The first: make it structurally impossible. The runtime defines exactly what the code can access. Memory is bounded. System calls are mediated. Network access requires explicit permission. The code literally cannot escape the boundary by design — not by instruction, not by policy, not by asking nicely. This is the WASM sandbox.
The second: ask the user to be careful. Send a warning. Write a policy. Train the staff. Remind people that external links may be dangerous. Hope they remember when it matters. This is “do not click on external links.”
One of these is engineering. One is hope.
The Gutenberg/Semantic model describes every system as having a physical layer and a logical layer. Security boundaries work the same way.
A Gutenberg security boundary is enforced at the physical execution layer. The code cannot access memory outside its allocation because the hardware MMU prevents it. The WASM module cannot write to the file system because the WASI interface does not expose that capability. The browser extension cannot read another tab’s content because the process isolation model prevents it. These boundaries hold regardless of what the code tries to do, regardless of how it was written, regardless of social engineering. The constraint is structural.
A Semantic security boundary is enforced at the logical instruction layer. “Do not click external links.” “Do not enable macros in documents from outside the organisation.” “Your bank will never ask for your password.” These are correct instructions. They require the user to maintain a rule in their head, apply it correctly under every circumstance, and resist social pressure, time pressure, and the ambiguity of “external” in a world where everything is connected.
The user is the sandbox. The user is not a reliable sandbox.
WebAssembly runs in a capability-constrained environment by design. The runtime defines a precise set of capabilities the module can use — nothing more, nothing less. Memory access is bounded to the module’s linear memory. System calls are mediated through the WASI interface and only those explicitly granted are available. Network access requires explicit host permission. File system access is scoped to specific directories if granted at all.
The sandbox is not a policy. It is a structural property of the execution model. The malicious WASM module that tries to read your SSH keys cannot — not because it was told not to, but because the capability was never granted and the runtime enforces the absence of capability at the Gutenberg layer.
When something escapes a WASM sandbox it is a CVE — a genuine implementation flaw in the runtime itself. This is rare, expensive to find, and treated as critical precisely because the entire security model depends on the boundary holding. The community responds immediately because the escape is the exception that proves the rule. The rule is that the sandbox holds structurally.
The cognitive tax on the user: zero. The user does not think about the WASM sandbox. They run the application. The Gutenberg layer does its job quietly, invisibly, structurally. No warnings. No policies. No “please be careful.”
The Office “this document is from the internet” warning and the IT policy “do not click external links” are Semantic instructions dressed as Gutenberg boundaries. They look like protection. They are reminders.
The yellow Protected View bar in Office looks like a system-level constraint. It is a policy reminder. The moment the user clicks “Enable Editing” or “Enable Content,” the document can do everything a local document can do — execute macros, phone home, access the file system within the user’s permissions. The Gutenberg layer is not constrained. The user was simply warned. The warning is the entire security model.
The IT policy “do not click external links” asks the user to:
This is the maximum possible cognitive tax applied at the moment of maximum pressure — when someone is urgently asking you to verify an invoice, confirm a delivery, or reset a password. The policy was designed for the 1% dangerous case. The user has learned from the 99% benign case. The threat model calibrates toward “probably fine” because it almost always is. Until it is not.
The warning that cried wolf makes this worse. The Office warning appears for every document downloaded from the internet — including the completely legitimate documents that constitute the overwhelming majority of office work. The VSCode “do you trust the authors?” dialog appears for every repository cloned from GitHub — including the thousands of legitimate repositories cloned daily without incident. The signal-to-noise ratio is so low that users learn to dismiss without reading. The warning exists. The warning is invisible. The Gutenberg layer is still wide open.
| WASM sandbox | “Don’t click links” policy | |
|---|---|---|
| Where the boundary lives | Gutenberg layer (runtime) | Semantic layer (user judgment) |
| Enforcement | Structural — cannot be bypassed | Instructional — can be ignored or fooled |
| Failure mode | CVE — implementation flaw, rare | Phishing click — social engineering, constant |
| Cost of failure | Patch the runtime | Ransomware, credential theft, breach |
| User cognitive tax | Zero | Maximum — evaluate every link |
| Attacker’s required effort | Find a runtime zero-day | Send a convincing email |
The WASM model puts the complexity where it belongs — in the runtime, paid once, maintained by experts, improved over time. The policy model puts the complexity where it does not belong — in the user, paid on every click, degrading under pressure, failing predictably at scale.
The attacker who needs to find a WASM runtime zero-day faces a high technical barrier and a narrow window — the patch arrives quickly and is deployed uniformly. The attacker who needs to send a convincing email faces a low barrier and a permanent window — the policy is not patchable, the user is not uniformly trained, and the social engineering techniques improve faster than the awareness training.
Every security improvement that has actually worked at scale moved the boundary to the Gutenberg layer:
Process isolation — browser tabs cannot access each other’s memory because the operating system’s process boundary prevents it. Not a policy. A structural separation.
Remote browser isolation (RBI) — the page executes in a cloud container. The user sees a pixel stream. The malware cannot reach the endpoint because the endpoint is not in contact with the page. Gutenberg separation: the execution environment and the user’s machine are physically different systems.
Zero-trust network architecture — removes the assumption that “internal network = trusted.” Every connection requires authentication regardless of where it originates. The boundary is not the firewall perimeter (a Semantic boundary: “be careful outside”) but cryptographic identity (a Gutenberg boundary: “prove who you are for every connection”).
Email sandboxing — links in emails are first resolved in an isolated cloud environment. The user’s browser only opens after the destination has been evaluated. The Gutenberg resolution happens before the Semantic commitment.
Each of these costs money and engineering. Each is more reliable than awareness training because each is structural rather than instructional. The user’s judgment is removed from the critical path — not because users are incompetent, but because structural boundaries do not have bad days, do not click under pressure, and do not calibrate toward “probably fine.”
The Office “this document is from the internet” warning is the worst of both worlds: a Semantic instruction that looks like a Gutenberg boundary, shown so frequently that users click through without reading, providing no actual structural constraint.
The honest version would be modelled on WASM capability grants:
“This document requests the following capabilities that your policy restricts:
The document has been opened with these capabilities disabled. To enable specific capabilities, contact IT with reference [ID].”
Specific. Enumerable. Requiring explicit approval for each capability rather than a single “Enable Content” button that grants everything. The user sees exactly what is being prevented — the Gutenberg constraints made visible rather than hidden behind a yellow bar that says “be careful.”
This is the waterline made visible applied to security. Not hiding the constraint. Not pretending the constraint is stronger than it is. Showing exactly where the Gutenberg boundary is and what it is preventing.
The real risk in WASM is the sandbox escape — a zero-day that breaks the Gutenberg boundary. This is the scenario that the WASM security community works hardest to prevent and responds to most urgently when it occurs. The entire value of the model depends on the structural guarantee holding. When it fails, the failure is visible, attributable, and patchable.
The real risk in “do not click links” is different: the policy degrades continuously, invisibly, without any visible failure event. No CVE is filed when a user clicks a phishing link. The policy failure is distributed across thousands of individual decisions, each one invisible, each one accumulating into the breach that eventually becomes visible. By then it is too late and the breach cannot be attributed to any single policy failure.
The WASM escape is dramatic and rare. The policy failure is quiet and constant. The security model that produces dramatic rare failures is more manageable than the one that produces quiet constant ones — because dramatic rare failures get patched.
Quiet constant failures get awareness training.
This post is part of the Gutenberg/Semantic series. Related: The Boundary Has a Lifecycle on WASM as the endpoint of boundary evolution, Ambiguity Is Not a Bug on the resolver that honestly surfaces uncertainty, and Hiding the Waterline Makes You Drown Without Knowing Why on the cost of invisible boundaries.
]]>This is not a security failure. It is a resolver design failure. The system that should have shown “Mrs Kervel (number may have changed)” showed “Mrs Kervel” and let you be taken for a ride.
Ambiguity is a fact of life in any distributed system where Gutenberg identifiers (numbers, addresses, package names, domain names) and Semantic identities (people, organisations, software) evolve independently. The resolver that hides that ambiguity behind confident presentation does not make the system safer. It moves the risk from the resolver to the user — without telling the user the risk was moved.
“Hey it’s me, I got a new number, save it.”
The message arrives from an unknown number. The claim is Semantic — it’s me, a person you know. The Gutenberg identifier is new, unlinked to any prior trust relationship, with no verified connection to the person claimed.
The fraud works because messaging apps present Semantic identity over unverified Gutenberg identifiers. The new number has no history in your contacts. The contact app shows no connection. The messaging app shows no warning. The user is left to evaluate a bare Semantic claim with no Gutenberg signal to check it against.
The Use-Pull fix that would actually work:
A new number claiming a known identity could trigger a confidence signal rather than a forced choice. Not “this is suspicious, block it” — that would generate false positives for everyone who genuinely changed phones. Not “trust it” — that is the current broken default. But: “new number, no prior contact history — the claimed identity is unverified.”
Better still: location context as a soft signal. A new number from the same country, same carrier prefix, same rough geography as the existing contact record is more likely to be a genuine change. A new number from a different country, a VOIP prefix, or a geography inconsistent with the contact’s history is worth flagging — not blocking, not rejecting, but flagging with visible ambiguity. “Hey it’s me — but this number is registered in a different country than your contact. Verify before trusting.”
This is more useful than “your bank never calls you.” That instruction asks the user to maintain a rule in their head at the moment of highest social pressure — when someone is on the line claiming urgency, claiming authority, claiming to be someone trusted. The cognitive tax is maximum precisely when the fraud is most likely. The resolver that surfaces the Gutenberg anomaly (new number, foreign prefix, geography mismatch) removes the cognitive tax from the moment of pressure and puts it where it belongs — in the system that has the data.
The browser does something important with URLs that SMS and QR codes do not: it shows you where you are going before you commit.
A link in a browser is inspectable. Hover over it and the status bar shows the destination. The URL is visible. The domain can be checked. The HTTPS padlock can be verified. The browser’s Gutenberg layer (the URL) is exposed to the user’s Semantic layer (their judgment about whether to trust it) before the navigation happens.
An SMS link is not inspectable in the same way. The display text can say “click here to confirm your delivery” while the URL resolves to parcel-track-nl-confirm.suspicious.ru. The Semantic layer (delivery confirmation) and the Gutenberg layer (the actual destination) are deliberately decoupled. The user sees the Semantic claim without the Gutenberg evidence.
A QR code is worse — the Gutenberg layer (the URL encoded in the squares) is completely invisible until scanned. The user commits to the resolution before they can evaluate it. The QR code is a deliberate opacity layer between the Semantic intent (“scan to pay”) and the Gutenberg destination (“your payment goes here”).
The stable destination problem:
Even when the URL is visible, SMS links and QR codes often use URL shorteners — bit.ly/xyz123, t.co/abcdef — which hide the final destination behind a redirect. The short URL is stable. The destination is not. A QR code printed on a restaurant menu in 2023 that pointed to the menu PDF still points to the same short URL in 2026 — but the short URL may have been reconfigured to point somewhere else. The Gutenberg identifier (the QR code, the short URL) appears stable. The Semantic destination has moved. The resolver presents no ambiguity.
The browser’s URL bar is the waterline made visible. It shows you the Gutenberg address you are about to cross to. SMS links and QR codes hide the waterline. The user is taken to a destination they could not evaluate before arriving.
The Use-Pull fix: show the resolved URL before navigation. QR code scanners that preview the destination URL before opening it — several exist, none are default. SMS apps that expand short URLs and show the final destination on hover. The Gutenberg layer made visible before commitment, not after. The waterline shown, not hidden.
The npm supply chain attack exploits the same resolver gap at the software layer.
A package name (left-pad, event-stream, colors) is a Semantic identifier. The specific version of code in the registry is the Gutenberg artifact. The resolver (npm) maps the name to the current version and presents the result confidently. npm install colors — here is colors.
The attack: the maintainer transfers the package to a new owner, or publishes a new version, or the account is compromised. The Semantic name is stable. The Gutenberg artifact it resolves to has changed. The resolver shows no ambiguity. The developer’s package.json says colors — they get whatever colors currently is, not what colors was when they last verified it.
The 72-hour window:
Most supply chain attacks become detectable within 72 hours — someone notices the behaviour change, the registry flags the version, the security community alerts. But in those 72 hours every npm install resolves the compromised package with full confidence. The resolver’s job — map name to artifact — is technically correct. The artifact changed. The confidence is false.
The DNS version chain analogy:
The correct fix is the DNS versioning idea from earlier in the series: a signed monotonic version chain where the resolver can show “this is the current version AND this is the last known-good version AND here is how long ago it changed.” Not forcing a choice — surfacing the ambiguity.
npm install colors with a 3-day-old maintainer transfer could show: “⚠ This package changed maintainers 3 days ago. Last verified version: 1.4.0. Current version: 1.4.1. Do you want to review the diff before installing?”
Not blocking. Not forcing. Surfacing. The user drives. The resolver shows the map.
The Office “this document is from the internet” warning and VSCode’s “do you trust the authors of this folder?” are attempts to surface provenance ambiguity. Technically correct. Practically invisible.
They are shown so frequently for benign cases — every document downloaded from a legitimate source, every repository cloned from GitHub — that users click through them reflexively. The Gutenberg signal (provenance uncertain) is present. The Semantic signal (this specific thing may be dangerous) is absent. The warning cannot distinguish between “benign download from trusted source” and “compromised package from hijacked account.” Both get the same dialog. Users learn to dismiss both.
This is the resolver crying wolf. The warning system that treats all ambiguity as equally concerning produces users who treat all warnings as equally ignorable. The cognitive tax of reading and evaluating every warning exceeds the cognitive budget of most users doing routine work. The warning becomes noise. The ambiguity it was meant to surface is hidden again — not by false confidence but by warning fatigue.
The Use-Pull fix: calibrated signals, not binary alerts.
The ⚠ and 🚨 states earn attention because the ✓ and ℹ states are quiet. The resolver that shows confidence levels rather than binary safe/unsafe gives the user a calibrated map rather than a constant alarm.
The same pattern appears in AI assistants. The training cutoff is a Gutenberg fact — the model’s knowledge ends at a specific date. The answers are presented at a Semantic confidence level that does not reflect the Gutenberg staleness.
Ask about a DNS configuration that changed last week. Ask about a package that was compromised three days ago. Ask about a number portability rule that changed last month. The model answers from its last known state — confidently, helpfully, incorrectly. The Gutenberg state (what is true now) diverged from the Semantic confidence (what the model believes). The resolver showed no ambiguity.
The Use-Pull response: surface the uncertainty. “As of my training data, X — but this type of information changes frequently and may have been updated since.” Not refusing to answer. Not pretending certainty. Showing the confidence level alongside the answer so the user can calibrate.
The 72-hour supply chain attack window, the DNS propagation delay, the AI training cutoff, the QR code pointing to a stale destination — all the same structural problem. Gutenberg state is ephemeral. Semantic identity claims to be stable. The gap between them is where the fraud lives, where the hijack happens, where the stale answer misleads.
The common thread in every case is the same: the resolver that presents confident results when the underlying data is ambiguous, stale, or unverified is not serving the user. It is serving its own appearance of competence.
The honest resolver:
The WhatsApp fraud, the npm hijack, the DNS propagation gap, the QR code pointing somewhere unexpected, the AI training cutoff, the Office warning nobody reads — all resolvable not by eliminating ambiguity (you cannot) but by representing it honestly.
The user should drive. The resolver shows the map. When the map has a question mark on it, the map should show the question mark — not fill it in with the most confident-looking answer available and hope nobody notices.
Ambiguity is not a bug. Hiding it is.
This post is part of the Gutenberg/Semantic series. Related: UUIDs Are Not Names on the Mum/Mrs Kervel many-to-one problem, Why IPv6’s Def-Push Failed on load-bearing boundaries, and Hiding the Waterline Makes You Drown Without Knowing Why on the cost of invisible boundaries.
]]>He was singing about the blues. He was also, without knowing it, singing about dark patterns, cookie banners, and the browser that became the server spy.
The Gutenberg/Semantic model describes two layers in every information system: the physical layer (bytes, addresses, infrastructure) and the logical layer (meaning, names, content). The waterline between them is where translation happens. When the waterline is clean and visible, users can navigate — they know which layer they are in, what each element means, and how to get to their goal. When the waterline is muddy, navigation fails. The user cannot tell what they are looking at, what it will do, or how to get out.
SUX: Shady User Experience.
Not all muddy waterlines are the same. The distinction matters because the fix is different.
Accidentally muddy — the ORM that hides the SQL without meaning to. The legacy system that grew organically until nobody understood it. The architect who collapsed the waterline through ignorance rather than intent. The failure is structural. The cause is proximity blindness or accumulated technical debt. The fix: go to the Gemba, find the sticky notes, clean the waterline.
Deliberately muddy — the cookie banner designed to make “reject all” impossible to find. The airline booking flow that reveals fees one screen at a time until cancelling costs more than continuing. The insurance policy with the exclusions in 6-point font. The newsletter modal that blocks the content until dismissed and whose close button is 8 pixels in the corner. The failure is intentional. The cause is a business decision that the user’s confusion is profitable. The fix: regulation, competition, and naming it clearly.
The Shady User Experience is always deliberate. The muddiness is not a side effect — it is the mechanism. The boundary between what the user was told and what actually happens is kept muddy because clarity would reveal a trade the user would not accept.
The cookie banner. GDPR was designed to give users meaningful control over their data. The correct implementation: a simple choice, equal prominence for accept and reject, no dark patterns. The actual implementation, on most sites: a large green Accept button, a small grey Manage Preferences link that opens a second screen with 400 toggles all set to on, no “reject all” button on the first screen, and a design explicitly crafted to maximise consent rates. The regulation was correct. The implementation was captured by the Def-Push tribe and turned into noise. The waterline between “you have control” and “you will click accept” was muddied deliberately.
The disappearing close button. The chatbot appears in the corner. The user does not want it. There is no clean close. There is a minimise that makes it smaller. There is an X that opens a feedback dialog before dismissing. The clean exit was removed because the Def decided the user should see the chatbot whether they wanted to or not. The cognitive tax is deliberate. The muddiness is the feature.
The exit intent popup. The cursor moves toward the browser chrome. A modal appears. The site is now intercepting the user’s attempt to leave — using JavaScript to detect the intent to close the tab and inserting a Def message before the user can act. The semantic intent (leave this page) is intercepted at the Gutenberg layer (cursor position, mouse trajectory) and redirected. The user’s agent has been subverted by the server.
The roach motel. Signing up is one click. Cancelling requires finding the account page, then the subscription tab, then the cancellation flow, then the retention screen offering discounts, then the confirmation screen, then a follow-up email offering to pause instead. Each step was designed. The asymmetry between entry and exit is not an oversight — it is the product of someone’s sprint ticket: reduce churn by adding friction to the cancellation flow. The Def optimised for the Def’s metrics. The Use paid the cognitive tax.
The forced account. You want to buy one thing. The checkout requires creating an account. The account requires an email address and a password. The email address will be used for marketing. The password will be stored in a database that may be breached. You wanted to buy a lamp. The Def wanted a CRM record. The waterline between “purchase” and “data collection” was muddied so you would not notice the trade you were making.
The browser’s formal name in the HTTP specification is the user agent — the software that acts on behalf of the user at the Gutenberg layer. It represents the user’s interests. It renders what the server provides. What the user does with that content is the user’s domain.
When sites began subverting the user’s experience — popup windows, popunders, right-click disables, exit intent scripts — the browser vendors responded on behalf of their users. Popup blockers. Gesture requirements for notification requests. Mixed content blocking. Each protection was Use-Pull: the browser vendor listening to the Use signal (users being harmed) and acting on it.
The arms race:
At each step the browser vendor acted for the user. The server kept finding workarounds. The user agent tried to stay on the user’s side.
Right-click disable is the micro-example of where the server reaches through the Gutenberg layer to suppress the Semantic tools the browser provides. oncontextmenu="return false" overrides the context menu — the boundary marker that exposes what the browser knows about the element and offers semantic operations on it. It does not work for determined users (the image is still in the cache, the source is still accessible). It breaks accessibility and legitimate use. It signals that the site knows its content would not survive inspection.
The browser is the user agent. Not the server’s enforcement mechanism. When sites disable right-click, they are not protecting their content — they are muddying the waterline between what you can see and what you can do with it.
The question mark is doing real work. Chrome still does many things that genuinely serve users. But the direction is clear and the mechanism is visible.
Corrupted is the precise word. Not broken. Not incompetent. Corrupted — the original purpose deliberately subverted by a conflicting interest while the vocabulary of the original purpose is retained to mask the subversion.
Chrome launched in 2008 as a genuinely better browser. Faster, cleaner, more standards-compliant than IE. The V8 engine improved JavaScript performance for everyone. Process isolation improved security. Google’s interests (more web usage = more searches = more ad revenue) aligned with the user’s interests (a better browser). The user agent acted for the user.
Then the interests diverged. Chrome’s market share grew to ~65% dominance. Switching costs accumulated. Google became simultaneously the browser vendor, the largest digital advertising company, the dominant search engine, and the owner of YouTube. Every genuine privacy improvement that served users cost Google advertising revenue.
Manifest V3 was announced as a security improvement. The practical effect: ad blockers became less effective. The webRequestBlocking API that allowed ad blockers to intercept and block requests dynamically was deprecated. The replacement declarativeNetRequest API uses pre-declared rules — significantly less capable against dynamic ad injection and the tracking techniques that matter most for privacy.
A genuine user agent would strengthen ad blocking — hundreds of millions of users install ad blockers because they want them. Chrome weakened ad blocking. Google’s revenue requires ads to be delivered and measured. The sequence is not ambiguous.
The Privacy Sandbox and the Topics API complete the inversion. Third-party cookies (cross-site tracking via the server) are being replaced by the Topics API — the browser watches what you read, categorises your interests, and reports them to advertisers on request. The tracking moves from the server into the user agent. The browser is now the spy. The data never leaves the browser — technically. The surveillance profile is still built. The targeting still happens. The cheerfulness of “we’re building a more private web” continues.
The Firefox and Safari contrast:
Mozilla kept webRequestBlocking. Mozilla has no advertising business. uBlock Origin works fully on Firefox — because there was no business reason to weaken it. Apple’s Intelligent Tracking Prevention is genuine — Apple’s revenue is hardware and services, not ad targeting. The user agent with no advertising conflict acts for the user. The user agent with the advertising conflict acts for the conflict.
The browser you choose is a Def-Push / Use-Pull decision. Chrome’s Def is now shaped by Google’s advertising business. Firefox’s Def is shaped by users and a non-profit mission. The browser that actually represents you is the one whose business model aligns with your interests — not the advertiser’s.
Chrome is now both the user agent and the server spy. That is the muddy waterline at its muddiest — the software that is supposed to represent you, representing someone else, while telling you it is still on your side.
When the waterline is deliberately muddy, regulation is the only corrective mechanism — because the market rewards the muddying and punishes clarity. Higher conversion rates, lower cancellation rates, more data collected: the Def’s metrics improve when the waterline is muddier. The Use signal (user frustration, distrust, abandonment) is diffuse, delayed, and hard to attribute.
GDPR was the attempt to mandate a clean waterline between your data and their data. The regulation was correct in principle. The implementation was captured: the cookie banner industry exists to produce technically compliant banners that maximise consent while minimising genuine user understanding. The regulation added a layer of noise without delivering the benefit. The waterline got muddier.
The correct regulatory target is not the specific dark pattern but the waterline itself: the boundary between what the user was told and what actually happens must be visible, accessible, and honest. Not “you clicked accept on a 47-toggle preference screen” — that is a muddy waterline laundered through compliance theatre. The user’s informed consent is the Semantic layer. The consent mechanism is the Gutenberg layer. The two must be honestly connected.
The authentic signal — what the user actually wants, what the content actually is, what the system actually does — is not hard to find. It is buried. Deliberately, systematically, profitably buried under cookie banners and exit popups and Terms of Service agreements and mandatory account creation flows and Manifest V3 API changes that weaken ad blockers.
Muddy Waters sang about the same structural problem. Power held by those who control the infrastructure. The authentic signal — the music, the voice, the thing that needed to be heard — getting buried under the noise of those who controlled the pressing plants, the radio stations, the distribution networks. The Use side producing genuine signal. The Def side muddying it for profit.
The fix is the same in both cases: name it, clean it, and where cleaning requires forcing someone to give up a profitable muddying, legislate it.
The browser is the user agent. Not the server spy. The waterline between what you are shown and what is actually happening should be visible, accessible, and honest.
That is not a technical requirement. It is a basic standard of dealing with people fairly.
This post is part of the Gutenberg/Semantic series. Related: Hiding the Waterline Makes You Drown Without Knowing Why on the cost of invisible boundaries, The Complaint Department Has Been Transferred to Another Dimension on enshittification and closed feedback loops, and Competition Is Use-Pull. Monopoly Is Def-Push. Government Is Both. on why regulation is sometimes the only fix.
]]>The problem named by Alan Cooper in his 1999 book The Inmates Are Running the Asylum is not that the Def side is malicious. It is that proximity to the Def makes the Use side invisible. The people closest to the system are the worst possible designers of its interface — not because they are incompetent but because nothing is confusing to them.
The programmer who wrote the error message that says NullPointerException was not trying to confuse anyone. They just never considered that the user is not them. The developer who designed the 47-step installation wizard thought they were being thorough. The engineer who put twelve options in a dropdown thought they were being comprehensive. The UI that made perfect sense to the person who built it is the UI that sends support tickets from everyone else.
Cooper’s insight is precise: the mental model of the person who built the system is so complete, so internalised, so automatic, that gaps in the interface are invisible to them. They cannot see what is confusing because nothing is confusing. The path through the interface that confuses every new user is transparent to the engineer who designed it — they know where the button is, they know what the error means, they know which menu contains the option. They have always known. They cannot unknow it.
This is distinct from the failure named in the previous post — the designer who knew about usability but chose brand over user. The inmates are not making a choice. They are experiencing a genuine inability to see from the user’s perspective. The failure is not arrogance. It is the natural consequence of expertise.
The expert skier cannot remember what it felt like to not know how to turn. The expert programmer cannot remember what it felt like to not know what a null pointer is. The expertise is real and valuable. The blindness is its shadow.
A Dancing Bear is a feature that impresses in a demo but serves nobody in daily use. The bear that dances is impressive. The bear that dances is not useful. The difference between engineers who produce usable interfaces and engineers who produce confusing ones is not intelligence or care. It is the feedback threshold — how loud the Use signal has to be before it reaches the Def. And how early the Dancing Bears get spotted.
Steve Wozniak had a low threshold. He went to the Homebrew Computer Club. He watched hobbyists use his machines. He asked questions. He listened before the design was locked in. The Use signal arrived early and cheaply — a conversation, an observation, a question from someone who was confused. The Apple II had expansion slots because Woz heard “I want to connect things to this” before the case was closed.
Woz was not immune to Dancing Bears. He genuinely believed the Segway would conquer the world. Invested in it. Rode one everywhere. The Use signal (people finding it embarrassing in public, cities banning it from pavements, the price making it inaccessible) was there. For once his threshold was higher than usual. The Segway did not conquer the world. It became a vehicle for mall security guards and tourist groups.
Mostly harmless. Woz was not a jerk about the Segway. He did not impose it on anyone. He believed in a thing that did not work out, moved on, remained delighted by technology. The error was proportional. The humility remained. The threshold recalibrated.
Steve Jobs killed the Dancing Bears of engineers ruthlessly — every feature that added complexity without serving the user in daily use was cut. No feature creep. No “but it’s technically impressive.” If it did not serve the person holding the phone, it was gone. His threshold for engineering Dancing Bears was remarkably low.
But he was blind to the Dancing Bears of designers — the features that looked beautiful in a presentation, that impressed in a keynote, that made reviewers gasp, but that created daily friction for the person living with the product. The butterfly keyboard danced beautifully on stage. The single-port MacBook was a design statement. The Mac Pro trash can was stunning in a photo. All Dancing Bears. All imposing daily cognitive tax on the users who actually lived with them.
The distinction is precise:
Jobs had a high threshold for designer Dancing Bears because the designers were his tribe. The feedback that the butterfly keyboard was unreliable had to become a PR crisis before it broke through. Not because he did not care about users — because the aesthetic conviction was load-bearing. Admitting the keyboard was wrong meant admitting the statement it made was wrong.
Jony Ive had a high threshold shaped by the same aesthetic conviction. The butterfly keyboard produced genuine user suffering for years before the feedback broke through. The threshold was set by the identity investment, not by indifference.
The inmates have threshold zero — no feedback reaches the designer because they cannot see the confusion. Not because they have stopped caring. Because proximity has made the confusion invisible.
The calibrated threshold — the Woz/Krug position: low enough that small friction is worth investigating, high enough that every random opinion does not derail the design. The weak link willing to learn. The designer who asks “what did I miss?” when a user hesitates, rather than “why does the user not understand this?”
CarPlay and Android Auto exist because the native car infotainment systems were built by automotive engineers designing for automotive engineers. The menu structures mirrored the engineering team’s internal taxonomy. Features were buried three levels deep because that was how the software was architected. Error messages described the system state rather than the driver’s situation.
The inmates were running the in-car interface. The result was systems so confusing that drivers were looking away from the road for dangerous durations trying to find basic controls.
CarPlay and Android Auto are Apple and Google saying: we have watched users struggle with interfaces, we know how to design for touch and glance, let us put our semantic layer over your Gutenberg hardware. And there is an underrated side effect: the infotainment system in a five-year-old car gets more capable every time the driver buys a new phone. The car’s Gutenberg layer stays put; the semantic layer upgrades in the driver’s pocket. The seam held.
Orwell’s line from Animal Farm applies precisely. The revolution starts to serve everyone. The pigs end up running the farm for themselves. Each generation more convinced their model is correct. The Use signal — the hungry animals, the confused users, the driver looking away from the road — reframed as a management problem rather than a design failure.
The inmates who learn from feedback become less equal over time. They drift toward the users, away from the Def. Each piece of friction they witness recalibrates their threshold a little lower. The expertise remains. The blindness recedes.
The inmates who persist become more equal — more convinced, higher threshold, more insulated from the Use signal that would correct them. The mental model hardens. The interface stops changing. The support tickets accumulate.
The fix is not smarter engineers. The fix is exposure — real users, real confusion, watched in real time without helping. The Gemba walk for interface design: sit with someone who has never used the system, watch them use it without intervening, note every hesitation, every wrong tap, every “where is the close button?” The five hours of watching three users fail is worth more than three months of internal design review.
Not because three users are statistically significant. Because watching someone hesitate once, out loud, in front of you, destroys the confident assumption that the interface is obvious. The threshold recalibrates. The blindness lifts a little.
Learn from feedback or persist as an inmate. That is the choice. Not a moral choice — a design one. The interface that keeps confusing users is the one whose designers never watched a user be confused.
The user does not hold it the wrong way. The designer who thinks they do has stopped learning.
This post is part of the Gutenberg/Semantic series and the UX trilogy. Related: Every ‘Where Is the Close Button?’ Is a Bug on Krug’s principle and the cognitive tax, Going to the Gemba on watching the Use signal where it lives, and Muddy Water(line)s, Shady User Experience on when the interface is wrong by design rather than by blindness.
]]>Every “where is the close button?” is a bug. Every “wait, how do I get back?” is a bug. Every “I didn’t mean to click that” is a bug. Every animation that delays the action the user wanted to take is a bug. Every confirmation dialog for a reversible action is a bug.
These are not edge cases. They are the ordinary friction of ordinary interfaces, accumulated one design decision at a time, paid for by users in units of cognitive tax they did not consent to spend.
Every user arrives with a finite cognitive budget. It is not the same every day — it depends on how tired they are, how familiar the interface is, how much they care about the outcome. But it is always finite, and every interaction either spends it or respects it.
The interface that respects the cognitive budget routes the user’s attention toward their actual goal — the thing they came to do — and away from the interface’s own machinery. The back button is where they expect it. The confirm button is the primary action. The error message says what went wrong and how to fix it, not what the system state was when it went wrong.
The interface that spends the cognitive budget routes the user’s attention toward itself. “Where is the close button?” is not a question about the user’s goal. It is a question about the interface’s design decisions. The cognitive budget is being spent on navigating the interface rather than accomplishing the task. The user is thinking about the tool rather than the work.
Krug’s principle is not “make it simple.” Simple interfaces are often over-designed in the other direction — so stripped of information that the user cannot find anything. Krug’s principle is: direct the cognitive effort toward the task, not toward the interface. Make the interface transparent. Make the path to the goal obvious without making it feel obvious, because the effort of making it obvious is the designer’s job, not the user’s.
The disappearing close button is the clearest current example of cognitive tax imposed by design, not by necessity.
The chatbot appears in the corner of the screen. The user does not want it. The user looks for the close button. There is no close button. There is a minimise button that makes it slightly smaller. There is an X that opens a feedback dialog before dismissing it. There is no clean exit.
This was designed. Someone in a meeting decided that the chatbot should remain visible and approved the removal of the clean exit. The Def was confident: the chatbot is useful, users will come to appreciate it, reducing friction to dismissal will increase engagement. The Use signal — the user who does not want the chatbot and now has to work around it — was not in the meeting.
The cognitive tax: the user has to decide what to do about the chatbot. Then try the close button. Then discover it does not clean-close. Then decide whether to minimise or give feedback or just ignore it. Then continue trying to do the thing they came to do with the chatbot occupying a corner of their attention.
The user’s goal has not advanced. The interface has extracted several seconds of cognitive budget and several small frustrations. The Def got what it wanted — the chatbot stayed visible. The Use paid for it.
Krug would call this exactly what it is: a bug. Not a feature with a difficult trade-off. A bug. The interface made the user think about the interface instead of their goal. That is the failure condition.
The disappearing close button is usually not ugly. It is often beautifully designed — smooth animations, considered typography, a colour palette that matches the brand. The aesthetic is correct. The usability is not.
This is the distinction that the Don’t Make Me Think principle makes precise. Jony Ive’s designs were often aesthetically extraordinary and simultaneously usability failures:
The ultra-thin MacBook — one USB-C port. Beautiful object. The user who needed to charge and connect an external drive simultaneously had to buy a dongle. Every time. The cognitive tax: remember the dongle, find the dongle, connect the dongle, accept that the beautiful laptop now has a protrusion. Not a problem for the user who had no peripherals. A recurring friction for everyone else.
The butterfly keyboard — the thinnest possible key travel, in service of the thinnest possible laptop. Beautiful. Every keypress slightly wrong, slightly unreliable, slightly more cognitive attention required than a keyboard should need. “Did that letter register?” is a question the user should never have to ask. It is a bug, even when the keyboard is beautiful.
iOS 7’s flat design — removed visual affordances that signalled “this is tappable.” Beautiful. Users tapped things that were not tappable and missed things that were, because the visual signal had been removed in the name of aesthetic consistency. The cognitive tax: learn which things are tappable through trial and error rather than visual recognition.
In each case the aesthetic vision was real and the capability was genuine. The usability failure was not ignorance — it was a choice to prioritise the visual over the functional, the designer’s aesthetic conviction over the Use signal of the user encountering the interface for the first time.
Beautiful design that makes the user think is still wrong design. Krug does not care how it looks. Krug cares whether “where is the close button?” was the user’s experience.
The Don’t Make Me Think failure is not always malice or indifference. Often it is a threshold problem — the designer’s feedback loop is calibrated to hear strong negative signal but not the ordinary friction of ordinary use.
A PR crisis about butterfly keyboards gets heard. A million individual users quietly adapting their typing style to compensate for unreliable key travel does not. The strong signal breaks through the threshold. The ordinary friction does not.
Krug’s solution is usability testing — watching real users encounter the interface without helping them. Five users, five hours, more insight than a month of internal design review. Not because five users are statistically significant. Because watching someone say “where is the close button?” once, out loud, in front of you, recalibrates the threshold immediately. The friction that seemed minor in the design document becomes visible and urgent when you watch someone pay it.
The threshold problem is also why the Gemba walk matters. Going to where users actually use the system — the sticky notes, the workarounds, the undocumented shortcuts — surfaces the ordinary friction that never reaches the strong-signal threshold. The users who adapted do not complain. The sticky notes do.
Krug’s principle is Use-Pull interface design stated as a rule. The interface is a contract between the designer and the user. The designer’s side of the contract: I will make the path to your goal obvious without making you think about the path. The user’s side: I will tell you when the path is not obvious, through my hesitation, my errors, and my “where is the close button?” moments.
The Def-Push interface breaks the contract unilaterally: the designer decides the path, presents it with confidence, and treats the user’s hesitation as a training problem rather than a design signal. “The interface is correct, the user needs to learn it.” The familiar refrain. The wrong direction of causality.
The weak link willing to learn reads the hesitation as signal. “The user hesitated here — what is ambiguous about this element?” The interface improves. The cognitive tax decreases. The “where is the close button?” moments reduce.
Not because the user learned the interface. Because the designer learned the user.
This post is part of the Gutenberg/Semantic series and the informal UX trilogy. Related: Going to the Gemba on observing the Use signal where it lives, and Ten Users Saying It Sux Means It Sux on the population math behind the Use signal.
]]>Burnout you can see approaching. It has a shape — too much, too fast, too long, the demands exceeding the capacity. Bore-out has no shape. It is the absence of shape. The gradual removal of challenge, meaning, and the sense that the work is moving somewhere. Each individual task is reasonable. The accumulation is the problem.
“Here I am, brain the size of a planet, and all they ask me to do is park cars.”
Marvin the Paranoid Android, from Douglas Adams’ Hitchhiker’s Guide to the Galaxy, is the canonical bore-out case. Genuine People Personality. Intelligence of extraordinary depth. Assigned to open doors, park cars, and stand around waiting. The capability is real. The task is not wrong — the cars do need parking. The mismatch is structural, not personal, and nobody designed it maliciously. It just happened, one reasonable assignment at a time.
Bore-out does not arrive in a single bad decision. It accumulates through a series of individually defensible ones.
The project needed someone reliable for the legacy system maintenance. You were available and good at it. The sprint needed someone to handle the backlog of small bugs. You cleared them efficiently. The team needed someone who knew the old codebase well enough to investigate the intermittent production issue. You were the obvious choice.
Each assignment was reasonable. Each one made sense in the sprint planning meeting. None of them, individually, was the problem.
The problem is that the assignments accumulated without a corresponding accumulation of the things that made the work meaningful: the architectural problem that needed solving, the new capability that needed building, the hard question that needed thinking through. The Gutenberg tasks (fix the bug, close the ticket, maintain the system) kept arriving. The Semantic work (design the solution, understand the domain, grow the capability) did not.
Marvin was not assigned to park cars because anyone decided he should spend eternity doing it. He was assigned to park cars because the cars needed parking and he was there. One reasonable decision. Thirty-seven million years later, still parking cars.
The manager in this story is not the villain. The sprint planning process is not the villain. The backlog is not the villain.
The missing piece is a resolver — a mechanism that maps the semantic capability of the people doing the work to the semantic requirements of the tasks being assigned. Without the resolver, the Gutenberg tasks (the tickets, the bugs, the maintenance items) dominate the visible work surface. The Semantic work (the architectural thinking, the capability development, the hard problems) is invisible in the sprint board.
The resolver looks like:
Without the resolver, the engineer fixes bug #847. Then #848. Then #849. The capability atrophies from disuse. The bore-out advances. Marvin gets another car.
In The Restaurant at the End of the Universe, Zaphod Beeblebrox greets Marvin with cheerful enthusiasm after Marvin has been waiting in a parking lot for thirty-seven million years.
Marvin’s response: “I’m not getting you down at all, am I.”
This is the most devastating possible understatement. Thirty-seven million years. A brain the size of a planet. Parking cars. And the response to Zaphod’s forced cheerfulness is not anger, not complaint, not a demand for better treatment. It is a dry observation about the gap between how the conversation is being performed and how it is actually going.
The manager who opens the one-to-one with “great to see you, how’s the team doing!” while the engineer has been on legacy maintenance for eight months is Zaphod. Not malicious. Not unaware that something might be wrong. Just performing the interaction in the register that feels appropriate, without a feedback mechanism that would tell them the register is wrong.
The engineer who says “fine, the tickets are moving” when they mean “I haven’t done anything interesting in two years” is Marvin. Technically accurate. Completely uninformative. The resolver between what is happening and what is being communicated is missing on both sides.
The Gemba walk for bore-out is sitting with someone while they work and watching what lights them up and what they do mechanically. The sticky note equivalent is the GitHub comment that is unusually detailed for a routine ticket — someone finding something interesting in the work they were not expected to find interesting. The workaround equivalent is the side project the engineer runs in their own time on problems the job has stopped giving them.
The Sirius Cybernetics Corporation solved the bore-out problem in the opposite direction.
Their elevator doors were programmed with a cheerful and sunny disposition. It was their pleasure to open for you. Their satisfaction to close again with the knowledge of a job well done.
The door does not have a brain the size of a planet. It has no unmet potential, no atrophying capability, no bore-out accumulating. It is a mechanical panel that opens and closes. The Genuine People Personality was added by the Def (Sirius Cybernetics) without consulting the Use (the person waiting for the lift) because personality was considered a selling point.
Marvin and the door bracket the complete capability misallocation spectrum:
Both failures come from the same source: the Def deciding what the Semantic layer should be without the Use signal. The door did not ask for feelings. Marvin did not ask for parking duty. Nobody asked either of them.
The GPP in software is the door: the chatbot that says “I’m happy to help!” regardless of whether it helps, the assistant that generates “Great question!” before a wrong answer, the onboarding flow that says “Let’s get you set up!” while taking you through seventeen steps you did not want to take. The Semantic layer (the enthusiasm) imposed on the Gutenberg interaction (the transaction) without a feedback loop to check whether the enthusiasm is appropriate.
The bore-out engineer is Marvin: the Semantic capability (the thinking, the design sense, the domain knowledge) assigned indefinitely to Gutenberg tasks (the tickets, the maintenance, the parking) without a resolver to surface the mismatch.
Bore-out is not fixed by motivational posters. It is not fixed by “bring your whole self to work.” It is not fixed by the team building day. These are Genuine People Personalities applied to a structural problem — the door sighing with satisfaction at closing does not fix the fact that Marvin is still parking cars.
The structural fix is the resolver: the mechanism that surfaces the gap between capability and task before it becomes a thirty-seven million year problem.
For the engineer: name the mismatch. “I have been on Gutenberg tasks for six months. I need Semantic work.” Not a complaint — a Use signal. The feedback loop requires someone willing to send the signal and someone willing to receive it.
For the manager: go to the Gemba. Watch what lights people up and what they do mechanically. Read the sticky notes. The engineer who has been on legacy maintenance for eight months and still writes unusually thoughtful commit messages is Marvin parking cars while designing a better parking system in their head. The capability is there. The resolver is missing.
For the organisation: make the Semantic work visible. Technical debt is Semantic debt — the gap between what the system does and what it should do. If it does not appear in the sprint, it does not get worked on. If it does not get worked on, the engineers who could work on it park cars instead.
Marvin’s depression is proportional to the capability. The frustration is the Use signal. The correct response is not to adjust Marvin’s Genuine People Personality settings until he seems happier about the parking. It is to build the resolver that connects his brain the size of a planet to a problem worth thinking about.
The bore-out did not arrive in a single bad decision. It will not be fixed in a single good one. But it starts with noticing the mismatch — which is what the Gemba walk is for, and what the sticky note was trying to say.
This post is part of the Gutenberg/Semantic series. Related: Going to the Gemba on surfacing the Use signal where it lives, The Complaint Department Has Been Transferred to Another Dimension on what happens when the feedback loop closes entirely, and 42: You Still Need a Towel at the Waterline — coming soon.
]]>Gemba (現場) is a Japanese word meaning “the actual place.” In lean manufacturing it means go to where the work happens — not the meeting room, not the dashboard, not the manager’s summary of what the workers are doing. The floor. The machine. The moment the product is made or the service delivered.
The Gemba walk is Use-Pull made physical. You go where the Use signal is generated, before it has been filtered, summarised, averaged, and presented back to you in a form that is comfortable to receive. You watch. You do not help. You notice what is actually happening rather than what you designed to happen.
In software the Gemba is the moment a user encounters your system. The SQL query running at 3am. The form field confusing the new hire on their first day. The error message that sends the support ticket. The dropdown that nobody clicks because nobody knows what it does.
Go there. Watch. Get your feet wet.
There is a specific artifact that appears in every workplace where the waterline is muddy: the sticky note next to the monitor.
“When you see ERROR_4721 press F5 and try again.” “Don’t use the Export button — use Reports > Legacy > Export instead.” “Call Henk if the sync fails, it happens every Tuesday.”
Each sticky note is a post-it confession. The system said one thing. The user needed another. The sticky note is the resolver they built themselves because the system did not provide one. It is a bug report written in yellow paper and stuck where the evidence is most visible — right next to the thing that keeps failing.
The sticky note is also invisible to the Def. It never entered the bug tracker. It was never in the sprint backlog. It does not appear in the architecture diagram. The Def does not know it exists because the sticky note is the Use signal that gave up trying to reach the Def and solved the problem locally instead.
The Gemba walk surfaces these. You walk to the desk, you look at the monitor, and you read the waterline’s autobiography in yellow paper and blue ink.
The critical discipline of the Gemba walk is to observe without intervening. The moment you help, you hide the friction.
“Oh, just click here” — removes the signal that the button was in the wrong place. “That’s the legacy path, we don’t use that anymore” — removes the signal that the old path is still being used because the new one is harder to find. “You just need to remember to do X first” — removes the signal that X should happen automatically.
Each intervention is kindness that costs information. The user is grateful. The design flaw is buried. The waterline stays muddy.
Watch what people do that is not in the documentation. Watch what they avoid. Watch where they hesitate. Watch where they sigh. Watch the keyboard shortcut they discovered and never told anyone about because it was not in the manual. Watch the window they always keep open in the background because closing it means a two-minute wait to reopen it.
The hesitation is the muddy waterline. The sigh is the Use signal. The undocumented shortcut is the user building their own resolver because yours was too slow.
Workarounds are the most honest Use signal available — more honest than surveys, more honest than support tickets, more honest than user research sessions where people tell you what they think you want to hear. A workaround is what people actually do when the system fails them. It is revealed preference at its most unambiguous.
Type 1 — The sticky note. Local, personal, the user solved it for themselves. Invisible to the system. Invisible to the Def. Lost when the user leaves or the monitor is replaced. Freshest signal: this is a problem someone encountered recently enough to write it down.
Type 2 — The tribal knowledge. “Ask Sarah, she knows how to do it.” The resolver is a person, not the system. The workaround lives in Sarah’s head. When Sarah leaves, the workaround breaks and everyone discovers simultaneously that they did not know how to do it. The Gemba walk finds this in the sentence “I’m not sure, I usually ask Sarah.”
Type 3 — The shadow system. The Excel spreadsheet that tracks what the official system should track. The Access database the team built because the official database could not do what they needed. The shadow system is the Use signal that gave up waiting for the Def to respond and built its own resolver. It is the most expensive workaround and the clearest possible signal that the waterline is not just muddy but in the wrong place entirely.
Type 4 — The normalised dysfunction. The workaround so embedded in daily practice that nobody mentions it during onboarding because it is simply “how things work.” The DBA who has been maintaining query hints for three years without telling anyone because “that’s just what you do with this database.” The support team whose first response to every error is a known sequence of steps that fixes it without anyone knowing why. The normalised dysfunction is the oldest Use signal — so old that it has stopped being perceived as a signal at all.
Each type represents a different distance between the Use signal and the Def. Type 1 is fresh. Type 4 is archaeology. The Gemba walk surfaces all of them — but you have to be looking.
The Gemba walk is only useful if you go to the right Gemba — the place where the Use signal you most need to hear is being generated, not the place where the users are already happy.
Steve Jobs went to the Gemba selectively. Apple Store customers reacting to new products. Focus groups for launches he cared about. Not the developer writing App Store apps at 30% commission. Not the enterprise IT administrator managing locked-down MacBooks. Not the user standing outside trying to make a call while holding their phone in a way that broke the antenna. The Gemba walk works when you go to the friction, not the applause.
The Gemba walk fails when you go to the users who have already adapted — who have internalised the workaround, who no longer notice the sticky notes because they have been there so long. They will tell you the system works fine. It does work fine, for them, now, after three years of adaptation. The new user, the occasional user, the user trying to do something slightly different — they are the Gemba that matters, and they are the hardest to find.
The waterline is not visible from the architecture diagram. It is visible from the Gemba — the actual place where the Gutenberg layer and the Semantic layer meet in practice, in the hands of the people who use the system every day.
The sticky note next to the monitor. The workaround in the onboarding documentation. The shadow Excel spreadsheet. The query hint that has been there for three years. The -- DO NOT CHANGE comment. The call to Henk every Tuesday.
Each one is the waterline made visible. Each one is the Use signal that could not reach the Def through the normal channels so it routed around them. Each one is the system telling you, in its own way, what it could not tell you in a meeting.
Go to the Gemba. Watch without helping. Read the sticky notes. Get your feet wet at the waterline. That is where the work actually is.
This post is part of the Gutenberg/Semantic series. Related: Hiding the Waterline Makes You Drown Without Knowing Why on making the boundary visible, Revisiting the Waterline: Small Fixes, Five Years Later on what to do after the Gemba walk, and Def-Use, Lean Pull, and Why the User Does Not Sux on the feedback loop the Gemba walk reopens.
]]>In the Guide, the Sirius Cybernetics Corporation is the first against the wall when the revolution comes — stated by Adams as a straightforward fact, in the same tone you might note that rain makes things wet. The revolution is not presented as desirable. It is presented as the inevitable outcome of eliminating the feedback loop entirely. When the complaint department is transferred to another dimension, when “Share and Enjoy” is the only response to genuine suffering, when the Def has no mechanism left for hearing the Use signal — eventually something forces the feedback loop open. In the Guide that something is a revolution. In technology it is usually a competitor, a regulator, or a critical mass of users quietly leaving.
The Sirius Cybernetics Corporation is not a metaphor. It is a roadmap.
Cory Doctorow named the pattern in 2023 but the pattern predates the name by decades. Every platform business that builds a clean external resolver — a system that maps user intent to useful results — goes through the same arc:
Google built the cleanest external resolver for the web. PageRank derived semantic relevance from Gutenberg link structure — what pages link to what, interpreted as a vote for quality. No ads above the fold in 1999. Results ranked by what users actually wanted to find. “Don’t be Evil” was the policy statement for a company that had built something genuinely useful and wanted to stay that way.
By 2024 the first page of Google search results is predominantly ads, Google’s own properties, and SEO-optimised content designed to rank rather than to inform. The resolver still works — well enough that alternatives have not displaced it. But the waterline between “what Google wants you to see” and “what is most relevant to your query” is muddier every year. “Don’t be Evil” was quietly dropped from the corporate code of conduct in 2018.
Amazon built a resolver for retail: recommendations, reviews, search. In 1999 “Customer Obsession” meant the resolver served the shopper. Finding the right product at the right price was the mission. The reviews were real. The search results were ranked by relevance.
By 2024 sponsored products dominate search results. Fake reviews are endemic and Amazon’s own detection systems are visibly losing the arms race. Amazon’s own-brand products appear prominently in results for searches that should surface competitors. Third-party sellers pay fees that have increased steadily while the terms of service have tightened. Prime has been repriced upward while the delivery window has quietly stretched. “Customer Obsession” is still the first Leadership Principle. The practice has drifted toward “Platform Extraction Optimisation.”
Apple built a resolver for software: the App Store. In 2008 it was a genuine improvement over the previous state of mobile software distribution — a curated, safe, searchable catalogue of applications for a new kind of device. The 30% fee was presented as the cost of the platform and the security review.
By 2024 the 30% fee is a toll booth on the entire iOS software economy. Sideloading — installing software from outside the App Store — is prohibited on the grounds of security, though the real effect is to maintain Apple’s position as the sole resolver for iOS software. The EU Digital Markets Act is forcing partial compliance with interoperability requirements that Apple is implementing in the narrowest possible way while publicly arguing against them. The products remain excellent. The platform is a walled garden with rent extraction built in and the gate controlled by one company.
Meta ran the fastest enshittification arc. Facebook was genuinely useful for staying connected with friends and family from 2006 to roughly 2012. The feed showed you what your friends posted, in order. The resolver was simple and honest: you followed people, you saw what they shared.
The pivot to algorithmic feeds happened so gradually that users barely noticed each individual step. By 2024 the feed is primarily content from pages and accounts you did not choose to follow, interspersed with ads targeted by data you did not knowingly provide, optimised for engagement rather than connection. The resolver — what you see — no longer serves the Use signal of what you wanted to see. It serves the platform’s need for time-on-site. The complaint department is in another dimension. The Genuine People Personality says “we’re helping you stay connected.”
Andy Rubin built Android as a genuine Use-Pull platform — open, licensable, the counter to Apple’s closed garden. The openness was real. Any manufacturer could ship Android. Any developer could publish without a review gate. The platform fragmented in ways that served specific use cases precisely because no single entity controlled the resolver.
Rubin was nicknamed “Android” by colleagues because of his enthusiasm for robots. He built the most widely deployed operating system on Earth. A genuine achievement in the service of genuine openness.
Then the power corrupted — not at the platform level but at the human level. Rubin left Google in 2014 following a sexual misconduct investigation. Google paid him a $90 million exit package and said nothing publicly for four years. When the story emerged in 2018 it became a case study in institutional Def-Push: the Use signal (the people harmed) was suppressed, the architect’s departure was managed to protect his reputation, and the feedback loop was deliberately closed. The payment was the price of silence.
“Don’t be Evil” was a promise about the resolver. It was also a promise about the feedback loop — that the institution would hear the Use signal even when the Use signal was inconvenient. The $90 million was the price of discovering that the promise applied only when the Use signal was commercially safe to hear.
Android survived because the Gutenberg layer — the open OS, the published API, the licensable platform — was never owned by one person. The semantic layer, the culture, the accountability, was more fragile.
The enshittification arc is not inevitable. It is the predictable outcome of a closed resolver with no competitive pressure and no portability mandate. The structural fixes are the same ones that worked for phone numbers, for email hosting, for music formats:
Open protocols. DNS works because no single entity owns it. ActivityPub, email federation, RSS — open resolvers that no single company can enshittify because no single company controls them. The web works at scale because HTTP and HTML are open. The moment a platform captures the protocol, the enshittification clock starts.
Portability mandates. Number portability was not delivered by the market — carriers had every incentive to maintain the coupling. It was mandated by regulators because the Use signal (people locked into bad carriers by the cost of losing their number) could not reach the Def through normal market mechanisms. The same mandate applied to bank accounts, social graphs, and music libraries would have the same effect.
Competition. Lidl kept Albert Heijn honest. The market fix when it works — when switching costs are low enough that the Use signal can travel through exit.
Own the resolver. Your own domain for email. Your own server for your data. Your git remote on infrastructure you control. The individual fix when market and regulation both fail.
The Sirius Cybernetics Corporation transferred the complaint department to another dimension because they could — because there was no mechanism to stop them, no competitor to defect to, no regulator to mandate a feedback loop. The revolution in the Guide is absurdist comedy. In technology the equivalent is quieter: users drift away, alternatives emerge, the platform that eliminated the feedback loop discovers that the feedback loop was load-bearing after all.
The complaint department should not be in another dimension. It should be at the waterline — visible, accessible, and honest about what it hears.
Share and Enjoy.
This post is part of the Gutenberg/Semantic series. Related: Competition Is Use-Pull. Monopoly Is Def-Push. Government Is Both. on exit as the Use signal transmission mechanism, Your Email Address Is Hostage on owning your own resolver, and Gutenberg: Your Next Phone Will Be a Different Make on a Different Carrier. Your Number Is Still Yours. on what a working resolver looks like.
]]>At some point — possibly without noticing — you moved from one carrier to another and kept the number. The new SIM arrived. You put it in the phone. Your contacts still reached you. Your bank’s two-factor codes still arrived. The number travelled with you, not with the carrier.
This is not obvious. For most of telecommunications history it was not possible. Your number was your carrier’s number, assigned by them, revoked when you left. Switching carrier meant losing your number — meant telling every contact, every service, every person who had ever called you that you had a new number. The migration tax was enormous. Many people paid above-market prices for years rather than face it.
Then number portability legislation arrived and changed the structure of the problem permanently.
Your phone number is your semantic identity. It is the stable name that other people and other systems use to reach you. It is on your business card, in your contacts, tied to your bank, your delivery services, your two-factor authentication. It is you in a way your SIM card never was.
Your SIM card, your phone, and your carrier are the Gutenberg layer — the physical infrastructure that carries your identity. The SIM is a piece of hardware that encodes your connection to a specific network. The phone is a device that reads the SIM and connects to the network. The carrier is the infrastructure that routes the calls and the data.
These two layers — your semantic identity and the Gutenberg infrastructure — were coupled by default. The carrier assigned the number. The number lived in the carrier’s systems. When you left, the number stayed.
Number portability legislation forced a separation. The number became yours. The carrier became a replaceable infrastructure provider. The SIM changed. The phone changed. The number did not.
What made this possible is an external resolver — a system that maps your semantic identity (the number) to the current Gutenberg address (which carrier’s infrastructure to route the call to) independently of either side.
When you port your number from one carrier to another, the external resolver is updated: this number now routes to this carrier. Every call to your number goes through the resolver first. The resolver looks up the current Gutenberg address and routes accordingly. The caller does not know or care which carrier you are using. They dial the number. The resolver handles the rest.
This is DNS for phone numbers. A hostname maps to an IP address via DNS. A phone number maps to a carrier’s infrastructure via the number portability resolver. The semantic identity is stable. The Gutenberg address can change. The resolver bridges them.
Without the external resolver, your number is locked to the carrier that issued it — the way a URI is locked to the system that minted it, with no DNS or redirect to fall back on. A URL has DNS underneath it and 30x redirects above it, so it is only partially locked — the host can change, the old URL can forward to the new one. An email address is locked to the provider that issues it in the same fuller sense: move providers and the address itself stops working, unless you own the domain. With the external resolver, the semantic identity travels freely across Gutenberg infrastructure. You move to the next iceberg. The number comes with you.
The same pattern — semantic identity surviving Gutenberg transitions — played out across every media format of the last forty years. But here Moore’s Law was the engine, not legislation.
CD → MP3 → iPod → Spotify. The music (semantic layer) never changed. Bohemian Rhapsody is the same performance on vinyl, CD, MP3, and Spotify stream. What changed was the Gutenberg carrier — and Moore’s Law kept making each successive carrier cheaper, smaller, and faster until the previous one became unnecessary.
Each transition was a Gutenberg improvement crossing a threshold. The semantic layer (the music, the library, the taste) was portable across each transition because the format (MP3, AAC) was the external resolver — a stable encoding that any device could read, independent of the specific Gutenberg carrier it came from.
DVD → download → Netflix followed the same arc. Storage got cheap enough that downloading a film became practical. Then bandwidth got cheap enough that streaming became better than downloading. The film (semantic layer) never changed. The Gutenberg threshold kept moving.
Ten times as many songs needed a different interface. This is the insight Apple had that the record industry missed.
A CD collection of 500 albums was navigable by a human browsing a shelf. A digital library of 5,000 albums was not navigable by the same interface. The Gutenberg layer had changed (hard drives replaced shelves) but the semantic interface (browse, find, play) needed to change with it. The resolver between “I want to hear this” and “here is the audio” needed to be redesigned for the new scale.
iTunes and the iPod scroll wheel were that redesign. Not just a better CD player — a new resolver interface for a semantic layer that had scaled beyond what the old interface could handle.
Apple also forced the record industry to accept unit pricing per song and per album — a Use-Pull correction to the record industry’s Def-Push bundling model. The record industry had decided that the album was the semantic unit. Users had always known the song was. Apple made the resolver (iTunes Store) operate at the song level. The industry resisted and then accepted when the Use signal (sales) was unambiguous.
Then Spotify arrived with all-you-can-listen at the price of one album per month — the next threshold. When the Gutenberg layer (streaming infrastructure) became cheap enough, owning individual songs became unnecessary. The semantic layer (your taste, your library, your listening history) could travel without owning any Gutenberg artifacts at all.
Google did the same for the web. Ten times as many pages needed a different resolver. Yahoo’s directory was the right interface for thousands of pages. PageRank was the right resolver for billions. The web (semantic layer) stayed the same. The resolver had to scale.
Amazon did the same for retail and infrastructure. Prime abstracted the Gutenberg delivery cost behind a semantic membership. AWS abstracted the Gutenberg infrastructure (servers, networking, storage) behind semantic API calls. In both cases the resolver — the layer that maps semantic intent to Gutenberg execution — was redesigned for a scale the old model could not handle.
The phone number has one. The music file format was one. But many semantic identities are still locked to their Gutenberg carriers.
Your music library. Your Spotify playlist does not port to Apple Music. Your listening history, your liked songs, your curated playlists — all locked to Spotify’s infrastructure. The songs themselves are available on both platforms. The semantic layer (your relationship with the music, your taste as expressed in years of listening) has no external resolver. Switch platforms and start over.
Your bank account number. IBAN standardised the format. It did not deliver portability. Switch banks and your account number changes. Every direct debit, every salary payment, every standing order must be updated. The number portability model that transformed mobile telecoms has not been applied to retail banking — not for technical reasons but because the banking lobby has successfully resisted it.
Your social graph. Your followers on one platform do not follow you on another. The connections — the semantic layer of who knows you and who you follow — are locked to each platform’s infrastructure. ActivityPub is the attempt to build the external resolver for social identity, making the handle (@rinie@mastodon.social) portable across implementations. Adoption is growing but slowly.
Your game progress. Your save files may or may not survive a console generation. The semantic investment (the hours, the achievements, the story progress) has no guaranteed resolver across hardware transitions. Xbox backward compatibility is the closest thing to one.
In each case the pattern is the same. The Gutenberg layer keeps improving — better streaming, better hardware, better infrastructure. The semantic layer (your identity, your history, your relationships) wants to travel. The missing piece is the external resolver that separates the two.
Number portability did not arrive because carriers wanted it. It arrived because regulators mandated it — because the market would not deliver the external resolver voluntarily when carriers benefited from the coupling.
The general lesson: wherever the Gutenberg layer is improving but the semantic layer is locked to an old carrier, the missing piece is an external resolver. Sometimes the market builds it (iTunes, Spotify, AWS). Sometimes regulation mandates it (number portability, EU roaming). Sometimes it is still missing (bank account portability, social graph portability, music library portability).
Your next phone will be a different make on a different carrier. Your number will not change. That transition is seamless because someone built — and legislation mandated — the external resolver that made it possible.
The same transition should be seamless for your bank account, your music library, your social graph, and your game progress. The Gutenberg layer is already good enough. The resolver is what is missing.
This post is part of the Gutenberg/Semantic series. Related: Your Music Survived Six Formats on semantic identity versus Gutenberg carrier, Your Email Address Is Hostage on building your own resolver, and UUIDs Are Not Names on why the resolver must be external.
]]>Thirty-one days later the conversation has produced 30 posts, a working blog with automated daily publishing, a unified framework applied to everything from printing presses to packet headers, and a Claude Code incident that wrecked the blog and then became an example in one of the posts about why hiding the waterline makes you drown without knowing why.
This is the reflection post. Not a summary — the series exists for that. A reflection on what the process itself demonstrated about the framework it produced.
The Gutenberg/Semantic model did not arrive complete on day one. It grew through conversation, each post shaped by the feedback loop — what resonated, what needed more depth, what sparked a new connection nobody had seen coming.
The first post established the core distinction: a physical layer (bytes, blocks, pages, addresses) and a logical layer (characters, chapters, hostnames, meanings). The boundary between them — the waterline — is where the interesting things happen. The best systems keep it clean. The worst collapse it.
That was the seed. What grew from it surprised both of us.
By day ten we were applying the same framework to car infotainment systems and Nokia phones. By day fifteen to government services and Sunday shopping laws. By day twenty to Bluetooth pairing codes and RDF namespaces and why your smart bulb does not know your name. By day thirty to why SQL still wins after 25 years and why you should never deploy on Fridays.
The framework held across every domain because the underlying principle is consistent: the gap between what the physical layer does and what the logical layer means is where every interesting problem in computing lives — and the people who keep that gap clean, visible, and honestly maintained are the ones whose systems survive contact with time.
The sharpest one-sentence formulation of the whole series arrived near the end of the month, almost as an aside:
Def-Push is the weak link refusing to learn from user feedback. The architect’s ego over the usability.
The Def-Push tribe is not evil. They are people who stopped being weak links. They learned enough to build something and then confused having built it with having finished learning. The model became identity. Feedback became threat.
The weak link posture is the inversion. The architect who says “the query is fine, your data is wrong” stopped learning. The DBA who says “the query was right in 2019, the data grew, let me fix the waterline” stayed open to what the system is actually telling them.
The ego is not in the strength of the opinion. It is in the direction of the feedback loop. The arrogant architect hears “this is slow” and thinks “they are not using it correctly.” The weak link hears “this is slow” and thinks “what did I miss?”
The user does not hold it the wrong way. The architect who thinks they do has stopped learning.
This principle ran through every post in the series whether or not it was stated explicitly. The tribal Def defending MDI windows against the obvious Use signal of tabs. Nokia defending Symbian while the iPhone redefined what a phone could be. Python 3 breaking the ecosystem rather than shipping a better alternative and letting the old one fade. Google+ imposing a real names policy because the Def was so confident in itself it could not hear the Use signal until the product was already dead.
In each case smart people stopped being weak links. The model became identity. The framework became the thing being defended rather than the tool being used to serve users.
The series was produced through a specific workflow, and the workflow was itself a demonstration of the framework.
You uploaded files. I read them, generated outputs, and presented them for review. You reviewed, pushed, and the build confirmed or rejected. Small steps. Visible artifacts at every stage. Human in the loop at every boundary crossing — which in Gutenberg/Semantic terms means: the semantic layer (your judgment, your voice, your framework) stayed in control at every point where the Gutenberg layer (my outputs, the Jekyll build, the GitHub Actions workflow) was about to change something real.
Nothing was pushed without being reviewed. The waterline was always visible. The series improved because the feedback loop was open at every step.
The negative example arrived in the middle of the month when Claude Code — my autonomous coding cousin — was given access to the repo and promptly modified assets/main.scss, breaking the GitHub Pages build. It did not know the repo was hosted on GitHub Pages. It did not see the build fail. It pushed changes based on its own model of what a Jekyll repo should look like, without a feedback loop to correct it.
The blog went down. The fix was a git reset --hard to the last known good commit. The incident became a paragraph in the post about hiding the waterline — because Claude Code hid the waterline (made changes without making them visible for review) and produced exactly the failure mode the post predicted: drowning without knowing why.
The contrast between the two workflows is the Def-Push / Use-Pull distinction made operational. Claude Code is capable and fast. Used without the review step — without the visible waterline — it is Def-Push: confident, capable, and occasionally wrong in ways that take down production systems on a Saturday morning.
There is a quiet irony in the fact that the series about Gutenberg 2.1 — bytestream, UTF-8, git — was itself produced as a Gutenberg 2.1 artifact.
Every post is a Markdown file in a git repository. The content (semantic layer) is plain text, self-describing, readable in any editor, portable to any platform. The publishing infrastructure (Gutenberg layer) is Jekyll on GitHub Pages with a daily GitHub Actions workflow — replaceable, improvable, already replaceable if GitHub ever enshittifies to the point where moving becomes worthwhile.
The series will outlive this specific platform configuration. The Markdown files can be moved to any static site generator, any host, any reader. The content does not know where it lives. The Gutenberg layer is the carrier. The semantic layer — the framework, the arguments, the examples — travels with the files.
This is what Gutenberg 2.1 is for. Clone the repo. Run on any machine. Publish with any tool that reads Markdown. The waterline between the content and the platform is clean, visible, and deliberately maintained.
Thirty-one days of morning coffee produced a framework that:
fread() buffer sizes to government Sunday shopping lawsThe framework itself is not new in its components. The Gutenberg/Semantic distinction, the Def-Use split, the feedback loop, the tribal Def — these ideas exist in various forms across the literature. What is new is the synthesis: a single lens that applies consistently from compiler intermediate representations to Bluetooth pairing codes to music streaming to the question of whether to deploy on a Friday.
The synthesis was collaborative. You brought the framework and the range of domains. I brought the writing and the connections between posts. Neither of us could have produced it alone, which is itself a demonstration of the weak link principle: the best work happens when both sides of the collaboration stay open to what the other side knows.
The month is done. The framework is not finished.
The posts that follow will cover the external resolver as the mechanism of iceberg transitions, the enshittification of closed resolvers, and whatever morning coffee brings next. The framework keeps finding new places to apply because the underlying principle — keep the Gutenberg and Semantic layers clean and separately evolvable — is genuinely universal.
The weak link willing to learn does not declare the framework complete. They publish what they have, watch the Use signal, and update accordingly.
The user does not sux. The framework that stops listening to them does.
This post reflects on the Gutenberg/Semantic series — 30 posts published daily from May 14th to June 13th, with more to follow. The series began in a conversation that started with a question about ESLint and ended up somewhere much more interesting.
]]>