Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.Category: Vulnerabilities & Threats

This week, we launched the Field Guide to Grid Lanes at gridlanes.webkit.org.

はじめに はじめまして。東京電機大学大学院修士1年の佐藤聖璃です。 2026年4月の1ヶ月間、株式会 ...

はじめに：生成AIの登場とQAに投げかけられた問い生成AIが登場した際、多くの職種に対して似たような疑問が投げかけられました。「この仕事はAIに代替されるのか？」「反復的な業務は自動化されるのではない...

<p><strong><a href="https://jonready.com/blog/posts/claude-fable5-is-allowed-to-sabotage-your-app-if-youre-a-competitor.html">If Claude Fable stops helping you, you'll never know</a></strong></p>Jonathon Ready highlights one of the more eyebrow-raising details from the <a href="https://www-cdn.anthropic.com/d00db56fa754a1b115b6dd7cb2e3c342ee809620.pdf">319 page system card</a> for Fable 5 and Mythos 5. Here's a longer excerpt, highlights ...

<p>I didn't have early access to today's <a href="https://www.anthropic.com/news/claude-fable-5-mythos-5">Claude Fable 5</a> release, but I've spent the past ~5.5 hours putting it through its paces. My initial impressions are that this is something of a <em>beast</em>. It's slow, expensive and has been quite happily churning through everything I've thrown at it so far. As is frequently the case with current frontier models the challenge is finding tasks that it can...

こんにちは。サイバーエージェントの佐藤です。 先日開催された CA DATA NIGH ...

はじめに LegalOn Technologiesでは、2027年卒からソフトウェアエンジニア（SWE）の新卒採用を本格的にスタートします。 以前公開した「初めての新卒SWEインターンはどう始まったか。プロジェクトメンバーで振り返る」では、新卒採用本格スタートに向けた長期インターンシップの、設計から選考、受入れまでの裏側をお届けしました。今回はその続編として、実際にインターン生を受け入れた各チームのメンターに話を聞きました。 どんなタスクを任せたのか、どんな成長を期待したのか、そしてメンター自身がどんな学びを得たのか。初めてのSWEインターンを現場視点で振り返ります。 今回話を聞いたのは以下の…

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm/releases/tag/0.32a3">llm 0.32a3</a></p> <p>Almost entirely written by the new Claude Fable 5, see <a href="https://simonwillison.net/2026/Jun/9/claude-fable-5/#adding-features-to-datasette-agent-and-llm-using-claude-code">my write-up for more details</a>.</p> <p>Tags: <a href="https://simonwillison.net/tags/projects">projects</a>, <a href="https://...

<p><strong>TIL:</strong> <a href="https://til.simonwillison.net/llms/agentsview-custom-model-price">Setting a custom price for a model in AgentsView</a></p> <p>I've been really enjoying <a href="https://agentsview.io/">AgentsView</a> by Wes McKinney as a tool for exploring my token usage across different coding agents running on my laptop.</p><p>Claude Fable 5 came out today and wasn't yet included in the pricing database AgentsV...

npm confirmed a tooling bug incorrectly marked several one-character packages as security holders and said it was working on a rollback.

StepSecurity's new Threat Center API returns the compromised packages for any supply chain incident, so you can automate response and confirm exposure fast.

An attacker hijacked a co-founder's GitHub account for gpt-pilot, a 33K-star AI coding tool, and force-pushed a credential-stealing Shai-Hulud payload to the main branch. The ruff Python linter caught formatting and lint violations in the malicious code and blocked the CI build -- twice. The attacker gave up.

On June 8, 2026, multiple Graph ML PyPI packages in the bioinformatics ecosystem were compromised in the Hades campaign, deploying cross-platform memory scrapers, AI prompt injections to misdirect scanners, and a token-revocation wiper.

On June 5, 2026, the Miasma worm campaign reached Microsoft's Azure GitHub organizations. GitHub disabled 73 repositories across four Microsoft GitHub organizations after a malicious commit was pushed to the Azure/durabletask repository using a previously compromised contributor account. The attack planted configuration files that execute a credential-harvesting payload when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code.

Three malicious versions of Microsoft's official durabletask Python SDK were published to PyPI on May 19, 2026. The compromised package silently downloads and executes a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale, a hallmark of Eastern European cybercrime operations. The attack has been linked to the TeamPC

<blockquote cite="https://twitter.com/karpathy/status/2064409694761054332"><p>I feel a lot of things changing as working software increasingly comes out on a tap. The Jevon's paradox kicks in and I feel my own demand for software growing substantially. You can ask for anything - explainers, visualizers, dashboards, bespoke single-use apps (e.g. a full wandb that is hyper-specific just for your project), you can 10X your test suite, auto-optimize code, run giant research projects wit...

MapKit JS allows you to bring the power and simplicity of Apple Maps to your website or web app.

Custom agents let GitHub Copilot CLI understand your stack and team workflows, turning one-off terminal prompts into repeatable, reviewable processes.The post From one-off prompts to workflows: How to use custom agents in GitHub Copilot CLI appeared first on The GitHub Blog.

Deep dive into binding.gyp, the often overlooked npm build file that can execute malicious code at install time through shell expansions, sandbox escapes, and compiler hijacking.Category: Vulnerabilities & Threats

CA DATA NIGHTは、サイバーエージェントが主催するデータサイエンスに特化した技術者向けの勉 ...

Claude Fable 5 from Anthropic is now available on . A Mythos-class model, Fable 5 is a notable step up over prior Claude models on long-running, ambiguous, multi-step tasks, executing end-to-end on work that previously required frequent human check-ins.AI GatewayThe model sustains productive output across multi-day runs and dependably dispatches parallel sub-agents, and lower effort settings often match what prior Claude models produced at their highest effort. Code review, bug-finding, and repo

In our post about Project Glasswing, we made the argument that the architecture around a vulnerability matters more than the speed of the patch. Here we walk through what that architecture looks like, the threats it defends against, and how we run it ourselves as Cloudflare's customer zero.

newmoではフロントエンドとバックエンドの通信をGraphQLで行っています。GraphQLのスキーマは、フロントエンドとバックエンドが合意した唯一の正しい定義、いわば「正となる単一の情報源(Single Source of Truth)」です。このスキーマを正として、開発と自動テストの両方をここから組み立てたい。その基盤として@newmo/graphql-fake-serverを自作してOSSとして公開しています。 このライブラリは、スキーマを正としたまま、2つの使い方を1つのサーバで両立します。1つはスキーマに@example* directiveを書くだけで値が返るDeclarativ…

A designer and an engineer shipped a production MVP in four weeks on Rails + Inertia. In this post, we share our agentic coding stack, the skills we built, and why it clicked.

Node-RED 5.0 is now available to install. If upgrading, please read the upgrade instructions.

What you're actually signing up for when a customer's IdP doesn't speak SCIM.

Everything you need to know to implement and validate JWTs securely in .NET: from token creation and JWKS verification to ASP.NET Core middleware integration, with code examples and best practices throughout.

Prompt injection ends when the session closes. Memory poisoning persists across sessions, activates weeks later, and is nearly invisible to detect.

AI costs are getting harder to forecast. As teams lean more on coding agents and other token-heavy workflows, a key can burn cost faster than anyone notices:Set a spend cap on any key, and rejects further requests on that key once the limit is exceeded, until the budget resets or you raise it. The cap applies to all AI Gateway providers and models running through the key, making it easier to consolidate and govern AI costs.AI GatewayOn the , click , enable the option, enter a limit in dollars, a

You can now use the Vercel CLI to search domains. Using the command, you can supply a domain name and retrieve availability and price results for all TLDs that Vercel supports. vercel domains searchYou can also filter by TLD, apply sorting, and filter out unavailable domains.Upgrade your Vercel CLI to version to get started.54.10.1Read more

<p>Given how badly burned anyone who took Apple's <a href="https://simonwillison.net/2024/Jun/10/apple-intelligence/">2024 WWDC Apple Intelligence announcements</a> at face value was, I'm holding to a strict "I'll believe it when I see it" policy for everything <a href="https://www.apple.com/newsroom/2026/06/apple-unveils-next-generation-of-apple-intelligence-siri-ai-and-more/">they announced today</a>. </p><p>The new Siri AI features do at least look f...

こんにちは！AI事業本部/協業リテールメディアにてPdMをしております三浦です。 先日、CyberA ...

Safari Technology Preview Release 245 is now available for download for macOS Tahoe and macOS Sequoia.

Welcome to WWDC26.

Safari 27 beta is here.

Newer packages in this compromise use native extensions and .pth loaders to execute JavaScript stealers in developer environments.

Find the answers to some of the most common GitHub-related questions.The post GitHub for Beginners: Answers to some common questions appeared first on The GitHub Blog.

NGINX Ingress Controller 5.5 brings full support for mTLS in Ingress objects! This blog post gives a more in-depth overview of our GitHub deployment examples and shows how to configure both our new ingress and egress mTLS Policy CRDs in NGINX Ingress Controller using annotations. Ingress mTLS Ingress mTLS configures how NGINX verifies client certificates […]

I've said one and mean another, and I've used one when I needed another. Comparing scroll-driven animations, scroll-triggered animations, container query scroll states, and view transitions for my future self.Scroll-Driven, Scroll-Triggered, Scroll States, and View Transitions originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Cloudflare customers can now use Cloudforce One threat intelligence directly within the WAF to block high-risk traffic. By using new cf.intel fields, security teams can automate protection against specific threat actors and targeted industries in real time.

My Take on AI as of June 2026. Most people say AI kills the creativity and the fun in building. I want to offer the other side: managing agents feels a lot like the tech lead job I already loved.

Every month, routes tens of trillions of tokens between production applications and AI labs, giving us visibility into what AI usage actually looks like, separate from leaderboards and benchmarks. We publish the data monthly in the AI Gateway production index. AI GatewayLast month, headlines about blown token budgets dominated tech news: its annual Claude Code budget shortly after Q1 and Amazon to curb unproductive tokenmaxxing. While runaway cost is a real problem, this month’s report shows tha

大規模なネイティブアプリの開発では、新しい技術を知っているだけでは足りません。難しいのは、それを歴史ある現場へどう適用するかです。ユーザー影響の大きいプロダクトでは、素早く価値を届ける「アジリティ（速...

WASI P3 is almost here, bringing native async support to the WebAssembly System Interface (WASI) and Component Model. In this post, we’re looking to the next big milestone: a stable, formally specified Component Model 1.0. At February’s Bytecode Alliance Plumbers Summit, Luke Wagner and Alex Crichton gave a preview of what the path to a stable 1.0 actually looks like. At Wasm I/O 2026 in Barcelona in March, Luke expanded on that vision. So let’s take a look at where the Component Model is headin

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-agent-edit/releases/tag/0.1a0">datasette-agent-edit 0.1a0</a></p> <p>I'm planning several plugins for <a href="https://agent.datasette.io/">Datasette Agent</a> which can make edits to existing pieces of text - things like collaborative Markdown editing, updating large SQL queries, and editing SVG files.</p><p>Agentic editing of text is a little tricky to...

カミナシエンジニアの osuzu です。 「状態管理にどのライブラリを使うか」への違和感 Reactの状態管理の話になると、だいたいライブラリの比較から始まります。少し前なら Redux か Zustand か Jotai か、最近だと TanStack Query と React Hook Form を組み合わせれば残りはわずか、みたいな話が多い印象です。 ただ、読んでいてどこか議論がかみ合わない感じがずっとありました。 理由はたぶんシンプルで、その問いは手前にすべきモデリングを飛ばしているからだと考えてます。 ライブラリ起点・コンポーネント起点はなぜこじれるのか フロントの状態管理でやりが…

AI もすなるコードレビューといふものを、人間もしてみむとてするなり。 — AI 紀貫之 AI がコードを書くようにはなっても基本的には人間がレビューする生活を続けているので, いま何を考えてどうしているかをスナップショットとして書いておきます. 仕事 メンタルモデルとして AI コーディングエージェントを単なる道具としてみなしていた時代は, 人間(A): タスクに着手, コーディングを AI に指示, 検収 AI: 人間(A)の代わりにコードを書く 人間(B): 人間(A)が書いたコードとしてレビューする というような構造だったんですが, これは人間(A)の検収と人間(B)のレビューが実質的…

Socket found 37 malicious PyPI wheels that abuse Python startup hooks to launch a Bun-powered credential stealer tied to Mini Shai-Hulud/Miasma.

AI SAST is emerging as a new SAST category, but the meaning is unclear. We clarify the difference between AI-native SAST and AI-assisted SAST, as well as how AI SAST sits in the stack between traditional SAST and AI pentesting.Category: DevSec Tools & Comparisons

<p><strong>Release:</strong> <a href="https://github.com/simonw/micropython-wasm/releases/tag/0.1a2">micropython-wasm 0.1a2</a></p> <p>I added a CLI to <code>micropython-wasm</code> (<a href="https://github.com/simonw/micropython-wasm/issues/7">issue #7</a>), inspired by the first draft of <a href="https://simonwillison.net/2026/Jun/6/micropython-in-a-sandbox/">the blog entry</a> when I realized it would be a great wa...

<p>I've been experimenting with different approaches to running code in a sandbox for several years now, but my latest attempt feels like it might finally have all of the characteristics I've been looking for. I've released it as an alpha package called <a href="https://github.com/simonw/micropython-wasm">micropython-wasm</a>, and I'm using it for a code execution sandbox plugin for <a href="https://github.com/datasette/datasette-agent">Datasette Agent</a> called &...

Vitest の `isolate: false` オプションを有効にすることで、テストの実行時間を大幅に短縮できましたが、その際に大規模なコードの修正が必要でした。Claude Code の `/goal` コマンドを活用することで、最終的なゴールを達成するために必要なステップを自律的に判断して実行させることができます。この記事ではその経験について紹介します。

AI increases engineering speed, but it also increases the cost of poor context. The best teams will not be the ones that generate the most code; they will be the ones that preserve enough understanding to review, operate, and own what they ship. Context stewardship is what keeps AI-assisted work from accelerating away from human judgment.

Every time I bet on myself instead of taking a paycheck, and what each one taught me.

<p><strong><a href="https://help.openai.com/en/articles/20001061-lockdown-mode">OpenAI Help: Lockdown Mode</a></strong></p>OpenAI first teased this <a href="https://openai.com/index/introducing-lockdown-mode-and-elevated-risk-labels-in-chatgpt/">in February</a>, but now it's live and "rolling out to eligible personal accounts, including Free, Go, Plus, and Pro, and self-serve ChatGPT Business accounts":</p><blockquote><p>Lockdown...

AI Gateway now features real-time spend limits to prevent runaway token bills across multiple AI providers. By integrating with Cloudflare Access, companies can use identity-driven budgets and policies.

eyeballIncredibly addictive game. Best to use a mouse/trackpad than a touch device to give yourself a chance too!Dollar Slice Surf Report, New York CityA cool project by Scott Jehl as, using pen, pencil, Procreate and Figma as a much needed antidote to the slop era.Speaker feedsFFconf have a huge library of previous talks and speakers. Now, you can discover their RSS feeds and follow them. Handy!Let's get creativeFolks love it when we share indexes of cool stuff, so here's another!Protecting Blu

<blockquote cite="https://ladybird.org/posts/changing-how-we-develop-ladybird/"><p>We will no longer accept public pull requests. [...]</p><p>A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds. [...]</p><p>Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users...

Zed は Rust で書かれたネイティブアプリケーションで、非常に高速な動作と軽量な設計が特徴の新しいエディタです。この記事では、Zed のインストール方法と、実際に使ってみて感じた主要な機能や特徴について紹介していきたいと思います。

RubyGems and Bundler 4.0.13 introduced an opt-in cooldown feature that delays newly published gems during dependency resolution.

Renovateのクラウド版はメモリや実行時間の制限があるため、GitHub Actionsを使ったSelf Host版に切り替える方法やコストについて

now supports drives in private beta. Drives are persistent, attachable storage with a lifecycle independent from any sandbox.Vercel SandboxCreate a drive once, then mount it at a configurable path when starting a sandbox. When the sandbox stops, the drive remains available to attach to a later sandbox.Install the beta () or beta (), then create and mount a drive:SDKCLI@vercel/sandbox@betasandbox@betaSandbox Drives are useful for:During the private beta, a drive can be mounted read-write by one s

100ms deploys from Claude Code, Codex & Cursor

The API is now available. Authenticate with your project's and start querying more than 600,000 skills from across the open-source ecosystem.skills.shVercel OIDC tokenSearch for skills, pull detailed info on any one, check its security audit, and more.Vercel issues a short-lived token scoped to your team and project, rotated automatically, so there's no long-lived secret to leak or rotate. On each request, skills.sh verifies the token and applies a rate limit of 600 requests per minute per team

<p><strong><a href="https://charitydotwtf.substack.com/p/ai-enthusiasts-are-in-a-race-against">AI enthusiasts are in a race against time, AI skeptics are in a race against entropy</a></strong></p>Charity Majors neatly captures the dynamic between AI enthusiasts and AI skeptics, both of whom are trying to build great software, often in the same teams:</p><blockquote><p>The enthusiasts are <em>not wrong</em>. We are starting to see...

こんにちは。カミナシで「カミナシ 設備保全」の開発を行っている澤木です。今回はフロントエンドのコンポーネントディレクトリの構成、特に「ネストを深くしないために何をやっているか」という話をご紹介したいと思います。 feature-basedなディレクトリ構成 まず前提として私たちのチームでは機能（feature）単位でディレクトリを切り、各featureの中をさらにcomponents / hooks / contexts / model / repositoryといった責務ごとのディレクトリに分けるスタイルを採用しています。現在のフロントエンドの実装では一般的な構成かと思います。 featur…

See how CKEditor AI uses adaptive context to send the LLM only what each request needs - cutting token cost and latency on large documents.

The proliferation of agentic workflows means developers now regularly grant AI tools direct access to their infrastructure, use services that act autonomously, and build on platforms that themselves use AI to operate. We’ve updated our Terms of Service and Marketplace terms to clarify shared responsibility when actions on your account may be taken by AI, whether Vercel's own or a third-party tool you've connected, as well as other important updates detailed below.Vercel's platform increasingly i

self-replicating worm is spreading across the npm registry using binding.gyp, a file that triggers code execution during npm install without touching package.json scripts. The attack bypasses conventional security tools and has already compromised dozens of packages across multiple maintainer accounts.

<blockquote cite="https://www.404media.co/google-employees-internally-share-memes-about-how-its-ai-sucks/"><p>After this story was published Google's spokesperson reached out and asked us to publish a slightly different version of that statement. The new statement no longer stated that "it's critical that we maintain humans in the loop."</p></blockquote><p class="cite">— <a href="https://www.404media.co/google-employees-internally-share-memes-about-how...

GitHub Universe is back: returning to the historic Fort Mason Center in San Francisco on October 28–29, 2026.The post GitHub Universe is back: All together now, in the agentic era appeared first on The GitHub Blog.

We dive again into CSS Pie Charts! This time, Author Antoine Villepreux delivers semantic and flexible charts without a single line of JS.Another Stab at the Perfect CSS Pie Chart… Sans JavaScript! originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

VoidZero, the team behind Vite, Vitest, Rolldown, Oxc, and Vite+, is joining Cloudflare. Vite stays open source, vendor-agnostic, and built for everyone.

Just as with every aspect of my life, I find it hard to identify my software development skills. At my heart, I am a developer, though I spent way too much time as a high school senior fretting about whether or not I’d become an engineer. On paper, my job title has been product owner for almost the same amount of time as engineer/developer, but I was still writing code and reviewing PRs. Then comes the question of what kind of developer am I? Web developer? Mobile developer? Front-end? Full-stac

Today we're releasing Multigres v0.1 alpha to the open source community, bringing Vitess-grade horizontal scaling, high availability, and operational simplicity to Postgres.

Supabase has raised a $500M Series F at a $10B pre-money valuation, led by GIC.

Nemotron 3 Ultra from Nvidia is now available on .Vercel AI GatewayNemotron 3 Ultra is an open Mixture-of-Experts reasoning model built for orchestrating long-running agent workflows, with a 1M token context window. The model targets multi-turn agent workflows: planning, tool use, sub-agent delegation, and error recovery. Throughput reaches up to 350 tokens per second, with up to 30% lower cost on agentic tasks.To use Nemotron 3 Ultra, set model to in the .nvidia/nemotron-3-ultra-550b-a55bAI SDK

pnpm 11.5 now recognizes npm staged publish approvals in release metadata, preventing those releases from being mistaken for lower-trust package publishes.

検索やレコメンドは、ユーザーに必要な情報を届けるための仕組みです。しかし、その裏側を支える基盤開発は、単なるAPI実装でも、モデルを載せるだけの仕事でもありません。サービスごとに異なる要件、急増するト...

Get ready for a summer of sport with our new personalizable merch.

Nx Cloud recently shipped optimized resource classes and Continuous Assignment for Nx Agents. Benchmarked against GitHub Actions on a large monorepo, wall-clock time dropped 74% and cost per run fell 30%.

The skimmer never loads from a domain the attacker controls. The loader, the payload, and the stolen cards all flow through two domains every store already trusts: Google Tag Manager and Stripe.Bo...

TL;DR: We are excited to announce that VoidZero is joining Cloudflare. Vite, Vitest, Rolldown, Oxc, and Vite+ will remain open-source and MIT-licensed. Evan and the rest of the VoidZero team will continue to lead these projects, with Cloudflare fully committed to supporting our mission.

Why OAuth works the way it does: authorization codes, token expiry, and PKCE explained from first principles.

You can now create a start building a production-ready storefront in minutes.Shopify store directly from Vercel and to automatically configure your Shopify credentials in Vercel. Create a free test store, build with and deploy without leaving your workflow. When you're ready to launch, you can claim the store and take ownership of it.Install the Shopify integrationv0Coming soon: Connect an existing Shopify store to Vercel.Get started by installing , , or to start building your next .Shopify from

こんにちは、ソフトウェアエンジニアの渡邉（匠）です。「カミナシ 設備保全」の開発に携わっています。ゴールデンウィークが明けて1ヶ月ほどが経過し、休暇モードからやっと仕事モードに戻ってきました。 このプロダクトは開発開始から約2年が経ちました。バックエンドは長いあいだ presentation / domain / repository の3層で書いてきましたが、最近これにユースケース層を加えた4層へと再構成しました。 この記事では、なぜ最初から4層にしなかったのか、そしてなぜ今になって構成を取り直したのか、を書きます。 シンプルに始めた 当初のバックエンドは presentation / do…

BGP is vulnerable to routing hijacks and path leaks that negatively impact traffic on the Internet. RPKI helps solve some of these problems, but for some forged paths, we need to rely on a simpler mechanism: First AS enforcement in BGP.

The offset-path property in CSS defines a movement path for an element to follow during animation.This property began life as motion-path. This, and all other related motion-* properties, are being renamed offset-* in the spec. We’re changing …offset-path originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

The CSS @custom-media at-rule allows creating aliases for media queries.@custom-media originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

The @function at-rule defines CSS custom functions. These custom functions are reusable blocks of CSS that can accept arguments, contain complex logic, and return values based on that logic. @function originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Practical guide on how to reduce drifts, minimize mistakes, maintain context, and improve the quality of AI-generated prototypes. Brought to you by Design Patterns For AI Interfaces, **friendly video course on UX** and design patterns by Vitaly.

<p><strong><a href="https://www.bloomberg.com/news/articles/2026-06-02/uber-caps-usage-of-ai-tools-like-claude-code-to-cut-costs">Uber Caps Usage of AI Tools Like Claude Code to Manage Costs</a></strong></p>I wrote <a href="https://simonwillison.net/2026/May/27/product-market-fit/#the-ai-failure-stories-around-this-are-pretty-thin">the other day</a> about Uber blowing its 2026 AI budget in four months, and how that wasn't particularly surprising g...