Security researcher. Keeping the internet safe for anarchy.

Joined May 2008
Deleted and correcting (sorry @BrendanEich). Here's what the anti-fingerprinting actually does: github.com/brave/brave-brows…. It doesn't spoof user agents. Still not convinced Brave is being a good citizen here, but I'll update after I've looked more closely at it.
Kocher's Law: the cost of mitigating speculative-execution vulnerabilities doubles every 18 months.
Welcome new followers. I regret to inform you, if this is what you came for, that I do not usually tweet about anvils. Also, I don't have a Bandcamp. However, I should tell you a little backstory about my avatar. In case you haven't seen these cartoons, Ralph Wolf and Sam Sheepdog are classic Warner Brothers characters. They punch in at 8:00, at which point Ralph puts his utmost into predating Sam's sheep while Sam puts his utmost into defending them. The pictured cliff scene occurs a moment before the lunch bell rings, at which time the two join each other for a picnic lunch, and then resume their positions so Sam can release Ralph off the cliff. At 5:00, they punch out and head off to the pub together. I've loved these cartoons forever, because they fictionally epitomize a rare and underrated civic virtue: the ability to understand, "circumstances have made us adversaries, but that doesn't mean we have to be enemies". My own experience with this, and the inspiration for the avatar, came in the early '10s while I worked at @Akamai_InfoSec under @csoandy. I'd spent my day dealing with DDoS attacks targeting Akamai-hosted customers, conducted by Assad-loyal Syrian hacktivists. That evening, I got involved with a deep and friendly geopolitical discussion with some anonymous IRC acquaintances. Over an hour into that conversation, it came out these acquaintances were the very hacktivists I'd spent my day responding to. We both took this revelation in good cheer and went on to share as much detail about our days as we safely could without jeopardizing our respective operational security. The very height of this virtue in relatively modern times must be the WWI Christmas truce, in which belligerents temporarily laid down their arms, and Jerry soldiers walked across no-man's-land for one night of caroling and celebrating their shared humanity, before resuming their positions the following morning.
Contrary to the usual telling, this was not an isolated event, but a pattern of the early days of the war, which later ceased due to a combination of bitterness and weariness causing enmity to harden, and military brass concluding that such fraternity was no longer to be tolerated. A more ordinary and contemporary example comes from the friendships that opposing counsel regularly develop during the course of litigation. The force against which this virtue must be maintained scales with the personal and moral stakes involved. Lawyers have it relatively easy: there's no tension in believing at the meta level that an adversarial justice system best serves the public interest, while at the object level regarding both yourself and your OC as simple mercenaries whose careers will likely survive regardless of the outcome. Soldiers have it hardest. They're made to experience the other side not just as "the counterparty" but as the source of terror, grief, exhaustion, and death. The Christmas truce is so moving because it showed, for a while at least, that men could momentarily see through an apparatus thoroughly constructed to obscure that vision. My own anecdote falls somewhere between the two, albeit much closer to the easy side. My counterparts and I were not playing for sport: we both had real moral commitments. They thought they were resisting or punishing something worth resisting or punishing. I did and do reject that, and regard the civilian infrastructure and customer systems they were knocking over as not theirs to break. But as far as the concrete stakes that might be within our personal control, rather than abstract political allegiances: it's just some computers. Everyone involved was much better off, and no one worse, for our mutual ability to maintain that perspective. Anyway, for my old followers who've wondered why I've maintained this silly cartoon avatar for almost a decade and a half, now you know.
For my new ones, I think I'll switch it, temporarily and only once the primary commotion dies down, to an ACME anvil.
You buy a German anvil. It contains 83 moving parts and requires winding twice a day. It's forged from excellent steel, holds tolerances across all three striking faces to within three microns, includes a beautifully indexed horn-adjustment mechanism nobody asked for, and requires a proprietary 11-point spanner should you need to replace the rebound calibration bushing. It runs flawlessly for years, but one day it starts up in limp mode because the onboard anvil-management system detects that it's overdue for its 50,000-strike inspection. You search AliExpress for a Chinese anvil, and are presented with a multitude of offerings from such household-name brands as DUKXJYIBF, HDBTGMXI, and UEJQIP. They're all priced to within a few pennies of each other, appear completely identical except for the nameplate, and obviously all came out of the same factory. You text your blacksmith friend to ask if they're legit. He tells you he got one like that from KIXJBU a few years ago, and that it's been great and a terrific deal. You thank him, but KIXJBU seems to have folded so you buy the one from UEJQIP. When it arrives, it feels suspiciously light. You scratch it and realize it's iron-plated aluminum. You buy an American anvil. It's five times the price of the competition, but it comes from a brand that your great-grandfather used to love. It comes boxed with a warranty registration postcard, twenty pages of safety instructions, assay certificate, and a regulatory slip which lists its FCC certification and ITAR registration. It looks just like your friend's KIXJBU. There's a "Made In China" sticker on the bottom. You buy a Russian anvil. It arrives coated in cosmoline, wrapped in newspaper from 1974, and weighing 40% more than advertised. The finish looks like it was machined with a shovel. The face is not flat, but somehow this does not matter. You drop it off a truck, accidentally leave it outside for six winters, and use it to straighten a bulldozer blade. It's fine.
You buy a Swedish anvil. It comes flat-packed in a long cardboard box with cheerful Neo-Grotesk lettering and a line drawing of a smiling man assembling it with an Allen key. The instructions contain no words, only pictograms showing the anvil face, horn, waist, feet, and 112 identical-looking fasteners. Halfway through assembly, you discover that the pritchel hole was installed upside down, but only because you used peg B17 where you should have used peg B71. Once assembled, it is clean, stable, and works better than it has any right to. You immediately wonder whether you should have bought two. You buy a Japanese anvil. It arrives wrapped in rice paper inside a paulownia box, accompanied by a certificate bearing three generations of signatures and a photograph of the first production example being presented to the Emperor. The face has been hand-polished by a seventy-eight-year-old master whose family has made striking surfaces since the Muromachi period. You are given detailed instructions for oiling it with a cloth folded in a specific way. It is the most beautiful object you own. You never quite work up the nerve to strike it.
There's a structural reason that this happened, but it's not any of the ones that you'll hear about from Lunduke Journal. uutils is MIT-licensed. In order to maintain this and avoid accidental infection by GPL-licensed coreutils code, the project attempts a "Chinese wall" clean-room discipline to the limited extent that such a thing can possibly be practical in the context of two open source projects. Developers are discouraged from reading coreutils code or discussing its internals in PRs. Implementation for compatibility is guided by documentation and then tested in a way that treats coreutils as a black box. That testing is pretty thorough, but exploitable TOCTOU bugs that basically don't come up outside adversarial circumstances are exactly the kind of thing that tests are liable to miss. They're also the kind of thing that would likely have been avoided or at least caught much earlier if uutils devs had permission and encouragement to closely study coreutils code — but doing that would have incurred some genuine legal risks to the project's license status.
Replying to @lcamtuf
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not: seclists.org/oss-sec/2026/q2…
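An added illustration of the check-then-use window the thread is about (my own code, not uutils or coreutils code, and no claim about the specific bug in the linked oss-sec post): the path-based pattern looks the name up twice, once to check and once to act, so whatever the name points to at the second lookup is what gets modified; the fd-based pattern checks and acts on a single open descriptor. The demo builds a constructed file-plus-symlink layout under /tmp; `chmod_check_then_use`, `chmod_fd_based` and `demo_toctou` are my names.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path-based: lstat() and chmod() each resolve `path` independently, so
 * whatever replaces the name between the two calls is what chmod() acts on,
 * and chmod() follows symlinks. Returns 0 on success, -1 otherwise. */
int chmod_check_then_use(const char *path, mode_t mode) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    return chmod(path, mode);
}

/* fd-based: open once with O_NOFOLLOW, then check and act on that open
 * description. There is no second name lookup, so there is no window. */
int chmod_fd_based(const char *path, mode_t mode) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                      /* ELOOP if path is a symlink */
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed scenario: a regular file plus a symlink standing in for the
 * state the name is in once the lstat() half has already passed. Returns 3
 * when the path-based use follows the link (bit 1) and the fd-based version
 * refuses it with ELOOP and leaves the file's mode untouched (bit 2). */
int demo_toctou(void) {
    char dir[] = "/tmp/toctou-XXXXXX", victim[64], alias[64];
    struct stat st;
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    close(fd);
    if (symlink(victim, alias) != 0) return -1;
    if (chmod(alias, 0644) == 0 && stat(victim, &st) == 0 &&
        (st.st_mode & 0777) == 0644) result |= 1;   /* use-half went through */
    chmod(victim, 0600);
    if (chmod_fd_based(alias, 0644) == -1 && errno == ELOOP &&
        stat(victim, &st) == 0 && (st.st_mode & 0777) == 0600) result |= 2;
    unlink(alias); unlink(victim); rmdir(dir);
    return result;
}
```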
This looks AWESOME! I used to be a fencer, and I've complained for decades that watching it on TV is pointless because the sport is much too fast to be appreciated at 30fps. Problem solved.
Japanese engineers developed a “Sword Tip Visualization System” for the Fencing World Championships, and it makes fencing look absolutely incredible to watch.
Is it just me, or does GPT-5.4 seem lazier recently? I'm hearing lots of such complaints about Claude but haven't heard anyone else yet saying this about OpenAI models. Seems I have to browbeat it now to get the quality of technical writing that it would oneshot a few weeks ago.
Daniel Franke retweeted
With apologies to Clarke and Dawe.
INTERVIEWER: Thank you for joining us Senator Collins. Now this OpenBSD vulnerability that was revealed earlier today–
COLLINS: The one where the kernel panicked?
INTERVIEWER: Yes
COLLINS: Yeah, it's not very typical, I'd like to make that point.
INTERVIEWER: Well how is it untypical?
COLLINS: There are a lot of these packets going around the world all the time and very seldom does anything like this happen. I don't want people thinking that C is not safe.
INTERVIEWER: Was this C code safe?
COLLINS: Well I was thinking more about the other ones.
INTERVIEWER: The ones that are safe.
COLLINS: Yeah, the ones that don't panic the kernel.
INTERVIEWER: Well if this wasn't safe, why was it running at ring zero on millions of machines?
COLLINS: Well I'm not saying it wasn't safe, it's just perhaps not quite as safe as some of the other ones.
INTERVIEWER: Why?
COLLINS: Well some of them are built so that they don't segfault at all.
INTERVIEWER: Wasn't this built so it wouldn't segfault?
COLLINS: Well obviously not.
INTERVIEWER: How do you know?
COLLINS: Well because a selective ACK block placed 2^31 bytes away from the receive window, causing an int comparison to overflow, so the kernel concluded the same byte was simultaneously above and below the acknowledged sequence number, deleted the only hole in its SACK list, appended to a null pointer, panicking the kernel and pulling down the entire machine. It's a bit of a giveaway, I just like to make the point that that is not normal.
INTERVIEWER: Well what sort of standards is this C code written with?
COLLINS: Oh very rigorous software engineering standards.
INTERVIEWER: What sort of thing?
COLLINS: Well it's not supposed to crash, for a start.
INTERVIEWER: What other things?
COLLINS: Well, there are regulations governing which functions you're allowed to call.
INTERVIEWER: What regulations?
COLLINS: Well, gets() is out.
INTERVIEWER: And?
COLLINS: No strcpy. No strcat.
INTERVIEWER: sprintf?
COLLINS: Look, sprintf is fine if you're careful.
INTERVIEWER: Are people careful?
COLLINS: For the most part.
INTERVIEWER: What else?
COLLINS: Code's gotta be in source control. There's a test suite.
INTERVIEWER: What does it test for?
COLLINS: That it compiles I suppose.
INTERVIEWER: So the allegations that it's a dangerous language that does next to nothing to check whether code is doing what it's supposed to, that's ludicrous?
COLLINS: Absolutely ludicrous. C is a serious production language.
INTERVIEWER: Well what happened in this case?
COLLINS: Well the kernel crashed in this case by all means but it's very unusual.
INTERVIEWER: But Senator Collins, why did the kernel crash?
COLLINS: Well it got a packet.
INTERVIEWER: It got a packet?
COLLINS: The kernel received a packet.
INTERVIEWER: Is that unusual?
COLLINS: Oh yeah. Online? Chance in a million!
INTERVIEWER: So what do you do to protect the internet in cases like this?
COLLINS: Well we patched the bug upstream.
INTERVIEWER: …leaving other vulnerabilities no doubt unfixed.
COLLINS: No no no the bug has been patched. You might need to deploy it but–
INTERVIEWER: But this class of vulnerability–
COLLINS: It's not a class of vulnerability, it's a one-off bug caused by programmer error.
INTERVIEWER: Well what else is out there?
COLLINS: Nothing's out there.
INTERVIEWER: There must be something.
COLLINS: There is nothing out there. All there is, is code, and programmers, and fixes.
INTERVIEWER: And?
COLLINS: And untold numbers of exploitable kernel-level exploits.
INTERVIEWER: And what else?
COLLINS: And a 27 year old integer overflow.
INTERVIEWER: And anything else?
COLLINS: And large private models at AI labs discovering more vulnerabilities in secret. But there's nothing else out there.
INTERVIEWER: Senator Collins, thank you for joining us.
COLLINS: It's a complete void. Nothing worth thinking about. Oh, we're out of time? Could you call me a cab?
INTERVIEWER: But didn't you come in a self-driving car?
COLLINS: Yeah I did but…
INTERVIEWER: What happened?
COLLINS: Well the kernel panicked.
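The "simultaneously above and below" line in the parody, as an added example that is not part of the original post and makes no claim about the actual OpenBSD code: the classic BSD modular sequence-number macros contradict themselves exactly when two sequence numbers are 2^31 apart, and a window check done in unsigned arithmetic keeps a SACK block away from that point before any signed comparison runs. The `SEQ_LT` macro follows BSD's tcp_seq.h; `seq_order_is_contradictory` and `sack_block_acceptable` are my own hypothetical helpers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Classic BSD modular sequence comparison (tcp_seq.h). The cast relies on
 * two's-complement wraparound, which every kernel target provides. The
 * ordering is only meaningful when a and b are less than 2^31 apart. */
#define SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)

/* True when the macro contradicts itself for this pair: at exactly 2^31
 * apart, a - b and b - a are both 0x80000000, so "a < b" and "b < a" hold. */
bool seq_order_is_contradictory(tcp_seq a, tcp_seq b) {
    return SEQ_LT(a, b) && SEQ_LT(b, a);
}

/* Hypothetical defensive check (my own, not any kernel's code): accept a SACK
 * block only if it lies inside the bytes in flight [snd_una, snd_max]. All
 * arithmetic is unsigned, so the test itself cannot overflow, and every
 * block that passes is < 2^31 from both edges, where SEQ_* is consistent.
 * Sequence-space wraparound (snd_max < snd_una numerically) is handled. */
bool sack_block_acceptable(tcp_seq snd_una, tcp_seq snd_max,
                           tcp_seq start, tcp_seq end) {
    uint32_t win = snd_max - snd_una;                /* bytes outstanding */
    uint32_t s = start - snd_una, e = end - snd_una; /* offsets from snd_una */
    if (win >= 0x80000000u) return false;            /* impossible window */
    return s < e && e <= win;                        /* non-empty and inside */
}

int main(void) {
    tcp_seq una = 1000, far = una + 0x80000000u;     /* constructed values */
    printf("contradictory: %d\n", seq_order_is_contradictory(una, far));
    printf("accepted: %d\n", sack_block_acceptable(una, una + 65535, far, far + 1460));
    return 0;
}
```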
My hounds of war have heroically protected @MorlockP from a wild Icelandic ram.
Black to move. Would …Nxc5 be a blunder?
Daniel Franke retweeted
Replying to @RGA
This is Major Tom to tech support
I'm clicking on the tab
But it's acting in a most peculiar way
And the menu ribbon looks quite different today
Daniel Franke retweeted
“I have two versions of outlook and neither of them are working” is actually a generational NASA quote now. Not quite One Small Step but every generation lives in a different world
Apr 2
Imagine being prompted to sign in with Authenticator from here
My game warden friend got a call yesterday to dispose of a moose carcass. He found it covered in so many tens of thousands of ticks that he believes it died of blood loss. That right there is some New Hampshire Gothic shit. Faulkner's got nothing on this.
My reaction as he told me this story went from "moose steaks?" to "never mind".
As much as I generally try to just root for Team Space and ignore agency politics and commercial rivalries, I remain absolutely pissed that the Artemis program is going ahead while the Mars Sample Return mission got debudgeted and cancelled. Such a colossal waste.
Japan Twitter is the most wholesome thing to happen to the Internet since ShantyTok. So who's going to share some Japanese sea shanties?
The apex of modern weaponry is a pointy stick. x.com/Archer83Able/status/20…

Russian FPV interceptor drone impales a Ukrainian Darts-type low-cost strike drone on two metal rods, causing the UAV to catch fire and lose control.
Almost everybody is posting their favorite dunks, but for me it's gotta be this tweet. Reading it completely broke my sense of time.
Twitter turns 20. What is your favorite tweet of all time?
Godzilla Minus One
What are some movies that had no right being as good as they turned out to be?