I like sharing my location with my pocket friends sometimes. If I'm in a cool bar that they know, perhaps they can recommend a drink. If they live nearby, maybe they want to come for dinner. Not everyone has FourSquare's SwarmApp, so it is handy to automatically share its updates with other people.

Of course, Swarm doesn't cross-post to social media because walled-gardens are the most profitable. This is my attempt to open it back up again.

Here's what they look like on BlueSky and Mastodon:

Checked in to Hamburger Fischmarkt, Große Elbstr. 9 (Fischmarkt), Germany Probably a *bit* early for a breakfast beer. See on Swarm

[image or embed]

— Terence Eden (@edent.tel) 24 May 2026 at 07:45

Post by @Edent@mastodon.social

View on Mastodon

tl;dr

You can get the SwarmToSocial code from my GitLab.

At the moment, developers get 10,000 API calls for free each month. That's probably more than enough for most personal uses.

Documentation

I was pleasantly surprised that FourSquare's CheckIn documentation was fairly easy to use and understand.

Once you've signed up for a developer account you can create an OAuth app. That will generate a Client ID (ABC123), Client Secret (XYZ789), and you supply a Project URL.

Once done you can follow the Authentication documentation. Or just visit:

https://foursquare.com/oauth2/authenticate?
   client_id=ABC123
  &response_type=code
  &redirect_uri=https://example.com/

Sign in with your FourSquare account. It will redirect you to:

https://example.com/?code=456QWE

Use that code to construct the final URl:

https://foursquare.com/oauth2/access_token?
   client_id=ABC123
  &client_secret=XYZ789
  &grant_type=authorization_code
  &redirect_uri=http://example.com/
  &code=456QWE

That will respond with the Access Token:

{
   "access_token":"asdfghjkl123456"
}

Hurrah! Posting a new checkin is relatively simple. POST to this URl with a header of accept: application/json

https://api.foursquare.com/v2/checkins/add?
   v=20260223
  &venueId=13600425
  &shout=This%20is%20a%20test
  &oauth_token=asdfghjkl123456

• v is, rather confusingly, a date. The versioning documentation has more details but, basically, set it to the date you deployed your app.
• venuId you'll need to find yourself (more on that later).
• shout is up to 140 characters (!) of URl encoded text.

That will send back rather a lot of JSON. Here are the important bits:

{
  "meta": {
    "code": 200,
    "requestId": "123456789"
  },
  "response": {
    "checkin": {
      "id": "987654321",
      "createdAt": 1771843820,
      "type": "checkin",
      "visibility": "closeFriends",
      "shout": "This is a test of the API",
      "timeZoneOffset": -300,
      "editableUntil": 1771930220000,
      "user": {
        "id": "56367",
        "firstName": "Terence",
        "lastName": "Eden",
        "relationship": "self",
        "displayName": "Terence Eden"
      },
      "venue": {
        "id": "QWERTYUIOP",
        "name": "My Birthday Party!",
        "contact": {},
        "location": {
          "isFuzzed": true,
          "lat": 39.123456789,
          "lng": -84.987654321,
          "cc": "US",
          "city": "Cincinnati",
          "state": "KY",
          "country": "United States",
          "formattedAddress": [
            "Cincinnati, KY",
            "United States"
          ]
        }
      },
      "checkinShortUrl": "https://swarmapp.com/user/56367/checkin/987654321?s=wRZ7ByNfCW1DNrOIpsRcytPZelE"
    }
  }
}

For my purposes, the shout and checkinShortUrl are the most important. You can view a sample check in:

https://swarmapp.com/user/56367/checkin/699c34b55bad6b7fb1695544?s=LA7jCaAtH-s9CwSpgQrQdHrP5-8

Venue ID

If you're already using a service like Untappd you might be able to get the venue ID from that.

If not, FourSquare provides 100 million points of interest for free - although with questionable data quality.

Alternatively, you can search by location:

curl --request GET \
     --url 'https://places-api.foursquare.com/places/search?ll=51.123%2C0.123&radius=1000&sort=POPULARITY' \
     --header 'X-Places-Api-Version: 2025-06-17' \
     --header 'accept: application/json' \
     --header 'authorization: Bearer ABC123'

As far as I can see, the Bearer Token only exists on the documentation page. I couldn't find it in my developer console. Weird!

That gets you back:

{
  "results": [
    {
      "fsq_place_id": "4be584ed2457a593ad8cab15",
      "latitude": 51.11783041264215,
      "longitude": 0.11219274871133413,
      "categories": [
        {
          "fsq_category_id": "4bf58dd8d48988d1fa941735",
          "name": "Farmers Market",
          "short_name": "Farmers Market",
          "plural_name": "Farmers Markets",
          "icon": {
            "prefix": "https://ss3.4sqi.net/img/categories_v2/shops/food_farmersmarket_",
            "suffix": ".png"
          }
        }
      ],
      "date_created": "2010-05-08",
      "date_refreshed": "2025-11-01",
      "distance": 970,
      "extended_location": {},
      "link": "/places/4be584ed2457a593ad8cab15",
      "location": {
        "address": "",
        "locality": "Hartfield",
        "region": "East Sussex",
        "postcode": "",
        "admin_region": "England",
        "country": "GB",
        "formatted_address": "Hartfield, East Sussex"
      },
      "name": "Perryhill Farm Shop",
      "placemaker_url": "https://foursquare.com/placemakers/review-place/4be584ed2457a593ad8cab15",
      "related_places": {},
      "social_media": {
        "twitter": ""
      },
      "tel": "",
      "website": "http://www.perryhillorchards.co.uk/index.php?sec=4"
    },
    {
      "fsq_place_id": "8896f77565e54a658585301d",
      "latitude": 51.11649,
      "longitude": 0.13131,
      "categories": [],
      "date_created": "2021-12-06",
      "date_refreshed": "2021-12-06",
      "distance": 909,
      "extended_location": {},
      "link": "/places/8896f77565e54a658585301d",
      "location": {
        "address": "Priory Park, Beech Green Lane",
        "locality": "Withyham",
        "region": "East Sussex",
        "postcode": "TN7 4DB",
        "admin_region": "England",
        "post_town": "Hartfield",
        "country": "GB",
        "formatted_address": "Priory Park, Beech Green Lane, Withyham, East Sussex, TN7 4DB"
      },
      "name": "Spectra Studios",
      "placemaker_url": "https://foursquare.com/placemakers/review-place/8896f77565e54a658585301d",
      "related_places": {},
      "social_media": {},
      "tel": "01892 487149"
    },
  ],
  "context": {
    "geo_bounds": {
      "circle": {
        "center": {
          "latitude": 51.123,
          "longitude": 0.1234
        },
        "radius": 1000
      }
    }
  }
}

You can manually check a place using the Placemaker site: https://foursquare.com/placemakers/review-place/64eca80f0398c97ab52298ec

Getting Existing Checkins

What if you've checked in to a place using the official Swarm app? How do you get your own recent checkin data?

Again, there is documentation on getting user checkins.

curl --request GET \
     --url 'https://api.foursquare.com/v2/users/self/checkins?v=20260223&limit=2&offset=0&oauth_token=asdfghjkl123456' \
     --header 'accept: application/json'

Where it says oauth_token it actually means the access_token.

The JSON that is returned is a bit verbose, so I've simplified it here:

{
  "meta": {
    "code": 200,
    "requestId": "699c6505b488565a31e315e3"
  },
  "response": {
    "checkins": {
      "count": 2344,
      "items": [
        {
          "id": "699c34b55bad6b7fb1695544",
          "createdAt": 1771844789,
          "type": "checkin",
          "visibility": "closeFriends",
          "entities": [],
          "shout": "Testing the API using an Untappd FourSquare ID.",
          "timeZoneOffset": 0,
          "editableUntil": 1771931189000,
          "venue": {
            "id": "64eca80f0398c97ab52298ec",
            "name": "Abbey Wood Fossil Pit",
            "contact": {},
            "location": {
              "lat": 51.487514,
              "lng": 0.13048041,
              "postalCode": "SE2 0AX",
              "cc": "GB",
              "country": "United Kingdom",
              "formattedAddress": [
                "SE2 0AX"
              ]
            },
            "createdAt": 1693231119
          },
        },

Annoyingly, there's no checkinShortUrl which means it can't easily be shared.

For that, you'll need to use the get-checkin-details API:

curl --request GET \
     --url 'https://api.foursquare.com/v2/checkins/699c34b55bad6b7fb1695544?v=20250202&oauth_token=asdfghjkl123456' \
     --header 'accept: application/json'

Which will return this (truncated for brevity):

{
  "meta": {
    "code": 200,
    "requestId": "699c67de5f5c0a0e8ab234db"
  },
  "response": {
    "checkin": {
      "id": "699c34b55bad6b7fb1695544",
      "createdAt": 1771844789,
      "type": "checkin",
      "shout": "Testing the API using an Untappd FourSquare ID.",
      "timeZoneOffset": 0,
      "checkinShortUrl": "https://swarmapp.com/user/56367/checkin/699c34b55bad6b7fb1695544?s=LA7jCaAtH-s9CwSpgQrQdHrP5-8",

Photos

If there's a photo with the checkin, it will be return in the JSON like this:

{
  "response": {
    "checkin": {
      "photos": {
        "count": 1,
        "items": [
          {
            "id": "699f3a9f96799c05c0f16c9c",
            "createdAt": 1772042911,
            "prefix": "https://fastly.4sqi.net/img/general/",
            "suffix": "/56367_5VYox4Y-hs66wURVsYc1NLgOokfwBfcWhtKQrOlMdD8.jpg",
            "width": 1008,
            "height": 1344,

The URl for the image is prefix width x height suffix - in this case https://fastly.4sqi.net/img/general/1008x1344/56367_5VYox4Y-hs66wURVsYc1NLgOokfwBfcWhtKQrOlMdD8.jpg

You can adjust the width and height if you want a thumbnail or some other resolution.

If there's no photo, the count will be 0.

Putting it all together

Every 15 minutes, the SwarmToSocial code does the following:

1. Get the most recent checkin.
2. Read a local file to get the previously seen checkin ID.
3. If the checkin ID hasn't been seen before:
   1. Get the checkin details.
   2. Get the photo if it exists
   3. Post the checkin (plus photo) to Mastodon & BlueSky.
   4. Save the checkin ID to a file.

Enjoy!

In 2015, the UK Government launched a new passport design. It immediately attracted negative press for its designers' "sexist" decision to feature more men than women.

The government has been accused of sexism over the new UK passport design, which commemorates the achievements of two women but seven men.

It's true that there are only two named women - but there is another unnamed woman on the passport! Here's the "Performing Arts" page:

Shakespeare stares down at his Wooden O. Half the page is a stage, and the men and woman merely players.

Here they are in a bit more detail:

Who are they? They look like reasonably modern photos rather than portraits. They're not obviously famous. None of the press at the time mentioned who they were. No stock photography library had anything similar that I could see. Your favourite AI thought one of them was Doctor Who and the other a Congressman from Nantucket.

The official document describing the design simply says:

On the left hand side there is an image of the interior of the theatre, with a play in progress.

I scanned in an old passport to get the faces in as much detail as possible. All three of them look like jobbing actors who you probably saw in a schools' production of Twelfth Night, don't they?

I couldn't find anything about them online. I asked my investigative-minded friends but they drew a blank.

I even sent a Freedom of Information request to the Passport Office.

They refused on grounds of GDPR, but they did say:

However, we can disclose the photographs of the individuals appearing on the passport page captured by a photographer employed by a supplier contracted to HM Passport Office.

So, if you're one of the actors / models - or know who they are - please drop a note in the box below!

Luckily, there's the RM6237 Low Value Purchase System to make everything better. If a department wants to buy something below a certain threshold, they can contact any of the registered suppliers and just buy it. No complicated paperwork, cheaper prices, win-win!

Except, there's on annoying bit of bureaucracy. Every month I have to tell the Government Commercial Agency what business I've done.

Fair enough, I guess. Let them know how many paperclips I've sold to the Ministry of Administrative Affairs.

But there's a wrinkle. What if I've sold nothing? Well, I still have to log on, wait for an MFA code to be send, click through, and report "No Business".

I think that's a waste of time. But I wondered how much time it collectively wastes for the nation's small businesses.

So I filed a Freedom of Information request to see how many people have to sign in to let them know they haven't done any business. They replied quickly - although sent the data as a PDF rather than the requested machine-readable format.

Here's how much of a waste of time it is for everyone:

Even if you assume that it only takes 2 minutes to fill in their form, that's over 2 days worth of time being wasted every month.

At best, 59 small businesses reported that they sold something via RM6237. Well over a thousand businesses are clicking on a button which, frankly, ought not to exist. Why isn't the onus on those buying using the system to report what they've spent and who they spent it with?

After clicking the button, I'm always asked to rate my experience using the service. I FoI'd that data as well but was told:

This information is not held. Feedback scores submitted are anonymised and only available as a service-wide view; consequently, we do not capture or hold results specific to RM6237

So the GCA are wasting everyone's time and do not track how annoying it is.

So I settled on the Chuwi Minibook N150. It's literally small enough to fit in my cargo-short pockets. For the price (around £300ish) it is basically fine. There are a few niggles, but none of them showstoppers for me.

I took it to OggCamp and had so many people come and ask me about it. It's a small, cute, and distinctive looking device.

The Bad

Here are the worst things about the laptop:

• US Keyboard. Yup, the @ and " are in the wrong place. I can be set to UK, but then you lose the | key.
• The trackpad sometimes goes a bit jittery. It usually works, but once it a while goes askew. The touchscreen can be used if it happens.
• Screen rotation works, but the keyboard and trackpad don't switch off if you bend the keyboard all the way back.
• No biometrics like fingerprint or camera - so you need to remember your passwords.
• Support from the manufacturer is haphazard. Mostly forum links and expired downloads. The firmware seems to update fine on Linux though.

That's not too bad, I reckon.

Installing Linux

I had a brief play with Windows 11, let it update its drivers just in case there was any magic firmware, then nuked it.

Turn the device off. Turn it on and then hammer the Delete button. It'll pop you into the BIOS.

Secure Boot needs to be disabled:

Security → Secure Boot → Secure Boot → Disabled

You'll also need to set it to boot from a USB device:

Boot → Boot Option #1 → USB Device

The go to Save & Exit. I tried Linux Mint Debian Edition. It booted just fine and, after fiddling in the display settings, it automatically detected the screen rotation. Internet worked, touchscreen worked, Bluetooth worked. I tried a few distros and settled on NixOS as being the least worst option.

Everything works except the keyboard switching off when it is folded backwards.

Look and Feel

It is a solid lump of metal. There are no decals on back of the screen (so perfect for adding stickers!) and the bottom is similarly bare apart from some air-flow grilles and the usual identifying marks.

There are two USB-C ports on one side and a vestigial headphone jack on the other.

Keyboard

Despite coming from a UK warehouse and shipping with a UK plug, it has a US keyboard. The only real difference is the £ symbol is missing from the 3 button, the @ and " are swapped, and the | button is in the wrong place. None of that is disastrous and setting your OS to use a UK layout fixes things.

Because \| is mapped to #~, there's no way to type a backslash or pipe.

There are three levels of backlight. Off, dim, and not quite so dim. No fancy RBG effects here!

Trackpad

Supports multi-touch so you can use gestures. Obviously it is quite small, but you can touch the screen if you need to. Annoyingly, the trackpad is only "clicky" at the edges. You can click down in the middle, but it doesn't feel like it clicks. Not a show stopper, but a bit aggravating.

Screen

The screen has masked off rounded corners. Personally I think that's something which should be left to the Desktop Environment to decide. I can't really understand why they've done that. However, as the ratio is 16:10, you're not going to lose precious pixels when watching a movie.

The screen is bright enough for most uses and goes fairly dim for night use. It is locked at 50Hz which is a bit of a baffling decision. I guess it saves a modicum of power? For almost all uses, you won't notice the difference though.

Battery and Charging

It ships with a USB-C PD charger with a UK plug and a hard-wired connection. Unfortunately, the charger was limited to 36W - so fairly modest.

However, initially the Minibook would only charge at around 10W (20V⎓0.5A) eventually getting up to 16W (12V⎓1.3A or 20V⎓0.3A) - that didn't meaningfully change when I used a more powerful laptop charger. It never got up to the promised 36W while the unit was off.

Once I turned it on, it jumped to ~35W (11.70V⎓3A). Using the stronger charger it occasionally got to 40W (20V⎓2A) but mostly stayed around 36W.

That's not a bad speed, and the battery is relatively small, but you won't be able to take it from empty to full with a quick blast. If you do need it to charge quickly, make sure it is on.

Size, Weight, and Tablet Mode

At just under a Kg, it is light enough to slip into a jacket pocket. Similarly, although around twice as thick as a normal 10 inch tablet, it isn't massive. Holding it up for long periods means you will feel the weight more keenly - but the keyboard acts as a pretty decent stand.

It supports multi-touch and a pen, apparently, which is not supplied.

Camera

The small lens is sensibly placed in the top centre and is of surprisingly good quality. You're not going to shoot a movie on it, but fine for video calls.

Verdict

Depending on how you are blessed by The Algorithm, this is around £300 - £350. You may also have to pay tax and delivery depending on where it is shipped from.

The specifications are pretty decent. Look, it's no MacBook Neo - but it is cheap and runs Linux.

If you're happy futzing around a bit, it's a decent travel companion.

Similarly, in most countries, you cannot vote until you have reached a specific age.

These are age-gates. You do not need to prove your competence to drink, vote, smoke, or get married; you just need to be old enough.

Some things have skill-gates. If you want an amateur radio licence in the UK, you need to pass an exam. You can be any age⁰.

Similarly, most jurisdictions allow you to get a medical licence once you have passed the requisite tests¹.

There are also activities which are dual-gated. You can only get a driving licence after passing a test, but you can only apply to take the test once you are a certain age.

Where should society swap age-gates and skill-gates?

Perhaps the big one is voting. The UK is preparing to extend the franchise to all 16 and 17 year olds - but why is there an age-gate at all?

Children are affected by politics, they pay tax on the goods they buy, they exist in the world. Why shouldn't they vote?

The usual argument is that they are too immature. But maturity isn't dependent on age. Idiots are allowed to vote. Centenarians with no stake in the consequences of their politics are allowed to vote. People who don't understand what powers a government has are allowed to vote.

Would it really be so bad to introduce a voting licence? Make people take a short quiz to ensure they understand what they're voting for and why they're voting. Perhaps there are concerns about disenfranchising eligible adults (but not mature children) or that the state will rig the test (when they could rig the election) or whatever. But if we're sticking with the fiction that some people aren't mature enough to vote then we must give disenfranchised people a chance to prove their maturity.

You could make the same argument about driving. If a 7 year old is able to demonstrate mastery and control of a vehicle, are they likely to be a better driver than a 90 year old who has never taken a modern test?

Alcohol is different. We realise that the drug is harmful and especially harmful to developing humans. So we age-gate it. But do people really understand the health risks? Should you have to pass a test in order to imbibe? We make the people selling alcohol pass somewhat rigorous skills assessments. Perhaps the burden of proof should be reversed?

Wait, do you really believe all this?

No, not necessarily.

I find it fascinating that different cultures set different limits on people's activities. I wouldn't like to live somewhere that allowed anyone to drive on the public roads. Similarly, I don't particularly want governments restricting who can vote based on an arbitrary assessment.

But where are the limits? Why is the legal driving age so variable? Why are some driving tests easier than others?

Do you want a teenage doctor diagnosing you - even if they are legally certified? Should you be able to use a radio without passing a test if you're a legal adult?

Which age-gates and skill-gates do you think should be flipped?

Imagine a giant dying. You can't. They are huge and endless. A towering presence which, so it seems, has always been part of our world. They dominate and are indomitable. It is simply unfathomable that they can ever end. Yet end they must.

As the whale dies, we do not know what passes through its cavernous brain. But we do know what the rest of the ocean thinks.

Lunch.

The death of a whale is a thing to be celebrated. The thump of their still-warm body onto the floor is the starting bell for a feast. Some larger predators sense an easy meal and tear off the choicest morsels. But what of the scavengers? What about the new life not yet established? What happens to the weird little creatures just waiting for an energy boost?

In many ways, it was fortuitous that Twitter pre-signalled its death with the Fail Whale.

The twitching corpse is gently floating down to its watery grave. Some of the older and more established social networks have bitten out chunks of the still-fresh body and have run away with their spoils. But the fascinating thing is watching all the new services benefit from the death of a giant. Mastodon, Discord, BlueSky, Qaplion, Nostr, and a bunch of others hollowing out the rotting husk and using it to power their own growth.

Will those .meow social networks ever become a gigaton behemoth capable of ruling the waves? Maybe not, but size is not the only metric of success. Finding and defending an ecological niche is its own reward. Evolution abhors a monoculture.

Several bloated bodies meander through the brine, each one confident that its ageless wisdom will outlast the others. Had they any self-awareness, the hubris would gnaw at their tattered souls until the crushing realisation of their impending doom drove them mad.

Perhaps it will happen to GitHub next. The endless downtime and forced injection of crappy AI will start a death spiral. Already established forges are waiting to pounce once they smell blood in the water. But what critters will emerge to suck the bones of the old giant and develop in unexpected ways? Some bizarre fungal growth will devour the stinking jelly unlocked from those shattered bones and a new ecosystem will emerge.

Will WordPress's increasingly erratic leadership and tangle of legal disputes cause it fatal damage? Once minnows darted away from its presence; now they cautiously nip at its greying skin. Its mighty bellow still echoes through the clammy waters, but there's a tinge of frailty in its song.

Everything dies eventually.

The internal flora and fauna - be they parasitic or symbiotic - eagerly await their host's downfall. A chance to break free and explore new strange new world. A chance to begin a new relationship and co-evolve in unexpected ways.

The biological pump is primed, the hungry jaws of an uncountable fleet of new ideas is just waiting to pounce, the giants swim on in blissful ignorance.

You can read more about Whale Fall on Wikipedia.

Which is what makes GDS's latest guidance so surprising. At the start of the month, NHS England made the bizarre and irresponsible decision to close all their Open Source repositories due to unfounded fears of AI hacking¹. Lots of people within the NHS were outraged. As were many outside - with this petition against the move gathering over 2,000 signatures.

Within other parts of government there was also alarm. Although I no longer work for Government Digital Service, I was contacted by several concerned people there who remembered all my work on Open Source. The brilliant team in Whitechapel have now published their guidance "AI, open code and vulnerability risk in the public sector".

It is brutal.

They utterly repudiate the NHS's stance and forensically eviscerate it. I'll let you read the whole thing, but here are a few choice excerpts:

Recent public reporting about organisations restricting access to public repositories due to AI-enabled code analysis illustrates how quickly leaders may reach for blanket closure in response to uncertainty.

Basically, non-technical managers need to stop over-reacting.

Private repositories can create a false sense of security.

I think that's the crux of the argument. Closing code doesn't solve the underlying problems.

Making code private is not an appropriate mitigation for lack of ownership, patching capability, or operational assurance, so systems that cannot be safely maintained should be remediated or retired.

If you are so concerned about the poor security of your systems, you should shut them down completely to mitigate the threat.

Closure can become a one-way door.

As I said to the BMJ, "nothing lasts longer than a temporary fix".

Where code has been developed in the open, making a repository private later may not remove access for a capable adversary as popular repositories are often mirrored or forked

Indeed. A friend of mine has already archived all of the NHS's repositories. You can see the ones they've tried to hide.

But the killer blow, I think, is this:

Moving code from public to private as a substitute for investment in secure-by-design delivery, ownership and remediation is a warning sign because it reduces sharing and scrutiny, can slow coordinated improvement across government and suppliers, and does not remove the underlying weaknesses in a running service.

Exactly! Coding in the open has been shown time and again to produce high quality and secure work. The looming threat of AI vulnerability scanners doesn't change that - security is a shared responsibility. Technical teams need to be well enough resourced to create secure systems; hiding code is as reliable as papering over structural cracks.

GDS was created was to be a strong centre with vast technology expertise. This was to counter the frankly shoddy approach to tech in other departments. Back then, a Service Assessment was a way for a department to prove that they were actually capable of designing, launching, and managing a complex IT project.

Most departments have become significantly better at the development and running of these sorts of projects, so the raison d'etre of GDS has somewhat waned. Departments feel more confident in running off on their own. Usually I'd celebrate that - it's important that GDS doesn't become a bottleneck and that the talent is distributed throughout the whole Civil Service.

But NHS England has always been a bit of a weird one. One of the reasons NHSX was created² was to ensure that the health service had strong expertise in technology and its deployment. As the Head of Open Technology there, I helped craft the policies which embedded Open Source and Open Standards within it³.

I don't know what discussions have taken place within NHS England - although I looking forward to receiving a response to my FOI request. It looks to me like a small group within NHS England have received a report showing some potential vulnerabilities discovered by Mythos. Rather than following their own internal guidance, they've over-reacted and slapped a blanket ban on coding in the open.

I fervently hope that this new guidance will encourage DHSC to bring NHS England into line with best practice. If not, perhaps GDS ought to reassert itself as the technical authority with power to veto a department's incomprehensible decisions?

Throughout my time working for the UK Government - in GDS, NHSX, i.AI, and others - I championed Open Source. I spoke to dozens of departments about it, wrote guidance still in use today, and briefed Ministers on why it was so important.

That's why I'm beyond disappointed at recent moves from NHS England to backtrack on all the previous commitments they've made about the value of open source to the UK's health service.

It's rare that multiple people leak the same story to me, but that's what gives me confidence that lots of people within the NHS are aghast at this news.

A few days ago, I was sent this quote which was attributed to a senior technical person in NHS England.

We are obviously looking at things like Mythos, which is more sophisticated at finding vulnerabilities. In the next week or so, we will be changing our tack on coding the open and making our code public until we're on top of that risk.

Most of our repos, unless they're essential, will be removed for security reasons.

As I've written before, this is not the correct response to the purported threat by Mythos. Neither the AI Safety Institute nor the NCSC recommend this action. While there may be some increase in risk from AI security scanners, to shutter everything would be a gross overreaction.

Nevertheless, that's what the NHS is preparing to do.

On the 29th of April, guidance note SDLC-8 was sent out. Here's what it says:

The majority of code repos published by the NHS are not meaningfully affected by any advance in security scanning. They're mostly data sets, internal tools, guidance, research tools, front-end design and the like. There is nothing in them which could realistically lead to a security incident.

When I was working at NHSX during the pandemic, we were so confident of the safety and necessity of open source, we made sure the Covid Contact Tracing app was open sourced the minute it was available to the public. That was a nationally mandated app, installed on millions of phones, subject to intense scrutiny from hostile powers - and yet, despite publishing the code, architecture and documentation, the open source code caused zero security incidents.

Furthermore, this new guidance is in direct contradiction to the UK's Tech Code of Practice point 3 "Be open and use open source" which insists on code being open.

Similarly, the Service Standard says:

There are very few examples of code that must not be published in the open.

The main reason for code to be closed source is when it relates to policy that has not yet been announced. In this case, you must make the code open as soon as possible after the policy is published.

You may also need to keep some code closed for security reasons, for example code that protects against fraud. Follow the guidance on code you should keep closed and security considerations for open code.

There's also the DHSC policy "Data saves lives: reshaping health and social care with data":

Commitment 601 – completed May 2022

We will publish a digital playbook on how to open source your code for health and care organisations

And, here's NHS Digital's stance on open source in their Software Engineering Quality Framework:

The position of all three of these documents is that we should code in the open by default.

All of which is reflected in the NHS service standard:

Public services are built with public money. So unless there's a good reason not to, the code they're based should be made available for other people to reuse and build on.

All of which is to say - open source should be baked into the DNA of the NHS by now. There are thousands of NHS repositories on GitHub. The work undertaken to assess all of them and then close them will be massive. And for what?

Even if we ignore the impracticality of closing all the code - it is too late! All that code has already been slurped up. If Mythos really is the ultimate hacker, hiding the code now does nothing. It has likely already retained copies of the repositories.

And if it were both practical and effective to hide source code - that doesn't matter. These AI tools are just as effective against closed-source. They can analyse binaries and probe websites with ease.

There are tens of thousands of NHS website pages which refer to their GitHub repos - will they all need to be updated? What's the cost of that?

I've no idea what led to NHS England making this retrograde decision - so I've send a Freedom of Information request to find out.

I am convinced that closing all their excellent open source work is the wrong move for the NHS. I hope they see sense and reverse course.

Until then, I've helped make sure that every single NHS repository has been backed up and, because the software licence permits it, can be re-published if the original is closed.

In the meantime, you should email your MP and tell them that the NHS is wrong to shutter its world-leading open source repositories.

Don't let them take away your right to see the code which underpins our nation's healthcare.

Further Reading

• I'm quoted in this article from The New Scientist.
• Matt Hancock on the issue
• Discussion by Jessica Morley, PhD
• Free Software Foundation Europe press release
• Further commentary from New Scientist
• Petition - Keep Things Open
• Update 2026-05-14: GDS have published their Guidance "AI, open code and vulnerability risk in the public sector " which explicitly says closing repos is the wrong approach.

Sometimes when I raise an issue on GitHub, or write a comment, other users leave me Emoji reactions. Perhaps a 👍 or 🎉 if they like my contribution, but occasionally a 👎 or 😕 if they're foolish enough to think I'm wrong.

The problem is, GitHub doesn't tell me that someone has 🚀'd my wisdom. If GitHub was as good as Facebook, it would present a little 🔔 to let me know exactly how many ❤️s I have received. Instead I have to manually check every issue I've raised to see if the hive-mind judges me worthy.

You might be thinking that there's an API for finding the reaction count to a specific piece of content - and you'd be right! The only problem is that it requires you to send it a specific content ID. So pretty bloody useless unless you want to construct a mega-query of everything you've ever written.

Enter the terrifying world of GraphQL - where men fear to tread and AIs are driven mad. It is possible to squeeze the API until the pips squeak. Here's a GraphQL query, run using the gh CLI, which grabs any issue with over zero reactions, displays how many reactions it received, and who gave what sort of reaction.

gh api graphql -f query='
query {
  search(query: "author:@me reactions:>0", type: ISSUE, first: 10) {
    nodes {
      ... on Issue {
        url
        reactions(last: 50) {
          totalCount
          nodes {
            content
            user {
              login
            }
          }
        }
      }
    }
  }
}'

As you might be able to decipher, that looks for the 10 most recent issues. If you are prolific, you may want to increase that number - although it will increase the time it takes for the query to run. If you have the temerity to dare to retrieve more than 100, you'll be slapped with the dreaded EXCESSIVE_PAGINATION error.

Similarly, it only gets the most recent 50 reactions. The count will be be the total number of reactions, no matter how low you set the number.

In return, you'll get a hideous mass of JavaScript which looks like it has been vomited up by a disgruntled Cacodemon:

{
  "data": {
    "search": {
      "nodes": [
       {
          "url": "https://github.com/validator/validator/issues/1814",
          "reactions": {
            "totalCount": 9,
            "nodes": [
              {
                "content": "THUMBS_UP",
                "user": {
                  "login": "markohoza"
                }
              },
              {
                "content": "EYES",
                "user": {
                  "login": "adamwolf"
                }
              },

There is no way to get anything older. If someone liked a comment you made in 2019, you will never know!

If you hate your eyes enough to read through the search type documentation, you'll notice there is no way to search Pull Requests. This is, of course, a rotten lie. If you read different documentation you'll see that PRs are classed as a type of issue. Why? Because your sanity is not worth the cost of updating things.

Anyway, it makes our life slightly easier. We can search both Issues and PRs in one easy to chew lump of GraphQL:

gh api graphql -f query='
query {
  search(query: "author:@me reactions:>0", type: ISSUE, first: 100) {
    nodes {
      ... on Issue {
        url
        reactions(last: 100) {
          totalCount
          nodes {
            content
            user {
              login
            }
          }
        }
      }
      ... on PullRequest {
        url
        reactions(last: 100) {
          totalCount
          nodes {
            content
            user {
              login
            }
          }
        }
      }
    }
  }
}'

Again, beware gazing into the JSON lest the JSON gazes into you!

{
  "data": {
    "search": {
      "nodes": [
        {
          "url": "https://github.com/WICG/webmonetization/pull/634",
          "reactions": {
            "totalCount": 2,
            "nodes": [
              {
                "content": "CONFUSED",
                "user": {
                  "login": "tomayac"
                }
              },
              {
                "content": "HEART",
                "user": {
                  "login": "tomayac"
                }
              }
            ]
          }
        },

OK, so it should be pretty damned simple to get the number of reactions to any comments, right? RIGHT?!?!

No. Because consistency is a dirty word and GraphQL was designed in the bowels of hell as a way to keep API developers from ever obtaining a state of grace.

There's no way I could find to use reactions:>0 with a comment search query. This will get you lots of useless unreacted results. I guess you can filter them with jq or just scratch your monitor with razor blades so you don't have to see their empty laughing maws.

gh api graphql -f query='
query {
  viewer {
    issueComments(last: 10) {
      nodes {
        url
        reactions(last: 10) {
          totalCount
          nodes {
            content
            user {
              login
            }
          }
        }
      }
    }
  }
}'

And, again, JSON nested like wheels within wheels and fires within fires:

{
  "data": {
    "viewer": {
      "issueComments": {
        "nodes": [
          {
            "url": "https://github.com/home-assistant/supervisor/issues/6474#issuecomment-3740347148",
            "reactions": {
              "totalCount": 0,
              "nodes": []
            }
          },
          {
            "url": "https://github.com/edent/3D-UK-Money/issues/1#issuecomment-3757022146",
            "reactions": {
              "totalCount": 1,
              "nodes": [
                {
                  "content": "THUMBS_UP",
                  "user": {
                    "login": "MickeyF2010"
                  }
                }
              ]
            }
          },

What Have We Learned Today?

The Necronomicon was probably written in GraphQL. Any form of Daemon summoning must use nested queries and frightening syntax.

Trying to track reactions to your content will drive you mad. There's a reason this knowledge is forbidden.

Disclaimer

This post was not sponsored by GitHub. Although I did drink rather too many of their free beers at FOSDEM. Consider this post payback for that self-induced hangover.

Some apps (like WhatsApp) will play the motion photo when the image is selected, others will just show a static image.

So how do you extract the movie from the image using Linux?

Step one, let's take a look at the EXIF metadata in the image. Here's what running exiftool photo.MP.jpg gets:

Motion Photo                    : 1
Motion Photo Version            : 1
Motion Photo Presentation Timestamp Us: 866808
Directory Item Mime             : image/jpeg, image/jpeg, video/mp4
Directory Item Semantic         : Primary, GainMap, MotionPhoto
Directory Item Length           : 46353, 2106347
Directory Item Padding          : 0
MPF Version                     : 0100
Number Of Images                : 2
MP Image Flags                  : (none)
MP Image Format                 : JPEG
MP Image Type                   : Undefined
MP Image Length                 : 46353
MP Image Start                  : 2570425

That can be cross-referenced with the Motion Photo metadata specification.

We can confirm this is a Motion Photo, Version 1. The video portion at 866,808 microseconds (about 0.8 seconds) is where the main photo is taken from.

The file starts with the image, then a GainMap (for HDR), and then the video.

Somewhat obtusely (in my opinion) the Directory Item Length only shows "secondary media items" - in this case, the GainMap and Video.

The filesize is 4,723,125 bytes, which equals the sum of the three values; 46,353 + 2,106,347 + 2,570,425.

So, to get the MP4 video, we need to extract the last 2,106,347 bytes. This can be double-checked by taking the filesize and subtracting the MP Image Start and the MP Image Lengths (4,723,125 - 46,353 - 2,570,425 = 2,106,347).

The extraction can be done with dd but it's probably just as easy to use tail to read the last N bytes of a file:

tail -c 2106347 photo.MP.jpg > video.mp4

You can verify that the video is valid by running ffmpeg -i video.mp4 - the output will be lower resolution than the photo and will only be a few seconds long. It will play in VLC or any other standard player.

Try It Yourself

Here's one of my motion photos - it should present in your browser as a still image, but run the above code to extract the video.

Click the photo to download the full version rather than the optimised one.

Sources

For other adventures in Motion Photo exploration, take a look at:

• https://developer.android.com/media/platform/motion-photo-format
• https://motion-live.js.org/
• https://medium.com/android-news/working-with-motion-photos-da0aa49b50c

If you manage to break your TV using this forbidden knowledge, please don't come crying to me for help.

1. Turn on your TV.
2. Switch to an HDMI source. You must not be on a TV menu.
3. Hold down the 0 button until you see the message "Remote controller will control TV"
4. Press the blue 'Home' button on the remote control.
5. Press the following buttons on the remote control number pad, in this order
   • 4
   • 7
   • 2
   • 5

You should be presented with this screen:

The options will vary depending on your TV model.

• Video Settings
  • Whole bunch of things like RF AGC SECAM and ADC Calibration B Offset
  • This is a great way to break your TV.
• Audio Settings
  • Just displays the "Surround Type" - you can't change anything.
• Options 1
  • Power-up settings, hotel mode, volume. Again, read-only.
• Options 2
  • Information about menus, HMDI selection, DCF ID. Yup, nothing to play with.
• Options 3
  • More diagnostic information about smart TV stuff. Includes Alexa Ready state.
• Tuning Settings
  • Tuner type and firmware
• Source Settings
  • Which sources have been enabled
• Diagnostic
  • Remote Control Test - see which buttons you're pressing on the remote
  • Video Pattern Test - pressing right cycles through white, red, green, blue, magenta, turquoise, yellow, grey, black
  • Factory Reset
  • Some more read-only stuff like MAC address
• USB Logging
  • Screen Capture - can be set to Enabled. No idea how to activate it though
  • UART RX - can be Enabled
  • Flash write debug - seems to write a debug list to a USB drive
  • HTTP Test Server - can be Enabled.
  • Export channel list to USB
• USB Operations
  • Only works if you have a USB drive connected - but doesn't seem to do anything.

After turning on the test server, the following ports were exposed:

PORT      STATE SERVICE
2870/tcp  open  daishi
5001/tcp  open  commplex-link
7681/tcp  open  unknown
56183/tcp open  unknown
56789/tcp open  unknown
56790/tcp open  unknown

There are some weird entries in the debug log written to USB:

mbrg_AUDIO_HDMI_MODE_CONFIG : NONPCM mode 
[AUDIO][Utopia]: ===== Check Audio Decoder Protection from hash-key IP =====
[AUDIO][Utopia]: Hash Key Check DD Fail, no DD license!!
[AUDIO][Utopia]: Hash Key Check DDP Fail, no DD+ license!!
[AUDIO][Utopia]: Hash Key Check Dolby MS11 Fail, no Dolby MS11 license!!
[AUDIO][Utopia]: Hash Key Check Dolby MS12 LC profile Fail, no Dolby MS12 LC profile license!!
[AUDIO][Utopia]: Hash-key Support Dolby MS12 D profile.
[AUDIO][Utopia]: Hash Key Check Dolby MS12 B profile Fail, no Dolby MS12 B profile license!!
[AUDIO][Utopia]: Hash Key Check AAC Fail, no any AAC license!!
[AUDIO][Utopia]: Hash Key Check DDCO Fail, no DDCO license!!
[AUDIO][Utopia]: Hash Key Check DTS Fail, no DTS license!!
[AUDIO][Utopia]: Hash-key Support WMA.
[AUDIO][Utopia]: Hash Key Check DRA Fail, no DRA license!!
[AUDIO][Utopia]: Hash Key Check DTSLBR Fail, no DTSLBR license!!
[AUDIO][Utopia]: Hash Key Check DTSE Fail, no DTSE license!!
[AUDIO][Utopia]: Hash Key Check DTSNeoUltra Fail, no DTSNeoUltra license!!
[AUDIO][Utopia]: Hash-key Support SRS_TSHD.
[AUDIO][Utopia]: Hash Key Check SRS_THEATERSOUND Fail, no SRS_THEATERSOUND license!!
[AUDIO][Utopia]: Hash Key Check DTS_StudioSound3D Fail, no DTS_StudioSound3D license!!
[AUDIO][Utopia]: Hash Key Check COOK Fail, no COOK license!!
[AUDIO][Utopia]: Hash-key Support DTS_HD.
[AUDIO][Utopia]: Hash Key Check Dolby volume Fail, no Dolby volume license!!
[AUDIO][Utopia]: Hash Key Check SRS_PURESND Fail, no SRS_PURESND license!!
[AUDIO][Utopia]: Hash Key Check DTS VirtualX Fail, no DTS VirtualX license!!
[AUDIO][Utopia]: Hash Key Check DTS_StudioSound_II Fail, no DTS_StudioSound_II license !!
[AUDIO][Utopia]: ===== Check Protection IP End                         =====

Right, that's it. Hope that's of use to someone.