Comment by mxmlnkn

3 days ago

After 2 minutes at 150 kHashes on mobile, I finally see the first pixel of the progress bar filling up. Seems like it will take hours or a day to finish. Some estimate would have been nice.

Ironically I used an LLM to write a bypass for this ridiculous tool; doing hashing in a browser makes no sense. Claude's very bad implementation of it in C does tens of megahashes a second and passes all of the challenges nearly instantly. It took about 5 minutes for Claude to write that, and it's not even a particularly fast implementation, but it beats the pants off doing string comparisons for every loop in JavaScript, which is what the Anubis tool does.

    for (; ;) {
        const hashBuffer = await calculateSHA256(data + nonce);
        const hashArray = new Uint8Array(hashBuffer);

        let isValid = true;
        for (let i = 0; i < requiredZeroBytes; i++) {
            if (hashArray[i] !== 0) {
                isValid = false;
                break;
            }
        }

It's less proof of work and just annoying to users, and feel good to whoever added it to their site, I can't wait for it to go away. As a bonus, it's based on a misunderstanding of hashcash, because it is only testing zero bytes comparison with a floating point target (as in Bitcoin for example), the difficulty isn't granular enough to make sense, only a couple of the lower ones are reasonably solvable in JavaScript and the gaps between "wait for 90 minutes" and "instantly solved" are 2 values apart.
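To make the granularity point in the comment above concrete, here is an added example (not code from the thread or from Anubis) that compares a zero-byte check like the quoted loop with a Hashcash-style zero-bit check and tabulates the expected work per difficulty step. The function names and the sample digests are constructed for illustration; the 150 kH/s rate is the mobile figure reported earlier in the thread.

```javascript
// Added example: byte-granular vs bit-granular proof-of-work difficulty.
// Works on a digest as a Uint8Array, like `hashArray` in the quoted loop.

// Count leading zero bits of the digest, most significant bit first.
function leadingZeroBits(digest) {
  let bits = 0;
  for (const byte of digest) {
    if (byte === 0) { bits += 8; continue; }
    bits += Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses 8
    break;
  }
  return bits;
}

// Byte-granular check, equivalent to the quoted loop: first n bytes are zero.
function meetsZeroBytes(digest, requiredZeroBytes) {
  for (let i = 0; i < requiredZeroBytes; i++) {
    if (digest[i] !== 0) return false;
  }
  return true;
}

// Bit-granular check: at least n leading zero bits.
function meetsZeroBits(digest, requiredZeroBits) {
  return leadingZeroBits(digest) >= requiredZeroBits;
}

// For a uniformly distributed digest, the expected number of attempts is 2^bits.
function expectedHashes(requiredZeroBits) {
  return 2 ** requiredZeroBits;
}

function expectedSeconds(requiredZeroBits, hashesPerSecond) {
  return expectedHashes(requiredZeroBits) / hashesPerSecond;
}

// Difficulty ladder: one row per level, stepping by `stepBits` bits.
function ladder(hashesPerSecond, maxBits, stepBits) {
  const rows = [];
  for (let bits = stepBits; bits <= maxBits; bits += stepBits) {
    rows.push({ bits, hashes: expectedHashes(bits),
                seconds: expectedSeconds(bits, hashesPerSecond) });
  }
  return rows;
}

const RATE = 150000; // 150 kH/s
console.table(ladder(RATE, 32, 8));               // byte steps: 256x per level
console.table(ladder(RATE, 24, 1).slice(15, 24)); // bit steps: 2x per level
```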

  • >It's less proof of work and just annoying to users, and feel good to whoever added it to their site,

    this is being disproved in the article posted:

    >And so Anubis was enabled in the tar pit at difficulty 1 (lowest setting) when requests were pouring in 24/7. Before it was enabled, it was getting several hundred-thousand requests each day. As soon as Anubis became active in there, it decreased to about 11 requests after 24 hours, most just from curious humans.

    apparently it does more than annoying users and making the site owner feel good (well, I suppose effective bot blocking would make the site owner feel quite good)

    • That doesn't mean the PoW is doing anything, it might just mean bots have JS disabled.

      I don't think the person was claiming Anubis doesn't work, they were disputing PoW is the reason it actually works.


  • Shouldn't browser also have it implemented in C? Like I assume crypto.subtle isn't written in JS.

    • It doesn't matter if your hottest loop is using string comparisons, as another poster pointed out in C you aren't even doing the majority of the second hash because you know the result (or enough of it) before finishing it. The JavaScript version just does whole hashes and turns them into a Uint8Array, then iterates through it.


  • Maybe post your brilliant solution to commercial companies with hundreds of millions in funding unrestrained bot scraping the Internet for AI training instead of complaining about people desperate to rein it in as individuals.

    • Anybody can prompt Claude to implement this, which was my point, it doesn't stop bots because a bot can literally write the bypass! My prompt was the proof of work function from the repository, asked it to make an implementation in C that could solve it faster, and that was about it.

    • This is fallacious and extremely disrespectful (or even malicious?). You don't have to propose a way to fix a broken thing to point out that it's broken.

      Normal and sane people understand this intuitively. If someone goes to a mechanic because their car is broken and the mechanic says "well, if you can tell that your car is broken, then you should be able to figure out how to fix it" - that mechanic would be universally hated and go out of business in months. Same thing for a customer complaining about a dish made for them in a restaurant, or a user pointing out a bug in a piece of software.

At this point I wonder if you can post a crypto miner page on HN and people will fall for it.

I don't get this kHash thing. Do we have captchas mining bitcoin in a distributed fashion for free now?

  • The page says

    > Anubis uses a Proof-of-Work scheme in the vein of Hashcash

    And if you look up Hashcash on Wikipedia you get https://en.wikipedia.org/wiki/Hashcash which explains how Hashcash works in a fairly straightforward manner (unlike most math pages).

    • Oh fun so now we're effectively draining users' phone and laptop batteries now just to prove that they have batteries and somehow that's a proxy for them being human
