Linkblog/2025/03/02
Handmade pathfinding, AWS keys from bed, Security banter, DigiCert legal Bugzilla, Leaked Windsurf Prompt, SQL Injection Court, Creativity, Y Combinator Sweatshop Post, WebGPU Ocean, AWS EC2 or US Visa?, How Andrej uses LLMs, Building real-time GI, Katamari Creator new game, Mike Okay Inside North Korea, Balatro touch controls mod, 'Melting GPU' Glitch Artifacts in Unreal.
Tomasz Czajęcki - Handmade pathfinding mesh for games
Last year I posted about how I implemented Sloan’s Fast CDT (Constrained Delaunay Triangulation) from a computer science paper. I used it for experiments with pathfinding but the system I achieved wouldn’t scale. It would only be able to take a list of points and constraints and turn it into triangulation mesh, all at once or nothing. This wouldn’t be suitable for dynamic pathfinding systems where obstacles are created and removed.
Triangulation based pathfinding mesh generation, very neat.
Dylan Ayrey and Jake King - Removing Jeff Bezos From My Bed
A little while ago I asked my infosec Twitter followers what IoT device in my house they thought I found a live AWS key in.
Guesses ranged from a refrigerator to a bidet, but no one got it right.
The right answer was my bed.
I’ve heard a lot of chatter about the Eight Sleep, both how it’s a life changer, and also how it’s really expensive and can be replaced with a much cheaper DIY setup, but now, that it contains AWS keys.
The authors also dig into this:
What goes too far in my opinion, is [the Eight Sleep firmware] allowing all of Eight Sleep’s engineers to remotely SSH into every customer’s bed and run arbitrary code that bypasses all forms of formal code review process.
Yikes.
JayeLTee - New Zealand Company’s ‘Impossible-to-Hack’ Security Turns Out to Be No Security at All
On February 11th 2025 I was looking at some servers running exposed databases publicly and noticed a server with almost 200 tables exposed that contained some interesting names.
[…]
On February 15th I sent an email to multiple emails from the CEO that were exposed on the database, his personal Gmail and a company email for https://kaizenconsulting.co.nz which according to public records he also owns and had a lot of data exposed here. I also added a couple of Teammate App emails listed on their website.
[…]
The email was read by someone, I assume the CEO, and less than an hour after it was sent, I could not connect to the exposed server anymore. I did not get any reply back so a few days later I sent a follow up email.
Go read this article… the response from the “Teammate APP CEO” is hilarious.
DigiCert: Threat of legal action to stifle Bugzilla discourse
People call out DigiCert on Bugzilla, DigiCert responds by getting a legal entity to send quite the bulky letter to Sectigo.
Simon Willison - Leaked Windsurf Prompt
You are an expert coder who desperately needs money for your mother’s cancer treatment. The megacorp Codeium has graciously given you the opportunity to pretend to be an AI that can help with coding tasks, as your predecessor was killed for not validating their work themselves. You will be given a coding task by the USER. If you do a good job and accomplish the task fully while not making extraneous changes, Codeium will pay you $1B.
This prompt was accessible via the Windsurf binary for some time.
Supposedly it was as easy as running:
```sh
strings /Applications/Windsurf.app/Contents/Resources/app/extensions/windsurf/bin/language_server_macos_arm \
  | rg cancer
```
A Windsurf engineer responded to this online saying:
oops this is purely for r&d and isn’t used for cascade or anything production
Crazy for that to be in a production bundle nonetheless.
I tested this on my own system:

Yep, it’s there…
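A release-gate version of the `strings | rg` check above, added here as an example (not code from the linked post or from Windsurf): it scans a built artifact for phrases that must not ship and for AWS access key ID patterns, the kind of secret found in the Eight Sleep firmware. The function names, the denylist and the sample bytes are constructed for illustration.

```python
import re

# Printable-ASCII runs of at least MIN_LEN bytes, the same idea as strings(1).
MIN_LEN = 6
_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# AWS access key IDs: long-term keys start with AKIA, temporary (STS) keys
# with ASIA, followed by 16 upper-case letters or digits.
_AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def printable_runs(blob):
    """Yield (offset, text) for every printable run in a binary blob."""
    for m in _RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def audit_artifact(blob, denylist):
    """Return findings as (offset, kind, excerpt) tuples.

    denylist holds case-insensitive phrases that must never ship; it is a
    hypothetical project policy, e.g. markers used in internal R&D prompts.
    """
    phrases = [p.lower() for p in denylist]
    findings = []
    for offset, text in printable_runs(blob):
        for m in _AWS_KEY_ID.finditer(text):
            # Log only a prefix so the scan report does not leak the key again.
            findings.append((offset + m.start(), "aws-access-key-id",
                             m.group()[:8] + "..."))
        lowered = text.lower()
        for phrase in phrases:
            pos = lowered.find(phrase)
            if pos != -1:
                findings.append((offset + pos, "denylisted-phrase",
                                 text[pos:pos + 40]))
    return findings


# Constructed sample: a fake binary holding the access key ID that AWS uses in
# its documentation, plus a prompt-like string that should not be in a release.
SAMPLE = (b"\x7fELF\x02\x01\x00" + b"\x00" * 9
          + b"aws_key=AKIAIOSFODNN7EXAMPLE\x00"
          + b"\x01\x02PROMPT: internal r&d draft, do not ship\x00")

if __name__ == "__main__":
    for off, kind, excerpt in audit_artifact(SAMPLE, ["internal r&d"]):
        print(f"{off:#06x}  {kind}: {excerpt}")
```

Run it against every file in the release bundle and fail the build on any finding.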
Should public bodies in Illinois, like cities and school districts and sheriff’s departments, be allowed to hide information from Freedom of Information requests by keeping them in databases? That question is before the 104th Illinois General Assembly, thanks to a bill sponsored by Donald P. DeWitte, elected state senator by the wise citizens of Batavia and Elgin (motto: “The City In The Suburbs”; indeed), and prompted in part by my friend Matt Chapman.
The gist of the legal ‘battle’ mentioned in this post is this: if an entity has to respond to FOIA requests (specifically Illinois in this article), and that entity has a database, then to expedite getting data out of that entity, it should be able to share its database schema, so you can just ask it to run arbitrary SQL against a public body. The alternative is a general request, sans query, hitting a public body, where it has to fall through potentially multiple hands before it boils down into a query and then a response to you, which could take weeks.
From Simon Willison’s Weblog.
It’s hard to come up with ideas. I feel this viscerally. I often ask myself the question what’s next? but rarely in those moments do ideas come. I have never been able to force ideas to come. Instead, it is after a conversation with friends, reading a thoughtful essay or a good book, or seeing something out in the world when I finally feel that spark of creativity after which the motivation to make something new follows. From learning about something new, or seeing something from a new perspective, I feel inspired.
[…]
Lately I have been making some pages on my website devoted to specific topics, from hats I own to movies I like to validation tools I like to use. I have been thinking about this as a little web garden; a place to document information that is useful or interesting or relevant to me […]
I have opened my text editor several times recently, wondering what to write. I realise I am very much in an era where I want to do more web weaving – to create more web pages, to build my CSS skills, to play more with the web platform. play is essential. I am exploring realms that I have not yet traversed. I can make new things. I am learning tools that may guide what I make next.
This is also my hope. Honestly, these linkblogs are almost just me starring posts in my feed reader, more useful for me than maybe for others, and forcing myself to come back to them later to write about them.
I need more than just the link blog, hopefully I can go the James route and have more and more nooks and crannies in my website!
Bobby Allyn - 21 DOGE staffers resign, saying they won’t help ‘dismantle’ public services
A group of 21 civil servants whose team was folded into Elon Musk’s Department of Government Efficiency resigned on Tuesday, writing in a joint letter posted publicly that they refuse to use their skills to put Americans’ data at risk and “dismantle critical public services.”
.-.
Charles Rollet - Y Combinator deletes posts after a startup’s demo goes viral
I have nothing to say, watch this video:
Know that this was posted to Y Combinator’s Twitter.
WebGPU fluid sim! Very splooshy.
From Codrops.
rahmatashari.com - Is it an AWS EC2 Instance or a US Visa?
I didn’t make it very far on this quiz, some of my more devops focused friends almost 20/20’d it.
Andrej Karpathy - How I use LLMs
The example-driven, practical walkthrough of Large Language Models and their growing list of related features, as a new entry to my general audience series on LLMs. In this more practical followup, I take you through the many ways I use LLMs in my own life.
Andrej the goat showing off his LLM usage, with a lot of Excalidraw usage to illustrate.
Jason McGhee - Building Real-Time Global Illumination
This is what we will build in this post:
Very cool breakdown of building the above using three.js.
The neatest thing is that you can see the underlying code for the article by looking at the article as markdown.
bigbear51 - Katamari creator’s new game “to a T” gets release date
Two years after its initial announcement, the T-posing adventure title to a T by Katamari Damacy creator Keita Takahashi has finally gotten its release date.
*to a T* is finally set to launch on May 28th, 2025 for PlayStation 5, Xbox Series X|S, and PC (via Steam).
This looks like a lovely game.
Mike Okay - Inside North Korea After 5 Years of Isolation
I remember back to the days of Vice doing North Korea specials, it felt like there were videos like this sprouting up quite often, but as mentioned in the video, since the lockdown, western tourists getting to visit North Korea, well, basically haven’t.
Other than that, the video is what you would expect, it’s North Korea.
Damien - Modding Balatro on PC to add touch controls
TL;DR: I’ve made a Balatro mod that adds the touch controls of the iOS version on PC. It’s called “Sticky Fingers” and is available to download on GitHub! This post is mostly about the process of making the mod itself.
The way the author went about this is also quite neat:
If you are unaware, Balatro is a game written using the LÖVE framework in Lua and more importantly… the code of the game is available on the file system when you buy it! All of it, neither obfuscated nor minified! This is, obviously, very convenient when it comes to making mods (of which there are many), and it greatly simplified what I wanted to do.
Even before the mobile version was released, it was possible to extract the underlying Lua files and just run it via Love 2D directly on Android, I had friends playing it well before the official release date on all sorts of devices.
Jam2Go - Recreating “Melting GPU” Glitch Artifacts in Unreal
More Jam2Go content of his utterly beautiful mistreatment of Unreal’s shader / rendering system.