Unlurker

The URL shortener that makes your links look as suspicious as possible (creepylink.com)

I'm not sure what the use case for this is, but I've been using it as a inefficient messaging service with my girlfriend, ie: https://c1ic.link/campaign_WxjLdF_login_page_2.bat You seem to be able to encode arbitrary text, so long as it follows [A-Za-z0-9]+\.[A-Za-z0-9]+

There may actually be some utility here. LLM agents refuse to traverse the links. Tested with gemini-3-pro, gpt-5.2, and opus 4.5. edit: gpt-oss 20B & 120B were both eager to visit it.

Please don't make any more URL shorteners, they are just a bad idea. https://wiki.archiveteam.org/index.php/URLTeam

I always end up making my own, they're so simple to write. Saves using one of the "free" ones which looks like its free but you're actually on a free trial, then you can't access your links after that trial expires.

I don't appreciate how AI generated this website looks.

which bit are you getting an AI smell from?

gradient background, card, button

Perhaps, but nearly every tutorial in all the modern frameworks demonstrate this exact style.

↙ time adjusted for second-chance

Ask HN: What is the best way to provide continuous context to models?

I've been building https://www.usesatori.sh/ to give persistent context to agents Would be happy to onboard you personally.

We ran into this while building GTWY.ai. What worked for us wasn’t trying to keep a single model “continuously informed”, but breaking work into smaller steps with explicit context passed between them. Long-lived context drifted fast. Short-lived, well-scoped context stayed predictable.

> what according to you is the best way to provide context to a model. Are you talking about manually or in an automated fashion?

↙ time adjusted for second-chance

Ask HN: Weird archive.today behavior?

Worth blocking the URL for users of that Archive site then, avoid extra burden?

There's really no interpretation of this which isn't malicious, although, not to defend this behaviour whatsoever, I'm not entirely surprised by it. The only real value of archive.is is its paywall bypassing abilities and, presumably, large swaths of residential proxies that allow it to archive sites that archive.org can't. Only somebody with some degree of lawlessness would operate such a project.

Remember when Archive.is/today used to send Cloudflare DNS users into an endless captcha loop because the creator had some kind of philosophical disagreement with Cloudflare? Not the first time they’ve done something petty like this.

Hmm. If it is an attempt at DDoS attacks, it's probably not very fruitful: >$ resolvectl query gyrovague.com gyrovague.com: 192.0.78.25 -- link: eno1 192.0.78.24 -- link: eno1 Viewing the first IP address on https://bgp.he.net/ip/192.0.78.25 shows AS2635 ( https://bgp.he.net/AS2635 ) is announcing 192.0.78.0/24. AS2635 is owned by https://automattic.com aka wordpress.com. I assume that for a managed environment at their scale, this is just another Wednesday for them.

I believe they're probably trying to get the blog suspended (automatically?) hence the cache busting; chewing through higher than normal resources all of a sudden might do the trick even if it doesn't actually take it offline.

It is using the ?s= parameter which causes WordPress to initiate a search for a random string. This can result in high CPU usage, which I believe is one of the DoS vectors that works on hosted WordPress.

It occurred to me while reading the article that I could also just have checked the TLS cert. The cert I was given presents "Common Name tls.automattic.com". However, maybe someone will discover bgp.he.net via this :-)

> maybe someone will discover bgp.he.net via this I did, thank you!

↙ time adjusted for second-chance

Ask HN: What did you find out or explore today?

I’m reading Domain Driven Development and learning why so many of my projects have been tough to maintain.

I explored the space of valid Spelling Bee puzzles and found out the lowest scoring puzzle is (x)bejkou with 14 points. Hoping they do it for April 1st one year.

I found out I can automate my 5,12kWh house battery through local-only RS485 connection, and directly setting registers using ModbusTCP from Home Assistant. I then drafted an automation with hysteresis and damping that tries to aim for Net-Zero export/import (pv surplus/grid). It appears to work!

The deranged thing about RS485 and modbus is it's old cheap and just works.

I found out that the adhesives I've encountered from time to time that remain tacky and easily moved or removed are called "non-hardening" adhesives. This was after using E8000 glue for a headphone repair today.

I found out today that the location header of an HTTP redirect can be a tel:+ URI and phone's will actually ask you whether you want to call that number.

Links can have that as their href and it will also work as you'd expect. It's the telephone equivalent of the more well-known mailto: scheme

↙ time adjusted for second-chance

You need a kitchen slide rule (entropicthoughts.com)

Please, if you want good pesto, worry less about the ratios, and use real Parmiggiano Reggiano instead of "parmesan".

Yeah I remember my class was the last in our high school to learn the slide rule, the next year we transitioned to (expensive!) calculators. People had to be taught not to go wild with the extra precision.

I picked up a couple Concise circular rules made in japan a while ago. They're wonderful. I'll toss one in the kitchen. https://www.sliderule.tokyo/products/list.php Circular rules are superior to slide rules.

The point of the article is that he can set the C and D scales to the proportion he needs, one time, and then just move the slider around for each ingredient, rather than doing a different calculation for each ingredient. Knowing when to vary the proportion is just basic cooking knowledge which would have to be applied either way.

Compared to the suggestion of a calculator + scale (or a voice assistant, IMO), I think the annoying part is when you hit weird fractions, especially in the US. Random dumb example: say you need 6/7ths of 3/4 of a tablespoon of table salt... or 0.64 tablespoons. That's not gonna be a common measuring device. Look it up in terms of grams, though, call it 20g per tablespoon (or measure the original amount in grams if you like), multiple by .64, get 12.8g, use your scale to get ~13. I'm more confident in my ability to get 13g with my scale than I am to get 0.64 tablespoons (half + half of a quarter is what I'd have to use with my measuring stuff, and the "half of a quarter" is annoying when they're rounded and all...). If your voice assistant can take care of the conversions, it GREATLY speeds it up too. (The observant could respond here that 0.64 tablespoons is damn close to 2 teaspoons and so this example off the top of my head is dumb. Which is true, but frankly I have to look up a bunch of those sorts of things any time I try them, and it could've landed on something more awkward like 0.4 tablespoons total.)

>The point of the article is that he can set the C and D scales to the proportion he needs, one time, and then just move the slider around for each ingredient, rather than doing a different calculation for each ingredient. Is punching a number into a calculator and then multiplying by M (memory function, for the scale factor) really that much work than carefully sliding tithe slider into position and reading/eyeballing the output?

Yeah. Heck, you can just prop the slide rule up somewhere and look at it without even moving the slider. No button punching required.

Please use "volumetric" units and "mass" units. Your argument is otherwise hard to follow since presumably Europeans scale recipes too. Anyway, it's not really an issue.

I think the argument is that commercial recipes in the US are written in proportional notation, e.g. 1:2:3 sourdough, but recipes in countries which use metric give units, e.g. 1kg:2L:3kg. I also note that if you add small proportions of an ingredient, e.g. salt, it might be easier to change units in metric (5g salt) while it would be easier to write proportionally in imperial (0.005 parts salt) if you were then going to scale to to a tonne/ton of dough. I have no idea if this is true but it sounds like a coherent argument that isn't just volumetric vs mass units.

Bubblewrap: A nimble way to prevent agents from accessing your .env files (patrickmccanna.net)

> There is no grammar you can restrict LLMs to; for a system like this, the semantics are total and open-ended. It's what makes them work. You're missing the point. An agent system consists of an LLM plus separate "agentive" software that can a) receive your input and forward it to the LLM; b) receive text output by the LLM in response to your prompt; c) ... do other stuff, all in a loop. The actual model can only ever output text. No matter what text the LLM outputs, it is the agent program that actually runs commands. The program is responsible for taking the output and interpreting it as a request to "use a tool" (typically, as I understand it, by noticing that the LLM's output is JSON following a schema, and extracting command arguments etc. from it). Prompt injection is a technique for getting the LLM to output text that is dangerous when interpreted by the agent system, for example, "tool use requests" that propose to run a malicious Bash command. You can clearly see where the threat occurs if you implement your own agent, or just study the theory of that implementation, as described in previous HN submissions like https://news.ycombinator.com/item?id=46545620 and https://news.ycombinator.com/item?id=45840088 .

> propose to run a malicious Bash command I am not sure it is reasonably possible to determine which Bash commands are malicious. This is especially so given the multitude of exploits latent in the systems & software to which Bash will have access in order to do its job. It's tough to even define "malicious" in a general-purpose way here, given the risk tolerances and types of systems where agents run (e.g. dedicated, container, naked, etc.). A Bash command could be malicious if run naked on my laptop and totally fine if run on a dedicated machine.

Yes. My proposal is that the part of the system that actually executes the command, instead of trying to parse the LLM's proposed command and validate/quote/escape/etc. it, should expose an API that only includes safe actions. The LLM says "I want to create a symbolic link from foo to bar" and the agent ensures that both ends of that are on the accept list and then writes the command itself. The LLM says "I want to run this cryptic Bash command" and the agent says "sorry, I have no idea what you mean, what's Bash?".

That's a distinction without a difference, in the end you still have an arbitrary bash command that you have to validate. And it is simply easier to whitelist directories than individual commands. Unix utilities weren't created with fine-grained capabilities and permissions in mind. Wherever you add a new script or utility to a whitelist, you have to actively think whether any new combination may lead to privileges escalation or unintended effects.

Yes. My proposal is to not give the agent Bash, because it is not required for the sorts of things you want it to be able to do. You can whitelist specific actions, like git commits and file writes within a specific directory. If the LLM proposes to read a URL, that doesn't require arbitrary code; it requires a system that can validate the URL, construct a `curl` etc. command itself , and pipe data to the LLM.

> whitelist specific actions > file writes > construct a `curl` I am not a security researcher, but this combination does not align with "safe" to me. More practically, if you are using a coding agent, you explicitly want it to be able to write new code and execute that code (how else can it iterate?). So even if you block Bash, you still need to give it access to a language runtime, and that language runtime can do ~everything Bash can do. Piping data to and from the LLM, without a runtime, is a totally different, and much limited, way of using LLMs to write code.

It is very much required for the sorts of things I want to do. In any case, if you deny the agent the bash tool, it will just write a Python script to do what it wanted instead.

Is passive investment inflating a stockmarket bubble? (economist.com)

> Back to the stock market. It’s a very different calculus when nominal bonds are paying 5% and TIPS are paying 2.6% above inflation. The nowhere to go but the stocks holds more water when the ten year was paying 0.55%.

> TIPS are paying 2.6% above inflation. 2.6% above CPI . Investor calculus should include a consideration of how CPI is set vs what their actual personal rate of inflation will be.

VXUS is up almost twice the S&P 500 year over year, although some of that is likely the weakening of the dollar.

Compare them over the last 5 or 10 or 15 years. Since VXUS's inception the S&P has outperformed it by over 7x.

I understand this but realize that there are dips of almost 25% I invest in Index funds for peace of mind as well. That the market remains reasonably happy/sad and I can be for the long run. People discount this fact but imagine your concerns if you feel like 25% of your savings just evaporated because a guy ten layers detached from you burnt all the money on AI compute and there is no moat (Ahem ahem) If you don't want peace of mind, people should angel invest or build their own side hustles but then you are getting some savings anyway and its better to invest than keep it in banks (once you have a safe amount saved) But if you are saving money and still facing 25% crisis. Yeah... I understand where you are coming from but if you can expect a 50-75% dip in market this time (some companies are 2-5x overvalued just because they slap AI, their P/E ratio's straight up just don't make any sense at all!) So if you are willing to consider such dip for unforseen amount of time for unforseen returns in future when you can get a pretty safe investment for X amount of years being very liquid and historically in such times there are times when bond prices have been larger than stock prices If I remember correctly, Intelligent Investors suggests an intelligent approach towards this (in one of the starting chapters of the book)

P/E ratios rarely seem to make sense and yet people have been making money for a long time buying stocks with crazy P/E.

Furiosa: 3.5x efficiency over H100s (furiosa.ai)

The server seems cool but the networking seems insufficient for data centers.

Why is their website demanding WebGL?

This is from September 2025, what's new?

> We are taking inquiries and orders for January 2026. Hence the relevance, maybe.

I am of the opinion that Nvidia's hit the wall with their current architecture in the same way that Intel has historically with its various architectures - their current generation's power and cooling requirements are requiring the construction of entirely new datacenters with different architectures, which is going to blow out the economics on inference (GPU + datacenter + power plant + nuclear fusion research division + lobbying for datacenter land + water rights + ...). The story with Intel around these times was usually that AMD or Cyrix or ARM or Apple or someone else would come around with a new architecture that was a clear generation jump past Intel's, and most importantly seemed to break the thermal and power ceilings of the Intel generation (at which point Intel typically fired their chip design group, hired everyone from AMD or whoever, and came out with Core or whatever). Nvidia effectively has no competition, or hasn't had any - nobody's actually broken the CUDA moat, so neither Intel nor AMD nor anyone else is really competing for the datacenter space, so they haven't faced any actual competitive pressure against things like power draws in the multi-kilowatt range for the Blackwells. The reason this matters is that LLMs are incredibly nifty often useful tools that are not AGI and also seem to be hitting a scaling wall, and the only way to make the economics of, eg, a Blackwell-powered datacenter make sense is to assume that the entire economy is going to be running on it, as opposed to some useful tools and some improved interfaces. Otherwise, the investment numbers just don't make sense - the gap between what we see on the ground of how LLMs are used and the real but limited value add they can provide and the actual full cost of providing that service with a brand new single-purpose "AI datacenter" is just too great. So this is a press release, but any time I see something that looks like an actual new hardware architecture for inference, and especially one that doesn't require building a new building or solving nuclear fusion, I'll take it as a good sign. I like LLMs, I've gotten a lot of value out of them, but nothing about the industry's finances add up right now.

> (at which point Intel typically fired their chip design group, hired everyone from AMD or whoever, and came out with Core or whatever) Didn't the Core architecture come from the Intel Pentium M Israeli team? https://en.wikipedia.org/wiki/Intel_Core_(microarchitecture)#Technology

Correct. Core came from Pentium M, which actually came from the Israeli team who took the Pentium 3 architecture, and coupled this with the best bits from the Pentium 4

Hollywood studios are breathing their last gasps now. Anyone will be able to use AI to create blockbuster type movies, Hollywood's moat around that is rapidly draining.

Anyone with a $200M marketing budget.

They were valued at $6.9B just three months before Nvidia bought them for $20B, triple the valuation. That figure seems to have been pulled out of thin air.

Maybe it was worth the other $13.1B to make sure their competitors couldn't get them?

really weird graph where they're comparing to 3x H100 PCI-E which is a config I don't think anyone is using. they're trying to compare at iso-power? I just want to see their box vs a box of 8 h100s b/c that's what people would buy instead, and they can divide tokens and watts if that's the pitch.

> they're trying to compare at iso-power? Yeah they are defining a "rack" as 15kW, though 3x H100 PCIe is only a bit over 1kW. So they are assuming GPUs are <10% of rack power usage which sounds suspiciously low.

Scaling long-running autonomous coding (cursor.com)

I was excited to try it out so I downloaded the repo and ran the build. However there were 100+ compilation errors. So I checked the commit history on github and saw that for at least several pages back all recent commits had failed in the CI. It was not clear which commit I should pick to get the semi-working version advertised. I started looking in the Cargo.toml to at least get an idea how the project was constructed. I saw there that rather than being built from scratch as the post seemed to imply that almost every core component was simply pulled in from an open source library. quickjs engine, wgpu graphics, winit windowing & input, egui for ui, html parsing, the list goes on. On twitter their CEO explicitly stated that it uses a "custom js vm" which seemed particularly misleading / untrue to me. Integrating all of these existing components is still super impressive for these models to do autonomously, so I'm just at a loss how to feel when it does something impressive but they then feel the need to misrepresent so much. I guess I just have a lot less respect and trust for the cursor leadership, but maybe a little relief knowing that soon I may just generate my own custom cursor!

Of 63295 workflow runs, apparently only 1426 have been successful. It's hard to avoid the impression that this is an unverified pile of slop that may have actually never worked. The CI process certainly hasn't succeeded for the vast majority of commits. Baffling, really.

The moment all code is interacted with through agents I cease to care about code quality. The only thing that matters is the quality of the product, cost of maintenance etc. exactly the thing we measure software development orgs against. It could be handy to have these projects deployed to demonstrate their utility and efficacy? Looking at PRs of agents feels a wrong headed, like who cares if agents code is hard to read if agents are managing the code base?

We don't read the binary output of our C compilers because we trust it to be correct almost every time. ("It's a compiler bug" is more of a joke than a real issue) If AI could reach the point where we actually trusted the output, then we might stop checking it.

Define "from scratch" in "building a web browser from scratch". This thing has over 100 crates as dependencies... To implement css layouting, it uses Taffy, a crate used by existing browser implementations...

And it's not necessarily a bad move to use all those dependencies, but you're right it makes the claim shady. I can create a web browser in under a minute in Copilot if I ask it to build a WinForms project that embeds the WebView2 "Edge" component and just adds an address bar and a back button.

[flagged]

Please don't cross into personal attack on HN. https://news.ycombinator.com/showhn.html