The Trust Paradox: When Your AI Gets Catfished
The fundamental challenge with MCP-enabled attacks isn’t technical sophistication. It’s that hackers have figured out how to catfish your AI. These attacks work because they exploit the same trust relationships that make your development team actually functional. When your designers expect Figma files from agencies they’ve worked with for years, when your DevOps folks trust… ⌘ Read more
@prologic@twtxt.net need to work on the CSS. For example, the tags are too big, the code blocks (and the inline ones) are too small, the single posts have no date (intended?), and so on. It’s an alpha start!
@alexonit@twtxt.alessandrocutolo.it Yeah I think we’re overstating the UNIX principles a bit here 🤣 I get what you’re trying to say though @zvava@twtxt.net If I could go back in time and do it all over again, I would have gotten the Hash length correct and I would have used SHA-256 instead. But someone way smarter than me designed the Twt Hash spec, we adopted it and well here we are today, it works™
@alexonit@twtxt.alessandrocutolo.it Yes well I’m pretty big on self-hosting. I’ve even tried to start a small business/company around it (but that’s another story for another day!) - Meanwhile I would encourage you to have a look at the work we’ve done in Salty.im
@alexonit@twtxt.alessandrocutolo.it Well we have to really use the same spec or threading doesn’t really work in a truly decentralized manner
Please don’t hate me today; I’m a bit grumpy and have too many reasons to be upset:
- 2 counts of pushing and trying to get the simplest things done at work (that for some reason are made more difficult than they should be)
- This whole Chat Control bullshit
- And some other person things going on that have been ongoing for 72 days and counting 🤬
And I need to make something absolutely clear as well here. Twtxt was completely and utterly dead back in [Aug 2020](https://yarn.social/about.html) when I came across the spec and its simplicity and realised the lost opportunity. Since then we’ve continued to grow a small but thriving community. The extensions we’ve built over time have stood and lasted the test of time for the past ~5 years. We need not break things too badly, because what we have today and was designed years ago actually works quite well™ (despite some flaws).
@bender@twtxt.net Well honestly, this is just it. My strong position on this is quite simple:
Do the simplest thing that could work.
It’s one of the age old UNIX philosophies.
Therefore, the simplest thing™ to do here is to just increase the hash length, mark a magic™ date/time as @lyse@lyse.isobeef.org has indicated and call it a day. We’ll then be fine for a few hundred years, at which point there’ll be no-one left alive to give a shit™ anyway 🤣
index.md a prehook and a few utilities:
@bender@twtxt.net Yes I did about a week or so ago. It took me a lot of effort to get the content even rendered in the first place. LOL I had to basically export my blog as HTML (can you believe that?!) - The Hugo export just didn’t work at all 🤣
@lyse@lyse.isobeef.org Hm, I couldn’t trick yt-dlp into downloading the correct format. Works in the browser, though.
How to get LSP semantic highlighting working for C++ ⌘ Read more
@bender@twtxt.net Thanks for asking!
So, I’ve been working on 2 main twtxt-related projects.
The first is a small Node / express application that serves up a twtxt file while allowing its owner to add twts to it (or edit it outright), and I’ve been testing it on my site since the night I made that post. It’s still very much an MVP, and I’ve been intermittently adding features, improving security, and streamlining the code, with an eye to release it after I get an MVP done of project #2 (the reader).
But that’s where I’ve been struggling. The idea seems simple enough - another Node / express app (this one with a Vite-powered front-end) that reads a public twtxt file, parses the “follow” list, grabs (and parses) those twtxt files, and then creates a river of twts out of the result. The pieces work fine in seclusion (and with dummy data), but I keep running into weird issues when reading real-live twtxt files, so some twts come through, while others get lost in the ether. I’ll figure it out eventually, but for now, I’ve been spending far more time than I anticipated just trying to get it to work end-to-end.
On top of it, the 2 projects wound up turning into 4 (so far), as I’ve been spinning out little libraries to use across both apps (like https://jsr.io/@itsericwoodward/fluent-dom-esm, and a forthcoming twtxt helper library).
In the end, I’m hoping to have project 1 (the editor) into beta by the end of October, and project 2 (the reader) into beta sometime after that, but we’ll see.
I hope this has satisfied your curiosity, but if you’d like to know more, please reach out!
I stopped especially for this photo during a relaxed after-work tour today. I don’t know if I’ve mentioned it before, but the nature here with the park, forest, and lakes is really beautiful and always lifts my mood! ⌘ Read more
Whooooaaaah, I just accidentally found out that VLC can play 360° videos and I am able to pan around! Crazy shit. I actually scrolled in order to adjust the volume like it usually works, but it zoomed in and out instead. Then I saw the title hinting at the 360° stuff. Even though this is not my cup of tea, it’s nice that VLC supports it.
Removing the empty cache file and it works again. No idea about the PATH glitch, though. Very strange.
@prologic@twtxt.net I know we won’t ever convince each other of the other’s favorite addressing scheme. :-D But I wanna address (haha) your concerns:
I don’t see any difference between the two schemes regarding link rot and migration. If the URL changes, both approaches are equally terrible as the feed URL is part of the hashed value and reference of some sort in the location-based scheme. It doesn’t matter.
The same is true for duplication and forks. Even today, the “canonical URL” has to be chosen to build the hash. That’s exactly the same with location-based addressing. Why would a mirror only duplicate stuff with location- but not content-based addressing? I really fail to see that. Also, who is using mirrors or relays anyway? I don’t know of any such software to be honest.
If there is a spam feed, I just unfollow it. Done. Not a concern for me at all. Not the slightest bit. And the byte verification is THE source of all broken threads when the conversation start is edited. Yes, this can be viewed as a feature, but how many times was it actually a feature and not more behaving as an anti-feature in terms of user experience?
I don’t get your argument. If the feed in question is offline, one can simply look in local caches and see if there is a message at that particular time, just like looking up a hash. Where’s the difference? Except that the lookup key is longer or compound or whatever depending on the cache format.
Even a new hashing algorithm requires work on clients etc. It’s not that you get some backwards-compatibility for free. It just cannot be backwards-compatible in my opinion, no matter which approach we take. That’s why I believe some magic time for the switch causes the least amount of trouble. You leave the old world untouched and working.
If these are general concerns, I’m completely with you. But I don’t think that they only apply to location-based addressing. That’s how I interpreted your message. I could be wrong. Happy to read your explanations. :-)
I bought an iPhone (as my third smartphone)
I never thought I would do this, but I bought an iPhone. It’s a pretty cheap iPhone SE 2. Gen (2020) used from eBay, like the device I got issued from my work. It’s so tiny and it’s really difficult to type even a short text like this. ⌘ Read more
Blackmagic turns the latest iPhone into a professional cinema camera
The Melbourne company worked with Apple to create a dock that allows pro camera connections on the iPhone 17 Pro. ⌘ Read more
Kaidan: Kaidan 0.13.0: Multi-Account Support and Secure Password Storage
Kaidan 0.13.0 is out now!
And it comes with a bunch of shiny new features.
Most of the work has been … ⌘ Read more
The worst thing you can do is make your infrastructure (switches, wifi, …) depend on some cloud service. Because someone else is maintaining that service; you have no control over it. You 100% depend on that other person now. Very stupid idea.
Now guess what manufacturers are pushing for …
Now guess who couldn’t complete a task at work this Saturday morning, because a certain cloud service was down …
IT is fucked. Throw it all away and start over.
Apologies if I’ve been spamming anyone out there in twtxt-land today.
I’ve been working on a couple of twtxt-related projects, and one of them is a reader (tentatively called twtstrm) written in JS. I used dummy data for the first few stages of development, but now I’m at the point where I need some real data, and that meant hitting up my actual following list.
Of course, it didn’t help that I had a typo in my If-Modified-Since headers, but all that has since been resolved.
Anyways, if I accidentally spammed you with requests today, I am sorry, and it shouldn’t happen anymore.
We thank you for your patience, and apologize for the inconvenience.
@bender@twtxt.net I wish 🤣 Nah work on-site thingy
Working on a project that does Augmented Reality and computer vision object detection and QR code and image recognition inside a Web application. Pretty neat what can be done today with a few thousand lines of JavaScript.
@zvava@twtxt.net There would be only one hash for a message. Some to be defined magic date selects which hash to use. If the message creation timestamp is before this epoch, hash it with v1, otherwise hammer it through v2. Eventually, support for v1 could be dropped as nobody interacts with the old stuff anymore. But I’d keep it around in my client, because why not.
If users choose a client which supports the extensions, they don’t have to mess around with v1 and v2 hashing, just like today.
As for the school of thought, personally, I’d prefer something else, too. I’m in camp location-based addressing, or whatever it is called. The more I think about it, a complete redesign of twtxt and its extensions would be necessary in my opinion. Retrofitting has its limits. Of course, this is much more work, though.
@zvava@twtxt.net Not much of a known fact these days, but there used to be a Yarn phone app (https://git.mills.io/yarnsocial/app), last version released 5 or so years ago, but it still suggests, it has to be somewhat feasible, to make another one. I don’t think anyone tried since, because the web version works well on phones, but I’m still hoping, we get a more native phone experience, one day.
@thecanine@twtxt.net it should work everywhere. It is a web application.
@movq@www.uninformativ.de Luckily, I had a grep -v git at the end, so my repo is still in working order. Phew. I wish find had grep-like --exclude-dir and --exclude options (or the include variants) instead of its own weird options that I never can remember and combine properly.
@zvava@twtxt.net It is just completely impossible to make v2 backwards-compatible with v1.
Well, breaking threads on edits is considered a feature by some people. I reckon the only approach to reasonably deal with that property is to carefully review messages before publishing them, thus delaying feed updates. Any typos etc., that have been discovered afterwards, are just left alone. That’s what I and some others do. I only risk editing if the feed has been published very few seconds earlier. More than 20 seconds and I just ignore it. Works alright for the most part.
@bender@twtxt.net ohhh oops! i will work harder then 🫡🫡
@zvava@twtxt.net I never used any of the social media platforms, that’s why I’m probably ignorant.
I don’t understand the concept of a retwt. Just quote the (relevant) parts from wherever and comment on that. Or post a link instead of a quote. Sounds simple enough. :-) That also has the benefit that it works with every source, no matter what. Since it’s called retwt, I’d imagine this to only work (well) with whatever messages the system itself offers. But I could be wrong. What would be the benefit of having a dedicated message type or structure for “hey, look at that” messages in your opinion?
Hmm, what’s a content warning?
Erlang Solutions: ElixirConf US 2025: Highlights from My First ElixirConf
Joining conferences is one of the best perks of working as a Developer at Erlang Solutions. Despite having attended multiple Code BEAM conferences in Europe, ElixirConf US 2025 was my first. The conference had 3 tracks, filled with talks from 45+ speakers and 400+ attendees, both in-person and virtual.
ElixirConf is one of the great occasions to connect with other Elixir ent … ⌘ Read more
@zvava@twtxt.net I reckon there’s currently nobody working on v2. Which timezone are you in? Just post your questions here or head over to #yarn.social at libera.chat for a more realtime conversation via IRC.
How about no longer using in-browser Git repo viewers? Make the AI bots do the work and actually clone the repo.
Pandemic distance did not stop father and son starting wine label
When pandemic border closures separated a father and son, they launched a wine label together. Now they are back in the same state and working closely together. ⌘ Read more
@kat@yarn.girlonthemoon.xyz like it’s the shame that kills me the most but i just gotta get through it if i want a working server (and i really do!!!)
** A week notes to round out the summer **
I haven’t posted anything remotely resembling week notes since the middle of June! Since then many things have happened including, but not limited to: a trip to Minnesota to visit Isaac, a couple trips to New Hampshire for work, a family trip to Mount Desert Island to revisit our old stomping grounds, a whole heap of bicycle riding, I finished a couple great books, played some games, made some games, and wrote what is probably an unhealthy a … ⌘ Read more
@bender@twtxt.net thank youuuu bender i missed your fun posts!!!! yeah i have been INSANELY BUSY with fujocoded work (see those newsletter posts!) it’s been tough but i’ve been making my way through it 🫡🫡🫡
How Generative AI Video Works - Computerphile ⌘ Read more
The XMPP Standards Foundation: The XMPP Newsletter August 2025
Welcome to the XMPP Newsletter, great to have you here again!
This issue covers the month of August 2025.
Like this newsletter, many projects and their efforts in the XMPP community are a result of people’s voluntary work. If you are happy with the services and software you may be using, please consider saying thanks or help these proj … ⌘ Read more
@movq@www.uninformativ.de that works! Reading! :-)
Mathieu Pasquet: slixmpp v1.11
This new version includes a few new XEP plugins as well as fixes, notably
for some leftover issues in our rust JID code, as well as one for a bug that
caused issues in Home Assistant.
Thanks to everyone who contributed with code, issues, suggestions, and reviews!
CI and build
Nicoco put in a lot of work in order to get all possible wheels built in CI. We now have manylinux and musl builds of everything doable within codeberg,
published to the codeberg pypi repo, and published on pypi. … ⌘ Read more
I finally have my new (top-secret) twtxt client in a working state. Next comes the deployment, which I hope to finish tonight. Release date: TBD. Stay tuned!
“But all your stuff is MIT licensed! They are allowed to do that!”
Haha. As if they would care. They crawl everything they get their hands on.
Besides, that’s not true, the license states that the copyright notice must be retained. “AI” breaks that. They incorporate my code and my articles in their product and make it appear as if it was their work.
@thecanine@twtxt.net We don’t use Microsoft at work - but similar products of other big companies. They’re all doing the same. The core product gets worse and worse, because they focus so much on vomiting “AI” over everything.
It will die down eventually. I hope.
We use all the Microsoft programs at work - Teams and Outlook especially.
After all kinds of technical problems with Teams, that sometimes go unresolved for over a year, Microsoft shifted their priorities away from fixing things and towards adding an annoying AI Copilot button, that just takes up space and all it does, is loads the website in Teams, so I disabled it. Soon they just add it back, but in a different row of icons, therefore it’s now a different button, you have to disable (I think they added yet another one, to the Teams, on my work phone and I had to disable that too). Not too long after, the desktop one just enabled itself, because of “an error” and I can disable it, but doing so activates a popup, that begs you to turn it back on, every once in a while. You can’t disable the popup and can only click “Yes” or “Not now” on it. I still keep it disabled, out of principle, but yesterday I noticed yet another Copilot button, this time in the top right corner of my Outlook and this one cannot be disabled, on the business version of Outlook and even on the personal one, it’s only possible to do it through hidden privacy settings, by prohibiting the program from connecting to Microsoft servers, for extra “features”.
There’s people complaining about it online, so it’s clear nobody really wants it, but at this point Microsoft’s position is that you will have at least one useless AI button on your screen, at any given time, and you will be happy. And yes, their AI sucks and if I absolutely have to use AI for something, there’s already 2 better options, we have access to, at work.
https://smolweb.org/validator/ I have some work to do :P
** To the surprise of literally no one, I’m working on implementing a programming language all my own **
Inspired by conversation at a recent Future of Coding event, I decided I’d write up a little something about the programming language I’ve been working on (for what feels like forever) before I’ve gotten it to a totally shareable state. I have a working interpreter that I’m pretty pleased with, but I don’t yet have an interact … ⌘ Read more
@movq@www.uninformativ.de @prologic@twtxt.net this is extremely concerning and I hope there is enough push back to stop this! The ability to modify apps, is one of the two biggest reasons, I’m still using Android. If they remove that option, I’ll be forced to switch to one of the de-Googled forks.
That might not be a good solution either, because I need banking and identity verification apps on my main device and already had to get a second device for work, which has tighter sideloading restrictions and I would very much not like to be forced into using three Android phones simultaneously, to do what should be possible, with just one.
@prologic@twtxt.net It’s quite similar to how escape sequences work in a terminal. ASCII text is printed as ASCII text and then an escape sequence can make it bold or underline and so on. Other escape sequences allow you to say “the following $n bytes are part of a bitmap image”, and then this gets printed at whatever the current position is (somewhat similar to SIXEL in a terminal).
It’s just that the units are a bit weird, because this is all done in bloody inch.
This is why I love tech from that era.
Write bytes to a parallel port and stuff happens. If it’s just ASCII bytes, then it will print ASCII text. Even the simplest programs can use a printer this way.
With a little bit of ESC/P, you can print images and other fancy stuff. That’s what I did this morning - never worked with ESC/P before, now I can print images. It’s not that hard.
Hayes-compatible modems are similar: Write some AT commands to the serial port and the modem does things. This isn’t even arcane knowledge, it’s explained in the printed manual.
Maybe I’m wearing rose-tinted glasses here, but I think with all this old stuff, you get useful results very quickly and the manuals are usually actually helpful. It’s so much easier to get started and to use this hardware to the full extent. Much less complexity than what we have today, not a ton of libraries and dependencies and SDKs and cloud services and what not.

