DHH's decision to move Basecamp and HEY out of the public cloud sparked intense debate in the tech community. Still, as someone who interviewed him back in 2008 (which ended with us literally running from Chicago police over a filming permit), I respect his position: real numbers and real success back his argument. For mature applications with predictable loads and strong ops talent, owning infrastructure can absolutely make economic sense. But there's a lot more to this calculation than hardware versus EC2 pricing.

The public cloud bill that feels punishing is actually a feature you need to exploit. It forces immediate architectural decisions—why store 3 years of debug logs? Why run dev environments 24/7? That monthly invoice is a diagnostic tool that keeps waste visible. In private infrastructure, that pressure evaporates. Spend becomes sunk CapEx that feels "free" until you run out of capacity— and then you can't just spin up new instances.

Security is where the conversation gets serious. Hyperscalers handle thousands of quiet tasks—microcode patches, live VM migrations off suspect hosts, hardware attestation, cross-region controls. With vulnerabilities like TEE.fail affecting trusted execution environments across AMD, Intel, and Nvidia, you need an information security team plugged into a much larger community of experts. Your colo facility won't have hundreds of people thinking about physical security, side-channel attacks, and supply chain risks.

Then there's risk transfer. I learned this firsthand when lightning struck my search engine business in 1997, destroying both the central systems and the backups. Since then, I've seen unpredictable events in every role—multiple disk failures, backhoes cutting fiber, supply chain shocks that made SSDs scarce for months. Remember the Chelyabinsk meteor in 2013 that caused widespread infrastructure damage? Black Swan events happen on decade timelines, and one event can nullify years of savings.

We also cover today's tech news: NPM's "PhantomRaven" attack targeting AI-suggested packages, UV's promise to unify Python tooling with Rust-powered speed, and why 987654321/123456789 equals almost exactly 8.

• Why We're Leaving the Cloud - DHH
• TEE.fail Vulnerability Disclosure
• Chelyabinsk Meteor Event Documentation

• NPM flooded with malicious packages downloaded more than 86,000 times
• PhantomRaven NPM malware analysis by Koi
• UV is the best thing to happen to the Python ecosystem in a decade
• UV GitHub Repository
• UV Official Documentation
• 987654321 / 123456789
• Character.AI to Bar Children Under 18 From Using Its Chatbots
• GM Will Cut 1,750 Jobs in Electric Vehicle Business
• Microsoft Increases Investments Amid A.I. Race
• Alphabet Revenue Jumps 16% With Strong Cloud Sales

In the main segment, Tim unpacks the deceptive nature of utilization reports that FinOps teams rely on to identify "waste" in infrastructure. While industry statistics show servers running at shockingly low utilization rates—often 12-50%—Tim argues that acting on these numbers without context is like "performing surgery with a chainsaw." He explores how CPU utilization percentages are fundamentally misleading with modern processors, why databases legitimately need low utilization for disaster recovery and peak loads, and how operational realities like global teams, inherited systems, and technical debt create legitimate reasons for apparent over-provisioning.

The news segment covers significant security and policy developments: researchers demonstrate TEE.fail, a new physical attack that defeats trusted execution environments from Nvidia, AMD, and Intel using under $1,000 in equipment. The Python Software Foundation rejected a $1.5 million NSF security grant rather than comply with new anti-DEI requirements, highlighting how political decisions now directly affect open-source development. Plus coverage of Nvidia hitting a $5 trillion valuation, Amazon's 14,000-person layoffs targeting multiple departments, and analysis of OneUptime's bare-metal migration claiming $1.2M in annual savings.

Tim emphasizes that good FinOps requires understanding the full picture—technical constraints, business requirements, and human factors—rather than simply optimizing utilization metrics. The episode concludes that sustainable cost management comes from partnering with teams and recognizing that some "inefficiency" is actually necessary insurance for reliable operations.

• Tim O'Brien: "FinOps and Utilization Reports: It's More Complicated Than That"
• Brendan Gregg: "CPU Utilization is Wrong"
• Brendan Gregg: Systems Performance Book
• Brendan Gregg: The USE Method
• Gartner: "How to Make the Data Center Eco-Friendly"
• Uptime Institute: Enterprise data center utilization studies
• WifiTalents: Server Statistics and Industry Reports
• David Kopp: Server Utilization Research Notes

• FinOps: AWS to Bare Metal Two Years Later
• Security: New physical attacks are quickly diluting secure enclave defenses from Nvidia, AMD, and Intel
• Programming: Python plan to boost software security foiled by Trump admin's anti-DEI rules
• Weird: Man accidentally gets a leech up his nose. It took 20 days to figure it out.
• Nvidia hits record $5 trillion mark as CEO dismisses AI bubble concerns
• Amazon plans to lay off approximately 14,000 employees

In the main segment, we unpack “The Humble Programmer” (1972) and why it still reads like a briefing for 2025. Dijkstra’s claim that “programming will remain very difficult” lands squarely in the age of AI code generation: as tools remove circumstantial cumbersomeness, our ambitions expand and the problems get harder. We connect his call to “prepare ourselves for the shock” with today’s anxieties about what changes (tooling, surface syntax) versus what persists (the intellectual work of modeling complex systems, making tradeoffs, and ensuring software actually works).

We also look at the economic and perception cycles Dijkstra flagged—how developers oscillate between being overpraised and undervalued—and argue for humility plus discipline over curmudgeonly fatalism. The takeaway: better tools don’t trivialize programming; they raise the ceiling on what we attempt.

Then in the news roundup: (1) Chrome will warn by default on first‑time HTTP navigations, effectively finishing the move to HTTPS‑everywhere; (2) Apache Fory Rust promises zero‑copy, cross‑language, high‑throughput serialization; and (3) Samsung makes idle‑screen ads official on high‑end smart fridges.

• Original blog post: 53 Years Later, The Humble Programmer Still Explains Our Existential Panic
• E. W. Dijkstra — The Humble Programmer (EWD340), PDF
• E. W. Dijkstra — The Humble Programmer (EWD340), HTML transcription
• Edsger W. Dijkstra — Wikipedia
• “Go To Statement Considered Harmful” — DOI
• Dijkstra's algorithm — Wikipedia
• Structured programming — Wikipedia
• ALGOL — Wikipedia
• Fortran — Wikipedia
• Lisp (programming language) — Wikipedia

• Chrome to warn on unencrypted HTTP by default
• Introducing Apache Fory Rust: A Versatile Serialization Framework for the Modern Age
• Samsung makes ads on $3,499 smart fridges official