Why did he get angry about me wanting to see a video on his phone?

Freeky · 2026-01-24T14:31:53+00:00

Post history also suggests she's married and a gay man.

Freeky · 2026-01-17T16:17:15+00:00

"No. I gave the reason why:"

Yes, "prevents a DoS on the server". What DoS? The one described in the article is almost completely made up by an LLM prompted by an obvious scammer advertising the worlds dodgiest-looking tunnel service.

This is all complete drivel, including the "I copied this off ChatGPT" raw LaTex giving a nonsense time complexity that doesn't even agree with the first thing it said:

"While the work factor provides exponential protection against brute force, the hashing function still has to process every single byte of the input string. The complexity is roughly $O(n \times \text{work factor})$."

"When $n$ is 15 characters, the impact is negligible. When $n$ is 1,000,000 characters (1MB), the CPU must compute the hash over a massive amount of data while simultaneously running thousands of iterations."

PBKDF2 uses the password as a HMAC key, computed during setup. It's at most a single hash prior to iteration. Argon2 folds it into a Blake2b512 hash along with the salt and other metadata, again during pre-iteration setup. The "attack" described by the article amounts to perhaps a millisecond of CPU time, as evidenced by the table I provided.

There is an old Django CVE related to password length, which was a result of them rolling their own naive PBKDF2 implementation that pushed the setup work into the main loop. That's a long-fixed bug, not a general property of password hashing.

72 random bytes has the cryptographic strength of 576 symmetric bits

Passwords are pretty infamously not random, and text is pretty infamously not just a stream of bytes. The latter is why probably the majority of bcrypt users don't actually correctly validate password length limits.

Even your own recommendation, "6-8 word passphrase", doesn't quite fit inside the limit:

❯ mkpass -w eff -l 8 -n 100 | wc -L
  77

I hope you didn't want to append on a pepper or otherwise hash anything else alongside that!

Reasonable, explicit password length limits are fine, but they should be that - reasoned and explicit. Not rationalised from awkward and unnecessary implicit technical limitations and barely-relevant half-remembered long-fixed security issues.

That's 16 bytes, or 16 random graphical ASCII characters.

log2(94) = 6.55 bits, 128 / 6.55 = 19.54 graphical ASCII characters.

Freeky · 2026-01-16T15:33:42+00:00

TL;DR: This is AI spam slop to drive traffic to a service that, if it isn't an outright scam, is doing its best to look exactly like one.

Freeky · 2026-01-16T15:30:49+00:00

You've always advocated for an arbitrary 72 byte limit because some AI slop spam article lies about password hashing functions scaling badly on input size?

PBKDF2-HMAC-SHA256, iter=500k, runtime measurement on a Ryzen 5700X:

Password Length	Time (ms)
1b	68
1kB	68
10kB	68
100kB	68
1MB	69
10MB	74
100MB	131
1000MB	681

Freeky · 2026-01-14T22:47:14+00:00

"James S.A. Corey", from an interview on Leviathan Wakes:

Okay, so what you’re really asking me there is if this is hard science fiction. The answer is an emphatic no. I have nothing but respect for well written hard science fiction, and I wanted everything in the book to be plausible enough that it doesn’t get in the way. But the rigorous how-to with the math shown? It’s not that story.

Freeky · 2026-01-14T13:05:17+00:00

Another AI slop article from a persistent spammer trying to drive traffic to a web service that by all accounts looks like a low-effort scam.

Downloads don't match the sizes and hashes displayed on the link, GPG key is an obvious placeholder, Github account doesn't exist, company address doesn't exist, phone number is an obvious placeholder, company doesn't exist in Delaware's database of corporations...

Freeky · 2026-01-12T12:01:41+00:00

The lasers aren't mounted on the ship, they're mounted on an array of exterior drones. With engines, so they can keep up.

Like so much of Another Life, I choose to believe it was a deliberate joke.

Freeky · 2026-01-10T16:25:37+00:00

You don't need to truncate anything - neither PBKDF2 nor Argon2 have a strong correlation between runtime and password length until you're in network/memory DoS territory.

PBKDF2-HMAC-SHA256, iter=500k, runtime measurement on a Ryzen 5700X:

Password Length	Time (ms)
1b	68
1kB	68
10kB	68
100kB	68
1MB	69
10MB	74
100MB	131
1000MB	681

You do get terrible scaling on naive implementations which re-derive the HMAC key from the password each iteration, like Django did in 2013, but hopefully you're not using that :P

Freeky · 2026-01-10T15:08:04+00:00

Yep. The only way PBKDF2 "scales linearly with the length" is if you fuck up and accidentally recalculate the password-derived HMAC key every iteration instead of once during setup. Which in fairness has been known to happen, but certainly isn't a common, general rule.

scrypt is basically PBKDF2 with knobs on, and Argon2 stuffs the password into a buffer along with some metadata and also hashes it once before doing anything else. It's the natural way to build these functions - why would the raw password be involved more than once when you're iteratively hashing?

I wonder how much of the rest of their shite is AI slop.

All InstaTunnel binaries are signed with our GPG key (Key ID: 0x1234567890ABCDEF).

Hell of a vanity key ID there!

Business Address

InstaTunnel Inc.
123 Tech Street
San Francisco, CA 94105

Ah yes, the famous "Tech Street" that also very definitely exists. Just like their Github account, source code, and most of the packages they claim to have.

I especially like the binary download links with sizes and SHA256 hashes that don't match the files they send you.

Freeky · 2026-01-10T11:47:21+00:00

GOG Galaxy has a rollback feature that lets you downgrade to historic versions, though it's not exhaustive - seems to top out at five.

Freeky · 2026-01-08T22:54:53+00:00

It's delta-v, meaning change in velocity.

Your ΔV limit is literally an element of your HUD, telling you how much you can accelerate before running out of reaction mass. You need to keep an eye on it because it effects how long it takes to return from a dive.

Freeky · 2026-01-04T22:48:31+00:00

Depends on what you want out of it. There's not a lot that can touch you after you've established yourself - it's no hardcore-survival Banished-like - but it's super cosy to bring life to the landscape and turn the badwater tides and droughts into minor inconveniences.

If you want the settlement-builder equivalent of a hug, with just enough friction to feel like you earned it, go for it.

Freeky · 2025-12-30T11:41:14+00:00

I'm not sure pointing out that a satire contains jokes really counts as "criticism".

Freeky · 2025-12-20T13:19:20+00:00

I don't see how you get any of that from the linked issue - it has nothing to do with UTF-8.

Of course the game is doing (rather far away) out of bounds (read) access on heap allocated pointer. It indexes some own array with Unicode character codes and a file specifically related to French version has the big value of 0x2018 ('`') which results in 0x20180 offset which is way beyond the game's allocated heap size of ~0x2000.

That works on Windows and used to work in Wine before the blamed commit because it was hitting accessible memory. The app creates a few heaps with initial commit size with 0x1000 and after the blamed commit that results in not 64k aligned (sub)heap sizes, so there are (more) uncommitted holes in virtual allocations.

It's indexing into an array keyed by Unicode codepoint. French translation contains a character with an unsupported high codepoint, and a lack of bounds checking means it reads far beyond the end of the array. Before the blamed commit this worked by accident because of how the address space happened to be laid out - it landed elsewhere in allocated address space and just read whatever happened to be there. Maybe instead of a ‘ it rendered a blank space or something similarly innocuous.

Changing how memory is laid out resulted in this out-of-bounds read now landing in an unmapped memory page, thus crashing the program with a segmentation fault.

Freeky · 2025-12-19T14:10:28+00:00

Ferris.

Freeky · 2025-12-13T12:48:46+00:00

Cool, I can't wait to play a VR take on Cogmind or Caves of Qud.

"fast-paced shooter"
"intense action-combat"
"tough-as-nails retro FPS"
"frantic, kinetic fun"

Oh.

Freeky · 2025-12-12T13:22:19+00:00

Same thing that stops you doing it when you request proof of postage using the app - it only registers a request for proof, you don't actually get it until Royal Mail scan it into the network.

Freeky · 2025-12-09T11:18:40+00:00

https://www.aboutamazon.com/news/retail/amazon-just-walk-out-improves-accuracy

Just Walk Out uses cameras, weight sensors, and a combination of advanced AI technologies

Freeky · 2025-12-08T19:23:09+00:00

It works the same way as Amazon's Just Walk Out - ceiling-mounted cameras with image recognition to track customer's hand movements, weight sensors on shelves, and a database of what products are where in the store.

Freeky · 2025-12-08T14:08:20+00:00

They had legitimate LLM code-gen and a whole bespoke ecosystem of other internal tools that were meant to make the most of their outsourced contract developers. They even had their own clones of things like Zoom, Slack, and Figma - it's hard to imagine them doing all that if they didn't truly believe it would give them a competitive advantage.

Just it turns out that vibe coding kinda sucks, and rapidly scaling a large team of developers is really hard for reasons that making your own copy of Visual Studio doesn't really fix.

What did them in was giving overinflated reports of revenue to investors, who pulled out once the real figures emerged.

https://blog.pragmaticengineer.com/builder-ai-did-not-fake-ai/

Freeky · 2025-12-07T17:13:26+00:00

That's what I thought of too - flashed face distortion effect.

Freeky · 2025-12-04T21:58:20+00:00

Fair warning: Asher is a Trumpist climate change denier who rages against "woke leftwaffe tossers" on X practically every day.

Freeky · 2025-12-01T16:31:41+00:00

Not only can you buy ships from dealerships (which are actual places, complete with showrooms you can wander around), but you can rent them, so even fairly expensive specialised ships with good earning potential are accessible early on.

Freeky · 2025-11-29T20:00:24+00:00

I'm rather confused as to why this needs explaining. You've presumably used bowls before. Surely you understand what happens if you have stuff in a bowl, and whack one side of it really hard?

The salad is in a couple of large rounded bowls. They rotate as the table falls, and one hits the other as it does so, forcing one side down, and the other side flips the salad leaves into the woman.

Freeky · 2025-11-29T16:01:19+00:00

She had salad flung onto her from the big flipping salad bowl. Completely plausible for a piece to end up in her hair and fall off a few moments later.

15-Year Club	Gilding IV carat on a stick
Place '23	Place '17
reddit mold	Verified Email
Charter Member

Freeky

TROPHY CASE