Passive interference like this isn’t illegal, although you might have a lawsuit if a customer gets injured and it takes a few extra seconds for someone to step outside and dial 911 (people will sue over anything). It’s active jamming that violates FCC regulations.
Hi, I have worked in numerous shielded environments, built one, and am in the process of building a second.
Wifi works perfectly fine inside a shielded enclosure, if both the AP and the client are inside the shield. It should not work across the shield, if the AP is inside and the client is outside, or vice versa. (If that worked, it wouldn't be a very good shield.)
It is entirely plausible, practical, and not even all that hard, to build precisely the environment described up-thread. "Magnetic" paint is not necessary, it just has to be conductive. Ecofoil® Ultra NT® is my favorite shielding material, it's good as a radiant energy barrier (say, to keep your hot roof from radiating heat down at your attic) and as a radiant signal shield. Which makes sense, when you consider that RF is just RF is just RF. Filtered power passthroughs aren't particularly hard (Start with the Delta 20DBAG5 and add some ferrite beads), and if you really want to be snazzy with your data passthrough, use fiber. There are all sorts of cheap-and-cheerful ethernet switches with SFP slots now.
The door seals are the tricky part. Commercial shielded enclosures go all-out with complicated lever-actuated doors that wouldn't feel out-of-place on a bank vault, but I've found that simply sanding the paint off a commercial steel door and covering the bare steel with copper tape, then engaging it with beryllium-copper spring finger-stock around the doorjamb, is sufficient for about 60-80dB of isolation, which is plenty in many environments.
Good to know! I only knew about the magnetic paint because a company I worked for a long time ago wanted to put up big mural-like pictures throughout the office space and decided to mount them on magnets and cover the walls in magnetic paint so they would stick. But then some of our conference rooms couldn't get good wifi even though the AP was right next door... We only figured out later (after putting hard-wired APs in every room LOL) that it was because of the magnetic paint.
Inside of the cage it'll be fine. It just won't do great traversing the boundary. As long as there's a WAP/antenna inside the cage everything inside the cage will get a signal.
The ones you hear about are caught quickly, I’m more worried about the non obvious ones. So far none of these have been as simple as changing a true to a false and bypassing all auth for all products or something, and would that be caught by an automated scanner?
There are definitely levels to this. Yes I think it can be caught by automated scanners in theory. Either commit by commit scanning and reproducible builds or fuzzing and getting the behavioral differences between versions
Ironically I used a LLM to write a bypass for this ridiculous tool, doing hashing in a browser makes no sense, Claude's very bad implementation of it in C does tens of megahash a second and passes all of the challenges nearly instantly. It took about 5 minutes for Claude to write that, and it's not even a particularly fast implementation, but it beats the pants off doing string comparisons for every loop in JavaScript which is what the Anubis tool does.
for (; ;) {
const hashBuffer = await calculateSHA256(data + nonce);
const hashArray = new Uint8Array(hashBuffer);
let isValid = true;
for (let i = 0; i < requiredZeroBytes; i++) {
if (hashArray[i] !== 0) {
isValid = false;
break;
}
}
It's less proof of work and just annoying to users, and feel good to whoever added it to their site, I can't wait for it to go away. As a bonus, it's based on a misunderstanding of hashcash, because it is only testing zero bytes comparison with a floating point target (as in Bitcoin for example), the difficulty isn't granular enough to make sense, only a couple of the lower ones are reasonably solvable in JavaScript and the gaps between "wait for 90 minutes" and "instantly solved" are 2 values apart.
>It's less proof of work and just annoying to users, and feel good to whoever added it to their site,
this is being disproved in the article posted:
>And so Anubis was enabled in the tar pit at difficulty 1 (lowest setting) when requests were pouring in 24/7. Before it was enabled, it was getting several hundred-thousand requests each day. As soon as Anubis became active in there, it decreased to about 11 requests after 24 hours, most just from curious humans.
apparently it does more than annoying users and making the site owner feel good (well, i suppose effective bot blocking would make the site owner feel quite good)
> After 2 minutes at 150 kHashes on mobile, I finally see the first pixel of the progress bar filling up. Seems like it will take hours or a day to finish. Some estimate would have been nice.
Literally the grandparent of the comment chain you're responding to.
Yes, Anubis is just non standard and obscure, the proof of work bit is completely irrelevant (except for getting people on their phone to not visit your website).
It doesn't matter if your hottest loop is using string comparisons, as another poster pointed out in C you aren't even doing the majority of the second hash because you know the result (or enough of it) before finishing it. The JavaScript version just does whole hashes and turns them into a Uint8Array, then iterates through it.
I dont understand what you mean. Are you saying that in C you only calculate the first few digits of the hash? That's not how sha256 works.
Edit: oh i think you mean in c the string comparison short curcuits. I would expect the same to be true in javascript too. Its true in most languages.
Maybe you are just worried about general language overhead, which is a fair point. Is the anubis check even using multiple threads? For the c case, the real benefit wouldn't be if you can use C, but if you can use the GPU.
The whole thing is kind of silly though. SHA256 is a terrible choice of hash for PoW. They should be using argon2 or something memory heavy.
The language matters, but your original guess was actually correct, you can do tricks with sha256 where you only end up calculating a fraction of the total double hash in order to get a pass or fail.
Modern bitcoin miners do a double sha256 hash and increment in just a little bit more than a single hash of work. The input is 80 bytes, which is two compression rounds of 64 bytes in sha256, only the data in the second round has changed (the appended nonce), so you don’t bother doing the first compression round again. With other quirks you can end up doing multiple hashes at once “asicboost” due to partial collisions within the input too.
Oh good point. It looks like anubis is using 64 byte random plus a nonce. Unless i'm missing something it seems like using 56 bytes random plus 8 byte nonce would be a better design or maybe hmac'ing the nonce & data together.
But then again using sha256 doesn't make sense at all.
Maybe post your brilliant solution to commercial companies with hundreds of millions in funding unrestrained bot scraping the Internet for AI training instead of complaining about people desperate to rein it in as individuals.
Anybody can prompt Claude to implement this, which was my point, it doesn't stop bots because a bot can literally write the bypass! My prompt was the proof of work function from the repository, asked it to make an implementation in C that could solve it faster, and that was about it.
This is fallacious and extremely disrespectful (or even malicious?). You don't have to propose a way to fix a broken thing to point out that it's broken.
Normal and sane people understand this intuitively. If someone goes to a mechanic because their car is broken and the mechanic says "well, if you can tell that you car is broken, then you should be able to figure out how to fix it" - that mechanic would be universally hated and go out of business in months. Same thing for a customer complaining about a dish made for them in a restaurant, or a user pointing out a bug in a piece of software.
I've never had any issues with brand name, not dollar store power banks and I've been using them for more than a decade. I'd totally expect a $5 pink power bank from a alphabet amazon seller to be an issue, but anything modern and reasonable like Anker are very unlikely to cause you any issues. Balancing, protection are very much solved issues at this point for the cell chemistries we use.
If LiPo was the issue, using LiFePo4 or LTO cells for planes would be a totally reasonable alternative too. LTO cells are so safe the manufacturer of them has videos on youtube of them hammering nails into the cells, cutting them with a saw, and crushing them with a press and they don't really care.
That's a bit surprising to me, wonder what the root cause of that was. It seems to be shared across multiple products at once so maybe they had a bad batch of cells?
I'm sure people do. People will buy the absolute shittiest things to save a buck. The power bank could come with a skull and crossbones painted on it, and have the product name "Deadly Explosive Power Bank" and people would still buy it if it was $10 cheaper than a reputable one.
That's a kind of meaningless comparison. Peanuts are about 8kJ per gram supposedly, by your measure we should ban even small amounts of peanuts on planes because 100 grams of them contain more energy than a hand grenade. Without talking about the time frame over which the energy can be released you'd have to make sure that everybody went onto the plane completely naked lest their clothes ignited.
Not good enough, body fat contains about 35kJ per gram. So nobody with over 1lb of excess body should be allowed on board. People are known to occasionally spontaneously combust.
Li-ion fires do not require external oxygen, the cathode decomposes to release its own oxygen gas during thermal runaway... fire extinguishers will not stop it.
> it is possible that we'll find relations that carry across the entire double-SHA-256 pipeline
Bitcoin mining is a partial second preimage of 0x00 though, not a collision, that statement just seems to be so outside the realm of what they’re claiming to have done. Even MD5, the most widely known to be broken hash, would be secure when used in the same way bitcoin uses SHA256 (other than being too short now, bitcoin miners have done 80 bits of work at this point many times over).
Also, a collision on single-sha256 would imply a collision of double-sha256 right off the bat, since the inputs to the second round would be matching. But as you say, a collision attack doesn't do much to BTC mining.
Thanks, you're right. My "it is possible" is doing some heavy lifting there :). We've found theorems (stated in the paper) that carry through 64 rounds, so it is possible that theorems might carry through the full 128 rounds of double-SHA256. Bitcoin's proof-of-work is indeed a "partial second preimage", and constraints a certain number of leading zeros, i.e. a certain number of set bits. It's possible (there we go again) that this could leave enough wiggle room for large algabraic solvers like kissat to satisfy a large number of clauses about them. So far nobody is doing that, and ASICs are very simplistic. However, we are not making any claims about preimage attacks in this paper!
The person who runs archive.today decided to involve me, and every other visitor, in their dispute. They decided to use us to hurt someone else. That's a pretty big sin in my book.
By this logic, the Code Green worm is ethical; forcing a security patch upon users who didn’t install one is obviously Not Evil. And that’s why operating systems aren’t wrong to force security updates on their users using invisible phone-home systems that the users aren’t aware of: it’s a small sin that is entirely justified self defense for the users and the device maker. Clearly we should all be updated to iOS 26 without our consent.
The ‘small sin’ of wielding your userbase as a botnet is only palatable for HN’s readers because the site provides a desirable use to HN’s readers. If it were, say, a women’s apparel site that archived copies of Vogue etc. (which would see a ton of page views and much more effective takedown efforts!) and pointed its own DDoS of this manner at Hacker News, HN would be clamoring for their total destruction for unethical behavior with no such ‘it’s just a evil for so much good’ arguments.
Maintaining ethical standards in the face of desire for the profits of unethical behavior is something tech workers are especially untrained to do. Whether with Palantir or Meta or Archive.today, the conflict is the same: Is the benefit one derives worth compromising one’s ethics? For the unfamiliar, three common means of avoiding admitting that one’s ethics are compromised: “it’s not that bad”, “ethics don’t apply to that”, and “that’s my employer’s problem”. None of those are valid excuses to tolerate a website launching DDoS attacks from our browsers.
archive.today has a documented history of altering the archived content, as such they immediately lose the veil of protection of a service of "public good" in my books.
Just my 2 ¢, not that it really matters anymore in this current information-warfare climate and polarization. :/
What do you want me to address? I'm just pointing out that there are no great archival services, and the only real alternative to archive.today is worse.
>Pay attention to this type of behavior, folks. It's revealing
People are painting this as a mutually exclusive ideological decision. Yet two things can be true:
1) The act of archive.today archiving stories (and thus circumventing paywalls) is arguably v low level illegal (computer miss-use/unauthorized access/etc) but it is up for interpretation whether a) the operator or the person requesting the page carries the most responsibility b) whether it's enforceable in third party countries neither archive.today or the page requester reside in
2) DDoSing a site that writes something bad about you is fundamentally wrong (and probably illegal too)
No, pschastain has malware on their computer. I just hit a ratelimit on another account I was using, and decided it'd be funny if I replied from their own account.
Not really sure if circumventing paywalls is that unlawful across the world, but basically copying and pasting an entire web page is just clear and simple copyright violation.
I know it's petty. But don't act surprised when you find your garbage strewn all over your lawn next morning after you flipped off your neighbor the fourth time.
My first ever programming was with the original brick, I made a scanner with the light sensor and a terrible python script that took the values from the serial port and turned them into a bitmap.
“ Some of this firmware code was written with AI assistance. It currently contains an IPC re-entry, and possibly other bugs that could cause the RP2350 to crash under certain circumtstances. ”
Seems like an admission they’ve not really read the code either.
I guess the question is: would I trust this with a ~35-year old hard drive that I have to baby lest it finally die? Well, I'd rather wait for the (slightly more) inevitable kinks to be ironed out.
reply