10 interesting stories served every morning and every evening.


An entire Herculaneum scroll has been read for the first time

scrollprize.org

We read an en­tire scroll — with­out ever open­ing it

PHerc. 1667, sealed since the erup­tion of Vesuvius in 79 AD, has been vir­tu­ally un­wrapped and read from be­gin­ning to end.

June 25th, 2026

Read the preprint: Complete vir­tual un­wrap­ping and read­ing of a rolled Herculaneum pa­pyrus (PDF). The data is openly avail­able at scroll­prize.org/​data, and the code on GitHub.

For al­most 2,000 years, the car­bonized li­brary of Herculaneum has kept a cruel bar­gain: its scrolls sur­vived the erup­tion of Mount Vesuvius, but only by be­com­ing too frag­ile to open. To read one was to de­stroy it. Hundreds of rolls have there­fore re­mained sealed, their con­tents pre­served yet un­reach­able.

Today that changes. We have com­pletely vir­tu­ally un­wrapped and read PHerc. 1667 — the scroll the Vesuvius Challenge com­mu­nity knows as Scroll 4 — with­out ever touch­ing its pages. It is the first Herculaneum pa­pyrus to be dig­i­tally un­rolled and read in full, end to end, and made avail­able for sus­tained schol­arly study.

From a sealed lump to a read­able book​

PHerc. 1667 be­gan as a black­ened, rolled mass of car­bonized pa­pyrus. To read it, we never un­rolled it phys­i­cally. Instead, we scanned it with high-res­o­lu­tion X-rays, re­con­structed the wound sheet in­side the vol­ume, flat­tened it into a read­able sur­face, and used ma­chine learn­ing to bring out the faint traces of an­cient ink.

The work reaches be­yond a sin­gle scroll. Alongside the com­plete read­ing of PHerc. 1667, the re­search es­tab­lishes a method that holds up un­der in­de­pen­dent checks and scales to other rolls.

PHerc. 1667 — read in full​

PHerc. 1667 is what sur­vives of a larger roll: ear­lier at­tempts to open it by hand — in the nine­teenth cen­tury, and again in 1969 and the 1980s — de­stroyed its outer lay­ers and left only the com­pact in­ner core, about 8 cm of an orig­i­nal height of 19 – 24 cm. From that sur­viv­ing por­tion we have now re­cov­ered and read the text in full — the lower parts of some twenty-two columns, tran­scribed and re­viewed by pa­py­rol­o­gists. It is the first time the pre­served text of a rolled Herculaneum scroll has been read con­tin­u­ously, end to end, rather than in iso­lated words or patches.

The re­cov­ered text is a philo­soph­i­cal trea­tise on ethics, and the ev­i­dence points to a Stoic work: it turns on hu­man na­ture, im­pulse, and the moral progress of hu­man be­ings, and its fi­nal pre­served col­umn names Aristocreon — nephew and dis­ci­ple of the great Stoic Chrysippus — which, to­gether with the lan­guage and themes of the text, places it in a Stoic con­text and dates it to the 2nd cen­tury BC.

Because the pa­pyrus is dam­aged, the read­ings are frag­men­tary, with gaps where the sur­face is lost. Even so, sev­eral pas­sages can be read clearly for the first time in two thou­sand years:

“…we will inquire into something, but we will not grasp it, if in some way we depart from ourselves and from our own nature…”

“Having…strained ourselves to the utmost through research and learning…possessing the same practical wisdom…”

“…such being the goods for us, even from the opposite evils there will be neither anything good — let alone beautiful — nor anything bad — let alone ugly — nor happiness…”

Translated from the Greek; the full col­umn-by-col­umn tran­scrip­tion is in the preprint.

PHerc. Paris 4 — ink made vis­i­ble by higher res­o­lu­tion​

In a sec­ond scroll — PHerc. Paris 4, the scroll the Vesuvius Challenge com­mu­nity knows as Scroll 1 — a higher-res­o­lu­tion imag­ing tech­nique makes the ink di­rectly vis­i­ble in­side the scroll it­self, in the three-di­men­sional X-ray data, for the first time. Segmented in 3D and pro­jected back onto the un­wrapped page, that ink matches the text read in the 2023 Grand Prize one-to-one — an in­de­pen­dent con­fir­ma­tion, from bet­ter data, that the read­ing is real.

PHerc. 139 — a ti­tle, and an au­thor​

In a third scroll, PHerc. 139, we re­cover the scrol­l’s ti­tle and au­thor at­tri­bu­tion: the work is iden­ti­fied as Philodemus, On Gods, Book 8 — a trea­tise by the Epicurean philoso­pher whose works fill so much of this li­brary. Reading the ti­tle of a closed scroll tells schol­ars what a roll con­tains be­fore a sin­gle col­umn of its body is stud­ied.

How it was done​

The scans were ac­quired with high-res­o­lu­tion phase-con­trast X-ray mi­cro­to­mog­ra­phy on the BM18 beam­line at the European Synchrotron Radiation Facility (ESRF) in Grenoble — an in­stru­ment able to re­solve the wafer-thin, densely packed lay­ers of a Herculaneum roll. The work was car­ried out in col­lab­o­ra­tion with the National Library of Naples Vittorio Emanuele III, which safe­guards the Herculaneum pa­pyri. From those vol­umes, the team re­con­structed the scrol­l’s geom­e­try, traced and flat­tened its sur­face into a read­able sheet, and trained ma­chine-learn­ing mod­els to de­tect ink that is al­most in­dis­tin­guish­able from the car­bonized pa­pyrus be­neath it. Each read­ing was then ex­am­ined and tran­scribed by pa­py­rol­o­gists.

Crucially, all of this is open. The to­mo­graphic data, re­con­structed sur­faces and tran­scrip­tions are re­leased un­der a Creative Commons li­cence at scroll­prize.org/​data and archived at the ESRF, and the code is on GitHub. Anyone can check the work, build on it, and ap­ply it to the scrolls that re­main.

A vic­tory for open, global sci­ence​

This is what open sci­ence makes pos­si­ble. The vir­tual un­wrap­ping of the Herculaneum scrolls was pi­o­neered at EduceLab by its prin­ci­pal in­ves­ti­ga­tor, Professor Brent Seales. In 2023 Seales opened his lab’s imag­ing and soft­ware tech­nol­ogy to the Vesuvius Challenge — a pub­lic, do­na­tion-funded ef­fort he co-founded with Nat Friedman and Daniel Gross to read the scrolls in the open — and from there a global com­mu­nity took up the prob­lem. The first let­ters and the 2023 Grand Prize were won by con­tes­tants from across the world.

What is less widely known is what hap­pened next. Most of the Vesuvius Challenge re­search team first ar­rived as con­tes­tants. They en­tered the open com­pe­ti­tion, won prizes for the break­throughs they made, and were then re­cruited onto the team that has now read an en­tire scroll. The peo­ple be­hind this break­through are, in large part, the global com­mu­nity the Challenge it­self cre­ated.

What’s next​

PHerc. 1667 is one scroll. Hundreds more re­main sealed — an en­tire li­brary of phi­los­o­phy, po­etry and prose wait­ing to be read for the first time since an­tiq­uity. The method shown here is built to scale, and every­thing needed to ap­ply it is open.

If you want to help read the rest of the li­brary:

Read the sci­ence: the preprint (PDF).

Get the data and code: scroll­prize.org/​data and GitHub.

Join the ef­fort: get started and be­come part of the com­mu­nity read­ing the scrolls.

The thoughts of the an­cient world, sealed in dark­ness for two mil­len­nia, are com­ing back into the light — a whole scroll at a time.

web hl2

hl2.slqnt.dev


Hacker Trends: 18 years of Hacker News, charted

hackernewstrends.com

Hacker Trends - see how any topic, tool, or per­son trended across 18 years of Hacker News

Charts how often any topic, tool, or person has come up on Hacker News. Overlay a few terms to watch their traction rise and fall. Each line is a live date-histogram over 45M posts and comments, built on Upstash Redis Search. Below the chart sit the actual stories and comments behind the lines, filterable by term or author.


Popular Comparisons


The de­ploy-plat­form ri­valry: Cloudflare car­ries the CDN/edge con­ver­sa­tion for years, then Vercel surges on the Next.js wave and the two trade blows as both push into edge func­tions and full-stack host­ing.

David vs Goliath of the lab era: OpenAI’s re­peated tow­ers lead from 2023, un­til a sud­den 2026 Anthropic surge pulls level and the lead changes hands.

The sil­i­con ba­ton pass: AMD leads 2017 – 20 on the Ryzen/Zen come­back, then Nvidia over­takes with the 2020 – 23 GPU-and-AI surge.

A three-way re­lay across the JVM/mobile era: Scala is the hot lan­guage ~2011, Swift grabs the ba­ton with iOS mid-decade, then Kotlin over­takes both as Android goes Kotlin-first.

Frontend’s gen­er­a­tions in a line: Angular leads the frame­work wars ~2013 – 14, Vue rises 2016 – 19, then Svelte takes the new­comer crown 2020 – 22.

The data­base lead-swap: MySQL owns the con­ver­sa­tion around 2009 – 11, then goes quiet as Postgres climbs to over­take it by 2017 – 20.

ML frame­works, gen­er­a­tion by gen­er­a­tion: TensorFlow launches the deep-learn­ing gold rush 2015 – 16, PyTorch over­takes re­search 2019 – 21, then JAX be­comes the cut­ting-edge fa­vorite 2021 – 23.

Bundler chang­ing of the guard: Webpack owns the build step 2015 – 20, then Vite ar­rives and over­takes it from 2022 on.

Crypto-exchange lead-swap: Coinbase is the ex­change peo­ple talk about through 2013 – 21, then Binance takes over the head­lines in 2022 – 23.

The ed­i­tor wars, old guard vs new: Vim and Emacs trade the modal-vs-ex­ten­si­ble ar­gu­ment year af­ter year, then Zed bursts in and spikes hard across 2024 – 26.

The Twitter-alternative re­lay: Mastodon spikes with the 2022 ac­qui­si­tion ex­o­dus, then Bluesky over­takes it as the des­ti­na­tion in 2024 – 25.

Node-alternative race: Deno is the buzzy re­place­ment 2020 – 22, then Bun grabs the spot­light from 2023 on­ward.

A text­book chang­ing of the guard: Flash burns hot across 2010 – 11, then HTML5 climbs past it into 2014 – 15, the open web eat­ing the plu­gin alive.

Containerization hand­off: Docker erupts 2014 – 15 as the new hot­ness, then Kubernetes in­her­its the spot­light from 2016 as or­ches­tra­tion be­comes the story.

Succession within a dy­nasty: vim leads through the 2010s, then its own fork neovim ig­nites 2021 – 23 and takes the lead as the com­mu­nity mi­grates.

Two AI shockwaves, offset: ChatGPT’s late-2022 launch wall, then DeepSeek’s lone Jan-2025 tower, the “Sputnik moment” years later.

JS-superset suc­ces­sion: CoffeeScript’s 2011 – 14 hype cools, then TypeScript’s 2019+ rise shows which ab­strac­tion ac­tu­ally won.

The 2022 text-to-im­age ex­plo­sion, month by month: DALL-E 2 opens the era in spring, Stable Diffusion’s open-source re­lease det­o­nates in late sum­mer, then Midjourney be­comes the house­hold name into 2023.

A CPU-architecture shift: x86 dom­i­nates chip talk around 2020 – 23, then ARM surges with Apple Silicon and data-cen­ter ARM into 2024 – 26.

The text-ed­i­tor crown, passed hand to hand: Sublime Text is the beloved ed­i­tor of 2012 – 14, GitHub’s Atom takes over 2014 – 15, then VS Code eats the world from 2018 on.

Video call­ing, dy­nasty to dy­nasty: Skype owns the 2010s, then Zoom spikes hard in the sin­gle March-2020 lock­down month while Microsoft Teams rides the same re­mote-work wave on Office’s coat­tails.

CI chang­ing of the guard: Jenkins is the CI tool of the mid-2010s, then GitHub Actions takes over from 2021 on.

The AI-coding-tool re­lay: Cursor is the ed­i­tor every­one talks about in late-2024, Claude Code spikes hard across mid-2025, then OpenAI’s Codex takes its turn into early-2026.

The con­fig-man­age­ment wars: Chef leads the au­to­mate-your-servers era ~2011 – 12, Puppet trades blows through 2013, then Ansible’s agent­less ap­proach pulls ahead 2014 – 15.

The func­tional lan­guage HN could­n’t stop talk­ing about: Clojure’s Lisp-on-the-JVM mo­ment ~2009 – 11, Haskell’s pu­rity de­bates ~2012, then Elixir rides the Erlang re­vival 2016 – 18.

API de­sign, era by era: REST be­comes the we­b’s de­fault 2012 – 15, then the post-REST gen­er­a­tion splits: gRPC for ser­vice-to-ser­vice from 2016, GraphQL for the client from 2017.

Web servers across the decades: Apache rules the 2010 – 12 con­ver­sa­tion, ng­inx over­takes it for the high-traf­fic era 2011 – 13, then Caddy ar­rives with au­to­matic-HTTPS 2017 – 22.

The front-end MVC wars: Backbone.js is the first to give the browser struc­ture ~2011, then Ember and Angular es­ca­late to full frame­works 2013 – 14, the fight that set up React.

A decade of face-com­puter hype, one tower each: Google Glass in 2013, Oculus with the Facebook deal in 2014, then Apple’s Vision Pro in 2024: three spikes, ten years apart.

The full-stack web framework baton: Django and Rails define the 2009 – 15 ‘MVC framework’ era, trading the spotlight, then Laravel inherits it for the PHP world and surges 2019 – 21.

The JS build pipeline, three gen­er­a­tions: Grunt’s task-run­ner era 2013 – 14, Gulp’s stream­ing rewrite 2014 – 15, then Webpack ab­sorbs the whole job as bundling be­comes the story from 2016 on.

The ‘just deploy it’ platform, reinvented each era: Heroku defines push-to-deploy in the early 2010s (and spikes again at its 2022 free-tier sunset), Netlify owns the JAMstack 2018 – 20, then Vercel takes the Next.js era from 2023.

The NoSQL boom in or­der: CouchDB rides the early doc­u­ment-store wave ~2009, Cassandra car­ries the scale-out story 2010 – 12, then MongoDB be­comes the er­a’s de­fault 2011 – 13.

Browser test au­toma­tion, three gen­er­a­tions: Selenium is the way to drive a browser through the 2010s, Cypress rein­vents it for the mod­ern front-end ~2020, then Playwright pulls ahead and surges into 2025 – 26.

Cross-platform mo­bile, ba­ton by ba­ton: Xamarin car­ries the write-once dream ~2016, React Native takes over for the JS crowd 2017 – 18, then Flutter over­takes both and peaks into 2024.

The hy­brid-app lin­eage, re­named each era: PhoneGap wraps web apps in a na­tive shell ~2011, its open-source suc­ces­sor Cordova car­ries it 2014 – 15, then Capacitor in­her­its the job and spikes in 2024.

The post-Web­pack bundler scram­ble: Parcel’s zero-con­fig pitch lands ~2019, es­build’s Go-speed rewrite grabs at­ten­tion 2021, then Rollup re-en­ters as the li­brary bundler of choice into 2022.

The ob­serv­abil­ity stack, layer by layer: Prometheus owns met­rics col­lec­tion ~2020, Grafana takes the dash­boards spot­light 2021, then Datadog rises as the all-in-one SaaS into 2023.

The cloud data-plat­form re­lay: Redshift de­fines the cloud ware­house ~2017, Databricks rides the lake­house pitch into 2021, then Snowflake be­comes the er­a’s de­fault name by 2024.

Open-weight LLMs, re­lease by re­lease: Llama opens the flood­gates in early 2023, Mistral’s European chal­lenger surges late 2023, then Qwen car­ries the open-model crown into 2026.

Voice as­sis­tants across the decade: Siri ar­rives first with the iPhone 4S in 2011, Google Assistant takes a turn ~2018, then Alexa peaks into 2022: three spikes, years apart.

Altcoin gen­er­a­tions: Litecoin is bit­coin’s sil­ver in the 2013 boom, Dogecoin spikes as the joke-coin of that same era, then Solana car­ries the next-gen-chain story into 2022.

Crypto’s se­r­ial ma­nias: the ICO to­ken-sale frenzy peaks in 2017, the NFT gold rush det­o­nates in 2021, then DeFi car­ries the yield-farm­ing hype into 2022.

Three game en­gines, one shared earth­quake: all three spike to­gether in the Sept-2023 Unity run­time-fee fi­asco - Unity’s self-in­flicted blow-up, with Unreal and Godot surg­ing the same month as de­vel­op­ers threat­ened to jump ship.

The eter­nal hard­ware trio: CPU and RAM are the sta­ples HN has ar­gued about since 2007, while GPU climbs out of the pack through the crypto-min­ing and deep-learn­ing booms.

People

Founders, hack­ers and fig­ures whose news mo­ments spike the time­line.

AI & LLMs

The launch-by-launch stair­case of the gen­er­a­tive-AI era.

Products & hard­ware

Launch-day spikes for the chips and gad­gets HN could­n’t stop de­bat­ing.

Languages & dev tools

Languages, run­times and ed­i­tors ris­ing on re­lease-dri­ven spikes.

JS frame­works

How JavaScript frame­works come and go: each er­a’s dar­ling, in or­der.

Startups & com­pa­nies

Launches, ac­qui­si­tions, li­cense blow-ups and the oc­ca­sional im­plo­sion.

Cloud & host­ing

The plat­forms we de­ploy on: hy­per­scalers, PaaS dar­lings and in­die hosts, each with its own out­age-and-launch rhythm.

Security in­ci­dents

The sharp, dat­a­ble spikes of the bugs and breaches that ru­ined a week­end.

Crypto & hype cy­cles

Bull runs, blow-ups and the fads that came and went.

Internet & cul­ture

Platform ex­o­duses, fed­er­ated pro­to­cols and mod­er­a­tion flash­points.

Dev cul­ture

The peren­nial HN ar­gu­ments that resur­face in waves, year af­ter year.

Industry zeit­geist

Common words that crest in waves with the mood of the tech in­dus­try.

Science & fron­tier tech

Lab break­throughs and moon­shots: the spikes that briefly made HN a physics fo­rum.

Open-source li­cense wars

Relicensings, rug-pulls and the forks they spawned: each one a dat­a­ble tower of out­rage.

Gaming

Launch-day ma­nia, GPU-scalping rage and the oc­ca­sional li­cens­ing re­volt.

Health & longevity

The bio­hack­ing, GLP-1 and sleep-op­ti­miza­tion waves HN can’t stop re­lit­i­gat­ing.


Apple announces significant price increases for MacBooks, iPads, more

9to5mac.com

Apple has raised prices across the board for many of its prod­ucts to­day. MacBook Neo now starts at $699 (up from $599), while MacBook Air now starts at $1299 (up from $1099). Other im­pacted prod­ucts in­clude MacBook Pro, iPad, iPad Air, and many more.

iPhone, Apple Watch, and AirPods pric­ing is un­changed.

Why is Apple in­creas­ing prices?

Apple CEO Tim Cook confirmed the company would increase product prices in an interview last week. Cook explained that price increases had simply become “unavoidable” amid skyrocketing component costs affecting things like memory and storage. While Apple tried to weather the storm itself, the situation was ultimately “unsustainable.”

“We’re doing our best to mitigate the huge increases that are being passed to us, and we’ve been trying to shield our customers from the increases, but the situation has become unsustainable,” Cook said in the interview.

Cook specifically called out the increasing amount of memory going to high-bandwidth memory used for AI servers. “There’s less supply at a time when consumers want devices and the memory guys are passing along huge price increases,” he said.

In a state­ment to Reuters to­day, Apple said:

“We have never seen a component price increase this much, this quickly. We have shielded our customers from these increases so far, but we have now reached a point where we need to begin raising prices on a number of products, including today’s increases for iPad and Mac. We know this is not welcome news, and we are working tirelessly to find solutions.”

How much is Apple in­creas­ing prices?

Today’s price in­creases af­fect a ton of dif­fer­ent Apple prod­ucts, in­clud­ing the base start­ing price on things like MacBook Air, MacBook Neo, and more.

Macs

MacBook Neo: $699 (up from $599)

13-inch MacBook Air: $1,299 (up from $1,099)

15-inch MacBook Air: $1,499 (up from $1,299)

M5 MacBook Pro: $1,999 (up from $1,699)

M5 Pro MacBook Pro: $2,499 (up from $2,199)

M5 Max MacBook Pro: $4,099 (up from $3,599)

iMac: $1,499 (up from $1,299)

M4 Max Mac Studio: $2,499 (up from $1,999)

M3 Ultra Mac Studio: $5,299 (up from $3,999)

iPads

iPad: $449 (up from $349)

11-inch iPad Air: $749 (up from $599)

13-inch iPad Air: $949 (up from $749)

11-inch iPad Pro: $1,199 (up from $999)

13-inch iPad Pro: $1,499 (up from $1,299)

iPad mini: $599 (up from $499)

More prod­ucts:

Apple TV 4K: $199 (up from $129)

HomePod: $349 (up from $299)

HomePod mini: $129 (up from $99)

Vision Pro: $3,699 (up from $3,499)

What do you think of these price in­creases from Apple? Are you sur­prised? Let us know down in the com­ments.

Amazon pric­ing on Apple prod­ucts

The price in­creases haven’t yet hit some of Apple’s prod­ucts be­ing sold on Amazon — many of which were al­ready dis­counted for Prime Day. This in­cludes:

MacBook Neo: $589

13-inch MacBook Air: $949

15-inch MacBook Air: $1,149

M5 MacBook Pro: $1,549

iPad Air: $519

iPad Pro: $899

iPad: $299

More to come …

Here’s a com­plete look at the Prime Day deals still live at Amazon ahead of of­fi­cial price in­creases:

MacBook Neo

MacBook Neo Citrus 256GB $590 (Now Reg. $699)

MacBook Neo Citrus 512GB $690 (Now Reg. $799)

MacBook Neo Silver 256GB $590 (Now Reg. $699)

MacBook Neo Silver 512GB $690 (Now Reg. $799)

MacBook Neo Indigo 256GB $590 (Now Reg. $699)

MacBook Neo Indigo 512GB $690 (Now Reg. $799)

MacBook Neo Blush 256GB $590 (Now Reg. $699)

MacBook Neo Blush 512GB $690 (Now Reg. $799)

M5 MacBook Air

13-inch M5 MacBook Air 16GB/512GB from $949 (Now Reg. $1,299)

13-inch M5 MacBook Air 16GB/1TB from $1,149 (Now Reg. $1,499)

13-inch M5 MacBook Air 24GB/1TB from $1,349 (Now Reg. $1,699)

15-inch M5 MacBook Air 16GB/512GB from $1,149 (Now Reg. $1,499)

15-inch M5 MacBook Air 16GB/1TB from $1,349 (Now Reg. $1,699)

15-inch M5 MacBook Air 24GB/1TB from $1,549 (Now Reg. $1,899)

M5 MacBook Pro

14-inch M5 MacBook Pro 16GB/1TB $1,549 (Now Reg. $1,999)

Or $1,529 at B&H with bonus $20 coupon

14-inch M5 MacBook Pro 24GB/1TB $1,749 (Now Reg. $2,199)

14-inch M5 MacBook Pro 32GB/1TB $1,944 (Now Reg. $2,399)

M5 Pro MacBook Pro

14-inch M5 Pro MacBook Pro 24GB/1TB $2,034 (Now Reg. $2,499)

Or $2,000 over at B&H with bonus $40 coupon

14-inch M5 Pro MacBook Pro 24GB/2TB 15-Core $2,399 (Now Reg. $2,899)

14-inch M5 Pro MacBook Pro 24GB/2TB 18-Core $2,583 (Reg. $2,799)

16-inch M5 Pro MacBook Pro 24GB/1TB $2,494 (Now Reg. $2,999)

16-inch M5 Pro MacBook Pro 48GB/1TB $2,857 (Now Reg. $3,399)

14-inch M5 Max MacBook Pro 36GB/2TB $3,300 (Now Reg. $4,099)

16-inch M5 Max MacBook Pro 36GB/2TB $3,649 (Now Reg. $4,399)

16-inch M5 Max MacBook Pro 48GB/2TB $4,149 (Now Reg. $4,999)

M4 iPad Air

11-inch M4 iPad Air 128GB $519 (Now Reg. $749) – Matching all-time low

11-inch M4 iPad Air 256GB $610 (Now Reg. $849) – Matching all-time low

11-inch M4 iPad Air 512GB $839 (Now Reg. $1,049)

11-inch M4 iPad Air 1TB $1,019 (Now Reg. $1,249)

13-inch M4 iPad Air 128GB $700 (Now Reg. $949) – Matching all-time low

13-inch M4 iPad Air 256GB $790 (Now Reg. $1,049) – Matching all-time low

13-inch M4 iPad Air 512GB $999 (Now Reg. $1,249)

13-inch M4 iPad Air 1TB $1,199 (Now Reg. $1,449)

iPad 11

iPad 11 128GB $299 (Now Reg. $449)

iPad 11 256GB $399 (Now Reg. $549)

iPad 11 256GB $597 (Now Reg. $749)


LastPass notifies users of yet another data breach

9to5mac.com

LastPass users are once again be­ing warned about stolen per­sonal data, though this time the breach hap­pened through one of the com­pa­ny’s out­side part­ners. Here are the de­tails.

LastPass says pass­word vaults not af­fected

As re­ported by TechCrunch, LastPass is email­ing users af­fected by a breach at mar­ket re­search firm Klue, which al­lowed hack­ers to ac­cess cus­tomer in­for­ma­tion and sup­port case data.

The news came as LastPass shared more in­for­ma­tion on a blog post, where it ex­plained:

The in­for­ma­tion ac­cessed was lim­ited to stan­dard busi­ness con­tact in­for­ma­tion and re­lated cus­tomer re­la­tion­ship man­age­ment (CRM) data, in­clud­ing cus­tomer names, phone num­bers, email ad­dresses, and phys­i­cal ad­dresses, as well as sup­port case data and sales-re­lated data.


LastPass said that upon learn­ing about the in­ci­dent, the com­pany re­voked em­ployee ac­cess to Klue, ro­tated the ex­posed API to­kens, no­ti­fied law en­force­ment, and launched a de­tailed in­ves­ti­ga­tion into the scope of the event, work­ing with our con­tacts at both Klue and Salesforce.”

The com­pany ex­plains that Klue’s plat­form in­te­grates with Salesforce and Gong sys­tems.

As a result, LastPass is recommending that customers “remain vigilant of potential phishing attacks or social engineering attempts” leveraging the compromised information. LastPass also shared the following IP addresses and email sender domains associated with the attackers, which companies can use to search for related activity in their systems:

IP Addresses:

138.226.246[.]94

94.154.32[.]160

159.183.215[.]61

159.183.181[.]239

Email Sender Domains:

baccarat.com[.]au

robinskitchen.com[.]au

house.com[.]au
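
One way to run the search LastPass suggests, as an added example that is not part of the article or of LastPass's advisory: the script refangs the published indicators and checks log lines against them, comparing IPs exactly and domains by label suffix so that look-alikes such as `warehouse.com.au` do not fire. The log lines, field names and function names are constructed for illustration.

```python
import ipaddress
import re

# Indicators as published in the article above, still defanged.
DEFANGED_IPS = [
    "138.226.246[.]94",
    "94.154.32[.]160",
    "159.183.215[.]61",
    "159.183.181[.]239",
]
DEFANGED_DOMAINS = [
    "baccarat.com[.]au",
    "robinskitchen.com[.]au",
    "house.com[.]au",
]


def refang(indicator):
    """Turn a defanged indicator (138.226.246[.]94) back into its literal form."""
    return indicator.strip().lower().replace("[.]", ".")


IOC_IPS = {ipaddress.ip_address(refang(v)) for v in DEFANGED_IPS}
IOC_DOMAINS = {refang(v) for v in DEFANGED_DOMAINS}

# A full dotted quad that is not part of a longer number or address.
IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")
# A whole hostname, so that matching is done on complete names, not substrings.
HOST_RE = re.compile(
    r"(?<![a-z0-9.-])(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}(?![a-z0-9-])",
    re.IGNORECASE,
)


def match_domain(host):
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in sorted(IOC_DOMAINS):
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(lines):
    """Return (line number, kind, indicator, observed value) for every hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # e.g. 999.1.1.1 or octets with leading zeros
                continue
            if addr in IOC_IPS:
                hits.append((lineno, "ip", str(addr), token))
        for token in HOST_RE.findall(line):
            ioc = match_domain(token)
            if ioc:
                hits.append((lineno, "domain", ioc, token.lower()))
    return hits


# Constructed sample log lines (firewall, mail gateway, web proxy); not real data.
SAMPLE_LOG = """\
2026-06-20T09:14:02Z fw action=allow src=10.0.4.17 dst=138.226.246.94 dport=443
2026-06-20T09:15:40Z fw action=allow src=10.0.4.17 dst=138.226.246.194 dport=443
2026-06-20T10:02:11Z mail from=<billing@mail.house.com.au> to=<it@corp.example> subject="Invoice"
2026-06-20T10:05:37Z mail from=<sales@warehouse.com.au> to=<it@corp.example> subject="Quote"
2026-06-20T10:09:54Z proxy user=jdoe url=https://house.com.au.login.example/reset
2026-06-20T11:30:00Z mail from=<news@robinskitchen.com.au> to=<hr@corp.example> subject="Hello"
""".splitlines()

if __name__ == "__main__":
    for lineno, kind, ioc, seen in scan(SAMPLE_LOG):
        print(f"line {lineno}: {kind} indicator {ioc} (observed {seen})")
```

Lines 2, 4 and 5 of the sample are the near misses a plain substring search would flag: a different address sharing a prefix, a domain that merely ends in the same letters, and a hostname that only starts with the indicator.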


This is the lat­est in a se­ries of se­cu­rity in­ci­dents af­fect­ing LastPass. In 2015, hack­ers ob­tained ac­count email ad­dresses, pass­word re­minders, au­then­ti­ca­tion hashes, and cryp­to­graphic salts, al­though LastPass said en­crypted vault data was not ac­cessed.

In 2022, an at­tacker com­pro­mised a de­vel­oper ac­count and stole source code and tech­ni­cal in­for­ma­tion. The at­tacker later used that in­for­ma­tion to ac­cess cloud back­ups con­tain­ing cus­tomer records and en­crypted pass­word vaults, along with un­en­crypted de­tails such as names, billing ad­dresses, email ad­dresses, and phone num­bers⁠.

To learn more about the Klue breach and LastPass’s re­sponse, fol­low this link.


Blogging Can Just Be Stating The Obvious

blog.jim-nielsen.com

John Gruber writes about those an­noy­ing pop­ups every web­site seems to have now and while he does a great job tear­ing into these ubiq­ui­tous, user-hos­tile pat­terns, one of the things that stood out to me about his piece was this meta com­men­tary on blog­ging. Here’s John:

If you visit a website you should … see the website. See its content. Be able to read the article whose page you are attempting to visit. Showing a “subscribe to our newsletter” or “accept our fucking cookies” dickover to someone trying to read an article on the web makes no more sense than sending out an email newsletter that only contains a link to read the newsletter on a webpage. A webpage should show the webpage. An email should show the email. I should not have to explain this.

It’s funny how of­ten blog­ging feels like be­ing the lit­tle child in the story of The Emperor’s New Clothes. You’re just stat­ing what seems ob­vi­ous to you.

I often look at my own posts and think, “There’s nothing novel, or important, or deep in here at all — is this even worth saying?”

A post’s point can seem so glar­ingly ob­vi­ous to me (and thus, I pre­sume, oth­ers) it feels like a waste of time to even say it. As John says:

A web­page should show the web­page. An email should show the email. I should not have to ex­plain this.


But then real-world ex­am­ples of an­noy­ance pile up around you and no­body talks about it, so you fi­nally just have to say it in a post and bring re­ceipts.

You feel like someone gone mad: “Is anyone else seeing the same thing I’m seeing? And we’re just ok with this?”

Very of­ten, those are the best posts I read from oth­ers.

So it must be that a key in­gre­di­ent to blog­ging is sim­ple: have a will­ing­ness to state some­thing that seems ob­vi­ous to you but no­body else is say­ing it.

Or if someone else is saying it, just link to them and say, “Yes!!! This!!!”

Unlocking the Cloudflare app ecosystem with OAuth for all

blog.cloudflare.com

2026-06-24

Cloudflare pro­vides ser­vices that help run 20% of the web, but we don’t do it alone. Developers on our plat­form use a myr­iad of tools and ser­vices from other com­pa­nies too. Cloudflare pro­vides a rich API for our plat­form that en­ables de­vel­op­ers to cre­ate au­toma­tions, CI/CD, and in­te­gra­tions that glue to­gether the var­i­ous parts of their in­fra­struc­ture. Earlier this month, we an­nounced self-man­aged OAuth, mak­ing it eas­ier for cus­tomers to cre­ate and man­age their own OAuth clients for del­e­gated ac­cess to the Cloudflare API.

Cloudflare is­n’t new to OAuth. If you’ve used Wrangler, or used in­te­gra­tions from part­ners like PlanetScale, then you’ve al­ready used it. However, un­til now, third-party OAuth was only avail­able through a small num­ber of man­u­ally on­boarded in­te­gra­tions, and was not avail­able to de­vel­op­ers more broadly. That meant de­vel­op­ers build­ing their own in­te­gra­tions had to rely on API to­kens, which are harder to man­age and a poor fit for many del­e­gated ap­pli­ca­tion flows.

Over the last year, we on­boarded a grow­ing num­ber of early part­ners while im­prov­ing the con­sent, re­vo­ca­tion, and se­cu­rity model be­hind Cloudflare OAuth. But as our Developer Platform grew and agen­tic tools drove de­mand for del­e­gated ac­cess, it be­came clear that open­ing up OAuth to all cus­tomers was crit­i­cal to the suc­cess of our plat­form.

With self-man­aged OAuth, de­vel­op­ers can now of­fer a stan­dard OAuth flow where cus­tomers grant scoped ac­cess di­rectly, mak­ing it eas­ier to build SaaS in­te­gra­tions, in­ter­nal de­vel­oper plat­forms, and agen­tic tools while giv­ing users clearer con­sent, eas­ier re­vo­ca­tion, and more con­trol over what an ap­pli­ca­tion can do.

Scaling the ecosys­tem se­curely

While our ear­lier OAuth so­lu­tion was suf­fi­cient for a small num­ber of care­fully man­aged part­ners, we re­al­ized that our per­mis­sions model, our con­sent ex­pe­ri­ence, and our ways of mit­i­gat­ing po­ten­tial abuse vec­tors were not ma­ture enough.

Earlier this year we up­dated our con­sent ex­pe­ri­ence to make it clearer which ap­pli­ca­tion is re­quest­ing ac­cess, and what per­mis­sions it will re­ceive. We also added re­vo­ca­tion to the dash­board so de­vel­op­ers can eas­ily con­trol which ap­pli­ca­tions have ac­cess to their data, and made app own­er­ship more vis­i­ble to pre­vent OAuth phish­ing at­tacks.

Opening self-man­aged OAuth to all cus­tomers also re­quired ma­jor up­grades to our un­der­ly­ing OAuth en­gine. This process re­quired a large amount of plan­ning to do with min­i­mal user in­ter­rup­tion, while also en­sur­ing data sta­bil­ity and se­cu­rity.

Planning the up­grade to our OAuth en­gine

Years ago, we de­ployed Hydra, an open-source OAuth en­gine, to power Cloudflare OAuth un­der the hood. That de­ploy­ment served us well when us­age was lim­ited, but as the de­vel­oper plat­form grew and agen­tic work­flows be­came more com­mon, it be­came clear that we needed a ma­jor up­grade to un­lock new ca­pa­bil­i­ties and im­prove per­for­mance.

As we planned the upgrade, we decided to do two smaller sequential upgrades rather than doing one large upgrade. First, we would move to the latest 1.X release, evaluate any behavior or performance changes, and then proceed with the 2.X upgrade.

During our up­grade plan­ning, it be­came clear that even the 1.X up­grade would still im­pact cus­tomers be­cause the Hydra data­base re­quired ex­ten­sive schema mi­gra­tions that:

Created in­dexes in a man­ner that would claim an ex­clu­sive lock on crit­i­cal ta­bles, pre­vent­ing ac­tive users from per­form­ing im­por­tant OAuth op­er­a­tions

Added columns to crit­i­cal ta­bles, and moved other columns to new ta­bles

There was also a quirk in the ver­sion of Hydra we were us­ing in which the SDK would per­form SELECT * op­er­a­tions, caus­ing de­se­ri­al­iza­tion is­sues with the schema changes.

To pre­vent user im­pact, we rewrote the SQL mi­gra­tions to use fea­tures such as CREATE INDEX CONCURRENTLY, and built a cus­tom ver­sion of Hydra which se­lected ex­plicit columns rather than SELECT *.

With the lat­est 1.X up­grade planned out, we now needed to cre­ate a plan for the even larger 2.X up­grade. We iden­ti­fied three po­ten­tial op­tions, and weighed the ben­e­fits and draw­backs of each one. Doing an in-place up­grade was not go­ing to work for us, due to the sheer amount of schema changes the ma­jor ver­sion bump brought with it. We de­cided that a blue-green strat­egy would work, but there was more that needed to be done than sim­ply flip­ping a switch to start us­ing the new ver­sion. The up­grade and mi­gra­tion process would take mul­ti­ple hours, and we needed the sys­tem to con­tinue func­tion­ing cor­rectly in that time win­dow.

The first blue-green option would involve disabling writes to the database, preventing any new authorizations from occurring. This meant they would not be lost in the transition, but it also meant that nobody would be able to use existing OAuth apps unless they already had a valid credential. It also presented another large problem: if users needed to revoke access from an application for any reason, it would not be possible while the upgrade was being performed.

To com­bat these is­sues, we came up with a way to leave writes to the data­base en­abled, at the cost of los­ing some of them in the switch to the green ver­sion. The first thing to solve was min­i­miz­ing the num­ber of writes for new to­kens. There was an op­er­a­tional lever we pulled: in­creas­ing the ex­piry time of to­kens to mul­ti­ple hours. This would al­low apps that re­ceived new to­kens be­fore the up­grade to con­tinue us­ing them with­out need­ing to re­fresh.

With re­duc­ing writes solved, we needed to come up with a way to not lose any re­vo­ca­tions our users per­formed dur­ing the up­grade win­dow. To do this, we cre­ated a queue sys­tem (using Cloudflare Queues!) which, af­ter a re­vo­ca­tion event, would have a record writ­ten into the queue with in­for­ma­tion about that re­vo­ca­tion. This would al­low us to drain the queue with the data­base flipped to the green ver­sion, re­play­ing all re­vo­ca­tion events that took place in the time win­dow in which they would have been lost. This was crit­i­cal to get right, oth­er­wise ap­pli­ca­tions that users had re­voked would in­ad­ver­tently have their ac­cess re­stored.
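The capture-and-replay approach described above, as an added example that is not Cloudflare's code: in-memory Maps stand in for the blue and green databases and an array for the queue, and every grant id, app name and function name is constructed for illustration. It also covers two cases the paragraph implies, an event delivered twice and a revocation of a grant that green never received.

```javascript
// Constructed model: each "database" is a Map of grantId -> { app, revoked }.
const snapshot = (db) => new Map([...db].map(([id, g]) => [id, { ...g }]));

// Revoke on the live (blue) database and record the event for later replay.
function revoke(blue, queue, grantId) {
  const grant = blue.get(grantId);
  if (!grant || grant.revoked) return false;
  grant.revoked = true;
  queue.push({ type: "revocation", grantId });
  return true;
}

// Drain the queue against green. Replay is idempotent (a redelivered event is
// harmless), and an event for a grant written after the snapshot, which green
// never received, is counted rather than treated as a failure.
function drain(queue, green) {
  const stats = { applied: 0, alreadyRevoked: 0, missing: 0 };
  for (const { grantId } of queue.splice(0)) {
    const grant = green.get(grantId);
    if (!grant) stats.missing++;
    else if (grant.revoked) stats.alreadyRevoked++;
    else { grant.revoked = true; stats.applied++; }
  }
  return stats;
}

// Post-cutover check: grants revoked on blue but still active on green.
function restoredAccess(blue, green) {
  return [...blue]
    .filter(([id, g]) => g.revoked && green.get(id)?.revoked === false)
    .map(([id]) => id);
}

function runCutover() {
  const blue = new Map([
    ["g1", { app: "ci-bot", revoked: false }],
    ["g2", { app: "dashboards", revoked: false }],
    ["g3", { app: "old-tool", revoked: true }],
  ]);
  const queue = [];
  const green = snapshot(blue);                        // copy taken as migrations start
  revoke(blue, queue, "g1");                           // user revokes during the window
  blue.set("g4", { app: "new-app", revoked: false });  // write that green never sees
  revoke(blue, queue, "g4");
  const before = restoredAccess(blue, green);          // what cutover alone would restore
  const stats = drain(queue, green);
  return { before, stats, after: restoredAccess(blue, green) };
}
```

Running `restoredAccess` after the drain is the validation step: any id it returns is an application whose access came back despite the user's revocation.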

Executing the up­grade

Upgrading to 1.X

From an op­er­a­tional point of view, our first up­grade to the last 1.X re­lease went off with­out any hitches. Our cus­tom data­base mi­gra­tions ran faster than we ex­pected, with no user im­pact. We had to do a hard cu­tover to the new ver­sion be­cause the old ver­sion was un­able to in­tro­spect to­kens that were cre­ated by the newer ver­sion.

After the cu­tover, we saw an in­crease in re­fresh to­ken er­rors that we had not seen be­fore. This ended up be­ing due to stricter re­fresh in­val­i­da­tion be­hav­iors in the new ver­sion; if a re­fresh to­ken was reused, Hydra would in­val­i­date the whole ac­cess and re­fresh to­ken chain. This is prob­lem­atic for Wrangler and MCP clients. These clients both have a high re­quest vol­ume, and a sin­gle reused re­fresh to­ken would in­val­i­date the en­tire ses­sion.

We mitigated this by adding refresh token coalescing behavior to our Worker which routes OAuth traffic to the correct destination. This allowed us to briefly cache the refresh token request before it reached Hydra, so that if we detected a retry we could short-circuit the request and respond without invalidating the tokens. Fortunately, 2.X versions of Hydra have a configurable “refresh token grace period”, which resolves this by allowing a refresh token to be retried for a period of time without invalidating the whole chain.
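Refresh token coalescing as described above, shown as an added example rather than Cloudflare's Worker code: `FakeAuthServer` is a constructed stand-in for a server with rotation and reuse detection, and `RefreshCoalescer`, the client id and the 5-second window are assumptions made for illustration.

```javascript
// Constructed stand-in for an authorization server with refresh token rotation
// and reuse detection: presenting a used token revokes the whole chain.
class FakeAuthServer {
  constructor() { this.live = new Map(); this.used = new Map(); this.n = 0; }
  issue(chain) {
    const token = `rt-${chain}-${++this.n}`;
    this.live.set(token, chain);
    return token;
  }
  refresh(token) {
    if (this.used.has(token)) {             // reuse: drop every live token in the chain
      const chain = this.used.get(token);
      for (const [t, c] of this.live) if (c === chain) this.live.delete(t);
      return { status: 400, error: "invalid_grant" };
    }
    const chain = this.live.get(token);
    if (chain === undefined) return { status: 400, error: "invalid_grant" };
    this.live.delete(token);
    this.used.set(token, chain);
    return { status: 200, refresh_token: this.issue(chain) };
  }
}

// Sits in front of the server. The first request for a (client, token) pair is
// forwarded; repeats inside the window get the stored result and never reach
// the server. If `upstream` returns a Promise, concurrent callers share it.
class RefreshCoalescer {
  constructor(upstream, windowMs) { Object.assign(this, { upstream, windowMs, cache: new Map() }); }
  refresh(clientId, token, now = Date.now()) {
    for (const [k, e] of this.cache) if (e.expires <= now) this.cache.delete(k);
    const key = `${clientId}\u0000${token}`; // a retry only matches for the same client
    if (this.cache.has(key)) return this.cache.get(key).result;
    const result = this.upstream(token);
    this.cache.set(key, { result, expires: now + this.windowMs });
    return result;
  }
}

// Refresh once, retry with the same token, then check the newest token still works.
function sessionSurvivesRetry(useCoalescer) {
  const server = new FakeAuthServer();
  const first = server.issue("session-A");
  const direct = (t) => server.refresh(t);
  const front = useCoalescer ? new RefreshCoalescer(direct, 5000) : null;
  const call = (t, now) => (front ? front.refresh("client-1", t, now) : direct(t));
  const newest = call(first, 1000).refresh_token;
  call(first, 1200);                         // the retry
  return server.refresh(newest).status === 200;
}
```

Inside the window a replayed refresh token is answered from the cache instead of tripping reuse detection, so the window should stay as short as client retry behaviour allows.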

Upgrading to 2.X

Since mul­ti­ple hours of high user-fac­ing im­pact would not be ac­cept­able, we had our blue-green up­grade strat­egy set. At a high level, this sounds sim­ple; the mi­gra­tions would run on a copy of our pro­duc­tion data­base, and then cut over along with the new Hydra ver­sion af­ter they com­plete. In re­al­ity, there were a lot more mov­ing parts:

Enable re­vo­ca­tion re­play cap­ture queue

Copy and re­store our data­base to the new tar­get

Targeted data cleanup — ex­ist­ing data vi­o­lated some new con­straints in­tro­duced in the newer ver­sions, which could pre­vent mi­gra­tions from suc­ceed­ing

Perform cu­tovers on the Hydra ser­vice along with two ad­di­tional crit­i­cal in­ter­nal sys­tems si­mul­ta­ne­ously to pre­vent any er­rors

Post-cutover mon­i­tor­ing and val­i­da­tion

We chose an up­grade win­dow when Hydra had the low­est re­quest vol­ume per sec­ond to min­i­mize lost to­ken writes. Other than some time­out tun­ing, our pro­duc­tion mi­gra­tions ran well against the new data­base: the net run­time in pro­duc­tion was ap­prox­i­mately three hours. After the mi­gra­tions com­pleted, we care­fully rolled out the new ver­sion of the Hydra ser­vice, along with two ad­di­tional sys­tem con­figs to flip our sys­tems to use the new SDK ver­sion.

Shortly af­ter cut­ting traf­fic over, we ob­served that a data cleanup job in our au­tho­riza­tion ser­vice (which re­lies on the Hydra con­sent ses­sion API) was be­ing overea­ger in its purg­ing of OAuth pol­icy data. After in­ves­ti­ga­tion, we dis­cov­ered that there was an is­sue in one of the Hydra mi­gra­tions that cor­rupted the state of cer­tain valid OAuth ses­sions, which re­sulted in the mi­gra­tion mark­ing them as in­valid. The valid ses­sions be­ing cor­rupted caused a dis­agree­ment be­tween Hydra and our au­tho­riza­tion ser­vice, man­i­fest­ing as an in­crease in 403s. To mit­i­gate this, we did data restora­tions and be­gan work on im­prove­ments for OAuth au­tho­riza­tion be­hav­iors to re­move re­liance on sta­tic pol­icy data.

Beyond the data cleanup issue, we quickly landed a few small additional fixes driven by specific client behaviors.

With the Hydra ver­sion up­grade com­plete, OAuth traf­fic has re­mained sta­ble with im­proved sys­tem per­for­mance and re­li­a­bil­ity for our cus­tomers. It also brought pro­duc­tion onto the same foun­da­tion our newer OAuth APIs had al­ready been val­i­dated against in stag­ing, clear­ing the way for our self-man­aged OAuth re­lease on June 3.

Performance im­prove­ments

After com­plet­ing a large up­grade like this, it is al­ways re­ward­ing and il­lu­mi­nat­ing to look at some broad met­rics about the im­pact. We gath­ered ad­di­tional met­rics dur­ing the data­base mi­gra­tions, and ob­served con­sid­er­able per­for­mance im­prove­ments af­ter the up­grade was com­plete.

[Charts not preserved: Database; Hydra performance]

Self-managed OAuth for all

Opening up OAuth to all cus­tomers is an im­por­tant step to­ward a broader Cloudflare app ecosys­tem. Today, any Cloudflare cus­tomer can cre­ate their own OAuth ap­pli­ca­tions and build in­te­gra­tions on top of Cloudflare. We’re ex­tremely ex­cited to launch Cloudflare self-man­aged OAuth for all.

To get started, take a look at our doc­u­men­ta­tion or jump straight to the OAuth apps page in the dash­board and cre­ate your first OAuth app.
