Nicola Romanò @nicolaromano@qoto.org

Guess the replication game
https://t1p.de/guther

I got much better at this once I stopped reading beyond the title.

#openscience #GuesstheReplication #openresearch #replication

Don’t call it age verification. Call it centralised personal data collection. And understand that it serves surveillance, not safety for children.

Q: How old are you?
A: That old…

@johnlogic @neuronakaya

In my experience when someone says "scientists don't want you to know" what they are really saying is "science doesn't support my crackpot theory"

NHS Goes To War Against Open Source

The NHS is preparing to close nearly all of its Open Source repositories.

Throughout my time working for the UK Government - in GDS, NHSX, i.AI, and others - I championed Open Source. I spoke to dozens of departments about it, wrote guidance still in use today, and briefed Ministers on why it was so important.

That's why I'm beyond disappointed at recent moves from NHS England to backtrack on all the previous commitments they've made about the value of open source to the UK's health service.

It's rare that multiple people leak the same story to me, but that's what gives me confidence that lots of people within the NHS are aghast at this news.

A few days ago, I was sent this quote which was attributed to a senior technical person in NHS England.

We are obviously looking at things like Mythos, which is more sophisticated at finding vulnerabilities. In the next week or so, we will be changing our tack on coding the open and making our code public until we're on top of that risk.

Most of our repos, unless they're essential, will be removed for security reasons.

As I've written before, this is not the correct response to the purported threat by Mythos. Neither the AI Safety Institute nor the NCSC recommend this action. While there may be some increase in risk from AI security scanners, to shutter everything would be a gross overreaction.

Nevertheless, that's what the NHS is preparing to do.

On the 29th of April, guidance note SDLC-8 was sent out. Here's what it says:

The majority of code repos published by the NHS are not meaningfully affected by any advance in security scanning. They're mostly data sets, internal tools, guidance, research tools, front-end design and the like. There is nothing in them which could realistically lead to a security incident.

When I was working at NHSX during the pandemic, we were so confident of the safety and necessity of open source, we made sure the Covid Contact Tracing app was open sourced the minute it was available to the public. That was a nationally mandated app, installed on millions of phones, subject to intense scrutiny from hostile powers - and yet, despite publishing the code, architecture and documentation, the open source code caused zero security incidents.

Furthermore, this new guidance is in direct contradiction to the UK's Tech Code of Practice point 3 "Be open and use open source" which insists on code being open.

Similarly, the Service Standard says:

There are very few examples of code that must not be published in the open.

The main reason for code to be closed source is when it relates to policy that has not yet been announced. In this case, you must make the code open as soon as possible after the policy is published.

You may also need to keep some code closed for security reasons, for example code that protects against fraud. Follow the guidance on code you should keep closed and security considerations for open code.

There's also the DHSC policy "Data saves lives: reshaping health and social care with data":

Commitment 601 – completed May 2022

We will publish a digital playbook on how to open source your code for health and care organisations

And, here's NHS Digital's stance on open source in their Software Engineering Quality Framework:

The position of all three of these documents is that we should code in the open by default.

All of which is reflected in the NHS service standard:

Public services are built with public money. So unless there's a good reason not to, the code they're based should be made available for other people to reuse and build on.

All of which is to say - open source should be baked into the DNA of the NHS by now. There are thousands of NHS repositories on GitHub. The work undertaken to assess all of them and then close them will be massive. And for what?

Even if we ignore the impracticality of closing all the code - it is too late! All that code has already been slurped up. If Mythos really is the ultimate hacker, hiding the code now does nothing. It has likely already retained copies of the repositories.

And if it were both practical and effective to hide source code - that doesn't matter. These AI tools are just as effective against closed-source. They can analyse binaries and probe websites with ease.

There are tens of thousands of NHS website pages which refer to their GitHub repos - will they all need to be updated? What's the cost of that?

I've no idea what led to NHS England making this retrograde decision - so I've send a Freedom of Information request to find out.

I am convinced that closing all their excellent open source work is the wrong move for the NHS. I hope they see sense and reverse course.

Until then, I've helped make sure that every single NHS repository has been backed up and, because the software licence permits it, can be re-published if the original is closed.

In the meantime, you should email your MP and tell them that the NHS is wrong to shutter its world-leading open source repositories.

Don't let them take away your right to see the code which underpins our nation's healthcare.

Further Reading

I'm quoted in this article from The New Scientist.
Matt Hancock on the issue
Discussion by Jessica Morley, PhD
Free Software Foundation Europe press release
Further commentary from New Scientist
Petition - Keep Things Open
Update 2026-05-14: GDS have published their Guidance "AI, open code and vulnerability risk in the public sector " which explicitly says closing repos is the wrong approach.

My only topical take for today is that “undoing a 600% increase is an 85.7% decrease” being arithmetically true does not stop it from being a great example of why to avoid percentages if you want to be understood.

In "good news for my small annoyances in copying the same function across scripts", R 4.6.0 will (finally) have a %notin% built-in

https://www.jumpingrivers.com/blog/whats-new-r46/ and https://cran.r-project.org/doc/manuals/r-devel/NEWS.html

#rstats

i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.

The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.

And yes, all of those emails contain the actual PII of the person who has been 'deleted' :-D

#infosec

so it cost anthropic $20k to find this openbsd crash bug which amounts to putting a negative integer in a tcp field where a negative integer was not expected by the c code which does some cavalier int cast bullshit, ie. a vuln which is totally fuzzable, and quite certainly would have been found by the fuzzers of the 2010s had anyone cared to burn that much compute on fuzzing openbsd.

The difference today is not that anybody suddenly cares about investing that much in openbsd (is the build server still a donated machine running in Theo's basement?), but that openbsd's reputation for security makes it really good marketing if you can find a bug, any bug, it doesn't matter; and that marketing value is what makes it worth spending $20k on fuzzing.

#JoyScrolling #ArtemisII #HiddenFigures #CelebrateScience #CelebrateWomenScientists #KatherineJohnson

Lui et son équipe de douze salariés vont quitter les lieux. Motif ? Ce restaurateur bio et végane, dont la cuisine était accueillie à l’hôtel Babel à Paris, a refusé de retirer un sticker « Free Palestine ».

Lire l'article ➡️ https://l.reporterre.net/bt4

Learned via the @R4DSCommunity Slack chat today that radian is no longer actively developed! @eitsupi's arf is recommended in the README now! https://github.com/randy3k/radian

NGL, while I greatly enjoy arf, I deeply appreciate radian and hate to see a good option disappear.

#RStats

We have a new paper out! Named "The hierarchical morphotope classification: A theory-driven framework for large-scale analysis of built form”, it provides an overview of the method we used to build our Urban Taxonomy dataset.

https://authors.elsevier.com/sd/article/S0264-2751(26)00279-9

Morphology often hits scalability limits. This method is able to break those as shown by classifying over 90 million buildings (in the paper, we have 150 million + now).

1/n

We have a cover! Excited to be part of this. The publisher site for the book is https://www.routledge.com/Bayesian-Workflow/Gelman-Vehtari-McElreath-Simpson-Margossian-Yao-Kennedy-Gabry-Burkner-Modrak-Barajas/p/book/9780367490140

Note that a PDF will be freely downloadable once the book is out!

My therapist said I need to find things to keep me busy, so I created the @cdnspace Artemis II dashboard.

I reverse-engineered the Unity Engine powering the NASA AROW visualization and found an absolute treasure trove of data to display.

Little did I expect that it's now being seen by anywhere from 200 to 600 people at any given time with 130,000 people having looked at it in the last 24 hours. People are even building projects around my API.

Yesterday, I received a message on LinkedIn from someone working in Mission Control in Houston... and they're using my dashboard! He even sent me a photo, but I can't share it until after the crew has splashed down.

Mind blown, and an absolute pick-me-up. The best part? It's being served from my basement.

https://artemis.cdnspace.ca/

#artemis #artemis2 #artemisII #nasa #csa

A lot can happen in 57 years.

In 1969 the corrupt President Nixon was president, the U.S. could not afford universal healthcare but did find the money to go to the moon while waging a war in Vietnam.

In 2026 the corrupt President Trump is president, the U.S. still cannot afford universal healthcare but does find the money to go to the moon while waging a war in Iran.