Shellsharks Blogroll - BlogFlock

Personal site infrastructure, diagrammed - Posts feed

2026-04-08T01:27:00.000Z

That I even need and have made a diagram of the infrastructure for this site speaks to how over-engineered it is. Yet, while it is ostensibly a personal site, it's a personal site that's replaced many services that I previously used.

Obfuscating My Contact Email - Kev Quirk

2026-04-07T21:41:00.000Z

I stumbled across this great post by Spencer Mortensen yesterday, which tested different email obfuscation techniques against real spambots to see which ones actually work. It's a fascinating read, and I'd recommend checking it out if you're into that sort of thing.

The short version is that spambots scrape your HTML looking for email addresses. If your address is sitting there in plain text, they'll hoover it up. But if you encode each character as a HTML entity, the browser still renders and uses it correctly, while most bots haven't got a clue what they're looking at.

From Spencer's testing, this approach blocks around 95% of harvesters, which is good enough for me.

Where my email appears

On this site, my contact email shows up in two places:

The Reply by email button at the bottom of every post.
My contact page.

Both pull from the site_email value in Pure Blog's config, so I only needed to make a couple of changes.

The reply button

The reply button lives in content/includes/post-meta.php, which is obviously a PHP file. So the fix there was straightforward - I ditched the {{ site_email }} shortcode and used PHP directly to encode the address character by character into HTML entities:

<?php
$_email = load_config()['site_email'] ?? '';
$_encoded = implode('', array_map(fn($c) => '&#x' . dechex(ord($c)) . ';', str_split($_email)));
?>
<a class="button reply-button"
    href="mailto:<?= $_encoded ?>?subject=Reply to: {{ post_title }}">Reply by email
</a>

Each character becomes something like k, which is gibberish to a bot, but perfectly readable to a human using a browser. The {{ post_title }} shortcode still gets replaced normally by Pure Blog after the PHP runs, so the subject line still works as expected.

The contact page

The contact page is a normal page in Pure Blog, so it's Markdown under the hood. This means I can't drop PHP into it. Instead, I used Pure Blog's on_filter_content hook, which runs after shortcodes have already been processed. By that point, {{ site.email }} has been replaced with the plain email address, so all I needed to do was swap it for the encoded version:

<?php

declare(strict_types=1);

function on_filter_content(string $content): string
{
    $config = load_config();
    $email = trim((string) ($config['site_email'] ?? ''));
    if ($email === '') {
        return $content;
    }

    $encoded = implode('', array_map(fn($c) => '&#x' . dechex(ord($c)) . ';', str_split($email)));
    return str_replace($email, $encoded, $content);
}

This goes in config/hooks.php, and now any page content that passes through Pure Blog's filter_content() function will have the email automatically encoded. So if I decide to publish my site_email elsewhere, it should automagically work.

One more layer of protection

As well as the obfuscation, I also set up my email address as a proper alias rather than relying on a catch-all to segregate emails. That way, if spam does somehow get through, I can nuke the alias, create a new one, and update it in Pure Blog's settings page.

Is this overkill? Probably. But it was a fun little rabbit hole, and now I can feel smug about it. 🙃

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

When the President threatens to commit a genocide - Werd I/O

2026-04-07T19:09:44.000Z

Some of you might have missed that the President threatened Iran with genocide.

So to be clear, he said: “A whole civilization will die tonight, never to be brought back again.” Not a regime; a civilization. This is a meaningful threat on the entire population of a nation.

If he follows through, it's a crime against humanity.

If he doesn't follow through, it's a threat of genocide.

This isn't a situation we can both-sides. He's threatened to end an entire nation. There's no "people are entitled to their opinion" here. If you think this is okay, you think threatening to commit genocide is something a President should be able to do.

Some people will describe criticism of this as TDS or some knee-jerk "orange man bad". It's not those things. It's incredibly serious.

It feels surreal: like something from a movie or a TV show. That effect can be paralyzing. But it's real.

Using our voices is important at times like these. Even when it's professionally inconvenient. Even if we might lose friends when we do so.

If he is allowed to continue along this path, bad things will likely happen. Even if he doesn't execute on his threat this time, he may another time. Other nations may feel they need to defend themselves from potential violence.

What would it look like to bring the world back to a peaceful order? How can we ensure that the United States does not call for genocide again and cannot follow through with such an obscene threat?

Why Have a Dedicated Music Device? - Kev Quirk

2026-04-07T13:31:00.000Z

In the last year or so I've read about many people moving from streaming services, like Apple Music and Spotify, to their own music library. To support these local libraries, many seem to be getting themselves a music player, such as the Fiio Echo Mini.

While moving to a local library is something that I've thought about many times¹, I don't understand why people are buying these little music players.

The big selling points generally seem to be:

Bluetooth connectivity so you can use with buds, or in your car.
Plenty of local storage.
Audio jack.
Easy to drag and drop music.

With the exception of the 3rd point, pretty much every smartphone on the market will do all of this. And let's be honest, #3 doesn't really matter as most people use Bluetooth buds these days.

Yes, I know some people still use old school wired earphones. I don't need an email from you.

So if the device that's already in your pocket will do everything these little music players will already do, why get an extra device to lug around everywhere?

I want to stress, these look really cool, and if that's why you want one, that's totally fine. But anecdotally, that's not what I'm seeing.

Can someone enlighten me? I see the advantages of owning your own music library, but I don't get why people want to carry another device everywhere.

I've decided to stick with streaming, but that's a post for another day. ↩

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Did WordPress VIP leak my phone number? - Terence Eden’s Blog

2026-04-07T11:34:43.000Z

As discussed in my last blog post, the scumsuckers at Apollo.io have been giving out my personal details.

Not only did they have my email address, they also had a copy of one of my phone numbers. I asked them where they got it from and they said:

Your phone number came from Parsely, Inc (wpvip.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform.

I've never done any business with Parsely. They have no reason to have my phone number and absolutely no permission to share it with other organisations.

Back in 2021, Parsely became part of WordPress VIP. Ah yes, our old "friends" at Automattic with their somewhat lax attitude to privacy.

I took advantage of WordPress VIP's GDPR policy and sent a terse but polite "Hey, WTAF?" to them. Their response was quick:

Thanks for reaching out. We are currently investigating our systems to locate any personal data regarding your request. We appreciate your patience.

After a bit of prodding, they eventually replied with:

It appears that we obtained your contact information as a result of a meeting you had with a representative for the WPScan service around August 5, 2022. WPScan is owned by our parent company Automattic.

We have no record of Parsely, Inc. (which is no longer in existence) or WPVIP Inc. (the owner of the Parse.ly service) having any relationship with Apollo.io.

We also have no record of Parsely, Inc. or WPVIP Inc. having sold or otherwise provided your information to any third party.

I have no memory and no record of meeting anyone from WPScan - although I concede it is possible I did as part of a previous job.

But even if it was in an email signature when I contacted them that still doesn't explain how it made its way to Apollo for them to give to spammers everywhere. Was it a hack? A data leak? A treacherous employee? A deliberate sale? A sneaky app update? Or maybe just Apollo lying to me.

I don't care any more. I'm just so tired of shitty companies treating personal data as a commodity to be traded, sold, repackaged, and abused.

What we learned about TEE security from auditing WhatsApp's Private Inference - Trail of Bits Blog

2026-04-07T11:00:00.000Z

WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a system that processes encrypted user messages inside trusted execution environments (TEEs), secure hardware enclaves designed so that not even Meta can access the plaintext. Our now-public audit, conducted before launch, identified several vulnerabilities that compromised WhatsApp’s privacy model, all of which Meta has patched. Our findings show that TEEs aren’t a silver bullet: every unmeasured input and missing validation can become a vulnerability, and to securely deploy TEEs, developers need to measure critical data, validate and never trust any unmeasured data, and test thoroughly to detect when components misbehave.

The challenge of using AI with end-to-end encryption

WhatsApp’s Private Processing attempts to resolve a fundamental tension: WhatsApp is end-to-end encrypted, so Meta’s servers cannot read, alter, or analyze user messages. However, if users also want to opt in to AI-powered features like message summarization, this typically requires sending plaintext data to servers for computationally expensive processing. To solve this, Meta uses TEEs based on AMD’s SEV-SNP and Nvidia’s confidential GPU platforms to process messages in a secure enclave where even Meta can’t access them or learn meaningful information about the message contents.

The stakes in WhatsApp are high, as vulnerabilities could expose millions of users’ private messages. Our review identified 28 issues, including eight high-severity findings that could have enabled attackers to bypass the system’s privacy guarantees. The following sections explore noteworthy findings from the audit, how they were fixed, and the lessons they impart.

Key lessons for TEE deployments

Lesson 1: Never trust data outside your measurement

In TEE systems, an “attestation measurement” is a cryptographic checksum of the code running in the secure enclave; it’s what clients check to ensure they’re interacting with legitimate, unmodified software. We discovered that WhatsApp’s system loaded configuration files containing environment variables after this fingerprint was taken (issue TOB-WAPI-13 in the report).

This meant that a malicious insider at Meta could inject an environment variable, such as LD_PRELOAD=/path/to/evil.so, forcing the system to load malicious code when it started up. The attestation would still verify as valid, but the attacker’s malicious code would be running inside, potentially violating the system’s security or privacy guarantees by, for example, logging every message being processed to a secret server.

Meta fixed this by strictly validating environment variables: they can now contain only safe characters (alphanumeric plus a few symbols like dots and dashes), and the system explicitly checks for dangerous variables like LD_PRELOAD. Every piece of data your TEE loads must either be part of the measured boot process or be treated as potentially hostile.

Lesson 2: Do not trust data outside your measurement (have we already mentioned this?)

ACPI tables are configuration data that inform an operating system about the available hardware and how to interact with it. We found these tables weren’t included in the attestation measurement (TOB-WAPI-17), creating a backdoor for attackers.

Here’s why this matters: a malicious hypervisor (the software layer that manages virtual machines) could inject fake ACPI tables defining malicious “devices” that can read and write to arbitrary memory locations. When the secure VM boots up, it processes these tables and grants the fake devices access to memory regions that should be protected. An attacker could use this to extract user messages or encryption keys directly from the VM’s memory, and the attestation report will still verify as valid and untampered.

Meta addressed this by implementing a custom bootloader that verifies ACPI table signatures as part of the secure boot process. Now, any tampering with these tables will change the attestation measurement, alerting clients that something is wrong.

Lesson 3: Correctly verify security patch levels

AMD regularly releases security patches for its SEV-SNP firmware, fixing vulnerabilities that could allow attackers to compromise the secure environment. The WhatsApp system did check these patch levels, but it made an important error: it trusted the patch level that the firmware claimed to be running (in the attestation report), rather than verifying it against AMD’s cryptographic certificate (TOB-WAPI-8).

An attacker who had compromised an older, vulnerable firmware could simply lie about their patch level. Researchers have publicly demonstrated attacks that can extract encryption keys from older SEV-SNP firmware versions. An attacker could use these published techniques against WhatsApp users to exfiltrate secret data while the client incorrectly believes it’s connected to a secure, updated system.

Meta’s solution was to validate patch levels against the VCEK certificate’s X.509 extensions. These extensions are cryptographically signed data from AMD that can’t be forged by compromised firmware.

Lesson 4: Attestations need freshness guarantees

Before our review, when a client connected to the Private Processing system, the server would generate an attestation report proving its identity, but this report didn’t include any timestamp or random value from the client (TOB-WAPI-7). This meant that an attacker who compromised a TEE once could save its attestation report and TLS keys, then replay them indefinitely.

Achieving a one-time compromise of a TEE is typically much more feasible and much less severe than a persistent compromise affecting each individual session. For example, consider an attacker who can extract TLS session keys through a side channel attack or other vulnerability. For a single attack, the impact tends to be short-lived, as the forward security of TLS makes the exploit impactful for only a single TLS session. However, without freshness, that single success becomes a permanent backdoor because the TEE’s attestation report from that compromised session can be replayed indefinitely. In particular, the attacker can now run a fake server anywhere in the world, presenting the stolen attestation to clients who will trust it completely. Every WhatsApp user who connects would send their messages to the attacker’s server, believing it’s a secure Meta TEE.

Meta addressed this issue by including the TLS client_random nonce in every attestation report. Now each attestation is tied to a specific connection and can’t be replayed.

How Meta fixed the remaining issues

Before their launch, Meta resolved 16 issues completely and partially addressed four others. The remaining eight unresolved issues are low- and informational-severity issues that Meta has deliberately not addressed. Meta provided a justification for each of these decisions, which can be reviewed in appendix F of our audit report. In addition, they’ve implemented broader improvements, such as automated build pipelines with provenance verification and published authorized host identities in external logs.

Beyond individual vulnerabilities: Systemic challenges in TEE deployment

While Meta has resolved these specific issues, our audit revealed the need to solve more complex challenges in securing TEE-based systems.

Physical security matters: The AMD SEV-SNP threat model doesn’t fully protect against advanced physical attacks. Meta needed to implement additional controls around which CPUs could be trusted (TOB-WAPI-10). If you are interested in a more detailed discussion on physical attacks targeting these platforms, check out our webinar, which discusses recently published physical attacks targeting both AMD SEV-SNP and Intel’s SGX/TDX platforms.

Transparency requires reproducibility: For external researchers to verify the system’s security, they need to be able to reproduce and examine the CVM images. Meta has made progress in this area, but achieving full reproducibility remains challenging, as issue TOB-WAPI-18 demonstrates.

Complex systems need comprehensive testing: Many of the issues we found could have been caught with negative testing, specifically testing what happens when components misbehave or when malicious inputs are provided.

The path forward for securely deploying TEEs

Can TEEs enable privacy-preserving AI features? Our audit suggests the answer is yes, but only with rigorous attention to implementation details. The issues we found weren’t fundamental flaws in the TEE model but rather implementation and deployment gaps that a determined attacker could exploit. These are subtle flaws that other TEE deployments are likely to replicate.

This audit shows that while TEEs provide strong isolation primitives, the large host-guest attack surface requires careful design and implementation. Every unmeasured input, every missing validation, and every assumption about the execution environment can become a vulnerability. Your system is only as secure as your TEE implementation and deployment.

For teams building on TEEs, our advice is clear: engage security reviewers early, invest in comprehensive testing (especially negative testing), and remember that security in these systems comes from getting hundreds of details right, not just the big architectural decisions.

The promise of confidential computing is compelling. But, as this audit shows, realizing that promise requires rigorous attention to security at every layer of the stack.

For more details on the technical findings and Meta’s fixes, see our full audit report. If you’re building systems with TEEs and want to discuss security considerations, we offer free office hours sessions where we can share insights from our extensive experience with these technologies.

Lost and found bottle, Easter vacation! - W14 - Joel's Log Files

2026-04-07T03:40:00.000Z

Happy Easter to all of you! The week has come and gone in a flash, and a lot of things happened this time around, thanks to the few days off I got. Here’s a quick rundown through some important events and things of note!

✈️ My siblings came here! There were a lot of things I did that I mention here, which happened with them around. It was a fun time, but I also quickly remembered that being the older brother comes with its caveats… let’s say my wallet feels very light right now, but it was fun!
🥤I went to the gym on Monday! after I left, I realized I forgot my water bottle… I was already on the bus back home so, I had to wait until tomorrow. I called a coworker who was still there, but he couldn’t find it. The next morning, the first thing I did was ask at the reception—my bottle was nowhere to be found. The next day, my siblings went to the gym with me, and even though I had already given up, they still asked, and wouldn’t you know, the bottle was right there! So, yay!
🚗 The first day of my Easter vacation was spent on… goint to a small town to get new plates for the family car, for like 6 hours. There was a store nearby and we got some snacks, I took a couple pictures in the main plaza downtown, so that was fun. I also played a lot of Resident Evil.
🍔 Once we got out of that place, we went back to civilization and ate some burgers! The usual chain here is Burguer King, and we enjoyed them very much.
🧱 I created a new background pattern for my website! You can see it on any page as long as it’s on desktop, currently unavailable on mobile due to screen size. Hope you like it! I plan to make it better later
🍿 Invited my family to watch a movie to the cinemas, which were pretty close (we were at a mall), and ended up watching Project Hail Mary. It was very fun because the place was packed full of people because of the release of the Super Mario Galaxy movie… we’ll watch that one later. We went with my grandma and kinda didn’t realize there was no ramp for her wheelchair. However, she sat on the first row along my parents, and nobody had reserved those seats, so there was no problem!
🃏 We acquired and played a new card game! Coup, a bluffing game where you eliminate all of your opponents until someone takes over and controls the whole political landscape!
🎂 We had a surprise party for a friend and spent sometime decorating their place before they got there. We also had pizza!
✝️ My church organized a hospital visit, we made food and gave water bottles for the people who were waiting outside, we prayed for them and the patients in need as well.

Watching

Project Hail Mary - This was a fantastic movie in my opinion. It rushed through a lot of the details of the book, but it was fun and I loved it for what it is. The visuals were stunning and I also have to give props to the soundtrack which felt rather different in many occasions, to what a “Sci-Fi” movie usually sounds like, from time to time. I had a good time!

Reading

To Be Taught, If Fortunate by Becky Chambers - A novella I suddenly started, about a group of astronauts sending a message back to Earth, or something like that. I actually don’t know much yet, haven’t made a lot of progress.
Clarkesworld #211 by Neil Clarke - I completed the second story of the book! It was much longer than the first one, but I actually really, really enjoyed it, it got to the heart strings for a bit, what a nice short story. The next entry is a novella, so I’ll need to focus on it some more.
Fly Me To The Moon - Up to chapter 229. I continued with this slice of life rom-com! It keeps being fun and adorable! While building up and answering some mysteries little by little. Good stuff!
Yokohama Kaidashi Kikou - Up to chapter 70. I made the decision to read 4 or so chapters of this masterpiece, and they were absolutely lovely. Alpha continues on her journey through Japan, and stumbles upon an airport, where she gets to see a plane up close for the first time, and even more surprises. Absolutely lovely.
Kingdom - Up to chapter 867. Still making progress on the war at large, with a side-character stepping up to the role of getting some allies out of trouble, I’m looking forward to know how thigs will fare.

Gaming

Completed

Resident Evil - The gateway into the World of Survival Horror. This classic held up extremely well for its age. IT lacks quite a bit of quality of life features that the sequel contained, but even then, all the basics are there. And not only that but there are some things that are genuinely awesome about it. The Mansion setting is truly great, and some of the puzzles were incredible. I enjoyed it from start to finish, even if it ended up funneling from Metroidvania-style gameplay to linearity, just like the sequel, I didn’t mind at all, I enjoyed the journey a lot. I only played as Jill Valentine though!

Ongoing

Balatro - I simply continued to go through a few playthroughs of this game on my phone, I am yet to win still. I’m truly terrible at it, I guess.

Around the Web

Blog posts

Do You Have the Time? - A post and ramble about how buying simple things that were available in physical stores before has been ruined by Amazon, instant shipping and the like.
I Miss My Hometown - A trip down RL Dane’s memory lane, and a wonderful conclusion.
Early Efforts in Sticker Making - A fun project that makes me want to buy one of those sticker cutting machines.
That’s Home. That’s us. - I had not seen Hello, World until today, it made me feel something I didn’t know I could sense. What a photo, what a post.

YouTube

Can Ocarina of Time be the Future of Zelda? - Brandon’s video about the latest rumour of Ocarino of Time getting a full remake for the Switch 2, I am incredibly hyped about this, this is what will get me to buy the Switch 2, finally.
The ORIGINAL Resident Evil Games - Some guy who played the original trilogy and did a pretty good comparison and shared some thoughts that I found pretty good. I just love these type of videos.
Setting up a retro gaming corner in my room - I really enjoy this channel and now I kind of want a CRT TV and some old consoles that I never got to own as a kid… oh well.
The Missions Bringing Us Back To The Moon - Neil

This is day 46 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse

The Hacker News tarpit - Westenberg

2026-04-06T23:36:11.000Z

This newsletter is free to read, and it’ll stay that way. But if you want more - extra posts each month, no sponsored CTAs, access to the community, and a direct line to ask me things - paid subscriptions are $2.50/month. A lot of people have told me it’s worth it.

Upgrade

Hacker News is a web application with the following features: a list of links, sorted by votes. Comments under those links, also sorted by votes. User accounts with karma. A text submission option. A jobs board. That's it; that's the entire product.

The database schema would take a handful of tables. You've got users, posts, comments, votes, and some metadata. A first-year CS student could design it. And I don't mean that as an insult to either the first-year CS student or to Hacker News.

Well, I spent a Saturday last month vibe coding a Hacker News clone. Took about 3 hours, most of which was me arguing with the AI about CSS. By the end I had a working link aggregator with voting, comments, user accounts, and a ranking algorithm roughly equivalent to the one HN uses. It looked like Hacker News. It functioned like Hacker News. It sorted stories by a points-over-time decay function and everything.

My 9 year old could have used it.

...but nobody will ever use it.

To be clear - this is not a post about how hard it is to build software. It's a post about how easy it is to build software, and how that easiness fools people into thinking they understand what they're looking at when they see a successful product.

Every developer who sees HN thinks, "I could build that in a weekend." And they're right; they absolutely could. In fact, I'd assume they're pretty shite at their jobs if they couldn't. What they couldn't build in a weekend // month // year // probably ever, is the thing that makes Hacker News actually work. And that ~thing is not the software.

Let me list every Hacker News clone I can think of off the top of my head: Lobsters, Tildes, Barnacles, EchoJS, Hashnode, various subreddits pretending to be link aggregators, that one site called Squishy or Squidgy or something that I remember existing briefly in 2019. Some of these are ok. Lobsters is genuinely good. But none of them are Hacker News in the way that matters, which is: none of them are the place where you go when you want to know what several hundred thousand programmers think is interesting right now.

You can't build Place People Go as a feature. It's a thing that happened over time, through a specific and unrepeatable sequence of events, most of which were not planned and some of which were just luck.

Hacker News launched in 2007 as a side project by Paul Graham, who ran Y Combinator. The initial user base was people who read Paul Graham's essays. Think about what that means for a second. The seed community was a self-selected group of people who were (a) programmers or startup founders, (b) interested enough in ideas to read long essays about programming languages and startup strategy, and (c) already connected to the Y Combinator network.

This is an absurdly good seed community for a tech link aggregator. You could not assemble it on purpose. Or rather, you could assemble something similar, but you would need to already be Paul Graham, which is an unreasonable prerequisite for a product launch.

PG has talked about this a bit. He's said the key to HN's moderation is that they basically hand-tuned the community for years. Daniel Gackle (dang), who has moderated HN since around 2014, reads an almost superhuman volume of comments and applies a consistent but hard-to-formalize set of norms. The guidelines say things like "Be civil" and "Don't be snarky" and "Please don't post shallow dismissals." These rules are not special. Every forum has rules like this. What's special is that someone actually enforces them, every day, across thousands of comments, with at least an attempt at consistency.

A link aggregator is only as good as its community, and the community is only as good as the people in it, and the people are only there because the other people are there. This is a Schelling point problem; everybody needs to coordinate on the same place, and which place they coordinate on is partly arbitrary, and once they've coordinated it is very expensive to move.

There's a bar in your city where all the interesting people go on Thursday nights. The bar is not special. The drinks are mediocre, the lighting is bad, the bathrooms are questionable. But interesting people go there, which makes it interesting, which makes more interesting people go there. If you open an identical bar across the street with better drinks and better bathrooms, nobody is going to switch, because the interesting people are at the other bar. They all know they're at the other bar. There is no mechanism for coordinated switching.

You could build a better Hacker News. Better ranking algorithm, better comment threading, better search, dark mode, an API that doesn't feel like it was designed in 2008 (because it was designed in 2008). None of this matters. The readers, the commenters, the founders who show up for "Show HN" and "Ask HN" and "Who is hiring?" are already at Hacker News. You can't move them by building a nicer website. They are not there because the website is nice.

Vibe coding has made it trivially easy to build software. I can spin up a functional web app in hours. So can most developers. Increasingly, so can people who aren't developers at all. The cost of building the thing has collapsed toward zero.

But most successful software products were never gated by the difficulty of building the thing. They were gated by distribution, network effects, community, trust, brand, regulatory capture, some tangle of these. Making the building part free doesn't touch any of those. It arguably makes them worse, because now you have a thousand competitors who also built the thing over a weekend and are all fighting for the same pool of users who are already using something else.

Imagine you could conjure a fully equipped restaurant out of thin air. Kitchen, dining room, the works. Free. What happens? You don't get a golden age of dining. You get a million empty restaurants, because the scarce resource was never the building. It was the chef who knows what she's doing, the corner spot with foot traffic, the regulars who show up on Tuesdays. Those things take years.

Hacker News is fifteen years of community norms, trust, moderation decisions, accumulated habits, and network effects. You can't build that. It isn't a technical problem. It's closer to an archaeological one. The thing that makes HN work is deposited in layers over time and you cannot speed up the deposition.

There's a lazy version of this argument that says "network effects make incumbents invincible, so never try." I don't buy it. Digg was the Hacker News before Hacker News and it self-destructed. Reddit almost died several times. Twitter did die, sort of, depending on how you score it. These things can break. But they almost always break because the incumbent does something stupid, not because a competitor does something smart.

Digg didn't lose because Reddit was technically superior. Reddit in 2010 was ugly and confusing and had the subreddit system, which I maintain to this day is one of the worst information architecture decisions ever made for a site that size. Digg lost because Digg redesigned itself in a way that enraged its entire user base, at the exact moment Reddit was standing there as an alternative. The coordination problem solved itself because one of the two options eliminated itself.

If you want to replace Hacker News, you don't need a better Hacker News. You need Hacker News to screw up badly enough that people are motivated to leave, and you need to already exist when they start looking for the exit. This is a patience and luck problem, and last I checked neither of those ships with an npm package.

There's a related thing happening all over my Twitter feed. Someone builds a beautiful project management tool over a weekend. They tweet a screen recording. It gets 500 likes. The tool dies off because project management tools don't compete with each other on features. They compete with Jira, and Jira's moat is that your company's entire workflow is caked into it like geological strata. Nobody is migrating away from Jira because some guy's weekend project has nicer fonts.

Same with note-taking apps. Every week there's a new one. Every week it's gorgeous. I have probably tried forty of them since 2015 and I still use a folder of plain text files, because at some point I realized the switching cost isn't money or even time, it's the habits in your fingers, and those are basically impossible to override on purpose. The new app would need to be so much better that it overcomes years of muscle memory, and none of them are, because text files are actually fine.

The demo is not the product. The product is the ugly part that comes after, where you have to convince real people to actually change what they're doing, and that has never been a software problem. I don't think vibe coding makes it any easier. If anything it makes it harder because you have more competition from other people who also demoed something nice and also can't get anyone to switch.

I think the vibe coding discourse has a hole in it, and the hole is shaped like the question: "what is software for?"

If software is a thing you build, then vibe coding changes everything. Anyone can build. We have democratized building. Congratulations to building.

But software is mostly a thing people use, and getting people to use things is not a building problem. It never was. The reason most software fails is not that it was too hard to code. The reason most software fails is that nobody wanted it, or everybody wanted it but was already using something else, or the right people wanted it but couldn't find it, or they found it but didn't trust it, or they trusted it but couldn't get their team to switch.

Hacker News works because Paul Graham had an audience before he had a product, Y Combinator had a network that seeded the community, and dang has been doing the same moderating job every single day for over a decade with what I can only describe as an unreasonable level of dedication. The whole thing has been accumulating social capital for almost twenty years...

I built a Hacker News clone in six hours. To me, it's perfect and for everyone else it's empty and those two facts are going to remain true forever. If that doesn't tell you something about what software is and isn't, I don't know what will.

Westenberg is designed, built and funded by my solo-powered agency, Studio Self. Reach out and work with me:

Work with me

Battling bots - Posts feed

2026-04-06T17:34:00.000Z

I've already blocked entire countries to combat scrapers, I update my robots.txt for well-behaved bots (and 403 any included in the list that access anything other than my robots.txt). In addition to these steps, I've started blocking traffic from IPs contained in Spamhaus' DROP and DROPv6 lists.

I Hate Insurance! - Kev Quirk

2026-04-06T16:25:00.000Z

So yesterday I received an email from Admiral, our insurance provider, where we have a combined policy for both our cars and our home. Last year this cost £1,426.00, but this year the renewal had gone up by a huge 33%, to £1,897.93 broken down as follows:

Wife's car - £339.34
My car - £455.68
Our home (building & contents) - £1,102.91

Even at last year's price this was a shit tonne of money, so I started shopping around and here's what I ended up with:

Wife's car - £300.17
My car - £402.22
Our home (building and contents) - £533.52
Total: £1056.86 (44% reduction!)

These policies have at least the same cover as Admiral. In some cases, better.

I knew it would be cheaper shopping around, but I didn't think it would be nearly half. So, I called Admiral to see what they could do for me, considering I've been a loyal customer for 7 years.

They knocked £167,83 (8.8%) off the policy for me, bringing the revised total to £1,730.10. Nice to see that long-term customers are rewarded with the best price! 🤷🏻‍♂️

So I obviously went with the much cheaper option and renewed with 3 different companies. It's a pain, as I'll now need to renew 3 policies at the same time every year, but if it means saving this much money, I'm happy to do it.

Next year I'll get a multi-quote from Admiral to see if they're competitive. Something tells me they will be, as with most things these days, getting new customers is more important than retaining existing ones.

Unfortunately having car and home insurance is a necessary evil in today's world, but I'm glad I was able to make it a little more palatable by saving myself over £700! If your insurance is up for renewal, don't just blindly renew - shop around as there's some serious savings to be had.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

[RSS Club] Banana for scale - Terence Eden’s Blog

2026-04-06T11:34:00.000Z

This post is exclusive to RSS feed subscribers. Enjoy!

I've had this idea stuck in my head for a while, so I decided to make it.

This is "Scan Slowly And See".

The code is made by cloning some of the banana's spots. Do let me know if the QR code works for you 🍌

"Cognitive surrender" leads AI users to abandon logical thinking, research finds - Werd I/O

2026-04-05T17:34:11.000Z

[Kyle Orland in ArsTechnica]

I’m tired. Everyone’s tired. There are so many demands being made of us constantly that the output from an AI chatbot can seem like a godsend: rather than buckling down and doing yet more work, the machine can shortcut that for us.

Not so fast:

“Overall, across 1,372 participants and over 9,500 individual trials, the researchers found subjects were willing to accept faulty AI reasoning a whopping 73.2 percent of the time, while only overruling it 19.7 percent of the time. The researchers say this “demonstrate[s] that people readily incorporate AI-generated outputs into their decision-making processes, often with minimal friction or skepticism.” In general, “fluent, confident outputs [are treated] as epistemically authoritative, lowering the threshold for scrutiny and attenuating the meta-cognitive signals that would ordinarily route a response to deliberation,” they write.”

There are no shortcuts to doing great work, but if AI is used in this pressure-driven way, it becomes little more than a shortcut machine: a way to get to the end goal faster without really scrutinizing the thinking it took to get there. It’s no wonder that AI users didn’t examine the answers they were given; in a world where AI allows people to be saddled with more tasks, they might not have had the time to do anything else. Good enough; onto the next thing. Most people don’t want to cut corners, but under adverse circumstances, they will.

It may also be that they were rote learners who were less good at identifying the principles behind a solution. The people who bucked this trend were the ones who scored highly in “fluid reasoning” tests. I have to admit that this was new to me, but fluid learners are more able to find the underlying principles and links between topics and ideas in order to solve problems. The better people were at abstract thinking, the more likely they were to question outputs from the AI.

That makes some sense to me. AI can’t reason particularly well: it outputs convincing-sounding responses, but the underlying principles behind them aren’t necessarily fully-formed. If you’re used to just accepting something that looks right, perhaps because you’ve been taught to memorize rather than understand, it’s harder to discern when this kind of superficially intelligible, highly confident answer is right. If you scratch the surface and try to understand the underlying logic, that’s when it becomes clearer that the LLM doesn’t know what it’s talking about.

Managers that salivate about using AI to increase the workload / productivity of a team should consider this effect: the more you press people to use these systems, the more they might accept faulty reasoning from them. Hiring abstract thinkers — the people who are more likely to rise to be senior engineers etc — will help, but you need to give people the space, permission, and expectation to think for themselves.

[Link]

Someone at BrowserStack is Leaking Users' Email Address - Terence Eden’s Blog

2026-04-05T11:34:03.000Z

Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

A few weeks ago I signed up for BrowserStack as I wanted to join their Open Source programme. I had a few emails back-and-forth with their support team and finally got set up.

A couple of days later I received an email to that email address from someone other than BrowserStack. After a brief discussion, the emailer told me they got my details from Apollo.io.

Naturally, I reached out to Apollo to ask them where they got my details from.

They replied:

Your email address was derived using our proprietary algorithm that leverages publicly accessible information combined with typical corporate email structures (e.g., firstname.lastname@companydomain.com).

Wow! A proprietary algorithm, eh? I wonder how much AI it takes to work out "firstname.lastname"????

Obviously, their response was inaccurate. There's no way their magical if-else statement could have derived the specific email I'd used with BrowserStack. I called them out on their bullshit and they replied with:

Your email address came from BrowserStack (browserstack.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform.

The date of collection is 2026-02-25.

So I emailed BrowserStack a simple "Hey guys, what the fuck?"

I love their cheery little "No spam, we promise!"

Despite multiple attempts to contact them, BrowserStack never replied.

Given that this email address was only used with one company, I think there are a few likely possibilities for how Apollo got it.

BrowserStack routinely sell or give away their users' data.
A third-party service used by BrowserStack siphons off information to send to others.
An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.

There are other, more nefarious, explanations - but I consider that to be unlikely. I suspect it is just the normalisation of the shabby trade in personal information undertaken by entities with no respect for privacy.

But, it turns out, it gets worse. My next blog post reveals how Apollo got my phone number from from a very big company.

Be seeing you 👌

Link Dump: March 2026 - The Weblog of fLaMEd

2026-04-05T01:38:01.000Z

What’s going on, Internet? Trying something different. All the pages I bookmarked this month, no life updates in between.

Scroll trīgintā ūnus by Shellsharks - Sharing the latest edition of scrolls, posting online without overthinking.
I Am Happier Writing Code by Hand by Abhinav Omprakash - Letting AI write his code kills the satisfaction that made programming worth doing.
You Are The Driver (The AI Is Just Typing) by Keith - AI coding tools are only useful once you already know what you’re doing. They automate typing, not thinking.
Oceania Web Atlas by Zachary Kai - Collects personal websites from across Oceania
into one tidy, human-scaled directory.
Building the Good Web by Brennan - Building for users instead of against them is what separates the good web from everything else.
Unpolished human websites by Joel - Keep your website messy and human.
What is Digital Garage - Digital Tinker’s website is a workshop built for joy, not productivity. Creation without pressure.
How to feel at home on the Internet by Jatan Mehta - Is having your own domain really the only way to truly “own” your online space?
Endgame for the Open Web by Anil Dash - Is 2026 the last year we have a chance to put a stop on the dismantling of the open web?

Want more? Check out all my bookmarks at /bookmarks/ and subscribe to the bookmarks feed.

Hey, thanks for reading this post in your feed reader! Want to chat? Reply by email or add me on XMPP, or send a webmention. Check out the posts archive on the website.

Flowers; snow - James' Coffee Blog

2026-04-05T00:00:00.000Z

There were only one or two other patrons seated with a warm drink on this cool morning. For the first time in a few weeks, I got my favourite table. I’m not sure why it is my favourite, but it is the one I gravitated toward when the place opened.

When I looked out the window, I noticed that a few of the flowers in the hedge outside were starting to bloom. The red blossom took me back to this time last year when I was looking out at the same flowers. I thought about how much there is to see when you stay in the same place.

I don't know the name of the flowers, but I know someone who would: my grandmother. I have a memory of being a kid in the back of the car and her remarking on the weeping willows growing over the bridge in a small village. Now I know what weeping willows are too! I still have a long way to go, though: I know of the flowers on the hedge outside the coffee shop only as red flowers. I should take notes on the flowers and ask what kind they may be.

As the time passed, the rain started to fall outside. Was that a snowflake? I was cosy inside. There was a faint scent of cinnamon in the air which warmed my heart. I wrote down a few notes from my morning, sipping away on my decaf flat white as I did. Then, I caught the bus to go to my destination for the day.

Half-way through the journey, the rain turned into snow. I did see a snowflake! With every passing minute, the intensity of the snow grew. As we journeyed the luscious green hills became blanketed in white. I thought back to my memories of Winter, watching the snow fall.

Watching the snow fall, I was overjoyed and, at the same time, bewildered. I didn’t think I would be mesmerised by big snowflakes falling on the front window of the bus and being brushed away by the windscreen wipers. The snow kept falling. Then it was brushed away. Then more snow fell. And it kept going. I think part of my joy came from the surprise – of seeing the yellow sun beaming through my bedroom window only a few hours ago, and then seeing snow. And the other part of the joy came from my inner child: the part of me that sees snow and can’t help but be transfixed.

The snow didn’t fall for long – the skies are clear and blue. The sun shines through the window casting a golden light across the room. In my head and my heart I still feel the snow though, saving the memory and the feeling so that, for next year, I have another point of reference to help me navigate the seasons. Maybe, by then, I will know the name of the red flower too.

AMA: Can One Setup Their Digital Life to Be Subscription Free? - Kev Quirk

2026-04-04T13:18:00.000Z

Sanjay asked me in a comment on my AMA post:

Dear Kev,

I am a fellow reader of multiple blogs of yours and others. But somehow I have been searching for any article where any one can setup of his entire digital life using subscription free model.

I am not talking about to get everything FREE and become a PRODUCT. If you think you can setup everything using opensource then how would you setup all of your essentials. You can write a post anytime when you have a time.

For example.

Free domain based email via MX Routing
Hosting on Github or Cloudflare Pages
RSS feed
CDN
Database
Note App
Reminder
Music
OS - most important using Linux
Document, Spreadsheet, Presentation
Video Editing

And so on.. There may be many more things. I always think what would happen to my subscriptions if I will no more or I will have some issue or financial constraint. Will the subscription be a burden to my family when I will not be there. Or any of my important services will stop working for not paying suddenly?

Currently I am not paying any subscription for any of my services as I have reduced as minimum services I can opt.

Regards,
Sanjay

I think the short answer to your question, Sanjay, is mostly yes. But I'd advise against it for some things*.

The easy things

Some of the items on your list are really easy to get without a subscription, for example:

RSS feed reader - there are many feed readers you can install locally for free. Vivaldi has one built right into their browser, for example. Or you could self-host something like FreshRSS, or Miniflux.
Notes app - my recommendation here would be Obsidian. I personally sync via WebDAV to my server at home. If you don't have the ability to do that, most operating systems have a note taking app pre-installed.
Reminders - you can use the calendar app on your device, or on mobile, the built-in reminders/to-do apps.
Document editing - LibreOffice is great, as is Only Office if you want something more modern looking.
Operating system - Ubuntu for the win. It's what I use.
Video editing - Kdenlive is available for all major operating systems, and works really well.

The not-so-easy things

Unfortunately, some things on your list are either going to cost you money, privacy, or time somewhere along the line.

Email with a custom domain

Domains cost money. I know some don't but they tend to be very spammy and have poor email delivery as a result. Also, any email service worth their salt will require you to pay. If not, they're probably sniffing your mail.

You could self-host your email at home, but there's then a cost associated with the hardware to host the mail server, or your time administering the system. Email is notoriously difficult for self-hosters too.

Website hosting (GitHub or Cloudflare)

As with most things that are free on the web, if it's free, you're probably the product. And that's true with both GitHub and Cloudflare, in my opinion.

You can host a site for free on either service, but you would either need to buy a domain, or be happy using one of their free sub-domains. There's also the technical debt required to create the static sites that these services support. So there's a time cost.

Again, you can host at home, but there's the same hardware or time costs that are associated with self-hosting email.

CDN & Databases

Like email hosting, any service worth their salt is going to charge. Some may have initial tiers that are free, but I doubt they will be very generous. I personally use Bunny for my CDN needs. They're reasonably priced and have a pay-as-you-go model, so no subscription involved. Obviously you can't host a CDN at home, as that would defeat the object of the whole thing.

For databases; same story as above. You can host at home, but there's a hardware/time cost associated, or you can pay for a reputable host to do it for you.

Music

I think this one is easy. Your options are threefold:

A self-hosted media library that will consist of:
- Ripped music from a physical collection.
- Buying digital music from services like Bandcamp where you actually own the music, but this can get expensive.
- Pirated music 🏴‍☠️.
A free account on a streaming service like Spotify, but it will be riddled with ads.
A paid subscription to a streaming service.

Final thoughts

I think these decisions ultimately come down to personal preference, and a compromise in one of three things - cost, time, or privacy.

A service can be free and private, but it will be time consuming to manage.
It can be quick to get started (hosted) and private, but it won't be free.
It can be quick to get started (hosted) and free, but it won't respect your privacy.

There's always a trade off with this stuff. It just boils down to what you're willing to trade off, personally.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

The AI writing witchhunt is pointless. - Westenberg

2026-04-04T12:01:37.000Z

Alexandre Dumas ran what was essentially a content production house in 19th century Paris. His most famous collaborator was Auguste Maquet, who wrote substantial portions of The Three Musketeers and The Count of Monte Cristo. Maquet would produce drafts and outlines, and Dumas would rewrite and polish them, but the books went out under Dumas's name alone. Maquet eventually sued him over it in 1858 - and won a financial settlement - but the court ruled Dumas was the sole author.

At the peak of his Factory, Dumas had something like 73 collaborators working with him at various points. A contemporary writer named Eugène de Mirecourt published a pamphlet in 1845 called Fabrique de Romans: Maison Alexandre Dumas et Cie ("Novel Factory: The House of Alexandre Dumas and Company") accusing him of running a ghostwriting sweatshop. Dumas sued for libel and won, but nobody really disputed the underlying facts.

Dumas published around 100,000 pages in his lifetime.

Even his defenders admitted he couldn't have written all of it alone.

Put a pin in that, we'll come back to it later...

In November 2025, Hachette published a horror novel called Shy Girl by Mia Ballard. It is, decidedly, not my cup of tea. But, it had sold about 1,800 copies in the UK, and it had almost 5,000 ratings on Goodreads, averaging 3.51 stars. It was an ordinary debut, with a built-in fanbase.

And then the internet decided it was written by AI, and the world began a witchhunt.

A Reddit thread blew up, followed by a YouTube video titled "I'm pretty sure this book is ai slop" pulling in 1.2 million views. Goodreads reviewers started dissecting individual sentences like forensic linguists with a grudge, and by early 2026, Hachette had pulled the book from shelves, cancelled the US release, and scrubbed it from Amazon.

Ballard says she didn't use AI herself.

She says an acquaintance she'd hired to work on an earlier self-published version had incorporated AI tools without her knowledge.

"This controversy has changed my life in many ways and my mental health is at an all time low and my name is ruined for something I didn't even personally do," she wrote to the New York Times.

And I'll stand up right now and say - fuck it.

Maybe she's telling the truth.

Or, maybe she isn't.

I don't actually give a shit, because I don't actually know, and neither do you actually know, and neither do the thousands of people who participated in destroying her career.

We just. Don't. Know.

What I do know boils down to pretty much this: the tools // methods people used to reach their verdict are fucking garbage. The culture that's grown up around AI detection is poisonous, and I refuse to have anything to do with it.

AI detection tools are unreliable.

It's been shown over and over.

OpenAI launched its own AI text classifier in January 2023, and by July 2023, they'd shut it down because it correctly identified AI-written text only 26% of the time - worse, if I may point out, than a coin toss...

GPTZero, Turnitin's AI detection feature, Originality.ai, Pangram etc: the whole cottage industry that's sprung up here shares the same limitation. They're pattern matchers trained on statistical likelihoods, flagging text that looks like it could have come from a language model, and the problem is, a lot of perfectly human writing also looks like it could have come from a language model, because language models were trained on human writing, and even the AI-based AI detection tools are just playing an eternal // infernal game of whackamole with this model and that moel and the next model.

Snake, meet tail.

You're going to get along swimmingly.

Researchers at Stanford found in 2023 that AI detectors disproportionately flagged writing by non-native English speakers as AI-generated, based on simpler sentence structures, based on fewer idioms, based on predictable word choices, based on all the things a person writing in their second or third language might produce.

All the things a detector reads as "probably a robot."

The same thing happens to neurodivergent writers.

Autistic writers.

Such as myself...

The tools are biased and inaccurate, they spit out false positives at rates that should make anyone uncomfortable using them as evidence of anything, and yet people treat the output like a blood test that came back positive, forgetting apparently that blood tests are retested and retested because no one test is entirely accurate.

But most of the people who went after Shy Girl weren't even using formal detection tools; they were reading passages and going: "This sounds like ChatGPT to me" - and maybe it did, and maybe it was, but a gut feeling seems like an awfully precarious thing over which to fuck an entire career.

Just because someone on Reddit reads a sentence that feels generic, or a metaphor that lands a little flat, they (increasingly) conclude with absolute certainty that a machine wrote it, as if mediocre prose is a new invention, as if bad writing didn't exist before November 2022. And may God forgive us if we condemn each other to permanent damnation for producing shitty prose; sans the production of shitty prose, no writer has ever grown one jot.

I've been writing professionally for years, and I've read thousands of self-published and traditionally published books and a huge percentage of them contain clunky sentences, and overused phrases, and cliché metaphors, and prose that reads like it was assembled by so many monkeys with so many MacBooks. But that, dear reader is writing. Most writing is ok. Functional at best. Some writing is good enough to create // destroy empires and so on, and that was true in 2005 and it was true in every moment of our crummy, bargain-bin history up to the introduction of ChatGPT, and damn it, it's true now.

You can't read a paragraph and reliably, with a human life on the line (because that's the stakes, when you destroy a writer's career and a writer's reputation) tell beyond any reasonable doubt, whether a human or a machine produced it. Humans writing in familiar genres, leaning on conventions and common phrasings, leaning on their own context windows, containing everything from Ian Kershaw to Ursula LeGuin to a smattering of Harry Potter fanfiction from 2005 to a series of brain-rotted TikTok reels are doing the best they can to find the right words and shove them into something resembling the right order. A romance novel that uses "his eyes darkened with desire" isn't necessarily AI-generated, even if it reads like a steaming pile to those of us enlightened enough to call ourselves the Literati. Following genre conventions doth not a fraud make. A horror novel with clunky exposition isn't ChatGPT. It might just be a first-time author who hasn't found their voice yet, and they'll never find their voice if we wave pitchforks and torches at every line we personally dislike.

The big publishers are not the ones who'll get hurt by this, obviously. Hachette pulled Shy Girl and moved on, with a swiftly issued statement about "protecting original creative expression." Back to business, and so it goes.

No, the folks getting hurt are the writers. Not only the ones who are tarred - all of us. Every single God-forsaken one of us. We are all made smaller by the pursuit of unproven and unprovable purity. Whether Ballard used AI or not (and she says she didn't, and naive or not I'm inclined to throw my cynicism to the wind and just take her at face value, and you can mock me if you like), the punishment landed before any verdict was reached, because no verdict can ever be reached. Not beyond a reasonable doubt. Never beyond a reasonable doubt.

She's not going to be the last. This whole setup, where anyone can accuse any writer of using AI based on gut feeling, and broken detection tools get treated as proof and publishers fold at the first hint of controversy because the PR cost outweighs the book's revenue, is going to grind up a lot of people into a fleshy, bloody, bony paste. Most of them will be small-time writers, debut authors, indie-published folks without the platform or the money to fight back.

The motivations of the accusers are more complicated than they'd like to admit.

First - the writers who feel threatened by AI are channeling that fear into vigilante enforcement, and I get the fear. I share it, ~to a point. I think it's clear that AI is flooding the market with cheap content, even if I can't confidently crucify any individual for it. But destroying individual careers on the basis of speculation doesn't fight that problem - it simply gives you someone to punish, and the drive for revenge is, while altogether human, altogether bullshit.

Beyond the slighted writers, you've got the internet sleuths who've found a new game. The same energy that drove Reddit to misidentify the Boston Marathon bomber (remember that?) is now being applied to prose style analysis, with the same overconfidence, and the same total absence of accountability when they get it wrong.

Third - the booktok etc influencers who smell blood (and engagement) in the water. "I dissected this book and found some awkward sentences" doesn't get 1.2 million YouTube views. "This book is AI slop" apparently does.

Finally - the readers who feel betrayed by the idea that something they read might not have been "real." I understand that impulse, too - but the logical endpoint is a world where every writer is suspect, and every flat passage becomes evidence, and the act of reading itself is poisoned by constant suspicion.

What unites all of them is the conviction that they, ~they can tell. That they've developed a sixth sense for machine-generated prose through sheer exposure. Well, they haven't. Nobody has. The researchers who build these models can't reliably tell, and the companies that created the AI can't reliably tell, and I am comfortable concluding that someone with a Goodreads account and strong opinions sure as shit hasn't cracked it either.

Give me a break.

The "human-written" certification badges that have started popping up deserve a closer look, because they reveal how badly this whole discourse has gone off the rails...

The Society of Authors' logo and the Authors Guild's certification both operate on the honor system. You register, you say "I wrote this myself," and you get a sticker on your book. There is no forensic review (wouldn't make a difference), no manuscript audit (to what end?) Nobody's testifying under oath that they watched you type every word.

So what do these badges actually prove? That someone was willing to check a box? A person who used AI and wanted to hide it would check that box too. And a person who didn't use AI but can't afford the registration fee, or doesn't belong to the right trade association, or just didn't know the program existed, doesn't get the badge. The absence of the badge becomes its own accusation.

We've been here before. The "organic" label in food. The "fair trade" stamp on coffee. These things start as consumer protection and end as marketing advantages for folks with the resources to participate, and the writers who need protection the most - debut authors // the self-published, writers without agents or industry connections, are the ones least likely to know about or access these programs.

By creating a "certified human" category, you've implicitly created an "uncertified" category. Every book without the badge now carries a faint question mark, and so the presumption of innocence gets torn to shreds, and nobody has to take responsibility for it, because it happened through a logo, not a law.

I'm not going to use AI detection tools on other people's writing.

Not privately, not publicly, not ever.

I'm not going to participate in crowdsourced investigations of whether someone's novel or essay or blog post was "really" written by a human, and I won't share threads that claim to have found proof, and I won't add my voice to the chorus of outrage. My fingers are better employed typing out my own work than pointing at people I've never met.

The cost of a false accusation is a person's career and their mental health, while the cost of letting an AI-assisted book sit on a shelf is... a book sitting on a shelf. And I find I just do not give a shit. That asymmetry is so extreme I can't wrap my head around how more people aren't troubled by it.

If a publisher wants anti-AI clauses in their contracts, fine. If a literary prize wants attestation that no AI was used, that's their call. Those are agreements between parties who chose to be there and good luck to them. But the mob version of this, where anonymous internet users appoint themselves the AI police armed with broken tools and absolute conviction, is something I want no part of.

Writing has always been messy, and writers have always borrowed, imitated, recycled, and leaned on formulaic structures. Ghost writers exist, and editors sometimes rewrite entire chapters. Collaborative writing has been around for centuries. The line between "authentic" and "assisted" has never been as clean as people are pretending it is right now.

If The Three Musketeers were published today, and someone published the 2026 version of a Pamphlet, what would happen? Would a Reddit thread decide that the prose felt too formulaic? Would a YouTube video rack up a million views dissecting the sentence structure? Would Hachette pull it from shelves?

The answer is: fucking, probably. Because the current system doesn't care about the actual quality of the work, or the process behind it, or the centuries of collaborative tradition that produced some of the best writing we have. It cares about the appearance of purity. It cares about whether a mob can be convinced that something smells wrong.

Dumas is in the literary canon, and his books are assigned in schools.

But the way he made them would get him destroyed on the internet in 2026.

This seems suboptimal, to say the least.

I don't know what the right "policy framework" for AI and publishing looks like. Nobody does. We're probably going to spend years figuring it out and we're probably going to get a lot of it wrong.

But I am 100% sure that I know what the wrong version looks like. It looks like a YouTube video with a smug title and a million views, and a Reddit thread full of folks who've never published anything cosplaying as literary forensic experts, and a debut author's name becoming synonymous with fraud because her prose wasn't polished enough to survive a vibe check run by strangers on the internet.

Mia Ballard sold 1,800 books. She had a 3.51 on Goodreads. She was nobody. Most writers are nobody. The internet ate her alive because it felt good to have a villain.

She won't be the last.

And I still won't be any part of it.

Westenberg is designed, built and funded by my solo-powered agency, Studio Self. Reach out and work with me:

Work with me

Welcome to RSS Club! - Terence Eden’s Blog

2026-04-04T11:34:13.000Z

What if I told you there was a secret social network, hidden in plain sight? If you're reading this message, you're now a member of RSS Club!

RSS Club is a series of posts which are only visible to RSS / Atom subscribers. Like you 😃

If I've done everything right⁰, this page isn't visible on the web. It can't be found by a search engine. It doesn't share to Mastodon or appear syndicated to ActivityPub.

Of course, that also means that I can't receive any comments or feedback about it. I'd love it if you dropped me a note to say you found this post. My contact details are on https://edent.tel/ - feel free to use whichever method you like.

So, what can you expect from this exclusive content? More of the same old nonsense - but probably stuff I don't want to argue about on Social Media.

As a first pass, let's talk about this "Let's write a constitution" post from Matt Ellery. In it, he discusses various fun / sensible things you could do with a written constitution. I particularly like the idea of having a "Prime Number Election".

In my modernist tweak, I'd set up something like this:

Local council elections every 3 years.
National MP elections every 5 years.
Upper chamber elections every 7 years.

That ensures that no one party can dominate. Once every 35 years, the upper chamber elections would be brought forward by one year, with their next term lengthened to 8 years.

I'm less sure about having the locals be at the same time for every council. I think that could be a lot of work for democratic volunteers. Perhaps stagger them into thirds or quarters of the year?

Either way, I doubt we'll be getting a written constitution any time soon!

There is every possibility I have not and am now scrambling to fix things. ↩︎

Saturday morning reading - James' Coffee Blog

2026-04-04T00:00:00.000Z

My warm breath steams up my glasses a little bit. I have my cold pillow resting on my chin. I’m still under the covers. I started my morning with a book, Hot Chocolate on Thursday, a cosy tale that took me to Japan and Sydney all without my leaving my bedroom. I love reading in the mornings, although of late I have been a bit too busy to read so early. Saturday mornings, however, are always there for reading.

The prospect of staying warm under the covers for a while longer was enticing – and the cold of the pillow was comforting, too – but the light of morning encouraged me to get up. I had no bread in the house so I went out for breakfast, another one of those things I haven’t done for a few Saturdays now. Going out to a coffee shop and getting breakfast is one of my favourite things to do. Reading there makes the experience even more special.

I packed my book and set off to go and get some breakfast and coffee.

On my journey I noticed the changes in the trees and the bushes. The winter branches were budding. The green of each bud, collectively, brought new life to the trees and bushes. Spring is here. The same white blossom tree that caught my eye a week or two ago is still in full blossom. I know, soon, too, the tree will be green.

After placing my order at the coffee shop, I sat down and unpacked my book. I have run out of bookmarks and so the inside of the dust jacket serves as my bookmark. Soon I will make my way through all the mangas and books I have started. This morning was my way of making a bit of progress to that end. Decaf flat white for James. I went and got my coffee then settled in with my book.

Moments later, I heard a voice I hadn’t heard for a while. The song on the radio. It took me only a few moments to realise which song it was: Brightside by the Lumineers. I started singing along to myself. I remember when the album came out. I haven’t listened to that song in so long. Just as it had been a while since I had been in a cafe, enjoying a coffee and reading a book that brings me joy.

Update on the eBay Scam - Kev Quirk

2026-04-03T17:54:00.000Z

Last week I wrote about how I thought I was being scammed by someone on eBay. In the post I said the following:

I've asked eBay to step in and help resolve the situation, so we will see what happens. But there's a lot of buyer protection on eBay (and rightly so) but there's very little in the way of seller protection, even though I'm not a business. So I have a feeling they will find in favour of the buyer and I'll be out a few quid.

Well, a few days after publishing that post, I received an automated email from eBay, saying:

I then logged into eBay to check the conversation I'd had with this user via the eBay messenger. At the bottom of the message thread, there was a notice that said:

So it seems that eBay, for whatever reason, deemed the user's account to be problematic enough to warrant a suspension/termination.

What now?

Honestly, I don't know. I haven't had the payment for the watch taken from my account, and eBay haven't requested that I refund the payment. So I assume that I get to keep Ollee watch¹, and the money the potential scammer originally paid.

We message back and forth on WhatsApp, and they haven't messaged me there - if I were in their position and a legit buyer, I'd be seething and would have definitely messaged on WhatsApp. So something tells me this isn't their first rodeo, and the potential loss is just collateral damage.

Does this mean that for once the scammers have lost? We'll see. At this point I think the issue is closed from an eBay perspective, so I'm planning to re-list the Ollee Watch for a much discounted price in the next few. If eBay subsequently request the money be returned to the scammy user, I'll just have to take the hit on that.

If you're based in the UK and interested in this watch, please get in touch using the reply button below.

Albeit now worth way less since it doesn't have the original Casio module, or any of the Ollee packaging. ↩

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.