A handful of things that caught my attention this week.


1. Browser-based Tools

Two bookmarks worth keeping close at hand. Squoosh from Google Chrome Labs is a browser-based image compressor: drop an image in, tweak the encoder settings, and watch the file size fall off a cliff. I’ve reached for it a couple of times in the last week and it’s saved me from installing yet another one-off tool. tools.rmv.fyi is a bigger grab bag with color palette tools, image utilities, QR code generation, a pile of calculators, and much, much more. The source for both is available, which is always nice when you’re trusting a tool to process your files.

2. Deleted User

I wrote about gail.com back in March: the domain that receives a mountain of misdirected traffic (and presumably, email) thanks to a single fat-fingered letter. Mike Sheward, an infosec author, went a step further and registered deleteduser.com, then sat back and watched the inbox fill up with mail from banks, hotels, a dating app, and plenty more. He’s since picked up internaluser.com, service-account.com, and various other obvious candidates. He’s reaching out to the organisations involved to let them know, but I gather that the response has been pretty poor. The properly scary bit is that in at least one case he was able to trigger a password reset and log into a real system.

3. 30 Days of an LLM Honeypot

On a similar note, here’s a wonderful Reddit write-up from someone who stood up a fake Ollama instance on a Raspberry Pi 3B – no GPU, 1GB of RAM, a template engine seeded with 500 real responses from an uncensored model – and pretended it was a reckless homelabber running Qwen3-Coder on an RTX 5090. Shodan indexed it in three hours. Thirty days later it had logged 113,314 requests from thousands of IPs, and 23% of that traffic was specifically hunting AI infrastructure: /api/tags, /v1/models, .cursor/rules, /.well-known/mcp.json, paths that only make sense if you know what you’re looking for.

I kinda expected credential theft or crypto miners, but more interesting to me was what they called the “Free Riders”. A firmware engineer in Tunisia firing ten parallel structured-JSON prompts to extract STM32 memory maps from datasheets. A Chinese security researcher running CVE write-ups through the “model” 39 times in 41 minutes because the spoofed output didn’t match their parser. Someone on AWS Stockholm trying to proxy Claude API calls through the endpoint for free inference. The whole thing is worth reading in full.
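For anyone wanting to measure the same thing on their own hosts, here is an added example (not from the Reddit write-up) that tallies requests for the four AI-infrastructure paths listed above in a combined-format access log. The log lines are constructed, and treating .cursor/rules as rooted at / is an assumption.

```ruby
# Probe paths named in the write-up; the leading slash on .cursor/rules is an assumption.
AI_PROBE_PATHS = %w[/api/tags /v1/models /.cursor/rules /.well-known/mcp.json].freeze

# Common/combined log format: ip - - [time] "METHOD target PROTO" status ...
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) /

# Constructed sample lines using documentation IP ranges, not honeypot data.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [01/May/2025:10:00:01 +0000] "GET /api/tags HTTP/1.1" 200 512 "-" "curl/8.5.0"
  192.0.2.10 - - [01/May/2025:10:00:02 +0000] "GET /v1/models?limit=5 HTTP/1.1" 200 230 "-" "curl/8.5.0"
  198.51.100.7 - - [01/May/2025:10:01:10 +0000] "GET /%2Ecursor/rules HTTP/1.1" 404 0 "-" "python-requests/2.31"
  198.51.100.7 - - [01/May/2025:10:01:11 +0000] "GET //.well-known/mcp.json HTTP/1.1" 404 0 "-" "python-requests/2.31"
  203.0.113.5 - - [01/May/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
  203.0.113.5 - - [01/May/2025:10:02:05 +0000] "GET /api/tagsoup HTTP/1.1" 404 0 "-" "Mozilla/5.0"
  203.0.113.9 - - [01/May/2025:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0"
  not a log line
LOG

# Reduce a request target to a comparable path: drop query/fragment, decode
# printable-ASCII percent escapes once, collapse repeated and trailing slashes.
def normalise(target)
  path = target.split(/[?#]/, 2).first.to_s
  path = path.gsub(/%([2-7][0-9a-fA-F])/) { Regexp.last_match(1).hex.chr }
  path = path.squeeze("/")
  path.length > 1 ? path.chomp("/") : path
end

# Count probe requests overall and list the probed paths per source IP.
def ai_probe_report(log_text)
  total = 0
  hits = Hash.new { |h, ip| h[ip] = [] }
  log_text.each_line do |line|
    m = LOG_LINE.match(line) or next # skip lines that do not parse
    total += 1
    path = normalise(m[:target])
    # Exact match only, so /api/tagsoup is not counted as /api/tags.
    hits[m[:ip]] << path if AI_PROBE_PATHS.include?(path)
  end
  probes = hits.values.sum(&:size)
  { total: total, probes: probes,
    share: total.zero? ? 0.0 : (100.0 * probes / total).round(1),
    by_ip: hits.transform_values(&:uniq) }
end

p ai_probe_report(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

Point it at a real log with `ai_probe_report(File.read(path))`; any hits on a host that runs no model server are scanner traffic.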

4. More Ruby Desktop/Mobile App Libraries

Also in that same March issue I covered Shoes and a few of the newer libraries for building desktop apps in Ruby. Three more have crossed my desk since:

  • wxRuby3: bindings to wxWidgets, with the latest release announced on the Ruby Users Forum.
  • RubyNative: a (paid) option for turning a Rails app into an iOS app without leaving Ruby.
  • kredki: an interesting one that builds on ThorVG and SDL, so you get vector rendering and a proper game-dev-style event loop under the hood.

I used wxWidgets for a project back in the early naughties with C++, so it’s fun to see that it’s both still running (Wikipedia tells me it was started in 1992) and that there are Ruby bindings for it.

And speaking of x-platform Ruby, we’ve just announced the Ancient & Nameless & Fun & Stupid - A DragonRuby Community Game Jam. This is the 4th annual Keep It Fun And Stupid, Stupid! game jam, and starts May 21st. It’s relaxed and beginner friendly, and (at least) 3 weeks long. DragonRuby will be available free during the jam (Standard Edition, free forever).

If you’ve been looking for an excuse to try your hand at making a game, this is a great opportunity.

5. jemalloc 5.3.1

jemalloc shipped its first release in nearly four years! 5.3.0 came out in 2022, and for a while it looked like that was going to be the end of the story. Meta wound down its investment in the project, and in June 2025 the founder, Jason Evans, published a postmortem saying he didn’t see a viable path forward without hundreds of hours of refactoring to clear the accumulated technical debt. The repo was archived. That felt like that.

But, happily, Meta changed its mind. In March they announced a renewed commitment to jemalloc, the upstream repo was unarchived, and 5.3.1 is the first tangible sign of life: nearly four hundred commits worth of portability fixes, performance work, and modernisation. Worth flagging if you’ve been watching the Ruby side of things: jemalloc is not the default allocator for Ruby, but it’s a popular swap-in because it tends to give long-running Ruby processes noticeably lower memory usage and less fragmentation. The easiest way to get it under a Rails app is the LD_PRELOAD trick in a Docker image: this Gist from jjb shows how to do it, and Nate Berkopec’s write-up is still the clearest explanation of why it helps.