Shellsharks Blogroll - BlogFlock

Completely oblivious people - Cool As Heck

2026-01-31T20:34:14.000Z

We just went to Wild Hare cider in Berryville. We usually love going there, but today we got there a few minutes before they opened at 2pm. We're sitting in the parking lot, and we see a car rush into the parking lot and a guy jumps out of the car and hurries into the building. Clearly, this guy was late for work.

So we give him a few minutes before going inside. He greets us and politely says that he is running a little late and just needs a few minutes to set up. We say "no problem" because we are looking around, as the place has changed a lot since we've been there over a year ago.

We finally sit down at the bar, he turns on Spotify on one of the TVs in the corner and starts playing music at a low volume, then turns on THE SHINING on the TV near us at the bar. Like yeah we just came for a drink and a horror movie.

It's important to know that this place is just a room in an old warehouse. It's not really heated. They have a couple heaters around the area but only one of them is on. We both still have our coats on as we're sitting at the bar, AND THIS DUDE OPENS THE GARAGE DOOR TO THE OUTSIDE. It's 18°F here today. We look at each other like "we gotta drink this shit and get the hell outta here" because we are going to freeze to death. About that time, another couple comes in and they're like "why is this door open? It's freezing!" The guys says "well I thought it was too dark in here." Both my wife and I and the other couple say "we would rather it be dark and warm." So he closes the door, but by that time we are basically done with our drinks and shivering, so we settled up and left.

Now we are home and it is time for a warm nap.

Book Review: With the End in Mind - Dying, Death and Wisdom in an Age of Denial by Kathryn Mannix ★★★⯪☆ - Terence Eden’s Blog

2026-01-31T12:34:55.000Z

Is it possible to "die well"? We have midwives for births, should we have "deathwives" for the other end of our lives? I think this book was recommended to me in the depths of the pandemic. I was too much of a chicken to read it while those around me were dying. The book aims to normalise the process of death and mostly succeeds. Unlike a lot of books, it doesn't just identify a problem - it provides pages of solutions. Every chapter ends with a series of questions to ask yourself (or your loved ones) about death.

At times, it is utterly heartbreaking and more than a little gruesome. Death is emotionally and physically distressing. Similarly, there are several stories which deal with the reality of assisted dying. I think the author comes down against euthanasia - but it certainly helps raise questions of whether repeatedly offering the option amounts to pressuring them into an unwanted decision.

It is a bit homespun and cloying. I felt like it painted quite a rosy picture of what death can look like. All the nurses are angels and the doctors have endless patience, there's always time for a cuppa and deathbed revelations are never awkward.

Oh, and there's a lovely aside about memorial benches being harbingers of doom, which I found quite amusing!

This will probably sit unread on your ebook for far too long - but it is worth cracking it open and thinking about the questions it raises.

Your Life is the Sum Total of 2,000 Mondays - Westenberg

2026-01-31T00:25:46.000Z

We plan our lives like we're editing a movie trailer.

The trip to Portugal, or the product launch, or the transformation photo at the gym. The big moment where everything crystallizes into meaning. We accumulate these peaks in our imagination, and then arrange them into a montage that proves our existence mattered, and that we really lived.

Then we spend the actual substance of our lives doing laundry and feeling crappy about it...

A few years ago, I saw Douglas Coupland (author of Microserfs and Generation X, and one of my personal favorite writers) on a panel at the Sydney Writers' Festival. One of the other panelists - an influencer with a recently published quasi-self-help memoir - delivered a long, dreamy anecdote about finding the true meaning of life while watching butterflies drift over a waterfall in some far-flung locale.

When she finished, the moderator asked Coupland what he thought.

He said butterflies and waterfalls are all well and good, but they're not real life. They're a flash in the pan - a spike of adrenaline and dopamine. And if you can only find meaning in those brief, luminous moments, you're in for a world of trouble.

Put it another way:

If you work a standard career from twenty-five to sixty-five, you'll experience roughly 2,080 Mondays. That's 2,080 alarm clocks set against your biological preferences and 2,080 inbox avalanches, plus 2,080 instances of navigating traffic or public transit while still metabolically processing the weekend. Add in the Tuesdays through Fridays, and you're looking at roughly 10,400 ordinary workdays across a career. Meanwhile, if you're fortunate enough to take two weeks of vacation annually for forty years, you'll accumulate 560 vacation days. The ratio is roughly 19:1 in favor of the mundane.

So we get to a question worth sitting with:

Do you actually like your average Monday?

The peak experience fallacy

Abraham Maslow spent decades studying what he called "peak experiences," those episodes of ecstasy and transcendence that seemed to characterize the healthiest human specimens. His 1964 work on self-actualization celebrated these episodes as evidence of psychological flourishing, and the positive psychology movement that followed made peak experience cultivation into something approaching a secular religion.

(And don't we love a good secular religion.)

But in Maslow's research he deliberately selected subjects he considered "self-actualizing" and then studied what made them tick. The peak experiences he documented were symptoms of people who'd already figured out something more fundamental.

What Maslow's self-actualizers actually had in common was what he would later come to call "plateau living," a sustained capacity to appreciate ordinary existence, to find the sacred in the quotidian. The peaks were outgrowths of the plateaus, not replacements for them.

Somehow, this part of the research didn't make it onto the Instagram motivation accounts.

Romanticism in the nineteenth century made the extraordinary moment into a spiritual imperative. Wordsworth's "spots of time," the vivid memories that restore the imagination, became cultural programming. We inherited the assumption that meaning lives in the exceptional rather than the everyday // that the proof of a life well-lived is a collection of dramatic set pieces.

The tolerated life problem

The psychologist Philip Zimbardo has a framework called "time perspective theory." People differ in how much mental weight they assign to past, present, and future. Future-oriented people tend to achieve more by conventional metrics, but they also exhibit a consistent pattern of sacrificing present satisfaction for hypothetical future rewards. When researchers follow these people over time, they find that the anticipated future keeps receding and the scaffolding remains permanent.

Seneca diagnosed this exact pathology in first-century Rome. He observed that people guard their property vigilantly but waste their time freely, treating it as an infinite resource. "You act like mortals in all that you fear, and like immortals in all that you desire," he wrote.

The barely tolerated Monday is a down payment on a life that never arrives, a perpetual advance payment for goods that don't ship.

Neuroplasticity works both ways. Every Monday you survive without presence, you're training your nervous system that survival is the appropriate response to ordinary life. The brain gets efficient at what it practices, and if it practices endurance, endurance becomes its resting state. You build tolerance in the drug addiction sense: you need more and more peak moments to feel alive because your baseline has been chemically optimized for numbness.

The architecture of an ordinary day

If your life is going to be 80% Mondays and their equivalents, the design specifications for Monday matter more than the design specifications for your vacation.

The three levers that actually move the needle on everyday experience are pretty much consistent: environment, commitments, body, and the way they interact.

The concrete physical and social circumstances of ordinary days are what matter.

Environment shapes behavior more powerfully than willpower. Kurt Lewin, the father of social psychology, called this "field theory" - behavior is a function of the person and their environment simultaneously. The architectural critic Christopher Alexander spent decades documenting how physical spaces create what he called "quality without a name," that feeling of aliveness and coherence that certain places generate. Your Monday morning unfolds in a specific physical context. If that context is cluttered and friction-laden, you're fighting your suroundings before you fight your inbox.

The writer Annie Dillard, in "The Writing Life:"

"How we spend our days is, of course, how we spend our lives."

She was talking specifically of the desk, the chair, the window, and the ritual of beginning. The container shapes the contents.

Commitments function as architecture too, but for time rather than space. Every standing meeting and every obligation you've accumulated is making claims on your Mondays whether you consciously choose it or not. The philosopher Harry Frankfurt distinguished between first-order desires (wanting something) and second-order desires (wanting to want something). Most people have a massive gap between what they'd choose if starting fresh and what they've accumulated through drift. Your calendar is probably full of first-order commitments that violate your second-order preferences for how you want to live.

The economist Albert Hirschman noted that people respond to deterorating situations through exit, through voice, through loyalty, or through some combination of these. Most people default to loyalty with their commitments, enduring obligations that no longer serve them because the activation energy for exit feels too high. But the asymmetry is real: the cost of one difficult conversation is finite, while the cost of tolerating an energy-draining commitment is infinite in the sense that it compounds for as long as you carry it.

Body is the substrate everything else runs on, but it's the lever people most consistently ignore when designing their days. You're not a brain piloting a meat vehicle but a single integrated system, and the state of the body on Monday morning is the state of you on Monday morning. The research on sleep and movement is tediously consistent: the basics matter more than the optimizations. No biohacking compensates for six hours of sleep and a pastry for breakfast. The Monday you experience is manufactured in the preceding twenty-four hours.

The Monday blueprint

Given all this, what would it look like to actually take Monday seriously as a design problem?

The first hour matters disproportionately. What you do between waking and starting work is the foundation that everything else builds on. If that first hour is wasted in ractive scrolling and rushed caffeine, you've primed your nervous system for a day of low-grade stress. If it's spent in intentional movement and even ten minutes of something that feels like choice rather than obligation, you've shifted the baseline entirely.

Most people's work blocks are structurally hostile to focus. Cal Newport has beaten the drum on deep work for years now, and the data supports him: the average knowledge worker can't go more than a few minutes without context-switching, and every switch carries cognitive costs. Your Monday needs a protected window, two hours minimum, where the work that actually matters happens without interruption; it needs the satisfaction that comes from making measurable progress on something that matters to you.

The body work is unglamorous: thirty minutes of movement and food that doesn't spike your blood sugar. Some kind of break from the sedntary. This is maintenance more than optimization, and treating it as optional is how you get to Friday afternoon feeling like you've been through the Somme.

Lastly: relationships.

One genuine human connection per Monday and one conversation that goes beyond the transactional changes the texture of the entire day.

The longitudinal research on wellbeing, from the Harvard Study of Adult Development running since 1938 to more recent epidemiological work, keeps landing on the same finding: the quality of human relationships is the single strongest predictor of flourishing.

...And that's about it.

It's not prescriptive.

There are no lifehacks.

But the blueprint works.

Building identity through iteration

Virtue is a practice, not a possession. You become what you repeatedly do, which means your Mondays are literally building the person you're becoming. Every Monday you survive is training you to be a survivor, and every Monday you engage with is training you to be someone who engages.

James Clear has popularized the notion of identity-based habits: rather than focusing on outcomes, focus on becoming the type of person who naturally produces those outcomes. Applied to Monday, the question shifts from "How do I get through this day?" to "Who is the person I'm becoming through how I spend this day?" The first question optimizes for survival while the second optimizes for construction.

Your life is made of ordinary days, and if those ordinary days are spent waiting for something better, you've wished away your existence.

The goal isn't a life with more peak moments. I think that's a false and ever-elusve pursuit. The goal is a life whose default setting doesn't require escape. Your future is made of boring days done on purpose, and a life you need a vacation from is a design problem rather than a motivation problem.

The most honest mirror you own is your calendar, and if you looked at your calendar for the last month without knowing whose it was, would you want that person's life?

In Louis Malle's 1981 film My Dinner with Andre, two old friends sit in a Manhattan restaurant and talk for two hours. And yes, that's the entire movie. And yes, it's one of the best films I've ever seen.

Andre Gregory, the theater director, has returned from years of seeking transcendence through increasingly elaborate experiences: working with Grotowski in Poland, being buried alive in a forest on Halloween, traveling to the Sahara, and participating in rituals designed to shatter ordinary consciousness. He describes these adventures with genuine wonder, convinced that modern life has anesthetized us and that only extreme experience can wake us up.

Wallace Shawn listens, fascinated but increasingly skeptical, and then he pushes back. Why, he asks, is it necessary to go to Mount Everest or get buried alive to appreciate existence? Why can't the awareness Andre found in a Polish forest be found right here, having a cup of coffee? "I think if you could become fully aware of what existed in the cigar store next door to this restaurant," Shawn says, "it would blow your head off."

This is The Work™️: learning to be fully present in a cigar store rather than accumulating butterflies and waterfalls or optimizing for the highlight reel. The transcendence Andre chased across continents was always available in the texture of an ordinary afternoon, an ordinary Monday. He couldn't access it because he believed that meaning lives in the hard-to-pin-down "elsewhere."

Your Mondays are not obstacles between you and your real life.

They are your real life, and all that remains is whether you're awake for them.

Note published on January 30, 2026 at 3:16 PM UTC - Molly White's activity feed

2026-01-30T15:16:14.000Z

Binance bitcoin bailout

It does not seem to me to bode well that they’re getting this nervous when the bitcoin price hasn’t even dropped below $80,000

Theatre Review: The Hitchhiker’s Guide to The Galaxy - Immersive Experience ★★★⯪☆ - Terence Eden’s Blog

2026-01-30T12:34:41.000Z

You've read the books, listened to the original radio performances, re-read the books, worn the t-shirt - and now it is time to be part of The Hitchhiker’s Guide to The Galaxy.

*Cue the music from Flight of the Sorcerer*

This is a 90-ish minute immersive experience. As well as a full cast of actors and a puppet android, there are ✨celebrity✨ voice cameos.

And songs! So many songs!

Pre Show

I'm always interested in how shows build excitement before a performance. We were encouraged to arrive early to stash our coats (a very reasonable £1 each) and soak up the atmosphere.

It mostly works! We're deposited into the pub with lots of texture. As well as multiple screens displaying a variety on in-jokes, the actors hobnob with the guests. Nifty!

Show

From a technology perspective, the show is astonishingly good. Laser display boards mixed with puppets, dry ice, surround sound, and a hundred little decorations to notice. The actors are witty and talented improvisers. They did well with the matinée audience who needed a little warming up. There's a bar halfway through the experience where you can buy a (typically overpriced) branded beer - but I'd recommend having a warm up Pan Galactic Gargle Blaster in the bar before the show.

Wandering around the Vogon ship is a sonic and visual delight. The chaos of running between the sets feels utterly on-brand for H2G2. The sets are lush and, as mentioned, the technology integrates well with the story.

So, about the story.

There is no continuity in this franchise. Canon is noticeable by its absence and you should throw most of your preconceptions of plot out of the window. This isn't a cosy retread of the books you loved, nor is it a something entirely new. Essentially it is a series of sketches ripped and remixed from various versions. It kind of felt like there was a missing segment in the show - characters disappeared (to go perform for the next set of participants) and then reappeared.

If you have even a passing familiarity with H2G2 (in any of its forms) then I think you'll enjoy it. If not, I think it is a little scattershot. 90 minutes isn't enough to build up much of the complexity or tension in the drama. That said, it is rather jolly fun and surprisingly tender.

Post Show

It isn't quite "exit through the gift shop" but not far off. I remember how the end of the Alien experience in the Trocadero had audience members running out into a public area - here it's a gentle stroll into the bar.

This is a worthy addition to the many different adaptations of Douglas Adams' opus.

The experience runs until the 15th of February at the Riverside Studios. Tickets start at, of course, £42.

Celebrating our 2025 open-source contributions - Trail of Bits Blog

2026-01-30T12:00:00.000Z

Last year, our engineers submitted over 375 pull requests that were merged into non–Trail of Bits repositories, touching more than 90 projects from cryptography libraries to the Rust compiler.

This work reflects one of our driving values: “share what others can use.” The measure isn’t whether you share something, but whether it’s actually useful to someone else. This principle is why we publish handbooks, write blog posts, and release tools like Claude skills, Slither, Buttercup, and Anamorpher.

But this value isn’t limited to our own projects; we also share our efforts with the wider open-source community. When we hit limitations in tools we depend on, we fix them upstream. When we find ways to make the software ecosystem more secure, we contribute those improvements.

Most of these contributions came out of client work—we hit a bug we were able to fix or wanted a feature that didn’t exist. The lazy option would have been forking these projects for our needs or patching them locally. Contributing upstream instead takes longer, but it means the next person doesn’t have to solve the same problem. Some of our work is also funded directly by organizations like the OpenSSF and Alpha-Omega, who we collaborate with to make things better for everyone.

Key contributions

Sigstore rekor-monitor: rekor-monitor verifies and monitors the Rekor transparency log, which records signing events for software artifacts. With funding from OpenSSF, we’ve been getting rekor-monitor ready for production use. We contributed over 40 pull requests to the Rekor project this year, including support for custom certificate authorities and support for the new Rekor v2. We also added identity monitoring for Rekor v2, which lets package maintainers configure monitored certificate subjects and issuers and then receive alerts whenever matching entries appear in the log. If someone compromises your release process and signs a malicious package with your identity, you’ll know.
Rust compiler and rust-clippy: Clippy is Rust’s official linting tool, offering over 750 lints to catch common mistakes. We contributed over 20 merged pull requests this year. For example, we extended the implicit_clone lint to handle to_string() calls, which let us deprecate the redundant string_to_string lint. We added replacement suggestions to disallowed_methods so that teams can suggest alternatives when flagging forbidden API usage, and we added path validation for disallowed_* configurations so that typos don’t silently disable lint rules. We also extended the QueryStability lint to handle IntoIterator implementations in rustc, which catches nondeterminism bugs in the compiler. The motivation came from a real issue we spotted: iteration order over hash maps was leaking into rustdoc’s JSON output.
pyca/cryptography: pyca/cryptography is Python’s most widely used cryptography library, providing both high-level recipes and low-level interfaces to common algorithms. With funding from Alpha-Omega, we landed 28 pull requests this year. Our work was aimed at adding a new ASN.1 API, which lets developers define ASN.1 structures using Python decorators and type annotations instead of wrestling with raw bytes or external schema files. Read more in our blog post “Sneak peek: A new ASN.1 API for Python.”
hevm: hevm is a Haskell implementation of the Ethereum Virtual Machine. It powers both the symbolic and concrete execution in Echidna, our smart contract fuzzer. We contributed 14 pull requests this year, mostly focused on performance: we added cost centers to individual opcodes to ease profiling, optimized memory operations, and made stack and program counter operations strict, which got us double-digit percentage improvements on concrete execution benchmarks. We also implemented cheatcodes like toString to improve hevm’s compatibility with Foundry.
PyPI Warehouse: Warehouse powers the Python Package Index (PyPI), which serves over a billion package downloads per day. We continued our long-running collaboration with PyPI and Alpha-Omega, shipping project archival support so that maintainers can signal when packages are no longer actively maintained. We also cut the test suite runtime by 81%, from 163 to 30 seconds, even as test coverage grew to over 4,700 tests.
pwndbg: pwndbg is a GDB and LLDB plugin that makes debugging and exploit development less painful. Last year, we packaged LLDB support for distributions and improved decompiler integration. We also contributed pull requests to other tools in the space, including pwntools, angr, and Binary Ninja’s API.

A merged pull request is the easy part. The hard part is everything maintainers do before and after: writing extensive documentation, keeping CI green, fielding bug reports, explaining the same thing to the fifth person who asks. We get to submit a fix and move on. They’re still there a year later, making sure it all holds together.

Thanks to everyone who shaped these contributions with us, from first draft to merge. See you next year.

Trail of Bits’ 2025 open-source contributions

AI/ML

Repo: majiayu000/litellm-rs
- By smoelius
  - #3: Specify Anthropic key with x-api-key header
Repo: mlflow/mlflow
- By Ninja3047
  - #18274: Fix type checking in truncation message extraction (#18249)
Repo: simonw/llm
- By dguido
  - #950: Add model_name parameter to OpenAI extra models documentation
Repo: sst/opencode
- By Ninja3047
  - #4549: tweak: Prefer VISUAL environment variable over EDITOR per Unix convention

Cryptography

Languages and compilers

Software analysis/transformation tools

Repo: pygments/pygments
- By DarkaMaul
  - #2819: Add CodeQL lexer
Repo: quarkslab/bgraph
- By DarkaMaul
  - #8: Archive project

Packaging ecosystem/supply chain

Others

Repo: AzureAD/microsoft-authentication-extensions-for-python
- By DarkaMaul
  - #144: Add missing import in token_cache_sample
Repo: SchemaStore/schemastore
- By woodruffw
  - #4635: github-workflow: workflow_call.secrets.*.required is not required
  - #4637: github-workflow: trigger types can be an array or a scalar string
Repo: google/gvisor
- By ret2libc
  - #12325: usertrap: disable syscall patching when ptraced
Repo: oli-obk/cargo_metadata
- By smoelius
Repo: ossf/alpha-omega
- By woodruffw
Repo: rustsec/advisory-db
- By DarkaMaul
  - #2169: Protobuf DoS
- By smoelius
  - #2289: Withdraw RUSTSEC-2022-0044

Published on Citation Needed: "Issue 100 – Freedom of all kinds is worth fighting for" - Molly White's activity feed

2026-01-29T22:38:50.000Z

Published an issue of Citation Needed:

Issue 100 – Freedom of all kinds is worth fighting for

As masked agents execute people and terrorize communities, crypto executives who spent years posting about freedom fall conspicuously silent — except when writing checks for the politicians enabling it

Book Review: The Players Act 1 by Amy Sparkes ★★⯪☆☆ - Terence Eden’s Blog

2026-01-29T12:34:04.000Z

So! Much! Melodrama!

This is a gently funny (and slightly tragic) romp with a band of travelling ~~vagrants~~ actors as they attempt to ply their renditions of Shakespeare to an indifferent 1700ish audience. There's a lot of charm to the characters and the plot is relatively straightforward.

The characters are a bit one-note. The baddie never actually twirls his moustache - but you'll instantly picture him doing it every time he appears. The others very much stay in their lane; the feisty woman who would rather wear trousers, the wide-eyed idealist, the grumpy father. It's rather like they're stock comedia dell'arte tropes come to life.

While there are some lovely lines (and excellent swearing), the story meanders back and forth a bit too much for my liking. I'm possibly not the target audience as I guess this is aimed at the older teen crowd.

I appreciate the book being made available without DRM. How refreshing to pay for a book and receive an unencumbered ePub; no need to liberate it from the clutches of Adobe!

Building cryptographic agility into Sigstore - Trail of Bits Blog

2026-01-29T12:00:00.000Z

Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our current signatures will fail, but whether we’re prepared for when they do.

Sigstore, an open-source ecosystem for software signing, recognized this challenge early but initially chose security over flexibility by adopting new cryptographic algorithms as older ones became obsolete. By hard coding ECDSA with P-256 curves and SHA-256 throughout its infrastructure, Sigstore avoided the dangerous pitfalls that have plagued other crypto-agile systems. This conservative approach worked well during early adoption, but as Sigstore’s usage grew, the rigidity that once protected it began to restrict its utility.

Over the past two years, Trail of Bits has collaborated with the Sigstore community to systematically address the limitations of aging cryptographic signatures. Our work established a centralized algorithm registry in the Protobuf specifications to serve as a single source of truth. Second, we updated Rekor and Fulcio to accept configurable algorithm restrictions. And finally, we integrated these capabilities into Cosign, allowing users to select their preferred signing algorithm when generating ephemeral keys. We also developed Go implementations of post-quantum algorithms LMS and ML-DSA, demonstrating that the new architecture can accommodate future cryptographic standards. Here is what motivated these changes, what security considerations shaped our approach, and how to use the new functionality.

Sigstore’s cryptographic constraints

Sigstore hard codes ECDSA with P-256 curves and SHA-256 throughout most of its ecosystem. This rigidity is a deliberate design choice. From Fulcio certificate issuance to Rekor transparency logs to Cosign workflows, most steps default to this same algorithm. Cryptographic agility has historically led to serious security vulnerabilities, and focusing on a limited set of algorithms reduces the chance of something going wrong.

This conservative approach, however, has created challenges as the ecosystem has matured. Various organizations and users have vastly different requirements that Sigstore’s rigid approach cannot accommodate. Here are some examples:

Compliance-driven organizations might need NIST-standard algorithms to meet regulatory requirements.
Open-source maintainers may want to sign artifacts without making cryptographic decisions, relying on secure defaults from the public Sigstore instance.
Security-conscious enterprises may want to deploy internal Sigstore instances using only post-quantum cryptography.

Furthermore, software artifacts remain in use for decades, meaning today’s signatures must stay verifiable far into the future, and the cryptographic algorithm used today might not be secure 10 years from now.

These challenges can be addressed only if Sigstore allows for a certain degree of cryptographic agility. The goal is to enable controlled cryptographic flexibility without repeating the security issues that have affected other crypto-agile systems. To address this, the Sigstore community has developed a design document outlining how to introduce cryptographic agility while maintaining strong security guarantees.

The dangers of cryptographic flexibility

The most infamous example of problems caused by cryptographic flexibility is the JWT alg: none vulnerability, where some JWT libraries treated tokens signed with the none algorithm as valid tokens, allowing anyone to forge arbitrary tokens and “sign” whatever payload they wanted. Even more subtle is the RSA/HMAC confusion attack in JWT, where a mismatch between what kind of algorithm a server expects and what it receives allows anyone with knowledge of the RSA public key to forge tokens that pass verification.

The fundamental problem in both cases is in-band algorithm signaling, which allows the data to specify how it should be protected. This creates an opportunity for attackers to manipulate the algorithm choice to their advantage. As the cryptographic community has learned through painful experience, cryptographic agility introduces significant complexity, leading to more code and increased potential attack vectors.

The solution: Controlled cryptographic flexibility

Instead of allowing users to mix and match any algorithms they want, Sigstore introduced predefined algorithm suites, which are complete packages that specify exactly which cryptographic components work together.

For example, PKIX_ECDSA_P256_SHA_256 not only includes the signing algorithm (ECDSA P-256), but also mandates SHA-256 for hashing. A PKIX_ECDSA_P384_SHA_384 suite pairs ECDSA P-384 with SHA-384, and PKIX_ED25519 uses Ed25519 and SHA-512. Users can choose between these suites, but they can’t create dangerous combinations, such as ECDSA P-384 with MD5.

Critically, the choice of which algorithm to use comes from out-of-band negotiation, meaning it’s determined by configuration or policy, not by the data being signed. This prevents the in-band signaling attacks that have plagued other systems.

The implementation

To enable cryptographic agility across the Sigstore ecosystem, we needed to make coordinated changes that would work together seamlessly. Cryptography is used in several places within the Sigstore ecosystem; however, we primarily focused on enabling clients to change the signing algorithm used to sign and verify artifacts, as this would have a significant impact on end users. We tackled this change in three phases.

Phase 1: Establishing common ground

We introduced a centralized algorithm registry in the Protobuf specifications that defines all allowed algorithms and their details. We also implemented default mappings from key types to signing algorithms (e.g., ECDSA P-256 keys automatically use ECDSA P-256 + SHA-256), eliminating ambiguity and providing a single source of truth for all Sigstore components.

Phase 2: Service-level updates

We updated Rekor and Fulcio with a new --client-signing-algorithms flag that lets deployments specify which algorithms they accept, enabling custom restrictions like Ed25519-only or future post-quantum-only deployments. We also fixed Fulcio to use proper hash algorithms for each key type (SHA-384 for ECDSA P-384, etc.) instead of defaulting everything to SHA-256.

Phase 3: Client integration

We updated Cosign to support multiple algorithms by removing hard-coded SHA-256 usage and adding a --signing-algorithm flag for generating different ephemeral key types. Currently available in cosign sign-blob and cosign verify-blob, these changes let users bring their own keys of any supported type and easily select their preferred cryptographic algorithm when ephemeral keys are used. Other clients implementing the Sigstore specification can choose which set of algorithms to use, as long as it is a subset of the allowed algorithms listed in the algorithm registry.

Validation: Proving it works

To demonstrate the flexibility of our new architecture, we developed HashEdDSA (Ed25519ph) support in both Rekor and the Sigstore Go library and created Go implementations of post-quantum algorithms LMS and ML-DSA. This work proved that our modular architecture can accommodate diverse cryptographic algorithms and provides a solid foundation for future additions, including post-quantum cryptography.

Cryptographic flexibility in action

Let’s see this cryptographic flexibility in action by setting up a custom Sigstore deployment. We’ll configure a private Rekor instance that accepts only ECDSA P-521 with SHA-512 and RSA-4096 with SHA-256, by using the --client-signing-algorithms flag, demonstrating both algorithm restriction and the new Cosign capabilities.

~/rekor$ git diff
diff --git a/docker-compose.yml b/docker-compose.yml
index 3e5f4c3..93e0d10 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -120,6 +120,7 @@ services:
 "--enable_stable_checkpoint",
 "--search_index.storage_provider=mysql",
 "--search_index.mysql.dsn=test:zaphod@tcp(mysql:3306)/test",
+ "--client-signing-algorithms=ecdsa-sha2-512-nistp521,rsa-sign-pkcs1-4096-sha256",
 # Uncomment this for production logging
 # "--log_type=prod",
 ]

$ docker compose up -d

Let’s create the artifact and use Cosign to sign it:

$ echo "Trail of Bits & Sigstore" > msg.txt
$ ./cosign sign-blob --bundle cosign.bundle --signing-algorithm=ecdsa-sha2-512-nistp521 --rekor-url http://localhost:3000 msg.txt
Retrieving signed certificate...
Successfully verified SCT...
Using payload from: msg.txt
tlog entry created with index: 111111111
Wrote bundle to file cosign.bundle
qzbCtK4WuQeoeZzGP1111123+...+j7NjAAAAAAAA==

This last command performs a few steps:

Generates an ephemeral private/public ECDSA P-521 key pair and gets the SHA-512 hash of the artifact (--signing-algorithm=ecdsa-sha2-512-nistp521)
Uses the ECDSA P-521 key to request a certificate to Fulcio
Signs the hash with the certificate
Submits the artifact’s hash, the certificate, and some extra data to our local instance of Rekor (--rekor-url http://localhost:3000)
Saves everything into the cosign.bundle file (--bundle cosign.bundle)

We can verify the data in the bundle to ensure ECDSA P-521 was actually used (with the right hash function):

$ jq -C '.messageSignature' cosign.bundle
{
 "messageDigest": {
 "algorithm": "SHA2_512",
 "digest": "WIjb9UuEBgdSxhRMoz+Zux4ig8kWY...+65L6VSPCKCtzA=="
 },
 "signature": "MIGIAkIBRrn.../zgwlBT6g=="
}

$ jq -r '.verificationMaterial.certificate.rawBytes' cosign.bundle | base64 -d | openssl x509 -text -noout -in /dev/stdin | grep -A 6 "Subject Public Key Info"
 Subject Public Key Info:
 Public Key Algorithm: id-ecPublicKey
 Public-Key: (521 bit)
 pub:
 04:01:36:90:6c:d5:53:5f:8d:4b:c6:2a:13:36:69:
 31:54:e3:2d:92:e0:bd:d5:77:35:37:62:cd:6a:4d:
 9f:32:83:97:a7:0d:4e:48:73:fe:3c:a2:0f:f2:3d:

Now let’s try a different key type to see if it’s rejected by Rekor. To generate a different key type, we just need to switch the value of --signing-algorithm in Cosign:

$ ./cosign sign-blob --bundle cosign.bundle --signing-algorithm=ecdsa-sha2-256-nistp256 --rekor-url http://localhost:3000 msg.txt
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...
Using payload from: msg.txt
Error: signing msg.txt: [POST /api/v1/log/entries][400] createLogEntryBadRequest {"code":400,"message":"error processing entry: entry algorithms are not allowed"}
error during command execution: signing msg.txt: [POST /api/v1/log/entries][400] createLogEntryBadRequest {"code":400,"message":"error processing entry: entry algorithms are not allowed"}

As we can see, Rekor did not allow Cosign to save the entry (entry algorithms are not allowed), as ecdsa-sha2-256-nistp256 was not part of the list of algorithms allowed through the --client-signing-algorithms flag used when starting the Rekor instance.

Future-proofing Sigstore

The changes that Trail of Bits has implemented alongside the Sigstore community allow organizations to use different signing algorithms while maintaining the same security model that made Sigstore successful.

Sigstore now supports algorithm suites from ECDSA P-256 to Ed25519 to RSA variants, with a centralized registry ensuring consistency across deployments. Organizations can configure their instances to accept only specific algorithms, whether for compliance requirements or post-quantum preparation.

The foundation is now in place for future algorithm additions. As cryptographic standards evolve and new algorithms become available, Sigstore can adopt them through the same controlled process we’ve established. Software signatures created today will remain verifiable as the ecosystem adapts to new cryptographic realities.

Want to dig deeper? Check out our LMS and ML-DSA Go implementations for post-quantum cryptography, or run --help on Rekor, Fulcio, and Cosign to explore the new algorithm configuration options. If you’re looking to modernize your project’s cryptography to current standards, Trail of Bits’ cryptography consulting services can help you get on the right path.

We would like to thank Google, OpenSSF, and Hewlett-Packard for having funded some of this work. Trail of Bits continues to contribute to the Sigstore ecosystem as part of our ongoing commitment to strengthening open-source security infrastructure.

Are there any open APIs left? - Terence Eden’s Blog

2026-01-28T12:34:01.000Z

One of the dreams of Web 2.0 was that website would speak unto website. An "Application Programming Interface" (API) would give programmatic access to structured data, allowing services to seamlessly integrate content from each other. Users would be able to quickly grab data from multiple sources and use them for their own purposes. No registration or API keys, no tedious EULAs or meetings. Just pure synergy!

Is that dream dead? If so, what killed it?

A decade ago, I posted a plea looking for Easy APIs Without Authentication with a follow up post two years later. I wanted some resources that students could use with minimal fuss. Are any of the APIs from 10 years ago still alive?

Alive

These ones are still around:

Wikipedia - Yes! Still going strong.
Police.uk - Yes! After a brief dalliance with API registration, it is now back to being completely free and open.
Google Books ISBN - Yes! Obviously Google have forgotten it exists; otherwise it would have been killed off by now!
iTunes Lookup - Yes! Possibly the only thing Apple don't charge a premium for.
Pokémon API - and still receiving frequent updates.
MusicBrainz - this Internet stalwart will never die.
Open Notify - a collection of space APIs, although the code hasn't been updated in ages.

Dead

These have shuffled off this mortal coil:

BBC Radio 1 - No.
Twitter URL statistics - LOLSOB No.
Star Wars API - No.
British National Bibliography - No. Dead due, I think to the British Library's cyber attack.
Football Data - gone.

API Key Required

These are still alive, but you either need to pay or register to use them:

What Happened?

Something something … enshittification … blah blah … zero interest rate phenomenon … yadda yadda our incredible journey …

But back in the land of rationality, I've had a lots of experiences running APIs and helping people who run them. The closure and lockdown of APIs usually comes down to one or more of the following.

APIs cost money to run. Yes, even the static ones have a non-zero cost. That's fine if you're prepared to endless subsidise them - but it is hard to justify if there's no return on investment. Anyway, who is using all this bandwidth? Which leads on to:

Lack of analytics. Yes, I know tracking is the devil, but it is hard to build a service if you don't know who is using it. Sure, you can see traffic, but you can't tell if it is useful to the end consumer, or what value you can share. There's no way to communicate with an anonymous consumer. Which, of course, takes us to the next barrier:

Communication is key. If you need to change your API, there's no way to tell users that a change is coming. That might be the announcement of a deprecation, an outage, or an enhancement. You can try smuggling error messages into your responses and hoping someone notices a failing service somewhere - but it's much easier to email everyone who has an API key. And you know what else keys are good for?

Stopping abuse. It'd be nice if everyone played nice online; but some people are raging arseholes. Being able to throttle bad actors (figuratively or literally) is a desirable feature. On a resource constrained service, you sometimes have to put rules in place.

Still, if you know of any good open APIs which don't require registration, and that you think will survive until 2036, please drop a link in the comments.

Home alone, movie nights, Silksong returns - W04 - Joel's Log Files

2026-01-27T22:10:30.000Z

This week was a rather cold one, it rained on the weekend and the days have been much chiller since then. It’s winter so it’s to be expected, but the region where I live isn’t often this cold!

In any case not a lot of things happened this time around, but I do feel like writing just a bit more, so there you go!

💪 I didn’t go to the gym this week, but that’s perfectly okay. My parents went on a trip the whole week and I prefer to enjoy my time home alone!
🍿 Instead of playing a lot of videogames, I decided to do something a little bit more passive and just watch movies! Like my previous runs with Tron or Alien, I decided this time to just watch films from the 80s, and also Megamind, but whatever, more about this in the section below! Maybe I should keep watching the Terminator films though…
🕹️ This weekend was one of the few where my friends didn’t show up to do some multiplayer gaming, it was a pretty chill time, to be honest. As great as it is to play together, I am an introvert at heart, and I appreciate being by myself with no outside pressure to do anything else! I played a bunch of Silksong.
😴 I continue to procrastinate on writing blogposts… I have this one post about block-pushing puzzles on videogames that is pretty much done and I am yet to publish for no real reason, it’s actually rather long, and the reason is I feel I should take screenshot but I am too lazy to do it.
🖥️ Work continues to be pretty chill, no real complaints, but I’ve noticed an increase in the amount of time I spent sitting on my desk instead of standing up. I can adjust the height, I just started to get lazy…
🧥 Maybe it’s because of the season, but I’ve started to feel very good about my body lately, like, I have even worn buttoned shirts and left them tucked in because I like how I look. I somehow lost weight during Christmas time, so maybe that’s helping too. Point is, I will keep going to the gym and I will try to stay healthy, but, I am quite content with myself.

Gaming

I’m rather surprised at how much gaming happened this time around, I’m glad I got a nice balance going.

🪡 Hollow Knight: Silksong - I returned to this beauty and since I want to do 100% of what this game has to offer, I have faced against some new bosses in some hidden areas. I am also making my way through Bilewater, the worse area in the game, and got to one of the most hideous boss fights against a gauntlet of enemies followed by a rather tedious boss. I managed to defeat it in the end though, achieveing ultimate glory!
🏫 The Hundred Line: Last Defense Academy - I ended up returning to this game for quite a bit! I completed a boss fight and progressed through the alternative route I’ve been playing for a while. It continues to be extremely interesting and engaging!
🚀 Outer Wilds - I didn’t get to play as much this time around, but I explored a bit and found some more clues about what is going on in this world, progressing through the game, gathering knowledge and stuff. Amazing game in every sense!
⚔️ Slice & Dice - I had an extremely good run of Blursed Mode where I managed to win 140 times before I messed up badly, such is life someitmes.

Watching

Lots of movies were watched this week! Actually kind of sick, all of these absolute masterpieces.

The Terminator - I had never watched this movie from start to finish, maybe the finale a few times, I was familiar with the story, but the film itself was a bit of a blur. Honestly this was surprising. I always heard Terminator 2 was the better action flick, but the thriller and the chases and the violence of this one had me on the edge of my seat. I didn’t expect to see much of the future at all, but showing the despair and the dire situation in those flashbacks—more like flashforwards?—was very, very interesting. The set pieces, the visual effects, everything here was amazing to watch.
Back to the Future - This movie is my childhood, showing up on Canal 5—a public mexican TV channel—quite often. Watching it myself without many distractions or advertising was pretty fun! Can’t belive I took so long for that. This movie holds up super well and it’s a masterpiece of its time. These characters and moments are simply iconic, I got the Casio calculator because of this.
Megamind - Its been years since the last time I rewatched this, and it still holds up amazingly well. Definitely one of the best animated movies, with great writing and fun, but a genuinely good message and lesson as well. Quite a bit of nuance and thought provoking moments that are rare to see mixed in with the comedy and action this has.

Reading

I keep on without reading as much as I could, ugh I gotta step up in February…

Persepolis Rising - Finished chapter… 1. Yeah I’ve been slacking on this one, my bad! But at least I’m seeing a couple of returning characters at last, which has been fun.
Blue Lock - Until chapter 332. Just following the weekly release at this point! It’s fun!
DanDaDan - Until chapter 202. Finally decided to catch up a bit on DanDaDan which I kinda stopped reading for a few months, still fun!

Around the Web

Not videos this time around! Just some neat blogs I thought I’d share.

It’s not procrastination. It’s a side quest - Dave is doing Dave things and trying to justify himself about not doing things he should do.
What is the oldest thing you own? - This genuinely seems like a very fun theme, I should try and write about it, but I haven’t even finished my yearly recaps.
Talent can be quiet, if you want it to be - It’s nice to just enjoy hobbies without monetizing everything, but we live in a society…
New format for digest posts - Sam decided to change the style of his weeknotes and now it’s truly a log of posts and things that happened in real time! Interesting.
Being positive about tech right now - Things seem to go bad all the time, but it’s good to stay hopeful, I truly hope things will get better soon.

Reply to this post via email | Reply on Fediverse

Journalism lost its culture of sharing - Werd I/O

2026-01-27T16:36:40.000Z

[Scott Klein and Ben Welsh in Source]

I agree, strongly, with this piece about (re)building an open source culture in news by Scott Klein and Ben Welsh. But then, I would: I spent over a decade working to build open source communities, and then another decade and change working alongside and then inside newsrooms.

So it’s to my chagrin that the newsroom where I currently serve as Senior Director of Technology is one of the places listed here where open source contributions have significantly dropped off:

“At ProPublica, teams published detailed white papers alongside major investigations, explaining their quantitative methodologies with scientific rigor, allowing other researchers to verify and learn from their work. Major news organizations ran active blogs where they shared techniques and lessons learned. Conference presentations at NICAR and elsewhere became venues for passing along hard-won knowledge.”

The effect of this work didn’t just lift the work of journalism, it attracted new people to it:

“This culture made newsrooms more attractive places to work for civic-minded technologists. If you had programming skills and wanted to use them to make a difference, journalism offered you the chance to build things that mattered and share them with the world.”

I think there’s a lot to be gained by collaborating on an open source basis. We typically run small, resource-constrained teams where building new software is contextually hard. And we have problems that, if they’re not identical, are at least significantly overlapping; by not collaborating on them, we further an ecosystem where low-resource organizations are all solving the same sorts of things with very few people and very little money in parallel.

I was present at the News Product Alliance Summit session described in this piece, and I think the analysis of both the causes of this decline and some of the solutions are spot on. I was particularly enamored by the idea of an Open Source Editor (or director — does everything in news need to be an editor?) and public recognition for great open technical work in the field of journalism.

I think it’s also worth saying that open source, done well, is about much more than just releasing your code. A good open source project is a community, not a package. So there’s a lot of ecosystem development and community management involved to foster the kind of real collaboration that is required for this to succeed — even after newsrooms have overcome the institutional hurdles to releasing their work in the first place.

I’m really grateful that Scott and Ben have been championing this cause. I’m right there with them, and I’ll do what I can to help. It’s a concrete way we can build a more successful, efficient news ecosystem with stronger technology capabilities, and that’s something we should all want.

[Link]

Book Review: Doppelganger - A Trip Into the Mirror World by Naomi Klein ★★★★☆ - Terence Eden’s Blog

2026-01-27T12:34:06.000Z

This book is excellent at describing the symptoms of madness which have beset the world. It expertly diagnoses the causes which have led so many people into a mirror-realm of fantasy. Sadly it falls short of prescribing a cure. I doubt anyone who has fallen into the conspiracy mindset will read this book - but I hope if you read it you will become inoculated against the brain-worms.

Let's start at the beginning.

If the Naomi be Klein
you’re doing just fine
If the Naomi be Wolf
Oh, buddy. Ooooof.

How did Naomi's titular doppelganger move from feminism to fanaticism? How do well-meaning people square the circle of aligning themselves to people who spread hate?

At the same time, how do people like Naomi Klein justify spending hours obsessively listening to hate preachers? Can you stare into the abyss without it staring back into you? I'm not entirely sure that it is possible to binge on madness and stay objective. It reminds me of this classic:

“don’t use q-tips to clean your ears, you’ll just push the wax in further!!” well, yeah, sure, except for my special technique. if I use my special technique then it’s fine.

There's a deep well of sadness running through the book. So many people with an unending stream of pain clutching on to anything which might give them purchase in a confusing an uncertain world. Is it any wonder some of them latch on to weird racists with their simple solutions to complex problems?

The depressing thing is that sometimes the conspiracy-theorists are right. They can see that there are global conspiracies - but attribute them to [ethnic minorities|Marxists|the gays] rather than rapacious capitalists. Similarly, there are bitter lessons for the intellectual left who have comprehensively failed to advance progressive arguments and values. Many of us are more concerned with the purity of theory rather than implementation. You can't shame the public into understanding.

There's a slightly weak section on algorithmic amplification of abuse. Depressingly, Klein points out the perils of oligarch-owned social media yet she is still on Twitter and hasn't joined more equitable platforms.

The book also straddles an uneasy line between reportage and public therapy. Large parts feel like self-flagellation mixed with Freudian self-analysis. It demonstrates exactly how the grift works, why it is so effective, and what the surge of irrationality is doing to the world.

Perhaps I can fix it if I just read one more book. Just one more paragraph will make it all make sense. I'll grab on to the classics in the intellectual library to stop me sliding down the path to oblivion. Just one more book.

Started reading Summer Knight - Molly White's activity feed

2026-01-27T05:20:06.000Z

Started reading:

The Dresden Files series, book 4.

Summer Knight

by Jim Butcher.

Published 2002. 446 pages.

Started January 27, 2026.

Finished reading Grave Peril - Molly White's activity feed

2026-01-27T04:58:03.000Z

Finished reading:

The Dresden Files series, book 3.

Grave Peril

by Jim Butcher.

Published 2001. 378 pages.

Started January 20, 2026; completed January 26, 2026.

Why Intelligence Is a Terrible Proxy for Wisdom - Westenberg

2026-01-27T00:34:31.000Z

Isaac Newton, one of the greatest scientific minds in human history, lost a fortune in the South Sea Bubble of 1720.

After initially making money and selling his shares, he bought back in at the peak, watching helplessly as the stock collapsed. His reported loss was around £20,000, equivalent to several million dollars today. Newton invented calculus and described the laws governing planetary motion, but he couldn’t resist a speculative mania that, in retrospect, had all the hallmarks of obvious fraud. “I can calculate the movement of stars,” Newton allegedly said, “but not the madness of men.”

In the 2020’s, Newton might have been all-in on Crypto...

Linus Pauling won two Nobel Prizes, one in Chemistry and one in Peace, making him one of only five people to win the Peace Prize twice. And he spent the last decades of his life promoting megadose vitamin C as a cure for the common cold and, eventually, cancer, based on theories that never held up to rigorous testing. Bobby Fischer, the greatest chess player who ever lived, descended into paranoid antisemitic conspiracy theories after his world championship victory. John von Neumann, the polymath who contributed to quantum mechanics, game theory, computer science, and economics, was reportedly a terrible driver who wrecked cars with alarming frequency despite being able to perform complex calculations in his head.

Sometimes, brilliant people end up spectacularly, catastrophically wrong in ways that ordinary people avoid.

Because sometimes, brilliant people have extraordinary blind spots.

And, every now and then, a brilliant person can be a complete fool.

Popular belief (and hoards of Elon Musk fans on Twitter) holds that smart individuals - the geniuses we laud - should make fewer errors across all domains. If you have more processing power and superior reasoning abilities, surely you’ll arrive at correct conclusions more often than someone without those gifts.

But this model treats the brain like a calculator that either works well or poorly, when it’s actually more like a lawyer: capable of arguing any position with varying degrees of skill. Give a mediocre lawyer a bad case, and there is a better-than-not likelihood they’ll lose. Give a brilliant lawyer a bad case, and they’ll construct an elaborate, internally consistent, superficially compelling argument for why they should win anyway. See: Boston Legal.

Intelligence doesn’t merely help you find truth. It helps you construct persuasive narratives. And the person most easily persuaded by your narratives is yourself.

Francis Bacon identified this problem four centuries ago, writing about the “idols of the mind” that distort human reasoning. The intelligent person excels at building coherent worldviews and defending positions against attack. These are precisely the skills that make motivated reasoning so dangerous when they’re turned inward.

Simply put: smart people, by virtue of being very fucking smart, are better at constructing post-hoc rationalizations for beliefs they hold for emotional or social reasons. Everyone does this to some extent. We form impressions and then search for evidence to support them. But intelligent people search more effectively. They find better evidence, or at least better-sounding evidence. They anticipate counterarguments and preemptively defuse them. They build fortresses of logic around conclusions they reached for entirely non-logical reasons, and those fortresses can become so elaborate and well-defended that the person living inside them never realizes they’re trapped.

Philip Tetlock’s research on expert political judgment found that the experts with the most impressive credentials and the strongest reputations for insight performed barely better than chance at predicting geopolitical events, and sometimes performed worse than simple algorithms. The experts who performed best tended to be what Tetlock called “foxes” rather than “hedgehogs,” borrowing from Archilochus’s ancient distinction. Hedgehogs know one big thing and apply it everywhere, while foxes know many small things and adapt flexibly. The hedgehogs were frequently the most intelligent and articulate members of the sample. They also consistently overestimated their own accuracy and failed to update their beliefs when predictions went wrong.

Intelligence, it seems, can produce a particularly fraught form of intellectual pride. You’ve been right so many times before, in so many situations, in ways that others couldn’t match.

Milton’s Satan in Paradise Lost is brilliant and utterly self-deceived, constructing an entire theology to justify his rebellion while remaining blind to his own vanity. Dostoevsky’s Underground Man is excruciatingly self-aware and analytically sophisticated, using that sophistication primarily to torture himself and others while accomplishing nothing. Faust trades his soul for knowledge, only to find that knowledge without wisdom leads to destruction.

Why?

First, there’s the tendency to mistake complexity for correctness. Simple explanations feel too simple for someone who can handle complexity, so they reach for more elaborate theories even when Occam’s razor should apply.
Second, the ability to construct unfalsifiable frameworks that explain everything while predicting nothing, intellectual houses of cards that look impressive from the outside but contain no load-bearing walls.
Third, the social reinforcement that comes from being consistently regarded as the smartest person in the room, which makes it harder to accept that someone with less raw intelligence might be right when you’re wrong.
And fourth, the way that verbal facility can substitute for actual understanding, allowing someone to explain something convincingly without genuinely comprehending it themselves.

Wisdom is knowing what you don’t know.

Wisdom is what tells you to ignore the memecoin // prediction market bet, even though you could construct an excellent narrative explaining why this time will be different. Wisdom is what tells you that your political opponents might have a point, even though you could demolish their arguments in debate. Wisdom is what tells you not to install Clawdbot on your personal device and give it access to your banking details, even though you could become the next Tony Stark.

Intelligence can be measured on tests.

Wisdom is a good deal harder to quantify.

Isaac Newton never figured out the madness of men. He also never figured out alchemy, which consumed years of his life in fruitless experimentation. The mind that revolutionized physics believed he could transmute base metals into gold. That should tell us something. Our greatest strengths can coexist quite comfortably with our most embarrassing weaknesses and our worst impulses. The smartest person you know is probably an idiot in some domain that matters. If you’re the smartest person you know, the domain that matters might be closer than you realize.

Do savings accounts really lose money to inflation? - Terence Eden’s Blog

2026-01-26T12:34:05.000Z

I'm absolutely addicted to the Reddit's UK Personal Finance forum - where people mutually support each other through the difficult world of managing one's personal finances. It's a great community and full of people eager to help others.

In amongst the confusion around pensions, tips for budgeting, and complaining about debt-collectors is a persistent drumbeat encouraging people to save money. Good! More people should save more money. But the advice is always undercut with the message "sticking money in a savings account will see it eaten away by inflation".

Is that true?

Firstly, what is inflation? Simply put - prices rise and fall. The price of bread goes up by 50% and a loaf now costs £1.50. The price of a 42 inch flat screen TV drop by 50% and now costs £150. The average person buys 50 loaves of bread per year and a new TV every 5 years - add up the average of what people buy and you have a rough idea of what inflation is⁰.

Secondly, what is interest? Simply put - a bank or building society will pay you money to save with them. If you put £100 in a savings account paying 5% interest then leave it a year, you'll be given a fiver¹.

If the rate of inflation is higher than the rate of interest, your savings will be eroded; your money will be worth less.

The Bank of England's current interest rate and inflation rate shows this:

On average, if something cost £100 a year ago, today it will cost £103.20. If you had saved £100, it would be worth £103.75

So, based on this, savings exceed inflation right?

Well, as ever, it is a little more complicated than that!

For starters, the inflation rate is for the last year and the interest rate is the current rate.

The UK publishes a number of different inflation statistics. Depending on which one you prefer, the inflation rate over the last 12 months is between 3.2% and 4.4%.

Different savings accounts will attract different interest rates. Some will offer tasty bonuses to new savers and will drop to nothing once that promotion expires.

This stuff is hard to accurately model.

But let's ignore all that and YOLO it!

Here's two resources:

The Bank of England inflation calculator tells you want a historic price is in today's money (up to 2025).
The website HistoricalSavingsCalculator.com provides the annual average historical interest rate from the Bank of England (up to 2023).

As a quick check. £1,000 in 1975 is equivalent to about £7,300 in 2023.

The same amount saved in 1975 with average interest compounded, would be worth about £18,000 in 2023.

Amazing! Compound interest beats inflation!

But let's take another perspective. £1000 in 2008 is equivalent to £1,540 in 2023

£1,000 saved in 2008 would be worth about £1,180 in 2023.

A loss of over £300.

Let's stick annual UK inflation and interest rates into a graph:

Ah! Over the last 17 years, inflation has been higher than interest - a position which is slowly reverting. Fucking 2008, eh?

It looks like we might be entering a period where interest will be higher than inflation. Does the average person optimally pick their savings accounts? Probably not. Is inflation a 100% reliable way of tracking the worth of money? Also probably not.

While cash savings are unlikely to exceed the rate of return from "Dollar Cost Averaging", it is possible that savings accounts will once again offer some protection against inflation.

This is a vast over-simplification. It doesn't take into account a person's personal circumstances nor their preferences. But averages dehumanise everyone. ↩︎
Some savings accounts are tax free - so you don't pay anything on what you make. ↩︎

Note published on January 25, 2026 at 6:40 PM UTC - Molly White's activity feed

2026-01-25T18:40:38.000Z

finally got bad enough that it needs fixing, and today i could use a fiddly project to occupy my brain

sadly i forgot that this design has the components mounted on the bottom of the PCB which means desoldering all the switches, so ten minutes was a very unrealistic estimate

previously

Hiring in an era of fake candidates, real scams and AI slop - Werd I/O

2026-01-25T13:59:57.000Z

[Andrew Losowsky at The Markup]

Andrew Losowsky discusses the impact of AI on his hiring process:

“Within 12 hours of posting the role, we received more than 400 applications. At first, most of these candidates seemed to be genuine. However, as the person who had to read them all, I quickly saw some red flags, which were all clear indicators of inauthenticity.”

These jibe with what I’ve seen lately too. I’ve had the privilege of hiring for a few technical roles over the last year, and every single time, almost everything Andrew mentions has come up.

The good news, as he points out, is that right now there are some really strong tells. One of the most important parts of any application I run is the “why are you excited about this job?” question, which is really a question about mission fit. The AI-generated answers are extremely generic, heavily reference the job description itself, and start looking very samey in a sample size of hundreds.

Here’s the thing I don’t believe I’ve encountered before:

“Someone made a fake email address similar to ours, then sent generic technical “tests” containing our logo to jobseekers, while linking to our job ad. Completing these tests led to a fake contract signed by someone claiming to be our CEO – it was at this point that the scammers requested financial information, saying they needed it to issue payments.”

The thing is, without someone telling me about it, how would I know? This is where we need stronger tools – the anti-spam protections of yore don’t work very well against AI-powered scams. Centralized repositories of scammers and stronger anti-spam filters may work, but I suspect we’re going to need to find other approaches. Impersonating to make some quick money is one thing (and bad enough), but when you consider that for both Andrew and I we’re talking about impersonating newsrooms, this could get very bad very quickly.

[Link]

Book Review: Human Rites by Juno Dawson ★★★☆☆ - Terence Eden’s Blog

2026-01-25T12:34:53.000Z

After the pretty good Her Majesty's Royal Coven, the excellent Shadow Cabinet, the law of reverting to the mean hits the conclusion of Juno Dawson's Witches of Hebden Bridge trilogy.

By now you know the tropes - Bitchy-Witches, 90s pop-culture references, and wry chapter titles. It's all done well enough, the plot is a little twisty, the story entertaining, and the repeated mentions of Buffy are only a little too self-referential. The continual pop-culture references are a bit blunt and, in all honesty, feel like the book is trying too hard to anchor itself to other media.

If you enjoyed the other two books (and the Queen B prequel) then this is more of the same.

The ending is powerful and, thankfully, closes off the world. This doesn't feel like something which is going to be turned into a never-ending series of stories.

A good beach read but lacking some of the rage and inventiveness from the rest of the series.

Shellsharks Blogroll - BlogFlock

Completely oblivious people - Cool As Heck

Book Review: With the End in Mind - Dying, Death and Wisdom in an Age of Denial by Kathryn Mannix ★★★⯪☆ - Terence Eden’s Blog

Your Life is the Sum Total of 2,000 Mondays - Westenberg

The peak experience fallacy

The tolerated life problem

The architecture of an ordinary day

The Monday blueprint

Building identity through iteration

Note published on January 30, 2026 at 3:16 PM UTC - Molly White's activity feed

Theatre Review: The Hitchhiker’s Guide to The Galaxy - Immersive Experience ★★★⯪☆ - Terence Eden’s Blog

Celebrating our 2025 open-source contributions - Trail of Bits Blog

Key contributions

Trail of Bits’ 2025 open-source contributions

AI/ML

Cryptography

Languages and compilers

Libraries

Tech infrastructure

Software testing tools

Blockchain software

Reverse engineering tools

Software analysis/transformation tools

Packaging ecosystem/supply chain

Others

Published on Citation Needed: "Issue 100 – Freedom of all kinds is worth fighting for" - Molly White's activity feed

Book Review: The Players Act 1 by Amy Sparkes ★★⯪☆☆ - Terence Eden’s Blog

Building cryptographic agility into Sigstore - Trail of Bits Blog

Sigstore’s cryptographic constraints

The dangers of cryptographic flexibility

The solution: Controlled cryptographic flexibility

The implementation

Phase 1: Establishing common ground

Phase 2: Service-level updates

Phase 3: Client integration

Validation: Proving it works

Cryptographic flexibility in action

Future-proofing Sigstore

Are there any open APIs left? - Terence Eden’s Blog

Home alone, movie nights, Silksong returns - W04 - Joel's Log Files

Gaming

Watching

Reading

Around the Web

Journalism lost its culture of sharing - Werd I/O

Book Review: Doppelganger - A Trip Into the Mirror World by Naomi Klein ★★★★☆ - Terence Eden’s Blog

Started reading Summer Knight - Molly White's activity feed

Finished reading Grave Peril - Molly White's activity feed

Why Intelligence Is a Terrible Proxy for Wisdom - Westenberg

Do savings accounts really lose money to inflation? - Terence Eden’s Blog

Note published on January 25, 2026 at 6:40 PM UTC - Molly White's activity feed

Hiring in an era of fake candidates, real scams and AI slop - Werd I/O

Book Review: Human Rites by Juno Dawson ★★★☆☆ - Terence Eden’s Blog