> Edit: This is going to have huge ramifications for the tech security industry as these systems will be able to break security systems as easily as it solved the proof. The sooner the good guys, if there are any left, understand this the better it will be for everybody.
What can the good guys do? Fire up Claude to improve their systems? Unless you have it working fully autonomously to counteract abuse, I don't see how you can beat the "bad guys". There may be some industries where this is a solved problem (e.g. you can do all the validation server-side, religiously follow best practices to prevent and mitigate abuse), but a lot of stuff like multiplayer video games will be doomed unless they move to a "you must use a locked down system we control" model. I honestly don't consider it liberating as someone who has various hobby projects, that now in addition to plain old DDoS I'll also have people spin up layer 7 attacks with just their credit card. It almost makes me want to give up instead of pushing forward in a world where the worst of the worst has access to the best of the best.
Nothing as heavy as the above but here's my small anecdote:
I was putting off security updates on my npm dependencies in my personal project because it's a pain to migrate if the upgrade isn't trivial. It's not a critical website, but I run npm scripts locally, and dependabot is telling me things.
I told Claude Code to make a migration plan to upgrade my deps. It updated code for breaking changes (there were API changes, not all fixes are minor version upgrades) and replaced abandoned unmaintained packages with newer ones or built-in Node APIs. It was all done in an hour. I even got unit tests out of it to test for regressions.
In this case, I was able to skip the boring task of maintaining code and applying routine updates and focus on the fun feature stuff.
I am curious, have you attempted to do this to any binary packed with commercial obfuscation/"virtualization" schemes (e.g. Oreans' Themida/Code Virtualizer and VMProtect)?
No, I would need to find a binary to test on. I suspect it would produce horrible code at the decompiler layer but ultimately I would expect that function signatures are still relatively clean?
It's scary - once you get the differential testing harness set up it seems to be just a matter of time/tokens for it to stubbornly work through it.
https://news.ycombinator.com/item?id=46624740 has the earliest writeup that I know of. It was running it via a script and intentionally using cache busting techniques to try to increase load on the hosted WordPress infrastructure.
Ah good to know. My pi-hole actually was blocking the blog itself since the ublock site list made its way into one of the blocklists I use. But I've been just avoiding links as much as possible because I didn't want to contribute.
This is an impressively unhinged take. I still have no idea what the person is trying to achieve. And I'm sad we're likely going to lose that resource in the future.
I understand being mad but no, unfortunately, despite me knowing humans are human and they get angry at times, this response does still leave a bitter taste in the mouth and many people will perceive it that way. Changing the content of the archived pages is the worst thing they've done honestly. The "3 Hz DDoS" is funny perhaps but then if it's so harmless, then why even bother? But regardless, tampering with the archives, that is, tainting the content that people appreciate you for won't sit well with people.
We're talking about both now, at least one a week it seems. Without the DDoS, we'd mostly forget about the blog. I didn't even know about the blog until the DDoS started.
One thing that is amusing about the prevalence of advanced anti-cheat in Windows gaming is it's actually causing said API/ABIs to undergo ossification. A good data point is the invention of Syscall User Dispatch^1 on Linux which would allow a program to basically install a syscall handler when they originate from various regions of memory. I do not know how usable this is in practice, admittedly -- but I think the fact it was contributed at all speaks to the growing need.
This exists although not in the traditional BOINC space, it's Archiveteam^1. I run two of their warrior^2 instances in my home k3s instance via the docker images. One of them is set to the "Team's choice" where it spends most of its time downloading Telegram chats. However, when they need the firepower for sites with imminent risk of closure, it will switch itself to those. The other one is set to their URL shortener project, "Terror of Tiny Town"^3.
Their big requirement is you need to not be doing any DNS filtering or blocking of access to what it wants, so I've got the pod DNS pointed to the unfiltered quad9 endpoint and rules in my router to allow the machine it's running on to bypass my PiHole enforcement+outside DNS blocks.
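A Kubernetes pod manifest that gives a warrior container its own unfiltered resolver, the way the comment above describes, as an added example (not the commenter's own manifest, and not Archiveteam's); the image reference is a placeholder, and the resolver addresses are Quad9's published unsecured (unfiltered, non-DNSSEC) endpoints.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: archiveteam-warrior
  namespace: archiveteam
spec:
  # "None" bypasses the cluster resolver (and any PiHole it forwards to);
  # only the servers listed under dnsConfig end up in the pod's /etc/resolv.conf.
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      - 9.9.9.10          # Quad9 unsecured: no blocklist filtering
      - 149.112.112.10    # Quad9 unsecured, secondary
    options:
      - name: ndots
        value: "1"        # avoid search-domain expansion for the many hostnames it fetches
  containers:
    - name: warrior
      image: REPLACE_WITH_WARRIOR_IMAGE   # placeholder, not a real image reference
      resources:
        limits:
          cpu: "1"
          memory: 512Mi
```

dnsPolicy only decides which resolver the pod asks; the router-side exception the comment mentions is still needed if the network redirects or blocks outbound port 53 for that node.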
There's nothing new or original in a lot of things that get posted here. Reading about someone starting a journey provides an interesting catalyst for discussion. What they did right, what they did wrong, other things to try, or even just providing a push to someone else to also try.
I'll take my turn on the soapbox to say I hope people keep posting about their adventures and misadventures in trying something new. I'd much rather be reading that than seeing yet another post on LLM-based agentic startups or pelicans riding bicycles.
In theory, IPv6 Privacy Extensions (https://datatracker.ietf.org/doc/html/rfc4941) could mitigate this. In practice, I imagine when you bind to `[::]:port`, that also means that the randomized addresses would work for new inbound connections, too. Not sure how long they typically last, but you'd be fighting against the clock at least before a new randomized address.
That being said, on a slightly less common note: it is quite possible to have each individual service running on a /128. E.g. on IPv6 k8s clusters, each pod can have a publicly addressable /128, so activities like NTP would require the container to have an NTP client in it to expose in that way. That'd mitigate a good chunk of information exposure -- that being said, I agree with the larger point about security via obscurity being insufficient.
If you have a shitty ISP that rotates prefixes like it's 2005, hosting anything public is a massive pain already. DDNS works just as well on IPv6, though.
Internally, a ULA will keep things reachable even if you move ISPs. You could even set up a NAT66 setup to translate your changing prefix to your stable ULA so you don't need to update any firewall rules, but that's a pretty terrible workaround for a problem that shouldn't be on you to fix in the first place.
I'm glad I stumbled across this: life circumstances have allowed me to go abroad for a trip the past two years. One thing I had forgotten about since the last trip were some of my group being unable to get one of the cheap prepaid data eSIMs because their phone was still locked to the carrier. I've been tempted to replace my aging iPhone SE 2022 (^1) with a trade-in deal and get a new phone, but it never occurred to me that would mean being forced to use AT&T's $10/day (capped at $100 in one billing cycle) "International Day Pass" during future trips until it had been paid off for long enough.
(^1) I wish I wasn't so tempted after ~4 years, but the battery health has dropped to 75% and the performance has suffered dramatically. A new battery is on the table I suppose, but I am split between just putting that money towards a new phone.
>I wish I wasn't so tempted after ~4 years, but the battery health has dropped to 75% and the performance has suffered dramatically.
Won't help with performance, but I've found that keeping Bluetooth and location turned off lets me use the phone for the whole day without needing a recharge. Only thing that eats battery is video calls.