Bay

Hello Senator Thune, At 3 AM on Friday, March 27th, in a near-empty chamber, you passed a bill by voice vote that excludes all funding for ICE and CBP. Let me repeat that: voice vote. No roll call. No record of who was there. No accountability. Just you, Barrasso, and a handful of senators shuffling paper in the dead of night while America slept. You could have demanded a recorded vote. You chose not to. You could have held the line for five more days until the House returned. You chose not to. You could have used the same procedural tools Democrats have used against you for 40 days. You chose not to. Instead, you gave Chuck Schumer exactly what he asked for, DHS funding minus immigration enforcement, and called it a win. Then you walked to the cameras and blamed the Democrats. Let's be precise about what you did: 1. You caved to a demand Democrats made on Day 1 of this shutdown. Forty-one days of supposed hardball negotiation, and you settled for their opening offer. 2. You handed them a template. The next time Democrats want to defund any agency — ICE, CBP, or anything else — they now know: just shut down DHS and wait. John Thune will fold at 3 AM. 3. You punted to reconciliation. "Good possibility," you said. Not "we will." Not "guaranteed." Just maybe. Meanwhile, ICE operates on fumes from last year's bill with no certainty of future funding. The precedent you set: You have argued for months that the filibuster is sacrosanct. That the 60-vote threshold protects minority rights. That we cannot bend Senate rules for policy wins. But at 3 AM on Friday, you bent every norm that actually mattered: • Voice vote to avoid accountability • Empty chamber to avoid debate • Midnight deal to avoid scrutiny • Immediate recess to avoid questions You'll bend the rules to avoid a fight. You just won't bend them to win one. What you've actually accomplished: Democrats demanded ICE restrictions. They got ICE defunded. Not reformed. Not restrained. Defunded. And you're out here tweeting about how Democrats are the "Defund the Police" party while you just voted to defund border enforcement at 3 in the morning. The question you should answer: Why did this deal have to happen at 3 AM? Why couldn't it happen at 3 PM, with cameras rolling and every senator on record? You know why. Because you didn't want your voters to see what surrender looks like. Here's my message: We saw it anyway. Stop hiding behind "Democrat obstruction." You're the Majority Leader. You set the schedule. You control the floor. You chose this outcome. Own it.

San Diego politicians aren't just coming for your wallet — they're raiding it from every direction. A new county sales tax. A 5,000% increase on the real estate transfer tax. A payroll tax ripped straight from your paycheck. And that's just the county. The City of San Diego is piling on too — a one-cent sales tax pushed by labor unions, a vacation rental tax, Balboa Park parking fees, 14.7% water rate hikes, new trash fees, and higher rec fees. 9+ new taxes and fee increases. All targeting YOU. How much more can your family afford?

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.