A video I’ve shared with friends recently is when Harry Mack ran into Ari, which was fun for me because they’re two of my favorite accounts to follow. Sorry I didn’t freestyle! I had to get back to do some work, which is why I got the monitor.
In other cool X/Twitter news, they launched an awesome feature today that lets you restrict replies not just to people you follow, but to people they follow as well. Nikita gave a hat tip to the conversation I had with Peter Levels / @levelsio.
This is a little embarrassing to share, but I’d rather someone else be able to spot a dangerous scam before they fall for it. So, here goes.
One evening last month, my Apple Watch, iPhone, and Mac all lit up with a message prompting me to reset my password. This came out of nowhere; I hadn’t done anything to elicit it. I even had Lockdown Mode running on all my devices. It didn’t matter. Someone was spamming Apple’s legitimate password reset flow against my account—a technique Krebs documented back in 2024. I dismissed the prompts, but the stage was set.
What made the attack impressive was the next move: The scammers actually contacted Apple Support themselves, pretending to be me, and opened a real case claiming I’d lost my phone and needed to update my number. That generated a real case ID, and triggered real Apple emails to my inbox, properly signed, from Apple’s actual servers. These were legitimate; no filter on earth could have caught them.
Then “Alexander from Apple Support” called. He was calm, knowledgeable, and careful. His first moves were solid security advice: check your account, verify nothing’s changed, consider updating your password. He was so good that I actually thanked him for being excellent at his job.
That, of course, was when he moved into the next phase of the attack.
He texted me a link to review and cancel the “pending request.” The site, audit-apple.com, was a pixel-perfect Apple replica, and displayed the exact case ID from the real emails I’d just received. There was even a fake chat transcript of the scammers’ actual conversation with Apple, presented back to me as evidence of the attack against my account. At the bottom of the page was a Sign in with Apple button that he told me to use.
I started poking at the page and noticed I could enter any case ID and get the same result. Nothing was being validated. It was all theater.
“This is really good,” I told Alexander. “This is obviously phishing. So tell me about the scam.”
Silence. *Click*.
Once I’d suspected what was happening, I’d started recording the call, so I was able to save a good chunk of it, which Jamie Marsland used to make a video about the encounter. You can hear for yourself exactly how convincing “Alexander” was.
So let my almost-disaster help you avoid your own. Remember these rules.
Don’t approve any password-reset prompts—those are the first part of the attack. Do not pass Go, just head directly to your Apple ID settings.
Apple will never call you first.
When you get an email from Apple—or, really, anyone telling you to complete a digital security measure—check the URL they’re trying to send you to. Apple Support lives on apple.com and getsupport.apple.com, nowhere else.
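The URL check above, as an added example (not code from the original post): a naive "does the link mention apple.com" test passes the phishing domain, while comparing the parsed host against the two hosts the post names does not. Accepting subdomains of those hosts and requiring https are assumptions of this sketch, and every sample link except the audit-apple.com host is constructed.

```python
from urllib.parse import urlsplit

# Hosts the post names as Apple Support's home. Accepting their subdomains
# (for example support.apple.com) is an assumption of this example.
APPLE_HOSTS = ("apple.com", "getsupport.apple.com")


def naive_check(url: str) -> bool:
    """What a hurried reader does: look for 'apple.com' anywhere in the link."""
    return "apple.com" in url.lower()


def link_host(url: str) -> str:
    """Return the host a browser would actually connect to, lowercased."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":  # assumption: only https links are trusted
        raise ValueError("not an https link")
    # .hostname drops any 'user@' prefix and the port, leaving the real host.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError("no host in link")
    # Convert internationalised names to ASCII so lookalike letters
    # surface as xn-- labels instead of rendering like 'apple'.
    return host.encode("idna").decode("ascii")


def is_apple_support_link(url: str) -> bool:
    """True only if the host is one of APPLE_HOSTS or a subdomain of one."""
    try:
        host = link_host(url)
    except ValueError:  # also covers UnicodeError from the idna codec
        return False
    return any(host == h or host.endswith("." + h) for h in APPLE_HOSTS)


# Constructed sample links; only the audit-apple.com host comes from the post.
SAMPLES = [
    "https://getsupport.apple.com/",
    "https://support.apple.com/en-us",
    "https://audit-apple.com/case",
    "https://apple.com.support-case.example/",
    "https://getsupport.apple.com@audit-apple.com/",
    "https://\u0430pple.com/",  # first letter is Cyrillic, not Latin 'a'
]


def classify(urls):
    """Return (url, naive verdict, host-based verdict) for each link."""
    return [(u, naive_check(u), is_apple_support_link(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in classify(SAMPLES):
        print(f"naive={naive!s:5} host-check={strict!s:5} {url!r}")
```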
After all, the best protection is knowing what this looks like before it happens.
Thank you to Peter Rubin and Jamie Marsland for putting this all together.
Tonight was one of my most surreal Claude Code Sundays. To make a long story short, I pointed Claude Code at my Sonos setup in Houston: “All 29 Sonos speakers were running on WiFi with SonosNet completely disabled. They had accumulated ~89 million dropped packets across the system. That packet loss is why groups kept falling apart – Sonos grouping requires tight sync between speakers, and the WiFi was too congested to deliver it.”
We had a wild rollercoaster where at one point it bricked several of my devices (green LED), got mixed up on some groupings being a home theater, and sent me all around the house plugging things in to ethernet or not. At one point, I was certain I’d have to redo everything from scratch. Then we came back and everything worked, I asked, “What song should we play to celebrate this accomplishment?”
Ha – has to be “The Chain” by Fleetwood Mac. Seems fitting given we just spent the evening fixing one. Want me to queue it up on the Gym/Office?
It then failed horribly at trying to play that song, then, because it thought the speakers were re-meshing, it tried to play it on outdoor speakers, which would have surprised my neighbors at midnight. I ended up picking the song manually, and I must say it’s quite nice. I see why it’s easy to fall in love with these things, because the variable positive reinforcement slot machine cowboy hacking is honestly more fun than if it had just gotten it right on the first try.
America is home to 1m taxi and bus drivers, as well as over 3m truck drivers—adding up to 3% of the working population. Other potential losers are less obvious. Without car accidents there will, for instance, be less demand for personal-injury lawyers. If people stop buying cars, dealers and used-car salesmen will go.
It’s fascinating to think a few chess moves down the line, for example, fewer personal-injury lawyers funding politicians might lead to some form of Tort Reform, an area of society that, like gun control, has centrist changes most Americans would agree with, but has been captured by special interests.
One of my favorite hobbies is home networking and wifi, and once you go down that rabbit hole one of the best companies you can follow is Unifi. They’re such a cool company in so many ways, from having a 4-person board of directors, as a public stock. You can clearly tell they delight in bringing great design to hardware, in an Apple-like attention to detail.
They ship such cool products regularly, across an entire ecosystem that spans cameras to access control, it’s hard to describe everything they can cover, and they’ll even have random stuff that integrates into their system like EV charging or digital signage. I get as excited when they ship a new generation of hardware as I do for an iPhone launch.
But what’s exciting is that they just launched 5G bridging, with some fun devices that connect everything. I imagine someday I’ll have a Unifi puck hooked up to Starlink, providing amazing routing and connectivity anywhere in the world, powered by some PoE battery.
Werner Vogels, CTO at Amazon, boldly publishes his 2026 tech predictions. While you’re on his blog, take a moment to enjoy his essay, Development gets better with Age. Werner and I first crossed paths almost 20 years ago at tech conferences like GigaOm’s Structure, LeWeb, Future of Web Apps, O’Reilly Etech, and TheNextWeb. Though we don’t see each other often, I have enjoyed following his work and writing over the years, and it delights me that he’s still learning and sharing with the same vim and vigor I remember from when we first met. I think he might have been the first person to introduce me to the works of Richard Feynman through a BBC program.
If you have ever customized your home setup, or done extra work to make the cable just so, it’s impossible not to delight in the very deep rabbit holes this person goes in 3D-printing custom holders for everything in his junk drawer. I’m in awe. It’s an ad for Bambu Lab, but honestly it’s the kind of thing I could watch all day. So satisfying. Scott Yu-Jan is someone to keep an eye on.
To me, this embodies the maker / hacker / creator mentality that I try to imbue in all the software I work on. How do you make it your own? One of one, but then open source it and see how it gets better.
I’m often on the other side, but it’s such a delight to be an interviewer, I really enjoy it and put a lot of work into coming up with questions and shaping a conversation I think will draw out something novel from the person. Besides the Distributed Podcast, I’ve had a chance at events to interview great minds such as Steve Jurvetson, Patrick Collison, Dries Buytaert, and now John Borthwick.
We discussed his early investments in Airbnb and Tumblr, what made the NYC tech scene so special back then, and how it has evolved since. We also touched on the recent mayoral race, where Betaworks fits into the city’s tech ecosystem, and delved into one of my favorite topics: the comparison between open-source and proprietary models in AI.
It’s very interesting to compare my Wikipedia article and my Grokipedia article. The Grokipedia version is much, much longer, and does a better job of listing my accomplishments versus some random recent controversy. (Will someone reading about me a hundred years from now care that WordPress briefly had a sustainability team as one of its dozens of teams?) But at least everything on Wikipedia is true! On Grokipedia:
WooCommerce, an open-source e-commerce platform integrated with WordPress, enables online stores and has facilitated over $1 trillion in annual commerce as of 2023.
While I actually believe someday, probably around 2037, Woo will facilitate a trillion in commerce annually, that number is off by a couple orders of magnitude right now. 🙂
As with all software, we shouldn’t come to conclusions based on the 1.0 but rather look to its vector and speed of iteration, so I’ll reserve judgment on Grokipedia for now.
I love Wikipedia. I’ve been a contributor since it started, and I think it embodies Open Source ideals in a really beautiful way. For a little love letter to Wikipedia check out this article by Jason Koebler, Grokipedia Is the Antithesis of Everything That Makes Wikipedia Good, Useful, and Human. My take: If you think there’s something wrong with the Wikipedia, the way to fix it is to get involved and contribute. They have a robust community.
I have some “grand theories” of software engineering: I think there are two tribes of engineers that complexify things or simplify things, and they are in eternal conflict.
Some days, like this morning when I almost missed my flight to WordCamp Canada in Ottawa, I’m so overwhelmed with the maelstrom of ideas and sparks of creation that it feels like waves crashing against a dam. There are so many ways I can imagine new software, new products, new ways for the world to be.
This is a beautiful process, but it’s also painful! The anguish and agony arise as you attempt to distill the ideas and sparks; the creativity dims, and the beauty and perfection of the original inspiration fade, as I try to translate it into something that can become real and be legible to others. That’s why I have to drop everything when inspiration strikes, because if I try to return to it later, I find the muse has left and I can’t bottle that energy anymore. (There’s a reason Eric, Tantek, and I put “muse” into the XFN standard!)
To the extent I’ve been successful at all in my life, it is because I’m able to contain this tornado and break it down into plans, business models, people, and teams. I’ve never done anything useful on my own; it’s always been in conversation and partnership with others.
I’d like to introduce you to Jeremy Kranz. With his career as an investor at Intel Capital, then GIC, which is the sovereign wealth fund of Singapore rumored to manage over $700B, to now running his own fund Sentinel Global, he has had a front-row seat to investments in industry changing companies such as ByteDance (which became TikTok), Alibaba, Uber, DoorDash, Zoom, DJI (which changed the drone industry and arguably modern warfare), and many more I’m probably not even aware of.
When I first met Jeremy in 2014, I was amazed that a late-stage financial investor could understand Open Source so well, and he immediately grokked what Automattic was doing in a way that I think has little parallel in the world. (Today, it reminds me of Joseph Jacks at OSS Capital.) Deven Parekh of Insight Partners led Automattic’s 1.16B valuation Series C round, making us one of only forty “unicorns” (private companies valued over a billion dollars) at the time, and one of the reasons they beat out others as the lead of the round was that GIC/Jeremy was an LP of Insight so they could directly co-invest. GIC is so intensely private I couldn’t even mention them in the announcement at the time even though they were the catalyst for the round. Since then, Jeremy has become a close friend and advisor, and he even took me to my first Grateful Dead concert.
Eleven years later, this is his first podcast! Jeremy shares incredible alpha around China, AI and its adoption in the enterprise, how asset allocation is evolving, and at the end, a beautiful tie together of the Grateful Dead and Open Source.
I was reminded today of the profound marketing influence of Kathy Sierra, who was a pretty prolific blogger and speaker back in the day. I would summarize her thesis as such: Your best marketing and communication should talk about how you make your users awesome, not how you’re awesome. If you’d like to check out some of her talks, she spoke at WordCamp in 2008, at Business of Software in 2013, and at Mind the Product in 2015.
One of the cooler companies I’ve seen in a while is LumaField, which does industrial CT scanning, as they describe it.
Industrial X-ray CT (Computed Tomography) works on the same basic principle as medical CT, taking hundreds of X-ray images from different angles to capture the internal and external structure of objects in three dimensions.
I have two interesting interviews to share with you today, the first is Lex Fridman interviewing Pavel Durov, the founder of Telegram. I started using and advocating for Telegram back in 2015, and Audrey Capital was part of their aborted fundraise in 2018. As a software craftsperson, I’ve always had tremendous respect for the team and the rate at which they shipped truly novel design and UI. I’m amazed by the speed at which they ship major features across multiple platforms. The network also has incredible resiliency, which they get into on the podcast. As I’m often in poor connectivity situations in planes or remote locations, Telegram has been one of the networks that works most reliably.
I’ve met Pavel only briefly about a decade ago, but have followed his story as he’s a unique character with an ascetic lifestyle, target of many intelligence agencies, sperm donor father of 100+ children, and many other unique characteristics. I use Telegram like I use X/Twitter, I put things I consider semi-public on it and I think of it like a social network and development platform, and since 2022 I’ve cross-posted my blog to a Telegram channel using a Jetpack bot. It’s probably my favorite community platform. The four hour interview between Lex and Pavel covers a lot of ground, but product builders will probably appreciate most the middle part around the 2-hour mark where they go into their engineering and design philosophies. (BTW I usually watch/listen to these at 2x speed.)
I know this seems like an unusual pairing, but both Pavel and Weird Al are hackers in the sense that they examined the rules of the system and decided to create a new game.
Sometimes the battle for open source and freedom can take on very prosaic and practical terms, but the wins can benefit everybody. To give an example: In Beeper we need more memory for showing notifications, because we support end-to-end encryption for networks like Signal, but Apple’s default was to only give 15 megabytes — barely enough to do anything. The previous CEO of Beeper, Eric Migicovsky, started a lobbying effort with the EU’s Digital Markets Act on behalf of the team to give third-party apps the same memory limits that Apple provides for their own apps, which is 50MB instead of 15MB. (And up to 250MB on their higher end devices.)
Today we’ve gotten a notification that as part of the iOS 26 update Apple has shipped to 2.3B devices around the world, our memory limits issue has been addressed globally, for every application developer, and some interoperability requests we had for SMS/RCS have been addressed for EU users. Kudos and huge thank you to Apple for giving us all new capabilities to build amazing experiences for users on par with what they seek to deliver themselves. If you want to geek out on this, check out the technical deep dive that Beeper just posted.
BTW, if you haven’t heard of it yet, Beeper is an Automattic product which aims to democratize messaging, just like WordPress democratized publishing for the world, by allowing you to get all your messages from friends across 11 different networks, like WhatsApp, Instagram, Telegram, Twitter/X, Signal, Discord, in one single inbox. The new version we launched in July does this in a completely secure way that’s local to your device, so the same encryption, privacy, and security each network provides is maintained.
This really gets to my vision for Gutenberg to be a builder that anyone can use to create an incredible website, like legos anyone can assemble anything they imagine on the web. This is why I said Gutenberg is bigger than WordPress.
When I studied economics, one of the concepts that struck me the most was the concept of externalities. This International Monetary Fund post explains it well. In short, externalities are costs or benefits of an economic activity that affect third parties who did not choose to incur them, leading to a divergence between private and social costs or benefits. They’re spillover effects—positive or negative—that the market price fails to reflect. A classic example is air pollution from a factory, where nearby residents bear health and environmental costs not included in the price of the factory’s products.
Open source is full of externalities. On the positive side, adoption creates ecosystems of developers and provides many paths of distribution. On the negative side, there’s often underinvestment in the very projects that sustain the ecosystem. I have a lot of empathy for why, when open source meets finance and private equity, things can go sideways. You can look at a business built on open source and see seemingly amazing margins—efficient R&D that compounds in a DCF model. A percent here or there over many years really adds up.
My plea to investors in open-source businesses is this: when a business is built on top of open source, incorporate a restorative investment percentage back into the projects critical to the end-user experience of what you’re offering customers. In WordPress, we call this Five for the Future, but it doesn’t have to be five percent; it could be 0.1%. Plan for it when modeling your expected IRR hurdle from an investment. Then, a few years down the line, when the small percentages start to add up, you won’t face a big catch-up or gap.
This underinvestment is itself an externality. It doesn’t appear on the balance sheet, but it can manifest in black swan events, such as security breaches or remote code exploits. Technical debt is one of the largest unaccounted-for externalities in the world today. Engineering, in the long run, is primarily a craft of maintenance rather than creation. The bulk of the cost of something comes from its upkeep over time.
It’s New Apple Stuff day, so the headlines are being dominated by that, but it’s worth taking a step back and paying homage to the site that has been the front page of tech news for two decades now, Techmeme. I’ve been a daily visitor since it started, and I appreciate how they pair the algorithm with a light human touch to provide a wide overview. (WordPress-powered!) Fred Vogelstein at Crazy Stupid Tech has a great review of how Techmeme started and evolved.