Jim Nielsen’s Blog

I don’t much enjoy being a lab rat to your half-baked ideas.

I can tell when your approach to what I use is: “Ship it and let’s see how people respond.”

Well let me tell you something: I’m not going to respond.

My desire to give you constructive feedback is in direct correlation to your effort to care — about your communications, about what you ship, even about what you don’t ship.

Just because you ship some half-baked feature doesn’t mean I’m going to take the time to tell you whether I find it any good.

Doubly so in the age of AI. I know how easy it is for you to ship slop, why should I take the time to formulate careful feedback on your careless output?

I can disagree with product decisions, but I won’t get mad at thoughtfulness and care. I respect that.

But I will very much disagree with and get mad at product decisions devoid of thought and care. I have no respect for that.

It’s not really worth my time to respond to such a posture of shipping software, and yet here I am writing about it. Because I care about the things I choose to (or am required to) use.

So this is my one-time, general-purpose piece of feedback to all such purveyors of digital goods and tools. Just because nobody tells you that what you shipped sucks, doesn’t mean it’s worth keeping. You can’t measure an apathetic response because it is, by definition, the absence of data.

Reply via: Email · Mastodon · Bluesky

The setup for my notes blog looks like this:

• Content is plain-text markdown files (synced via Dropbox, editable in iA Writer on my Mac, iPad, or iPhone)
• Codebase is on GitHub
• Builds are triggered in Netlify by a Shortcut

I try to catch spelling issues and what not before I publish, but I’m not perfect.

I can proofread a draft as much as I want, but nothing helps me catch errors better than hitting publish and re-reading what I just published on my website.

If that fails, kind readers will often reach out and say “Hey, I found a typo in your post [link].”

To fix these errors, I will:

• Open iA Writer
• Find the post
• Fix typo
• Fire Shortcut to trigger a build
• Refresh my website and see the updated post

However, the “Open iA Writer” and “Find the post” are points of friction I’ve wanted to optimize.

I’ve found myself thinking: “When I’m reading a post on notes.jim-nielsen.com and I spot a mistake, I wish I could just click an ‘Edit’ link right there and be editing my file.”

You might be thinking, “Yeah that’s what a hosted CMS does.”

But I like my plain-text files. And I love my native writing app.

What’s one to do?

Well, turns out iA Writer supports opening files via links with this protocol:

ia-writer://open?path=location:/path/to/file.md

So, in my case, I can create a link for each post on my website that will open the corresponding plain-text file in iA Writer, e.g.

<article>
  <!-- content of post here -->
  <a href="ia-writer://open?path=notes:2026-01-04T2023.md">
    Edit
  </a>
</article>

And voilà, my OS is now my CMS!

It’s not a link to open the post in a hosted CMS somewhere. It’s a link to open a file on the device I’m using — cool!

My new workflow looks like this:

• Read a post in the browser
• Click “Edit” hyperlink to open plain-text file in native app
• Make changes
• Fire Shortcut to trigger a build

It works great. Here’s an example of opening a post from the browser on my laptop:

And another on my phone:

Granted, these “Edit” links are only useful to me. So I don’t put them in the source markup. Instead, I generate them with JavaScript when it’s just me browsing.

How do I know it’s just me?

I wrote a little script that watches for the presence of a search param ?edit=true. If that is present, my site generates an “Edit” link on every post with the correct href and stores that piece of state in localstorage so every time I revisit the site, the “Edit” links are rendered for me (but nobody else sees them).

Well, not nobody. Now that I revealed my secret I know you can go get the “Edit” links to appear. But they won’t work for you because A) you don’t have iA Writer installed, or B) you don’t have my files on your device. So here’s a little tip if you tried rendering the “Edit” links: do ?edit=false to turn them back off :)

Reply via: Email · Mastodon · Bluesky

In “The Future of Software Development is Software Developers” Jason Gorman alludes to how terrible natural language is at programming computers:

The hard part of computer programming isn’t expressing what we want the machine to do in code. The hard part is turning human thinking – with all its wooliness and ambiguity and contradictions – into computational thinking that is logically precise and unambiguous, and that can then be expressed formally in the syntax of a programming language.

The work is the translation, from thought to tangible artifact. Like making a movie: everyone can imagine one, but it takes a director to produce one.

This is also the work of software development: translation. You take an idea — which is often communicated via natural language — and you translate it into functioning software. That is the work.

It’s akin to someone who translates natural languages, say Spanish to English. The work isn’t the words themselves, though that’s what we conflate it with.

You can ask to translate “te quiero” into English. And the resulting words “I love you” may seem like a job complete. But the work isn’t coming up with the words. The work is gaining the experience to know how and when to translate the words based on clues like tone, context, and other subtleties of language. You must decipher intent. Does “te quiero” here mean “I love you” or “I like you” or “I care about you”?

This is precisely why natural language isn’t a good fit for programming: it’s not very precise. As Gorman says, “Natural languages have not evolved to be precise enough and unambiguous enough” for making software. Code is materialized intent. The question is: whose?

The request ”let users sign in” has to be translated into constraints, validation, database tables, async flows, etc. You need pages and pages of the written word to translate that idea into some kind of functioning software. And if you don’t fill in those unspecified details, somebody else (cough AI cough) is just going to guess — and who wants their lives functioning on top of guessed intent?

Computers are pedants. They need to be told precisely in everything, otherwise you’ll ask for one thing and get another. “Do what I mean, not what I say” is a common refrain in working with computers. I can’t tell you how many times I’ve spent hours troubleshooting an issue only to realize a minor syntactical mistake. The computer was doing what I typed, not what I meant.

So the work of making software is translating human thought and intent into functioning computation (not merely writing, or generating, lines of code).

Reply via: Email · Mastodon · Bluesky

I recommended against using an AI browser unless you wanted to participate in a global experiment in security. My recommendation did come with a caveat:

But probably don’t listen to me. I’m not a security expert

Well, now the experts (that you pay for) have weighed in.

Gartner, the global research and advisory firm, has come to the conclusion that agentic browsers are too risky for most organizations.

Ground breaking research.

But honestly, credit where it’s due: they’re not jumping on the hype train. In fact, they’re advising against it.

I don’t have access to the original paper (because I’d have to pay Gartner for it), but the reporting on Gartner’s research says this:

research VP Dennis Xu, senior director analyst Evgeny Mirolyubov, and VP analyst John Watts observe “Default AI browser settings prioritize user experience over security.”

C’mon, let’s call a spade a spade: they prioritize their maker’s business model over security.

Continuing:

Gartner’s fears about the agentic capabilities of AI browser relate to their susceptibility to “indirect prompt-injection-induced rogue agent actions, inaccurate reasoning-driven erroneous agent actions, and further loss and abuse of credentials if the AI browser is deceived into autonomously navigating to a phishing website.”

And that’s just the beginning! It gets worse for large organizations.

The real horror of these AI browsers is that they can help employees to autonomously complete their mandatory trainings:

The authors also suggest that employees “might be tempted to use AI browsers and automate certain tasks that are mandatory, repetitive, and less interesting” and imagine some instructing an AI browser to complete their mandatory cybersecurity training sessions.

The horror!

In this specific case, maybe AI browsers aren’t the problem? Maybe they’re a symptom of the agonizing online instructional courses that feign training in the name of compliance?

But I digress. Ultimately, the takeaway here is:

the trio of analysts think AI browsers are just too dangerous to use

Imagine that: you take a tool that literally comes with a warning of being untrustworthy, you embed it as foundational in another tool, and now you have two tools that are untrustworthy. Who would’ve thought?

Reply via: Email · Mastodon · Bluesky

If you subscribe to this blog, you must like it — right? I mean, you are subscribed to it.

And if you like this blog, you might also like my notes blog.

It’s where I take short notes of what I read, watch, listen to, or otherwise consume, add my two cents, and fire it off into the void of the internet.

It’s sort of like a “link blog” but I’m not necessarily recommending everything I link to. It’s more of “This excerpt stood out to me in some way, here’s my thoughts on why.”

It’s nice to have a place where I can jot down a few notes, fire off my reaction, and nobody can respond to it lol. At least, not in any easy, friction-less way. You’d have to go out of your way to read my commentary, find my contact info, and fire off a message (critiquing or praising). That’s how I like it. Cuts through the noise.

Anyway, this is all a long way of saying: if you didn’t already know about my notes blog, you might like it. Check it out or subscribe.

Today, for example, I posted lots of grumpy commentary.

• https://notes.jim-nielsen.com/#2025-12-18T1130
• https://notes.jim-nielsen.com/#2025-12-18T1128
• https://notes.jim-nielsen.com/#2025-12-18T1136

Reply via: Email · Mastodon · Bluesky

My last article was blogging off Jeremey’s article which blogged off Chris’ article and, after publishing, a reader tipped me off to the Gell-Mann amnesia effect which sounds an awful lot like Chris’ “Jeopardy Phenomenon”. Here’s Wikipedia:

The Gell-Mann amnesia effect is a cognitive bias describing the tendency of individuals to critically assess media reports in a domain they are knowledgeable about, yet continue to trust reporting in other areas despite recognizing similar potential inaccuracies.

According to Wikipedia, the concept was named by Michael Crichton because of conversation he once had with physicist Murray Gell-Mann (humorously, he said by associating a famous name to the concept he could imply greater importance to it — and himself — than otherwise possible).

Here’s Crichton:

you read with exasperation or amusement the multiple errors in a story—and then turn the page to national or international affairs, and read with renewed interest as if the rest of the newspaper was somehow more accurate about far-off Palestine than it was about the story you just read. You turn the page, and forget what you know.

He argues that this effect doesn’t seem to translate to other aspects of our lives. The courts, for example, have a related concept of “false in one thing, false in everything”.

Even in ordinary life, Crichton says, “if somebody consistently exaggerates or lies to you, you soon discount everything they say”.

In other words: if your credibility takes a hit in one area, it’s gonna take a hit across the board.

At least, that’s his line of reasoning.

It’s kind of fascinating to think about this in our current moment of AI. Allow me to re-phrase Crichton.

You read with exasperation the multiple errors in AI’s “answer”, then start a new chat and read with renewed interest and faith as if the next “answer” is somehow more accurate than the last. You start a new prompt and forget what you know.

If a friend, acquaintance, or family member were to consistently exaggerate or lie to you, you’d quickly adopt a posture of discounting everything they say. But with AI — which even comes with a surgeon general’s warning, e.g. “AI can make mistakes. Check important info.” — we forgive and forget.

Forget. Maybe that’s the keyword for our behavior. It is for Crichton:

The only possible explanation for our behavior is amnesia.

Reply via: Email · Mastodon · Bluesky

Chris Coyier:

There’s the thing where if you’re reading an article in the newspaper, and it’s about stuff you don’t know a ton about, it all seems well and good. Then you read another article in the same paper and it’s about something you know intimately (your job, your neighborhood, your hobby, etc) there is a good chance you’ll be like hey! that’s not quite right!

Chris extends this idea to AI-generated code, i.e. if you don’t know or understand the generated code you probably think, “Looks good to me!” But if you do know it you probably think, “Wait a second, that’s not quite right.”

Here’s Jeremy Keith riffing on Chris’ thoughts:

I’m astounded by the cognitive dissonance displayed by people who say “I asked an LLM about {topic I’m familiar with}, and here’s all the things it got wrong” who then proceed to say “It was really useful when I asked an LLM for advice on {topic I’m not familiar with, hence why I’m asking an LLM for advice}.”

Kind of feels like this boils down to: How do we know what we know?

To be fair, that’s a question I’ve wrestled with my whole life.

And the older I get, the more and more I realize how often we barely know anything.

There’s a veneer of surety everywhere in the world.

There are industries of people and services who will take your money in exchange for a sense of surety — influencers, consultants, grifters, AI, they all exist because we are more than willing to pay with our time, attention, and money to feel like we “know” something.

“You’re absolutely right!”

But I, for one, often feel increasingly unsure of everything I thought I knew.

For example: I can’t count the number of times I thought I understood a piece of history, only to later find out that the commonly-accepted belief comes to use from a single source, written decades later in a diary or on a piece of parchment or on a stone, by someone with blind spots, questionable incentives, or a flair for the dramatic, all of which leaves me seriously questioning the veracity and objectivity of something I thought I knew.

Which leads me to the next, uncomfortable question: How many other things are there that I thought I knew but are full of uncertainty just like this?

All surety vanishes.

And that’s an uncomfortable place to be. Who wants to admit “I don’t know”?

It’s so easy to take what’s convenient over what corresponds to reality.

And that’s what scares me about AI.

Update 2025-12-16

After publishing, I was tipped off to the Gell-Mann amnesia effect which is right up the subject alley of this post.

Reply via: Email · Mastodon · Bluesky

Related posts linking here: (2025) The “A” in “AI” Stands For Amnesia

I complained about this on the socials, but I didn’t get it all out of my system. So now I write a blog post.

I’ve never liked the philosophy of “put an icon in every menu item by default”.

Google Sheets, for example, does this. Go to “File” or “Edit” or “View” and you’ll see a menu with a list of options, every single one having an icon (same thing with the right-click context menu).

It’s extra noise to me. It’s not that I think menu items should never have icons. I think they can be incredibly useful (more on that below). It’s more that I don’t like the idea of “give each menu item an icon” being the default approach.

This posture lends itself to a practice where designers have an attitude of “I need an icon to fill up this space” instead of an attitude of “Does the addition of a icon here, and the cognitive load of parsing and understanding it, help or hurt how someone would use this menu system?”

The former doesn’t require thinking. It’s just templating — they all have icons, so we need to put something there. The latter requires care and thoughtfulness for each use case and its context.

To defend my point, one of the examples I always pointed to was macOS. For the longest time, Apple’s OS-level menus seemed to avoid this default approach of sticking icons in every menu item.

That is, until macOS Tahoe shipped.

Menus in macOS Tahoe

Tahoe now has icons in menus everywhere. For example, here’s the Apple menu:

Let’s look at others. As I’m writing this I have Safari open. Let’s look at the “Safari” menu:

Hmm. Interesting. Ok so we’ve got an icon for like half the menu items. I wonder why some get icons and others don’t?

For example, the “Settings” menu item (third from the top) has an icon. But the other item in its grouping “Privacy Report” does not. I wonder why? Especially when Safari has an icon for Privacy report, like if you go to customize the toolbar you’ll see it:

Hmm. Who knows? Let’s keep going.

Let’s look at the "File" menu in Safari:

Some groupings have icons and get inset, while other groupings don’t have icons and don’t get inset. Interesting…again I wonder what the rationale is here? How do you choose? It’s not clear to me.

Let’s keep going. Let’s go to the "View" menu:

Oh boy, now we’re really in it. Some of these menu items have the notion of a toggle (indicated by the checkmark) so now you’ve got all kinds of alignment things to deal with. The visual symbols are doubling-up when there’s a toggle and an icon.

The “View” menu in Mail is a similar mix of:

• Text
• Text + toggles
• Text + icons
• Text + icons + toggles

You know what would be a fun game? Get a bunch of people in a room, show them menus where the textual labels are gone, and see who can get the most right.

But I digress.

In so many of these cases, I honestly can’t intuit why some menus have icons and others do not. What are so many of these icons affording me at the cost of extra visual and cognitive parsing? I don’t know.

To be fair, there are some menus where these visual symbols are incredibly useful. Take this menu from Finder:

The visual depiction of how those are going to align is actually incredibly useful because it’s way easier for my brain to parse the symbol and understand where the window is going to go than it is to read the text and imagine in my head what “Top Left” or “Bottom & Top” or “Quarters” will mean. But a visual symbol? I instantly get it!

Those are good icons in menus. I like those.

Apple Abandons Its Own Guidance

What I find really interesting about this change on Apple’s part is how it seemingly goes against their own previous human interface guidelines (as pointed out to me by Peter Gassner).

They have an entire section in their 2005 guidelines (and 1992 and 2020) titled “Using Symbols in Menus”:

See what it says?

There are a few standard symbols you can use to indicate additional information in menus…Don’t use other, arbitrary symbols in menus, because they add visual clutter and may confuse people.

Confused people. That’s me.

They even have an example of what not to do and guess what it looks like? A menu in macOS Tahoe.

Conclusion

It’s pretty obvious how I feel. I’m tired of all this visual noise in my menus.

And now that Apple has seemingly thrown in with the “stick an icon in every menu by default” crowd, it’s harder than ever for me to convince people otherwise. To persuade, “Hey, unless you can articulate a really good reason to add this, maybe our default posture should be no icons in menus?”

So I guess this is the world I live in now. Icons in menus. Icons in menus everywhere.

Send help.

Update: 2026-01-05

Niki wrote the post I wanted to write including why icons in every menu item is a bad idea. You should read it, and then send it to everyone you know.

Reply via: Email · Mastodon · Bluesky

As ever, Mandy Brown casually drops a blog post that makes you examine the everyday meaning of words:

One of the imperatives in contemporary, professional work culture is to “grow.” There is often a sense of height or largeness with that imperative, as if growth must be measured in your distance up the ladder, your territory across the way. In The Soul’s Code, James Hillman implores us to think rather of growing down, of growth not of branch but root, of becoming more grounded, sturdier, less able to be pushed around by the whims of others.

I love this idea of “growing down”, becoming more rooted and sturdy.

It got me thinking about the word “growth”.

Contemporary usage of the word in business often communicates human intervention and imposition against an otherwise natural outworking.

“Growth” in a forest is different than “growth” in business.

In business, we talk about “growth hacking” as if the natural cadence of growth isn’t sufficient. It requires modification because we deem it insufficiently slow.

We “engineer” growth instead of tending it.

Personally, when I say I want to grow, I mean like a tree. Not like a cancer.

Tree growth responds to its environment and integrates with its ecosystem. Growth is sustainable, balancing expansion and repair. It scales in harmony with its context.

Cancer growth is selfish, consuming resources at the expense of its host. Growth is uncontrolled until the system that supports it collapses. It scales through extraction until failure.

When we talk about the growth of technology in the 21st century, which kind of growth do you think best describes it?

“Hey, {social media | AI} grew so big, we all sat together under its canopy and enjoyed the shade.”

Said no one.

More likely: “Hey, {social media | AI} grew so big, it metastasized beyond what society could bear and now look at the mess we’re in.”

Reply via: Email · Mastodon · Bluesky

I wrote about the 404s I serve for robots.txt. Now it’s time to look at some of the other common 404s I serve across my static sites (as reported by Netlify’s analytics):

• /wp-login.php
• /wp-admin
• /news/wp-includes/wlwmanifest.xml
• /login/
• /wp-includes/wlwmanifest.xml
• /news/wp-includes/wlwmanifest.xml
• /website/wp-includes/wlwmanifest.xml
• /info.php

I don’t run WordPress, but as you can see I still get a lot of requests for wp-* resources.

All of my websites are basically just static files on disk, meaning only GET requests are handled (no POST, PUT, PATCH, etc.). And there’s no authentication anywhere.

So when I see these requests, I think: “Sure is nice to have a static site where I don’t have to worry about server maintenance and security patches for all those resources.”

Of course, that doesn’t mean running a static site protects me from being exploited by malicious, vulnerability-seeking traffic.

Here are a few more common requests I’m serving a 404 to:

• /.env
• /.env.production
• /.env.local
• /.env.dev
• /.git/config
• /data.sql
• /database.sql.gz
• /mysql.sql
• /db.sql.gz
• /backup.sql.gz
• /database.sql

With all the magic building and bundling we do as an industry, I can see how easy it would be to have some sensitive data in your source repo (like the ones above) end up in your build output. No wonder there are bots scanning the web for these common files!

So be careful out there. Just because you’ve got a static site doesn’t mean you’ve got no security concerns. Fewer, perhaps, but not none.

Reply via: Email · Mastodon · Bluesky