Drop #779 (2026-06-01): Monday Morning Grab Bag

Nordstjernen; The Attack On Competence; quien

New $WORK onboarding and new project immersion is slowing down to a more human pace and we’re done-done with fam holidays for a bit, so let’s try to get the Drops back into daily form.

Today we’ve got a real new browser alternative, a somewhat distressing piece on “AI”, and a new tool for your CLI toolbox.


TL;DR

(This is an LLM/GPT-generated summary of today’s Drop. Ollama and ibm/granite4.1:8b.)

  • Nordstjernen is a clean-room web browser written entirely in C that uses a no-JIT bytecode interpreter, extensive sandboxing, and strict privacy defaults to minimize attack surface (https://nordstjernen.org/)
  • Iris Meredith’s essay argues that competence requires knowledge, skill, and a genuine desire for good outcomes, asserting that LLMs are disrupting the existing equilibrium by allowing the investor class to substitute the appearance of competence for actual reality-checking expertise (https://deadsimpletech.com/blog/attack-on-competence)
  • quien is a Go-based CLI and TUI replacement for whois that provides structured domain intelligence across eight views—including RDAP, DNS, mail authentication, and TLS—with scriptable JSON output and layered protocol fallbacks (https://benword.com/quien-a-better-whois-and-domain-intelligence-toolkit)

Nordstjernen

Nordstjernen (GH) is an independent web browser written entirely in C, built in Norway by Andreas Røsdal. Current release is 0.8.1 (31 May 2026). It’s a clean-room rendering engine, meaning no Blink, no WebKit, no Gecko lineage. And, it is surprisingly robust at a mere ~50 kLOC.

The engine pieces are vendored in-tree, no submodules: lexbor for HTML5/CSS parsing and the WHATWG URL module, quickjs-ng for JavaScript, and Wuffs for memory-safe image decoding (PNG/GIF/BMP/JPEG/WebP-lossless). GTK 4 drives the UI, libcurl handles networking over HTTP/2. It claims about 76% coverage of the in-scope WHATWG HTML standard, measured against spec text section by section rather than against other browsers.

The central design choice is no JIT. QuickJS runs as a bytecode interpreter, so W^X (“write XOR execute” — a memory protection policy where any given page of memory can be writable or executable, but never both at once) holds process-wide. This means we trade JS throughput for a smaller, harder attack surface. On top of that: Landlock + seccomp sandbox, PIE (“Position-Independent Executable” — a binary compiled so its code can be loaded at any base address rather than a fixed one; the whole executable is built from position-independent code so the loader can drop it anywhere in the address space), full RELRO (“RELocation Read-Only” — a hardening technique that makes the ELF relocation/linking sections read-only after the dynamic linker has resolved them, so they can’t be overwritten at runtime), and Intel CET (“Control-flow Enforcement Technology” — a hardware feature that enforces control-flow integrity to defeat the most dominant techniques for hijacking execution once memory corruption is achieved).
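One way to check the W^X claim on a running Linux process is to audit its memory map. This is an added example, not code from Nordstjernen or the original post; the sample map, its addresses and the `/usr/bin/browser` path are constructed for illustration.

```python
import re

# Constructed /proc/<pid>/maps excerpt; addresses and paths are illustrative only.
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a2f000 r--p 00000000 fd:01 1311 /usr/bin/browser
55d0c8a2f000-55d0c8c10000 r-xp 0002f000 fd:01 1311 /usr/bin/browser
55d0c8e11000-55d0c8e20000 rw-p 00410000 fd:01 1311 /usr/bin/browser
55d0ca000000-55d0ca400000 rw-p 00000000 00:00 0    [heap]
7f3a10000000-7f3a10040000 rwxp 00000000 00:00 0
7f3a2c000000-7f3a2c1c0000 r-xp 00028000 fd:01 2207 /usr/lib/libc.so.6
7ffd5e2d0000-7ffd5e2f1000 rw-p 00000000 00:00 0    [stack]
"""
# Fields: start-end, perms, offset, dev, inode, optional backing path.
LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) \S+ \S+ \S+\s*(.*)$")

def wx_violations(maps_text):
    """Return mappings that break W^X: writable+executable, or an executable stack/heap."""
    findings = []
    for line in maps_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # skip blank or malformed lines
        start, end, perms, backing = m.groups()
        executable = "x" in perms
        if executable and "w" in perms:
            issue = "writable+executable"  # typical signature of a JIT code cache
        elif executable and backing in ("[stack]", "[heap]"):
            issue = "executable " + backing.strip("[]")
        else:
            continue
        findings.append({
            "start": start,
            "size": int(end, 16) - int(start, 16),
            "perms": perms,
            "backing": backing or "[anonymous]",
            "issue": issue,
        })
    return findings

def audit_pid(pid="self"):
    """Audit a live process on Linux (needs read access to /proc/<pid>/maps)."""
    with open(f"/proc/{pid}/maps") as fh:
        return wx_violations(fh.read())

if __name__ == "__main__":
    for f in wx_violations(SAMPLE_MAPS):
        print(f"{f['start']} {f['perms']} {f['size']:>8} bytes {f['backing']}: {f['issue']}")
```

A clean result is a snapshot: it shows no mapping was writable and executable at that instant, and a JIT that flips pages between the two states with mprotect would pass it as well.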

Privacy defaults are on out of the box — no telemetry of any kind, partitioned cookies, third-party cookies off, HSTS, CSP, mixed-content blocking.

Media is deliberately punted: it ships no codecs, hands <audio>/<video> off to an external player (mpv, VLC, etc.) via a broker process forked before the sandbox locks down, so the player runs unconfined while the browser stays confined. Streaming sites get the page URL handed to yt-dlp instead.

Builds exist for Windows, macOS, and Linux (Debian/Ubuntu/openSUSE/Alpine-musl), plus a Java embedding API targeting JDK 21 and an Android port in progress. License is the Nordstjernen Source License v1.0 — free to use/modify/redistribute except as a competing browser, converting to MIT ten years after each release.

It’s pre-1.0 and the maintainer is candid that nightlies are bleeding edge, but the combination of clean-room C, no-JIT-by-design, and sandbox-first packaging makes it worth a look if browser attack surface is your thing.

The section header is the browser rendering The Daily Drop


The Attack On Competence

Iris Meredith recently penned The attack on competence. While it may not be a longform piece, the argument it makes has stayed with me in a way that a lot of other longer blathering on this topic has not.

Her core assertion is to redefine competence. Not as knowledge plus skill (most folks stop there) but as knowledge plus skill plus wanting good outcomes badly enough to actually pursue them. That third element is the load-bearing piece. You can be technically capable and organizationally inert if you don’t have the desire part. The reason that definition matters is what she does with it next.

The investor class (her [accurate] term) maintains its legitimacy through an innovation narrative. LinkedIn posts, conference appearances, meetings about meetings about innovation. The words they speak in those contexts get treated as truth by the people around them. This is due to selection effects, partly because that’s how power works. Genuinely competent people are a problem for this arrangement, because they’re not just technically threatening. They bring competing value systems and they’re walking reality checks. They notice when the working software doesn’t work, when the vaccine trial data doesn’t support the conclusion, when the public service has quietly stopped being a service. That’s intolerable if your legitimacy depends on the innovation narrative holding.

So, for a time, there was an equilibrium of sorts. Truly competent people stayed at a distance from the investor class. Somewhat competent professionals did adequate maintenance work, and the system degraded slowly enough that it held together. While not ideal, it had been stable in the way that a lot of bad systems are stable: the people nominally in charge could sustain the illusion that things were working, and things were mostly working enough that the illusion wasn’t immediately falsifiable.

LLMs (or, rather, the way they’ve been shilled and brokered to us) broke that equilibrium. That’s the part of Meredith’s argument I find hardest to dismiss, because the mechanism she’s describing is pretty clearly visible if you’ve watched how these tools get deployed in organizations. The investor class has found something that produces the appearance of competence – the outputs look like what competent people make – without the associated inconvenience of competent people. No competing value systems. No reality checks. No one in the room who’ll say the working software doesn’t work.

Previous rounds of competence-devaluation happened into systems resilient enough to absorb the damage. Offshoring, automation waves, the MBA-ification of everything – all of those degraded things, but the underlying systems had enough slack to not fully break. Meredith’s concern, which I share, is that this round is different. Things are actually breaking now (i.e., software quality is genuinely worse, public institutions are genuinely hollower, scientific credibility is genuinely shakier), but the people who’d typically notice and care are being systematically excluded from the rooms where those conclusions could matter. The investor class thinks they’ve won (I kind of think they’re at least close to winning, too).

Iris doesn’t know what happens next, and to her credit she says so. Neither do I. But the scenario where this resolves cleanly – where the breaks become obvious enough and costly enough that the equilibrium re-establishes itself – requires the people with the leverage to notice to also have the desire to act on what they notice. That third element of competence. There’s not much evidence of it in the places that would need to exhibit it.

Again, please go read the piece. It’s short, and her voice is more compelling than my breakdown.


quien

We’ll make this quick due to my blathering in the mid-section.

quien (GH) is a Go CLI that replaces whois with a tabbed TUI covering eight views: WHOIS/RDAP, DNS, mail authentication (MX/SPF/DMARC/DKIM/BIMI), SSL/TLS, HTTP headers, SEO, tech stack detection, and IP intelligence. Worth trying immediately without installing: ssh quien.sh.

The protocol story is the interesting part. RDAP is the primary lookup path — structured JSON, automatic TLD bootstrap via an IANA referral map covering ~1,200+ TLDs — with plain WHOIS as a fallback only when RDAP has no coverage. IP lookups pull RDAP first, drop to BGP origin ASN/prefix when RDAP omits ASN data, and layer in PeeringDB enrichment for peering policy and traffic profile. That layered fallback chain is what whois always should have been.

JSON subcommands (quien whois, quien dns, quien mail, quien tls, quien http, quien seo, quien stack, quien all) make it scriptable without the TUI overhead. The SPF renderer itself is pretty spiffy as it expands the full include/redirect tree and counts DNS lookups against the RFC 7208 ten-lookup limit, which is the thing most folks get wrong when performing the checks manually. DKIM probes a common-selector list by default, extendable via --dkim-selector or QUIEN_DKIM_SELECTORS. alias whois=quien is probably the right call.
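The lookup count is easy to get wrong by hand because the budget is spent across the whole include/redirect tree, not just the top-level record. The sketch below is an added example, not quien's code: it walks a constructed in-memory zone (all domain names are made up), ignores SPF macros, and counts the worst case where no mechanism matches early.

```python
import re

# Constructed sample zone (domain -> SPF TXT record); every name here is illustrative.
ZONE = {
    "shop.example": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ?all",
    "_a.mailer.example": "v=spf1 ip4:192.0.2.0/24 a:out.mailer.example ~all",
    "_b.mailer.example": "v=spf1 ip6:2001:db8::/32 exists:%{i}.rbl.mailer.example ~all",
    "_spf.crm.example": "v=spf1 a mx ptr redirect=_spf.helpdesk.example",
    "_spf.helpdesk.example": "v=spf1 ip4:198.51.100.0/24 mx -all",
}
LIMIT = 10                                  # RFC 7208 section 4.6.4
QUERYING = {"a", "mx", "ptr", "exists"}     # mechanisms that cost one DNS lookup each
TERM = re.compile(r"[+\-~?]?([a-z][a-z0-9_.-]*)(?:([:=])([^/\s]+))?", re.I)

def spf_lookups(domain, resolve, path=()):
    """Return (count, tree) for the fully expanded record, worst case (no early match)."""
    if domain in path:
        raise ValueError(f"include/redirect loop via {domain}")
    record = resolve(domain)
    if not record or record.lower().split()[:1] != ["v=spf1"]:
        raise LookupError(f"no SPF record at {domain}")
    indent = "  " * len(path)
    count, tree = 0, [f"{indent}{domain}"]
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            continue                        # unparseable term: not counted here
        name, sep, arg = m.group(1).lower(), m.group(2), m.group(3)
        if name in QUERYING:
            count += 1
            tree.append(f"{indent}  {term}  (+1)")
        elif (name, sep) in (("include", ":"), ("redirect", "=")):
            sub_count, sub_tree = spf_lookups(arg.lower(), resolve, path + (domain,))
            count += 1 + sub_count          # the term itself, plus everything beneath it
            tree.extend(sub_tree)
        # all, ip4, ip6 and exp= cause no lookup during evaluation and are not counted
    return count, tree

def audit(domain, resolve=ZONE.get):
    """Summarise a domain's SPF lookup budget; resolve() maps a name to its TXT record."""
    count, tree = spf_lookups(domain, resolve)
    verdict = "permerror" if count > LIMIT else "ok"
    return {"domain": domain, "lookups": count, "verdict": verdict, "tree": tree}

if __name__ == "__main__":
    report = audit("shop.example")
    print("\n".join(report["tree"]))
    print(f"{report['lookups']}/{LIMIT} lookups -> {report['verdict']}")
```

The top-level record for shop.example carries only three querying terms, yet the expanded tree costs twelve, which is why receivers would return permerror for it.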

The section header is quien run on dailydrop.hrbrmstr.dev, and this tool should 100% be in your daily drivers.


FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on:

  • Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev
  • Bluesky via <https://bsky.app/profile/dailydrop.hrbrmstr.dev.web.brid.gy>

☮️
