Shellsharks Blogroll - BlogFlock

More bike adventures - Joel's Log Files

2026-06-25T15:20:00.000Z

I realized I didn’t provide a cycling update on my previous weeknotes, so I decided to write some more about my misadventures so far. I am yet to buy fenders and a rack, so I am yet to try commuting to work properly. Even so, I continue riding like so, as I don’t mind getting my back splashed that much during a weekend, washing my clothes is not too bad.

Anyway, I haven’t really gone to a lot of new places lately, but I have done and seen some cool things nonetheless.

Last weekend was the first time I put some air on my tires. They were already feeling low on my previous trip—I think that’s one of the reasons I couldn’t catch up to other commuters before—so I decided to check them today. In my country, there are quite a lot of vulcanizadoras. They are small workshops where cars can patch wheels, put air on them and some other basic car maintenance. They really can be super simple. The one I went to is literally just a roof, no walls, no nothing, just a couple of guys sitting on top of some wheels by the side of the road.

Something I realized about my bike is that the valves are different, and they have different stems. (I had to look that up, that’s the name of the hole through which you inflate them). I wasn’t sure if the place would have an adaptor, but things worked out in the end and it wasn’t even expensive, they let me pay whatever I wanted. I probably went beyond their expectations by at least a dollar or two, everything happened in just a couple minutes, and riding away felt so awesome with my wheels gripping much better and feeling swifter than before.

The streets were full of puddles and some mud too, but I went carefully—no fenders, remember?—and avoided most damage. There was another commuter there and I followed him up for a while, this time I managed to surpass them eventually.

I went through some big puddles rather slowly and got to stay balanced despite the slow spin, it was rather fun, to be able to do all that. I hope getting fenders gives me even more confidence in the future to just ride through it.

The ride was fun, went downtown again and even visited the shop where I got my bike from. I wanted to check right then and there if I could get the hardware I wanted, but they were closed. No big deal, I rode back home, following the same path I took the first time I got on this thing.

The bicycle culture I’ve gotten to see in my city has been rather pleasant. A week before inflating my tires, I wanted to go to the park downtown again. On the way there, I was among a cluster of commuters, three going my way, another two going in the opposite direction. It felt cool to be among so many bicycles for a brief moment, in the same street!

When I got to the park, I actually saw another bunch of bicyles parked together—none of them were locked. Even if they hadd been, they were leaning on the weakest possible fence ever, pretty much just wires. There was nobody around, nobody seemed to be worried at all.

I kept riding and saw the park was rather filled with people this time. Some were doing excercise, some people were jogging around the same road I cycled through, and there were a few other parked bikes inside.

I’m shameless and made sure to ride along every bicycle I see, I love to know, how many of them are fixies, how many of them have disc brakes, what brands are common, which ones are less known. My bike continues to be the only Fuji around. I have seen two Specialized, one looked like a mountain bike, the other was a city bike with a retro look. I have seen a bunch of Giant bikes too, with quite basic designs. There’s also Mercurio, Alubike, and some Green Plus—all of these seem to be Mexican bicycle brands. The latter is a bit of a higher tier, judging by the prices online.

After so many videos from Europe and the US, or about my own country, from Guadalajara or Mexico City and how bike theft is so abundant. Seeing my city be so non-chalant about it was a bit of a relief. I already had my suspicions this would be the case, as it feels like everyone here knows each other well.

As of now, I am yet to leave my bike parked for a significant amount of time without a direct line of sight, I don’t know if I’ll ever need to do that either way, but I feel confident knowing things are likely to go just fine.

After this many trips, I continue to be pleased by the culture in my city, the cars have been pretty respectful, although I’ve had a few close calls at slow speeds when I get careless. Nothing serious would have happened, other than the scare either way. Being aware of surroundings is still important, slowing down and looking at both sides of the road, stuff like that.

Still, the freedom of just going wherever I want by powering this machine, the spin of the wheels, the force of my legs multiplied and turning into motion. It’s all awesome, I love this. I want to do it more. I need to try that commute to work, I just fear getting sweaty at work.

Perhaps a change of clothes is all I need.

This is day 86 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse

All you need to poison an LLM is 13 words. - Werd I/O

2026-06-25T14:13:37.000Z

Link: It Is Trivially Easy to Use Reddit to Manipulate AI Search, Research Suggests, by Jason Koebler at 404 Media

All good fun:

“A tiny snippet of user-generated text as short as 13 words long is often enough to manipulate the AI agents that power tools like ChatGPT and Google’s AI search, new research shows. The study suggests that it is trivially easy for brands to inject promotional content on sites like Reddit, Quora, and Wikipedia with the end goal of poisoning or manipulating the output of AI tools.”

So not only do we need to worry about AI-generated slop polluting our social spaces, we also have to worry about people who want to influence the output of the AI-generated slop polluting them, too. There’s a whole industry of companies trying to improve their clients’ coverage in AI results, just as there were for search engine results. And all of them will be spamming the crap out of our public communities and collaborative websites.

As 404 Media points out, this poses a real question for moderators in those spaces. How can they possible stem the tide? It’s not clear that this is even possible. Which means, inevitably, that the signal vs noise ratio in those spaces will decline, leading to a decline in usership of those spaces overall, and a retreat for most people into private group chats and uncrawlable communities.

To put it simply:

“Poisoning LLM results is basically just as easy as doing targeted posting on highly relevant subreddits to the industry or company you’re trying to promote, phrasing the comment to align with popular LLM queries, and attempting to evade moderation for as long as possible.”

Guarding against bot-driven spam is a relatively simpler problem. In contrast, this content will often be insidiously human: cunningly designed to try to provide value while also hiding a paid agenda. In some ways, it’s all the same as it ever was, but the volume of the junk is only going to keep increasing.

Of course, the silver lining is that eventually these sources will become unusable for AI training too. Then, finally, maybe everyone will go away.

To build resilient organizations, you need to empower your team to make decisions. - Werd I/O

2026-06-25T13:59:38.000Z

Link: Empower Others, by Corey Ford at Point C

Another superb post from Corey Ford:

“There's a simple diagnostic for any organization: Are your leaders focused on accumulating control, or on empowering the people around them?

Too many people in positions of power are overly focused on themselves. They hoard decisions. They micromanage. They grab power. And the people around them suffer for it. Those employees wait for direction instead of taking initiative. They bring problems instead of solutions. They ask "now what?" instead of saying "here's what I think we should do.””

He goes on to describe bus factor, the question of what happens if you’re hit by a bus. (My colleague Adam Hirsch recently offered “lottery factor”, reframing the question to be about what happens when someone wins the lottery and goes away to live the life of their dreams, which is more fun to think about.) Could your organization live without you?

The only way to build an organization that can live without you is to devolve decision-making — and the only way to do that is to create the conditions to make devolved decision-making a safe norm. Corey’s been building on that idea in his recent posts, and I enthusiastically co-sign. I’ve taken “surround yourself with people who are better than you” to heart: the Director of Product Engineering, and Director of IT and Security, who both report to me, fit that description exactly and we’re all better off for it.

When we examine situations where this doesn’t happen, it’s worth considering incentives. If you’re a founder or top-level leader who is building a sustainable organization in good faith, these principles are obviously, straightforwardly a good idea. If, on the other hand, you’re not in that position, and you’re worried about your own standing in the organization, you might feel like it’s a good idea to entrench your own power and decision-making. I think that’s short-sighted: you’re there to support the organization, and hiring an amazing team, as long as you support them well, can only make you look good.

At various tech companies in particular, I’ve also encountered people who don’t want power to be devolved to them: they want to be given a plan and to follow it. I don’t think that’s realistic in most smaller companies, and even in larger ones autonomy, insight, and decision-making ability are prized. It’s a thing to hire for. When you want to devolve decision-making, you hire people who can make great decisions. When you want to entrench your own power and micro-manage, you hire followers. These are different paths. I can only recommend the former.

This, from Corey, is absolutely vital:

“Real empowerment means saying: "That's not what I would have done. But you own the decision. Here's what I'm thinking about. Here are the questions I'd want you to consider. But ultimately, it's yours.””

Nobody will ever do it your way. If you want them to follow your lead exactly, you’re not devolving power. If you want them to be genuinely empowered, you need to not just accept that they do things their way, but embrace it — while also being transparent about your own thinking and principles, and setting norms mantras that help people navigate what’s important for the team.

He’s got a lot to say about that. As always, his full post, and the underlying series, are required reading.

Unnatural - James' Coffee Blog

2026-06-25T00:00:00.000Z

Content warning: This poem is about the ongoing heat in Europe. I strike an optimistic tone toward the end, but if you would prefer not to read about the heat, I offer you one of the Scottish poems I have written in stead.

Nature’s weary tears fill the air;
invisible, warming.
Relentlessly, days proceed.

Hours pass; Celsius rises.
Midnights: warm like day.
We stay inside.
Blinds closed, water glasses full, cookers off.

Flowers bloom early.
Eyelids weigh; we yearn
for rest that does not come.

Heat ravages the continent.
London is Rome.

Roads reduce to liquid, power lines sag:
infrastructure is under stress.
Headlines depress.

Hope: We come together, reaching
with open eyes.
Her resiliency:
Our future?

Scottish poems I have written in stead

My writing feels uninspired, so I ramble - Joel's Log Files

2026-06-24T21:10:00.000Z

It’s weird when this happens but some months are just full of things that feel like tasks rather than something I wanted to do. All of June has been full of nothing but talking about things that happened, physical objects, events, notes, reviews, and rather tangible shenanigans, other than my bike rides, those are still fun.

These writings force me to write in a certain way, and I enjoy doing so, but it’s not the only way I like to write.

Some of my favorite artices here have been prompted by the most random things, I really appreciate getting to that state. Like sharing actual thoughts on things happening or on the message of a book or a series of videogames that go beyond what a review often has.

A part of me was going to reminisce on some of my favorite posts of that type, but that would just end up being another listicle, another task that would require me to do extra work. Like how game reviews need screenshots or categorizing critiques, or how weeknotes require me to check my gallery to see what I did.

I guess I just want to ramble again without any sort of defined path.

This post is just a short—future me here, not that short—acknowledgment of that. It has been happening for the whole month, so things don’t feel as fruitful as I’d like. It feels like I’m going through chores. Don’t get me wrong, those reviews are 2K words each because I had a lot to say about those videogames I loved, and because I am very happy when people put those games in their radar.

Writing those reviews and notes gives me joy, but it can feel daunting sometimes. I just want to write about writing for once, I get to do it every once in a while. I get to do it on my blog.

How have you been? What have you enjoyed? When was the last time you were in silence and contemplated the way you went through the motions of some task without any extra thing going on?

I keep reaching for podcasts, or some video in the background, or music, many times, but absolute silence while doing the dishes? Embracing boredom? It can be difficult today to do so.

As I write this though, I am in complete silence. A rare ocurrence for me lately, and it has been awesome. This paragraph is written on top of another five paragraphs I had already written, interestingly enough. I don’t always skip and write all over the place! I guess I really needed to ramble.

Yesterday I watched Rocky, one of those classic movies everyone should see some day, and I was surprised at how simple it is. There were a few scenes that happened in silence, with only some background noise and the characters doing things without saying anything. That morning scene where Rocky just swallows five raw eggs and goes to run actually hit hard, not joking! what a movie.

Reading reviews, I agreed with one of them saying it’s not really a boxing movie but a slice-of-life, that of a nobody who gets the chance of his life at challenging the champion. A lot of things happen just because Rocky decided to, he was not just going along either, but building himself up to train for this fight. Even then, he doesn’t think he can win, but he just wants to stay up for the whole 15 rounds.

And he went from a nobody, to the one guy who managed to resist Apollo Creed. He didn’t get the win, but he prevailed, and despite the fame and glory, he just went looking for Adrian, his girlfriend. Rocky didn’t care about winning or losing, he was conscious enough to call her name, and so he did, reunited with her again when credits rolled. What a finale, what a simple thing, simple storytelling is beautiful and rare, they don’t make movies like this anymore, do they?

Perhaps I am also tired of saving up spoilers on my reviews—sorry if I ruined the finale of Rocky just now, it’s still worth a watch—because it is through those bold choices in media, where I get to think the most, where I get to awe at what’s happening before my eyes. Maybe I should just do that from now on? A spoiler section where I get to gush about how unbelievable and awesome the art humans create can be?

Maybe that’s on order, not a list of things, not a top 5 or a favorites, just write about whatever things have gotten me to think just a bit more about this world, about hope, about how to keep moving forward.

There’s this sense of sadness when I begin to write about what I wish I could write about, but I am overall happy, because I’ve already written this much in the first place and writing is what matters to me, and for the most part, I love it.

This is all a ramble, but those are the kinds of posts I enjoy the most. Looking back, I think part of this was inspired by a post by isa where she talks about her personality affecting what she writes about, unable to write about what she likes because… idk? that’s just how it is sometimes? But she will try to do it in the future (maybe).

Funnily enough, I have the same problem sometimes. I already wrote about drafts that just don’t quite feel like something I want to publish. Part of that is the superficiality of it all.

Like, how I disallow myself from writing of some topics because of the sort of image of me it may create on a vacuum. When I shared my full physical Nintendo Switch collection, I kept thinking about how it probably makes me look like a guy with money to spare and a privileged life, meanwhile it’s just me with a stable job, still single and living with my parents. Even saying that feels like I am being a show off, I guess it’s true in a sense.

A long while ago I read about how X or Y is a privilege, and it feels wrong because privilege feels like a bad word nowadays. I have enough time to spend it writing here saying nothing, and I have done this dozens of times in the year, across more than 600 posts, and I keep going. Not many get to write like I do. I was about to go on a tangent on AI, but I won’t, moving on.

If you are still here, you may be about to say the same thing I’m already thinking: just write.

So, I am doing so, I am writing and considering where to go from here. To be honest, I’m already quite satisfied, I am just letting my thoughts flow and my fingers type and it’s working out pretty well. I wonder if I should add some breaks between these paragraphs, although there’s not so much of a theme between them, I wasn’t going to say more about LLMs, but they don’t get to top this raw aimless river of words, yay!

No need to remember what the book was about, no need to look for graphics or pictures to represent a theme. This is all just text, and there’s no point to it, and I love it so much.

Perhaps I should make a Junited post too, just for good measure. Or shut up, let you simmer these words in silence, get drifted away by something else, something worth your attention, or mine, and move on.

Enough, for now?

This is day 85 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse

Tiamat's Wrath (The Expanse #8) - Joel's Log Files

2026-06-24T15:00:00.000Z

The eight book of The Expanse by James S.A. Corey. Spoilers ahead.

I’ve recently realized that I kind of spend too much time summarizing things without spoilers, but I’ll just share the summary from the website and then share my thoughts about stuff, I guess? By now, eight books later, you are not, or you should not, be reading this review unless you are already with me, or you read the book and want my thoughts, so yeah, whatever.

Tiamat’s Wrath finds the crew of the Rocinante fighting an underground war against a nearly invulnerable authoritarian empire, with James Holden a prisoner of the enemy.

Thirteen hundred gates have opened to solar systems around the galaxy. But as humanity builds its interstellar empire in the alien ruins, the mysteries and threats grow deeper.

In the dead systems where gates lead to stranger things than alien planets, Elvi Okoye begins a desperate search to discover the nature of a genocide that happened before the first human beings existed, and to find weapons to fight a war against forces at the edge of the imaginable. But the price of that knowledge may be higher than she can pay.

At the heart of the empire, Teresa Duarte prepares to take on the burden of her father’s godlike ambition, but Teresa has a mind of her own and secrets even her father the emperor doesn’t guess.

And throughout the wide human empire, the scattered crew of the Rocinante fights a brave rear-guard action against Duarte’s authoritarian regime. Memory of the old order falls away, and a future under Laconia’s eternal rule—and with it, a battle that humanity can only lose—seems more and more certain. Because against the terrors that lie between worlds, courage and ambition will not be enough. . .

The second book of the third trilogy was quite the read. There are a lot of things happening that I didn’t see coming, like at all.

Every character here is once again, separated from each other for half the book. This was an incredible choice, as well as the addition of Teresa, who gives us a look into how the Empire really works and how things develop from there. As young as she may be, the responsibilities on her shoulders are quite the burden, and it’s interesting how everything pans out through her choices.

This book barely features Holden’s perspective, as he’s trapped and unable to do a lot. Most of the time he’s just reacting to the choices of everyone else, completely oblivious, although he does make a play, and the way things go from there turn out to be extremely important for his survival.

Elvi is pretty important given her position as a scientist, it was nice to see her and Fayez again, I must admit. Her passion for science continues to be infectious, and through her chapters we will see the aliens at play once more. The cosmical events in this book were something I didn’t see coming at all. The alien artifacts and technology, the measures taken by the Laconian Empire to try and harness such power, and her involvement on a huge plot twist made her chapters truly remarkable to me!

Naomi continues to be an incredibly cool individual, and now her role is more important than ever as part of the Rebellion against the Empire. She really will be travelling all over the place avoiding the enemy, by herself. Dealing with all this without Holden gives way to some emotional moments too.

Bobbie will actually clash with Naomi as another leader, in a friendly enough way. As the captain of the one ship that could actually deal any damage to the Empire, her role will be quite vital on this story, aided by Alex.

Alas, Amos goes missing—said very early on the story—Alex is still a loyal, but tired pilot, and many other things happen.

The writing was as good as ever, the plot twists really got to me. It really felt kind of dark and hopeless and a bit sad at times, with a lot of writing decisions I didn’t see coming, including some unexpected losses or changes to the characters. Beware!

As much as I liked the writing, I think the story got a bit weird at times, like they setup a lot of stuff and powered up the bad guys on the previous book, and ended up backtracking quite a bit here. It makes sense within the story and it’s all justified, but a lot of things felt a little shoved aside to make things much more plausible. Still, I give it a pass.

With how things have gone, I am really looking forward to the finale, there’s still so much that needs to wrap up…

Good stuff.

Date	Pages	Time	%
2026-05-12	67	1:00:00	5.2
2026-05-14	50	0:35:21	9.1
2026-05-15	71	1:13:09	14.61
2026-05-17	18	0:20:07	16.01
2026-05-18	65	0:56:00	21.06
2026-05-19	60	0:57:53	25.72
2026-05-20	35	0:31:33	28.44
2026-05-21	74	1:01:49	34.19
2026-05-22	118	1:48:57	43.35
2026-05-23	26	0:25:34	45.37
2026-05-24	73	1:07:21	51.04
2026-05-25	98	1:35:15	58.65
2026-05-26	31	0:26:00	61.06
2026-05-27	92	1:20:09	68.2
2026-05-28	50	0:44:46	72.08
2026-05-31	44	0:36:23	75.5
2026-06-07	47	0:45:47	79.15
2026-06-08	83	1:34:08	85.59
2026-06-09	186	2:26:14	100
Total	1288	19:26:26	100

This is day 84 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse

Journalism is rearranging the deckchairs. It needs to reinvent itself. - Werd I/O

2026-06-24T13:34:06.000Z

Link: Journalism's Logical Fallacy, by Shirish Kulkarni

Journalism is in crisis, and it’s really easy (and lazy) to say that making a technology or process tweak will fix it: we just need to use AI to fill capacity gaps, or build stronger comments into our site, or we need a better business or distribution model.

None of those things address the underlying question of why we need journalism, why it’s important, and what it should be. By addressing innovation at the edges, newsrooms are avoiding the hard, existential work of revisiting their core value to begin with. But it’s only by understanding that core value that they will actually reset their relationships with audiences, build greater trust and loyalty, and pull themselves out of the rut they find themselves in.

Shirish Kulkarni’s findings from listening projects in Wales — with multiple dramatically different demographics — contradict a lot of the narratives newsrooms have been telling themselves. For example:

“The second finding challenges one of the journalism industry’s most comfortable premises: that audiences – particularly marginalised communities – are news-illiterate and need to be educated. The opposite is true. In fact, the communities we work with are forensically sharp about media – often more so than the industry insiders who talk about them.”

This mirrors something you often hear from mission-driven tech projects: “we just need to educate the user”. Usually the opposite is true: you need to educate yourself about the user and give them the thing they actually need. And in the case of journalism, at least as a finding of this research, the need turns out to be pretty simple:

“They want help making good decisions. For themselves, their families, their communities. Not drama, not outrage, not the next breaking story. Practical, trustworthy, usable information that helps them navigate their lives.”

It’s important, once again, to separate the work of news — breaking headlines, emergent facts — from journalism’s work to provide context and meaning. The first is a commodity; the second is both inherently community-driven and has always been more valuable.

Here I want to bang an old drum: newsrooms like to talk about audience strategies, not community strategies. It’s a meaningful difference that Shirish highlights well. The first implies an ivory tower broadcast approach: “we just need to reach people”. The second is an active relationship between a newsroom and the people it serves; a two-way conversation that requires trust and understanding on both sides.

The internet has always been a conversation. We’ve had the ability to build relationship-centric news organizations for 30 years, but most remain stubbornly set in a print mindset. This kind of research makes it clear how important that shift is, but, like Shirish, I don’t believe most existing newsrooms will evolve to actually meet this need. They can’t: the immediate commercial pressure is severe, and changing the model requires changing highly-ingrained cultural norms and assumptions that have been inherited from print. And in the midst of that panic, they’re jumping into bed with companies (AI vendors, proprietary social media platforms) that intermediate their relationships with their communities in exchange for some short-term wins.

So their outlook is not rosy. Instead, I think we’ll see new newsrooms emerge that reinvent what journalism is, are unafraid to build real, lasting, two-way relationships with the people they’re trying to serve, and eat everybody else’s lunch.

Auth0 PHP - manually authenticating JWT idTokens - Terence Eden’s Blog

2026-06-24T11:34:25.000Z

I find it baffling just how poorly documented most big projects are. Auth0 by Okta has a fair bit of cash, lots of customers, and almost completely absent documentation.

Here's how to successfully authenticate a JWT supplied by Auth0.

Once your user has authenticated with Auth0, they will be given an accessToken and an idToken. Only the idToken is needed for our purposes.

It will look something like this:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiYzEyMyJ9.eyJnaXZlbl9uYW1lIjoiSm8iLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJuaWNrbmFtZSI6IkpvVGVzdCIsIm5hbWUiOiJKbyBMZSBUZXN0IiwicGljdHVyZSI6Imh0dHBzOi8vZXhhbXBsZS5jb20vam8ucG5nIiwidXBkYXRlZF9hdCI6IjIwMjYtMDQtMjhUMTM6NTk6NTUuNjcxWiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJpc3MiOiJodHRwczovL2V4YW1wbGUuZXUuYXV0aDAuY29tLyIsImF1ZCI6ImFiYzEyMyIsInN1YiI6ImZhY2Vib29rfDEyMzQ1NiIsImlhdCI6MTc3NzM4NDc5NiwiZXhwIjoxNzc3NDIwNzk2LCJzaWQiOiJhYmMxMjMtNDU2LWRlZmdoaWprIiwibm9uY2UiOiIxMjM0NTY3ODkwIn0.ZgnZxOOtfczLewlm_agK6mJMYetVTZrHlBlu5qzXbADlhvZB8RraVuFKmFutLZLibMQxz_RY0oh4hRufVWDHJ0kuocW38kRHztDg7R5KOfvJEM46WW49xvhLhKprzkx9WXDDlpCRNL0QbBK2U0F1VjmRpTp1Q5cHEd8PBsa4rGAhfqudXp5JrC2Lm5e7ji0AQ_s7HJhy59b9mTb3tMqHGsrWDZS915zHPYEQtSvg5o9sSx1tCRfsyL6kdsdkaTffQjJDUrT5hpIQ-2_9tGuqioJjP4c0edQ85TaK9UnSxfzMQ8gYez963kbo_Iv1fJyaTVwXR-AVvwK-CeGJAFrheQ

Yeuch! If you stick it into JWT.io you'll see that it is Base64 encoded JSON containing a header, body, and signature. Each part is separated by a . character.

You could manually decode it, but that's a bit of a pain in the arse. So here's how to do it with the Auth0 PHP library. I'm using the Symfony one, but it should all be fairly similar.

First, import the library:

use Auth0\SDK\Auth0;

Next, you'll need to send the token to the PHP. You can do this in a header, GET, or similar:

$authHeader = $request->headers->get("Auth0-Authorization");

Then, set up Auth0 so that it can parse and validate the token:

try {
    $token = $authHeader;
    $auth0 = new Auth0([
        "domain"       => $_ENV["AUTH0_DOMAIN"],
        "clientId"     => $_ENV["AUTH0_CLIENT_ID"],
        "clientSecret" => $_ENV["AUTH0_CLIENT_SECRET"],
        "cookieSecret" => "_"   //  Dummy value.
    ]);

    $decoded = $auth0->decode(
        token: $token,
        tokenType: \Auth0\SDK\Token::TYPE_ID_TOKEN,
    );
} catch (\Exception $e) {
    error_log("Auth0 Error - {$e}");
}

The cookieSecret must be set - even though you aren't using cookies. Any non-null value is fine.

The tokenType must also be set correctly.

Assuming you all goes well, you will have a decoded object which has validated against Auth0. So how do you get the user's details from it?

Well, you could split the original idToken at the period character and Base64 decode the middle one. Try it now to see what it contains! Or print_r() the decoded token to see it in all its cryptographic glory.

The easiest way is to do:

$claims = $decoded->toArray();

Then you can access various properties by doing:

$username   = $claims["nickname"];
$identifier = $claims["sub"];

Perhaps there is a more official way - but I couldn't find anything in the documentation. Hurrah for reading source code!

Thinking out loud about project management - Johnny.Decimal

2026-06-24T00:40:26.000Z

This is a working draft for figuring out the end of our Task and Project Management course.

I've been thinking a lot about project management for the last 6 months and I'm thinking out loud here, nothing is set in stone. However, me and Lucy are using the concepts mentioned and it's working really well in our business.

Overall, there's nothing radically new in terms of project management principles. But how can these principles work alongside a Johnny.Decimal system to help us complete very-small or very-big projects successfully?

This is a rough-sketch, draft-rehearsal for the final project management modules in the course. We weren't going to publish it, but what the hey, maybe it will help someone or generate practical feedback.

Throwing my Roku in the trash - Posts feed

2026-06-23T22:57:00.000Z

I work from a big corner desk and part of the space on that desk is taken up by a small TV positioned in the corner. I use it occasionally and, for the longest time, it's had a Roku stick attached to it. It's reliable, but the UI has been filled with more and more cruft when all I ever want to do is launch Jellyfin.¹

This was the lone Roku device on our home network, it was mostly idle and the top two domains blocked by NextDNS were a pair of Roku tracking subdomains. Roku is also being acquired by an odious media company. I'm invested to the tune of, maybe, $29.99. I bought a cheap device and got a progressively crappy experience. It's not a whole ecosystem, it's not inescapable, but it's all irritating.

I looked at onn streaming devices² but ended up buying a cheap Xiaomi TV box running Google TV. Out of the frying pan and into the fire, sort of. The key differentiator here is that Google TV means Android, Android means I can install and meaningfully change things.

I plugged the thing in, added Xiaomi to my native tracking denylist in nextDNS, set up a throwaway Google account and configured things:

Unlock developer options: navigate to Settings -> System -> About -> scroll to "Android TV OS build" and click it until it says "You are now a developer.
Enable Android Debug Bridge: Settings -> System -> Developer options -> turn on USB debugging (conveniently this also enables network ADB).
Install ADB: brew install android-platform-tools.
Connected to the streaming box: adb connect <box-ip>:5555. The TV'll prompt you to allow USB debugging and you can opt to always allow from this computer.

From here, things are wide open. I grabbed the F-Droid APK from their site and installed it (adb install F-Droid.apk) and installed SmartTube as well. Google TV's home screen is about as noisy as Roku's (it also includes ads) but you can get around that by using a custom launcher. I went with Projectivy. When installed it'll prompt you for access necessary to override the default launcher and you can configure it to be far, far more minimal than the defaults for either of these platforms.

The last change I made was to install Button Mapper. It'll prompt you for permissions much like Projectivy does and let you remap all of the (often useless) streaming app specific buttons on your remote. Netflix now opens Jellyfin, Prime opens Apple TV and YouTube opens SmartTube (naturally).

It's a reasonable amount of configuration but now, when I do use this particular TV, it's not at all grating.³ There are no ads, no unnecessary apps, no irritating screensavers. It plays what I want, without issue.

Pressing the home button conveniently scrolls you up to rows of Roku-provided junk, rather than the top row of apps you have installed. ↩
Apparently these are made by Walmart? Are they any less terrible than Fox? ↩
We'll see how Xiaomi does in the NextDNS tracker blocker rankings. ↩

Signs you're a dangerous terrorist: using Signal, moving zines - Werd I/O

2026-06-23T18:16:37.000Z

Link: Texas anti-ICE protesters convicted of terrorism charges sentenced to at least 50 years in prison, by Sam Levine in The Guardian

This is an outrageous litmus test for the freedom to protest in America:

“A group of Texas protesters convicted of terrorism charges received unusually harsh sentences of at least 50 years in prison on Tuesday in a closely watched case that was widely seen as a test case of the Trump administration’s efforts to crack down on dissent.”

Let’s be clear: a few of the protesters were out of bounds. One fired an AR-15 at the police, which goes beyond legitimate protest into inciting violence (and maybe even deliberate provocation). I would never condone that kind of activity.

But these sentences far outstrip anything that’s been given to anyone on the right wing: the leader of the Proud Boys, as this article notes, was sentenced to 22 years in prison. One protester wasn’t even present, but was sentenced to 30 years for moving some zines:

“The ninth defendant, Daniel Sanchez-Estrada was not at the protest, but was convicted of corruptly concealing a document or record after prosecutors said he moved leftwing zines and other materials at the request of Rueda, his wife, after she was arrested. Sanchez-Estrada was sentenced to 30 years in prison on Tuesday.”

Many of the protesters had guns and were part of a gun club. They all possessed them legally. I personally wish there was not a right to bear arms and think that their ubiquitous presence in America makes everyone less safe, but the right to own them is enshrined in the Second Amendment. Instead, other “evidence” was used to infer that they planned violence, including this specific argument that should give everyone pause:

“[…] including their decision to communicate and auto-delete messages on Signal, an encrypted messaging platform widely used among activists, journalists and other citizens wary of government surveillance.”

Collectively, the justice department argued that these convictions are proof that anti-fascists are terrorists, which should also give us pause. The precedent here is obviously very dangerous for freedom of speech, freedom of assembly, and democracy in America.

Father's Day and gifts for myself - W25 - Joel's Log Files

2026-06-23T17:10:00.000Z

This week was wild, one of the most hectic days at work, watching the World Cup at church, getting some late birthday presents for myself, taking pictures, maybe a date? I don’t know what’s going onnn.

Alas, here’s some notes on it all, from June 16 to 22, 2026. Let’s go!

👔 Happy Father’s day to the people fulfilling that role in the family. We had a fun time at church, every non-dad prepared some food to eat together at the end, which is always nice to have. There was also a fun photo shoot section where I took pics with dad and the family, things were cool.
✝️ An unexpected loss in a close friend’s family turned some things upside down. There have been way too many deaths this year. We went to the funeral early and mourned with them. The family appreciated the support. We share the same faith and the same hope. John 11:25-27.
🧑‍💻 We had this project at work that was incredibly time-consuming and required a bunch of people doing things, and it’s finally over. Everything was a chore but it only lasted half a day and it’s finally implemented in production. All good, all is good now.
⚽ My church streamed the Mexic vs South Korea game on the projector screen and we were all together watching the game. Mexico wins and is on the first position of the group! Super cool stuff.
🎶 I acquired some music from Bandcamp! The soundtracks for Faster Than Light and the original Zelda & Chill album.
⌚ Got a new member for my watch collection. For my birthday, I purchased a Casio AQ-S820W. A solar powered watch which has a pretty similar size to the G-Shock GA-2100—also known as the CasiOak. It has managed to replace my trusty Casio Royale for the whole week, which is quite nice. Loving it so far.
I have kinda been looking at more watches because of this and tempted by a few. I actually ordered a Casio MQ-24—the classic, cheapest analog they have—and well, I got a fake, not the first time this happens, but I just got a refund!
🕹️ Another interest of mine is being piqued… I plan to get a Nintendo 3DS soon, maybe a N3DS XL, maybe a 2DS XL, I am still pondering on it all. I’ll keep you updated though!
📷 I spent way too much time trying to make a nice knolling of my EDC gear. Yes, I am working on an updated post for that, I just haven’t written a single word because I’m too busy getting the thumbnail done.
📸 I also photographed my watch collection, because I think I’ll write a page to showcase them soon. Some day.
💻 I’m thinking about resurrecting my Raspberry Pi 4. I had done a lot of things with it back in the day, and I got a lot of ideas asking on the fediverse, but I would like recommendations for a proper case for it, a way to get it to safely shutdown during a power loss too—lots of rain where I live cause this often.
🍿 Remember the girl I kind of invited to watch movies but she couldn’t that day? I tried again, and plans were made, I wonder how it’ll go.

Gaming

I’ve been pretty much focusing on one game at a time lately, I think the Summer Game Challenge has me in a completionist mood.

Transistor - This game has been even more awesome this week. The mechanics are really strong, the semi-turn-based combat caught my fancy. There’s this sandbox area that is full of tests and it’s great, because I’ve learned a bunch of things at a pace that the combat during the main game doesn’t quite allow. There are challenges focused on certain aspects of the gameplay, so you have to get good at it to go through, which is really satisfying. The story itself has been really interesting as well, although there is still a lot of unknowns. I just fought a giant beast that haunted me for a whole bunch of the game until I reached the top of some tower, it was pretty epic.
Slice & Dice - I played this for an hour or so total this week. It still has a challenge but I’ve been distracted by other things while on my phone.
Super Smash Bros Ultimate - Just a quick match with friends, nothing too serious this time around.

Reading

Leviathan Falls - Up to chapter 3. The final chapter of the grand saga of The Expanse, by James S.A. Corey. As much as I know that Sotolf is no fan of the ending—please do not wreak havoc in the comments if you read this—I am still very excited about the way everything will play out!
Shikimori’s Not Just Cute - Up to chapter 140. Things have gotten a bit serious. The friend group has gotten into the last year of high school lately, and the future is full of possibilities. I know the manga will end in 40 or so chapters, so I am curious to see how things wrap up.
Spy X Family - Up to chapter 136. This grandiose mini-arc where Loid is invited to a party full of enemies was incredibly fun! It is over now and I am looking forward to more ridiculous misadventures.

Watching

I am finally done watching all of the Max Steel movies, post incoming!

Max Steel vs The Mutant Menace - Here we see Cytro back—the best robot friend ever!—now on the good side, and he is awesome from here on. We will face against Max Steel’s ultimate foe, Toxon, N-Tek’s best agent, fallen from grace after a radioactive explosion. As this villain awakens, he plans to contaminate all of the planet with poison, radiation and waste. This villain is so powerful, Max will need to upgrade once again (last time was on Max Steel: Countdown) to be able to face him. Epic movie, way too short.
Max Steel vs The Toxic Legion - This was the most epic thing known to me back then. Toxon leads once more, together with Extroyer and Elementor. Every villain teaming up against Max Steel, looking to create a giant toxic storm that will end life as known on Earth. The challenge is up! There’s a redemption arc, and a new villain as a result from this.
Max Steel: Makino’s Revenge - After Max stops the toxic storm, some residual waste mutated Mike (I forgot the last name) into Makino. He was an influencer and independent journalist, and will use those skills and his power to control machines and computers to difame and expose Max Steel’s work as an agent. The spin on how social media and news affect the way people see things was very interesting for the time. The villain is very cartoon-ish though unfortunately.
Max Steel: Monstrous Alliance - Another team-up where Toxon, Makino and Elementor work together to take on Max, and N-Tek’s most powerful base, a floating ship in the sky that would protect the innocent and end conflict (think Captain America’s The Winder Soldier). Of course, with Makino’s control of technology, Toxon plans to use this ship to deploy… you guessed it, toxins, all over the world. Max Steel will have to step up one last time to finally put an end to them.
Terminator: Salvation - Decided to watch this one on a whim. I actually quite enjoy this Terminator movie, it tries a bit of a different take on the usual formula, and it works out in my opinion. A lot of weird choices like the romance subplot and the exagerated screams from the protagonist looking in the style of Revenge of the Sith, but cool action and sequences nonetheless.

Around the web

Blogposts

I don’t like prompts - Interesting take by Tracy on writing prompts, I haven’t participated a lot on the Indieweb Carnival and similar, but I do enjoy writing challenges, quizzes or question challenges—except the AI one, I feel icky answering that one.
I Miss Streaming Music - In a way I miss how useful algorithms can be for discovery. At the same time, I kind of like asking people for recommendations more often and get out of the comfort zone.
Doomscrolling for a Game - The paradox of choice attacks once again. It’s weird because lately I’ve been on a “one game at a time” mood and it has actually worked for me, but things change.
Roadside Assistance - Love these musings that are about seemingly vain things. This one’s features wildlife, and it’s very cute!

YouTube

Improve the Casio F91 Backlight for Free - This little mod is actually pretty interesting. I might give it a go and report back, but no promises.
I Played as San Marino until I WON the WORLD CUP - Just some entertaining gameplay from a FIFA game I never played. I think I’m just nostalgic for the 2010 World Cup days.
Casio is ALL YOU NEED: The Perfect 3 Watch Collection - I have more than three watches so, and it’s impossible not to need more once you start buying…
I Tried 3D Printing for the First Time - Oh no, TechDweeb was infected by the 3D printing virus, am I in danger?

This is day 83 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse

📝 2026-06-23 12:58: Create one of those Uses pages. Still a work in progress, but there's a good... - Kev Quirk

2026-06-23T11:58:00.000Z

Create one of those Uses pages. Still a work in progress, but there's a good chunk of the stuff I use on there now.

https://kevquirk.com/uses

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Wonders of Web Weaving, Episode 7 - James' Coffee Blog

2026-06-23T00:00:00.000Z

The seventh episode of Wonders of Web Weaving is out:

In Episode 7, I chat with Ana, the author of ohhelloana.blog. We talk about, among other things, the growth we see in our websites over time, finding an in-person indie web community, and connecting with people using personal websites.

I hope you enjoy the episode!

Wonders of Web Weaving has an RSS feed you can use to follow along from wherever you get your podcasts.

Ana ohhelloana.blog The seventh episode of Wonders of Web Weaving is out Wonders of Web Weaving has an RSS feed

Introducing Patch the Planet - Trail of Bits Blog

2026-06-22T16:50:00.000Z

What happens when you clear dozens of Trail of Bits engineers’ schedules, pair them with every open-source maintainer they can contact, and unleash the latest frontier models like GPT-5.5-Cyber on critical open-source targets? Thanks to <a href="https://openai.com/index/daybreak-securing-the-world/">our partnership with OpenAI</a> and its Daybreak initiative, <a href="https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea9e6e967043cbb">we can report</a> that the impact is hundreds of discovered bugs, 64 pull requests, and 51 issues filed across 19 projects (with many more still undergoing coordinated disclosure). That was just the first week of <a href="https://trailofbits.com/patch-the-planet">Patch the Planet</a>. Frontier models like GPT-5.5-Cyber are producing a firehose of security findings, and already-stretched maintainers must sift through all of it to separate real vulnerabilities from plausible-sounding false positives. Patch the Planet is different: with our experts orchestrating and triaging findings, we handle the work of fixing and hardening the code alongside the people who maintain it. The first week of Patch the Planet covered 19 projects across cryptography, networking, language infrastructure, and software supply chain. Among these 19 projects were cURL, NATS, pyca, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. Over 30 projects have joined the initiative so far, and we’re rapidly expanding it to include more; if you maintain an open-source project, <a href="https://trailofbits.com/patch-the-planet">apply to join</a>! <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-1.gif" alt="“Live look at the Trail of Bits engineering teams”" width="500" height="221" loading="lazy" decoding="async" /> <figcaption>Live look at the Trail of Bits engineering teams</figcaption> </figure> Anyone can file an issue, flex, and walk away. We showed up with the patches: 37 are already merged, and many more are in flight. These merges go beyond just fixing bugs: we’re adding new tests and fuzzing harnesses, CI security scanning, supply-chain tooling, correctness fixes, and features maintainers had been meaning to get to. The goal of Patch the Planet is to leave essential open-source projects measurably better off. <h2 id="we-brought-patches-not-just-bug-reports">We brought patches, not just bug reports</h2> We’re reporting public findings <a href="https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea9e6e967043cbb">on GitHub</a>, including 64 total pull requests. We also filed 51 issues, 19 of which are already closed with a fix. This public tally undercounts the work, since several projects take reports through private channels like HackerOne, GitHub security advisories, mailing lists, and private forks, and most of these have not been released publicly yet. What’s in those pull requests matters more than the count. At python.org, we added a CI workflow built on <a href="https://github.com/zizmorcore/zizmor">zizmor</a>, our open-source GitHub Actions auditor, fixed all of the issues it flagged, and integrated it into their CI. In RustCrypto, we contributed correctness fixes to the big-integer library that higher-level cryptography is built on, alongside genuine feature work in review: serde encoding support and HPKE DHKEM suite IDs. Other patches were plain engineering help: storage-accounting and service-restart fixes in SimpleX, a clearer admin-quarantine confirmation in PyPI’s Warehouse, and supply-chain improvements like SBOM sidecars for Python’s Windows artifacts. We will also be upstreaming many testing improvements and new testing campaigns. Arguably, our best contributions are not even bug or security fixes. Keeping track of all of this is a bot we call Patchy. Patchy monitors every project, posts each new finding and merged patch to our Slack, and, for reasons we consider scientifically sound, reintroduces the common use of <a href="https://openai.com/index/where-the-goblins-came-from/">goblins, gremlins, and assorted creatures</a>. Here’s Patchy’s description of <a href="https://github.com/pyca/cryptography/pull/14933">an issue that has been patched</a>: <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-2_hu_d772e23377508832.webp" alt="“Patchy’s description of an issue that has been patched”" width="1200" height="329" loading="lazy" decoding="async" /> <figcaption>Patchy’s description of an issue that has been patched</figcaption> </figure> When a patch lands, Patchy celebrates with a triumphant <code>PATCHY HAPPY</code>. Making Patchy happy is really what drives us. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-3_hu_5af72ac2534386fd.webp" alt="“Bug patched, Patchy happy”" width="1200" height="185" loading="lazy" decoding="async" /> <figcaption>Bug patched, Patchy happy</figcaption> </figure> <h2 id="a-few-highlights-from-the-week">A few highlights from the week</h2> The week produced more than we can fit in this post, but here are some quick highlights. A fuzzing lab built in a day. Given a narrow goal (find remotely exploitable bugs) and no instructions on how, GPT-5.5-Cyber decided that reading the source of one of the most-reviewed C libraries in existence was a poor use of tokens. Instead, it stood up a full fuzzing lab in under a day: sanitizer and variant builds, a seed corpus drawn from existing tests, and harnesses across a dozen entry points. Instead of simply fuzzing exposed APIs, it successfully built a harness that injected operating system backpressure to identify novel issues by reaching previously unexplored buggy states. We estimate all of that effort likely would’ve taken one of our fuzzing experts two to three weeks to do manually. Just as important, it showed judgment about what to test, what to report (and not report), and where to find higher-impact findings. We’ll publish the full details in a standalone field report. A pipeline for variant testing historical CVEs built in a day. Codex was also adept at building simple but effective pipelines, such as the CVE variant analysis pipeline shown below. Codex’s <code>/goal</code> feature combined with frontier models like GPT-5.5-Cyber for this type of variant analysis produced novel issues with almost exclusively high-signal output. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-4_hu_a106c2e464121abc.webp" alt="“Pipeline for historical CVE variant analysis”" width="1200" height="617" loading="lazy" decoding="async" /> <figcaption>Pipeline for historical CVE variant analysis</figcaption> </figure> A release-pipeline improvement at python.org. We reported multiple security issues for <a href="http://python.org">python.org</a>, including some issues closing a legacy-API authorization gap. But we’re most proud of the work that produced long-term improvements to python.org’s release infrastructure: the new zizmor CI scanning, tightened release-file and metadata validation, deletion scoping fixed so bulk operations can’t reach beyond their target, and release-tooling patches in review that quote remote command arguments, fail safely on partial uploads, and add SBOM sidecars. The aiohttp maintainers fixed their issues almost immediately. We privately reported a cluster of issues across aiohttp’s client and server paths, including cookies that could regain broader scope after a save and reload, digest credentials that could answer a challenge from the wrong origin, and resource limits that ran after attacker-controlled buffering rather than before. The maintainers authored and merged all eight fixes within hours, seven of them inside a single five-hour window. We were impressed and appreciate the maintainers’ prompt and collaborative work on these issues! Differentially testing major cryptographic libraries against each other. Many of our projects implement the same logic, protocols, and algorithms. In particular, multiple projects implement the same cryptographic algorithms and standards like X.509 certificates. Therefore, we used Codex to point these projects at each other, and identify any relevant behavioral differences. This proved to be a high-signal approach that uncovered several issues, including <a href="https://github.com/pyca/cryptography/pull/14933">this AES-GCM issue in PyCA</a> and several X.509 issues, which we plan to upstream to <a href="https://x509-limbo.com/"><code>x509-limbo</code></a>. <h2 id="finding-the-bugs-is-now-the-easy-part">Finding the bugs is now the easy part</h2> If it wasn’t already clear from the last several months of security news, this week makes one thing clear: the expensive part of security work has moved. Arming Codex with fuzzing campaigns, variant analysis, differential testing, agentic searching, and similar techniques produces real vulnerabilities and compresses weeks or months of manual effort into hours. The advantage is no longer in finding bugs, but everything after: confirming a finding, getting its severity right, writing a patch a maintainer will accept, hardening the surrounding code, making long-term improvements to prevent similar issues in the future, and coordinating a disclosure. That is the work that floods of AI-generated reports threaten to bury. <h2 id="guidance-for-maintainers">Guidance for maintainers</h2> If you’re a maintainer managing an unsustainable number of AI-generated bug reports, the core challenges you need to solve are deduplication, false-positive filtering, and severity correction. Deduplication is the easiest problem to solve technically. Even simple AI-based tools that compare new reports against open issues perform well, especially when grounded in affected code lines. Automating this step eliminates most of the noise. False-positive filtering and severity correction are harder, but they can be managed. Without explicit guidance, models default to rating everything as critical. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-5_hu_1b13148a17364cf7.webp" alt="“Patchy without threat model and severity guidance”" width="1200" height="1019" loading="lazy" decoding="async" /> <figcaption>Patchy without threat model and severity guidance</figcaption> </figure> Generic approaches like our <a href="https://github.com/trailofbits/skills/tree/main/plugins/fp-check">fp-check</a> tool help, but only to a point. The best improvements require project-specific documentation, threat models, and severity criteria. <a href="https://cryptography.io/en/latest/security/">PyCA’s security documentation</a>, for example, was dramatically effective at reducing false positives in our bug candidates. Files like <code>AGENTS.md</code> that explicitly tell models which documentation to consult produced the most consistent and effective results. If security researchers are armed with this documentation, especially <a href="http://AGENTS.md"><code>AGENTS.md</code></a> for AI-based research, more noise will be filtered out before reaching the maintainers. <h2 id="whats-next-and-how-to-get-involved">What’s next and how to get involved</h2> This was just our first week. Over 30 projects have committed to join Patch the Planet, with a growing waitlist. As more findings clear coordinated disclosure, we’ll publish more results and deeper field reports, including full fuzzing lab details, the variant-analysis and differential-testing pipelines, and the tooling we’re building to help maintainers triage AI-generated reports themselves. Our <a href="https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea9e6e967043cbb">Patch the Planet gist</a> contains the full public list of our week one output. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-6.gif" alt="“Join Patch the Planet and spread the word”" width="480" height="207" loading="lazy" decoding="async" /> <figcaption>Join Patch the Planet and spread the word</figcaption> </figure> If you maintain a critical open-source project and want this kind of help, you can <a href="https://trailofbits.com/patch-the-planet">apply to join Patch the Planet</a>.

Cybersecurity for the paranoid business traveller - Terence Eden’s Blog

2026-06-22T11:34:18.000Z

Over the years, I've worked for organisations with various levels of risk tolerance for business travellers. Some have been (rightly) paranoid and others have been (wrongly) placid about the threats their employees face.

The fact is, individuals are often targeted for espionage, blackmail, or other state-sponsored attacks.

Here's a list of some of the different advice I've received, roughly sorted into levels of suitability. Start at the top and work your way down until you reach a suitable level.

USB sticks? No thanks!

At some point, you'll be given a gift of a decorative USB pen drive. It'll either be part of a goodie-bag or you'll be told it has all of this quarter's TPS reports on it.

You should thank them for their kind gift. On your way back to the hotel, drop the stick in a bin.

There's just too much which can go wrong with a USB stick. Maybe it has a virus. Maybe it is an exfiltration device. Maybe it has extreme pornography and the police will catch you with it. Just chuck it. If anyone asks, say you couldn't get it to work and can they please email you the information.

USB Power? Play it safe!

USB powers everything from your phone and laptop, to your headphone and eReader. But USB cables also carry data. Some devices can be silently hacked by plugging them in to a dodgy power port.

Is it likely that the USB socket on the airport bus has been set up to exfiltrate travellers' data? Probably not - but why take the risk?

The best thing you can do is to always charge from your own device. Get a travel charger or, ideally, a portable battery and only use that for charging.

For extra paranoia, you can buy USB condoms and charging-only cables - but they tend to be slower at charging.

Reduce Your App Attack Surface

Do you need all those apps on your phone? Will you cope without your banking apps, dating apps, streaming apps? Each one is a potential vector for abuse.

Is it legal for you to date your preferred romantic partner in your intended destination? You shouldn't have to hide yourself, but having an illegal app on your phone is a great way to get picked up by the police.

Go through your phone and uninstall anything which isn't important to the trip.

A VPN probably draws more attention than it is worth, but browse cautiously

This is slightly counter-intuitive. Every important site on the web uses HTTPS. The really important ones are on a special list which means your browser will only use a secure connection. The chances of your data being intercepted is minimal.

But using a VPN immediately makes your traffic look suspicious and, in some countries, may be illegal.

That said, while the contents of your communications will be private, their destination is easy to figure out. Don't browse pornography or any other site which is liable to get you in trouble. This may include news sites from outside the country.

What passwords do you need?

Hopefully you use a password manager - and hopefully all your passwords are unique. But do you really need to carry around all of them? You password manager almost certainly allows you to create a sub-account into which you can deposit anything you need for your trip.

Similarly, you don't need all your MFA codes with you. If you do need MFA please make sure it isn't coming through SMS.

They're not flirting with you.

Mate, you're a middle-aged sales rep who scored a trip to a conference in an exotic country. Do you really think that pretty young thing is enthralled by your tales of middle-management?

No.

At best, the photos will be used to blackmail you. At worst the police will claim that they're under the age of consent and that will be used to blackmail you.

Laptops and Liability

Your IT team has provided you with a laptop which is encrypted and biometricly secured, right? But do you need that specific laptop?

Grab a cheap laptop. Fill it with only the documents you need. When you get back home, toss it.

I'm quite serious, a £200 Chromebook is a cheap price to pay to prevent your secrets getting stolen or your network being infiltrated.

What Else?

Possibly you think some of these are overkill. Perhaps you think I'm not being paranoid enough. What would you add to the list?

Over/Under Interview - Robb Knight • Posts • Atom Feed

2026-06-22T09:55:58.000Z

Avengers

The movies, overrated with the exception of Infinity War/Endgame which was some of the best movie experiences I've ever had.

The comics, underrated. The stories from the comics is where it's at but it's not a medium that everyone can enjoy. There are so many great Avengers and Avengers-adjacent stories available if you're willing to give it a try. My recommendation is Kelly Thompson's West Coast Avengers run.

Weeknotes

Underrated. I love reading people's weeknotes and I've found it a useful tool to get out random thoughts I've had as well as share fun things I've seen online that week. The pressure to do them every week though, massively overrated. You don't need to do that to yourself, post when you want.

Stickers

Underrated. What a fun item stickers are but you've got to use them. Stick them on anything. Maybe Maique will spot one you stuck somewhere. I love stickers.

BuJo

This is a tough one. Bullet Journal the brand? Overrated. Intentionally or not, one look at the website shows that it exists now to sell courses, books, and other related services.

Bullet Journal the system on the other hand has a lot of good ideas. I don't do all of them, nor do I follow it strictly but the things I did take from the (the bullet system itself, migrating tasks, monthly spreads) have been massively helpful. Slightly underrated if only because the website no longer reflects the system and rather serves as the business side.

Tacos

Underrated. I'm in the UK where we have a troubling lack of mexican-inspired food available but whats not to love? Meat, sauce, taco shell, lettuce, it's got it all.

What are the two best books you couldn't live without and that you recommend?

How to Lie with Statistics. I read this when I was 17 or so and it blew my mind the way you can present data in different ways to elicit different reactions or prove your point. Fair warning this was written in 1954 so some of the language would not be appropriate in 2025, but the ideas are solid.

So You've Been Publicly Shamed. This one serves have a warning both about what one might post online, as well as how wild online mobs can get.

People and Blogs Interview - Robb Knight • Posts • Atom Feed

2026-06-22T09:48:50.000Z

Let's start from the basics: can you introduce yourself?

I'm a developer and dad to two girls living in Portsmouth on the south coast of the UK. By day I work for a SaaS company and in my own time I work on my many side projects. In a previous life I worked at a certain clown's restaurant which is where I met my wife some 15 years ago.

Although developer is what I get paid to do I'm trying to move towards more making; websites, stickers, shirts, art, whatever. I have no idea what that looks like yet or how it's going to pay my bills. I have a whole host of side projects I've worked on over the years; they're not all winners but they all serve, or served, a purpose. If I get lucky, they resonate with other people which is always nice.

What's the story behind your blog?

I've had a lot of blogs over the years, most of which would get a handful of posts before being abandoned. There was a version that ran on Tumblr which I did do for at least a year or two — any interesting posts from that have been saved. The current iteration is by far the longest serving and will be the final version. There's no chance of me wiping it all and starting again.

This current version is part of my main website which is where I put everything. My toots on Mastodon start life as a note post, I post interesting links I find, and I log all the media I watch/play/whatever (I don't want to say consume, that's gross) in Almanac, which itself is on the third or fourth iteration.

As I said above, I had done a few posts on the Tumblr-powered blog but if I look at my stats for posts, it was around 2022 when Twitter started to fall apart that I started to blog more. I was moving away from posting things directly onto social media sites and getting it onto my own site.

I started writing more posts that just had a short idea or helpful tip because I realised not every post has to be some incredible think piece. My analytics show that these posts also tend to be the most popular which probably says more about the state of large, ad-riddled websites than it does about my writing. For example this post about disconnecting Facebook from Spotify is consistently in the top five posts on my site but you're never going to read that post unless you specifically need it. It's not a "good" post, it just exists.

What does your creative process look like when it comes to blogging?

To call what I have a process would be a very liberal use of the word "process". If I have nothing to write about I just won't write anything, I have no desire to keep to a schedule and write just for the sake of it. Usually, I'll get prompted by something someone asks like "How did you do X on your website?" or I feel like I have something to say that would be interesting other people.

I write my posts in Obsidian, then when they're ready to go I'll add them to my site. If I'm on my ~~proper computer~~ laptop I use my CLI tool to add a new post. If I'm on mobile, I use the very haphazard CMS I built.

I'll proof read most things myself before posting and I rarely ask for anyone else's input but if I do want a second opinion it's going to be previous P&B interviewee, Keenan. Usually I'm able to get out what I want to say fairly succinctly without too much editing.

Do you have an ideal creative environment? Also do you believe the physical space influences your creativity?

A proper keyboard and ideally a desk to sit at is what I prefer when I'm writing (or coding) but I can live with just the keyboard. My desk setup makes some people's skin crawl because there's so much going on but I like having all the trinkets and knick knacks around me.

I deeply dislike using my phone for most things outside of scrolling lists, like social media so I rarely write long posts on it. The small form factor just doesn't work for me at all but I also kind of need it to exist in the world.

A question for the techie readers: can you run us through your tech stack?

All my domains are registered with Porkbun and I manage the DNS with DNSControl - my main domain, rknight.me, has nearly 50 records for subdomains so managing those without DNSControl would not be a fun activity. Speaking of DNS I use Bunny for my DNS management and also use their CDN for images and other files I need to host.

The website itself is, as are many of my side projects, built with Eleventy. Eleventy gives me the flexibility to do some interesting things with the posts and other content on my site which would be much harder with some other systems.

The site gets built on Forge to a Hetzner server whenever I push an update to GitHub either via command line, or through the aforementioned CMS, and is also triggered at various points in the day to pull in my Mastodon posts.

Given your experience, if you were to start a blog today, would you do anything differently?

Assuming I actually had to the time to do it, I think I would start with the CMS first, before building anything of the actual site. It is a pain to update things when I'm not at my laptop but jamming features into my CMS is equally frustrating.

If I wanted something off the shelf and easier to maintain I suspect I would choose Ghost or Pika.

Financial question since the Web is obsessed with money: how much does it cost to run your blog? Is it just a cost, or does it generate some revenue? And what's your position on people monetising personal blogs?

Many of these costs are part of my freelancing so are bundled with other sites I run and somewhat hidden but I'll do my best to outline what I do use.

I have a single server on Hetzner that serves my main site as well as another 30 or so side projects so the cost is negligible per-site but it costs about $5 a month. Forge costs $12 a month to deploy my site along with other sites. The domain is $20 a year I think but that's it.

I have a One a Month Club here and I have a handful of people supporting that way. I also use affiliate links for services I use and like which occasionally pays me a little bit.

I think monetising blogs is fine, if it's done in a tasteful way. Dumping Google ads all over your site is terrible for everyone but hand-picked sponsors or referrals is a good way to find new services. Just keep it classy.

Time for some recommendations: any blog you think is worth checking out? And also, who do you think I should be interviewing next?

I want to read sites that are about the person writing them. Photos of things people have done, blog posts about notebooks, wallpaper, food, everything. Things people enjoy.

This is the second time I'm going to mention Keenan here because they write so wonderfully. They also have a podcast with Halsted called Friendship Material which is all kinds of lovely and joyful and everyone should listen.

Alex writes some really interesting computing-related posts, like this one about using static websites as tiny archives.

Annie is so smart and honest in her writing it brings me joy every time I see a new post from her. This post is a masterpiece.

Final question: is there anything you want to share with us?

I'd be a terrible business boy if I didn't at least mention EchoFeed, an RSS cross posting service I run.

I also have a podcast that used to be about tech but is now about snacks.

I Am A Link Curator - The Weblog of fLaMEd

2026-06-22T08:49:05.000Z

What’s going on, Internet? Friend of the site James recently shared a new post Blogger Archetypes which asks a series of questions to help you narrow down your character as a member of the blogging community. A bit of indie web fun.

Here are my results:

You are a Link curator

The web is not just its pages, but the connections between pages. You have internalised this and love spending your time exploring the web and sharing what you find with the world.

You are also a Culture maker

You love to help push the blogging community forward by starting discussions, encouraging thought, and sharing what’s on your mind.

And the other archetypes on offer:

Explorer: To you, the web feels like a library that’s open all hours and has everything you could ever imagine! You love reading others blogs, and know how important readers are to the whole of the indie web community!

Community gardener: You love to help contribute to building the blogging community, either through your writing or how you share the spirit of writing on the web with friends.

Author: You love writing and have a growing backlog of posts on your website! Words are your best friend and you’re always thinking about what to write next.

Link curator feels about right. A lot of what I do here is exactly that. Surfing the web, finding the good stuff, and passing it along. The bookmarks, the links back to other people’s writing (which I need to get back into doing regularly). That’s the fun part for me.

If you’ve got a blog, go and take the quiz and write up what you got. Send it my way, I’d love to to see what you got. 🤙

Hey, thanks for reading this post in your feed reader! Want to chat? Reply by email or add me on XMPP, or send a webmention. Check out the posts archive on the website.

📝 2026-06-22 09:39: The fox continues to prowl around our chickens. This morning we caught it in the... - Kev Quirk

2026-06-22T08:39:00.000Z

The fox continues to prowl around our chickens. This morning we caught it in the GARDEN a few feet from our favourite chicken. Luckily the magpies warned us and we were able to scare it away.

It's not nice keeping the little cluckers cooped up in this heat, but needs must unfortunately.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.