Terence Eden’s Blog

You can parse an .env file as an .ini with PHP - but there's a catch

2026-03-13T08:04:06Z

The humble .env file is a useful and low-tech way of storing persistent environment variables. Drop the file on your server and let your PHP scripts consume it with glee.

But consume it how? There are lots of excellent parsing libraries for PHP. But isn't there a simpler way? Yes! You can use PHP's parse_ini_file() function and it works.

But…

.env and .ini have subtly different behaviour which might cause you to swear at your computer.

Let's take this example:

# This is a comment
USERNAME="edent"

Run $env = parse_ini_file( ".env" ); and you'll get back an array setting the USERNAME to be "edent". Hurrah! Works perfectly. Ship it!

But consider this:

# This is a comment
USERNAME="edent" # Don't use an @ symbol here.

It will happily tell you that the username is "edent# Don"

WTAF?

Here's the thing. The comment character for .ini is not # - it's the semicolon ;

Let me give you some other examples of things which will fuck up your parsing:

# Documentation at https:/example.com/?doc=123
DOCUMENTATION=123
# Set the password
PASSWORD=qwerty;789

That gets us back this PHP array:

[
  '# Documentation at https:/example.com/?doc' => '123',
  'DOCUMENTATION' => '123',
  'PASSWORD' => 'qwerty',
];

When the .ini is parsed, it ignores every line which doesn't have an = sign. It also treats literal semicolons as the start of a new comment until they're wrapped in quotes.

My code highlighter should show you how it is parsed:

# Documentation at https:/example.com/?doc=123
DOCUMENTATION=123
# Set the password
PASSWORD=qwerty;789

It gets worse. Consider this:

# Set the "official" name
REALNAME="Arthur, King of the Britons"

That immediately fails with PHP Warning: syntax error, unexpected '"' in envtest on line 1

You can use single quotes in pseudo-comments just fine, but if the ini parser sees a double quote without an equals then it throws a wobbly.

I'm sure there are several other gotchas as well. For example, there are certain reserved words and symbols you can't used as a key.

This will fail:

# Can we fix it? Yes we can!
FIX=true

It chokes on the exclamation point.

How to solve it (the stupid way)

The comments on an .env file start with a hash.

The comments on an .ini file start with a semicolon.

So, it is perfectly valid for a hybrid file to have its comments start with #;

Look, if it's stupid but it works…

What Have We Learned Here Today?

There's a right way and a wrong way to do .env parsing.
The wrong way works, up until the point it doesn't.
You should probably use a proper parser rather than hoping your .env looks enough like an .ini to pass muster.

On next week's show - why you shouldn't store your passwords inside a JPEG!

Does Mythos mean you need to shut down your Open Source repositories?

2026-04-24T10:20:09Z

Much Sturm und Drang in the world of Open Source with the announcement that the "Mythos" AI is now the ultimate hacker and is poised to unleash havoc on every code base.

So should you close all your Open Source projects to make them safe?

No.

Firstly, all your Open Source code has already been slurped up.

It was all ingested for "training purposes" years ago. If it was moderately interesting then it was backed-up by a digital hoarder. It has been archived by various digital libraries. Anyone who wants to do research on your code base can.

Closing now doesn't meaningfully protect you.

Secondly, most of the security holes in your systems are probably not in your code. Vulnerabilities exist throughout your supply chain. All the dependencies - your OS, libraries, and even hardware - are all richer targets for hackers. Finding a CVE in a popular library is almost certainly more worthwhile than investigating your Open Source code.

The bigger risk comes not from subtle logic bugs but from phishers, poor password hygiene, and insider threats. Securing your existing systems provides more protection than rushing to close-source your code.

Finally, closing the source of something doesn't protect you. These new AI models can easily investigate and your closed source systems and potentially penetrate them. It has always been possible to analyse websites and binaries. AI doesn't change that - although it might accelerate it.

Open Source does have risks but AI doesn't upend decades of evidence that closed-source is just as vulnerable to attackers.

In cases where the state creates code using public money, it has a responsibly to share that code. Automated threat analysis - even by hypercapabe AI - doesn't change that.

I would strongly recommend reading the UK's AI Safety Institute's evaluation of Claude Mythos Preview’s cyber capabilities and the NCSC's advice. Neither of them recommend closing down Open Source code.

Sneaky spam in conversational replies to blog posts

2026-04-22T14:31:32Z

I'm grateful that my blog posts attract lots of engaged, funny, and challenging comments. But any popular post also attracts spammers. I use Antispam Bee to automatically eradicate a couple of hundred crappy comments per day.

Nevertheless, some get through. Here's a particularly pernicious one - it appeared as three comments ostensibly in reply to each other.

At first glance these look like normal comments. They each address the content of the blog post albeit somewhat superficially. The first comment looks like it was from a social media post sharing my link - I get a lot of those as pingbacks, so it initially didn't trigger any suspicions from me.

The second is ostensibly a reply to the first and continues the conversation. Again, a bit shallow, but seems to be engaging in good faith.

The third looks like yet another reply. They all have unique email addresses, none of them have set their username to anything overly odd, and none of the users have filled out their URl.

But notice, in the second one, there's a link to a dodgy casino! There's no https:// so it didn't jump out as a link.

All three came from the same IP address in the Philippines, so easy to block for now.

Each reply is spaced exactly 3 minutes apart which, in retrospect, looks a little odd.

Re-reading them carefully, they all look like AI slop. A plausible sounding summary, written in a casual style, but with very little semantic content. Seeing them as replies to each other primed me to think they were genuine because I'm used to spam coming in individual replies. Having the spam in the middle comment made it easy to glaze over.

Remember, there are no technological solutions to social problems. Sticking more and more barriers in the way of commenting only discourages genuine replies while the profit motive incentivises spammers to work around them.

[RSS Club] How do you preserve an RSS feed?

2026-04-20T11:14:41Z

Psssst! This top secret post is only available to RSS subscribers!

I was sent this thought-provoking blog post called "The Necessary Pain Involved in Blogging (if you want your work to be preserved beyond your lifespan)".

In it, Martin Paul Eve makes the case that trying to preserve a blog is difficult. I mostly agree with him (although think he's perhaps a little hair-shirted about it) and it made me think about what I do in terms of preservation.

This feed is captured by the Internet Archive. That's been useful on the rare occasions where my posts have been corrupted and I don't have a backup.

I got my blog an ISSN. I guess in theory this mean the British Library have a right to archive it? But I haven't looked in to whether that is the case.

I don't store my posts in a git repository. Perhaps I should?

I like the idea of WordPress's 100 year domain name but I'm not sure if I trust the current owner not to completely shit the bed. And it's hard to justify £31k on a vanity project.

I'm not a scholar, so using something like Rogue Scholar feels inappropriate. My content also isn't Creative Commons licenced (perhaps it should be?).

If you have a good solution for a long-term, stable, and relatively cheap method of preserving a blog (and its RSS feed) please drop me a comment via your favourite method.

Better TTS on Linux

2026-03-27T16:10:05Z

The venerable eSpeak is a mainstay of Linux distributions. It is a clever Text-To-Speech (TTS) program which will read aloud the written word using a phenomenally wide variety of languages and accents.

The only problem is that it sounds robotic. It has the same vocal fidelity as a 1980s Speak 'n' Spell toy. Monotonous, clipped, and painful to listen to. For some people, this is a feature, not a bug. I have blind friends who are so used to eSpeak that they can crank it up to hundreds of words per minute and navigate through complex documents with ease.

For the rest of us, it is a steep and unpleasant learning curve.

There are lots of modern TTS programs using all sorts of advanced AI. Many of them are paywalled or require you to post your text to a webserver - with all the privacy and latency problems that causes. Some are restricted to high-powered GPUs or other expensive equipment.

Piper is different. It is local first, runs quickly on modest hardware, and is open source.

The easiest way to install it on Linux is to use Pied - a simple GUI which allows you to select languages, listen to accents, and then install them.

It will change your speech-dispatcher to use the new Piper voice. That means it is immediately available to your Linux DE's accessibility service and to apps like Firefox.

I now have a reassuring Scottish lady speaking out everything on my computer.

Book Review: Up - A scientist's guide to the magic above us by Dr Lucy Rogers ★★★★★

2026-04-20T10:48:03Z

My mate Dr Lucy Rogers has written a book! This is a charming and thought provoking exploration of everything that goes on above our heads. This isn't an impersonal and imperious manuscript, it's a deeply personal and joyful book filled with science, anecdotes, and the thrill of discovery.

It's spectacularly accessible. Written in a relaxed and casual tone, it encourages domestic science. I don't mean bakery, I mean the sorts of observations you can do at home without access to a multi-million pound laboratory. The afterword of the book contains dozens of resources for people who want to get involved in science. Dr Rogers eloquently makes the case that you don't need to dedicate yourself full time - it's perfectly acceptable to engage with it on your own terms.

What I liked most about it was that she gets her hands dirty. It would have been easy to write a literature review from the comfort of a safe and dry office. Instead we get a travelogue of all the places she's been - each trek through the forest, every laboratory, and all the foreign festivals are brilliantly recounted. It's a proper adventure from America's tornado alley down to the Vatican Archives.

I find it remarkable how slow some modern science is. As she points out, "there have been only eight transits of Venus since the telescope was invented" - our knowledge rests on the shoulders of giants, but they can be slow, lumbering beasts.

If, like me, you only have a hazy memory of the science you learned at school, this book will top up your knowledge (and vocabulary). It will reignite your passion and curiosity about the world around you - and make you want to buy a round the world ticket to chase solar eclipses!

Reprojecting Dual Fisheye Videos to Equirectangular (LG 360)

2026-03-09T11:04:45Z

I still use my obsolete LG 360 Camera. When copying MP4 videos from its SD card, they come out in "Dual Fisheye" format - which looks like this:

VLC and YouTube will only play "Equirectangular" videos in spherical mode. So, how to convert a dual fisheye to equirectangualr?

The Simple Way

ffmpeg \
  -i original.mp4 \
  -vf "v360=input=dfisheye:output=equirect:ih_fov=189:iv_fov=189" \
  360.mp4

However, this has some "quirks".

The first part of the video filter is v360=input=dfisheye:output=equirect - that just says to use the 360 filter on an input which is dual fisheye and then output in equirectangular.

The next part is :ih_fov=189:iv_fov=189 which says that the input video has a horizontal and vertical field of view of 189°. That's a weird number, right?

You'd kind of expect each lens to be 180°, right? Here's what happens if :ih_fov=180:iv_fov=180 is used:

The lenses overlaps a little bit. So using 180° means that certain portions are duplicated.

I think the lenses technically offer 200°, but the physical casing prevents all of that from being viewed. I got to the value of 189° by trial and error. Mostly error! Using :ih_fov=189:iv_fov=189 get this image which has less overlap:

It isn't perfect - but it preserves most of the image coherence.

Cut Off Images

There's another thing worth noticing - the top, right, bottom, and left "corners" of the circle are cut off. If the image sensor captured everything, the resultant fisheye would look something like this:

I tried repaging the video to include the gaps, but it didn't make any noticeable difference.

Making Equirectangular Videos Work With VLC

Sadly, ffmpeg will not write the metadata necessary to let playback devices know the video is spherical. Instead, according to Bino3D, you have to use exiftool like so:

exiftool \
        -XMP-GSpherical:Spherical="true" \
        -XMP-GSpherical:Stitched="true" \
        -XMP-GSpherical:ProjectionType="equirectangular" \
        video.mp4

Putting It All Together

The LG 360 records audio in 5.1 surround using AAC. That's already fairly well compressed, so there's no point squashing it down to Opus.

The default video codec is h264, but the picture is going to be reprojected, so quality is always going to take a bit of a hit. Pick whichever code you like to give the best balance of quality, file size, and encoding time.

Run:

ffmpeg \
  -i original.mp4 \
  -vf "v360=input=dfisheye:output=equirect:ih_fov=189:iv_fov=189" \
  -c:v libx265 -preset fast -crf 28 -c:a copy \
  out.mp4; exiftool \
        -XMP-GSpherical:Spherical="true" \
        -XMP-GSpherical:Stitched="true" \
        -XMP-GSpherical:ProjectionType="equirectangular" \
        out.mp4

That will produce a reasonable equirectangular file suitable for viewing in VLC or in VR.

If this has been useful to you, please stick a comment in the box!

Book Review: How To Kill A Witch - A Guide For The Patriarchy by Claire Mitchell and Zoe Venditozzi ★★★⯪☆

2026-04-11T08:42:00Z

After reading The Wicked of the Earth, I wanted to understand some of the history behind the stories. Why were women⁰ accused of being witches? What really happened in those trials? What are the modern consequences of those events?

This is the story of the Scottish Witch Trials - with brief forays into England and abroad. It examines the central tension of whether witchcraft was real to the accusers, or just a convenient means to oppress troublesome women. The descriptions of the imprisonment, torture, and state-sanctioned murder is visceral and horrific.

It's also rather stark in its modern assessment of the historic context:

Nonetheless, it’s important to remember it was a proper legal trial, with evidence being put forward and the judge assessing it and carrying out legal tests. Some people think that witchcraft trials were carried out by angry peasants waving pitchforks. Perhaps this is a more acceptable way for a modern person to think about it. No one wants to think that a judicial system can get it so wrong. But it did, with catastrophic consequences for those accused.

The book is mostly good, it's a spin off from the Witches Of Scotland podcast and that's reflected in the writing. As with any parasocial¹ entertainment, it attempts to centre the authors and bring the audience along for the ride - so there's lots of descriptions of the libraries the authors visit, how things make them feel, how enamoured they are with their podcast guests. I found it a little distracting, but it's obviously right for their main audience.

Similarly, there's an attempt to bring the past to life by imagining a little monologue from various historic figures. I found that a little unconvincing; I dislike putting words in peoples' mouths. But with sparse primary documentation, that may be the best way to bring these characters to life. It's also well illustrated. Too many books eschew pictures - but this has a nice collection of woodcuts and portraits to contextualise what we're reading about.

One little nitpick, the book makes the claims:

Life was hard and life expectancy was around 35

and

Lilias was an old woman, at least 60 years old and possibly as old as 80. At a time when life expectancy was much lower than it is now, even the lower estimate was still a considerable age.

That's not quite right. Although the average life expectancy was low, that's the average at birth - with a large number of infant mortalities dragging down the average. When you look at the full data, you'll see people used to live long lives even in the distant past.

In a way, it reminds me of Invisible Women. A national tragedy hidden from view.

It builds to a rousing end. There are parts of the world where witchcraft is still taken seriously - with devastating consequences. The febrile atmosphere which led to unfounded accusations against women is still prevalent even in modern societies.

And a small number of men. But this is firmly focused on the overwhelming majority. ↩︎
As opposed to paranormal. ↩︎

RSS Club for WordPress

2026-04-14T22:11:25Z

What if I told you there was a secret social network, hidden in plain sight? If you're reading this message, you're now a member of RSS Club!

RSS Club is a series of posts which are only visible to RSS / Atom subscribers. Like you 😃

If you want this for your own WordPress site, here's what you'll need:

A blog post which is only visible in RSS / Atom.
Which has no HTML rendering on your site.
And cannot be found in your site's search.
Nor via search engines.
Also, doesn't appear on your mailing list.
Does not get shared or syndicated to the Fediverse.

(This is a bit more strict than the original rules which allow for web rendering and being found via a search engine.)

Start With A Category

The easiest way to do this in WordPress is via a category - not a tag.

After creating a category on your blog, click the edit link. You will see in the URl bar a tag_id.

Whenever you want to make an RSS-exclusive post, you select the category before you publish.

Disable Display

This code stops any page in the RSS Club category from being displayed on the web.

function rss_club_post_blocker(): void {
    if (    is_singular( "post" )
        &&  has_category( "rss-club" )
        && !current_user_can( "edit_posts" ) )
    {
        status_header( 403 );
        echo "You must be a member of RSS Club to view this content.";
        exit;
    }
}
add_action( "template_redirect", "rss_club_post_blocker" );

Editors can still see it, but everyone else gets a blocked message.

Remove From Site Search and SiteMap

Here's a snippet to stick in your functions.php - it removes the category from any queries unless it is for the admin pages or the RSS feeds.

//  Remove the RSS Club category from search results.
//  $query is passed by reference
function rss_club_search_filter( \WP_Query $query ): void {
    //  Ignore admin screens.
    if ( !is_admin() && !is_feed() ) {
        //  Find the RSS-Club category ID.
        $category = get_category_by_slug( "rss-club" );

        //  Remove it from the search results.
        if ( $category ) {
            $query->set( "category__not_in", [$category->term_id] );
        }       
    }
}
add_action( "pre_get_posts", "rss_club_search_filter" );

This code also redacts that category from the build-in sitemap. Note - the name of the category still shows up in the XML, but it leads to a 404.

My mailing list and social media posts are fed from RSS. So how do remove an entire category from an RSS feed?

Simple! Append ?cat=-1234 to the end!

A negative category ID will remove the category from being displayed. So my email subscribers won't see the RSS only content. Of course, they get email-only exclusive posts, so don't feel too bad for them 😊

Fediverse Exclusion

The manual way is easiest. Assuming you have the ActivityPub plugin and a the Share On Mastodon plugin, you can unselect the sharing options before publishing.

If you think you might forget to toggle those boxen, there is a filter for the share plugin:

function rss_club_mastodon_filter( bool $is_enabled, int $post_id ): bool {
    global $exclude;
    if ( has_category( $exclude, $post_id ) ) {
        return false;
    }
    return $is_enabled;
}
add_filter( "share_on_mastodon_enabled", "rss_club_mastodon_filter", 10, 2 );

Similarly, there's a filter for the ActivityPub plugin:


function rss_club_activitypub_filter( bool $disabled, \WP_Post $post ): bool 
{
    global $exclude;
    if ( has_category( $exclude, $post ) ) {
        return true;
    }

    return $disabled;
}
add_filter( "activitypub_is_post_disabled", "rss_club_activitypub_filter", 10, 2 );

Enjoy!

If you've set up your own RSS Club feed, drop me a line so I can subscribe 😊

Why is it so hard to passively stalk my friends' locations?

2026-03-27T16:09:46Z

I feel terribly guilty when I visit a new city, post photos of my travels, only to have a friend say "Hey! Why didn't you let me know you were in my neck of the woods?"

Similarly, if I bump into an old acquaintance at a conference, we both tend to say "If only I'd known you were here, we could have had dinner together last night!"

I do enjoy the serendipity of events like FOSDEM - randomly seeing a mate and expressing the joy of spontaneity. But I also like arranging to meet up in advance.

At the moment, my strategy is sending a blast on social media saying "I'm visiting [this city] next week, anyone fancy a beer and a natter?" I've met friends all over Europe, Australia, and New Zealand that way. It mostly works. But I can't help feeling it is inefficient and prone to missing connections.

I even wrote my own code to auto-post FourSquare checkins to my other social media sites.

Here are my ideal scenarios. Imagine something built in to Signal / WhatsApp / Whatever app you already use.

Plan In Advance

I tell my app that I'm going to Barcelona from 14th - 19th February and am happy to meet any of my friends.

✨Background Magic✨

My friend Alice has also planned a trip to Barcelona around those dates. She gets a ping saying that one of her friends is going to be in the same city. Does she want to know more?

So far, so Dopplr.

My friend Bob lives just outside of Barcelona. He's set his "willing to travel" settings to be about 30 minutes, so also receives a ping.

I don't know that either of them have seen the notification until they decide they want to meet.

Spontaneous Fun

I step off the train in Manchester, England England. Perhaps the app notices I'm away from home, or maybe I press the "Anyone Around?" button.

On a map I can see friends who have shared their rough location. I decide to message Chuck to see if he's free for a chat.

Dave notices my location is now within his preferred travel distance. He gives me a ring.

A bit like how FourSquare used to be - but with less precision.

Downsides

The above is very much the "happy path". It doesn't look at any of the knotty problems or grapple with the UI that would be needed to make this work. But we know the technology for sharing location is viable - so what are the social issues that make this so difficult?

"Oh, fuck, Edgar's location says he's in town. Can we pretend to be out of the country?"

Alternatively, "Huh, I know at least a dozen people who live in Skegness. Why aren't any of them responding to me?"

Social pressure and awkwardness are hard problems. No one wants to use the app that makes you feel like a friendless loser.

Privacy

Do you want your friends knowing your every movement? I'm sure some people do, but most probably don't. It's possible to sketch out some vague controls:

Only send a notification if I push this button.
Don't send alerts if I am within this radius of my home / work.
Fuzz my location to the city / state / country level.

Danger

Is it a risk to let people know vaguely where you are? Is meeting up with (semi-) strangers from the Internet a smart life choice? Is having an app stalk you across the globe giving too much data to advertisers?

Does that creep from work abuse the system to keep popping up whenever you're out with friends?

Technology

I said the technology exists for this, and that was sort of true. Every device has GPS & an Internet connection. Storing a log of friends and sending them a message is a solved problem.

But is it solved in a decentralised and privacy preserving way?

No one wants to give all this power to one company. Google will build it and kill it. Facebook will sell your secrets to dropshippers. A funky start-up will be acquhired by Apple & restricted to iOS devices.

My location is fuzzed to an acceptable degree of imprecision and then sent… where? To all my friends directly? To a central server? Can k-anonymity help?

Is this a separate app? Everyone seemed to leave FourSquare after they buggered around with it. Perhaps it is just a feature in existing apps?

What's Already There?

Messaging apps like Signal, Telegram, and WhatsApp allow you to share your location with one or more friends.

To me, it feels a bit weird to manually send a dropped pin to some / all of my contact. It also doesn't let you share "tomorrow I will be in…"

Using "Stories" is the common way to share an update with all contacts - but none of them let you automatically share your location in a story.

FourSquare's Swarm app allows you to check in to a "neighbourhood". But there's no obvious way of saying "London" or "Manchester" - and I'm not sure how close to an area you need to be to get an alert that your friend is there.

What's Next?

I don't want to build this. Trying to get everyone I know to adopt a new app isn't going to happen. With the fragmentation of messaging and the lack of interoperability, this is likely to remain an unsolved problem for some time.

So here's my strategy.

Get back in to using FourSquare. Most of my friends seemed to stop using it back in 2017 when it was split into Swarm. But a few are still on there.
Manually post a story on Mastodon, BlueSky, Facebook, WhatsApp, Signal, and Telegram saying "Visiting Hamburg next week. Anyone want a beer?"
Hope that something better comes along.

Android now stops you sharing your location in photos

2026-04-06T14:28:44Z

My wife and I run OpenBenches. It's a niche little site which lets people share photos of memorial benches and their locations. Most modern phones embed a geolocation within the photo's metadata, so we use that information to put the photos on a map.

Google's Android has now broken that.

On the web, we used to use:

That opened the phone's photo picker and let the use upload a geotagged photo. But a while ago Google deliberately broke that.

Instead, we were encourage to use the file picker:

That opened the default file manager. This had the unfortunate side-effect of allowing the user to upload any file, rather than just photos. But it did allow the EXIF metadata through unmolested. Then Google broke that as well.

Using a "Progressive Web App" doesn't work either.

So, can users transfer their photos via Bluetooth or QuickShare? No. That's now broken as well.

You can't even directly share via email without the location being stripped away.

Literally the only way to get a photo with geolocation intact is to plug in a USB cable, copy the photo to your computer, and then upload it via a desktop web browser?

Why?!?!?

~~Because Google run an anticompetitive monopoly on their dominant mobile operating system.~~

Privacy.

There's a worry that users don't know they're taking photos with geolocation enabled. If you post a cute picture of your kid / jewellery / pint then there's a risk that a ne’er-do-well could find your exact location.

Most social media services are sensible and strip the location automatically. If you try to send a geotagged photo to Facebook / Mastodon / BlueSky / WhatsApp / etc, they default to not showing the location. You can add it in manually if you want, but anyone downloading your photo won't see the geotag.

And, you know, I get it. Google doesn't want the headline "Stalkers found me, kidnapped my baby, and stole my wedding ring - how a little known Android feature puts you in danger!"

But it is just so tiresome that Google never consults their community. There was no advance notice of this change that I could find. Just a bunch of frustrated users in my inbox blaming me for breaking something.

I don't know what the answer is. Perhaps a pop up saying "This website wants to see the location of your photos. Yes / No / Always / Never"? People get tired of constant prompts and the wording will never be clear enough for most users.

It looks like the only option available will be to develop a native Android app (and an iOS one?!) with all the cost, effort, and admin that entails. Android apps have a special permission for accessing geolocation in images.

If anyone has a working way to let Android web-browsers access the full geolocation EXIF metadata of photos uploaded on the web, please drop a comment in the box.

In the meantime, please leave a +1 on this HTML Spec comment.

Cheapest way to keep a UK mobile number using an eSIM

2026-03-30T07:48:52Z

I have an old mobile phone number that I'd like to keep. I think it is registered with a bunch of services for 2FA by SMS, but I can't be sure. So I want to keep it for a couple of years just in case I need it to log on to something.

I don't want to faff around with physical SIMs, so I went looking for the cheapest way to keep my number for the longest time. There are a whole bunch of providers out there who will do low-cost monthly contracts (like Spusu), which I don't want. Similarly, there are some pure PAYG providers who require you to top-up with £10 every few months (like 1pmobile).

In the end, I went with Lyca Mobile (affiliate link). Total cost was £10 which should last indefinitely.

The process isn't particularly straightforward. Here's how it works:

First, add a PAYG SIM to your basket and select "eSIM"

Next, click the Bin icon (🗑) in the top right. You'll get this pop-up:

Select "Discard plan & add credit" - you'll return to this screen:

The minimum top-up is a tenner, so select that. From there, you can add details of your old number, its porting code, and when you want the port to take place. Then pay.

Done! You'll receive your eSIM instantly. Scan it with your phone and you'll be up and running. The phone number porting will take as long as it takes.

OK, but will Lyca let you keep a number indefinitely? Here's what they say:

How long can I keep my number for if I don’t use any of Lyca Mobile’s services?

Normally we will keep your number for 120 days if you do not use our service. However, you may also keep your Lycamobile number for up to 1 year without using our service. Just dial *139*9999# from your Lycamobile and follow the instructions on the screen. Please be aware that there will be a fixed annual fee of £15 which will be deducted from your balance.

Source

Note, their chatbot says the fixed fee is a fiver. Like all half-baked AI systems, it is wrong.

So, what does "using" consist of? This is hard to find out! I think is any chargeable event. Based on their current PAYG pricing the cheapest options are:

Send an SMS for 23p
Use 1MB of data for 15p.

If I'm right, you could use 1MB of data every 120 days. That would deplete your credit in about 22 years. More than long enough for me!

There you have it, I'm pretty sure that's the cheapest way to keep a UK mobile number on an eSIM. You can keep it switched off for 119 days, flick it on, send a quick message, then shut it down again.

Click the referral link to join Lyca Mobile

[RSS Club] Why do you use RSS rather than Atom?

2026-04-09T15:24:22Z

This post is exclusive to feed subscribers. Enjoy!

This whole experiment is called RSS Club - but perhaps it should be called "XML-based distributed feed club"?

I've been playing about with local-only and privacy-conscious view tracking. I can see how many people click on my stories from HN or Google or anywhere else. I also decided to add the number of times a story is viewed by someone reading via feeds - like you!

Here's a typical day of page views:

First of all, I'm staggered that so many of you read this via feeds! Hurrah! And I'm amazed that I get more readers via feeds than Google. Every member of this secret RSS club is awesome 😘

When I originally set up this blog, it only supported RSS. At some point, WordPress added the more modern Atom feed format. Both get full support from me. But I'm wondering why so many people are still on RSS rather than Atom? Are there clients which don't support Atom? Is it just a legacy thing?

Should I redirect the RSS feed to the Atom feed or would that break things for you?

If you have any strong views on RSS 🆚 Atom, please drop me a comment via your favourite method.

Book Review: Small Comfort by Ia Genberg ★★☆☆☆

2026-04-04T13:03:54Z

I was left somewhat unconvinced by this book. I liked the concept - a series of interrelated stories all told in different styles.

Much like the film "Lola RenntRun Lola Run" there's a briefcase full of cash, a cast of morally ambiguous characters, and a meandering philosophical discussion about the nature of economic salvation.

It slams together the naïve and the cynical into a bunch of uneasy conversations.

I loved the slow-burn of the first story - the way it gradually revealed more and more about the characters. But throughout I was left wondering "where is this going?" The answer, disappointingly, was nowhere.

That's the heart of my problem with the book - it was compelling and frustrating in equal measure. The author herself states it best:

The reader needs something to hold on to. A glimmer of hope

It was stylish, there's no doubt about that. The texture of each story was gorgeous. The plotting was inventive and the morality interesting. I also enjoyed the bluntness of the social politics of economics. I just felt the whole was much less than the sum of its parts.

I read this as part of a new book club I'm attending. Thankfully, everyone else seemed to agree that it was a bit of a let down.

Theatre Review: Avenue Q ★★★★★

2026-04-08T09:00:22Z

I'll admit, I was a little sceptical about returning to Avenue Q. I saw it on its original West End run back in… OH MY GOD I AM SO OLD! FUCK! Where did the time go?

It's always hard to know how much to update a show. Does it need constant reinvention to stay in the zeitgeist or can it be pickled forever as a classic?

"I wish I had taken more pictures" was something that utterly resonated with me about my university experience. Photos were a rare commodity back when film still cost a couple of quid to develop. Perhaps today's uni students will sing "I wish I had posted less on Instagram"?

The show has been sympathetically updated. Some of the references have been modernised, a transphobic joke given the boot, and the lyrics tweaked to sometimes devastating effect. The song "Everyone's A Little Bit Racist" seems to have the most changes - and all for the better.

Parts of the show are adapted for a UK audience. Barely anyone here knows who Gary Coleman was so his intro is changed (although I guess part of the metajoke is that we all watched foreign celebrities on Sesame Street when we were growing up - so what's one more obscure cultural reference?). In the American show, the Bad Idea Bears proffer Long Island Ice Teas - that was a bit tame for UK audiences, so in the original UK run they guzzled absinthe daiquiris - a change inexplicably reverted for this limited run.

As a piece of pure entertainment it is spectacular. The laughs are genuinely non-stop and the whole auditorium rose to give the performers a well-deserved ovation. It is a tender and beautiful show which shows off the power of live theatre.

The songs are still stuck in my head and the puppetry is still amazing. Absolutely hilarious, genuinely shocking in places, utterly filthy - an excellent night out.

Pre- and Post-Show

I've written before about The art of the Pre-Show and Post-Show. With West End prices higher than ever, it is incumbent on theatres to make their shows a memorable and spectacular evening out. That can be as simple as a bit of set dressing in the foyer, or as extravagant as they can get away with.

The offering is pretty reasonable here. You can buy the T-shirt, hoodie, and commemorative socks at exorbitant prices. The souvenir programme is £8 and, while lush with photos, is pretty sparse. The original West End programme from the early 2000s had a pin-up calendar of Lucy The Slut, a bunch more funny photos, and fake autographs of the puppets.

There's a photo-booth for taking selfies, but it appeared to be broken.

It might been nice to have a few puppets placed around for people to take photos with.

One of the simplest things a venue can do is put on a themed cocktail menu. I'm surprised more shows don't do that. Who is going to turn down a glass of "The Internet Is For Pornstar Martini"?

The Shaftesbury Theatre itself isn't too cramped, even in the cheap seats. Although, at the back of the stalls, the overhang cuts off the top of the set which means you will miss a bit of action in some scenes.

While we were waiting for the show to start, the auditorium was filled with soundscape of subway cars rattling and distorted announcements. Again, fairly cheap and simple, but a nice way to build the mood.

As we exited, we were handed leaflets encouraging us to come back and bring our friends. Even better was the £10 discount on our next booking!

Considering this is a limited run, the production has done a fair job of getting the audience in the mood and rewarding them for their patronage.

Well done to all involved!

Did WordPress VIP leak my phone number?

2026-04-06T14:55:30Z

As discussed in my last blog post, the scumsuckers at Apollo.io have been giving out my personal details.

Not only did they have my email address, they also had a copy of one of my phone numbers. I asked them where they got it from and they said:

Your phone number came from Parsely, Inc (wpvip.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform.

I've never done any business with Parsely. They have no reason to have my phone number and absolutely no permission to share it with other organisations.

Back in 2021, Parsely became part of WordPress VIP. Ah yes, our old "friends" at Automattic with their somewhat lax attitude to privacy.

I took advantage of WordPress VIP's GDPR policy and sent a terse but polite "Hey, WTAF?" to them. Their response was quick:

Thanks for reaching out. We are currently investigating our systems to locate any personal data regarding your request. We appreciate your patience.

After a bit of prodding, they eventually replied with:

It appears that we obtained your contact information as a result of a meeting you had with a representative for the WPScan service around August 5, 2022. WPScan is owned by our parent company Automattic.

We have no record of Parsely, Inc. (which is no longer in existence) or WPVIP Inc. (the owner of the Parse.ly service) having any relationship with Apollo.io.

We also have no record of Parsely, Inc. or WPVIP Inc. having sold or otherwise provided your information to any third party.

I have no memory and no record of meeting anyone from WPScan - although I concede it is possible I did as part of a previous job.

But even if it was in an email signature when I contacted them that still doesn't explain how it made its way to Apollo for them to give to spammers everywhere. Was it a hack? A data leak? A treacherous employee? A deliberate sale? A sneaky app update? Or maybe just Apollo lying to me.

I don't care any more. I'm just so tired of shitty companies treating personal data as a commodity to be traded, sold, repackaged, and abused.

[RSS Club] Banana for scale

2026-04-05T22:19:46Z

This post is exclusive to RSS feed subscribers. Enjoy!

I've had this idea stuck in my head for a while, so I decided to make it.

This is "Scan Slowly And See".

The code is made by cloning some of the banana's spots. Do let me know if the QR code works for you 🍌

Someone at BrowserStack is Leaking Users' Email Address

2026-03-27T16:09:35Z

Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

A few weeks ago I signed up for BrowserStack as I wanted to join their Open Source programme. I had a few emails back-and-forth with their support team and finally got set up.

A couple of days later I received an email to that email address from someone other than BrowserStack. After a brief discussion, the emailer told me they got my details from Apollo.io.

Naturally, I reached out to Apollo to ask them where they got my details from.

They replied:

Your email address was derived using our proprietary algorithm that leverages publicly accessible information combined with typical corporate email structures (e.g., firstname.lastname@companydomain.com).

Wow! A proprietary algorithm, eh? I wonder how much AI it takes to work out "firstname.lastname"????

Obviously, their response was inaccurate. There's no way their magical if-else statement could have derived the specific email I'd used with BrowserStack. I called them out on their bullshit and they replied with:

Your email address came from BrowserStack (browserstack.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform.

The date of collection is 2026-02-25.

So I emailed BrowserStack a simple "Hey guys, what the fuck?"

I love their cheery little "No spam, we promise!"

Despite multiple attempts to contact them, BrowserStack never replied.

Given that this email address was only used with one company, I think there are a few likely possibilities for how Apollo got it.

BrowserStack routinely sell or give away their users' data.
A third-party service used by BrowserStack siphons off information to send to others.
An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.

There are other, more nefarious, explanations - but I consider that to be unlikely. I suspect it is just the normalisation of the shabby trade in personal information undertaken by entities with no respect for privacy.

But, it turns out, it gets worse. My next blog post reveals how Apollo got my phone number from from a very big company.

Be seeing you 👌

Welcome to RSS Club!

2026-04-03T14:42:06Z

What if I told you there was a secret social network, hidden in plain sight? If you're reading this message, you're now a member of RSS Club!

RSS Club is a series of posts which are only visible to RSS / Atom subscribers. Like you 😃

If I've done everything right⁰, this page isn't visible on the web. It can't be found by a search engine. It doesn't share to Mastodon or appear syndicated to ActivityPub.

Of course, that also means that I can't receive any comments or feedback about it. I'd love it if you dropped me a note to say you found this post. My contact details are on https://edent.tel/ - feel free to use whichever method you like.

So, what can you expect from this exclusive content? More of the same old nonsense - but probably stuff I don't want to argue about on Social Media.

As a first pass, let's talk about this "Let's write a constitution" post from Matt Ellery. In it, he discusses various fun / sensible things you could do with a written constitution. I particularly like the idea of having a "Prime Number Election".

In my modernist tweak, I'd set up something like this:

Local council elections every 3 years.
National MP elections every 5 years.
Upper chamber elections every 7 years.

That ensures that no one party can dominate. Once every 35 years, the upper chamber elections would be brought forward by one year, with their next term lengthened to 8 years.

I'm less sure about having the locals be at the same time for every council. I think that could be a lot of work for democratic volunteers. Perhaps stagger them into thirds or quarters of the year?

Either way, I doubt we'll be getting a written constitution any time soon!

There is every possibility I have not and am now scrambling to fix things. ↩︎

Book Review: Superintelligence - Paths, Dangers, Strategies by Nick Bostrom ★★★★⯪

2026-03-30T08:37:40Z

When I finally invent time-travel, the first thing I'll do is go back in time and give everyone a copy of this book. Published in 2014, it clearly sets out the likely problems with true Artificial Intelligence (not the LLM crap we have now) and what measures need to be put in place before it is created.

It opens with The Unfinished Fable of the Sparrows:

Which, frankly, should be the end of the discussion. Oh Scronkfinkle, why didn't they listen to you?

This book attempts to set out they why and the how of protecting humanity from the (inevitable?) arrival of machines which we would describe as "superintelligent". That is, capable of human-level reasoning and understanding, but unlimited in terms of speed, working memory, and accuracy.

For example, automated trading algorithms caused a "Flash Crash" of the stock market in 2010. Unchecked machines very nearly destabilised the financial work. As Bostrom writes:

[…] while automation contributed to the incident, it also contributed to its resolution. The pre-preprogrammed stop order logic, which suspended trading when prices moved too far out of whack, was set to execute automatically because it had been correctly anticipated that the triggering events could happen on a timescale too swift for humans to respond. The need for pre-installed and automatically executing safety functionality—as opposed to reliance on runtime human supervision—again foreshadows a theme that will be important in our discussion of machine superintelligence.

So where are those safety functions now? Are any of the AI providers building in guardrails to prevent atrocities? We know that some LLMs are restricted from sharing details about devastating weapons of mass destruction - but there seems little else put in place.

The book is mostly accessible but veers wildly between casual language, deep philosophical tracts, pointed snark, and the occasional dive into maths and physics. For anyone with even a passing interest in the progression of any technology, it is a worthwhile read.

Many of the predictions are spot on:

As of 2012, the Zen series of go-playing programs has reached rank 6 dan in fast games (the level of a very strong amateur player), using Monte Carlo tree search and machine learning techniques. Go-playing programs have been improving at a rate of about 1 dan/year in recent years. If this rate of improvement continues, they might beat the human world champion in about a decade.

In fact, AlphaGo achieved mastery at the end of 2016.

In the slightly longer term, the cost of acquiring additional hardware may be driven up as a growing portion of the world’s installed capacity is being used to run digital minds […] as investors bid up the price for existing computing infrastructure to match the return they expect from their investment

As I wrote about in "AI is a NAND Maximiser" this too has come to pass.

While LLMs weren't yet invented when this was written, there's an excellent prediction about how an AI could become a pernicious psychological adversary:

Caution and restraint would be required, however, for us not to ask too many such questions—and not to allow ourselves to partake of too many details of the answers given to the questions we do ask—lest we give the untrustworthy oracle opportunities to work on our psychology (by means of plausible-seeming but subtly manipulative messages). It might not take many bits of communication for an AI with the social manipulation superpower to bend us to its will.

Indeed, I think it is clear that this is already happening. While I don't ascribe malice (or any other motivation) to the AIs, it is clear that their makers have a bias towards obsequiousness.

Other predictions are perhaps a little wide of the mark:

if somebody were to succeed in creating an AI that could understand natural language as well as a human adult, they would in all likelihood also either already have succeeded in creating an AI that could do everything else that human intelligence can do, or they would be but a very short step from such a general capability.

We're a few years in to the LLM revolution and, while we can quibble about what "understand" means, it's clear that natural language can now mostly be interpreted by computers. But that doesn't seem to have made the leap to general intelligence, nor the acceleration of art and science.

Others are hopeful but possibly a bit naïve:

A future superintelligence occupies an epistemically superior vantage point: its beliefs are (probably, on most topics) more likely than ours to be true. We should therefore defer to the superintelligence’s opinion whenever feasible.

Yes, there probably are modern concepts which have more in common with "phlogiston" than reality. But if a scientist were to time-travel back to the early 1700s, how easy would it be for them to disprove the theory? Perhaps AI ought to exist in the "trust but verify" space?

It is slightly over-footnoted, with no distinction between citation and diverting passage. There's also a tendency to go off in fanciful directions - the stuff on genetically enhancing humans goes on a bit too long for my tastes. Similarly, the philosophy of maximising happiness by emulating brains and virtually doping them seemed unconvincing.

That said, some of the thought experiments are both fun and profound - the seminal "Paperclip Maximiser" was introduced in this book.

There are some downsides. An over-reliance on specific individuals like Eliezer Yudkowsky crowds out some of the other important thinkers.

One of the suggestions made has already fallen:

One valuable asset would be a donor network comprising individuals devoted to rational philanthropy, informed about existential risk, and discerning about the means of mitigation. It is especially desirable that the early-day funders be astute and altruistic, because they may have opportunities to shape the field’s culture before the usual venal interests take up position and entrench.

The "Effective Altruism" movement is now hopelessly compromised and seemingly in tatters. Similarly, the cult of rationalism has taken an unfortunate turn to the bizarre and dangerous.

Nevertheless, it's hard to argue with the philosophy. Whether or not "superintelligence" is ever achieved, we should have systems in place now to protect us. It's the same as any other technology - the time to set up nuclear non-proliferation agreements and the systems to monitor them was before we invented them.