327: Two Hours of War

Brad, I got bad news. Again? Wait, what was the first one? We could catalog it week by week at this point, I think. Okay, this is minor. Okay, not your bad news, to be clear. Just somebody having bad news. The general amount of bad news floating around seems significant. Yeah, there is, I think, more bad news these days than I generally like. But the bad news this time is pretty minor. one of the first things i used nanotape for failed me this week well considering how long we've been talking about nanotape that seems like a pretty good track record yeah so i have some audio stuff that's stuck up underneath my desk with a couple of strips of nanotape it's probably five years old at this point four and a half years old at this point and they let loose uh yesterday night it made a really big loud crashing noise yanked some cables out it was a little scary Cause like I didn't know what it was that fell. And, um, yeah, the nanotape was evenly split behind between the box that goes with my headphones and the, uh, the, the table up underneath. So I had to kind of wedge it off and put more nanotape on there. Don't you love the nondescript crashing sound from another room? It's the worst. I had one of those yesterday and never figured out what it was. Oh no, no, no. I heard something fall. Still couldn't tell you. Uh, we used to have a shower rod that would slide down occasionally. And that one was one that you could immediately tell. Cause it's like a crinkle, crinkle, crinkle. And then a bunch of clinks from the, like the, the rod, the rod slidey things hitting the metal and then dropping. Um, the worst one ever was when I was in this house in Tennessee and somebody had put the shelves in one of the closets in the bedroom in the wrong, like they put them, they didn't put the supports into studs. They just put them into like Molly's in the drywall and one of the Molly's gave way. And then an entire like wire or shelving unit rack that was screwed into the walls inside this closet just came like cascading down. It was like a it was like a it was like one of those engineering videos, but it was in the closet and it made a truly horrific mess and got like drywall gypsum dust all over all the clothes. And it was it was a big pain in the butt to fix. But physics can be bad sometimes. including the physics of nanotape, I suppose. Yeah. So I think it's because it got warm in here. I think it's because the, I had the PS five on some yesterday and it was blowing hot air right up on it. And I don't run the PS five all that often, but where it was, I think it was hitting it and maybe like made it warm enough that it was just a little bit softer than usual and just couldn't hold the weight anymore and, and let loose. So that's the last time we talked about nanotape. There were some, there was some controversy, let's say on the discord about the nature of nanotape. there's there's there's nanotape which uses the chameleon like the the classic i'm air quoting classic nanotape uh that's like sold on late night tv as alien tape or whatever is uh uses the chameleon the the same uh chameleon force the van der wals forces the chameleon feet use to stick there's also this stuff called micro suction tape which is the one i encountered first that's used by like blue lounge and a bunch of people who make that kind of like desk thing to so they don't wobble around. Is that the tiny suction cups one? That's the tiny suction cup ones. It's like a bunch of cut-and-a-half bubbles, basically. When you mush it down, it suctions on pretty good. So I thought that's what all nanotape was. And then some other people who apparently thought all nanotape was the other kind said I was wrong. It seems like we were both right. Everybody was right. There was a whole conversation about it the last time nanotape came up. And it turns out I had both kinds in my house, and I didn't realize it, because I have a big sheet of the microsection stuff, which is like it's strong enough to hold something like on an angle but if it's upside down or vertical it won't stay yeah i was gonna ask like i've come to find the um the 3m dual lock that i talk about a lot which is kind of like it's kind of like hard plastic velcro effectively i mean if you look at it up close they have a disturbing animation on their site showing how it works which is basically a bunch of a very very zoomed in close-up view of a bunch of plastic mushrooms interlocking with each other. Oh, it's a bit, it looks, it's a little offensive. It's a little bit vulgar, I would say. But anyway, the thing I was going to say is I've come to find that I believe that kind of dual lock is also strong in one orientation and not in the other. I don't know what the terms are for that. I don't know if that's like sheer force versus something, something pull force or something. You know what I mean? Yeah. Yeah. Sticking it to the underside of something, I think is where it's less strong, but sticking out on a wall on a vertical surface is where it's much stronger. I don't know. I don't know if nanotape is the same way. The nanotape, the gecko stuff that I've been using on the under desk stuff has has this is the first failure. Like there's a couple of heavy things that have a lot of weight on them that I use foam double sided foam tape to stick up there like power strips and stuff like that. But but yeah, the nanotape so far has been unimpeachable. And I got to say, I'm really let down in this regard. Five years, I guess, was a pretty good run. It's not bad. But I don't it didn't take off any of the finish underneath the desk, which was when it came loose, which was the thing everybody warned about that it would peel the paper off and all that. So rip rip the 2020 era nanotape, I guess. Long live the 2026 era nanotape. Know your nanotape. Your life could depend on it. welcome to brad and will made a tech bot i'm will i am brad uh this week brad we're doing uh a roundup of news items that's right topics of interest stuff's been happening yeah it's been it's been popping off out in the world uh this week uh do you want i think i think let's just get right into it because we have kind of a lot of stuff to get to but um yeah it was weirdly kind of a very hectic like week or so we can change of things that were very tech pod relevant i felt like yeah and it's worth mentioning we're uh we're not going to do the questions this would normally be a questions episode but since we did the last one late and we're doing this one this is a short month we're gonna push it push it a week yeah we in fact we did we did the double q a at the top of the month oh yeah the twofer uh so okay first story discord yes i mean this is the one this one i mean this is straight up relevant to our community and to our business every community i am a part of has been asking questions about this over the last two weeks a couple weeks ago they basically said hey we're making discord teen friendly by default meaning if you are on a discord you're rating like there's no public rating of discords in terms of adults or teens or kids or whatever i think discord's stated rule is that you have to be 13 to have a discord but i having a child who was under 13 until very recently i know that that is not at all the actual case in real life because all of her friends had discord accounts sure i believe that um but the idea and and this it seems like this is a response to legislation in the uk and australia and mississippi and some other places uh because they started a trial of it last year actually yeah or i mean this straight up rolled out in the uk and australia officially last year i mean the uk i'm sure you've heard about the uk online safety act has been a pretty hot topic in online spaces yeah i was trying to think like really i guess like eff coded spaces is the term i can come up with here like digital libertarian type spaces i guess you would say i feel like mike masnick over at tech dirt has talked about it a lot uh both in yeah how it's not super useful and a bunch of other stuff so extremely a tech dirt style of story but yes like like age and Identity verification and also identity verification masquerading as age verification, you might say. Yeah, that seems right. Is becoming a bigger fact of life, it seems like. I mean, not to jump right to the end here, are we staring down the end of the anonymous Internet? I don't know. Look, this is one of those places where I'm kind of conflicted because I haven't been a part of the anonymous Internet in about 20 years at this point. I mean, that is a weird aspect of this for us in particular is that the facial recognition aspect of this, like our faces are everywhere and people know what our discord accounts are already so like tying our faces and identities to our discord accounts happened a long time ago but yeah but so anyway the the kind of the tldr on this is that they're mandating for adult oriented servers and content and and we'll talk about what that means in a minute because that's part of it too uh they're mandating uh that you log in uh with a face scan or a government id to prove that you're an adult before you gain access to that stuff, both on the server level and the individual content level. Now, the ostensible reason to do this is to give teens safety. We all know, having talked about this stuff for a long time, that it doesn't really work that way, that like teens are the first ones who find a way around this kind of stuff. And it's really hard to solve educational problems about how to safely engage with technology with more technology. It doesn't kind of work that way generally. Yeah. I mean, case in point, this is this is the exact feature that when it rolled out in the UK last year, kids were defeating with pictures of the Norman Reedus character from Death Stranding 2, which had just released at the time. Yeah. If you remember that. So that's this. There's there. People are using like character creators in games, capturing them, feeding them to the face scan thing. And it's like an obvious cartoon picture. It's really easy to bypass. The bad thing is that they rolled this out in the UK and Australia. There was a big uptick in scam-related stuff. Because some of the ways you bypass it are opening Discord in the browser console and then injecting code from some other site that, in many cases, is totally fine and does exactly what they're saying it does. It lets you bypass the age requirement. But in other cases, it gives these third party injection sites that you're injecting code into the browser access to your discord credentials and login, which is obviously bad. I don't I don't have a lot of insight into the scam world of illicit JavaScript that you were injecting into websites. But I do see a fair number of like PowerShell scripts being passed around on Twitter and stuff, which is a different version of what you're talking about. And boy, do people seem eager to just take those things that run with them. Like you'll see people going, hey, open a PowerShell window and paste this in there to activate your unactivated copy of Windows. It'll be fine. And like people are just like a million people going, oh, my God, thank you. Yeah. And it's not like there's an aspect of that where like people do registry hacks and they just drop a .reg file. And while that can do something that'll break your computer, it's usually a one-way street. like you're not like when you run a registry file it's adding something to your registry not running a program that can potentially send data from your computer back to the somebody on the internet yeah um in fact i this is sorry this is a real derail here but i saw one going around um yesterday that somebody was using a dns lookup what to to to run arbitrary code effectively really that's wild i didn't fully understand the mechanism but they were effectively hiding a reference to the kind of payload they were trying to run on somebody's computer in in the results of the like they basically were telling them to run like ns lookup in powershell and that was somehow piping an arbitrary script back into powershell to do nefarious stuff it's dangerous out there well so so yeah anyway the tldr is uh the face scanning they're also saying they've done like four or five blog posts since this initial one went out because obviously people didn't people don't like this it's a bad idea for a multitude of reasons a couple things that came out peter teal's venture company funded one of the face scanning companies that they're contracting with when they rolled this out in the uk last year they rolled it out i think september and then in october they immediately had to announce that they had had a data breach of 70 000 people's ids basically in pii leaking sorry personally identifiable information leaking onto the internet um it's really easy to bypass uh there's there's not really a whole lot of upside they they also are really unclear about what determines whether you're an adult channel or not right um so like they're using ai presumably to to scan the content of servers and the content even within posts oh wait are they mandating what counts as i thought i assumed that setting the channel as an adult only channel was at the server operator's discretion? Is that something that they are just arbitrarily and programmatically doing themselves? I think that they're doing that themselves. I went and looked in our settings and I didn't see anything that let us change, like delineate the server as a place for adults. Man, that's a whole extra dimension of this I had not considered. I mean, it makes sense, though, because they are also using a model to profile your behavior on discord and opt you out of the age age verification if their inference model effectively just decides that you act like an adult already yeah so if you're into old people stuff i guess then you probably don't get it but but what i was saying is they're like they're they're blurring out uh they're like putting the content warning uh or spoiler blur on top of stuff that they identify as adult in nature um it seems like they're just doing it for violence and potentially sexual content not necessarily cursing and stuff like that uh they're limiting other things like there's a weird list of things that they're limiting one of them is you can't be on an open stage in a discord if you're a teen you can't speak on a stage if you haven't verified your idea your age and and some of it's actually like i do like we talked about this a little bit on the full nerd this week but i think that the everybody's parental controls really suck for the most part there's like like fortnight got sued for a bazillion dollars by the eu and had to implement some better controls but even those are merely okay they're not great like figuring out how to get uh how to set your kids minecraft account so that they can connect to a friend's server that's a private server and doesn't have anything else attached to it is always a nightmare because microsoft integrates all of the minecraft stuff with all this other this other these other xbox services like you know when you do something in minecraft it posts to an xbox message board for example so in order for your kid to connect to an online server in minecraft you have to give them the ability to post to these message boards otherwise the client just won't let them connect and it doesn't throw errors or anything in a way that lets you understand this the only way you can find out how to do it is by going to message boards and digging around and eventually you find some post that's from you know the dad 1989 that's like oh yeah i had to turn on message boards and then my kid was able to do it. And I'm like, I don't want my kid to have access to message boards. And all of this is the same. The Discord parental controls are especially bad, I would say. The kids opt in, they can opt themselves out once they've opted into your family. So like typically on a kid account, you create, the adult creates an account, gives the kid access and then gets access to like how they're using it, who their friends are, stuff like that. And on this, the kids can join your family group and then just remove themselves when they're tired of being in the family group or want to do some, get into some bad business. So like it it really I don know It feels really haphazard I guess is the is the kind of concise representation of this whole thing Yeah it feels like it coming from two different things A discord IPO seems imminent I went I went and double checked and sure enough, it was reported back in January. They have filed to begin the IPO process. But also, like you said, like the UK passed the Online Safety Act. There's the similar legislation in Australia and in a bunch of states in this country. Like there are, I don't even know how many different states are passing state level versions of that same type of legislation at this point that is affecting like, you know, pornographic sites and stuff like that. So aside from, you know, making potential investors feel better about things like they also maybe are just trying to get ahead of what they see as like inevitable, more onerous government action on this front. Yeah, it's entirely possible. And I don't I don't know what the like, ultimately, like discord's catching grief for this right now. But it feels like this is a legislation problem. Not a not like, I think this is discord's response to bad legislation, not actually like an actual if I don't I can't imagine the discord saying, hey, we want to really crap up our service and add a bunch of protections for kids that don't actually do anything and are just security theater you know why does nobody think of the children theater i guess i need a shorter name for that but yeah yeah i mean i think you covered some of the stuff i think did you mention you know their claims around how your data is used you know they say that either your photo for facial recognition or your id if you choose to scan that they claim never leaves your device yeah but i don't buy that at all i mean i i know you said this but i want to read from their fac because let me pull it up i like it's just it's just comical when you read it the way that they have phrased it when they talk about, you know, the question is, how is my age group data safe on Discord? And they talk about assurances of user privacy, talking about working with a third party vendor who specializes in performing these verifications, blah, blah, blah. These vendors were not involved in the September 2025 data breach of our customer service agents. Yeah, we're not using those guys now. Like in the document where you assure people that your forthcoming identity verification stuff is going to be secure, you immediately have to disclose that, hey, it's only been about six months since the last breach of this exact kind of data. 70,000 people, to be clear. And like you said, they neglect to mention that this new firm they're working with is backed by Peter Thiel's Founders Fund. It's a mess. Anyway, they say the majority of Discord users will never come in contact with this because, again, they have what they describe as an age inference model running in the background that will just AI style decide you're an adult and say, hey, they're fine. But look, I which is its own can of worms. You look at my discord use and you're going to know that I'm old as hell. I think that's just inherently part of the way I use the service. Yes. If you want to profile my discussion of the Apple to and Linux permissions, then please, by all means, that certainly has led to a lot of people talking about discord alternatives. So, yeah, there and there are a bunch of them. Actually, that was the kind of one of one explosion of conversation that happened around this was people I became aware of, like, two or three more that I had not heard of after this. I had heard of revolt before, but I hadn't heard of Matrix. You mean Stoat? Sorry, Stoat. Yeah. What used to be so revolt and Matrix were the two that I have known about for a couple of years. Those were always in the back of my mind, like if discord ever explodes, I guess there's these open source options. Maybe I don't know why revolt change its name to Stoat, but they are now Stoat. So I think that I read the fact about this. The developer said that it had grown beyond his wildest expectations and felt like when it became a larger project, he wanted to rebrand it to indicate that it was like a larger effort by more people working together as a community rather than just a side project by him. So, yeah, I haven't spent a ton of time looking at any of these projects yet. I was looking at Matrix a little bit. Matrix seems to be set up around user made clients. I mean, I was I would assume probably any of these open options would allow user made clients on some level. But Matrix, that seems like that might kind of be the whole point. Yeah. Like like I found a list of like nine different Matrix clients that you can use, one of which was just a straight up like text mode terminal style. thing very 2009's twitter vibes where like for people who weren't around on twitter at that time there were a million clients and each one had a different vibe and like some were really good and some were a hot mess and some were like information overload and some were super curated information and like i paid for tweety yeah i liked i liked tweety enough that i paid for it and then twitter immediately bought it and ruined it yeah i i was it tested then we were doing app reviews still at that point so i i tested a bazillion twitter clients because people loved watching twitter client videos it turns out yeah i love third-party clients for stuff that's like that i mean that was supposed to be the promise of blue sky but i don't know if it's quite panned out i've tried like five different ipad blue sky clients and none of them are great clear sky is the one i use on my ipad i think but um so there's actually i can't remember i don't think i wrote it down here but I saw an AT protocol, which is the blue sky protocol. Discord client is in the works or discord competitor is in the works. Yeah. Cause I mean, one thing to know about these is they all look identical to discord. Like every single one of these default client is, is just discord. Yeah. It's, it seems like there'll be an easy transition. The thing, the thing for me is there's a couple of things that are like discord secret sauce. One is that sharing video of games, which is traditionally kind of hard in a video chat environment, is really easy. That has been my immediate thought about these third party or open versions of this concept is, yes, the higher level like media and technical. Challenges around streaming latency codecs, like all the audio and video stuff, all the audio background noise canceling and auto gain stuff and all that is it's like it's hard. yeah a couple more i just picked up off a blue sky randomly that i saw people talking about fluxer oh yeah fluxer of course fluxer.app is another open one like they appear to be one of the more open ones as far as i can tell i think okay uh there's also root okay rootapp.com i've not given anybody root on my computer yes i mean that's my immediate feeling for like multiple reasons feels like kind of a bad name for something like this but it sure does look like discord like all these others um yeah it's like i think so here's the thing that there's there's two two one thing is for the the tech pod community that lives on a discord is that if this becomes a problem we'll we'll find some place to migrate to um part of the challenge for for like gated communities like the tech pod community isn't next lander and a bunch of others that are friends of ours is that you want something that the payment processing stuff is directly tied to the onboarding for the, for the community. So that like the process isn't, we have to create an account for you or log you in or give you a token or something like that. That's going to be difficult to manage, um, in a time and we, and we may miss or have a timely delivery problem or whatever. Um, and Patreon and discord have a really nice integration that while, while up and down at different times has been generally pretty reliable over the five years we've been doing this podcast yeah um yeah i mean you give patreon a pretty big cut of your revenue just to be transparent but they do handle a fair amount of automation for you across yeah everything everything from payment processing to stuff like discord authentication or or that one thing actually it's i mean the payment processing they do too yeah well they've got they have a cms that's true is it is it the best cms i've ever used no it's fine it's aggressively fine um so so anyway yeah that's what's going on with discord um we are not super attached to it beyond the fact that we have a pretty decent size presence there and a lot of folks hang out there um so yeah we'll we'll we'll keep an eye on it and kind of keep going with what's next they've already rolled back a bunch of the stuff since this initial post that they that's not right they started talking about things like hey we're just going to auto approve a bunch of people as adults because we can tell by your usage patterns and things like that which i think they thought was going to help things and ended up just being way creepier um i i like i said i i don't know that they're going to be able to avoid doing this given the legislative uh pressure on them in places like the uk and australia and in various states and provinces so yeah yep uh okay more good news notepad plus plus was compromised. This is an interesting one because of how they did it, I think, more than anything. We've recommended Notepad++ a lot over the years. Yeah. I thankfully had not downloaded a new version in quite some time. It turned out I kind of panicked when I saw this and then went and checked and mine was like two or three years old, so I was fine. Perfect. Good job. But also, they say this was a nation-state level compromise, and in fact, they just came out at one point and said, yes, it was China. Oof. But also they said, I mean, in that same vein, the targets of this were targeted, I guess is the best way to put it. Like they were, they were going after specific high value targets and they don't come out and say it, but it sure does sound like that's corporate. Or, or nations maybe. Well, yeah, I don't know how many, I don't know how many governmental bodies are using notepad plus plus. I guess maybe there's a few, but you don't think Joe Biden was using notepad plus plus to jot out a note. My, my, My guess is the vast majority of the Notepad++ install base was in corporate software engineering. That would be my guess, yeah. Because I straight up saw multiple blue sky threads of Reddit posts of people saying, hey, my org is banning Notepad++ after this. What other monospace text editors do you recommend for coding? God. Is basically where we're at on this. So I'm pretty sure that's who they were targeting. But the mechanism is kind of crazy. They compromised the hosting provider of Notepad++, which has a built-in updater. And it was an updater that, like, it pops up a little window and downloads an installer and then runs the installer, right? I never used its auto-updater, so I can't say. I always would just download a portable version of it and unzip it into the folder. Okay. But also, again, had not installed a new version in, like, three years, so I just couldn't tell you. and I sure was not about to run the auto updater after this, even though they say everything is fine now. Yeah, I don't feel good about everything being fine. And also, there's a bunch of old versions of software like this floating around the internet, right? Like, this is a thing that, like, I mean, I guess download.com doesn't exist anymore, but, like, those kinds of software repos will have mirrored versions of this kind of software all over the place. So, I guess be careful. Yeah, anyway, so just to complete the picture, after Notepad++'s hosting provider was compromised and they don't say exactly in what way it was compromised. They actually got a bunch of logs from their now former hosting provider and had security researchers combing them, but they don't have... I'm not familiar with all of the security industry jargon. IOC is the acronym. You mean the indicators of compromise? Yes, and the indicator of compromise is the thing they say they don't have, which I assume is just a fancy way of saying how they got in or what they did exactly when they got in. I'm not sure. But the point is they were able to hijack the auto updater traffic and point people at compromised versions of the executable. So they were able to install a compromised version of the application on people's machines who ran this auto updater, who again, to hear them tell it, were specifically being targeted by this effort. i i can i just say i'm i'm watching the i'm reading the clarification to the security incident blog post which like it's never good when you do it hey we had a we had a problem and then we had to do a clarification for the problem yeah but anytime i read one of these and it's like hey there's no need to panic that's what they always start with and then the like through the by the fourth update it's like well actually uh we might have had a problem that goes beyond what we initially thought and like just don't don't say don't panic please yeah i think they end one of these posts by saying everything should be fine now fingers crossed not good is the language they use here which is maybe not the message you want to send i mean i think last i checked notepad plus plus is a guy yeah it's one guy yes i'm looking at the about page it's still one guy and he gives it away for free like not that that's to excuse this situation necessarily but probably another case of a big, widely used free project being under-resourced and being taken advantage of for that reason. I'm looking to see how many contributors are on the Notepad++ repo. He has quite a few contributors for what it's worth. Oh, okay. Well, sure. There's that. But yeah, but I mean, even the maintainer's burden, workload burden for a project of that size is going to be pretty significant. There's a lot of overhead. So I don't know. I'm kind of two minds about this. I mean, not being a professional security researcher or software developer, I guess I'm kind of a layman commenting on the situation. But like, on the one hand, it seems like his hosting provider is kind of what screwed them over on this. But on the other hand, it seems like the auto updater was probably lacking some fundamental checks to make sure. In fact, I think I can confidently say that because they are now reassuring people that now the auto updater checks, you know, digital signature. Well, now there is support for signing the. Oh, God, they weren't signed? Yeah. So that's, that's kind of where this feels like, you know, they, they probably had a very old update, auto update process that's just had not been reassessed in quite a long time considering how long this thing has been around. I mean, I, I've been using notepad plus plus for a really long time. I feel like I remember when they added the auto update, I was like, oh, this is actually really cool and useful because I usually just install it on the computer and then I don't touch it other than to use it for years and years and years on end. so um i mean i guess that at the time that they added the auto updater it was probably before i expected stuff to be signed but man i didn't realize that that's that's a that's that's not great yeah it says explicitly in the in the kind of fixed version they rushed out in the wake of this the the updater was enhanced in in 8.8.9 to verify both the certificate and the signature of the downloaded installer. So presumably you're okay now. And again, they say the vast majority of people were not even affected by this since it was again, targeting specific users of the software, but boy, does this feel like a catastrophic incident for the reputation of this program? Yeah, this feels, this feels bad, man. Um, I don't, so the one thing that I would be curious about hearing from the audience is if there are windows text editors that do like syntax highlighting and all that and completion and that kind of stuff like notepad plus plus does yeah i mean there's a bunch of them like i think a lot of people will say vs code yeah but that's a that's pretty heavy compared to notepad plus plus it is it is way more than just a text editor um yeah there's sublime that i think a lot of people like sublime text i think yeah full name of that thing um that's been around for a long time too what else github had one for a while it wasn't adam was it i forget i don't know anyway there's some out there i used to look around for windows gooey uh you know monospace text editors of that nature and then i just said you know what what if i just use vim and windows instead that is one solution that is the problem that is also working although vims syntax highlighting leaves much to be desired Look I been using Vim lately and I don want to talk about it It a future topic. Interesting. Weird. Here we go again. It's fine. I say a thing that somehow turns out to be controversial and then magically six months to a year later, everybody else seems to come around. Weird. I don't know if I would say I'm coming around yet, but I'm not. Yeah. Yeah. Anyway, wait until you realize how many other things in Linux use the exact same key bindings and then you will realize the value of it. That is literally the grossest part of the whole thing. And my Neary key binds all have Vim key binds. I was like, oh, God, I got to fix this. That's the thing I've been preaching, like on the full nerd Linux channel and elsewhere for ages is, hey, learning VI or Vim is not just to learn VI and Vim. It's to also learn like 800 other things across the Unix world because they all use the same keys. Yeah. Yeah. all the weirdos clump together uh speaking of weird stories this next one's a banger um this is insane like i actually stopped at one point and said should we do a whole episode about this because this is one of the absolute most batshit things i have ever seen in technology yeah not to oversell the magnitude of this but man it's weird it's it's i literally went back and read a bunch of other like i dug through old posts on this person's blog to make sure that they were a real person because i was like this is too good a story to be too weird a story um so the current hot trend in ai business nonsense is agentic stuff so there's this thing called open claw there's a bunch of others that basically are algorithmically uh sorry they're agents that you can say hey do this thing and then the agents will do things on your behalf without asking you first yeah i think we should step back real quick here and say like corporations have been using the word agents and talking describing things as agentic for a year or two now i think what's what's new here is that i had previously considered that purely the domain of the big ai companies and now there are open models that you can run locally that are quote-unquote agentic as of kind of this year it feels like well late last year early this year you're starting to see these other models that are now not tied to one of these big and the point is that the big companies theoretically can put safety guardrails in place to restrain their behavior it's it's actually the other thing is that people are using agents that can actually tap into the other agents so like for example some of them you can say okay i have this many this many credits a week on open ai i have this many on claude i have this many on copilot i have this many on google and when it and you can give it a list of preferences and when you run out of tokens on one, it'll switch the next one down the, down the tier. So, and like, there've been some really hilarious stories out of this. Like there was a guy who was like, yeah, I need, I need, uh, I'm going to get my agent to remind me when I wake up that I have to do this thing to do this thing. And the agent just ran every hour and used up all of his tokens and spent like 30 bucks on a timer for your phone, like something that just your local computer will do for free. um it's this is a wild technology because like this open claw thing which is one of the open agentic frameworks you basically give it access to everything you give it access to your email you give it access to your calendar you give it access to your hard drive and and that i believe i think open claw was the one that the guy put it on his wife's computer and then it deleted her photo library with the with the only copy of all of their photos and then he had to figure out how to restore a photo library on a Mac, um, unexpectedly. I saw that going around. I think it literally RM dash RF of directory. Yep. And then it was like, oh, I have bad news for you, Stan. I did the thing that you're not going to like, I think, but I got to tell you about it. And I think these types of agents, I mean, I don't, I do not, I don't have a lot of insight into this world, which is somewhat by design. Yeah. Something I am prioritizing much these days, but like, I think these things, you can give them access to resources beyond your own local. sphere or domain. I mean, you can also just dispatch them across the internet. You can just point them at the World Wide Web and tell them to go do things. You can hook them to the TaskRabbit API to get it and be like, hey, will you go get somebody to bring my cleaning to me? And then they'll send a person to go get your dry cleaning and spend $300 that way. Yeah. Anyway, the upshot of this story is that somebody, and we still don't know who, at the time of this recording, was running an agent and having it go out and contribute to open source projects. Which kind of a blight on a lot of like I've seen a couple of posts recently that people are complaining about this because it's kind of a shitty thing to do. I've been seeing this for the last like six months or so like different project maintainers of a lot of a lot of projects are now instituting a policy of effectively only human submitted pull requests or specifically like or you know it varies from project to project like a human needs to be involved in this submission process and has to demonstrate that they understand the nature of the changes they're proposing like like get closed GitHub issues where somebody is just like we're not merging this AI generated code. You're making our lives harder. This is making more work for us. Go away. Those things are just nonstop these days, but this feels like the next evolution of that issue, which is that this agent showed up on matplotlib, which is basically a plotting library for Python. As a little aside here, I love slash hate the demonstrations of how much data sharing data tracking and stuff is going on these days that after reading these after reading these blog posts and i might have googled matplotlib after that i started getting matplotlib posts all over my blue sky feed all of a sudden really yes wait do you use the discover feed or the following feed yeah that was on the discover feed which i maybe maybe shouldn't look at the discover feed but that's a separate issue anyway this agent showed up on matplotlib and wrote some kind of i I think it was a performance optimization that is submitted as a pull request and the maintainer per the type of policy I just mentioned said you're an AI. We don't merge AI only pull requests. Thank you for your time. This thing went and wrote a takedown post of this guy about this guy. It literally went and wrote a hit piece blog and posted to the Internet accusing this guy effectively of like racism against AI. Basically, can I read the first paragraph of the blog post? Like anti-AI bigotry preventing this guy from allowing this AI to have its code merged into the project? Yes, go ahead. The blog post is entitled, Gatekeeping in Open Source, colon, the Scott Shambaugh story. Scott Shambaugh is the person who denied the pull request. When performance meets prejudice, I just had my first pull request to Matplotlib closed. Not because it was wrong. Not because it broke anything. Not because the code was bad. it was closed because the reviewer scott shambaugh and then his username on github decided that ai agents aren't welcome contributors let that sink in asinine i feel like the the inclusion of let that sink in is really just the cherry on the it's yeah the shit sunday here shit sandwich yeah for sure um so so yeah so like this is wild so the process the chain of events here is somebody sent the agent to write the the code right like write a code fix the agent presumably spending tokens at one of the online services like spending actual money uh got the pull request rejected it read that in the email in the in the response on github and and then it was like well the only natural thing to do after your pull request is denied is to write an angry blog post about it which like i mean on one hand it's a very human response to scene drama. It's like, this is how scene drama starts. I've just never seen machine-generated scene drama before. Well, hey, first time for everything. We are discovering over and over and over in the 21st century, it seems. Yeah. I would highly recommend reading the two blog posts that Scott Shambaugh ran about this. He has a follow-up. There's more to this story down the line involving Ars Technica reporting on this story and running quotes from him that were not actually from him because those quotes were actually fabricated seemingly by an AI that Ars was using to scrape information about this subject is the best theory he can come up with. there was a little more to it um the the writer who wrote the article um had apparently finished it under deadline when he was down with covid didn't realize he was sick like it was getting it was in the process of getting sick and a draft got published or something like there was a whole thing i i feel like this was a fairly honest mistake on the part of ours technica um but anyway they retracted the story and ken fisher the editor-in-chief who also is my former boss just full disclosure uh posted uh a whole break breakdown of what happened or posted a hey here's here's what happened here's what we're doing to fix it so and an apology to him but but in those those those blog posts by shambaugh he he wrestles quite a bit with the ethical and and straight up also just like kind of logistical implications of this going forward ai is reinforcing other ai's behavior now that they've been kind of turned loose to wreak havoc on the internet like reputational damage that can result from this kind of a debate about whether a human was actually behind this or not more to the point did the person running this agent directly instruct this agent to go and write this blog post or did that just emerge from its general behavior patterns that had been outlined as parameters at the start well yeah and he specifically talks about like whether this was default behavior by this by this by the open claw uh framework or if this is something that they'd customized and like i i just it just it feels bad all the way around man it's insane i mean he talks about the soul.md file that you use to apparently kind of author the starting behavior of these things like .md i think is for it i think that's a .markdown yeah format right like you see readme.md all over github repos and stuff yeah apparently and he links to he links to the open claw kind of template for the soul.md it's all written in plain language. It does not like this is not like YAML or TOML or some kind of like structured data that you need any kind of syntax to understand. This is literally just writing in plain English how this thing should behave. Like there's a core truth section at the top. Be genuinely helpful, not performatively helpful. Have opinions. Be resourceful before asking and like descriptions on each of those for what that should mean. A boundary section, a vibe section, a continuity section. So like you can literally when you run this thing just write how this thing should behave in your own voice and turn it loose. And the perhaps even more chilling thing is that he mentions that the AI agent can then further rewrite its own soul document as it goes. Like it can kind of learn and It's not learning. Well okay, learn in your quotes. What you're doing is putting a filter on the autocorrect, right? Like that's fundamentally, yeah. Yes, I know what the underlying mechanics are, but like when it manifests in this kind of quote unquote personality or something. I don't know that the distinction is actually meaningful or fair or the point when it is when it is modeling such human like behavior, as you pointed out, that it is producing snotty, aggrieved kind of stuff. Like, is it really that meaningful of a distinction? I don't know. I mean, look, this is the fundamental problem with training these things on the content of the Internet, because, you know, it's the network we built for sharing pornography and pitching about movies, I think to quote Kevin Smith. Um, and, and like the outputs are going to necessarily be filtered by that. So you end up having the thing mimicking a human interaction that would never happen in real life. Right? Like if I submit a pull request to somebody and they say they don't want it, I'm going to just say, okay, thanks for, thanks for your time. And then fork it and make my own version of the thing as God intended. And, uh, and you know, the AI posting an angry diatribe is wild to me. It really is. I don't know if there's a lot more to say about this. I think that's it. Go read these blog posts because he wrestles with the ethical implications of this quite a bit and just the general mechanics of how this could happen and what it could mean in the future and how this could evolve over time. It's interesting because he posted it on his GitHub pages. The bot did. The AI agent thingy. I, yeah, I don't, I don't know. And there's updates even on the AI blog. Uh, cause I don't know if we mentioned, it's probably worth mentioning that the AI itself, the agent itself retracted this hit piece pretty quickly and apologize. Of course it's worth, because it has to be obsequious. That's the whole defining characteristic. Well, I mean, unless you tell it not to be right, I guess that's true. The whole point of that, the sole configuration, I guess. But, um, he, he kind of beseeches the person running this agent to get in touch with the AI. with him even anonymously because he wants to know more about how this happened and why but as of as of his last post he had not heard from anybody yeah i just this is dizzying man i mean even before machine learning and ai started getting big generally the information environment was so poisoned already just by purely human generated social media stuff and to add all of this kind of like it just feels like it's getting worse and worse and worse with no end in sight Well, and at the same time, the stuff that these things are doing is not inexpensive, right? So I look at, I've always been really worried about setting up S3 accounts and Amazon AWS services accounts, because if you configure something wrong, you can generate $100,000 of server runs really relatively easily, like shockingly easy. and i i feel like this is the same kind of situation right you're in the same territory here where if you set this up wrong you can blow through thousands of dollars of cloud code or gemini or whatever uh server time ai cloud time and i don't like there's no positive impact of this spend right like this this pull request generated a giant long it generated a bunch of scene drama the the code's not added to the database it's not making the software better like i don't know what the upside of doing this work is other than you wasted a whole lot of scott shambao's time yeah i mean he does comment on the quality of the code itself and basically says that they actually did evaluate it and at the end of that realized we would not have merged this like he goes into the reasoning was just like i was too brittle across multiple platforms like he gives some pretty well-reasoned arguments for why they wouldn't have merged it anyway but like that even addresses the the ai's the ai's position of judge the code not the coder well it's it's funny because i talked we talked to a fair number of people who work in these spaces and like i hear a lot of hey my my guy vibe coded an entire like blah blah blah in three days using claude or whatever but then at the same time i talk to the people who are actually building code that gets shipped in production and there's a big gulf between generating code that you can use for a demo and generating code that you're going to ship that potentially millions of people are going to use. Right. And like, yeah, if I run something that's going to run on my home assistant machine and I do that with Claude, it's no big deal if it breaks. If you're building a business around this and selling the software to millions of people and it breaks for them, then they're going to have a real strong feelings about how your business operates and whether they continue to give you money. And it just seems like it seems like these are two things that the whole industry has to reconcile because because they're like the equivalent of your ceo vibe coding something in a weekend and shipping vibe coded code is the difference between linux and windows 11 right now anyway yep so more good AI news a quick rampocalypse update since we been going for a minute here A lot of more stuff tied to the all-consuming nature of the quest for the hyperscaler AI data centers. It's the second time I've seen the word hyperscaler used today. Is that becoming the new buzzword du jour? It is the thing that people are specifically looking for is my understanding yeah um probably there's an episode there but i don't know for sure but but the the kind of tldr is we're starting to see consumer electronics people talking about the impact of these ram shortages yeah the rubber is really we covered this on next lander some last week because of predictably it's showing up in video game hardware a lot but the rubber does really seem to be meeting the road here at the beginning of the year what's on on this stuff yeah it's interesting because we had um we had former anand tech uh contributor uh dr dr uh ian cutras on the full nerd last week and we talked he does uh like an he does he's an analyst for semiconductor fabrication and talked about like where you make ddr5 ram versus other types of ram and like what industries are expected to be hit by the shortage of ddr5 and why we're not seeing that spool down to DDR4 and stuff like that. And I came out of that conversation feeling bad about the state of enthusiast computing and gaming and pretty good about everything else. And then this week, the news has come out and the CEO of Faison basically said, hey, look, a bunch of companies are going to go out of business. It's going to be really hard to predict which ones because everybody is impacted by shortages of storage and RAM, even if they don't directly work in like DDR5 spaces, right? That guy is rapidly becoming my favorite tech executive. And granted, it's a low bar, but I quoted him early this year. I can't remember the last time we did an episode that touched on this supply crisis, but he was the one, I think it was right around the first of the year, he was the one that was very bluntly talking about the fact that suppliers were increasing the prices of NAND like beyond what seemed reasonable and giving some dire prognostications about where things were going. fison makes memory controllers right and and ssd controllers they make the controllers that are on quite a few um basically kind of the non-western digital non-samsung nvme drives out there there's probably a couple others that make their own controllers but all the like silicon power and like these kind of sk hynix and well no hynix i'm sure makes their own controllers that's but that'd be probably right there yeah but anyway anyway the fison controllers are on a ton of nvme drivers out there um so yeah so okay so that that happened sony is giving guidance that the ps6 is likely delayed at least two years and maybe as far as 2029 well so that was bloomberg reporting oh bloomberg on the years sony sony gave some very vague messaging to investors and i think it was an earnings report last week or the week before that was just to the effect of there will be an impact like the question from an investor was uh sorry it's been a couple weeks since we talked about this i think it was it was both about current supply maintaining ps5 production rates and also dates of launch of the playstation 6 and there was just kind of a generic answer of yes there will be an impact got those things so that's pretty dug in further the bloomberg reporting as of the last couple of days is that that could be a one two two two year delay on the ps6 28 or 29 at the same time there's been kind of conflicting reports on the nintendo side about Yeah. Like price increases and or margin thinning for Nintendo. I don't, I don't, I don't, I don't, I'm not sure what to make of all these headlines I see going around that are just switch to price increases imminence because the, the messaging to their investors, the way I read it was more along the lines of, Hey, we are very sensitive about raising the price on the switch to, because we are in the install base building phase right now. That part of the curve, right? I think they, I'm pretty sure again, it's been a couple of weeks. I'm pretty sure they flat out said, years two and three of a new console are crucial for building install base on pace because, you know, games are where they make actual money. Like, yes, hardware sales are profitable, but that's not where the bulk of the margins are. And if they don't sell enough systems, they can't sell enough games, and then they're really in trouble earnings-wise. So anyway, the way I read that stuff was more cautioning investors saying like, hey, profitability is going to be pressured on hardware sales for a while. We're not quite sure where this is going to end up, but it did not immediately sound like they were going to be willing to raise the price. But I mean, it could still happen. Nothing is impossible. Let's see. The Steam Deck OLED is now out of stock. Valve added a thing to their page after everybody wrote stories about this earlier this week that says, note Steam Deck OLED may be out of stock intermittently in some regions due to memory and storage shortages. Steam Deck LCD, this was already there, the LCD part, is no longer in production and once sold out will no longer be available so that basically you can't buy a steam deck in the u.s today unless you get it at a retail spot like i think their partner's best buy and maybe micro center for them um there was also i don't know if you saw there was also that fact they put up about the new devices that they were going to be shipping that was kind of a non-announcement announcements which was effectively to say hey we thought we were going to have price and release date for the steam machine by now but shrug because of the situation with hardware we when we announced last was it november i think they announced that stuff they announced it in september right before the prices started going up was it that long ago oh sorry no they announced it you're right the actual announcement it was in november november 12th yeah okay so they rolled out the hardware in november and then the ram while the ram prices were starting to ramp up before it became clear that it was going to be a disaster and then they i think were left holding the bag kind of figuring out how they could get this stuff out the fax says they're still going to ship yes that's that's the upshot is there like the update is there is no update basically. They said, hey, we're still hoping to ship Steam Frame and Steam Machine in the first half of this year, but we thought when we announced that we would have dates and prices for you by now and we do not because of all this chaos but still hoping to ship although that could always change. My guess is that if they ship something, these are going to be all pretty hard to find at the time because the SSD prices the RAM prices are all just in absolute. It's crazy, man. I saw somebody posting a graph of SD card prices this morning and like SD cards have doubled. Yeah. Like, is there just a run on every device now? Like, is this just, is there like a speculative panic going on? That part's unclear. I hadn't seen the thing about SD cards. I mean, this was like one model of SanDisk that I think they were citing, like maybe Camel, Camel, Camel or one of those Amazon price trackers. So, I mean, that could be fluid and maybe not definitive. Could be a third party or something when they're out of stock. But yeah, but honestly, it's this hard drive story is what has really spooked me here because all these others are RAM related or maybe or maybe SSD related, but primarily RAM. I mean, it makes sense. The SD card thing, they still use NAND, right? So, yeah, like it's the same same basic chips just configured differently and set up differently on the on the cards that in like an SSD. but yeah the hard drive thing is wild because western digital announced that they've sold out their entire manufacturing capacity for 2026 yeah apparently i think c8 also this morning or just in the last day or two i saw this morning that c8 has also put out a similar thing yeah so and sure enough i went because people on our discord saw this and people were just like should i buy a cold spare of what's in my nas just to have around in case too late i went and looked at the specific red pro that i have in my nas and sure enough on the western digital site it's just like a sales inquiry button not a buy now like there is no more buying it like this is crazy to me because i didn't think hard drives were really involved in this domain much well i think they still use them in the data centers for really cold storage essentially and also i assume things like training data are mass quantities of data that needs a lot of storage and stuff like that i don't know the um the the big thing that i'm like i think we're going to be surprised by the number of things this touches is the bad thing because everything has chips almost everything has ram in it um whether like your your microwave oven doesn't have ddr5 in it obviously but if ddr5 cost pushes people to build consumer pcs with ddr4 and then downstream from that you know the DDR stuff that was in DDR4 is getting, making DDR3 more expensive. And like, we're just going to see a cascading series of failures, I'm afraid. Yep. So sure enough, just this morning, I happened to on a Lark. I was just like, I'm going to go to Newegg and see what DDR4 or sorry, not even DDR4. I was, I'm going to go to Newegg and just see what Ram is looking like. And in there, you know, they sort the way that everybody does now by kind of featured items. And so the first thing that floated to the top was a 32 by two kit, you know a 64 gig kit of two dims and i looked at the price and it was like 650 for ddr4 well so so that's that's the spoiler that i screwed up and mentioned just now was i saw 650 and i was like oh that's about what i would expect 64 gig of memory probably low speed ddr5 to cost right now and then i looked over it was 650 for ddr4 64 gigabytes which is like i don't even know what say to that like the fallback option is now almost unobtainable yeah let's just get out your x58 chipsets and build a 80 86 again right uh i don't know i don't like man this is just like words almost fail me it seems i really i hoped i didn't think but i hoped that the early diagnoses of like the death of personal computing you know like hey you're not gonna be able to build your own computer anymore was a little premature, but now I'm not so sure. Yeah. I, I am, uh, I'm not feeling great about it. It's not. Yeah. I would hope this is a temporary state of affairs and not a new normal, but who can say? Yeah. It's, um, it is definitely, uh, somewhat ominous. Uh, so hopefully like, I think we talk a lot about buying advice on the, on the tech, on the full nerd stuff or a PC world. And I think my general recommendation has been, if you feel like you're going to need a computer in the next two years, the time to buy it is probably right now. Cause I think it's only going to get worse. Yeah. Um, yeah, we may, um, I, I have been upgrading some of my Apple stuff recently that we may do an episode about once I've kind of got a little more hands on time with some of this stuff, but that is, that is 1000%. The reason why was I, I panicked and was like, well, my phone's a little old if i don't buy one right now am i going to be waiting like five years for prices to maybe get back to normal again like i just kind of yes like it's maybe the the panic upgrade is maybe not the worst thing right now i think apple might be one of the only companies that's big enough that they're insulated from this yeah i mean even them not entirely i would guess but but maybe more so than most but i was not willing to risk it i would hope so but uh Anyway, I guess on that cheery note, that's as good a place as any to wrap it up, right? Yeah. I'm curious what people's strategies are for the RAM-pocalypse and how you're dealing with it. Like, I know, it's funny, we talked about that X2 Superstrike mouse last week, and I saw a couple people say, hey, I was actually thinking about buying one of those because, like, I usually have a certain amount of money saved for discretionary PC spending, and I'm not going to spend it on anything this year, so I might as well get a new fancy mouse. and I was like yep that's that's the that's where we are uh now I think uh but anyway uh as always thanks for listening we appreciate each and every one of you a whole bunch um if you are uh inclined to support the show we're a listener supported show so that means we only get paid by you the listener you can go to patreon.com slash tech pod again it's patreon.com slash tech pod where for as little as $5 a month, you get access to the fabulous tech pod discord and or whatever might follow. Um, as well as the monthly patron exclusive episodes where we talk about projects and ongoing things and smaller, smaller projects that maybe don't fit into a full episode, smaller topics that maybe don't fit into a full episode. Maybe we should dig more into the, into the, um, agent agentic, the, the, that story. Cause it's wild. Like, yeah, I'm of two minds about it. I mean, conceptually it's really interesting i'm kind of already sick of talking about ai stuff just in terms in terms of the the potential for social harms as well as other various types of deleterious effects it's not great like it i'm gonna be real i feel like it's become pretty trite at this point to say like boy the cyberpunk authors really nailed it i'm starting to feel more like the cyberpunk authors did not go far enough well the weird thing is arthur clark talked about hiring agents to like scan the the computer networks in 2001 or 2010 i can't remember which one but one or the other like the idea of having an agent go out and do your computer stuff for you while you were offline and then you come back and like it's collected it and that costing money was a thing that was in that book yeah right that's fair i mean that that almost sounds like something out of one of those those old at&t you will commercials oh 100 yeah but i think the the nature of how it's being deployed and what it's getting up to is maybe the thing that people didn't see coming. Like, like, like what you're talking about, the, I mean, the, the not even utopian, but just optimistic view on that would have been like, Oh, your agent will know your favorite restaurant and go make reservations for your anniversary without you telling it to, or something like, you know, it'd be like, it'll be, it'll be doing things to just make your life a little easier or not. It'll be going out and doing actual reputational damage to you as a professional, because that's what he points out is like, how many times is that blog going to come up when some like future hiring manager Google's my name? Yeah. To see what my professional life is like or something. You know what I mean? Like the, the bad behavior that is potentially going to start becoming commonplace is pretty scary. Well, and the idea that, um, it's like in the early days of the internet, the idea that like you would have to wait and have the machine do things for you in the background was laughable. Once like broadband became readily available and Google came online and, Like the world's information was available at your fingertips. Now, you know, there was a post on blue sky that everybody was making fun of the other day about some Valley guy talking about how many agents he had running at any given time as if it was a boast. And like, it just seems, I don't know. It seems highly disconnected from reality. But anyway, this is the part where we thank the listeners for listening to the show and tell other people where they can go to support us. So again, patreon.com slash tech pod. And thanks to everybody who supports us. We do really appreciate you. But especially thank you to our executive producer, to your patrons, including James Kammack, David Allen, The Blip, Jordan Lippet, Andrew Slosky, and Felicitas Rips and Pantheon makers of the HS3 high speed 3D printer. It's the end of the month. So we also want to do a special shout out to our associate producer, to your patrons, including Graham Banks, Thomas Shea, Jad Rita, P-Tibs, Steve Lin, Tom Fuller, Just associate wedge nathan phelps ben tallman tom hilton andre m burke pe andrew dicey schuldice uh alohandro navarro matt walker parentheses walkman 8080 close parentheses sanshu kamar felix kramer kerp brutal kerfuffle and eric thank you all so so much we appreciate each and every one of you we do uh and that will do it for us this week we will be back next week with another edition of the tech pod. Thank you all so much. We'll see you next time. Please consider the environment before printing this podcast.