2026-04-07 21:00:00
About ten years ago I sat down in front of a camera and recorded eleven videos showing how I play mandolin for contra dances. I've now done something similar with piano, this time with thirteen videos.
This is not a high quality effort: I didn't write any scripts or even plan what I was going to say. Think of it as if we spent half an hour together, with me showing you how I play. Also keep in mind that I'm self taught, and my particular style isn't for everyone. And my keyboard is wearing out, which means some of the keys make a clacking sound. And the first video cuts off part of my head, and the first eight videos have tape over the leftmost part of the camera. Ok, with caveats out of the way, the videos:
Last time I did this I put them on a new YouTube channel. In retrospect, that was a mistake: I haven't uploaded anything to that channel since that initial burst, and there's a good chance I never upload again. So I've just put these on my regular channel.
2026-04-06 21:00:00
Last week the US president announced that:
... if the Hormuz Strait is not immediately "Open for Business," we will conclude our lovely "stay" in Iran by blowing up and completely obliterating all of their Electric Generating Plants, Oil Wells and Kharg Island (and possibly all desalinization plants!), which we have purposefully not yet "touched." This will be in retribution for our many soldiers, and others, that Iran has butchered and killed over the old Regime's 47 year "Reign of Terror."
Yesterday morning he posted that:
Tuesday will be Power Plant Day, and Bridge Day, all wrapped up in one, in Iran. There will be nothing like it!!! Open the Fuckin' Strait, you crazy bastards, or you'll be living in Hell...
These are threats to target civilian infrastructure as a coercive measure, which would be a war crime: if Iran doesn't allow tankers through the Strait of Hormuz, the US will cause massive damage to power plants, bridges, and possibly water systems. The US has historically accepted that this is off limits: destroying a bridge to stop it from being used to transport weapons is allowed, but not as retribution or to cause the civilian population to experience "Hell". The Pentagon's own Law of War Manual recognizes this distinction: when NATO destroyed power infrastructure in Kosovo, it was key that the civilian impact was secondary to the military advantage and not the primary purpose. [1][2]
To be clear, what Iran has been doing to precipitate this, by attacking civilian tankers for the economic impacts, is itself a war crime. But that does not change our obligations: the US has worked for decades to build acceptance for the principle that adherence to the Law of War is unconditional. It doesn't matter what our enemies do, we will respect the Law of War "in all circumstances". We've prosecuted our own service members, and enemy combatants, under this principle.
I hope that whatever is said publicly, no one will receive orders to target infrastructure beyond what military necessity demands. You don't need to be a military lawyer (and I'm certainly not one) to see that such orders would meet the threshold at which a member of the armed forces is legally required to disobey. I have immense respect both for commanders who refuse to pass on such orders and for service members who refuse to carry them out. [3]
[1] The manual cites Judith Miller, former DoD General Counsel, writing on Kosovo that "aside from directly damaging the military electrical power infrastructure, NATO wanted the civilian population to experience discomfort, so that the population would pressure Milosevic and the Serbian leadership to accede to UN Security Council Resolution 1244, but the intended effects on the civilian population were secondary to the military advantage gained by attacking the electrical power infrastructure." If the impact on civilians had been the primary motivation for NATO's attacks on power infrastructure they would not have been lawful.
[2] "Military objectives may not be attacked when the expected incidental loss of civilian life, injury to civilians, and damage to civilian objects would be excessive in relation to the concrete and direct military advantage expected to be gained." (DoD LoWM 5.2.2) and "Diminishing the morale of the civilian population and their support for the war effort does not provide a definite military advantage. However, attacks that are otherwise lawful are not rendered unlawful if they happen to result in diminished civilian morale." (DoD LoWM 5.6.7.3)
[3] "Members of the armed forces must refuse to comply with clearly illegal orders to commit law of war violations." (DoD LoWM 18.3.2)
2026-04-05 21:00:00
I'm a huge fan of whipped cream. It's rich, smooth, and fluffy, which makes it a great contrast to a wide range of textures common in baked goods. And it's usually better without adding sugar.
Desserts are usually too sweet. I want them to have enough sugar that they feel like a dessert, but it's common to have way more than that. Some of this is functional: in most cakes the sugar performs a specific role in the structure, where if you cut the sugar the texture will be much worse. This means that the cake layers will often be sweeter than I want for the average mouthful, and adding a layer of unsweetened whipped cream brings this down into the range that is ideal. It's good in helping hit a target level of sweetness without compromising texture.
(This is a flourless chocolate cake with precision fermented (vegan) egg.)
I also really like how the range of sugar contents across each bite adds interesting contrast!
Cream isn't the only place you can do this. I like pureed fruit, ideally raspberries, to separate cake layers. Same idea: bring it closer to balanced while increasing contrast.
2026-04-04 21:00:00
Baking has traditionally made extensive use of egg whites, especially the way they can be beaten into a foam and then set with heat. While I eat eggs, I have a lot of people in my life who avoid them for ethical reasons, and this often limits what I can bake for them. I was very excited to learn, though, that you can now buy extremely realistic vegan egg whites!
EVERY engineered yeast to convert sugar into ovalbumin, the main protein in egg whites and the one responsible for most of its culinary function. This kind of fermentation was pioneered for insulin and microbial rennet in the 1980s, but many companies are now applying it to producing all kinds of vitamins, proteins, dyes, and enzymes.
EVERY has been working with commercial customers for several years, but you can now buy it as a shelf stable powder. At $24 for the equivalent of 45 egg whites ($0.53 each) it's more expensive than buying conventional ($0.21 each) or organic ($0.33) egg whites, but not massively so.
I learned about them from a coworker who made an angel food cake, and I've since made flourless chocolate cake and swiss buttercream frosting. It whipped and set just like egg whites; it's really impressive!
While this is great from a vegan perspective, it won't help most people who are avoiding eggs for allergy reasons: it's still ovalbumin. Labeling will generally say something like "contains: egg allergen", and the packaging I bought has the quite wordy "although not from eggs, the proteins may cause allergic reactions in certain individuals, especially those sensitive to egg, due to its similarity to real egg."
I'm now trying to figure out all the things that this now means I can cook for my oldest (no eggs for moral reasons). And also where the ability to make "less watery egg whites", by mixing the powder with less water than normal, could let me do things I couldn't otherwise.
2026-04-03 21:00:00
I've played a lot of dance weekends over the years [1] and if I could change one thing it would be no more challenging sessions. I see it happen every time: it's a great crowd of people, with a wide range of experience levels, and Saturday afternoon is going well. Then it's time for the challenging / advanced / experienced session. What happens? The dances are too hard for the crowd and it's not fun.
The callers had already been selecting dances that worked well for the group, which meant material that was interesting but not a struggle. Push the difficulty up from there, and what gives? You can take longer teaching, perhaps four minutes instead of two, which lets you explain material that's a bit harder, but only a bit and at the cost of a lot more talking. You can call no-walkthroughs, medleys, or even hash, but at most dance weekends you can get away with that at a regular session (and if you can't it won't work at a challenging session either). Or you can call material that's too hard for the crowd, and it falls apart in places.
To go well, challenging sessions can't just be a matter of picking harder dances, they require a group of dancers who are up to the challenge. This can work as a one-off event or even a whole weekend, where you communicate clearly what people should expect and people can self-select. It can work at a festival where you have multiple tracks and people can easily choose something else. But none of this applies to most dance weekends, since they only have one hall.
I think the desire for challenging sessions comes from two places. One is that some people just really like challenging dances, and I think the best you can do there is challenging-specific events. The other, though, and I think this is a bigger factor, is that a whole weekend of contra dancing can be a lot of the same. So if you're looking for ways to add some interest to the schedule without forcing the caller to choose between "that's not actually challenging" and "it's not fun when the dances fall apart", some ideas:
Teaching sessions, where the caller focuses on demonstrating a new skill. There are tons of possibilities here, including how to help a lost neighbor, role swapping, partner swapping, flourishes, swing variations, momentum and weight, and supporting other dancers in and out of moves.
Games sessions, where the caller has you do something unusual but also fun and educational. One session might include, sequentially, some dancers leaving the hall for the walkthrough, pool noodles, blindfolding, ghosts, sabotage and recovery, and teaching a different 1/4 of the dance to each 1/4 of the dancers.
A session of Chestnuts, Squares, Triplets, Triple-minors, or a mix of different unusual formations.
Early morning family dance with acoustic open band.
A "marathon" session, where you medley one dance after another and people typically drop out every so often to rest and swap around. Make sure you coordinate with the band(s) to ensure this is something they'd be up for playing for; it's not the default deal.
Play with tempo. Show the dancers what tempos from 104 to 128 feel like, and try the same dance at multiple tempos. Practice dancing spaciously at slow tempos, and with connected and efficient movement at fast ones.
You might notice I didn't include themed sessions like "flow and glide contras" or "well-balanced people". The variation in feeling from one dance to the next is key to keeping contra dance interesting, and while sessions that explore just one area still work, I personally think they're much less fun.
[1] I count 70: 54 with the Free Raisins and 16 with Kingfisher.
2026-04-02 21:00:00
Open source components are getting compromised a lot more often. I did some counting, with a combination of searching, memory, and AI assistance, and we had two in 2026-Q1 (trivy, axios), after four in 2025 (shai-hulud, glassworm, nx, tj-actions), and very few historically [1]:
Earlier attacks were generally compromises of single projects, but some time around Shai-Hulud in 2025-11 there started to be a lot more ecosystem propagation. Things like the Trivy compromise leading to the LiteLLM compromise and (likely, since it was three days later and by the same attackers) Telnyx. I only counted the first compromise in each chain in the chart, but if we counted each one the increase would be much more dramatic. Similarly, I only counted glassworm for 2025, when it came out, but it's still going.
In January I told a friend something like: "I'm surprised we're not seeing more AI-enabled cyberattacks. It seems like AIs have gotten to the point that they'd really be helping bad actors here, but it all still feels pretty normal and I don't understand why." While it's always hard to call the departure of an exponential from a noisy baseline, if this is AI helping with attacks we should expect this rate of increase to continue.
Other data points that have me expecting security to get worse before it gets better:
Linux is seeing a large increase in real security reports:
We were between 2 and 3 per week maybe two years ago, then reached probably 10 a week over the last year with the only difference being only AI slop, and now since the beginning of the year we're around 5-10 per day depending on the days (fridays and tuesdays seem the worst). Now most of these reports are correct, to the point that we had to bring in more maintainers to help us.
We're seeing the defender side, but attackers can use the same tooling.
Claude Opus 4.6 seems to be actually good at finding and exploiting holes:
When we pointed Opus 4.6 at some of the most well-tested codebases (projects that have had fuzzers running against them for years, accumulating millions of hours of CPU time), Opus 4.6 found high-severity vulnerabilities, some that had gone undetected for decades.
AI agents eagerly pull in unvetted dependencies if they seem like they'd solve the problem at hand, and while humans do this too the agents massively speed up this process.
But I do think it will get better: while I'm not an expert here, I see many factors that favor defenders:
I think it's pretty likely that security bugs in major software are for the first time being identified faster than they're being written.
Checking package updates for vulnerabilities was never something most people did, but automated systems could plausibly do it well.
Most programmers are pretty terrible at reviewing code in enough detail to notice something underhanded, but LLMs excel at this kind of attention to detail.
Developer education is hard, model education is much less so. I remember how long it took for SQL injections to go from a known attack to something most programmers knew not to do; it's way easier to keep LLMs from doing this.
Dependency cooldowns are very simple, but would help a lot.
Migration to more robust systems is more automatable. Automated conversion from C to Rust, switching to TrustedTypes, etc.
I wish defenders in biology had the same structural advantages!
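A sketch of the dependency cooldown idea from the list above, as an added example that is not from the original post: only accept a release once it has been public for a minimum number of days, so a compromised version has time to be noticed and pulled before you install it. The metadata is a constructed sample shaped like the version-to-publish-time map in npm registry metadata, and the function names and the 7-day default are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the version -> publish-time map that the
# npm registry returns as "time"; the versions and dates are made up.
SAMPLE_TIMES = {
    "created": "2025-01-10T09:00:00Z",
    "modified": "2026-04-01T12:00:00Z",
    "1.4.0": "2026-02-01T10:00:00Z",
    "1.4.1": "2026-03-10T10:00:00Z",
    "2.0.0-beta.1": "2026-03-01T12:00:00Z",
    "1.5.0": "2026-03-30T08:00:00Z",
    "1.5.1": "2026-04-01T12:00:00Z",
}

def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_version(text):
    """(major, minor, patch) for plain x.y.z; None for prereleases and
    for non-version keys such as "created"."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def newest_cooled(times, now, cooldown_days=7):
    """Newest stable version published at least cooldown_days before now."""
    cutoff = now - timedelta(days=cooldown_days)
    cooled = [(parse_version(v), v) for v, ts in times.items()
              if parse_version(v) and parse_ts(ts) <= cutoff]
    return max(cooled)[1] if cooled else None

def audit_pin(times, pinned, now, cooldown_days=7):
    """Check a lockfile pin: (ok, age_in_days); unknown versions fail."""
    if pinned not in times or parse_version(pinned) is None:
        return (False, None)
    age = now - parse_ts(times[pinned])
    return (age >= timedelta(days=cooldown_days), age.days)

if __name__ == "__main__":
    now = datetime(2026, 4, 2, 21, 0, tzinfo=timezone.utc)
    print(newest_cooled(SAMPLE_TIMES, now))       # resolver picks this
    print(audit_pin(SAMPLE_TIMES, "1.5.1", now))  # too fresh to accept
```

The same delay applies to legitimate security fixes, so a real deployment needs a reviewed override path for urgent updates.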
[1] Here's my attempt at earlier years, all with a bar of "compromise of a widely used open-source trust path that forced action well beyond the directly compromised maintainer or project":