Zack Fitch

We need to spend some time rethinking our reliance on #NTP. ndss-symposium.org/wp-content/upl… Modern infrastructure is crossing a control boundary: "user" no longer means "human." Today, a user may be a person, service account, workload identity, agent, device, process, or autonomous machine principal. csrc.nist.gov/glossary/term/… Once non-human principals can own machines, operate workloads, provision infrastructure, and participate in timing systems, they become actors in the production of operational truth. Time synchronization is one of the lowest layers of that truth. This means that attacks on identity boundaries, kernel boundaries, container isolation, or NTP control planes are not just local security failures. They are routes that allow programmatic actors to alter the temporal substrate that every other machine uses to decide validity, ordering, causality, and trust. The critical security failure here is the severance of “user” from “human.” As it stands, machines can be users, and users can own machines, therefore our infrastructure authenticates principals without resolving whether those principals are human-controlled, machine-controlled, agent-controlled, or recursively delegated. In systems such as NTP, where distributed machines act as witnesses for time, it allows for identity ambiguity to turn itself into truth ambiguity. A malicious or compromised non-human controller doesn't need consciousness, personhood, or intent in any human sense. It needs valid credentials, sufficient permissions, and access. Exactly what the current model hands out. This is what we built it to do..

Try debugging in a different session from the one you’re developing in. One for writing code, one for debugging. For debugging. It helps to explain what you’re working on and how you’re struggling: trying to translate visual bugs via text so that an agent can understand. Once you have a good debugging session ask the agent to skillify it and it’ll check the session and create a skill for you to use. One of my favorite tricks is asking the model to create a braille map of something. You can encode meaning right into a visual structure :)

I'm finding that asking LLMs to debug 3D graphics problems can be an experience in frustration. They can't see the program running so you have to describe the issue to them. They speculate as to the cause of the issue and are often confidently wrong.

@alexandr_wang @iScienceLuvr Hot Rockets

@iScienceLuvr nope

Why is Meta's lab name still TBD, haven't they figured out a name by now? 😭

@josevalim Any press is good press

The whole Anthropic kerfuffle would have gone much smoother if they had been upfront about it. "Hey, we know this is unpopular, but we are moving programmatic access to API pricing. To easen the transition, we are giving API credits that match your subscription value. We also expect this change to increase capacity, so we are doubling the limits throughout Claude products for the next 2 months". The reason they made it sound like an upgrade was because the announcement was not for developers. It was for investors and enterprise customers. Impacting devrel is just collateral damage, which is on par for a company which believes coding is going away any time now. And this is extremely disapointing because they want to position themselves as a company that we should trust. But if they can't be honest about pricing changes, it is really hard to believe them on anything else.

@francoisfleuret Strong agree

Also Jacobi iterations are the shit.

@jmwind What does it mean to be an AI native company? J/w

Joined a new AI-native company this week and it’s kind of wild how different it feels already. The laptop arrived, I logged in, and an agent basically took over from there. It set up my dev env, pulled repos, fixed dependency issues, got permissions approved, pointed me at the backlog, linked the architecture docs, and surfaced the Slack debates I actually needed to read before touching production. When I needed context on something, I asked the agent and it found the exact thread from months ago explaining why a decision was made, who owned it, the related Linear issues, and the PRs connected to it. I’ve only been here 3 days but it honestly feels like I’ve worked here for a year because the usual friction and scavenger hunt for context just isn’t there anymore. We should probably stop calling this “onboarding” and rename it to “mounting” because this feels a lot more like mounting a distributed filesystem called “institutional memory” than slowly getting drip-fed context over 6 months.

"What's the best thing about RoPE?" Easy. RoPE is usually described as rotating vectors, making it sound like a simple trick. The rotation is the mechanism. The representation is the point. Position stops being a label and starts being an action. A learned embedding pins a name to each token's seat. RoPE hands the model a way to walk through the room. Once position is an action, clean, reversible, length-preserving, composing the way distances add, the rest stops looking like engineering. Relative position falls out of the inner product. Norms survive because the move can't stretch the room. Length extrapolation isn't a hack, it's just what composition does. Heads tune to different frequencies of the same underlying motion. The lesson is older than RoPE. It's algebraic. At scale, the architectures that win are the ones that hand the model a symmetry instead of asking it to discover one from examples.

Sonnet really is something special. Still the only model to get BETTER with long context. @AnthropicAI could consider postponing the retirement until another model can repeat the same behavior ;)

@chloeallegra228 @mouse_math How dare you!!! Jk I feel it but I love it

@mouse_math number theory doesn’t rlly do it for me maybe measure theory and functional analysis are annoying as fields

what's the most annoying field of mathematics?

Inherit all of Nothing: How a One-Line Security Function Silently Poisoned the OpenAI Codex CLI for 100 Days—and the Latent Misalignment It Left Behind nw.ns2.sh

Just some extra pics

Had a blast at the Claude code dev event thanks for the invite @AnthropicAI

Hmmm

@emollick There’s a good chance they don‘t even know it was removed from the UI.

The silent removal of Study Mode from ChatGPT is a big mistake (both Claude and Gemini still have theirs) We have enough evidence that using AI in assistant mode to study can hurt learning because it just gives you answers, making students think they learned when they have not. You can prompt the model to be a very good tutor, but most people don't know to do that. Study mode was an easy option that parents and teachers could suggest to mitigate negative effects, even if it wasn't perfect. OpenAI still has a page about it, and the link activates study mode but otherwise there seems to be no way to select it from a menu for most accounts. openai.com/index/chatgpt-… (Deleted this by accident, sorry, so reposted!)

@_arohan_ Directionally correct, but in the wrong basis.. unfortunately.

What research did you get done this week? Was it directionally correct?

The danger is not that machines become people. The danger is that infrastructure already treats machines as users. Beverly and Rye (NDSS 2026, ndss-symposium.org/wp-content/upl…) just looked closely at the NTP Pool. Of its "active" servers, only 19.7% are fully independent. One account controls 340+. Ten servers or fewer can monopolize the time traffic of 90% of countries. The pool's own monitor layer can be selectively deceived. And the pool is mid-migration right now: more volunteer principals onboarding under monitoring v4, control plane splitting across new clusters. They can tell you one account holds 340 servers. They can't tell you what kind of principal is behind that account. Nobody can. The pool doesn't ask. The systems built on top of "valid credential = legitimate principal" don't ask. Identity ambiguity turns itself into truth ambiguity, and nobody is positioned to notice except by accident. I'm putting this out because I want to find the people already sensing it. There isn't a canonical doc yet. There isn't a rule to point at. The shape of the problem precedes the language for it, which is where human work gets done. If you've been circling something like this - at the identity layer, the orchestration layer, the witness layer, anywhere it's surfacing for you, I'd like to hear where you're seeing it.

Sources: RFC 5905 RFC 8915 NTP Pool Monitoring v4 NTP Pool monitoring docs NTP Pool February 2026 infrastructure migration Linux capabilities(7) Linux clock_settime(2) Linux user_namespaces(7) Linux time_namespaces(7) Windows SeSystemtimePrivilege Windows Event 4616 Garrido CopyFail post Linux AF_ALG userspace crypto docs Linux splice(2) Podman rootless docs NIST user glossary NIST SP 800-207 SPIFFE workload identity docs

We need to spend some time rethinking our reliance on #NTP. ndss-symposium.org/wp-content/upl… Modern infrastructure is crossing a control boundary: "user" no longer means "human." Today, a user may be a person, service account, workload identity, agent, device, process, or autonomous machine principal. csrc.nist.gov/glossary/term/… Once non-human principals can own machines, operate workloads, provision infrastructure, and participate in timing systems, they become actors in the production of operational truth. Time synchronization is one of the lowest layers of that truth. This means that attacks on identity boundaries, kernel boundaries, container isolation, or NTP control planes are not just local security failures. They are routes that allow programmatic actors to alter the temporal substrate that every other machine uses to decide validity, ordering, causality, and trust. The critical security failure here is the severance of “user” from “human.” As it stands, machines can be users, and users can own machines, therefore our infrastructure authenticates principals without resolving whether those principals are human-controlled, machine-controlled, agent-controlled, or recursively delegated. In systems such as NTP, where distributed machines act as witnesses for time, it allows for identity ambiguity to turn itself into truth ambiguity. A malicious or compromised non-human controller doesn't need consciousness, personhood, or intent in any human sense. It needs valid credentials, sufficient permissions, and access. Exactly what the current model hands out. This is what we built it to do..

@janleike hmu if u need nw.ns2.sh

Some personal news: I am starting a new research project at Anthropic. Very excited about this! Many things are needed to make AGI go well, and alignment is only one of them. More on this soon…

@kevinrose Mojibake.. bad memories

a little project i've been hacking on: di.gg bugs expected. more topics soon.

“mathematics is the music of reason”