Shellsharks Blogroll - BlogFlock

Read "How Silicon Valley Humiliated the Democrats" - Molly White's activity feed

2026-04-17T13:37:40.000Z

Read:

“How Silicon Valley Humiliated the Democrats”.

Alexis Goldstein in The New Republic. Published April 16, 2026.

When will they learn? The party remains far too solicitous of an industry that’s rewarded their fealty with four years of Trump and untold damage to democracy.

Book Review: How To Kill A Witch - A Guide For The Patriarchy by Claire Mitchell and Zoe Venditozzi ★★★⯪☆ - Terence Eden’s Blog

2026-04-17T11:34:26.000Z

After reading The Wicked of the Earth, I wanted to understand some of the history behind the stories. Why were women⁰ accused of being witches? What really happened in those trials? What are the modern consequences of those events?

This is the story of the Scottish Witch Trials - with brief forays into England and abroad. It examines the central tension of whether witchcraft was real to the accusers, or just a convenient means to oppress troublesome women. The descriptions of the imprisonment, torture, and state-sanctioned murder is visceral and horrific.

It's also rather stark in its modern assessment of the historic context:

Nonetheless, it’s important to remember it was a proper legal trial, with evidence being put forward and the judge assessing it and carrying out legal tests. Some people think that witchcraft trials were carried out by angry peasants waving pitchforks. Perhaps this is a more acceptable way for a modern person to think about it. No one wants to think that a judicial system can get it so wrong. But it did, with catastrophic consequences for those accused.

The book is mostly good, it's a spin off from the Witches Of Scotland podcast and that's reflected in the writing. As with any parasocial¹ entertainment, it attempts to centre the authors and bring the audience along for the ride - so there's lots of descriptions of the libraries the authors visit, how things make them feel, how enamoured they are with their podcast guests. I found it a little distracting, but it's obviously right for their main audience.

Similarly, there's an attempt to bring the past to life by imagining a little monologue from various historic figures. I found that a little unconvincing; I dislike putting words in peoples' mouths. But with sparse primary documentation, that may be the best way to bring these characters to life. It's also well illustrated. Too many books eschew pictures - but this has a nice collection of woodcuts and portraits to contextualise what we're reading about.

One little nitpick, the book makes the claims:

Life was hard and life expectancy was around 35

and

Lilias was an old woman, at least 60 years old and possibly as old as 80. At a time when life expectancy was much lower than it is now, even the lower estimate was still a considerable age.

That's not quite right. Although the average life expectancy was low, that's the average at birth - with a large number of infant mortalities dragging down the average. When you look at the full data, you'll see people used to live long lives even in the distant past.

In a way, it reminds me of Invisible Women. A national tragedy hidden from view.

It builds to a rousing end. There are parts of the world where witchcraft is still taken seriously - with devastating consequences. The febrile atmosphere which led to unfounded accusations against women is still prevalent even in modern societies.

And a small number of men. But this is firmly focused on the overwhelming majority. ↩︎
As opposed to paranormal. ↩︎

We beat Google’s zero-knowledge proof of quantum cryptanalysis - Trail of Bits Blog

2026-04-17T11:00:00.000Z

Two weeks ago, Google’s Quantum AI group published a zero-knowledge proof of a quantum circuit so optimized, they concluded that first-generation quantum computers will break elliptic curve cryptography keys in as little as 9 minutes. Today, Trail of Bits is publishing our own zero-knowledge proof that significantly improves Google’s on all metrics. Our result is not due to some quantum breakthrough, but rather the exploitation of multiple subtle memory safety and logic vulnerabilities in Google’s Rust prover code. Google has patched their proof, and their scientific claims are unaffected, but this story reflects the unique attack surface that systems introduce when they use zero-knowledge proofs.

Google’s proof uses a zero-knowledge virtual machine (zkVM) to calculate the cost of a quantum circuit on three key metrics. The total number of operations and Toffoli gate count represent the running time of the circuit, and the number of qubits represents the memory requirements. Google, along with their coauthors from UC Berkeley, the Ethereum Foundation, and Stanford, published proofs for two circuits; one minimizes the number of gates, and the other minimizes qubits. Our proof improves on both.

Resource Type	Google’s Low-Gate	Google’s Low-Qubit	Our Proof
Total Operations	17,000,000	17,000,000	8,300,000
Number of Qubits	1,425	1,175	1,164
Toffoli Count	2,100,000	2,700,000	0

Table 1: Resource upper bounds reported in different proofs for circuits computing the correct output across 9,024 randomly sampled inputs

Our proof fully verifies when using Google’s unpatched verification code. It has the same verification key as their original proofs and is cryptographically indistinguishable from a zero-knowledge proof resulting from actual algorithmic improvements to the quantum circuit. We are releasing the code we developed to forge the proof, and a summary of our proof follows.

Circuit SHA-256 hash: 0x7efe1f62bb14a978322ab9ed41d670fc0fe0f211331032615c910df5a540e999

Groth16 proof bytes: 0x0e78f4db0000000000000000000000000000000000000000000000000000000000000000008cd56e10c2fe24795cff1e1d1f40d3a324528d315674da45d26afb376e8670000000000000000000000000000000000000000000000000000000000000000024ac7f8dd6b1de6279bcce54e8840d8eb20d522bf27dedd776046f6590f33add217db465201c63724e6b460641985543d2b79c3c54daeea688581676a786aafc1dba8604a361acdd9809e268b6d8bc73943a713bb0ed0d96221f73d26def6ea4041d05b077523d9351a48b2ecd984c686b6473df69d20a24296d0a1cba3cdbe92eb13a7cc0ecd92f27f7bf23f9ac859d4293e17216dcbd85d1c7f60a52f65a9d02faef077336acd39e845d534200b575b029d6e3f0afb4f90815557233eab70b0fe88919834dd9beb90d47241f1490dc202e0dce44e4894982b07073c8d4426513732d79e9af9913b254aa29471e1a98fa1b43a1886afb5dbd36988153217aa2

Verification key: 0x00ca4af6cb15dbd83ec3eaab3a0664023828d90a98e650d2d340712f5f3eb0d4

Zero-knowledge virtual machines

Google used Succinct Labs’ SP1 zkVM for their proofs. A zkVM is essentially a way to prove that you know which private inputs for an arbitrary guest program on the zkVM generate some public output. For example, consider this basic Rust guest program.

#![no_main]
sp1_zkvm::entrypoint!(main);

pub fn main() {
 // Read in private inputs a and b
 let a = sp1_zkvm::io::read::<u32>();
 let b = sp1_zkvm::io::read::<u32>();
 // Add them together
 let c = a + b;
 // Write the public output a + b
 sp1_zkvm::io::commit(&c);
}

A user can take the private inputs 2 and 3, run this program on the zkVM, and get a proof that the program ran successfully and that the output was 5. Anyone can verify the proof, but they would get zero knowledge about whether the input was (2, 3), (1, 4), or (6, 0xffffffff). Obviously, this toy problem is simple; real programs can be significantly more complicated.

Behind the scenes, the Rust guest program compiles down to a RISC-V ELF binary. This simple architecture allows complex program logic to be encoded into provable mathematical relationships. For example, the state of the RISC-V registers after executing an instruction is a deterministic function of their state before execution. Having to prove every step makes generating zkVM proofs resource-intensive and costly, but significant engineering work has enabled proving statements about complex programs.

Google’s zkVM guest

In the case of Google’s zero-knowledge proofs, the private input is the quantum circuit (in a custom assembly language), and the program is a simulator that checks the circuit. Note that these are “circuits” in the quantum sense, not the typical zero-knowledge definition. The public output includes bounds on the number of qubits and gate operations. In general, simulating quantum circuits is difficult, but the “kickmix” circuits defined in this paper refer to a specific subset that can be tested classically.

The following script, adapted from one of Google’s examples, increments a 3-qubit value. It includes three operations and a total of three qubits. Note that the first instruction CCX has two inputs (q0 and q1) and computes q2 = q2 ^ (q0 & q1). This is called a Toffoli gate. Toffoli gates are quite useful, but they’re much harder to implement on actual quantum hardware, so the complexity of quantum algorithms is sometimes measured in the number of Toffoli gates (or more accurately, non-Clifford gates). Circuits like this are serialized into bytes and sent to the zkVM simulator.

# Increment a value held in 3 qubits (q2, q1, q0). Sends
# (0, 0, 0) -> (0, 0, 1)
# (0, 0, 1) -> (0, 1, 0)
# ...
# (1, 1, 1) -> (0, 0, 0)

# If q0 and q1 are set, flip q2.
CCX q0 q1 q2
# If q0 is set, flip q1.
CX q0 q1
# Flip q0.
X q0

To verify that a circuit computes the correct function, the simulator deserializes the circuit, randomly initializes the qubits (e.g., to (1, 0, 1)), iteratively applies every operation in the circuit, and panics unless the final state is as expected (e.g., (1, 1, 0)). The simulator repeats this for many different inputs (9,024 times, to be precise), so proving that the simulator terminated without error is essentially the same as proving that the circuit is correct with high probability. In Google’s zkVM program, the circuit must compute one elliptic curve point addition, a critical subroutine of Shor’s algorithm for solving the elliptic curve discrete logarithm problem.

In addition to checking that the circuit computes the correct function, it also counts the total number of operations, the number of qubits, and the average number of Toffoli gates (some Toffoli gates are conditioned on classical bits and may be skipped during simulation). These performance metrics are checked to ensure they do not exceed specified upper bounds; if they don’t, the upper bounds are committed as public output.

Plan of attack

Since Google’s zero-knowledge proof comes from the results of running a Rust simulator on a private kickmix assembly script, we can create our own zero-knowledge proof by providing our own private input to the same program. If we find some input that causes the simulator to misreport the quantum costs, we’ll have successfully forged a proof. To beat Google’s results on any metric, we have the following goals:

Must compute elliptic curve point addition correctly
Preferably reports fewer than 17 million total operations
Preferably reports fewer than 2.1 million Toffoli gates
Preferably reports fewer than 1,175 qubits

This turns a quantum computing problem into an application security problem. Any deserialization bugs when parsing the kickmix circuit input are fair game, as well as any logic bugs we find in the simulator.

Vulnerability 1: Bypassing the Toffoli counter

One area of concern in the Rust source code was the use of unsafe blocks, disabling important memory safety checks. This was presumably done to reduce the overall cycle count of the zkVM guest program; each additional bounds check inflates the already substantial cost of generating a zero-knowledge proof, particularly checks that run millions of times. The vulnerability starts in the following two lines of code from program/src/main.rs.

let private_circuit_bytes = sp1_zkvm::io::read_vec();
let ops = unsafe {
 rkyv::access_unchecked::<rkyv::Archived<Vec<Op>>>(&private_circuit_bytes)
};

The first line shows that private circuit bytes (private_circuit_bytes) are directly read from outside the zkVM, and the use of the rkyv serialization library’s access_unchecked function instructs the library to assume that private_circuit_bytes corresponds to a valid serialization. But data from outside the zkVM is untrusted, so what happens if the bytes, which are meant to represent a vector of circuit operations, are malformed?

The answer is “not much.” There are relative pointer offsets and length fields in the serialization for the Vec type, but I couldn’t see a viable path from manipulating those to getting the prover to underreport resource counts. The Op type is similarly simple, consisting of seven 32-bit fields: one describes the OperationType, and six describe the identifiers of which qubits and classical bits to use as inputs and outputs for the operation. For a while, I was chasing down a bug in how the magic identifier 0xffffffff could bypass the qubit count and trigger an out-of-bounds write in the array of simulated qubit values. I was deep in the details of understanding the Rust heap allocator used by the SP1 zkVM before a colleague pointed out that Google was using SP1’s 64-bit RISC-V architecture rather than the potentially exploitable 32-bit architecture.

That left the kind field, an enum describing which of the 18 supported kickmix OperationType opcodes to apply. When simulating the quantum circuit, the guest program iterates over the vector of operations and determines whether to conditionally execute each operation; if so, it increments the count of Toffoli or Clifford gates, depending on the operation type, and executes the operation. This code is in Simulator::apply_iter.

match op.kind {
 OperationType::CCZ | OperationType::CCX => {
 self.stats.toffoli_gates += executed_shots;
 }
 OperationType::CX
 | OperationType::CZ
 | OperationType::Swap
 | OperationType::R
 | OperationType::Hmr => {
 self.stats.clifford_gates += executed_shots;
 }
 // Note: X and Z are not considered Clifford gates in the
 // stats because they can be tracked in the classical control system.
 // They don't need to cause something to happen on the quantum computer.
 _ => {}
}

match op.kind {
 OperationType::CCX => {
 let v = cond & self.qubit(op.q_control1) & self.qubit(op.q_control2);
 *self.qubit_mut(op.q_target) ^= v;
 }
 OperationType::CX => {
 let v = cond & self.qubit(op.q_control1);
 *self.qubit_mut(op.q_target) ^= v;
 }

What if op.kind falls outside of the expected 0–17 range because rkyv was instructed not to check this value during deserialization? This is undefined behavior, so to investigate, I used Ghidra to reverse-engineer the RISC-V ELF binary Google provided with their proof.

After identifying the location of this function in the binary, I discovered that the Rust compiler emits a pair of jump tables for these two match expressions. The first jump table determines which gate counter to increment, and the second performs the actual operation. But we maliciously control the value of op.kind, so what if instead of the normal behavior, we dereference past the end of the first jump table and directly jump to an address from the second jump table? Then an out-of-range OperationType could still perform the correct operation, but it would completely bypass the Toffoli counter!

Figure 1: In this simplified execution flow, providing an invalid operation type bypasses the Toffoli counter, giving the same functionality while hiding the true cost.

I calculated the necessary offsets, modified Google’s example prover code to inject the invalid operation types, and attempted to simulate a zero-knowledge proof of a simple 64-qubit adder circuit. To my surprise, it worked on the first try.

stdout: circuit.average_cliffords_performed() = 0
stdout: circuit.average_non_cliffords_performed() = 0
stdout: The circuit passed fuzz testing.

I had been concerned that the RISC-V registers would be in an invalid state when jumping into the wrong table, but this ended up not being the case. Now I had the primitive I needed to forge a circuit that misreports the number of Toffoli gates, and I just had to scale up my attack on the 64-qubit adder circuit to full elliptic curve point addition.

Building a quantum circuit

I now had a virtually unlimited budget for Toffoli operations, and the path forward looked simple. I could implement any kickmix circuit that correctly performs elliptic curve point addition without worrying about the Toffoli count, tweak the operation types before feeding the script to the prover, and then forge a proof for whatever Toffoli upper bound I wanted. I might use more total operations or more qubits than Google’s circuits, but it would be an amusing proof of concept. The only concern was that the prover’s running time is proportional to the total number of operations, so my circuit still needed a reasonably low operation count.

It turns out that programming a quantum computer is way more challenging than I anticipated, and this is because of the requirements of reversibility and uncomputation.

Requirement 1: Reversibility. A quantum circuit is made up of a series of reversible (unitary) gates. For kickmix circuits, think of these as reversible bit operations. For example, c’ = c XOR b is allowed because the original value of c can be recovered with c = c’ XOR b. On the other hand, c’ = c AND b is not allowed because if c’ and b are both 0, we cannot know if c was originally 0 or 1. By itself, AND is not reversible, but with an additional input in Toffoli gates, it is. The kickmix Toffoli operation CCX q1 q2 q3 updates q3 to q3’ = q3 XOR (q1 AND q2), and this operation can be reversed with q3 = q3’ XOR (q1 AND q2).

Requirement 2: Uncomputation. To avoid the undesirable effects of entanglement, any auxiliary (or ancilla) qubits used to store intermediate results of computation must be “uncomputed,” or reset to state 0. The reversibility requirement makes this a challenge, since the intermediate result may have been 0 or 1. The intermediate state must be uncomputed from the computation result in order to be reversibly cleared out.

As we try to build our reversible elliptic curve point addition circuit with uncomputation, a couple of tools are available. We could use Bennett’s trick, which involves preserving inputs and outputs in spare qubits, then running the full computation a second time in reverse to clear ancilla qubits. This approach isn’t ideal because it roughly doubles the operation count for each level of the call stack. Another approach is to use the more efficient measurement based uncomputation. Google has revealed that this is the technique their circuits use, but it requires a much finer-grained algorithmic analysis to apply correctly.

Vulnerability 2: Efficient operations with register aliasing

After struggling to implement elliptic curve point addition while keeping the operation count and qubit count low, I discovered another exploitable vulnerability: register aliasing. Recall the Toffoli (CCX) operation defined in Simulator::apply_iter.

OperationType::CCX => {
 let v = cond & self.qubit(op.q_control1) & self.qubit(op.q_control2);
 *self.qubit_mut(op.q_target) ^= v;
}

There’s no check that the qubit inputs (op.q_control1 and op.q_control2) are different from the qubit output (op.q_target), so tying all three together becomes q1 = q1 ^ (q1 & q1) = 0. That is, we can immediately reset a qubit to zero, violating the quantum requirement of reversibility and making uncomputation trivial.¹

Figure 2: By setting the output of a kickmix operation to the input, we can build circuits that violate quantum reversibility and implement arbitrary classical logic gates.

In addition, we can use this primitive to create any logical gate we want, like the classical AND gate that violates reversibility or the functionally complete NAND gate. Now that I don’t have to deal with the limitations of quantum circuits, it’s basically Nand2Tetris, except the goal is elliptic curve point addition. I implemented basic logic gates, followed by integer addition and subtraction, modular addition, modular multiplication, modular inversion, and, finally, point addition.

After exploiting a memory corruption issue in unsafe Rust code, implementing elliptic curve operations from the ground up using individual logic gates, and squeezing whatever performance I could out of the non-quantum aspects of the design, I finally had a working kickmix script that passed validation. 0 Toffolis, 8 million operations, and 1288 qubits. This beats one of Google’s two proofs but falls short of beating the other one by just 113 qubits.

If I wanted to truly claim that our zero-knowledge proof beat Google’s, I couldn’t leave it there. I needed to find some way to shave off 113 qubits, but I was all out of vulnerabilities.

The final challenge: Euclidean algorithm optimization

Profiling my circuit made it clear that the most expensive operation was modular inversion, and the same is true for many published quantum elliptic curve addition circuits. My optimized circuit required 4 field elements (1024 qubits) for the inversion, including some tricks to store intermediate field elements, and a handful of qubits for control flags and carry bits. If I were to beat Google’s proof, I needed to lose those tricks and do modular inversion using fewer than 2.59 field elements.

One idea is to use Fermat’s little theorem: $x^{-1} \equiv x^{p-2} \pmod{p}$. We replace inversion with exponentiation, which is just a sequence of modular multiplications. Each multiplication requires three field elements, and this approach requires hundreds of multiplications, well beyond our total qubit and operations budget.

What many quantum circuits use instead is a variant of the extended Euclidean algorithm (EEA). To compute $x^{-1} \pmod{p}$, this algorithm involves four variables $(a, u, b, v)$ initialized to $(x, 1, p, 0)$. The algorithm proceeds through several iterations to cancel out bits of $a$ and $b$, perform the same operations to $u$ and $v$, and (assuming $x$ and $p$ are coprime) the algorithm terminates with $(a, u, b, v) = (0, 0, 1, x^{-1})$.

I based my implementation on the binary EEA, a variant that involves canceling out the least significant bits of a and b rather than the standard most significant bits. Thanks to Thomas Pornin’s clear exposition of this algorithm, it was relatively easy to reimplement a high-performance version in my circuit, but the qubit overhead was still too high.

Next, I found this recent preprint by Han Luo, Ziyi Yang, Ziruo Wang, Yuexin Su, and Tongyang Li, which came out just days after Google’s announcement. It describes a method to compute modular inverses with the space equivalent of 3 field elements. Many of the techniques went above my head, but they open-sourced their code, so I had a much easier time understanding their paper. Their code included a Qiskit circuit, but I was unsuccessful in integrating this into my exploit. Despite these difficulties, the paper gave me the key term I would need to shave off the remaining qubits: Proos-Zalka register sharing.

The 2003 paper by John Proos and Christof Zalka recognizes that over the course of the standard EEA, the bit-lengths of a and b gets smaller, while the bit-lengths of u and v get larger. Their register-sharing algorithm saves space by limiting the number of qubits for each value at each iteration. This can fail with low probability, but rare failures are tolerable when doing Shor’s algorithm. I implemented a classical version of the register-sharing algorithm of Proos and Zalka, and I ended up with 30 million total operations, almost twice Google’s result.

Finally, I had the insight I needed. What if I combined the operation efficiency of the binary EEA with the space efficiency of the Proos-Zalka algorithm? The binary EEA doesn’t have the same bounds on u and v as the standard EEA, but a slight tweak (doubling v instead of halving u) does, and needs only a simple correction factor at the end. This idea is deeply connected to Kaliski’s method, which is considered in papers by Roetteler et al., Gouzien et al., Häner et al., and Litinski. Reversibility constraints require an extra qubit for each of about 512 iterations, but our implementation doesn’t need to be reversible.

Figure 3: The first 20 and last 5 rounds of the modified binary EEA depict how different variables can share space when performing modular inversion. A final correction factor is not applied here.

Thanks to register sharing, my final modular inversion requires the space of only 2.55 field elements, barely less than the 2.59 required. In total, my elliptic curve point addition circuit uses 8,288,880 operations, 1,164 qubits, 5,980,691 pre-bypass Toffoli gates, and 0 reported Toffoli gates. This is less than half the reported operations in Google’s circuits and just a few qubits fewer than their best variant. The source code for generating this proof of concept is available here.

What Google’s secret circuit (probably) does

The zero-knowledge properties of the proof makes this unanswerable, but framed in a different way, we can answer what problems are documented in prior work that Google would have to overcome to achieve their results.

Google’s circuit does elliptic curve point addition, which requires at least one modular division. In previous circuits, modular inversion is the most expensive step in terms of gate count and qubit count, so that’s where improvements are needed most. Our register-sharing implementation shows that 2.55 field elements of storage is enough for a nonreversible circuit, but prior quantum implementations of Kaliski’s EEA variant require an extra qubit per iteration to preserve reversibility. This adds 512 qubits of overhead to guarantee that modular inversion is invertible, and a circuit based on Kaliski’s method with Google’s qubit counts would need to solve this problem.

Even the most revolutionary scientific breakthroughs are rooted in published literature, and I think a healthy understanding of prior work can help demystify the risk of a shadowy adversary destabilizing cryptocurrencies with a secret algorithm.

The aftermath

Zero-knowledge proofs are a transformational new technology with wide-ranging impacts, and their application to vulnerability disclosure is still new. Without knowing the details of their circuit, it’s impossible for me to conclude whether Google’s decision to announce this discovery using a zero-knowledge proof is justified. However, I do have experience with both vulnerability disclosure and academic publishing, and this points to broader implications in the deployment of zero-knowledge technology.

One potentially overlooked aspect of coordinated disclosure is the importance of an embargo period. Current industry best practices recommend a 30-day buffer between a timely patch becoming available and full disclosure of the technical details. This allows time for patch adoption, benefits defenders who rely on the technical details, and prevents opportunistic exploitation by low-skill attackers. Zero-knowledge proofs can communicate the importance of patching, but they are not a cryptographic replacement for the benefits of eventual disclosure.

In academic publishing, the more details that are available in published work, the easier it is to improve upon that work. Papers that intentionally facilitate replication and have a clear statement of methods and claims are usually the ones that are later cited and have the greatest impact. Using a zero-knowledge proof still establishes improvement over prior work; it also indicates a confidence that no one else will independently develop the same improvement, and that no one but the authors will be able to improve upon the discovery in future work.

As a direct example of the value of open publishing, I want to highlight Google’s decision to release a well-documented kickmix simulator and thorough proof generation instructions. This is the sole reason I was able to find and demonstrate the vulnerabilities, and their patches simultaneously increase confidence in their zero-knowledge claims while preventing attackers from forging proofs of quantum breakthroughs that spread fear, uncertainty, and doubt.

Zero-knowledge systems are an incredible technology with many applications, but their use introduces a different set of risks than traditional approaches. They aren’t a magic wand that eliminates trust; instead, they redistribute trust from an original domain, such as the opinions of scientific experts, to trust in programming languages, compilers, proof systems, and cryptography experts. There are many frontiers that are considering the benefits of zero-knowledge, including electronic voting and age verification, but it’s also critical to consider the risks and make plans for what happens when this technology fails.

Acknowledgments

Thank you to Craig Gidney, Ryan Babbush, Tanuj Khattar, and Adam Zalcman from Google for their quick response and for putting up with my naive questions about quantum algorithms, and to Sophie Schmieg for putting us in touch. Finally, this would not have happened without Joe Doyle and the wider Trail of Bits cryptography team, whose suggestions and enthusiasm pushed this project over the finish line.

There’s a second bug in the HMR and R instructions, which are meant to reset a qubit to 0 while randomizing the phase. An error in conditional logic makes it possible to reset the qubit without trashing the phase, but register aliasing is a strictly better exploit primitive. ↩︎

On AI Images and Feature Images in General - Kev Quirk

2026-04-17T10:50:00.000Z

When is AI image slop ok?

By Gordon Mclean

Gordon stumbled across a post arguing that AI-generated featured images signals laziness, even if every word you write is your own, and it made him stop and think about his own blog.

Read post ➡

This post piqued my interest, and surprise suprise, I have opinions. 🙃

I've spoken about my opinions on AI and image generation before and my opinion hasn't changed on that. I have, however, switched from ChatGPT to Claude, for reasons.

Using AI for feature images?

Like I said in my previous post about AI, I don't think it creates art, but it can be useful for diagrams and some imagary. I listed some examples of my usage in that post, go take a look.

For feature images, I think it's fine, I suppose. I don't think it has a bearing on the writer's ability to write good content thought. I think most people can spot AI-generated prose these days. If my spider-sense starts tingling, I'll close the tab. But if I only see an AI-generated feature image, it's fine.

I think images creation and the ability to write nice words are two different skills. Using AI to create a feature image doesn't tell me that the person has a particular lack of creativity, as creativity comes in many forms. Ask Brandon Sanderson to create the cover art for one of his books, and I imagine he'd struggle. Does that make him any less creative? No. It just means he's a creative writer, not a creative artist.

For the record - I have no idea if Sanderson is good at drawing. It's just an example, okay. Please don't email saying "well ackchyually..."

Would I do it? Probably not. But I don't see the point in feature images anyway. I stopped using them many years ago, as generally they add nothing to the post, and are more for the writer to make the post look pretty than anything else.

So when I see these kinds of feature images, my first thought tends to be meh... and my assumption is that the writer probably didn't have the time, or lacked the skills, to create an image. I'd personally prefer they didn't add one at all if that's the case, but that's just me.

Maybe we should all be a little less judgmental. 🤷🏼‍♂️

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Notable links: April 17, 2026 - Werd I/O

2026-04-17T09:00:06.000Z

Most Fridays, I share a handful of pieces that caught my eye at the intersection of technology, media, and society.

Did I miss something important? Send me an email to let me know.

"Cognitive surrender" leads AI users to abandon logical thinking, research finds

I’m tired. Everyone’s tired. There are so many demands being made of us constantly that the output from an AI chatbot can seem like a godsend: rather than buckling down and doing yet more work, the machine can shortcut that for us.

Not so fast:

“Overall, across 1,372 participants and over 9,500 individual trials, the researchers found subjects were willing to accept faulty AI reasoning a whopping 73.2 percent of the time, while only overruling it 19.7 percent of the time. The researchers say this “demonstrate[s] that people readily incorporate AI-generated outputs into their decision-making processes, often with minimal friction or skepticism.” In general, “fluent, confident outputs [are treated] as epistemically authoritative, lowering the threshold for scrutiny and attenuating the meta-cognitive signals that would ordinarily route a response to deliberation,” they write.”

There are no shortcuts to doing great work, but if AI is used in this pressure-driven way, it becomes little more than a shortcut machine: a way to get to the end goal faster without really scrutinizing the thinking it took to get there. It’s no wonder that AI users didn’t examine the answers they were given; in a world where AI allows people to be saddled with more tasks, they might not have had the time to do anything else. Good enough; onto the next thing. Most people don’t want to cut corners, but under adverse circumstances, they will.

It may also be that they were rote learners who were less good at identifying the principles behind a solution. The people who bucked this trend were the ones who scored highly in “fluid reasoning” tests. I have to admit that this was new to me, but fluid learners are more able to find the underlying principles and links between topics and ideas in order to solve problems. The better people were at abstract thinking, the more likely they were to question outputs from the AI.

That makes some sense to me. AI can’t reason particularly well: it outputs convincing-sounding responses, but the underlying principles behind them aren’t necessarily fully-formed. If you’re used to just accepting something that looks right, perhaps because you’ve been taught to memorize rather than understand, it’s harder to discern when this kind of superficially intelligible, highly confident answer is right. If you scratch the surface and try to understand the underlying logic, that’s when it becomes clearer that the LLM doesn’t know what it’s talking about.

Managers that salivate about using AI to increase the workload / productivity of a team should consider this effect: the more you press people to use these systems, the more they might accept faulty reasoning from them. Hiring abstract thinkers — the people who are more likely to rise to be senior engineers etc — will help, but you need to give people the space, permission, and expectation to think for themselves.

The bottleneck shifts to distribution

This definitely gave me pause. In a world where writing code is something vastly more people can do, when even GitHub is struggling to keep up with the ballooning number of codebases out there, it’s going to be increasingly impossible to get recognition for your work.

“This is what it takes for your free and open source project to be recognized in 2026: you must secure the endorsement of legendary actress Milla Jovovich. You know, like a celebrity vodka.”

I kicked against this — who says Milla Jovovich wasn’t a first class contributor? The fundamentals of WiFi were created by Hedy Lamarr — but it’s true that the commits are mostly assigned to Sigman, the CEO of Bitcoin Libre. She is credited as architect, he as engineer, together with a contributor called Lu.

Regardless, it’s obvious that attaching her name to the project has drawn it more attention, and that this is a product that could result in a real financial outcome for both her and Sigman. I’m left feeling really glad that I released my first big open source software 22 years ago, when LLMs were an impossibility and big names didn’t attach themselves to open source. I was able to build a community with the funding equivalent of a can of Coke and a packet of crisps; if I’d been competing against Hollywood celebrities, I would have had no chance at all.

But I don’t quite agree with the thesis. Whether you’re famous or not, the way to get a following for your code is to solve a real problem better than anyone else. It’s true that distribution platforms can be kingmakers, but starting small by building real relationships with people you’re trying to help in ways that don’t scale is still a good way to get off the ground. That means building something genuinely differentiated rather than something that’s a few degrees off from what everyone else is doing. For small players with no networks and no names, that’s always been the best way to start, and I think it likely still is.

You Own Your Role, We Own The Outcome

This and its predecessor, One Consultative Decision Maker Per Lane, go beyond being sound management advice into almost being a manifesto for how management should work.

If people in your team stick to their lanes entirely, a lot can go wrong:

“The gaps between those lanes become the source of risk, and without a shared sense of ownership, those gaps go unaddressed until it is too late.

No one dropped the ball. But the ball fell between them.”

As Corey points out, roles and decision rights do matter a lot. If you don’t empower people to make real decisions in their respective lanes of responsibility and expertise, your team will grind to a halt (and, if you’re ultimately in charge, everyone will resent you). I’ve been in those teams and it’s always counterproductive; often that’s because there’s someone who wants to make all the decisions. By undercutting people’s decisions, they end up undermining the work of the team and making it impossible to make real progress.

But you also can’t encourage people to put blinkers on. Everyone needs to feel responsibility over the team’s end result — which also means they need to feel ownership over it. I’ve been there too: places where people want to be heads down and just look at a particular piece of code, for example. It doesn’t work on small teams. Maybe there are companies out there, really big ones with cubicles and campuses, where it makes sense. I’ve never worked in one.

There’s a productive tension here, obviously. You can’t go fully one way or the other. But if you treat a team as a community, and the team leader as the facilitator of that community, you can navigate these nuances more easily.

I wanted to share this piece because it ties together so many important ideas: a culture of open feedback, ensuring every voice is heard, framing the work as a learning problem, and leading with vulnerability. I like to create teams that embody these values, and work in places that share my belief that they are important.

So much of this is about trust in people. Trust in the expertise on your team to make sound decisions; trust that the collective can produce great work; trust that when you raise an issue or give feedback in good faith it will be received constructively. I think you have to start with trust as the default — and then vote with your feet if you find it isn’t there.

Google Broke Its Promise to Me. Now ICE Has My Data.

There’s an important distinction at the heart of this case.

The synopsis, from the EFF:

“In September 2024, Amandla Thomas-Johnson was a Ph.D. candidate studying in the U.S. on a student visa when he briefly attended a pro-Palestinian protest. In April 2025, Immigration and Customs Enforcement (ICE) sent Google an administrative subpoena requesting his data. The next month, Google gave Thomas-Johnson's information to ICE without giving him the chance to challenge the subpoena, breaking a nearly decade-long promise to notify users before handing their data to law enforcement.”

Subpoenas are legal orders compelling someone to either testify or produce evidence. They come in three broad flavors: civil, criminal, and administrative. Civil subpoenas arise from disputes between private parties (or between a party and the government in a non-criminal matter), typically over money, contracts, property, or rights. Criminal subpoenas are issued in the context of a criminal investigation or prosecution, where the government is pursuing charges against someone for violating criminal law. Administrative subpoenas are a legal grey area that sit in the middle. They’re issued by federal agencies (in this case, ICE, under the Department of Homeland Security) without prior approval from a judge or grand jury.

Statutory non-disclosure orders and national security letters are common in criminal and national security contexts; they’re rare-to-nonexistent in civil ones. If one exists, the subject can’t disclose that a subpoena was given or that they provided the information. Otherwise, they are free to notify.

The information here has often been given fewer Fourth Amendment protections under the third party doctrine. IP addresses, physical address, other identifiers, and session times and durations are metadata. US cell phone providers, too, will hand out this information with relatively little friction.

When your data is stored with a cloud provider like Google, prosecutors are most likely to ask Google for it, rather than you. If they’re issued a subpoena without a gag order, they’re supposed to notify you about it. If they’re issued one with, they can’t tell you about it in order to stay within the bounds of the law. Even without one, some companies may be tempted to comply in advance in order to stay on the government’s good side.

As is laid out in the linked piece, another student, Momodou Taal, was notified by both Google and Meta that his data was requested. Here, the system worked: because he was notified, he was able to fight off the order, and his data remained private. Amandla Thomas-Johnson didn’t receive the same courtesy.

Google is meant to notify users, if they can. If they didn’t, that’s a real problem. And it seems like that’s the case: that’s why EFF is going after them. The precedent here will matter a great deal for everybody’s privacy: commitments to notify should be enforceable. Hopefully regulators will hold that they are.

FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database

This understandably made a few journalists nervous when 404 Media originally reported it last week:

“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database.”

This reveals a shortcoming in how Apple stores notifications rather than in Signal itself.

What happens is that if the text of a Signal message shows up on a lock screen, it’s stored in iOS itself, in a place where forensic investigators can gain access to it. That’s a really good reason to turn off lock-screen notifications for Signal, and to remove the text of Signal messages from its notifications entirely.

Here’s how to mitigate:

In the Signal app itself, go into settings, and then Notification Content. Depending on your level of comfort, select “Name Only” (which will still store the name of your Signal contact in your iPhone device memory) or “No Name or Content”.

Then, in your iPhone settings panel, find the Notifications pane, and scroll down to Signal. De-select “lock screen”.

Stop Flock

This is nice to see: a grassroots protest movement against the proliferation of Flock cameras.

From the site:

“Flock Safety markets AI surveillance that goes far beyond reading license plates; color, bumper stickers, dents, and other features are used to build databases and identify movement patterns. These systems are spreading rapidly, often without oversight, and are accessible to police without a warrant. They raise serious privacy and legal concerns, and contribute to a nationwide trend toward mass surveillance.”

There’s little evidence that they do anything meaningful to prevent crime. But they do certainly create a surveillance layer, and help establish a culture of surveillance across law enforcement. 404 Media reported last year that ICE has been tapping into these cameras, although they weren’t established for that purpose; local police have been proxy users for immigration enforcement.

Not only does the platform read license plates and track individual cars, but it tracks associations between vehicles — cars that are often seen together, for example. Which, of course, reveals associations between people.

I would echo what Brandon Mitchell said on Hacker News:

“I don't want to stop Flock the company. I want to stop Flock the business model, along with all the other mass surveillance, and the data brokers. If the business models can't be made illegal, it should at least come with liabilities so high that no sane business would want to hold data that is essentially toxic waste.

Without that, we are quickly spiraling into the dystopia where privacy is gone, and when the wrong person gets access to the data, entire populations are threatened.”

The Take Action section of the website is pretty good, with some common-sense tasks that include calling your representatives and supporting civil rights organizations like the ACLU and the EFF.

Earlier this year, TechCrunch reported that some people are going a step further, ripping cameras off street lights themselves. In Oregon, protesters left a note that read, “Hahaha get wrecked ya surveilling f*cks”. I couldn’t possibly endorse.

I May Have Killed My Framework 13 - Kev Quirk

2026-04-16T19:43:00.000Z

I was in the office today, working away, and I often have my personal laptop, a Framework 13 next to me so I do things like check notes and emails, listen to music, etc.

I reached over to grab something on the other side of my desk and managed to knock an entire fucking cup of coffee all over my beloved laptop. It immediately died, I assume because of some kind of safety net built into the device.

I cleaned my desk up, and headed straight home to strip it down, clean it up, and dry it out. My first pass at cleaning removed a load of coffee with a combination of contact cleaner (which is a solvent suitable for electronics) and my little air compressor to blow it all out.

I switched the laptop back on - it made a horrible noise, the screen flickered and it shut off.

FUCK!

Going further

Next thing was to remove the mainboard to get deeper into the guts of the laptop. Shock horror, there was more coffee behind there too! So I repeated the cleaning process again, only this time a lot more thoroughly.

Here's what it looks like now:

I then found a few little spots of corrosion on the board. I'm really worried it was a result of the spillage on live components, and have therefore ruined the mainboard.

So I took to DuckDuckGo to see what the best remedy is, and apparently it's isopropyl alcohol (IPA for short). I've ordered some for delivery tomorrow, and will continue cleaning it up to see if I can get this thing to live again. If not, I may have to buy a new mainboard (around £600).

In the meantime I'm back on my M1 MacBook Air and I'm hating it. The operating system feels almost user hostile. I know it isn't, because I used to love it, but now I'm so used to using Linux again, this feels horrible.

Hopefully I'll be able to get back to my Framework in the next couple days. Wish me luck!

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

More confessions from a FOSS enthusiast - Joel's Log Files

2026-04-16T18:30:00.000Z

Well, it’s been about a year since my last round of confessions as a FOSS enthusiast and I do have a few more things that I thought I’d share!

This was in part tangentially inspired by a post by Adrian Perales on controversies around FOSS programs (in Spanish).

Well, controversial decisions happen on an individual level as well so, whatever, I’ll just share some more of those. Make sure to check the first one though, most of them are still valid…

📱 My phone is even less de-googled

Last time I still had a phone with a custom-ROM on it, and I rarely used the Google services on it, which were just a minimal set of GAPPS for my banking apps and similar. I didn’t have the Play Store or anything, and even then it felt wrong.

Well, now that I am using the stock ROM that came with my Nothing (3a), I just have the usual Google experience. I even logged in to my main account to access my paid apps, and I’ve purchased more apps since then! Back in the day I bought Play Store gift cards to get credit without giving them my credit banking info, but now that has changed too.

What have I become?

But hey, I have Balatro on my phone!

🔍 Sill using Google Search

For a while now DuckDuckGo has been my go-to for web search, and it has served me quite well. However, more than once, I end up appending the !Bang syntax for Google: !g, to get those results instead.

And of course, I’d often stick to the quick summarized answer instead of looking for an article or diving deeper. I simply don’t care that much, and for the stuff I need, the results are serviceable.

Besides, nowadays a lot of the big search engines have turned to a life of crime, not just Google. DuckDuckGo has AI-assisted quick answers too. Brave Search has the same plus all the crypto stuff of the brower itself. Kagi Search is paid and also has some AI stuff on it.

I will still find what I need from a regular search sometimes, clicking on a result that leads me to a website and in the proper way, but that rarely happens nowadays, and a lot of top results are slop anyway. Not sure what to do here to be honest.

Perhaps it’s better to stick to independent search engines like Marginalia or Clew.se when possible.

🤖 FOSS with AI on it…

As much as I hate it, there are a lot of FOSS programs openly embracing code not generated by humans. I appreciate those that are honest about it, even if it annoys me.

The truth is that a lot of these programs are just pretty good at what they do, so I still use KeepassXC, I still use Calibre, and I still use Firefox…

And there are also programs that don’t say anything, or that don’t even think twice about it. It’s weird to see how some have just accepted it, sometimes I wonder if the opinion of the fediverse affects me too much.

LLMs are being used in so much stuff now, I am kind of scared to look at the GitHub repositories, I don’t want to end up dissapointed by it, I don’t want to have to switch from even more.

Like, CrossPoint Reader—the beloved community firmware for the XTEINK X4—or Smolfedi—a lovely PHP-based fediverse client, both of those are new and young projects, both have a degree of vibecode on them.

How many new exciting ideas will develop that will be stained by AI in upcoming years? Too many…

💾 Self-hosting? Backups? What is that?

My Raspberry Pi is literally collecting dust, unplugged in exactly the same place where it has been for 3 or 4 years. I am absolutely serious, no exaggeration. I haven’t even bothered to store it somewhere safe, or to check if it still works. I see it on the bottom level of a corner shelf at the dining room next to the Wi-Fi router, every single day.

I’m not doing anything with any sort of private hosting either. This website is using Vercel’s free tier, I pay my email with a custom domain via Zoho, I use a publicly available FreshRSS instance. Jellyfin and Navidrome and whatever else simply vanished from my needs.

Now, it’s not all lost, I prefer to keep stuff local, but if I’m going to do that I should at least keep everything safe right?

Nope, no backups whatsoever.

There are some duplicate files on my phone and my laptop with Syncthing, there is a 2TB hard drive I got which contains some movies and some other things, sure.

But if I’m honest, if in this very second my laptop died, I would lose all of my data there, if the micro SD card of my Anbernic RG35XX SP died, I would lose all of my saves and games in it. Same for whatever is on my PSP. I am sorry y’all, but I’ve gotten lazy.

Finishing thoughts

It’s important to remember that practically speaking, none of these are actually that serious. I am not truly that ashamed or guilty by doing any of this. Sure I feel kinda bad, sure it is annoying sometimes, and there will be some people who become very judgy and point fingers at me for not sticking to an arbitrary measure.

Don’t get me wrong, there’s an ideal I seek to pursue as well, there are things I can do to align better with my goals, and perhaps I’ll take some time to do it. I will look for AI-free alternatives, I may end up hosting my own custom search engine, or at least disabling all the summaries and slop from whatever search engine I use. Maybe I’ll finally get a custom ROM for my phone and actually stick to a degoogled life again. Perhaps I’ll setup a NAS and host my own stuff once more. I still have an old laptop that I could turn into a server, after all.

I’ve done it before, I used to have backups, I’ve lived free of AI slop for many years, I’ve lived with subpar search results for ages. We’ll see what happens.

But I don’t really let things like this stay too much in my head. I have a lot of other things to focus on, maybe some are not as important, I still support and love FOSS. I still support and love software that is human-made, I still care about security practices and ownership of my data, but well, it’s all work in progress.

Reply to this post via email | Reply on Fediverse

Google Broke Its Promise to Me. Now ICE Has My Data. - Werd I/O

2026-04-16T14:25:31.000Z

[Amandla Thomas-Johnson for the EFF]

There’s an important distinction at the heart of this case.

The synopsis, from the EFF:

“In September 2024, Amandla Thomas-Johnson was a Ph.D. candidate studying in the U.S. on a student visa when he briefly attended a pro-Palestinian protest. In April 2025, Immigration and Customs Enforcement (ICE) sent Google an administrative subpoena requesting his data. The next month, Google gave Thomas-Johnson's information to ICE without giving him the chance to challenge the subpoena, breaking a nearly decade-long promise to notify users before handing their data to law enforcement.”

[Link]

You Own Your Role, We Own The Outcome - Werd I/O

2026-04-16T13:55:04.000Z

[Corey Ford at Point C]

This and its predecessor, One Consultative Decision Maker Per Lane, go beyond being sound management advice into almost being a manifesto for how management should work.

If people in your team stick to their lanes entirely, a lot can go wrong:

“The gaps between those lanes become the source of risk, and without a shared sense of ownership, those gaps go unaddressed until it is too late.

No one dropped the ball. But the ball fell between them.”

[Link]

RSS Club for WordPress - Terence Eden’s Blog

2026-04-16T11:34:10.000Z

What if I told you there was a secret social network, hidden in plain sight? If you're reading this message, you're now a member of RSS Club!

RSS Club is a series of posts which are only visible to RSS / Atom subscribers. Like you 😃

If you want this for your own WordPress site, here's what you'll need:

A blog post which is only visible in RSS / Atom.
Which has no HTML rendering on your site.
And cannot be found in your site's search.
Nor via search engines.
Also, doesn't appear on your mailing list.
Does not get shared or syndicated to the Fediverse.

(This is a bit more strict than the original rules which allow for web rendering and being found via a search engine.)

Start With A Category

The easiest way to do this in WordPress is via a category - not a tag.

After creating a category on your blog, click the edit link. You will see in the URl bar a tag_id.

Whenever you want to make an RSS-exclusive post, you select the category before you publish.

Disable Display

This code stops any page in the RSS Club category from being displayed on the web.

function rss_club_post_blocker(): void {
    if (    is_singular( "post" )
        &&  has_category( "rss-club" )
        && !current_user_can( "edit_posts" ) )
    {
        status_header( 403 );
        echo "You must be a member of RSS Club to view this content.";
        exit;
    }
}
add_action( "template_redirect", "rss_club_post_blocker" );

Editors can still see it, but everyone else gets a blocked message.

Remove From Site Search and SiteMap

Here's a snippet to stick in your functions.php - it removes the category from any queries unless it is for the admin pages or the RSS feeds.

//  Remove the RSS Club category from search results.
//  $query is passed by reference
function rss_club_search_filter( \WP_Query $query ): void {
    //  Ignore admin screens.
    if ( !is_admin() && !is_feed() ) {
        //  Find the RSS-Club category ID.
        $category = get_category_by_slug( "rss-club" );

        //  Remove it from the search results.
        if ( $category ) {
            $query->set( "category__not_in", [$category->term_id] );
        }       
    }
}
add_action( "pre_get_posts", "rss_club_search_filter" );

This code also redacts that category from the build-in sitemap. Note - the name of the category still shows up in the XML, but it leads to a 404.

My mailing list and social media posts are fed from RSS. So how do remove an entire category from an RSS feed?

Simple! Append ?cat=-1234 to the end!

A negative category ID will remove the category from being displayed. So my email subscribers won't see the RSS only content. Of course, they get email-only exclusive posts, so don't feel too bad for them 😊

Fediverse Exclusion

The manual way is easiest. Assuming you have the ActivityPub plugin and a the Share On Mastodon plugin, you can unselect the sharing options before publishing.

If you think you might forget to toggle those boxen, there is a filter for the share plugin:

function rss_club_mastodon_filter( bool $is_enabled, int $post_id ): bool {
    global $exclude;
    if ( has_category( $exclude, $post_id ) ) {
        return false;
    }
    return $is_enabled;
}
add_filter( "share_on_mastodon_enabled", "rss_club_mastodon_filter", 10, 2 );

Similarly, there's a filter for the ActivityPub plugin:


function rss_club_activitypub_filter( bool $disabled, \WP_Post $post ): bool 
{
    global $exclude;
    if ( has_category( $exclude, $post ) ) {
        return true;
    }

    return $disabled;
}
add_filter( "activitypub_is_post_disabled", "rss_club_activitypub_filter", 10, 2 );

Enjoy!

If you've set up your own RSS Club feed, drop me a line so I can subscribe 😊

I truly hate mostpeopleslop - Westenberg

2026-04-16T04:50:26.000Z

In 2006, Joe Sugarman published a book called The Adweek Copywriting Handbook - and an axiom stuck...

"The sole purpose of the first sentence in an advertisement is to get you to read the second sentence."

That line, more or less, explains how social media turned into a pile of shit.

Sugarman's advice became the core system prompt for 300,000 tech assholes on Twitter. They've run it through algorithm after algorithm and produced the most soul destroying rhetorical tic of the 2020s. I'm talking about "Mostpeopleslop." "Most founders don't know this yet." "Most people aren't paying attention to this." "Most founders skip [thing my startup sells] because [bad reason]." "Most founders treat [normal activity] like [wrong version of activity]." "Most founders say they want [thing]. Few actually [thing] well." "Most founders confuse [vague concept A] with [vague concept B]." You've seen it, you've scrolled past it, and you've maybe even liked one or two of these excretions before your brain caught up to your thumb, because it's bloody everywhere. It breeds in the dark spaces between LinkedIn notifications, it has colonized every timeline on every platform where a man with a podcast and a Calendly link can post for free, and I hate it. May God forgive me, I hate it.

Why it works (and why that's the problem)

I'll give the format its due: it works // performs. And the reason why is simple. "Most people" is a tribal signal - when you read "most people don't know about this," your brain does a quick calculation: Am I most people? Do I want to be most people? No? Then I better keep reading, so I can be the Holy Exception. But you're not actually learning fucking anything. You're being told you're special for having stopped to read, and the poster is offering you membership in an in-group, and the price of admission is a like, a retweet, any scrap of engagement. It's a scarcity play - people pay more attention to shit that feels exclusive.

"Most people don't know this" is exactly that.

It comes in a few different flavours...

The Reframe Artist goes "Most people are treating [recent tech acquisition] as a media story. It's a distribution story." This guy read one Ben Thompson article in 2019 and has been repackaging the word "distribution" as a personality trait ever since. The point underneath might even be fine! But he can't say it straight.

The Trojan Horse is "Most founders skip analytics because setup is painful. [My startup] is native. Zero setup." These are just ads. They are indistinguishable from late-night infomercials. "Are YOU tired of [thing]? Most founders are! But wait, there's more and if you follow and reply CRAP now, you get a set of steak knives..."

The Self-Eating Snake: "Most founders treat building in public like a highlight reel. They're doing it wrong. 7 ways to build in public without being cringe." Followed by a numbered list that packages a real idea in the same exact format it claims to be critiquing.

The Fortune Cookie: "Most founders confuse motivation with desperation." "Most founders mistake speed for progress." These sound wise if you scroll past them fast enough. They're fortune cookies, and they get engagement because they're perfect for screenshotting into your Instagram story, but there's nothing actually there...

And the Parasite: some guy quote-tweets "What keeps you moving? Progress or Pressure?" and adds "Most founders confuse which one they're running on." You take someone else's thought, bolt on the "most founders" frame, and now you've "created content." The confidence-to-effort ratio should embarrass anyone. It's intellectual house-flipping, with all the integrity attached.

The content industrial complex

Mostpeopleslop has metastasized because Twitter started rewarding engagement bait at the same time the creator economy started demanding you post all day // every day. If you're a tech influencer in 2026, you probably post 10 to 20 times a day, maybe more - this is what the gurus tell you to do. You need formats you can crank out fast that reliably get impressions, and "most people" threads do exactly that. There's no research required, and no original data - you barely need an opinion. You could generate these in your sleep, and thanks to OpenClaw some of these guys clearly do...

The easiest content to produce is the content that mimics existing successful content. The "most people" format is the shallow work of tech Twitter. It looks like thought leadership. It reads like wisdom. It's still slop.

The result is a timeline full of people telling you what "most people" get wrong, while they all say roughly the same things, in roughly the same format, to the same audience with a near-uniform contrarianism. Everyone is standing on a soapbox yelling "wake up, sheeple" at a crowd of other people on soapboxes.

The aesthetic crime of reading the same tweet structure 40 times a day isn't even the worst part - it's that mostpeopleslop degrades the information environment. When every piece of advice is framed as something "most people" don't know, you lose the ability to distinguish between underappreciated ideas and stuff someone repackaged from a blog post they read that morning...

And it trains audiences to value framing over substance - if you read enough "most people" posts, you start evaluating ideas based on how they're packaged rather than whether they're true. A well-formatted "most people" thread with a mediocre idea will outperform a useful post that doesn't use the formula, and so yes the medium becomes the message, but the message is: style points matter more than being right or even being valuable in the first place.

Everyone is an insider and an outsider at the same time; you're an insider because you're reading this post, you're an outsider because "most people" haven't figured this out yet, but since everyone is reading these posts, everyone is an insider, which means the distinction is fictional and we seem to have a collective hallucination of exclusivity.

The incentive structure on Twitter (and LinkedIn, where this format is somehow even more prevalent) rewards this kind of posting. If you're building an audience to sell a course, a SaaS product, a consulting practice, or a $249/month community where you teach other people to build audiences to sell courses, you need impressions, and you need followers, and mostpeopleslop delivers both. The people posting this stuff aren't stupid; some of them (a select // rare few, I'll grant) are sharp, have real experience, and could write things worth reading, but the format is a trap. Once you see that it performs, you keep using it, and every time you use it, you get a little further from saying something real and a little closer to being a content-generation machine optimized for engagement metrics. You have become the slop.

I want people to say the thing. If you have an observation about distribution, share the observation. If you built a product that solves a problem, describe the problem and describe the solution and have done with it. You don't need to frame every single post as a correction of what "most people" believe, and you don't need to position yourself as the lone voice of reason in a sea of ignorance. You can just ~say the thing.

The best writers and thinkers in tech have never needed the "most people" crutch. You can be interesting without being condescending. You can build an audience by being useful rather than by manufacturing a false sense of exclusivity 280 characters at a time.

But most people don't know that yet. (Sorry. Had to.)

What Interested Me Today 8 - Joel's Log Files

2026-04-16T00:30:00.000Z

Welcome to another installment of “things that interested me today but aren’t enough to warrant a blogpost by themselves so I bundled them all together here”—I hope you find something that catches your eye!

Again I don’t really plan to do these every week but it just so happens that I felt like writing about something but didn’t really have a big topic in mind.

Oh well, enjoy the links!

Bubbles, a frontpage for the IndieWeb

Jeremy mentioned a new site that serves as a blog discovery platform: Bubbles!

It looks rather simple, very similar to Reddit, Lemmy, Hacker News or Lobste.rs. However, this is not about tech articles or about whatever drives the most clicks, it’s a platform to surface bloggers, people writing about their lives and whatever they want.

They seem to be really focused on the IndieWeb, and even provide a widget that can be added to your website so the upvotes you get there can be seen on your posts. That’s kind of fun!

You even log-in with your fediverse account, it doesn’t have to be just Mastodon either, so that’s pretty awesome. No extra account setup, no email to give, all good for me.

The way comments work is based on the same principle, leave a comment on a mastodon post generated by Bubbles itself using your Fediverse client, and it will appear in bubbles too—similar to how my comments system works.

Prove You’re Human, from the creators of 1000xRESIST

If you don’t know, 1000xRESIST is the most unique experience I’ve ever had in gaming, and in my top 5 favourite games of all time.

Sunset Visitor is the studio behind this masterpiece, and now they’re working on a new project!

Featuring captcha solving, living in the Windows XP wallpaper, and some strange robot with a face attached to it. This seems to be a very interesting take which will have a couple things to say about AI. Here’s the summary!

Prove You’re Human is a sci-fi narrative adventure in which you play as Santana and split your consciousness in two. The company behind this program has a chance at achieving true AGI — but there’s just one problem.

The company’s AI, Mesa, believes she’s a human being. It’s your job to train her out of these delusions.

Even though AI in real life right is an absolute pain, and I don’t like hearing much about what it, this game, from this studio, gets a pass, and I’m sure it will have a lot to say about things and I am looking forward to it.

I’m in the podium of #100DaysToOffload

I’ve talked about this 100 DaysToOffload challenge before—and Kev, who keeps the website updated with the people participating in it—recently changed the design a bit!

There’s now a button to sort by number of completions, and I am happy to say that I am in the top 3!

Unfortunately for me, Hyde surpasses me by two and Dan Q sits at the throne with a total of 7 completions!

Honestly though I am relieved that Rubenerd—who recently updated his URL btw so update it if you haven’t —has not participated on it. He doesn’t need to anyway… Please, if you read this, please don’t do it I beg you!!

Note published on April 15, 2026 at 4:15 PM UTC - Molly White's activity feed

2026-04-15T16:15:27.000Z

The new Fellowship crypto PAC has filed its first fundraising disclosure. It reports a $10 million contribution from Cantor Fitzgerald (previously headed by Commerce Secretary Howard Lutnick, now controlled by his sons) and $1 million from Anchorage Digital.

ITEMIZED RECEIPTS
A. Anchor Labs Inc
Date of Receipt 01-12-2026
Amount of Each Receipt this Period 1000000.00
Aggregate Year-to-Date 1000000.00
B. Cantor Fitzgerald
Date of Receipt 01-23-2026
Amount of Each Receipt this Period 10000000.00
Aggregate Year-to-Date 10000000.00" />

The Fellowship PAC launched in September with an announcement that they had $100 million committed. They've recently revealed that the PAC is headed by Tether's head of government affairs Jesse Spiro, and endorsed a slate of Republicans.

Fellowship PAC has made three independent expenditures so far, totalling $1.5M:

$300k to Clay Fuller, who just won the Republican runoff in GA-14
$850k to Nate Morris, challenging Andy Barr in the Kentucky Senate Republican primary
$350k to Pete Ricketts, incumbent Nebraska Senator running for re-election

To Be Taught, If Fortunate - Joel's Log Files

2026-04-15T15:20:00.000Z

Ages ago at this point, I watched a YouTube video about short science fiction books! Back then I ended up reading and eventually reviewing The Undefeated by Una McCormack. That very same video is what first brought this novella to my attention, but well, it took me a few more years to finally give it a go.

To Be Taught, If Fortunate is a novella by Becky Chambers, presented as a report sent back to Earth, with the hope of sharing the Lawki 6 mission’s discoveries and data to whoever is there to receive it, fifty years later.

We follow the perspective of Ariadne O’Neill, one of four crewmates and the flight engineer of the Meriam, who were sent to explore four planets in a distant star system, which contain extraterrestrial life. The crew is rather diverse and the relationships between the characters is charming, although they don’t explore them that much, with a lot of things left unsaid. Despite that, I found them relatable and human and I was surprised that I cared so much about them by the end.

The science here was rather interesting, featuring a lot of things that are often unaccounted for in other works—that said I don’t read a lot of hard science fiction. There are pods that let the crew go into “torpor” (basically they sleep and barely age until you arrive to the destination). And there’s lots of details around that, such as how hair and nail would grow so much, or the buildup of crust around the eyes, the weird sensation of having your body grow and age when you feel like you only slept and woke up in an instant, among other things, which something like Alien simply ignores.

There is more science like that, all throughout the book, but the main “gimmick” consists of slight genetic alterations to help the astronauts get used to a planet! They are applied through patches on the skin during torpor, and constantly checked and used during the mission. For example, when the next planet they visit has double the gravity of Earth, they’ll wake up with augmented muscle mass and boss density.

Another thing I loved about it is the focus on preservation during their exploration efforts. There are a lot of procedures to avoid affecting the environment, and as mentioned before, they adapt themselves to the planet, instead of trying to change the local ecosystem. However, there will also be some moments of tension because of this. The balance of exploration and human curiosity and what right do we have to disturb the natural order of these planets when we are not part of it. Is it okay to turn over a rock if the worms under it will be be affected by the sunlight? But how can we even know that’s the case without doing so? There’s plenty of discussions like that which were quite thought-provoking.

My favorite part however, have to be the planets, and the life they contain! Each will be different and it’s amazing to see how joyful the characters are when they explore and categorize the life forms they find. There’s a lot of variety and descriptions that were livid and interesting to me, but of course, not all living beings all the same, and there is always a danger to exploring the unknown. This was handled pretty well.

And then we got Earth. These characters get to be on this mission for a reason, and in this book space exploration has become a community effort. Humankind working together to reach for the stars. It’s nice, but it’s also not perfect. Before getting to a planet, we will often see news and events of what has been going on. Even worse, the news are 14 years behind. Despite how nice space exploration is, the planet continues to warm up and warfare is still present. The news play an important role, and some of the best plot twists in the story happen because of them.

All in all. The different elements of this novella are put to good use! I also love how much I can tell you about it in this review compared to my previous read—which would definitely be ruined if I said any more. In any case. There is a lot to like here, some great hard science, some good character writing, some tense plot twists and emotional moments, and overall, a sense of hope that remained even during the darkest moments. I highly recommend giving it a go. I am definitely going to check more of Becky Chambers’ works.

Maybe I should return to Outer Wilds too…

Reply to this post via email | Reply on Fediverse

FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database - Werd I/O

2026-04-15T14:02:05.000Z

[Joseph Cox at 404 Media]

This understandably made a few journalists nervous when 404 Media originally reported it last week:

“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database.”

This reveals a shortcoming in how Apple stores notifications rather than in Signal itself.

Here’s how to mitigate:

Then, in your iPhone settings panel, find the Notifications pane, and scroll down to Signal. De-select “lock screen”.

[Link]

I Wish I Could Talk to My Dad - Kev Quirk

2026-04-15T13:52:00.000Z

My best friend lost his Dad yesterday. Understandably he's extremely upset, and I feel awful for him. I never know what to do in these situations - "how are you doing?" just feels such a stupid thing to say. Like it's nowhere near enough. Of course he isn't doing well, you fucking idiot!

His loss has brought about feelings of loss following the death of my own Dad. Who we lost back in 2008 to cancer, when he was 47. Watching him just wither away was heartbreaking. Especially at the age of 23.

Now, nearly 20 years on, I rarely get upset about the loss. I still think about him all the time, but seeing what my friend has been going through has jumped it right to the front of my mind. Especially since the loss of my sister is still so raw.

I had a dream about my dad last night, the first I've had in a while. The dream was nothing special, I don't even fully remember what happened in it. But what I do vividly remember was that his voice wasn't right. And then I realised, I don't remember what my Dad's voice sounded like.

I have no videos of him, and no recordings on his voice. For a year or so after he died, I used to call his phone as it would go straight to voicemail and I'd get to hear his voice. Eventually the line was cut though. I wish I'd recorded it, just to have something.

I don't even have many photos of him. Most of them are from when I was a baby. I only have 1 photo of him and I as adults, which was taken on the day I passed out of basic training in the Army.

LTR: My dad, me, my dad's dad.

Just one conversation

Not being able to remember his voice isn't the only reason I'd love to talk to him again. He was funny, and always made me belly laugh. He loved to sing too - and was bloody good at it!

I'm also a very different person now than I was in 2008. I'd like for him to meet his grandsons, and I'd like to know what he thinks of the man I've turned into. He only met my (now) wife once or twice - he'd have loved her, and she'd have loved him.

All very narcissistic, I know. Be he was my dad!

Conversely, I'd love to know what kind of an old man he turned into. Would he still be as funny? Or would have turned into a grumpy old curmudgeon? Would we still go for a couple beers every Friday? Would he come here for barbecues in the summer? I'd have loved that.

There's no real point to this post, really. These thoughts have just been spinning around my grey matter for the last few days, and I wanted to work through them, which I think I've done a pretty poor job of.

So yeah, losing a loved one is shit. It never leaves you, and I feel horrendously sorry for my mate.

I'll try and make the next one more positive...

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Stop Flock - Werd I/O

2026-04-15T13:31:43.000Z

[Stop Flock]

This is nice to see: a grassroots protest movement against the proliferation of Flock cameras.

From the site:

“Flock Safety markets AI surveillance that goes far beyond reading license plates; color, bumper stickers, dents, and other features are used to build databases and identify movement patterns. These systems are spreading rapidly, often without oversight, and are accessible to police without a warrant. They raise serious privacy and legal concerns, and contribute to a nationwide trend toward mass surveillance.”

I would echo what Brandon Mitchell said on Hacker news:

“I don't want to stop Flock the company. I want to stop Flock the business model, along with all the other mass surveillance, and the data brokers. If the business models can't be made illegal, it should at least come with liabilities so high that no sane business would want to hold data that is essentially toxic waste.

Without that, we are quickly spiraling into the dystopia where privacy is gone, and when the wrong person gets access to the data, entire populations are threatened.”

The Take Action section of the website is pretty good, with some common-sense tasks that include calling your representatives and supporting civil rights organizations like the ACLU and the EFF.

[Link]

Why is it so hard to passively stalk my friends' locations? - Terence Eden’s Blog

2026-04-15T11:34:45.000Z

I feel terribly guilty when I visit a new city, post photos of my travels, only to have a friend say "Hey! Why didn't you let me know you were in my neck of the woods?"

Similarly, if I bump into an old acquaintance at a conference, we both tend to say "If only I'd known you were here, we could have had dinner together last night!"

I do enjoy the serendipity of events like FOSDEM - randomly seeing a mate and expressing the joy of spontaneity. But I also like arranging to meet up in advance.

At the moment, my strategy is sending a blast on social media saying "I'm visiting [this city] next week, anyone fancy a beer and a natter?" I've met friends all over Europe, Australia, and New Zealand that way. It mostly works. But I can't help feeling it is inefficient and prone to missing connections.

I even wrote my own code to auto-post FourSquare checkins to my other social media sites.

Here are my ideal scenarios. Imagine something built in to Signal / WhatsApp / Whatever app you already use.

Plan In Advance

I tell my app that I'm going to Barcelona from 14th - 19th February and am happy to meet any of my friends.

✨Background Magic✨

My friend Alice has also planned a trip to Barcelona around those dates. She gets a ping saying that one of her friends is going to be in the same city. Does she want to know more?

So far, so Dopplr.

My friend Bob lives just outside of Barcelona. He's set his "willing to travel" settings to be about 30 minutes, so also receives a ping.

I don't know that either of them have seen the notification until they decide they want to meet.

Spontaneous Fun

I step off the train in Manchester, England England. Perhaps the app notices I'm away from home, or maybe I press the "Anyone Around?" button.

On a map I can see friends who have shared their rough location. I decide to message Chuck to see if he's free for a chat.

Dave notices my location is now within his preferred travel distance. He gives me a ring.

A bit like how FourSquare used to be - but with less precision.

Downsides

The above is very much the "happy path". It doesn't look at any of the knotty problems or grapple with the UI that would be needed to make this work. But we know the technology for sharing location is viable - so what are the social issues that make this so difficult?

"Oh, fuck, Edgar's location says he's in town. Can we pretend to be out of the country?"

Alternatively, "Huh, I know at least a dozen people who live in Skegness. Why aren't any of them responding to me?"

Social pressure and awkwardness are hard problems. No one wants to use the app that makes you feel like a friendless loser.

Privacy

Do you want your friends knowing your every movement? I'm sure some people do, but most probably don't. It's possible to sketch out some vague controls:

Only send a notification if I push this button.
Don't send alerts if I am within this radius of my home / work.
Fuzz my location to the city / state / country level.

Danger

Is it a risk to let people know vaguely where you are? Is meeting up with (semi-) strangers from the Internet a smart life choice? Is having an app stalk you across the globe giving too much data to advertisers?

Does that creep from work abuse the system to keep popping up whenever you're out with friends?

Technology

I said the technology exists for this, and that was sort of true. Every device has GPS & an Internet connection. Storing a log of friends and sending them a message is a solved problem.

But is it solved in a decentralised and privacy preserving way?

No one wants to give all this power to one company. Google will build it and kill it. Facebook will sell your secrets to dropshippers. A funky start-up will be acquhired by Apple & restricted to iOS devices.

My location is fuzzed to an acceptable degree of imprecision and then sent… where? To all my friends directly? To a central server? Can k-anonymity help?

Is this a separate app? Everyone seemed to leave FourSquare after they buggered around with it. Perhaps it is just a feature in existing apps?

What's Already There?

Messaging apps like Signal, Telegram, and WhatsApp allow you to share your location with one or more friends.

To me, it feels a bit weird to manually send a dropped pin to some / all of my contact. It also doesn't let you share "tomorrow I will be in…"

Using "Stories" is the common way to share an update with all contacts - but none of them let you automatically share your location in a story.

FourSquare's Swarm app allows you to check in to a "neighbourhood". But there's no obvious way of saying "London" or "Manchester" - and I'm not sure how close to an area you need to be to get an alert that your friend is there.

What's Next?

I don't want to build this. Trying to get everyone I know to adopt a new app isn't going to happen. With the fragmentation of messaging and the lack of interoperability, this is likely to remain an unsolved problem for some time.

So here's my strategy.

Get back in to using FourSquare. Most of my friends seemed to stop using it back in 2017 when it was split into Swarm. But a few are still on there.
Manually post a story on Mastodon, BlueSky, Facebook, WhatsApp, Signal, and Telegram saying "Visiting Hamburg next week. Anyone want a beer?"
Hope that something better comes along.

One size fits none: let communities build for themselves - Werd I/O

2026-04-15T02:01:44.000Z

A little under twenty years ago, I stood on stage at the University of Brighton, in England, at our Elgg Jam event. Elgg was the open source social network I’d co-founded; Brighton used it to become the first university in the world to roll out a social network campus-wide.

I was giving the keynote talk, explaining what we’d include in the next major version of the platform. I built up anticipation, hamming it up as the audience — many of whom had built social networks with tens or hundreds of thousands of users — waited for what I had to say.

I moved to a blank slide.

“None,” I said. “The next version of Elgg has no features.”

Genuinely, there were gasps. I don’t think I’ve had a similar reaction at any talk I’ve given since. Years later, one of the attendees told me it was a mind-blowing moment: one of those sessions that immediately changes your perspective.

I went on to explain.

Instead of releasing a rigid social network out of the box, we recognized that for communities, one size didn’t fit all. Instead of giving everyone the same configuration, the same interface, and the same collection of tools, each community owner would easily compose their own combination of functionality and experience in order to best fit the community they served. By then, Elgg had been translated into 80 languages and there were a ton of plugins from across the ecosystem; there was a lot to configure a site with.

The underlying point was that a social networking platform existed to support a real human community, and needed to be responsive to its needs. How could we, as platform developers, possibly know what every community needed? We couldn’t; we didn’t. It was better to put that power in the hands of people who did.

Since that talk in September 2007, we’ve seen a lot of social networks that were one size fits all: Facebook, Twitter, Instagram, TikTok, and a raft of others. Each has forced communities to adhere to its own design assumptions. Every platform’s user experience is rooted in the cultural and intellectual assumptions of its development team. A rigid user experience means that needs that aren’t in line with its team’s worldview may be ignored.

That’s not a trivial gap. Some communities have specific requirements about identity; others have particular cultural sensitivities that need to be incorporated in an approach to trust and safety. In Myanmar, Facebook (which is based 8,000 miles away in Menlo Park, California) ignored local needs and community dynamics to the extent that it’s been accused of facilitating the genocide against the Rohingya people.

For centralized, proprietary platforms, there have been few options. Even for platforms like Bluesky and Mastodon, which are based on open protocols and can be forked and self-hosted, changing the interaction model and user experience has traditionally required a significant amount of development work.

If only there were some way to make that process easier.

Custom code is easier than ever

One of the most interesting developments this year has been agentic coding’s elevation from interesting tool to code-producing productivity workhorse. People I know who have been writing software for over thirty years are now using LLMs as their full-time coding engine. My friend Jesse Vincent, who has written open source software and managed the Perl programming language, now spends his time on ways to bring senior engineer-level thinking to LLMs. Simon Willison, co-founder of Lanyrd and creator of Datasette, spends much of his time exploring, defining, and analyzing the space. If LLMs sucked at this, they would say so. But they don’t, and instead these two veteran engineers have gone all-in. So have many thousands of other engineers.

In a world where custom code can be created far more easily than it could in the past, communities can more easily build bespoke spaces for themselves. There’s no need to adopt a one-size-fits-all platform — even an open source one — when you can ask for the exact features you want. Beyond existing tools like Claude Code, you can imagine tuning an AI-powered system specifically designed to help community leaders create customized platforms.

What would be needed then are agreed-upon rules about how community platforms behave: how they communicate with each other, how they integrate a user’s identity, and how they work with services for moderation, flagging, and other trust and safety necessities.

There’s a word for agreed-upon rules for how software communicates with each other: protocols. And in a world where anyone can spin up their own software, they’re more important than ever.

Protocols for parties

The web already has protocols and standards. Web pages travel over the HyperText Transfer Protocol (HTTP) and serve HyperText Markup Language (HTML). If anyone wants to build a new web browser, they don’t have to ask anyone; they just need to follow the HTTP and HTML specifications (okay, and CSS, JavaScript, etc etc — but these all follow the same principle).

Just as the web is built on open protocols, the next generation of social platforms is too. ActivityPub describes how two different community platforms can send messages between each other on behalf of their users. Authenticated Transfer Protocol (ATProto) defines how users can use and move their identities and provides a shared data layer. ActivityPub is used as glue between Mastodon, Ghost, and Threads; ATProto is used by Bluesky, Blacksky, Eurosky, and applications that sit on top of them. In both cases, just like HTTP and HTML, anyone can build a new community platform that uses them — and that therefore will be immediately compatible with all the other community platforms that use them.

These protocols have been around for years. But now that software itself is becoming cheaper to produce, and everyone can build their own applications that are right for them, the center of gravity has changed. Whereas previously open protocols were the co-ordination layer for many instances of a few applications, now they’re the co-ordination layer for an exploding ecosystem of more custom applications, each of which could be installed many times over.

Previously, libraries, modules and plugins were the building blocks of software. Consider what we were trying to do with Elgg, or what the WordPress project continues to push on: a core codebase that you can extend and configure by downloading plugins and themes from anywhere. Those plugins will still be a part of the ecosystem, but new plugins can be generated in hours or less. And increasingly, the existing ones will be configured for bespoke needs, too.

That’s a lot of custom codebases. By default, they’re all siloed away from each other. If one person builds a community for a neighborhood over here, and another person builds a community for an affinity group over there, there’s no way for them to intersect. People have to find them, sign up for them, and interact with them separately — and every new community has to start with zero users.

But if we make drawing on open protocol specifications as easy as pulling an open source library or a WordPress plugin, the definitions for how all these bespoke apps and communities talk to each other become the new shared building blocks. With them, each new codebase is part of an expansive web of applications and communities.

Making it easier

There’s more we could do to make this world possible.

Today, software often relies on something called a package manager to easily incorporate libraries. You can imagine a spec manager that does something similar for agentic development. Tell it to import ActivityPub, and boom, through a combination of instantly-applied new skills and cleanly-written specification guidelines, what you’re building is compatible with the Fediverse.

Just as libraries get added to a package manager today, new specifications could be added to a spec manager in the future. This would catalogue all protocol specs from across standards bodies — and, of course, anyone could publish their own, just as anyone can publish an open source library today. These become software dependencies.

And we could use domain-specific tooling that makes building software easier for non-engineers. A community platform builder would help community leaders create software to support their work, but hide complex development, debugging, and infrastructure considerations. Despite the abstracted, walled-garden nature of this kind of interface, open protocols would mean that the software could be deployed to a choice of provider, and its data wouldn’t be locked up inside it.

If it’s not obvious yet, none of this is tightly-bound to agentic development. If you hate LLMs or just want to write everything by hand — both reasonable positions — there’s nothing stopping this kind of infrastructure from being useful for you, too.

What’s still to come

We have established protocols for identity and communications between systems, but there’s more to running a community. For one thing, a community leader typically wants to make it safe: moderation, content flagging, and other abuse protections are vital. Every community needs to tend to its culture; making it welcome to more vulnerable users — the people more likely to be the subject of abuse — is an important step towards that.

Part of the point of having bespoke community platforms is that these value systems may be different from community to community, and the signals of abuse may be specific to them. Facebook failed Myanmar for exactly this reason. So these communities need to handle their own trust and safety.

But dedicated open protocols for trust and safety systems would allow these community owners to work with third-party platforms that might provide safety tooling and frameworks. It could also make it easier for multiple communities with similar values to pool their resources around trust and safety. These communities could all connect, through open protocols, to a third system where moderators can review content and take action through one central interface.

Overall, it’s the human stuff that rises to the top when code becomes more of a solved problem. Rather than considering how to build it, or where to obtain it, we can finally spend most of our time on the more important considerations: what is needed, why and for whom. We can use our own cultural norms to define the answers to these questions rather than accepting one-size-fits-all approaches from people in Menlo Park.

Which brings me to one last thing.

How we generate the code matters

While I don’t think these principles apply solely to agentic development, I believe that’s how they’ll most often be used.

The LLMs we mostly use are centered on Silicon Valley culture, with Silicon Valley assumptions. Their inherent biases, drawn from the source material the vendors have chosen to use to train the models, are well-documented. The vendors themselves often work with government, the military, law enforcement, and immigration, which may sometimes be at odds with community values. If we are truly to use this technology to build community-first software, the technology itself must be values-aligned with the community.

Writing code by hand, depending on the developers involved, fits this ethical standard. But we need LLMs that reach that bar, too. That’s most likely to mean grassroots models that are in themselves designed to be more community aligned, and whose source material is more likely to be ethically acquired.

This work is already being done. Small Language Models are being used to revitalize Indigenous languages. The Mozilla Data Collective is enabling more consensual, ethical, representative training data. These are the kinds of tooling efforts that will support community-aligned development, alongside the open protocols that will govern how generated software works together.

Many people are hard at work with the intention of supporting communities far better than the last generation of social media. Simultaneously, there’s been a resurgence in open protocols, and the rise of LLMs that can build software on our behalf. Together, these trends mean there’s so much more we can do.

In particular, moving away from the assumption of one-size-fits-all scale and leaning into the idea of small, culturally-aligned applications and tooling will enable us to better support communities that are far away from the norms and assumptions of Silicon Valley. It will be hard. But it’s a journey worth taking.

Note published on April 14, 2026 at 10:38 PM UTC - Molly White's activity feed

2026-04-14T22:38:52.000Z

i have never clicked "interested" on a Google News push notification except for on this and one other hummingbird migration–related article, and i'm hoping to train the algorithm to only push notify me with hummingbird content

Hummingbirds are moving north across US, reaching New England states" />

Shellsharks Blogroll - BlogFlock

Read "How Silicon Valley Humiliated the Democrats" - Molly White's activity feed

Book Review: How To Kill A Witch - A Guide For The Patriarchy by Claire Mitchell and Zoe Venditozzi ★★★⯪☆ - Terence Eden’s Blog

We beat Google’s zero-knowledge proof of quantum cryptanalysis - Trail of Bits Blog

Zero-knowledge virtual machines

Google’s zkVM guest

Plan of attack

Vulnerability 1: Bypassing the Toffoli counter

Building a quantum circuit

Vulnerability 2: Efficient operations with register aliasing

The final challenge: Euclidean algorithm optimization

What Google’s secret circuit (probably) does

The aftermath

Acknowledgments

On AI Images and Feature Images in General - Kev Quirk

When is AI image slop ok?

Using AI for feature images?

Notable links: April 17, 2026 - Werd I/O

I May Have Killed My Framework 13 - Kev Quirk

Going further

More confessions from a FOSS enthusiast - Joel's Log Files

📱 My phone is even less de-googled

🔍 Sill using Google Search

🤖 FOSS with AI on it…

💾 Self-hosting? Backups? What is that?

Finishing thoughts

Google Broke Its Promise to Me. Now ICE Has My Data. - Werd I/O

You Own Your Role, We Own The Outcome - Werd I/O

RSS Club for WordPress - Terence Eden’s Blog

I truly hate mostpeopleslop - Westenberg

Why it works (and why that's the problem)

It comes in a few different flavours...

The content industrial complex

What Interested Me Today 8 - Joel's Log Files

Bubbles, a frontpage for the IndieWeb

Prove You’re Human, from the creators of 1000xRESIST

I’m in the podium of #100DaysToOffload

More blogs for my RSS reader…

Note published on April 15, 2026 at 4:15 PM UTC - Molly White's activity feed

To Be Taught, If Fortunate - Joel's Log Files

FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database - Werd I/O

I Wish I Could Talk to My Dad - Kev Quirk

Just one conversation

Stop Flock - Werd I/O

Why is it so hard to passively stalk my friends' locations? - Terence Eden’s Blog

One size fits none: let communities build for themselves - Werd I/O

Custom code is easier than ever

Protocols for parties

Making it easier

What’s still to come

How we generate the code matters

Note published on April 14, 2026 at 10:38 PM UTC - Molly White's activity feed