Discursive Podcast

Each episode of Discursive takes one idea — from open source to FinOps, from AI agents to cloud cost models — and unpacks it through the lens of decades spent building the web, scaling infrastructure, and writing about how technology actually evolves.

Recorded in Seattle, Discursive is a ten-minute conversation about where software has been and where it’s heading — across cloud, FinOps, open source, AI, and the culture that connects them.

Listen on:

  • Apple Podcasts
  • YouTube
  • Podbean App
  • Spotify
  • Amazon Music
  • iHeartRadio
  • PlayerFM
  • Podchaser
  • BoomPlay

Episodes

39 minutes ago

Troy Hunt has processed the largest data breach corpus in Have I Been Pwned's history—nearly 2 billion unique email addresses and 1.3 billion passwords, with 625 million passwords never seen before. This isn't a single breach but rather credential stuffing data that criminals use to attempt logins across the internet. The scale is staggering: 32 million different email domains affected, requiring two weeks on maxed-out Azure infrastructure just to process. If you're reusing passwords anywhere, this is your wake-up call to get a password manager.
Meta just open-sourced Pyrefly, a Python type checker rewritten in Rust that's up to 40x faster than mypy on large codebases. This is what's replacing their OCaml-based Pyre for Instagram's massive Python infrastructure. By leveraging Rust's memory safety and parallelism, Pyrefly can analyze multiple files simultaneously without Python's Global Interpreter Lock—and it's fully compatible with existing type annotations. This represents a paradigm shift for Python at scale, making the language viable for even larger enterprise applications.
After more than 200 years of weather predictions and folksy wisdom, the Farmers' Almanac announced it's closing. The 2026 edition will be their last. While scientific studies have shown their long-range forecasts perform no better than random chance, the Almanac endured as a cultural institution for its planting calendars, fishing tables, and comforting rituals.
We also cover AMD's confirmation of a critical vulnerability in all Zen 5 processors affecting the RDSEED cryptographic random number generator, and Nvidia's B300 Blackwell platform delivering 144 petaflops of FP4 performance with 11x faster LLM inference than the previous generation—making massive AI models practically deployable at scale.
Links
Featured Stories
Two Billion Email Addresses Were Exposed
Meta Releases Pyrefly Python Type Checker
A Fond Farewell from Farmers' Almanac
Critical Updates
AMD Zen 5 Critical Cryptography Vulnerability
Nvidia B300 Blackwell Platform - 144 PFLOPS FP4
Other News
OpenAI Expands Sora to Android
Red Hat EU Sovereign Support

21 hours ago

Developer workstations have become treasure chests of credentials—API keys, database passwords, cloud tokens, SSH keys—essentially the keys to the kingdom. This episode examines why developers have become the softest target in the security landscape, with surveys showing 86% of developers don't prioritize security when writing code, and nearly one-third are unfamiliar with secure coding practices. The consequences are stark: in 2023 alone, 8 million public GitHub commits exposed at least one secret.
We dramatize the operations of two recent worms that have exploited this vulnerability. ShaiHulud, discovered in September 2025, was the first known self-replicating worm in the npm ecosystem to harvest developer credentials and automatically infect hundreds of packages. PhantomRaven followed in August-October 2025, flooding npm with 126 malicious packages that collected over 86,000 downloads by impersonating legitimate projects and exploiting AI-generated package-name "hallucinations."
The episode concludes with actionable security steps every developer must take: purging secrets from local files, implementing strong authentication, keeping tools up to date, securing CI/CD pipelines, and embracing a security-first mindset. We also explore practical tools, such as 1Password's CLI integration, that can inject secrets at runtime without storing them on disk.
In tech news, we cover a critical VMware vulnerability (CVE-2025-41244) being actively exploited to compromise U.S. government systems, requiring patches by November 20th. We explore timing wheels, the elegant O(1) algorithm that enables systems like Kafka and Linux to handle millions of timers efficiently. And in our weird bucket, we share the tale of an engineer who modded their bricked smart vacuum with Python scripts after the manufacturer killed it for blocking data collection—a perfect encapsulation of our dystopian relationship with IoT devices.
Links
Main segment
ShaiHulud npm supply-chain attack - Palo Alto Networks
Defending against ShaiHulud - AWS Security Blog
PhantomRaven malware analysis - Koi Security
126 npm packages stealing developer tokens - The Hacker News
1Password CLI secret references
GitGuardian State of Secrets Sprawl 2024
LastPass breach via unpatched Plex - The Hacker News
News
VMware Zero-Day Vulnerability Actively Exploited
How Timing Wheels Solved the 10-Million-Timer Problem
Vacuum Bricked After User Blocks Data Collection
Mozilla Ends Japanese Community Support
Apple and Goldman Sachs Ending Credit Card Partnership
Microsoft Invests $4.5 Billion in UK Data Centers
FTC Fines Amazon $30 Million for Alexa Privacy Violations

2 days ago

Git fundamentally transformed software development, enabling the open-source explosion we've witnessed over the past two decades. But as we approach Git's 20th birthday, it's worth examining where this beloved tool shows its age. Today's main segment digs into three key areas of discontent: Git's well-documented struggles with massive monorepos (forcing Facebook to switch to Mercurial and Microsoft to develop GVFS), the paradox of a decentralized tool creating unprecedented centralization around GitHub, and the current state of alternatives like Subversion and Mercurial.
The monorepo challenge is particularly revealing—when Facebook's engineers approached Git maintainers about scaling issues in 2012, they were told their repository was "too huge" and to split it up. This dismissive response led Facebook to migrate their entire codebase to Mercurial, while Microsoft took a different approach, engineering solutions like GVFS to make Git handle the 300GB Windows repository. These extreme cases expose Git's architectural assumptions and remind us that even dominant tools have their limits.
In today's news, we cover a critical React Native CLI vulnerability (CVE-2025-11953) that scores 9.8/10 on severity—exposing developer machines to remote command execution through the Metro development server. The vulnerability affects versions 4.8.0 through 20.0.0-alpha.2, with millions of weekly downloads at risk.
We also explore a fascinating paradigm shift: WebAssembly support has been added to the Linux kernel, enabling an entire operating system to run in virtual, portable environments. This isn't about web browsers—it's about running Linux itself on WebAssembly, complete with BusyBox in a browser. The technical achievement required working around WebAssembly's lack of MMU and interrupt mechanisms, showcasing remarkable engineering creativity.
Finally, our weird science story features a genetic mutation in the LRP5 gene that gives some people bones up to 8 times denser than normal—making them virtually unbreakable but unable to swim. This real-life superpower has pharmaceutical companies racing to understand the mutation for osteoporosis treatments, while affected individuals must avoid deep water at all costs.
Links
Main segment
The Fork-It-and-Forget Decade - Tim O'Brien on Medium
Why Facebook Doesn't Use Git - Graphite.dev Blog
Announcing GVFS (Git Virtual File System) - Microsoft Azure DevOps Blog
On Centralized Development Forges - Ariadne's Space Blog
Apache Subversion 1.14.5 Released
Mercurial 7.0 Released
News
Critical React Native CLI Vulnerability Exposes Millions of Developer Machines
WebAssembly Support Added to Linux Kernel
Genetic Mutation Makes People's Bones 8x Denser
Microsoft Discovers SesameOp Backdoor Using OpenAI API
Shift Technology AI Models Stolen in Insider Breach
YouTube Announces Voluntary Exit Program for US Staff
Norway Wealth Fund Votes Against Musk's $1T Pay Package

3 days ago

Modern aviation has a counterintuitive rule: keep the autopilot engaged during turbulence. After analyzing millions of flights, Airbus found that pilots who disconnect autopilot often make things worse through overcorrection and startle response. The machine, monitoring 88+ parameters simultaneously, handles the chaos better than human instinct. This aviation philosophy offers crucial lessons as programmers grapple with their own copilots—AI coding assistants that require us to shift from doing everything ourselves to managing intelligent systems.
The episode explores how FlightAware transforms thousands of data points per second into their famous "Misery Map," showing real-time airport delays across the US. This fascinating company has built a technical marvel, fusing FAA feeds, airline data, and 30,000 crowdsourced ground stations to track every flight globally. Their engineering blog details the sophisticated vector-based mapping and data tiling systems that make this possible, showcasing how complex aviation data becomes accessible visual information.
In air traffic control, AI adoption faces fierce resistance—and for good reason. Unlike cockpit automation that's had decades to prove itself, ATC remains fundamentally human-driven. While systems like Heathrow's AIMEE handle routine clearances and new tools help with conflict detection, the consensus is clear: AI augments but doesn't replace human controllers. As one expert noted, it takes years to develop the instinct for managing airspace, something AI can't simply replicate.
Today's news highlights include a shocking case of cybersecurity professionals using their insider access to deploy ransomware—the ultimate trust betrayal. On the creative side, LayoutitStudio's CSS-only terrain generator proves that web styling languages can create complex 3D worlds without JavaScript. And in a haunting discovery, scientists accidentally recorded the first dying human brain, revealing gamma waves suggesting memory replay in our final moments.
Links
Main segment
FlightAware Engineering Blog - The fascinating technical details behind the company's aviation data infrastructure
Airbus Safety Magazine on Autopilot in Turbulence
FlightAware Misery Map
FAA AI Safety Assurance Research
News
US Traces Ransomware Attacks to 2 People Working for Cybersecurity Firms
A CSS-Only Terrain Generator
First recording of a dying human brain shows waves similar to memory flashbacks
X is silently opening tweet links in webviews
Aisuru botnet shifts from DDoS to residential proxies
OpenAI and AWS sign $38 billion cloud deal

5 days ago

The October 2025 AWS outage in us-east-1 was a 15-hour preview of life without the cloud. When a DNS resolution failure cascaded through DynamoDB, it didn't just take down websites – it disrupted daily life in unexpected ways. From Starbucks' mobile ordering to smart mattresses stuck at the wrong temperature, the outage revealed how deeply cloud infrastructure has woven itself into the fabric of modern existence. As David Heinemeier Hansson noted, this centralization "is just an insult to DARPA's design" of a resilient, distributed internet.
But what if the next regional failure is caused not by a software bug but by a half-megaton explosion in the sky? The 2013 Chelyabinsk meteor – which injured 1,500 people and damaged 7,200 buildings with its 500-kiloton airburst – offers a sobering case study. This 20-meter asteroid approached Earth undetected and exploded with the force of 25-30 Hiroshima bombs. The mathematical risk analysis reveals an uncomfortable truth: while the odds of such an event hitting Reston or San Jose specifically are about 1 in 160,000-235,000 over 20 years, when you consider the top 100 data center hubs globally, the risk climbs to roughly 1 in 3,100-4,700.
The episode examines what would happen if a Chelyabinsk-scale event struck "Data Center Alley" in Northern Virginia, home to AWS us-east-1 and Azure US East, and the densest concentration of data centers on Earth. Beyond broken windows and power outages, such an event would simultaneously affect multiple availability zones—the exact scenario that multi-AZ architecture cannot handle. As the podcast emphasizes: "multi-AZ ≠ multi-region."
Drawing from historical precedent (including the 1908 Tunguska event that flattened 2,150 square kilometers of forest) and personal experiences with early warning signs, the episode argues for embracing "productive paranoia" in infrastructure planning. The key insight: while we can't prevent cosmic events, we can control our preparedness through geographic distribution, rigorous backup procedures, and – critically – ensuring our human teams are as geographically distributed as our data.
Links
Main segment
Chelyabinsk meteor — Wikipedia: https://en.wikipedia.org/wiki/Chelyabinsk_meteor
Tunguska event — Wikipedia: https://en.wikipedia.org/wiki/Tunguska_event
Brown et al., Nature (2013) – Chelyabinsk airburst analysis: https://www.nature.com/articles/nature12741
Popova et al., Science (2013) – Damage and injury patterns: https://www.science.org/doi/10.1126/science.1242642
NASA Planetary Defense Coordination Office (PDCO): https://www.nasa.gov/planetarydefense/
Center for Near-Earth Object Studies (CNEOS) at JPL: https://cneos.jpl.nasa.gov/
Sentry: Earth Impact Monitoring System: https://cneos.jpl.nasa.gov/sentry/
NASA NEO Surveyor Mission: https://www.jpl.nasa.gov/missions/neo-surveyor
DART Mission (Double Asteroid Redirection Test): https://www.nasa.gov/dart
AWS Service Health Dashboard: https://health.aws.amazon.com/health/status
DHH on Cloud Centralization (37signals): https://world.hey.com/dhh
Lex Fridman Podcast #474 — DHH transcript: https://lexfridman.com/dhh-david-heinemeier-hansson-transcript/
ThousandEyes — "AWS Outage Analysis: October 20, 2025": https://www.thousandeyes.com/blog/aws-outage-analysis-october-20-2025
UN-Habitat (2020) – World Cities Report: https://unhabitat.org/World-Cities-Report-2020
News
Physics Today – Chelyabinsk ground track analysis: https://physicstoday.scitation.org/do/10.1063/PT.5.0285/full/
New Yorker — "A Meteor in the Russian Sky": https://www.newyorker.com/news/news-desk/a-meteor-in-the-russian-sky
Reuters — "Amazon says AWS cloud service back to normal after outage disrupts businesses worldwide": https://www.reuters.com/business/retail-consumer/amazons-cloud-unit-reports-outage-several-websites-down-2025-10-20/
The Guardian — "Amazon reveals cause of AWS outage that took everything from banks to smart beds offline": https://www.theguardian.com/technology/2025/oct/24/amazon-reveals-cause-of-aws-outage

5 days ago

The main segment explores a milestone for the web platform: the Glasgow Haskell Compiler (GHC) now runs entirely in modern browsers via WebAssembly (Wasm). Developers can write, compile, and run Haskell without any local setup, lowering the barrier to entry for education and experimentation. Wasm provides a portable, memory‑safe execution sandbox that delivers near‑native performance across browsers and other runtimes.
Technically, this is significant: GHC’s sizeable runtime—supporting lazy evaluation, type inference, and rich language features—has been adapted to the browser’s security model, addressing memory management and FFI constraints. The result is a practical path to trying advanced functional programming in a tab, with implications for teaching, demos, and potentially web apps that benefit from strong static types.
In security, researchers describe “HeisenTrojans,” a class of attacks targeting Electronic Design Automation (EDA) tools rather than finished hardware. They report exploitable vulnerabilities in 83% of examined tools—covering buffer overflows, command injection, and memory corruption—raising the risk of silent netlist edits or backdoors during synthesis and layout. Because sign‑off checks validate geometry and timing rather than intent, such manipulations can evade traditional verification.
Finally, new cosmology results from DESI and the Union3 supernova catalog indicate a 4.2‑sigma deviation from the standard ΛCDM model, consistent with dark energy’s strength changing over time. If confirmed, this would prompt a significant re‑evaluation of the universe’s expansion history and long‑term fate, with scenarios ranging from slower expansion to eventual contraction.
Links
Main segment
GHC Now Runs in the Browser
MDN Web Docs: WebAssembly
GHC WebAssembly Documentation
Haskell.org: GHC
News
Security: HeisenTrojans - 83% of Hardware Design Tools Have Exploitable Bugs
Programming: GHC Now Runs in the Browser
Weird: Is Dark Energy Getting Weaker?
Background: Introduction to VHDL (Nandland)
FCC to Rescind Ruling Requiring ISPs to Secure Networks
Ubuntu 26.04 Will Use Rust for Core Linux Utilities
MIT Physicists Find New Way to See Inside Atoms

6 days ago

TORCHLIGHT, a research tool presented at USENIX Security 2025, discovered 29 zero-day exploits affecting 12.71 million IoT devices hidden on the Tor network by analyzing 26 terabytes of traffic over twelve months. These aren't just smart fridges—they're industrial controllers, security cameras, and network equipment controlling critical infrastructure, now potentially compromised by untraceable attackers.

The programming language Frink treats units of measurement as first-class citizens in its type system, preventing the kind of unit conversion error that destroyed NASA's Mars Climate Orbiter in 1999. Created by Alan Eliasen in 2001, it's been quietly used by engineers for over 20 years when precise unit tracking is critical.

The Vera C. Rubin Observatory in Chile activated the world's largest digital camera (3,200 megapixels), discovering over 2,000 new asteroids in just its first 10 hours of operation—representing only 0.05% of its goal to map 20 billion galaxies.
This week's episodes covered substantial ground in technical territory. We explored how open source evolved through distinct decades, culminating in the argument that Git fundamentally changed power dynamics by making forking trivial. We examined the legal complexity developers face with generative AI tools, including the gray areas around feeding output from one model into another. The passionate defense of code longevity challenged "rewrite culture," using examples of 1970s Fortran code still running today because it was validated and works. Dijkstra's 1972 Turing Award lecture proved eerily prescient about 2025 AI anxiety, predicting that better tools just let us tackle harder problems. The FinOps deep dive explained why utilization reports without context are useless—sometimes low utilization is a feature, not a bug. And the week ended with a nuanced take on DHH's cloud exodus, defending his decision while outlining the crucial complications most teams must consider.
Additional stories include Apple being found guilty of App Store dominance abuse in the UK, Myanmar's military shutting down a massive online scam operation seizing Starlink terminals, and California State University partnering with Amazon, OpenAI, and Nvidia to become America's "first AI-empowered university." The common thread throughout the week: technology decisions rarely have simple answers.
Links
Main segment
Ken White's Serious Trouble Podcast - Referenced as an example of accessible expert content outside one's specialty
Mike Loukides / O'Reilly Radar - Has been linking to related Medium stories
News
TORCHLIGHT Exposes 29 Zero-Day Exploits in 12 Million IoT Devices
Frink - A Programming Language for Physical Calculations
Frink Documentation
Frink Sample Calculations
World's Largest Camera Finds 2,000 Asteroids in First 10 Hours
Apple Found to Have Abused App Store Dominance in UK
Myanmar Military Shuts Down Major Online Scam Operation
Cal State Partners with Tech Giants for AI Integration

Friday Oct 31, 2025

DHH's decision to move Basecamp and HEY out of the public cloud sparked intense debate in the tech community. Still, as someone who interviewed him back in 2008 (which ended with us literally running from Chicago police over a filming permit), I respect his position: real numbers and real success back his argument. For mature applications with predictable loads and strong ops talent, owning infrastructure can absolutely make economic sense. But there's a lot more to this calculation than hardware versus EC2 pricing.
The public cloud bill that feels punishing is actually a feature you need to exploit. It forces immediate architectural decisions—why store 3 years of debug logs? Why run dev environments 24/7? That monthly invoice is a diagnostic tool that keeps waste visible. In private infrastructure, that pressure evaporates. Spend becomes sunk CapEx that feels "free" until you run out of capacity—and then you can't just spin up new instances.
Security is where the conversation gets serious. Hyperscalers handle thousands of quiet tasks—microcode patches, live VM migrations off suspect hosts, hardware attestation, cross-region controls. With vulnerabilities like TEE.fail affecting trusted execution environments across AMD, Intel, and Nvidia, you need an information security team plugged into a much larger community of experts. Your colo facility won't have hundreds of people thinking about physical security, side-channel attacks, and supply chain risks.
Then there's risk transfer. I learned this firsthand when lightning struck my search engine business in 1997, destroying both the central systems and the backups. Since then, I've seen unpredictable events in every role—multiple disk failures, backhoes cutting fiber, supply chain shocks that made SSDs scarce for months. Remember the Chelyabinsk meteor in 2013 that caused widespread infrastructure damage? Black Swan events happen on decade timelines, and one event can nullify years of savings.
We also cover today's tech news: NPM's "PhantomRaven" attack targeting AI-suggested packages, UV's promise to unify Python tooling with Rust-powered speed, and why 987654321/123456789 equals almost exactly 8.
Links
Main segment
Why We're Leaving the Cloud - DHH
TEE.fail Vulnerability Disclosure
Chelyabinsk Meteor Event Documentation
News
NPM flooded with malicious packages downloaded more than 86,000 times
PhantomRaven NPM malware analysis by Koi
UV is the best thing to happen to the Python ecosystem in a decade
UV GitHub Repository
UV Official Documentation
987654321 / 123456789
Character.AI to Bar Children Under 18 From Using Its Chatbots
GM Will Cut 1,750 Jobs in Electric Vehicle Business
Microsoft Increases Investments Amid A.I. Race
Alphabet Revenue Jumps 16% With Strong Cloud Sales

Thursday Oct 30, 2025

In the main segment, Tim unpacks the deceptive nature of utilization reports that FinOps teams rely on to identify "waste" in infrastructure. While industry statistics show servers running at shockingly low utilization rates—often 12-50%—Tim argues that acting on these numbers without context is like "performing surgery with a chainsaw." He explores how CPU utilization percentages are fundamentally misleading with modern processors, why databases legitimately need low utilization for disaster recovery and peak loads, and how operational realities like global teams, inherited systems, and technical debt create legitimate reasons for apparent over-provisioning.
The news segment covers significant security and policy developments: researchers demonstrate TEE.fail, a new physical attack that defeats trusted execution environments from Nvidia, AMD, and Intel using under $1,000 in equipment. The Python Software Foundation rejected a $1.5 million NSF security grant rather than comply with new anti-DEI requirements, highlighting how political decisions now directly affect open-source development. Plus coverage of Nvidia hitting a $5 trillion valuation, Amazon's 14,000-person layoffs targeting multiple departments, and analysis of OneUptime's bare-metal migration claiming $1.2M in annual savings.
Tim emphasizes that good FinOps requires understanding the full picture—technical constraints, business requirements, and human factors—rather than simply optimizing utilization metrics. The episode concludes that sustainable cost management comes from partnering with teams and recognizing that some "inefficiency" is actually necessary insurance for reliable operations.
Links
Main segment
Tim O'Brien: "FinOps and Utilization Reports: It's More Complicated Than That"
Brendan Gregg: "CPU Utilization is Wrong"
Brendan Gregg: Systems Performance Book
Brendan Gregg: The USE Method
Gartner: "How to Make the Data Center Eco-Friendly"
Uptime Institute: Enterprise data center utilization studies
WifiTalents: Server Statistics and Industry Reports
David Kopp: Server Utilization Research Notes
News
FinOps: AWS to Bare Metal Two Years Later
Security: New physical attacks are quickly diluting secure enclave defenses from Nvidia, AMD, and Intel
Programming: Python plan to boost software security foiled by Trump admin's anti-DEI rules
Weird: Man accidentally gets a leech up his nose. It took 20 days to figure it out.
Nvidia hits record $5 trillion mark as CEO dismisses AI bubble concerns
Amazon plans to lay off approximately 14,000 employees

Wednesday Oct 29, 2025

In the main segment, we unpack “The Humble Programmer” (1972) and why it still reads like a briefing for 2025. Dijkstra’s claim that “programming will remain very difficult” lands squarely in the age of AI code generation: as tools remove circumstantial cumbersomeness, our ambitions expand and the problems get harder. We connect his call to “prepare ourselves for the shock” with today’s anxieties about what changes (tooling, surface syntax) versus what persists (the intellectual work of modeling complex systems, making tradeoffs, and ensuring software actually works).
We also look at the economic and perception cycles Dijkstra flagged—how developers oscillate between being overpraised and undervalued—and argue for humility plus discipline over curmudgeonly fatalism. The takeaway: better tools don’t trivialize programming; they raise the ceiling on what we attempt.
Then in the news roundup: (1) Chrome will warn by default on first‑time HTTP navigations, effectively finishing the move to HTTPS‑everywhere; (2) Apache Fory Rust promises zero‑copy, cross‑language, high‑throughput serialization; and (3) Samsung makes idle‑screen ads official on high‑end smart fridges.
Links
Main segment
Original blog post: 53 Years Later, The Humble Programmer Still Explains Our Existential Panic
E. W. Dijkstra — The Humble Programmer (EWD340), PDF
E. W. Dijkstra — The Humble Programmer (EWD340), HTML transcription
Edsger W. Dijkstra — Wikipedia
“Go To Statement Considered Harmful” — DOI
Dijkstra's algorithm — Wikipedia
Structured programming — Wikipedia
ALGOL — Wikipedia
Fortran — Wikipedia
Lisp (programming language) — Wikipedia
News
Chrome to warn on unencrypted HTTP by default
Introducing Apache Fory Rust: A Versatile Serialization Framework for the Modern Age
Samsung makes ads on $3,499 smart fridges official

Copyright 2025 All rights reserved.
