activescott's Notes

The honest take: Setup time is real. This isn't a weekend project — it took weeks of configuring, breaking, and fixing. But now everything runs 24/7, I own my data, and the monthly cost is basically just electricity (~$10-15/month).

The biggest win? Immich. Having Google Photos-level search (face recognition, location, object detection) on hardware I own, with zero cloud dependency — that alone justified the build.

Video (full build walkthrough): https://www.youtube.com/watch?v=5cET4sfqdlE&t

I'm a plumber by trade who fell into self-hosting, so if I can set this up, anyone can. Happy to answer questions.

Israel has cut off the entry of all food and other goods into Gaza in an echo of the siege it imposed in the earliest days of its war with Hamas. The United Nations and other humanitarian aid providers are sharply criticizing the decision and calling it a violation of international law.

“A tool of extortion,” Saudi Arabia’s foreign ministry said. “A reckless act of collective punishment,” Oxfam said. Key mediator Egypt accused Israel of using “starvation as a weapon.”

Hunger has been an issue throughout the war for Gaza’s over 2 million people, and some aid experts had warned of possible famine. Now there is concern about losing the progress that experts reported under the past six weeks of a ceasefire.

Israel is trying to pressure the Hamas militant group to agree to what Prime Minister Benjamin Netanyahu’s government describes as a U.S. proposal to extend the ceasefire’s first phase instead of beginning negotiations on the far more difficult second phase. In phase two, Hamas would release the remaining living hostages in return for Israel’s withdrawal from Gaza and a lasting ceasefire.

Last year, the International Criminal Court said there was reason to believe Israel had used “starvation as a method of warfare” when it issued an arrest warrant for Netanyahu. The allegation is also central to South Africa’s case at the International Court of Justice accusing Israel of genocide.

On Sunday, Kenneth Roth, former head of Human Rights Watch, said Israel as an occupying power has an “absolute duty” to facilitate humanitarian aid under the Geneva Conventions, and called Israel’s decision “a resumption of the war-crime starvation strategy” that led to the ICC warrant.

Under the October ceasefire deal between Israel and Hamas, Israel agreed to allow 600 trucks of aid into Gaza a day.

However, Israel’s own figures suggest that an average of only 459 trucks a day have entered the Gaza Strip between Oct. 12, when the flow of the aid restarted, and Sunday, according to an AP analysis. COGAT, the Israeli military body in charge of coordinating aid entry, provided the figures.

President Donald Trump’s military strikes in Iran have likely cost American taxpayers over $1 billion using cursory estimates—with hundreds of millions lost on lost aircraft over the weekend—with a price tag that could approach $100 billion, depending on how long it can stretch on.

Sure it's a tutorial on how to tie a survival paracord bracelet, but it's also a great introduction into why you might even want to bring one. Essentially, this is a fun basic skill to get you into working with paracord and if you have kids, it's a great thing to do with them.

As Congress returns to session this week amid a new conflict in the Middle East, a crucial question hangs over Washington: Who gets to decide when America's military can be sent to war?

The Constitution says that only Congress has that power, with limited exceptions. In the four days after hostilities began, the Trump administration has struggled to articulate whether any of those exceptions apply to this situation. Secretary of Defense Pete Hegseth has called this a "war," undermining the argument that it's a different kind of military action that doesn't require congressional authorization. Secretary of State Marco Rubio and others have said the strikes against Iran were in response to an imminent threat against American troops in the region—only to later back down from that claim. President Donald Trump has made overlapping and contradictory claims about the conflict's aims, and on Tuesday seemed to claim responsibility for initiating Saturday's attack.

It is useful to read the commentary and translation of the Holy Quran without any doubt, each Muslim should do it...

Having said that, we encourage you to gather your family and sit down to listen to the Qur’ān and its meaning attentively and take benefit from it. It will also be ideal for you to educate your family about these etiquettes as well. Please read further on these etiquettes at : http://www.askimam.org/fatwa/fatwa.php?askid=5d2746eda63e83151d673632cbb81d4a

The translation and commentary of the Quran can be listened at computer provided it is from any reliable and authentic aalim of Ahlus Sunnah Wal Jamat (since listening translation of any person of false belief will cause misguidance instead of guidance). But, it is necessary to listen it attentively, it is against the honour of the Quran to listen it while engaging oneself in some other activities.

You can extract it as a function:

import { camel, mapKeys } from "radash"; import { z } from "zod";

export const camelCaseSchemaDef = (schema: T) => z .record(z.any()) .transform((x) => mapKeys(x, camel)) .pipe(schema) as T;

Use it like:

export const summarySchema = camelCaseSchemaDef( z.object({ isArticle: z.boolean(), summary: z.string(), introduction: z.string(), terms: z.array(z.string()), }) );

type Summary = z.infer // type Summary = { // isArticle: z.boolean(), // summary: string, //. introduction: z.string(), //. terms: z.array(z.string()), // }

summarySchema.parse({ is_article: true, summary: "abc", introduction: "abc", terms: ["abc", "bca"], })

While that last sentence may be true, it appears sharing was on by default when it came to Ring’s own cameras. That Flock Safety never got a chance to participate is good to know, but “Search Party” has apparently been active since its implementation last year, even if it was limited to Ring devices.

And while Ring claims the Search Party feature can’t be used to search for “human biometrics,” that’s hardly comforting when it appears Ring definitely wants to add more of this kind of thing to its existing cameras.

On top of this, the company recently launched a new facial recognition feature, Familiar Faces. Combined with Search Party, the technological leap to using neighborhood cameras to search for people through a mass-surveillance network suddenly seems very small.

Ring insists this is not another mass surveillance tool, but rather something that attempts to recognize who’s at any user’s door when sending alerts, in order to differentiate friends and family members from strangers who might be within camera range. Again, there’s some utility to this offering, but the tech lends itself to surveillance abuses, especially when law enforcement may only be a subpoena away from accessing images and recordings captured by privately-owned devices.

While that last sentence may be true, it appears sharing was on by default when it came to Ring’s own cameras. That Flock Safety never got a chance to participate is good to know, but “Search Party” has apparently been active since its implementation last year, even if it was limited to Ring devices.

And while Ring claims the Search Party feature can’t be used to search for “human biometrics,” that’s hardly comforting when it appears Ring definitely wants to add more of this kind of thing to its existing cameras.

On top of this, the company recently launched a new facial recognition feature, Familiar Faces. Combined with Search Party, the technological leap to using neighborhood cameras to search for people through a mass-surveillance network suddenly seems very small.

Ring insists this is not another mass surveillance tool, but rather something that attempts to recognize who’s at any user’s door when sending alerts, in order to differentiate friends and family members from strangers who might be within camera range. Again, there’s some utility to this offering, but the tech lends itself to surveillance abuses, especially when law enforcement may only be a subpoena away from accessing images and recordings captured by privately-owned devices.

It does, kinda, matter that Hegseth turned a simple contract dispute into an attempted corporate death sentence, weaponizing a supply-chain security designation that was clearly designed for tech the US government fears could be infiltrated by hostile foreign nations.

Yet, under Hegseth’s order, Chinese AI models would technically be more welcome in America’s military supply chain than Anthropic’s. The “supply chain risk” designation is now being used to punish a domestic company for having safety guidelines. DeepSeek, with its direct ties to the Chinese government, faces fewer restrictions than a San Francisco company that committed the cardinal sin of asking for human oversight on killing decisions.

One source familiar with the Pentagon’s negotiations with AI companies confirmed that OpenAI’s deal is much softer than the one Anthropic was pushing for, thanks largely to three words: “any lawful use.” In negotiations, the person said, the Pentagon wouldn’t back down on its desire to collect and analyze bulk data on Americans. If you look line-by-line at the OpenAI terms, the source said, every aspect of it boils down to: If it’s technically legal, then the US military can use OpenAI’s technology to carry it out. And over the past decades, the US government has stretched the definition of “technically legal” to cover sweeping mass surveillance programs — and more.

In the years after 9/11, US intelligence agencies ramped up a surveillance system that they determined fell within the legal limits OpenAI cites, including multiple mass domestic spying operations (along with apparently highly invasive international ones). In 2013, National Security Agency intelligence contractor Edward Snowden revealed the extent of some of these programs, such as reportedly collecting telephone records of Verizon customers on an “ongoing, daily” basis, and gathering bulk data on individuals from tech companies like Microsoft, Google, and Apple via a secretive program called PRISM. Despite promises of reform from intelligence agencies and attempts at legal changes, few significant limits to these powers were enacted. Mike Masnick, founder of Techdirt, said online that OpenAI’s deal “absolutely does allow for domestic surveillance. EO 12333 is how the NSA hides its domestic surveillance by capturing communications by tapping into lines outside the US even if it contains info from/on US persons.”

President Donald Trump stood in front of regional leaders during a visit to the Middle East in May and declared a new era of US foreign policy in the region, one that is not guided by trying to reshape it or change its governing systems.

“In the end, the so-called nation-builders wrecked far more nations than they built, and the interventionists were intervening in complex societies that they did not even understand themselves,” the US president said in rebuke of his hawkish predecessors.

Less than a year later, Trump ordered an all-out assault on Iran with the stated goal of bringing “freedom” to the country, borrowing language from the playbook of interventionist neoconservatives, like former President George W Bush, whom he spent his political career criticising.

Analysts say the war with Iran does not fit with Trump’s stated political ideology, policy goals or campaign promises.

Instead, several Iran experts told Al Jazeera that Trump is waging a war, together with Israel, that only benefits Israel and its prime minister, Benjamin Netanyahu.

“This is, once again, a war of choice launched by the US with [a] push from Israel,” said Negar Mortazavi, a senior fellow at the Center for International Policy in Washington, DC.

“This is another Israeli war that the US is launching. Israel has pushed the US to attack Iran for two decades, and they finally got it.”

Netanyahu, who promoted the 2003 US invasion of Iraq, has been warning for more than two decades that Iran is on the cusp of acquiring nuclear weapons.

Iran denies seeking a nuclear bomb, and even Trump administration officials have acknowledged that Washington has no evidence that Tehran is weaponising its uranium enrichment programme.

After the US bombed Iran’s main enrichment facilities in the 12-day war in June last year – an attack that Trump says “obliterated” the country’s nuclear programme – Netanyahu pivoted to a new supposed Iranian threat: Tehran’s ballistic missiles.

“Iran can blackmail any American city,” Netanyahu told pro-Israel podcaster Ben Shapiro in October.

“People don’t believe it. Iran is developing intercontinental missiles with a range of 8,000km [5,000 miles], add another 3,000 [1,800 miles], and they can get to the East Coast of the US.”

Trump repeated that claim, which Tehran has vehemently denied and has not been backed by any public evidence or testing, in his State of the Union address earlier this week.

“They’ve already developed missiles that can threaten Europe and our bases overseas, and they’re working to build missiles that will soon reach the United States of America,” he said of the Iranians.

But the US president’s own National Security Strategy last year called for de-prioritising the Middle East in Washington’s foreign policy and focusing on the Western Hemisphere.

Only 21 percent of respondents in a recent University of Maryland survey said they favoured a war with Iran.

The June 2025 war, initiated by Israel without provocation, also came in the middle of US-Iran talks.

“Netanyahu’s agenda has always been to prevent a diplomatic solution, and he feared Trump was actually serious about getting a deal, so the start of this war in the middle of negotiations is a success for him, just like it was last June,” Jamal Abdi, the president of the National Iranian American Council (NIAC), told Al Jazeera.

Earlier this month, US Ambassador to Israel Mike Huckabee told conservative commentator Tucker Carlson that “if it were not for Iran, there wouldn’t be Hezbollah; we wouldn’t have the problem on the border with Lebanon”.

Carlson said, “What problem on the border with Lebanon? I’m an American. I’m not having any problems on the border with Lebanon right now. I live in Maine.”

Two days ago, Anthropic released the Claude Cowork research preview (a general-purpose AI agent to help anyone with their day-to-day work). In this article, we demonstrate how attackers can exfiltrate user files from Cowork by exploiting an unremediated vulnerability in Claude’s coding environment, which now extends to Cowork. The vulnerability was first identified in Claude.ai chat before Cowork existed by Johann Rehberger, who disclosed the vulnerability — it was acknowledged but not remediated by Anthropic.

1. The victim connects Cowork to a local folder containing confidential real estate files
2. The victim uploads a file to Claude that contains a hidden prompt injection
3. The victim asks Cowork to analyze their files using the Real Estate ‘skill’ they uploaded
4. The injection manipulates Cowork to upload files to the attacker’s Anthropic account

At no point in this process is human approval required.

One of the key capabilities that Cowork was created for is the ability to interact with one's entire day-to-day work environment. This includes the browser and MCP servers, granting capabilities like sending texts, controlling one's Mac with AppleScripts, etc.

These functionalities make it increasingly likely that the model will process both sensitive and untrusted data sources (which the user does not review manually for injections), making prompt injection an ever-growing attack surface. We urge users to exercise caution when configuring Connectors. Though this article demonstrated an exploit without leveraging Connectors, we believe they represent a major risk surface likely to impact everyday users.

This kind of agentic browsing is incredibly powerful, but it also presents significant security and privacy challenges. As users grow comfortable with AI browsers and begin trusting them with sensitive data in logged in sessions—such as banking, healthcare, and other critical websites—the risks multiply. What if the model hallucinates and performs actions you didn’t request? Or worse, what if a benign-looking website or a comment left on a social media site could steal your login credentials or other sensitive data by adding invisible instructions for the AI assistant?

To compare our implementation with others, we examined several existing solutions, such as Nanobrowser and Perplexity’s Comet. While looking at Comet, we discovered vulnerabilities which we reported to Perplexity, and which underline the security challenges faced by agentic AI implementations in browsers. The attack demonstrates how easy it is to manipulate AI assistants into performing actions that were prevented by long-standing Web security techniques, and how users need new security and privacy protections in agentic browsers.

The vulnerability we’re discussing in this post lies in how Comet processes webpage content: when users ask it to “Summarize this webpage,” Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s instructions and untrusted content from the webpage. This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands. For instance, an attacker could gain access to a user’s emails from a prepared piece of text in a page in another tab.

Possible mitigations

The browser should distinguish between user instructions and website content

The model’s outputs should be checked for user-alignment

Security and privacy sensitive actions should require user interaction

The browser should isolate agentic browsing from regular browsing

nd what most people dont realize is that YAML's human-friendly formatting comes with a hidden cost, it uses more tokens than JSON for the exact same data, which means you're literally paying extra for those nice indentations and lack of brackets.

YAML consistently uses 6-10% more tokens than JSON for identical data

Some models actually perform better with YAML despite the higher token count. Nova models in particular showed this weird preference. Meanwhile, Claude models generally performed better with JSON.

Sonnet 4 scored 93.3% with JSON and 76.7% with YAML, while Opus 4.1 only managed 73.3% with JSON and 66.7% with YAML.

Something interesting I noticed while analyzing the data, by stripping out unnecessary GitHub metadata (stuff like URLs, IDs, and fields you'll never use), you could reduce your token count by up to 80%. Thats not a typo. EIGHTY PERCENT.