blogs by Gio

Recent essays

🔨 My Pal Sorter

  • Posted in tech

I’ve decided to do a short write-up on a tool I just call “Sorter”. Sorter is something I built for myself to help me organize my own files, and it looks like this:

animated sort demo

It’s designed to do exactly one thing: move files into subfolders, one file at a time. You look at a file, you decide where it goes, and you move it accordingly. It’s the same behavior you can do with Explorer, but at speed.

You can download it if you want (although it might not be easy to build; check the releases for binaries) but for now I just wanted to talk through some of the features, why I built it the way I did, and the specific features I needed that I couldn’t find in other software.

🖱 Reddit: Your API *IS* Your Product

  • Posted in cyber

Reddit is going the same route as Twitter by making “API access” prohibitively expensive. This is something they very famously, very vocally said they would not do, but they’re doing it anyway. This is very bad for Reddit, but what’s worse is it’s becoming clear that companies think that this is a remotely reasonable thing to do, when it’s very critically not.

It’s the same problem we see with Twitter and other late-capitalist hell websites: Reddit’s product is the service it provides, which is its API. The ability for users to interact with the service isn’t an auxiliary premium extra, it’s the whole caboodle!

I’ll talk about first principles first, and then get into what’s been going on with Reddit and Apollo. The Apollo drama is very useful in that it directly converts the corporate bullshit that sounds technical enough to make sense into something very easy to understand: a corporation hurting them, today, for money.

The API is the product

Reddit and all these other companies who are making user-level API access prohibitively expensive have forgotten that the API is the product. The API is the interface that lets you perform operations on the site. The operations a user can do are the product, they’re not auxiliary to it!

“Application programming interface” is a very formal, internal-sounding term for a system that is none of those things. The word “programming” in the middle comes from an age where using a personal computer at all was considered “programming” it.

What an API really is is a high-level interface to the web application that is Reddit. Every action a user can take — viewing posts, posting, voting, commenting — goes from the app (which interfaces with the user) to the API (which interfaces with the Reddit server), gets processed by the server using whatever-they-use-it-doesn’t-matter, and the response is sent back to the user.

The API isn’t a god mode and it doesn’t provide any super-powers. It doesn’t let you do anything you can’t do as a user, as clearly evidenced by the fact that all the actions you do on the Reddit website go through the API too.

The Reddit website, the official Reddit app, and the Apollo app all interface with the user in different ways and on different platforms, but go through the same API to interact with what we understand as “Reddit”. The fact that the API is the machine interface without the human interface should also concisely explain why “API access” is all Apollo needs to build its own app.

Right now, you can view the announcement thread at, and you can view the “API” data for the same thread at It’s not very fun to look at, but it’s easy to tell what you’re looking at: the fundamental representation of the page without all the trappings of the interface.

Public APIs are good for both the user and the company. They’re a vastly more efficient way for people to interact with the service than by automating interaction (or “scraping”). Having an API cuts out an entire layer of expense that, without an API, Reddit would pay for.

The Reddit service is the application, and you interface with it through WHATEVER. Whatever browser you want, whatever browser extensions you want, whatever model phone you want, whatever app you want. This is fundamentally necessary for operability and accessibility.

The API is the service. The mechanical ability to post and view and organize is what makes Reddit valuable, not its frontend. Their app actually takes the core service offering and makes it less attractive to users, which is why they were willing to pay money for an alternative!

⚖ Netflix's Big Double-Dip

Netflix is finally turning the screws on multi-user accounts. That “finally” is exasperation in my voice, not relief. Netflix is demanding you pay them an extra surcharge to share your account with remote people, and even then caps you at paying for a maximum of two. It’s been threatening to do something like this for a long, long time:

Since 2011, when the recording industry started pushing through legal frameworks to criminalize multi-user account use by miscategorizing “entertainment subscription services” as equivalent to public services like mail, water, and electricity for the purposes of criminal prosecution,

Since similar nonsense in 2016 exploiting the monumentally terrible Computer Fraud and Abuse Act,

Since 2019, when Netflix announced (to its shareholders) that it was looking for ways to limit password sharing,

Since 2021, when Netflix started tracking individual users by location and device within a paying account,

Since 2022, when it started banning group use in Portugal, Spain, and New Zealand, to disastrous consequence. Also, Canada, but temporarily. And, of course, then threatened to “crack down” on “password sharing” in “Early 2023”,

Since January, when it threatened to roll out “paid password sharing” in the “coming months”,

Since February, when it released a disastrous policy banning password sharing, then lied about the policy being an error and made a big show of retracting it due to the massive backlash, but then went ahead and did it in Canada anyway,

And finally now since just now, as it’s finally, really, for-realsies banning password sharing this quarter.

Netflix threatening this for so long was a mistake on its part, because that’s given me a long, long time for these thoughts to slowly brew in the back of my head. And there’s a lot wrong here.

the teat one this is a real graphic Netflix made!

Netflix’s pricing model

So, first, what are multi-user accounts in the first place, and how does “password sharing” relate to that?

🎮 The Last Clockwinder Retrospective

  • Posted in gaming

I played The Last Clockwinder last week, and it changed the way I think about production games.

Factory games

The Steam page describes The Last Clockwinder as a “VR puzzle-automation game.” I like production and automation games. But I’m used to FTB and Factorio and Zachtronics and Universal Paperclip. I’m used to the look automation-production games gravitate towards.


Factorio’s top-down design invites you to create sprawling factories that completely overtake the landscape. What little detail there is in the landscape is purely mechanical; resources you can extract and process, or enemies you have to either avoid or exploit for more resources.

Positioning the camera to give yourself a comfortable view of the structures you build and the items you’re manipulating leaves the actual character as a tiny focal point; more of a crosshair than a character or even an avatar.

Factorio scales enemy difficulty to “pollution” but this is always designed to be overcome, not be a legitimately limiting factor.


In Infinifactory, you’re captured by aliens and forced to engineer efficient factories in exchange for food pellets. Each puzzle takes place in a set of stark, desolate environments. It’s first-person, but you never directly interact with another character; the most you get are notes about how much your predecessors hated it.

As soon as you solve a puzzle, you’re presented with a histogram: how could you optimize your solution further? Could you be faster? Use fewer blocks? Are you better than your friends, or falling behind?

Universal Paperclip (gif)

Universal Paperclip’s minimalist HTML interface makes it a graphical outlier, but the bare-metal minimally-styled HTML evokes a sense of brutalism that reinforces the game’s theme of efficiency in the pursuit of a goal to the exclusion of everything else.

And then there’s The Last Clockwinder.

The Last Clockwinder

It’s undeniably hard sci-fi. The first thing you do is arrive in a spaceship. Throughout the game you’re on the radio with your friend idling in orbit, and the whole story revolves around interplanetary travel.

But then the first thing you see is a tree-patio with a hammock. It almost feels like a treehouse. The purpose of the tree is archival and preservation of rare and culturally significant plants; it’s a reserve, and that’s what gives it such importance. Inside the tree is the one room you stay inside for the entire game, and it’s a living space.

🖱 So you want to write an AI art license

  • Posted in cyber

Hi, The EFF, Creative Commons, Wikimedia, World Leaders, and whoever else,

Do you want to write a license for machine vision models and AI-generated images, but you’re tired of listening to lawyers, legal scholars, intellectual property experts, media rightsholders, or even just people who use any of the tools in question even occasionally?

You need a real expert: me, a guy whose entire set of relevant qualifications is that he owns a domain name. Don’t worry, here’s how you do it:

This is an extremely condensed set of notes, designed as a high-level overview for thinking about the problem.

Given our current system of how AI models are trained and how people can use them to generate new art, which is this:

Sequence diagram (participants: Curio, Model, Alice), messages in order:

  • "Hello. Here are N images and text descriptions of what they contain."
  • Training (looks at images, "makes notes", discards originals)
  • "OK. I can try to make similar images from my notes, if you tell me what you want."
  • "Hello. I would like a depiction of this new thing you've never seen before."
  • "OK. Here are some possibilities."

The works

The model and the works produced with the model are both distinct products. The model is more like processing software or tooling, while the artistic works created with the model are distinctly artistic/creative output.

Models do not keep the original images they were trained on in any capacity. They only keep mathematical notes about their properties. You (almost always) cannot retrieve the original image data used from the model after training.

Sequence diagram (participants: Model, Curio), messages in order:

  • "Send me a copy of one of the images you were trained on"
  • "Sorry, I do not remember any of them exactly, only general ideas on how to make art."

There is a lot of misinformation about this, but it is simply, literally the case that a model does not include the training material, and cannot reproduce its training material. While not trivial (you can’t have a model if you can’t train it at all), when done properly, the specific training data is effectively incidental.

AI-generated art should be considered new craftsmanship — specifically, under copyright law, it is new creative output with its own protections — and not just a trivial product of its inputs.


The fact that AI art is new creative output doesn’t mean AI art can’t be plagiarism.

🖱 Replika: Your Money or Your Wife

  • Posted in cyber

If you’ve been subjected to advertisements on the internet sometime in the past year, you might have seen advertisements for the app Replika. It’s a chatbot app, but personalized, and designed to be a friend that you form a relationship with.

That’s not why you’d remember the advertisements though. You’d remember the advertisements because they were like this:

Replika "Create your own AI friend" "I've been missing you" hero ad

Replika ERP ad, Facebook (puzzle piece meme) Replika ERP ad, Instagram

And, despite these being mobile app ads (and, frankly, really poorly-constructed ones at that) the ERP function was a runaway success. According to founder Eugenia Kuyda the majority of Replika subscribers had a romantic relationship with their “rep”, and accounts point to those relationships getting as explicit as their participants wanted to go:


So it’s probably not a stretch of the imagination to think this whole product was a ticking time bomb. And — on Valentine’s day, no less — that bomb went off. Not in the form of a rape or a suicide or a manifesto pointing to Replika, but in a form much more dangerous: a quiet change in corporate policy.

Features started quietly breaking as early as January, and the whispers sounded bad for ERP, but the final nail in the coffin was the official statement from founder Eugenia Kuyda:

“update” - Kuyda, Feb 12

These filters are here to stay and are necessary to ensure that Replika remains a safe and secure platform for everyone.

I started Replika with a mission to create a friend for everyone, a 24/7 companion that is non-judgmental and helps people feel better. I believe that this can only be achieved by prioritizing safety and creating a secure user experience, and it’s impossible to do so while also allowing access to unfiltered models.

People just had their girlfriends killed off by policy. Things got real bad. The Replika community exploded in rage and disappointment, and for weeks the pinned post on the Replika subreddit was a collection of mental health resources including a suicide hotline.

Resources if you're struggling post


First, let me deal with the elephant in the room: no longer being able to sext a chatbot sounds like an incredibly trivial thing to be upset about, and might even be a step in the right direction. But these factors are actually what make this story so dangerous.

These unserious, “trivial” scenarios are where new dangers edge in first. Destructive policy is never just implemented in serious situations that disadvantage relatable people first, it’s always normalized by starting with edge cases and people who can be framed as Other, or somehow deviant.

It’s easy to mock the customers who were hurt here. What kind of loser develops an emotional dependency on an erotic chatbot? First, having read accounts, it turns out the answer to that question is everyone. But this is a product that’s targeted at and specifically addresses the needs of people who are lonely and thus specifically emotionally vulnerable, which should make it worse to inflict suffering on them and endanger their mental health, not somehow funny. Nothing I have to content-warning the way I did this post is funny.

Virtual pets

So how do we actually categorize what a replika is, given what a novel thing it is? What is a personalized companion AI? I argue they’re pets.

🖱 Lies, Damned Lies, and Subscriptions

  • Posted in cyber

Everybody hates paying subscription fees. At this point most of us have figured out that recurring fees are miserable. Worse, they usually seem unfair and exploitative. We’re right about that much, but it’s worth sitting down and thinking through the details, because understanding the exceptions teaches us what the problem really is. And it isn’t just “paying people money means less money for me”; the problem is fundamental to what “payment” even is, and vitally important to understand.

Human Agency: Why Property is Good

or, “Gio is not a marxist, or if he is he’s a very bad one”

First: individual autonomy — our agency, our independence, and our right to make our own choices about our own lives — is threatened by the current digital ecosystem. Our tools are powered by software, controlled by software, and inseparable from their software, and so the companies that control that software have a degree of control over us proportional to how much of our lives relies on software. That’s an ever-increasing share.

👨‍💻 Jinja2 as a Pico-8 Preprocessor

  • Posted in dev

Pico-8 needs constants

The pico-8 fantasy console runs a modified version of lua that imposes limits on how large a cartridge can be. There is a maximum size in bytes, but also a maximum count of 8192 tokens. Tokens are defined in the manual as

The number of code tokens is shown at the bottom right. One program can have a maximum of 8192 tokens. Each token is a word (e.g. variable name) or operator. Pairs of brackets, and strings each count as 1 token. commas, periods, LOCALs, semi-colons, ENDs, and comments are not counted.

The specifics of how exactly this is implemented are fairly esoteric and end up quickly limiting how much you can fit in a cart, so people have come up with techniques for minimizing the token count without changing a cart’s behaviour. (Some examples in the related reading.)

But, given these limitations on what is more or less analogous to the instruction count, it would be really handy to have constant variables, and here’s why:

-- 15 tokens (clear, expensive)
sfx_ding = 024
function on_score()
  sfx(sfx_ding)
end

function on_menu()
  sfx(sfx_ding)
end

-- 12 tokens (unclear, cheap)
function on_score()
  sfx(024)
end

function on_menu()
  sfx(024)
end

The first excerpt is a design pattern I use all the time. You’ll probably recognize it as the simplest possible implementation of an enum, using global variables. All pico-8’s data — sprites and sounds, and even builtins like colors — are keyed to numerical IDs, not names. If you want to draw a sprite, you can put it in the 001 “slot” and then make references to sprite 001 in your code, but if you want to name the sprite you have to do it yourself, like I do here with the sfx.

Using a constant as an enumerated value is good practice; it allows us to adjust implementation details later without breaking all the code (e.g. if you move an sfx track to a new ID, you just have to change one variable to update your code) and keeps code readable. On the right-hand side you have no idea what sound 024 was supposed to map to unless you go and play the sound, or label every sfx call yourself with a comment.

But pico-8 punishes you for that. That’s technically a variable assignment with three tokens (name, assignment, value), even though it can be entirely factored out. That means you incur the 3-token overhead every time you write clearer code. There needs to be a better way to optimize variables that are known to be constant.

What constants do and why they’re efficient in C

I’m going to start by looking at how C handles constants, because C sorta has them and lua doesn’t at all. Also, because the “sorta” part in “C sorta has them” is really important, because the C language doesn’t exactly support constants, and C’s trick is how I do the same for pico-8.

In pico-8 what we’re trying to optimize here is the token count, while in C it’s the instruction count, but it’s the same principle. (Thinking out loud, a case could be made that assembly instructions are just a kind of token.) So how does C do it?

👨‍💻 Gio Flavoured Markdown

  • Posted in dev

“How can I show someone how my blog articles actually render?”

It sounds like it should be super easy, but it turns out it really isn’t. I write in Markdown (and attach the source to all my posts if you’re interested) that then gets rendered as HTML on-demand by Pelican. (More on this on the thanks page.) But that means there’s no quick way to demo what any given input will render as: it has to run through the markdown processor every time. Markdown is a fairly standard language, but I have a number of extensions I use — some of which I wrote myself — which means to get an authoritative rendering, it has to actually render.

But I want to be able to demo the full rendered output after all the various markdown extensions process. I want a nice simple way to render snippets and show people how that works, like a live editor does. The CSS is already portable by default, but the markdown rendering is done with python-markdown, which has to run server-side somewhere, so that’s much less portable.

So I spent two evenings and wrote up, which does exactly that. You can view the live source code here if you want to follow along.


🖱 The Failure of Account Verification

  • Posted in cyber

The “blue check” — a silly colloquialism for an icon that’s not actually blue for the at least 50% of users using dark mode — has become a core aspect of the Twitter experience. It’s caught on other places too; YouTube and Twitch have both borrowed elements from it. It seems like it should be simple. It’s a binary badge; some users have it and others don’t. And the users who have it are designated as… something.

In reality it’s massively confused. The first problem is that “something”: it’s fundamentally unclear what the significance of verification is. What does it mean? What are the criteria for getting it? It’s totally opaque who actually makes the decision and what that process looks like. And what does “the algorithm” think about it; what effects does it actually have on your account’s discoverability?

This mess is due to a number of fundamental issues, but the biggest one is Twitter’s overloading the symbol with many conflicting meanings, resulting in a complete failure to convey anything useful.

xkcd twitter_verification

History of twitter verification

Twitter first introduced verification in 2009, when baseball man Tony La Russa sued Twitter for letting someone set up a parody account using his name. It was a frivolous lawsuit by a frivolous man who has since decided he’s happy using Twitter to market himself, but Twitter used the attention to announce their own approach to combating impersonation on Twitter: Verified accounts.