Notes

The “Lethal Trifecta”

The great works of Victorian England were erected by engineers who could not be sure of the properties of the materials they were using. In particular, whether by incompetence or malfeasance, the iron of the period was often not up to snuff. As a consequence, engineers erred on the side of caution, overbuilding to incorporate redundancy into their creations. The result was a series of centuries-spanning masterpieces.

AI-security providers do not think like this. Conventional coding is a deterministic practice. Security vulnerabilities are seen as errors to be fixed, and when fixed, they go away. AI engineers, inculcated in this way of thinking from their schooldays, therefore often act as if problems can be solved just with more training data and more astute system prompts.

More risks from vibe coding. If you're going to use AI in production environments, you better be able to understand and work with the code it spits out.


"Best practice" is Just Your Opinion

When we use the term "best practice", it sounds like what we're saying is, "what you've done is fine, but here's another way you could have done it." When in fact, what we're really saying is, "I want you to fix this accessibility issue, but I can't technically fail you on it, because it's outside the scope of this particular standard."


I Made a Floppy Disk from Scratch

This was just so cool.


It’s time for modern CSS to kill the SPA

While we were busy reinventing navigation in JavaScript, the platform quietly solved the problem.

Modern browsers – specifically Chromium-based ones like Chrome and Edge – now support native, declarative page transitions. With the View Transitions API, you can animate between two documents – including full page navigations – without needing a single line of JavaScript.

Yes, really.

Let the browsers do as much of the work as possible.


Is It Still ‘Trump Derangement Syndrome’ If All The Predictions Were Accurate?

Every single person who said we were being hysterical about Trump being an existential threat should be forced to explain how the President seizing control of the capital’s police force and deploying military units to forcibly relocate citizens represents normal democratic governance.

They called us hysterical when we said he’d use the military against civilians. He’s literally doing it right now. They called us alarmist when we said he’d seize control of law enforcement. He just placed D.C. police under the direct command of his Attorney General.

They called us deranged when we said he’d create fake emergencies to justify authoritarian power grabs. He’s invoking emergency powers while violent crime is at a 30-year low.

They said the institutions would hold. The institutions are being commandeered in real time.

They said the generals would refuse illegal orders. The National Guard is already deployed.

They said we were exaggerating the fascist threat. He’s literally declaring “Liberation Day” while seizing control of the capital.

Remember who told you this was hysteria.


What We Lost with PHP and jQuery

There was a time when building a website felt straightforward. You'd write some HTML, add PHP for dynamic content, sprinkle in jQuery for interactions, upload it to your server, and you were done. No package managers, no build processes, no debates about hydration strategies.

My first big personal project was built using both PHP and jQuery. I miss those days. It was easy: write some PHP and JavaScript, copy the files, and refresh the page.


Sit On Your Ass Web Development

In short: spend less time glueing together tools and frameworks on top of the browser, and more time bridging tools and APIs inside of the browser. Then get out of your own way and go sit on your ass. You might find yourself more productive than ever!


This Website is for Humans

Well, I want you to visit my website. I want you to read an article from a search result, and then discover the other things I’ve written, the other people I link to, and explore the weird themes I’ve got. I want some of you to read my article then ask me to speak at your conferences. Many folks rely on ad impressions to support the high-quality content they’re putting out for free.

I write the content on this website for people, not robots. I’m sharing my opinions and experiences so that you might identify with them and learn from them. I’m writing about things I care about because I like sharing and I like teaching. I spend hours writing these posts and AI spends seconds summarising them.


Why Semantic HTML Still Matters

HTML isn’t just how we place elements on a page. It’s a language – with a vocabulary that expresses meaning.

Tags like <article>, <nav> and <section> aren't decorative. They express intent. They signal hierarchy. They tell machines what your content is, and how it relates to everything else.

I know I could be better about this, and I try to use the right tags to help with accessibility.

If everything is a <div> or a <span>, then nothing is meaningful.

This is why I'm not always a fan of frameworks.


Didn’t Take Long To Reveal The UK’s Online Safety Act Is Exactly The Privacy-Crushing Failure Everyone Warned About

Let’s start with the most obvious sign that this law is working exactly as poorly as critics warned: VPN usage in the UK has absolutely exploded. Proton VPN reported an 1,800% spike in UK sign-ups. Five of the top ten free apps on Apple’s App Store in the UK are VPNs. When your “child safety” law’s primary achievement is teaching kids how to use VPNs to circumvent it, maybe you’ve missed the mark just a tad.

Politicians missing the mark when it comes to the internet and technology? You don't say.

A law supposedly designed to protect children now requires victims of sexual assault to submit government IDs to access support communities. People struggling with addiction must undergo facial recognition scans to find help quitting drinking or smoking. The UK government has somehow concluded that access to basic health information and peer support networks poses such a grave threat to minors that it justifies creating a comprehensive surveillance infrastructure around it.

Again, these lawmakers ignore the pretty obvious negative side effects laws like this cause.

The age verification process itself is a privacy nightmare wrapped in security theater. Users are being asked to upload selfies that get run through facial recognition algorithms, or hand over copies of their government-issued IDs to third-party companies. The facial recognition systems are so poorly implemented that people are easily fooling them with screenshots from video games—literally using images from the video game Death Stranding. This isn’t just embarrassing, it reveals the fundamental security flaw at the heart of the entire system. If these verification methods can’t distinguish between a real person and a video game character, what confidence should we have in their ability to protect the sensitive biometric data they’re collecting?

Remember how bad the Equifax breach was?

Let’s be crystal clear about what this law actually accomplishes: It makes it harder for adults to access perfectly legal (and often helpful) information and services. It forces people to create detailed trails of their online activity linked to their real identities. It drives users toward less secure platforms and services. It destroys small online communities that can’t afford compliance costs. And it teaches an entire generation that bypassing government surveillance is a basic life skill.


Automated application systems add insult to injury in a tough job market

Narayanan suggested if the systems are no better than random number generators, perhaps we should explicitly use random number generators: choose candidates by lottery after they fulfill some minimum requirements.

I almost wonder if this would produce better results sometimes.


The Nuclear Club Might Soon Double

We have some muscle memory for how to manage nuclear rivalries among a few great powers, Sullivan told me. But a strategic landscape of 15 or 20 nuclear powers could be risky in ways that we cannot anticipate. The odds of a nuclear exchange occurring would rise. The most potent current warheads are more than 80 times as destructive as the bomb that leveled Hiroshima’s urban core, and they now fly on missiles that can reach their targets in mere minutes. It would take only one of them to all but erase Tokyo, Seoul, Beijing, or New York City. The total damage that even a limited exchange of these more powerful weapons would cause is mercifully unknown to us, but it may be vain to hope for a limited exchange. The most elaborate and significant war game in the literature suggests that the cycle of nuclear vengeance would continue until the arsenals of all involved parties are spent. If a nuclear conflict does someday break out, death and destruction might very quickly unfold on a planetary scale.

Having read Nuclear War: A Scenario last year, this is chilling and scary.

