Flutterby™! (short)

‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens

“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”

ana «model a7m2» @ana@starlite.rodeo

why did they call them "ai datacenters" when they could have called them "slopping malls"

Pizza Hut's AI system caused 'cascading' problems and $100M in damages, franchisee alleges in new suit. Seems a little unfair to "AI", this just seems like the business people in charge of implementation didn't understand the processes they were automating, and fucked up bigtime in exposing information that shouldn't have been external, or should have understood that they needed to create other incentives in the process.

Via</>

But I think there's a larger issue here. The trend for years has been to punt understanding the systems we're automating into down the road, to use code to specify the constraints, to even just implement all of the options and A/B test the results. Using metrics that may or may not be actually relevant to the business goals.

It very much feels like in the same ways that in the naïveté of the '90s we said "we're going to bring the amazing online communities to the world", and what we did was brought the world to the online communities, destroying them, when we said "we're going to teach the world to program", rather than teaching critical thinking and logic, we taught people to plug together npm packages...

Anyway, good on the franchise owner, I hope he nails them to the wall.

I'm gonna have to pay special attention to this next time we're down in the mountains of that area: Wikipedia: Tunemah Peak

Tunemah Peak is a mountain in Fresno County, California, located in the southwestern United States, with an elevation of 11,158 feet. The mountain gets its name from the nearby Tunemah Trail, which originated in 1878 when a Cantonese cook and a shepherd uttered the Cantonese curse "屌你阿媽" (Jyutping: diu² nei⁵ aa³ maa¹; lit. 'fuck your mother') while walking along the rugged trail.

Via

Fascinating read on the politics of Christo's "Running Fence" installation in Sonoma County https://petalumahistorian.com/christos-trojan-horse/

mirrored (likely with paywall) at https://www.petalumanews.com/2...ing-fence-changed-sonoma-county/

Fits on a Floppy, an awareness campaign with logo for small software.

Software should be as small as it can be. Not as a gimmick, but as a discipline. The floppy disk is the measuring stick: 1.44 MB. If the software that ran entire businesses could fit in that space, then a modern, focused, single-purpose tool certainly can.

Via.

Michał "rysiek" Woźniak · 🇺🇦 @rysiek@mstdn.social

Independent audit confirms my analysis of Telegram's protocol from last year: https://istories.media/en/stor...endent-review-confirms-critical- telegram-vulnerability/

The audit was ordered by one of the main characters of IStories' investigation into Telegram's network infrastructure, man called Vedeneev. My analysis was done in connection with that journalistic investigation.

Presumably, Vedeneev ordered the audit in order to discredit my analysis and Istories' investigation. Instead, the report confirms my findings.

and Michał "rysiek" Woźniak · 🇺🇦 @rysiek@mstdn.social

You can find my original analysis here:
https://rys.io/en/179.html

tl;dr: for every device, Telegram generates a long-term identifier, auth_key_id, that is then prepended *cleartext* (or at best, trivially obfuscated) to every encrypted packet; this allows anyone with sufficient visibility into global Telegram traffic to spy on its users.

IStories reporting from last year.

Yesterday afternoon we went down to Copperfield's to see Mac Barnett in conversation with Jon Scieszka about Mac's new book Make Believe: On Telling Stories To Children. Two funny people talking very thoughtfully about relating to children. If you have the opportunity to hear 'em talk, do.

Love me a good takedown of.... investments of dubious quality, especially since I ran into the "EM thruster" stuff back when I was doing the transporation consulting: Ars Technica: Casimir force co-opted to generate free energy, midichlorians not included

This week, a company called Casimir Inc. emerged from “stealth mode” to announce that it had raised significant funding from venture capitalists willing to roll the dice on free energy. That’s right: a startup has gotten serious backing to develop sources of perpetual free energy. The people behind this fantastic new energy generator also brought us the wildly successful WTF thruster EM-drive that could supposedly directly convert electricity into a propulsive force.

The Register: Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’.

Essentially, "AI" discovered bugs/security holes are public, and should be treated as such, rather than being managed in privileged spaces without disclosure.

Linus Torvalds on the Linux Kernel Mailing List

Over the years I've read with horror the various things that state schools have done to native and indigenous children and families, but often assuaged that sense with the notion that this was all in the past, or in Canada, historical harms, and surely we were more civilized now...

NPR: Native kids with disabilities were held in wooden boxes. Sweeping reforms are coming

FORT COVINGTON, N.Y. — Rumors spread on social media over the winter: School kids with disabilities in the Salmon River Central School District, including Akwesasne Mohawk children, were being confined by special education teachers in wooden boxes. Sarah Konwahahawi Herne was devastated.

LLM hallucinations in the wild: Large- scale evidence from non-existent citations Zhenyue Zhao, Yihe Wang, Toby Stuart, Mathijs De Vaan, Paul Ginsparg, Yian Yin

Large language models (LLMs) are known to generate plausible but false information across a wide range of contexts, yet the real-world magnitude and consequences of this hallucination problem remain poorly understood. Here we leverage a uniquely verifiable object - scientific citations - to audit 111 million references across 2.5 million papers in arXiv, bioRxiv, SSRN, and PubMed Central. We find a sharp rise in non- existent references following widespread LLM adoption, with a conservative estimate of 146,932 hallucinated citations in 2025 alone. These errors are diffusely embedded across many papers but especially pronounced in fields with rapid AI uptake, in manuscripts with linguistic signatures of AI-assisted writing, and among small and early-career author teams. At the same time, hallucinated references disproportionately assign credit to already prominent and male scholars, suggesting that LLM-generated errors may reinforce existing inequities in scientific recognition. Preprint moderation and journal publication processes capture only a fraction of these errors, suggesting that the spread of hallucinated content has outpaced existing safeguards. Together, these findings demonstrate that LLM hallucinations are infiltrating knowledge production at scale, threatening both the reliability and equity of future scientific discovery as human and AI systems draw on the existing literature.

Which brings us to: Fuck yeah! Tech Crunch: Research repository ArXiv will ban authors for a year if they let AI do all the work.

404 Media: ArXiv to Ban Researchers for a Year if They Submit AI Slop

One of the amazing things about this is the number of people who are whining that it's unfair that they've actually read the work they're citing, or are creating other hypotheticals. This doofucs on the Fediverse is, for instance, willing to lay the blame on his co-authors in order to take the credit.

It gets worse if you head over to X/Twitter, which... I'm not gonna link to individually, you can find your own list off of Thomas G. Dietterich @tdietterich's announcement of the policy there, but honestly, people if these are the arguments y'all are making in good faith, academia is irretrievably broken.

Which I've long contented anyway, but... damn...