Jim Nielsen’s Blog

You found my experimental HTML feed (there are also other ways to subscribe).

Recent posts

Saying “No” In an Age of Abundance

You’ve probably heard this famous quote from Steve Jobs about saying ‘no’:

People think focus means saying yes to the thing you’ve got to focus on. But that’s not what it means at all. It means saying no to the hundred other good ideas that there are. You have to pick carefully. I’m actually as proud of the things we haven’t done as the things I have done. Innovation is saying no to 1,000 things.

But wait, we have AI now. We don’t have to say no to 1,000 things. We can say yes to all the things — generate them all, simultaneously!

Do you really have to “pick carefully” when AI can materialize everything you previously would’ve been too constrained to do?

Generative technology paired with being “data-driven” means it’s easy to build every idea, ship it, measure it, and see what sticks.

Humans, money, time — these all used to be constraints which required budgets, trade-offs, and decision making.

Organizations had an incentive to say “no” when development was constrained — “We can only do so much, so let’s make sure we do the most impactful things.”

But maybe the scarcity of organizational resources was the wrong focus all along?

It’s never been a good idea to ship everything you think of. Every addition accretes complexity and comes with a cognitive cost.

Maybe we need to reframe the concept of scarcity from us, the makers of software, to them, the users of software. Their resources are what matter most:

  • Attention (too many features and they can’t all be used, or even tried)
  • Stability (too much frequent change is an impediment to learning a product)
  • Clarity (too many options creates confusion and paralysis)
  • Coherence (too many plots and subplots cannot tell a unified story)

So maybe the way you argue for saying “no” isn’t because it helps you as a business, but because it helps your customers. It helps them make sense of what you’ve made.

And yet: arguing for customer clarity has always been harder than arguing for internal efficiency or some bottom line.

In an age of abundance, restraint becomes the only scarce thing left, which means saying “no” is more valuable than ever.

I’m as proud of the things I haven’t generated as the things I have.


Reply via: Email · Mastodon · Bluesky

The Browser’s Little White Lies

So I’m making a thing and I want it to be styled different if the link’s been visited.

Rather than build something myself in JavaScript, I figure I’ll just hook into the browser’s mechanism for tracking if a link’s been visited (a sensible approach, if I do say so myself).

Why write JavaScript when a little CSS will do? So I craft this:

.entry:has(a:visited) {
  opacity: .5;
  filter: grayscale(1);
}

But it doesn’t work.

:has() is relatively new, and I’ve been known to muff it, so it’s probably just a syntax issue.

I start researching.

Wouldn’t you know it? We can’t have nice things. :visited doesn’t always work like you’d expect because we (not me, mind you) exploited it.

Here’s MDN:

You can style visited links, but there are limits to which styles you can use.

While :has() is not mentioned specifically, other tricks like sibling selectors are:

When using a sibling selector, such as :visited + span, the adjacent element (span in this example) is styled as though the link were unvisited.

Why? You guessed it. Security and privacy reasons.

If it were not so, somebody could come along with a little JavaScript and uncover a user’s browsing history (imagine, for example, setting styles for visited and unvisited links, then using window.getComputedStyle and checking style computations).

MDN says browsers tell little white lies:

To preserve users' privacy, browsers lie to web applications under certain circumstances

So, from what I can tell, when I write .entry:has(a:visited) the browser is telling the engine that handles styling that all .entry items have never been :visited (even if they have been).

So where does that leave me?

Now I will abandon CSS and go use JavaScript for something only JavaScript can do.

That’s a good reason for JS.
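
An added example, not part of the original post: a small Node.js check that flags `:visited` rules the browser will quietly ignore. The property allow-list is the one MDN documents for `:visited`; the `:has()` case is flagged on the strength of the behaviour described above, and the function names and sample stylesheet are constructed for illustration.

```javascript
// Properties MDN lists as the only ones honoured on :visited links.
const ALLOWED = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'column-rule-color', 'outline-color', 'text-decoration-color',
  'text-emphasis-color', 'fill', 'stroke',
]);

// Split a selector list on commas that are not inside parentheses.
function splitTopLevel(list) {
  const parts = [];
  let depth = 0, start = 0;
  for (let i = 0; i < list.length; i++) {
    if (list[i] === '(') depth++;
    else if (list[i] === ')') depth--;
    else if (list[i] === ',' && depth === 0) {
      parts.push(list.slice(start, i).trim());
      start = i + 1;
    }
  }
  parts.push(list.slice(start).trim());
  return parts.filter(Boolean);
}

// Audit flat "selector { declarations }" rules (no nesting, no comments).
// Returns one finding per selector whose :visited styling will not apply.
function auditVisited(css) {
  const findings = [];
  for (const [, selectorList, body] of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const props = body.split(';')
      .map((d) => d.split(':')[0].trim().toLowerCase())
      .filter(Boolean);
    for (const selector of splitTopLevel(selectorList)) {
      if (!selector.includes(':visited')) continue;
      // Drop functional arguments so "2n+1" is not mistaken for a combinator.
      const bare = selector.replace(/\([^()]*\)/g, '()');
      if (/:has\((?:[^()]|\([^()]*\))*:visited/.test(selector)) {
        // The case from the post: the link inside :has() matches as unvisited.
        findings.push({ selector, reason: 'has', properties: props });
      } else if (/:visited[^\s>+~]*\s*[+~]/.test(bare)) {
        // MDN: the sibling is styled as though the link were unvisited.
        findings.push({ selector, reason: 'sibling', properties: props });
      } else {
        const blocked = props.filter((p) => !ALLOWED.has(p));
        if (blocked.length) findings.push({ selector, reason: 'property', properties: blocked });
      }
    }
  }
  return findings;
}

// Constructed sample: the rule from the post plus three illustrative ones.
const SAMPLE_CSS = `
.entry:has(a:visited) { opacity: .5; filter: grayscale(1); }
a:visited { color: gray; opacity: .5; }
a:visited + span { color: gray; }
a:link, a:hover { opacity: 1; }
`;
console.log(auditVisited(SAMPLE_CSS));
```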


The Don’t “Contact Us” Page

Nic Chan comes out as the whistleblower on how many “Contact Us” pages are made (spoiler: they’re designed to keep us from contacting anyone).

A “fuck off contact page” is what a company throws together when they actually don’t want anyone to contact them at all. They […] are trying to reduce the amount of money they spend on support by carefully hiding the real support channels […] If you solve your own problem by reading the knowledge base, then this is a win for the company. They don’t want to hear from you, they want you to fuck off.

It’s true. This is how the proverbial sausage is made. I’ve been there. I’ve seen these decisions handed down. Which means, like Chan, I know how to read between the lines of most “Contact Us” pages on the internet.

I’m not sure about you, but as a user, when I see [these kinds of pages], knowing that whatever my original query was, [I know] I’m going to have to solve it unassisted.

My process follows this arc:

  • I have a question.
  • Go to the company’s “Contact Us” page.
  • Immediately intuit from the design of the page whether I’m actually going to be able to contact someone and get help, or if I’m on my own.

A direct line to a human is the ultimate luxury in today’s world.

The project finished on time, everyone got paid, and the client was happy with the end result, but I still felt very disappointed in the whole thing.

So it goes.


There’s a scene from The Matrix that kept echoing in my head while reading Chan’s post.

There are contact pages, my friends. Endless “Contact Us” pages.

Where human beings no longer exist.

For a long time I probably wouldn’t have believed it, and then I saw the pages made with my own eyes. Watched them remove the ability for human beings to contact one another.

And standing there, facing the pure, automated precision of it all, I came to realize the obviousness of the truth.

What is the “Contact Us” page?

Cost savings.

The “Contact Us” page is a computer-generated dream world, built to keep us from contacting another human in order to save cost and turn a human being into this: a source of revenue.


You Can Just Say No to the Data

“The data doesn’t lie.”

I imagine that’s what the cigarette companies said.

“The data doesn’t lie. People want this stuff. They’re buying it in droves. We’re merely giving them what they want.”

Which sounds more like an attempt at exoneration than a reason to exist.

Demand can be engineered. “We’re giving them what they want” ignores how desire is shaped, even engineered (algorithms, dark patterns, growth hacking, etc.).

Appealing to data as the ultimate authority — especially when fueled by engineered desire — isn’t neutrality, it’s an abdication of responsibility.

Satiating human desire is not the highest aspiration.

We can do so much more than merely supply what the data says is in demand.

Stated as a principle:

Values over data.

Data tells you what people consume, not what you should make. Values, ethics, vision, those can help you with the “should”.

“What is happening?” and “What should happen?” are two completely different questions and should be dealt with as such.

The more powerful our ability to understand demand, the more important our responsibility to decide whether to respond to it. We can choose not to build something, even though the data suggests we should. We can say no to the data.

Data can tell you what people clicked on, even help you predict what people will click on, but you get to decide what you will profit from.


CTA Hierarchy in the Wild

The other day I was browsing YouTube — as one does — and I clicked a link in the video description to a book.

I was then subjected to a man-in-the-middle attack, where YouTube put themselves in the middle of me and the link I had clicked:

Screenshot of a webpage that says “Are you sure you want to leave YouTube?” and there are two buttons. On the left is the secondary, de-emphasized button that says “GO TO SITE” and on the right is the primary, visually emphasized button that says “BACK TO YOUTUBE”.

Hyperlinks are subversive. Big Tech must protect themselves and their interests.

But link hijacking isn’t why I’m writing this post.

What struck me was the ordering and visual emphasis of the “call to action” (CTA) buttons. I almost clicked “Back to YouTube”, which was precisely the action I didn’t want.

I paused and laughed to myself.

Look how the design pattern for primary/secondary user interface controls has inverted over time:

  • Classic software:
    • Primary CTA: what’s best for you
    • Secondary CTA: an alternative for you
  • Modern software:
    • Primary CTA: what’s best for us
    • Secondary CTA: what’s acceptable to us

It seems like everywhere I go, software is increasingly designed against me.


New Year, New Website — Same Old Me

I redesigned my www website. Why?

  • The end of year / holiday break is a great time to work on such things.
  • I wanted to scratch an itch.
  • Websites are a worry stone [gestures at current state of the world]
  • Do I really need a reason? Nope.

I read something along the lines of “If you ship something that shows everything you’ve made, it’s dead on arrival.”

Oooof. I feel that. It’s so hard to make a personal website that keeps up with your own personal evolution and change.

But the hell if I’m not gonna try — and go through many existential crises in the process.

I was chasing the idea of making my “home” page essentially a list of feeds, like:

You get the idea.

The thought was: if I condense the variety of the things I do online into a collection of feeds (hard-coded or live from other sites I publish), then I’ll never be out of date!

Plus I love links. I love following them. I wanted my home page to be the start of a journey, not the end. A jumping off point, not a terminal one.

At least that was the idea behind this iteration.

Behind the Scenes

I built the (static) site using Web Origami.

I loved it! Origami is great for dealing with feeds because it makes fetching data from the network and templating it incredibly succinct.

<h2>Latest from my notes blog</h2>
<ul>
  ${Tree.map(
    (https://notes.jim-nielsen.com/feed.json).items.slice(0,3),
    (note) => `<li><a href="${note.url}">${note.title}</a></li>`
  )}
</ul>

In just those few lines of code I:

  • Fetch a JSON feed over the network
  • Grab the 3 most recent entries
  • Turn the data into markup

For example, here’s the code showing my latest blog posts:

Screenshot of Web Origami code on the top and its output on the bottom (a list of blog post links).

And here’s the code showing the latest icons in my iOS collection:

Screenshot of Web Origami code on top and its output on the bottom (a grid of icons).

Beautiful and succinct, isn’t it?

Origami is a static site builder, so to keep my site “up to date” I just set Netlify to build my site every 24 hours which pulls data from a variety of sources, sticks it in a single HTML file, and publishes it as a website.

The “build my site every 24 hours” isn’t quite as easy as you might think. You can use a scheduled function on Netlify’s platform but that requires writing code (which also means maintaining and debugging said code). That seems to be Netlify’s official answer to the question: “How do I schedule deploys?”

I went with something simpler — at least simpler to me.

  • Set up a build hook on Netlify (which you have to do for the scheduled function approach anyway).
  • Use Apple’s Shortcuts app to create a shortcut that issues a POST request to my build hook.
  • Use Shortcuts’ “Automation” feature to run that shortcut every day.

So the “cron server” in my case is my iPhone, which works great because it’s basically always connected to the internet. If I go off grid for a few days and my website doesn’t refresh, I’m ok with that trade-off.

A tiny, pink origami bird with the text “Built with Origami”


Easy Measures Doing, Simple Measures Understanding

In his talk, I like the way Jake Nations pits easy vs. simple:

Easy means you can add it to your system quickly. Simple means you can understand the work that you’ve done.

I like this framing.

Easy means you can do with little effort.

Simple means you can understand what you do with little effort.

In other words: easy measures the effort in doing, while simple measures the effort in understanding the doing.

For example: npm create framework@latest or “Hey AI, build an instagram clone”. These both get you a website with little effort (easy) but do you understand what you just did (simple)?

It’s easy to get complexity, but it’s not easy to get simplicity.

(I get this is arguing semantics and definitions, but I find it to be a useful framing personally. Thanks Jake!)


In The Beginning There Was Slop

I’ve been slowly reading my copy of “The Internet Phone Book” and I recently read an essay in it by Elan Ullendorff called “The New Turing Test”.

Elan argues that what matters in a work isn’t the tools used to make it, but the “expressiveness” of the work itself (was it made “from someone, for someone, in a particular context”):

If something feels robotic or generic, it is those very qualities that make the work problematic, not the tools used.

This point reminded me that there was slop before AI came on the scene.

A lot of blogging was considered a primal form of slop when the internet first appeared: content of inferior substance, generated in quantities much vaster than heretofore considered possible.

And the truth is, perhaps a lot of the content in the blogosphere was “slop”.

But it wasn’t slop because of the tools that made it — like Movable Type or WordPress or Blogger.

It was slop because it lacked thought, care, and intention — the “expressiveness” Elan argues for.

You don’t need AI to produce slop because slop isn’t made by AI. It’s made by humans — AI is just the popular tool of choice for making it right now.

Slop existed long before LLMs came onto the scene.

It will doubtless exist long after too.


The AI Security Shakedown

Matthias Ott shared a link to a post from Anthropic titled “Disrupting the first reported AI-orchestrated cyber espionage campaign”, which I read because I’m interested in the messy intersection of AI and security.

I gotta say: I don’t know if I’ve ever read anything quite like this article.

At first, the article felt like a responsible disclosure — “Hey, we’re reaching an inflection point where AI models are being used effectively for security exploits. Look at this one.”

But then I read further and found statements like this:

[In the attack] Claude didn’t always work perfectly. It occasionally hallucinated […] This remains an obstacle to fully autonomous cyberattacks.

Wait, so is that a feature or a bug? Is it a good thing that your tool hallucinated and proved a stumbling block? Or is this a bug you hope to fix?

The more I read, the more difficult it became to discern whether this security incident was a helpful warning or a feature sell.

With the correct setup, threat actors can now use agentic AI systems for extended periods to do the work of entire teams of experienced hackers: analyzing target systems, producing exploit code, and scanning vast datasets of stolen information more efficiently than any human operator. Less experienced and resourced groups can now potentially perform large-scale attacks of this nature.

Shoot, this sounds like a product pitch! Don’t have the experience or resources to keep up with your competitors who are cyberattacking? We’ve got a tool for you!

Wait, so if you’re creating something that can cause so much havoc, why are you still making it? Oh good, they address this exact question:

This raises an important question: if AI models can be misused for cyberattacks at this scale, why continue to develop and release them? The answer is that the very abilities that allow Claude to be used in these attacks also make it crucial for cyber defense.

Ok, so the article is a product pitch:

  • We’ve reached a tipping point in security.
  • Look at this recent case where our AI was exploited to do malicious things with little human intervention.
  • No doubt this same thing will happen again.
  • You better go get our AI to protect yourself.

But that’s my words. Here’s theirs:

A fundamental change has occurred in cybersecurity. We advise security teams to experiment with applying AI for defense in areas like Security Operations Center automation, threat detection, vulnerability assessment, and incident response. We also advise developers to continue to invest in safeguards across their AI platforms, to prevent adversarial misuse. The techniques described above will doubtless be used by many more attackers—which makes industry threat sharing, improved detection methods, and stronger safety controls all the more critical.

It appears AI is simultaneously the problem and the solution.

It’s a great business to be in, if you think about it. You sell a tool for security exploits and you sell the self-same tool for protection against said exploits. Everybody wins!

I can’t help but read this post and think of a mafia shakedown. You know, where the mafia implies threats to get people to pay for their protection — a service they created the need for in the first place. “Nice system you got there, would be a shame if anyone hacked into it using AI. Better get some AI to protect yourself.”

I find it funny that the URL slug for the article is:

/disrupting-AI-espionage

That’s a missed opportunity. They could’ve named it:

/causing-and-disrupting-AI-espionage


A Letter of Feedback To Anyone Who Makes Software I Use

I don’t much enjoy being a lab rat to your half-baked ideas.

I can tell when your approach to what I use is: “Ship it and let’s see how people respond.”

Well let me tell you something: I’m not going to respond.

My desire to give you constructive feedback is in direct correlation to your effort to care — about your communications, about what you ship, even about what you don’t ship.

Just because you ship some half-baked feature doesn’t mean I’m going to take the time to tell you whether I find it any good.

Doubly so in the age of AI. I know how easy it is for you to ship slop, why should I take the time to formulate careful feedback on your careless output?

I can disagree with product decisions, but I won’t get mad at thoughtfulness and care. I respect that.

But I will very much disagree with and get mad at product decisions devoid of thought and care. I have no respect for that.

It’s not really worth my time to respond to such a posture of shipping software, and yet here I am writing about it. Because I care about the things I choose to (or am required to) use.

So this is my one-time, general-purpose piece of feedback to all such purveyors of digital goods and tools. Just because nobody tells you that what you shipped sucks, doesn’t mean it’s worth keeping. You can’t measure an apathetic response because it is, by definition, the absence of data.

