frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Al Lowe on model trains, funny deaths and working with Disney

https://spillhistorie.no/2026/02/06/interview-with-sierra-veteran-al-lowe/
50•thelok•3h ago•6 comments

Hoot: Scheme on WebAssembly

https://www.spritely.institute/hoot/
116•AlexeyBrin•6h ago•20 comments

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

https://openciv3.org/
811•klaussilveira•21h ago•246 comments

Stories from 25 Years of Software Development

https://susam.net/twenty-five-years-of-computing.html
49•vinhnx•4h ago•7 comments

The AI boom is causing shortages everywhere else

https://www.washingtonpost.com/technology/2026/02/07/ai-spending-economy-shortages/
91•1vuio0pswjnm7•7h ago•102 comments

Reinforcement Learning from Human Feedback

https://rlhfbook.com/
72•onurkanbkrc•6h ago•5 comments

The Waymo World Model

https://waymo.com/blog/2026/02/the-waymo-world-model-a-new-frontier-for-autonomous-driving-simula...
1053•xnx•1d ago•600 comments

Start all of your commands with a comma (2009)

https://rhodesmill.org/brandon/2009/commands-with-comma/
471•theblazehen•2d ago•174 comments

U.S. Jobs Disappear at Fastest January Pace Since Great Recession

https://www.forbes.com/sites/mikestunson/2026/02/05/us-jobs-disappear-at-fastest-january-pace-sin...
47•alephnerd•1h ago•14 comments

Vocal Guide – belt sing without killing yourself

https://jesperordrup.github.io/vocal-guide/
197•jesperordrup•11h ago•68 comments

Selection Rather Than Prediction

https://voratiq.com/blog/selection-rather-than-prediction/
8•languid-photic•3d ago•1 comments

Speed up responses with fast mode

https://code.claude.com/docs/en/fast-mode
9•surprisetalk•1h ago•2 comments

France's homegrown open source online office suite

https://github.com/suitenumerique
537•nar001•5h ago•248 comments

Coding agents have replaced every framework I used

https://blog.alaindichiappari.dev/p/software-engineering-is-back
204•alainrk•6h ago•312 comments

A Fresh Look at IBM 3270 Information Display System

https://www.rs-online.com/designspark/a-fresh-look-at-ibm-3270-information-display-system
33•rbanffy•4d ago•6 comments

72M Points of Interest

https://tech.marksblogg.com/overture-places-pois.html
26•marklit•5d ago•1 comments

Unseen Footage of Atari Battlezone Arcade Cabinet Production

https://arcadeblogger.com/2026/02/02/unseen-footage-of-atari-battlezone-cabinet-production/
110•videotopia•4d ago•30 comments

Software factories and the agentic moment

https://factory.strongdm.ai/
63•mellosouls•4h ago•68 comments

Where did all the starships go?

https://www.datawrapper.de/blog/science-fiction-decline
69•speckx•4d ago•71 comments

Show HN: Kappal – CLI to Run Docker Compose YML on Kubernetes for Local Dev

https://github.com/sandys/kappal
21•sandGorgon•2d ago•11 comments

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

https://github.com/valdanylchuk/breezydemo
271•isitcontent•21h ago•36 comments

Learning from context is harder than we thought

https://hy.tencent.com/research/100025?langVersion=en
199•limoce•4d ago•110 comments

Monty: A minimal, secure Python interpreter written in Rust for use by AI

https://github.com/pydantic/monty
284•dmpetrov•21h ago•152 comments

Making geo joins faster with H3 indexes

https://floedb.ai/blog/how-we-made-geo-joins-400-faster-with-h3-indexes
155•matheusalmeida•2d ago•48 comments

Hackers (1995) Animated Experience

https://hackers-1995.vercel.app/
553•todsacerdoti•1d ago•267 comments

Sheldon Brown's Bicycle Technical Info

https://www.sheldonbrown.com/
424•ostacke•1d ago•110 comments

Ga68, a GNU Algol 68 Compiler

https://fosdem.org/2026/schedule/event/PEXRTN-ga68-intro/
41•matt_d•4d ago•16 comments

An Update on Heroku

https://www.heroku.com/blog/an-update-on-heroku/
467•lstoll•1d ago•308 comments

Show HN: If you lose your memory, how to regain access to your computer?

https://eljojo.github.io/rememory/
348•eljojo•1d ago•214 comments

Show HN: I spent 4 years building a UI design tool with only the features I use

https://vecti.com
367•vecti•23h ago•167 comments
Open in hackernews

Reverse Engineering Vercel's BotID

https://www.nullpt.rs/reversing-botid
109•hazebooth•7mo ago

Comments

codedokode•7mo ago
Note that the bot detection script uses WebGL to obtain GPU name. I assume this (fingerprinting) is the most popular use of WebGL. Sad that independent browsers like Firefox do not supply fake values.
nullpt_rs•7mo ago
Sadly, spoofing GPU vendor & renderer can be an even larger flag since they can hash the resulting image of the canvas to compare it with a database of collected fingerprints[0]

[0]: https://research.google/pubs/picasso-lightweight-device-clas...

reaperducer•7mo ago
Until a major player gets on board. Then it works.

Apple does this by sending an imposter user agent from Safari on iPads.

If only that was expanded to iPhones, too. And then send rotating, or randomized user agents.

nerdsniper•7mo ago
Apple does it because they don’t have a vested financial interest in internet-wide tracking.

Google does.

And while Mozilla does too because the vast majority of their funding comes from Google, it’s more pertinent that they don’t have the market share to pull this off. Firefox would just stop working on major websites if they did this.

ZebulonP•7mo ago
Doesn't that just move the goal post though? Instead of using your GPU vendor for the fingerprint they can just hash the output canvas after they a bunch of odd rendering calls, getting a hash from the quirks of your graphics driver and GPU hardware.
andrewmcwatters•7mo ago
It’s funny that trying to click on the Google Scholar link there falsely identifies me as a bot.
grishka•7mo ago
IMO the use of <canvas> needs to be behind a permission prompt, the same as e.g. geolocation or WebRTC. Few websites actually need canvas/WebGL for legitimate purposes.
chocolatkey•7mo ago
This would break way too many websites to be feasible. And if implemented, would be something requested on so many sites that users would learn to automatically say yes which would weaken the power of permission prompts in general.

For example, almost every major Japanese book/comic site uses canvas in their e-reader

codedokode•7mo ago
The best solution would be if canvas only allowed displaying pixels on the page but not drawing (meaning you need to bring your own drawing library) so that it would be unusable for fingerprinting.
ATechGuy•7mo ago
> At the moment, it seems Basic mode is so basic that it allows everything to pass as human. That’ll likely change as they gather more telemetry to better identify what a bot signal looks like.

So they are basically collecting telemetry in the name of "free basic anti-bot" solution.

cchance•7mo ago
free basic anti-bot solution that literally NEVER BLOCKS A BOT, like what the actual fuck
b0a04gl•7mo ago
why is bot detection even happening at render time instead of request time. why can't tell you’re a bot from your headers, UA, IP, TLS fingerprint. imo making it a surveillance. 'you're a bot, ok not just go away, let’s fingerprint your GPU and assign you a behavioral risk score anyway'
n2d4•7mo ago
It's really hard to detect it at request time. It's practically trivial for an attacker to fake headers to resemble a real browser.
indrora•7mo ago
Anubis does it pretty decently.
iovoid•7mo ago
Anubis is not meant to fully stop bots, only slow them down so they don't take down your service. This kind of bot detection is meant to prevent automation.
baby_souffle•7mo ago
You absolutely have options at request time. Arguably, some of the things you can only do at request time are part of a full and complete mitigation strategy.

You can fingerprint the originating TCP stack with some degree of confidence. If the request looks like it came from a Linux server but the user agent says Windows, that's a signal.

Likewise, the IP address making the request has geographic information associated with it. If my IP address says I'm in Romania but my browser is asking for the English language version of the page... That's a signal.

Similar to basic IP/Geo, you can do DNS and STUN based profiling, too. This helps you catch people that are behind proxies or VPNs.

To blur the line, you can use JavaScript to measure request timing. Proxies that are going to tamper with the request to hide its origins or change its fingerprint will add a measurable latency.

n2d4•7mo ago
None of these are conclusive by any means. The IP address check you mentioned would mark anyone using a VPN, or English speakers living abroad. Modern bot detection combines lots of heuristics like these together, and being able to run JavaScript in the browser (at render-time) adds a lot more data that can be used to make a better prediction.
cAtte_•7mo ago
> If my IP address says I'm in Romania but my browser is asking for the English language version of the page... That's a signal.

jesus christ don't give them ideas. it's annoying enough to have my country's language forced on me (i prefer english) when there's a perfectly good http header for that. now blocking me based on this?!