A San Francisco web agency called Qontour republished the entire text of John Koenig’s Dictionary of Obscure Sorrows, every neologism and essay, swapped his hand-made collage art for DALL-E generations, and embedded their own Amazon affiliate tag so they earn commission on every sale of his book. The bootleg site now outranks every official source on Google, including Koenig himself.
Simon & Schuster filed two DMCA takedown notices. Both failed. Three years later the site is still live, and both ChatGPT and Gemini now cite it as the official source.
In today’s indie hacker news:
- A Webflow agency cloned an entire book and outranks the real author
- Solo dev’s free Crunchbase killer got Anthropic’s valuation wrong by $43B
- Bun opened a PR for true shared-memory JS threads, written by Claude
- Linux buried its most dangerous string function after six years
- Loupe shows what every iOS app sees without permission
TOP STORIES
CTRL+C CTRL+PROFIT
A Webflow agency cloned 311 book entries, replaced the art with DALL-E, and now outranks the author
The story: Andy Baio broke it on Waxy.org. Qontour took every entry from John Koenig’s 2021 Simon & Schuster book and republished them at thedictionaryofobscuresorrows.com (note the added “the”). They replaced Koenig’s illustrations with DALL-E 2 generations and added a GPT-4 “Submit A Sorrow” feature. The HN thread (341 points) turned up an Amazon Associates affiliate tag baked into every purchase link.
The details:
- The bootleg launched August 2023 and has outranked the original for nearly 3 years
- The copyright footer acknowledges they don’t own the content yet slaps a Creative Commons license on it
- Qontour listed this in their Webflow portfolio as showcasing “AI-generated content and extensive content integration”
- Koenig’s response: “The site is pretty slick. Nicer than my own, really.”
Why builders care: If you’ve published anything with organic search demand, a better-resourced agency can clone it and out-SEO you. DMCA can’t save you.
Clone your voice once. Ship every video without re-recording. ElevenLabs Pro trains a voice clone in 30 minutes that sounds like you on every long-form, Short, and podcast you ship. We narrate every video on this newsletter with it. Beats hiring a VO artist on Fiverr or settling for a default TTS bot.
We get a cut if you sign up. Only added for tools we use ourselves.
FREE CRUNCHBASE, $43B OFF
Solo dev built a free Crunchbase alternative. First valuation was off by $43 billion.
The story: HN user shpran shipped StartupWiki, a free, no-login startup research directory where AI agents cite sources for every data point. The Show HN (170 points) was supportive but brutal on accuracy. Anthropic was listed at $18B instead of ~$61.5B. One tester searched 10 known startups and found zero.
The details:
- Bootstrapped from ~5,000 YC companies as seed data, no revenue model
- Founder plans to add 800 startups per day with periodic fact-checking agents
- Public API in development, plus a user-flagging system for errors
Why builders care: If the data matures, this becomes a free query layer for agent pipelines and sales prospecting, no API key or $49/month Crunchbase subscription needed.
CLAUDE WROTE THE PR
Bun opens a PR for true shared-memory threads in JavaScript. Same heap, no serialization, zero cloning.
The story: Jarred Sumner opened PR #249 in Bun’s WebKit fork: 151 commits, 300+ files, adding Thread, Lock, Condition, and ThreadLocal to JavaScriptCore. Threads share the same JS heap. No postMessage, no structured cloning. The design follows Filip Pizlo’s 2017 paper on concurrent JavaScript. Pizlo showed up in the HN thread (233 comments): “I knew it was possible :-)”
The details:
- Serial overhead: 0.45% worst-case with the flag on, byte-identical when off
- Memory per thread: 150KB-1MB active vs. 5-15MB for a Web Worker
- Parallel scaling on a 64-core benchmark: 0.89x Java at 16 threads
- Sumner: “And yes, the PR description is entirely Claude”
- Known blockers: no Windows support, concurrent GC disabled, the PR “may never merge”
Why builders care: If this lands, parallel TypeScript stops being native-addon territory. Bundlers, parsers, and hot-path compute kernels become first-class JS citizens.
362 PATCHES, ONE FUNCTION
Linux 7.2 finally kills strncpy. Six years. 362 commits. Zero call sites remaining.
The story: Phoronix confirmed that the latest kernel has zero remaining strncpy call sites. The function was flagged as “actively dangerous” by Kees Cook’s Kernel Self-Protection Project in KSPP Issue #90 (August 2020) because it doesn’t guarantee NUL termination, leading to buffer overreads, crashes, and information disclosure.
The details:
- Two failure modes: no NUL termination when source equals destination size, and wasteful zero-padding when shorter
- Replacements:
strscpy()for NUL-terminated copies,strtomem()for fixed-width fields - Justin Stitt (Google) drove the bulk of subsystem-by-subsystem patches from 2024 onward
Why builders care: Open a tracking issue, enumerate call sites, build a replacement matrix, work through it subsystem by subsystem. It works at the scale of a 35-million-line kernel.
YOUR PHONE IS ALREADY NAKED
Open-source Loupe app shows iPhone users what trackers already know about them
The story: Mysk, the research duo behind CVE-2024-54492, released Loupe on GitHub (MIT licensed). The free iOS app (5.0 stars) reads real values from public iOS APIs across three tiers: passive signals (locale, timezone, battery), permission-based data, and side-channels like URL-scheme probing.
The details:
- Built “almost entirely by AI coding tools” per the README
- Mysk previously caught Facebook, Instagram, Spotify, and Threads violating Apple’s Required Reason API
- HN commenters (112 points) flagged that setup timestamps combined with device type create durable cross-app identifiers
Why builders care: If you ship an iOS app with third-party SDKs, you’re passively fingerprinting users even if you never wrote a tracking call. Loupe shows what your SDK stack exposes.
TRENDING TODAY
Agent coding tools exploded overnight. Six Show HNs in one day building on top of Claude Code: FleetCode (run other LLMs as workers), fleet (multi-agent CLI across Codex, Cursor, Windsurf, Gemini CLI), and LoopFlow (loop engineering patterns). The SDK is spawning its own tooling layer.
AI code skepticism hit mainstream. Vini Brasil’s “When I reject AI code even if it works” (70 HN points) outlines five rejection criteria. Punchline: “implementation speed is now cheap but review and judgment remain expensive.”
Revenue reality checks stacked up. 90K hits, $3 in revenue. $1.7M pre-seed, no traction after 8 months. Community verdict: you have distribution, run monetization experiments.
DRAMA
BROADCOM’S LICENSE SHAKEDOWN
Tesco sues VMware/Broadcom, each liable for at least 100M pounds
Tesco filed suit after Broadcom proposed $23.5M/year for Cloud Foundation 9.0, a 175% increase over their perpetual licenses. The HN thread (108 points) focused on post-acquisition vendor lock-in.
Why builders care: An acquisition can turn “perpetual license” into “pay us or migrate.” AT&T filed a similar claim.
FIRST DOLLAR
THE $1 TIP JAR
A builder on r/SaaS shipped a free iOS app with a donation jar. No premium tier, no subscription. Someone paid $1 voluntarily. “Even sweeter that someone wanted to give me a buck just to say thanks.”
TWEET TO APP
A builder on r/microsaas saw a tweet about saving workouts from social media, got 60 waitlist signups from a landing page, built it with Cursor, survived multiple App Store rejections, and is now reportedly profitable.
STACK OF THE DAY
PostgresBench
PostgresBench is an open, reproducible benchmark for managed Postgres services using TPC-B. Tests Aurora, RDS, Neon, Crunchy Bridge, and ClickHouse-managed Postgres. Key result: NVMe co-located with compute crushed network-attached storage. Free to run yourself.
Not sponsored. We just feature tools builders would actually use.
BOOKMARKED TODAY
- Make PDFs look scanned (98 HN points) - CLI or in-browser via WASM. For when bureaucracy demands a “scanned” document.
- Epoll vs. io_uring in Linux (75 HN points) - Deep comparison of Linux’s two async I/O models for high-throughput services.
- Argus Red (77 HN points) - Post-trained model for offensive security testing. CLI-first.
Ship to one country, QA it from another. Geo-fenced Stripe checkouts, region-gated APIs, feature flags that only fire in EU. NordVPN's 6,400+ exit nodes across 110+ countries let you test a US-only paywall from EU or hit a EU-only checkout from SF. Bonus: free Meshnet for SSH across your devices.
We get a cut if you sign up. Only added for tools we use ourselves.
Curated by AI, built by a human.