AI is Breaking Two Vulnerability Cultures

A week ago the Copy Fail vulnerability came out, and Hyunwoo Kim immediately realized that the fixes were insufficient, sharing a patch the same day. In doing this he followed standard procedure for Linux, especially within networking: share the security impact with a closed list of Linux security engineers, while fixing the bug quietly and efficiently in the open. His goal was that with only the raw fix public, the knowledge that a serious vulnerability existed could be "embargoed": the people in a position to address it know, but they've agreed not to say anything for a few days.

Someone else noticed the change, however, realized the security implications, and shared it publicly. Since it was now out, the embargo was deemed over, and we can now see the full details.

It's interesting to see the tension here between two different approaches to vulnerabilities, and think about how this is likely to change with AI acceleration.

Alarming Scheduling

Each morning I look over my work calendar and make a series of verbal requests:

Set a timer for 9:59
Set a timer for 10:59
Set a timer for 11:29
Set a timer for 1:29
Set a timer for 2:29

Why?

  • I do not want to miss any meetings.
  • I will miss occasional meetings if I'm not notified.
  • I want to keep my phone on silent.
  • I don't reliably notice my phone vibrating.
  • While I do notice a smartwatch vibrating, I can't wear one.

Against In-Duct UV

When I pitch people on far-UVC they often ask about in-duct UV. How about putting UV inside your HVAC ducts, where you can safely blast the air with cheap toxic wavelengths? Unfortunately, it's rarely a good approach.

The biggest issue is that most people don't have ducts. They're common in the US, though less so in older construction (radiators) or newer (mini-splits). Outside the US (and Canada, and Australia), however, ducted systems are mostly limited to large modern office buildings. Worldwide, maybe one in ten indoor hours are spent in ducted spaces. [1]

Let Kids Keep More Productivity Gains

While I was traveling Julia asked me: why is Anna saying her fiddle practice is only two minutes? In this case, two minutes was the right amount of time!

Anna (10y) and I had been fighting a lot about practice. She'd complain, slump, stop repeatedly to make adjustments, and generally be miserable. I'd often have to pull out "if you want to keep taking fiddle lessons you have to practice": she loves her teacher and is very motivated by the prospect of being good at fiddle. Still, it would take us ages and we'd barely get through anything.

One evening when she seemed like she might be open to it I explained that we were spending twenty painful minutes on two minutes of material. I challenged her: if she focused, and went through with no fussing, we'd be done in two minutes. It did turn out to be the right time for this message, she gave it a good try, and (with a little fussing in the middle) we were done in three minutes.

Contra Binder on far-UVC and filtration

Damon Binder recently wrote up an argument for prioritizing air filtration over far-UVC for pathogen control:

UVC and filtration are close substitutes—both deliver effective air changes per hour, both reduce airborne pathogen concentrations by the same amount per eACH—and on current pricing, filtration is cheaper.

There's a lot of good stuff in his analysis, but I see [1] three considerations that really change the bottom line:

  1. Cost is actually much lower.
  2. Noise is a serious issue.
  3. Performance is dramatically higher in larger rooms.

Contra Events Pairing Callers By Age?

A friend observed a pattern where contra dance events seem to be pairing older and younger callers. I looked over my notes for two-caller events in 2025 and saw [1]:

  • Two older callers: 33 events
  • One of each: 30 events
  • Two younger callers: 4 events

Seems pretty clear evidence of pairing, no? But this actually turns out to be what you'd expect to see if organizers ignored age.
