Dan Q

Kind: Reposts

Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Hackers say that they used Meta’s AI support chatbot to break into a host of high-profile Instagram profiles by asking the support bot to change the email address associated with the target account. The claims coincide with a series of high-profile Instagram account takeovers, including the Barack Obama White House account, the Chief Master Sergeant of Space Force’s account, and Sephora’s account.

Well this is unsurprising and unshocking. Turns out that if you give your chatbot help interface unrestricted access to your backend systems – rather than, say, the access level of the human talking to it – then obviously hackers are going to try to jailbreak it in ways that you can’t possibly predict or guardrails against and, if/when they succeed, they’ll break into all the systems to which you’ve given the system access.

This shouldn’t even have to be said. Meta’s mistake here is so self-evident that they should be embarrassed.

Repost posted at UTC on .

No comments

Disabling AI in WordPress 7.0

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Because I have access to wp-config.php, I added the following to my file: 

define( 'WP_AI_SUPPORT', false );

A useful tip.

Personally, I’ve got what feels like an even-better approach (for me, at least) I switched to ClassicPress a year and a bit ago, and haven’t looked back! It’s a stripped-down fork of WordPress with no Gutenberg, lighter JavaScript, and a handful of other features… plus ClassicPress is already AI-free and staying that way.

This isn’t to say that you can’t use AI with ClassicPress. Just that you’re not having to install the feature if you’re never going to use it. With WordPress’s good plugin architecture it seems strange to me that such divisive features would become part of the core product, but that just seems to be the direction that the project’s been going in for a while now.

Repost posted at UTC on .

1 comment

Bringing Three Rings volunteers together: doing remote-first in person, and what to eat in a crisis

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Three Rings CIC is, and always has been, a fully-remote organisation. We were doing remote working almost two decades before the Pandemic made it cool (and well before tools like Slack and Zoom were a thing: we cut our remote-first teeth using IRC as our collaboration tool!), but, there are still sometimes occasions when it’s good to have as many people as possible physically in a room.

When, last year, the Nightline Association announced it was closing down, it put one of their key services, Nightline Portal, which helps Nightlines to take and handle calls these days, in serious risk: someone had to host and maintain it, and that had always been the Association. At the point the announcement was made, in February, the Portal team had about four months to find it a new home.

It took me some degree of back-and-forth with the Nightline Association on one side, and it required some careful governance and planning at our end (as well as a few shifts in short-term priorities!), but – helped by the fact we all wanted the best possible outcome for Nightlines – we got an agreement in place, a budget plan agreed, and were able to ensure Portal would keep going, for free faster than I think anyone had expected.

That mattered to Nightlines, because to them, it’s critical infrastructure. And it mattered to us, because Nightlines were where Three Rings began, back in 2002. Today, we support everything from major national charities to tiny community shops, but Nightlines remain close to our heart. Almost all our team – across a wide range of “x decades ago”! – started as Nightline volunteers; we’ve nearly all spent the night awake, quietly waiting out the small hours, in case one of our fellow students needs someone to talk to in a crisis and offering a listening ear when they called. We weren’t going to let that community lose something it relied on.

But adopting Portal meant a lot of work, against the clock. Data validation, new agreements, rebudgeting, and, once that was all done, a full migration to shift Portal from the Nightline Association’s server infrastructure to ours. So to get that done, we organised an in-person meetup, “Portal Camp,” in a reasonably central hotel. Volunteers gave up their weekend, left their homes on Friday evening for two more days of work, and we brought everyone together. We spent Saturday morning planning, carrying out test migrations, preparing comms, and agreed yes – we can go.

About a year ago I helped look after the technical side of the “lifeboating” of Portal into Three Rings, right through the point that everything went wrong and my developers almost missed dinner (and, indeed, had to eat at their laptops!). I mentioned at the time my awe and pride of them, but JTA’s post goes deeper and further and hints at the (much bigger) structural and procedural changes that were needed to adopt Portal.

A great thing about volunteering with Three Rings is that we get to ask, on any given day “how can we do the most good?” Not “will this give value to shareholders?” Not “what’s the marketing strategy for this?” Not “can this deliver return on investment?” Those are questions for a very different kind of organisation to us. We get to ask, each and every day, “how can we do the most good?”

That question is why, for me, adopting Portal into the Three Rings family, last year, was a no-brainer. Dozens of voluntary organisations depended upon it, and we had the skills and volunteers and technical infrastructure to stop it from dying.

Anyway: JTA’s post on LinkedIn is better, and more-interesting, and somehow also funnier than mine, so go read that. And if you want to talk volunteering with me, I’d love to chat!

Repost posted at UTC on .

No comments

Is AI Profitable Yet?

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Screenshot of a table and graph that shows all AI companies spending significantly more money than they make... except for NVidia, who're making bank.

No surprises here, but it’s interesting/staggering to see quite how large the disparity between spending and profit is for some of these companies.

I enjoy the fact that there’s a real-time ticker on the site so you can watch Amazon (for example) burn five thousand dollars a second.

When I tell people that generative AI, as it’s currently used, is unsustainable, this is what I’m talking about. Unless there’s a quantum leap in AI efficiency (for which I’ve seen no evidence of the feasibility) or a dramatic increase in the charged cost of LLM services (on the order of a tenfold increase assuming the increased cost does not drive any customers away; more if it does), this whole thing looks like a house of cards.

Repost posted at UTC on .

No comments

Bloomscrolling & Agentic Intelligence

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

A lot of the AI bubble – and that’s what it is, for all there are useful things inside there – is based on “Invest now, because when it works it’ll be fantastic!” rhetoric that’s like investing in a mainframe company in the late 60s on the basis that smartphones will take over the world. We’re moving a lot faster than mainframes went to PCs, but it’s important to invest in the things you can do with the system that work *now*.

There isn’t a good consumer use for AI right now. ChatGPT is a terrible source of information, confidently wrong in a way that sounds human enough to cause delusion and psychosis.

Things that AI/LLM tech is good for right now – pattern matching, repetitive tasks, logic flow – have some great business cases (It’s made some amazing breakthroughs in satellite and medical imagery, it’s got a bright future in automated transcription), and I think there’s a good case for it in content moderation (Yeah, it’s not great at it, but given the sick shit content mods on Facebook have had to deal with has given them cPTSD, I strongly believe it should be a machine job). It’s use for writing, music, translation, or art is still at the very least questionable and at the most utterly immoral.

Well-said, Aquarion!

The current generation of Generative AI isn’t useless. But its uses are quite specific and it certainly does more-harm-than-good that it’s promoted as an “everything” solution to every problem. I’ve used some form of agentic coding for several years, mostly of the “spicy autocomplete” variety1, and I mostly agree with Aquarion’s observations.

The whole post is an enjoyable tale.

Footnotes

1 My experiments with “vibe coding” have shown me that AI working alone can produce usually-functional code to specification, but that code is often of low quality and rarely maintainable, even by the AI.

Repost posted at UTC on .

No comments

CSS or BS

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

CSS or BS game in progress. The player is asked to declare whether 'view-timeline-name' is a real CSS property or made-up.

Well this is a fun (and frustrating!) game. You’ll be presented with 20 (alleged) CSS properties, but some of them… are convincing-looking fakes! You’ve got 10 seconds to identify whether each is real or not. Every few you get right increases the difficulty level, but also the score potential. How high can you score?

Me? Oh, I kept getting up into the “forbidden” level and then my brain would melt and I’d crash out. Quite proud of my last run, though:

Final score: 61/80. Reached: Forbidden. "If CSS knowledge were currency, you'd be comfortably middle-class."

×

Repost posted at UTC on .

No comments

The first glimmer

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Glimmers are the opposite of triggers.

They are small, almost imperceptible cues that tell the nervous system: you are safe. You are connected. You are still here. Where a trigger tightens the chest and narrows the world, a glimmer softens the edges. It steadies the breath. It lets a thin ribbon of light slip in.

They are rarely grand in scale. Most often, they are sensory. Fleeting. Easy to miss.

… 

This is beautiful.

I’m reminded of the way Ruth reframed imposter syndrome as wonder syndrome a few years ago, which I wrote about at the time. A “glimmer” is not only a valuable and useful word that I’d not come across before (I love it when that happens, like with entle), but it also reframes the world in a more-positive light.

I’m going to to start looking for and naming glimmers in my life as part of my general practice of gratitude. Cultivating a conscious awareness of our glimmers is probably harder than finding an awareness of our triggers – and even that’s not always easy to narrow down specifically! – but it seems like such a worthwhile exercise.

The One and I is a delightful and long-running personal blog, by the way, if you’re looking for somebody new to follow. It feels calming and personal and sweet and there’s a healthy corpus of pictures of pets.

Repost posted at UTC on .

No comments

Coding Is When We’re Least Productive

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

I potentially saved my client a bunch of money and embarrassment with that 3-line change.

Now, I consider that a productive day.

But had I been measured on my contribution by lines of code, or commits, or features finished, it would have been seen as a very unproductive day by my manager.

A great anecdote and some wise words from Jason Gorman on the nature of productivity and code.

This matches my feeling on AI. It’s good at making lots of code. Sometimes it even writes the right code. But something it rarely demonstrates skill at is comprehending the bigger issue. I’m sure we’re already seeing developers who “game” their employers’ productivity metrics, to the detriment of the end users, by having AI make “more” code without having to engage their brain and actually understand the problem.

(And, of course, there are employers who, whether intentionally or not, promote this kind of behaviour through their policies and success metrics.)

Repost posted at UTC on .

1 comment

Thames Path 7

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

New friends – obscure sights – the group divides – clear and present danger – an accident of geography – interest in bridges

2026 has not been an easy one so far. Work challenges, family challenges and my frickin’ house flooding have combined to make everything a bit overwhelming and hard to cope with.

So when we got a sunny Sunday, on a weekend in late April when (thanks to having found a long-term rental) we didn’t have to move between short-term lets, I cajoled Dan into once again acting as my support driver so I could walk some more of the Thames Path.

Dan and the smaller child joined me for the first couple of miles from Abingdon, which was nice.

My partner Ruth’s mission to walk the entire length of the Thames Path1 continued recently, and I still love “going on on” her journey – even the parts I wasn’t present for – through her blog posts.

If you too might enjoy blog-spectating this slowest-possible-walk along the length of the River Thames, you can catch-up on the backlog and subscribe for the next one, whenever that happens!

Footnotes

1 She’s doing the walk in many, tiny, and disparate instalments. By her own estimates she’s achieving about 50 metres per day, when averaged over her entire effort. This makes her only marginally faster than the 40 metres per day of the faster parts of the Greenland Ice Sheet, which I guess means that her progress is literally glacial in its speed.

×

Repost posted at UTC on .

No comments

Spoon bucket

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

I got a spoon bucket for my birthday! 🥄

2 gallon white plastic bucket, labeled: - Flatware Circus - Spoon Bucket - Discover the wonder of spoons with this randomized collection contained within a convenient bucket - 30 miscellaneous spoons inside one bucket

Wait, this is a real thing?

OMG it is.

New life goal unlocked!

Evaluation: wild success, a very pleasing range of spoons (and two tiny forks)

11 small piles of stainless steel flatware sorted by type, with 1-7 items per pile. 10 types are spoons, 1 is tiny forks.

The same guy behind these also does buckets of forks. And vlogs about silverware in general.

Everything about that is excellent.

Oh, and happy birthday Jamie, I guess!

× ×

Repost posted at UTC on .

No comments

ElenaJS (Progressive Web Components)

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

I still think web components are a great foundation for a design system. No other approach gives you true cross-framework portability built on what the web platform already provides. The problem isn’t necessarily the model itself, it’s how we’ve been building them.

This is how I ended up creating Elena, a library that I’m open sourcing today. Elena starts from HTML and CSS, and stays grounded in web standards and what the web platform natively provides.

love the “HTML Web Components”/”Progressive Web Components”1 development pattern. The idea is, if you’re new to it:

  1. Write the HTML to provide as much functionality as possible
  2. Wrap it in a custom element
  3. Use that custom element to enhance the component with anything only JS can provide

The downside is that there’s often more scaffolding than you’d like: implementing event and property change listeners (and tidying them on disconnection), batching updates to avoid flicker, and all that jazz.

Now obviously you could go with one of the big heavyweight frameworks like React, but then you’re leaning into a whole locked-in architecture that makes it harder to write progressive components and burdens your users with a ton of unnecessary code. Boo!

That’s why I love it when clever people make useful, HTML-friendly, ultra-lightweight frameworks2 like ReefJS, which I’ve talked about using before, and – now – Elena!

Elena’s a modern, simple, MIT-licensed wrapper framework for your web components, and – having perused the documentation on-and-off for the last couple of days – it’s really exciting. Perhaps not because of what it does, but because of what it doesn’t do. It’s unopinionated, well-documented, SSR-friendly3 microframework that seems to bring the absolute best in what the Web offers via web components… and makes it easier for developers without making end-users pay the price for it.

Anyway: all of which is to say: check out Elena! I’m really excited to have a play with it the next time I have a suitable web components project.

Footnotes

1 I’m with Jeremy: “Progressive Web Components” is a better name. Also: it’s it funny how changing just one word of a name can make you re-think what a thing is. The moment I refactored the way I thought about HTML Web Components into calling them Progressive Web Components was the moment I said to myself “hey, I could put an SVG into one of those… use state-managed props to set CSS variables that are available to the image… and in doing so, produce an SVG that elegantly becomes animated where JS is available…”

2 I same “frameworks”: by the time they’re this lightweight, single-purpose, and focussed on adding functionality that perhaps vanilla JS and web components should already have we might as well call them utility libraries or polyfills!

3 SSR perhaps ought not to matter for Progressive Web Components, but I can imagine situations where Elena would still be useful even for web components without a HTML fallback, at which point I suppose SSR could be a performance shortcut for some projects.

Repost posted at UTC on .

No comments

NHS England rushes to hide software over AI hacking fears

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

NHS England has issued new guidance to staff, which has been shared with New Scientist, that demands existing and future software be pulled from public view and kept behind closed doors. “All source code repositories must be private by default. Repositories must not be public unless there is an explicit and exceptional need, and public access has been formally approved,” says the new guidance. The deadline for making code private is 11 May.

Last month, an AI created by Anthropic called Mythos was widely reported to be capable of discovering flaws in virtually any software, potentially allowing hackers to break into systems running it.

NHS England’s guidance specifically points to Mythos as the cause for the new measures.

Yet again, “AI” is the reason why we can’t have nice things on an open and transparent Web.

This is bad, of course. But the worst part is the illusion it helps feed that closed-source software is necessarily more-secure than open-source software. Obviously it’s all much more-complex than that. Indeed, the article goes on to quote Terence Eden thoroughly debunking the entire line of thought:

“Is it possible that Mythos will scan a repository and find a bug? Yes, 100 per cent likely. Is that going to be a bug that causes a security issue in a live NHS service somewhere? Almost certainly not,” says Eden. “I think it’s someone in NHS England buying into the hype that Mythos is going to cause the end of security as we know it and getting a bit panicked.”

He’s right. This policy change is unlikely to improve the security of any of the affected pieces of NHS software (for much of which, the code is already out-there and archived, and so removing it from the Internet now is pretty pointless). If it’s going to be attacked, it’ll be attacked, and the resources that the bad guys have for probing a whole database worth of CVEs or fuzz-testing the extremities makes the availability of vulnerability-scanning AI pretty-close to irrelevant.

At least if it were open source then the good guys would have a chance of helping out… as well as we, the taxpayers who made the software possible, being able to see where our money was going!

Altogether a bad move by the NHS, here.

Repost posted at UTC on .

No comments

rejecting convenience

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

why bother going to the brick-and-mortar store? amazon is more “convenient”. why bother cooking a nice meal for yourself? doordash and uber eats are more “convenient”. why go out and socialize with people? facebook is more “convenient”. why use a digital camera, camcorder, or polaroid? your smartphone is more “convenient”. why bother going to the theater or concerts? netflix and spotify are more “convenient”. why bother making art? asking an AI to generate it for you is more “convenient”.

well, i say nuts to that. from now on, i’m going to make my life as inconvenient as possible. i’m going to go to the store and buy stuff in person. i’m going to make my own food with my own hands. i’m going to socialize with people face-to-face. i’m going to use a true camera instead of my phone’s camera. i’m going to buy blu-rays, DVDs, and CDs instead of streaming. i’m going to take my time when creating, watching, playing, and reading a work of art.

I’m seeing an growing movement in indieweb, revivalist, and adjacent circles that express RNotté’s sentiment: that the endless (and highly-marketable) quest for increased convenience in our lives has gained us free time, but we’ve lost something along the way.

What we’ve lost varies from case to case, but includes freedom (from lock-in to subscription services), creative satisfaction (from convenient “artistic” expression), privacy (from becoming the product, packaged-up by big-data advertising-funded tools), and social interactions (from so much of “social” media).

But reading RNotté share their thoughts on the matter today was the first time that it’s reminded me of The Matrix.

Framegrab from The Matrix. In the foreground is the silhouette of Morpheus, who is about to be interrogated by Agent Smith, a man in a suit at the windowed far end of an office.
The connection was probably helped by the fact that I rewatched the film pretty recently.

There’s a bit where Agent Smith says, to his captive the rebel captain Morpheus:

Did you know that the first Matrix was designed to be a perfect human world? Where none suffered, where everyone would be happy. It was a disaster. No one would accept the program. Entire crops were lost. Some believed we lacked the programming language to describe your perfect world.

Smith goes on to elucidate that his personal explanation for this fault was that humans depend upon suffering and misery, while acknowledging that there are other explanations. And perhaps we’ve touched upon one.

Perhaps humans – all humans – have a limit for how much they’re willing to accept convenience as compensation. Connected humans in The Matrix grain a convenient life, superficially superior to the struggle for survival experienced by humans living in the real world, short on food and hunted by machines. But to get that, they trade away their individual ability to become aware of the truth and, collectively, the ability for humanity for shape its own destiny. But there’s something about the imbalance of power in the arrangement niggles in human minds, and some rebel against the established order… and are joined by others who are shown that an alternative is available.

Clearly – as RNotté and others show – faceless technological forces need not go quite so far as enslaving an entire species before “convenience” no longer becomes a tolerable mitigation!

I’m not convinced that seeking out inconvenience is in itself a good. But questioning what your conveniences are worth and what you’re paying for them… that’s definitely worthwhile.

×

Repost posted at UTC on .

No comments

Molly guard in reverse

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Old-school computing has a term “molly guard”: it’s the little plastic safety cover you have to move out of the way before you press some button of significance.

Anecdotally, this is named after Molly, an engineer’s daughter who was invited to a datacenter and promptly pressed a big red button, as one would.

Then she did it again later the same day.

This article from UX expert Marcin Wichary is intended to be a vehicle to talk about the thoughtful design that goes into “reverse molly guards”: pieces of user interface that will proceed by themselves if you do nothing, but can be stopped by user interaction. He provides the example of MacOS’s “Are you sure you want to restart your computer?” dialog, which includes a countdown to automatically going ahead with the restart in 60 seconds unless told not to.

From my perspective, though: this was the first time I’ve ever come across  the term “molly guard”, and I love it (especially with its accompanying anecdote). I’ve seen them all over the place, though. In fact, I’d love to share with you a particularly-aggressive molly guard I implemented into Three Rings a couple of years ago:

A problem we occasionally faced in Three Rings was administrators – especially new administrators, gaining lots of powers for the first time – managing to delete entire rotas, without realising that this would delete all of the shifts (and the signups) within those rotas too. This is a hard operation to un-do, so we added a basic molly guard: an “are you sure?” interstitial page that explained exactly how much damage would be done.

But it didn’t work well enough! We watched users who would see a blocker and rush straight to the big, red, delete button on the other side of all the warnings. I guess that the dark patterns that are now everywhere in software have trained users to click-through every wall that gets in their way as fast as possible and with the minimum interaction. But now that “training” was working against the safety of charity data!

So we came up with something stronger:

Screenshot of a pre-deletion warning page that says on the first line how many shifts will be deleted and then asks on the last line for the user to repeat that number back.

Now, the interstitial page not only says what the scale of the damage is… it asks the user to repeat it back to them. Looking at that screenshot, you’ll see that the first line says that 2,056 will be deleted… and then the last line contains a text box to type that number back in again (this page only appears if it looks like a lot of “real” data will be deleted; otherwise we use the old page so as not to scare off people who are throwing together temporary test rotas).

If you read the page, it’s easy to answer the question. But if you just rush to the red button… you’re stuck. You’ll be given a user interface nudge to tell you to fill the box, but until you first line of the page, you won’t be able to answer it.

This molly guard works: since it was implemented, we’ve never had an instance of an accidentally-deleted rota that required us to pull data from the backups on behalf of a charity.

But it’s possible we’ve swung too far the other way and caused some collateral damage to usability: we’ve twice had technical support queries from users who couldn’t work out what they had to type into the box!

This is an acceptable outcome, we decided: it gives us the chance to check that they really mean what they were asking to do (of the two queries: one user did, the other meant to do something else) and point them in the direction the number they need. It works!

Anyway, the key thing I wanted to share was that great article by Marcin Wichary with some great photos of various hardware and software molly guards (and reverse molly guards) for your amusement.

×

Repost posted at UTC on .

No comments

The Dungeon of Dark Patterns

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

The Dungeon of Dark Patterns A comic in four panels Panel 1. The adventurer and his fairy are in front of the door of a nightmarish dungeon, it's dark, foggy, and the inside the door we can't see anything except a deep red light. > Dungeon: "Welcome adventurers, to the Dungeon of Dark Patterns!" Panel 2. In one room of the dungeon, a giant beautiful and inviting door with a red carpet, and on the side, in the shadow a too little door. Writing on big door: Go to the trap, on small door: Go to the treasure. The adventurer crouch and do a little sign to the fairy to follow him to the little door. > Dungeon: "Ha ha, you're good!" Panel 3. The aventurer is now putting some effort climbing on an old rope in the middle of a room with a beautiful luxuous stairway with a red carpet on the side. A sign tells "GO TO THE TREASURE but pass by the trap" in direction of the beautiful stairs; and "(other options)" in small and in the shadow in direction of the rope. > Dungeon: "Impressive!" Panel 4. Top down view on the adventurers shrugging in front of the fairy, they reached a dead end. A short path on the right has on the ground the word "Now", and a longer path "Later". Both lead to a giant pool of green acid where bones and skulls are floating. > Dungeon: "So, when do you want to jump to the trap?"

Well this is just excellent.

I’d not come across David Revoy before today, but he’s apparently being doing art and comics since 2014. The Mini Fantasy Theatre series started a couple of years ago, but is totally getting added to my RSS reader. Almost everything’s bilingual English/French too, if that’s something that interests you.

Navigating around the dark patterns of modern UX certainly feels like a dungeon delve, sometimes. Now we just need the episode in which the adventurer has difficulty unsubscribing from requests from their patron…

×

Repost posted at UTC on .

No comments