Shellsharks Blogroll - BlogFlock

Concert Review: London Philharmonic - Pictures at an Exhibition ★★★★★ - Terence Eden’s Blog

2026-04-02T11:34:07.000Z

A delightful and emotional rendition of three rather different works.

Mark-Anthony Turnage's "Three Screaming Popes" was a chaotic cacophony. Wild, bizarre, inventive, and seemingly driven by excess. A fascinating performance, although not one I'll put on in the background. Turnage himself took to the stage to bask in the applause.

Bartók's Violin Concerto No. 1. Reading the story behind the composition made the performance by soloist Alina Ibragimova even more terrifying than it might have otherwise been. The sounds emanating from her violin were somewhere between a tantrum and flirtatious coquette. Stunning to see her tear up the stage.

Mussorgsky's Pictures at an Exhibition. Outstanding. Hearing a 100 piece orchestra power through the score was exhilarating. It is such a vivid piece. There's no other way to describe it - each movement is distinct and full of character. One of those rare pieces where you can feel the music worming its way into your brain.

You can listen to the concert on BBC Radio 3.

Pre- and Post-Show

I've written before about The art of the Pre-Show and Post-Show. Venues and shows have multiple ways to make an event special for an audience.

This concert did some things really well. For a start - the programme was free! I wish the West End was a bit more like Broadway with a free "Playbill" at every show. Even better, the programme was actually useful! Some nice blurbs about the performers and the pieces.

I particularly liked this little snippet:

How wonderful! It's always someone's first time at an orchestral concert. More programmes should have these little comfort notes.

Other than that, there wasn't much. There was no interaction between the conductor and audience, which felt a little odd. The programme had a QR code to a 31(!) point questionnaire. I'm not sure how many people would be bothered to complete that.

Royal Festival Hall is a delight - plenty of space, multiple bars, lots of seating areas, and a larger number of spacious & clean toilets. An excellent venue.

Time is a User-Interface - Westenberg

2026-04-02T00:32:14.000Z

Using my edit button shortcut - James' Coffee Blog

2026-04-02T00:00:00.000Z

In 2025 I built a browser extension that adds an edit button to your browser. The edit button pages if a page either has:

A rel=edit link;
A custom edit link set in the extension preferences, or;
A link with an anchor like “edit page” (only available if you enable the setting, since this is a heuristic).

Back when I built the extension, I added in a keyboard shortcut to open the edit link associated with a page. On Mac, the shortcut is Command + Shift + E.

I forgot all about this shortcut until recently, when I accidentally pressed Command + Shift + E instead of Command + Shift + R, the shortcut to refresh a page. At first, I was surprised, but the mis-press gave me the reminder I needed that this feature exists.

Since then, I have been using the Command + Shift + E shortcut almost daily to edit pages on my website.

I like that the shortcut has a similar hand position to refreshing, a shortcut that I find relatively comfortable to use. I also like that the shortcut only requires use of my left hand, so that I can press the edit button while using my mouse to navigate to my next task.

My flow to edit a page now usually looks something like this:

Go to a page on my website (i.e. my software notes page).
Press Command + Shift + E.
Ghost opens in my browser.
I use my mouse to navigate to Apple Notes, where I usually have notes I want to copy onto my website.
I use my mouse to go back to Ghost where I paste in my notes and organise and develop them a bit where necessary.
I save my edits.

While I could also use the mouse to press the edit link button that appears in my browser, the shortcut is so convenient.

The irony is that I forgot the shortcut existed until I accidentally encountered it. Indeed, overall, I struggle with remembering keyboard shortcuts beyond the basics (copy, paste, quit, refresh), preferring to opt for a menu or another visible affordance. But the edit keyboard shortcut is now becoming one I use regularly so it is increasingly etched into my memory. I think there was a gap to bridge between adding the shortcut as a feature in the development process and making a habit around its use.

browser extension that adds an edit button to your browser software notes page

For The Seiko of It - Hey, it's Jason!

2026-04-02T00:00:00.000Z

I wasn't going to pick up any new watches on this trip. Then I picked up a new watch. 🤷

March 2026 Summary - Joel's Log Files

2026-04-01T15:50:50.000Z

The year continues to move at an incredible pace, and I continue to engage with so many forms of media, keeping track is starting to get a bit confusing! Nothing impossible to manage of course, it’s fun to have so many more things going on.

Podcasts

Once again, my podcast listening has been diminishing this year, as music continues to go upwards! I think that now that I fully settled on scrobbling with Listenbrainz, plus going to sleep with music over podcasts, has helped quite a bunch. Another big reason might be that I haven’t listened to Welcome to Night Vale in a while, which was what I listened to before sleep. In any case I listened to 23 horus of podcasts in March!

The podcasts I have been listening

Into The Aether - The usual run of current weekly episodes. The run so far has been amazing, featuring all maner of games like Resident Evil Requiem, Persona 4 Golden, Pokémon Pokopia, Danganronpa, Marathon, Slay The Spire 2 and Minishoot Adventures.
99% Invisible - A couple of great episodes on the Em Dash, and the history behind knowing where we are.
Wolf 359 - Listened up to episode 45 of this show. The story continues to be incredible, some of my favorites episodes that I still remembered from my first listen around 5 years ago. I drama and the stakes are getting real.
Revolutions - Listened to another four episodes or so of the French Revolution. This historical event has so much to unpack, I have listened to 50 episodes of it so far.
Stuff You Should Know - Just a random selection of episodes I listened to. Like an episode on tracking time, and flood myths.
Dungeons and Daddies - Listened to one episode and a half of Season 3! It got interested by the end so I expect to keep this up next month a bit more.
They’re Just Movies - This one is no longer around, but I listened to their overview of the Aliens movie, and want to check some more of their episodes. I kinda miss it.
Trash Taste - Just picking episodes at random, not much else.

Gaming

Gaming took over, and despite it all, I didn’t finish a single game! I just started so many at once and I am kind of having fun just jumping around between them without any rhyme or reason. But hey, they’re games, meant to be fun, after all.

The games I have been playing

Started

Resident Evil - I decided to venture into the world… of Survival Horror. The game that started it all! After the sequel, I thought I’d visit the original, and I have to say, I have really enjoyed it so far. I am happy to say I’ve managed to figure out all of the puzzles without help, except for the one that uses the chemical. Other than that, it’s been fun.
Metroid Fusion - I have so many Metroidvanias avilable to me, and I haven’t finished Silksong in ages, and yet again, I’ve decided to start another run of Fusion on my Miyoo Mini Flip. This game rules, and I’ve already reached the third boss of the game. I want to finish it as quickly as I can without using save states!
Ridge Racer Type 4 - I listened to the soundtrack of this game and I wanted to check it out. There are so many menus and modes and an actual story? I just jumped into a race as quick as I could and enjoyed the soundtrack a bit, but I admit I didn’t do more, I prefer the PSP physics and gameplay.
River City Ransom - This is a game that I tried online with Naty playing via NSO. It is a fairly deep game for its time, and we definitely had a lot of fun with its gameplay and mechanics, we played it for like 40 minutes but ran out of time and we haven’t returned to it.
What Did I Do To Deserve This, My Lord!? 2 - This is considered a hidden gem of the PSP. A game where you create an underground dungeon and grow your own army of creatures who grow by themselves and follow basic movement patterns to fight against the heroes. It’s a fun subversion, but not my cup of tea, I think.
Pokémon Emerald Legacy - I played the first 20 minutes of this game and I am tempted to give it a proper go. The Legacy romhack is supposed to be the ultimate way to enjoy the game and I look forward to having the mood to get into it.
Caves of Qud - I played a bit of the tutorial since I’ve heard so many great things, but I didn’t go much deeper than that, it seems huge and I’m definitely interested though.

Ongoing

CrossCode - A wonderful game that really grew up on me during this month. I made a bunch of progress and since I’m playing it alongside some friends, I’ve really looked forward to what they think or have to say about stuff. I like that I’m ahead too, not gonna lie. In any case, all the dungeons have been awesome, and even if the puzzle design can be a little tiresome, it definitely gets my brain working and I love the feeling of figuring things out. The puzzles can definitely get long though.
Super Mario 3D World - This has been a fun game to play with friends, and even to go through by myself a couple of times. We are trying to get every single star and sticker from this before finishing the story! We made it to the final stage now that it’s kind of like a circus, and I’m looking forward to beating this game at some point in the next couple of months.
Ridge Racer - This masterpiece for the PSP continues to be excellent to play. I have made some progress doing World Tours in the EX class, and I love how this game just hooks me and won’t let me go at all.
Into The Breach - I ended up returning to this gem of a game and finally managed to complete a run on it, even if it was on easy. The tactics and mechanics of this masterpiece are just amazing. I want to keep playing more of it and master all the available mechs too.
Balatro - Ended up playing this game with friends a couple of times, however, I ended up finally caving in and purchasing the title for my phone… It is fun, and I am scared. I am yet to win a game though, despite it all.
Gladiator Begins - This title for the PSP is an arena battler that I’ve played on and off. I touched it for a bit during the PSP season of Into The Aether, but didn’t even bring it up much. I have played some more lately and yeah, it’s very fun! I’m currently stock in a boss fight though, where I simply need to git gud.
Vampire Survivors - This roguelike “bullet heaven” is finally losing its spell among my group of friends, we play it for time to time, but it definitely feels a bit more like homework lately, just to complete the unlockables and achievements. We will keep playing though, just not as crazy as before.
Grapple Dog - I barely touched this game, although I had a lot of fun with it last month, I need to get back to it, I really enjoyed the physics and mechanics of it, but I guess that Switch and handheld gaming took over to compensate for the Laptop-focused gaming of February.
Super Smash Bros Ultimate - Just a couple of matches with friends… I’ve been tempted to play the solo campaign lately though, to unlock more characters and just test myself.

Movies

I just watched this one movie

The only movie I got to watch in March was David. An animated, faith-based, musical film about the traditional story of David and his rise to the throne as a King. I already said it on my weeknotes, this film is pretty good for what it is, but and probably among the best when it comes to Christian animation, with a few truly awesome scenes.

However, it falls short in other aspects, it gets preachy at times—although not as bad as others—and the songs, while good in the moment and with an OK message, they just aren’t very memorable, and there’s maybe one or two that weren’t really necessary. I also would have liked to see a bit more action. I don’t expect anything gruesome from a kids movie, but at the very least some swords clashing would have been fun.

Manga

What a great month this was for manga, other than the fact two of the ones I finished didn’t meet my expectations, the rest of what I read was rather enjoyable!

The mange I have been reading

Started

Kagurabachi - Up to chapter 115. Speaking of swords clashing, this was a manga that completely hooked me and wouldn’t let me go at all. I read from the start to the latest released chapter as of now, catching up with it. This is a revenge story, and features some amazing characters, excellent action and panelling, simple, yet breath-taking artwork and some actually good writing for once! I’ve enjoyed everything thus far, zero complaints, genuinely surprised.

Ongoing

Fly Me To The Moon - Up to chapter 214. This is a manga I started ages ago, and this month I finally decided to return to it. It starts as a fun rom-com manga about a newly wed couple, but it has turned into something much more interesting. There is a mystery to it all, and everything has started to finally unveil, if at a slow pace. However, I don’t mind, even without the mystery, the humor and wholesome moments are plenty. I enjoy it.
DanDaDan - Up to chapter 226. I barely read any of this manga, but at the very least I managed to get to the big bad guy of the current arc, I think, and it’s definitely an interesting premise. I am only a few chapters behind, so I am honestly just waiting for more chapters to release and build up some momentum.
Blue Lock - Up to chapter 340. I catched up and I’m reading week by week. This match against France has definitely been an epic one. I enjoy the challenge that Isagi has been facing. So many questions, doubts and tactics that don’t work. I really love the drama thus far.
Love’s in Sight! - Up to chapter 56. It had been a while since I revisited this one as well, it’s a cute rom-com about a blind girl and a delinquent guy with a soft heart. It’s pretty wholesome, and it actually deals with a lot of the accesibility and life of a blind person. Way more educational than I expected, and some of the narratives focused on that are really well done.
Kingdom - Up to chapter 866. This continues to be an absolutely epic tale. There were a couple of great moments going on during the current arc (The Battle against Zhao), and I am only three or so chapters behind. Some great developments have been made.
Spy x Family - Up to chapter 130. Currently on a very fun arc where Loid, Yor and Yor’s brother are held hostage, and while the three of them could easily get away and stop the whole thing, neither of them wants to blow off their cover. The conflict is solving itself in the most hilarous way, I love this manga.

Complete

Planetes - This is definitely a must read, a great science fiction manga in space in a nearby future that follows a group of garbage collectors that keep Earth’s space as clean as it can be. We follow multiple characters of this crew, all of them with their own journeys and ideal, forming relationships, dealing with the struggles of life in space. We meet some of their families, we see how technology continues to develop, we see the impact that seeking for the stars can have in life. There are so many topics, there are so many incredible moments, so much conflict, be it in political drama, between characters, and of course, internal dilemmas, depression, trauma, joy, hope, love. This is a true piece of art, up there with Yokohama Kaidashi Kikou, Vagabond and Kingdom. In only 22 chapters, this gave me so much food for thought. Just read it if you can.
Chainsaw Man - I have no words to describe what finishing this feels like. It is such an internal conflict. I absolutely loved Part 1 of this, and early on, I also loved Part 2. But something happened, and things started to look way too dire. Nonsense after nonsense, and chapters kept getting shorter and uglier. In the end, this manga finished with a 6-page long issue. I don’t know what to say. It was definitely a journey, and there’s a way to see this as the only ending Chainsaw Man could have had, but nah, I needed more out of it. I have a sour taste in my mouth. Thankfully I read plenty of masterpieces this month I even forgot to bring it up on my weeknotes—I edited them now, but still. I hope the anime fixes it.
Jujutsu Kaisen Modulo - Another manga that also started with a lot of promise, but didn’t manage to stick the landing at all. Its redeeming grace is that it only really had 25 chapters, and that 15 or so of them are very good. The art itself is awesome though, and even though the final sequences are super rushed, the art is great to see.

Anime

The only anime I watched this month

Orb: On the Movements of the Earth was the only anime I started, and I watched up to episode 4. This is an anime that caught me by surprise. A story set in the middle ages about a smart kid with a love for astronomy who eventually learns and the Earth revolves around the Sun, in an era where the Catholic Church considered the heliocentric model to be heresy.

The conflict and the relationship between truth, faith and science is very interesting to see. I definitely need to watch the rest of the season, it loks very promising.

Books

So many books were read, I actually started a couple more than the ones I mention here, but these are the significant ones, to be honest.

The books I read this month

Started

Clarkesworld Magazine #211 by Neil Clarke - I finally started going through the Clarkesworld magazines that I subscribed to a couple years back. I went through the first two stories found on this issue—The Lark Ascending and An Intergalactic Smugglers Guide to Homecoming—the third one is the longest thus far, but I’ll hopefully deal with it soon! The second story is my favorite thus far.
Strange Dogs by James S.A. Corey. - A novella that takes place before Persepolis Rising, so far so good! I barely read it though because reading on my XTEINK X4 took over.

Completed

Chrono Trigger by Michael P. Williams - A memoir, a critique, and retrospective of my favorite game of all time. It was quite cool! And contained plenty of information I didn’t know at all. It also featured some great interviews with the translators of the game. I enjoyed it, it’s a fun read but you definitely need to play the game before getting to it.
Non-Stop by Brian W. Aldiss - An incredible story that makes great use of the generation ship plot. I loved it from start to finish and flew through it in a matter of days. I already published my review of it so I won’t say much more. It’s worth a read despite its age, in my opinion.
Persepolis Rising by James S.A. Corey - The seventh entry in The Expanse series. This journey does a timeskip and places us in a new status quo, which is about to be challenged by Humanity’s greatest enemy once again, itself. A great start to this last trilogy. I look forward to the rest!

This is day 44 of #100DaysToOffload

Goals

Last month I set some goals that I would pursue during March, but I think I should do some more general goals that I can do during the year, and during the month itself. This is what I came up with. I added those I completed from last month, but I don’t think I want to list everything I completed as the year goes, so, yeah, just ongoing goals and progress updates, I guess.

Completed:

Survived my work
Finished Persepolis Rising
Went to the movies once

New

Fully sorting and labelling everything on my shelves for once
Finish a pending commission for a friend
Finish a pending commission for my parents

In progress

A full website redesign (??)
Read the whole Bible in a year (9/365)
Finish listening to Wolf 359 (45/61)
Complete 15 books (4/15)
Complete 15 videogames (2/15)

Finishing thoughts

This month was wild. Work really took over a lot of my life since my coworker went on his long vacation, and yet, despite it all, I managed to surpass expectations when it comes to the amount of media I watched. I am particularly happy about the books and manga I got to read.

It’s getting to a point I may just highlight some specific things instead of mentioning everything.

And all the blogposts I managed to do this month? It’s not my best or the most constant, but I am rather happy about it. Plus all the small changes and additions to my website. A good month all around, even if I could have gone without the extra workload. Can’t complain much though.

Definitely looking forward to what April has in store, I hope things will go alright.

Until next time!

This is day 44 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse

What Digital Isolation and Censorship Evasion Look Like In Wartime Iran - Werd I/O

2026-04-01T14:12:55.000Z

[Laura Scherling in Tech Policy Press]

I’ve worried that the internet will become a casualty of our worsening global politics. The inherent co-operation needed to let global networks talk to each other is aligned with an open world but not so much with an authoritarian one. Walled-off national internets — often called splinternets — may become more common.

While I worry about this for the US as the authoritarian screws continue to tighten, this is the concrete reality for people in Iran and 20 other countries today. As this piece in Tech Policy Press points out:

“The cybersecurity company Surfshark recorded 81 new internet restrictions in 2025 across 21 countries, pointing to evolving patterns of repression. Out of the 81 restrictions Surfshark tracked, 51 of these restrictive measures were taken in response to political situations.”

News and information needs to be shared differently in this kind of environment: the digital distribution techniques we’ve spent the last few decades learning simply don’t apply. Last year, in Building distributed media for a democratic breakdown, I wrote about how we might learn from Cuba’s ‌El Paquete Semanal and take advantage of both sneakernets and peer-to-peer networks to overcome these kinds of blockades. In a restrictive environment, people need news and journalism more than ever.

I wrote that piece somewhat speculatively, but the reception to it in journalistic circles took me by surprise. It’s an idea and a worry that people are taking seriously. And over the last six months, in a world that has seen more conflict, more restrictions, and more attacks on free speech, there have only been reasons to take it more so.

[Link]

The Right Is Using AI Content Scanners to Try to Supercharge Book Banning - Werd I/O

2026-04-01T13:42:25.000Z

[Claire Woodcock at 404 Media]

This AI-powered effort is intentionally designed to create chilling effects and reduce support for vulnerable communities:

“Conservative parents’ advocacy groups have been experimenting with using commercially available artificial intelligence tools to help them flag more books they’ve deemed pornographic to be removed from public schools and libraries. Even though LLMs are notoriously error-prone, and the books in question aren’t pornographic, these groups continue to explore use cases for AI anyway.”

According to 404 Media’s reporting, the script has a list of 300 or so words that form the basis of a heuristic that applies an “appropriateness” score to each one. If the book is deemed inappropriate, the script creates an automated report designed to be attached to book challenges at the school district level.

This reminds me of DOGE itself, which used a keyword-based system to flag “woke” grants that should be defunded that led to some incredibly dumb decisions about what should go:

“Among them, for example, was a $470,000 grant to study the evolution of mint plants and how they spread across continents. As best we can tell, the project ran into trouble with Republicans on the Senate Committee on Commerce, Science and Transportation because of two specific words used in its application to the NSF: “diversify,” referring to the biodiversity of plants, and “female,” where the application noted how the project would support a young female scientist on the research team.”

These techniques are clearly inaccurate, but that’s not the point: it’s enough to cause havoc and make people second guess publishing books on certain topics. It’s the same culture of chaos that led to a school librarian being fired for (correctly) refusing to remove over a hundred LGBTQ books from the children’s to the adult section of her library. And it’s all designed to harm some of the people who need the most support.

[Link]

Random File Format - Terence Eden’s Blog

2026-04-01T11:34:57.000Z

This was an idea I had back in the days of Naptster.

At the turn of the century, it was common to listen to an "acquired" music file only to find it was missing a few seconds at the end due to a prematurely stopped download. Some video formats would refuse to play at all if the moov atom at the end of the file was missing.

I wondered if it would be possible to make a file format which was close to impossible to read unless the entire file was intact. I don't mean including a checksum to detect download errors - I mean a layout which was intrinsically fragile to corruption.

While digging through an old backup CD, I found my original notes. I'm rather impressed at what neophyte-me had constructed. My outline was:

The file ends with a 32 bit pointer. This points to the location of the first information block.
The information block describes the length of the data block which follows it.
At the end of the data block is another 32 bit pointer. This points to the location of the next information block.
The start of the file may be a pointer, or it may be padded with random data.
There may be random data padded between the data blocks.

This ensures that a file which has been only partially downloaded - whether truncated at the end or missing pieces elsewhere - cannot be successfully read.

Here's a worked example. Start at the end and follow the thread.

Random data.
Data block size is 2.
Data
Data
EOF.
Data block size is 1.
Data.
Go to location 1.
Random data.
Go to location 5.

There are, of course, a few downsides to this idea.

Most prominently, it bloats file size. If the data block size was a constant 1MB, that would pad the size a negligible amount. But with variable data block size, it could increase it significantly. Random padding also increases the size.

If the block size is consistent and there's no random padding data, the files can be mostly reconstructed.

Depending on which parts of the file are missing, it may be possible to recover the majority of the file.

A location block size of 32 bits restricts the file-size to less than 4GB. A 64 bit pointer might be excessive or might be future-proof!

Highly structured files with predictable patterns, or text files, may be easy to recover large bits of information.

A malformed file could contain an infinite loop of pointers.

Perhaps a magic number should be at the start (or end) of the file?

While reading the file is as simple as following the pointers, constructing the file is more complex, especially if blocks have variable lengths.

Code

Here's a trivial encoder. It reads a file in consistently sized chunks of 1,024 bytes. It shuffles them up and writes them to a new file. The last 4 bytes contain a pointer to the first block, which says the data length is 1,024. After that, there is a 4 byte pointer to the next block location.

import random

#   Size of data, headers, and pointers.
data_length = 1024
header_length  = 4
pointer_length = 4

#   Read the file into a data structure.
original_blocks = list()
with open( "test.jpg", "rb") as file:
    for data in iter( lambda: file.read( data_length ), b"" ):
        #   Add padding if length is less than the desired length.
        padding = data_length - len( data )
        data += b"\0" * padding
        original_blocks.append( data )

#   How many blocks are there?
original_length = len( original_blocks )

#   Create a random order of blocks.
order = list( range( 0, original_length ) )
random.shuffle( order )

#   Where is the start of the file?
first_block_index = order.index( 0 )
first_block_pointer = first_block_index * ( header_length + data_length + pointer_length )

#   Loop through the order and write to a new file.
i = 0
#   Open as binary file to add the pointers correctly.
with open( "output.rff", "wb" ) as output:
    while i < original_length:
        #   Where are we?
        current_block = i
        current_block_value = order[i]
        #   Write length of data in little-endian 32 bytes.
        output.write( data_length.to_bytes( header_length, "little") )
        #   Write data
        output.write( original_blocks[ current_block_value ] )
        i = i+1
        #   Last block. Write an EOF header.
        if ( current_block_value + 1 >= original_length ):
            eof = 4294967295
            output.write( eof.to_bytes( header_length, "little") )
        else:
            next_block = order.index( current_block_value + 1 )
            #   Write pointer to next block
            next_block_location = next_block * ( header_length + data_length + pointer_length )
            output.write( next_block_location.to_bytes( pointer_length, "little" ) )
    #   At the end of the file, write the pointer to block 0.
    output.write( first_block_pointer.to_bytes( pointer_length, "little" ) )

And here is a similarly trivial decoder. It reads the last 32 bits, moves to that location, reads the block size, reads the data and writes it to a new file, then reads the next pointer.

import os
#   Size of data, headers, and pointers.
header_length  = 4
pointer_length = 4
#   File name to write to.
decoded_file = "decoded.bin"

#   Create an empty file.
with open( decoded_file, "w") as file:
    pass

#   Function to loop through the blocks.
def read_block( position, i ):
    #   Move to the position in the file.
    input_file.seek( position, 0 )
    #   Read the data length header.
    data_length = int.from_bytes( input_file.read( header_length ), "little" )
    #   Move to the data block.
    input_file.seek( position + header_length, 0 )
    #   Read the data.
    data = input_file.read( data_length )
    #   Read the pointer header.
    next_position = int.from_bytes( input_file.read( pointer_length ), "little" )
    #   If this is the final block, it may have null padding. Remove it.
    if ( next_position == 4294967295 ) :
        data = data.rstrip(b"\0")
    #   Append the data to the decoded file.
    with open( decoded_file, "ab" ) as file:
        file.write( data )
    #   If this is the final block, finish searching.
    if ( next_position == 4294967295 ) :
         print("File decoded.")
    else:
        #   Move to the next position.
        read_block( next_position, i+1 )

#   Open the file as binary.
input_file = open( "output.rff", "rb" )

#   Read the last 4 bytes.
input_file.seek( -4, 2 )

#   Get position of first block
first_block = int.from_bytes( input_file.read(), "little" )

#   Start reading the file.
seek_to = first_block
read_block( seek_to, 0 )

As I said, these are both trivial. They are a bit buggy and contain some hardcoded assumptions.

Here are two files encoded as "RFF" - Random File Format - an image by Maria Sibylla Merian, and the text of Romeo and Juliet.

Have fun decoding them!

Mutation testing for the agentic era - Trail of Bits Blog

2026-04-01T11:00:00.000Z

Code coverage is one of the most dangerous quality metrics in software testing. Many developers fail to realize that code coverage lies by omission: it measures execution, not verification. Test suites with high coverage can obfuscate the fact that critical functionality is untested as software develops over time. We saw this when mutation testing uncovered a high-severity Arkis protocol vulnerability, overlooked by coverage metrics, that would have allowed attackers to drain funds.

Today, we’re announcing MuTON and mewt, two new mutation testing tools optimized for agentic use, along with a configuration optimization skill to help agents set up campaigns efficiently. MuTON provides first-class support for TON blockchain languages (FunC, Tolk, and Tact), while mewt is the language-agnostic core that also supports Solidity, Rust, Go, and more.

The goal of mutation testing is to systematically introduce bugs (mutants) and check if your tests catch them, flagging hot spots where code is insufficiently tested. However, mutation testing tools have historically been slow and language-specific. MuTON and mewt are built to change that. To understand how, it helps to first understand what they’re replacing.

The regex era

Mutation testing dates to the 1970s, but for a long time, the technique rarely saw much adoption in the blockchain space as a software quality measurement. Testing frameworks are coupled tightly to target languages, making support for new languages expensive.

Universalmutator changed this with its regex engine. After a commit on March 10, 2018 added Solidity support, the tool gained immediate traction in the blockchain space. We collaborated with the universalmutator team to advance smart contract testing and highlighted the tool in our 2019 blog post. Despite (or perhaps because of) its elegant approach and compact codebase, universalmutator generated impressive mutant counts, enabling developers to assess test coverage more thoroughly than simpler tools could. Vyper and other language support followed, establishing universalmutator as the leading mutation testing tool for blockchain.

But regex has fundamental limits. Line-based patterns cannot mutate multi-line statements, a critical gap acknowledged by the original paper. More problematic: without mutant prioritization, the tool wastes time on redundant mutations. When commenting a line triggers no test failures, universalmutator still generates and tests every possible variation of that line, dramatically extending campaign runtime. Printing the results to stdout adds further friction for humans and AI agents reviewing campaigns. Later improvements (including a 2024 switch to comby for better syntactic handling) addressed some pain points, but remaining limitations prompted the development of more focused alternatives.

Between 2019 and 2023, several tools emerged to address them, including our own slither-mutate solution. Each took a different approach to the core problems of language comprehension, scalability, and test quality.

slither-mutate: Speed through prioritization

We launched slither-mutate in August 2022, after our wintern, Vishnuram, brought the concept to life. Because Slither already parsed Solidity’s AST and provided a Python API, the groundwork was laid to generate syntactically valid mutations and implement a cleaner tweak-test-restore cycle (earlier tools polluted repositories with mutated files).

The tool’s key innovation was mutant prioritization: high-severity mutants replace statements with reverts (exposing unexecuted code paths), medium-severity mutants comment out lines (revealing unverified side effects), and low-severity mutants make subtle changes, such as swapping operators. The tool skips lower-severity mutants when higher-severity ones already indicate missing coverage on the same line, dramatically reducing campaign runtime, the biggest obstacle to wider mutation testing adoption. By late 2022, we were deploying slither-mutate across most Solidity audits.

Two limitations remained. First, tight coupling to Solidity meant there was no path to easily support other blockchain languages. Second, dumping results to stdout persisted as a problem, but adding a database to Slither creates unacceptable friction for the broader Slither user base.

Introducing MuTON and mewt: The tree-sitter era

MuTON, our newest mutation testing tool, provides first-class support for all three TON blockchain languages: Tolk, Tact, and FunC. We’re grateful to the TON Foundation for supporting its development. MuTON is built on mewt, a language-agnostic mutation testing core that also supports Solidity, Rust, and more.

MuTON achieves language comprehension comparable to slither-mutate while supporting multiple languages by using Tree-sitter as its parser. Tree-sitter powers syntax highlighting in modern editors, building a concrete syntax tree that distinguishes language keywords from comments. This allows MuTON to target expressions like if-statements in a well-structured way, handling multi-line statements gracefully. Traditionally, integrating Tree-sitter grammars for new language support takes orders of magnitude longer than writing regex rules, but AI agents paired with bespoke skills invert this calculus, delivering Tree-sitter’s power with regex-like ease of extension.

MuTON stores all mutants and test results in a SQLite database, a quality-of-life improvement that became evident while using slither-mutate but wasn’t feasible to retrofit. Results persist across sessions; campaigns can be paused and resumed without losing progress. If you accidentally close your terminal during a 24-hour campaign, your work survives. Persistent storage also enables flexible filtering and formatting: print only uncaught mutants in specific files, or translate results to SARIF for improved review. This flexibility helps humans and AI agents explore results, triage findings, and hunt for bugs.

The future of mutation testing

MuTON addresses many historical pain points, but significant friction remains. Three challenges stand between mutation testing and widespread adoption: configuring campaigns for reasonable runtimes, triaging results to separate signal from noise, and generating tests that encode requirements rather than accidents. AI agents, equipped with specialized skills, promise to transform each of these obstacles into routine tasks.

Optimizing configuration

Performance remains the biggest obstacle to mutation testing. If your test suite takes five minutes and you have 1,000 mutants, that’s 83 hours of unavoidable runtime. Mutation testing tools can’t fix slow tests, but smart configuration can dramatically reduce wasted time. MuTON already gives you powerful options to tune campaigns: target critical components instead of everything, use two-phase campaigns that run fast targeted tests first and then retest uncaught mutants with the full suite, configure per-target test commands so mutations in authentication code only trigger authentication tests, or restrict to high and medium severity mutations when time is tight. These tools work today and deliver real speedups.

But the decision tree branches endlessly: should you split by component or severity? Two-phase or targeted tests? What timeout accounts for incremental recompilation? We’ve released a configuration optimization skill that guides AI agents through these choices, measuring your test suite, estimating runtimes, and proposing optimal configurations tailored to your project structure. Try it now—it’s available in our public skills repository and makes the process painless.

Triaging results

Not all uncaught mutants matter. Mutations that change x > 0 to x != 0 are semantic no-ops when x is an unsigned integer. A perfect mutator wouldn’t generate such mutations in the first place, but that would require deeper language-specific understanding than Tree-sitter provides. Manual triage traditionally requires slogging through hundreds of results, checking types, and understanding context to extract actionable insights.

MuTON’s database and flexible filtering already make this dramatically easier. Filter by mutation type or specific files to highlight high-value results. More importantly, these filters make AI-assisted triage token-efficient in ways earlier tools dumping raw output to stdout never could. Even today, asking an agent to review filtered mutation results and summarize true positives delivers 80% of the insights for 1% of the manual work. We’re developing a triage skill that systematically guides agents through result analysis, identifying patterns such as clustered uncaught mutants (a strong bug indicator) versus isolated operator mutations in utility functions (likely false positives or low priority). The skill will help agents flag high-risk areas and explain why specific mutations matter, turning raw results into actionable security insights.

The promise and peril of mutation-driven test generation

At first glance, using mutation testing to guide AI agents in writing tests seems like an elegant solution: test mutants, find escapees, generate tests to catch them, repeat until coverage is complete. But this naive approach harbors a subtle danger: an uncritical agent doesn’t know whether it’s encoding correct behavior or propagating bugs into your test suite.

When mutation testing reveals that changing priority >= 2 to priority > 2 alters behavior, should the agent write a test asserting that priority == 2 triggers an action? Maybe. Or maybe that’s a bug, and now you’ve corrupted your tests with the same incorrect logic, giving false confidence while doubling your maintenance burden. The real challenge isn’t generating tests that just catch mutants; it’s generating tests that encode requirements rather than implementation accidents.

We believe the solution lies in building agents that are skeptical, that halt and ask questions when they encounter suspicious or ambiguous patterns, and that demand external validation before crystallizing behavior into tests. It’s a subtle problem that balances AI’s strengths with developers’ limited attention, but we’re working on it. Stay tuned.

Dive in

Ready to test your smart contracts? Install MuTON for TON languages, or mewt for Solidity, Rust, and more. Run a campaign and discover your blind spots. Found a bug in TON language support? File an issue in MuTON. See room for improvement in the core framework or other languages? Join us in the mewt repository. Both projects are open source and welcome contributions.

Watch our skills repository for new skills that will guide AI agents through campaign setup and result analysis, transforming mutation testing from a manual slog into a routine part of the development process.

Museum Memories: Roundup - James' Coffee Blog

2026-04-01T00:00:00.000Z

This month I had the pleasure of hosting the March 2026 IndieWeb Carnival on the topic of “Museum memories”, in which I invited participants to write about a memory of a museum. To everyone who participated – we had over 30 participants this month! – thank you. It was a delight to read everyone’s stories.

Reading the contributions to this month’s Carnival will take you around the world, covering everywhere from Canada to Japan to Goa to Cairo. There are a breadth of perspectives, covering everything from a behind-the-scenes look at writing for museums (V.H. Belvadi), to cities themselves as museums (Paul), to the role of context in understanding art exhibits (Ginny).

In this post I briefly summarise the contributions, drawing attention to one point that stood out to me as I read each blog post. I invite you to read the round-up and follow the links to any post that interests you.

While the "Museum memories" Carnival is now over, I am still accepting contributions. Feel free to email me at readers [at] jamesg [dot] blog and I will make sure your post is represented in the round-up. In addition, if I have missed your blog post in the round-up, please email me so I can add your post.

The Carnival for April is on the topic of "Adventure", hosted by Pablo.

Submissions

Beto walks the reader through his experiences with modern art, starting with the Centre Pompidou in Paris. He notes the extent to which modern art opened his eyes, to the extent of reflecting on the very nature of what art could be:

My earliest memory of being in love with a museum was when I visited the Centre Pompidou, in Paris, with my dad. I was 15, and we were traveling from Brazil through France, Italy, and Spain. This was my first contact with modern art, and I was deeply affected by everything I saw. It changed my perception of art, and of what art could be.

⁂

Joe starts by reflecting on how thought-provoking the topic of museum memories was: “As I thought about what that prompt brought to mind, I was flooded with memory.” He then goes on to share two memories of museums: the first, seeing WIRED magazine in a museum; the second, in the pride he felt seeing an exhibition run by his sister at the Smithsonian in Washington, D.C.

What a wonder it is to remember the totality of my sister’s life and experience that kind of accomplishment. I mean, I remember the day when my sister was born. I remember her first step. That I can hold those memories in my head along with the memory of the day she earned her Master’s Degree and the day she shared her exhibit with me and our Dad.

⁂

Jeff followed in Joe’s footsteps of exploring two museum memories: his time in the Design Museum of Barcelona and the Salvador Dalí Museum in St. Petersburg, Florida. Reflecting on visiting the design museum in Barcelona, Jeff shares how the visit was brought to life by being accompanied by family:

This visit stands out because of the shared experience with my son. The museum was focused on design, which we are both involved in. […] So the exhibits touched something deep inside of who we are as designers/creatives. I am so glad that I got to be with him when he visited this museum.

⁂

Like Joe, I was flooded with memories when I started to think about writing my entry to the Carnival for this month. I shared my experience visiting the National Museum of Flight with my grandparents when I as a kid. I am still in awe of the scale and grandeur of the museum, and have many fond memories of the trip:

I feel that same sense of awe now in art galleries when I look at large paintings: the scale of the thing in front of me can be so grand – or indeed small and extensively detailed – that, for a moment, I can’t help but think “wow!” That feeling never gets old.

⁂

Mike shared his excitement of visiting the Steven F. Udvar-Hazy Center (Air & Space Museum) in Northern Virginia and the wonders of seeing a real-life spaceship in person:

Sure, if you’re a flight geek, or a war buff, you’re going to be in heaven there. But as neither of those really, I can attest to how really cool it is to walk around there regardless of your interests. I mean, how can you not gaze in wonderment at an actual spaceship, imagining the many stellar voyages it took. Wondrous.

⁂

Zinzy then takes us to London to the National Gallery, where she reflects on how the words on a plaque next to an artwork in the National Portrait Gallery changed her perception of a work. I will leave this quotation as your invitation to read the post in full:

Picture me entering the National Portrait Gallery for a photo exhibit, and walking heart-first into a room with an enormous print of a woman in complete disarray. Cheeks red from hours of crisis, a frown pressed into her forehead, shoulders held up as if tenseness were the only form of comfort she had left to know

Zinzy’s experiences match my own in seeing paintings in museums: the plaques help us understand a piece, but our initial impressions still stick with us.

⁂

We’re now leaving London to explore the Museum of Possibilities in Chennai with Jatan. The museum has a range of exhibits on assistive technologies, a few of which Jatan explores in the post both in words and with images. At the start of the post, Jatan shares a wonderful tool:

One of the display themes was tech tools which bridge accessibility gaps for people. These tools were in working states. I particularly loved this e-pen which reads text out loud as you slide it over any page with words. It can even save said text as a file.

⁂

twitu then takes us to the Goa Chitra Museum, which displays “many daily use tools and equipment by the people of Goa in the 19th and early 20th century.” twitu reflects on the experience of seeing tools used over a hundred years ago, noting:

I find it fascinating to know what occupied the lives of people 100+ years ago. The tiresome beat of daily chores and tools to automate them. And some of them have stayed fundamentally the same for the pass 100 years!!

⁂

Last Encore takes us to Japan to explore how the architecture of museums impacts our experience as visitors, reflecting on the tension between interior design, architectural visions, and function:

In such establishments, one is bombarded with buzzwords like “immersive” or “free-flowing,” where the layout is intentionally ambiguous. Under the guise of “exploring in any order you like,” I find myself pacing the same gallery over and over, muttering, “I am quite certain I have seen this room already.” Finding the exit becomes a genuine struggle.

Last Encore’s experiences brought back my own memories of museums that feel almost labyrinthine: full of wonderful art, but hard to navigate.

⁂

Ginny takes us to the WAG-Qaumajuq museum in Winnipeg:

The WAG-Qaumajuq is home to the largest collection of Inuit art pieces in Canada. Qaumajuq (pronounced KOW-ma-yourk) means "it is lit, it is bright" in Inuktitut.

Ginny’s post introduces her post through the lens of context, which she considers an essential part of art galleries:

The most important part of an art gallery for me is context. Why was this piece created, what was the artist's inspirations, what part of their history informed the art?

Full of fascinating facts about Inuit and Indigenous culture, Ginny’s post is a wonderful read.

⁂

Next, Ben explores the power of museum memories through the lens of exhibitions on power generation. Ben starts with a concise history of how humans generated power, and then shares several experiences of getting up close with power generation machines of all kinds in several museums. In his post, he reflects on how one display case can display the chronology of a technology over a century:

Something that stood out to me is a display case with functioning models of industrial-era steam machines all connected together by belts to overhead drive shafts. […] The evolution of the display case over 100 years shows the versatility of rotational energy: networks of power distribution can be built with interchangeable power generators and power consumers.

⁂

V.H. Belvadi invites us behind the scenes to see what it is like to work with a museum. V.H. explores what museums could be if they had more support, the role everyday objects play in museums, the intricacies of communicating to the public through exhibit plaques, and more. I especially appreciated his eye-opening perspective on what museums could be with more support:

Speaking to multiple curators a common confession I have heard is that if only the museum could afford floor space for everything they own, they would love to display all of it. For many museums that might mean an extra room or storey. For the likes of the British Museum it probably means several additional buildings.

⁂

Nick then takes us to the Metropolitan Museum of Art in New York through the lens of his visit as a seventh grader. Nick reflects on, among other things, the grandeur of the building and how it felt to be visit:

What I can recall most vividly is the feeling of wandering through this enormous museum on my own. Stepping into the grand entrances of the Met is akin to visiting the world’s great cathedrals. High ceilings, marble floors, brilliant lighting. I was still naive in my art education at this point, but these art works felt so important, so elevated in that remarkable space. I did not actually get lost in the Met, but I did lose track of time.

Nick wraps up his post with a delightful conclusion: “I may have gotten a little lost in the Met, but I found a part of myself too.”

⁂

Sammie brings a new perspective to what we consider to be a museum, inviting us to think of museums not only as a discrete physical location but as any place in the world that sparks your curiosity:

Similarly, seeing things physically in general. Watching train cars drive by and seeing all the art on the sides of them displayed, or watching the wheels and considering how they fit in the tracks. Questioning how wires connect and following them from one machine to the next. Studying walls and furniture, paintings on the walls of waiting rooms. There are so many things that you get to see and question and wonder.

⁂

Matthew tells us the story of his experience growing up near the Blists Hill outdoor museum complex, and the lasting influence the space had on his life. Matthew notes how the museum allowed him to “smell and really feel the past”:

Once onsite, I was given a lot of freedom to roam around and look at the various shops and interests of the site, and then we’d go home for lunch. The site, it is a reproduction victorian village, with shops, banks, and other artefacts that faithfully recreate the era. It was fairly rudimentary in those days, having not long opened, but quickly developed into one of those rare but popular destinations where you get to not only see, but touch, smell and really feel the past.

⁂

Andrei made two contributions to the Carnival this month: first exploring the relationship between art and wealth in “Exit through the gift shop > The fine line between culture and ostentation”, and then documenting several museums he has visited in “Museums along the Road”.

Andrei invites readers to seek a slower experience in museums by visiting an exhibition that really appeals to us:

So instead of going for the huge art and history museums where you spend tens if not hundreds of euros for the tickets, go for the slow experience. Stay away from the Louvres and MOMAs and Tates of the world, they’re usually filled with stolen shit taken from oppressed people so rich people can get richer. Instead, search an exhibition of an artist that you like, or visit something special.

⁂

David starts his post by talking about the variety of museums that he enjoys, from art institutions like the Louvre to rural historical museums. He then explores how there is nothing like seeing a piece of art in person:

I learned early on that there is no substitute for seeing actual works of art whenever possible. It’s a wonderful experience to finally see a painting that you are familiar with through reproductions. A painting is alive in a way that even a high quality reproduction is not. The colors are true, but it’s more than that. It’s the life, the physicality, the hand of the artist, sometimes obscured but always present. A reproduction can show you how something looks, but it can’t capture any of that life.

⁂

Noahie documents how our relationship with museums can transform with time. Starting by mentioning how he explored the Dallas Museum of Art with an “irreverent attitude” as a kid, he now sees museums as a place to have a “peaceful and interesting day.” Noahie then reflects on the increased accessibility to art in the modern day, and the lasting influence art has had on his life:

Overall, I think that museums have become a more humble institution despite their aristocratic beginnings. These days, good art is accessible to everyone, and I think that's important. The influence it has had on my life is vast, and these days, it's one of the things I most look forward to in life.

⁂

Bix shares his experience visiting a travelling exhibit from the United States Holocaust Memorial Museum at the time of the Bosnian War, which left them with a chilling impression:

Mostly, I just remember that even as the exhibition itself eschewed showing images of the camps from one war, we daily were seeing images of camps from the latest war.

⁂

Elena begins her blog post with a story of a museum guard who had particular expectations of how someone should and should not appreciate art:

I still had my ticket in my hand and used that to point to all the cool parts. I admit, I was also very close to the glass, but I didn't touch anything. Anyway, it didn't take long and a guard came literally stomping towards us. He then said in a very upset tone: "This is great art you're looking at. Do not use your ticket to point at it! One does not point at great art with a ticket!"

This museum did not deter Elena from enjoying the rest of the museum with her colleagues, thankfully. Instead, she took it in her stride:

But when it had finally sunken in, we quoted him at every other artwork to remind one another to please absolutely not use our tickets to point at this great art that's exhibited here.

⁂

Anthony puts museums at the heart of his holidays. When visiting, he is “looking for, over anything else, is evidence of how things were made”, connecting the marks of how art is made to his love of analog writing tools:

My love of fountain pens, typewriters and block printing isn’t rooted in nostalgia, but in the fact that they leave their mark on my work. The nib, the slug and the carvings literally imprint every decision, every mistake and every happy accident into the paper. They prove that i was here. At their best, museums do the same thing on a much larger scale. They prove that people were there.

⁂

Kristof shares three memories of museums: the Deutsches Museum in Munich, exploring various museums in Sweden, and his experience at Yad Vashem, the World Holocaust Remembrance centre. Kristof’s reflections of Yad Vashem from the perspective of someone who grew up in Germany are stark:

This museum leaves no one unmoved, but what struck me deeply in retrospect is the fact that my language and my familiar culture were visible in the pictures. Beautiful facades of German cities… with corpses lying in the streets in front of them. Beautiful German landscapes… with barbed wire, half-dead people, and the headline “Arbeit macht frei”. The culture of my ancestors was visible everywhere. MY damn culture! I felt shame because my people were the perpetrators. I felt anger because my people were the victims.

⁂

Reilly documents his experience visiting the Communication Technologies Museum, where he was able to get up close to – and even try – some technologies. Reilly’s experience illuminates how interactive exhibits add a new dimension to museums: from being an observer who reads and studies an exhibit to an active participant:

One of my favorite exhibits was a set of teletype machines, all linked together. A teletype is similar to a typewriter, but keypresses can be transmitted and received. Typing on one of these machines sends a code for each character — traditionally the 5-bit Baudot code. When a teletype on the other end of the line receives Baudot code, it types out the same character as the unit sending the code. The museum as kind enough to let visitors type on one of the teletypes, and it was extremely cool to see them communicate with each other, with another unit duplicating what we typed.

⁂

Paul takes us to the biggest museum we have seen yet in submissions to the Carnival by positing that the city of Barcelona itself is a museum:

I mention all of this because the city itself is a giant museum. You can step back in time, in design, and urban planning, and wander through the narrow cobbled streets of the Old Quarter, then walk ten minutes to Eixample to see an extension, started two hundred years ago, that’s still celebrated for how modern it is.

Paul’s blog post is almost a web-based walking tour of Barcelona, covering ancient building foundations, the city planning of the Eixample neighbourhood, the Castell de Montjuïc, street art, the Sagrada Família, and more.

⁂

We’re now off to Philadelphia to explore the Franklin Institute with Jesse. In his post, Jesse walks through the architecture of the building, its striking exhibits, and the personal resonance of the health exhibits in the museum. The pendulum in the museum inspires Jesse to ask us to consider the role of rhythm in our own lives:

And we are also rhythmic machines, aren’t we? — rhythm being the way nature imposes order on her own chaos. The body’s algorithms, circulation and respiration, and the mind as well. Inhale, exhale. Sleep, wake, sleep.

⁂

Loreleice takes readers through an exhibition in Museo Sugbo, which documents the history of the Cebu area in the Philippines. Loreleice describes photos of both a “baro't saya, a traditional costume for Filipina women”, and “pots and bowls, which seem to come from the pre-colonial era.” I feel like Loreleice is my tour guide while I read this post.

Toward the end of the blog post, Loreleice notes the potential of museums to deepen our knowledge of a subject:

Since I only get surface-level knowledge about the Philippine history from textbooks (and possibly the Internet world), I feel like museum visits could deepen that.

⁂

Theo, inspired by the range of memories he has in museums, prepared a list of moments spent in museums. The list covers everything from seeing his grandfather “‘ice-skating’ for the first time in like 20 years” to “running around in an ancient Roman villa, making bread and visiting the herbs garden; Twice”.

Theo’s post ends with the central role people play in their memories of museums:

I think I realised that what made museums so special to me is the people I shared these moments with. Some of these people I'll never see again, others I could but won't. People I miss, people I love.

⁂

For Evan, museums are woven through his life, from visiting the National Museum of Natural History as a kid, to exploring the museums of Paris with family, to going to the Carnegie Museum of Art in Pittsburgh on a first date with the woman who became his wife. Evan introduces his post with a label I might have to start using myself: being a Museum Person:

I think of myself as a Museum Person. I come from a family of Museum People. I married a Museum Person. I take my kid to museums. We’ve been going to museums for longer than I can remember.

⁂

Dale discusses the delightful surprise of encountering the Spirit Museum in Stockholm. His blog post makes me think about how many “gems” there are to discover outside of the headline museums in cities:

Honestly, in a city with lots of really good museums, the Spirit Museum is a real gem, and maybe the best ‘accidental’ discovery Iʼve made. Despite that it is small by capital museum standards, they seem to have a knack of attracting really interesting visiting exhibitors and punch above their weight in variety and entertainment value.

⁂

Britt recalls moments from childhood spent in museums run by North East Museums in England, including the “Hancock Museum (natural history) and Discovery Museum (science and local history)”. The memories span from a close encounter with an animatronic triceratops to seeing a beehive at work through the glass in a museum staircase.

Britt notes that museums have had a lasting influence on her passion for learning:

My many childhood visits to museums are part of why I love learning things and sharing what I learn with other people.

⁂

Next, we’re off to Egypt with Jeremy to explore the Cairo Museum. Jeremy submitted a post from 2005 for this month’s Carnival, which I accepted with great delight owing to its vividness. Jeremy’s post walks through several exhibits and his reactions to them. He also discusses how the information available in museums builds over time:

OK, there are still fabulous gaps in my knowledge. Like, what is the relationship between Dunmutef the jackal and Anubis the jackal? But I feel that I have made something of a breakthrough, all on my own. Bits of information, scattered observations, have come together in something that resembles coherence.

⁂

Sara starts by sharing a childhood memory of the Technological Museum of Bistra, and then goes on to discuss the everyday role that museums have in our lives, with a particular focus on museums in Ljubljana. Sara’s conclusion reminds us that museums are for everyone:

While I know a lot of people here dismiss museums and galleries as something that only intellectual and pretentious people do, I do think that the museums and galleries do have their role in our everyday life as well and I am seeing that in my everyday life. They deserve the support they are getting and more.

⁂

Frances shares a memory of visiting the British Museum at the age of ten or eleven during which they took many photos. Reflecting on the one of the pictures, Frances connects their childhood museum visit to their current field of study:

Here we have Mithras slaying a bull. Apparently I was already intending to study ancient and mediaeval history at university.

It does not appear my interests have changed all that much.

⁂

By way of the 21_21 DESIGN SIGHT exhibit, kwist reflects on how all the parts of an exhibition come together to build an impression:

Instead, an exhibition's concept, selection of exhibits, their arrangement in relation to each other, and even things like the use of the museum space and its soundscape come together to offer a unique experience, and a view at the world from a different perspective.

kwist also shares the moment when the exhibit, which was about the concept of “wildness”, came to life:

But at least for me, it also just ... worked. Somewhere along the way, I decided to go along with it, and started thinking about this more abstract concept of "wildness" the exhibition was trying to convey - and it clicked somehow. It was an almost meditative experience that had a strong impact on how I view museums, and deepened my appreciation of them.

⁂

Moving on, Ken’s post takes us back to Washington, D.C., this time to the Hirshhorn Museum. Ken notes that the building was “One of the first times modern architecture seriously captured my curiosity.” Describing the building and his experiences visiting the museum, he says:

On the inside, it’s all post-WWII modern and contemporary visual art, each floor a continuous loop of gallery space. And then on the top (publicly-accessible) floor, one of the galleries has a balcony overlooking the National Mall.

Something about the novelty of the subject matter and my malleable state of mind at the time, but certain exhibitions are just seared into my being.

⁂

Next, we are visiting Michael’s blog, in which he shares five stories from museums across the United States, from Philadelphia to San Francisco. Michael’s post reflects on the nature of life and time, museums near and far, using poetry to describe an exhibition, and more.

Reflecting on his visit to the Exploratorium in San Francisco, Michael explores how what seemed far away as a child became close as an adult as he stood inside the museum 20 years after reading about it in a magazine:

Sure thing, kid. It's amusing now, having lived here for 30 years, to remember just how far away San Francisco was to a suburban 9-year-old growing up on Long Island.

This has me thinking that, indeed, museums themselves bring what may be so far away a little bit closer to us.

⁂

Thomas takes us to the heart of Paris to explore a specific exhibit at Musee d’Orsay that left a lasting impression: the Three Mixed-media Arabs. Thomas shares his reaction to the sculptures, studying them in close detail from many angles:

Part of what struck me was the movement of the alabaster cloth. But, with the cloaked sculpture and a hood, I couldn’t sort out how the hood, face, and head worked. Each angle and time I’d look I was see another detail of the sculpture that drew me in and distracted me from the static mechanics of how it was done. Whomever I’m with often nudges me onward, but my mind is stuck and enrapt with the hooded in hard alabaster bronze face that seems to have the alabaster moving freely like cloth captured and frozen in an instance (yet crafted over much time).

Thomas shares his impression that the works do not get as much attention as others, noting:

When I am there and taking in the three pieces I am usually the only one around it looking at them for anything more than a few seconds or passing glance. It feels like they are hidden in plain sight.

⁂

Thank you again to everyone who contributed to the Carnival, and to all readers who have followed along with the Carnival this month!

This post was syndicated to IndieNews.

Exit through the gift shop > The fine line between culture and ostentation Museums along the Road Joe Matthew Britt display case Evan David Centre Pompidou Frances Museum memories my entry to the Carnival Jeff Jeremy Ken’s post Dale Kristof Last Encore Adventure Ginny Loreleice Michael’s blog Jesse syndicated to IndieNews Noahie Paul kwist Reilly Beto Sammie Sara Mike Theo Elena Jatan V.H. Belvadi Bix Nick Zinzy twitu Anthony Ben

Nesting social posts under blog posts in Artemis - James' Coffee Blog

2026-04-01T00:00:00.000Z

In Grouping link posts in a web reader, I described a feature in Artemis to show when someone whose website you are following has bookmarked a post by an author you also follow. The motivation for this feature was to reduce clutter in a user’s reader by grouping shares of a post under the original post.

Whether an entry should be nested was determined by the URL of an entry in a feed, which meant that the feature triggered only for people who publish bookmarks feeds that link directly to other websites.

Yesterday, I started working on an expansion to this feature to cover another case: when someone you follow publishes a blog post, then announces that post on another account like Mastodon whose feed you also follow. I have seen this happen a few times since there are a few people whose blog and Mastodon account I follow. Ideally, the Mastodon post would be grouped under the main post.

Here is an example of the new feature in action:

ALT

The Artemis web reader showing three posts. The first post has one post nested under it that says "Shared as a link by Thomas Vander Wal."

Above, vanderwal.net’s Musee d’Orsay and the Three Mixed-media Arabs blog post is the main entry. Below the entry is the text “Shared as a link by Thomas Vander Wal”, which links to the Mastodon post announcing the blog post.

When a post is retrieved by the Artemis polling system, all outgoing links are saved in a list. Then, when a user’s reader is being displayed, any post that links to another post will appear nested under the post to which it links. This feature only triggers if the feed that contains the link is a Mastodon account ¹. This prevents a scenario where someone writes a blog post that links to another blog post, where, with the logic above, the blog post that links to another post would be hidden.

(Note for users: This feature works if you are subscribed to a feed using the ActivityPub syntax like @jamesg.blog@jamesg.blog; if you follow the RSS feed for a Mastodon account this will not work. This feature may work for Bluesky replies too, although I haven’t yet tested it on Bluesky accounts).

While a relatively small change, this feature helps to create focus on blog posts as opposed to presenting both a blog post and an announcement post in the same way.

[1] This feature may also work with other ActivityPub-based systems, although I haven’t tested it yet.

Grouping link posts in a web reader Mastodon post Musee d’Orsay and the Three Mixed-media Arabs

The Entire Internet Is a UGC Reaction Video Now - Westenberg

2026-03-31T23:32:07.000Z

I keep a folder in Apple Notes called “cursed websites,” where I save various artefacts that make me feel like the social contract has dissolved. Call it an act of self-loathing. Call it collecting evidence of the fall. Dansugc.com went straight into the folder this morning.

It’s a site where marketers // entrepreneurs (and I find the line between those two groups has become blurred to the point of being illegible) can buy pre-recorded “Reaction” videos for $3 apiece. You browse a library of 2k clips, sorted by emotion (shocked! Happy! Crying! Excitement!), pick a face you find particularly appealing, download a 5-10 second clip of a stranger performing surprise // delight at nothing in particular, and splice it into your own content. The idea is to make it look like an actual someone had an actual emotional response to your app on TikTok. Custom orders run to $8 and let you specify outfits, emotional arcs etc.

The tagline reads: “100% Real Humans. Zero AI.”

And I think that tells you almost everything you need to know about where we are. And where we are is a place where “at least the fake fuckery was produced by a biological organism” counts as a premium feature. The pitch for selling manufactured authenticity at scale is that at least the people in the factory are still real people. That’s the floor. That’s what passes for premium. We are drowning in content that is functionally the same as so many designer handbags stitched up alongside so many dupes.

The internet is the most powerful communication technology in human history, and we’re using it to sell each other $3 clips of faked surprise.

I don’t blame Dan, if that’s even his real name. He’s running a business filling a niche. He’s recognised that the entire internet advertising “ecosystem” now runs on simulated, casual, spontaneous “cool girl” energy. He’s simply the shovel-seller in an authenticity gold rush; except the gold is parasocial trust, and the shovels are clips of various women pretending to have their minds blown by your calorie-counting app.

100, ready to post UGC videos per month costs $800. A fully managed campaign for 500 videos goes for $10k. Dan claims over 5 billion total views generated, and I don’t doubt his numbers at all. But if this stuff doesn’t set off your alarms, even a little, you’ve probably been marinating in it so long you’ve lost the ability to smell it.

What Dan’s business lays bare - if you actually sit with it - is that the internet, as a social and cultural space is almost entirely performance. The whole apparatus has been hollowed into a content mill that grinds human attention into micro-conversions. I’m aware that I’m not the first person to make the complaint that the internet sucks - but every point of suck has now compounded into the final boss of shitty experiences. The algorithmic timelines, the social media homogeneity, the death of truth, the proliferation of monetisation strategies and side hustles etc have all contributed to this moment: a growth hacked, engagement optimised, brand-building logic that has destroyed our ability to distinguish between a person sharing something they give a shit about, and a person executing a “content” strategy.

Open TikTok right now and ~try to find a video that isn’t, at some level, attempting to sell you something - a political identity, a digital product, a lifestyle, a personal brand. It's next to impossible. Every piece of content carries this faint whiff of ~strategy behind it. The girl doing a “Get Ready With Me” video has an affiliate link in her bio, and the asshole ranting about immigration has a Substack he can’t wait to funnel you to. The therapist explaining attachment styles is, naturally, building a course she’ll launch next month, and the couple doing a “day in our van-life” vlog is negotiating a brand deal in their DMs. There is always a funnel, always a CTA, and the output, no matter how “down to earth” it’s designed to feel, is always doubling as a mechanism to convert your attention into revenue.

Jean Baudrillard (read Simulacra and Simulation) identified how modern society replaces reality with the symbols and signs of reality. He mapped the process in four stages: first the image reflects reality, then it masks reality, then it masks the absence of reality, and finally it has no relation to reality whatsoever. A UGC reaction video purchased for $3 and spliced into a TikTok ad is operating at that fourth stage, because the reaction doesn't reference a real reaction, there was never a real reaction, and the whole thing is a sign pointing at nothing, wearing the costume of spontaneity.

You might say who cares, advertising has always been manipulative, and sure, that's true. When Grigory Potemkin allegedly erected fake village facades along the Dnieper River in 1787 to impress Empress Catherine II during her tour of Crimea, he was doing UGC marketing for the Russian Empire (the historical consensus is that the villages were probably real settlements that had been tidied up rather than total fabrications, but the legend stuck because the concept is so useful as shorthand). The instinct to manufacture the appearance of prosperity for the benefit of powerful onlookers is old as dirt. What's different now is the scale and the fact that regular people are doing it to each other all day long, voluntarily, for free or for pennies.

There's a phrase you hear in marketing: "everyone is a creator now." It sounds democratizing, hopeful even, like the whole internet has become a Renaissance workshop where artisans and thinkers reach audiences directly. In practice, everyone is a marketer now. The "creator economy" turned out to be an economy where the thing being created, more and more, is demand for more of yourself. Your aesthetic, your opinions, your morning routine, your trauma, your fitness journey, your face: all raw material for the content machine, all measured against growth metrics that would make a mid-career product manager feel right at home.

The result is an internet that feels, to use a technical term, like shit. Scroll any platform and you're wading through a river of optimized slop, and what makes it depressing is how same-y it all is despite the theoretically infinite diversity of human expression available online.

Political content looks like beauty content and beauty content looks like finance content and finance content looks like fitness content, because they’re all using the same hooks and they’re all built on the same emotional beats. The provocative claim in the first 2 seconds, the false tension, the extreme language, comment if you agree, like and subscribe and so on and on. Don’t forget to share this with someone who ~needs to hear this. Make sure you follow for part 2. The playbook is identical, whether someone’s raving about the best skin serum, or about their least favourite ethnic groups...

AI makes all of this both worse and darkly funny at the same time. AI slop and human slop have now converged to the point that Dan can credibly market “zero AI” as a premium feature, while his customers’ output offers no real elevation from the realm of deepfakes. And as much as Real Humans is a selling point for the internet today, the AI is getting better, too. It can produce damn-near the same hooks, the same engagement-bait captains, the same dead-eyed reaction that a human can churn out today. AI content creators aren’t even poisoning the well; not really. They’re simply drawing from a well we already puked in years ago.

AI slop is human slop with the labor costs removed, and that's why nobody can tell the difference, and that's why Dan has to specify that his product is made by real humans, like a carton of eggs stamped "cage-free."

There's a moment in Don DeLillo's White Noise where a character visits "The Most Photographed Barn in America" and realizes that nobody can actually see the barn anymore because the barn has been completely replaced by the aura of the photographs of the barn. Once you've seen the signs about the barn, he says, it becomes impossible to see the barn. The internet has done this to basically everything. You scroll past enough UGC reaction videos and you can't encounter a real reaction without wondering if it's bought, you read enough performative vulnerability posts and you can't encounter real vulnerability without suspecting it's a hook. The constant presence of the fake thing corrodes your ability to trust the real thing, and the really vicious part is that a lot of the "real things" were fake too, which means the thing you're mourning the loss of may never have existed in the form you remember it.

This is, I suspect, why nostalgia for "the old internet" has become its own genre of content (which is, of course, itself being optimized for engagement, because there's no exit door). People remember a time when someone's blog was their blog and nothing more, when a forum post was written because a person had a thing to say and they said it and moved on. Whether that era was actually as good as we remember is debatable, and I think there's a strong case that we're romanticizing it. Sturgeon's Law applied then too: 90% of everything was crap. But the crap was sincere crap. The crap was some guy with a Blogspot writing 3,000 words about his favorite Star Trek episodes because he liked Star Trek and had opinions about the Borg, with zero intention of building an audience or selling a course called "How I Built a 6-Figure Blog About Star Trek."

Read "CPAC Had the Stage in Texas—but Not Much of a Crowd" - Molly White's activity feed

2026-03-31T22:42:22.000Z

Read:

“CPAC Had the Stage in Texas—but Not Much of a Crowd”.

Steven Monacelli in D Magazine. Published March 31, 2026.

When CPAC chairman Schlapp asked the crowd, “How many of you would like to see impeachment hearings?” they erupted in cheers. “No, that was the wrong answer,” Schlapp said. “Let me try again. How many of you would like to see impeachment hearings?” Some in the crowd cheered again. “No,” Schlapp said, clearly frustrated.

An alternate history of social media - Werd I/O

2026-03-31T21:20:00.000Z

I've been remiss about sharing it here, but I really enjoyed my conversation with Rabble on his excellent Revolution.Social podcast, which published earlier this month. Revolution.Social describes itself as a podcast about the future of social media built on permissionless open protocols. It's hosted by Twitter's first employee, Rabble, a.k.a. Evan Henshaw-Plath.

The list of other guests is an impressive who’s who of thinkers and change agents on the web — Anil Dash, Jay Graber, Cory Doctorow, Renee DiResta, Mike McCue, Mallory Knodel, Rudy Fraser, and more — and I’m honored to be in this company. These are all great conversations.

It’s available on Apple Podcasts, Spotify, YouTube Music, and wherever you get your podcasts. You should go and subscribe.

And if you listen or watch – I'd love to hear what you think.

Read "Prediction markets backlash builds possible stormcloud for 2027" - Molly White's activity feed

2026-03-31T20:14:32.000Z

Read:

“Prediction markets backlash builds possible stormcloud for 2027”.

Jesse Hamilton. Published March 31, 2026.

Odds favor a Democratic rise in Congress next year, when lawmakers who've begun going after firms such as Kalshi and Polymarket may have greater sway.

Published on Citation Needed: "Issue 103 – The President’s Council of Podcasters" - Molly White's activity feed

2026-03-31T17:29:08.000Z

Published an issue of Citation Needed:

Issue 103 – The President’s Council of Podcasters

Coinbase is accused of holding the cryptocurrency industry hostage over stablecoin rewards, prediction markets face an onslaught of opposition, and a Stand With Crypto poll can’t even get enthusiasm from its own activists

How we made Trail of Bits AI-native (so far) - Trail of Bits Blog

2026-03-31T11:00:00.000Z

This post is adapted from a talk I gave at [un]prompted, the AI security practitioner conference. Thanks to Gadi Evron for inviting me to speak. You can watch the recorded presentation below or download the slides.

Most companies hand out ChatGPT licenses and wait for the productivity numbers to move. We built a system instead.

A year ago, about 5% of Trail of Bits was on board with our AI initiative. The other 95% ranged from passively skeptical to actively resistant. Today we have 94 plugins, 201 skills, 84 specialized agents, and on the right engagements, AI-augmented auditors finding 200 bugs a week. This post is the playbook for how we got there. We open sourced most of it, so you can steal it today.

A recent Fortune article reported that a National Bureau of Economic Research study of 6,000 executives across the U.S., U.K., Germany, and Australia found AI had no measurable impact on employment or productivity. Two-thirds of executives said they use AI, but actual usage came out to 1.5 hours per week, and 90% of firms reported zero impact. Economists are calling it the new Solow paradox, referencing the pattern Robert Solow identified in 1987: “you can see the computer age everywhere but in the productivity statistics.”

AI works. Most companies are using it wrong. They give people tools without changing the system. That’s the gap between AI-assisted and AI-native. One is a tool, the other is an operating system.

What AI-native actually means

“AI-native” gets thrown around a lot. The way I think about it, there are three levels:

AI-assisted is where almost everyone starts. You give people access to ChatGPT or Claude. They use it to draft emails, generate boilerplate, summarize documents. It’s a productivity tool. The org doesn’t change. The workflows don’t change. You just do the same things a little faster.

AI-augmented is where you start redesigning workflows. You’re not just using AI as a tool. You’re putting agents in the loop, changing how work actually flows. Maybe the AI does the first pass on a code review and the human does the second. The process itself is different.

AI-native is the structural shift. The org is designed from the ground up assuming AI is a core participant. Not a tool you pick up, but a teammate that’s always there. Your knowledge management, your delivery model, your expertise, all designed to be consumed and amplified by agents.

At Trail of Bits, what this means concretely: our security expertise compounds as code. Every engagement we do, the skills and workflows we build make the next engagement faster. Every engineer operates with an arsenal of specialized agents built from 14 years of audit knowledge. That’s not “we use AI.” That’s “AI is on the team.”

What people are actually resisting

When I first launched this initiative inside Trail of Bits, there was an incredible amount of pushback. Studies of technology adoption consistently show the same thing: the problem is never the software. It’s people’s unwillingness to accept that something else might be better than their intuition. I had to understand four specific psychological barriers before I could design a system that works within them.

Self-enhancing bias. We overestimate our own judgment. Paul Meehl and Robyn Dawes showed that if you take the variables an expert says they use and build even a crude linear model, the model outperforms the expert. Not because it’s smarter, but because it applies the same weights every time. You don’t. You’re hungover some days, distracted others, and you never notice because you take credit for your wins and blame external factors for your misses. This gets worse with seniority. The more expert you are, the more you trust your gut, and the less you believe a machine could do better. As Jonathan Levav frames it: the more unique you feel you are, the more you resist a machine making decisions for you.

Identity threat. In one study, researchers showed people the same kitchen automation device framed two ways: “does the cooking for you” versus “helps you cook better.” People who identified as cooks rejected the first framing and accepted the second, for the same device. There’s a symbolic dimension too: people don’t want robots giving them tattoos (human craft), but they’re fine with a tattoo-removing robot (instrumental, no symbolism). Security auditing is symbolic work. AI that replaces skill feels like an attack on who you are.

Intolerance for imperfection. Dietvorst et al. ran a study where participants watched an algorithm outperform a human forecaster. But after seeing the algorithm make one error, they abandoned it and went back to the human, even though the human was demonstrably worse. We forgive our own mistakes but not the machine’s. Their follow-up found the fix: let people modify the algorithm. Even one adjustable parameter was enough to overcome the aversion.

Opacity. A 2021 study in Nature Human Behaviour found that people’s subjective understanding of human judgment is high and AI judgment is low, but objective understanding of both is near zero. People feel like they understand how a doctor diagnoses. They can’t explain it either. The feeling of not understanding kills the feeling of control.

The remedies that actually worked

We designed the system around the resistance, not against it.

The remedies that actually worked

For self-enhancing bias, we built a maturity matrix. Nobody likes being told they’re at level 1. But that’s the point: you can’t argue you’re already good enough when there’s a visible ladder. It makes the conversation concrete instead of “I don’t think AI is useful.” It also creates social proof. When you see peers at level 2 or 3, the passive majority starts moving.

For identity threat, we never asked anyone to stop being a security expert. We gave them a new way to express that identity. When a senior auditor writes a constant-time-analysis skill, they’re not being replaced. They’re becoming more permanent. Their expertise is encoded and reusable. That’s an identity upgrade, not a threat. The maturity matrix reinforces this: level 3 isn’t “uses AI the most.” It’s “invents new ways, builds tools.” The identity of the expert shifts from “I don’t need AI” to “I’m the one who makes the AI dangerous.”

For intolerance for imperfection, we invested heavily in reducing the ways AI can fail embarrassingly. A curated marketplace means no random plugins with backdoors. Sandboxing means Claude Code can’t accidentally delete your work. Guardrails and footgun reduction mean fewer “AI did something stupid” stories circulating in Slack. If someone’s first AI experience is bad, you’ve lost them for months.

For opacity, we wrote an AI Handbook that made everything concrete: here’s what’s approved, here’s what’s not, here are the exceptions, here’s who to ask. Clear rules restored the feeling of control.

And underlying everything: we made adoption visible and fast. Deferred benefits kill adoption. If setup takes an hour and the first result is mediocre, you’ve confirmed every skeptic’s priors. Copy-pasteable configs, one-command setup, standardized toolchain, all designed so the first experience is fast and good. And the CEO going first matters more than people think. The passive 50% watches what leadership actually does, not what it says.

The operating system model

Here’s the actual system we built. Six parts, each designed to address the barriers I just described:

Barrier	Core problem	What we built
Self-enhancing bias	“I’m already good enough”	Maturity Matrix with visible levels and real consequences
Identity threat	“AI is replacing who I am”	Skills repos + hackathons that reward building, not just using
Intolerance for imperfection	One bad experience = months lost	Curated marketplace, sandboxing, guardrails
Opacity / trust	“I don’t understand how it decides”	AI Handbook that explains the risk model, not just the rules

Pick a standard toolchain so you can support it
Write the rules so risk conversations stop being ad hoc
Create a capability ladder so improvement is expected, measurable, and rewarded
Run tight adoption sprints so the org keeps pace with releases
Package the learnings into reusable artifacts (repos, configs, sandboxes) so the system compounds
Make autonomy safe with sandboxing, guardrails, and hardened defaults

This isn’t a strategy deck we wrote and handed to someone. We built every piece ourselves, open sourced most of it, and iterated on it in production with a 140-person company doing real client work.

Standardize on tools

Step one was boring but critical: we standardized. We got everyone on Claude Code, and we treat it like any other enterprise tool: supported configs, known-good defaults, and a clear path to “this is how we do it here.”

If you skip this step, you can’t build anything else. You end up with 40 different workflows and zero leverage.

Write the rules

We wrote an AI Handbook. Not to teach people how to prompt. It’s there to remove ambiguity.

The key part is the usage policy: what tools are approved, what isn’t, especially for sensitive data. Cursor can’t be used on client code (except blockchain engagements; use Claude Code or Continue.dev instead). Meeting recorders are disallowed for client meetings conducted under legal privilege. Now, when a client asks what we’re using on their codebase, everyone gives the same answer.

The handbook doesn’t just list what’s approved. It explains the risk model behind each decision, so people understand why. That’s what addresses the opacity barrier: not “just trust this,” but “here’s our reasoning.” Once you have policy, you can safely push harder on adoption.

Make it measurable

We built an AI Maturity Matrix that makes AI usage a first-class professional capability, like “can you use Git” or “can you write tests.”

Trail of Bits AI Maturity Matrix, as of March 2026

It’s not a vibe. It’s a ladder: clear levels, clear expectations, a clear path up, and real consequences for staying stuck. What level 3 looks like depends on your role. An engineer at level 3 builds agent systems that ship PRs and close issues autonomously. A sales rep at level 3 has agents producing pipeline reports and QBR prep without hand-holding. An auditor at level 3 runs agents that execute full analysis passes and produce findings, triage, and report drafts.

This is how you avoid two failure modes: leadership wishing adoption into existence, and the org splitting into “AI people” and everyone else.

Create an adoption engine

We run hackathons as a management system: short, focused sprints of 2-3 days with one objective. They’re how we keep pace when the ecosystem changes every week.

Claude Code Hackathon v2: Autonomous Agents

One recent example: “Claude Code Hackathon v2: Autonomous Agents.” The two lines that mattered were:

Objective: Ship the most impactful changes across our AI toolchain and public repos
Twist: Engineers must work in bypass permissions mode (fully autonomous agent, not approve-every-action)

That twist is intentional. It forces everyone to learn the real constraints: sandboxing, guardrails, and how to structure work so agents can succeed.

A few design choices matter here: we focus on public repos so we can move fast and show real outcomes. We measure success by activity (issues filed/fixed, PRs reviewed/merged), not lines of code. Everyone works in pairs, and every change gets reviewed by a buddy. Even the “move fast” sprint has quality control built in.

Capture the work as reusable artifacts

Hackathons create motion. But motion doesn’t compound unless you capture it.

The most important artifact is a skills repo. Skills are reusable, structured workflows, ideally with examples, constraints, and a way to verify output. We maintain an internal skills repo for company-specific workflows and an external skills repo so the broader community can validate and improve what we’re doing.

We also created a curated marketplace, a “known good” place for third-party skills. Once you tell people “go use skills and plugins,” they’ll install random stuff. This is basic enterprise thinking applied to agent tooling: if you want adoption, you need a safe supply chain.

We made defaults copy-pasteable. We built a repo that centralizes recommended Claude Code configuration so onboarding isn’t tribal knowledge. This is where we put known-good settings, recommended patterns for personal ~/.claude/CLAUDE.md, and anything we want to standardize.

We made sandboxing the default. If you want autonomous agents, you need sandboxing. We give people multiple safe lanes: a devcontainer option, native macOS sandboxing, and Dropkit. The point isn’t that everyone uses the same sandbox. The point is everyone has a safe sandbox, and it’s easy to adopt.

We reduced footguns. We hardened defaults through MDM. For example, we rolled out more secure package manager defaults via Jamf, including mandatory package cooldown policies. The easiest way to reduce risk is to make the default path the safe path.

Finally, we connected agents to real tools. Once you have policy, guardrails, sandboxes, and skills, you can connect agents to real tools. One example we’ve published is an MCP server for Slither. Even if you don’t care about Slither specifically, the point is: MCP turns your internal tools into something agents can use reliably, and your org can govern.

Results so far

Let me give you some numbers on what this system actually produced.

The numbers that got the room's attention at [un]prompted

Tooling scale: Across our internal and public skills repos, we have 94 plugins containing 201 skills, 84 specialized agents, 29 commands, 125 scripts, and over 414 reference files encoding domain expertise. That’s the compounding effect: every engagement, every auditor, every experiment adds to the arsenal.

The breadth matters. We have skills for writing sales proposals, tracking project hours, onboarding new hires, prepping conference blog posts, and delivering government contract reports. The internal repo has 20+ plugins targeting specific vulnerability classes: ERC-4337, merkle trees, precision loss, slippage, state machines, CUDA/Rust review, integer arithmetic in Go. Each one packages expertise that used to live in someone’s head into something any auditor can invoke.

Delivery impact: For certain clients where the codebase and scope allow it, we went from finding about 15 bugs a week to 200. An auditor runs a fleet of specialized agents doing targeted analysis across an entire codebase in parallel, then validates the results.

About 20% of all bugs we report to clients are now initially discovered by AI in some form. They go into real client reports. An auditor validates every one, but the AI is surfacing things humans would have missed or wouldn’t have had time to look for.

Business impact: Our sales team averages $8M in revenue per rep against a consulting industry benchmark of $2-4M. The sales team uses the same skills repos for proposal drafting, competitive positioning, conference prep, and lead enrichment. Same system, same compounding effect.

And this is maybe a year into building the system seriously. The models are getting better every month. The skills repo grows every week.

Open questions

Here’s what we’re actively working on and don’t have great answers for yet.

Private inference. We want local models for cost and confidentiality, but open models aren’t good enough yet. There’s still a significant gap versus the best closed models on coding benchmarks. We’re evaluating on-prem inference servers to run 230B+ models at full precision. Key insight: speed drives adoption more than capability. Nobody uses a slow model, even if it’s smart. In the meantime, private inference providers like Tinfoil.sh (confidential computing on NVIDIA GPUs, cryptographically verifiable) are getting compelling.

Prompt injection and client code protection. This is an existential question for using AI on client code. The data the agent works on is inherently accessible to it. Today we use blunt instruments: sensitive clients mean no web access. Longer term, we’re looking at agent-native shells like nono and agentsh that enforce policy at the kernel level.

Policy enforcement and continuous learning. We push settings via MDM, but we’re not yet pulling signal back. The goal is to turn the whole company into a feedback loop that improves the operating system weekly. One possible long-term architecture: a master MCP server between agents and internal resources, enforcing policy server-side. We’re not there yet.

The future of consulting. This is the one that keeps me up at night. The consulting business model assumes you’re billing for time, and that time roughly correlates with expertise. But when some people can outperform others by orders of magnitude with the right agent setup, that correlation breaks. The question shifts from “how many hours did the auditor spend” to “did the auditor know where to point the agents and which findings are real.”

We don’t have the answer yet. But the nature of how Trail of Bits offers services will probably change in the next 6 to 12 months. Audit scoping, pricing, deliverables, all of it is on the table. The firms that figure this out first will have a structural advantage, and the ones that keep billing by the hour will watch their margins compress as their competitors ship more in less time. We’re not waiting to find out which side we’re on.

The replicable recipe

If you want to copy this, copy the system, not the specific tools:

Standardize on one agent workflow you can support
Write an AI Handbook so risk decisions aren’t ad hoc
Create a capability ladder so improvement is expected
Run short adoption sprints that force hands-on usage
Capture everything as reusable artifacts: skills + configs + curated supply chain
Make autonomy safe with sandboxing + guardrails + hardened defaults

That’s what we’ve done so far, and it’s already changed how fast we can ship and how quickly we can adapt.

Resources

All of our tooling is open source:

trailofbits/skills - Our public skills repository
trailofbits/skills-curated - Curated third-party skills marketplace
trailofbits/claude-code-config - Recommended Claude Code configurations
trailofbits/claude-code-devcontainer - Devcontainer for sandboxed development
trailofbits/dropkit - macOS sandboxing for agents
trailofbits/slither-mcp - MCP server for Slither

We’re hiring! We’re looking for an AI Systems Engineer to work directly with me on accelerating everything in this post, and a Head of Application Security to lead a team of about 15 exceptionally overperforming consultants. Check out trailofbits.com/careers.

Bic Runga At Te Paepae Theatre - The Weblog of fLaMEd

2026-03-31T06:34:28.000Z

What’s going on, Internet? Friday night my wife and I enjoyed a couple hours out in the evening to catch Bic Runga perform the second show on her Red Sunset tour at the recently opened Te Paepae Theatre.

We got into town 30 minutes before doors opened, but rather than stress about catching the warm up act we grabbed dinner at an old favourite, Depot.

We enjoyed clams, snapper slides, skirt steak and potato skins. Comforting knowing this is the same food we’d get here when we last visited a decade ago.

We arrived at Te Paepae around 8 pm, headed up stairs and found our seats. The warm up band which turned out to be Bic’s husband’s band were just finishing up. We had to double check, but yes that was Bic on the drums.

After a short 15-20 minute interval the show was back on with Bic taking the mic, and her husband returning the favour on drums.

Bic wove in old favourites among new songs from the latest album Red Sunset. Red Sunset is her first album in 15 years (if we don’t include 2016’s cover album). I hadn’t managed to listen to Red Sunset yet, so the new songs were a first listen live. Pretty sure she opened with Drive. The new songs sounded great and I can’t wait to dive into the album on an upcoming roadtrip. As the show drew to an end Bic let us know that the show was wrapping up and rather than piss around with leaving the stage and coming back for the encore she got straight into her biggest and favourite track, Sway. What a tune to end the show with.

After the show Bic headed straight to the merch tent and was signing vinyls and CDs and posing for selfies with fans. I grabbed a copy of her 1997 album Drive and got it signed by her. The vinyl itself wasn’t anything special. A single cardboard sleeve with a standard black vinyl. Sony obviously didn’t put a lot of effort into the production of this classic kiwi album.

Drive will always be a favourite of mine, it is one of my earliest memories of really getting into kiwi music. During third form (Year 9) for a music class project we had to find a local artist to do a report on, I wasn’t clued up on local music back then like I am now. Dad shared a newspaper or magazine article on this new album from a 17 year old, Bic Runga. And that I would say was my awakening to local music. It wasn’t too long until the third labour government under Helen Clark would invest heavily into the arts and we’d all be exposed to kiwi music for a solid few years.

Leaving the venue with my wife and the signed copy of Drive in my hand was a nice way to wrap up the evening and a good reminder of why I love kiwi music.

Laters 🤙

Hey, thanks for reading this post in your feed reader! Want to chat? Reply by email or add me on XMPP, or send a webmention. Check out the posts archive on the website.

22.00.0192 March's YouTube roundup - Johnny.Decimal

2026-03-31T02:34:08.000Z

March's YouTube roundup

Here's your monthly round-up.

Make your LLM more efficient with Johnny.Decimal

2026-03-04

https://youtu.be/h5TUFFQEJgw

Attention to detail gets you hired

2026-03-07

https://youtu.be/J2Sm9oIfj9A

Johnny.Decimal wasn't designed to organise everything

2026-03-11

https://youtu.be/DaK99lMlHH4

Meetings – at least they're not email

2026-03-14

https://youtu.be/EybKGE_TM_k

I use the structure like a big checklist

2026-03-18

https://youtu.be/2jSjo-94cCU

Fly around your system with these terminal tricks

2026-03-21

https://youtu.be/SM2TlZMOIYo

An easy way to save 20 minutes a day

2026-03-30

https://youtu.be/dEv7EYeX1Po

Decimal ozhoom from the forum sent me this AppleScript that you can hack to automate this process. Change the paths at the top.

# enter the folder location in quotes:
set path1 to "Users:john:xxxxxxxxxxxx" as alias
set path2 to "Users:john:P68 Personal Life" as alias
set path3 to "Users:john:xxxxxxxxxxxxx" as alias
set path4 to "Users:john:Downloads" as alias

tell application "Finder"
	open path1
end tell

tell application "System Events" to perform action "AXPress" of menu item "New Tab" of menu "File" of menu bar item "File" of menu bar 1 of application process "Finder"
tell application "Finder"
	activate
	set target of front window to path2
end tell

tell application "System Events" to perform action "AXPress" of menu item "New Tab" of menu "File" of menu bar item "File" of menu bar 1 of application process "Finder"
tell application "Finder"
	activate
	set target of front window to path3
end tell

tell application "System Events" to perform action "AXPress" of menu item "New Tab" of menu "File" of menu bar item "File" of menu bar 1 of application process "Finder"
tell application "Finder"
	activate
	set target of front window to path4
end tell

The World's First Bullshit - Westenberg

2026-03-31T00:20:34.000Z

I opened Twitter this morning and three different startups were announcing "the world's first" something. An AI CMO, an autonomous AI marketer, and a design agent "with taste," which is a phrase that made me close my laptop for about ten minutes.

None of them are the world's first anything. I'd bet money there are 40 AI marketing tools already shipping, maybe more, and the category lines are so blurry that "first" really comes down to how specific you're willing to get with your label. I could build an AI that writes haikus about SaaS pricing pages. I could call it the world's first AI SaaS Pricing Haiku Engine. Nobody could argue, because nobody else would have tried. That's what "first" means now. You've found an unclaimed sliver of territory so narrow that being the only person there is trivially easy.

But OK, forget that the claims are fake. What bothers me more is that "world's first" is the wrong thing to want in the first place. It's the wrong trophy entirely.

Thomas Newcomen bolted together the first commercially successful steam engine in 1712 and the thing was, by every measure, awful. Maybe 1% thermal efficiency. It ate coal like a bonfire eats kindling and it leaked through every cycle. James Watt showed up 57 years later, added a separate condenser, and built a version you could run a factory with. Newcomen got a Wikipedia footnote. Watt got a unit of measurement named after him. Google wasn't the first search engine. Facebook wasn't the first social network (Friendster was, and if you remember Friendster, congratulations, you're old). The iPhone showed up years after the Blackberry and the Palm Treo. Who ended up mattering? The ones people actually liked. Every single first mover on that list became a piece of bar trivia.

Founders keep doing this, I think, for two overlapping reasons and one of them is almost sympathetic. Silicon Valley has a mythology, basically a religion at this point, where the inventor is the saint and the timestamp is the sacred relic. The Xerox PARC researchers who built the graphical user interface were visionaries; Steve Jobs was the guy who walked through their lab, took notes, and shipped something your mom could buy at a mall. The mythology says PARC mattered more. In practice, Jobs built the product, and products are what people use.

But I think the bigger driver is more cynical than that, and it has to do with Twitter specifically. "World's first" is a cheat code for the algorithm. You can't verify it while you're scrolling, it sounds historic, and it carries a weight that "we also built an AI marketing tool, we think ours is pretty good" never will. The most extreme claim gets the most retweets, and retweets are what your investors see before they decide whether to write a check. I get why people do it. I'd probably be tempted too.

The problem is who it attracts. Novelty-chasers. People who'll try your product once, talk about it at a dinner party, and never open it again. The people who actually make a product successful long-term are the ones who care that your thing works well, and those people could not care less whether you were first or forty-first.

The second version of something is almost always better than the first, because the second version watched the first one break. Every good product is a correction of somebody else's bad product. That's how engineering works in practice: you watch someone else's bridge come down and you build yours with thicker cables.

What would it look like if founders were honest about this? "We looked at the 14 AI marketing tools that already exist and we think we've solved the 3 problems they all share." A less exciting tweet. But it's certainly more useful. It tells potential customers that you've done your homework and you're competing on substance rather than on who filed their launch post on Tuesday instead of Wednesday. Most founders would rather sound historic than sound competent, and their customers can tell.

The AI startup space right now feels like the early days of a gold rush, when the most important thing is to stake your claim loudly before anyone else reaches the same patch of dirt. But gold rushes end.

The people who built lasting wealth in the California Gold Rush were largely the ones selling picks and denim jeans to miners, the ones who understood that being best at serving a need that wasn't going away beat being first to a plot of land every time.

Levi Strauss arrived in San Francisco in 1853, 3 years after California became a state, and he wasn't first to anything, but he's still around.

Every founder tweeting "world's first" today should ask one question about their product: would anyone still care about this if 10 other people had built the same thing? If yes, you might have something, and if no, if the only interesting thing about the product is the claim of novelty, what you're looking at is marketing copy where the product should be.

You can announce "world's first" on launch day, before anyone has used your product, before anyone has even seen a demo. You can never announce "world's best." Other people have to say that about you, and they'll only say it if you've given them a reason to.