<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: drum55</title><link>https://news.ycombinator.com/user?id=drum55</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 24 Apr 2026 22:41:17 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=drum55" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by drum55 in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>Seems a little pointless, your keys can't be stolen but they can be instantly used by malware to persist across anything you have access to. The keys don't have any value in their own right, the access they provide does.</p>
]]></description><pubDate>Thu, 16 Apr 2026 16:50:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=47796155</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47796155</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47796155</guid></item><item><title><![CDATA[New comment by drum55 in "BlueHammer abuses Windows Defender's update process to gain SYSTEM access"]]></title><description><![CDATA[
<p>More or less, no desktop OS other than Qubes and macOS (to a very limited extent) can handle the user being even vaguely compromised, much less a user with privilege. Keys to the kingdom are already in the user domain, SSH keys, all your emails and photos, contacts, access to other devices in your network. The user can backdoor themselves to get passwords by modifying their own environment, can escalate by modifying the DNS settings of the user's browser to gain more access. Root access by and large is completely irrelevant.</p>
]]></description><pubDate>Sat, 11 Apr 2026 11:20:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=47729605</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47729605</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47729605</guid></item><item><title><![CDATA[New comment by drum55 in "Phone-free bars and restaurants on the rise across the U.S."]]></title><description><![CDATA[
<p>Intentionally interfering with 911 would probably be a poor decision.</p>
]]></description><pubDate>Sun, 05 Apr 2026 18:55:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=47652651</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47652651</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47652651</guid></item><item><title><![CDATA[New comment by drum55 in "Axios compromised on NPM – Malicious versions drop remote access trojan"]]></title><description><![CDATA[
<p>The ones you hear about are caught quickly, I’m more worried about the non-obvious ones. So far none of these have been as simple as changing a true to a false and bypassing all auth for all products or something, and would that be caught by an automated scanner?</p>
]]></description><pubDate>Tue, 31 Mar 2026 05:15:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=47583010</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47583010</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47583010</guid></item><item><title><![CDATA[New comment by drum55 in "The bot situation on the internet is worse than you could imagine"]]></title><description><![CDATA[
<p>The language matters, but your original guess was actually correct, you can do tricks with sha256 where you only end up calculating a fraction of the total double hash in order to get a pass or fail.<p>Modern bitcoin miners do a double sha256 hash and increment in just a little bit more than a single hash of work. The input is 80 bytes, which is two compression rounds of 64 bytes in sha256, only the data in the second round has changed (the appended nonce), so you don’t bother doing the first compression round again. With other quirks you can end up doing multiple hashes at once “asicboost” due to partial collisions within the input too.</p>
]]></description><pubDate>Sun, 29 Mar 2026 20:36:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=47567027</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47567027</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47567027</guid></item><item><title><![CDATA[New comment by drum55 in "The bot situation on the internet is worse than you could imagine"]]></title><description><![CDATA[
<p>Yes, Anubis is just non standard and obscure, the proof of work bit is completely irrelevant (except for getting people on their phone to not visit your website).</p>
]]></description><pubDate>Sun, 29 Mar 2026 20:33:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=47566997</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47566997</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47566997</guid></item><item><title><![CDATA[New comment by drum55 in "The bot situation on the internet is worse than you could imagine"]]></title><description><![CDATA[
<p>Anybody can prompt Claude to implement this, which was my point, it doesn't stop bots because a bot can literally write the bypass! My prompt was the proof of work function from the repository, asked it to make an implementation in C that could solve it faster, and that was about it.</p>
]]></description><pubDate>Sun, 29 Mar 2026 17:37:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=47565292</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47565292</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47565292</guid></item><item><title><![CDATA[New comment by drum55 in "The bot situation on the internet is worse than you could imagine"]]></title><description><![CDATA[
<p>It doesn't matter if your hottest loop is using string comparisons, as another poster pointed out in C you aren't even doing the majority of the second hash because you know the result (or enough of it) before finishing it. The JavaScript version just does whole hashes and turns them into a Uint8Array, then iterates through it.</p>
]]></description><pubDate>Sun, 29 Mar 2026 17:30:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=47565232</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47565232</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47565232</guid></item><item><title><![CDATA[New comment by drum55 in "The bot situation on the internet is worse than you could imagine"]]></title><description><![CDATA[
<p>Bravo, you even implemented the midstate speedup from Bitcoin, that's way more impressive.</p>
]]></description><pubDate>Sun, 29 Mar 2026 17:26:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=47565179</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47565179</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47565179</guid></item><item><title><![CDATA[New comment by drum55 in "The bot situation on the internet is worse than you could imagine"]]></title><description><![CDATA[
<p>Ironically I used an LLM to write a bypass for this ridiculous tool, doing hashing in a browser makes no sense, Claude's very bad implementation of it in C does tens of megahash a second and passes all of the challenges nearly instantly. It took about 5 minutes for Claude to write that, and it's not even a particularly fast implementation, but it beats the pants off doing string comparisons for every loop in JavaScript which is what the Anubis tool does.<p><pre><code>    for (; ;) {
        const hashBuffer = await calculateSHA256(data + nonce);
        const hashArray = new Uint8Array(hashBuffer);

        let isValid = true;
        for (let i = 0; i < requiredZeroBytes; i++) {
          if (hashArray[i] !== 0) {
            isValid = false;
            break;
          }
        }
</code></pre>
It's less proof of work and just annoying to users, and feel good to whoever added it to their site, I can't wait for it to go away. As a bonus, it's based on a misunderstanding of hashcash, because it is only testing zero bytes comparison with a floating point target (as in Bitcoin for example), the difficulty isn't granular enough to make sense, only a couple of the lower ones are reasonably solvable in JavaScript and the gaps between "wait for 90 minutes" and "instantly solved" are 2 values apart.</p>
]]></description><pubDate>Sun, 29 Mar 2026 17:18:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=47565098</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47565098</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47565098</guid></item><item><title><![CDATA[New comment by drum55 in "ICAO issued new power bank restriction on flight"]]></title><description><![CDATA[
<p>That's a bit surprising to me, wonder what the root cause of that was. It seems to be shared across multiple products at once so maybe they had a bad batch of cells?</p>
]]></description><pubDate>Sat, 28 Mar 2026 17:59:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=47556876</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47556876</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47556876</guid></item><item><title><![CDATA[New comment by drum55 in "ICAO issued new power bank restriction on flight"]]></title><description><![CDATA[
<p>I've never had any issues with brand name, not dollar store power banks and I've been using them for more than a decade. I'd totally expect a $5 pink power bank from an alphabet Amazon seller to be an issue, but anything modern and reasonable like Anker is very unlikely to cause you any issues. Balancing, protection are very much solved issues at this point for the cell chemistries we use.<p>If LiPo was the issue, using LiFePO4 or LTO cells for planes would be a totally reasonable alternative too. LTO cells are so safe the manufacturer of them has videos on YouTube of them hammering nails into the cells, cutting them with a saw, and crushing them with a press and they don't really care.</p>
]]></description><pubDate>Sat, 28 Mar 2026 17:31:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=47556655</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47556655</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47556655</guid></item><item><title><![CDATA[New comment by drum55 in "ICAO issued new power bank restriction on flight"]]></title><description><![CDATA[
<p>That's a kind of meaningless comparison. Peanuts are about 8kJ per gram supposedly, by your measure we should ban even small amounts of peanuts on planes because 100 grams of them contain more energy than a hand grenade. Without talking about the time frame over which the energy can be released you'd have to make sure that everybody went onto the plane completely naked lest their clothes ignited.</p>
]]></description><pubDate>Sat, 28 Mar 2026 17:23:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=47556601</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47556601</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47556601</guid></item><item><title><![CDATA[New comment by drum55 in "ICAO issued new power bank restriction on flight"]]></title><description><![CDATA[
<p>There are fire extinguishers and smoke detectors in the holds of aircraft.</p>
]]></description><pubDate>Sat, 28 Mar 2026 17:21:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=47556584</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47556584</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47556584</guid></item><item><title><![CDATA[New comment by drum55 in "We broke 92% of SHA-256 – you should start to migrate from it"]]></title><description><![CDATA[
<p>> it is possible that we'll find relations that carry across the entire double-SHA-256 pipeline<p>Bitcoin mining is a partial second preimage of 0x00 though, not a collision, that statement just seems to be so outside the realm of what they’re claiming to have done. Even MD5, the most widely known to be broken hash, would be secure when used in the same way bitcoin uses SHA256 (other than being too short now, bitcoin miners have done 80 bits of work at this point many times over).</p>
]]></description><pubDate>Fri, 27 Mar 2026 19:13:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=47546983</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47546983</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47546983</guid></item><item><title><![CDATA[New comment by drum55 in "Cloudflare flags archive.today as "C&C/Botnet"; no longer resolves via 1.1.1.2"]]></title><description><![CDATA[
<p>Should providing a public service absolve all sins?</p>
]]></description><pubDate>Sun, 22 Mar 2026 08:14:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=47475457</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47475457</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47475457</guid></item><item><title><![CDATA[New comment by drum55 in "Dumping Lego NXT firmware off of an existing brick (2025)"]]></title><description><![CDATA[
<p>My first ever programming was with the original brick, I made a scanner with the light sensor and a terrible python script that took the values from the serial port and turned them into a bitmap.</p>
]]></description><pubDate>Sat, 07 Mar 2026 23:04:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=47292338</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47292338</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47292338</guid></item><item><title><![CDATA[New comment by drum55 in "ATAboy is a USB adapter for legacy CHS only style IDE (PATA) drives"]]></title><description><![CDATA[
<p>“Some of this firmware code was written with AI assistance. It currently contains an IPC re-entry, and possibly other bugs that could cause the RP2350 to crash under certain circumstances.”<p>Seems like an admission they’ve not really read the code either.</p>
]]></description><pubDate>Tue, 24 Feb 2026 19:27:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=47141520</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47141520</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47141520</guid></item><item><title><![CDATA[New comment by drum55 in "I think WebRTC is better than SSH-ing for connecting to Mac terminal from iPhone"]]></title><description><![CDATA[
<p>What portion of the security-critical code is written by a human? A shell is literally keys to the kingdom in every regard.</p>
]]></description><pubDate>Tue, 24 Feb 2026 19:20:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=47141412</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47141412</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47141412</guid></item><item><title><![CDATA[New comment by drum55 in "Show HN: PIrateRF – Turn a $20 Raspberry Pi Zero into a 12-mode RF transmitter"]]></title><description><![CDATA[
<p><a href="https://raw.githubusercontent.com/psyb0t/piraterf/88c5fc416d9a39d31b0f842d16ab8cab9d387f2e/.gitignore" rel="nofollow">https://raw.githubusercontent.com/psyb0t/piraterf/88c5fc416d...</a><p>That's because it's in the .gitignore.<p>It's just very obviously made with Claude, from the style, to the commits of tens of thousands of lines of code a day, to the parts where Claude commits something sensible and the author goes back to add in curse words. Nobody has ever developed software in the same way that Claude tends to, where suddenly a whole readme appears in a commit fully formatted and filled with emojis.</p>
]]></description><pubDate>Sat, 21 Feb 2026 05:02:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=47097668</link><dc:creator>drum55</dc:creator><comments>https://news.ycombinator.com/item?id=47097668</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47097668</guid></item></channel></rss>