undefined

points

[-]

After 2 minutes at 150 kHashes on mobile, I finally see the first pixel of the progress bar filling up. Seems like it will take hours or a day to finish. Some estimate would have been nice.

by drum555 hours ago|

parent|

[-]

Ironically I used a LLM to write a bypass for this ridiculous tool, doing hashing in a browser makes no sense, Claude's very bad implementation of it in C does tens of megahash a second and passes all of the challenges nearly instantly. It took about 5 minutes for Claude to write that, and it's not even a particularly fast implementation, but it beats the pants off doing string comparisons for every loop in JavaScript which is what the Anubis tool does.

    for (; ;) {
        const hashBuffer = await calculateSHA256(data + nonce);
        const hashArray = new Uint8Array(hashBuffer);

        let isValid = true;
        for (let i = 0; i < requiredZeroBytes; i++) {
          if (hashArray[i] !== 0) {
            isValid = false;
            break;
          }
        }

It's less proof of work and just annoying to users, and feel good to whoever added it to their site, I can't wait for it to go away. As a bonus, it's based on a misunderstanding of hashcash, because it is only testing zero bytes comparison with a floating point target (as in Bitcoin for example), the difficulty isn't granular enough to make sense, only a couple of the lower ones are reasonably solvable in JavaScript and the gaps between "wait for 90 minutes" and "instantly solved" are 2 values apart.

by Retr0id5 hours ago|

parent|

[-]

I wrote one that uses opencl: https://github.com/DavidBuchanan314/anubis_offload

by drum555 hours ago|

parent|

[-]

Bravo, you even implemented the midstate speedup from Bitcoin, that's way more impressive.

by Retr0id4 hours ago|

parent|

[-]

It's not exactly rocket science heh, just baffling that the original anubis impl left an order-of-magnitude speedup on the table.

by GeoAtreides4 hours ago|

parent|

prev|

[-]

>It's less proof of work and just annoying to users, and feel good to whoever added it to their site,

this is being disproved in the article posted:

>And so Anubis was enabled in the tar pit at difficulty 1 (lowest setting) when requests were pouring in 24/7. Before it was enabled, it was getting several hundred-thousand requests each day. As soon as Anubis became active in there, it decreased to about 11 requests after 24 hours, most just from curious humans.

apparently it does more than annoying users and making the site owner feel good (well, i suppose effective bot blocking would make the site owner feel quite good)

by bawolff2 hours ago|

parent|

[-]

That doesnt mean the PoW is doing anything, it might just mean bots have js disabled.

I dont think the person was claiming annubis doesnt work, they were disputing PoW is the reason it actually works.

by drum552 hours ago|

parent|

[-]

Yes, Anubis is just non standard and obscure, the proof of work bit is completely irrelevant (except for getting people on their phone to not visit your website).

by Aurornis3 hours ago|

parent|

prev|

[-]

The Anubis difficulty setting is (or was) so high that nobody could visit the site without leaving it open for minutes or hours.

by GeoAtreides3 hours ago|

parent|

[-]

>Anubis was enabled in the tar pit at difficulty 1 (lowest setting) when requests were pouring in 24/7

>difficulty 1 (lowest setting)

literally in the comment you're responding to

by tredre32 hours ago|

parent|

[-]

> After 2 minutes at 150 kHashes on mobile, I finally see the first pixel of the progress bar filling up. Seems like it will take hours or a day to finish. Some estimate would have been nice.

Literally the grandparent of the comment chain you're responding to.

by bawolff5 hours ago|

parent|

prev|

[-]

Shouldnt browser also have it implemented in c? Like i assume crypto.subtle isnt written in js.

by drum555 hours ago|

parent|

[-]

It doesn't matter if your hottest loop is using string comparisons, as another poster pointed out in C you aren't even doing the majority of the second hash because you know the result (or enough of it) before finishing it. The JavaScript version just does whole hashes and turns them into a Uint8Array, then iterates through it.

by bawolff2 hours ago|

parent|

[-]

I dont understand what you mean. Are you saying that in C you only calculate the first few digits of the hash? That's not how sha256 works.

Edit: oh i think you mean in c the string comparison short curcuits. I would expect the same to be true in javascript too. Its true in most languages.

Maybe you are just worried about general language overhead, which is a fair point. Is the anubis check even using multiple threads? For the c case, the real benefit wouldn't be if you can use C, but if you can use the GPU.

The whole thing is kind of silly though. SHA256 is a terrible choice of hash for PoW. They should be using argon2 or something memory heavy.

by drum552 hours ago|

parent|

[-]

The language matters, but your original guess was actually correct, you can do tricks with sha256 where you only end up calculating a fraction of the total double hash in order to get a pass or fail.

Modern bitcoin miners do a double sha256 hash and increment in just a little bit more than a single hash of work. The input is 80 bytes, which is two compression rounds of 64 bytes in sha256, only the data in the second round has changed (the appended nonce), so you don’t bother doing the first compression round again. With other quirks you can end up doing multiple hashes at once “asicboost” due to partial collisions within the input too.

by yborg5 hours ago|

parent|

prev|

[-]

Maybe post your brilliant solution to commercial companies with hundreds of millions in funding unrestrained bot scraping the Internet for AI training instead of complaining about people desperate to rein it in as individuals.

by drum555 hours ago|

parent|

[-]

Anybody can prompt Claude to implement this, which was my point, it doesn't stop bots because a bot can literally write the bypass! My prompt was the proof of work function from the repository, asked it to make an implementation in C that could solve it faster, and that was about it.

by throw109204 hours ago|

parent|

prev|

[-]

This is fallacious and extremely disrespectful (or even malicious?). You don't have to propose a way to fix a broken thing to point out that it's broken.

Normal and sane people understand this intuitively. If someone goes to a mechanic because their car is broken and the mechanic says "well, if you can tell that you car is broken, then you should be able to figure out how to fix it" - that mechanic would be universally hated and go out of business in months. Same thing for a customer complaining about a dish made for them in a restaurant, or a user pointing out a bug in a piece of software.

by raincole5 hours ago|

parent|

prev|

[-]

At this point I wonder if you can post a crypto miner page on HN and people will fall for it.

by dheera5 hours ago|

parent|

prev|

[-]

I don't get this kHash thing. Do we have captchas mining bitcoin in a distributed fashion for free now?

by throw109205 hours ago|

parent|

[-]

The page says

> Anubis uses a Proof-of-Work scheme in the vein of Hashcash

And if you look up Hashcash on Wikipedia you get https://en.wikipedia.org/wiki/Hashcash which explains how Hashcash works in a fairly straightforward manner (unlike most math pages).

by dheera1 hours ago|

parent|

[-]

Oh fun so now we're effectively draining users' phone and laptop batteries now just to prove that they have batteries and somehow that's a proxy for them being human

by coryrc4 hours ago|

prev|

[-]

On what page? https://gladeart.com/blog/the-bot-situation-on-the-internet-... loaded effectively instantly for me.

by prewett4 hours ago|

prev|

[-]

The cynic in me thinks that they’re mining bitcoin on our phones… And after completing, it claimed the page was misconfigured.

by luxuryballs4 hours ago|

prev|

[-]

I think we got honeybotted.