HackerTrans
TopNewTrendsCommentsPastAskShowJobs

jwally

no profile record

Submissions

Show HN: My Attempt at QR as a Captcha

qr.arcades.click
4 points·by jwally·letzten Monat·2 comments

[untitled]

1 points·by jwally·vor 2 Monaten·0 comments

AI Powered Exploit Kit

github.com
1 points·by jwally·vor 4 Monaten·0 comments

Show HN: In Browser, Serverless Quake 3 Arena

quake.wolcott.cc
1 points·by jwally·vor 5 Monaten·4 comments

Anonymous Age Verification Demo

app.hornpub.click
2 points·by jwally·vor 10 Monaten·3 comments

Show HN: Free and Anonymous Age Verification Demo

youtube.com
1 points·by jwally·vor 10 Monaten·0 comments

comments

jwally
·vor 13 Tagen·discuss
Maybe I'm not paying close enough attention (probably) - but I feel that China is providing a glimmer of hope that this (only the uber elite can get good AI assistance) isn't true, and we're maybe at a weird inflection point of sorts wrt the leverage that tech can now provide.

China gets sanctions and stale chips - fine, they just DIY the algorithms through CPU instead of GPU and open source it.

American warships have the latest, coolest, highest-tech tactical weaponry imaginable - which is great until you have to fend off 10,000 consumer/wal-mart/IED grade drones at $2mm/clip.

Money is amazing, but if you lean on it too heavily in lieu of _practical_ innovation, it'll bite you in the ass. The apocryphal story of the Soviet Rocket scientist who suggested using a pencil instead of investing 100k in a space pen that worked in 0g's.
jwally
·vor 21 Tagen·discuss
Brutal own goaling by the USA. I'm glad it happened, but the USA had a golden opportunity to subsidize domestic providers for 10 years and lease to China to discourage competition and side innovation.

DeepSeek and Qwen would have been neat parlor tricks, never developed further because the US subsidized mega models would have been too cheap and reliable to make them necessary.

Nope! USA played its hand and forced the world to have to account for its USA exposure risk and deversify. A serious one time use strategic advantage pissed away.

Doesnt really bother me personally per se; but armchair quarterbacking the USA's decisions seem Suboptimal...
jwally
·vor 2 Monaten·discuss
This also exists: https://abrahamjuliot.github.io/creepjs/

TBH, its never anything super exotic (though it helps) but simple stupid basic things like cookies that does 70% of the work here. Also, your IP address at home is _really_stable_.

If I can give you a sticky cookie (cookies, indexdb, localstorage), a half-assed fingerprint, and tie it to your IP-address, and know you're not on a cell-tower; this is probably good enough for most purposes.

Use safari on private relay in private mode.
jwally
·vor 2 Monaten·discuss
[flagged]
jwally
·vor 2 Monaten·discuss
its ease is also vastly inflated. If it was as simple as this site makes it out to be, companies like fingerprint.com don't exist.
jwally
·vor 3 Monaten·discuss
Literally where my head was. Take every negation statement and append "...yet!"
jwally
·vor 3 Monaten·discuss
The world isn't binary. People want to look for jobs and network.

At the same time they don't want their data turned over and sold to the kind of people who scrape LinkedIn.

Plus - Your data is LinkedIn's cash cow. They're not going to leave it out for every Tom, Dick, and Harry to export en masse whenever they want.
jwally
·vor 3 Monaten·discuss
Fingerprint (and its ilk) use a tiered identification system to identify you, with a decrease in confidence with each step down.

They start with a supercookie approach (first-party cookies, third party cookies, indexdb, localstorage, session storage, favicon timing, etc) which is a direct look up, and unique. This is tier-1.

Next they slam as many signals as they can get your browser and network to cough up into an ML db and find your nearest neighbor. If its greater than threshold ${x} - they return its ID with a confidenc of say 85%

If that misses, they slide down to tier 3 which is your IP address plus some browser signals on a TTL so they don't just call everyone with your IP address "you". This is maybe say 50% confident.

Below that, they create a new record.

If you want to beat it - tbh - Safari, especially on IOS is a monster. Most people with an iPhone default to it, and they remove their biggest entropy signals (offlineAudio, canvas profiling), so they're left with almost nothing to work with that is really unique.

Fingerprint _really_ pushes merchants to reverse proxy their services so that they can serve cookies as first party and Apple doesn't nuke them after 1 week. Its complicated and most merchants don't want to diddle with it - but it circumvents adblockers (ps - use an adblocker and call out fingerprint specifically if you want to hit them. LLM to see who else you need to include).

After that, if you're on Apple, use their Apple-VPN service (forget what its called) - which exists _literally_ for this.
jwally
·vor 5 Monaten·discuss
Thanks!

That's really cool - thanks for sharing!
jwally
·vor 5 Monaten·discuss
Sorry about that...public now.

So the whole selling point of this approach is that after coordination with other browsers - the server is completely out of the picture. All telemetry is done peer-to-peer instead of coordinating with a central server for someone to maintain and pay for.
jwally
·vor 6 Monaten·discuss
The API cost...ughhhhh

I set $10 on fire the other day as I was running through some tests.

Like old school arcade games "Please insert more ${money} to keep playing...". Local, smaller, specialized (unix philosophy?) seems like the way to go so you don't bk yourself having AGI distill pintrest recipes to just recipes.
jwally
·vor 6 Monaten·discuss
Thanks for sharing.

For the past month or so I've been slowly having claude build something in the same ballpark. Basically something to nag you to take care of grown-up things so your boss/spouse/local municipality doesn't have to.

I was going to call it "Nagatha Christy", but the joke gets old after 48 hours. At the moment, its called "Jarbis" (old Simpsons reference).

For me, checklists are useful but I suck at creating them, maintaining them, etc. I want this thing to be able to look at my calendar/email/groupme and be able to say things like:

"Hey, you have 2 kid birthday parties this weekend and a soccer game - you're bringing snacks. You want me to update your shopping list?"

or

"The dentist office just sent out a reminder - you have an appointment on Thursday that's not on the calendar. It conflicts with your daily standup. You want me to create a task for you to resolve it?"

Its using: - AWS CDK - Telegram as primary chat interface - Trello/Jira/Something Custom - Integrations into GoogleCalendar and GMail - Ability to use Claude/OpenAI and different models

FWIW, if someone figures out how to create a reliable "secretary in a box" that I don't have to DIY but doesn't scream data-collection-watering-hole (facebook) I'd _happily_ pay $200 / mo for it. ;-)
jwally
·vor 6 Monaten·discuss
I updated a really outdated, but surprisingly popular repo for linear programming:

https://github.com/JWally/jsLPSolver

I'm tinkering around building "JARVIS" (I didn't want to come up with a clever self deprecating name - this works) - a personal project to manage my life. Integrates into Google Mail, Google Calendar, Trello, GroupMe, EveryDollar. Basically it nags me to do grown up thing and is a better UX than Google Calendar/Trello - I just talk to it and ask it things.

Also experimenting with a new Claude-Code flow; give the bot its own AWS account, Put a bunch of tickets on my personal JIRA, be persnickity about what constitutes "pass" and tell the bot "follow these instructions, pull down tickets until there are no more. Your branch cannot merge until you have integration tests passing in your own dev env first" (I use AWS CDK). Then let it loose to build. The instant feedback loop that Claude has with Build-Code->Deploy to AWS->Run Integration Tests->Address Failures is really nifty fwiw...
jwally
·vor 9 Monaten·discuss
When the crusader army reached Béziers, they demanded that all heretics be handed over. The townspeople refused, and the crusaders stormed the city. Once inside, they couldn’t tell Catholics from Cathars—everyone spoke the same language and lived side by side.

That’s when the Cistercian legate Arnaud Amalric supposedly gave his infamous order:

“Caedite eos; Novit enim Dominus qui sunt eius.” “Kill them all; for the Lord knows those that are His.”

It’s a paraphrase of 2 Timothy 2:19 (“The Lord knoweth them that are his”).

The crusaders slaughtered virtually the entire population—estimated between 10,000 – 20,000 people—before burning the city.

ps I have an irrational fear of wasps
jwally
·vor 10 Monaten·discuss
Thanks for the feedback.

I don't see this as the end all ultimate solution for age verification. I see it more as a tourniquet; imperfect - but better than bleeding to death.
jwally
·vor 10 Monaten·discuss
Banks and most sites requiring age verification are _littered_ with tracking software that does _literally_ this.

Further, if you put on an adblocker and I get access to the logs at ironbank and hornpub; I could just query them for your IP address.

Collusion to this degree is possible, but doesn't seem worth worrying about if the aforementioned attack vectors still exist. My $0.02.
jwally
·vor 10 Monaten·discuss
Not asking to troll or be a jerk. Promise.

What would need to happen in the United States to implement a reliable ZKP age verification system - and how long would it take to roll it out?

Asking because it feels like the Titanic has sunk, and we're eschewing a floating door because the coast guard has regulation conformant life rafts that would work better.
jwally
·vor 10 Monaten·discuss
Chase.com currently is using:

mPulse

Google Marketing Platform Meta

LinkedIn Ads

Trade Desk

Aggregate Knowledge (Trans Union)

Adobe Audience Manger

Can you elaborate on how the risk of ironbank and hornpub colluding by de-anonymizing you via rainbow tables or IP forensics is substantially greater than Chase and PornHub using - Google Marketing?
jwally
·vor 10 Monaten·discuss
If I work for Aylo (pornhub, etc) I'm telling every fintech and click-and-mortar bank who wants more customers to do this yesterday!

"Hey third fifth of Oregon! Do you want to triple your customer base in Oregon for the cost of a small dev team and 1 month of work?!"

> f*cking app on my phone

I need another app on my phone like I need another hole in my head...
jwally
·vor 10 Monaten·discuss
Here's my crack at a good-enough solution for the U.S. It doesn't have a ton of granularity - but the concept is shovel ready now, dirt cheap, and privacy preserving.

Video Demo: https://www.youtube.com/watch?v=MmcUJ5u65Q0

Actual Demo: https://app.hornpub.click

How it works:

1) Go to app.horpub.click

2) Create an ephemeral passkey

3) Extract its public-key and id (this binds the credential you're creating to your device)

4) The user copies this data to their bank's Age-Verification-Section

5) The bank creates an object that it signs with an attestation of the user's age (KYC) and their pass-key-public-key

6) The user copies this back to app.hornpub.click

7) The passkey is verified on the server, the bank's signature is verified by the server, some other meta-data is verified to make sure nothing weird is happening.

8) The user's age has been verified by their bank without the bank knowing who is asking for verification

* This method is more private than anything requiring sharing your photo-id online

* This method doesn't trigger GLBA or GDPR (user copies data themselves)

* This method is free to the merchant (hornpub)