The Lookout


The war in the Middle East took a dangerous turn on Saturday night. Iranian missiles struck the southern Israeli cities of Dimona and Arad — the first time Iranian warheads have penetrated Israel's air defences in the area surrounding the Negev nuclear research centre. Dimona sits twenty kilometres from the facility; Arad about thirty-five. Israel's military admitted it could not intercept the incoming missiles. Iran's parliament speaker immediately noted the operational significance: if Israel cannot protect its most heavily defended airspace, the dynamic of the conflict has shifted. At least sixty-four people were taken to hospital from Arad alone, where ten apartment buildings were hit and three are in danger of collapse. The IAEA reported no damage to the nuclear site itself and no abnormal radiation, but the proximity is the point.

Separately, Iran fired two ballistic missiles at Diego Garcia, the joint UK-US military base in the Indian Ocean, roughly four thousand kilometres from Iranian territory. That range either implies missiles capable of travelling further than Western intelligence previously acknowledged, or an improvised use of Iran's space programme for weapons delivery. Either way, it rewrites assumptions about what Iran can reach. The UK had allowed the United States to use its bases for strikes on Iranian missile sites, and Iran's foreign minister had explicitly warned that British lives were now in danger.

This comes on day twenty-two of the conflict. The death toll in Iran has reached 1,444 including at least 204 children. Iran has launched seventy waves of retaliatory attacks. The Gulf is on fire in a way it has not been in living memory: Bahrain has intercepted 143 missiles and 242 drones since February 28. Saudi Arabia shot down 47 drones in a single day, including a concentrated barrage of 38 within three hours. Iranian drones hit Kuwait's Mina al-Ahmadi refinery — one of the Middle East's largest, processing 730,000 barrels a day — sparking fires. Iran has threatened "crushing blows" against the UAE port city of Ras al-Khaimah. Kuwait's defence ministry announced it is actively dealing with hostile attacks. Every major Gulf state is now under direct Iranian fire.

Trump responded with his most specific threat yet: a forty-eight-hour ultimatum for Iran to fully reopen the Strait of Hormuz or face the destruction of Iranian power plants, "starting with the biggest one first." He issued this from his Florida home via social media. The contradiction in American messaging is becoming untenable — the administration simultaneously hints at "winding down" the conflict while deploying 2,200 additional Marines and threatening to obliterate civilian infrastructure. A ceasefire has been explicitly ruled out. Iran's President Pezeshkian called for an "immediate cessation" of what he described as US-Israeli aggression. Israel's army chief said the war is not close to ending.

Meanwhile, Trump is also quietly negotiating with Cuba. USA Today reported the administration is preparing an economic deal that would relax trade restrictions but include an "off-ramp" for President Díaz-Canel — essentially regime change dressed as commerce. Cuba immediately rejected any negotiation over its president's term. The island's power grid has been collapsing under a US oil blockade, and The Economist described Cuba's economy as being entirely at Trump's mercy. Rubio declined to discuss easing the embargo, noting only that it is codified in law. The pattern is familiar: economic pressure applied until a country's infrastructure fails, then the offer of relief in exchange for political concessions.

Robert Mueller died on Friday at eighty-one. He served as FBI director under both Bush and Obama, then as the special counsel who documented Russian interference in the 2016 election and its contacts with Trump's campaign. His investigation resulted in thirty-four indictments, seven guilty pleas, and a 448-page report that detailed extensive Russian operations but stopped short of charging a sitting president with obstruction. Mueller believed the Office of Legal Counsel's opinion prevented indictment of a sitting president, and he left the question to Congress. Congress did nothing. Trump, within minutes of the news, posted that he was "glad he's dead." Whatever one thinks of the investigation's conclusions, the response says more about the respondent than the deceased.

In software security, the Trivy supply chain compromise returned for a second round. On March 19, a threat actor used credentials retained from an incomplete rotation after the first breach in late February to publish a malicious Trivy v0.69.4 release, force-push seventy-six of seventy-seven version tags in trivy-action so that they pointed at credential-stealing code, and replace all seven tags in setup-trivy. The payload is thorough: it dumps the memory of the Runner.Worker process via /proc/<pid>/mem (the runner process holds the job's secrets in memory), sweeps over fifty filesystem paths for SSH keys, cloud credentials, Kubernetes tokens, database passwords and cryptocurrency wallets, encrypts the haul with AES-256-CBC under a session key wrapped with RSA-4096, and exfiltrates it to attacker infrastructure. The fallback is grimly creative: if exfiltration fails and a GitHub personal access token is available, the malware creates a public repository on the victim's own account and uploads the stolen data as a release asset. The exposure window ranged from three to twelve hours depending on the component. The root cause was that credential rotation after the first breach was not atomic: not all secrets were revoked simultaneously, and the attacker captured newly rotated credentials during the rollover. Two lessons follow. Incident response has to assume the attacker is watching the recovery, so every secret is revoked in a single pass and the rotation is performed from an environment the attacker is not already inside. And a version tag is a mutable pointer: a workflow that references trivy-action@0.x.y follows the tag wherever it is force-pushed, whereas a reference pinned to a full forty-character commit SHA does not.
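The check a practitioner would want after reading the above is an audit of which action references in a workflow are mutable tags and whether any of those tags have moved since they were last reviewed. The following script is an added example, not code from the Trivy project or from the original briefing. It assumes that `uses:` lines are the only action references that matter, that a "lockfile" of tag-to-SHA mappings was recorded at review time, and that a resolver callable reports what each tag points at now; the workflow text, the recorded SHAs and the snapshot of current tag targets are all constructed for the example (the SHA values are placeholders, not real commits).

```python
"""Audit a GitHub Actions workflow for mutable action references and moved tags.

Added example (not Trivy's or the briefing's code). The sample workflow,
the recorded 'lockfile' and the tag snapshot below are constructed.
"""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Matches `uses: owner/repo[/path]@ref`, with or without a list dash or quotes.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s'\"#]+)"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow: one SHA-pinned step (placeholder SHA) and two tag-pinned steps.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/setup-trivy@v0.2.2
"""

# Constructed 'lockfile': the commit each tag pointed at when the workflow was reviewed.
KNOWN_GOOD: Dict[str, str] = {
    "aquasecurity/trivy-action@0.28.0": "a" * 40,
    "aquasecurity/setup-trivy@v0.2.2": "b" * 40,
}

# Constructed snapshot standing in for live `git ls-remote` results: one tag was force-pushed.
CURRENT_TAGS: Dict[Tuple[str, str], str] = {
    ("aquasecurity/trivy-action", "0.28.0"): "c" * 40,  # moved since review
    ("aquasecurity/setup-trivy", "v0.2.2"): "b" * 40,   # unchanged
}


def parse_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs for every `uses:` line in the workflow."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append((m.group("action"), m.group("ref")))
    return refs


def repo_of(action: str) -> str:
    """Strip any sub-path: 'owner/repo/sub/dir' -> 'owner/repo'."""
    owner, repo = action.split("/")[:2]
    return f"{owner}/{repo}"


def is_sha_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable; tags and branches are not."""
    return bool(SHA_RE.match(ref))


def resolve_from_snapshot(repo: str, ref: str) -> str:
    """Resolver backed by the constructed snapshot (used by the demo and test)."""
    return CURRENT_TAGS.get((repo, ref), "")


def resolve_with_git(repo: str, ref: str) -> str:
    """Live resolver: ask the remote what the tag points at (needs network and git).

    Annotated tags list twice; the `^{}` line is the peeled commit, so prefer it.
    """
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}", ref],
        capture_output=True, text=True, check=True,
    ).stdout
    sha = ""
    for line in out.splitlines():
        commit, name = line.split("\t", 1)
        if name.endswith("^{}"):
            return commit
        sha = sha or commit
    return sha


def audit(workflow_text: str, lock: Dict[str, str],
          resolve: Callable[[str, str], str]) -> List[str]:
    """Report every mutable reference, flagging tags that no longer match the lockfile."""
    findings = []
    for action, ref in parse_uses(workflow_text):
        if is_sha_pinned(ref):
            continue
        repo = repo_of(action)
        current = resolve(repo, ref)
        expected = lock.get(f"{repo}@{ref}")
        if expected is None:
            findings.append(f"UNPINNED {action}@{ref}: no recorded SHA (resolves to {current})")
        elif current != expected:
            findings.append(f"TAG MOVED {action}@{ref}: recorded {expected[:12]}, now {current[:12]}")
        else:
            findings.append(f"MUTABLE {action}@{ref}: unchanged, but pin it to {expected}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW, KNOWN_GOOD, resolve_from_snapshot):
        print(finding)
```

Swapping resolve_from_snapshot for resolve_with_git turns this into a real drift check; run it in CI before the workflow's other steps and fail the job on any TAG MOVED finding. The lockfile is the important part: without a record of what each tag meant when it was reviewed, a force-pushed tag is indistinguishable from a legitimate release.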

Armin Ronacher, creator of Flask, Jinja and more recently rye, published an essay called "Some Things Just Take Time" that hit 525 points on Hacker News with 179 comments. The piece is quietly devastating. His argument is that the AI-accelerated pace of software development is producing what he calls "vibe slop at inference speeds": code that ships fast but carries no commitment. YC companies from last year's batches disappeared without even telling their customers. Open source projects accumulate commits for a week and vanish. The friction we are trying to automate away (reviews, compliance, cooling-off periods) exists precisely because trust requires time. "Nobody is going to mass-produce a 50-year-old oak," he writes. "And nobody is going to conjure trust, or quality, or community out of a weekend sprint." He has been maintaining open source projects for close to two decades, and he spent ten years at the last startup he worked for. That track record is itself the argument. The essay comes at a moment when the industry is simultaneously celebrating velocity and watching its consequences, the Trivy breach above being a case in point: the speed of CI/CD propagation turned a credential lapse into a mass compromise within hours.

A related story: Dyne.org published "Do Not Turn Child Protection Into Internet Access Control," which earned 505 points and 263 comments. The argument is structural. Age verification started as a narrow mechanism for adult websites. It is now expanding into social media, messaging, gaming, and search engines across Europe, the US, the UK, and Australia. But the technical architecture required for age assurance — particularly proposals that embed it at the operating system level — transforms the default condition of the internet from open access to permissioned access. In some US proposals, age status becomes a persistent layer maintained by the OS and exposed to applications through a system-level interface. Even systemd has reportedly added an optional birthDate field to userdb in response to age assurance laws. The author draws a distinction between content moderation, which is technical and algorithmic, and guardianship, which is relational, local, and contextual. Collapsing the two means building surveillance infrastructure and calling it childcare. The 263 comments suggest this one struck a nerve.

Tinybox from George Hotz's tiny corp is having a moment on Hacker News — 338 points, 194 comments. The pitch is an offline AI device capable of running 120-billion-parameter models locally. The red v2 ships with four AMD 9070XT GPUs and 64GB of GPU RAM for 778 TFLOPS. The green v2 uses four RTX PRO 6000 Blackwell cards with 384GB of GPU RAM and 3,086 TFLOPS. And then there is the exabox — 720 RDNA5 GPUs, 25,920GB of GPU RAM, roughly one exaflop, which is the kind of spec sheet that reads like science fiction until you remember that the entire argument for local AI inference is that depending on a handful of companies for access to intelligence is a single point of failure. The HN discussion splits predictably between people excited about decentralised AI and people doing the maths on electrical circuits.

On the Bitcoin protocol side, Ethan Heilman contributed a fascinating technical analysis on the bitcoin-dev mailing list about "wrapped Taproot" via RIPEMD-160 collisions. The thread started with a proposal for Pay-to-Schnorr-Key-Hash (P2SKH) and evolved into a discussion of whether P2SH RIPEMD-160 collisions could create a poor man's Taproot: Alice and Bob each prepare different scripts that hash to the same P2SH address, enabling multi-path spending from a single address without MAST. Heilman's analysis puts the cost at approximately 2^81 hash queries with realistic memory assumptions of about 4,096 one-terabyte drives, or between $100,000 and $2 million in electricity using purpose-built ASICs. That is expensive but not impossible, especially for high-value use cases. The bottleneck is the 160-bit output of HASH160 (RIPEMD-160 applied to SHA-256), so the 256-bit inner hash adds nothing to the collision resistance of a P2SH address. The work connects back to the ColliderScript paper from 2024 on covenants via 160-bit hash collisions, and it raises practical questions about the long-term security margins of 160-bit hashes in Bitcoin's address scheme.
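To see where a figure of that size comes from, here is the generic birthday bound for a 160-bit hash, added as a worked calculation rather than a reproduction of Heilman's analysis; the memory and ASIC costing in the thread is not reconstructed here.

For an $n$-bit hash evaluated on $q$ distinct inputs there are $\binom{q}{2}$ pairs and each pair collides with probability $2^{-n}$, so

$$\Pr[\text{collision}] \approx 1 - \exp\!\left(-\frac{q^2}{2^{n+1}}\right).$$

Setting this to $1/2$ and solving for $q$ gives

$$q \approx \sqrt{2\ln 2}\cdot 2^{n/2} \approx 1.18 \cdot 2^{80} \approx 2^{80.2} \qquad (n = 160).$$

P2SH commits to $\mathrm{HASH160}(s) = \mathrm{RIPEMD160}(\mathrm{SHA256}(s))$, so $n = 160$ whatever the inner hash. In the wrapped-Taproot setting the colliding pair must be one script Alice accepts and one script Bob accepts, not any two scripts. If each party generates its own family of candidates (say $q/2$ each, varying a harmless nonce push), the expected number of cross collisions is

$$\frac{(q/2)^2}{2^{n}} = \frac{q^2}{2^{162}},$$

which reaches one expected collision at $q \approx 2^{81}$ total hash evaluations, consistent with the figure quoted above. A memory-limited parallel collision search (the van Oorschot-Wiener distinguished-point method) attains this bound up to a small constant factor while storing far fewer than $q$ outputs, which is why the attack can be costed in drives and electricity rather than dismissed as infeasible.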

On Delving Bitcoin, a new proposal called Eddy introduces free cooperative circular rebalancing for Lightning channels — a coordination mechanism where nodes collectively identify circular payment paths and rebalance liquidity without paying routing fees. Separately, the Compact Isogeny PQC thread continued exploring whether isogeny-based post-quantum cryptography can replace HD wallets, key-tweaking, and silent payments — an ambitious proposal to rebuild Bitcoin's key derivation foundations for a post-quantum world. And Anthony Towns' PR #34628 on Bitcoin Core proposes replacing per-peer transaction rate-limiting with global rate limits, a meaningful architectural change to how the P2P network handles transaction propagation under load.

Block height 941,641. Fees at one sat per vbyte. The mempool remains empty. Bitcoin at $69,079.

