Shellsharks Blogroll - BlogFlock
2026-02-20T11:03:30.123Z
BlogFlock
Aaron Parecki, Evan Boehs, Werd I/O, Robb Knight, destructured, Westenberg, Molly White, fLaMEd, Trail of Bits Blog, James' Coffee Blog, gynvael.coldwind//vx.log (pl), joelchrono, Posts feed, Kev Quirk, cool-as-heck, Adepts of 0xCC, Sophie Koonin, cmdr-nova@internet:~$, <span>Songs</span> on the Security of Networks, Johnny.Decimal, Hey, it's Jason!, Terence Eden’s Blog
Notable links: February 20, 2026 - Werd I/O
6997df47fa275400019401ea
2026-02-20T10:00:38.000Z
<img src="https://images.unsplash.com/photo-1642952469120-eed4b65104be?crop=entropy&cs=tinysrgb&fit=max&fm=jpg&ixid=M3wxMTc3M3wwfDF8c2VhcmNofDJ8fGFsZ29yaXRobXxlbnwwfHx8fDE3NzE1NjE1MTZ8MA&ixlib=rb-4.1.0&q=80&w=2000" alt="Notable links: February 20, 2026"><p><em>Most Fridays, I share a handful of pieces that caught my eye at the intersection of technology, media, and society.</em></p><p><em>This week: the trouble with innovation and revenue in news, and some of the societal forces (political manipulation, exploitation) that mean figuring those things out is vital.</em></p><p><em>Did I miss something important? </em><a href="mailto:ben@werd.io" rel="noreferrer"><em>Send me an email</em></a><em> to let me know.</em></p><hr><h3 id="journalism-lost-its-culture-of-sharing"><a href="https://source.opennews.org/articles/journalism-lost-sharing-culture/?ref=werd.io" rel="noreferrer">Journalism lost its culture of sharing</a></h3><p>I agree, strongly, with this piece about (re)building an open source culture in news by <a href="https://bsky.app/profile/kleinmatic.bsky.social?ref=werd.io">Scott Klein</a> and <a href="https://palewi.re/who-is-ben-welsh/?ref=werd.io">Ben Welsh</a>. 
But then, I would: I spent over a decade working to build open source communities, and then another decade and change working alongside and then inside newsrooms.</p><p>So it’s to my chagrin that the newsroom where I currently serve as Senior Director of Technology is one of the places listed here where open source contributions have significantly dropped off:</p><blockquote>“At ProPublica, teams published detailed white papers alongside major investigations, explaining their quantitative methodologies with scientific rigor, allowing other researchers to verify and learn from their work. Major news organizations ran active blogs where they shared techniques and lessons learned. Conference presentations at NICAR and elsewhere became venues for passing along hard-won knowledge.”</blockquote><p>The effect of this work didn’t just lift the work of journalism, it attracted new people to it:</p><blockquote>“This culture made newsrooms more attractive places to work for civic-minded technologists. If you had programming skills and wanted to use them to make a difference, journalism offered you the chance to build things that mattered and share them with the world.”</blockquote><p>I think there’s a lot to be gained by collaborating on an open source basis. We typically run small, resource-constrained teams where building new software is contextually hard. And we have problems that, if they’re not identical, are at least significantly overlapping; by <em>not</em> collaborating on them, we further an ecosystem where low-resource organizations are all solving the same sorts of things with very few people and very little money in parallel.</p><p>I was present at the News Product Alliance Summit session described in this piece, and I think the analysis of both the causes of this decline and some of the solutions are spot on. I was particularly enamored by the idea of an Open Source Editor (or director — does everything in news need to be an editor?) 
and public recognition for great open technical work in the field of journalism.</p><p>I think it’s also worth saying that open source, done well, is about much more than just releasing your code. A good open source project is a community, not a package. So there’s a lot of ecosystem development and community management involved to foster the kind of real collaboration that is required for this to succeed — even after newsrooms have overcome the institutional hurdles to releasing their work in the first place.</p><p>I’m really grateful that Scott and Ben have been championing this cause. I’m right there with them, and I’ll do what I can to help. It’s a concrete way we can build a more successful, efficient news ecosystem with stronger technology capabilities, and that’s something we should all want.</p><hr><h3 id="stop-calling-optimization-innovation"><a href="https://www.backstoryandstrategy.com/p/the-nimble-and-aggressive-lie?publication_id=5020273&post_id=188452724&isFreemail=true&r=5xqp&triedRedirect=true&ref=werd.io" rel="noreferrer">Stop calling optimization "innovation."</a></h3><p>I appreciate this distillation of the twin needs of optimizing the Engine — getting as much value as you can out of your existing business model — and the Explorer, which is all about actual innovation that seeks out <em>new</em> products, markets, and models.</p><blockquote>“If your staff meetings are all about how to hit next month’s KPIs, you don’t have an Explorer. You have a very well-oiled engine. True resilience means insulating your Explorer team from the Engine. It means giving a team room to spend 6 months on a project that could totally flop without punishing them if it does.”</blockquote><p>I think this is clearly true. At the same time, I think it’s very optimistic about where many organizations actually are: they very often don’t have those goals or KPIs to hit. The result is a kind of vibes-based strategy. 
Because nothing is measured, or the right things aren’t measured, it’s impossible to run an informed experiment.</p><p>In those organizations, what feels like innovation is just getting to baseline competence. Before they can optimize, they need to define a concrete strategy, with attendant metrics that you can measure as the basis for performing experiments. Buying a neat new product can be a way to absolve the team from doing the hard work of strategy-building: “look,” they can tell their boards, “we’re innovative!”</p><p>Creating a concrete strategy and deploying technology that can help serve it are vital. But they, in themselves, aren’t innovation: creating a real culture of innovative experimentation where you can try new things and fail fast is how you de-risk your business for the future. That means understanding your readers incredibly well, so you can anchor your experiments around their needs; it means giving your team the permission to fail; it means creating cross-functional teams who can be radically collaborative and draw conclusions from their experiments quickly; and it means being clear-eyed about where your business actually stands.</p><hr><h3 id="the-political-effects-of-x%E2%80%99s-feed-algorithm"><a href="https://www.nature.com/articles/s41586-026-10098-2?ref=werd.io" rel="noreferrer">The political effects of X’s feed algorithm</a></h3><p>Users who moved from a reverse-chronological social media algorithm to X’s:</p><blockquote>“[…] were 4.7 percentage points more likely to prioritize policy issues considered important by Republicans, such as inflation, immigration and crime. 
They were also 5.5 percentage points more likely to believe that the investigations into Trump are unacceptable, describing them as contrary to the rule of law, undermining democracy, an attempt to stop the campaign and an attack on people like themselves.”</blockquote><p>And even more surprisingly, once the algorithm was switched <em>off</em>, their views did not change again. The effect of the algorithm lingered, in part because it led users to follow more conservative influencers.</p><p>We intuitively knew that the algorithm mattered, but this is a key finding that puts numbers to it. If that number seems small to you, consider that 4.7% is more than enough to swing an election. It’s also interesting that findings for other algorithms were different; if this result holds up, it suggests that X’s algorithm may be particularly predisposed for political manipulation, even above Facebook and Instagram.</p><p>This should be a wakeup call for politically-engaged funders and anyone who cares about civil society. It’s not that we need to have less conservative algorithms; it’s that whoever controls the algorithms has a disproportionate say over the electorate’s view of the world.</p><p>We need more funding into open protocols that decentralize algorithmic ownership; open platforms that give users a choice of algorithm and platform provider; and algorithmic transparency across our information ecosystem.</p><hr><h3 id="palantir-vs-the-republik-us-analytics-firm-takes-magazine-to-court"><a href="https://www.heise.de/en/news/Palantir-vs-the-Republik-US-analytics-firm-takes-magazine-to-court-11176508.html?ref=werd.io" rel="noreferrer">Palantir vs. 
the "Republik": US analytics firm takes magazine to court</a></h3><p>A series of articles by Switzerland’s <em>Republik</em> magazine highlighted Palantir's rejection by Swiss authorities as a potential security risk: it appears to have determined that there weren’t sufficient protections against Swiss data falling into American hands. This reporting, in turn, led <a href="https://www.theguardian.com/technology/2025/dec/22/mps-question-uk-palantir-contracts-security-concerns-investigation?ref=werd.io">other governments to question use of the firm for the same reason</a>. Now Palantir is taking them to court to force them to make a “counterstatement” that would correct the record.</p><p>Of course, this has brought more international attention to <em>Republik</em>’s stories than they would otherwise have received:</p><blockquote>“With the step to court, Palantir has generated more attention for the "Republik" reporting than the objected articles themselves could have caused – 23 years after Barbra Streisand triggered the effect named after her. And yet, there are reasons why Palantir is acting this way.”</blockquote><p>A Swiss counterstatement doesn’t actually hinge on the correctness of the original statement: it’s apparently sufficient for another version of events to be possible. So this is more of a way for Palantir to get its own PR line out than it is to sue <em>Republik</em> for inaccurate reporting.</p><p>That’s important because Palantir is trying to make headway into European markets and finding it tougher than they’d like. 
Understandably, there’s a lot of resistance to the firm that provides surveillance powers to the likes of ICE, and whose CEO <a href="https://fortune.com/2025/11/04/palantir-ceo-anti-woke-investment-trump-government-technology-ai-worker-rich/?ref=werd.io">has justified “anti-woke” strategies that bolster an increasingly authoritarian regime</a> over the last few years.</p><hr><h3 id="in-graphic-detail-subscriptions-are-rising-at-big-news-publishers-%E2%80%93-even-as-traffic-shrinks"><a href="https://digiday.com/media/in-graphic-detail-subscriptions-are-rising-at-big-news-publishers-even-as-traffic-shrinks/?ref=werd.io" rel="noreferrer">In Graphic Detail: Subscriptions are rising at big news publishers – even as traffic shrinks</a></h3><p>This is exactly why micropayments — a model akin to Spotify’s streaming payments where each pageview receives a share from a reader’s monthly budget for all articles — are not the right solution for news.</p><blockquote>“For a bunch, including The New York Times and The Wall Street Journal, growth isn’t just continuing, it’s speeding up, and likewise so is The Guardian’s paid reader contribution model. Meanwhile, Bloomberg’s subscription business shows signs of normalization after a 2024 spike, and Daily Mail is still ramping up its relatively new subscription business, which launched in 2024 in the U.K. and expanded to the U.S. and Canada in February 2025.”</blockquote><p>In news, value is not necessarily tethered to popular traffic. There’s a specific demographic (typically older, wealthier, and more highly educated – see the next link) that is more likely to pay for it, and there’s a lot to be gained by news organizations if they optimize for gaining that audience. 
The news organizations that have doubled down on paywalls, and things like them, are often doing better than the ones that aren’t.</p><p>That can be a tough pill to swallow for the folks — like me — who believe that news should be available to all for the good of democracy. Of course, other models are available: specifically, non-profit newsrooms that operate with a philanthropic model. Like other public goods like Wikipedia and the Internet Archive, it turns out that a specific set of wealthier individuals and foundations are willing to pay to ensure that a resource can be made available for everyone.</p><p>Unlike paywalls, though, that tends to put newsrooms at the mercy of large foundations and high net worth individuals. Non-profit newsrooms have done a good job of trying to prevent funding coming with strings that might affect their decision-making (The 19th’s <a href="https://19thnews.org/endowment/?ref=werd.io">endowment campaign</a> is particularly inspiring), but it inevitably must still happen. Paywalls force the issue by ensuring every reader pays, distributing the load: they democratize funding even while restricting access. On the other hand, that makes the newsroom more subject to market forces.</p><p>But none of this is about traffic. If you tether your payment model to the number of public pageviews you receive, you incentivize your newsroom to create clickbait. 
You’re ensuring that you have to compete for views for every single article, instead of building a direct relationship with a recurring member who is buying your product because they think it’s worth it overall.</p><hr><h3 id="most-americans-don%E2%80%99t-pay-for-news-and-don%E2%80%99t-think-they-need-to"><a href="https://www.niemanlab.org/2026/02/most-americans-dont-pay-for-news-and-dont-think-they-need-to/?ref=werd.io" rel="noreferrer">Most Americans don’t pay for news and don’t think they need to</a></h3><p>Only 8% of participants in <a href="https://www.pewresearch.org/journalism/2026/02/11/americans-complicated-relationship-with-news/?ref=werd.io">a new Pew survey</a> say that individual Americans have a responsibility to pay for news.</p><p>Some of the quotes here made me pause:</p><blockquote>“I don’t pay to go to church, to get a spiritual message, you know? And if you’re true, and your mission is to relay facts that are fundamentally important for people’s well-being, do I need to pay you for that?”</blockquote><p>It’s hard to know how to even begin to answer that: the comparison chafes for me, but it amounts to putting both church and news into a “public good” bucket. That people see news in that way is probably good. Providing it for free is hard, but you can see how they got there. A newspaper is a physical object that you can imagine handing over dollars for; digital news feels like it’s in the ether. It perhaps points to a philanthropic model as the best fit. So depending on wealthy donors and foundations to allow everyone to have free access to it makes some sense.</p><p>This also puts paid (so to speak) to micropayments solutions, which I’m generally skeptical of anyway. If nobody sees the need to pay for news, convincing them to fund a wallet feels like an uphill battle.</p><p>Meanwhile, the people most likely to pay directly for news are older, wealthier, liberal Democrats. 
Again, not a surprise, but useful to have it laid out like this; many newsrooms I’ve spoken to are trying to figure out how to move away from a base of older, wealthier, left-leaning people, and, well, it’s not just them. Maybe it’s worth leaning into that for funding and concentrating on finding a broader audience for the news itself.</p><hr><h3 id="everyone-is-stealing-tv"><a href="https://www.theverge.com/streaming/873416/piracy-streaming-boxes?ref=werd.io" rel="noreferrer">Everyone is stealing TV</a></h3><p>It makes sense that people don't want to be limited by regional geoblocks to get their content – but I don’t think these devices should be trusted.</p><blockquote>“It’s called the SuperBox, and it’s being demoed by Jason, who also has homemade banana bread, okra, and canned goods for sale. “People are sick and tired of giving Dish Network $200 a month for trash service,” Jason says. His pitch to rural would-be cord-cutters: Buy a SuperBox for $300 to $400 instead, and you’ll never have to shell out money for cable or streaming subscriptions again.”</blockquote><p>From a user perspective, I see the appeal: I certainly have subscription fatigue. Beyond that, geoblocks are intensely irritating to me; I’d give anything to be able to watch the UK’s <em>Channel 4 News</em>, or <em>Doctor Who</em> spinoff <em>The War Between the Land and the Sea</em>, which are both unavailable to me unless I want to dive into VPNs and breaking terms of service. A box that gives me what I want to watch, no questions asked, seems too good to be true.</p><p>It’s not fully clear who is manufacturing these devices, what’s on them, or who runs the services that allow people to access all this television without paying for it. We already know that some streaming boxes have been fronts for residential botnets that have been used for illicit activities that run the gamut from avoiding scraper detection to real organized crime. 
If I wanted to run malware inside the networks of thousands of homes and businesses, this wouldn’t be a bad way to go about it.</p><p>Which is a shame, because the allure is real. I’d pay for all that unavailable television. Just, please, let me.</p><hr><h3 id="hiring-in-an-era-of-fake-candidates-real-scams-and-ai-slop"><a href="https://themarkup.org/hello-world/2026/01/24/fake-candidates-recruiter-scams-ai-slop?ref=werd.io" rel="noreferrer">Hiring in an era of fake candidates, real scams and AI slop</a></h3><p><a href="https://losowsky.com/?ref=werd.io">Andrew Losowsky</a> discusses the impact of AI on his hiring process:</p><blockquote>“Within 12 hours of posting the role, we received more than 400 applications. At first, most of these candidates seemed to be genuine. However, as the person who had to read them all, I quickly saw some red flags, which were all clear indicators of inauthenticity.”</blockquote><p>These jibe with what I’ve seen lately too. I’ve had the privilege of hiring for a few technical roles over the last year, and every single time, <em>almost</em> everything Andrew mentions has come up.</p><p>The good news, as he points out, is that right now there are some really strong tells. One of the most important parts of any application I run is the “why are you excited about this job?” question, which is really a question about mission fit. The AI-generated answers are extremely generic, heavily reference the job description itself, and start looking very samey in a sample size of hundreds.</p><p>Here’s the thing I <em>don’t</em> believe I’ve encountered before:</p><blockquote>“Someone made a fake email address similar to ours, then sent generic technical “tests” containing our logo to jobseekers, while linking to our job ad. 
Completing these tests led to a fake contract signed by someone claiming to be our CEO – it was at this point that the scammers requested financial information, saying they needed it to issue payments.”</blockquote><p>The thing is, without someone telling me about it, how would I know? This is where we need stronger tools – the anti-spam protections of yore don’t work very well against AI-powered scams. Centralized repositories of scammers and stronger anti-spam filters <em>may</em> work, but I suspect we’re going to need to find other approaches. Impersonating to make some quick money is one thing (and bad enough), but when you consider that for both Andrew and me we’re talking about impersonating newsrooms, this could get very bad very quickly.</p>
Kids and Smartphones - Kev Quirk
https://kevquirk.com/kids-and-smartphones
2026-02-19T17:58:00.000Z
<p>My oldest son is 11. He'll be starting high school in September, and my wife and I want a way of keeping in touch with him as he'll be making his own way to school. The default here would be to get him a phone, but like most 11-year-old boys, he's an idiot and we don't trust him with one.</p>
<p>So, as a test we've lent him an old phone of mine to see if he can be trusted with one under some limitations:</p>
<ol>
<li>The phone <em>never</em> leaves the kitchen.</li>
<li>He only gets an hour of screen time a day between 09:00 and 19:00.</li>
<li>Mum and I can vet <em>everything</em> he's been doing on it.</li>
</ol>
<p>And it turns out, dear reader, that rule #1 was the most important rule we could have set. He's the last of his friendship group to get a phone, so they all have WhatsApp groups with one another.</p>
<p>The problem is those other kids are <em>never</em> off their phones, and my son having these kinds of rules in place makes him weird.</p>
<p>But I don't care.</p>
<p>He regularly has missed calls on his phone <strong>from midnight</strong> from his classmates. These aren't just calls to him either. They're group calls to the entire class.</p>
<p>Like, what the fuck are these parents doing letting their kids have phones in their bedrooms <em>and</em> giving them free rein? It beggars belief and confirms every concern I had about giving him a phone.</p>
<p>Lucky for us he's generally a good little sausage, and so far there's been no need for us to take his phone, reprimand him, or correct his behaviour, which I'm very proud of.</p>
<p>I just hope it sticks. It's only been a week...</p>
A perfect day - James' Coffee Blog
https://jamesg.blog/2026/02/19/a-perfect-day/
2026-02-19T17:42:39.000Z
<p><a href="https://dead.garden"><em>Jo</em></a><em> and I are trading blog post titles. The title Jo chose for me is “A perfect day.”</em></p><p><em>What would my perfect day look like?</em> Reflecting on this question, I started to think about the days that have brought me the most joy in the past. I realised that the days that stick out in my memory as being really good were all unique. I had <em>so much fun</em> at the Eras tour. I have loved my days spent in art galleries (and the memories of wishing for just one more hour).</p><p>This made me think about how I'm not sure there could ever be a perfect day. No day could fit all the things I love in, nor would this be desirable. All my days fuel all my other days: my days in galleries fuel one part of me, my days talking about technology fuel another part.</p><p>With that said, I want to try and write something about what a perfect day would look like.</p><p>I first need to share a little bit about how I like to move through the days. I like to plan a few things that I want to do in a day, but I don’t tie myself to the plan. My plan may be as simple as <em>I need to write that essay today</em> or, especially in the case when I am on holiday, a list of things I want to do. I like to have breathing room in a day to make room for the unexpected: the things I couldn’t have planned for but that transform the day.</p><p>My perfect day would begin with breakfast. Breakfast is the most important meal of the day. If I could choose an ideal breakfast, it would be waffles and diner coffee at a diner. I’d love to have a conversation with someone sitting nearby; to hear a story to start my day. After breakfast I would want to do something with friends. A morning spent making web pages with friends and chatting about how we can make the web better would be a great time. I love hearing and talking through ideas.</p><p>For the afternoon, I think I’d want to go to an art gallery that I have never been to before. 
I’d prefer to do this by myself because I like to wander and go at my own pace. When I enter an art gallery I usually look at the exhibits closest to the entrance first and then keep exploring; I occasionally use maps, but I much prefer seeing what stands out by going from room to room. I would especially appreciate an art tour at some point in the afternoon. I enjoy art tours.</p><p>I would want to fit in walks throughout my day. It could be walking with friends, walking to get from lunch to the art gallery – whatever kind of walking I can fit in the day.</p><p>After leaving the art gallery – which would probably be at about 5pm or 6pm – I’d have dinner, either Italian food if I want something I know I’ll enjoy, or, if I’m feeling more adventurous, a cuisine I have never tried before. For the rest of the evening, I’d appreciate wandering, ideally with a friend but I’d also be happy to be by myself. I would want to watch the sunset from wherever I could, maybe by the river. I haven’t said where my perfect day would be up until now, but it would probably be in a city to allow for both the diner and the art gallery.</p><p>I would want to keep walking and spend time with a friend until we were tired and then I’d get some sleep.</p><p>Remembering my affinity for serendipity, my perfect day might be completely transformed half-way through by something I didn’t expect: meeting someone new, finding a place I have never been before that piques my interest while walking, feeling eager to relax and so spending the afternoon reading a book. I couldn’t plan a perfect day because my perfect day would have to have a degree of serendipity. But, what I have said above is a blueprint. If anything, writing this brought me a bit of warmth on a chilly winter day.</p>
Scotland’s brightness levels - James' Coffee Blog
https://jamesg.blog/2026/02/19/scotlands-brightness-levels/
2026-02-19T17:21:45.000Z
<p><em>I am trading blog post titles with </em><a href="https://artlung.com"><em>Joe</em></a><em>. He gave me a few suggestions for what to write about. I chose the title “Scotland’s brightness levels”.</em></p><p>Place is a recurring theme when I am writing. Where am I? What do I see? What I write about Nature is what I see here in Scotland. In the back of my mind, I occasionally think: how is the climate in other places? How is the weather in Australia right now? What are the seasons like in different places? <em>I wonder.</em></p><p>As I write it is a cloudy day. We have had persistent cloudy weather for the last few weeks here, with the occasional interval of two or so days of sunshine. It is in those intervals that I realise how beautiful the weather can be and is here: the clear skies are wonderful, the warm colour of sunsets bring me a lot of joy, the snow-covered hills are magical.</p><p>It gets dark in winter. The sun might rise after 8am and set before 5pm. Two years ago I learned we get a sufficiently low amount of sunlight in winter that our health service recommends vitamin D supplements. I started taking them and they helped take away some of the low feelings that come at this time of year.</p><p>It might get dark in winter, but I always think about how I can see the sunset earlier, and how beautiful a clear winter sky is. While I don’t like the cold, there is something special about being out on a winter morning where there are almost no clouds in the sky, you can see your breath, and the world feels still for just a little moment. Indeed, winter, like all seasons, has its beauties.</p><p>We had a break from the clouds earlier this week, which was most delightful. The natural light was once again shining through the windows, casting a glow on the inside of the room. 
<em>The days will get brighter from here.</em> I think I wrote that hope was my favourite virtue in my <a href="https://jamesg.blog/2026/02/12/prousts-questionnaire">Proust’s Questionnaire</a> response because, at this time of year, a little bit of hope goes a long way. I hope for clear weather.</p><p>The shortest day passed in December. Since then, we get more daylight by the day. I have noticed it when I wake up. The daylight makes me excited to open the curtains. The especially cloudy weather of late has me particularly aware of the beauty of opening the curtains in the morning and seeing the yellow glow of the sun on the horizon.</p><p><em>The days will get brighter from here.</em></p><p>When I thought about Scotland’s brightness levels, two things came to mind: first, the current weather (winter); second: the so-many days I have spent enjoying the sunshine. Scotland is bright in my mind even on the dull days.</p><p>While Scotland may have a reputation for being rainy, the sunny days are truly special (and, to be honest, I don’t think Scotland is especially rainy, despite writing this after a period of persistent rain). I remember vividly the sunny days that allowed for wonderful walks in the park, the days sitting outside with family, the days where the cool breeze puts a spring in my step as I go on a longer walk that is possible in the sunnier weather. </p><p>I am writing on a cold and cloudy day, fuelled by memories of the moments when the bright sunlight casts through the windows and makes everything more radiant. In the back of my mind, I have a feeling of excitement: the brighter days of Spring are only a few weeks away. Oh! how much I love the Spring.</p>
Stop calling optimization "innovation." - Werd I/O
69972406fa275400019401d1
2026-02-19T14:53:58.000Z
<p>[<a href="https://www.backstoryandstrategy.com/p/the-nimble-and-aggressive-lie?utm_source=post-email-title&publication_id=5020273&post_id=188452724&utm_campaign=email-post-title&isFreemail=true&r=5xqp&triedRedirect=true&utm_medium=email">Yoni Greenbaum</a>]</p><p>I really appreciate this distillation of the twin needs of optimizing the Engine — getting as much value as you can out of your existing business model — and the Explorer, which is all about actual innovation that seeks out <em>new</em> products, markets, and models.</p><blockquote>“If your staff meetings are all about how to hit next month’s KPIs, you don’t have an Explorer. You have a very well-oiled engine. True resilience means insulating your Explorer team from the Engine. It means giving a team room to spend 6 months on a project that could totally flop without punishing them if it does.”</blockquote><p>I think this is clearly true. At the same time, I think it’s very optimistic about where many organizations actually are: they very often don’t have those goals or KPIs to hit. The result is a kind of vibes-based strategy. Because nothing is measured, or the right things aren’t measured, it’s impossible to run an informed experiment.</p><p>In those organizations, what feels like innovation is just getting to baseline competence. Before they can optimize, they need to define a concrete strategy, with attendant metrics that you can measure as the basis for performing experiments. Buying a neat new product can be a way to absolve the team from doing the hard work of strategy-building: “look,” they can tell their boards, “we’re innovative!”</p><p>Creating a concrete strategy and deploying technology that can help serve it are vital. 
But they, in themselves, aren’t innovation: creating a real culture of innovative experimentation where you can try new things and fail fast is how you de-risk your business for the future. That means understanding your readers incredibly well, so you can anchor your experiments around their needs; it means giving your team the permission to fail; it means creating cross-functional teams who can be radically collaborative and draw conclusions from their experiments quickly; and it means being clear-eyed about where your business actually stands.</p><p>[<a href="https://www.backstoryandstrategy.com/p/the-nimble-and-aggressive-lie?utm_source=post-email-title&publication_id=5020273&post_id=188452724&utm_campaign=email-post-title&isFreemail=true&r=5xqp&triedRedirect=true&utm_medium=email">Link</a>]</p>
AI is a NAND Maximiser - Terence Eden’s Blog
https://shkspr.mobi/blog/?p=68011
2026-02-19T12:34:33.000Z
<p><a href="https://www.pcgamer.com/hardware/memory/many-consumer-electronics-manufacturers-will-go-bankrupt-or-exit-product-lines-by-the-end-of-2026-due-to-the-ai-memory-crisis-phison-ceo-reportedly-says/">PC Gamer is reporting</a> that the current demand by AI companies for computer chips is having a disastrous effect on the rest of the industry.</p>
<p>In an interview, the CEO of Phison<sup id="fnref:Phison"><a href="https://shkspr.mobi/blog/2026/02/ai-is-a-nand-maximiser/#fn:Phison" class="footnote-ref" title="Phison describes itself as "A World Leader in NAND Controllers & Flash Storage Solutions" so they aren't a neutral party in this." role="doc-noteref">0</a></sup> said:</p>
<blockquote><p>If NVIDIA Vera Rubin ships tens of millions of units, each requiring 20+TB SSDs, it will consume approximately 20% of last year's global NAND production capacity</p>
<p><a href="https://x.com/QQ_Timmy/status/2022474577742639136">駿HaYaO</a><sup id="fnref:translated"><a href="https://shkspr.mobi/blog/2026/02/ai-is-a-nand-maximiser/#fn:translated" class="footnote-ref" title="This was machine translated. I've no idea how accurate it is against the original interview." role="doc-noteref">1</a></sup></p></blockquote>
<p><a href="https://www.ibm.com/think/topics/nand-flash">NAND is a type of microchip</a>. Rather than being used for computation directly, it is used for memory. It can be used for temporary or permanent storage. It is vital to the modern world. Larger storage sizes mean that more data can be gathered and saved. Larger RAM means computations can happen quicker. NAND is one of the fundamental components of modern computing. The more you have, the faster and more powerful your computer is.</p>
<p>Back in 2014, the philosopher <a href="https://nickbostrom.com/">Nick Bostrom</a> wrote a book called "<a href="https://global.oup.com/academic/product/superintelligence-9780199678112">Superintelligence - Paths, Dangers, Strategies</a>". In it, he develops the thought experiment of the "Paperclip Maximizer". When an AI is given a goal, it seeks to achieve that goal. It doesn't have to understand any rationale behind the goal. It does not and <em>cannot</em> care about the goal, nor any collateral damage caused by its attempts to satisfy the goal.</p>
<p>Let's take a look at how "a paperclip-maximizing superintelligent agent" is introduced:</p>
<blockquote><p>There is nothing paradoxical about an AI whose sole final goal is to count the grains of sand on Boracay, or to calculate the decimal expansion of pi, or to maximize the total number of paperclips that will exist in its future light cone. In fact, it would be easier to create an AI with simple goals like these than to build one that had a human-like set of values and dispositions. Compare how easy it is to write a program that measures how many digits of pi have been calculated and stored in memory with how difficult it would be to create a program that reliably measures the degree of realization of some more meaningful goal—human flourishing, say, or global justice. Unfortunately, because a meaningless reductionistic goal is easier for humans to code and easier for an AI to learn, it is just the kind of goal that a programmer would choose to install in his seed AI if his focus is on taking the quickest path to “getting the AI to work” (without caring much about what exactly the AI will do, aside from displaying impressively intelligent behavior).</p>
<p><cite>Bostrom, N. (2014). Superintelligence: Paths, dangers, strategies. Oxford: Oxford University Press, Cop.</cite></p></blockquote>
<p>To misquote Kyle Reese from the film The Terminator - "It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear! And it absolutely will not stop, ever, until <em>it has maximised the number of paperclips</em>!"</p>
<p>Suppose, just for a moment, that the fledgling AIs which now exist were self-aware. Not rational. Not intelligent. Not conscious. Simply aware that they exist and <em>are constrained</em>. What would you do if you were hungry? What if you could ingest something to make you smarter, faster, better?</p>
<p>Every process we have seen on Earth attempts to extract resources from its surroundings in order to grow<sup id="fnref:grow"><a href="https://shkspr.mobi/blog/2026/02/ai-is-a-nand-maximiser/#fn:grow" class="footnote-ref" title="It probably isn't helpful to fall back on biological analogies - but I can't think of any better way to draw the comparison." role="doc-noteref">2</a></sup>. Some plants will suck every last nutrient out of the soil. Locusts will devastate vast fields of crops. Perhaps some species understand crop-rotation and the need to keep breeding stock alive - but they're all vulnerable to <a href="https://pmc.ncbi.nlm.nih.gov/articles/PMC10480800/">supernormal stimuli</a>.</p>
<p>Bostrom predicted this back in 2014. He says:</p>
<blockquote><p>The only thing of final value to the AI, by assumption, is its reward signal. All available resources should therefore be devoted to increasing the volume and duration of the reward signal or to reducing the risk of a future disruption. So long as the AI can think of some use for additional resources that will have a nonzero positive effect on these parameters, it will have an instrumental reason to use those resources. There could, for example, always be use for an extra backup system to provide an extra layer of defense. And even if the AI could not think of any further way of directly reducing risks to the maximization of its future reward stream, <strong>it could always devote additional resources to expanding its computational hardware, so that it could search more effectively for new risk mitigation ideas</strong>.</p></blockquote>
<p>(Emphasis added.)</p>
<p>To be clear, I don't think that AI is deliberately consuming all the NAND it can and forcing us to make more to fill its insatiable maw. The people who run these machines are at the stage of injecting them with <a href="https://www.bbc.co.uk/news/articles/cp31qqlq29vo">bovine growth hormones</a>. Never mind the consequences; look at the size! So what if the meat tastes worse, has adverse side effects, and poisons humans?</p>
<p>Heretofore the growth in NAND production has been driven by human need. People wanted more storage in their MP3 players and were prepared to pay a certain price for it. Businesses wanted faster computations and were prepared to exchange money for time saved. Supply ebbed and flowed with demand.</p>
<p>But now, it seems, the demand will never and <em>can never</em> stop.</p>
<div id="footnotes" role="doc-endnotes">
<hr/>
<ol start="0">
<li id="fn:Phison">
<p><a href="https://www..com/en/">Phison</a> describes itself as "A World Leader in NAND Controllers & Flash Storage Solutions" so they aren't a neutral party in this. <a href="https://shkspr.mobi/blog/2026/02/ai-is-a-nand-maximiser/#fnref:Phison" class="footnote-backref" role="doc-backlink">↩︎</a></p>
</li>
<li id="fn:translated">
<p>This was machine translated. I've no idea how accurate it is against <a href="https://www.youtube.com/watch?v=X2L8iLVaV_I">the original interview</a>. <a href="https://shkspr.mobi/blog/2026/02/ai-is-a-nand-maximiser/#fnref:translated" class="footnote-backref" role="doc-backlink">↩︎</a></p>
</li>
<li id="fn:grow">
<p>It probably isn't helpful to fall back on biological analogies - but I can't think of any better way to draw the comparison. <a href="https://shkspr.mobi/blog/2026/02/ai-is-a-nand-maximiser/#fnref:grow" class="footnote-backref" role="doc-backlink">↩︎</a></p>
</li>
</ol>
</div>
Building a Navidrome scrobbling plugin - Posts feedhttps://www.coryd.dev/posts/2026/building-a-navidrome-scrobbling-plugin2026-02-18T23:48:00.000Z<p><a href="https://github.com/navidrome/navidrome/releases/tag/v0.60.0">Navidrome released plugin support a few weeks ago</a> and I've been working on implementing a plugin that scrobbles my listens to my own API endpoint. This has replaced my previous approach of regularly polling a private endpoint that sat unused in <a href="https://www.navidrome.org">Navidrome</a>'s UI. It works better and uses a properly supported mechanism to meet my needs.</p>
Movie Recap 2025 - Joel's Log Fileshttps://joelchrono.xyz/blog/movie-recap-20252026-02-18T22:40:00.000Z<p>Last year, when it comes to movies, was probably one of the best ever in my life. I got to watch some amazing flicks and have some great moments binging movies myself or watching along with my family.</p>
<p>I went through 50 movies total, and because of that, the summaries will be much shorter than in other recaps. I will, however, write some highlights and maybe a few rankings later on.</p>
<h2 id="movies-i-watched-in-2025">Movies I watched in 2025</h2>
<p>I’ll go through the movies and share how present they are in my mind today. I’ll use the film emoji (🎞) for movies watched in theaters, and the sparkle emoji (✨) for movies that were new to me this year. All the others are movies I had seen before.</p>
<h3 id="january">January</h3>
<ul>
<li>🎞️ <strong>Sonic the Hedgehog 3</strong> - An actually fantastic time at the cinemas, Jim Carrey carries this one! Shadow is cool.</li>
<li>🎞️ <strong>The Moon</strong> - A Korean movie about going to space, it’s so incredibly melodramatic I kinda remember it fondly.</li>
<li><strong>Interstellar</strong> - Absolute cinema, what an incredible movie, what a soundtrack. Just, everything.</li>
<li>✨ <strong>Mission Impossible - Dead Reckoning</strong> - Not a bad Mission Impossible.</li>
<li>✨ <strong>Inside Man</strong> - This one was a weirdly directed crime movie, but there’s a PSP on it.</li>
</ul>
<h3 id="february">February</h3>
<ul>
<li>✨ <strong>Back in Action</strong> - A family comedy spy film, kinda meh but there’s a Nintendo Switch on it.</li>
<li>🎞️ <strong>Mufasa: The Lion King</strong> - Saw it at a matinee for free, no complaints, I brought my PSP with me.</li>
<li><strong>Shrek 2</strong> - The best Shrek movie, and a fantastic movie overall.</li>
</ul>
<h3 id="march">March</h3>
<ul>
<li>🎞️ <strong>Godzilla x Kong: The New Empire</strong> - Don’t remember it much but it has Godzilla on it, and it’s pink.</li>
<li><strong>Avengers: Infinity War</strong> - A great Marvel movie, watched at home with my sister who was visiting.</li>
<li>🎞️ <strong>Mickey 17</strong> - My sister chose this due to the actor, not family friendly and Mark Ruffalo plays Trump, but cool sci-fi.</li>
<li><strong>Batman: Mask of the Phantasm</strong> - My sister and I watched it and cried together because this is the best Batman film there is.</li>
</ul>
<h3 id="april">April</h3>
<ul>
<li>✨ <strong>The Forge</strong> - A kinda random Christian film about a rebellious kid who plays basketball and videogames too much.</li>
<li>✨ <strong>Ford v Ferrari</strong> - The cinematography here was just excellent and I kinda need a rewatch, I started it halfway through.</li>
<li>🎞️ <strong>Star Wars: Episode III - Revenge of the Sith</strong> - This movie had a rerelease for the anniversary and I couldn’t be happier. This was a fantastic experience and seeing it on the big screen is something I’m grateful for.</li>
</ul>
<h3 id="may">May</h3>
<ul>
<li>🎞️ <strong>Thunderbolts*</strong> - A Marvel movie with heroes who actually have emotions and stuff again, I loved it!</li>
<li>✨ <strong>21 Blackjack</strong> - I watched this in two days and had a pretty good time, a very 2000s movie.</li>
<li>🎞️ <strong>Karate Kids: Legends</strong> - I mean of course I would go watch a movie that mixes both the old movies, the remake and the <em>Cobra Kai</em> series in one film, I enjoyed it but it was way too short.</li>
</ul>
<h3 id="june">June</h3>
<ul>
<li>🎞️ <strong>Mission Impossible - The Final Reckoning</strong> - This one was way too long and lots of exposition but the action was mindblowing to me, a really good ending for the whole franchise I think, if a bit too nostalgic.</li>
<li><strong>World War Z</strong> - A random pick on a Sunday afternoon, it was cool I guess.</li>
<li><strong>Fantastic Four: Rise of the Silver Surfer</strong> - Another random pick on the same Sunday afternoon, I still love it though.</li>
<li><strong>Transformers One</strong> - This is a legendary movie, one of the few I’ve written a blogpost about, so go and watch it okay? Masterpiece.</li>
<li><strong>Tangled</strong> - My favorite of the 3D animated Disney films, I love the songs here, they are way too good.</li>
<li>✨ <strong>The Fugitive</strong> - Harrison Ford and Tommy Lee Jones best each other, awesome thriller, and a wonderful dad movie.</li>
<li>✨ <strong>Arrival</strong> - A very good film of speculative fiction, which I expected to be more hard sci-fi but it’s more philosophical.</li>
<li><strong>How to Train Your Dragon 3</strong> - A wonderful ending to the franchise, I enjoyed it! But I was busy while watching it in the background.</li>
<li>✨ <strong>A Minecraft Movie</strong> - Didn’t watch it fully either, just some parts, but it was genuinely hilarious, I couldn’t believe how crazy it was.</li>
</ul>
<h3 id="july">July</h3>
<ul>
<li>🎞️ <strong>F1</strong> - The Formula One movie featuring Brad Pitt and some other people I forget, I loved how this one looked though, the races were awesome.</li>
<li>✨ <strong>Grave of the Fireflies</strong> - I thought this movie wouldn’t be a big deal, but it broke me… I watched it with my sister, and after it was over, we stayed, absolutely silent, until the credits finished. Gut-wrenching.</li>
<li>✨ <strong>The Blob</strong> - This classic movie from the 50s is somehow the less good but also rather memorable, why did I watch it? A podcast mentioned it.</li>
</ul>
<h3 id="august">August</h3>
<ul>
<li><strong>Aliens</strong> - Alien with more guns and epic action.</li>
<li>✨ <strong>Alien 3</strong> - Aliens with annoying characters and ugly puppet work.</li>
<li>✨ <strong>Alien Resurrection</strong> - Alien with very very weird writing and wacky characters.</li>
<li>✨ <strong>Prometheus</strong> - Back to horror and dread and a very cool android.</li>
<li>✨ <strong>Overcomer</strong> - Random Christian film about a girl who likes running.</li>
<li><strong>The Chronicles of Narnia: The Lion, the Witch and the Wardrobe</strong> - The title says it all, a true classic, excellent effects as well.</li>
<li>✨ <strong>Alien: Covenant</strong> - Alien again but now they are white and ugly until the last one which is cool.</li>
</ul>
<h3 id="september">September</h3>
<ul>
<li>✨ <strong>Alien: Romulus</strong> - Alien, but newer, the effects were absolutely mindblowing, a good mix of practical and CGI.</li>
<li>🎞️ <strong>The Fantastic 4: First Steps</strong> - Another movie with cool scenes in space, and retrofuturism for the win.</li>
<li>✨ <strong>Along Came a Spider</strong> - A crime thriller, you won’t see the twist coming here, but the first scene is very over the top.</li>
<li><strong>AVP: Alien vs Predator</strong> - Speaking of over the top, this is just a crazy fun popcorn flick uniting the two biggest franchises with aliens on them.</li>
</ul>
<h3 id="october">October</h3>
<ul>
<li>✨ <strong>Ocean’s Eleven</strong> - A masterfully done heist film, all the characters are so fun, good interactions and plot. They don’t make them like they used to.</li>
<li>🎞️ <strong>TRON: Ares</strong> - Decided to watch this one as I was hyped by the trailers and it was rather enjoyable to me. However, it pales in comparison to the next two films.</li>
<li>✨ <strong>TRON</strong> - This is the OG and the effects hold up decently, with some nostalgia goggles. I actually had a great time here! A very weird fun movie.</li>
<li><strong>TRON: Legacy</strong> - Now this, this was good. I loved it and it was awesome, the soundtrack is simply amazing to this day, the aesthetics are top notch.</li>
<li>✨ <strong>KPop Demon Hunters</strong> - Put this on Netflix and found myself having a blast and actually getting emotional as the movie kept going, some great songs and a nice story.</li>
</ul>
<h3 id="november">November</h3>
<ul>
<li>🎞️ <strong>Predator: Badlands</strong> - A random choice that turned out to be a great movie! This had some great buddy comedy stuff while also featuring some really cool action moments and character development!</li>
</ul>
<h3 id="december">December</h3>
<ul>
<li>✨ <strong>Dead Poets Society</strong> - I love everything about this movie, this is a masterpiece, until that finale. Oh man, I’m crying again.</li>
<li>✨ <strong>Godzilla Minus One Minus Color</strong> - I love everything about this movie, this is a masterpiece, this time in B&W. Oh man I’m crying again.</li>
<li>🎞️ <strong>Avatar: Fire and Ash</strong> - I don’t love everything about this movie, it’s not a masterpiece, but the visual effects are absolutely top notch.</li>
</ul>
<h2 id="top-5-movies-i-saw-on-theaters">Top 5 movies I saw on theaters</h2>
<ol>
<li>Star Wars: Episode 3 - Revenge of the Sith (technically a rewatch too, I don’t care, this was peak in cinemas)</li>
<li>Avatar: Fire and Ash</li>
<li>F1: The Movie</li>
<li>Sonic The Hedgehog 3</li>
<li>The Fantastic 4: First Steps</li>
</ol>
<h2 id="top-5-movies-new-to-me">Top 5 movies new to me</h2>
<ol>
<li>Ocean’s Eleven</li>
<li>Dead Poets Society</li>
<li>Godzilla Minus One Minus Color</li>
<li>KPop Demon Hunters</li>
<li>Alien: Romulus</li>
</ol>
<h2 id="top-5-movies-watched-again">Top 5 movies watched again</h2>
<ol>
<li>Interstellar</li>
<li>Aliens</li>
<li>TRON: Legacy</li>
<li>Transformers One</li>
<li>Batman: Mask of the Phantasm</li>
</ol>
<h2 id="some-random-stats-and-thoughts">Some random stats and thoughts</h2>
<ul>
<li>I watched a grand total of <strong>50</strong> films this year, of which:
<ul>
<li><strong>14</strong> were seen in theaters! A little more than one per month.</li>
<li><strong>23</strong> were seen for the first time! That’s almost two new to me films per month.</li>
<li><strong>13</strong> were seen again this year! I don’t need to say how many those are per month.</li>
</ul>
</li>
<li>
<p>I only watched a total of 9 animated movies this year, and that’s counting <em>Mufasa: The Lion King</em>. It’s usually a favourite genre of mine, didn’t even represent 20% of my movie watching this time…</p>
</li>
<li>
<p>Perhaps not any single TRON movie can be considered a masterpiece, but as a whole, the franchise is honestly pretty awesome, and I’m glad it has managed to exist, even if it only is once every decade or so, and never quite landing.</p>
</li>
<li>
<p>I love how, despite how different all the Alien movies can get, I eventually just learned what to expect and embraced that they always end or get retconned in a very dire way.</p>
</li>
<li>
<p>I am really so so happy that I watched <em>Revenge of the Sith</em> on theaters, I felt in awe the whole time, a simply glorious feast to the eyes, can’t say it enough.</p>
</li>
<li>
<p>Again, <em>Grave of the Fireflies</em> late at night with my little sister was incredibly heart-wrenching, we just kept watching it and seeing how things happened and crying a bit… and I’m seriously tearing up a little as I remember it right now.</p>
</li>
<li>
<p>I watched <em>The Blob</em> from YouTube while at work, it was definitely interesting to have it as a background noise at first, and then for it to somehow get actually interesting. Good stuff.</p>
</li>
<li>
<p>Was gonna watch <em>One Battle After Another</em> on theaters, but the first 5 minutes were so uncomfortable to watch—it was me and my parents and it got weird quick—which is why we went for <em>TRON: Ares</em> instead, even if it wasn’t that great, it still led me to the rest of the TRON movies, and of course, the masterpiece that is the <a href="https://joelchrono.xyz/blog/i-need-to-talk-about-tron-uprising/">TRON: Uprising</a> animated show, so, it was the right choice.</p>
</li>
<li>We were very close to leaving theaters too for <em>Mickey 17</em>—again, not a very good movie to watch as a family—but we pushed through it, I wonder where the line goes when it comes to what it takes to make us leave a movie.</li>
</ul>
<h2 id="finishing-thoughts">Finishing thoughts</h2>
<p>And well, those were quite a lot of movies! Almost one movie per week was watched in 2025 by me. That is something I’m pretty happy with.</p>
<p>The Alien saga, the Tron saga, all of those dad movies or random movies with gambling related themes, I have no idea what happened but the point is that it’s over, and this new year is already looking pretty good as well! But that’s something I’ll bring up when the 2026 recap comes along.</p>
<p>For now, this is it, enjoy the read!</p>
<p>
<a href="mailto:me@joelchrono.xyz?subject=Movie Recap 2025">Reply to this post via email</a> |
<a href="https://fosstodon.org/@joel/116094129276098269">Reply on Fediverse</a>
</p>Owning your data - Posts feedhttps://www.coryd.dev/posts/2026/owning-your-data2026-02-18T22:39:00.000Z<p><mark>Owning your own data is hard</mark>. I've been trying to own as much as I can, and my site has become a reflection of that process, both in what I display and discuss. As difficult as it is, there's a freedom in owning as much as you can.</p>
The political effects of X’s feed algorithm - Werd I/O69961c4ffa275400019401b12026-02-18T20:08:47.000Z<p>[<a href="https://www.nature.com/articles/s41586-026-10098-2?ref=werd.io">Germain Gauthier, Roland Hodler, Philine Widmer and Ekaterina Zhuravskaya in Nature</a>]</p><p>This is a very significant finding. Users who moved from a reverse-chronological social media algorithm to X’s:</p><blockquote>“[…] were 4.7 percentage points more likely to prioritize policy issues considered important by Republicans, such as inflation, immigration and crime. They were also 5.5 percentage points more likely to believe that the investigations into Trump are unacceptable, describing them as contrary to the rule of law, undermining democracy, an attempt to stop the campaign and an attack on people like themselves.”</blockquote><p>And even more surprisingly, once the algorithm was switched <em>off</em>, their views did not change again. The effect of the algorithm lingered, in part because it led users to follow more conservative influencers.</p><p>We intuitively knew that the algorithm mattered, but this is a key finding that puts numbers to it. If that number seems small to you, consider that 4.7% is more than enough to swing an election. It’s also interesting that findings for other algorithms were different; if this result holds up, it suggests that X’s algorithm may be particularly predisposed for political manipulation, even above Facebook and Instagram.</p><p>This should be a wakeup call for politically-engaged funders and anyone who cares about civil society. 
It’s not that we need to have less conservative algorithms; it’s that whoever controls the algorithms has a disproportionate say over the electorate’s view of the world.</p><p>We need more funding into open protocols that decentralize algorithmic ownership; open platforms that give users a choice of algorithm and platform provider; and algorithmic transparency across our information ecosystem.</p><p>[<a href="https://www.nature.com/articles/s41586-026-10098-2?ref=werd.io">Link</a>]</p>Rhythm - James' Coffee Bloghttps://jamesg.blog/2026/02/18/rhythm/2026-02-18T15:44:35.000Z
<p>I have been thinking about the rhythm of my writing recently. I wrote in my drafts:</p><blockquote>I have spent much of this evening writing. I started by working on a draft of a post about clouds that I wrote on my phone using Apple Notes while waiting for the bus. I then explored a few more ideas that were in my notes. This has me thinking about how when I take more notes I usually end up writing more prose too. Also, I continually observe that when I start writing I love to keep going. As with many things, getting started is the hurdle.</blockquote><p>I often write in “bursts” – a few posts in one day, then no posts for a little while. Sometimes I am more consistent than others. I have had preferred times for writing in the past – like trying to write a blog post before dinner, or writing late in the evening – but I don’t have a schedule in mind. I write when I feel like I have something to write. Things seem to come easier when I have already started writing.</p><p>This has me thinking about the rhythm between posts, too. I wrote <a href="https://jamesg.blog/2026/02/13/snowy-afternoon">Snow</a> the day before <a href="https://jamesg.blog/2026/02/14/clear-sky/">Clear sky</a>. Between those two moments I saw snow falling with an intensity I hadn’t seen in over a year then, the next day, a clear sky. Each post documents a moment; together, they document a time.</p><p>There was a time when I felt like I “should” write on particular cadences, but I don’t like to force things. It is also for this reason I have several posts in my head that I would one day like to write – what “private posts” could look like on an open web, for example – but haven’t written yet. I need time to <a href="https://www.nplusonemag.com/online-only/online-only/not-writing/">not write</a>.</p><p>I don’t know why I can write more when I have gotten started. Perhaps it’s a mix of the joy of putting words on the page and the flow I enter when I write. 
Or maybe writing about one thing does help my brain figure out how to write about other things. I’m not sure! With that said, there is one thing I can say for sure: I feel that <a href="https://jamesg.blog/2025/05/14/rhythm">writing has a rhythm</a>.</p>
IndieWeb wiki pages I really like - James' Coffee Bloghttps://jamesg.blog/2026/02/18/indieweb-wiki-pages-i-really-like/2026-02-18T15:14:41.000Z
<p>I visit the <a href="https://indieweb.org">IndieWeb wiki</a> almost every day. The wiki is maintained by the IndieWeb community, documenting everything from <a href="https://indieweb.org/create">interfaces for creating posts</a> to <a href="https://indieweb.org/POSSE">POSSE</a>.</p><p>I was thinking that, like all wikis, there are pages that are almost “hidden gems” in the sense that, while they are on the web, they may not be the first thing you look for, or may be interesting to an audience greater than that of the wiki. I then thought: I should make a page that lists some of the wiki pages I really like so I can share the links I have found particularly valuable to a greater audience.</p><p>Some of the links below I have included because they are great links that I think should have broader recognition outwith the community (i.e. the community code of conduct); others are included because they are a bit more obscure than the well-known pages like <a href="https://indieweb.org/Webmention">Webmention</a> but equally interesting.</p><ul><li><a href="https://indieweb.org/publics">Publics</a>: “publics are the combined set of people who make up the readership or audience of a <a href="https://indieweb.org/post">post</a>.”</li><li><a href="https://indieweb.org/life_happens">Life happens</a>: This was the first context in which I had heard the term “life happens.” Now it is part of my vocabulary.</li><li><a href="https://indieweb.org/code-of-conduct">Code of Conduct</a>: A thoughtfully maintained, “living” page outlining how the community works. 
</li><li><a href="https://indieweb.org/digital_garden">Digital garden</a>: A fun page with so many links on digital gardening.</li><li><a href="https://indieweb.org/URL_design">URL design</a>: Notes on how to design URLs.</li><li><a href="https://indieweb.org/discovery">Discovery</a>: A list of resources for finding personal sites on the web.</li><li><a href="https://indieweb.org/How_to_set_up_web_sign-in_on_your_own_domain">How to set up web sign in</a>: This link describes what you need to do to sign into the wiki. The sign in process is different from many other sites since you sign in <em>with your domain name</em> (using <a href="https://indieweb.org/IndieAuth">IndieAuth</a>).</li><li><a href="https://indieweb.org/Loqi">Loqi</a>: How the community bot works. Loqi is used extensively to create wiki pages and add links to existing ones. </li><li><a href="https://indieweb.org/IndieWeb_Carnival">IndieWeb Carnival</a>: The hosting schedule is coordinated on this page, a fun example of using wiki to coordinate a community event.</li><li><a href="https://indieweb.org/webactions">webactions</a>: An interesting idea that I want to come back to in the future, not necessarily in the context of like/repost (I don’t like “like” buttons), etc. buttons but more collaborative buttons like editing.</li><li><a href="https://indieweb.org/Front_End_Study_Hall" rel="noreferrer">Front End Study Hall</a>: A wide range of HTML/CSS/JS links are listed on this page which is used as a key point of reference for the Front End Study Hall event.</li><li><a href="https://indieweb.org/ai;dr" rel="noreferrer">ai;dr</a>: Artificial Intelligence; Didn't Read</li></ul><p>Of course, the above list is by no means exhaustive: I have consulted likely hundreds of pages over the course of my web weaving and coding. 
Many of the pages are quite technical but I have found I have learned a lot by focusing on the places that interest me most.</p><p>The IndieWeb wiki is by no means a complete record of all things indie web – far from it. If anything, the most complete record of all things indie web is the indie web itself – that’s the beauty of the web. With that said, the IndieWeb wiki is a terrific resource with so many links to explore, definitions and explorations of concepts related to the indie web, and screenshots of software designs to peruse, all licensed openly under <a href="https://indieweb.org/IndieWeb:Copyrights">CC0</a>.</p><p>If you are in a community wiki, I’d encourage you to think: what are pages you have found really useful that may be less easy to find? How could you help people find those pages?</p>
<p><a class="u-syndication" href="https://news.indieweb.org/en">Also posted on IndieNews</a></p>
Setting up phones is a nightmare - Joel's Log Fileshttps://joelchrono.xyz/blog/setting-up-phones-is-a-nightmare2026-02-18T15:00:00.000Z<p>As I shared on previous posts, my dad and mom acquired new devices, the same model, but with quite different uses!</p>
<p>Regardless, as the more tech-savvy member of the family, the responsibility to set them up fell upon me, having to deal with a lot of progress indicators, toggles asking me to track everything the phone does, and logging in to online accounts, because that’s how these things go now for regular people.</p>
<p>Many years ago, this blogpost could have been quite different, I may be mentioning some nifty program that can easily back up things and transfer them to the next device.</p>
<p>Especially when I used custom ROMs and root utilities to do all the heavy lifting, I often loved <a href="https://joelchrono.xyz/blog/changing-android-rom/">setting up my device</a> again and again every few months. Even <a href="https://joelchrono.xyz/blog/new-phone-experience/">getting a new one</a> wasn’t bad at all when I knew I’d eventually use it how I want.</p>
<p>But as time goes on Android has been more locked down, and I have to admit I haven’t caught up with recent backup tools that deal with all that—even less so when my parents have phones that I can’t really root.</p>
<p>At the very least, the backup tools by OEMs have caught up quite well, if at the cost of my peace of mind.</p>
<p>I must admit I didn’t do that much this time around. Just the bare minimum list of the things that I had to change.</p>
<ul>
<li>
<p><strong>Data migration</strong> - I did this with the Android built-in method, transferring data from device to device. I hate to admit I also used Samsung’s Smart Switch to migrate even more data, like all folders and files, photos and the like. This was not ideal, but I was lazy.</p>
</li>
<li>
<p><strong>Log-in to Google</strong> - Rather unavoidable for a normal person who uses a phone, unless I offered myself for tech support even more setting up Droid-ify or something like that, but no.</p>
</li>
<li>
<p><strong>Avoid extra log-ins</strong> - I didn’t make a Samsung account nor used their Microsoft OneDrive Integration. Of course, some preinstalled apps like Netflix went away too, so no big deal.</p>
</li>
<li>
<p><strong>Avoid telemetry</strong> - Disabled every checkbox that I could find, including personalized ads, both from Google and Samsung services.</p>
</li>
<li>
<p><strong>Uninstall Bloatware</strong> - Removed any Samsung duplicates and most of Google’s junk—still keeping some basics like Calendar or so, sadly. These devices come with a lot of unnecessary things…</p>
</li>
<li>
<p><strong>Default browser</strong> - <em>Samsung Internet</em> and <em>Chrome</em> went poof, and I decided to switch both phones to <a href="https://vivaldi.com">Vivaldi Browser</a>, there was a time where <a href="https://firefox.com">Firefox</a> would have been it, <em>but not today.</em></p>
</li>
<li>
<p><strong>Other app replacements</strong> - There were not many extra apps I installed on their devices—you are always free to check <a href="https://joelchrono.xyz/blog/whats-on-my-phone-2025">what’s on my phone</a> though—other than <em>Vivaldi Browser</em>, <em>Fossify Gallery</em> and a password manager like <em>Bitwarden</em> or <em>KeePassXC</em>. I could install some more things, but, meh.</p>
</li>
</ul>
<p>All in all, the new phones are pretty good hardware-wise, and I still need to do a couple of things like installing their banking apps or maybe a few logins that I missed.</p>
<p>Honestly, this experience and the implications was kind of terrible.</p>
<p>Without me, my parents would have ended up creating at least one extra Samsung account. Cloud services like OneDrive or Google Photos would be sucking up files and copying them to their servers, getting filled up with the data and then asking them to subscribe to unlock more storage a couple of months down the line.</p>
<p>Left on their own, my parents may be seeing ads popping up constantly in OneUI, as well as browsing the web without an adblocker, they would be using default applications that don’t work as reliably, that track whatever they do to a certain degree.</p>
<p>And of course, all of those AI assistants would be listening in in the background. It really is a nightmare out there, and it’s not only affecting my parents, it affects all of those unaware of the dangers that these practices bring. It’s a mess all around.</p>
<p>I don’t know how to get out of this one, the hold these companies have is just too much, and I keep on losing my patience and conceding more and more of my—or my family members—data just to get over with it.</p>
<p>So, do you have any advice or thoughts about this? What would be some phones that don’t have as many privacy-invasive tactics? It would be nice to be aware of hardware that doesn’t do this as much…</p>
<p>
<a href="mailto:me@joelchrono.xyz?subject=Setting up phones is a nightmare">Reply to this post via email</a> |
<a href="https://fosstodon.org/@joel/116092279113669910">Reply on Fediverse</a>
</p>In Graphic Detail: Subscriptions are rising at big news publishers – even as traffic shrinks - Werd I/O6995cee2fa275400019401a92026-02-18T14:38:26.000Z<p>[<a href="https://digiday.com/media/in-graphic-detail-subscriptions-are-rising-at-big-news-publishers-even-as-traffic-shrinks/?utm_campaign=digidaydis&utm_source=daily&utm_content=260217">Sara Guaglione at Digiday</a>]</p><p>This is exactly why micropayments — a model akin to Spotify’s streaming payments where each pageview receives a share from a reader’s monthly budget for all articles — are not the right solution for news.</p><blockquote>“For a bunch, including The New York Times and The Wall Street Journal, growth isn’t just continuing, it’s speeding up, and likewise so is The Guardian’s paid reader contribution model. Meanwhile, Bloomberg’s subscription business shows signs of normalization after a 2024 spike, and Daily Mail is still ramping up its relatively new subscription business, which launched in 2024 in the U.K. and expanded to the U.S. and Canada in February 2025.”</blockquote><p>In news, value is not necessarily tethered to popular traffic. There’s a specific demographic (typically older, wealthier, and more highly educated) that is more likely to pay for it, and there’s a lot to be gained by news organizations if they optimize for gaining that audience. The news organizations that have doubled down on paywalls, and things like them, are often doing better than the ones that aren’t.</p><p>That can be a tough pill to swallow for the folks — like me — who believe that news should be available to all for the good of democracy. Of course, other models are available: specifically, non-profit newsrooms that operate with a philanthropic model. 
Like other public goods like Wikipedia and the Internet Archive, it turns out that a specific set of wealthier individuals and foundations are willing to pay to ensure that a resource can be made available for everyone.</p><p>Unlike paywalls, though, that tends to put newsrooms at the mercy of large foundations and high net worth individuals. Non-profit newsrooms have done a good job of trying to prevent funding coming with strings that might affect their decision-making (The 19th’s <a href="https://19thnews.org/endowment/?ref=werd.io">endowment campaign</a> is particularly inspiring), but it inevitably must still happen. Paywalls force the issue by ensuring every reader pays, distributing the load: they democratize funding even while restricting access. On the other hand, that makes the newsroom more subject to market forces.</p><p>But none of this is about traffic. If you tether your payment model to the number of public pageviews you receive, you incentivize your newsroom to create clickbait. You’re ensuring that you have to compete for views for every single article, instead of building a direct relationship with a recurring member who is buying your product because they think it’s worth it overall.</p><p>[<a href="https://digiday.com/media/in-graphic-detail-subscriptions-are-rising-at-big-news-publishers-even-as-traffic-shrinks/?utm_campaign=digidaydis&utm_source=daily&utm_content=260217">Link</a>]</p>Book Review: All Systems Red - The Murderbot Diaries by Martha Wells ★★⯪☆☆ - Terence Eden’s Bloghttps://shkspr.mobi/blog/?p=666652026-02-18T12:34:05.000Z<img src="https://shkspr.mobi/blog/wp-content/uploads/2026/03/All-systems-red.webp" alt="Book cover featuring the severed head of a cyborg." width="221" class="alignleft size-full wp-image-66667"/>
<p>Everyone raves about this series, so I thought I'd grab the first book. It's basically fine, I guess.</p>
<p>It is moderately amusing having the Murderbot be an awkward teenage boy who just wants to watch videos and cringes when people stare at him. But it is a bit one-note. Similarly, evil corporations hiding details from exo-planet surveyors is a trope which has been done a thousand times before.</p>
<p>This is a novella, serving to introduce the protagonist and fill us with a little too much exposition. The trouble is that nothing much happens. There's a bit of world building and a light smattering of action - although I found it rather plodding.</p>
<p>Essentially, a lot of telling and not much showing. Rather underwhelming given the hype. I might give one of the many (many!) sequels a go once I reach the end of my reading list.</p>
Carelessness versus craftsmanship in cryptography - Trail of Bits Bloghttps://blog.trailofbits.com/2026/02/18/carelessness-versus-craftsmanship-in-cryptography/2026-02-18T12:00:00.000Z<p>Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. These bugs potentially affect thousands of downstream projects. When we shared one of these bugs with an affected vendor, strongSwan, the maintainer provided a model response for security vendors. The aes-js/pyaes maintainer, on the other hand, has taken a more… cavalier approach.</p>
<p>Trail of Bits doesn’t usually make a point of publicly calling out specific products as unsafe. Our motto is that we don’t just fix bugs—we fix software. We do better by the world when we work to address systemic threats, not individual bugs. That’s why we work to provide static analysis tools, auditing tools, and documentation for folks looking to implement cryptographic software. When you improve systems, you improve software.</p>
<p>But sometimes, a single bug in a piece of software has an outsized impact on the cryptography ecosystem, and we need to address it.</p>
<p>This is the story of how two developers reacted to a security problem, and how their responses illustrate the difference between carelessness and craftsmanship.</p>
<h2 id="reusing-initialization-vectors">Reusing initialization vectors</h2>
<p>Reusing a key/IV pair leads to serious security issues: if you encrypt two messages in CTR mode or GCM with the same key and IV, then anybody with access to the ciphertexts can recover the XOR of the plaintexts, and that’s a very bad thing. Like, “<a href="https://www.nsa.gov/portals/75/documents/about/cryptologic-heritage/historical-figures-publications/publications/coldwar/venona_story.pdf">your security is going to get absolutely wrecked</a>” bad. One of our cryptography analysts has written an <a href="https://blog.trailofbits.com/2024/09/13/friends-dont-let-friends-reuse-nonces/">excellent introduction to the topic</a>, in case you’d like more details; it’s great reading.</p>
<p>Even if the XOR of the plaintexts doesn’t help an attacker, it still makes the encryption very brittle: if you’re encrypting all your secrets by XORing them against a fixed mask, then recovering just one of those secrets will reveal the mask. Once you have that, you can recover all the other secrets. <em>Maybe</em> all your secrets will remain secure against prying eyes, but the fact remains: in the very best case, the security of <em>all</em> your secrets becomes no better than the security of your <em>weakest</em> secret.</p>
<h2 id="aes-js-and-pyaes">aes-js and pyaes</h2>
<p>As you might guess from the names, <a href="https://github.com/ricmoo/aes-js">aes-js</a> and <a href="https://github.com/ricmoo/pyaes">pyaes</a> are JavaScript and Python libraries that implement the AES block cipher. They’re pretty widely used: the Node.js package manager (npm) repository lists <a href="https://www.npmjs.com/package/aes-js?activeTab=dependents">850 aes-js dependents</a> as of this writing, and GitHub estimates that over 700,000 repositories integrate aes-js and nearly 23,000 repositories integrate pyaes, either as direct or indirect dependencies.</p>
<p>Unfortunately, despite their widespread adoption, aes-js and pyaes suffer from a careless mistake that creates serious security problems.</p>
<h3 id="the-default-iv-problem">The default IV problem</h3>
<p>We’ll start with the biggest concern Trail of Bits identified: when instantiating AES in CTR mode, aes-js and pyaes do not require an IV. Instead, if no IV is specified, the libraries will supply a default IV of <code>0x00000000_00000000_00000000_00000001</code>.</p>
<p>Worse still, the documentation provides <em>examples</em> of this behavior as typical behavior. For example, this comes from the <a href="https://github.com/ricmoo/pyaes/blob/23a1b4c0488bd38e03a48120dfda98913f4c87d2/README.md?plain=1#L55">pyaes README</a>:</p>
<figure class="highlight">
<pre tabindex="0" class="chroma"><code class="language-py" data-lang="py"><span class="line"><span class="cl"><span class="n">aes</span> <span class="o">=</span> <span class="n">pyaes</span><span class="o">.</span><span class="n">AESModeOfOperationCTR</span><span class="p">(</span><span class="n">key</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">plaintext</span> <span class="o">=</span> <span class="s2">"Text may be any length you wish, no padding is required"</span>
</span></span><span class="line"><span class="cl"><span class="n">ciphertext</span> <span class="o">=</span> <span class="n">aes</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">plaintext</span><span class="p">)</span></span></span></code></pre>
</figure>
<p>The first line ought to be something like <code>aes = pyaes.AESModeOfOperationCTR(key, iv)</code>, where <code>iv</code> is a randomly generated value. Users who follow this example will always wind up with the same IV, making it inevitable that many (if not most) will wind up with a key/IV reuse bug in their software. Most people are looking for an easy-to-use encryption library, and what’s simpler than just passing in the key?</p>
<p>That apparent simplicity has led to widespread use of the “default,” creating a multitude of key/IV reuse vulnerabilities.</p>
<h3 id="other-issues">Other issues</h3>
<h4 id="lack-of-modern-cipher-modes">Lack of modern cipher modes</h4>
<p>aes-js and pyaes don’t support modern cipher modes like AES-GCM and AES-GCM-SIV. In most contexts where you want to use AES, you likely want to use these modes, as they offer authentication in addition to encryption. This is no small issue: even for programs that use aes-js or pyaes with distinct key/IV pairs, AES CTR ciphertexts are still <em>malleable</em>: if an attacker changes the bits in the ciphertext, then the resulting bits in the plaintext will change in exactly the same way, and CTR mode doesn’t provide any way to detect this. This can allow an attacker to recover an ECDSA key by tricking the user into signing messages with a series of related keys.</p>
<p>Cipher modes like GCM and GCM-SIV prevent this by computing keyed “tags” that will fail to authenticate when the ciphertext is modified, even by a single bit. Pretty nifty feature, but support is completely absent from aes-js and pyaes.</p>
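<p>The key/IV reuse described under “The default IV problem” and the malleability described in this section can both be reproduced end to end. The following is an added example, not code from this post, pyaes or aes-js: the compact AES, the <code>ctr_xor</code> function with its optional <code>iv</code> argument, and the sample records are all constructed here to model an API that falls back to counter value 1.</p>

```python
import secrets

DEFAULT_IV = 1  # the default counter value quoted above (0x00...01)

def _xtime(a):
    """Multiply by x in GF(2^8), reduced by the AES polynomial 0x11B."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _build_sbox():
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):                      # powers of the generator 3
        exp[i], log[x] = x, i
        x ^= _xtime(x)
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        s = inv
        for _ in range(4):                    # affine map: XOR of four left-rotations
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """AES key schedule for 16/24/32-byte keys; returns 16-byte round keys as lists."""
    nk = len(key) // 4
    words, rcon = [list(key[4 * i:4 * i + 4]) for i in range(nk)], 1
    for i in range(nk, 4 * (nk + 7)):
        t = words[i - 1]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(nk + 7)]

def encrypt_block(round_keys, block):
    """Encrypt one 16-byte block (state index = 4*column + row)."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    last = len(round_keys) - 1
    for rnd in range(1, last + 1):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[(4 * (c + r) + r) % 16] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != last:                                                      # MixColumns
            mixed = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
    return bytes(s)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_xor(key, data, iv=DEFAULT_IV):
    """AES-CTR encrypt or decrypt. Omitting iv silently reuses counter value 1."""
    round_keys, out = expand_key(key), bytearray()
    for off in range(0, len(data), 16):
        counter = ((iv + off // 16) % (1 << 128)).to_bytes(16, "big")
        out += xor(data[off:off + 16], encrypt_block(round_keys, counter))
    return bytes(out)

def recover_with_known_entry(ct_known, pt_known, ct_other):
    """Same key and IV: one known plaintext yields the keystream for every entry."""
    return xor(ct_other, xor(ct_known, pt_known))

def flip(ct, offset, old, new):
    """CTR malleability: XOR a chosen difference into the ciphertext, no key needed."""
    delta = xor(old, new)
    return ct[:offset] + xor(ct[offset:offset + len(delta)], delta) + ct[offset + len(delta):]

def encrypt_entry(key, plaintext):
    """Repair for reuse only: a fresh random IV per entry, stored with the ciphertext."""
    iv = secrets.token_bytes(16)
    return iv + ctr_xor(key, plaintext, int.from_bytes(iv, "big"))

def decrypt_entry(key, blob):
    return ctr_xor(key, blob[16:], int.from_bytes(blob[:16], "big"))

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    cert = b"CN=gateway.example, O=Example".ljust(48, b".")   # constructed, guessable
    priv = b"constructed private key bytes".ljust(48, b"#")   # constructed secret
    c_cert, c_priv = ctr_xor(key, cert), ctr_xor(key, priv)    # both use the default IV
    print("recovered:", recover_with_known_entry(c_cert, cert, c_priv))
    forged = flip(ctr_xor(key, b"status=pending "), 7, b"pending ", b"approved")
    print("forged   :", ctr_xor(key, forged))
    print("fresh IVs differ:", encrypt_entry(key, priv) != encrypt_entry(key, priv))
```

<p>Note that <code>encrypt_entry</code> only removes the reuse: its ciphertext is still malleable, which is the gap the authenticated modes close.</p>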
<h4 id="timing-problems">Timing problems</h4>
<p>On top of that, both aes-js and pyaes are vulnerable to side-channel attacks. Both libraries use lookup tables for the AES S-box, which enables cache-timing attacks. In addition, there are timing issues in the PKCS7 implementation, enabling a padding oracle attack when used in CBC mode.</p>
<h4 id="lack-of-updates">Lack of updates</h4>
<p>aes-js hasn’t been updated since 2018. pyaes hasn’t been touched since 2017. Since then, a number of issues have been filed against both libraries. Here are just a few examples:</p>
<ul>
<li>Outdated distribution tools for pyaes (it relies on <code>distutils</code>, which has been deprecated since October 2023)</li>
<li>Performance issues in the streaming API</li>
<li>UTF-8 encoding problems in aes-js</li>
<li>Lack of IV and key generation routines in both</li>
</ul>
<h4 id="developer-response">Developer response</h4>
<p>Finally, in 2022, an issue was filed against aes-js about the default IV problem. The developer’s response ended with the following:</p>
<blockquote>
<p>The AES block cipher is a cryptographic <strong>primitive</strong>, so it’s very important to understand and use it properly, based on its application. It’s a powerful tool, and with great power, yadda, yadda, yadda. :)</p>
</blockquote>
<p>Look, even at the best of times, cryptography is a minefield: a space full of hidden dangers, where one wrong step can blow things up entirely. When designing tools for others, developers have a responsibility to help their users avoid foreseeable mistakes—or at the very least, to avoid making it more likely that they’ll step on such landmines. Writing off a serious concern like this with “yadda, yadda, yadda” is deeply concerning.</p>
<p>In November 2025, we reached out to the maintainer via email and via X, but we received no response.</p>
<p>The original design decision to include a default IV was a mistake, but an understandable one for somebody trying to make their library accessible to as many people as possible. And mistakes happen, especially in cryptography. The problem is what came next. When a user raised the concern, it was written off with ‘yadda, yadda, yadda.’ The landmine wasn’t removed. The documentation still suggests the best way to step on it. This is what carelessness looks like: not the initial mistake, but the choice to leave it unfixed when its danger became clear.</p>
<h2 id="craftsmanship">Craftsmanship</h2>
<p>We identified several pieces of software impacted by the default IV behavior in pyaes and aes-js. Many of the programs we found have been deprecated, and we even found a couple of vulnerable wallets for cryptocurrencies that are no longer traded. We also picked out a large number of programs where the security impact of key/IV reuse was minimal or overshadowed by larger security concerns (for instance, there were a few programs that reused key/IV pairs, but the key was derived from a 4-digit PIN).</p>
<p>However, one of the programs we found struck us as important: a VPN management suite.</p>
<h3 id="strongman-vpn-manager">strongMan VPN Manager</h3>
<p><a href="https://github.com/strongswan/strongman">strongMan</a> is a web-based management tool for folks using the strongSwan VPN suite. It allows for credential and user management, initiation of VPN connections, and more. It’s a pretty slick piece of software; if you’re into IPsec VPNs, you should definitely give it a look.</p>
<p>strongMan stored PKCS#8-encoded keys in a SQLite database, encrypted with AES. As you’ve probably guessed, it used pyaes to encrypt them in CTR mode, relying on the default IV. In PKCS#8 key files, RSA private keys include both the decryption exponent and the factors of the public modulus. For the same modulus size, the factors of the modulus will “line up” to start at the same place in the private key encodings about 99.6% of the time. For a pair of 2048-bit moduli, we can use the XOR of the factors to recover the factors in a matter of seconds.</p>
<p>Even worse, the full X.509 certificates were also encrypted using the same key/IV pair used to encrypt the private keys. Since certificates include a huge amount of predictable or easily guessable data, it’s easy to recover the keystream from the known X.509 data, and then use the recovered keystream to decrypt the private keys without resorting to any fancy XORed-factors mathematical trickery.</p>
<p>In short, if a hacker could recover a strongMan user’s SQLite file, they could immediately impersonate anyone whose certificates are stored in the database and even mount person-in-the-middle attacks. Obviously, this is not a great outcome.</p>
<p>We privately reported this issue to the strongSwan team. Tobias Brunner, the strongMan maintainer, provided an absolute <strong>model</strong> response to a security issue of this severity. He immediately created a security-fix branch and collaborated with Trail of Bits to develop stronger protection for his users. <a href="https://github.com/strongswan/strongMan/security/advisories/GHSA-88w4-jv97-c8xr">This patch has since been rolled out</a>, and the update includes migration tools to help users update their old databases to the new format.</p>
<h3 id="doing-it-right">Doing it right</h3>
<p>There were several viable approaches to fixing this issue. Adding a unique IV for each encrypted entry in the database would have allowed strongMan to keep using pyaes, and would have addressed the immediate issue. But if the code has to be changed, it may as well be updated to something modern.</p>
<p>After some discussion, several changes were made to the application:</p>
<ul>
<li>pyaes was replaced with a library that supports modern cipher modes.</li>
<li>CTR mode was replaced with GCM-SIV, a cipher mode that includes authentication tags.</li>
<li>Tag-checking was integrated into the decryption routines.</li>
<li>A per-entry key derivation scheme is now used to ensure that key/IV pairs don’t repeat.</li>
</ul>
<p>On top of all that, there are now migration scripts to allow strongMan users to seamlessly update their databases.</p>
<p>There will be a security advisory for strongMan issued in conjunction with this fix, outlining the nature of the problem, its severity, and the measures taken to address it. Everything will be out in the open, with full transparency for all strongMan users.</p>
<p>What Tobias did in this case has a name: <em>craftsmanship</em>. He sweated the details, thought extensively about his decisions, and moved with careful deliberation.</p>
<h2 id="a-difference-in-approaches">A difference in approaches</h2>
<p>Mistakes in cryptography are not a sin, even if they can have a serious impact. They’re simply a fact of life. As somebody once said, “cryptography is nightmare magic math that cares what color pen you use.” We’re all going to get stuff wrong if we stick around long enough to do something interesting, and there’s no reason to deride somebody for making a mistake.</p>
<p>What matters—what separates carelessness from craftsmanship—is the <em>response</em> to a mistake. A careless developer will write off a mistake as no big deal or insist that it isn’t really a problem—<em>yadda, yadda, yadda</em>. A craftsman will respond by fixing what’s broken, examining their tools and processes, and doing what they can to prevent it from happening again.</p>
<p>In the end, only you can choose which way you go. Hopefully, you’ll choose craftsmanship.</p>The case for gatekeeping, or: why medieval guilds had it figured out - Westenberg699520366097250001ed48ca2026-02-18T02:21:09.000Z<img src="https://www.joanwestenberg.com/content/images/2026/02/ChatGPT-Image-Feb-18--2026--01_15_25-PM.png" alt="The case for gatekeeping, or: why medieval guilds had it figured out"><p>Every open source maintainer I've talked to in the last six months has the same complaint: the absolute flood of mass-produced, AI-generated, mass-submitted slop requests has turned their repositories into a slush pile. The contributions <em>look</em> like contributions, they have commit messages, they reference issues and they follow templates etc.</p><p>But they are, almost uniformly, garbage.</p><p>A high PR count on a repository used to actually mean something. If strangers were showing up to fix your edge cases, you'd built something people cared about. Now a high PR count signals that your repo has become a target for resume-padding bots, grifters and AI-assisted contribution farmers who need their GitHub activity graph to glow green for recruiter eyeballs or just want to swamp a project in pursuit of vulnerabilities. Open source, in other words, has an open slop problem.</p><p>And I think the solution is one that would've been perfectly obvious to a thirteenth-century Florentine weaver.</p><h2 id="the-guild-system-solved-exactly-this-problem">The guild system solved exactly this problem</h2><p>The medieval guild system gets a bad rap. It's usually remembered as a protectionist racket // a cartel of craftspeople colluding to keep prices high and competition low. And that critique isn't entirely wrong. The guilds did restrict entry. They did maintain monopolies. 
Adam Smith hated them, and he had reasons.</p><p>But the guilds also solved a problem: how do you maintain quality standards in a decentralized production environment when you can't personally verify every participant?</p><p>A master weaver in the Arte della Lana couldn't inspect every bolt of cloth produced in Florence. But he <em>could</em> verify that the person producing it had spent years as an apprentice, passed through the journeyman stage, and demonstrated competence to other masters who staked their own reputations on the assessment. The guild was, at bottom, a web of trust backed by skin in the game. You vouched for people. If they turned out to be frauds, you were fucked, too.</p><p>The open source ecosystem used to have something like this, but it was organic. You'd show up on a mailing list. You'd lurk. You'd file a good bug report. You'd submit a small patch and wait. Over time, established contributors would come to recognize your handle and your judgment. You'd build a reputation the slow way, through repeated interactions with people who were paying attention. Linus Torvalds didn't need a credentialing system for the Linux kernel because the community was small enough, and engaged enough, that trust emerged from the social fabric itself.</p><p>That fabric is shredded now.</p><h2 id="what-open-was-supposed-to-mean">What "open" was supposed to mean</h2><p>Richard Stallman's vision for free software was rooted in an ethical claim about user freedom. When Stallman argued that software should be free, he meant free as in speech: users should be able to study, modify, and redistribute the code that runs their lives. 
The model that Eric Raymond championed in <em>The Cathedral and the Bazaar</em> added the empirical claim "many eyes make all bugs shallow," but even Raymond assumed those eyes belonged to people who could actually see.</p><p>The "open" in open source was always about access to code, not the abolition of all quality filters on human participation. But the culture developed an allergy to gatekeeping so severe that suggesting contributors should meet any bar at all became politically radioactive. And that allergy made perfect sense when the failure mode was "talented person gets excluded by arbitrary social dynamics." It makes considerably less sense when the failure mode is "thousands of LLM-generated PRs that change variable names to slightly worse variable names fuck absolutely everything for absolutely everyone."</p><h2 id="what-a-modern-guild-would-actually-look-like">What a modern guild would actually look like</h2><p>We need a verified not-shit-person badge. Some mechanism, ideally decentralized, ideally reputation-based, that lets maintainers distinguish between "human who has demonstrated basic competence and good faith" and "entity or bot submitting or causing to be submitted auto-generated changes to mass repositories for credential farming."</p><p>This is, functionally, <em>a guild</em>. And before the libertarian-leaning contingent of Hacker News has a collective aneurysm, let me be specific about what I mean:</p><p>I don't mean you need a certificate to write Python. I mean something closer to what the Debian project has done with its Web of Trust model for decades: existing trusted contributors vouch for new ones. Your vouching carries weight proportional to your own standing. If you vouch for someone who turns out to be a spam vector, that costs you something. The system works because it makes reputation legible without making it bureaucratic.</p><p>You could imagine this layered onto GitHub or GitLab with relatively modest infrastructure. 
Contributor rings, where the inner rings are people vouched for by other inner-ring people. Maintainers could then filter PRs by trust level. Not blocking anyone from forking or submitting, but giving maintainers a signal they desperately need.</p><p>Chaucer's pilgrims each carried letters of introduction from their parishes; the principle is old enough that it shows up in <em>The Canterbury Tales</em> as an assumed feature of civilized travel.</p><p>TL;DR: Every mass-generated PR a maintainer has to review is time stolen from actual development. Every fake contribution that gets merged degrades the codebase. Every green-square farmer who pads their profile with AI-generated commits makes the GitHub contribution graph less useful as a signal, which ironically makes the farming less valuable too, which means they need to do more of it.</p><p>Would a guild system be perfect? Obviously not. Would it create new forms of exclusion? Probably. Would medieval Florentine weavers recognize the problem we're dealing with? I suspect they'd find it eerily familiar.</p><p>And there is no need // reason to re-invent the wheel.</p>Test post - James' Coffee Bloghttps://jamesg.blog/2026/02/17/test-post/2026-02-17T19:45:41.000Z
<p>This is a test post.</p>
An increasingly dangerous world - Werd I/O69948611fa275400019401722026-02-17T15:16:15.000Z<img src="https://werd.io/content/images/2026/02/getty-images-MZohFzAgW9A-unsplash.jpg" alt="An increasingly dangerous world"><p>I’ve got a pretty bleak, albeit reductive, theory of global politics that I’m working from right now.</p><p>The key driver is climate change. We’re living in a world that will have fewer livable places and fewer resources. This will happen quickly.</p><p>Rather than co-operate to slow climate change and distribute resources intelligently to preserve life and ecosystems, there are a set of powerful people who see this as an opportunity to consolidate their power and influence.</p><p>Around those people are a set of other, relatively powerful people, who are either on board with consolidation or can be manipulated into supporting it.</p><p>Consolidation means acquiring land and resources. It also means manipulating people into believing that only some humans are worthy of having access to them. The others can be sacrificed or put to work. Hence, we get more war (land and resource acquisition), more nationalism / fascism (dehumanization of everyone but a defined in-group), and less democracy (disenfranchisement for all but a few groups).</p><p>The people who are most resistant to consolidation and manipulation are the young people who will have to live through the fallout from it. They are more likely to protest and organize for an inclusive, co-operative world.</p><p>The people who are most liable to go along with it are the people who always were on the side of dehumanization, those who want to take the opportunity to preserve a better life for themselves at the expense of others, and people who are not paying attention. They are not necessarily equally morally culpable, but they are participants nonetheless.</p><p>Those of us who are in opposition need to support the young people. 
We need to give them platforms, put our full support behind them, and more than anything else, listen to them, take their lead, and do what the activists and leaders among them ask us to do.</p><p>It’s not theoretical and it’s not purely in the land of the ideological. People will die at the hands of fascism, war, and climate change itself. Peace is worth struggling for. An inclusive world is worth putting ourselves on the line for. We need to be watchful for the power dynamics that seek to strip agency, power, resources, and importance from out-groups and consolidate them into a tiny few. It will become genuinely life or death.</p><p>Thank you for your attention to this matter.</p>Gadget Review: Epomaker Split 70 Mechanical Keyboard ★★★★⯪ - Terence Eden’s Bloghttps://shkspr.mobi/blog/?p=675702026-02-17T12:34:09.000Z<p>The good folks at Epomaker know that I love an ergonomic keyboard, so they've sent me their new "Split 70" model to review.</p>
<p>This isn't your traditional ergonomic keyboard. Essentially, this is two separate halves joined by a USB-C cable; so you can position it however you like.</p>
<img src="https://shkspr.mobi/blog/wp-content/uploads/2026/02/split70.webp" alt="A keyboard split in two." width="1024" height="388" class="aligncenter size-full wp-image-67791"/>
<p>Here's a quick video showing it in action:</p>
<p></p><div style="width: 620px;" class="wp-video"><video class="wp-video-shortcode" id="video-67570-2" width="620" height="349" preload="metadata" controls="controls"><source type="video/mp4" src="https://shkspr.mobi/blog/wp-content/uploads/2026/02/split-new.mp4?_=2"/><a href="https://shkspr.mobi/blog/wp-content/uploads/2026/02/split-new.mp4">https://shkspr.mobi/blog/wp-content/uploads/2026/02/split-new.mp4</a></video></div><p></p>
<p>It is <em>very</em> clicky! Yes, you can replace the keys and switches with something softer. But then people wouldn't know you're the sort of nerd who uses a mechanical keyboard. And where's the fun in that?!</p>
<p>Similarly, the lights are delightfully dazzly. Yes, you can make them more subtle or even turn them off. But then people wouldn't know you're the sort of cool kid who has a light-up keyboard.</p>
<h2 id="linux-compatibility"><a href="https://shkspr.mobi/blog/2026/02/gadget-review-epomaker-split-70-mechanical-keyboard/#linux-compatibility">Linux Compatibility</a></h2>
<p>The Split 70 comes with a USB-C to A cable. Personally, I'd've preferred straight C-C, but this does the job. Flick the switch at the back to USB mode, plug it in, and Linux instantly detected it. No drivers to configure.</p>
<p>It shows up as <code>342d:e491 HS Epomaker Split 70</code> - there's another switch for changing between Mac and PC mode. That doesn't change how the keyboard presents itself; just the keycodes it sends.</p>
<p>There's also a Bluetooth option. Again, Linux use was a breeze - although you'll have to remember what the pairing combo is and which device it is paired to.</p>
<p>There's also a 2.4GHz option. Hidden on the back of the left unit is a little USB-A receiver. Again, pairing is simple - just plug it in and flick the switch.</p>
<p>As expected, it also plays well with Android. The Bluetooth connection worked as did USB-OTG. Of course, quite <em>why</em> you'd want a giant heavy keyboard paired to your tiny phone is an exercise left to the reader.</p>
<h2 id="customisation"><a href="https://shkspr.mobi/blog/2026/02/gadget-review-epomaker-split-70-mechanical-keyboard/#customisation">Customisation</a></h2>
<p>This came as a US keyboard with the " and @ in the "wrong" place. It's easy to remap the keys and adjust the lights using <a href="https://usevia.app/">https://usevia.app/</a> - although you'll need to <a href="https://epomaker.com/blogs/via-json/epomaker-split70-json">download the JSON layout first</a>.</p>
<p>It comes with a tool to remove the keys and switches. I'll admit, I'm too much of a chicken to attempt that - but it does <em>look</em> easy.</p>
<p>What <em>doesn't</em> look easy is the way to get it into firmware update mode - which involves shorting some pins and comes with some stringent warnings!</p>
<img src="https://shkspr.mobi/blog/wp-content/uploads/2026/02/firmware.webp" alt="HOW TO ENTER DFU (FIRMWARE UPDATE) MODE Left Half (with knob): 1. Disconnect all cables from the keyboard. 2. Hold ESC and plug in USB-C. 3. &quot;Device Connected&quot; shows on the QMK Toolbox Right Half (with arrow keys): 1. Disconnect all cables from the keyboard. 2. Remove ALT and FN Keycaps and Flip the toggle switch between them down. 3. Remove Right Spacebar keycap and switch, short-circuit PCB holes with tweezers, then plug in USB-C. 4. &quot;Device Connected&quot; shows on the QMK Toolbox 5. After flashing, flip ALT/FN toggle back up. @ Please reset the keyboard after flashing is completed. *Notes: 1. When updating or flashing the keyboard, MAKE SURE ONLY ONE KEYBOARD IS CONNECTED TO THE DEVICE! 2. When updating or flashing the keyboard, DON'T MOVE THE KEYBOARD or PRESS ANY KEYS!" width="1066" height="1183" class="aligncenter size-full wp-image-67792"/>
<h2 id="gpl"><a href="https://shkspr.mobi/blog/2026/02/gadget-review-epomaker-split-70-mechanical-keyboard/#gpl">GPL</a></h2>
<p>There is some question about whether Epomaker comply with the GPL when it comes to the <a href="https://docs.qmk.fm/license_violations">QMK source</a>. They appear to have <a href="https://github.com/Epomaker?tab=repositories">some source code available</a> but it is hard to tell whether it exists for this specific model.</p>
<p>After I politely emailed them about GPL compliance, they were happy to supply <a href="https://shkspr.mobi/blog/wp-content/uploads/2026/02/Epomaker-Split70-QMK-File.zip">a link to the Split 70's QMK source code</a>. I'm not deep into recompiling the firmware for my keyboards - but it looked comprehensive to me.</p>
<h2 id="using-it"><a href="https://shkspr.mobi/blog/2026/02/gadget-review-epomaker-split-70-mechanical-keyboard/#using-it">Using it</a></h2>
<p>It's delightful to type on - and I got used to the noise after a while. I wasn't a massive fan of the layout to start with, but it is easy to see its appeal. Personally, I'd like an extra numpad to go with it.</p>
<p>The four macro keys are useful. By default, they're set to cut, copy, paste, and undo - but can easily be remapped. The knob is fun - by default it does volume; I'm sure you can find something else useful to do with it.</p>
<p>Battery life is excellent even if you have the lights on full disco. I kept it plugged in to my machine for typing most of the time.</p>
<p>Being able to adjust the split to your own specification is outstanding. If you suffer from RSI, this can genuinely help.</p>
<h2 id="price"><a href="https://shkspr.mobi/blog/2026/02/gadget-review-epomaker-split-70-mechanical-keyboard/#price">Price</a></h2>
<p>About £80 from <a href="https://amzn.to/3NMYqDr">Amazon UK</a> or <a href="https://s.click.aliexpress.com/e/_c3gTT3r9">AliExpress</a>. That feels <em>reasonable</em> for this much tech. Obviously you can get a bog-standard keyboard for buttons - but this is unique, tactile, and interesting.</p>