Hacker News

I’ve been sitting on this page for two minutes and it’s still not sure whether I’m a bot lol. What did I do in a past life to deserve this :(

mxmlnkn 6 hours ago [ - ]

After 2 minutes at 150 kHashes on mobile, I finally see the first pixel of the progress bar filling up. Seems like it will take hours or a day to finish. Some estimate would have been nice.

drum55 6 hours ago [ - ]

Ironically I used a LLM to write a bypass for this ridiculous tool, doing hashing in a browser makes no sense, Claude's very bad implementation of it in C does tens of megahash a second and passes all of the challenges nearly instantly. It took about 5 minutes for Claude to write that, and it's not even a particularly fast implementation, but it beats the pants off doing string comparisons for every loop in JavaScript which is what the Anubis tool does.

    for (; ;) {
        const hashBuffer = await calculateSHA256(data + nonce);
        const hashArray = new Uint8Array(hashBuffer);

        let isValid = true;
        for (let i = 0; i < requiredZeroBytes; i++) {
          if (hashArray[i] !== 0) {
            isValid = false;
            break;
          }
        }

It's less proof of work and just annoying to users, and feel good to whoever added it to their site, I can't wait for it to go away. As a bonus, it's based on a misunderstanding of hashcash, because it is only testing zero bytes comparison with a floating point target (as in Bitcoin for example), the difficulty isn't granular enough to make sense, only a couple of the lower ones are reasonably solvable in JavaScript and the gaps between "wait for 90 minutes" and "instantly solved" are 2 values apart.

Retr0id 5 hours ago [ - ]

I wrote one that uses opencl: https://github.com/DavidBuchanan314/anubis_offload

drum55 5 hours ago [ - ]

Bravo, you even implemented the midstate speedup from Bitcoin, that's way more impressive.

Retr0id 5 hours ago [ - ]

It's not exactly rocket science heh, just baffling that the original anubis impl left an order-of-magnitude speedup on the table.

GeoAtreides 5 hours ago [ - ]

>It's less proof of work and just annoying to users, and feel good to whoever added it to their site,

this is being disproved in the article posted:

>And so Anubis was enabled in the tar pit at difficulty 1 (lowest setting) when requests were pouring in 24/7. Before it was enabled, it was getting several hundred-thousand requests each day. As soon as Anubis became active in there, it decreased to about 11 requests after 24 hours, most just from curious humans.

apparently it does more than annoying users and making the site owner feel good (well, i suppose effective bot blocking would make the site owner feel quite good)

Aurornis 4 hours ago [ - ]

The Anubis difficulty setting is (or was) so high that nobody could visit the site without leaving it open for minutes or hours.

GeoAtreides 4 hours ago [ - ]

>Anubis was enabled in the tar pit at difficulty 1 (lowest setting) when requests were pouring in 24/7

>difficulty 1 (lowest setting)

literally in the comment you're responding to

tredre3 2 hours ago [ - ]

> After 2 minutes at 150 kHashes on mobile, I finally see the first pixel of the progress bar filling up. Seems like it will take hours or a day to finish. Some estimate would have been nice.

Literally the grandparent of the comment chain you're responding to.

bawolff 3 hours ago [ - ]

That doesnt mean the PoW is doing anything, it might just mean bots have js disabled.

I dont think the person was claiming annubis doesnt work, they were disputing PoW is the reason it actually works.

drum55 2 hours ago [ - ]

Yes, Anubis is just non standard and obscure, the proof of work bit is completely irrelevant (except for getting people on their phone to not visit your website).

bawolff 5 hours ago [ - ]

Shouldnt browser also have it implemented in c? Like i assume crypto.subtle isnt written in js.

drum55 5 hours ago [ - ]

It doesn't matter if your hottest loop is using string comparisons, as another poster pointed out in C you aren't even doing the majority of the second hash because you know the result (or enough of it) before finishing it. The JavaScript version just does whole hashes and turns them into a Uint8Array, then iterates through it.

bawolff 3 hours ago [ - ]

I dont understand what you mean. Are you saying that in C you only calculate the first few digits of the hash? That's not how sha256 works.

Edit: oh i think you mean in c the string comparison short curcuits. I would expect the same to be true in javascript too. Its true in most languages.

Maybe you are just worried about general language overhead, which is a fair point. Is the anubis check even using multiple threads? For the c case, the real benefit wouldn't be if you can use C, but if you can use the GPU.

The whole thing is kind of silly though. SHA256 is a terrible choice of hash for PoW. They should be using argon2 or something memory heavy.

drum55 2 hours ago [ - ]

The language matters, but your original guess was actually correct, you can do tricks with sha256 where you only end up calculating a fraction of the total double hash in order to get a pass or fail.

Modern bitcoin miners do a double sha256 hash and increment in just a little bit more than a single hash of work. The input is 80 bytes, which is two compression rounds of 64 bytes in sha256, only the data in the second round has changed (the appended nonce), so you don’t bother doing the first compression round again. With other quirks you can end up doing multiple hashes at once “asicboost” due to partial collisions within the input too.

yborg 5 hours ago [ - ]

Maybe post your brilliant solution to commercial companies with hundreds of millions in funding unrestrained bot scraping the Internet for AI training instead of complaining about people desperate to rein it in as individuals.

drum55 5 hours ago [ - ]

Anybody can prompt Claude to implement this, which was my point, it doesn't stop bots because a bot can literally write the bypass! My prompt was the proof of work function from the repository, asked it to make an implementation in C that could solve it faster, and that was about it.

throw10920 5 hours ago [ - ]

This is fallacious and extremely disrespectful (or even malicious?). You don't have to propose a way to fix a broken thing to point out that it's broken.

Normal and sane people understand this intuitively. If someone goes to a mechanic because their car is broken and the mechanic says "well, if you can tell that you car is broken, then you should be able to figure out how to fix it" - that mechanic would be universally hated and go out of business in months. Same thing for a customer complaining about a dish made for them in a restaurant, or a user pointing out a bug in a piece of software.

raincole 6 hours ago [ - ]

At this point I wonder if you can post a crypto miner page on HN and people will fall for it.

dheera 6 hours ago [ - ]

I don't get this kHash thing. Do we have captchas mining bitcoin in a distributed fashion for free now?

throw10920 6 hours ago [ - ]

The page says

> Anubis uses a Proof-of-Work scheme in the vein of Hashcash

And if you look up Hashcash on Wikipedia you get https://en.wikipedia.org/wiki/Hashcash which explains how Hashcash works in a fairly straightforward manner (unlike most math pages).

dheera 2 hours ago [ - ]

Oh fun so now we're effectively draining users' phone and laptop batteries now just to prove that they have batteries and somehow that's a proxy for them being human

coryrc 4 hours ago [ - ]

On what page? https://gladeart.com/blog/the-bot-situation-on-the-internet-... loaded effectively instantly for me.

prewett 5 hours ago [ - ]

The cynic in me thinks that they’re mining bitcoin on our phones… And after completing, it claimed the page was misconfigured.

luxuryballs 5 hours ago [ - ]

I think we got honeybotted.