Phones pretending to be datacenters, routers under export blacklists, and regexes that slow you to a crawl

Intro

Today's selection swings between clever engineering theatrics and policy- and correctness‑level changes that actually affect users and ships. Expect one eyebrow-raising demo, one hands-off research workflow, a policy that will reshuffle router supply chains, and a neat algorithmic patch for a decades-old regex problem.

In Brief

iPhone 17 Pro Demonstrated Running a 400B LLM

Why this matters now: The demo signals that on-device AI experiments are accelerating — but the headline "400B on a phone" mostly shows clever engineering rather than a usable mobile assistant today.

Developers showed an iPhone 17 Pro doing inference with a model advertised as 400 billion parameters, but the practical consequence is small: throughput was painfully low — reportedly about "0.6 t/s" — and latency remains high. The trick is a mixture-of-experts (MoE) architecture where only a tiny slice of the model is active per token, extreme quantization to shrink weights, and streaming weights from flash instead of RAM so the phone never needs the full working set loaded.

"Running 400B model on iPhone!" is a true but misleading headline — the working set is small because most experts are inactive.

That means this is a neat proof-of-concept for local, open-weight LLMs but not a near-term replacement for cloud services. If you care about privacy, offline capability, or vendor diversity, it's an interesting signal; if you care about speed and interactivity, the demo is mostly engineering theater for now. See the demo thread on Twitter for details.

Autoresearch on an old research idea

Why this matters now: Agentic loops can automate many cheap, repetitive experiments — freeing researchers for higher‑value decisions — but they still rely on human judgment for structural changes and safety.

A researcher rebuilt Andrej Karpathy’s Autoresearch loop and put Claude Code in control for a constrained eCLIP project. The agent ran 42 short experiments (13 committed) and cut mean-rank from 344.68 to 157.43 largely by finding one simple bug and doing systematic hyperparameter tuning. The workflow was succinctly described as:

"hypothesize → edit → train → evaluate → commit or revert → repeat."

The practical lesson is clear: when the search space is bounded and runs are cheap, agents can reliably find low-hanging fruit and surface bugs. But when the agent tried structural or ambitious changes it tended to "throw spaghetti at the wall." Sandboxing and strict permissions matter — the agent sometimes attempted odd shell commands — and human oversight still handles the last mile of quality and novelty. Full writeup at the author's blog.

Deep Dive

FCC updates covered list to include foreign-made consumer routers

Why this matters now: New foreign-made consumer router models will face a de facto ban from the U.S. market unless vendors satisfy national‑security reviewers — that reshapes supply chains and product strategy immediately.

The FCC has added all consumer-grade routers manufactured abroad to its Covered List, which means new foreign-made models are barred from equipment authorization and therefore from import and sale in the U.S., unless a conditional exemption is granted. The agency framed it as a national-security response:

“Malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft.”

Practically, this will force vendors to produce U.S.-domiciled models or open themselves to lengthy exemption processes that demand detailed ownership, supply-chain, software update practices, and onshoring plans. Existing approved routers are grandfathered, but any new model built overseas will need either to be reworked or to obtain high-level clearances.

Why you should care: consumer networking is a low-margin market; manufacturing location and firmware practices are already tight levers on cost. Expect three immediate outcomes:

• Manufacturers that sell in the U.S. will push for partial onshoring or new U.S. SKUs.
• The policy raises the value of auditable firmware and long-term update commitments, because those are explicit review criteria.
• Critics worry this could be used as industrial policy or create a pay‑to‑play approval dynamic; others say it misses the real problem — poor firmware and short update windows — and that vendor accountability would be a more surgical fix.

HN reactions ranged from support for hardening a known attack surface to skepticism about country‑of‑origin as a proxy for insecurity. Whatever the rhetorical framing, this is a market shock: import routes, inventory, and product roadmaps will all be reevaluated now. See the FCC announcement for the official rationale and mechanics: FCC statement.

Finding all regex matches has always been O(n²)

Why this matters now: If your code calls find_all or iterates over regex matches on long inputs, you might already have latent quadratic slowdowns that can blow up real workloads — there’s a practical fix you can adopt.

The common story — that modern regex engines are "linear time" — only holds when finding a single match. When you ask for all matches, many engines restart matching at each position, producing a triangular work pattern that becomes quadratic on adversarial or unlucky inputs. The post bluntly states:

"every regex engine, in every language, has had this problem since the 1970s, and nobody fixed it."

The proposed solution from RE# is elegant and pragmatic: do two passes. A reverse DFA marks candidate start positions, then a forward DFA resolves leftmost-longest matches retroactively. That preserves the usual POSIX leftmost-longest semantics (important for existing expectations) and avoids the restart-at-each-position cost. There's also an optional "hardened" mode that guarantees linear time by resolving end positions in one forward scan, at the cost of a steady slowdown on ordinary patterns.

Implications for engineers:

• If you use regex-heavy streaming or text-processing code, consider engines or modes that avoid the restart behavior — otherwise complex inputs or scan patterns can explode CPU time.
• The two-pass idea is a low-friction optimization for engines to adopt, but it has trade-offs: RE# currently omits capture groups and some lazy quantifier features, and hardened mode can be measurably slower on typical queries.
• For untrusted input, practical defenses (sandbox timeouts, input limits) still make sense alongside algorithmic fixes.

This is one of those fixes where the cost/benefit is obvious: a modest engineering cost in the engine can prevent catastrophic slowdowns for many users. The original analysis and benchmarks are in the author's blog post.

Closing Thought

We often treat demos and policy moves as separate genres — the former are showpieces, the latter practical levers. Today’s highlights remind us both kinds matter: engineering ingenuity flags possible futures (phones hosting larger models), while policy and correctness fixes (router import rules, regex runtime guarantees) change what gets built and what ships. Track both: the showpieces point where hackers will push, and the hard changes determine which of those pushes actually make it into users' hands.

Sources

• iPhone 17 Pro Demonstrated Running a 400B LLM (Twitter demo)
• Autoresearch on an old research idea (blog)
• FCC updates covered list to include foreign-made consumer routers (FCC)
• Finding all regex matches has always been O(n² (blog)