Hacker News: varun_ch

New comment by varun_ch in "Doom, Played over Curl"

varun_ch — Sun, 12 Apr 2026 18:55:17 +0000

Oh wait I didn't even register that! yeah of course you can do anything in a terminal using curl if you're piping to bash!!!

New comment by varun_ch in "Doom, Played over Curl"

varun_ch — Sun, 12 Apr 2026 15:33:34 +0000

One interesting side effect of having a LLM write the thing including the README, is that the models tend to leave little hints of the authors intention or prompt as over-explained passages that make it obvious that AI help was used.

https://github.com/xsawyerx/curl-doom?tab=readme-ov-file#how...

eg. > A browser hitting the same URL gets a tiny landing page that just shows the one-liner

it’s subtle but once you notice it, it’s hard to miss.

As an aside, I feel like projects like this used to be really fun and impressive (I guess due to the fact that you’d think “Wow a human put their time into this wacky crazy thing”), whereas now you can have Claude consistently crap out something like this in 5 minutes, so it ruins the whole appeal to me…

New comment by varun_ch in "Show HN: Eve – Managed OpenClaw for work"

varun_ch — Sat, 11 Apr 2026 00:27:01 +0000

hosting user content on the main domain seems like a Bad Idea..

New comment by varun_ch in "Veracrypt project update"

varun_ch — Wed, 08 Apr 2026 15:21:17 +0000

If someone was a bad actor, right now would be a pretty good time to start exploiting zero days in WireGuard…

New comment by varun_ch in "Ex-Meta worker investigated for downloading 30k private Facebook photos"

varun_ch — Wed, 08 Apr 2026 01:58:49 +0000

That is not standard even today. The main threat is in transit over the network, which https/TLS solves, but obviously this won’t stop error traces or logging on the server from including request bodies.

If you do hash locally (not sure I’ve seen any big players do this), you also need to be hashing server side (or else the hash is basically a plain text password in the database!)

That said, I’m not sure why companies don’t adopt this double hashing approach. Complexity maybe? I know it could limit flexibility a little as some services like to be able to automatically attempt capitalization variations (eg. caps lock inverse) on the server. Anyways in 2026 we should all be using passkeys (if they weren’t so confusing to end-users, and so non-portable)

My university uses prompt injection to catch cheaters

varun_ch — Sun, 05 Apr 2026 21:57:52 +0000

Article URL: https://varun.ch/til/prompt-injection-catch-cheaters/

Comments URL: https://news.ycombinator.com/item?id=47654317

Points: 112

# Comments: 62

New comment by varun_ch in "Gone (Almost) Phishin'"

varun_ch — Thu, 02 Apr 2026 13:13:12 +0000

Microsoft is really bad with this. Login might be live.com or microsoftonline.com or maybe onmicrosoft.com. I went to report a vulnerability to their security portal this week and it redirected me to b2clogin.com.

OneDrive email attachments link to, I kid you not, 1drv.ms, or maybe it was 1drv.com…

Not to mention, they use .ms as if it’s their personal TLD, but obviously anyone can register a .ms domain. It’s like they want people to get phished.

New comment by varun_ch in "We intercepted the White House app's network traffic"

varun_ch — Wed, 01 Apr 2026 03:49:01 +0000

that said, mitming stuff even on Android can be a pain, so I use a rooted Android emulator with Frida. Even that can be a hassle sometimes.

https://www.trickster.dev/post/setting-up-rooted-android-emu...

New comment by varun_ch in "We intercepted the White House app's network traffic"

varun_ch — Wed, 01 Apr 2026 03:47:39 +0000

Yes, it is _a lot_ easier to set up mitmproxy on iOS vs Android. But once you encounter an app with certificate pinning, being on a more open platform that lets you install your own apps can help get around that.

New comment by varun_ch in "Font Smuggler – Copy hidden brand fonts into Google Docs"

varun_ch — Tue, 17 Mar 2026 13:22:08 +0000

I knew about this for Google’s own fonts but had no idea they offered the option to use custom fonts. Is there any easy place to find a list of them? I wonder if the custom fonts are just hardcoded/pushed to their CDN alongside all the other ones.

New comment by varun_ch in "The “small web” is bigger than you might think"

varun_ch — Mon, 16 Mar 2026 18:43:16 +0000

A fun trend on the "small web" is the use of 88x31 badges that link to friends websites or in webrings. I have a few on my website, and you can browse a ton of small web websites that way.

https://varun.ch (at the bottom of the page)

There's also a couple directories/network graphs https://matdoes.dev/buttons https://eightyeightthirty.one/

New comment by varun_ch in "Quillx is an open standard for disclosing AI involvement in software projects"

varun_ch — Mon, 16 Mar 2026 03:59:15 +0000

A little ironic that the README, SPEC.md and the poster's comment here all smell of LLM writing!

New comment by varun_ch in "Mouser: An open source alternative to Logi-Plus mouse software"

varun_ch — Sat, 14 Mar 2026 16:31:09 +0000

The only way my Logitech MX Master mouse is remotely usable on macOS is with both linearmouse and mos, and that was really disappointing to me, because online, the MX Master mouse is sold as the best Mac mouse. Unbelievable that anyone actually uses it without those tweaks.

Without both, the mouse scroll wheel is so slow, laggy and imprecise. It’s unbelievably bad.

CRusTTY: A pedagogical C interpreter with time-travel debugging capabilities

varun_ch — Wed, 11 Mar 2026 18:57:58 +0000

Article URL: https://github.com/aicheye/crustty

Comments URL: https://news.ycombinator.com/item?id=47339705

Points: 20

# Comments: 2

New comment by varun_ch in "FontCrafter: Turn your handwriting into a real font"

varun_ch — Tue, 10 Mar 2026 02:11:01 +0000

For sure! I was so surprised to see that this was done all in browser. I mean there’s no reason that shouldn’t be possible in 2026 considering there’s services that do this server side, but still it’s always impressive when something like this comes along.

New comment by varun_ch in "“ma” is a minimalistic clone of the acme editor used in Plan 9"

varun_ch — Tue, 10 Mar 2026 02:09:06 +0000

there’s something so beautiful about the plan9 aesthetic https://plan9.io/plan9/img/screenshot-small.png

Wonder if it’s possible to recreate on any mainstream operating system…

New comment by varun_ch in "JSLinux Now Supports x86_64"

varun_ch — Mon, 09 Mar 2026 18:10:45 +0000

Maybe if you’ve got some ancient software that’s missing source code and only runs with X Y and Z conditions, you could continue to offer it on the web and build around it like that? Not sure if that would be practical at all, but could be interesting

New comment by varun_ch in "FontCrafter: Turn your handwriting into a real font"

varun_ch — Mon, 09 Mar 2026 18:08:17 +0000

The website does say that it was ‘vibe coded’[0] so perhaps the author didn’t test it very thoroughly? They apparently do ‘vibe coding’ courses so.. that’s something.

[0] https://arcade.pirillo.com/

New comment by varun_ch in "Wikipedia was in read-only mode following mass admin account compromise"

varun_ch — Thu, 05 Mar 2026 17:53:33 +0000

but any interaction is good for Chrome, like dismissing a cookie banner

Exfiltrating passwords with no interaction using autofill

varun_ch — Thu, 05 Mar 2026 17:45:08 +0000

Article URL: https://varun.ch/posts/autofill/

Comments URL: https://news.ycombinator.com/item?id=47264765

Points: 2

# Comments: 0