Sources & Bibliography

Article about Andy George's sandwich experiment.

Coverage of Andy George's experiment.

Interview with Andy George about the sandwich experiment.

Report on mobile component market.

Article describing supply chains in semiconductor industry.

Quarterly report on global smartphone application processor market share.

Review of research on dependency solvers, comparison matrix of package managers, and discussion of CUDF.

Recent paper (February 2026) formalizing dependency resolution semantics as Package Calculus, showing the problem is NP-complete.

Continuation of the above work, more practical, explains differences across ecosystems.

The only canonical source for SemVer. Written by GitHub co-founder. Short, precise, with examples.

How npm interprets SemVer in practice (tilde ~, caret ^).

Author runs ecosyste.ms and libraries.io. Catalogued resolver algorithms (SAT, PubGrub, ASP, backtracking) with concrete implementations per package manager. Best available synthesis for technical readers.

Best popular technical text on the topic. Clear typology of dependency circles with technical examples. Written by a Google/Kubernetes engineer.

Short, precise definition from the person who brought these concepts to the mainstream. Co-creator of Continuous Delivery (Humble & Farley, 2010).

Most widely cited practical guide to distinguishing the three phases. Clear, with diagram. Used as a reference standard by most teams.

Good definition from one of the most popular CI/CD platforms. Clearly distinguishes continuous deployment (automatic) from continuous delivery (can be deployed).

Technical blog with personal response from Martin Fowler in comments. Best practical text focused solely on distinguishing the three phases.

Official npm post-mortem. Contains timeline, decision about 'un-unpublishing,' and Laurie Voss quote: 'Un-un-publishing is an unprecedented action.' Ground truth for the entire incident.

Author's own statement. Indirectly quoted in most articles, important for understanding his motivation.

Live coverage from the day of the incident. Contains left-pad source code, Laurie Voss quote, and data: 'Left-pad was fetched 2,486,696 times in just the last month.' Solid primary press source.

Precise confirmation: Babel, Atom, Ember, React Native as affected projects. Good technical synthesis from the next day.

Most analytical of the hot-take texts. Confirms React.js, Babel, and Ember.js as affected frameworks. Important observation: 'no major interruptions appear to have hit live services' — builds failed but end users mostly noticed nothing.

Engineer writing on the day of the incident. Contains direct reference to React: 'Just ask the React team how well their week has been going.' Good as a quotable community voice.

Confirms Facebook, Netflix, Spotify via Babel and React. Quotes npm CEO Isaac Schlueter from Ars Technica.

Wikipedia article describing the incident. Contains source code — note that including empty lines the package had 17 lines, which some articles referenced.

Article published June 11, 2025, shedding different light on the event by revealing that the script to delete all packages was provided to the author by npm.

Official entry in US government's National Vulnerability Database. CVSS 10.0, technical description, list of affected versions (2.0-beta9 to 2.14.1), patch links. Canonical source for any CVE citation.

The original post-mortem — LunaSec coined the name 'Log4Shell' and was first to publish detailed technical analysis. Updated over several weeks as subsequent CVEs were discovered. Cited by CISA, Apache, and practically everyone else.

Note: At time of compilation, lunasec.io domain is inactive (DNS issue). Blog sources are available on GitHub. Linked file is source in MDX format, fully readable but note this is not the actual published page.

Fun fact: blog uses roughly the same tech stack as the bibliography you're reading now. Except this site's repo is not public.

Official US Cybersecurity and Infrastructure Security Agency page with Emergency Directive 22-02, links to all CVEs, and guidance for federal agencies. Good as institutional source.

Solid analysis for non-specialists by Lawfare (Harvard Law / Brookings). Describes Minecraft as the starting point, critical infrastructure impacts, and SBOM implications. Good for broader context.

Coverage from disclosure day, includes quote from expert Marcus Hutchins about the Minecraft exploit. Good as mainstream confirmation of scale.

Official Japanese source — Nippon.com is funded by Japan Foundation. Description of the technique, its applications, and spread beyond Japan.

Article from Australian aviation authority CASA. Good context for application of the technique beyond railways, includes bibliography with original scientific sources (Railway Technical Research Institute 1994).

Technically most accurate non-academic description of history: Mocha → LiveScript → JavaScript, role of Netscape/Sun agreement, quotes Brendan Eich. Often linked as canonical source.

For the naming footnote, sufficient as additional confirmation — contains quote from Eich himself who called the name change 'a marketing ploy by Netscape.'

Canonical government entry. CVSS 10.0, technical description, list of affected versions.

Official post from React team (Meta). Contains disclosure timeline, list of affected packages and frameworks, patching instructions, and — notably — list of all follow-up CVEs updated through January 26, 2026. Best single source for the entire saga.

Official React team post listing all follow-ups: CVE-2025-55183, CVE-2025-55184, CVE-2025-67779 (December), CVE-2026-23864 (January). Also includes a quote that could be used in the book: 'This pattern shows up across the industry, not just in JavaScript. For example, after Log4Shell, additional CVEs were reported as the community probed the original fix.'

Primary source for Jackpot Panda and Earth Lamia. Report from MadPot honeypot infrastructure. One of the best intelligence documents on who exploited and how.

Wiz researchers published the first PoC and had the earliest cloud exploitation telemetry. Contains data: 39% of cloud environments with vulnerable versions, confirmation of AWS credential harvesting.

Original discoverers' report — Sansec was the first company to publish attack details. Contains timeline, sample malicious script code, list of affected domains, and updates from subsequent days (Namecheap domain suspension, Cloudflare response). Only first-order canonical source for the entire story.

First extensive press coverage from disclosure day. Contains Google's communication to advertisers, Andrew Betts quotes, and attack mechanism details. BleepingComputer was the first medium to cover Sansec's report — hence the DDoS on their infrastructure in response.

Good article with broader perspective — describes scale after a week, Funnull's restart attempt under polyfill.com domain (also taken down by Namecheap), and long-term implications. Good as supplement to live coverage.

Source for the 384,773 hosts number. Also includes scan of alternative domains taken over by the same operator, historical DNS records, and list of affected platforms (Hulu, Mercedes-Benz, WarnerBros). Only credible source for this specific number.

Most widely cited medium covering Hudson Rock findings. Contains summary of forensic evidence (credentials from LummaC2 infostealer, domain configuration conversations), operation goal (cryptocurrency laundering via Suncity Group gambling network), and attribution certainty caveats. Well-balanced between 'this is strong evidence' and 'this is one research firm.'

Original and only canonical source — Birsan himself describes methodology, timeline, code examples, list of vulnerable companies, and technical details. Everything else is secondary to this text.

Solid press coverage from publication day. Quotes Birsan directly, describes Microsoft's response (whitepaper, CVE-2021-24105), and remediation recommendations. Good institutional context.

Technical and published simultaneously with Birsan's report — Sonatype as a supply chain security company had ready analysis on publication day. Best text for readers wanting to understand the mechanism without reading the Medium post.

Most detailed breakdown of payouts: Microsoft $40,000 (program record), Shopify $30,000, Apple $30,000, PayPal $30,000, total over $130,000. Also quotes Apple confirmation that RCE on servers would have been possible. Good as verifiable source for specific numbers.

Official ACS landmark document. Confirms 1929 publication, the decade of stagnation, the role of Florey and Chain, and mass production during WWII.

Primary academic source for the Cleveland ironworks case. Documents the open exchange of blast furnace performance data between 1850 and 1875. Vol. 4, pp. 1–24.

Primary source for the Cornwall case. Documents the practice of publishing pump efficiency data in Lean's Engine Reporter rather than seeking patent protection. Vol. 28, pp. 347–363.

Primary institutional source — Henry Ford Museum archive. Confirms the court ruling of January 10, 1911 overturning the Selden patent.

Canonical academic study of the Ford–Selden patent dispute. Confirms the link between the 1911 ruling and the free cross-licensing system adopted by the industry in 1915 and maintained until 1956. ISBN: 0814335128.

Review citing the outcome of the Selden case: the automotive industry adopted a unique system of free cross-licensing in 1915, kept in force until 1956.

Canonical document defining what 'open source' means in legal and technical terms.

Stallman's original text describing the distinction between 'free software' and 'open source' from the FSF perspective. Essential reading for understanding why the distinction exists at all.

Comprehensive FSF-annotated list of software licenses, covering GPL, LGPL, AGPL, Apache, MIT, BSD and dozens of others. Authoritative from the free software movement perspective.

Accessible plain-English summaries of software licenses. Useful contrast to dry legal documentation — ideal for readers who want to quickly understand the difference between MIT and GPL without reading full legal texts.

List of licenses approved by OSI as conforming to the Open Source Definition. Less ideological than FSF, more pragmatic.

Official OpenSSL security bulletin issued on the day of disclosure. Short, technical, authoritative.

Official NIST/NVD record for Heartbleed.

Dedicated site describing the Heartbleed vulnerability — created at the time of disclosure.

Cloudflare's Heartbleed Challenge confirmed that private keys could indeed be stolen via the vulnerability.

Google Cloud post describing real-world exploitation of Heartbleed to bypass multi-factor authentication on VPNs.

Contains the responsible developer's own explanation of how the bug was introduced.

The legendary post in which Stenberg publishes an ultimatum email from a corporation demanding an audit of a Java library that curl does not use. He describes the level of ignorance and incompetence as breathtaking. Best single source illustrating how compliance processes replace actual thinking.

Stenberg publishes a death threat received because curl 'didn't work correctly' in a user's closed system. Illustrates the extreme end of free support expectations — users who treat maintainers' time as their entitlement.

Explains why Stenberg shut down the curl Bug Bounty program. He describes AI-generated security reports as a 'DDoS on human attention' — technically plausible-looking but factually wrong reports flooding maintainers at scale.

List of companies using curl, maintained by the tool's author.

Stenberg's company offering paid commercial support for curl.

Reddit thread containing a screenshot of the faker.js repository after Marak's deletion. Primary contemporaneous record since the original repo no longer exists on GitHub.

Archived snapshot showing the entire repository history reduced to a single commit.

npm registry entry. Worth noting the version number at the time of the sabotage.

Original disclosure by Andres Freund. The primary source for the entire XZ backdoor story.

Detailed attack timeline analysis. Widely cited reconstruction of Jia Tan's multi-year social engineering campaign.

Academic bachelor's thesis with extensive technical breakdown and references. Detailed analysis of the backdoor mechanism and attack chain.

Debian maintainers noted how Jia Tan attempted to manipulate them into ignoring valgrind warnings as 'false positives'. Debian rolled back all XZ packages to the safe 5.4.5 version and revoked Jia Tan's infrastructure access. The incident showed that Debian's 'bureaucracy' functioned as a protective filter.

Canonical confirmed the malicious XZ version reached Noble Numbat repositories but was removed before the official LTS release thanks to Freund's discovery. Had it shipped, millions of corporate servers would have received a backdoor as part of a 'secure' Long-Term Support release.

Official announcement of the licensing change (August 31, 2021). Introduces the 250-employee / $10M revenue thresholds, grace period until January 31, 2022, and new subscription tiers.

Best available source for a private company. Reports ARR of $20M in 2021 (pre-license change), $165M in 2023, $207M in 2024. Secondary source — Docker Inc. is private and does not publish full financials.

Official post from Docker Inc. after the first full subscription year. CEO Scott Johnston reports ARR above $50M — over four-fold year-on-year growth. Only primary source with figures directly from the company.

Original document announcing dockershim deprecation in Kubernetes 1.20. Explains technical reasons (CRI incompatibility), timeline, and implications for users.

Post accompanying dockershim removal in Kubernetes 1.24. Confirms the decision was technical and long-planned, and that the majority of clusters still used Docker at the time of the licensing announcement.

Day-of-announcement coverage. Business context, market reaction, quotes from CEO Scott Johnston.

Connects both threads — dockershim deprecation timeline and the post-license-change market situation. Also explains Mirantis's role as maintainer of cri-dockerd.

Software Asset Management perspective — practical compliance implications for IT and procurement departments. Useful for the 'compliance panic' context described in the case study.

OCI homepage describing the image-spec and runtime-spec standards. Includes the history of the initiative (founded 2015, emerging from Docker and CoreOS).

Technical source for the claim about image portability across different container runtimes.

Primary canonical source — co-founder Dadgar's official post explaining the motivation (hyperscalers monetizing without contributing), scope of the change, and what remains under MPL. August 10, 2023.

Official IBM press release. $6.4 billion enterprise value, $35 per share. April 24, 2024.

Most comprehensive analysis of practical consequences — full timeline of the saga (August 10, 2023 through OpenTofu GA in January 2024), breakdown of who is affected and how, ecosystem perspective.

At the time link was verified, the article was updated (Feb 2026). Archive link points to the original version of the text.

Perspective from one of the largest Terraform ecosystem partners, directly affected by the change. Good example of enterprise reaction and 'compliance panic' described in the case study.

Original announcement of the project's adoption by the Linux Foundation. Includes quotes from Jim Zemlin, list of 140+ supporting companies, and commitment of 18+ FTE developers for a minimum of 5 years. September 20, 2023.

Journalistic coverage with a quote from Jim Brikman (Gruntwork) explaining the name and project plans.

Canonical description of the provider model: 'Terraform relies on plugins called providers to interact with cloud providers, SaaS providers, and other APIs.' Providers are distributed separately from Terraform Core with their own release cycles.

Technical description of the plugin architecture — providers as separate binaries communicating with Terraform Core via RPC. Confirms providers can be written by any party. Companion to the Providers doc above.

This URL originally contained the runtime fee announcement (September 12, 2023). Unity subsequently replaced the content with the cancellation notice — the original announcement is no longer available at this address.

Best account of the reversal — documents how quickly Unity was forced to retreat, revised thresholds, removal of retroactivity, and general chaos. Includes stock price context ($39 → $32 in one week).

Documents Riccitiello's departure from Unity and detailed breakdown of his exit package (~$8.4M in stock options). Most credible source for a specific figure used in the book.

Immediate official response from Slay the Spire developer (September 13, 2023): 'We have never made a public statement before. That is how badly you fucked up.' Includes announcement of migration to a new engine.

Re-Logic (Terraria developer) declared it would never use Unity again and donated $200,000 to alternative engines including Godot. One of the most financially significant gestures of the protest.

Retrospective quoting EA interim CEO Larry Probst after two consecutive 'Worst Company in America' titles (2012 and 2013). Confirms both titles and management's reaction.

Secondary reference for EA 'Worst Company in America' titles (2012, 2013). The original Consumerist voting results are archived but the site is defunct — Wikipedia's EA section footnotes point to the original Consumerist articles.

French agricultural research agency. Concise and direct: 'Phytophthora infestans which is not a fungus but a water mould also known as oomycete.'

Comprehensive visual timeline of browser engine history and consolidation.

Slack's own account of adopting Electron for its desktop application.

Accessible overview of CEF (Chromium Embedded Framework) prevalence in desktop applications.

Confirms Notion's use of Electron. Detailed performance analysis.

Analysis of Warcraft 3 Reforged's use of a Chromium-based renderer and resulting performance issues.

Example of a AAA game using a Chromium-based UI rendering solution.

Official, technical, authoritative overview of browser architecture and rendering pipeline.

More accessible description of browser rendering engine architecture. Companion to the MDN article above.

Community discussion with usable definitions distinguishing engines, frameworks, and libraries.

Accessible explainer with concrete examples distinguishing library, framework, and engine concepts.

FSF's response to Google's Web Environment Integrity API proposal — one of several examples of Google's unilateral influence over web standards.

Google ultimately abandoned the Web Environment Integrity proposal following widespread backlash.

Documents Google's unilateral decision to drop JPEG-XL from Chrome despite community support for the format.

Google reversed its JPEG-XL decision. Illustrates the cycle of unilateral moves and reversals.

Overview of the AMP saga — Google's proprietary web framework that received artificial search ranking boosts, and its eventual demise.

History of Chrome OS from its first release to the tenth anniversary. Good quotes about the original vision.

Factual reference — dates, 2009 announcement, origin story.

Primary data source for game engine market share statistics.

More accessible discussion of the VGInsights report findings.

Official ILM press release on StageCraft technology. Cites all partners and describes the virtual production pipeline powered by Unreal Engine.

Narrative account of the StageCraft technology. Good background companion to the ILM press release.

Official Epic Games overview of Unreal Engine use cases across industries: automotive, film, architecture, broadcast.

Covers BMW and other cross-industry Unreal Engine adoption examples.

Film, aerospace, architecture, automotive — concrete examples of UE5 adoption beyond gaming.

Interview with Gabe Amatangelo. Best qualitative account of CD Projekt RED's decision to abandon REDengine for UE5.

Broader industry context — other studios making the same switch, implications for the market.

Community discussion confirming that practitioners recognize and debate the 'Unreal look' phenomenon.

Corridor Crew regularly discusses and critiques the 'Unreal Engine look' — identifying it as an aesthetic where virtual productions appear too sterile, plasticky, or 'cheap' despite high technical quality.

Counterargument to the 'Unreal look' thesis. Useful for presenting a balanced view.

Director Gore Verbinski's public criticism of Unreal Engine aesthetics in film production. January 2026.

Official survey results. PostgreSQL ranked #1 most-used database for the second consecutive year.

Commentary on the survey results with historical context.

Official description of the Core Team structure — 7 members, roles, and governance model.

Official page of the non-profit legal entity behind the project.

Documents the EDB/2ndQuadrant conflict and the unwritten 50% contributor rule that emerged from it.

In-depth discussion of PostgreSQL governance, the majority rule, and structural tensions within the project.

Accessible explanation of the decentralized power model in the PostgreSQL project.

History of JSON support from PostgreSQL 9.2 to 9.4, written from the developer perspective. Part of the JSON/JSONB (2012→2014) evolution story.

Official documentation of JSONB introduction in PostgreSQL 9.4.

History written by one of the primary contributors — from logical decoding in 9.4 to full logical replication in v10 (2014→2017).

Official press release. Contains Core Team quote about 'years of work' on logical replication.

Reference for footnote on potato history — dates, initial European suspicion, spread across the continent.

Academic source for the potato footnote.

Torvalds on Git's decentralization philosophy — ideal source for the irony of the world's decentralized version control system being centralized on a single Microsoft-owned platform.

Source for the 500M+ repositories figure and other GitHub scale statistics.

At the time of access, article was updated on May 11.

Primary source for the entire Sherlock/Watson story — Dan Wood's own account, including his paraphrase of the conversation with Jobs. Note: the site had an invalid SSL certificate at the time of checking; using a Web Archive version is recommended.

Note: At the time of access original article had an invalid SSL certificate. The Web Archive version is recommended for access.

Concise factual summary of the Watson/Sherlock case.

Good overview with the key quote and historical context explaining how the term entered tech vocabulary.

Tile's reaction on the day of the AirTag announcement. Covers the U1/UWB access issue and unfair competition claims.

Fuller context for Tile's antitrust allegations against Apple.

Full official text of the Digital Markets Act.

Footnote reference for AICOA — factual summary of the proposed US legislation.

Footnote reference. Analysis of why AICOA failed to pass.

Academic source confirming that not all UWB chips are open to third-party developers, limiting possible applications — the technical basis for the Tile/AirTag competitive asymmetry.

Accessible explanation of time-of-flight technology, Precision Finding, and the AirTag context.

Technical analysis of the U1 chip including UWB history and the proprietary nature of Apple's implementation.

Primary account of the rejected acquisition offer, based on the original Wall Street Journal report.

Concise factual reference for the $3B offer and other key Snap milestones.

Firsthand account of the acquisition process: Zuckerberg invited Systrom to his Menlo Park home, and both completed the deal documents over a weekend with a single lawyer present.

Original day-of-announcement coverage of the $1 billion acquisition.

Original launch coverage (August 2, 2016). Includes user numbers at the time: Instagram 500M total, Snapchat 150M DAU.

Key source for the 82% growth slowdown figure, based on Snap's IPO documents.

Source confirming Instagram surpassed Snapchat's daily active story users within eight months of launch.

One-year anniversary coverage with user comparison figures in the context of Snap's IPO.

Official Snap press release for the Perplexity partnership.

Quarterly chart showing AWS + Azure + GCP + Alibaba accounting for approximately 70% of the cloud infrastructure market.

Redis Labs: 'Cloud providers contribute very little (if anything) to those open source projects.' Core source for the Vampire Strategy mechanism.

Redis Labs CMO: 'AWS are simply poaching open source investment.' The 'strip mining' framing.

Broader context covering Kafka, Redis, MongoDB and the managed services dynamic.

MongoDB CTO: DocumentDB is '34 per cent compatible' and a 'Frankenbase'. Primary source for the Amazon DocumentDB vs MongoDB case.

MongoDB's official comparison — naturally one-sided but useful for specific technical incompatibility claims.

Official Elastic announcement of the license change away from Apache 2.0 (January 2021). Starting point of the Elasticsearch/OpenSearch saga.

History of the AWS OpenSearch fork and its eventual transfer to the Linux Foundation.

Official announcement of the OpenSearch Software Foundation under the Linux Foundation (September 2024).

Concise history of the Elasticsearch fork.

History of Kubernetes' creation at Google and donation to CNCF. Wikipedia used as reference here given strong community maintenance of open source project articles, and verified against author's professional experience.

Reference for Go's origin at Google — part of the 'home field advantage' context.

Optional background. Good context for the Databricks/Azure dynamic and open source monetization models generally.

History of the phrase, first known print usage (1957), George Fuechsel, context from the early years of computing.

Best narrative account of the phrase's history. Documents the earliest known printed occurrence in the Times Daily of Hammond, Indiana (November 10, 1957) and the Fuechsel story. Most thorough source found on the topic — the author searched press archives and appears to have corrected the existing historical record.

Distinguishes random error from systematic error (bias), defines selection bias and sampling bias in a research context.

Classic epidemiological definition of selection bias.

Definition, types, and examples of selection bias. More accessible than the UNC source.

Practical discussion with concrete examples.

References Gartner estimates on the financial impact of poor data quality.

Comprehensive overview of common survey design errors: leading questions, assumptive questions, double-barreled questions.

Clear distinction: double-barreled = ambiguity, leading = bias.

Practical examples including loaded questions.

Academic discussion of primacy effect, left-side selection bias, and acquiescence bias in Likert scales.

Peer-reviewed study demonstrating that response option ordering significantly affects survey results.

Accessible overview of Likert scales, response order effects, and their impact on results.

Original Google report. Primary source for the 53% abandonment / 3-second threshold statistic. Available as PDF.

Google's own blog post promoting the report findings.

Shows that bounce rate — the metric underpinning the 53% statistic — cannot distinguish satisfied from frustrated users. Google Analytics 4 introduced 'engaged sessions' precisely because the classic metric was misleading. Good counterpoint to cite alongside the Google report.

The article in which the popular formulation of Goodhart's Law appears: 'When a measure becomes a target, it ceases to be a good measure.' Published in European Review, Vol. 5(3), pp. 305–321.

The most widely read contemporary book on metric pathologies. Connects Goodhart's Law to case studies from education, medicine, the military, and business. ISBN: 9780691174952.

Official Google documentation defining TTFB and its relationship to FCP and LCP. Authoritative and kept up to date.

Main documentation for Google's UX metric suite: LCP, INP, CLS — each measuring a different aspect of user experience.

Practical breakdown of the metric hierarchy (TTFB → FCP → LCP → INP) from an e-commerce engineering perspective. Illustrates precisely the ambiguity of 'loading time' discussed in this chapter.

Well-written practical guide on the pitfalls of proxy metrics in A/B testing, written by Meta engineers with strong methodological grounding. Ideal for the 'we measure what we can, not what we want' argument.

Accessible synthesis of Muller, Goodhart's Law, and Campbell's Law with examples. Useful bridge between technical and popular-science audiences.

At the time of composing this list the original article was not available (HTTP/404), but the content was archived by the Wayback Machine.

Contains the original Literary Digest text from October 31, 1936. Most accessible source with the verbatim forecast.

Election results, Gallup and Digest comparison, with references to primary sources. Acceptable as a supplementary reference.

The most important academic source for this case. The only empirical study of the failure's causes, based on 1937 Gallup data. Concludes that non-response bias — not sampling bias — was the dominant cause. Vol. 52, No. 1, Spring 1988, pp. 125–133. Also available via JSTOR (https://www.jstor.org/stable/2749114) and as PDF (https://criticalthinkingtext.wordpress.com/wp-content/uploads/2017/02/squire-literary-digest.pdf).

Good historical context for the Gallup breakthrough. Credible popular-science source.

References original press archives from the Boston Globe. Interesting detail: Gallup publicly predicted his own accuracy in advance.

Raw state-by-state Digest data. Useful for readers who want to see the scale of the error directly.

Original blog post, no longer available at the original URL (blog.okcupid.com) — full text archived here. Only source containing the complete original text with all figures: 44%, 2,200 conversations, match counts.

First major press account of the story. Frequently cited in academic literature.

Direct interview with Rudder. Good quotes for context.

The original Facebook study. Its publication in PNAS was itself part of the scandal.

Official PNAS editorial concern regarding the lack of informed consent from participants.

Useful analysis covering both scandals simultaneously.

Brief, accessible ethical analysis by a psychologist. Compares both experiments and explains the IRB question.

Formal legal letter requesting access to IRB protocols under Maryland state law. For readers interested in the legal dimension.

Original GFT paper. Published in Nature (online November 2008, print February 2009). Primary source for the entire case study. Nature 457, 1012–1014.

February 2013 Nature article that first publicized the scale of GFT's failure. Starting point of the public story. Nature 494, 155–156.

The most important academic source for this case. Science article analyzing the causes of failure: algorithm dynamics, big data hubris, absence of CDC data as a corrective signal. Coined the terms 'parable of Google Flu' and 'big data hubris'. Science 343, 1203–1205.

Follow-up analysis showing the problems persisted after Google's modifications.

Accessible synthesis by the authors of the key Science paper. Good companion to the academic source.

Journalistic account with direct Lazer quotes. Includes the 'Dewey beats Truman' comparison.

Official reference vocabulary for metrology. Defines measurement error, systematic error, random error, and uncertainty.

The authoritative document for the science of measurement — unmatched as a reference.

JCGM (Joint Committee for Guides in Metrology) is the international body by BIPM (Bureau International des Poids et Mesures / International Bureau of Weights and Measures) responsible for this standard.

Key definition: random error = noise, systematic error = bias. Good overview from a metrology and statistics perspective.

Clear explanation with examples. Includes the key framing: random error is 'noise' that blurs the true signal of what's being measured.

Classic academic treatment from a physical sciences and laboratory experiment perspective.

Defines bias, systematic error, and random error with medical examples and clear diagrams distinguishing noise from bias.

The only source in this group written strictly for scientists rather than engineers.

Classic Stanford paper on crawler architecture. Foundational for the field and cited in hundreds of subsequent works.

Contemporary academic survey covering definitions, methods, stages, and technologies.

Official internet standard defining how crawlers communicate with site owners via robots.txt.

Also provides background for the concept of a crawler operating 'politely' — robots.txt is the mechanism of that politeness.

History, definitions, methods, and legal and technical considerations.

Clear engineering-perspective distinction between a crawler and a scraper.

Compares scraping with API as an official data access channel. Explains the fragility of scrapers in the face of HTML changes.

Wikipedia article on the landmark case on the legality of scraping public data. Six years of litigation, ended in settlement. Background for the 'other side of a courtroom' framing.

Documents the scale of the click farm problem and platform responses.

Primary source for the entire case. Nature 453, 646–649.

Full text available as PDF via the author's site: https://www.atmos.colostate.edu/~davet/ao/ThompsonPapers/Thompson_etal_Nature2008.pdf

Short accessible summary of Thompson's findings for a general audience. Includes quotes from Phil Jones.

Discussion by climate scientists explaining both the Thompson paper and the broader context of bucket/engine-intake corrections going back decades. Written for an educated non-specialist reader.

More recent analysis confirming and refining Thompson's results. Reduces the WW2 warm anomaly by 0.26°C using more advanced statistical methods.

Primary source for the entire case. The paper that effectively removed the 'hiatus' from the scientific debate. Science 348(6242), 1469–1472.

Independent verification of Karl's results using buoy, satellite, and Argo data. Includes a clear explanation of the ship/buoy bias mechanism.

Accessible summary of the Hausfather et al. paper. Includes brief interview with Zeke Hausfather on YouTube

Solid day-of-publication journalism. Quotes multiple independent climate scientists.

Technical explanation of the ship intake vs. buoy data difference with charts. Explains exactly where the 0.12°C offset comes from.

Documents the Lamar Smith subpoena and NOAA's refusal to comply. Includes quotes from Zeke Hausfather as verification author.

Official NOAA source on the Argo program: history, scope, and technical specs — 4,000 floats, 2,000m depth, 10-day cycle.

Footnote reference. 14-cylinder version rated at 80.08 MW (107,390 hp). First commercial deployment on Emma Mærsk (2006).

Footnote reference. Official manufacturer press release confirming 80,080 kW output.

Footnote reference. Peer-reviewed source confirming ~50% thermal efficiency, close to the Carnot limit — meaning roughly half the energy is lost as waste heat.

Footnote reference for household energy consumption context.

Footnote reference for household energy consumption benchmarks. Specific calculations are left to the reader.

Primary source for the entire case.

Accessible summary of the Clough et al. paper. Includes quotes from lead author Madeline Clough.

Federal final report. Confirms that 75.6% of outages resulted from frozen components and fuel supply problems. Describes the gas–power–gas feedback loop.

Note: At the time of writing I encountered 'Sorry, you have been blocked' message on the FERC site. I keep the original link but I was forced to use the Wayback Machine version.

Official ERCOT breakdown of generator outage causes by category.

Note: Ercot's security service is now blocking direct access to the report. It is still available via the Wayback Machine.

Most detailed independent academic analysis. Includes full timeline, frequency drop data, and analysis of nameplate capacity vs. actual winter performance.

CDC excess mortality analysis estimating 700+ deaths as the upper bound of official undercounting.

Official Texas DSHS figure of 246 deaths with breakdown by cause, as cited by Insurance Journal (January 2022).

Official EIA data: average price $22/MWh in 2020, $9,000/MWh cap held for 77 hours during the crisis.