"Because no one has commented yet on the legal significance: Musk lost today because the jury found that he waited too long to bring his claims. The jury answers only yes/no questions, so we do not know their exact thoughts, but it is likely they determined that the 2019 and 2021 Microsoft deals were too similar to the 2023 Microsoft deal that was the centerpiece of Musk’s lawsuit. Musk could have brought the same lawsuit in 2019 or 2021, meaning his claims were untimely for the 3 year statute of limitations. Because the statute of limitations is a precondition, the jury was not asked to find any other facts. They may tell the press what they thought on other issues, or they may not. The judge was prepared to immediately accept the jury’s finding, and said she agreed that the jury’s decision was supported by the evidence. It is possible for Musk to appeal, but success is vanishingly unlikely. Whether Musk’s claims are barred by the statute of limitations is a quintessential question of fact, and appellate courts are extraordinarily deferential to factual findings by juries, so as a practical matter it’s almost impossible to appeal this verdict."
"Aside from the disagreements between these parties, what about the precedent of running a non-profit, and then transferring all IP to a for-profit when it’s convenient to do so? I wonder if the government or taxpayers have a case to bring regarding that."
"My suspicion is that winning might have been a secondary goal. When OpenAI goes to IPO, all the testimony of former executives about Altman's behavior is going to be in the public record. A lot of that testimony makes OpenAI sound very chaotic and poorly run. That could prevent large institutional investors from wanting to take the risk."
"This made me realize that Obsidian is *not* open source, but in a way Obsidian made me feel like it was open source. Obviously now that I researched it, it is quite obvious that it is not, but still it 'feels' like it should be open source."
"I'm building a native version[0] of Obsidian in Qt6 (QWidgets, C++). Replicating the markdown editor takes a while, there are so many ways of corrupting the file or losing the rendered markdown style... but it's getting there[1] and it's lightweight, using about 15 MB RAM, no GPU, and barely uses any CPU when the cursor or scroll moves, like a text editor should be. Still need to render widget tables, lists and syntax highlighting for code blocks for a basic modern notepad. I'm not sure about open sourcing it, seems like a waste of time nowadays, but it'll be free to use. [0]: https://i.imgur.com/ro9Zq9w.png [1]: https://i.imgur.com/pbJcTQF.gif"
"I wouldn't show it as an alternative to Obsidian though. It shares MD files with it and both are supposedly about note taking ("supposedly" is for Obsidian, I haven't tried Files.md yet), but Files.md seems to have its own way of making the users work with their thoughts, notes and knowledge altogether. When I read "an alternative", I assumed feature-parity and API compatibility. But what I found out was entirely different and much more interesting. I'll give it a try, thanks for sharing your year-old work!"
"The Chesa Boudin DA "misrepresentations" document, linked towards the end of this story, is weak, bordering on Trumpian. It highlights as "misrepresentations" cases where Boudin simply disagrees with Lim about a statement of opinion (whether his office was suitably forthcoming, organized, or deflecting). At one point it accuses Lim of "violating HIPAA", which is not a thing† (HIPAA constrains covered entities, not reporters). I think both sides of this conflict (Tan and Radley) are talking past each other and scoring points for their respective sides; Radley is famously an advocate of progressive prosecutors, and Tan (IIRC) worked to remove Boudin. I don't expect a totally accurate and balanced retelling from either side, in the same way that you should not expect a completely neutral report on inner-ring suburban housing policy from me (I'm a housing activist). But I did come away from this with a lower opinion of Boudin's office. (For what it's worth, I was extremely optimistic about the wave of progressive prosecutors led by Larry Krasner in Philadelphia, and while I have some Radley Balko issues, I've been reading John Pfaff on this stuff for a decade. What's happened to my worldview since then is that I feel like I've watched outsider-y progressives get elected into prosecutor roles and then fail their constituencies not because of ideology but over basic competency issues. I'd be foursquare behind a progressive prosecutor in a major city that ran a tight ship; we tried this in Chicago and didn't get that.) † btw: if you're the DA for a jurisdiction that includes a reporter, and you claim the reporter's journalism is unlawful, you sure as shit better have that right."
"In the about page, this author states that they produce "original reporting and commentary on the criminal justice system and civil liberties." I really think it is a mistake to blur that line. These days it feels like you can pretty reliably predict what narrative a journalist will present on any given story based on their individual politics. How can you reasonably expect to be viewed as an objective reporter of facts if you also are acting as a commentator trying to shape public opinion?"
"I've come to be convinced that having a huge amount of money causes some kind of mental breakage, a need to control other people that is unhealthy for everyone it touches. I don't mind everyone having or expressing an opinion, even opinions I disagree with, but when someone uses their disproportionate wealth and influence to spread misinformation and disrupt and dismantle democratic systems it crosses a line. It takes a lot of nerve to call spreading misinformation and funding recall campaigns based on lies speaking truth to power. And, to attack someone for reporting facts that correct that misinformation? Grotesque."
"This has a security implication which is overlooked. Contributors to a repository have higher rights, such as avoiding approval requirements for fork PR runs. GitHub warns in the docs: > When requiring approvals only for first-time contributors (the first two settings), a user that has had any commit or pull request merged into the repository will not require approval. A malicious user could meet this requirement by getting a simple typo or other innocuous change accepted by a maintainer, either as part of a pull request they have authored or as part of another user's pull request."
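The bypass the quoted GitHub docs describe, modelled as an added example (this is not GitHub's code and not code from the thread; the policy names are my own labels for the three documented settings, and the repository history is constructed). It shows that once a maintainer merges a single innocuous change, the two "first-time contributors" settings stop gating that user's fork PR workflow runs, while the "all outside collaborators" setting still does.

```python
from dataclasses import dataclass, field

# Labels for the three "Require approval" settings GitHub documents for fork PR
# workflow runs. The strings are my shorthand, not GitHub API values.
NEW_TO_GITHUB = "first_time_contributors_new_to_github"
FIRST_TIME = "first_time_contributors"
ALL_EXTERNAL = "all_external_contributors"


@dataclass
class RepoHistory:
    """Constructed repository state: who has write access, and which users have
    ever had a commit or PR merged (the condition the docs warn about)."""
    collaborators: set = field(default_factory=set)
    merged_users: set = field(default_factory=set)

    def merge(self, pr_author: str, co_authors=()):
        # Merging a PR marks the author AND any co-author of a commit in it as
        # "has had a commit merged" (the docs' second route to contributor status).
        self.merged_users.add(pr_author)
        self.merged_users.update(co_authors)


def needs_approval(policy: str, user: str, history: RepoHistory, is_new_account: bool) -> bool:
    """Return True if a fork PR from `user` must be manually approved before its
    workflows run under the given setting."""
    if user in history.collaborators:
        return False  # write access: never gated
    if policy == ALL_EXTERNAL:
        return True  # gated every time, regardless of history
    if policy == FIRST_TIME:
        return user not in history.merged_users
    if policy == NEW_TO_GITHUB:
        # Weakest tier: only users who are both first-time AND new accounts.
        return user not in history.merged_users and is_new_account
    raise ValueError(f"unknown policy {policy!r}")


def simulate_typo_bypass(policy: str):
    """Attacker 'mallory' submits a one-character typo fix, a maintainer merges it,
    then mallory opens a PR that edits a workflow. Returns (approval needed for
    the typo PR, approval needed for the follow-up PR)."""
    repo = RepoHistory(collaborators={"maintainer"})
    before = needs_approval(policy, "mallory", repo, is_new_account=False)
    repo.merge("mallory")  # maintainer accepts the innocuous change
    after = needs_approval(policy, "mallory", repo, is_new_account=False)
    return before, after


def simulate_coauthor_bypass(policy: str):
    """Same attacker, but sneaking in as co-author of a commit in someone
    else's PR instead of opening their own."""
    repo = RepoHistory(collaborators={"maintainer"})
    repo.merge("alice", co_authors=("mallory",))
    return needs_approval(policy, "mallory", repo, is_new_account=False)


if __name__ == "__main__":
    for p in (NEW_TO_GITHUB, FIRST_TIME, ALL_EXTERNAL):
        print(p, simulate_typo_bypass(p), simulate_coauthor_bypass(p))
```

The practical check is therefore not "has this user been seen before" but "does this PR touch anything that runs with secrets": if the repo relies on the first-time-contributor tiers, review workflow changes in fork PRs as if the author were unknown.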
"Screw GitHub for letting this happen. If they implemented some very basic requirements to comment and open PRs we wouldn't be here. Also please let us delete PRs just like we can delete issues."
"> It's especially sensitive for a VC-backed startup that is measured thoroughly by GitHub activity, but we have to pull the trigger: This sentence also illustrates the absurdity of this investment model. It imposes a trade-off between building good software, and complying with the investor's metrics. They probably call such metrics evidence-based, but this example shows that they arbitrarily capture some numbers to obscure the lack of meaningful measurements."
"I spent a few hours trying to get this to work, and I couldn’t get it to produce usable results on anything except the training data, even with very simple drawings. I noticed in the GitHub that they mention it is only around 60% reliable even on their own training data, but the image shown on the front page feels pretty misleading. I made 10 images that were very similar in complexity to the examples shown, and even after running it around 50 times on each image, not a single one worked correctly. In the rare cases where it produced something, the output was completely wrong. This seems pretty misleading in its current state and definitely needs more work."
"Neat, but I don't really see the utility. The time consuming part of CAD drawing comes from figuring out the correct dimensions of each feature, spacing, sizing, tolerances, etc., and constraining the drawing in a way so that it's easy to tweak later on, which this doesn't do at all. Maybe you could draw a 2d sketch of what you want then generate it, but you'd still have to do the hard part."
"This has been easy with OpenSCAD for a long time. I have made lots of cool, complex models this way. I built a repo of the prompts I use to show the LLM how to do this and it includes many of the models I've created this way... https://github.com/cjtrowbridge/vibe-modeling"
"Related: https://github.com/jahala/tilth . Edit: recent HN discussion: https://news.ycombinator.com/item?id=46952321"
"What I have personally observed with such tools is that they make the AIs dumb, similar to how it makes coders dumb when relying more on AI tools. These agentic AIs are already smart enough to figure out a highly optimized path to code exploration or search. But, with these tools, they just go very aggressive, partly because the search results from these tools almost in 100% of the cases do not furnish full details, but just the pointers. To confirm this behaviour, I did a small test run. This is in no way conclusive, but the results do align with what I've been observing: --- Task: trace full ingestion and search paths in some okayish complex project. Harness is Pi. 1. With "codebase-memory-mcp": 85k/4.4k (input/output tokens). 2. With my own regular setup: 67k/3.2k. 3. Without any of these: 80k/3.2k. As we see, such a tool made it worse (not by much, but still). The outputs were the same in quality and informational content. --- Now, what is my "regular setup" mentioned above? Just one line in AGENTS.md and CLAUDE.md: "Start by reading PROJECT.md". And PROJECT.md contains just the following: 2-3 line description of the project, all relevant files and their one-line description, any nuances, and finally, ends with this line: ## To LLM Update this file if the changes you have done are worth updating here. The intent of this file is to give you a rough idea of the project, from where you can explore further, if needed."
"Interesting. I too have been working in this space, though I took a different approach. Rather than building an index, I worked on making a "smarter grep" by offering search over codebases (and any text content really) with ranking and some structural awareness of the code. Most of my time was spent dealing with performance, and as a result it runs extremely quickly. I will have to add this as a comparison to https://github.com/boyter/cs and see what my LLMs prefer for the sort of questions I ask. It too ships with MCP, but does NOT build an index for its search. I am very curious to see how it would rank seeing as it does not do basic BM25 but a code semantic variant of it. This seems to work better for the "how does auth work" style of queries, while cs does "authenticate --only-declarations" and then weighs results based on content of the files, IE where matches are, in code, comments and the overall complexity of the file. Have starred and will be watching."
"I reverse-engineered a Doogee U10 (Rockchip RK3562) to boot Debian natively from an SD card. No BSP, no kernel source, no vendor documentation, just a DTB extracted from the stock Android firmware and rebuilt from there. The tablet boots Linux directly from SD without modifying internal Android storage. Remove the card and Android still boots normally. The process is intentionally simple: write the image to an SD card from any operating system, insert it, and boot. No flashing tools, no bootloader unlocking, no custom recovery, and no permanent modifications to the device. It can even be prepared directly from Android itself using an external SD card reader. I used Claude, Gemini, and ChatGPT heavily during bring-up for driver debugging, DT syntax, and kernel configuration issues. They accelerated development significantly, but the actual reverse engineering still required hands-on embedded Linux work: boot-chain analysis, DT bindings, panel timings, register experimentation, and kernel panic debugging. This project also convinced me that modern mobile hardware is massively underutilized once vendor support ends. Many phones and tablets already have hardware comparable to SBCs, but simple external boot support could extend their useful life for homelabs, edge computing, local AI inference, and embedded workloads. Any feedback, ideas, or contributions are very welcome."
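The first step the post mentions, pulling the DTB out of the stock firmware, as an added example (my code, not the author's tooling, and not specific to how this vendor packages its images). A flattened device tree always starts with the big-endian magic 0xd00dfeed and carries its own total length at offset 4, so any firmware partition can be scanned for candidate blobs and each carved out for `dtc -I dtb -O dts`. The sample image below is constructed inline; it contains one well-formed header and two decoy magics that a naive grep would report.

```python
import struct
import sys
from pathlib import Path

FDT_MAGIC = b"\xd0\x0d\xfe\xed"   # 0xd00dfeed, big-endian, per the FDT spec
FDT_HEADER_LEN = 40               # ten 32-bit fields


def carve_dtbs(blob: bytes):
    """Scan `blob` for plausible flattened device trees and return one dict per
    hit with its offset, declared totalsize and header version. A magic whose
    header does not pass the sanity checks is skipped, not reported."""
    hits = []
    pos = blob.find(FDT_MAGIC)
    while pos != -1:
        if pos + FDT_HEADER_LEN <= len(blob):
            (_, totalsize, off_struct, off_strings, off_rsvmap,
             version, last_comp, _, size_strings, size_struct) = \
                struct.unpack_from(">10I", blob, pos)
            remaining = len(blob) - pos
            plausible = (
                FDT_HEADER_LEN <= totalsize <= remaining
                and off_rsvmap <= totalsize
                and off_struct + size_struct <= totalsize
                and off_strings + size_strings <= totalsize
                and last_comp <= version
            )
            if plausible:
                hits.append({"offset": pos, "totalsize": totalsize, "version": version,
                             "data": blob[pos:pos + totalsize]})
                pos = blob.find(FDT_MAGIC, pos + totalsize)  # skip past this blob
                continue
        pos = blob.find(FDT_MAGIC, pos + 1)
    return hits


def write_dtbs(blob: bytes, outdir: Path) -> list:
    """Carve every DTB in `blob` to outdir/dtb_<offset>.dtb; returns the paths."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for hit in carve_dtbs(blob):
        p = outdir / f"dtb_{hit['offset']:#x}.dtb"
        p.write_bytes(hit["data"])
        paths.append(p)
    return paths


def _fdt_header(totalsize: int, version: int = 17) -> bytes:
    """Helper for the constructed sample only: a minimal consistent header whose
    struct/strings blocks are empty and sit right after the header."""
    return struct.pack(">10I", 0xD00DFEED, totalsize, FDT_HEADER_LEN, FDT_HEADER_LEN,
                       FDT_HEADER_LEN, version, 16, 0, 0, 0)


# Constructed sample "firmware": some preamble, one real 64-byte DTB at offset 32,
# then two decoys: a magic whose totalsize is smaller than a header, and a magic
# whose totalsize runs past the end of the image.
SAMPLE_IMAGE = (
    b"ANDROID!" + bytes(24)
    + _fdt_header(64) + bytes(64 - FDT_HEADER_LEN)
    + b"junk" + FDT_MAGIC + struct.pack(">I", 16) + bytes(8)
    + FDT_MAGIC + struct.pack(">I", 0x7FFFFFFF) + bytes(32)
)


if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for hit in carve_dtbs(data):
        print(f"DTB at {hit['offset']:#x}: {hit['totalsize']} bytes, version {hit['version']}")
```

Run it against a dumped boot or resource partition and feed each carved file to `dtc -I dtb -O dts` to get editable source; the sanity checks on the block offsets are what keep random 0xd00dfeed sequences in compressed payloads from producing garbage files.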
"Booting into Debian with most devices fully functional is great. What I'd like to know is what software runs adequately under it in 4 GB RAM. Web browsing should definitely be possible, but I suppose it's limited to very few tabs. Some very lightweight DE could likely make it more usable. Running something like WezTerm + tmux as the DE could be even more economical, leaving some room for e.g. development tools."
"This is exactly what I want from the iPad Pro. Unlock the virtualization support to let me have a debian/ubuntu VM with a complete development environment that I could take for holiday to make emergency fixes, and leave the precious MBP at home."
"Anthropic is at a place where they need the world's best software engineers, and they're willing to comp at insane levels to get them. However: You simply cannot post a LinkedIn job for "Really Good Software Engineer, comp $10M+" and make any sense of the inbound applications you'll get. They're not the first to figure this out, and they won't be the last: Successfully building a company, and using that company's products, is actually the best job interview you can ask for if you can pay for that caliber of candidate. What you should be paying attention to: Stainless is shutting down, and their team is joining Anthropic to build, who knows, some dumb integration to make Hubspot data available in Claude, or something equally as boring. But, Stainless was successful. Be the next Stainless. The idea is already validated, these AI companies have already done this to a handful of companies and they're going to keep doing it."
"> As we focus on Claude Platform capabilities and connecting agents to APIs, we’ll be winding down all hosted Stainless products, including our SDK generator. Starting today, new signups, projects, and SDKs will not be available. For better or worse, it's an acquihire."
"Some clarity about existing users/SDKs would go a long way. Otherwise this reads like "we just bought OpenAI's front door and we're EOLing it. Hopefully no one was planning to use it in the future". Petty and pointless."
"> “If you’d let me make this point, please —” Schmidt said amid boos. “The point I’d like to make is choose a diversity of perspectives, including the perspective of the immigrant who has so often been the person who came to this country and made it better. America is at its best when we are the country that ambitious people want to come to. Let us not lose that.” How does that tie in? You have to like AI because of immigrants? AI is like an immigrant, you have to accept it? What’s the logic here, or is he just throwing random phrases around, it seems."
"> Schmidt urged graduates to embrace freedom, open debate, equality and the willingness to engage with those they disagree with. I think it was a great embrace of freedom and open debate to boo him for only asserting predictions that benefit him."
"Kind of goes to show how out of touch and insular the tech exec sphere can be. Almost everyone I interact with in reality has a deep disdain for LLMs and their touted trajectory."
"This isn't a good analysis, and it's because it keeps rounding everything up. He rounds up the cost of electricity by 10%. He has a range of power use, takes the high end (which is 2x the low end) and multiplies it by the inflated electricity cost. But then they talk about using a newly purchased Mac to do the inference, running at full capacity, 24/7. Why would you do that? Apple silicon is fast but the author points out: you're only getting 10-40 tokens per second. It's not bad, but it's not meant for this! It's comparing apples to oranges. Yeah, data centers don't pay residential electricity rates. Data centers use chips that are power efficient. Data centers use chips that aren't designed to be a Mac. Apple silicon works out pretty good if you're not burning tokens 24/7/365 and you're not buying hardware specifically to do it. I use my Mac Studio a few times a week for things that I need it for, but I can run ollama on it over the tailnet "for free". The economics work when I'm not trying to make my Mac Studio behave like an H100 cluster with liquid cooling. Which should come as no surprise to anyone: more tokens per watt on hardware that's multi tenant with cheap electricity will pretty much always win."
"Unless I'm misunderstanding, this is counting the entire laptop in the cost of generating tokens. The calculation seems to omit that, in addition to receiving LLM output, you have also received a laptop in exchange for your money. If you intend to put this machine in a dark corner and run it solely as a token-munching server, a laptop would be an exceptionally poor choice of technology for this purpose. But if you intend to use the laptop as a laptop, having a laptop is a pretty big benefit over not having a laptop. You also get the benefit of privacy, freedom from censorship, and control over the model used (i.e. it will not be rugpulled on you in three months after you've built a workflow around a specific model's idiosyncrasies)."
"Frontier AI companies are selling at a loss. Excusing everything else that u/bastawhiz said[0]; the obvious fact here is that Claude, OpenAI, Gemini et al. are quite literally burning through 100's of billions of dollars and selling it back to you for pennies on the dollar in the hopes that they get to be the only one left. If I spend $10 growing oranges and sell them to you for $1, then of course it's more expensive for you to do the growing. I feel like I'm taking crazy pills. These models will become more expensive over time, it's functionally impossible for them not to, they just want to capture the market before they have to stop selling at a huge loss. [0]: https://news.ycombinator.com/item?id=48168433"
"Something I learned just recently—the Australian government (surprisingly!) actually recommends VPN usage, they even provide a bit of a guide and how to; https://beconnected.esafety.gov.au/topic-library/advanced-on..."
"It is perhaps worth highlighting that Mozilla has done this in response to a specific UK government consultation [1] all about "growing up in the online world", which has, buried about 30 pages deep, a specific question about age-gating VPNs and similar technologies. As far as I can tell, there is no requirement to be a UK citizen to answer this – if you are, were, or could be resident in the UK I urge you to fill it out and help provide a voice of reason... [1] https://www.gov.uk/government/consultations/growing-up-in-th..."
"Has Google made a statement like this? I guess since I complain about Mozilla a lot for their past 5-10 years (minimum) of poor management decisions, I should give them their due when they do come out with a statement of support on our rights."
"Previous discussion: https://news.ycombinator.com/item?id=48130519"
"[dupe] 3 days ago OP: https://news.ycombinator.com/item?id=48129789 https://news.ycombinator.com/item?id=48114997 https://news.ycombinator.com/item?id=48130519"
"Seems this traces back almost a week, from Nightmare-Eclipse who is the researcher who found this: Tuesday, 12 May 2026 - "Here are the links, yes, two vulnerabilities this time [YellowKey] [GreenPlasma] [...] Next patch tuesday will have a big surprise for you Microsoft" Wednesday, 13 May 2026 - "I can't wait when I will be allowed to disclose the full story, I think people will find my crashout very reasonable and it definitely won't be a good look for Microsoft." Author's blog: https://deadeclipse666.blogspot.com/ First post in March 2026 is "[...] someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine." I'm not sure what to make of it, is this someone essentially "leaking" things from the inside? Sure sounds like it, and others are able to reproduce the results."
"> This exact thing is what software developers have been begging for since the beginning of the profession: Receiving a detailed outline of the problem and what the end result should look like. > This is often the part that slows down software development. Trying to figure out what a vague, title only, feature request actually means. But that is exactly what Software Engineering is! It's 2026 and the notion that you can get detailed enough requirements and specifications that you can one-shot a perfect solution needs to die. In my experience AI has made us able to iterate on features or ideas much faster. Now most of the friction comes from alignment and coordination with other teams. My take is that to accelerate processes we should reduce coordination overhead and empower individuals and teams to make decisions and execute on them."
"I think when LLMs first came out people thought they could just say something like, "Make a Facebook clone". But now we're realizing we need to be more exact with our requirements and define things better. That has always been the bottleneck in software. When I was working we used to get requirements that literally said things like, "Get data and give it to the user". No definition of what data is, where it's stored, or in what format to return it. We would then spend a significant amount of time with the product person trying to figure out what they really wanted. In order to get good results with LLMs we need to do something similar. Vague requirements get vague results."
"On the one hand, this is a clean post that explains exactly what a lot of us have been thinking and seeing on the job at large organizations doing tech work. Dear Author, I agree with you 110% and want everybody else to come to understand what you have written. On the other hand, it feels like we've been over this tens of times recently, on HN specifically and IRL at work. Another blog post isn't going to convince leaders that this is how the world works when they are socially and financially incentivized to pretend like AI really will speed things up. So now I just wait for their AI projects to fail or go as slowly as previous projects and hope they learn something."
"I (somewhat jokingly) wrote one recently too... https://github.com/pnegahdar/nano in under 200 lines. REPL, sessions, non-interactive, approvals, etc. The smarter the models get the less the harnesses matter (outside of devx). Maybe one day I'll run it through SWE-bench."
"I understand the need for memory footprint in some situations, but what's the point of seeking performance for a software that mostly calls LLMs and waits?"
"Thanks, I've been tooling away in my spare time on my own version of this -- both to get a deeper understanding of agents (everyone suggests writing your own) and to help learn Rust. I'd like to retain `pi`'s configurability though, the ability to self-mutate and generate new tools is incredibly useful, particularly because I don't think any of these things should have access to arbitrary code execution through `bash` (of course, if they have access to, say, `edit` and `cargo run` they still have arbitrary code exec, but...) (so I tend to generate tools on the fly when I encounter something the no-bash agent needs to do)."
"I think this feeling of everything being too complex is a natural consequence of work that is done for long-term abstract ends, rather than immediate and local ones. At least I think it is for me. Working remotely for an international software company is great for its lifestyle flexibility, but sometimes I just want to be a baker, chef, bike repairman, etc. that solves an immediate problem for a real person standing in front of you. The loop of work opens and closes in a very short period of time, and every system you need to interact with is basically local and entirely defined. This is unlike the typical white collar job where the loop opens and closes quietly, if at all, months or years later. That leaves a feeling of incompleteness and thus a perception that you don’t really understand or control the systems you’re interacting with."
"> I used to want to do many things. Make great art, build great machines, solve important issues. Maybe our greatest gift to the world is to do as little as possible. To look at the birds, feel the wind and the water in our own hands, and ... nothing more. Eat when we are hungry, laugh when we are happy, cry when we are empty. And maybe that is the greatest gift to ourselves as well. This is not always true, it depends on who you are. If you are an employee at Meta, or work for Philip Morris, you'd certainly do more good for the world by doing almost nothing; staying home doing nothing would be more moral compared to going to work every day. Not so for doctors, nurses, teachers, and many other professions."
"Thought-provoking write-up. One part of this is the "meaning of human life". Part of that for me is: humans are the only known lifeform that can look at the stars and try to understand. And, to the best of our understanding, this ability arose from winning a billion biological lotteries, from the blind system of nature and natural selection which by complete coincidence stumbled on intelligence as a beneficial trait for reproduction, and optimized for it to the point of creating sentience and free will. It's this incredibly improbable event that I think gives humanity as a whole an obligation to try to understand and explore the universe. To not do so, I think, would be a waste of this incredibly unlikely "gift". And that appears to require complexity in order to understand and explore. Note I think this is an obligation of humanity, not necessarily every individual human. I think free will means individuals can choose not to. The other part of this is complexity of modern society. I'm not certain whether all the elements of modern society are necessary for this overarching meaning, and pieces of it could potentially be reduced, but I think it would be tricky. Society begins whether you want it to or not as soon as you have more than one individual with free will, and some complexity arises inevitably. But I haven't thought about this side as much; it's an interesting side of this discussion."
"25 cameras destroyed over the course of a year, and more than half were destroyed by a single person. This doesn't appear to be the widespread concern the headline makes it out to be."
"I've warmed to LLM-generated/assisted writing in general but this kind of stuff is just lazy and is basically "I got Claude to say something I agree with and then made it pretty"."
"Eventually toll cameras and a consortium of private businesses will have this tech and then game over. Better to use this energy and legislate the behavior you want. Never let the enemy decide the terms."
"I recently launched a text editor for iOS that uses TextKit 2 and is highly performant with files of 5,000 lines (I tested with Moby Dick from Project Gutenberg). I made it between Aug 2025 and Apr 2026, development is ongoing. Every keystroke is restyled in under 8ms: no debouncing, no delayed rendering. 20 rapid keystrokes are processed in 150ms with full restyling after each one. Tag and boolean searches complete in under 20ms. Visible-range rendering is 25x faster than full-document styling. 120Hz screen refresh supported. App file size was 722 KB for 1.0, and 1.1 with more features is looking like ~950 KB. If I can do it on iOS then it must be 10x easier on macOS. https://www.gingerbeardman.com/apps/papertrail/"
"Usually performance was the reason for using native APIs rather than web views, but this doesn't seem to be true any more. Browser rendering engines are pretty mature at this point, with significant GPU acceleration, and over a decade of stress-testing by bloated web apps. Meanwhile SwiftUI doesn't feel particularly fast. Apple's latest and greatest rewrite of System Preferences has dumbed down the UI to mostly rows of checkboxes, and yet switching between sections can lag worse than loading web pages from us-east-1."
"If you're on macOS, WebKit is a native OS framework. Using WebKit to render Markdown seems completely appropriate. Now, if you're rendering everything with WebKit, that's ridiculous, in the same way rendering everything with PDFKit would be ridiculous. But for a Markdown view, WebKit seems like a logical choice. There's no need to subsequently flip the table and replace everything with a Chromium web app."
"Agreed. The ideal implementation of AI for Apple is probably to finally make Siri work. This isn’t necessarily fancy, just let me set some calendar events without knowing the magic words or tell it to open Overcast and play the new Gastropod episode. Better yet, for power users, let me set up reusable shortcuts using natural language. The most important part of this is it doesn’t necessarily feel like AI. The user does not like AI for its own sake or the weirdos who ramble about putting them into a permanent underclass. The user likes messaging their friends and playing music. Too much of this hype cycle has no user in mind."
"Steve already gave away the secret [1] (must watch) a long time ago: "You have to work backwards from the customer experience." AI was never going to be on Apple's roadmap in a significant way because it's in their DNA to differentiate technology from products. [1] https://youtu.be/oeqPrUmVz-o?si=ndUU1H5D3pNifWss"
"This is a similar argument to "Dropbox is a feature, not a product" and it definitely rings true in this instance too. I remember the litany of applications that only supported sync through Dropbox. It had no ecosystem, its saving grace was that no one yet was operating a similar service at that scale. All the major AI companies are trying to manufacture their own ecosystems to become less disposable. They'll get away with it for a while, but only insofar as hardware prevents advanced use. Once we get that hardware[1] there will only be two types of AI companies: hardware manufacturers, and labs. Just like sync became trivial and ancillary, so will AI inference. [1] https://taalas.com/the-path-to-ubiquitous-ai/"
"Every AI subscription is a ticking time bomb for the frontier provider; within a few years we will be running local models as good as today’s frontier models with almost no cost burden. The floor will fall out of the enterprise market for all the frontier companies."
"Brad Gerstner confirmed that tokens aren't being sold at a loss. Whatever the formula, API + Subscription split, the companies are making a profit on net token sale. They may be running at a loss after all the salaries and stock comp, but tokens are in profit now."
"Although I agree with the sentiment in the article, it smells very LLM~y. Especially the sections and punchlines. Such as: `That is not a rounding error. That is a line item that needs its own budget code.`"
"This was a fun little read. Just through testing the examples, I also learned datalist does not seem to work well on mobile safari (which is a large enough market I might even say there’s essentially no scenario in which it’s worth using if there’s a compatibility issue)."
"> What if there’s a bunch of options, but for [reasons] we don’t want a user to be able to select a subset of them? Let’s add the disabled attribute to an optgroup. Seems broken in mobile Safari, not actually disabled, I can still select the disabled items."
"This was dope & comprehensive. Unfortunately we have a new class of devs that never learned HTML but went straight for React. Now with LLMs they will never learn HTML. Hence they reach for React components where simple HTML would have been sufficient."
"> I got curious about what writing more semantic HTML would feel like.
I've been teaching semantic HTML / accessible markup for a long time, and have worked extensively on sites and apps designed for screen readers. The biggest problem with Tailwind is that it inverts the order that you should be thinking about HTML and CSS. HTML is marking up the meaning of the document. You should start there. Then style with CSS. If you need extra elements for styling at that point, you might use a div or span (but you should ask yourself if there's something better first). Tailwind instead pushes the dev into a CSS-first approach. You think about the Tailwind classes you want, and then throw yet-another-div into the DOM just to have an element to hang your classes on. Tailwind makes you worse as a web developer from a skill standpoint, since part of your skill should be to produce future-proof readable HTML and CSS that is usable by all users and generally matches the HTML and CSS specs. But devs haven't cared about that for years, so it makes sense that Tailwind got so popular. It solved the "I'm building React components" approach to HTML and CSS authoring and codified div soup as a desirable outcome. Tailwind clearly never cared about any of this. The opening example on Tailwind's website is nothing but divs and spans. It's proven to be a terrible education for new developers, and has contributed to the div soup that LLMs will output unless nudged and begged to do otherwise."
"I really, really love Julia Evans' writing. She writes from a place of vulnerability and honesty. Most people write to sound smart and she writes to say "I don't know it all but there are some things I discovered I want to share." I almost feel like she writes to share things with people she loves, even though she doesn't know them directly. She spoke alongside Randall Munroe at the last Strange Loop (RIP). Some people waited to talk to him afterwards, but I waited to talk to her. I don't think she got my joke that she should rewrite her bash scripts into perl and for that I'm truly sorry."
"One thing that has always struck me about Tailwind is that practically every argument its proponents use more or less boils down to “I never learnt CSS beyond a junior level”. It’s super common to hear Tailwind advocates say things like “Without Tailwind, we would just have one big disorganised CSS file that always grows uncontrollably and ends up with loads of obsolete stuff in it and !important everywhere! Tailwind is so much better!”. CSS is a skill just like any other technical skill. If all you do is learn the bare minimum so you can bodge things until you get something that looks right, then your ambitions are going to outpace your ability to keep things organised very quickly."
"Here's the thing: I was first interested in Bun because it was written in Zig. I was interested in Zig because I respected Andrew Kelley's decision-making, and his taste matched my own. I got really excited about Bun for many reasons after that, but they essentially came down to a similar root: the decisions were ones that I respected and would probably have made myself if I had thought of them. I was a little concerned when Bun was acquired by Anthropic, but forced myself to remain cautiously optimistic. This behavior, though, is exactly the sort of decision-making that I don't respect. I've got nothing against Rust, but if this is how Anthropic is managing Bun, I can no longer bet on it being a reliable part of my toolkit. It isn't just the code, it's the thought behind it that I have to trust. I was so excited by Bun for many of the use-cases I have, but this just turns me off completely. This looks like an Anthropic internal-only tool, based on the behavior."
"What I don't understand is if they were going to translate Zig to unsafe Rust, why not just build a translation tool for it? You could do a one-to-one mapping of language constructs, hardcoding patterns in your codebase, and as one friend put it "Tbh they could've just hooked up zig translate-c to c2rust". They would get deterministic translation, it would probably not have been a heavy investment to build, and the output would have the same assurances as the input. In this case, I would trust the output even less than the input. The input was memory-unsafe but hand-written. The output is memory-unsafe but also vibe-coded and has had no eyeballs on it. What is the point of abusing agentic AI for this use-case?"
"This issue is misleading. The issue isn't the existence of undefined behavior that miri would catch. The issue is exposing an API that allows undefined behavior from safe code - which miri only catches if you go write the test that proves it. This isn't an altogether unreasonable thing to happen during an initial port of code from an unsafe language. You can, and the bun team seems to be, go around later and make sure that the functions where you wrap unsafe code do so correctly. Temporarily, in a porting stage, incorrectly marking some unsafe functions as safe isn't a real issue. It's a bit strange to merge it into the main repo in this state, but not a wholly unreasonable thing to do if the team has decided that they're definitely doing this. The only real issue would be if they made an actual release with the code in this state. It's also a bit unfortunate that they didn't immediately set up their tests to run in miri, if only because LLMs respond so well to good tests - I know they didn't do this not because of this github issue (which doesn't demonstrate that) but because there's another test [1] that absolutely does invoke undefined behavior that miri would catch. Though the code it's testing doesn't actually appear to be used anywhere so it's not much of a real issue. That said it's obviously early in the porting process... maybe they'll get around to it (or just get rid of all this unsafe code that they don't actually need).
[1] https://github.com/oven-sh/bun/blob/4d443e54022ceeadc79adf54... - the pointers derived from the first mutable references are invalidated by creating a new mutable reference to the same object. In C terms think of "mutable reference" as "restrict reference which a trivial mutation is made through". It's easy to do this properly, derive all the pointers from the same mutable reference, it just wasn't done properly.
PS. Spamming github just makes people less likely to work in the open. Please don't. We can all judge this work just fine on third party sites.
PPS. And we might want to withhold judgement until it's in a published state. Judging intermediate working states doesn't seem terribly fair or interesting to me."
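The two points in the comment above (a safe function wrapping unsafe code whose precondition it does not enforce, and raw pointers derived from one `&mut` being invalidated by a second `&mut` to the same object) reduced to a minimal Rust example. This is added illustration, not code from bun or from the linked test; the `Header` type, the function names and the byte values are made up for the example. All four functions compile and the sound ones pass plain `cargo test`; only `cargo miri test` distinguishes the unsound ones.

```rust
/// A tiny port-style header: imagine the C original took one `uint8_t *` and
/// wrote its fields through it. (Constructed for this example.)
pub struct Header {
    pub bytes: [u8; 4],
}

/// UNSOUND: `p` is derived from the first `&mut` reborrow of `h.bytes`, then a
/// second `&mut` to the same bytes is created and written through. Under the
/// aliasing rules Miri checks (Stacked Borrows / Tree Borrows) that second
/// reborrow invalidates `p`, so the later write through `p` is undefined
/// behaviour. The borrow checker cannot see it because `p` is a raw pointer,
/// and plain `cargo test` passes; `cargo miri test` reports it.
pub fn write_header_unsound(h: &mut Header) -> [u8; 4] {
    let p: *mut u8 = h.bytes.as_mut_ptr();
    let again: &mut [u8; 4] = &mut h.bytes; // fresh &mut: `p` is now stale
    again[0] = 0xCA;
    unsafe {
        *p.add(1) = 0xFE; // UB: no live borrow grants `p` write access
    }
    h.bytes
}

/// SOUND: derive every raw pointer from one reborrow and finish all raw
/// writes before touching the bytes through a reference again.
pub fn write_header_sound(h: &mut Header) -> [u8; 4] {
    let p: *mut u8 = h.bytes.as_mut_ptr();
    // SAFETY: `p` points at the 4 writable bytes of `h.bytes`, offsets 0 and 1
    // are in bounds, and no reference to `h.bytes` is used while `p` is live.
    unsafe {
        *p = 0xCA;
        *p.add(1) = 0xFE;
    }
    h.bytes
}

/// The API-level mistake the issue is about: the body is only correct when
/// `i < v.len()`, but the function is marked safe, so any safe caller can
/// trigger UB. Miri only catches it if some test actually passes a bad `i`.
pub fn byte_at_unchecked(v: &[u8], i: usize) -> u8 {
    unsafe { *v.get_unchecked(i) }
}

/// Fixed wrapper: the precondition is checked, not assumed, so the safe
/// signature is honest. (The other fix is `unsafe fn` with the precondition
/// documented; in real code `v.get(i).copied()` needs no unsafe at all.)
pub fn byte_at(v: &[u8], i: usize) -> Option<u8> {
    if i < v.len() {
        // SAFETY: bound checked on the line above.
        Some(unsafe { *v.get_unchecked(i) })
    } else {
        None
    }
}

fn main() {
    let mut h = Header { bytes: [0; 4] };
    println!("{:02x?}", write_header_sound(&mut h));
    println!("{:?} {:?}", byte_at(&h.bytes, 1), byte_at(&h.bytes, 9));
}
```

The "restrict" analogy in the footnote maps directly onto `again`: creating it asserts exclusive access to the bytes, which retroactively makes `p` a dangling borrow even though the address is still valid. Running the test suite under Miri is the cheap way to catch both mistakes, but only the safe-API one needs a test that actually passes an out-of-range index.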
"> The government says it needs this information to identify and interview witnesses who can testify about how the tools were actually used.
Why start this whole thing, if you don't already have this information and have people willing to help you as witnesses? Sounds to me they're saying they don't have this already, but why is this investigation happening in the first place then? Rather than finding every user of the tool, find the users who use the tool in the way you don't approve of, then request the information for those? Really bananas approach to go for "Every single user of the app" and "Everyone who bought a dongle" when it has very real and legal use cases."
"This "car-tinkering app" is used as a glorified GameShark for deleting factory emissions controls, I don't feel sorry for anyone who uses this to roll coal or whatever. Instead of investigating everyone on the list of users of this app, should the government instead ban diesel engines knowing their emissions controls software will be defeated? Should environmental regulations be relaxed? What is really the solution here?"
"It will start with subpoenaing this information against people who modified their car to do "bad" things. But once they have the precedent, I would predict that it will very quickly be used at the behest of car manufacturers to go after people who modify their cars to, say, disable GPS tracking."
"I followed the link to the Pixel 9 bug/exploit and saw this: "Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user" Haven't we learned our lesson on this? Don't read and act on my sms messages without me asking you to!"
""This is notably fast given that this is the first time that an Android driver bug I reported was patched within 90 days of the vendor first learning about the vulnerability." This makes me feel better about Google, but also makes me kind of frightened of the rest of Android. I wonder what Apple's response time is?"
"Semi-related: has the rate of published exploits picked up as of late, or is it simply the fact that there’s hype around AI as a security tool (offense or defense) so it’s simply in the news more often? Feels like there’s something new every other day - linux, windows, mobile, various commonplace tools used by everybody, the list goes on"
"I know people have opinions about cooldowns, but they would have saved you from axios, tanstack, and many other recent npm supply chain attacks. If you have Artifactory / Nexus, you probably already have cooldowns, but it's easy to set up if you don't.
Why cooldowns? Most npm (or pypi) compromises were taken down within hours; cooldowns simply mean: ignore any package with a release date younger than N days (1 day can work, 3 days is ok, 7 days is a bit of an overkill but works too).
How to set them up?
- use latest pnpm, they added 1 day cooldown by default https://pnpm.io/supply-chain-security
- or if you want a one click fix, use https://depsguard.com (cli that adds cooldowns + other recommended settings to npm, pnpm, yarn, bun, uv, dependabot; I’m the maintainer)
- or use https://cooldowns.dev which is more focused on, well, cooldowns, with also a script to help set it up locally
All are open source / free. If you know how to edit your ~/.npmrc etc, you don't really need any of them, but if you have a loved one who just needs a one click fix, these can likely save them from the next attack.
Caveat - if you need to patch a new critical CVE, you need to bypass the cooldown, but each of them has a way to do so. In the past few weeks, while I don't have hard numbers, it seems more risk has come from Software Supply Chain attacks (malicious versions pushed) than from new zero day CVEs (even in the age of Mythos driven vulnerability discovery)"
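The selection rule the comment describes (ignore any version published less than N days ago, then take the newest of what remains) as a stand-alone Rust example. It is added here and is not code from pnpm, depsguard or cooldowns.dev. The `versions` input mimics the `time` map of an npm registry packument (version -> ISO 8601 publish time); the entries in `SAMPLE_TIMES` and the `NOW` timestamp are constructed for the example, and a real resolver would fetch that map from the registry.

```rust
/// Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
/// `days_from_civil`), so the example needs no date crate.
fn days_from_civil(y: i64, m: u32, d: u32) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let mp = ((m + 9) % 12) as i64; // March = 0 ... February = 11
    let doy = (153 * mp + 2) / 5 + d as i64 - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    era * 146_097 + doe - 719_468
}

/// Parse "YYYY-MM-DDTHH:MM:SS[.fff]Z" (the shape the registry emits) into
/// seconds since the Unix epoch. Anything else yields None rather than a guess.
fn parse_iso_utc(s: &str) -> Option<i64> {
    let b = s.as_bytes();
    let shape_ok = b.len() >= 20
        && b[4] == b'-' && b[7] == b'-' && b[10] == b'T'
        && b[13] == b':' && b[16] == b':' && b[b.len() - 1] == b'Z';
    if !shape_ok {
        return None;
    }
    let num = |r: std::ops::Range<usize>| -> Option<i64> { s.get(r)?.parse::<i64>().ok() };
    let (y, mo, d) = (num(0..4)?, num(5..7)?, num(8..10)?);
    let (h, mi, sec) = (num(11..13)?, num(14..16)?, num(17..19)?);
    if !(1..=12).contains(&mo) || !(1..=31).contains(&d) || h > 23 || mi > 59 || sec > 60 {
        return None;
    }
    Some(days_from_civil(y, mo as u32, d as u32) * 86_400 + h * 3_600 + mi * 60 + sec)
}

/// Parse a release version into (major, minor, patch). Prereleases such as
/// "1.3.1-rc.1" and malformed strings return None and are never selected.
fn parse_release(v: &str) -> Option<(u64, u64, u64)> {
    if v.contains('-') {
        return None;
    }
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    let (a, b, c) = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() {
        return None;
    }
    Some((a, b, c))
}

/// Highest release whose publish time is at least `cooldown_days` old at
/// `now_iso`. Versions younger than the cooldown are simply invisible, which
/// is the whole mitigation: a malicious release that the registry pulls
/// within hours is never a candidate.
pub fn pick_cooled_version(versions: &[(&str, &str)], now_iso: &str, cooldown_days: i64) -> Option<String> {
    let now = parse_iso_utc(now_iso)?;
    let min_age = cooldown_days * 86_400;
    versions
        .iter()
        .filter_map(|(v, t)| {
            let published = parse_iso_utc(t)?;
            let triple = parse_release(v)?;
            (now - published >= min_age).then(|| (triple, v.to_string()))
        })
        .max_by_key(|(triple, _)| *triple)
        .map(|(_, v)| v)
}

/// Constructed packument `time` entries for the example.
pub const SAMPLE_TIMES: &[(&str, &str)] = &[
    ("1.2.0", "2024-04-01T00:00:00.000Z"),
    ("1.2.1", "2024-04-20T09:30:00.000Z"),
    ("1.3.1-rc.1", "2024-04-25T00:00:00.000Z"), // prerelease: skipped
    ("1.3.0", "2024-04-30T18:00:00.000Z"),      // 18 hours old at NOW
];
pub const NOW: &str = "2024-05-01T12:00:00.000Z";

fn main() {
    for days in [0i64, 1, 3, 40] {
        println!("cooldown {} days -> {:?}", days, pick_cooled_version(SAMPLE_TIMES, NOW, days));
    }
}
```

With a 1 or 3 day cooldown the 18 hour old 1.3.0 is skipped and 1.2.1 is chosen; with a 40 day cooldown nothing qualifies and the function returns None, which a resolver should surface as an error rather than quietly falling back to the newest version. That explicit failure is what makes the CVE caveat workable: bypassing the cooldown for an emergency patch should be a deliberate, visible step. npm itself has long had a related knob, `npm install --before=<date>`, which restricts resolution to versions available at that date.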
"What are the actual guarantees that go/Rust make that Python/npm don’t? It seems like it might just be that Python/npm are juicier targets? I’m starting to try and avoid all third party packages"
"There has been a lot of pain at my various jobs installing a safe global npm config on every developer machine, asking people not to disable it, checking it with mdm tools. A safer out-of-the-box configuration is long overdue."
"Not just Amazon, too. It feels like all of big tech (and some smaller firms) have simultaneously gone insane. Imagine if your CEO woke up one day and told the company: "We need to encourage travel spending. Please book as many business trips as you can, and spend as much money as possible. Fly first class to our satellite offices! Take limos instead of Ubers! Eat at fine restaurants! Make sure you are constantly traveling. In fact, we are going to make Travel Spending part of your annual performance review: If you don't spend enough on business travel, you'll get a low rating!" We are living in a totally bonkers time."
"Like six months ago we got a presentation from an AWS guy on the AI tooling available and how it fit with our particular use cases. At one point seemingly out of nowhere he pointed out on his screen share "Look at how many tokens I've used this month. I run so much Opus." It was a number that was offensively large. I remember thinking "That's a really odd flex, this crap is so expensive the fact that you use so much should be a red flag". He demonstrated a number of Claude Code use cases he had to manage and tweak AWS infrastructure that made me, the old greybeard sysadmin older than the internet, think "You've used AI to do something that was a single command." So this story makes sense. They were being encouraged to just blast away at it six plus months ago."
"Lots of people reporting their "I had to use up my tokens, so I burned them on worthless stuff" stories. Incredible thing to do in a climate emergency. Push harder guys, maybe we can hit 3C warming? This reminds me of the story of how the USSR nearly made whales extinct to meet a quota for whale meat that nobody wanted to eat."
"> BTW, I approached ABC about buying back the former FiveThirtyEight IP*, and they said they wouldn't sell at any price because I'd criticized their management of the brand.
-- Nate Silver (538 founder)
ABC seem pretty petty here."
"It's wild to me how often I see corporate America both:
1. Spend immense amounts trying to build and improve a brand.
2. Toss well known brands aside as if they are useless.
Not that it's always the same company doing both at the same time, but it's crazy 538 was just left to die. It was a very recognizable brand among wonky professionals, a very desirable customer base. It's not as if politics and sports have gotten less relevant in the world over the past decade. ABC's decision to toss this aside is baffling. Many of the 538 alumni seem to be doing well, either independently or as part of a major organization, so I don't think much was lost overall. But I sure empathize with the folks who lost their dream job and ABC looks pretty bad for frittering away a successful business for seemingly no reason. Taking down these articles is nonsensical."
"Really sad to see some of the best visualizations I've ever seen in my life being taken down. I've easily spent hours exploring and playing with their gun deaths visualization, p-hacking piece, gut microbiome explorable explainer and many others. Guess we better back up their GitHub repos before that gets taken down as well: https://github.com/fivethirtyeight"
"Must I beg to have an acronym spelled out at least once, the first time it's used? Even if you assume 90% of readers already know, the other 10% (including me, in this case) will thank you, it doesn't take much effort, and it expands the reach of your communication or idea. Exceptions for cases where the acronym is just so well known that a lot of people don't even know what it stands for even though they know the concept well. I recall one corporate training I was sitting through and they used the term "Border Gateway Protocol" and it took me a half beat to think through "oh, you mean BGP?" Thanks!"
"Replace ‘CTF’ with ‘high school’ or ‘university’ and you’ve described the total slow motion collapse of education; the only saving grace is that most of it requires in-person presence. We’ve figured out the human replacement pipeline it seems, but we haven’t figured out the education part. LLMs can be wonderful teachers, but the temptation to just tell it ‘do it for me’ is almost impossible to resist."
"I feel the post. For me AI has ruined both playing CTFs and also building CTF challenges. The most annoying thing to me is the "yeah idk but here is the flag" mentality. Before, playing CTFs with my mates was usually sitting there for hours tackling a challenge until some other mate joined, had a look together and solved it with you together in 30 minutes, which is the most rewarding learning experience. Nowadays a mate joins in, throws the clanker on it and solves it in 5 minutes. Asking how it worked you always get the "yeah idk what it did, but who cares, here is the flag" response. Same for creating challenges. Whenever I ask for writeups or if some people solved it differently I usually get the "yeah idk, clanker solved that one" response, taking the fun out of it. So yep, this CTF format is definitely dead. Mainly because of the strong competitiveness and prizes. This encourages people to cheese challenges, and sometimes solving them differently was fine as you still had a creative out-of-the-box thinking moment, but nowadays with AI there is no brainpower needed, no cheesing needed, no human needed. As you mentioned, it's pay to win. My two cents is that the 24/7 CTFs will get more traction as the scoreboard doesn't matter there and simply doesn't give you any prize."
"Which goes on to prove that the bottleneck isn't in writing the code. It is in reading and understanding the code. We all had that one "productive" engineer in our teams who would write huge PRs that would have large swaths of refactoring, whether warranted or not, and that was way before anyone could even imagine in their wildest dreams that neural networks could generate such huge amounts of code. The net effect of such a "productive" engineer was always that instead of increasing the team velocity, the team would come to a crawling pace, because either his PR had to be reviewed in detail, eating up all the time, and/or if you just did a cursory LGTM then they blew up in production, meanwhile forcing everyone back to the drawing board, but the project architecture would have shifted so rapidly due to his "productivity" that no one had a clear picture of the codebase, such as what's where, except that one "super smart talented productive loyal to the company goals" guy."
"Good time to mention this fantastic repo acting as a bot honeypot: https://github.com/UnsafeLabs/Bounty-Hunters
The corresponding leaderboard: https://clankers-leaderboard.pages.dev"
"Closing the program is totally reasonable. However, there is another option: Make submitters pay a nominal fee that is returned in the case that a real bug is found."
"I struggle with these world models from the perspective of video games (so this post is a particular perspective). I'm not a game developer myself, but some of my favorite games carry a deep sense of intentionality. For instance, there is typically not a single item misplaced in a FromSoftware game (or, for instance, Lies of P -- more recently). Almost every object is placed intentionally. Games which lack this intentionality often feel dead in contrast. You run into experiences which break immersion, or pull you out of the experience that the developer is trying to convey to you. It's difficult for me to imagine world models getting to a place where this sort of intentionality is captured. The best frontier LLMs fail to do this in writing (all the time), and even in code, and the surface of experiences for those mediums often feel "smaller" than the user interaction profile of a video game. It's not clear how these world models could be used modularly by humans hoping to develop intentional experiences? I don't know much about their usage (LLMs are somewhat modular: they can produce text, humans can work on it, other LLMs can work on it). Is the same true for the video output here? All this to say, I'm impressed with these world models, but similar to LLMs with writing, it's not really clear what it is that we are building towards? We are able to create less satisfying, less humane experiences faster? Perhaps the most immediate benefit is the ability for robotic systems to simulate actions (by conjuring a world, and imagining the implications). In general, I have the feeling that we are hurtling towards a world with less intentionality behind all the things we experience. Everything becomes impersonal, more noisy, etc."
"Model weights coming "soon" == currently vaporware. So the weights aren't even open, how can this be "open-source"? Everyone is right to be skeptical of this coming from a 2.8B model. Weights or it didn't happen."
"They all look like video games. I guess Unreal Engine is used to create synthetic data for training."
"I’m at a FAANG and we have a $300/day token quota. Personally I don’t use that much of it but management is pushing really hard for it. “The quota has been raised for a reason, use it”. Any task: “have you tried working on it with Claude?”. Every meeting: “now engineers x and y will show you what they did with AI”. It’s not all useless but most days I think I would be more productive if some processes were streamlined rather than if I had to throw tokens at them and still fail. Of all the showcases I’ve seen the best are the ones written by people assuming that the token bonanza will not last, so they used AI to build tools they wished they had. AI used to build the tool but by no means used by the tool, so if/when the token quota gets reduced we still have a functional tool."
"I feel in a really weird position where I both really dislike what AI is doing to the experience and practice of writing code, to the point where I want a job doing literally anything else besides using the computer, but also think that these tools are extremely powerful and only getting better. I think Mitchell's point is well taken -- it's possible for these tools to introduce rotten foundations that will only be found out later when the whole structure collapses. I don't want to be in the position of being on the hook when that happens and not having the deep understanding of the code base that I used to. But humans have introduced subtle yet catastrophic bugs into code forever too... A lot of this feels like an open empirical question. Will we see many systems collapse in horrifying ways that they uniquely didn't before? Maybe some, but will we also not learn that we need to shift more to specification and validation? Idk, it just seems to me like this style of building systems is inevitable even as there may be some bumps along the way. I feel like many in the anti camp have their own kind of reactionary psychosis. I want nothing to do with AI but I also can't deny my experience of using these tools. I wish there were more venues for this kind of realist but negative discussion of AI. Mitchell is a great dev for this reason."
"Maybe this is what will turn software engineering into an Engineering field. Right now, prompters are setting up whole company infrastructure. I personally know one. He migrated the company's database to a newer Postgres version. He was successful in the end, but I was gnashing my teeth when he described every step of the process. It sounded like "And then, I poured gasoline on the servers while smoking a cigarette. But don't worry, I found a fire extinguisher in the basement. The gauge says it's empty, but I can still hear some liquid when I shake it..." If he leaves the company, they will need an even more confident prompter to maintain their DB infrastructure."
"Hi! I'm one of the programmers at Gutenberg. We've been improving the site a lot over the past few months (and more is coming!). If you haven't visited the page recently, it's worth checking out again: https://www.gutenberg.org/"
"While PG has probably gotten a lot of use and growth with the growth/mainstreaming of the Internet since the 1990s, (TIL) it started back in 1971:
> Michael S. Hart began Project Gutenberg in 1971 with the digitization of the United States Declaration of Independence.[5] Hart, a student at the University of Illinois, obtained access to a Xerox Sigma V mainframe computer in the university's Materials Research Lab. […] This computer was one of the 15 nodes on ARPANET, the computer network that would become the Internet. Hart believed one day the general public would be able to access computers and decided to make works of literature available in electronic form for free. […]
* https://en.wikipedia.org/wiki/Project_Gutenberg"
"The best thing I ever did for my father was to buy him a kindle and an access point and show him how to use Project Gutenberg to get books. He loved the old writings (he being a GED holder who was in the Navy during Korea yet had read the entire Harvard Classics). He had a special rolled up towel he used to prop it on his lap in his favorite chair and he read and read and read. When he passed he was reading "Legends of the Jews" from 1931. I had some small e-correspondence with Michael S. Hart back in the 90's as well, and made a few modest contributions to the project, which made my English major undergraduate heart swell with pride and joy. I guess this is only to say that PG is special to me for these reasons, and I am glad to see it still thriving. <3"
"I work at Mullvad. (co-CEO, co-founder) Some aspects of the described behavior are as we intended and some are not. The cause is not exactly as described in the blog post. As for mitigation, we are already testing a patch of the unintended behavior on a subset of our infrastructure. If any of you try to reproduce the blog post's findings you may get confusing results throughout the day. We will also re-evaluate whether the intended behaviors are acceptable or not. Some of this is a trade-off between multiple aspects of privacy, and multiple aspects of user experience. Please note that this is my current understanding, which may change. I was only made aware of this an hour ago, and most of that time was spent talking with Ops, considering what to do immediately, and writing this post. Finally, for those of you who do security research: when you find a security or privacy issue, please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away."
"> As an example, imagine that you are a moderator on a forum and you suspect that a new face is actually a sockpuppet of a user you banned the day prior. You check the IP logs, and despite using different Mullvad servers, both accounts resolve to the overlapping float ranges 0.4334 - 0.4428 and 0.4358 - 0.4423. This gives you a >99% chance that they are the same person.
This sounds like how I'd design a VPN if I were an intelligence agency."
"> As an example, imagine that you are a moderator on a forum and you suspect that a new face is actually a sockpuppet of a user you banned the day prior. You check the IP logs, and despite using different Mullvad servers, both accounts resolve to the overlapping float ranges 0.4334 - 0.4428 and 0.4358 - 0.4423. This gives you a >99% chance that they are the same person.
I don't see how the author is arriving at this ">99% chance" purely from the numbers provided in the article. Assuming the first (banned IP) seed and the second seed are both in the range 0.4423 - 0.4358 (a stronger assumption than is justified by the example), all this tells us is that the first and second IP addresses both have seeds in a range that would contain 0.4423 - 0.4358 = 0.65% of all Mullvad users, which is 0.0065 * 100,000 = 650 users. We've eliminated >99% of users as "suspects", but we haven't actually gotten >99% accuracy in identifying an individual across multiple exit IPs. In more Bayesian thinking, the overlap in potential seeds is great evidence to think these IP addresses represent one and the same person (or Mullvad VPN account at least), but as far as I can tell, that's not what the author is saying."
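The Bayesian update the comment above sketches, made explicit as an added Rust example (not from the blog post or the comment). The only page-supplied figures are the overlap width (0.4423 - 0.4358 of the seed space) and the 100,000-user count; the two priors below, and the assumption that seeds are uniform and independent between users, are choices made for the illustration.

```rust
/// Posterior probability that two accounts belong to the same user, given that
/// both seeds fall inside an overlap of width `w` (fraction of the seed space).
/// Model, assumed for the example: a same-user pair lands in the overlap with
/// probability 1, a different-user pair with probability `w` (uniform,
/// independent seeds), so the likelihood ratio is 1 / w.
pub fn posterior_same_user(prior: f64, w: f64) -> f64 {
    assert!(prior > 0.0 && prior < 1.0 && w > 0.0 && w <= 1.0);
    let prior_odds = prior / (1.0 - prior);
    let likelihood_ratio = 1.0 / w; // P(overlap | same) / P(overlap | different)
    let post_odds = prior_odds * likelihood_ratio;
    post_odds / (1.0 + post_odds)
}

/// Expected number of *other* users whose seed also lies in the overlap: the
/// "650 suspects" arithmetic from the comment, generalised to any N and w.
pub fn expected_other_matches(users: f64, w: f64) -> f64 {
    (users - 1.0) * w
}

fn main() {
    let w = 0.4423 - 0.4358; // overlap from the post's example, ~0.65%
    let users = 100_000.0; // user count quoted in the comment
    // Prior 1: no suspicion at all, the new account is any one of N users.
    println!("uniform prior over all users: {:.4}", posterior_same_user(1.0 / users, w));
    // Prior 2 (assumed): the moderator already thinks it is a coin flip.
    println!("moderator already 50% suspicious: {:.4}", posterior_same_user(0.5, w));
    println!("expected other users in the overlap: {:.1}", expected_other_matches(users, w));
}
```

With the uniform prior the overlap moves the probability from 0.001% to about 0.15%: strong evidence (a likelihood ratio around 150) but nowhere near identification, exactly because roughly 650 other users share the range. The ">99%" figure only falls out if the moderator already holds something like a 50/50 prior from other signals, which is the unstated step the comment is pointing at.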
"This is really impressive. It's exactly what I imagined the original Microsoft Network in Windows 95 would have been like. And so The Microsoft Network wasn't a program you loaded like CompuServe. It was part of the OS, with folder icons that looked just like real folders. It was a kind of version of the Web where you could browse online data the same way you browsed your file system. This is what made it cool. It was as if the data was suddenly free of the shackles of being displayed in a program. Data wasn't just a web page, or a program showing its own internal databases. The Microsoft Network made it look like the data was right there, and you could click it and drag it around! For a brief time, back in 1995, it felt like we were on the verge of the true object-oriented web, a world filled with open data and free from the tyranny of the walled gardens.[1] It also reminded me what an excellent job Wikipedia does with their hierarchical classification which you don't see when you're often only searching by article name.
[1]: https://web.archive.org/web/20260129143542/https://www.coder..."
"Incredibly beautiful, possibly because it maps so well to the mental model we typically use to organize knowledge in our heads. I don't know how we lost the folder/container vs. document/content iconography, and other things (like layout of items, sorting) during the shift to web applications."
"Large scrollbars! Windows with borders! What a relief! This has become a forgotten art: we focus so much on CONTENT these days that we forget that people want to use the mouse to scroll, and use the mouse to resize windows."
"http://archive.today/xgkiS"
"Having spent time working in UK healthcare tech, I never understood why everyone was lining up to throw buckets of money at Palantir. Quite apart from being obviously evil and so on, none of their solutions were actually very good. Unfortunately, it's hard to escape the feeling that friends in high places, some lobbying and some er... reciprocal back scratching might have been instrumental. See also senior staff at NHS England (or Digital? can't remember) handing massive NHS compute contracts to AWS, and then leaving the civil service to become... an AWS employee."
"Palantir is very expensive. This is because:
1. they aim to deliver product company margins with a consulting-heavy model.
2. your software purchase funds a cadre of "free" FDEs and deployment strategists who customize your install, build a bunch of data pipes/transforms, and talk to people to figure out what all the data means.
This could be a good deal if your tech org is not very competent at integrating your data, or if you have a sudden, short-term need. In the longer term, it's probably cheaper and more effective to develop a competent tech team, modernize the source data systems, and roll your own integration -- but that also requires leaders with long-term vision who are resistant to external hype and pressure."
"(Someone deleted a comment about why you'd want a mobile Codex app. This is the answer I wrote.) Once you've used these coding agents a lot, you develop a pretty intuitive feel for how they work, what they're capable of, what they're good at, and where their weaknesses are. Hopefully, you're already pretty familiar with the code base you're working on. Combining the two, this means you can get quite far essentially "vibe coding" (i.e. not looking at the actual code) on a new branch. So if you have some idea or some issue you want to fix on the go, you just iterate with the agent for a bit (presumably no more than a couple hours) until the agent outputs an implementation. Here, I do claim there is some "skill" (which is a function of your codebase familiarity, general SWE ability, and facility with AI agents), and if you're good, this implementation will be halfway decent a high percentage of the time. Then when you're back at your desktop, you can review the changes carefully/do some proper testing/debugging etc. But you've saved a good chunk of time: an initial draft is already waiting for you."
"What's crazier is that Codex is free. I thought I had to pay to even try it out but nope, you can use the desktop app or cli for free, it's apparently included in the free plan. You just have to sign in to your ChatGPT account. Of course I am aware that the caveat here is that all my interaction is part of training, but I’m fine with that. Even Qwen Cli discontinued the free plan."
"I’ve been using Codex from my phone for the past couple of months (through a tunnel, not this app). I was initially quite excited, but I’ve found the results are less than great compared to being at a keyboard. Something about the smaller screen size and/or lack of keyboard causes me to direct the agent less, which in turn creates more tech debt/code churn/etc. Maybe I’m just showing my age, and I should practice voice dictation or something more, but my thoughts flow faster and more clearly on a keyboard (less ums)."
"Wait a minute - clearly I missed something here. Last I read, Mythos was only available to a handpicked list of megacorps under project glasswing. Did the hourly changing AI soap opera air yet another plot twist that I missed amidst my quest better known as “trying to find a job”?If not, how’d a small time outfit get access to something the rest of us can’t have because we’re (apparently) not trustworthy enough?No shade on these guys - I’m thinking it’s just another plot twist in “Hours of AI’s Lives”."
"Well, this was a fun read. Discovering such a high-ranking critical exploit within a week by coupling experts with frontier models is an amazing new journey we're about to embark on."
"So like ... I thought Mythos was just a bunch of hype? Or maybe the researchers are having their skills boosted due to using a model with such a cool name?I jest, but I did notice having more confidence to take on more ambitious work lately. We're all centaurs now."
"As a security person it is tiring to see so many people here either directly claim or at least allude to the claim that this is somehow much less scary because the _published_ exploit does not bypass ASLR. The writeup claims there is a way to reliably bypass ASLR with this attack. And that is a good default assumption I would be willing to believe without evidence.ASLR is a defense-in-depth technique intended to make exploitation more difficult. In almost all cases it is only a matter of time and skill to also include an ASLR bypass. Both requirements continue being lowered by LLM agents every few weeks. It is only a matter of time (and probably not a lot of time) until a fully weaponized exploit is developed. It may be published, it may also be kept private.It is straight up wrong to say "if you have ASLR enabled, you're not at any risk from this" and saying this is extremely harmful for anyone that trusts claims like that.This wrong belief that you shouldn't care about security vulnerabilities because mitigations may make exploitation more difficult has already caused so much harm in the past. Be glad that modern mitigations exist, but patch your stuff asap. If you are a vendor, do not treat vulnerability reports as invalid because the researcher has not provided an ASLR bypass. Fix the root cause and hope mitigations buy you enough time to patch before you get owned."
"This one's pretty bad but there are some preconditions.Requires a "rewrite" directive with a question mark in the replacement string, and then a subsequent "set" directive that references a regex capture group (e.g. set $var $1).Also the POC assumes ASLR is disabled."
"The official F5 page is here: https://my.f5.com/manage/s/article/K000161019

As noted elsewhere, ASLR protects you. While you are waiting for your affected platform to get the fix, they note the mitigation: "use named captures instead of unnamed captures in rewrite definition" and "To mitigate this vulnerability for this example, replace $1 and $2 with the appropriate named captures, $user_id and $section".

F5 patched 1.31.0 and 1.30.1.

OpenResty has a patch for 1.27 and 1.29: https://github.com/openresty/openresty/commit/ee60fb9cf645c9...

You can track OpenResty's (a Lua application server based on Nginx) progress here: https://github.com/openresty/openresty/issues/1119"
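The three comments above describe the precondition for the nginx rewrite/set issue and the named-capture mitigation, but neither the thread nor the F5 page gives a way to check a config for it. Here is an added example, not from the thread and not F5's or nginx's own tooling: a POSIX shell triage script that scans an nginx config for a `rewrite` whose replacement string contains a `?` and unnamed captures, followed in the same block by a `set` that references `$1`, `$2`, ...; it embeds a constructed weak config beside the same config rewritten with named captures as the mitigation describes, and it reports the host's ASLR setting instead of assuming it. The detection heuristic is my own reading of the description above and an assumption, not a vendor check; the sample configs are constructed; a clean result is no substitute for the fixed versions.

```shell
#!/bin/sh
# Added example, not from the thread or from F5's advisory.
# Flags the precondition the thread describes: a `rewrite` whose replacement
# contains '?' and uses unnamed captures ($1, $2, ...), followed in the same
# block by a `set` that references an unnamed capture. The heuristic is an
# assumption based on that description; it is not the vendor's check and
# finding nothing is no substitute for upgrading.

# Print the kernel ASLR setting (2 = full randomization) or "unknown".
# The published PoC assumes ASLR is disabled: verify rather than assume.
aslr_status() {
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        cat /proc/sys/kernel/randomize_va_space
    else
        echo unknown
    fi
}

# Scan one nginx config file. Exit 0 and print the offending lines if the
# rewrite/set pattern is present, exit 1 otherwise.
scan_nginx_conf() {
    awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    /^[ \t]*rewrite[ \t]/ {                   # rewrite <regex> <replacement> [flag];
        repl = $3
        if (index(repl, "?") > 0 && repl ~ /\$[0-9]/) {
            armed = 1; rw = NR ": " $0; next  # "?" plus $N in the replacement
        }
        armed = 0; next
    }
    armed && /^[ \t]*set[ \t]+\$[A-Za-z_][A-Za-z0-9_]*[ \t]+.*\$[0-9]/ {
        print "rewrite at line " rw
        print "set     at line " NR ": " $0
        found = 1
    }
    /[{}]/ { armed = 0 }                      # a block boundary ends the pairing
    END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample showing the weak pattern (assumption: mirrors the
# thread's description, not a real deployment).
write_weak_sample() {
    cat > "$1" <<'EOF'
server {
    location /users/ {
        rewrite ^/users/(\d+)/(\w+)$ /profile?id=$1&section=$2;
        set $user_id $1;
        set $section $2;
    }
}
EOF
}

# The same config after the mitigation F5 describes: named captures in the
# rewrite, and nothing references $1/$2 any more.
write_fixed_sample() {
    cat > "$1" <<'EOF'
server {
    location /users/ {
        rewrite ^/users/(?<user_id>\d+)/(?<section>\w+)$ /profile?id=$user_id&section=$section;
        set $uid $user_id;
    }
}
EOF
}

# Run the scanner over one constructed sample ("weak" or "fixed");
# returns 0 if the pattern was flagged, 1 if the config is clean.
check_sample() {
    tmp=$(mktemp)
    if [ "$1" = fixed ]; then
        write_fixed_sample "$tmp"
    else
        write_weak_sample "$tmp"
    fi
    scan_nginx_conf "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh nginx_rewrite_triage.sh [/etc/nginx/nginx.conf]
echo "kernel randomize_va_space: $(aslr_status)"
if [ $# -gt 0 ]; then
    scan_nginx_conf "$1" && echo "pattern present in $1" || echo "pattern not found in $1"
else
    check_sample weak  && echo "constructed weak sample: flagged"
    check_sample fixed || echo "constructed fixed sample: clean"
fi
```

The scanner only looks at the replacement field of `rewrite` and at `set` directives in the same block, so a `rewrite` split across lines or captures consumed elsewhere (for example in `proxy_pass` or `return`) will not be reported; treat a hit as a reason to apply the named-capture change and schedule the upgrade, and treat a miss as inconclusive.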
"It seems like the fair solution to this problem is to open source server code if you are going to cease support for an online game. That way the community has the opportunity to run their own servers if they want to.I also really support giving 60 day notice if an online game is going to shut down. Places I have worked have had policies like that for games they are sunsetting and I think the best game publishers think a lot about how to do that operation. It's not simple, because if people think a game is going away their behavior changes. And nothing sucks like buying online content for a game right before it shuts down. No matter what you do people will tell you they didn't know the game was shutting down. And if you give away content that you previously sold that also sometimes angers the community.The problem is when companies know a game isn't working they tend to want to shut it down right away because the money they spend keeping it up is never coming back. And maybe the company is going to die too. So I do support a law for a 60 day notice."
"I happen to be shutting down an online game right now.https://www.tyleo.com/blog/sunsetting-rec-room-how-to-give-a...The sad truth is that these things have high operating costs, especially if they need moderation. I would guess this bill just makes it more risky to make the games in the first place. It’s already brutally hard to make money on games.I feel like the effect of this might just be that shutting an online game makes it more likely to take a whole company down if you have to issue refunds. Alternatively, it might push multiplayer games towards other business models like ads, free-to-play, or subscription."
"I doubt it's possible for legislation to mandate meaningful compliance regarding something as dynamic and rapidly evolving as online games. Despite good intentions, such legislation often results in unintended consequences including distorting the market, creating perverse incentives or even making the problem worse.Serious problems are already apparent. Games offered “solely for the duration of [a] subscription." aren't regulated, which will greatly accelerate the death of perpetual licensing. A world where no games are available for outright purchase and offline use would be disastrous for players and historical preservation.It would be better if they'd focus on narrower problems where they can make a positive difference. For example, mandating a freely distributable end-of-life patch to remove online activation from DRMed games. Creating a patch and uploading it once to the Internet Archive isn't a big enough burden to make companies modify their biz model or deploy armies of lawyers and MBAs to circumvent. When it comes to rapidly evolving technology, the best regulations are clearly defined, narrowly scoped and cheaper to comply with than avoid or game."
"DwarfStar4 is a small LLM inference runtime that can run DeepSeek 4. The blog post implies that it currently requires 96GB of VRAM.For others who are lacking context :-)"
"I'm very curious where we will saturate the curve on "enough" intelligence for coding. At some point, you can let a less smart model hammer at a problem for longer and get to the same result, and as long as you are not involved it comes to the same thing. I feel like DeepSeek V4 Pro is nearly there. Maybe Flash is too.Once we hit that point, I am curious how much of Anthropic's current business model falls apart? So far it's always been clear that you just pay for the most intelligent model you can get because it is worth it. It now seems clear to me that there is limited runway on that concept. It is just a question of how long that runway is. I honestly wonder how much of their frantic push to broaden out into enterprise / productivity is because they see this writing on the wall already."
"Great to find this narrow focused thing:> We support the following backends: Metal is our primary target. Starting from MacBooks with 96GB of RAM. NVIDIA CUDA with special care for the DGX Spark. AMD ROCm is only supported in the rocm branch. It is kept separate from main since I (antirez) don't have direct hardware access, so the community rebases the branch as needed. > This project would not exist without llama.cpp and GGML, make sure to read the acknowledgements section, a big thank you to Georgi Gerganov and all the other contributors.Edit: aww, doesn't seem to support offloading to system RAM[0] (yet)[0] https://github.com/antirez/ds4/issues/108Guess I'll have to keep watching the llama.cpp issue[1][1] https://github.com/ggml-org/llama.cpp/issues/22319"
"> Even after the modem is removed, if you connect your phone to the car via Bluetooth then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota. However, if you use a wired USB connection then it does not do that (see the discussion here and elsewhere), so I exclusively use CarPlay via USB.The problem with this is that both carplay and android auto capture their own vehicle telemetry. So even though the car is not able to use your phone as a general data pipe, Google and Apple still get access to this data when you're connected.They are both very cagey with how they talk about this (or don't)."
"I have a few-year-old Volkswagen. I'm security conscious and made sure to disable all the data collection I could find in the companion app, turn off remote access services, dig through the infotainment to turn off what I could, etc.Last year I requested a Carfax on it, and one of the fields in the request was current mileage. I entered an estimate like 75000 miles. On form submission, that field failed validation with the red subtext along the lines of 'this is less than the last reported mileage of 75345, reported <5 or so days prior>'. Checking my odometer and looking at my past few days' trips, that was indeed accurate.The car hadn't been to a shop or out of my possession in weeks, so I can only assume the telemetry was still dialing home and selling to third parties despite my best efforts to disable it.Anecdotal and not unexpected in the grand scheme, but it still surprised me."
"I have the same car and want to do this, but not for the reasons the author noted but because the GPS unit in the car is broken when paired with Carplay and has the wrong compass heading causing navigation to be completely useless.I have reported this to Toyota multiple times with videos detailing the problem and they have denied the problem and ultimately when faced with the evidence simply refused to fix it.I've been a big fan of Toyota's Production System and their management culture, but this experience has really diminished the brand for me. I realize these problems exist with all cars today. The pattern seems to be to foist low-quality hardware and software on their customers and take no responsibility for the results. Software bugs aren't what they consider a "typical car problem" so they simply don't fix them."
"When announcements say that the rewrite took 1 week, I wonder how much time went into preparing this file with very detailed instructions on mapping Zig to Rust idioms: https://github.com/oven-sh/bun/commit/46d3bc29f270fa881dd573...On top of that, if you look at the 'Pointers & ownership' and 'Collections' sections, the Bun codebase is already prepared, using internal smart pointer types that map 1-to-1 to Rust equivalents, and the `bun_collections` Rust crate already exists.This gives the impression that the rewrite was prepared a long time ago and was the Bun team's proposition to Anthropic during the acquisition deal."
"Still writing the blog post about this. Will share more details.For where this is coming from, skim the bugfixes in the Bun v1.3.14 and earlier release notes. Rust won’t catch all of these - leaks from holding references too long and anything that re-enters across the JS boundary are still on us. But a large % of that list is use-after-free, double-free, and forgot-to-free-on-error-path, which become compile errors or automatic cleanup."
"$ rg 'unsafe [{]' src/ | wc -l
10428
$ rg 'unsafe [{]' src/ -l | wc -l
736

Language      Files    Lines     Code  Comments  Blanks
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Rust           1443   929213   732281    116293   80639
Zig            1298   711112   574563     59118   77431
TypeScript     2604   654684   510464     82254   61966
JavaScript     4370   364928   293211     36108   35609
C               111   305123   205875     79077   20171
C++             586   262475   217111     19004   26360
C Header        779   100979    57715     29459   13805"
"Besides the people in this thread bemoaning the state of research funding, international students, etc. (all of which are valid), a lot of people are becoming disillusioned with academia. Probably 80% of the recent PhD grads I know are looking to leave academia, despite the fact that they went into it to pursue a career in academia. The median science PhD takes 6 years now, and is grueling work for terrible pay, all for difficult job prospects given the current market. MIT recently became one of the first universities to get a grad student union to try and combat the increasingly exploitative nature of academia. I can see how undergrads may look at how AI can do most of their homework assignments, and see how miserable grad students are, and decide that they don't want to continue down that path."
"What a Rorschach blot. Comments range from AI to immigration to doomsday results for USA.The admin's statement in TFA speaks more to financial policy and grant declines. Unfunded students are much less likely to accept an admission. That's just a fact of life."
"Academia is about to go through a generational reset. The system is broken and the market only tolerates broken systems for so long.There are a ton of great things that come out of universities but it’s also clear that a model of charging folks well into the six-figures for a useless degree that doesn’t prepare them for the workforce is dead and a reckoning is underway.Many schools will fail and shut down. Of those left they will be much smaller and with tremendous focus on bringing the cost-value equation back to a defensible reality."
"I have been bothering the VM team for years for VM GPU pass through. I worked on the Apple Silicon Mac Pro and it would have made way more sense if you could run a linux VM and pass through the GPU that goes inside the case!Sadly, as you can tell, they have not taken me up on my requests. Awesome that other people got it working!"
"Excellent article.The game benchmarks are fun but the LLM improvements are where this gets really interesting for practical use. I love Apple platforms as an approachable way to run local models with a lot of RAM, but their relatively slow prompt processing speed is often overlooked.> Here you can see the big issue with Macs: the prompt processing (aka “prefill”) speed. It just gets worse and worse, the longer the prompt gets. At a 4K-token prompt, which doesn’t seem very long, it takes 17 seconds for the M4 MacBook Air to parse before we even start generating a response. Meanwhile, if you strap the eGPU to it, it’ll only take 150ms. It’s 120x faster.The prefill problem goes unnoticed when you’re playing around with the LLM with small chats. When you start trying to use it for bigger work pieces the compute limit becomes a bottleneck.The time to first token (TTFT) charts don’t look bad until you notice that they had to be shown on a logarithmic scale because the Mac platforms were so much slower than full GPU compute."
"> Because OpenGL is not well-supported anymore on macOS, the game is completely unplayable there, even with CrossOver. Ironically, it plays totally fine on a Windows PC, but this is a game you literally can't play on Mac without this eGPU setup.I understand that this is true. It seems that Doom does support Vulkan, but you would need to add VK_NV_glsl_shader to MoltenVK. Probably much less work than what went into hanging an RTX 5090 off of an M4. Still, kudos to Scott, and the local AI inference speeds are pretty cool. What a crazy project! <applause>"
"I'm increasingly convinced that there's a killer app waiting for whoever can come up with a UI that makes claude code or codex accessible to the average user.Onboarding my non-software engineer teammates to it has super-charged them and essentially given them all their own personal developer that can automate tasks for them. Managing codebases, etc. is still a hassle though.90% of the power of Excel was that it was functionally a database that a normal person could actually use. I think we'll see something similar with coding agents."
"You are absolutely right. I shouldn’t have paid that invoice from ScamInc. Would you like me to help you file for bankruptcy?"
"I understand why this is a good idea. I have Claude Code hooked up to my mail synced via IMAP, my Mercury read-only token, and beancount, and it gets almost all of my invoices and categorizes them. The tedious portion for a lot of this is:* find invoice I_E for expense E* associate and categorize E based on I_E and transaction fieldThese things are annoying but Claude Code is great at it and it leaves a much smaller set I have to manually resolve. This is a class of problems that are tractable and checkable, which I happily use LLMs on. If it miscategorizes it, I'm going to see it because I'm looking over the accounts. In fact, I was previously using a different accounting app which had poor API support, so I dumped it so I could use Claude and it's incredible how much this helps me.There is an enormous number of use-cases that Claude/GPT are good for and the hard part is market penetration here. As an example, my dad was looking at some statistical health survey data in India and working out what things you could glean from it. Claude identified the things that would complicate his analysis in no time. He's 70 years old, and he'd done it all manually until he asked me (I've got a Mathematics degree) if something made statistical sense to do. I told him what it likely was and then asked him to try Claude. Knocked out his work and mine in moments. But he didn't think to use it. Now I have to get him a ChatGPT/Claude subscription.It's like how if you go to the Datadog pricing page they don't list a feature set. They have all these use-case lists with prices. You can build things using their base metrics functionality and logs functionality but showing the use-cases must have more adoption."
"I can't relate that much to this. Every time I use AI to write code, I'm constantly fighting a feeling on the back of my neck that I need to look over everything it has done and supplement/alter it with my own code. That ick feeling counteracts the dopamine hit of having a working app after a few minutes of vibe coding, and I don't think that's going anywhere anytime soon.That said, I have experience. I could absolutely see myself falling into this as a junior or even mid level dev. I'd no doubt not feel that feeling on my neck if it wasn't scarred from code review lashings early in my career by knowledgeable mentors."
"As a developer, I kind of feel like this all smells like job security.After using LLMs for a while, I have to admit it's pretty nice, and I like using it. I've been vibecoding a few apps, and it's a good dopamine hit to immediately see your ideas come to life. However, based on my experience, it will bite you if you trust it blindly. Even in my vibecoded projects, it keeps adding "features" without me asking for them. Since they're just pet projects, I don’t really care as long as the end result is what I'm expecting, but I don’t think companies will be as flexible. I also don't think customers would like it if features changed or got added with every new fix or update.So this could go in a bunch of different directions from here, but to summarize the current situation: A lot of companies are heading in this direction. Without proper engineering, AI will easily write more code and potentially change the application unintentionally. We will have fewer junior engineers entering the market because of fear around AI and reduced hiring. AI usage will hit a critical point where it is making massive amounts of changes, and the people "prompting" it might start getting overwhelmed. We will end up with more features that people have to keep in their heads. I don’t think we can trust LLMs 100%, and because of that, developers will still need to know exactly what the application does. Eventually, there will be a lot of bugs, and developers will complain that we need additional human resources. Hiring starts again. I think, right now, the toughest position is for new developers, and the best position is for people already in the market."
"We talk a lot about the risks of AI in schools, but those same risks apply in any learning environment.I recently started a new job and I find that AI is making it so much harder for me to onboard. I am adjusting to my role much slower than my peers who are using AI less. I am coding in a language I am unfamiliar with, which makes the lure of vibe coding stronger. I am at least skilled enough to recognize when Claude gives me an answer that either makes no sense or is unnecessarily verbose. But the more time I spend asking Claude to write code, the less I feel like I'm developing the skills that the job requires. Plus, when I submit a PR, I lack the necessary confidence in my own work, which just feels bad.Honestly, another part of this is that I'm asking Claude to search through Slack and docs for answers to questions when I should just ask another person. The AI is feeding my social anxiety, luring me into avoiding human contact that I know will be good for my understanding as well as my general need for social interaction.That all sounds like I am absolving myself of responsibility, but I think it's important to point out how a given technology is especially addictive for a certain type of person, and traps them in a negative behavioral cycle. If I hold off on relying on AI now, I suspect I can grow in my skills to the point that I can delegate tasks to AI that are rote and easy for me to verify their results. It feels challenging, but it's necessary."
"> The penalty is a 1-year ban from arXiv followed by the requirement that subsequent arXiv submissions must first be accepted at a reputable peer-reviewed venue.This is incredibly good for science. arXiv is free, but it's a privilege not a right!I'm not seeing this clearly listed on https://info.arxiv.org/help/policies/index.html so it's possible this is planned but not live yet - or perhaps I'm not digging deeply enough?As a certain doctor once said: the whole point of the doomsday machine is lost if you keep it a secret!"
"Seeing the usual LLM hypers angrily replying to this on twitter is such a tell. Just like the comments on the LLM poisoning articles, some people just can't accept that some people don't like LLMs and get upset when you put any amount of hindrance to their rapid acceptance."
"https://xcancel.com/tdietterich/status/2055000956144935055"
"This is so exactly right and I've been saying it to whoever will put up with me...(and now am embarrassed I have no link to show for it. oh well, shame is good for writing. envy too!)Software production is now so easy that everything is a .emacs file (pronounced "dot emacs" btw): meaning, each individual has their own entirely personal, endlessly customizable software cocoon. As tptacek says in the OP, it's "easier to build your own solution than to install an existing one" - or to learn an existing one.Another good analogy, not by coincidence, is to Lisp in general. The classic knock against it—one I never agreed with but used to hear all the time—is that Lisp with its macros is so malleable that every programmer ends up turning it into their own private language which no one else can read.Tangential to that was Mark Tarver's 2007 piece "The Bipolar Lisp Programmer" which had much discussion over the years (https://hn.algolia.com/?query=comments%3E0%20The%20Bipolar%2...). He wrote about the "brilliant bipolar mind" (BBM) - I won't get into how he introduces that or whether fairly or not, but it's interesting given how "AI psychosis", in both ironic and unironic variants, is frequently mentioned these days.From Tarver's article (https://www.marktarver.com/bipolar.html):The phrase 'throw-away design' is absolutely made for the BBM and it comes from the Lisp community. Lisp allows you to just chuck things off so easily, and it is easy to take this for granted. I saw this 10 years ago when looking for a GUI to my Lisp [...] No problem, there were 9 different offerings. The trouble was that none of the 9 were properly documented and none were bug free. Basically each person had implemented his own solution and it worked for him so that was fine. This is a BBM attitude; it works for me and I understand it. It is also the product of not needing or wanting anybody else's help to do something.Sounds pretty 2026, no? He goes on:The C/C++ approach is quite different. 
It's so damn hard to do anything with tweezers and glue that anything significant you do will be a real achievement. You want to document it. Also you're liable to need help in any C project of significant size; so you're liable to be social and work with others. You need to, just to get somewhere. And all that, from the point of view of an employer, is attractive. Ten people who communicate, document things properly and work together are preferable to one BBM hacking Lisp who can only be replaced by another BBM (if you can find one).---When production is so easy, consumption becomes the bottleneck [1], and suddenly sharing is a problem. This is why the Emacs analogy is so good. A .emacs file is as personal as a fingerprint. You might copy snippets into yours, but why would you ever use another person's? (other than to get started as a noob). You just make your own.The more customized these cocoons get, the harder they are for anybody else to understand—or to want to. It isn't just that another's cocoon has too high a cognitive cost to bother learning when you can just generate your own. It's also uncomfortable, like wearing someone else's clothes. The sense of smell somehow gets involved.I would call this, maybe not AI psychosis, but AI solipsism.In software it's fascinating how configuration management (that boringest of all phrases) is becoming the hard part. How do you share and version the source? What even is the source? Is it the prompts? That's where the OP heads at the end: "share it somewhere — or, better yet, just a screenshot and the prompts you used to make it." 
But when I floated a couple trial balloons about whether we might use this for Show HN—i.e., don't just share the code you generated, because that's not the source anymore; instead share the prompts—we got a lot of pushback from knowledgeable people (summarized here: https://news.ycombinator.com/item?id=47213630).These dynamics can only be what's behind the pipe-bursting pressure that Github has been under. What a Github successor would look like is unclear, but as a clever friend points out, there will have to be one. Projects and startups along these lines are appearing, but we seem to be in the horseless carriage phase still.Even more importantly, what happens to teamwork? If we are all a BBM now—or rather, if we all have personal armies of BBMs, locked in a manic state, primed at all hours to generate things for us-and-only-us—how do we work together? How do cocoons communicate, interoperate? What does a team of ai solipsists look like? It sounds oxymoronic.My sense is that a lot of software teams, startups and so on, on the cutting edge of AI-driven / agentic development, are currently contending with this, not (only) philosophically but practically, e.g. how does my generated code compose with your generated code. With these frictions we presumably end up giving back some portion (how much? who can say?) of the productivity gains of generated code [2]. One would expect such effects to show up over time, as the systems being built this way grow in complexity and maintenance/development tradeoffs become things.I don't see many talking about it publicly yet though, which is a pity. No one wants to be the first to stop clapping and sit down during an obligatory standing ovation, but it's a bummer if you can't (yet) tell interesting stories about downsides and instead have to pretend that this is the first free lunch, the only downsideless upside that ever existed. 
It makes the discussion performative and probably slows evolution, since the experiments, ironically, are happening in silos.These are the people doing the most serious and real and advanced work with the new tools (edit: I mean in the field of software dev), so it sucks if all talk of downsides is left to the cynical/curmudgeonly contingent, who for whatever good points they may, er, generate along the way, are obviously wrong about AI having no value for software dev. It's easier to talk about AI wiping out the human race than, say, bug counts going up or productivity levelling off after a while.Mostly I just want to know what's really going on! and how people are dealing with it and how it is developing over time. Do I have to like go to meetups or something?[1] That's why a recent paper used the title "Easier to Write, Harder to Read" - https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6726702[2] Ran across this saying the same thing, a bit more strongly, the morning after I posted the above. https://x.com/fchollet/status/2054917282015445076. Maybe we'll get the conversation after all!"
"Software that today is overwhelmingly prepackaged and usually professional, which I think at this point the nerds should reclaim:

* Podcast apps
* Music listening apps
* Feed readers
* Bluesky clients
* Note-taking apps
* Desktop bookmarking/read-later apps
* Chat and instant messaging
* Time trackers
* Recipe managers

These are all things that you can get better-than-replacement-grade results from Claude on --- not necessarily the best, not necessarily the most globally competitive, but certainly an application more closely tailored to exactly what you want it to do for your own idiosyncratic work style.Music.app is a miserable experience, and I can just tell as I use it that it's miserable trying to serve me. But Apple long ago factored all the meaningful bits out of Music.app into MusicKit. Why am I still using Music.app? MusicKit is the real product now. This is new."
"I've absolutely engaged in making personal software [0] thanks to the age of LLMs.But to be honest, my time using Emacs didn't teach me to "build personal software". My Emacs set up was extremely brittle, and it was a nightmare when I tried to use it across Windows & macOS. My university project was written using an unholy combination of org-mode & some workflow to create a beautiful LaTeX file, and I couldn't tell you how to recompile it (if I were to try, I'd probably get an LLM to literally translate it to LaTeX).I want my life to have as little maintenance as possible, and making my own software for everything isn't always compatible with that.[0]: A rewrite of a NETFX application in Rust, simply because the 20 minute installation time irked me: https://github.com/bevan-philip/wlan-optimizer"
"Why do payment processors do it? Why do people in America not want to earn more money from commissions? Strong church lobby? Legal risks? I think it's mostly religious groups who are against adult content and sex, or are there other groups?Also this is why we should work to increase circulation of cryptocurrency. No stupid religious restrictions and stupid political sanctions.Also why are PornHub and OnlyFans immune to the religious lobby?"
"The left-right coalition against porn makes relief for Kickstarter or Stripe unlikely.FOSTA-SESTA, the law that increased liability for platforms facilitating porn, passed 388-25 in the House and 97-2 in the Senate back in 2018. Every senate Progressive except one voted yes, including Sanders, Warren, Kamala Harris (AG against Backpage), Booker, etc. Anti-trafficking feminist groups like NOW backed that legislation, or were silent on it. Similarly, media outlets were either quiet or in vocal support, i.e., the NYTimes 2020 attack on Pornhub."
""Forced to ban adult content by payment processors"If you go through and click all the links and hunt down the source, the final source underlying it all is a comic author who says, without quoting anything, or any proof, that that's the reason why. Just a random guy saying that Stripe made them ban it, without any evidence.I'm the King of England. There, I guess I "am" the King of England, because all it takes is for a random person to make a statement and it becomes true."
"I was a grad student @ Princeton a handful of decades ago. I was a TA for a few classes and, given the honor code, we did not proctor the exams for undergrads. We just handed them out (left the room) and returned to collect them at the end.
- One of the exams in a course that I TAed had 5 free-response questions.
- There were also 5 TAs in that class, so we un-stapled the exams and each TA graded one question (for consistency).
- We re-assembled the exams and returned them to the students.
- A few days after the exam, one of "my" students (she attended my recitation) came to me with her exam and explained that I had incorrectly graded question 2.
- I told her that I didn't grade question 2, so she had to go take it up with "TA #2".
- A few hours later, "TA #2" pays me a visit and she (TA #2) is annoyed. She tells me, "Your student is trying to pull a fast one. She answered Q2 incorrectly. She erased her answer and put in the correct answer and she wants it re-graded."
- I briefly defended the student and said something like, "Why would she do that... and how could you even know?"
- "TA #2" responded with "... because I photocopied all of the student responses after I graded them."
- Then I felt like a piece of shit for doubting my fellow TA. And felt even worse being naive enough to not be suspicious.
- "TA #2" and I brought all of this info up with the prof. who was running the course.
- We were told that the situation would be handled by an Honor Committee or something like that. We forwarded the information to the committee, but no one spoke to us and we were not allowed to participate in the deliberations.
- After about a week, all we were told was that the student was able to explain the "discrepancy" between her exam and the photocopy.
To this day, I have no idea what that student could have possibly said to explain her actions. After that, I started photocopying every damned scrap of paper that I graded. Edits for clarity:
The student did not get a zero on the exam, nor was she booted from the course. I don't remember if she was given credit for Question 2, but the TA and I were both expecting her to be tossed, which obviously didn't happen."
"People blame AI but in reality it's more about America transitioning from a high-trust society to a low-trust one."
"Princeton is a strange place. What on earth could be the objection to proctoring? I'd much rather have a proctor than have to narc on a classmate. And even then, the proctor just reports the matter to a student-run body? Wild."
"For the past days I've been participating (albeit over Teams) in a conference relevant to my industry (intel), basically startups and established companies showcasing their products to a closed audience of EU gov. officials. One thing I noticed right away is that all companies were asked "Can we fully host this from within EU or our country" by the various people in the audience. Every single one. Many of the startups had slides prepared for this. Definitely a change, because it is not something I can recall being important just a couple of years ago."
"I started the process of this back in January and now, at least in terms of product hosting, I'm fully migrated to European infrastructure (https://bannermedia.ltd). It didn't come without a bit of pain, but I'm glad I've done it - and to go with this I've ended up building a whole Terraform setup for cross-provider / cross-region high availability within Europe. So far my key mappings included:
- Cloudflare -> Bunny CDN (and honestly I am so impressed with Bunny so far)
- AWS (or similar) -> Hetzner + OVH; I'm also looking at Civo.com for UK presence.
- GitHub -> Forgejo. I do actually still operate in GitHub for development-only work, however Forgejo is mirrored within my European private network, and that's where deployment workflows happen.
- Google Analytics -> Self-hosted Umami.
I'll be doing a writeup fairly soon on the entire process."
"While I agree with him that the US is becoming more unpredictable, I don't think the EU is much better, especially with regards to digital things, where they can be worse in some ways. For example, they are discussing restricting VPN access for 'child protection' [1]. [1] https://www.europarl.europa.eu/thinktank/en/document/EPRS_AT..."
"It's maddening that quite a few people are jumping to defend Bambu here. Principally, if you sell a device with a certain functionality and you later modify that device to remove that functionality, that is called theft. It does not matter the slightest bit whether you break into someone's house to physically alter the device or whether you remotely install a malicious software update to do that. But what's even more insane here is that some people are claiming that Bambu Lab would somehow have the right to do this, because while Bambu Lab might not have the right to limit the hardware they already sold (which they did, and these people just pretend did not happen), they have the right to limit their printer client software under the license conditions they impose on it from the beginning, when their printer client is literally a modification of AGPL-licensed software. The entire point of the GPL is to prevent people like Bambu Lab from doing exactly this. The AGPL is literally the single license with the most restrictions on Bambu Lab to ensure that the users of the software — the customers — do not have any restrictions in what they can do with it. Some people are seeing this situation and just decide to side with the company against their customers on imposing restrictions on an already sold product after the sale, and they are literally making shit up to justify it. Edit: For people who do not know what this is about: Someone modified AGPL software to re-enable features of these 3D printers that Bambu Lab stole after the sale, and Bambu Lab sent a legal threat to them to stop distributing the software."
"This looks to be a clone of the prior state of the repository that caused all the Bambu drama earlier this week. I did a ton of research because I didn't understand what people wanted here, and this is what's going on: Right now, Bambu have adjusted their system into two modalities:
* "default" or "Cloud" mode, where you get an app, remote monitoring, but you have to use Bambu Studio or Bambu Connect to send prints. They implemented this by adding cloud auth to their "internal API;" the client application has to get a token from Bambu's servers, even if the request it eventually makes is a "local" one.
* LAN / Developer mode, where the device displays a token and you put it into your app. This disables all of the remote monitoring but in exchange, clients can send prints locally.
What users want is to "have their cake and eat it too;" they want the local token authentication _and_ the cloud authentication enabled at the same time. This isn't actually possible, so this plugin approximates it by emulating the interface to the cloud authentication to make the "Bambu Network" cloud RPC calls from a local slicer (one of these calls is a local_print call, so ostensibly this allows you to send prints without running them through the cloud, although with all of the online functionality still enabled and required, this seems like a pretty brave thing to trust). Personally, I find the Bambu reaction distasteful, and there's an argument that the offline mode only exists due to similar outrage, but I don't see the current system as particularly bad and find the appetite to restore "untrustworthy" cloud functionality a bit amusing."
"A lot of the distrust toward Bambu is because they originally announced cloud auth would be required even for printing locally in LAN mode, and only backpedalled on that when they saw the backlash. I'm not sure why their entire domain has been excluded from archive.org but you can still see the original post for now: https://blog.bambulab.com/firmware-update-introducing-new-au... -- > Critical Operations That Require Authorization: The following printer operations will require authorization controls: Binding and unbinding the printer. Initiating remote video access. Performing firmware upgrades. Initiating a print job (via LAN or cloud mode). Controlling motion system, temperature, fans, AMS settings, calibrations, etc."
"Everyone seems to be leaving GitHub, and forgetting the entire spirit of what git is in my eyes. Git was always meant to be decentralized; the problem here is that all the tooling around git was centralized to GitHub because it was a cleaner experience, they scaled nicely, and were properly maintained. I would prefer to still see mirrors on GitHub that are auto-synced, because I've seen projects for years either self-host or go somewhere niche, then the GitHub mirror dies or is removed, and said projects go poof to the sands of time for one reason or another, completely gone. Everyone seems to be picking some random git host alternative, and some of them are really simple to use. Git is decentralized; GitHub is just another place you can host your code, but you can push your code to multiple remote servers."
"The real game changer would be completed Federation [1] support. This is why I am donating to both Forgejo [2] and Codeberg [3] and urge everyone to do the same, to give more time and resources for the Forgejo team to implement it properly. Another good contender is Radicle [4][5], which is completely decentralized on top of Git. [1] https://codeberg.org/forgejo-contrib/federation/src/branch/m... [2] https://liberapay.com/forgejo [3] https://donate.codeberg.org/ [4] https://radicle.dev/ [5] https://radicle.network/nodes/seed.radicle.dev"
"I have also moved my git repositories to a self-hosted NUC. I have not yet bothered with an HTTP frontend to share it with the world, mostly because I don't want to provide AI scrapers with content and don't want to put the work in to block them. It's a shame that all these companies that benefited from open source have poisoned the industry like this."
"I have three locality domains, all with different registrars in Oregon. Two are with unique delegated locality domain registrars (think old school consultancies or ISPs that still exist) and one directly via localitymanagement.us (GoDaddy/USTLD). One of the registrars is from an out-of-state operator that has been dead for three years. I tracked his widow down and had a number of cordial conversations over about 18 months. I've helped his widow renew some personal domains, but she's recently told me that she's going to stop paying the hosting bill of the locality registrar and it'll shut down June 1st. I've offered to take over hosting; we'll see if she is convinced. Several other locality users will likely also see their domains disappear once that happens, as the USTLD registrar will require a notarized letter from the city/county of that domain to approve any "new" (new in their system) domains. Not easy for any mid or large sized city in the US. I love locality domains, clearly, but the bureaucracy applied since the start has piled up over the years. I do worry that this poor Seattle ISP is going to get DDoS'ed by outsiders (find an appropriate locality, please, if you go down this route) due to the popularity of this article, though! RIP Jon."
"Unfortunately the author is correct that you’re pretty screwed if the locality is no longer delegated. I messaged GoDaddy to register one in Boston; they asked for a _notarized_ letter on the local government's letterhead approving. No one within the Boston city government knew what their procedure would be, and those willing to say yes didn’t have a notary around. They ended up citing a state law indicating that no locality domains were to be used for _government_ purposes in MA as their reason to say no, when of course that has no bearing on private use… If anyone would like to band together to push the city of Boston or Cambridge to start approving these, please let me know! I can revive some email chains."
"This list of them (supposedly 7388; didn't realize there even were that many?) can apparently now be registered online, replacing the email method in the OP: https://localitymanagement.us/registrar/domain/delegatedzone... Edit -- seems like the server has been "slashdotted" by this thread; I was finally able to get an account created but can't log in. Doesn't seem very well coded anyway, since I was apparently able to change the password twice using the same activation link lol."
"At the 1996 ATypI meeting in Den Haag, one of the speakers coined the term “stereotypography” to refer to certain clichés that get used in type usage. Another case of this is the use of Neuland and Neuland Inline to represent Africa, and of course the assortment of faux Chinese fonts that were ubiquitous on Chinese takeout menus in the 80s and 90s (and probably still are, but are there still takeout menus in the era of Grubhub?)."
"Does the Back To The Future logo really count? Raiders of the Lost Ark has a very similar style but does not evoke "future". Yes, there are subtle differences. My point is, if you divorced them from the connection to their content, I think it would be hard to point to one as "future" and the other as "not future"."
"Needs a (2016). > Posted on February 18, 2016 by Dave Addey. Great read otherwise. I know the author mentions their book; I do wonder if he covers the history of how these fonts came to be so standard... for future stuff."
"Obsidian CEO here. We've been working for nearly a year to launch this new Community site and review system. I'm very excited about this first version but there are many more improvements to come. I've tried to be exhaustive with the blog post, FAQs, and next steps on our roadmap, but I am sure I forgot some things, so feel free to ask! This has been an incredibly challenging project for a number of reasons. We're only seven people but we have thousands of plugin developers and millions of users. There are many competing priorities to balance. We wanted to make sure the new system would be easy to adopt, backwards compatible, and not completely break people's workflows, while still being a major improvement over the old approach, and allow us to gradually continue enhancing the security and discoverability of plugins. Consider it a work in progress. We're listening to everyone's ideas and gripes, and will keep iterating :)"
"For those not aware, it has basically been impossible to submit new plugins due to the manual review (and how easy/fun it is to write a plugin with AI). The developer community was becoming increasingly frustrated, and the team was burning out under the load. So congrats to the team! This relieves a huge scaling bottleneck. It has been really cool to see how y'all build and scale."
"I’m not convinced that automated checks will be able to reliably assess whether a plugin is malicious. I think the best (only?) way to solve the plugin security problem would be to properly sandbox them with an explicit API and permission system."
"Am I correct that this has come about because archive.org respects robots.txt and these sites have blocked their crawler from indexing their sites? I'm not sure how to articulate my thoughts on this exactly, other than to say it's disappointing that doing the right thing (i.e. respecting robots.txt) is rewarded with the burden of soliciting responses to a petition, while at the same time others are rewarded with profit for ignoring those same directives."
"I think the problem is that when Archive.org has access to NYT and other publisher content, people can scrape NYT content at scale from Archive.org even when they cannot do so directly on NYT. If Archive.org blocks scrapers, maybe the publishers would make different choices and allow Archive.org access."
"Idea: allow scraping but can’t publish for 1 year?"
"> [Opexus] said that “the individuals responsible for hiring the twins are no longer employed by Opexus.” Getting close to the classic Monty Python line: "Those responsible for sacking the people who have just been sacked, have been sacked." Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible, including terminating all access immediately, (b) never give second chances to anyone with any sort of criminal record (even, say, decades-old marijuana possession or something). I'd prefer a more balanced version: limit unilateral access to sensitive systems in general (not just of recently-fired employees), when someone is fired immediately shut off particularly sensitive credentials if they do exist (but not their general-purpose login/email account), avoid hiring people convicted of wire fraud as sysadmins, hash your @!#$ing passwords, etc."
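The "hash your passwords" point above, as an added example that is not code from the article or from Opexus: a salted, memory-hard password record using `hashlib.scrypt`, verified with a constant-time comparison. The record format (`scrypt$N$r$p$salt$hash`), the work factors and the function names are this example's own choices.

```python
"""Password storage with a salted, memory-hard KDF (hashlib.scrypt).

Added example; the record format, work factors and function names are this
example's own choices, not anything from the article or from Opexus.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Current policy: cost 2**14, block size 8, parallelism 1 (about 16 MiB RAM).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024   # upper bound handed to OpenSSL
SALT_BYTES = 16                    # 128-bit random salt per password
DKLEN = 32                         # derived key length in bytes


def derive(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    """Run scrypt over the UTF-8 encoded password with the given parameters."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=SCRYPT_MAXMEM, dklen=dklen)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.

    Storing the parameters beside the hash lets verification keep working after
    the policy is raised, and lets needs_rehash() find records made under the
    old policy so they can be upgraded at the user's next successful login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Optional[Tuple[int, int, int, bytes, bytes]]:
    """Split a record into (n, r, p, salt, expected_hash); None if malformed."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[1:4])
        return n, r, p, bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    try:
        candidate = derive(password, salt, n, r, p, len(expected))
    except ValueError:          # e.g. a tampered record with n not a power of two
        return False
    # hmac.compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the record is malformed or weaker than the current policy."""
    parsed = parse_record(record)
    if parsed is None:
        return True
    n, r, p, salt, _ = parsed
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P or len(salt) < SALT_BYTES


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Tr0ub4dor&3", rec))                      # False
```

Because each record carries its own salt, two users with the same password get unrelated hashes, and a leaked table cannot be attacked with one precomputed dictionary for all rows; `needs_rehash` is what lets an operator raise the work factors later without a forced password reset.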
"> At 4:58 pm, he wiped out a Department of Homeland Security database using the command “DROP DATABASE dhsproddb.” This article is hilarious. The two bickering brothers remind me of the guys in the Ocean's movies played by Casey Affleck and Scott Caan. It’s amazing they got this close to sensitive data."
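A statement like the one quoted above is exactly what a database audit log should surface the moment it runs. As an added example (not from the article), this scans constructed PostgreSQL-style `log_statement` lines for destructive SQL, grades each hit, and notes whether the role is on a hypothetical change-control allowlist; every name and value in the sample log is made up.

```python
"""Flag destructive SQL in a database statement log.

Added example, not from the article: the log lines are constructed in the
shape of PostgreSQL's log_statement output, and the DDL role allowlist is a
hypothetical change-control policy. All names and values are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One log_statement line: "<date> <time> <tz> [<pid>] <user>@<db> LOG:  statement: <sql>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.+)$"
)

# Checked in order; the first pattern that matches sets the severity.
DESTRUCTIVE = [
    (re.compile(r"^\s*DROP\s+DATABASE\b", re.I), "critical"),
    (re.compile(r"^\s*DROP\s+(TABLE|SCHEMA)\b", re.I), "high"),
    (re.compile(r"^\s*TRUNCATE\b", re.I), "high"),
    # DELETE with no WHERE clause: "DELETE FROM <table>;" and nothing else.
    (re.compile(r"^\s*DELETE\s+FROM\s+\S+\s*;?\s*$", re.I), "high"),
    (re.compile(r"^\s*ALTER\s+TABLE\b.*\bDROP\s+COLUMN\b", re.I), "medium"),
]

# Hypothetical allowlist: roles permitted to run destructive DDL under a ticket.
DDL_ROLES = {"dba_change_mgmt"}


@dataclass
class Finding:
    ts: str
    user: str
    db: str
    severity: str
    sql: str
    note: str


def classify(sql: str) -> Optional[str]:
    """Return a severity for destructive statements, None for everything else."""
    for pattern, severity in DESTRUCTIVE:
        if pattern.search(sql):
            return severity
    return None


def scan(lines) -> List[Finding]:
    """Parse log lines and return one Finding per destructive statement."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:            # tolerate unrelated or malformed lines
            continue
        severity = classify(m["sql"])
        if severity is None:
            continue
        if m["user"] in DDL_ROLES:
            note = "role is allowlisted for DDL; confirm a change ticket exists"
        else:
            note = "role is NOT in the DDL allowlist; treat as unauthorized"
        findings.append(Finding(m["ts"], m["user"], m["db"], severity, m["sql"], note))
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2025-03-10 16:42:10 UTC [4181] app_svc@prod_example LOG:  statement: SELECT id FROM cases WHERE status = 'open';",
    "2025-03-10 16:50:31 UTC [4190] app_svc@prod_example LOG:  statement: DELETE FROM sessions WHERE expires_at < now();",
    "2025-03-10 16:55:02 UTC [4203] dba_change_mgmt@prod_example LOG:  statement: ALTER TABLE cases DROP COLUMN legacy_flag;",
    "2025-03-10 16:57:48 UTC [4210] contractor_x@prod_example LOG:  statement: TRUNCATE audit_events;",
    "2025-03-10 16:58:00 UTC [4210] contractor_x@prod_example LOG:  statement: DROP DATABASE prod_example;",
    "this line is not a statement log entry and is skipped",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.ts} {f.user}@{f.db}: {f.sql}  -- {f.note}")
```

The allowlist check is the part that pairs with the "limit unilateral access" point: a DROP from an allowlisted DBA role still gets logged and reviewed against a ticket, while the same statement from any other role is flagged as unauthorized regardless of whether the account was technically still valid.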
"> On March 12, 2025, a search warrant was executed at Sohaib’s home in Alexandria. Agents grabbed plenty of tech gear but also turned up seven firearms and 370 rounds of .30 caliber ammunition. Given his former crimes, Sohaib should have had none of this. For god's sake, don't commit crimes while you're committing crimes."
"It's great, except the war is obviously for Israel, not oil; we had more access to oil before the war."
"Wow - the writing in this is fantastic. This is genuinely hilarious!"
"Why was this removed from the front page? It was number one just a couple minutes ago"
"I was just wishing something like this existed last week. What timing. I'm piping sensor readings into DuckDB with a Deno server, and couldn't use duckdb -ui to look over the data without shutting down the server. I had no interest in using the server to allow me to look at the contents of the db, so I was just going to live with it for now. This perfectly solves that, along with several other similar kinds of problems I've encountered with DuckDB. DuckDB is my favourite technology of 2025/26. It has worked its way into so many of my workflows. It's integral to how I work with LLMs, how I store all kinds of data, analytics, data pipelines... I love it."
"This is rad. I've been eyeballing using DuckDB in my firm's internal app framework and this just solved the "but how do I horizontally scale this" problem. Kudos to the DuckDB folks. Love "Quack" for the protocol name, too."
"Been working on open-source projects involving storing and querying observability data (metrics, logs, traces) in Parquet [0] and have been frustrated with the usability of Apache Iceberg … despite strongly agreeing with and wanting to use an open storage format and catalog. This makes DuckLake much more interesting for my use case; excited to see where this is going. [0] https://github.com/smithclay/duckdb-otlp"
"Full disclosure: I've never owned a Bambu because I've never loved the idea of a "closed" ecosystem 3D printer; however, I have used them, and am very familiar with the 3D printing space beyond Bambu. For anyone considering alternatives: you should know that almost all other 3D printers expect you to know a little more about how they actually work than Bambus do. Bambus are as close as you can get to a "just works" type experience, but modern alternatives from others are nowhere near as hard as they used to be. The closest "easy" alternative is probably Prusa, but you'll pay significantly more for a Prusa machine than you would a Bambu. They're an excellent company, and the complete opposite of Bambu when it comes to openness. If money is no object, Prusa is highly recommended. Beyond Prusa, there are a lot of other options; this list is a good one: https://auroratechchannel.com/#section2 I personally run an old Elegoo Neptune 4 Pro - but my needs are quite low. If I were buying today, a Snapmaker U1 or the Creality K2 Plus is probably where I'd end up going."
"This sentence in Bambu Lab's blog post is wild: > We have documented incidents of service outages caused precisely by spikes in unauthorized traffic - overwhelming the servers, causing service disruptions affecting everyone. The cost was instability felt by all users. So it's a problem that their printers are popular, and they can't be bothered to scale their infra, so let's gate everything based on USER AGENT STRING! This is so crazy of an excuse that I don't believe it."
"Funny how fast people forget. LAN mode was NOT part of their original plan until outrage like this happened last time. They shifted their course and changed their blog post after. Putting pressure as a customer is how you steer a company’s direction."
"So, I'm only slightly trying to be a smartass here, but... who is this for? They are marketing what is ostensibly a computer for people who seem to not want to use a computer, in scenarios that I don't think even exist. Beyond that, this is a laptop that is running a really shitty, 'apps only, no you cannot do anything useful with this' operating system. I have an awful lot of complaints about macOS's relatively restrictive use cases, but it's still at least a general purpose OS. Android on a laptop is very much not. This is an overgrown phone with all the trash that comes with a phone, and the very finite use cases that come with a phone, only now it has a keyboard. It's solving none of the problems with Android as an operating system and doesn't seem to even be interested in doing that anyway. The marketing is demoing use cases that don't even exist. So I repeat my question: who is this for?"
"I see the vision here, which the top commenters (sorry, couldn't read all of them) seem to miss. This should be a moonshot bet on the next generation of user experience. People are complaining about apps, but the idea here should be to make apps irrelevant as a concept. You don't need "apps", you need data feedable to an LLM and a visualization toolkit for presenting results. And maybe some tools to manually wrangle the data when precise manipulation is required. On paper, this sounds amazing. Like "out of sci-fi books" amazing. The caveat, though? I very much doubt Google has the capacity to execute this properly. And we'll get another half-baked attempt at reskinning Chromium and/or Android."
"Would prefer a 'Google Linux'—a native desktop OS with a unified UI philosophy, similar to a macOS experience but built on a standard Linux foundation. Instead of ChromeOS or Android as the base, treat them as subsystems for compatibility. The real 'next big thing' would be integrating an engine like Gemini with OS-level hooks (similar to the OpenClaw approach) so agents can manipulate app windows and state directly. Resurrecting Web Intents as 2-way App Intents would be the key to making this work. Also, keeping prompts as local .md files with an Obsidian-like system editor would be a huge win for power users. Simply gating Gemini behind 'premium' Chromebooks feels like the old 'licking the cake' strategy from the Google+ days—trying to force a new product's success by co-opting existing hardware rather than building a superior platform. I can imagine having Gemini + local Gemma working with agents, which have access to my e-mail (ideally on Gmail, but also supporting Outlook), keeping a local history of my visited sites and messages... and using RAG or something even better, ideally also looking at repos I have checked out to my file system, and maybe even the whole file system.... A work-related e-mail about "sending invoice to customer"... it may suggest proper content for the e-mail. Having a "dashboard" with a summary of today's communication to you, your tickets (at work) and so on.... Can Google build such a thing? If somebody can, it will be them. Will they build it? Probably not; they would prefer to build a 3rd version of Google Pay."
"Invisible scroll bars are a source of constant annoyance. And it sometimes takes me several attempts to move a window, because of all the various clickable things without visible boundaries. Frustrating."
"You might be looking at these old Unix GUIs thinking they're shit compared to now, but actually, at the time, they were shit too."
"Amazing walk through memory lane, and super useful. One big omission though - starting in the early 1990s, we should be seeing some Linux desktops in there, but I didn’t see any through 1995 or so, when I stopped browsing. Also, Irix would be nice to get — although I don’t recall if SGI had much in the way of custom vibes for their window managers, they certainly had amazingly cool 3D demos. A nice vibe coding project here would be to show these in a carousel with the UI being 1:1 pixels. It’s hard to understand just how different NeXTStep (did I capitalize that correctly?) felt from Windows — part of it was refresh rates, but part of it was going from 800x600 to 1132x800-ish on the monitor. Color, refresh rates, monitor quality, a cool plastic color and design for the box were all part of the experience."
"Misread the title to mean that They Live inspired the concept of adblocking in general. Which would have been an interesting coincidence, since it did inspire one of the early Mozilla logos [0]. [0] https://www.jwz.org/blog/2016/10/they-live-and-the-secret-hi..."
"I wish I could upvote this 10 times! I love the film - blew my mind when I saw it on cable just after it came out."
"Replacing ads reminds me of the EyeTap AR stuff by Steve Mann: https://news.ycombinator.com/item?id=44406552"
"I'll give you the cheat sheet:
- Good design is a single idea pervaded throughout.
- More generally, your goal should be to minimize surprise.
- If your system allows it, people will do it.
- Everyone will not just. If your solution starts with "if everyone will just..." then you don't have a solution.
- Isolate the parts of your system that transform data from the ones that use it. Data models outlive code.
- Coupling is the root of most evil.
- Versioning is inevitable.
- Make state explicit.
- Every piece of information should have a single source of truth.
- You should spend more time thinking about naming things correctly.
- If testing is difficult, the design is wrong.
- You will regret every undocumented decision.
- Communication is a tax that you should justify before paying it.
Remember that the job of an engineer at any level is to use rules of thumb to solve problems for which there is incomplete information."
"The recommendations are often very good, for example Ousterhout's A Philosophy of Software Design, but seem to be on software development in general, not actually software architecture in particular. For that, I would recommend the classic texts, such as Software Architecture: Perspectives on an Emerging Discipline (Shaw/Garlan) and really anything you can find by Mary Shaw, including more recent papers that explore why the field of software architecture did not go the way they foresaw, for example Myths and Mythconceptions: What Does It Mean to Be a Programming Language, Anyhow? or Revisiting Abstractions for Software Architecture and Tools to Support Them. More practically: look at why Unix pipes and filters and REST are successful, and where they fall down and why. Hexagonal architecture is also key. And a plug for my own contribution, linking software architecture with metaobject protocols as a new foundation for programming languages and programming: Beyond Procedure Calls as Component Glue: Connectors Deserve Metaclass Status, an answer to Mary Shaw's Procedure Calls Are the Assembly Language of Software Interconnection: Connectors Deserve First-Class Status. Answering the question: if procedure calls are the assembly language, what might a high level language look like? And also maybe that software architecture might have a brighter and more practical future ahead of itself."
"The best way to learn architecture is to:
1. Maintain a large enough project. Not create, but support.
2. Do it for at least a couple of projects.
If the project is too small, any architecture works fine. "Large" can be in terms of lines of code, but better in terms of people who ever worked on it, or even better -- teams. At least two different projects is to have something to compare. I've seen people stuck for decades on one project and not knowing any modern ways to solve a problem. But often the architects are the ones who got promoted because they created, not maintained, a project. Especially visible in Google, as you don't get promoted for maintaining anything, only for shipping something new (and better to jump off as soon as possible afterwards). Counterintuitively, the people in the best position to be architects are actually side contractors from head shops, who get invited to maintain an existing project no one from the company is willing to (as they all jumped off to where promotions go). First, they have to maintain an architecture, and second, they did it on several projects, so they can compare. The downside, though, is that if they bill by the hour, they tend to over-complicate the architecture to bill more hours."
"Because the most important parts of the expertise come from their internal "world model" and are inseparable from it. An average unaware person believes that anything can be put in words and once the words are said, they mean to the reader what the sayer meant, and the only difficulty could come from not knowing the words or mistaking ambiguities. The request to take a dev and "communicate" their expertise to another is based on this belief. And because this belief is wrong, the attempt to communicate expertise never fully succeeds. Factual knowledge can be transferred via words well; that's why there is always at least partial success at communicating expertise. But the solidified, interconnected world model of what all your knowledge adds up to cannot. AI can blow you out of the water at knowing more facts, but it doesn't yet utilize them in a way that allows surprisingly often having surprisingly correct insights into what more knowledge probably is. That mysterious ability to be right more often comes out of the "world model"; that is what "expertise" is. That part cannot be communicated; one can only help others acquire the same expertise. Communicating expertise is a hint where to go and what to learn; the reader still needs to put in effort to internalize it, and they need to have the right project that provides the opportunity to learn what needs to be learnt. It is not an act of transfer."
"As a /senior/ developer I really dislike blanket statements. I've seen the same amount of failures caused by
> “Do we really need that?”
> “What happens if we don’t do this?”
> “Can we make do for now? Maybe come back to this later when it becomes more important?”
as with experimenters. Every system is different, every product is different. If I were building firmware for a CT scanner, my approach towards trying out new things would be different than for a CRUD SaaS with 100 clients in a field that could benefit from a fresh perspective. There are definitely ways to have eager/very open seniors drive systems into hard-to-get-out-of corners. But then there are people that claim PHP5 is all you need."
"Most proofs of concept I've seen get traction turned into production. A rewrite? I recall a few times everyone promised, if this gets promoted then we will rewrite it from zero. Never happened. The article touches on responsibility, accountability. There is none for the risk taker. By definition. You have a crazy idea, you rush it out, you hope clients bite. You profit. It's not even your problem how to make it work, scale, not cost more to run than we sell it for. The loop on the right. There are companies, two of them are very popular these days, that took it to an extreme. You ship something fast, and since it only scales linearly you go raise money. Successful companies, countless users, some of them even pay. Who's to blame? The senior developer, or simply someone reasonable who asks, how's that sustainable, what's the way out of this? Those are fired, so whoever's left is a believer."
"This is pretty easy to solve. If you present data by algorithm, you are no longer an impartial common carrier and are liable for the content you present. If the user decides, you don’t, a la social media 1.0."
"I don’t think this is only a kids issue. A lot of adults need this too. The addictive apps are very well designed, while most blockers are either too easy to ignore or too annoying to keep using. I built a small iOS blocker because I had the same problem. Making it strict enough to actually work without making people hate it is the main challenge."
"Tell me: why are these algorithms suddenly okay when the victim turns 18? They are bad for everyone, and if you’re willing to regulate them, make them illegal to be used on anyone."
"I saw this a while ago so it might not be totally related, but Sebastian Lague did a video on atmospheres for his planet generation experiment which was also very entertaining to watch [1]. There's something particularly entertaining in developing visuals and watching them become a reality — I hope at some point to be able to experiment in this field. [1] https://www.youtube.com/watch?v=DxfEbulyFcY"
"I'm not sure if it was a deliberate omission or not, but it's worth pointing out in the Sunset model that the sky should not go black as soon as the Sun goes below the horizon as it does in the demo. The Sun will still be shining on the atmosphere above you, and in areas above your horizon for a considerable time after Sunset. There will still be a noticeable twilight (in Earth's atmosphere) until the Sun is 18 degrees below the horizon. It's probably not practical to implement using ray tracing, but there are common algorithms to model it."
"This is absolutely fantastic. I've thought before about trying to render skies on the web as a series of gradients overlaid on top of one another. I expect I could have had some level of success and gotten some mediocre results, but it would be nothing compared to what you've created. Thank you so much for sharing this; it's inspirational, must have taken you a very long time to put together, and I'm blown away by your results."
"My understanding was that strokes caused brain cell death, and that there was no coming back from that, but my neurologists would speak of 'bruised' brain cells, and that after weeks or months or even years you can see recovered function. UCLA's work here is targeting this disconnection and the lost rhythm in the surviving, distant networks. However there is, as yet, NO conceivable intervention that could recover function from cell death at that center of the infarct."
"If you've read Ted Chiang's "Understand," you'll understand why this headline made my eyes pop out. For those who haven't, it's in the "Stories of Your Life and Others" collection, which includes the short story that the film Arrival was based on."
"> This type of neuron helps generate a brain rhythm, termed a gamma oscillation, which links neurons together so that they form coordinated networks to produce a behavior, such as movement. Stroke causes the brain to lose gamma oscillations. Successful physical rehabilitation in both laboratory mice and humans brought gamma oscillations back into the brain and, in the mouse model, repaired the lost connections of parvalbumin neurons. > Carmichael and the team then identified two candidate drugs that might produce gamma oscillations after stroke. These drugs specifically work to excite parvalbumin neurons. Asking while being a total layperson here - can we generate those gamma oscillations by an [maybe implanted] electronic device? Edit: and a Google search to help; judging by the dates it seems to be a pretty fresh field: https://journals.plos.org/plosbiology/article?id=10.1371/jou... "... by pairing robotic rehabilitation with a clinical-like noninvasive 40 Hz transcranial Alternating Current Stimulation, we achieved similar motor improvements mediated by the effective restoring of movement-related gamma band power, improvement of PV-IN maladaptive network dynamics, and increased PV-IN connections in premotor cortex." It also sounds like getting an exoskeleton for such patients can be helpful not only to perform immediate tasks; it also can be a part of the restoring process."
"Do you have any examples or data on the discriminatory power of the model for tool use? The examples are things like "What is the weather in San Francisco", where you are only passed a tool like tools='[{"name":"get_weather","parameters":{"location":"string"}}]'. I had a thing[1] over 10 years ago that could handle this kind of problem using SPARQL and knowledge graphs. My question is how effective is it at handling ambiguity. Can I send it something like a text message "lets catch up at coffee tomorrow 10:00" and a command like "save this" and have it choose an "add appointment" action from hundreds (or even tens) of possible tools? [1] https://github.com/nlothian/Acuitra/wiki/About"
"Hmm.. this might make it feasible to build something like a command line program where you can optionally just specify the arguments in natural language. Although I know people will object to including an extra 14 MB and the computation for "parsing", and it could be pretty bad if everyone started doing that. But it's really interesting to me that that may be possible now. You can include a fine-tuned model that understands how to use your program. E.g. `> toolcli what can you do` runs `toolcli --help summary`, `toolcli add tom to teamfutz group` = `toolcli --gadd teamfutz tom`"
"Are you worried about Google's response to this? Google reportedly reacts to distillation attempts "with real-time proactive defenses that can degrade student model performance". So if they detected you, they could have intentionally fed you a dumber but plausible variant of Gemini: https://cloud.google.com/blog/topics/threat-intelligence/dis... But also, this model is small and just focusing on the tool use. In terms of token usage, you're probably not anywhere near the people that are trying to distill the entire model."
"Yep. The only people I've heard saying that generated code is fine are those who don't read it. The problem is that the mitigations offered in the article also don't work for long. When designing a system or a component we have ideas that form invariants. Sometimes the invariant is big, like a certain grand architecture, and sometimes it’s small, like the selection of a data structure. You can tell the agent what the constraints are with something like "Views do NOT access other views' state" as the post does. Except, eventually, you'll want to add a feature that clashes with that invariant. At that point there are usually three choices: - Don’t add the feature. The invariant is a useful simplifying principle and it’s more important than the feature; it will pay dividends in other ways. - Add the feature inelegantly or inefficiently on top of the invariant. Hey, not every feature has to be elegant or efficient. - Go back and change the invariant. You’ve just learnt something new that you hadn’t considered and puts things in a new light, and it turns out there’s a better approach. Often, only one of these is right. Often, at least one of these is very, very wrong, and with bad consequences. Picking among them isn’t a matter of context. It’s a matter of judgment, and the models - not the harnesses - get this judgment wrong far too often. I would say no better than random chance. Even if you have an architecture in mind, and even if the agent follows it, sooner or later it will need to be reconsidered. What I've seen is that if you define the architectural constraints, the agent writes complex, unmaintainable code that contorts itself to it when it needs to change. If you don't read what the agent does very carefully - more carefully than human-written code, because the agent doesn't complain about contortious code - you will end up with the same "code that devours itself", only you won't know it until it's too late."
"I've set a few rules for working with coding agents: 1. If I use a coding agent to generate code, it should be something I am absolutely confident I can code correctly myself given the time (gun to my head test). 2. If it isn't, I can't move on until I completely understand what it is that has been generated, such that I would be able to recreate it myself. 3. I can create debt (I believe this is being called Cognitive Debt) by breaking rule 2, but it must be paid in full for me to declare a project complete. Accumulating debt increases the chances that code I generate afterwards is of lower quality, and it also feels like the debt is compounding. I'm also not really sure how these rules scale to serious projects. So far I've only been applying these to my personal projects. It's been a real joy to use agents this way though. I've been learning a lot, and I end up with a codebase that I understand to a comfortable level."
"> The other change is simpler: I'm doing the design work myself, by hand, before any code gets written. Not a vague doc. Concrete interfaces, message types, ownership rules. That’s the hard part of coding. If you have an architecture then writing the code is dead simple. If you aren’t writing the code you aren’t going to notice when you architected an API that allows nulls but then your database doesn’t. Or that it does allow that but you realize some other small issue you never accounted for. I do not know how you can write this article and not realize the problem is the AI. Not that you let it architect, but that you weren’t paying attention to every single thing it does. It’s a glorified code generator. You need to be checking every thing it does. The hard part of software engineering was never writing code. Junior devs know how to write code. The hard part is everything else."
"Please be careful when revoking tokens. It looks like the payload installs a dead-man's switch at ~/.local/bin/gh-token-monitor.sh as a systemd user service (Linux) / LaunchAgent com.user.gh-token-monitor (macOS). It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/. https://github.com/TanStack/router/issues/7383#issuecomment-..."
"It is unfortunate, but this is evidence (IMO) that Trusted Publishing is still ~~not secure~~ not enough by itself to securely publish from CI, as an attacker inside your CI pipeline or with stolen repo admin creds can easily publish. This isn't new information; TP is not meant to guarantee against this, but migrating to TP away from local publish w/ 2FA introduces this class of attack via compromise of CI. (edit: changed "still not secure" to "still not enough by itself" bc that is the point I want to make) Going to Trusted Publishing / pipeline publishing removes the second factor that typically gates npm publish when working locally. The story here, while it is evolving, seems to be that the attacker compromised the CI/CD pipeline, and because there is no second factor on the npm publish, they were able to steal the OIDC token and complete a publish. Interesting, but unrelated I suppose, is that the publish job failed. So the payload that was in the malicious commit must have had a script that was able to publish itself w/ the OIDC token from the workflow. What I want is CI publishing to still have a second factor outside of GitHub, while still relying on the long-lived token-less Trusted Publisher model. AKA, what I want is staged publishing, so someone must go and use 2FA to promote an artifact to published on the npm side. Otherwise, if a publish can happen only within the GitHub trust model, anyone who pwns either a repo admin token or gets malicious code into your pipeline can trivially complete a publish. With a true second factor outside the GitHub context, they can still do a lot of damage to your repo or plant malicious code, but at least they would not be able to publish without getting your second factor for the registry."
"What I want to focus on is the mental model of your CI pipeline, and the problem with too much YAML; consider this quote: > Cache scope is per-repo, shared across pull_request_target runs (which use the base repo's cache scope) and pushes to main. A PR running in the base repo's cache scope can poison entries that production workflows on main will later restore. This is very difficult to understand, and to teach to new people, because everything is configured as YAML, yet everything is laid out in the background to directories and files. What if your CI pipeline was an old-school bash script instead? It would be far more obvious to a greater number of people how it works, and what is left behind by other runs. We know how directories and files work in bash scripts. Could we go back to basics and manage pipelines as scripts and maybe even run a small server?"
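The quoted cache-scope problem comes down to one rule: a cache restored in a production job is untrusted input, because another run in the same scope could have written it. An added example, not code from the comment above or from any CI vendor, of the check a defender can bolt onto a script-style pipeline: record a SHA-256 manifest of the cache contents in a trusted context (committed to the repo, or produced by a job on main and stored outside the cache scope), then refuse a restored cache whose files do not match it. The cache paths and file contents in `demo()` are constructed for the illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, streamed so large cache artifacts are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(cache_dir: Path) -> dict:
    """Map every file under cache_dir (relative POSIX path) to its digest.

    Run this in a trusted context only; the output must be stored somewhere a
    PR run in the same cache scope cannot overwrite (e.g. committed to git).
    """
    return {
        p.relative_to(cache_dir).as_posix(): sha256_file(p)
        for p in sorted(cache_dir.rglob("*"))
        if p.is_file()
    }


def verify_restored_cache(cache_dir: Path, manifest: dict) -> list:
    """Return a sorted list of problems; an empty list means the cache is clean.

    Reports files that are missing, whose content changed, or that are not in
    the manifest at all (an extra file is how a poisoned entry usually arrives).
    """
    problems = []
    actual = build_manifest(cache_dir)
    for rel, expected in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != expected:
            problems.append(f"modified: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def _write(cache_dir: Path, rel: str, data: bytes) -> None:
    p = cache_dir / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo() -> dict:
    """Build a trusted manifest, then check a tampered 'restored' cache."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "cache"
        # Constructed cache contents standing in for a dependency install.
        _write(cache, "node_modules/.bin/tsc", b"#!/bin/sh\necho trusted\n")
        _write(cache, "node_modules/left-pad/index.js", b"module.exports = s => s;\n")

        # Trusted run: produce the manifest and round-trip it through the JSON
        # form in which it would be committed alongside the pipeline script.
        manifest = json.loads(json.dumps(build_manifest(cache), sort_keys=True))
        clean = verify_restored_cache(cache, manifest)

        # Simulate what another run sharing the cache scope could leave behind:
        # one overwritten entry and one file the manifest never listed.
        _write(cache, "node_modules/.bin/tsc", b"#!/bin/sh\necho tampered\n")
        _write(cache, "node_modules/extra.js", b"// not in the manifest\n")
        tampered = verify_restored_cache(cache, manifest)

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

In a bash-style pipeline this is a single gate between the cache restore step and everything that executes from the cache: if `verify_restored_cache` returns anything, discard the restore and rebuild from scratch rather than running whatever is in the cached `.bin`. The manifest is only as trustworthy as where it lives; keeping it inside the cache would let the same poisoning run rewrite it.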
"Quote: "My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing. I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos. Maybe this model is a little bit better, but even if it is, it is not better to a degree that seems to make a significant dent in code analyzing." It's a good reminder for us all that the competition in this space is rough and lots of more or less subtle marketing is involved."
"> An amazingly successful marketing stunt for sure. This. Well done by Anthropic. It even reached the CISO of my small semi-government org in the Netherlands, who slightly panicked at the announced 'tsunami' of vulnerabilities that was coming with Mythos. Got us some more money and priority with the board, though. Never waste a good marketing scare."
"If an AI agent finds zero bugs in a software utility, how can that be viewed in the sense that the AI agent is not very good at finding bugs? What if there are actually zero bugs? > Five issues felt like nothing as we had expected an extensive list. The expectation here may not match reality, but not necessarily because Mythos isn't as capable as claimed. curl may just happen to be a well-hardened tool that doesn't have too many security vulnerabilities in its present state."
"A couple of comments here mention using this in VR. Fwiw, years back I played a bit with shallow-3D UIs for software dev. Shallow like within a few cm of a laptop display, to minimize VAC eye strain for all-day use. Think more being able to layer and draw in color, but in 3D, rather than waving arms in a room. The 3D can be wiggle 3D, or perspective from webcam head/eye tracking, or stereo from shutter glasses, or XR HMDs. Wiggle is easiest - just move the object orientation back and forth. Cute but distracting. Well, cross/parallel-eye gaze is easier, but limited - ok for little UI test swatches. Perspective is more subtle, less intrusive. Can be simple with a head tracker driving a single orientation, or go all in with eye pose (for distance) and window locations, to do an accurate 3D render. App stereo pairs can be "I give you two windows Left/Right-eye", or "alternating L/R view, labeled/synced/polled". Other possibilities. Many of these need window system/manager/desktop support. I found a lot of leverage in using a stack of electron and X. It's fun to displace text in 3D. Like colorization, but more so. And if you don't mind a cluttered appearance, you can add secondary information layers segregated by depth. And... etc. Emacs with characters-have-a-depth finally gets you something LispMs didn't have. Fun aside, to explore possibilities with code text, with anything not inherently 3D, far easier to prototype UX with fg/bg colors, fonts, unicode, and animation. Or in browser, overlaid divs and transparent 2D/3D canvases."
"UNIX still trying to catch up with Xerox workstations in the REPL experience, or general Lisp machines for that matter. Inline graphics from 1981: https://youtu.be/o4-YnLpLgtk?t=376"
"I like this. No reason the terminal should only support text. Data science notebooks show one way the terminal can evolve. Lots of interesting stuff happening in this space, with Kitty probably being the most aggressive innovator here [1]. I'm not sure there is an overall vision, though. [1]: https://sw.kovidgoyal.net/kitty/protocol-extensions/"
"People complain a lot about Gmail, but honestly I kind of understand Google's plight here. They've essentially gotten roped into maintaining a huge chunk of internet infrastructure, for free. If they ever shut it down the whole world would end up rioting because it's so widely used. But it's expensive, complicated and time-consuming to maintain - and both a source of and recipient of endless waves of spam and scams. It's an endless pile of data to hold onto, FOREVER, as well. I enjoy hating on Google when appropriate. But when it comes to Gmail, I understand what they're dealing with. It's honestly why I believe the idea of free e-mail is just bad, fundamentally. You can't expect a free e-mail service to be good or have any kind of support. The fact that it still exists is more out of sheer fear of the repercussions than any good will on the owner's part. Just get a paid e-mail service. They're better, and offer a lot more peace of mind."
"Any Gmail person can tell me why Gmail is tolerating Gmail phishing emails that use Google's own services (e.g. https://storage.googleapis.com/savelinge/...)? More info here: https://news.ycombinator.com/item?id=46665414"
"> Supposedly, using the QR code on the smartphone triggers an SMS sent from your phone to Google in order to verify your phone number. Does anyone have a better source of information than this one forum comment from someone who thinks scanning a QR code is enough to get your phone to send a text message? EDIT: It’s just an SMS URI. It doesn’t automatically send anything, just opens a text message for you to send. This is just the old phone number verification with a QR code convenience method."
"Getting so close to good! I consider Gemma 4 31B (dense / no MoE) the new baseline for local models. It's obviously worse than the frontier models, but it feels less like a science experiment than any previous local model I’ve run, including GPT OSS 120B and Nemotron Super 120B. On my M5 Max with 128 GB of RAM and the full 256K context window, I see RAM use spike to about 70 GB, with something like 14 GB of system overhead. A 64 GB Panther Lake machine with the full Arc B390, or a 48 GB Snapdragon X2 Elite machine, could probably run it with a 128K to 256K context window. Maybe you can squeeze it into 32 GB (27.5 GB usable) with a 32K context window? Even last year, seeing this kinda performance on a mainstream-ish/plus configuration would have seemed like a pipe dream."
"I could have used this article before I spent the weekend arriving at the same conclusion! Same laptop, and my contrived test was having it fix 50 or so lint errors in a small vibe-coded C++ repo. I wanted it to be able to handle a bunch of small tasks without getting stuck too often. GPT OSS 20B was usable but slow, and actually frequently made mistakes like adding or duplicating statements unnecessarily, listing things as fixed without editing the code, and so on. Qwen 3.5 9B with Opencode was much faster and actually able to work through a majority of the lint warnings without getting stuck, even through compaction, and it fixed every warning with a correct edit. I tried 4-bit MLX quants of Qwen 3.5 9B but it eventually would crash due to insufficient memory. I switched to GGUF, which I run with llama.cpp, and it runs without crashing. It is absolutely not comparable to frontier models. It’s way slower and gets basic info wrong and really can’t handle non-trivial tasks in one go. I asked it for an architecture summary of the project and it claimed use of a library that isn’t present anywhere in the repo. So YMMV, but it’s still nice to have and hopefully the local LLM story can get much better on modest hardware over time."
"> The longer you let it drive without constraints, the worse the wreckage gets. The velocity makes you think you're winning right up until the moment everything collapses simultaneously. In my experience (so far), I can’t let the LLM write too much in one go. I need to test the hell out of what it gives me, and I can’t ask for too much at one time. I tend to ask it to “flesh out” functions, where I have a signature and a detailed headerdoc comment. I will provide a lot of guidance about the context, often attaching relevant files. Even then, it often doesn’t give me what I need first time, unless it’s a small function with extremely limited scope. That said, it’s been extremely helpful. It has accelerated my development greatly. I have found that it gives me much better PHP than Swift. I suspect that may be because PHP is extremely mature, and there’s millions and millions of lines of high-quality code out there in open-source repos, while Swift is probably mostly in closed repos, with open stuff not really provided by experienced developers (it’s a proprietary language used for shipping commercial software, so that may also apply to other languages). What it gives me in Swift most closely resembles stuff that enthusiastic newer folks would do, and want to show off."
"https://www.google.com/search?q=gitlab+stock shows their stock price was ~$52 a year ago and is $26 today, so down 50% in 12 months. It's quite possible this is because they weren't making enough noise about their AI strategy. If investor fears are that AI makes GitLab's business less valuable, including this in their "GitLab Act 2" announcement makes a whole lot of sense: > The agentic era multiplies demand for software. Software has been the force multiplier behind nearly every business transformation of the last two decades. The constraint was the cost and time of producing and managing it. That constraint is collapsing. As the cost of producing software collapses, demand for it will expand. Last year, the developer platform market used to be measured in tens of dollars per user per month, this year it is hundreds/user/month and headed to thousands. Not only is the value of software for builders increasing, but we believe there will be more software and builders than ever, and we will serve an increasing volume of both. Wrote a bit more about this on my blog: https://simonwillison.net/2026/May/11/gitlab-act-2/"
"Lots of interesting information here: > The agentic era affords GitLab the largest opportunity in our history as a company, and we're making the structural and strategic decisions to meet it > Operationally, we grew into a shape that was right for the last era and isn't right for this one To meet their largest opportunity ever, they believe they need fewer resources. I'm not sure I understand how that follows. > We're rewiring internal processes with AI agents, automating the reviews, approvals, and handoffs to speed us up Is this also in the list of "we create code twice as fast and the bottleneck is review so YOLO no bottleneck?" I've yet to see a convincing justification for this. If anything, if you're going full throttle, all the more reason to watch the steering wheel, no? That said, 8 layers of management is a lot of management, and every line of the message seems like leadership truly believes they are sinking in bureaucracy. Let's see how unneeded those 3 layers they're cutting were."
"After CVE-2023-7028 (account takeover via password reset, IIRC you just had to add a semicolon between the correct email and the attacker email and it'd email both) was exploited against my cluster, the boasting about fully-automated changes and reviews scares me. I hope I'm far from the only one that hasn't forgotten issues like this. I'm aware that the defective code was not written by AI but nonetheless, GitLab is what stands between many small organizations and their most precious resources. I was fortunate that 2FA stopped the damage, but what's going to happen the next time? What if my organization is permanently damaged because we taught the machines to go fast and break things, too [1]? [1] VPN is an option but we're a non-profit with a number of non-technical users, so admittedly we're caught in a balance between making it harder to do things. As much as WireGuard is awesome, there's still a barrier."
"Multiple times per week I have the same conversation. It goes something like this: - AI will make developers irrelevant - Why? - Because LLMs can write code - Do you know what I do for a living? - Yes, write code? - Yes, about 2-5% of the time. Less now. - But you said you are a developer? - I did - So what do you do 95-98% of the time? - I understand things and then apply my ability to formulate solutions - But I can do that! - So why aren't you? The developers who still think their job is about writing code will perhaps not have a job in the future. Brutal as it may sound: I'm fine with that. I'm getting old and I value my remaining time on the planet. Business owners who think they can do without developers because they think LLMs replace developers are fine by me too. Natural selection will take care of them in due course."
"In my experience, it's been the complete opposite. The very experienced engineers that are actually willing to use top of the line tooling are much better than they were before, including those that are over 40, and over 50. Part of the practical degradation of traditional programmers over time has always been concentration and deep calculation, just like in chess. The old chess player knows chess much better than a 19 year old phenom, but they cannot calculate for that many hours at the same speed as before, so their experience eventually loses to the raw calculation. Maybe at 35, or at 45, but you are just not as good. Claude Code and Codex save you the computation, while every single instinct and 2 second "intuition", which is what you build with experience, is still online. It's not just that it's a more fair competition: It's now unfair in the opposite direction. The senior that before could lead a team of 6 is now leading a team of agents, and reviewing their code just as before. Hell, it's easier to get the agent to change direction than most juniors around me, which will not be easy to correct with just plain, low-judgement feedback."
"> AI-users thus become less effective engineers over time, as their technical skills atrophy Based on my experience, I think this will prove more true than not in the long run, unfortunately. Professionally, I see people largely falling into two camps: those that augment their reasoning with AI, and those that replace their reasoning with AI. I’m not too worried about the former; it’s the latter about whom I’m worried. My mom is a (US public school) high school teacher, and she vents to me about the number of students who just take “Google AI overview” as an absolute source of truth. Maybe it’s just the new “you can’t cite Wikipedia”, but she feels that since the pandemic, there’s been a notable decline in the critical thinking skills of children coming through her classes. We have a whole generation (or two) of kids that have grown up being told what to like, hate, believe, etc. by influencers and anonymous people on the internet. They’d already outsourced their reasoning before LLMs were a thing. Most of them don’t appear to be ready to constructively engage with a system that is designed to make them believe they are getting what they want with dubious quality."
"One obvious reason is Python's extreme readability; it has often been described as being as close to executable pseudo-code as one can get. If you're using an LLM to write code I think the rules would be: 1. Use a language you know really well so you can read it easily, and add to it as needed. 2. Use a language that has a large training set so the LLM can be most efficient. 3. Use a language that is easy to read. If your language has a small training set, or you don't intend to do much addition, or you don't really know any language that well, or are restricted from using choice 1 for some reason, 2 and 3 move up, and Python has a large training set and it is easy to read."
"Read the first few comments and surprised I didn’t see it, but training data. The voluminous amount of Python in the training data. I could write in brainfuck with AI, but I presume I wouldn’t get the same results as if going with Python. My follow up question: with AI now, why care about a lang until you need to?"
"No reason, unless the project is simple. The more you can offload onto your compiler/typer, the shorter the feedback loop is, the better agents work. Lack of strictly enforced static typing makes agents fail much sooner with Python. In my opinion, Rust and Scala are the best targets for agentic flows - and, coincidentally, they have the most advanced typers among mainstream languages. But any statically typed language behaves better than any dynamically/duck typed language. When I say "better" I mean delivery time and the amount of shipped defects. Another thing which helps (but is not generally applicable) - ask your agent to verify critical protocols with formal proof in TLA+/Lean/Coq. Agents are bad at formal proofs - but generally are much better than most humans."
"This is amazing.. I've been working with custom CUDA kernels and https://crates.io/crates/cudarc for a long time, and this honestly looks like it could be a near drop-in replacement. I'm especially curious how build times would compare? Most Rust CUDA crates obv rely on calling CMake or nvcc, which can make compilation painfully slow. Coincidentally, just last week I was profiling build times and found that tools like sccache can dramatically reduce rebuild times by caching artifacts - but you still end up paying for expensive custom nvcc invocations (e.g. candle by Hugging Face calls a custom nvcc command in their kernel compilation): https://arpadvoros.com/posts/2026/05/05/speeding-up-rust-whi..."
"I'm quite interested in how they dealt with Rust's memory model, which might not neatly map to CUDA's semantics. Curious what the differences are compared to CUDA C++, and if Rust's type system can actually bring more safety to CUDA (I do think writing GPU kernels is inherently unsafe; it's just too hard to create a safe language because of how the hardware works, and because of the fact that you're hyper-optimizing all the time)"
"I wonder what it means for Slang[0]. Presumably the point is that people want to do GPU programming with a more modern language. But now you can just use Rust... (Disclaimer: I like Slang a lot.) [0]: https://shader-slang.org/"
"The superhuman efforts that folks on HN make to find technical workarounds and solutions is wonderful to see, but we must realize that this is not a technical problem. It's a social and legislative one. It can't be fought on technical grounds. The pushback has to be via putting pressure on politicians by making regular people more aware. Right now, the vast majority of users are being bombarded with a one-sided narrative of how 'insecure' their devices are. They read almost every day about someone losing their life's savings due to 'hackers'. In this environment, they genuinely believe locking down their devices will make them more secure and prevent them from being 'hacked'. The powers that be make sure that the people never hear the other side: that people are giving absolute control to large corporations. In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged. If you want to make a meaningful contribution, however small, then make it a point to educate people about the control they are giving to large corporations like Google. It doesn't take much to convince them that Google et al don't have their best interests in mind. They already know it and have experienced it. The second thing to do is to encourage them to reach out to their member of congress via letters. It's easy enough to do, and politicians are terrified of going against voters. They rely on people's ignorance to quietly work against their constituents' interests while supporting whichever special interest happened to donate the most to their campaign fund."
"Requiring authorized silicon (and software) isn't even the biggest problem here.They do not use zero knowledge proof systems or blind signatures. So every time you use your device to attest you leave behind something (the attestation packet) that can be used to link the action to your device. They put on a show about how much they care about your privacy by introducing indirection into the process (static device 'ID' is used to acquire an ephemeral 'ID' from an intermediate server) but it's just a show because you don't know what those intermediary severs are doing: You should assume they log everything.And this just the remote attestation vector, the DRM 'ID' vector is even worse (no meaningful indirection, every license server has access to your burned-in-silicon static identity). And the Google account vector is what it is.Using blind signatures for remote attestation has actually been proposed, but no one notable is currently using it: <https://en.wikipedia.org/wiki/Direct_Anonymous_Attestation>There are several possible reasons for this, the obvious one is that they want to be able to violate your privacy at will or are mandated to have the capability. The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting which may not be good enough for them - an adversary could set up a farm where every device generates $/hour from providing remote attestations to 'malicious' actors."
"In 1999, Intel received an absolutely massive amount of opposition when they decided to include a software-readable serial number in their CPUs, so much that they reversed the decision.Then the "security" and Trusted Computing authoritarians continued pushing for TPMs and related tech, and contributed to the rise of mobile walled gardens. Windows 11's TPM requirements were another step towards their goal. The amount of propaganda about how that was supposed to be a good thing, both here and elsewhere, was shocking.It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.The war on general-purpose computing continues, and we need to keep fighting.Stallman was right, as always. Time to give his "Right to Read" another read. (If it hasn't been done already, an AI-generated short film of it would be a great idea...)"Those who give up freedom for security deserve neither.""
"They will be, and that moment is not that far off. We've got the progression in place already: first, large data centers could have performant LLMs, we are now firmly in "a bunch of servers with a couple of H100s each" territory, slowly going into "128 GB VRAM on a MacBook Pro or a Strix Halo". Within the next year, the pattern of "expensive remote LLM for planning, local slow-but-faster-than-human LLM for execution" will become the norm for companies, slowly moving to "using local LLM for everything is good enough". And then we'll have the equilibrium we already have with the "classic cloud": you either self-host or pay for flexibility and speed. The question will be: how much of the current compute capacity craze will local hosting give the kiss of death to and what that means for the market."
"I feel like lots of people here are just commenting on the headline.This isn't about the local models you're running on your old gaming rig, or the tesla p40 rig you build for local llm's.This is about code leveraging the local resources where the code is running for it's AI needs. Rather than making an API call to an external AI service, the code leverages the AI capabilities built into the hardware it runs on. With modern Apple, Intel, and AMD silicon all shipping dedicated AI acceleration, this is the where IMO the focus should be heading.How many Flops or whatever can your phone do? I bet it's enough to paint the walls of your living room, or draw a pretty good pelican on a bike."
"Here's some things you can do right now with local models on a consumer device:- text-to-speech - speech-to-text - dictionary - encyclopedia - help troubleshooting errors - generate common recipes and nutritional facts - proofread emails, blog posts - search a large trove of documents, find information, summarize it (RAG) - manipulate your terminal/browser/etc - analyze a picture or video - generate a picture or video - generate PDFs, documents, etc (code exec) - simple programming - financial analysis/planning - math and science analysis - find simple first aid/medical information - "rubber ducking" but the duck talks backA quarter of those don't need more than a gig of RAM, the rest benefit from more RAM. Technically you don't even need a GPU, it just makes it faster. I do half that stuff on my laptop with local models every day.That said, it really doesn't need to be local. I like the idea that I can do all that stuff offline if I'm traveling, but I usually have cell service, and the total tokens is pretty cheap (like $2/month for all my non-coding AI use)."
"> AWS stomped on open source projects - despite the clear desire of projects like Elasticsearch, Redis, and MongoDB not to be cloned and monetized, AWS pushed ahead with OpenSearch, Valkey, and DocumentDB anyway, capturing the hosted-service money after those communities and companies had built the markets; the result was a wave of defensive licenses like SSPL, Elastic License, RSAL, and other source-available models designed less to stop ordinary users than to stop AWS from stripping open-source infrastructure for parts, owning the customer relationship.This is completely backwards, at least with OpenSearch and Valkey. AWS didn't create the forks until after the upstream projects changed their license, so it's really weird to say that the forks "resulted" in the license changes when those forks where a response to the license changes. With Valkey in particular it was members of the former redis core development team that created Valkey."
"AWS / GCP / Azure aren't for individuals or small businesses. They won't tell you this anywhere, and they won't stop you from signing up - but they simply do not care one iota about users with anything less than $100k billing per month.They treat big account owners like kings, they fly them out to Formula 1 events, they get 3 day workshops in swanky retreats, because a few k spent on this equals maybe millions of dollars.If they respond to a small business quicker they don't get anything from it. They collect a bill that if it went missing they wouldn't notice.I am not saying this is right - but people running small businesses on these platforms are operating under false pretenses."
"These arguments against AWS are boring. 99% of the negative comments are along the line of "so i have a dead simple product, I dont know anything about AWS, I logged in and it was super complicated and it seemed pricey".Well guess what, if you have a CRUD website and 100 users you're just not the target. Move on.Some days ago I wanted to sketch a 3D model of my TV remote. I opened blender and what a mess of complicated windows and panes. I closed it immediatly. Do I think Blender is an over complicated mess? No, I just think I'm not the target. And I'm not offended to be too noob to use it."
"You know I was actually really curious about this so I went back to the HTML and URL W3C standards and surprisingly they don't actually have any definitions of format other than being percent encoded. One might conflate query strings with "form-urlencoded"[0] query strings, which is one potential interoperability format, but in general a queries string is just any percent encoded string following a "?" in a url[1], and just another property in the "URL" HTML object that can be used in the generation of a response. While additionally there is a URLSearchParams object that is the result of parsing the query string with the form-urlencoded parser, this is simply an interoperability layer for JavaScript.I'm going to be honest, I was pretty geared up to have a contrarian opinion until I looked at the standards but they're actually pretty clear, a 404 could be a proper response to unexpected query string; query string is as much part of the URL API as the path is and I think pretty much everyone can acknowledge that just tacking random stuff onto the path would be ill advised and undefined behavior.[0]: https://url.spec.whatwg.org/#application/x-www-form-urlencod...[1]: https://url.spec.whatwg.org/#url-class"
"So my understanding is, he is annoyed that other website adds a query string such as "?ref=origin.com" to links pointing to authors website.How does this benefit the other website? How does this hurt the authors website?I am completely confused about the behavior of both side here.I get that when I run an ad-campaing I want google to add a utm-query string, so I can track which campaign users arrived from - but then the origin and the destination are working together. Here the origin just adds stuff for no reason. Why?"
"> It is a small, decentralised, self-hosted web console that lets visitors to your website explore interesting websites and pages recommended by a community of independent personal website owners.Back in the Stone Age, we called these “Webrings,” but they weren’t as fancy.One of the issues that I faced, while developing an open-source application framework, was that hosting that used FastCGI, would not honor Auth headers, so I was forced to pass the tokens in the query. It sucked, because that makes copy/paste of the Web address a real problem. It would often contain tokens. I guess maybe this has been fixed?In the backends that I control, and aren’t required to make available to any and all, I use headers."
"I made the tragic mistake of getting a Bambu printer (an X1C, with AMS even...) right before they gave all of us the middle finger. I now have it offline, running out of date firmware, connected to a special WiFi network that is isolated from the Internet.That upset me, but now I'm pissed. Now I don't even care about their stupid printers. Now I'd like to waste Bambu Lab's time and cause problems for them.And also, while this X1C should be going strong for years, my eyes are on Prusa should I want another printer any time soon for any reason. Less polished or not, they seem like they're still better for consumers even though they are apparently less open than they used to be. But I'm of course interested in hearing what people recommend, too. (I got an X1C because I knew it would be simple, but I don't particularly mind getting my hands dirty or anything. I did build an Ender 3 kit before that.)"
"Bambu showed their true colours last year when they would've eliminated offline access altogether if not for public outrage. You don't own your Bambu printer, you're leasing it at a subsidised premium.This move does not surprise me at all, and I'm genuinely happy that Louis is willing to shell out money to help those that can't defend themselves.I'm happy that Bambu finally made Prusa care, but I will not cheer them even if they consistently innovate. It's just sad."
"Louis is one of the most passionate YouTubers you can watch. I don't think he gets it right 100% of the time, but when you are that vulnerable (and what appears to be authentic) you're bound to not make the the right call every once in awhile (as we all do).I support him even though people can pick him apart."
"For anyone confused, this is (very good imo) fiction about supply-chain incidents. It had me very worried during a brief scan that it was real though, which made me read it more attentively :)"
"> Day 1, 14:47 UTC — Among the exfiltrated credentials: the maintainer of vulpine-lz4, a Rust library for “blazingly fast Firefox-themed LZ4 decompression.” The library’s logo is a cartoon fox with sunglasses. It has 12 stars on GitHub but is a transitive dependency of cargo itself.I got a bit curious and here is an incomplete list of crates to compromise to be part of the cargo build and that already have a build.rs so it doesn't stand out to much:flate2 tar curl-sys libgit2-sys openssl-sys libsqlite3-sys blake3 libz-sys zstd-sys ccAs a nice bonus - if you get rights for xz2 you can compromise rustup.Fwiw at least they do track Cargo.lock"
"It's easy to be cynical because, yes, both the problems and solutions seem dead obvious in hindsight. But for a long time (and maybe even still), a hacker creed was "move fast and break things."It's great that there's so much momentum in fixing the glaring problems with supply chain systems like npm, but I'm concerned that we're entering a new era of security-related problems caused in large part by agentic development.I'm not just talking about Mythos/Glasswing surfacing vulnerabilities in pretty much everything it touches; I think the way we're developing software, pulling in dependencies, and potentially losing human thought modeling of complex systems is going to lead to a lot of hacked together software and infrastructure that humans won't fully understand.I hope in a few years we don't look back at today and wonder how we could have been so naive -- how we failed to actually plan for the long-tail of AI development in a way that doesn't solve problems by attempting to just use AI to rebuild complex systems.But the article was funny."
"I'm suspicious of their results with regards to tool usage.It's unsurprising that round-tripping long content through an LLM results in corruption. Frequent LLM users already know not to do that.They claim that tool use didn't help, which surprised me... but they also said:> To test this, we implemented a basic agentic harness (Yao et al., 2022) with file reading, writing, and code execution tools (Appendix M). We note this is not an optimized state-of-the-art agent system; future work could explore more sophisticated harnesses.And yeah, their basic harness consists of read_file() and write_file() - that's just round-tripping with an extra step!The modern coding agent harnesses put a LOT of work into the design of their tools for editing files. My favorite current example of that is the Claude edit suite described here: https://platform.claude.com/docs/en/agents-and-tools/tool-us...The str_replace and insert commands are essential for avoiding round-trip risky edits of the whole file.They do at least provide a run_python() tool, so it's possible the better models figured out how to run string replacement using that. I'd like to see their system prompt and if it encouraged Python-based manipulation over reading and then writing the file.Update: found that harness code here https://github.com/microsoft/delegate52/blob/main/model_agen...The relevant prompt fragment is: You can approach the task in whatever way you find most effective: programmatically or directly by writing files As with so many papers like this, the results of the paper reflect more on the design of the harness that the paper's authors used than on the models themselves.I'm confident an experienced AI engineer / prompt engineer / pick your preferred title could get better results on this test by iterating on the harness itself."
"Yeah I've been saying this for a while: AI-washing any text will degrade it, compounding with each pass."Semantic ablation" is my favorite term for it: https://www.theregister.com/software/2026/02/16/semantic-abl..."
"Least shocking thing I've read about LLMs recently.They are essentially like that one JPEG meme, where each pass of saving as JPEG slightly degrades the quality until by the end its unrecognizable.Except with LLMs, the starting point is intent. Each pass of the LLMs degrades the intent, like in the case of a precise scientific paper, just a little bit of nuance, a little bit of precision is lost with a re-wording here and there.LLMs are mean reversion machines, the more 'outside of their training' the context/work load they are currently dealing with, the more they will tend to gradually pull that into some homogenous abstract equilibrium"
"https://archive.is/JUPmz"
"I think there is a bit of wider social norms piece missing as well on AI use in knowledge work context.Someone forwarded an enormous amount of text over teams the other day at work. From someone (bless her) that always means well but usually averages about one spelling mistake per word and rarely goes over 20 words per message. Clearly copy paste chatgpt.For say hn gang that thinks in terms of context shifts, information load and things on THAT wave length the problem with that situation is obvious but I realised then that is not at all obvious to the average public. She genuinely seemed to think she's helping me by spending 15 seconds typing in a prompt and having me spend the next 30 minutes untangling the AI slop.There is zero understanding or consensus of acceptable practices around that sort of thing baked into societal norms right now."
""Many workers immediately revolted. In online comments, they blasted the tracking as a privacy violation, ..."“How do we opt out?” - Meta employeePoetic justice, or "dogfooding""
"I was a great admirer (and later friend) of Barlow, and I'm still very deeply influenced by the Declaration and many adjacent phenomena. I agree with some fraction of this post in terms of seeing many people shelving these principles when it gets inconvenient for them.In the past few months, I've been troubled by one specific part of the Declaration, in the final paragraph:> We will create a civilization of the Mind in Cyberspace. May it be more humane and fair than the world your governments have made before.Specifically, I think the cyberspace civilization, to the extent that it exists, has been a failure lately on "humane" in the broad sense. The author of the linked post might say that this has to do with the need for moderation (indeed this is a big surprise from the 1996 point of view, as there were still unmoderated Usenet groups that people used regularly and enthusiastically, and spam was a recent invention).I think there are lots of other things going on there over and above the moderation issue, but one is that the early Internet culture was very self-selected for people who thought that the ability to talk to people and the ability to access information were morally virtuous. I was going to say that it was self-selected for intellectualism but I know that early Internet participants were often not particularly scholarly or intellectually sophisticated (some of our critics like Langdon Winner, quoted here, or Phil Agre, were way ahead on that score).So, I might say it was self-selected in terms of people who admired some forms of communicative institutions, maybe like people whose self-identity includes being proud of spending time in a library or a bookstore, or who join a debate club. (Both of those applied to me.) This is of course not quite the same thing as intellectual sophistication.People were mean to each other on the early Internet, but ... some kind of "but" belongs here. Maybe "but it was surprising, it wasn't what they expected"? 
"But it wasn't what they thought it was about"?Nowadays "humane" feels especially surprising as a description of an aspiration for online communications. It's kind of out the window and a lot of us find that our online interactions are much less humane that what we're used to offline. More demonization of outgroups, more fantasies of violence against them, more celebration of violence that actually occurs, more joy that one's opponents are suffering in some way. (I see this as almost fully general and not just a pathology of one community or ideology.)I'm troubled by this both because it's unpleasant and even scary how non-humane a lot of Internet communities and conversation can be, and because it's jarring to see Barlow predict that specific thing and get it wrong that way. Many other things Barlow was optimistic about seem to me to have actually come to pass, although imperfectly or sometimes corruptly, but not this one."
"Also old enough to have been pre-internet:> Paper maps were absolutely horrible…No, and still not horrible. I jeep a trucker's atlas in my van for road trips. Siri and Google Maps (Gigi, we call her) don't seem to realize I want to stay on interstates making distance. Wandering some two-lane country road diagonally through Kansas might save me 10 minutes but having oncoming traffic and the possibility of a rock into the windshield (or worse)—not worth it.I plan my routes with the paper map.> In practice it was mostly an annoying game of attempting to guess where people were. You'd call their job, they had left. You'd call their house…That does not ring a bell at all with me. Sure, I'd call and someone wasn't home, but that was the end of it. If someone else answered, it was "Hey, have them give me a call…" And of course answering machines became a thing…You know, there was just generally less of an urgency to get a hold of someone then.And you know what sucks now? Someone able to get a hold of you whenever, wherever. (Unless I go out of my way to shut off my device.)I used to laugh at a family member and spouse. They were early mobile phone adopters and I watched them call one another constantly with, "When are you going to be home?" I finally commented, "You know what would have happened if you had not called? They would have just shown up in 10 minutes or whatever."Urgency, expectations… too high these days.> Cassettes are the worst way to listen to music ever invented.Except for creating portable playlists, sure.Anyway. <rant off>"
"> examples of the ideology that powered and continues to power techWould that it were so.Semi-connected rant: What happened to so many startups to kill the mood was the pattern of: Do something technically legal (or technically illegal!) in a way that seems fixable at first, scale to huge size to get lawyers and lobbyists, pivot to strongly supporting government efforts to rein in "lawlessness" or "combat fraud" or "protect children", and then entrench oneself as the status quo while authoring or suggesting legislation to raise a moat against any competitors that might newly start up. PayPal, Facebook, Airbnb, Uber, and others tried this. Backpage and e-gold are unsuccessful examples of the same strategy."
"If you actually start writing big stuff in assembly, esp a macro-assembler, you'd quickly realize it is more verbose, but not fundamentally that different from higher level programming. You basically need to get a hang of how to build abstractions with procedures and macros and you'd be good to go. Reading assembly effectively is often much harder than writing it."
"It's a beautiful project, well crafted. To reflect to the other comments, projects like this are more like a Minecraft map for me. There are giant and amazing maps, small survival maps, local hosted for my friends and myself, and commercial focused high scale servers. Building a house, or designing a new road in the server became extremely easy with AI, put the value created in the world depends on the original purpose of the server and whether creating more houses and roads actually makes sense. I think it's a super thing that commercial server can build out faster and be bigger with more houses and roads on it, but The love an art project creates in the world is incomparable."
"Gave me a warm feeling to know that someone would actually still bother to do this by hand. I'm not the only one!"
"Top man, lives up on Richmond Hill and absolutely loves it - when asked about his travels and adventures and where he would choose to live, he replied, "I already live there"Fairly well-known locally is that my favourite bookshop, The Open Book in Richmond, stocks signed copies of all his books. They used to be signed directly on the page, but since he got to the mid-to-late nineties in age, tons of hardbacks are too much, so Helena wanders up there to get a load of bookplates signed these days.Apart from that, I order all my books from them when I'm in London and a subsequent chat with Madeleine usually lasts ten times as long as the book shopping.Anyway, I digress, yes, Sir David, amazing body of works and the books are wonderful."
"He was just mentioned on today's Lateral podcast with Tom Scott.Apparently, he's the reason tennis balls are yellow.I guess they were traditionally white but when they started broadcasting matches on TV it was too hard to see the ball.David who was at the BBC at the time suggested they use yellow balls instead so they would come through on camera. Ever since then tennis balls have been yellow."
"A true hero in my life. I had VHS copies of Trials Of Life that I wore out through watching over and over as a child. It opened my eyes to the world and wonder of nature. In college I started hunting down every single appearance he had listed in any filmography I could find and have a hard drive in my attic with all but a couple of his earliest Black and White appearances from the earliest part of his career. I haven’t kept up with it with the newest stuff in the past 15 or so years but I definitely need to pull that out and see if I can finalize his catalog."
"This jives with what I've experienced in the brief time I had access to 5.5 Pro. It's the very first LLM that I feel like I can wrangle into solving tedious, but straightforward, problems correctly. It still makes a ton of mistakes and needs to be very rigidly guided, but it does a pretty good job of tracing its own reasoning and correcting itself in a way that the other models do not.The downside (not noted in the article, but noted by others here) is cost. It uses tokens at an insane rate, the tokens cost a lot, and using it with subagent flows that you can use to have it tackle large problems with high accuracy costs even more. It is also much "slower" for large scale problems because of context limitations -- it has to constantly rediscover context for each part of the problem, and in order to make it accurate you need to wipe its context before progressing to the next small part, or launch even more agents. For mathematical proofs like these, where the required context to understand the problem and proof besides stuff that's already available in its training set is small and the problems are considered "important" enough, this might not be a problem, but for many of the tasks I would like to use it for (ensuring correctness of code that affects large codebases, or validating subtle assumptions) it definitely is one.So I think it will be a while before the impressive capabilities of these models really percolate into our lives as programmers, unless you're one of the lucky ones given unlimited access to 5.5 Pro."
"It's a very long post with a mix of technical (math) and philosophical sections. Here are the most striking points to reflect upon IMHO.> It seems to me that training beginning PhD students to do research [...] has just got harder, since one obvious way to help somebody get started is to give them a problem that looks as though it might be a relatively gentle one. If LLMs are at the point where they can solve “gentle problems”, then that is no longer an option. The lower bound for contributing to mathematics will now be to prove something that LLMs can’t prove, rather than simply to prove something that nobody has proved up to now and that at least somebody finds interesting.Training must start from the basics though. Of course everybody's training in math starts with summing small integers, which calculators have been doing without any mistake since a long time.The point is perhaps confirmed by another comment further down in the post> by solving hard problems you get an insight into the problem-solving process itself, at least in your area of expertise, in a way that you simply don’t if all you do is read other people’s solutions. One consequence of this is that people who have themselves solved difficult problems are likely to be significantly better at using solving problems with the help of AI, just as very good coders are better at vibe coding than not such good codersPeople pay coders to build stuff that they will use to make money and I can happily use an AI to deliver faster and keep being hired. I'm not sure if there is a similar point with math. Again from the post> suppose that a mathematician solved a major problem by having a long exchange with an LLM in which the mathematician played a useful guiding role but the LLM did all the technical work and had the main ideas. Would we regard that as a major achievement of the mathematician? I don’t think we would."
"A very interesting comment from Baez, I'll just quote part of it.> Where does the value of thinking and having deep ideas come from? We need to think about this now. If it comes primarily from their scarcity – the fact that having certain ideas is hard – then indeed this value may drop precipitously when the manufacture of ideas can be automated. But if the value comes from the utility of the ideas – the benefit that the idea brings – then the story changes: perhaps creating more good ideas is actually better, not worse. Here I’m using “utility” in a broad sense, not just in the sense of what people often call applied mathematics.> In other words, mathematicians may need to adjust to a transformation from a scarcity economy to an abundance economy.https://gowers.wordpress.com/2026/05/08/a-recent-experience-..."
"* I'm not in that city.* It's running a kind of Chrome on a kind of Linux, at a stretch.* Nobody can infer when I work and when I sleep. That includes me.* The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago.* But yes, browser fingerprinting is annoying.* Since you can detect light mode, would it kill you to honor it?"
"I am once again asking privacy advocates to try sounding normal for once. Trying to make a browser accessing your timezone sound nefarious isn't going to convince anyone of anything."
"Whether or not the information is accurate isn't really the point. It's that it serves as a way to identify you even without cookies. I looked for better websites, the EFF one[0] is informative.My browser fingerprint was unique among the visitors in the past 45 days.[0] https://coveryourtracks.eff.org/"
"IA needs to do what Usenet has done. Have a bunch of mission-aligned but unrelated orgs (under different ownership and distributed around the world) that peer with each other, distribute all the content obtained by any of the orgs to each other, but that have no technical channel nor capability to distribute DMCA complaints and takedown requests.This is (AFAIK) basically how Usenet piracy works. You send your warez to one provider, and that provider instantly replicates them to all the providers they peer with, recursively, until they eventually reach the entire network. When any of those providers get a DMCA complaint, they remove the offending files (as they're required to do by law), but they don't inform other providers that they've received a DMCA notice, so those providers keep serving those files. This makes it much harder to remove data from the network than it is to add it."
"Relevant blog post: https://blog.archive.org/2026/05/06/internet-archive-switzer...> Internet Archive Switzerland joins a growing group of mission-aligned organizations, alongside Internet Archive, Internet Archive Canada, and Internet Archive Europe. Together, these independent libraries strengthen a shared vision: building a distributed, resilient digital library for the world."
"That website is really struggling. Very tempting to go to a mirror on archive.org to view it :)This seems very distinct from Internet Archive in the US, I wonder how separate it is.Internet Archive Canada (I worked there in 2024) operated like it was a subsidiary, even though I think it was technically an independent organization with some shared directors. Same Slack, same archive.org email domain, etc.IA.ch has Brewster and Caslon on the board.I suspect that for the political threats of the current decade the different Internet Archive organisations need to start operating more independently, especially when it comes to funding?"
"From 4 days ago: https://news.ycombinator.com/item?id=48019226 > I work on Bun and this is my branch > > This whole thread is an overreaction. 302 comments about code that does not work. We haven’t committed to rewriting. There’s a very high chance all this code gets thrown out completely. > > I’m curious to see what a working version of this looks, what it feels like, how it performs and if/how hard it’d be to get it to pass Bun’s test suite and be maintainable. I’d like to be able to compare a viable Rust version and a Zig version side by side."
"Very impressive that they could do this so quickly because I have been on a similar project (porting TypeScript to Rust) for 5 months. But I guess I don't have access to Mythos and unlimited tokens. I'm also close to 100% pass rate. 99.6% at the time of writing. https://tsz.dev Rust is perfect for writing all of the code using an LLM. Its strict type system makes it less likely to make very dumb mistakes that other languages might allow. Also want to note that writing the code using an LLM doesn't remove the need to have a vision for the design and tradeoffs you make as you build a project. So Jarred and his team are the right kind of people to be able to leverage LLMs to write huge amounts of code."
"I just want to comment that I think it's a good change if we look past the AI involvement. Bun has had an extremely high amount of crashes/memory bugs due to them using Zig, unlike Deno which is Rust. Of course, if Bun's Rust port has tons of `unsafe`, it won't magically solve them all, but it'll still get better"
"I had never heard of this before, then last week I watched a video about it and was hooked. Now I'm seeing it everywhere! Meshtastic and Meshcore are both cool LoRa-based mesh text messaging that operate in a no-license-required band. While this limits your transmit power, it doesn't prohibit encryption - the inverse of most ham radio rules! Some cities have thriving communities of Meshtastic and/or Meshcore. You can look at maps of coverage to get a very general idea - in my experience, most Meshtastic nodes are NOT listed, while a good number of Meshcore nodes are. Meshtastic treats the mesh as dynamic - clients are assumed to always be moving, so transmissions flood between different nodes that are in each other's reach. Meshcore has a static layer - repeaters that are assumed to be in fixed positions - and a dynamic layer - companions that move. With fixed and hopefully reliable connections between repeaters, routing paths between two users can be 'cached', which avoids the bandwidth overhead of flood routing. You can get started with a low cost ($30) transceiver board and an SMA antenna ($10) for the ISM band of your region. Stick it in a box and mount it somewhere high up, and see if you can pick up any other nodes!"
"We are in the South Pacific with our sailboat, and are using Meshtastic every day to talk between ourselves and with various buddy boats. The boat has a solar-powered repeater (CLIENT_BASE) on the mast that increases communications range significantly. This all works great with no local SIM cards or other subscriptions or infrastructure needed. We plan to run experiments with Reticulum when we stop for the cyclone season. Reticulum would open a lot more possibilities with both LoRa and internet-based comms. The Columba app seems to do a lot to bridge the usability gap, but work will need to be done to integrate Reticulum with our boat systems the way we have with Meshtastic (alerting, telemetry, digital switching control)."
"I took a plunge into learning about mesh networks, specifically because I love the idea of p2p/decentralized systems of communication. To be honest, I was surprised to find that my expectations for “where we are at” with this type of technology were pretty off-base. For some reason I thought by now it would be straightforward to do a little more than text messaging over a truly public and decentralized off-internet mesh. Maybe I’ve missed some things in my search (still learning!) and someone can correct my understanding."
"In case people no longer remember, when China started to require websites to register for a license before being allowed to operate, it was for "protecting the children" too. This simple policy then went on to silence most individual publishers (/self-media) and consolidated the industry into the hands of the few, with no opportunity left for smaller entrepreneurs. This is arguably much worse than allowing children to watch porn online, because this will for sure affect people's whole lives in a negative way. Also, if the EU really wants "VPN services to be restricted to adults only", they should just fine the children who use them, or their parents for allowing it to happen. The same way you fine drivers for traffic violations, but not the road. And if the EU still thinks that's not enough, maybe they should just cut the cable, like what North Korea did."
"This title seems misleading. The EP paper appears to be highlighting the existence of a debate regarding VPNs. Relevant quote: "Some argue that this is a loophole in the legislation that needs closing and call for age verification to be required for VPNs as well. In response, some VPN providers argue that they do not share information with third parties and state that their services are not intended for use by children in the first place. The Children's Commissioner for England has called for VPNs to be restricted to adult use only. While privacy advocates argue that imposing age-verification requirements on VPNs would pose significant risk to anonymity and data protection, child-safety campaigners claim that their widespread use by minors requires a regulatory response. Pornhub and other large pornography platforms have reportedly lost web traffic following the enforcement of age-verification rules in the UK, while VPN apps have reached the top of download rankings." Of course I'm not saying the EU won't regulate VPNs, but nowhere in this paper is "the EU" stating that VPNs need closing."
"I think all the identity verification schemes should start with the beneficial owners of companies. Governments have been lobbied to allow complete anonymity for the wealthy that own businesses doing questionable things while regular people are going to have to show id to buy food."
"My concern here is that by gravitating to HTML you lose the ability for a human (you!) to easily co-author the document with the LLM. If it’s just an explainer for your consumption, that’s not a concern - but if it’s a spec sheet for something more complex, I deeply value being able to dive in and edit what is produced for me. With an HTML doc it is much harder to do that than with MD. Now of course you could just reprompt your LLM to change the HTML - but when I already have a clear idea of what I want to say in my head, that’s just another roadblock in the way. If this pattern becomes more common I suspect human/LLM co-creation will further dwindle in favour of just delegating voice, tone and content choice to the LLM. I was surprised not to see this concern in the blog post’s FAQ."
"When exploring a new idea or tool, my go-to prompt is ``` In a single index.html, no dependencies, sparse styling, create an app that <idea> ``` Even before AI, it's how I built small tools, and there's something lovely about being able to email my friends the tool, and tell them "If you want to make a change, toss it to your LLM!""
"The irony of this being a Twitter post with pictures of html rendering instead of an interactive html page is not lost on me. Arguing for html on a platform with less rich semantics than markdown is just ultimately funny"
"This is surprisingly common. The security of UUIDv4 is based on the assumption of a high-quality entropy source. This assumption is invalidated by hardware defects, normal software bugs, and developers not understanding what "high-quality entropy" actually means and that it is required for UUIDv4 to work as advertised. It is relatively expensive to detect when an entropy source is broken, so almost no one ever does. They find out when a collision happens, like you just did. UUIDv4 is explicitly forbidden for a lot of high-assurance and high-reliability software systems for this reason."
"Funny story no one will believe, but it’s true. A good friend of mine joined a startup as CTO 10 years ago, high growth phase, maybe 200 devs… In his first week he discovered the company had a microservice for generating new UUIDs. One endpoint with its own dedicated team of 3 engineers …including a database guy (the plot thickens). Other teams were instructed to call this service every time they needed a new ‘safe’ UUID. My pal asked wtf. It turned out this service had its own DB to store every previously issued UUID. Requests were handled as follows: it would generate a UUID, then ‘validate’ it by checking its own database to ensure the newly generated UUID didn’t match any previously generated UUIDs, then insert it, then return it to the client. Peace of mind I guess. The team had its own kanban board and sprints."
"This is usually caused by an insufficiently seeded PRNG. Are you generating the UUID in the backend, or the frontend? Frontend is fundamentally unreliable for many reasons, including deliberate collisions. So in that case you'll need to handle collisions somehow. Though you can still engineer around common sources of collisions, the specifics depend on the environment. On the other hand making a backend reliable is feasible. What kind of environment is your code running in? Historically VMs sometimes suffered from this problem, though this should be solved nowadays. Heavily sandboxed processes might still run into this, if the RNG library uses an unsafe fallback. Forking processes or VMs can cause state duplication and thus collisions."
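The two comments above ("This is surprisingly common" and "This is usually caused by an insufficiently seeded PRNG") describe the same failure from two angles: a UUIDv4 is only as unique as the 122 random bits behind it, and those bits collapse when a PRNG is seeded from a coarse clock or when a process is forked with its RNG state intact. The following is an added example written for this page, not code from any commenter; it reproduces both failure modes with Python's `random` module, contrasts them with `uuid.uuid4()` (which reads the OS CSPRNG), and shows the cheap self-check the first comment says almost nobody runs: a sliding-window duplicate detector. All seeds, timestamps and batch sizes are constructed for illustration.

```python
"""UUIDv4 collisions and the entropy behind them (added example)."""
import collections
import random
import uuid


def uuid4_from_rng(rng: random.Random) -> uuid.UUID:
    """Format 128 bits from any RNG as a version-4 UUID.
    uuid.UUID(int=..., version=4) overwrites the version and variant bits,
    so only 122 bits of the source end up in the identifier."""
    return uuid.UUID(int=rng.getrandbits(128), version=4)


def count_duplicates(uuids: list) -> int:
    """Number of values in the list that repeat an earlier one."""
    return len(uuids) - len(set(uuids))


def secure_batch(n: int) -> list:
    """The correct generator: uuid.uuid4() draws from os.urandom."""
    return [uuid.uuid4() for _ in range(n)]


def coarse_clock_batch(n_processes: int, per_process: int) -> list:
    """Insufficient seeding. Each simulated process seeds its PRNG from a
    one-second clock; all start within the same second (constructed
    timestamp), so they share a seed and replay identical UUID streams."""
    boot_time = 1_700_000_000.42  # constructed epoch timestamp
    out = []
    for _ in range(n_processes):
        rng = random.Random(int(boot_time))  # truncation loses the sub-second entropy
        out.extend(uuid4_from_rng(rng) for _ in range(per_process))
    return out


def forked_batch(n_children: int, per_child: int, reseed: bool) -> list:
    """State duplication. The parent's PRNG state is copied into every
    child, as fork() does for any in-process RNG. Without reseeding the
    children emit the same sequence. CPython reseeds only the module-level
    `random` instance after fork; Random objects you create yourself (and
    most PRNGs in other runtimes) are not reseeded automatically."""
    parent = random.Random(0xC0FFEE)  # constructed parent seed
    inherited = parent.getstate()
    out = []
    for _ in range(n_children):
        child = random.Random()
        child.setstate(inherited)  # simulate the state copied by fork()
        if reseed:
            child.seed()  # no argument: reseed from os.urandom
        out.extend(uuid4_from_rng(child) for _ in range(per_child))
    return out


class SlidingWindowDuplicateDetector:
    """Cheap self-check for a generator: remember the last `window`
    identifiers and flag a repeat. A repeat inside a small window is
    practically impossible for a healthy 122-bit source, so any hit means
    the entropy source or the process model is broken and should alert."""

    def __init__(self, window: int = 100_000) -> None:
        self.window = window
        self._order = collections.deque()
        self._counts = collections.Counter()

    def check(self, value: uuid.UUID) -> bool:
        """Return True if `value` repeats one still in the window; record it."""
        hit = self._counts[value] > 0
        self._order.append(value)
        self._counts[value] += 1
        if len(self._order) > self.window:
            oldest = self._order.popleft()
            self._counts[oldest] -= 1
            if self._counts[oldest] == 0:
                del self._counts[oldest]
        return hit


if __name__ == "__main__":
    print("os.urandom        :", count_duplicates(secure_batch(10_000)), "duplicates")
    print("coarse clock seed :", count_duplicates(coarse_clock_batch(4, 1_000)), "duplicates")
    print("fork, no reseed   :", count_duplicates(forked_batch(4, 1_000, reseed=False)), "duplicates")
    print("fork, reseeded    :", count_duplicates(forked_batch(4, 1_000, reseed=True)), "duplicates")
```

The fix in both broken cases is the same: never derive identifiers from a user-space PRNG seeded by anything other than the OS entropy source, and reseed (or re-open the CSPRNG handle) in every child after a fork or VM clone. The detector is not a substitute for good entropy; it exists to turn the silent failure the comments describe into a loud one.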
"This has been a very long time coming and the crackup we're starting to see was predicted long before anyone knew what an LLM is. The catalyst is the shift towards software transparency: both the radically increased adoption of open source and source-available software, and the radically improved capabilities of reversing and decompilation tools. It has been over a decade since any ordinary off-the-shelf closed-source software was meaningfully obscured from serious adversaries. This has been playing out in slow motion ever since BinDiff: you can't patch software without disclosing vulnerabilities. We've been operating in a state of denial about this, because there was some domain expertise involved in becoming a practitioner for whom patches were transparently vulnerability disclosures. But AIs have vaporized the pretense. It is now the case that any time something gets merged into mainline Linux, several different organizations are feeding the diffs through LLM prompts aggressively evaluating whether they fix a vulnerability and generating exploit guidance. That will be the case for most major open source projects (nginx, OpenSSL, Postgres, &c) sooner rather than later. The norms of coordinated disclosure are not calibrated for this environment. They really haven't been for the last decade. I'm weirdly comfortable with this, because I think coordinated disclosure norms have always been blinkered, based on the unquestioned premise that delaying disclosure for the operational convenience of system administrators is a good thing. There are reasons to question that premise! The delay also keeps information out of the hands of system operators who have options other than applying patches."
"This is exactly what happened with Log4Shell. Day -X + 1: Engineer at Alibaba finds the vuln and tells Apache. Patch is pushed to git while new release is coordinated. Day -X: A black hat sees commits fixing the bug. Attacks start happening. Day 0: Memes start circulating in Minecraft communities of people crashing servers. Some logs are shared on Twitter, especially in China, of people getting pwned. Day 0 + ~4 hours: My friend DMs me a meme on Twitter. I look up to find the CVE. Doesn't exist. My friend and I reproduce the exploit and write up a blog post about it. (We name it Log4Shell to differentiate it from a different, older log4j RCE vuln) Day ~1: Media starts picking it up. Apache is forced to release patches faster in response. CVE is actually published to properly allow security scanners to identify it. Today: AI makes this happen faster and more consistently. Patches probably should be kept private until a coordinated disclosure happens post-testing and CVE being published? Hard to say what the right move is, but this is gonna be happening a lot over the next 1-3 years. Lots of companies are going to be getting cooked until AI helps us patch faster than attackers can exploit these fresh 0-days."
"This feels more like an old problem getting reframed as an AI problem. People were already diffing kernel commits and figuring out which ones were security fixes long before LLMs. If a patch lands publicly, the race has basically already started. Also not sure shorter embargoes really help. The orgs that can patch in hours are already fine. Everyone else still takes days or weeks. If anything, cheaper exploit generation probably makes coordinated disclosure more important, not less."