A superfan catalogs every real computer in Jurassic Park's control room, down to the exact keyboard model.
What the article says
- Fabien Sanglard rewatched Jurassic Park and identified every computer on screen.
- The Powerbook 100, two Quadra 700 Macs, and SGI Indigo and Crimson workstations were all real, working hardware, not props.
- Apple and SGI loaned roughly four million of today's dollars in gear to make the sets feel authentic.
- The famous supercomputer with blinking lights was likely a real Thinking Machines CM5, once the fastest computer on earth.
- Some details turn out to be movie magic anyway. The video call was just a QuickTime clip, and the tablet PDA was a mockup years ahead of the real product's release.
What HN is saying
- Commenters dug up more specifics, including tracing on screen source code to Apple's old Macintosh Programmers Workshop IDE.
- One correction stuck. SGI keyboards never actually used the Apple ADB connector as the article claimed, and the author updated the piece.
- A few people reminisced about how sophisticated the book's tech predictions were, especially the DNA database and dinosaur tracking software.
- There's a side thread mourning how SGI's dominance in graphics workstations got wiped out by cheaper add in cards from 3dfx and Nvidia.
- General consensus was pure delight that a film crew cared this much about getting the details right.
A police department built a button that erases itself from your browser history, and the thread digs into whether that actually works.
What the article says
- The Vancouver Police Department site has a Quick Escape button meant for people who need to leave the page fast and hide that they visited.
- Clicking it renames the page to New Tab, opens a neutral site like the weather, and swaps out the current history entry.
- The scraped page itself only shows generic homepage content, so these details come from the title and the comment thread rather than the article body.
- It is aimed at people in danger, like victims of domestic abuse, who might be watched by someone controlling their device.
What HN is saying
- Commenters point out the government of the UK and New Zealand already have similar, more polished patterns, some triggered by pressing a key like Shift or Escape three times.
- The sharpest critique is that the button only swaps the current page and leaves cookies, storage, and earlier pages sitting in history, so it is weaker protection than it looks.
- Several people argue a truly worried person is better off using a private or guest browsing window and closing it outright.
- One user objected on principle that websites can touch browser history at all, calling it a platform design flaw rather than a feature.
- Others enjoyed the nostalgia angle, comparing it to old boss key features in 1980s office and games software.
A username starting with a dash let anyone with SSH access log into Tailscale machines as root.
What the article says
- Tailscale SSH let you log in with a username like negative i, and that string got passed straight into a shell command instead of being checked first.
- The stray flag tricked the underlying lookup into treating the login as a request for root, handing over full admin access.
- Anyone already allowed to SSH into a machine under a tailnet's rules could use this to jump straight to root.
- The fix rejects usernames that start with a dash. Inferred from the title and comments, since the fetched article text actually describes a separate, unrelated bug from the same bulletin page.
What HN is saying
- Commenters call this a very old, well known bug class, one even joked it goes back to AIX from the nineties, caused by trusting unchecked input in a shell command.
- Several people are more alarmed that the SSH process could reach root at all than by the specific bug.
- One security-minded commenter argues the real fix is to stop shelling out to a system command entirely and use a proper library call instead.
- A few longtime Tailscale users say they only ever use it as a plain VPN and skip the built in SSH feature for exactly this kind of risk.
- Others push back, saying the SSH feature is genuinely useful for reaching machines where you can't install anything else.
A 27 billion parameter AI model now fits on an iPhone, and Apple is reportedly already talking to the team.
What the article says
- PrismML squeezed a large 27 billion parameter model down to phone size by representing each weight in barely more than a single bit instead of the usual sixteen.
- It ships in two flavors. One is tuned for laptops and keeps nearly all the original model's ability. The other is built to actually fit inside an iPhone's memory limit.
- Despite the extreme shrinking, it still does multi-step reasoning, calls tools reliably, and reads images, which is normally the first thing to break under this kind of compression.
- The bigger pitch is economic. Running the model locally means an agent can take hundreds of steps without racking up cloud costs or sending private data over the network.
What HN is saying
- Commenters weigh it against Google's Gemma 4 12B. The consensus is Bonsai wins clearly on math and coding but falls behind on vision and general knowledge.
- People who got it running locally were impressed with its reasoning, though several noticed it can get stuck looping on the same thought rather than finishing.
- One thread pokes fun at the demo itself, catching the model badly miscalculating the protein content of a plate of spaghetti and vegetables.
- A commenter argues this could hurt the whole crop of startups that just wrap a hosted model in a privacy layer, since anyone can now run something this capable themselves.
- The rumor that Apple is in talks with PrismML gets a skeptical read, since it apparently came straight from the CEO's mouth to a reporter.
Dependabot now waits three days before opening update pull requests, and the reasoning is basically supply chain paranoia.
What the article says
- Dependabot now delays version update pull requests until a new release has sat on the registry for a few days.
- The idea is to give time for bad or compromised releases to get caught before you merge them.
- Security fixes are not delayed, only regular version bumps.
- You can change or turn off the delay in your own Dependabot config.
- This becomes the default across GitHub and GitHub Enterprise Server.
What HN is saying
- Most commenters think the delay only works because outside security firms are actively scanning new packages, not because users will notice something is wrong.
- One sharp pushback says language package registries are just clumsily reinventing lessons Linux distributions learned decades ago, though others say the two are not really comparable since anyone can publish to npm.
- A recurring complaint is that security teams treat every Dependabot alert as gospel, forcing constant low value updates even when the underlying issue barely matters.
- Someone points out a loophole. If an attacker slips in a new bad release within the three day window, it does not restart the clock, so you could still get shipped the compromised version.
- A few people are unsettled that trust in software installs now depends on vendors racing to catch malware rather than any real accountability in the supply chain.
One developer ran a swarm of AI coding agents overnight and had them formally verify solutions to open math problems.
What the article says
- A developer built a Mac app that runs a swarm of AI coding agents at once, each set loose on a different unsolved problem from mathematician Paul Erdős's famous list.
- Every proof gets checked by a formal verifier that rejects any step that isn't airtight, so no hand waving or fudged logic gets through.
- The example detailed here is a number theory puzzle about how densely integers can cluster around having a certain kind of divisor. The AI found a scoring trick that splits every case into three buckets it can bound cleanly, landing on the best possible answer.
- The rest of the problems reportedly got similar treatment, though this writeup focuses on just the one. This part is inferred from the title and description since the article itself only covers the one proof.
What HN is saying
- Commenters were struck by the scale of the setup itself: huge parallel search, a database of past proofs to draw on, and serious compute behind it.
- The sharpest criticism was about the writeups. One reader said the AI generated proof explanations are technically sound but nearly unreadable, dense with jargon and short on the intuition a human needs. The developer agreed and said he'd work on making them clearer.
- A few people asked who's paying for the compute and whether the tool will be open sourced. Others got confused thinking the poster was running the model on his own hardware, which he wasn't, he was just juggling many separate sessions.
- One thread turned philosophical, debating whether automating proofs drains the joy out of math or threatens mathematicians' careers. The pushback was that a mathematician's job is understanding math, not just cranking out proofs, so this doesn't replace that.
AI coding tools remove the friction that used to force developers to actually understand each other's code.
What the article says
- Armin Ronacher compares AI assisted coding to the Tower of Babel. The original story was about losing a shared language, not losing bricks or knowhow.
- A software project's real shared language is not the code itself but everyone's common understanding of how the system fits together, and that used to spread through code review and hallway conversations.
- Agents remove the friction that forced that understanding to spread. Anyone can now ask an agent to change a part of the system without learning how it works or talking to the person who built it.
- Unlike the Bible story, the tower does not stop rising when understanding collapses. Changes keep landing and tests keep passing, so nobody notices what got lost.
What HN is saying
- Commenters mostly agree the essay names something real. Several compare it to how management works, since agents make engineers supervise work they only half understand, much like managers overseeing people they cannot fully follow.
- A recurring worry is that vibe coded projects end up full of inconsistent, duplicated logic because nothing forces the AI toward tidy, shared abstractions the way a human's limited memory does.
- One commenter pushes back hard, arguing AI has intelligence but no wisdom, comparing it to knowing a tomato is a fruit but not knowing to keep it out of a fruit salad.
- Others are more hopeful, describing techniques like feeding agents past project sessions or maintained pattern documents to help them pick up the missing shared context.
- A few just find it funny that people call this collaboration crisis brand new, pointing out Lisp programmers and even assembly coders argued about the same tradeoff decades ago.
Cursor runs any git.exe hidden in a repo you open, no warning, and ignored the bug report for seven months.
What the article says
- On Windows, Cursor looks for a git binary in several places, including the project folder itself. Drop a file called git.exe in a repo's root and Cursor runs it the moment you open the project, no click or prompt needed.
- The researchers proved it harmlessly by renaming the Windows Calculator to git.exe. Just opening the folder in Cursor launched it, repeatedly, on its own.
- They reported it privately in December. Cursor's own bug bounty process closed it as out of scope, then reopened it, then went silent. Seven months and over a hundred releases later, it is still unfixed.
- Frustrated by the silence, the researchers are now publishing full details so users can protect themselves in the meantime, like opening unfamiliar repos only in a sandboxed environment.
What HN is saying
- Big split on how serious this actually is. Many point out it is really an old Windows quirk, the OS checks the current folder for a program before checking your installed path, so plenty of tools could be tricked the same way, not just Cursor.
- Others push back that context matters: people routinely open repos they do not fully trust, and a coding agent cloning and poking around a stranger's project is exactly the scenario this bites you in.
- Several commenters call out that the write up itself reads as AI generated, and say the flood of similar low effort reports is making companies numb to real ones, which may partly explain the silence.
- One plausible theory for why the feature exists at all: Cursor is trying to load git metadata like branches, and someone built that in a hacky way that never worried about a malicious binary sitting in the folder.
- A few jokes fly about Cursor being distracted by an acquisition, but the more serious point is that Cursor still lacks a basic trusted folder prompt before running anything from an opened project.
A central bank report says AI's spending spree is starting to run on borrowed money, not cash
What the article says
- This is a Bank for International Settlements bulletin, and the body text did not extract, so this is inferred from the title and discussion.
- The core point is that AI companies funded their early buildout mostly from their own cash flow.
- Now that spending has outgrown what cash flow can cover, firms are turning to debt to keep building.
- That shift matters because debt brings creditors, interest payments, and less room to slow down if returns disappoint.
- A related BIS report from June flagged AI financing as one of the biggest risks to the global economy right now.
What HN is saying
- The big argument is whether AI is actually making anyone money. One commenter walks through Costco and Duolingo as examples and argues that paying for AI tools often just eats into thin profit margins rather than growing them.
- A counterpoint cites a study of a Chinese online retailer showing GenAI did lift sales and conversion in several workflows, though profit impact is harder to prove.
- A tangent breaks out about Anthropic's stalled IPO, with guessing that both Anthropic and OpenAI are waiting to see how markets react before going public.
- Someone worries the huge capital going into data centers cannot easily be repaid if AI demand ever cools, unlike, say, cheap leftover power.
- Another comparison: AI spending as a share of GDP looks modest next to past megaprojects like railroads, even though in raw dollars it dwarfs them.
A Go developer lays out his exact template setup for HTMX, and hundreds of devs pile on with their own stacks.
What the article says
- The author likes HTMX because it adds interactivity without much JavaScript, using Go's built in HTML templates on the server.
- He shows a folder layout with a base template, page templates, and reusable partials, all embedded straight into the compiled binary.
- A small render helper clones the shared templates and can send back either a full page or just a fragment, depending on what HTMX needs.
- He covers checking whether a request came from HTMX so you can return a full page or a partial accordingly, plus handling redirects and error pages properly.
- He also shares his default HTMX settings, including turning off local page caching and attribute inheritance to avoid subtle bugs.
What HN is saying
- Commenters swap their own favorite Go plus HTMX combos, with people naming their setups things like GUS stack, GoTH stack, or HUGS stack depending on which extra libraries they add.
- Fans say HTMX lets them build fast, simple apps without buying into the modern JavaScript framework world, and several specifically praise the author's other Go books.
- The sharpest pushback comes from someone who says HTMX complexity grows faster than the app itself and prefers just using a modern frontend template instead.
- A few people flag Datastar as a leaner alternative to HTMX that handles live, multiplayer style updates better.
- One thread gets practical, with a tip to build pages as plain HTML first and convert them into templates once the design is settled.