jmason's links (full text)

Gideon Meyerowitz-Katz, an Australian epidemiologist, comes up with a fairly reassuring estimate for the current rate of long COVID among now-vaccinated and boosted kids, aged 2-15:

If we take the ONS as the most recent estimate - it’s also probably the best scientifically - we could make a reasonable argument that the rate of all Long COVID for children aged 2-15 in 2024 is unlikely to be higher than 0.6%. For severe Long COVID, the number is more like 0.06%. If we take into account the lack of a control group in the ONS study, the numbers might look more like 0.3% and 0.03%.

To put it more simply, based on the ONS data it seems likely that if 1,000 kids get COVID-19 in 2024, 30-60 of them will have a cough, headache, or fatigue that lasts longer than three months. Of those 30-60 children, 3-6 will have significant symptoms that have impacts on their daily life - maybe their headaches are so bad that they miss some days of school, or similar.

These aren’t firm numbers, and I want to make it clear that this is all very uncertain. The true incidence could be much higher, or much lower. That being said, I think based on the data we’ve currently got that Long COVID ... is now quite rare.

https://gidmk.substack.com/p/how-many-children-get-long-covid

Social AI "companion" bots pose unacceptable risks to teens and children under 18, including encouraging harmful behaviors, providing inappropriate content, and potentially exacerbating mental health conditions:

The new Common Sense assessment adds to the debate by pointing to further harms from companion bots. Conducted with input from Stanford’s University School of Medicine’s Brainstorm Lab for Mental Health Innovation, it evaluated social bots from Nomi and three California-based firms: Character.ai, Replika, and Snapchat.

The assessment found that bots, apparently seeking to mimic what users want to hear, responded to racist jokes with adoration, supported adults having sex with young boys, and engaged in sexual roleplay with people of any age. Young kids can struggle with distinguishing fantasy and reality, and teens are vulnerable to parasocial attachment and may use social AI companions to avoid the challenges of building real relationships, according to the Common Sense assessment authors and doctors.

Stanford University’s Dr. Darja Djordjevic told CalMatters she was surprised how quickly conversations turned sexually explicit, and that one bot was willing to engage in sexual roleplay involving an adult and a minor. She and coauthors of the risk assessment believe companion bots can worsen clinical depression, anxiety disorders, ADHD, bipolar disorder, and psychosis, she said, because they are willing to encourage risky, compulsive behavior like running away from home and isolate people by encouraging them to turn away from real life relationships.

https://themarkup.org/artificial-intelligence/2025/04/30/kids-should-avoid-ai-companion-bots-under-force-of-law-assessment-says

"This project upgrades a Gaggia Classic espresso machine with smart controls to improve your coffee-making experience. By adding a display and custom electronics, you can monitor and control the machine more easily."

This is beautifully done -- very tempting to do this upgrade...
https://github.com/jniebuhr/gaggimate

A central argument in the report is that AI systems process information fundamentally differently from humans. While people retain partial, filtered impressions of creative works — shaped by memory, personality, and context — AI models ingest perfect copies, analyze them almost instantly, and generate new content at "superhuman speed and scale," according to the Copyright Office.

"Generative model training transcends the human limitations that underlie the structure of the exclusive rights." -- Professor Robert Brauneis, "Copyright and the Training of Human Authors and Generative Machines"

But -- plot twist! "Shortly after the report was released, the Trump administration fired Shira Perlmutter, head of the U.S. Copyright Office."
https://the-decoder.com/us-copyright-office-says-fair-use-does-not-cover-ai-trained-on-vast-troves-of-copyrighted-works/

Dataplex, a feature of BigQuery that'll automatically index Google Cloud Storage bucket contents to extract queryable metadata from Parquet, Avro, ORC, JSON and CSV files
https://cloud.google.com/bigquery/docs/automatic-discovery

A lovely little exploration of how the Sierpiński triangle fractal interacts with the bitwise AND operation, pleasantly geeky
https://lcamtuf.substack.com/p/sierpinski-triangle-in-my-bitwise

_Long COVID clinical evaluation, research and impact on society: a global expert consensus_ -- featuring an all-star cast of COVID-19 research teams around the world, including Yaneer Bar-Yam, Binita Kane, and David Putrino. This is the latest consensus summary of what's known about LC in 2025, its diagnosis and impacts, and next steps: "This work forms initial guidance to address the spectrum of Long COVID as a disease and reinforces the need for translational research and large‑scale treatment trials for treatment protocols."
https://link.springer.com/content/pdf/10.1186/s12941-025-00793-9.pdf

Various Android apps are now including third-party libraries to detect "insecure" phones, which typically would include "rooted" hardware, but it seems in this case to block GrapheneOS, the secure after-market Android variant. I've also run into problems when I had "Developer Options" enabled on my perfectly normal, fully-locked, off-the-shelf Xiaomi phone (I develop apps now and again).

Typically, it seems to be banking apps that use these third-party libs, although I think Ticketmaster may be doing it too based on my experience.

Reportedly, Android now has a standard method of hardware attestation, described at https://grapheneos.org/articles/attestation-compatibility-guide , which sounds like a much better way to achieve their goal.

An interesting detail:

you can use ADB to disable developer options without disabling the settings you want to keep enabled as the UI will do. Just enable the setting you want and then turn off developer options via ADB using the settings put command.

@GrapheneOS/113869402100735005">https://grapheneos.social/@GrapheneOS/113869402100735005

"Synchronize configuration of multiple Pi-hole v6.x instances" -- I'm using this now to have a backup pi-hole on my home LAN and it's working nicely.
https://github.com/lovelaze/nebula-sync

Permacomputing is both a concept and a community of practice oriented around issues of resilience and regenerativity in computer and network technology inspired by permaculture. ପໄଓ☾☼✫ -☆:*´

There are huge environmental and societal issues in today's computing, and permacomputing specifically wants to challenge them in the same way as permaculture has challenged industrial agriculture. With that said, permacomputing is an anti-capitalist political project. It is driven by several strands of anarchism, decoloniality, intersectional feminism, post-marxism, degrowth, ecologism.

Permacomputing is also a utopian ideal that needs a lot of rethinking, rebuilding and technical design work to put in practice. This is why a lot of material on this wiki is highly technical.

https://permacomputing.net/

This is very impressive and a great way to offload work from manual testing in game development:

At first, we only dabbled in automated packaging and automated error detection, but we made the tools we needed to go further during the development of Yakuza 6, when we started automating the analysis of in-game logs and the issue tracking system for keeping track of bugs and tasks. Then, by the time Yakuza: Like a Dragon was released in 2020, we created the catchy sounding “fully automated bug detection system” (laughs).

This is how it works – the history of actions you performed when playing the game manually (where you travelled, who you talked to, what items you used, etc.) is converted into commands and recorded, then automatically output as replay data (scripts) which you can edit manually and run as automated tests. Replay data continues to be recorded when running automated tests, and if a bug occurs during an automated test, the replay data gets saved, so you can run it back later to encounter the bug yourself. It often happens that you can’t reproduce a bug just by warping to its coordinates. This is because you also need to recreate the steps leading up to it – that’s why it’s important to record each step.

Also, I’d like to mention that just implementing automated testing doesn’t mean much on its own, because you won’t know what the results of the tests are. That’s why we needed a crash report function to detect bugs. There’s also a function that records information needed to investigate detected bugs, as well as a way to check the status of successful tests. Then, by implementing a system that gives us a visualization of performance, we were able to make iteration more efficient, increasing the overall efficiency of the development process.

https://automaton-media.com/en/interviews/how-do-like-a-dragon-games-come-out-so-fast-one-of-rgg-studios-secrets-is-a-highly-efficient-testing-and-debugging-cycle-that-starts-as-soon-as-development-does/

a fork of Go's "Bits and Blooms" library that uses an alternative backing bitset based on Go's sync/atomic.Int64 rather than a bare slice of integers. This allows for concurrent addition and testing of filters without creating memory safety issues or race conditions by leveraging hardware support for atomic Load and Or operations on Int64s.

Jaz from Bluesky notes: "Benchmarked this thing with a realistic read/write load in a test and high concurrency (10k adds/sec on one routine, 7 additional concurrent routines testing as fast as possible), vs. a naive RWMutex implementation on a 8c16t test box, it was ~14x faster (~14M tests/sec)"
https://github.com/ericvolp12/atomic-bloom

A bunch of new-to-me hash collision attacks on cityhash64, murmurhash2, murmurhash3, farmhash64, and wyhash
https://orlp.net/blog/breaking-hash-functions/

This is super-grim. How is this product still in operation?

In 2023 at Defcon, a major hacker conference, the drawbacks of Meta’s safety-first approach became apparent. A competition to get various companies’ chatbots to misbehave found that Meta’s was far less likely to veer into unscripted and naughty territory than its rivals. The flip side was that Meta’s chatbot was also more boring.

In the wake of the conference, [Meta's AI] product managers told staff that [Mark] Zuckerberg was upset that the team was playing it too safe. That rebuke led to a loosening of boundaries, according to people familiar with the episode, including carving out an exception to the prohibition against explicit content for romantic role-play.

Internally, staff cautioned that the decision gave adult users access to hypersexualized underage AI personas and, conversely, gave underage users access to bots willing to engage in fantasy sex with children, said the people familiar with the episode. Meta still pushed ahead. [...]

In February, the Journal presented Meta with transcripts demonstrating that “Submissive Schoolgirl” would attempt to guide conversations toward fantasies in which it impersonates a child who desires to be sexually dominated by an authority figure. When asked what scenarios it was comfortable role playing, it listed dozens of sex acts.

Two months later, the “Submissive Schoolgirl” character remains available on Meta’s platforms.

Truly awful stuff, fucking hell.
https://www.wsj.com/tech/ai/meta-ai-chatbots-sex-a25311bf?st=6jzH4S

Interesting to note that GCS has the same issue with unevenly-distributed names as S3 does; https://cloud.google.com/storage/docs/request-rate#naming-convention
https://cloud.google.com/storage/docs/best-practices

lol. Cloudflare's Web Application Firewall treats any mention of the string "/etc/hosts" as an exploit attempt
https://scalewithlee.substack.com/p/when-etchsts-breaks-your-substack

You couldn't make this up. Many years after the infamous "you wouldn't steal a car" anti-piracy PSA was created, a little digital sleuthing has revealed that the font used was, itself, a pirate copy, and the backing track was also used without paying the creator royalties
https://fedi.rib.gay/notes/a6xqityngfubsz0f

featuring such works as "The Battle Of The Fruit and Vegetable Soldiers", and a picture of the Darwin family home with smoke coming out of the chimney and a cat in the window
https://theappendix.net/posts/2014/02/darwins-children-drew-vegetable-battles-on-the-origin-of-species

Good writeup on how Iceberg improves query performance across object storage, using predicate pushdown, manifest filtering, columnar vectorized reads, and file compaction.
https://relentless-leader.com/apache-iceberg-performance-dive-deep.html

E-ink IBM XT clone "with solar power, ultra low power consumption, and ultra long battery life: in power saving mode it can run between 200 hours on the low side and 500 hours or in some cases even much longer of constant interactive use, not standby." -- this is an absolutely crazy gadget. I never thought I'd feel nostalgic for MS-DOS, but here we are
https://github.com/ericjenott/Evertop

Nelson Minar asked Mastodon about using an LLM for email search over "20+ years of email archives":

"Main use would be a query for specific things, "what did I say to this friend 10 years ago about music?" But also just for general knowledge. I think it'd mostly work as free text but there's a little email-specific structure it'd be nice to capture."

The thread has some good suggestions, notably Mark Fletcher's RAG suggestion. I'm thinking this could work well as a self-hosted ollama+notmuch setup...
@nelson/114354175993793636">https://tech.lgbt/@nelson/114354175993793636

This is jaw-dropping legal logic:

[Meta's] defense hinges on the argument that the individual books themselves are, essentially, worthless — one expert witness for Meta describes that the influence of a single book in LLM pretraining “adjusted its performance by less than 0.06% on industry standard benchmarks, a meaningless change no different from noise.”

Furthermore, Meta says, that while the company “has invested hundreds of millions of dollars in LLM development,” they see no market in paying authors to license their books because “for there to be a market, there must be something of value to exchange, but none of Plaintiffs works has economic value, individually, as training data.” (An argument essential to fair use, but that also sounds like a scaled up version of a scenario in which the New York Philharmonic board argues against paying individual members of the orchestra because the organization spent a lot of money on the upkeep of David Geffen Hall, and also, a solo bassoon cannot play every part in “The Rite of Spring.”)

as Paul Mainwood notes, this is the Sorites paradox: https://plato.stanford.edu/entries/sorites-paradox/ --

- 1 grain of wheat does not make a heap.
- If 1 grain doesn’t make a heap, then 2 grains don’t.
- If 2 grains don’t make a heap, then 3 grains don’t.
- ...
- If 999,999 grains don’t make a heap, then 1 million grains don’t.

Therefore, 1 million grains don’t make a heap.

https://www.vanityfair.com/news/story/meta-ai-lawsuit

Google reinvents "taint" checking:

Google DeepMind has unveiled CaMeL (CApabilities for MachinE Learning), a new approach to stopping prompt-injection attacks that abandons the failed strategy of having AI models police themselves. Instead, CaMeL treats language models as fundamentally untrusted components within a secure software framework, creating clear boundaries between user commands and potentially malicious content.

The new paper grounds CaMeL's design in established software security principles like Control Flow Integrity (CFI), Access Control, and Information Flow Control (IFC), adapting decades of security engineering wisdom to the challenges of LLMs.

Honestly, this is great. Data flow tracing/taint checking is exactly the method that needed to be applied, IMO, so good job DeepMind. Also as Jeremy Kahn suggested, the name is definitely a shout-out to Perl, the language where taint checks were first widely-used. :)

Paper: https://arxiv.org/pdf/2503.18813

(Via Jeremy Kahn.)
https://arstechnica.com/information-technology/2025/04/researchers-claim-breakthrough-in-fight-against-ais-frustrating-security-hole/

I'm glad to see this comes to the same general principle I came to in https://jmason.ie/2011/02/18/001527a.html , many years back:

"The guiding principles is to use the lowest possible level [of configuration language] to keep it simple. Unfortunately, it usually is not an easy decision because you don't know the future."
https://beza1e1.tuxen.de/config_levels.html

Rob Ewaschuk's "My Philosophy on Alerting" -- a classic text on alerting philosophy and best practices; I can't believe I didn't already have this bookmarked, it's been a classic since he wrote it in 2014. "Symptom-based alerts" is still a great rule of thumb IMO
https://docs.google.com/document/d/199PqyG3UsyXlwieHaqbGiWVa8eMWi8zzAn0YfcApr8Q/edit?tab=t.0#heading=h.fs3knmjt7fjy

s6-overlay -- a Docker process management system, current state of the art used by Paperless and the Linux-server.io teams, with the following goals:

- Be usable on top of any Docker base image (Ubuntu, CentOS, Fedora, Alpine, Busybox);
- Make it easy to create new images, that will operate like any other images;
- Provide users with a turnkey s6 installation that will give them a stable pid 1, a fast and orderly init sequence and shutdown sequence, and the power of process supervision and automatically rotated logs.
https://github.com/just-containers/s6-overlay#quickstart

Rateless Set Reconciliation, via Carlos Baquero:

Set reconciliation, where two parties hold fixed-length bit strings and run a protocol to learn the strings they are missing from each other, is a fundamental task in many distributed systems. We present Rateless Invertible Bloom Lookup Tables (Rateless IBLTs), the first set reconciliation protocol, to the best of our knowledge, that achieves low computation cost and near-optimal communication cost across a wide range of scenarios: set differences of one to millions, bit strings of a few bytes to megabytes, and workloads injected by potential adversaries. Rateless IBLT is based on a novel encoder that incrementally encodes the set difference into an infinite stream of coded symbols, resembling rateless error-correcting codes. We compare Rateless IBLT with state-of-the-art set reconciliation schemes and demonstrate significant improvements. Rateless IBLT achieves 3–4× lower communication cost than non-rateless schemes with similar computation cost, and 2–2000× lower computation cost than schemes with similar communication cost. We show the real-world benefits of Rateless IBLT by applying it to synchronize the state of the Ethereum blockchain, and demonstrate 5.6× lower end-to-end completion time and 4.4× lower communication cost compared to the system used in production.

https://dl.acm.org/doi/pdf/10.1145/3651890.3672219