Security Wake-Up, MAUI on Linux/WASM, and Practical AI Agents

NEWSLETTER | Amplifi Labs
PSpice AES-256 Broken by Copy-Paste, Brute-Forced in Seconds
Around the web • March 19, 2026
Research reveals PSpice’s AES‑256 mode (ECB) mistakenly feeds an 8‑byte DES‑style key into the AES engine and zero‑pads the remaining 24 bytes, collapsing the effective keyspace from 2^256 to 2^32. With a fixed known‑plaintext header, the user key can be brute‑forced in seconds (AES‑NI/GPU) and the full vendor key recovered, compromising all associated encrypted models dating back to PSpice 16.6 (2014). The released SpiceCrypt tool automates key recovery and decryption across PSpice and LTspice formats, restoring interoperability but exposing serious IP‑protection gaps.
Applied AI: Agents, Voice, and UX Reality
NN/g Study: Users Skip Site AI Chatbots; Scope Narrowly, Surface Contextually
Nielsen Norman Group • March 20, 2026
Nielsen Norman Group’s qualitative study (9 users across 8 site chatbots, including Amazon Rufus, Turo, Home Depot, and Redfin) found most AI assistants are hard to notice, vague about capabilities, misaligned with user goals, and slower than established search/filters. Users default to search engines or general LLMs for research and visit retailer sites to buy, so salesy or “ask me anything” bots erode trust. Teams should target narrow, high-friction decisions (e.g., policy clarification, tailored comparisons), make bots context-aware and contextually discoverable, and clearly state what they can do.
Three-file Agent Kernel makes AI coding agents stateful via Git
Around the web • March 23, 2026
Agent Kernel is an MIT-licensed, framework-free pattern that gives any AI coding agent (OpenCode, Claude Code, Codex, Cursor, Windsurf) persistent memory using just three Markdown files in a Git repo. It defines two Git-tracked memory types—knowledge/ (current state) and notes/ (append-only session narrative)—and bootstraps behavior via standard instruction files (AGENTS.md, CLAUDE.md, .cursorrules) so agents can recall and build on past sessions without a database. Setup is a simple git clone and run, enabling reproducible, auditable agent workflows developers can version, diff, and share.
How to Build a RAG‑Backed Voice Receptionist with Vapi and MongoDB
Around the web • March 23, 2026
A developer built a production-ready AI phone receptionist for a mechanic shop using a RAG stack: Voyage AI embeddings with MongoDB Atlas Vector Search for retrieval and Anthropic Claude for grounded responses. The voice agent runs on Vapi (telephony with Deepgram STT and ElevenLabs TTS) behind a FastAPI webhook, adds conversation memory and call logging, and prioritizes a strict fallback-to-callback flow; careful voice selection and prompt tuning were key to natural delivery. Upcoming work includes calendar booking, SMS alerts, a management dashboard, security hardening, and deployment—useful patterns for anyone building business-specific voice agents.
Web Engineering & Open Web Patterns
Dropdowns in Scroll Containers: Overflow, Stacking Contexts, and Real Fixes
Smashing Magazine • March 20, 2026
A deep dive into why dropdowns inside scrollable containers get clipped, layer under other content, or drift—rooted in overflow clipping, stacking contexts, and containing blocks—explaining why z-index hacks often fail. The article outlines practical solutions with trade-offs: rendering via portals, careful use of fixed positioning, CSS Anchor Positioning (with the @oddbird polyfill for Firefox), leveraging the HTML Popover API for top-layer rendering, or restructuring the DOM. It closes with a decision guide and accessibility must-haves (ARIA, focus, keyboard), making the guidance directly actionable for complex tables and component libraries.
Choose Modals or Pages Wisely: A Developer's UX Decision Tree
Smashing Magazine • March 19, 2026
A practical decision tree explains when to use modals, nonmodal overlays/drawers, or full pages based on four criteria: context retention, task complexity/duration, need to reference the underlying screen, and choosing the least-blocking overlay. Use modals only for single, high-priority, self-contained actions (alerts, destructive confirmations) and prefer pages for complex or multi-step workflows. Favor nonmodal overlays or in-place editing for repeated tasks or whenever users must compare or copy/paste, and avoid auto-triggered, nested, onboarding/notification/error modals.
IndieWeb POSSE: Publish on Your Site, Reach Every Network
Around the web • March 23, 2026
IndieWeb’s POSSE model has you publish on your own domain first, then auto- or semi-automatically syndicate copies with permalinks to platforms like Twitter, Mastodon, Bluesky, Facebook, and Medium. This preserves content ownership and canonical URLs, improves discovery/SEO, and enables backfeed of reactions via Webmention/Bridgy. The guide outlines implementation flows (server-automated or client-assisted), UI considerations, and tooling across stacks—php-helpers, SiloRider, Feed2Toot, Ghost webhooks, Docker POSSE Party—plus platform specifics like Medium’s rel-canonical support and Twitter API constraints.
Developer Tools, Cross‑Platform, and Platform Gotchas
Avalonia brings .NET MAUI to Linux and WebAssembly (Preview 1)
Around the web • March 22, 2026
Avalonia released the first preview of its .NET MAUI backend alongside Avalonia 12 and .NET 11 previews, enabling MAUI apps to run on Linux and WebAssembly with a consistent, drawn UI. Getting started is minimal—add Avalonia.Controls.Maui.Desktop, target net11.0, and call UseAvaloniaApp—with many GraphicsView and SkiaSharp.Views.Maui-based controls working via handlers. The team validated ports of Control Gallery, WeatherTwentyOne, AlohaAI, and MyConference, and is building an Avalonia-based Maui.Essentials and WinUI interop, signaling a credible path to broader MAUI reach ahead of .NET 11 GA.
Bram Cohen unveils Manyana, a CRDT-powered vision for version control
Around the web • March 22, 2026
Bram Cohen released Manyana, a public‑domain 470‑line Python demo showing how CRDTs can underpin version control: merges always succeed, conflicts are presented as structured concurrent edits (not blockers), line ordering is deterministic, and file history lives in a single weave rather than being reconstructed from a DAG. He also proposes a rebase that preserves full history via a “primary ancestor” annotation to avoid 3‑way merge pitfalls; while not a full VCS, the design outlines a credible path to features like cherry‑pick and local undo that could reduce merge/rebase pain at scale.
psql Ctrl-C Still Plaintext, Allowing Replay DoS on Shared Networks
Around the web • March 20, 2026
Cancelling a query in psql opens a new connection and sends a CancelRequest identified by backend PID and secret key—still in plaintext—even when the main session uses TLS. While libpq added TLS support for cancellations in Postgres 17 and protocol v3.2 increases the secret key to up to 256 bytes, psql hasn’t adopted encrypted cancellation, enabling sniff-and-replay DoS against future queries on the same connection. Until psql encrypts this path, use Postgres 18 with min_protocol_version=3.2, prefer VPNs/avoid Ctrl-C in psql, verify drivers encrypt CancelRequests, and note proxies may need PID+key routing (as Elephantshark 0.3 implements) due to missing SNI.
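A detection sketch for the plaintext cancellation path described above, added here as an example (not code from the newsletter or the PostgreSQL project): it classifies the first client-to-server bytes of a connection and reports CancelRequest packets sent without TLS, for both the 4-byte key of protocol 3.0 and the longer keys of 3.2. The flow identifiers, sample bytes and function names are constructed for illustration; the secret key itself is never returned or logged.

```python
import struct

# Request codes from the PostgreSQL frontend/backend protocol.
CANCEL_REQUEST_CODE = 80877102   # (1234 << 16) | 5678
SSL_REQUEST_CODE = 80877103      # (1234 << 16) | 5679
GSSENC_REQUEST_CODE = 80877104   # (1234 << 16) | 5680

def classify_first_bytes(data: bytes) -> dict:
    """Classify the first client-to-server bytes of a PostgreSQL connection."""
    if data[:1] == b"\x16":                      # TLS handshake record (direct TLS)
        return {"kind": "tls-client-hello"}
    if len(data) < 8:
        return {"kind": "unknown"}
    length, code = struct.unpack("!II", data[:8])
    if code == SSL_REQUEST_CODE and length == 8:
        return {"kind": "ssl-request"}           # TLS is negotiated before anything else
    if code == GSSENC_REQUEST_CODE and length == 8:
        return {"kind": "gssenc-request"}
    if code == CANCEL_REQUEST_CODE:
        # Layout: length(4) + code(4) + backend PID(4) + secret key.
        # Key is 4 bytes in protocol 3.0 and 4..256 bytes in protocol 3.2.
        key_len = length - 12
        if not 4 <= key_len <= 256 or len(data) < length:
            return {"kind": "malformed-cancel"}
        (pid,) = struct.unpack("!I", data[8:12])
        return {"kind": "plaintext-cancel", "pid": pid, "key_len": key_len}
    if code >> 16 == 3:                          # StartupMessage, protocol 3.x, no TLS
        return {"kind": "plaintext-startup", "minor": code & 0xFFFF}
    return {"kind": "unknown"}

def find_plaintext_cancels(flows):
    """flows: iterable of (flow_id, first_client_bytes) taken from a capture."""
    alerts = []
    for flow_id, data in flows:
        info = classify_first_bytes(data)
        if info["kind"] == "plaintext-cancel":
            alerts.append((flow_id, info["pid"], info["key_len"]))
    return alerts

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    ("10.0.0.5:50112", struct.pack("!IIII", 16, CANCEL_REQUEST_CODE, 4242, 0x1A2B3C4D)),
    ("10.0.0.5:50113", struct.pack("!II", 8, SSL_REQUEST_CODE)),
    ("10.0.0.7:41200", struct.pack("!III", 44, CANCEL_REQUEST_CODE, 977) + bytes(range(32))),
    ("10.0.0.9:38844", b"\x16\x03\x01\x02\x00\x01"),
]

if __name__ == "__main__":
    for alert in find_plaintext_cancels(SAMPLE_FLOWS):
        print("plaintext CancelRequest: flow=%s pid=%d key_len=%d" % alert)
```

A client that encrypts cancellations shows up as `ssl-request` or `tls-client-hello` on its cancel connection, so any `plaintext-cancel` hit identifies a client or driver that still needs attention.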
