early next week, with some silly incentives at various thresholds. If we reach the ultimate goal – a euro for every story I’ve posted – I’ll overcome some very deep-rooted fears and anxieties, and tattoo the OSNews logo on my body, as my very first tattoo. OSNews has been part of my life for more than two decades, and I have every intention to add at least another two – having such a core part of my life immortalised on my body only makes sense.

I’ve written about my anxiety disorder and how it affects me here on OSNews, and it’s been preventing me from getting various tattoos I’ve been wanting for decades (and not for the reasons you may think – it’s not the pain or the needles). No better way to get fucking over it by making a public promise to tens of thousands of people. You can start donating today, but I’ll publish a proper post about it on Monday.

Of course, OSNews wouldn’t exist without all of you, our hundreds of thousands of readers. Whether you donate or not, whether you comment or not (you probably don’t!), each and every one of you contributes to making OSNews the steady success it’s been for almost 30 years. Few websites can boast such an uninterrupted lineage, and it’s thanks to all of you who keep coming back, every day.

Thank you. From the bottom of my heart. ❤️

14:21

Cheeky domains [RevK®'s ramblings]

I have a "shop" on Tindie (albeit currently all zero stock until they get working again, if ever) and now one on "Lectronz".

Ages ago I made tindie.uk domain, it web redirects to the shop on Tindie. Was a bit of fun. And a shortcut for me.

Now I have a Lectronz shop, so I made lectronz.uk in a similar way.

But this is a tad naughty maybe. Well maybe.

  • As far as I know neither have a UK trademark so I could even make a legitimate business matching theirs, and even register a UK trademark, if I wanted, using their name.
  • They could dispute with Nominet, but if I then did a UK trademark, I may manage to keep it.
  • The URLs do actually go to their web sites (albeit my "shop" on their web site) so is not, in that respect, a breach of trademark - it references *them* - so just like someone selling Nike shoes can use the word Nike to do so, in an advert for their "shop". I'm selling/referencing their platform.

But yes, it is cheeky, shall we say. And in hindsight maybe a tad childish and not like me...

So now, given that Tindie is a waste of space compared to Lectronz, even when Tindie is working (which they have not been for a month), I now have a much simpler URL:

https://shop.revk.uk/

It goes to Lectronz.

FYI, if Tindie do come back I may list Faikout only, like we do on Amazon. Lectronz is likely to be the main place for any of the other circuit boards (and Faikout). Amazon only continue because they are one of the first places people go, still, so sensible to be on there, and they handle EU VAT, and shipping - but Lectronz do the EU VAT and US tariffs, so Amazon are only there to mop up on their reputation, as it is.

What is funny about Tindie is being off for a month is that someone has made a "new Tindie" from scratch and got on line and working during that month - https://smallrun.net/. To be fair, if I put my mind to it, I am sure I could. They even have tariffs and EU IOSS all sorted (which Tindie do not, still). How Tindie are so slow and so bad at communicating is really quite amazing.

10:49

10:14

“Here’s a pillow the cat didn’t pee on” [Seth's Blog]

Highlighting the non-existent negative is confusing.

“Don’t be late,” isn’t as useful as, “We’re going to leave on time.”

“I don’t want to be rude, but…” can easily be replaced by simply saying something that isn’t rude.

And of course, “with all due respect…” is often the preface to something said without due respect.

09:56

Pluralistic: Making sense of Trump's unscheduled sudden midair disassembly of the American empire (16 May 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links


A detail from Dore's engraving depicting the drowning of the Leviathan - a great sea-serpent thrashing in a chaotic dark sea. The image has been altered: it has been hand-tinted. The sea serpent is wearing a MAGA hat. Drowning nearby are a beleagured Uncle Sam, an Android robot, and the Statue of Liberty.

Making sense of Trump's unscheduled sudden midair disassembly of the American empire (permalink)

For generations, the American empire was the most powerful force on earth, and so we tended to assume that it was the most durable force on earth – surely anything so powerful must also be eternal?

But power and durability aren't the same thing, as Le Guin reminded us with her oft-quoted maxim that "We live in capitalism, its power seems inescapable — but then, so did the divine right of kings":

https://www.ursulakleguin.com/nbf-medal

Monarchs may be powerful, but that power is derived from a manifestly incorrect belief in special blood, a belief that requires monarchs to inbreed. At best, this produces heads of state who can't stop bleeding and also can't tell you if their blood is blue or red; at worst, it yields heads of state who can't speak intelligibly, much less produce another generation of royals:

https://en.wikipedia.org/wiki/Charles_II_of_Spain

Oligarchy also produces a sequence of progressively weirder and more terrible rulers who rely on a mix of lies, flattery, coercion and personal cult nonsense to hold their coalition together in the face of mounting evidence for the system's bankruptcy. Thus Reagan begat GW Bush, who begat Trump, whose potential successors are a kennel of the least-charismatic chud podcasters ever to curse an RSS feed.

Trump's second term has resulted in a rapid, unscheduled, mid-air disassembly of the American empire. As Baldur Bjarnason writes, under Trump, America "first turned on their trading partners, then their allies in Europe, and then they delivered one of this century’s biggest economic and energy crises to their allies in Asia":

https://www.baldurbjarnason.com/2026/the-old-world-of-tech-is-dying/

The line comes from an excellent post entitled "The old world of tech is dying and the new cannot be born," about the impact of Trump's de-Americanization of the world on the US tech industry, and thus the world's relationship to tech more broadly. As Bjarnason writes, Trump's tech giants dominate the world because America dominates the world. It's not because the world likes American tech. As Bjarnason writes:

They are, more often than not, about as popular and respected as tobacco or pharmaceutical companies – some of them and their products are polling in terms of public sentiment in ranges similar to child molesters or authoritarian immigration enforcement entities – and their CEOs are some of the more despised public figures in recent history.

These very, very unpopular tech companies dominate because American trade policy insists that they must. They are allowed to violate local laws because stopping them from doing so would result in trade sanctions. It's true that US tech companies face fines abroad from time to time, but these are "the price list for inflicting societal suffering. Pick the one that suits your business model." US trading partners haven't really attempted to extinguish the unlawful conduct of US tech companies.

All of that is up for grabs now, thanks to Trump's uncontrollable compulsion to repeatedly hormuz himself (and America) in the foot. But – as Bjarnason writes – this didn't start with Trump. As ever, Trump is as much an effect as a cause, and the most important cause of Trump is the conversion of America into a financial economy, which started under Reagan, but was only finalized by Obama, who let the Wall Street looters who destroyed the world economy walk away unscathed, even as they stole the homes of millions of Americans:

https://web.archive.org/web/20170130083243/https://www.theguardian.com/commentisfree/2017/jan/16/how-barack-obama-paved-way-donald-trump-racism

Financial economies "suck the air out of the rest of the economy and make it less competitive." Keeping billionaires in megayachts comes at the expense of "research, education, infrastructure, and healthcare." Countries that financialize lag behind countries where the economy is based on making things, not extracting or financing things.

Generations of both imperial looting and domestic investment made America the richest country on earth. That wealth cushioned America's transition to oligarchy: for a while, the country could both "finance and billionaire parasites sucking its blood" and continue to invest in itself. But while you can double the wealth of a billionaire at the expense of a town or two, doubling the wealth of a centibillionaire requires the destruction of whole regions.

As America looted itself into irrelevance, China – a very different kind of autocracy – invested in domestic capacity and domestic consumption. China's hardly a well-run place: like any autocracy, it functions according to the whims of extremely fallible officials, which produces real-estate bubbles and other crises of production (to say nothing of the demographic crisis of the One Child policy) and necessitates steadily increasing oppression, from online surveillance to concentration camps in Xinjiang.

Bjarnason writes about how this Chinese/US world presents a "double bind" for the EU. Siding with the US is increasingly untenable: the EU exists in large part to promote its domestic industries, but the US is no longer content to leave these alone. As Bjarnason says, US economic policy is now, "whatever our oligarchs want to steal this month, they get."

US tech has extended so many tendrils into so many sectors that it's not possible to defend any industrial sector without impinging on the "technopoly," where "the only ideas and thoughts that have social and cultural legitimacy are those that support, are supported by, and are mediated through technology."

This means that continuing to work within the American system means a steady transfer of economic and political control of every aspect of your life to the US, a decaying empire ruled over by a mad king. Nevertheless, there is a strong, vestigial reflex to protect American tech in the EU, which leaves European power-brokers scrambling to come up with reasons that the EU should confine its tech regulation to empty symbolic gestures, while avoiding meaningful action at all costs:

https://cerre.eu/wp-content/uploads/2026/02/CERRE_Horizontal-Interoperability-of-Social-Networking-Services.pdf

But the American tech sector relies on the other sources of American power – the ones that Trump is so bent on destroying. Trump's de-dollarization of the world economy is pushing the world away from using American tech for payment processing and networking. The American empire created the form of the US tech sector. As Bjarnason writes, "without the weight of the US political empire behind it – if Airbnb or Uber had been local startups – much fewer countries in the world would have loosened their regulations and consumer protections to accommodate them to the point where they prospered as they did."

Trump isn't the first US leader to make a strategic blunder (the US has lost every war it's fought since WWII, after all). But Trump's blunders are different in that they "deliberately signal the end [the US] empire." Hormuz and tariffs have driven people away from the US dollar, and everyone knows who to blame for the senseless deaths in the Gulf and the global privation caused by oil rationing.

That's bad news for a software industry that "shifted its entire value proposition from 'we make tools that help you make or save money' to using political clout and the dollar hegemony to capture, control, and loot entire sectors of the various economies of the world. That strategy only works when you’re in charge."

DOGE wiped out the health systems of the global south, and now Trump's trade negotiators are demanding that these countries promise to keep their hands off of US tech in exchange for reinstating a small trickle of the aid they lost. These countries are rejecting those demands:

https://www.reuters.com/business/healthcare-pharmaceuticals/zambia-says-us-health-deal-must-be-uncoupled-minerals-access-2026-05-04/

It's all up for grabs, in other words. The post-American internet is being born in a post-American world, and the shape of both is impossible to determine from this side of the veil. Bjarnason quotes Gramsci: "the old is dying and the new cannot be born."

I hold out high hopes for a world of international digital public goods: free and open software that replaces America's extractive, defective black boxes with transparent, auditable, trustworthy alternatives that are under the control of the people who use them:

https://pluralistic.net/2026/04/16/pascals-wager/#doomer-challenge

But – as Bjarnason says – even the intellectual property framework that the free/open source movement relies on to make its licenses enforceable is an artifact of the collapsing American empire. If the global copyright system collapses with America, there won't be any impediments to reverse-engineering and improving the tech around us – but there also won't be any way to enforce the free software licenses that keep that software open:

https://pluralistic.net/2026/04/02/limited-monopoly/#petardism

The whole essay is very good and – like so many great essays – it raises more questions than it answers. It's also full of standout one-liners like this one:

How do LLMs affect productivity and quality? (Much like leaded petrol. There’s some potential benefit for individual users with literally decades of expertise, provided nobody else uses LLMs. The results are catastrophic when everybody is using them.)

Consider moving it to the top of your weekend reading.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago Is the law copyrighted?
https://web.archive.org/web/20010519134232/http://www.uniontrib.com/news/uniontrib/sun/news/news_1n13own.html

#15yrsago Canadian copyright collective wants a music tax on memory cards https://web.archive.org/web/20110517205114/https://www.michaelgeist.ca/content/view/5798/125/

#10yrsago FBI Director: viral videos make cops afraid to do their jobs https://www.nytimes.com/2016/05/12/us/comey-ferguson-effect-police-videos-fbi.html?_r=2

#10yrsago Banker implicated in one of history’s biggest frauds says boss beat him with a tiny baseball bat https://web.archive.org/web/20160516173952/http://www.ibtimes.co.uk/barclays-banker-accused-rigging-libor-rate-hit-assistant-baseball-bat-1559792

#10yrsago Infested: an itchy, fascinating natural history of the bed bug https://memex.craphound.com/2016/05/14/infested-an-itchy-fascinating-natural-history-of-the-bed-bug/

#5yrsago A weapon of mass financial destruction https://pluralistic.net/2021/05/14/billionaire-class-solidarity/#club-deals

#1yrago Are the means of computation even seizable? https://pluralistic.net/2025/05/14/pregnable/#checkm8

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027


Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.

  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

02:28

Friday Squid Blogging: Bigfin Squid [Schneier on Security]

Article about the bigfin squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

Feeds

FeedRSSLast fetchedNext fetched after
@ASmartBear XML 19:49, Friday, 22 May 20:30, Friday, 22 May
a bag of four grapes XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Ansible XML 19:42, Friday, 22 May 20:22, Friday, 22 May
Bad Science XML 19:35, Friday, 22 May 20:24, Friday, 22 May
Black Doggerel XML 19:49, Friday, 22 May 20:30, Friday, 22 May
Blog - Official site of Stephen Fry XML 19:35, Friday, 22 May 20:24, Friday, 22 May
Charlie Brooker | The Guardian XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Charlie's Diary XML 19:49, Friday, 22 May 20:37, Friday, 22 May
Chasing the Sunset - Comics Only XML 19:35, Friday, 22 May 20:24, Friday, 22 May
Coding Horror XML 19:42, Friday, 22 May 20:29, Friday, 22 May
Comics Archive - Spinnyverse XML 20:14, Friday, 22 May 20:58, Friday, 22 May
Cory Doctorow's craphound.com XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Cory Doctorow, Author at Boing Boing XML 19:49, Friday, 22 May 20:30, Friday, 22 May
Ctrl+Alt+Del Comic XML 19:49, Friday, 22 May 20:37, Friday, 22 May
Cyberunions XML 19:35, Friday, 22 May 20:24, Friday, 22 May
David Mitchell | The Guardian XML 19:49, Friday, 22 May 20:32, Friday, 22 May
Deeplinks XML 20:14, Friday, 22 May 20:58, Friday, 22 May
Diesel Sweeties webcomic by rstevens XML 19:49, Friday, 22 May 20:32, Friday, 22 May
Dilbert XML 19:35, Friday, 22 May 20:24, Friday, 22 May
Dork Tower XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Economics from the Top Down XML 19:49, Friday, 22 May 20:32, Friday, 22 May
Edmund Finney's Quest to Find the Meaning of Life XML 19:49, Friday, 22 May 20:32, Friday, 22 May
EFF Action Center XML 19:49, Friday, 22 May 20:32, Friday, 22 May
Enspiral Tales - Medium XML 20:14, Friday, 22 May 20:59, Friday, 22 May
Events XML 19:49, Friday, 22 May 20:37, Friday, 22 May
Falkvinge on Liberty XML 19:49, Friday, 22 May 20:37, Friday, 22 May
Flipside XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Flipside XML 20:14, Friday, 22 May 20:59, Friday, 22 May
Free software jobs XML 19:42, Friday, 22 May 20:22, Friday, 22 May
Full Frontal Nerdity by Aaron Williams XML 19:49, Friday, 22 May 20:37, Friday, 22 May
General Protection Fault: Comic Updates XML 19:49, Friday, 22 May 20:37, Friday, 22 May
George Monbiot XML 19:49, Friday, 22 May 20:32, Friday, 22 May
Girl Genius XML 19:49, Friday, 22 May 20:32, Friday, 22 May
Groklaw XML 19:49, Friday, 22 May 20:37, Friday, 22 May
Grrl Power XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Hackney Anarchist Group XML 19:35, Friday, 22 May 20:24, Friday, 22 May
Hackney Solidarity Network XML 20:14, Friday, 22 May 20:59, Friday, 22 May
http://blog.llvm.org/feeds/posts/default XML 20:14, Friday, 22 May 20:59, Friday, 22 May
http://calendar.google.com/calendar/feeds/q7s5o02sj8hcam52hutbcofoo4%40group.calendar.google.com/public/basic XML 19:42, Friday, 22 May 20:22, Friday, 22 May
http://dynamic.boingboing.net/cgi-bin/mt/mt-cp.cgi?__mode=feed&_type=posts&blog_id=1&id=1 XML 20:14, Friday, 22 May 20:59, Friday, 22 May
http://eng.anarchoblogs.org/feed/atom/ XML 20:07, Friday, 22 May 20:53, Friday, 22 May
http://feed43.com/3874015735218037.xml XML 20:07, Friday, 22 May 20:53, Friday, 22 May
http://flatearthnews.net/flatearthnews.net/blogfeed XML 19:49, Friday, 22 May 20:30, Friday, 22 May
http://fulltextrssfeed.com/ XML 19:49, Friday, 22 May 20:32, Friday, 22 May
http://london.indymedia.org/articles.rss XML 19:42, Friday, 22 May 20:29, Friday, 22 May
http://pipes.yahoo.com/pipes/pipe.run?_id=ad0530218c055aa302f7e0e84d5d6515&amp;_render=rss XML 20:07, Friday, 22 May 20:53, Friday, 22 May
http://planet.gridpp.ac.uk/atom.xml XML 19:42, Friday, 22 May 20:29, Friday, 22 May
http://shirky.com/weblog/feed/atom/ XML 20:14, Friday, 22 May 20:58, Friday, 22 May
http://thecommune.co.uk/feed/ XML 20:14, Friday, 22 May 20:59, Friday, 22 May
http://theness.com/roguesgallery/feed/ XML 19:49, Friday, 22 May 20:37, Friday, 22 May
http://www.airshipentertainment.com/buck/buckcomic/buck.rss XML 19:35, Friday, 22 May 20:24, Friday, 22 May
http://www.airshipentertainment.com/growf/growfcomic/growf.rss XML 20:14, Friday, 22 May 20:58, Friday, 22 May
http://www.airshipentertainment.com/myth/mythcomic/myth.rss XML 20:14, Friday, 22 May 20:56, Friday, 22 May
http://www.baen.com/baenebooks XML 20:14, Friday, 22 May 20:58, Friday, 22 May
http://www.feedsapi.com/makefulltextfeed.php?url=http%3A%2F%2Fwww.somethingpositive.net%2Fsp.xml&what=auto&key=&max=7&links=preserve&exc=&privacy=I+accept XML 20:14, Friday, 22 May 20:58, Friday, 22 May
http://www.godhatesastronauts.com/feed/ XML 19:49, Friday, 22 May 20:37, Friday, 22 May
http://www.tinycat.co.uk/feed/ XML 19:42, Friday, 22 May 20:22, Friday, 22 May
https://anarchism.pageabode.com/blogs/anarcho/feed/ XML 20:14, Friday, 22 May 20:58, Friday, 22 May
https://broodhollow.krisstraub.comfeed/ XML 19:49, Friday, 22 May 20:30, Friday, 22 May
https://debian-administration.org/atom.xml XML 19:49, Friday, 22 May 20:30, Friday, 22 May
https://elitetheatre.org/ XML 19:42, Friday, 22 May 20:29, Friday, 22 May
https://feeds.feedburner.com/Starslip XML 20:14, Friday, 22 May 20:56, Friday, 22 May
https://feeds2.feedburner.com/GeekEtiquette?format=xml XML 19:49, Friday, 22 May 20:32, Friday, 22 May
https://hackbloc.org/rss.xml XML 19:49, Friday, 22 May 20:30, Friday, 22 May
https://kajafoglio.livejournal.com/data/atom/ XML 19:35, Friday, 22 May 20:24, Friday, 22 May
https://philfoglio.livejournal.com/data/atom/ XML 19:42, Friday, 22 May 20:29, Friday, 22 May
https://pixietrixcomix.com/eerie-cutiescomic.rss XML 19:42, Friday, 22 May 20:29, Friday, 22 May
https://pixietrixcomix.com/menage-a-3/comic.rss XML 20:14, Friday, 22 May 20:58, Friday, 22 May
https://propertyistheft.wordpress.com/feed/ XML 19:42, Friday, 22 May 20:22, Friday, 22 May
https://requiem.seraph-inn.com/updates.rss XML 19:42, Friday, 22 May 20:22, Friday, 22 May
https://studiofoglio.livejournal.com/data/atom/ XML 20:07, Friday, 22 May 20:53, Friday, 22 May
https://thecommandline.net/feed/ XML 20:07, Friday, 22 May 20:53, Friday, 22 May
https://torrentfreak.com/subscriptions/ XML 19:49, Friday, 22 May 20:32, Friday, 22 May
https://web.randi.org/?format=feed&type=rss XML 19:49, Friday, 22 May 20:32, Friday, 22 May
https://www.dcscience.net/feed/medium.co XML 19:35, Friday, 22 May 20:24, Friday, 22 May
https://www.DropCatch.com/domain/steampunkmagazine.com XML 19:49, Friday, 22 May 20:30, Friday, 22 May
https://www.DropCatch.com/domain/ubuntuweblogs.org XML 20:07, Friday, 22 May 20:53, Friday, 22 May
https://www.DropCatch.com/redirect/?domain=DyingAlone.net XML 19:42, Friday, 22 May 20:29, Friday, 22 May
https://www.freedompress.org.uk:443/news/feed/ XML 19:49, Friday, 22 May 20:37, Friday, 22 May
https://www.goblinscomic.com/category/comics/feed/ XML 19:42, Friday, 22 May 20:22, Friday, 22 May
https://www.loomio.com/blog/feed/ XML 20:07, Friday, 22 May 20:53, Friday, 22 May
https://www.newstatesman.com/feeds/blogs/laurie-penny.rss XML 19:49, Friday, 22 May 20:30, Friday, 22 May
https://www.patreon.com/graveyardgreg/posts/comic.rss XML 19:42, Friday, 22 May 20:29, Friday, 22 May
https://www.rightmove.co.uk/rss/property-for-sale/find.html?locationIdentifier=REGION^876&maxPrice=240000&minBedrooms=2&displayPropertyType=houses&oldDisplayPropertyType=houses&primaryDisplayPropertyType=houses&oldPrimaryDisplayPropertyType=houses&numberOfPropertiesPerPage=24 XML 19:49, Friday, 22 May 20:32, Friday, 22 May
https://x.com/statuses/user_timeline/22724360.rss XML 19:42, Friday, 22 May 20:22, Friday, 22 May
Humble Bundle Blog XML 19:42, Friday, 22 May 20:29, Friday, 22 May
I, Cringely XML 19:49, Friday, 22 May 20:37, Friday, 22 May
Irregular Webcomic! XML 19:49, Friday, 22 May 20:30, Friday, 22 May
Joel on Software XML 20:07, Friday, 22 May 20:53, Friday, 22 May
Judith Proctor's Journal XML 19:42, Friday, 22 May 20:22, Friday, 22 May
Krebs on Security XML 19:49, Friday, 22 May 20:30, Friday, 22 May
Lambda the Ultimate - Programming Languages Weblog XML 19:42, Friday, 22 May 20:22, Friday, 22 May
Looking For Group XML 20:14, Friday, 22 May 20:58, Friday, 22 May
LWN.net XML 19:49, Friday, 22 May 20:30, Friday, 22 May
Mimi and Eunice XML 20:14, Friday, 22 May 20:59, Friday, 22 May
Neil Gaiman's Journal XML 19:42, Friday, 22 May 20:22, Friday, 22 May
Nina Paley XML 19:42, Friday, 22 May 20:29, Friday, 22 May
O Abnormal – Scifi/Fantasy Artist XML 20:14, Friday, 22 May 20:59, Friday, 22 May
Oglaf! -- Comics. Often dirty. XML 19:49, Friday, 22 May 20:37, Friday, 22 May
Oh Joy Sex Toy XML 20:14, Friday, 22 May 20:58, Friday, 22 May
Order of the Stick XML 20:14, Friday, 22 May 20:58, Friday, 22 May
Original Fiction Archives - Reactor XML 20:14, Friday, 22 May 20:56, Friday, 22 May
OSnews XML 20:14, Friday, 22 May 20:59, Friday, 22 May
Paul Graham: Unofficial RSS Feed XML 20:14, Friday, 22 May 20:59, Friday, 22 May
Penny Arcade XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Penny Red XML 20:14, Friday, 22 May 20:59, Friday, 22 May
PHD Comics XML 19:35, Friday, 22 May 20:24, Friday, 22 May
Phil's blog XML 19:49, Friday, 22 May 20:37, Friday, 22 May
Planet Debian XML 20:14, Friday, 22 May 20:59, Friday, 22 May
Planet GNU XML 19:49, Friday, 22 May 20:30, Friday, 22 May
Planet Lisp XML 19:35, Friday, 22 May 20:24, Friday, 22 May
Pluralistic: Daily links from Cory Doctorow XML 19:42, Friday, 22 May 20:22, Friday, 22 May
PS238 by Aaron Williams XML 19:49, Friday, 22 May 20:37, Friday, 22 May
QC RSS XML 19:42, Friday, 22 May 20:29, Friday, 22 May
Radar XML 20:14, Friday, 22 May 20:56, Friday, 22 May
RevK®'s ramblings XML 20:07, Friday, 22 May 20:53, Friday, 22 May
Richard Stallman's Political Notes XML 19:35, Friday, 22 May 20:24, Friday, 22 May
Scenes From A Multiverse XML 19:42, Friday, 22 May 20:29, Friday, 22 May
Schneier on Security XML 19:42, Friday, 22 May 20:22, Friday, 22 May
SCHNEWS.ORG.UK XML 20:14, Friday, 22 May 20:58, Friday, 22 May
Scripting News XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Seth's Blog XML 20:07, Friday, 22 May 20:53, Friday, 22 May
Skin Horse XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Tales From the Riverbank XML 19:35, Friday, 22 May 20:24, Friday, 22 May
The Adventures of Dr. McNinja XML 20:14, Friday, 22 May 20:59, Friday, 22 May
The Bumpycat sat on the mat XML 19:42, Friday, 22 May 20:22, Friday, 22 May
The Daily WTF XML 20:07, Friday, 22 May 20:53, Friday, 22 May
The Monochrome Mob XML 19:49, Friday, 22 May 20:30, Friday, 22 May
The Non-Adventures of Wonderella XML 19:49, Friday, 22 May 20:32, Friday, 22 May
The Old New Thing XML 20:14, Friday, 22 May 20:58, Friday, 22 May
The Open Source Grid Engine Blog XML 19:42, Friday, 22 May 20:29, Friday, 22 May
The Stranger XML 20:14, Friday, 22 May 20:59, Friday, 22 May
towerhamletsalarm XML 20:07, Friday, 22 May 20:53, Friday, 22 May
Twokinds XML 20:14, Friday, 22 May 20:56, Friday, 22 May
UK Indymedia Features XML 20:14, Friday, 22 May 20:56, Friday, 22 May
Uploads from ne11y XML 20:07, Friday, 22 May 20:53, Friday, 22 May
Uploads from piasladic XML 19:49, Friday, 22 May 20:32, Friday, 22 May
Use Sword on Monster XML 19:42, Friday, 22 May 20:29, Friday, 22 May
Wayward Sons: Legends - Sci-Fi Full Page Webcomic - Updates Daily XML 20:07, Friday, 22 May 20:53, Friday, 22 May
what if? XML 19:49, Friday, 22 May 20:30, Friday, 22 May
Whatever XML 19:35, Friday, 22 May 20:24, Friday, 22 May
Whitechapel Anarchist Group XML 19:35, Friday, 22 May 20:24, Friday, 22 May
WIL WHEATON dot NET XML 20:14, Friday, 22 May 20:58, Friday, 22 May
wish XML 20:14, Friday, 22 May 20:59, Friday, 22 May
Writing the Bright Fantastic XML 20:14, Friday, 22 May 20:58, Friday, 22 May
xkcd.com XML 19:49, Friday, 22 May 20:32, Friday, 22 May