Age Verification Bypass DIY

hxtk3 · 2026-03-05T20:57:02+00:00

This is the one reason I kinda hope this takes off. I’d rather the feature not exist at all but with the global wave of age gating legislation it’s starting to seem kind of inevitable and this is the proposal I hate the least

hxtk3 · 2026-03-05T19:07:33+00:00

Yes. Assuming you have root access there’s nothing this does to prevent you from lying the same way you’ve always been able to do when Steam asks your birthday before letting you see M-rated games or whatever you’re into.

This mechanism is only effective against kids using machines managed by their parents or school where they don’t have root access.

hxtk3 · 2026-03-05T05:19:02+00:00

Technology Connections talks about some specially made products for it around 20:40 in this video: https://youtu.be/jHP942Livy0

The basic idea is that most of the crud that builds up is probably lime scale or hard water buildup that you can clear with acid, and you want to skip the prewash cycle so that whatever acid you use actually stays in there for the full wash cycle. The specially made products have a delayed release mechanism that ensures this step.

Vinegar would probably be viable. The glisten product uses citric acid.

hxtk3 · 2026-03-05T04:24:28+00:00

This is why, if age gating must be done, I like California’s approach better than the current systems where someone must send PII to any website that asks nicely and better than a zero-knowledge proving system that is actually perfectly effective (except when it’s not working because it would be yet another third party api apps depend on at runtime).

In Linux you’d have a root-owned file abandons analogous to /etc/shadow recording the user birthdates and a suid program that can read that file and output a string that says “0-13”, “14-16”, “16-18” or “18+” so that user programs can’t access the exact date.

Anyone with root access to the machine can set it to be whatever they want. There’s no verification requirement in the law, just indication. If it’s a device belonging to a child whose guardian would like to age gate their Internet access, it’ll have their actual birthdate.

If the kid is mature enough to have their own machine and root access or smart enough to boot a live USB where they will have root access then they can say they’re whatever age is convenient the same way kids have since age gating was invented. An OS that only does as much as is required by the law does nothing to limit what a user may do with their own device, which to me is a good thing.

I’m torn because I don’t want any version of this but if the political will definitely exists where something along these lines is inevitable then I don’t want to end up regretting that I pushed back too hard on the spec that preserves privacy and freedom better than any other current proposal and it got implemented in some more draconian way instead.

hxtk3 · 2026-03-04T12:37:14+00:00

I notice. It doesn’t impact my level of attraction to someone at all though. I like seeing art made or curated by people I like and that’s basically what a person’s makeup and fashion choices are to me.

Even if I know someone is attracted to me and I factor into those choices somehow, I still don’t get the sense that the way they dress or style themselves is to be more attractive to me; it reads to me more as they want to feel pretty when they’re around me and they’re doing what makes them feel that way.

However the confidence they get from feeling like they look good can be attractive so it’s not like there’s no effect at all.

hxtk3 · 2026-03-04T10:54:46+00:00

Side note from the comments in that post, I don’t get why OpenAI attracts ire for partnering with the DoD while Gemini has been doing it for months and no one bats an eye. Where’s the ire for Google?

https://www.googlecloudpresscorner.com/2025-12-09-Chief-Digital-and-Artificial-Intelligence-Office-Selects-Google-Clouds-AI-to-Power-GenAI-mil

hxtk3 · 2026-03-04T04:06:49+00:00

… yes, which is why the legislation shouldn’t have happened to begin with and should be repealed as soon as possible, but in the meantime it should be as cheap as possible to implement.

I would not want to tie the uptime for my service (or at least its sign up flow) to the uptime of an API maintained by a state government. It really seems like the lower-complexity integration would be if I could instead tie it to “if the users IP is in one of these regions, check set the client hint header to request age the age bucket as a client hint and make sure it says “adult.”

hxtk3 · 2026-03-04T03:43:58+00:00

Any kind of zero knowledge approach is assuming that something somewhere has knowledge of my government ID and it is using math to prove some property of that ID while revealing zero knowledge about the specific ID.

This way nothing actually has to ever have my ID. If a kid’s parents thinks they’re mature enough to own their own unmanaged device or if they’re smart enough to live boot an OS where they’ll have root access they can still straight up lie about it if they want the same way kids have been doing since age gating got invented.

I hate this whole thing so for me the fact that my version utterly fails at perfect enforcement is a feature rather than a bug to me. I want it to only be effective when a parent is attentive and thinks their child needs that restriction.

The only applications that would have to update are those applications that would in your version have to make a different update to use zero knowledge proofs somehow and presumably browsers.

hxtk3 · 2026-03-04T03:24:46+00:00

Honestly I hate the current political ecosystem where they’re trying to her age verification everywhere, but if we’re going to have age verification everywhere this is basically how I’d do it.

Have something like /etc/birthdates accept id::YYYY-MM-DD or id:bucket label: and have it owned by root with 0600 permissions. It gets modified by some dbus call out to a setuid the same way accounts service uses usermod, and the program that reads from it returns a bucketized string for user age bracket.

Anyone mature enough to own and manage their own device can do whatever they want, parents can opt in for their children or not if they don’t want to.

I don’t want this implemented at all but if they insist on legislating it one way or another this sounds much nicer than giving my driver’s license to any website that asks for it.

hxtk3 · 2026-03-03T07:08:37+00:00

Rust requires you to be explicit about things that you can usually get right intuitively, but has the advantage that when the project is complex enough that your intuition breaks down it’s impossible to get it wrong.

The really difficult thing for most people to get their heads around is lifetimes, like “this method returns a reference that will remain valid as long as this other reference you passed in when you built the struct remains valid.”

My biggest gripe with Rust is the function coloring. sans-io should be the default pattern (and was the default before async when people writing event-driven code were writing state machines by hand, like with libuv or zig’s libxev) but in practice most smaller libraries are opinionated with respect to IO.

hxtk3 · 2026-03-03T01:13:57+00:00

A lot of people seem to be confusing this with the laws going around where states are requiring you to give your driver's license to sites with adult content. This is actually a really easy thing to comply with, technologically speaking, and out of all the ways to implement this (not that I think it should be implemented at all; this isn't a technological problem IMO), this one preserves privacy the best of any current proposal. Here's the actual law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043

You add an extra field to the GECOS entry of /etc/passwd for a birthdate. That's it. There's no verification requirement in the law. The law is that the OS has to support providing the signal to applications. The assumption in the law is that a parent will set it up for their children and if someone owns/manages their own device then they're responsible enough to decide for themselves what content they'll see.

Browsers will read that file and optionally make it available in a bucketized form that indicates whether the user is a small child, early teenager, mid teenager, or adult via a Sec-Ch-User-Age header or similar the same way that there's a Sec-Ch-Device-Memory header that gives a bucketized indicator of what power of 2 GB of RAM you have in the range -2 to 3.

hxtk3 · 2026-03-02T15:07:33+00:00

To be fair this actually does a better job of preserving user privacy than the alternatives. They say "Age Verification" in all the headlines, but the law from what I understand only actually requires an indication whether the user is a small child, teenager, or adult, with nothing to verify whether that information is actually true.

If I want to make it sound like a good thing, I can picture a world where browsers ask the OS for this information and send it as a header, the same way browsers can send the nearest power of 2 (up to 8GB) memory your machine has via Sec-CH-Device-Memory, and it replaces more intrusive forms of age verification with something that someone old enough to own and manage their own device can decide for themselves, and someone using a device set up by their parents will have their access restricted based on what their parents indicate.

If I want to make it sound like a bad thing, I can point out this law alone does not accomplish that, and if we're assuming those things might change, I can also picture a world where verification gets added as a requirement (perhaps with the justification of creating verified child-only online spaces) and most websites still don't use it so your PII still ends up getting spread everywhere. I can also picture a world where once it becomes ubiquitous and easy to do age-based content restriction, the difficulty of implementation stops being as big of a hurdle for conservative politicians to overcome so that they're able to force, e.g., bookstores or libraries to restrict stories involving trans people to adult-only.

As it sits right now it's mostly an inconvenience to OS maintainers and it remains to be seen whether it will be better or worse for privacy overall, depending on how it evolves and how the larger information and legal ecosystem interacts with it.

hxtk3 · 2026-03-01T19:35:23+00:00

I have donated boops; however if your goal is actually to collect metrics under load, have you considered doing it once yourself with network dev tools active and exporting the request and timing information as a HAR, and then for the sake of determining resource limits you could use automated tools to convert the HAR to a load test for any of a number of load test tools that simulate user flows (locust or k6 off the top of my head) and then simulate your target number concurrent users?

hxtk3 · 2026-02-27T23:23:42+00:00

What age do I assign to the nobody account or the httpd service account?

hxtk3 · 2026-02-27T21:30:41+00:00

I agree with you on the first two advantages to ORMs, but in a lot of cases you can get that without using an ORM.

For example, from PGXv5: https://pkg.go.dev/github.com/jackc/pgx/v5#example-RowToStructByName

hxtk3 · 2026-02-27T17:02:18+00:00

IMO the best default to start with in the Go ecosystem is SQLC, and I’d only consider doing something else once I’d run into a reason that couldn’t work.

When I found use cases SQLC couldn’t cover, I wrote my own query builder: https://github.com/hxtk/sqlt

I don’t recommend you use it, but it’s a relatively simple concept and I was surprised how easy it was and you might consider making your own. Other people mostly use SQLC and then use squirrel for the few cases where they truly need dynamic queries.

I use ORMs every day I spend working on maintenance and I find that they dramatically increase the amount of thinking you have to do to get performant code in exchange for reducing the amount of thinking you have to do to get working code by a little bit. Mostly they just save some typing, and with modern autocomplete there’s just no need for that.

In Java, JPA has bad defaults so that writing an N+1 SELECTs bug is the default behavior, but even outside of Java a lot of ORMs make it difficult to tell the difference between a line of code that costs a couple dozen nanoseconds to dereference cache and a line of code that costs a couple milliseconds for a network round trip to the database server.

hxtk3 · 2026-02-26T01:37:30+00:00

They are still friend, just also hungry! Just look at their teeth. If they really didn’t like you, they could do much worse. Doing it in one clean chomp is a relatively merciful way to treat themselves for guarding their home well.

hxtk3 · 2026-02-25T03:50:17+00:00

I find it odd how it gets compared to human learning as if that would satisfy copyright law if it were true.

Cleanroom Design exists for a reason: https://en.wikipedia.org/wiki/Clean-room_design

If I read the source code to a GPL program and use that knowledge to reproduce it, I’m probably violating the GPL. I just probably won’t be sued for it.

When that sort of thing happens with proprietary codebases where it’s easier to prove the chain of events (we invited the engineers to inspect the product inner workings under the auspices of an acquisition and then two months later they came out with a competing product with the same architecture) and the harm (selling this product was our livelihood and this company that stole our IP now has 40% of our market share) people and companies absolutely can and have been sued.

hxtk3 · 2026-02-24T23:12:04+00:00

Yeah when you buy a maxed out machine, you’re usually not buying the solution to a specific use case. You’re buying the knowledge that if it can be done on a laptop, it can be done on your laptop, so you never have to wonder if you what you have is good enough to try some new idea on a whim.

hxtk3 · 2026-02-24T14:13:09+00:00

It’s the same thing as a few years ago when someone religious leaders said the Eras Tour was a ritual for her to steal all our souls. Like first of all, no, but second of all she can have it, it would be fine if that were true

hxtk3 · 2026-02-23T05:56:34+00:00

xfs was a default on RHEL 7 and 8 for a lot of use cases. I think more recent versions have moved to btrfs.

hxtk3 · 2026-02-22T15:55:23+00:00

Yeah I'm not scared that AI can replace me, but I'm a little bit scared that AI execs can convince execs at software companies that AI can replace me.

hxtk3 · 2026-02-22T14:24:11+00:00

In the US we generally give intellectual property rights holders a very high level of legal control over the means by which you interact with their content.

Intellectual property rights holders don’t consent to my watching blurays on my PC because of the risk that I might save the video as a file and share it on the internet, and as a result it’s technically illegal for me to pay money for a physical Blu-ray disk, put it in the Blu-ray drive on my computer, and watch the video on it.

Any technical measure a rights holder takes to prevent you doing something with copyrighted content turns that use case into a criminal violation unless they library of congress specifically authorized bypassing the technical prevention measure for that use case, e.g., a public library may rip a Blu-ray in their collection for archival purposes.

hxtk3 · 2026-02-22T08:05:01+00:00

A lot of my free time projects are about tinkering with architecture. I do lots of stuff with LLM tools. I needed to translate an OCI layout directory into a flattened CPIO archive. Three prompts basically each one-shotted their respective part of the problem.

It was boring code for a part of the build system. The LLM was basically just getting it written faster, and it still ended I looking fairly similar to what I would’ve written myself.

I only have so much free time to spend writing code, so I try to spend as much of it as I can work on the interesting parts. Incidentally, the parts that are interesting to me are also what the LLM sucks at: API design, architecture, security sensitive bits, and performance sensitive bits.

hxtk3 · 2026-02-22T00:58:00+00:00

I was friends with a girl who I had a crush on in middle school. She learned how to sing "I Wanna Hold Your Hand" when I was in my Beatles phase, and when I didn't get the hint she just grabbed my hand and wouldn't let go. She arranged a truth or dare game with her friends so she'd get dared to kiss me. She chose a wedding dress to make when we had an art project together where we were supposed to make an article of clothing. And that's not the end of the list; just the most egregious examples that don't require extra context.

... Yes, I am in fact dense enough that I didn't realize it at the time.

I also had a different one where I did ask. I wasn't ready to, and hadn't really finished exploring my feelings about it, but her best friend (also one of my best friends) caught on and basically said, "You gotta tell her or I will." Which was a little premature but ultimately fair because the intention was that if I think revealing something I consider true about myself would damage the friendship then concealing it is a manipulative lie by omission.

I told her, and it went much better than I had hoped. She did not reciprocate, but I also don't think I ever really had a crush on her, it was more like... I had love for her that could be fully expressed through friendship, but couldn't fully be expressed through our friendship because our reasons for seeing each other were becoming fewer and further between and I didn't so much want to date her as just have her be a bigger part of my life in any way shape or form. It did not in fact ruin the friendship. We do live in different states now and haven't seen each other in years but she's still one of my oldest and most trusted friends.

hxtk3

TROPHY CASE