Shellsharks Blogroll - BlogFlock

Tiamat's Wrath (The Expanse #8) - Joel's Log Files

2026-06-24T15:00:00.000Z

The eight book of The Expanse by James S.A. Corey. Spoilers ahead.

I’ve recently realized that I kind of spend too much time summarizing things without spoilers, but I’ll just share the summary from the website and then share my thoughts about stuff, I guess? By now, eight books later, you are not, or you should not, be reading this review unless you are already with me, or you read the book and want my thoughts, so yeah, whatever.

Tiamat’s Wrath finds the crew of the Rocinante fighting an underground war against a nearly invulnerable authoritarian empire, with James Holden a prisoner of the enemy.

Thirteen hundred gates have opened to solar systems around the galaxy. But as humanity builds its interstellar empire in the alien ruins, the mysteries and threats grow deeper.

In the dead systems where gates lead to stranger things than alien planets, Elvi Okoye begins a desperate search to discover the nature of a genocide that happened before the first human beings existed, and to find weapons to fight a war against forces at the edge of the imaginable. But the price of that knowledge may be higher than she can pay.

At the heart of the empire, Teresa Duarte prepares to take on the burden of her father’s godlike ambition, but Teresa has a mind of her own and secrets even her father the emperor doesn’t guess.

And throughout the wide human empire, the scattered crew of the Rocinante fights a brave rear-guard action against Duarte’s authoritarian regime. Memory of the old order falls away, and a future under Laconia’s eternal rule—and with it, a battle that humanity can only lose—seems more and more certain. Because against the terrors that lie between worlds, courage and ambition will not be enough. . .

The second book of the third trilogy was quite the read. There are a lot of things happening that I didn’t see coming, like at all.

Every character here is once again, separated from each other for half the book. This was an incredible choice, as well as the addition of Teresa, who gives us a look into how the Empire really works and how things develop from there. As young as she may be, the responsibilities on her shoulders are quite the burden, and it’s interesting how everything pans out through her choices.

This book barely features Holden’s perspective, as he’s trapped and unable to do a lot. Most of the time he’s just reacting to the choices of everyone else, completely oblivious, although he does make a play, and the way things go from there turn out to be extremely important for his survival.

Elvi is pretty important given her position as a scientist, it was nice to see her and Fayez again, I must admit. Her passion for science continues to be infectious, and through her chapters we will see the aliens at play once more. The cosmical events in this book were something I didn’t see coming at all. The alien artifacts and technology, the measures taken by the Laconian Empire to try and harness such power, and her involvement on a huge plot twist made her chapters truly remarkable to me!

Naomi continues to be an incredibly cool individual, and now her role is more important than ever as part of the Rebellion against the Empire. She really will be travelling all over the place avoiding the enemy, by herself. Dealing with all this without Holden gives way to some emotional moments too.

Bobbie will actually clash with Naomi as another leader, in a friendly enough way. As the captain of the one ship that could actually deal any damage to the Empire, her role will be quite vital on this story, aided by Alex.

Alas, Amos goes missing—said very early on the story—Alex is still a loyal, but tired pilot, and many other things happen.

The writing was as good as ever, the plot twists really got to me. It really felt kind of dark and hopeless and a bit sad at times, with a lot of writing decisions I didn’t see coming, including some unexpected losses or changes to the characters. Beware!

As much as I liked the writing, I think the story got a bit weird at times, like they setup a lot of stuff and powered up the bad guys on the previous book, and ended up backtracking quite a bit here. It makes sense within the story and it’s all justified, but a lot of things felt a little shoved aside to make things much more plausible. Still, I give it a pass.

With how things have gone, I am really looking forward to the finale, there’s still so much that needs to wrap up…

Good stuff.

Date	Pages	Time	%
2026-05-12	67	1:00:00	5.2
2026-05-14	50	0:35:21	9.1
2026-05-15	71	1:13:09	14.61
2026-05-17	18	0:20:07	16.01
2026-05-18	65	0:56:00	21.06
2026-05-19	60	0:57:53	25.72
2026-05-20	35	0:31:33	28.44
2026-05-21	74	1:01:49	34.19
2026-05-22	118	1:48:57	43.35
2026-05-23	26	0:25:34	45.37
2026-05-24	73	1:07:21	51.04
2026-05-25	98	1:35:15	58.65
2026-05-26	31	0:26:00	61.06
2026-05-27	92	1:20:09	68.2
2026-05-28	50	0:44:46	72.08
2026-05-31	44	0:36:23	75.5
2026-06-07	47	0:45:47	79.15
2026-06-08	83	1:34:08	85.59
2026-06-09	186	2:26:14	100
Total	1288	19:26:26	100

This is day 84 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse

Journalism is rearranging the deckchairs. It needs to reinvent itself. - Werd I/O

2026-06-24T13:34:06.000Z

Link: Journalism's Logical Fallacy, by Shirish Kulkarni

Journalism is in crisis, and it’s really easy (and lazy) to say that making a technology or process tweak will fix it: we just need to use AI to fill capacity gaps, or build stronger comments into our site, or we need a better business or distribution model.

None of those things address the underlying question of why we need journalism, why it’s important, and what it should be. By addressing innovation at the edges, newsrooms are avoiding the hard, existential work of revisiting their core value to begin with. But it’s only by understanding that core value that they will actually reset their relationships with audiences, build greater trust and loyalty, and pull themselves out of the rut they find themselves in.

Shirish Kulkarni’s findings from listening projects in Wales — with multiple dramatically different demographics — contradict a lot of the narratives newsrooms have been telling themselves. For example:

“The second finding challenges one of the journalism industry’s most comfortable premises: that audiences – particularly marginalised communities – are news-illiterate and need to be educated. The opposite is true. In fact, the communities we work with are forensically sharp about media – often more so than the industry insiders who talk about them.”

This mirrors something you often hear from mission-driven tech projects: “we just need to educate the user”. Usually the opposite is true: you need to educate yourself about the user and give them the thing they actually need. And in the case of journalism, at least as a finding of this research, the need turns out to be pretty simple:

“They want help making good decisions. For themselves, their families, their communities. Not drama, not outrage, not the next breaking story. Practical, trustworthy, usable information that helps them navigate their lives.”

It’s important, once again, to separate the work of news — breaking headlines, emergent facts — from journalism’s work to provide context and meaning. The first is a commodity; the second is both inherently community-driven and has always been more valuable.

Here I want to bang an old drum: newsrooms like to talk about audience strategies, not community strategies. It’s a meaningful difference that Shirish highlights well. The first implies an ivory tower broadcast approach: “we just need to reach people”. The second is an active relationship between a newsroom and the people it serves; a two-way conversation that requires trust and understanding on both sides.

The internet has always been a conversation. We’ve had the ability to build relationship-centric news organizations for 30 years, but most remain stubbornly set in a print mindset. This kind of research makes it clear how important that shift is, but, like Shirish, I don’t believe most existing newsrooms will evolve to actually meet this need. They can’t: the immediate commercial pressure is severe, and changing the model requires changing highly-ingrained cultural norms and assumptions that have been inherited from print. And in the midst of that panic, they’re jumping into bed with companies (AI vendors, proprietary social media platforms) that intermediate their relationships with their communities in exchange for some short-term wins.

So their outlook is not rosy. Instead, I think we’ll see new newsrooms emerge that reinvent what journalism is, are unafraid to build real, lasting, two-way relationships with the people they’re trying to serve, and eat everybody else’s lunch.

Auth0 PHP - manually authenticating JWT idTokens - Terence Eden’s Blog

2026-06-24T11:34:25.000Z

I find it baffling just how poorly documented most big projects are. Auth0 by Okta has a fair bit of cash, lots of customers, and almost completely absent documentation.

Here's how to successfully authenticate a JWT supplied by Auth0.

Once your user has authenticated with Auth0, they will be given an accessToken and an idToken. Only the idToken is needed for our purposes.

It will look something like this:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiYzEyMyJ9.eyJnaXZlbl9uYW1lIjoiSm8iLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJuaWNrbmFtZSI6IkpvVGVzdCIsIm5hbWUiOiJKbyBMZSBUZXN0IiwicGljdHVyZSI6Imh0dHBzOi8vZXhhbXBsZS5jb20vam8ucG5nIiwidXBkYXRlZF9hdCI6IjIwMjYtMDQtMjhUMTM6NTk6NTUuNjcxWiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJpc3MiOiJodHRwczovL2V4YW1wbGUuZXUuYXV0aDAuY29tLyIsImF1ZCI6ImFiYzEyMyIsInN1YiI6ImZhY2Vib29rfDEyMzQ1NiIsImlhdCI6MTc3NzM4NDc5NiwiZXhwIjoxNzc3NDIwNzk2LCJzaWQiOiJhYmMxMjMtNDU2LWRlZmdoaWprIiwibm9uY2UiOiIxMjM0NTY3ODkwIn0.ZgnZxOOtfczLewlm_agK6mJMYetVTZrHlBlu5qzXbADlhvZB8RraVuFKmFutLZLibMQxz_RY0oh4hRufVWDHJ0kuocW38kRHztDg7R5KOfvJEM46WW49xvhLhKprzkx9WXDDlpCRNL0QbBK2U0F1VjmRpTp1Q5cHEd8PBsa4rGAhfqudXp5JrC2Lm5e7ji0AQ_s7HJhy59b9mTb3tMqHGsrWDZS915zHPYEQtSvg5o9sSx1tCRfsyL6kdsdkaTffQjJDUrT5hpIQ-2_9tGuqioJjP4c0edQ85TaK9UnSxfzMQ8gYez963kbo_Iv1fJyaTVwXR-AVvwK-CeGJAFrheQ

Yeuch! If you stick it into JWT.io you'll see that it is Base64 encoded JSON containing a header, body, and signature. Each part is separated by a . character.

You could manually decode it, but that's a bit of a pain in the arse. So here's how to do it with the Auth0 PHP library. I'm using the Symfony one, but it should all be fairly similar.

First, import the library:

use Auth0\SDK\Auth0;

Next, you'll need to send the token to the PHP. You can do this in a header, GET, or similar:

$authHeader = $request->headers->get("Auth0-Authorization");

Then, set up Auth0 so that it can parse and validate the token:

try {
    $token = $authHeader;
    $auth0 = new Auth0([
        "domain"       => $_ENV["AUTH0_DOMAIN"],
        "clientId"     => $_ENV["AUTH0_CLIENT_ID"],
        "clientSecret" => $_ENV["AUTH0_CLIENT_SECRET"],
        "cookieSecret" => "_"   //  Dummy value.
    ]);

    $decoded = $auth0->decode(
        token: $token,
        tokenType: \Auth0\SDK\Token::TYPE_ID_TOKEN,
    );
} catch (\Exception $e) {
    error_log("Auth0 Error - {$e}");
}

The cookieSecret must be set - even though you aren't using cookies. Any non-null value is fine.

The tokenType must also be set correctly.

Assuming you all goes well, you will have a decoded object which has validated against Auth0. So how do you get the user's details from it?

Well, you could split the original idToken at the period character and Base64 decode the middle one. Try it now to see what it contains! Or print_r() the decoded token to see it in all its cryptographic glory.

The easiest way is to do:

$claims = $decoded->toArray();

Then you can access various properties by doing:

$username   = $claims["nickname"];
$identifier = $claims["sub"];

Perhaps there is a more official way - but I couldn't find anything in the documentation. Hurrah for reading source code!

Thinking out loud about project management - Johnny.Decimal

2026-06-24T00:40:26.000Z

This is a working draft for figuring out the end of our Task and Project Management course.

I've been thinking a lot about project management for the last 6 months and I'm thinking out loud here, nothing is set in stone. However, me and Lucy are using the concepts mentioned and it's working really well in our business.

Overall, there's nothing radically new in terms of project management principles. But how can these principles work alongside a Johnny.Decimal system to help us complete very-small or very-big projects successfully?

This is a rough-sketch, draft-rehearsal for the final project management modules in the course. We weren't going to publish it, but what the hey, maybe it will help someone or generate practical feedback.

Throwing my Roku in the trash - Posts feed

2026-06-23T22:57:00.000Z

I work from a big corner desk and part of the space on that desk is taken up by a small TV positioned in the corner. I use it occasionally and, for the longest time, it's had a Roku stick attached to it. It's reliable, but the UI has been filled with more and more cruft when all I ever want to do is launch Jellyfin.¹

This was the lone Roku device on our home network, it was mostly idle and the top two domains blocked by NextDNS were a pair of Roku tracking subdomains. Roku is also being acquired by an odious media company. I'm invested to the tune of, maybe, $29.99. I bought a cheap device and got a progressively crappy experience. It's not a whole ecosystem, it's not inescapable, but it's all irritating.

I looked at onn streaming devices² but ended up buying a cheap Xiaomi TV box running Google TV. Out of the frying pan and into the fire, sort of. The key differentiator here is that Google TV means Android, Android means I can install and meaningfully change things.

I plugged the thing in, added Xiaomi to my native tracking denylist in nextDNS, set up a throwaway Google account and configured things:

Unlock developer options: navigate to Settings -> System -> About -> scroll to "Android TV OS build" and click it until it says "You are now a developer.
Enable Android Debug Bridge: Settings -> System -> Developer options -> turn on USB debugging (conveniently this also enables network ADB).
Install ADB: brew install android-platform-tools.
Connected to the streaming box: adb connect <box-ip>:5555. The TV'll prompt you to allow USB debugging and you can opt to always allow from this computer.

From here, things are wide open. I grabbed the F-Droid APK from their site and installed it (adb install F-Droid.apk) and installed SmartTube as well. Google TV's home screen is about as noisy as Roku's (it also includes ads) but you can get around that by using a custom launcher. I went with Projectivy. When installed it'll prompt you for access necessary to override the default launcher and you can configure it to be far, far more minimal than the defaults for either of these platforms.

The last change I made was to install Button Mapper. It'll prompt you for permissions much like Projectivy does and let you remap all of the (often useless) streaming app specific buttons on your remote. Netflix now opens Jellyfin, Prime opens Apple TV and YouTube opens SmartTube (naturally).

It's a reasonable amount of configuration but now, when I do use this particular TV, it's not at all grating.³ There are no ads, no unnecessary apps, no irritating screensavers. It plays what I want, without issue.

Pressing the home button conveniently scrolls you up to rows of Roku-provided junk, rather than the top row of apps you have installed. ↩
Apparently these are made by Walmart? Are they any less terrible than Fox? ↩
We'll see how Xiaomi does in the NextDNS tracker blocker rankings. ↩

Signs you're a dangerous terrorist: using Signal, moving zines - Werd I/O

2026-06-23T18:16:37.000Z

Link: Texas anti-ICE protesters convicted of terrorism charges sentenced to at least 50 years in prison, by Sam Levine in The Guardian

This is an outrageous litmus test for the freedom to protest in America:

“A group of Texas protesters convicted of terrorism charges received unusually harsh sentences of at least 50 years in prison on Tuesday in a closely watched case that was widely seen as a test case of the Trump administration’s efforts to crack down on dissent.”

Let’s be clear: a few of the protesters were out of bounds. One fired an AR-15 at the police, which goes beyond legitimate protest into inciting violence (and maybe even deliberate provocation). I would never condone that kind of activity.

But these sentences far outstrip anything that’s been given to anyone on the right wing: the leader of the Proud Boys, as this article notes, was sentenced to 22 years in prison. One protester wasn’t even present, but was sentenced to 30 years for moving some zines:

“The ninth defendant, Daniel Sanchez-Estrada was not at the protest, but was convicted of corruptly concealing a document or record after prosecutors said he moved leftwing zines and other materials at the request of Rueda, his wife, after she was arrested. Sanchez-Estrada was sentenced to 30 years in prison on Tuesday.”

Many of the protesters had guns and were part of a gun club. They all possessed them legally. I personally wish there was not a right to bear arms and think that their ubiquitous presence in America makes everyone less safe, but the right to own them is enshrined in the Second Amendment. Instead, other “evidence” was used to infer that they planned violence, including this specific argument that should give everyone pause:

“[…] including their decision to communicate and auto-delete messages on Signal, an encrypted messaging platform widely used among activists, journalists and other citizens wary of government surveillance.”

Collectively, the justice department argued that these convictions are proof that anti-fascists are terrorists, which should also give us pause. The precedent here is obviously very dangerous for freedom of speech, freedom of assembly, and democracy in America.

Father's Day and gifts for myself - W25 - Joel's Log Files

2026-06-23T17:10:00.000Z

This week was wild, one of the most hectic days at work, watching the World Cup at church, getting some late birthday presents for myself, taking pictures, maybe a date? I don’t know what’s going onnn.

Alas, here’s some notes on it all, from June 16 to 22, 2026. Let’s go!

👔 Happy Father’s day to the people fulfilling that role in the family. We had a fun time at church, every non-dad prepared some food to eat together at the end, which is always nice to have. There was also a fun photo shoot section where I took pics with dad and the family, things were cool.
✝️ An unexpected loss in a close friend’s family turned some things upside down. There have been way too many deaths this year. We went to the funeral early and mourned with them. The family appreciated the support. We share the same faith and the same hope. John 11:25-27.
🧑‍💻 We had this project at work that was incredibly time-consuming and required a bunch of people doing things, and it’s finally over. Everything was a chore but it only lasted half a day and it’s finally implemented in production. All good, all is good now.
⚽ My church streamed the Mexic vs South Korea game on the projector screen and we were all together watching the game. Mexico wins and is on the first position of the group! Super cool stuff.
🎶 I acquired some music from Bandcamp! The soundtracks for Faster Than Light and the original Zelda & Chill album.
⌚ Got a new member for my watch collection. For my birthday, I purchased a Casio AQ-S820W. A solar powered watch which has a pretty similar size to the G-Shock GA-2100—also known as the CasiOak. It has managed to replace my trusty Casio Royale for the whole week, which is quite nice. Loving it so far.
I have kinda been looking at more watches because of this and tempted by a few. I actually ordered a Casio MQ-24—the classic, cheapest analog they have—and well, I got a fake, not the first time this happens, but I just got a refund!
🕹️ Another interest of mine is being piqued… I plan to get a Nintendo 3DS soon, maybe a N3DS XL, maybe a 2DS XL, I am still pondering on it all. I’ll keep you updated though!
📷 I spent way too much time trying to make a nice knolling of my EDC gear. Yes, I am working on an updated post for that, I just haven’t written a single word because I’m too busy getting the thumbnail done.
📸 I also photographed my watch collection, because I think I’ll write a page to showcase them soon. Some day.
💻 I’m thinking about resurrecting my Raspberry Pi 4. I had done a lot of things with it back in the day, and I got a lot of ideas asking on the fediverse, but I would like recommendations for a proper case for it, a way to get it to safely shutdown during a power loss too—lots of rain where I live cause this often.
🍿 Remember the girl I kind of invited to watch movies but she couldn’t that day? I tried again, and plans were made, I wonder how it’ll go.

Gaming

I’ve been pretty much focusing on one game at a time lately, I think the Summer Game Challenge has me in a completionist mood.

Transistor - This game has been even more awesome this week. The mechanics are really strong, the semi-turn-based combat caught my fancy. There’s this sandbox area that is full of tests and it’s great, because I’ve learned a bunch of things at a pace that the combat during the main game doesn’t quite allow. There are challenges focused on certain aspects of the gameplay, so you have to get good at it to go through, which is really satisfying. The story itself has been really interesting as well, although there is still a lot of unknowns. I just fought a giant beast that haunted me for a whole bunch of the game until I reached the top of some tower, it was pretty epic.
Slice & Dice - I played this for an hour or so total this week. It still has a challenge but I’ve been distracted by other things while on my phone.
Super Smash Bros Ultimate - Just a quick match with friends, nothing too serious this time around.

Reading

Leviathan Falls - Up to chapter 3. The final chapter of the grand saga of The Expanse, by James S.A. Corey. As much as I know that Sotolf is no fan of the ending—please do not wreak havoc in the comments if you read this—I am still very excited about the way everything will play out!
Shikimori’s Not Just Cute - Up to chapter 140. Things have gotten a bit serious. The friend group has gotten into the last year of high school lately, and the future is full of possibilities. I know the manga will end in 40 or so chapters, so I am curious to see how things wrap up.
Spy X Family - Up to chapter 136. This grandiose mini-arc where Loid is invited to a party full of enemies was incredibly fun! It is over now and I am looking forward to more ridiculous misadventures.

Watching

I am finally done watching all of the Max Steel movies, post incoming!

Max Steel vs The Mutant Menace - Here we see Cytro back—the best robot friend ever!—now on the good side, and he is awesome from here on. We will face against Max Steel’s ultimate foe, Toxon, N-Tek’s best agent, fallen from grace after a radioactive explosion. As this villain awakens, he plans to contaminate all of the planet with poison, radiation and waste. This villain is so powerful, Max will need to upgrade once again (last time was on Max Steel: Countdown) to be able to face him. Epic movie, way too short.
Max Steel vs The Toxic Legion - This was the most epic thing known to me back then. Toxon leads once more, together with Extroyer and Elementor. Every villain teaming up against Max Steel, looking to create a giant toxic storm that will end life as known on Earth. The challenge is up! There’s a redemption arc, and a new villain as a result from this.
Max Steel: Makino’s Revenge - After Max stops the toxic storm, some residual waste mutated Mike (I forgot the last name) into Makino. He was an influencer and independent journalist, and will use those skills and his power to control machines and computers to difame and expose Max Steel’s work as an agent. The spin on how social media and news affect the way people see things was very interesting for the time. The villain is very cartoon-ish though unfortunately.
Max Steel: Monstrous Alliance - Another team-up where Toxon, Makino and Elementor work together to take on Max, and N-Tek’s most powerful base, a floating ship in the sky that would protect the innocent and end conflict (think Captain America’s The Winder Soldier). Of course, with Makino’s control of technology, Toxon plans to use this ship to deploy… you guessed it, toxins, all over the world. Max Steel will have to step up one last time to finally put an end to them.
Terminator: Salvation - Decided to watch this one on a whim. I actually quite enjoy this Terminator movie, it tries a bit of a different take on the usual formula, and it works out in my opinion. A lot of weird choices like the romance subplot and the exagerated screams from the protagonist looking in the style of Revenge of the Sith, but cool action and sequences nonetheless.

Around the web

Blogposts

I don’t like prompts - Interesting take by Tracy on writing prompts, I haven’t participated a lot on the Indieweb Carnival and similar, but I do enjoy writing challenges, quizzes or question challenges—except the AI one, I feel icky answering that one.
I Miss Streaming Music - In a way I miss how useful algorithms can be for discovery. At the same time, I kind of like asking people for recommendations more often and get out of the comfort zone.
Doomscrolling for a Game - The paradox of choice attacks once again. It’s weird because lately I’ve been on a “one game at a time” mood and it has actually worked for me, but things change.
Roadside Assistance - Love these musings that are about seemingly vain things. This one’s features wildlife, and it’s very cute!

YouTube

Improve the Casio F91 Backlight for Free - This little mod is actually pretty interesting. I might give it a go and report back, but no promises.
I Played as San Marino until I WON the WORLD CUP - Just some entertaining gameplay from a FIFA game I never played. I think I’m just nostalgic for the 2010 World Cup days.
Casio is ALL YOU NEED: The Perfect 3 Watch Collection - I have more than three watches so, and it’s impossible not to need more once you start buying…
I Tried 3D Printing for the First Time - Oh no, TechDweeb was infected by the 3D printing virus, am I in danger?

This is day 83 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse

📝 2026-06-23 12:58: Create one of those Uses pages. Still a work in progress, but there's a good... - Kev Quirk

2026-06-23T11:58:00.000Z

Create one of those Uses pages. Still a work in progress, but there's a good chunk of the stuff I use on there now.

https://kevquirk.com/uses

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Wonders of Web Weaving, Episode 7 - James' Coffee Blog

2026-06-23T00:00:00.000Z

The seventh episode of Wonders of Web Weaving is out:

In Episode 7, I chat with Ana, the author of ohhelloana.blog. We talk about, among other things, the growth we see in our websites over time, finding an in-person indie web community, and connecting with people using personal websites.

I hope you enjoy the episode!

Wonders of Web Weaving has an RSS feed you can use to follow along from wherever you get your podcasts.

Ana ohhelloana.blog The seventh episode of Wonders of Web Weaving is out Wonders of Web Weaving has an RSS feed

Introducing Patch the Planet - Trail of Bits Blog

2026-06-22T16:50:00.000Z

What happens when you clear dozens of Trail of Bits engineers’ schedules, pair them with every open-source maintainer they can contact, and unleash the latest frontier models like GPT-5.5-Cyber on critical open-source targets? Thanks to <a href="https://openai.com/index/daybreak-securing-the-world/">our partnership with OpenAI</a> and its Daybreak initiative, <a href="https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea9e6e967043cbb">we can report</a> that the impact is hundreds of discovered bugs, 64 pull requests, and 51 issues filed across 19 projects (with many more still undergoing coordinated disclosure). That was just the first week of <a href="https://trailofbits.com/patch-the-planet">Patch the Planet</a>. Frontier models like GPT-5.5-Cyber are producing a firehose of security findings, and already-stretched maintainers must sift through all of it to separate real vulnerabilities from plausible-sounding false positives. Patch the Planet is different: with our experts orchestrating and triaging findings, we handle the work of fixing and hardening the code alongside the people who maintain it. The first week of Patch the Planet covered 19 projects across cryptography, networking, language infrastructure, and software supply chain. Among these 19 projects were cURL, NATS, pyca, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. Over 30 projects have joined the initiative so far, and we’re rapidly expanding it to include more; if you maintain an open-source project, <a href="https://trailofbits.com/patch-the-planet">apply to join</a>! <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-1.gif" alt="“Live look at the Trail of Bits engineering teams”" width="500" height="221" loading="lazy" decoding="async" /> <figcaption>Live look at the Trail of Bits engineering teams</figcaption> </figure> Anyone can file an issue, flex, and walk away. We showed up with the patches: 37 are already merged, and many more are in flight. These merges go beyond just fixing bugs: we’re adding new tests and fuzzing harnesses, CI security scanning, supply-chain tooling, correctness fixes, and features maintainers had been meaning to get to. The goal of Patch the Planet is to leave essential open-source projects measurably better off. <h2 id="we-brought-patches-not-just-bug-reports">We brought patches, not just bug reports</h2> We’re reporting public findings <a href="https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea9e6e967043cbb">on GitHub</a>, including 64 total pull requests. We also filed 51 issues, 19 of which are already closed with a fix. This public tally undercounts the work, since several projects take reports through private channels like HackerOne, GitHub security advisories, mailing lists, and private forks, and most of these have not been released publicly yet. What’s in those pull requests matters more than the count. At python.org, we added a CI workflow built on <a href="https://github.com/zizmorcore/zizmor">zizmor</a>, our open-source GitHub Actions auditor, fixed all of the issues it flagged, and integrated it into their CI. In RustCrypto, we contributed correctness fixes to the big-integer library that higher-level cryptography is built on, alongside genuine feature work in review: serde encoding support and HPKE DHKEM suite IDs. Other patches were plain engineering help: storage-accounting and service-restart fixes in SimpleX, a clearer admin-quarantine confirmation in PyPI’s Warehouse, and supply-chain improvements like SBOM sidecars for Python’s Windows artifacts. We will also be upstreaming many testing improvements and new testing campaigns. Arguably, our best contributions are not even bug or security fixes. Keeping track of all of this is a bot we call Patchy. Patchy monitors every project, posts each new finding and merged patch to our Slack, and, for reasons we consider scientifically sound, reintroduces the common use of <a href="https://openai.com/index/where-the-goblins-came-from/">goblins, gremlins, and assorted creatures</a>. Here’s Patchy’s description of <a href="https://github.com/pyca/cryptography/pull/14933">an issue that has been patched</a>: <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-2_hu_d772e23377508832.webp" alt="“Patchy’s description of an issue that has been patched”" width="1200" height="329" loading="lazy" decoding="async" /> <figcaption>Patchy’s description of an issue that has been patched</figcaption> </figure> When a patch lands, Patchy celebrates with a triumphant <code>PATCHY HAPPY</code>. Making Patchy happy is really what drives us. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-3_hu_5af72ac2534386fd.webp" alt="“Bug patched, Patchy happy”" width="1200" height="185" loading="lazy" decoding="async" /> <figcaption>Bug patched, Patchy happy</figcaption> </figure> <h2 id="a-few-highlights-from-the-week">A few highlights from the week</h2> The week produced more than we can fit in this post, but here are some quick highlights. A fuzzing lab built in a day. Given a narrow goal (find remotely exploitable bugs) and no instructions on how, GPT-5.5-Cyber decided that reading the source of one of the most-reviewed C libraries in existence was a poor use of tokens. Instead, it stood up a full fuzzing lab in under a day: sanitizer and variant builds, a seed corpus drawn from existing tests, and harnesses across a dozen entry points. Instead of simply fuzzing exposed APIs, it successfully built a harness that injected operating system backpressure to identify novel issues by reaching previously unexplored buggy states. We estimate all of that effort likely would’ve taken one of our fuzzing experts two to three weeks to do manually. Just as important, it showed judgment about what to test, what to report (and not report), and where to find higher-impact findings. We’ll publish the full details in a standalone field report. A pipeline for variant testing historical CVEs built in a day. Codex was also adept at building simple but effective pipelines, such as the CVE variant analysis pipeline shown below. Codex’s <code>/goal</code> feature combined with frontier models like GPT-5.5-Cyber for this type of variant analysis produced novel issues with almost exclusively high-signal output. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-4_hu_a106c2e464121abc.webp" alt="“Pipeline for historical CVE variant analysis”" width="1200" height="617" loading="lazy" decoding="async" /> <figcaption>Pipeline for historical CVE variant analysis</figcaption> </figure> A release-pipeline improvement at python.org. We reported multiple security issues for <a href="http://python.org">python.org</a>, including some issues closing a legacy-API authorization gap. But we’re most proud of the work that produced long-term improvements to python.org’s release infrastructure: the new zizmor CI scanning, tightened release-file and metadata validation, deletion scoping fixed so bulk operations can’t reach beyond their target, and release-tooling patches in review that quote remote command arguments, fail safely on partial uploads, and add SBOM sidecars. The aiohttp maintainers fixed their issues almost immediately. We privately reported a cluster of issues across aiohttp’s client and server paths, including cookies that could regain broader scope after a save and reload, digest credentials that could answer a challenge from the wrong origin, and resource limits that ran after attacker-controlled buffering rather than before. The maintainers authored and merged all eight fixes within hours, seven of them inside a single five-hour window. We were impressed and appreciate the maintainers’ prompt and collaborative work on these issues! Differentially testing major cryptographic libraries against each other. Many of our projects implement the same logic, protocols, and algorithms. In particular, multiple projects implement the same cryptographic algorithms and standards like X.509 certificates. Therefore, we used Codex to point these projects at each other, and identify any relevant behavioral differences. This proved to be a high-signal approach that uncovered several issues, including <a href="https://github.com/pyca/cryptography/pull/14933">this AES-GCM issue in PyCA</a> and several X.509 issues, which we plan to upstream to <a href="https://x509-limbo.com/"><code>x509-limbo</code></a>. <h2 id="finding-the-bugs-is-now-the-easy-part">Finding the bugs is now the easy part</h2> If it wasn’t already clear from the last several months of security news, this week makes one thing clear: the expensive part of security work has moved. Arming Codex with fuzzing campaigns, variant analysis, differential testing, agentic searching, and similar techniques produces real vulnerabilities and compresses weeks or months of manual effort into hours. The advantage is no longer in finding bugs, but everything after: confirming a finding, getting its severity right, writing a patch a maintainer will accept, hardening the surrounding code, making long-term improvements to prevent similar issues in the future, and coordinating a disclosure. That is the work that floods of AI-generated reports threaten to bury. <h2 id="guidance-for-maintainers">Guidance for maintainers</h2> If you’re a maintainer managing an unsustainable number of AI-generated bug reports, the core challenges you need to solve are deduplication, false-positive filtering, and severity correction. Deduplication is the easiest problem to solve technically. Even simple AI-based tools that compare new reports against open issues perform well, especially when grounded in affected code lines. Automating this step eliminates most of the noise. False-positive filtering and severity correction are harder, but they can be managed. Without explicit guidance, models default to rating everything as critical. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-5_hu_1b13148a17364cf7.webp" alt="“Patchy without threat model and severity guidance”" width="1200" height="1019" loading="lazy" decoding="async" /> <figcaption>Patchy without threat model and severity guidance</figcaption> </figure> Generic approaches like our <a href="https://github.com/trailofbits/skills/tree/main/plugins/fp-check">fp-check</a> tool help, but only to a point. The best improvements require project-specific documentation, threat models, and severity criteria. <a href="https://cryptography.io/en/latest/security/">PyCA’s security documentation</a>, for example, was dramatically effective at reducing false positives in our bug candidates. Files like <code>AGENTS.md</code> that explicitly tell models which documentation to consult produced the most consistent and effective results. If security researchers are armed with this documentation, especially <a href="http://AGENTS.md"><code>AGENTS.md</code></a> for AI-based research, more noise will be filtered out before reaching the maintainers. <h2 id="whats-next-and-how-to-get-involved">What’s next and how to get involved</h2> This was just our first week. Over 30 projects have committed to join Patch the Planet, with a growing waitlist. As more findings clear coordinated disclosure, we’ll publish more results and deeper field reports, including full fuzzing lab details, the variant-analysis and differential-testing pipelines, and the tooling we’re building to help maintainers triage AI-generated reports themselves. Our <a href="https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea9e6e967043cbb">Patch the Planet gist</a> contains the full public list of our week one output. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-6.gif" alt="“Join Patch the Planet and spread the word”" width="480" height="207" loading="lazy" decoding="async" /> <figcaption>Join Patch the Planet and spread the word</figcaption> </figure> If you maintain a critical open-source project and want this kind of help, you can <a href="https://trailofbits.com/patch-the-planet">apply to join Patch the Planet</a>.

Cybersecurity for the paranoid business traveller - Terence Eden’s Blog

2026-06-22T11:34:18.000Z

Over the years, I've worked for organisations with various levels of risk tolerance for business travellers. Some have been (rightly) paranoid and others have been (wrongly) placid about the threats their employees face.

The fact is, individuals are often targeted for espionage, blackmail, or other state-sponsored attacks.

Here's a list of some of the different advice I've received, roughly sorted into levels of suitability. Start at the top and work your way down until you reach a suitable level.

USB sticks? No thanks!

At some point, you'll be given a gift of a decorative USB pen drive. It'll either be part of a goodie-bag or you'll be told it has all of this quarter's TPS reports on it.

You should thank them for their kind gift. On your way back to the hotel, drop the stick in a bin.

There's just too much which can go wrong with a USB stick. Maybe it has a virus. Maybe it is an exfiltration device. Maybe it has extreme pornography and the police will catch you with it. Just chuck it. If anyone asks, say you couldn't get it to work and can they please email you the information.

USB Power? Play it safe!

USB powers everything from your phone and laptop, to your headphone and eReader. But USB cables also carry data. Some devices can be silently hacked by plugging them in to a dodgy power port.

Is it likely that the USB socket on the airport bus has been set up to exfiltrate travellers' data? Probably not - but why take the risk?

The best thing you can do is to always charge from your own device. Get a travel charger or, ideally, a portable battery and only use that for charging.

For extra paranoia, you can buy USB condoms and charging-only cables - but they tend to be slower at charging.

Reduce Your App Attack Surface

Do you need all those apps on your phone? Will you cope without your banking apps, dating apps, streaming apps? Each one is a potential vector for abuse.

Is it legal for you to date your preferred romantic partner in your intended destination? You shouldn't have to hide yourself, but having an illegal app on your phone is a great way to get picked up by the police.

Go through your phone and uninstall anything which isn't important to the trip.

A VPN probably draws more attention than it is worth, but browse cautiously

This is slightly counter-intuitive. Every important site on the web uses HTTPS. The really important ones are on a special list which means your browser will only use a secure connection. The chances of your data being intercepted is minimal.

But using a VPN immediately makes your traffic look suspicious and, in some countries, may be illegal.

That said, while the contents of your communications will be private, their destination is easy to figure out. Don't browse pornography or any other site which is liable to get you in trouble. This may include news sites from outside the country.

What passwords do you need?

Hopefully you use a password manager - and hopefully all your passwords are unique. But do you really need to carry around all of them? You password manager almost certainly allows you to create a sub-account into which you can deposit anything you need for your trip.

Similarly, you don't need all your MFA codes with you. If you do need MFA please make sure it isn't coming through SMS.

They're not flirting with you.

Mate, you're a middle-aged sales rep who scored a trip to a conference in an exotic country. Do you really think that pretty young thing is enthralled by your tales of middle-management?

No.

At best, the photos will be used to blackmail you. At worst the police will claim that they're under the age of consent and that will be used to blackmail you.

Laptops and Liability

Your IT team has provided you with a laptop which is encrypted and biometricly secured, right? But do you need that specific laptop?

Grab a cheap laptop. Fill it with only the documents you need. When you get back home, toss it.

I'm quite serious, a £200 Chromebook is a cheap price to pay to prevent your secrets getting stolen or your network being infiltrated.

What Else?

Possibly you think some of these are overkill. Perhaps you think I'm not being paranoid enough. What would you add to the list?

Over/Under Interview - Robb Knight • Posts • Atom Feed

2026-06-22T09:55:58.000Z

Avengers

The movies, overrated with the exception of Infinity War/Endgame which was some of the best movie experiences I've ever had.

The comics, underrated. The stories from the comics is where it's at but it's not a medium that everyone can enjoy. There are so many great Avengers and Avengers-adjacent stories available if you're willing to give it a try. My recommendation is Kelly Thompson's West Coast Avengers run.

Weeknotes

Underrated. I love reading people's weeknotes and I've found it a useful tool to get out random thoughts I've had as well as share fun things I've seen online that week. The pressure to do them every week though, massively overrated. You don't need to do that to yourself, post when you want.

Stickers

Underrated. What a fun item stickers are but you've got to use them. Stick them on anything. Maybe Maique will spot one you stuck somewhere. I love stickers.

BuJo

This is a tough one. Bullet Journal the brand? Overrated. Intentionally or not, one look at the website shows that it exists now to sell courses, books, and other related services.

Bullet Journal the system on the other hand has a lot of good ideas. I don't do all of them, nor do I follow it strictly but the things I did take from the (the bullet system itself, migrating tasks, monthly spreads) have been massively helpful. Slightly underrated if only because the website no longer reflects the system and rather serves as the business side.

Tacos

Underrated. I'm in the UK where we have a troubling lack of mexican-inspired food available but whats not to love? Meat, sauce, taco shell, lettuce, it's got it all.

What are the two best books you couldn't live without and that you recommend?

How to Lie with Statistics. I read this when I was 17 or so and it blew my mind the way you can present data in different ways to elicit different reactions or prove your point. Fair warning this was written in 1954 so some of the language would not be appropriate in 2025, but the ideas are solid.

So You've Been Publicly Shamed. This one serves have a warning both about what one might post online, as well as how wild online mobs can get.

People and Blogs Interview - Robb Knight • Posts • Atom Feed

2026-06-22T09:48:50.000Z

Let's start from the basics: can you introduce yourself?

I'm a developer and dad to two girls living in Portsmouth on the south coast of the UK. By day I work for a SaaS company and in my own time I work on my many side projects. In a previous life I worked at a certain clown's restaurant which is where I met my wife some 15 years ago.

Although developer is what I get paid to do I'm trying to move towards more making; websites, stickers, shirts, art, whatever. I have no idea what that looks like yet or how it's going to pay my bills. I have a whole host of side projects I've worked on over the years; they're not all winners but they all serve, or served, a purpose. If I get lucky, they resonate with other people which is always nice.

What's the story behind your blog?

I've had a lot of blogs over the years, most of which would get a handful of posts before being abandoned. There was a version that ran on Tumblr which I did do for at least a year or two — any interesting posts from that have been saved. The current iteration is by far the longest serving and will be the final version. There's no chance of me wiping it all and starting again.

This current version is part of my main website which is where I put everything. My toots on Mastodon start life as a note post, I post interesting links I find, and I log all the media I watch/play/whatever (I don't want to say consume, that's gross) in Almanac, which itself is on the third or fourth iteration.

As I said above, I had done a few posts on the Tumblr-powered blog but if I look at my stats for posts, it was around 2022 when Twitter started to fall apart that I started to blog more. I was moving away from posting things directly onto social media sites and getting it onto my own site.

I started writing more posts that just had a short idea or helpful tip because I realised not every post has to be some incredible think piece. My analytics show that these posts also tend to be the most popular which probably says more about the state of large, ad-riddled websites than it does about my writing. For example this post about disconnecting Facebook from Spotify is consistently in the top five posts on my site but you're never going to read that post unless you specifically need it. It's not a "good" post, it just exists.

What does your creative process look like when it comes to blogging?

To call what I have a process would be a very liberal use of the word "process". If I have nothing to write about I just won't write anything, I have no desire to keep to a schedule and write just for the sake of it. Usually, I'll get prompted by something someone asks like "How did you do X on your website?" or I feel like I have something to say that would be interesting other people.

I write my posts in Obsidian, then when they're ready to go I'll add them to my site. If I'm on my ~~proper computer~~ laptop I use my CLI tool to add a new post. If I'm on mobile, I use the very haphazard CMS I built.

I'll proof read most things myself before posting and I rarely ask for anyone else's input but if I do want a second opinion it's going to be previous P&B interviewee, Keenan. Usually I'm able to get out what I want to say fairly succinctly without too much editing.

Do you have an ideal creative environment? Also do you believe the physical space influences your creativity?

A proper keyboard and ideally a desk to sit at is what I prefer when I'm writing (or coding) but I can live with just the keyboard. My desk setup makes some people's skin crawl because there's so much going on but I like having all the trinkets and knick knacks around me.

I deeply dislike using my phone for most things outside of scrolling lists, like social media so I rarely write long posts on it. The small form factor just doesn't work for me at all but I also kind of need it to exist in the world.

A question for the techie readers: can you run us through your tech stack?

All my domains are registered with Porkbun and I manage the DNS with DNSControl - my main domain, rknight.me, has nearly 50 records for subdomains so managing those without DNSControl would not be a fun activity. Speaking of DNS I use Bunny for my DNS management and also use their CDN for images and other files I need to host.

The website itself is, as are many of my side projects, built with Eleventy. Eleventy gives me the flexibility to do some interesting things with the posts and other content on my site which would be much harder with some other systems.

The site gets built on Forge to a Hetzner server whenever I push an update to GitHub either via command line, or through the aforementioned CMS, and is also triggered at various points in the day to pull in my Mastodon posts.

Given your experience, if you were to start a blog today, would you do anything differently?

Assuming I actually had to the time to do it, I think I would start with the CMS first, before building anything of the actual site. It is a pain to update things when I'm not at my laptop but jamming features into my CMS is equally frustrating.

If I wanted something off the shelf and easier to maintain I suspect I would choose Ghost or Pika.

Financial question since the Web is obsessed with money: how much does it cost to run your blog? Is it just a cost, or does it generate some revenue? And what's your position on people monetising personal blogs?

Many of these costs are part of my freelancing so are bundled with other sites I run and somewhat hidden but I'll do my best to outline what I do use.

I have a single server on Hetzner that serves my main site as well as another 30 or so side projects so the cost is negligible per-site but it costs about $5 a month. Forge costs $12 a month to deploy my site along with other sites. The domain is $20 a year I think but that's it.

I have a One a Month Club here and I have a handful of people supporting that way. I also use affiliate links for services I use and like which occasionally pays me a little bit.

I think monetising blogs is fine, if it's done in a tasteful way. Dumping Google ads all over your site is terrible for everyone but hand-picked sponsors or referrals is a good way to find new services. Just keep it classy.

Time for some recommendations: any blog you think is worth checking out? And also, who do you think I should be interviewing next?

I want to read sites that are about the person writing them. Photos of things people have done, blog posts about notebooks, wallpaper, food, everything. Things people enjoy.

This is the second time I'm going to mention Keenan here because they write so wonderfully. They also have a podcast with Halsted called Friendship Material which is all kinds of lovely and joyful and everyone should listen.

Alex writes some really interesting computing-related posts, like this one about using static websites as tiny archives.

Annie is so smart and honest in her writing it brings me joy every time I see a new post from her. This post is a masterpiece.

Final question: is there anything you want to share with us?

I'd be a terrible business boy if I didn't at least mention EchoFeed, an RSS cross posting service I run.

I also have a podcast that used to be about tech but is now about snacks.

I Am A Link Curator - The Weblog of fLaMEd

2026-06-22T08:49:05.000Z

What’s going on, Internet? Friend of the site James recently shared a new post Blogger Archetypes which asks a series of questions to help you narrow down your character as a member of the blogging community. A bit of indie web fun.

Here are my results:

You are a Link curator

The web is not just its pages, but the connections between pages. You have internalised this and love spending your time exploring the web and sharing what you find with the world.

You are also a Culture maker

You love to help push the blogging community forward by starting discussions, encouraging thought, and sharing what’s on your mind.

And the other archetypes on offer:

Explorer: To you, the web feels like a library that’s open all hours and has everything you could ever imagine! You love reading others blogs, and know how important readers are to the whole of the indie web community!

Community gardener: You love to help contribute to building the blogging community, either through your writing or how you share the spirit of writing on the web with friends.

Author: You love writing and have a growing backlog of posts on your website! Words are your best friend and you’re always thinking about what to write next.

Link curator feels about right. A lot of what I do here is exactly that. Surfing the web, finding the good stuff, and passing it along. The bookmarks, the links back to other people’s writing (which I need to get back into doing regularly). That’s the fun part for me.

If you’ve got a blog, go and take the quiz and write up what you got. Send it my way, I’d love to to see what you got. 🤙

Hey, thanks for reading this post in your feed reader! Want to chat? Reply by email or add me on XMPP, or send a webmention. Check out the posts archive on the website.

📝 2026-06-22 09:39: The fox continues to prowl around our chickens. This morning we caught it in the... - Kev Quirk

2026-06-22T08:39:00.000Z

The fox continues to prowl around our chickens. This morning we caught it in the GARDEN a few feet from our favourite chicken. Luckily the magpies warned us and we were able to scare it away.

It's not nice keeping the little cluckers cooped up in this heat, but needs must unfortunately.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

No, I don't want you to summarise the page! - Kev Quirk

2026-06-22T08:04:00.000Z

I've talked about LLMs a few times here - the TL;DR is that I find them useful for certain use cases.

Searching something complex? Great.

Checking my code, or helping me with a problem in said code? Count me in.

But summarising a page I'm reading? Absofuckinglutely not.

One of the things I really enjoy about the web is surfing it and reading. Reading is one of the great joys I get from the web, and in general. Why would I want a bastardised version of your words presented to me by a computer when I can read the actual words you took time to write?

LLMs have their place and are useful tools in my opinion, but I'm getting sick of them being crammed into every facet of computing.

Hopefully the bubble will burst soon and we can all enjoy an LLM enriched web, not an LLM hijacked web.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Registration review: Taiwan - Johnny.Decimal

2026-06-22T06:53:29.000Z

Vehicle registration plates provide a ubiquitous numbering scheme that's easy to enjoy: just walk around the streets and pay attention. Each country offers its own variant of the form, so in this series I will review each country's registration plates as I encounter them.

These reviews are not scientific and should not be quoted as authoritative.

Introduction

Taiwan's scheme was refreshed in 2012. This review only considers the post-refresh scheme. Older plates are still very common.

Schema

A simple, consistent scheme: AAA-0000. The usual suspects are omitted from the letter prefix – O, I – but Q remains, as we'll see below.

Absurdly, the number 4 is no longer used. I thought this was user preference, as I did see one in the wild. But it seems that the user preference was so strong, they elected to remove it. The plate I saw must have been from an older range.

This broad omission of 4 is common across Asia – it sounds like the word 'death' – as is the equally absurd omission of the West's superstition, 13.¹ (Combined with the fact that the ground floor is represented as 1 means that a room on the 14th floor isn't quite as high as one might hope.)

The scheme allows a theoretical maximum of 24^3 × 9^4 = 90,699,264 plates. Given Taiwan's population of 23.5m people this is a touch under 4 cars each. This doesn't feel like enough, but the most recent plate I saw began CCD indicating that about 10% of plates have been issued in 14 years. So we don't need to worry about them running out.

Special cases

There are special cases for electric vehicles E__-____, rentals R__-____, and so on. I appreciate this additional information being encoded in the plate.

They've also removed a whole bunch of three-letter words from the pool so bad luck if you wanted GAY-0000. Inexplicably, ANT is disallowed. Because that's … an ant?

Issue date

The scheme encodes issue date gracefully: it's pretty obvious by looking at cars that they started at AAA and they're currently somewhere in the early-to-mid-C__s.

This avoids issues of specifically encoding a year into the plate, as we'll see the next time I visit the UK. It also provides a free street game: find the latest plate!

Region awareness

There appears to be no region encoding in the plate. Taiwan is a relatively small island so this probably isn't necessary, but I do like knowing where someone is from.

Schema: 4/5

Pro: simple, obvious, and consistent.
Con: no regional coding, the 4 thing, and it feels punitive to have excluded ANT.

Design

A simple plate, stamped metal, black on white in its standard form. I prefer an embossing over a cheaper-looking laminate so top marks here.

The typeface is slightly condensed which looks nice on the plate. But I like a plate to fill the space given for it on the vehicle, and a narrow plate rarely does that.

Theoretically that's a - dash separating the letters and numbers, but it's shown as a dot on most (all?) plates. I would have stretched that out a little, at least on cars where there's plenty of room.

Points for a nice `Q`

If you're going to use a Q you really have to make sure it looks like a Q. Taiwan is a clear pass in this category.

Markings at the bottom

Apparently they moved the screw holes exclusively to the top to allow for those markings, barely visible, at the bottom. I wouldn't have bothered.

Design: 3/5

Pro: stamped metal. A nice typeface.
Con: no other adornments. Kinda plain. Doesn't fill the space.

Summary

Overall Taiwan scores 7/10: not bad for our first entrant. It's an inoffensive plate that does the job without trying to get in your face. I just wish that they'd put a touch more into its design.

13 is not excluded from the registration scheme, to be clear. I refer to its common omission from building floor numbers. ↩

Finished reading Book of the Dead - Molly White's activity feed

2026-06-22T00:12:23.000Z

Finished reading:

Kay Scarpetta series, book 15.

Book of the Dead

by Patricia Cornwell.

Published 2007. 511 pages.

Started June 20, 2026; completed June 21, 2026.

Removing prefixes and suffixes in Python - James' Coffee Blog

2026-06-22T00:00:00.000Z

A few weeks ago, I learned about the removeprefix method in Python. It lets you remove a specific prefix from the beginning of a string. For example, I can use the following code to remove www. from the beginning of a domain name:

"www.jamesg.blog".removeprefix("www.")

If the string doesn’t contain the prefix, nothing happens; if the string does contain the prefix, the prefix is removed.

Note: If you are parsing URLs in Python, you should use a library like urllib.parse to extract parts of a URL.

I did some digging and, via a mention of the method in Stack Overflow, I learned that Python 3.9 added support for methods for removing prefixes and suffixes from strings: removeprefix and removesuffix.

When I learned about removeprefix, I felt a little bit of joy. I have been using Python for years and had no idea about this method.

Instead of doing the trick to measure the length of a string I want to remove, and then removing that number of characters from the beginning of a string using indexing if the string startswith the string I want to remove, I now can use a single method: removeprefix (and removesuffix to do the same at the end of a string).

Addendum: lstrip and rstrip

While the lstrip() and rstrip() methods, which remove either whitespace or specified characters from the start or end of a string, may sound like they do the same thing, they remove all instances of the specified characters. For example, if I use this code:

"www.w.jamesg.blog".lstrip("www.")

The code returns:

jamesg.blog

lstrip() has removed all w and . characters that would start the string.

I thought I would document this because for a while I wasn’t aware this was the behaviour of lstrip and strip.

urllib.parse removing prefixes and suffixes from strings a mention of the method in Stack Overflow

📝 2026-06-21 18:42: It's handy when your riding buddy is a photographer. You end up with some nice... - Kev Quirk

2026-06-21T17:42:00.000Z

It's handy when your riding buddy is a photographer. You end up with some nice photos.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Shellsharks Blogroll - BlogFlock

Tiamat's Wrath (The Expanse #8) - Joel's Log Files

Journalism is rearranging the deckchairs. It needs to reinvent itself. - Werd I/O

Auth0 PHP - manually authenticating JWT idTokens - Terence Eden’s Blog

Thinking out loud about project management - Johnny.Decimal

Throwing my Roku in the trash - Posts feed

Signs you're a dangerous terrorist: using Signal, moving zines - Werd I/O

Father's Day and gifts for myself - W25 - Joel's Log Files

Gaming

Reading

Watching

Around the web

Blogposts

YouTube

📝 2026-06-23 12:58: Create one of those Uses pages. Still a work in progress, but there's a good... - Kev Quirk

Wonders of Web Weaving, Episode 7 - James' Coffee Blog

Introducing Patch the Planet - Trail of Bits Blog

Cybersecurity for the paranoid business traveller - Terence Eden’s Blog

Over/Under Interview - Robb Knight • Posts • Atom Feed

People and Blogs Interview - Robb Knight • Posts • Atom Feed

I Am A Link Curator - The Weblog of fLaMEd

📝 2026-06-22 09:39: The fox continues to prowl around our chickens. This morning we caught it in the... - Kev Quirk

No, I don't want you to summarise the page! - Kev Quirk

Registration review: Taiwan - Johnny.Decimal

Introduction

Schema

Special cases

Issue date

Region awareness

Schema: 4/5

Design

Points for a nice Q

Markings at the bottom

Design: 3/5

Summary

Footnotes

Finished reading Book of the Dead - Molly White's activity feed

Removing prefixes and suffixes in Python - James' Coffee Blog

Addendum: lstrip and rstrip

📝 2026-06-21 18:42: It's handy when your riding buddy is a photographer. You end up with some nice... - Kev Quirk

Points for a nice `Q`