Ask HN: What's your proudest hack?
296 points by finnlab on Dec 12, 2022 | 402 comments
I saw this question being asked on here years ago with few but interesting answers. I'd imagine that a lot of you still have some pretty interesting stories to tell about some crafty workarounds.

I was located in Sydney, Australia, trying to fix a literal showstopper bug in the signal processing of the bank of Land Mobile Radio base stations that were being used to coordinate the stage management for the Opening Ceremony of the London Olympics. Less than 24 hours to go before the final dress rehearsal, and the production company was preparing to spend megabucks to pull all the radios out and replace them with a different manufacturer's, unless the bug was fixed in the next few hours.

I ended up hacking the radio firmware to bypass the signal processing and stream the raw received samples from London to Sydney. I hacked a radio in Sydney to feed the London samples into its signal processing, then streamed the resulting samples back to the transmitter in London. I now had an LMR base station running in real-time over the Internet, with the radio hardware in London and the signal processing in Sydney. I was able to attach a JTAG hardware debugger to the DSP in the radio running the signal processing and find the bug. From there we did a firmware release and uploaded new firmware into the radios in London. Our radios stayed in and handled the stage management for the Opening Ceremony of the London Olympics.


The customer must have been happy with the outcome, as they ended up using our radios for the Sochi Winter Olympics two years later.

Thanks for reminding me that classic engineering is still alive.

What bugs me the most is that when you talk about engineering or even search for anything engineering-related all that ever shows up is software engineering. It's become much harder to find information about more classical engineering subjects.

Noyce! This is the 21st century if I ever saw it, and I tip my hat to thee.

I know you’re probably intending to say “nice” with an accent. But given the context I can’t help but also think of Bob Noyce, an engineer’s engineer. See https://www.esquire.com/news-politics/a12149389/robert-noyce...

It was intended as both actually: a sloppy imitation Australian accent, as well as a nod to Mr. Noyce. There are very few occasions where the two intersect so nicely.

You don't think it's safer to assume that this was an intended pun? Bob Noyce is pretty well heard of here. Nevertheless, very Noyce of you to link the article.

After playing a lot of Tetris Friends, I started getting deja vu. Sometimes, after starting a new game and placing maybe 10-20 pieces, I would think, "Haven't I seen this exact board before?" Eventually I tested my theory through brute force: I would start a fresh game, write down the first 10 pieces, then restart. Over and over and over, until finally, I found it -- a duplicate!

Apparently, Tetris Friends only seeded their RNG once, and there were only a few hundred possible seeds (perhaps 256? I didn't check). So if you got the same initial seed, you got the exact same pieces for the entire game. Tetris Friends also happened to have a highly competitive global leaderboard, where you tried to clear 40 lines as fast as possible... and I happened to have recently learned how to use AutoHotKey. You see where this is going.

I restarted over and over until I got a good seed, then carefully played through a whole game, copying my inputs into a giant AutoHotKey script. Tetris Friends was a flash game, meaning it could only process so many inputs per second, so I had to insert a short delay between each input. Testing/debugging was a nightmare too, because I had to restart until I found the same seed again! But after a few hours, my script made it all the way through a game, and bam, I was #1 in the world.

Felt real good for about a week, until Tetris Friends purged the leaderboard. :^)

I had a similar experience about a decade ago with an online rock-paper-scissors vs. computer site. I quickly figured out the pattern and was able to win a few dozen times in a row (late night) and got bored, but it was a very intriguing exercise.

I wrote a script that played Facebook Bejeweled for me. It took a screenshot and then picked out the pixel colors from a grid, since they're all different and mostly static, then simulated some clicks. It was a bad player but stupid fast, so it racked up the score nonetheless.

I once scripted Farmville, and quickly overtook all my friends who played it. Then somewhere at level 60 or 80 the game became so extremely slow that I gave up. The game could only handle a certain number of clicks per second, and the script would have to run for dozens of hours to gain yet another level.

EDIT: That's because gaining levels required XP, and there was literally 1 XP for each click, regardless of what you did. You could figure out a strategy to get more gold, but I already had way more gold than I could spend. But there was no strategy to get more XP other than "click more". Up to a certain level it was manageable, I just let the script run when I was away from the computer, and it took a few minutes to gain another level. Up to a certain point, the required XP per level grew quadratically; beyond that point it started growing exponentially, so I knew that I could never make more than 5 or 10 more levels past that point.

Had a similar but simpler experience with Telegram's Lumberjack game [1]. Wrote a small Python script that scans a few pixels of the screen and sends arrow key signals when it sees a branch. The game was gradually speeding up to the point that the script was not able to keep up, yet it was beating any human easily.

[1] https://telegram.games/telegram-games/lumberjack/

In my first job I worked on a database product in development that leaked memory slowly, leading to crashes after hours of usage. The software was written in C and there were no tools like Purify or Valgrind back then to deal with memory problems. It was a vexing problem that got punted until release time, when it became a show stopper.

I looked into the problem and found that the memory allocation used malloc and free. I then defined macros for malloc and free in a common header to call my_malloc and my_free functions with the standard __FILE__ and __LINE__ macros passed in as parameters. Re-compiled the whole program with the macros, which redirected every call of malloc and free to my functions. My functions logged all the calls with the allocated memory pointer, the filename, and the line number. Once I collected enough log data from test runs, I sorted the lines in the log file by the memory pointer address. Every pointer address should come in pairs, one from the malloc() and one from the free(). The pointer addresses that appeared an odd number of times were the ones with a missing free(). And I got their filename and line number right there.

Hah! A few years ago I did something similar.

I was in the process of porting some C code (a physics engine) to javascript. After porting the code I benchmarked it - and, no surprises - it was waay slower than the original C code.

One reason C is faster than javascript is that C structs get "inlined" into the containing object. For example, in C struct Body { vec2 pos; vec2 velocity; } would just be 1 object. But the equivalent javascript code would allocate 3 objects instead.

I inlined vec2 (replacing it with pos_x, pos_y, etc) and performance got a lot better. But I was curious what other structs were thrashing the garbage collector. So I added a call into all my constructors which generated a stack trace (new Error().stack), and used the stack trace as the key in a javascript object - with the value being the number of times that stack trace was seen.

After sorting and printing the result, I had a hit list of the hottest stack traces which were thrashing V8's garbage collector. I fixed all the worst call sites and by the time I was done performance improved by about 3x or so!
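Added example, not code from either commenter: a single-file version of the __FILE__/__LINE__ wrapper trick from the malloc/free comment above, extended with the "which call site allocates most" count that the JavaScript reply describes. The original logged every call to a file and paired pointers with sort/uniq; here the pairing happens in memory so the result can be checked directly. All names (tracked_malloc, report_leaks, hottest_site) and the workload functions are invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORDS 4096

/* One record per malloc() call: where it happened and whether it was freed. */
typedef struct {
    void       *ptr;
    const char *file;
    int         line;
    int         freed;   /* set once a matching free() has been seen */
} alloc_record;

static alloc_record g_records[MAX_RECORDS];
static int          g_nrecords = 0;

void *tracked_malloc(size_t size, const char *file, int line)
{
    void *p = malloc(size);
    if (p && g_nrecords < MAX_RECORDS) {
        alloc_record *r = &g_records[g_nrecords++];
        r->ptr = p; r->file = file; r->line = line; r->freed = 0;
    }
    return p;
}

void tracked_free(void *p, const char *file, int line)
{
    if (!p) return;                                 /* free(NULL) is legal, no partner needed */
    for (int i = g_nrecords - 1; i >= 0; i--) {     /* newest first: addresses get reused */
        if (g_records[i].ptr == p && !g_records[i].freed) {
            g_records[i].freed = 1;
            free(p);
            return;
        }
    }
    fprintf(stderr, "free() of unknown or already-freed %p at %s:%d\n", p, file, line);
}

/* Unpaired records are the leaks; print each with its call site, return the count. */
int report_leaks(void)
{
    int leaks = 0;
    for (int i = 0; i < g_nrecords; i++)
        if (!g_records[i].freed) {
            printf("LEAK %p allocated at %s:%d\n", g_records[i].ptr,
                   g_records[i].file, g_records[i].line);
            leaks++;
        }
    return leaks;
}

int total_allocations(void) { return g_nrecords; }

/* The "hit list": the call site that allocated most often. Quadratic, fine for a demo. */
int hottest_site(const char **file, int *line)
{
    int best = 0;
    for (int i = 0; i < g_nrecords; i++) {
        int count = 0;
        for (int j = 0; j < g_nrecords; j++)
            if (g_records[j].line == g_records[i].line &&
                strcmp(g_records[j].file, g_records[i].file) == 0)
                count++;
        if (count > best) {
            best = count;
            if (file) *file = g_records[i].file;
            if (line) *line = g_records[i].line;
        }
    }
    return best;
}

/* In the original this pair lived in a header included by every source file.
 * Everything between these defines and the #undefs goes through the tracker. */
#define malloc(sz) tracked_malloc((sz), __FILE__, __LINE__)
#define free(p)    tracked_free((p), __FILE__, __LINE__)

static void leaky_function(void)
{
    char *buf = malloc(64);                /* constructed leak: never freed */
    if (buf) strcpy(buf, "leaked");
}

static void tidy_function(int n)
{
    for (int i = 0; i < n; i++) {
        int *v = malloc(16 * sizeof *v);
        if (v) v[0] = i;
        free(v);                           /* paired with the malloc above */
    }
}

/* Constructed workload: 10 paired allocations plus one leak. Returns the leak count. */
int run_demo(void)
{
    g_nrecords = 0;
    tidy_function(10);
    leaky_function();
    return report_leaks();
}

#undef malloc
#undef free

int main(void)
{
    const char *file = "?"; int line = 0;
    int leaks = run_demo();
    int hot = hottest_site(&file, &line);
    printf("%d of %d allocations leaked; hottest site %s:%d (%d allocations)\n",
           leaks, total_allocations(), file, line, hot);
    return leaks ? 1 : 0;
}
```

Redefining malloc and free as macros is outside what the C standard guarantees, which is exactly why modern tooling interposes the symbols at link time instead; for a one-off hunt on a codebase you control it still works on every common compiler.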

You know, that's a surprisingly elegant hack. I'm sure it's obvious to some folks, but for some reason I never came up with it during my old C programming days.

Oh I was desperate. I was the most junior guy in the team on my first job after school who got thrown a hard problem. Luckily I remembered __FILE__ and __LINE__ in C, and it was a matter of working backward to link those to malloc and free somehow. My Unix command-fu (sort, uniq -c) learned back in school came through in dealing with the huge log file.

It was a huge boost to my confidence on my job and earned my cred with the team.

The eternal curse of the C programmer is knowing that macros are Right There, just waiting for you to take them up and craft the most elegant… footgun.

This is awesome, i had to do the same, ended up writing a .h file that redefined malloc/free with macros, and then reported the missing and double frees.


Oh man this brings back memories, and is the exact same approach I used a couple of decades ago — there was some undefined behaviour in some code, and it ended up being nearly impossible to reproduce when using valgrind.

Using the approach you described is extremely effective and low-overhead, and allowed me to actually reproduce the issue (I think in the end it was due to some async / race condition issue, because I was using “if map[key]” in a place where I shouldn’t, which actually inserts the key if it’s missing (and thus mutates the map)).

Fun times.

This is a great strategy even today, with the only difference being how you'd implement it: typically by interposing malloc and free and having it walk its own stack.

Any good tools or approach similarly for Java applications? Those which crash due to memory leaks?

I applied for a job at a medical cannabis operation in Canada right before legalization hit.

I was curious to see if they had checked out my personal website, so I grabbed my webserver logs and I recognized one IP from the city the job was based in. More than likely, the public IP of the business in question.

On a whim, I ran the IP through Shodan.io and it showed that 47808 was open - the BACnet protocol. I had no idea what this protocol was, but I was able to download some odd enterprisey software that had the ability to speak BACnet. I connected to the IP:Port and found a long list of connected things - water levels, temperatures, lights, and more.

I wasn't interested in doing anything questionable with this information. I'm not even certain it allowed me to do anything more than look, but I like to think I could have e.g. turned off lights or adjusted temperatures in the grow rooms. I made the (risky) executive decision to let the hiring manager know that their public IP had an important port open to the world. I wound up getting hired by that business, and the first task I was assigned was to fix the open port.

I'm not sure if that counts as "hacking", but I was proud of finding the vulnerability / misconfiguration nonetheless.

Reminds me of the time I found a “warm introduction” referral, an open invitation to potential network management positions at a company, buried in their BGP/ASN infrastructure information. (It’s been about a decade so I don’t remember exactly what specifics the info was in, but you wouldn’t have found this specific email and opening line without mucking around with their BGP and ASN info.)

I emailed but they weren’t hiring and I was mainly curious if the job would be better than what I had at the time.

Bandcamp once had an advert for recruiting a developer - it simply said "Check the headers" .... and this is where the trail began.

Although I didn't apply for the role it was a fun challenge solving steps along the way and I appreciate the effort put in making it.

Being in Scotland and poor to the point of trying to eat on a few pounds ($5) a week.

I discovered (by watching another customer) that a certain kind of very expensive Scottish smoked salmon was 4 pence more expensive than the price listed on the shelf. The supermarket (Tesco) also has a large sign stating that if the price was wrong on any item, they would both give you the item for free and the money it costs.

I promptly went and loaded up a cart with nothing but smoked salmon.

It took 42 minutes of arguing with different store managers and pointing to the sign, but I managed to eat for free that week and even had enough to pay my electricity bill.

The reason I don’t feel bad is that particular store very, very often charged the customers more than the listed price and no one ever seemed to catch them.

I went in three months later, and the same salmon still rang up at 4p more than it was listed at.

My uncle was in a similar situation: bought a granola bar, price was wrong, free granola bar. He went back a few days later and the price was still wrong. He’s a lawyer, and he sued the store and won (false advertising or something) to get them to fix the price. Pretty awkward because it’s the closest store to his family’s house. His son said it best one day, “dad, are you bored at work?”

"..He went back a few days later and the price was still wrong."

I've occasionally wondered about this, as an entirely new class of crime. One where a motivated regional manager at a modern supermarket chain could get together with someone in the IT infrastructure and decide to tweak a number (a price) in a database, and carefully watch the uncontested sales vs requests for refunds ratio. These 'mistakes' could be happening all across the stores' offerings and no one, including most of the employees, would ever be the wiser.

I've half-suspected that Harbor Freight does this. Doing the analytics could be a good business opportunity. I'm sure once the metadata companies (Amazon, Facebook) meet real retail (not just the high-dollar retail like Whole Foods), there will be interest in this measure of consumer's price awareness.

I like those McDonald's hacks where people exploit flaws in the price calculations to get burgers for free. IIRC in one case they noticed that you could order a hamburger without patty, and it had a slightly negative price. So they ordered twenty hamburgers without patty and one normal hamburger, and got all free of charge.

That's just the right combination of brilliant and bizarre.

It used to be (and might still be) the case that at Waitrose multibuy type offers are still honoured on reduced items, and applied by discount - based on the original price - meaning you could/can get a further reduction on yellow labels, or potentially be paid to take them.

> I went in three months later, and the same salmon still rang up at 4p more than it was listed at.


I was buying beer once for a party, and a crate of 12 pint bottles was ringing up for the price of a single bottle. So I bought 4 crates. We drank well that weekend.

One time I accidentally overwrote my hard drive with dd while making an installation thumbdrive. While unfortunate, it was only the first 8GB or so. This nuked the partition table, bootloader, and start of the Windows partition, but fortunately my daily-driver, still-running Linux system partition was unaffected. I kept my cool and figured it was recoverable. I ended up recovering the partition table from RAM and writing it back to the disk and reinstalling a bootloader. Talk about a nervous reboot! I'm just glad the power didn't go out...

Ah, this reminds me of the time a few years ago when I accidentally deleted `sudo`. A lot of stuff broke and it was interesting running around in a system where things would sort of work, but sort of not really.

I learned then that sudo was really just a binary, so I tried to get a copy and put it in the right place. I couldn't, though, because I didn't have write permissions to it without sudo!

In hindsight I guess I could've just run the binary itself to get access, or put it elsewhere on my $PATH, or use `su` instead. Not sure if I tried those things, it was a while ago and I was pretty new to Linux. Maybe I got the file from the internet and didn't know to make it executable.

Anyway, what I ended up doing was booting up from a live Ubuntu USB and copying the sudo from the live environment to my installation on disk. It worked, and my newbie self felt like a proper hacker, fixing the unfixable. For one day I was a heart transplant surgeon :)

This reminds me of my old laptop with Linux installed that had a broken optical drive and no USB boot option; there was also no option to buy a new optical drive. I was moving directories around to make some space on the root directory. I moved /var/ to the /home directory, created a symlink, and it worked. But then later I wanted to do the same with the /usr directory that had all the shared libraries in /usr/lib/. In the process of moving files I got some error and was not able to use any binary like cd, ls or ln. Only applications that were already running still worked.

I was certain that the laptop was dead and I would not be able to use it anymore, since I would not be able to install a new system. So the task was to somehow copy all my important data. Luckily I was using Firefox and had FireFTP installed, so I borrowed my mother's Windows laptop, installed an FTP server and was able to copy my data over WiFi. Later it turned out that you could buy a used DVD burner for that laptop, so it was resurrected and after installing Windows XP I gave that laptop to my mother.

Nice solution and good instincts! I bet you’re a pretty advanced user by now. I used to keep an Arch Linux bootable thumb drive around as sort of an insurance policy against things like this. Good reminder for me…

Oh, what fun! Our system administrator decided once to duplicate the boot partition of a server, so we had a spare should the usual one fail. He used dd of course. And the next day, he was off to a USENIX conference. What he had forgotten, though, was that the first partition on the disk actually contained the partition table! (This was on Solaris, or possibly SunOS.) Since the source disk and the target disk had different partition tables, things started falling apart. It did not happen all at once, probably due to caching. But we started getting more and more weird errors. It took me half the day to figure out what had happened. By great luck, I had actually saved a copy of all partition tables just a few days prior. They were in human readable form, but good enough for me to restore the damaged partition table to its original state. A reboot later, all problems were gone.

Sounds like another scary reboot. "Scariest reboot ever" might make an interesting Ask HN...

I never did proofread anything more carefully than that partition table before the reboot.

How did you get it out of RAM so cleanly?

It wasn't clean, I had to manually parse it out of /proc and triple check the math before committing it with fdisk.

I had something like this happen once -- a company I was at had these old RAID arrays that we kept limping along while we waited for budget to buy ones from a company that hadn't ceased to exist, and at some point a disk failed in some way that caused the RAID system to lose its internal partition table information (to my recollection... it's been a while).

I could still access the block devices, but couldn't instantiate the logical volumes, and dumping dd chunks showed that there was data there... so I wrote some code to scan the disk for ext2 magic numbers, and once I found them did some math on paper to find the partition boundaries and very... carefully... recreate them. I have a photo of the piece of paper here: https://www.flickr.com/photos/jedwards/4494268626/
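Added example, not the commenter's code: the "scan the disk for ext2 magic numbers and do the math" step above, written out against a constructed in-memory image rather than a real block device. The on-disk facts it relies on are the real ext2 layout (superblock at byte 1024 of the partition, magic 0xEF53 at byte 56 of the superblock, s_blocks_count at byte 4, s_first_data_block at byte 20, s_log_block_size at byte 24, all little-endian); the function names, the sanity checks and the fake image with its planted superblocks, backup copy and decoy are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR     512
#define SB_OFFSET  1024          /* ext2 superblock starts 1 KiB into the partition */
#define SB_SIZE    1024
#define SB_MAGIC   0xEF53
#define MAX_FOUND  16

typedef struct {
    uint64_t start_sector;       /* where the partition table entry should point */
    uint64_t sectors;            /* s_blocks_count * block size, in sectors */
    uint32_t block_size;
} found_fs;

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Treat `start` as a candidate partition start; accept only if the bytes at
 * start+1024 look like a sane primary superblock, not just a stray 0xEF53. */
static int parse_superblock(const unsigned char *img, size_t len, size_t start, found_fs *out)
{
    if (start + SB_OFFSET + SB_SIZE > len) return 0;
    const unsigned char *sb = img + start + SB_OFFSET;
    if (rd16(sb + 56) != SB_MAGIC) return 0;
    uint32_t blocks_count     = rd32(sb + 4);
    uint32_t first_data_block = rd32(sb + 20);
    uint32_t log_block_size   = rd32(sb + 24);
    if (blocks_count == 0 || log_block_size > 6) return 0;   /* 1 KiB .. 64 KiB blocks only */
    uint32_t block_size = 1024u << log_block_size;
    /* With 1 KiB blocks the superblock sits in block 1; with larger blocks, block 0. */
    if (first_data_block != (block_size == 1024 ? 1u : 0u)) return 0;
    out->start_sector = start / SECTOR;
    out->block_size   = block_size;
    out->sectors      = ((uint64_t)blocks_count * block_size) / SECTOR;
    return 1;
}

/* Walk every sector boundary. Once a filesystem is found, skip its whole extent:
 * ext2 keeps backup superblocks inside it, and they must not become phantom partitions. */
int scan_for_ext2(const unsigned char *img, size_t len, found_fs *out, int max_out)
{
    int n = 0;
    size_t skip_until = 0;
    for (size_t off = 0; off + SB_OFFSET + SB_SIZE <= len && n < max_out; off += SECTOR) {
        if (off < skip_until) continue;
        found_fs f;
        if (parse_superblock(img, len, off, &f)) {
            out[n++] = f;
            skip_until = off + f.sectors * SECTOR;
        }
    }
    return n;
}

/* --- constructed test image (no real disk involved) --- */
static void wr16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

static void plant_superblock(unsigned char *img, size_t start, uint32_t blocks, uint32_t log_bs)
{
    unsigned char *sb = img + start + SB_OFFSET;
    wr32(sb + 4, blocks);
    wr32(sb + 20, log_bs == 0 ? 1 : 0);
    wr32(sb + 24, log_bs);
    wr16(sb + 56, SB_MAGIC);
}

#define IMAGE_BYTES (64 * SECTOR)
static unsigned char g_image[IMAGE_BYTES];
static found_fs      g_found[MAX_FOUND];

/* Builds the image, runs the scan, returns how many filesystems were recognised. */
int run_demo(void)
{
    memset(g_image, 0xA5, sizeof g_image);         /* filler: partition table already wiped */
    plant_superblock(g_image,  2 * SECTOR, 16, 0); /* fs A: sector 2, 16 x 1 KiB = 32 sectors */
    plant_superblock(g_image, 10 * SECTOR, 16, 0); /* backup copy of A's superblock, inside A */
    plant_superblock(g_image, 36 * SECTOR,  4, 1); /* fs B: sector 36, 4 x 2 KiB = 16 sectors */
    plant_superblock(g_image, 56 * SECTOR,  1, 9); /* decoy: right magic, impossible block size */
    return scan_for_ext2(g_image, sizeof g_image, g_found, MAX_FOUND);
}

const found_fs *demo_result(int i) { return &g_found[i]; }

int main(void)
{
    int n = run_demo();
    for (int i = 0; i < n; i++)
        printf("ext2 at sector %llu, %llu sectors, %u-byte blocks\n",
               (unsigned long long)g_found[i].start_sector,
               (unsigned long long)g_found[i].sectors, g_found[i].block_size);
    return 0;
}
```

On a real device you would read 512-byte-aligned chunks into a buffer and run the same checks, then feed the recovered start/length pairs to fdisk rather than writing anything back automatically; the decoy and backup-superblock cases are the two ways a naive magic-number grep gives you a wrong table.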

Do you have a blog post about this with more details somewhere?

Haha, posted the same message at the same time. Great minds think alike ;]

I don't have one right now, but maybe soon!

Looking forward to it...

That's pretty hard core. Any resources you recommend to understand the steps involved? Maybe a write-up by yourself?

Reminds me of this story: https://www.ecb.torontomu.ca/~elf/hack/recovery.html

(And its HN thread, with other recovery stories: https://news.ycombinator.com/item?id=25491790)

That’s great, I had the same problem but didn’t hack it like you did unfortunately. I overwrote the first 30 GB of my 6 TB HDD and am trying out GetDataBack Pro to get my files back, no luck so far. I had some tens of thousands of photos that I can’t replace.

I'm sorry that happened! What filesystem was it?

Oh yeah overwriting the partition table can be "fun". Once wrote the partition table of a floppy to my hard drive. That was when I was still running DOS. Used a disk hex editor (I think it was part of pctools) to change it back to the correct values.

That's gnarlier than what I faced, kudos to you.

An early Samsung phone had a small bug. When you tried to dial an invalid emergency number, the home screen was briefly visible.

I discovered that, with a lot of tapping at exactly the right time, I could launch the marketplace.

With a lot of tapping at the right time I could trigger a voice search.

I then told it to install an app which disabled the lock screen.

With, again, a lot of tapping at just the right time and place I was able to launch the app and get into the phone.

Led to my first bug bounty (a new Samsung phone!) and my first million view YouTube video.


That reminds me of a hack I did. In the fairly early days of Android I realised you could install an app to a device from the Play Store using the website on the PC, and have it auto-run when triggered by an event such as the charger being plugged in. Combined with the API to disable the lock screen (eg when receiving an incoming call so the user can answer) it was a way to remotely disable the lock screen.

I created my first ever Android app in one evening and released it for free. It was the first one of its kind and was quite popular, mainly for parents who let their kids play with their phone and accidentally lock it, or for people who wanted access to their loved one's device after they died.

However I received loads of bizarre and abusive support requests from people who demanded I help them, and even call them personally. Eventually I got fed up and started to charge a nominal amount and the support requests suddenly became much more polite and intelligent, filtering out the toxic support requests.

I read a post on HN about how increasing price on something can result in higher sales because people value it more. I decided to increase the price as an experiment, and sure enough the sales went up!

For 3 hours of work one evening creating the app, it made a few £10ks over a few years.

Eventually Google prevented the ability to auto-run newly installed apps due to malware using the same vector, now you have to launch the app manually the first time. While it still worked on older devices I eventually removed it because it failed more than it worked.

You sir have the patience of a saint. Cool hack!

Writing a first-gen PSX (Playstation) game, NASCAR Racing, we had an in-house physics engine that needed the physics thread to run on a constant 30 Hz. PSX SDK didn't have pre-emptive multi-tasking. Sony US "checked with Japan" who said we were out of luck.

Then I remembered my old Atari 8-bit programming days and the vertical blank interrupt (which there was on the PSX, but we couldn't run all the physics in the VBI time allotment). What we could do though, was to use setjmp/longjmp to switch contexts between threads and then hack the vertical blank interrupt to save off the registers from the main thread, longjmp back to the physics thread, which would then restore the registers of the main thread and longjmp back to it. Bingo, 29.94Hz pre-emptive two-threading (which was all we needed).

(I don't recall if we actually used setjmp/longjmp or if we just stored away the PC register to return from the interrupt and monkeyed with it to return from the interrupt to the physics thread [as if it was interrupted at the start of a cycle of the engine] and then return from there to code that would restore the registers and make it appear to the main thread that it was returning from a VBI.)

I wrote multithreaded code in C++ before for a different use case. Was the challenge here just getting 30hz or was there something limiting where you couldn’t get that output with just running a dedicated thread? I’m no expert. Teach me :)

We couldn't find another way to get a steady 30Hz. I don't think there was a pthreads implementation for the PSX SDK, but it's been a little over 27 years, so I can't swear to it. I do know we didn't do it without trying a bunch of other more conventional alternatives.

About 10 years ago, I worked for a Toyota supplier. My job, as the only software guy in a house full of hardware people, was to find out every single Toyota and Lexus dealership in America, and then find out what kind of cell phone reception they had (3G, Edge or none) for each of the major carriers (AT&T, T-Mobile and Verizon, IIRC). They imagined this would be done manually so they estimated a few weeks to do the job.

Within 3 days, I wrote a script to locate the dealerships, load each of the carriers' web pages, enter the address/coordinates into their coverage map, then take a screenshot of the results. Each of the carriers, of course, had their own way of displaying the coverage information, but it was mostly a color-coded map (example: green area = 3G, blue area = edge, gray area = no reception). So, I wrote another script to process the screenshots and deduce what kind of reception they had at the dealership (some 3500 in total, if I remember right).

Unfortunately, this feat was met with the proverbial "great, while you're fixing things can you also fix the printer" kind of response, but damn if I wasn't proud to compress a few weeks into 3 days in a clever way, even if I had no one to appreciate it.

By the way, the reason we needed this information is because we were rolling out Lexus RES+ (an early version of the remote engine starter) and they wanted to make sure that every single one of the dealerships could demo the service to potential customers.

This reminds me of the response I got once when working for a government agency. I managed to automate their quality assurance process, reducing a two week manual testing routine down to a five minute test suite. Their response? I got fired for "poor performance". I guess I made too many unproductive government employees fear for their jobs. Lesson learned!

Same thing happened to me working as an administrator in a warehouse.

I basically made all midnight-shift administrators redundant (including myself), as their job could be completely automated as long as someone on the floor could put the tickets into a slot. In the morning, the 'actual' administrator(s) would batch-scan these documents which then got picked up by a script I wrote. It categorized all the tickets and sent out the necessary emails depending on which what where when, saving the result to files to be used in reporting (normally written by hand).

They didn't like this, and refused to use it. I tried to explain that the entire office side of the company was filled with this type of low hanging fruit, but they wouldn't hear it.

Company eventually folded due to lack of solvency. When I asked the CEO why this was considering the large amount of paying customers we had, he stated 'rising employee costs'. The headcount of people working on the ground had stayed the same during this entire process, new hires were exclusively doing admin work.

But did it match reality? I know that I’ve found both Optus and Telstra’s network coverage maps next to useless in both metropolitan Melbourne and regional Victoria, Australia, for as long as I’ve been paying attention, which started in roughly 2015. They claim almost total coverage in a way that is simply not true, especially with cheaper phones’ modems (they often have poor antennae) and modems that lack total frequency band overlap (surprisingly common, even among flagship phones from the domestic market), but even on phones with good modems and support for all frequencies. Telstra only say whether it’s 3G, 4G or 5G, with no indication of likely strength (which is extremely important—near me, they claim 4G coverage, but in practice you’ll get a weak 3G signal outside and probably nothing inside, and I believe it’s served from a tower in the next town over 10km away, but of course no one that lives here uses Telstra, when there’s an Optus tower right in the town), and Optus are only a tad better, splitting it into two strengths, without and with antenna.

I wish they’d tell you where the towers actually were, because then even a layman could do a better job of estimating how usable a signal will be.

Super minor compared to a lot of the stuff here, but when I was a young data scientist I had the job of creating a model to tell our call center sales agents when an ancillary product would be a good fit to upsell to customers, and when not to waste their time. The only problem: integrating it into the sales application was nearly impossible, IT said it was a huge effort, nobody wanted to do it.

So what I did was build a greasemonkey script to watch the DOM as they went through the sales flow and record the values as they were entered. I then built a decision tree model of moderate size, exported it to a string, converted that into a big javascript function. Then, if the model said things were looking good, I modified the DOM to insert a little "alert" box on the top of the page. I handled all the state manually in case they navigated away or did things in a funny order. I knew zero JS or web development at the time, so this was SUPER hacky. But it worked! I then manually walked around to sales agent computers and installed the greasemonkey extension/script. I even got IT involved eventually to serve the script from an internal endpoint, allowing for easier updates.

The actual model ended up being just okay, and didn't have a huge impact on actual sales, but the exec team was SUPER impressed with the delivery mechanism. We had a parent company and they loved to brag to their superiors how we had deployed a machine learning model "for zero IT cost". They had me do a writeup and everything in case someone wanted to copy my revolutionary idea. I'm sure some guy at the HQ took a look at my writeup and got a good laugh out of how incredibly obtuse, insecure, and hacky the whole thing was.

That said, I still think it was a clever solution and even wondered about turning it into some kind of product at one point.

Impressive idea. I know Greasy Fork, and it's great to remind ourselves of its potential from time to time!

Elementary school, Windows 3.x era.

School district thought they blocked access to the built-in OS games.

Nope, from any program (Wordpad, etc) you could FILE -> OPEN to find/launch/play Minesweeper.

Nothing makes an 8-year-old feel more like a "hacker" than subverting school controls to play video games, while also gaining cred with your friends.

The good ol' days.

Reminds me of a hack I discovered in school.

I discovered that I could use VBA from Word to shell out to cmd bypassing all of the security. This opened a world of possibilities...

This being the era of AOL punters, I created a neat VBA utility in a Word doc that used net send to spam other computers in the school. Shared the file widely.

Then I used the technique to explore the network... eventually was able to use net use to connect to a remote drive in the school administrator's office where I found a text file of every student birthday, home address, and SSN... which I then could use to sign into anyone's account (password was derivative of name and SSN).

Culminated with pwning a school rival by putting all his files in a password protected zip on the desktop and dropping a batch file in his startup folder that printed a text file with the password to the printer when he logged in.

Reminds me of high school. We also had locked down computers, but one day I noticed that one of the programs on the system had a directory structure of hundreds, if not thousands, of executable plugins that needed run-access for the program to execute properly.

My hypothesis was that the IT guys were lazy and just unblocked anything in that directory. Even if a networked computer didn't have this program on it, you could just recreate the directory structure and drop any portable executable there and run it. Pretty soon we were all playing brood war in every free period.

Ah, reminds me of the good ol' Windows 98 login bypass: https://epiclogon.ytmnd.com/

AFAIK, Win 9X login was more of a "profile loading" rather than proper login. You could just hit cancel and in you were with a default profile loaded.

Well, s/he could just click OK

School PC "hacking" and bypassing locking was a great pastime.

One of the schools I went to had a computer lab in the Library, ran on Windows NT 4. I found so many work-arounds to their security controls that they ended up making me an admin and told me to fix them all. That was my intro into group policies and domain management.

Another student made a credential-phishing program - it was a full-screen VB6 app that looked like the normal NT4 login. They'd log in, launch the credential-phishing app, and then walk away. It wrote the stolen creds to their 'home' drive and then logged out after showing some fake "There was a problem with your password, try again" message.

Many years later, but still on NT4/Windows 2000, at technical school we found that the campus-wide internet was run through a single Windows-based proxy, with rules on the router to prevent traffic to the internet except from that proxy.

They also did various content-filtering things, allowing only certain white-listed sites.

At that time Windows's networking was iffy - and if it detected that another computer was using the same IP, it'd disconnect itself from the network.

Our class had a computer lab with removable 3.5" drives and we were learning about setting up networks. Well, install a Linux distro, install squid with rules to allow all traffic. Then once it was working, change your machine's IP to that of the proxy. Now the entire campus's internet traffic was going via your lab machine, and you had free access to the internet. We just kept a 'proxy' disk around and put it in anytime we needed something that wasn't whitelisted. I don't know if the network admins either didn't care, or didn't know because it wasn't fixed for a few years.

Ha, reminds me of high school. No command line access on the school PCs.

At the time, I was learning PHP, having stepped up from plain HTML/CSS. I had also discovered that I could run a web server (XAMPP).

So, one PHP script later, and sure enough… command line access through the browser!

In WinXP you could also use File->Open in notebook to download URLs.

It's also possible to have binary files that only consist of readable bytes that can be saved in notepad.

1 - probably you meant Notepad

2 - In all Windows versions you could do that. Notepad is rather an underrated program. You should really read Ray's entries about how Notepad works.

In my school you had to rename the binaries to calc.exe and then they'd work.

I had something similar. They installed Windows 95, but the DOS files and Windows 3.1 files were still there too. I was able to open Solitaire, QBASIC, and other programs, including the Windows 3.1 registry editor, which can display and edit parts of the Windows 95 registry but not all of them. (The Windows 95 registry editor did not load, due to the policies)

I had also figured out using VBA in Microsoft Word.

Once the teacher took the students to the computer lab to make greeting cards, but the program to do so was no longer in the menu; fortunately I knew where it was and was able to describe (using VBA in Microsoft Word) so that everyone in the class could load the program.

Later, they removed many restrictions but all files were reset when rebooting, so any program could be accessed without damaging it.

Something less prohibited was defining a password for print jobs to avoid getting them mixed up with everyone else's.

In high school (using windows 7) cmd.exe was blocked, but only by launching it directly.

Creating a .bat file and double clicking on it got it loading just fine.

I didn't find any cool tricks to do with it besides just running it.

After reading an inspiring story in the mid 90s about someone that collected rejection letters for jobs they weren't qualified for (CEO of a national rail carrier etc), I turned to a life built on a similar idea. I applied for jobs I thought I could do, using mostly made-up resume information. If I was scheduled for an interview I would study like mad every waking hour until the interview. My career was absurdly successful by any measure and I retired rich 30 years early.

The resume is the dumbest blocker in our society. If you can do the job, just write that on your resume along with whatever else you think they want to see.

That's insane, what are some of the jobs that you conned your way into?

Weird that you think I conned my way in. I was always able to skill up and do the job. Theoretical before, then learn the rest on the job.

Well, you did say you made up the contents of your resume. Kinda fits the description ...

You said so yourself

"write that on your resume along with whatever else you think they want to see."

Basically the protagonist of the "Pretender" show.

Please don’t tell me you were a doctor :D

You really need to give us some more details!

Did this ever backfire when it came time for the interview or was the cramming always sufficient for you to pass as qualified?

A mix. I also learned really great interview skills. That goes a long way.

> I retired rich 30 years early.

Sounds better than working as a product manager for 25 years.

That sounds oddly specific.

I was looking for an apartment to rent (circa 2010-ish), on Craigslist and Kijiji. Neither had a map feature, and both suffered from a lot of reposts. If a nice place came up, you had to be extremely responsive (like, contact the poster within minutes of the ad going up) to stand any chance against competing renters.

I wrote a pile of scripts that scraped both sites, parsed and cached the data, and displayed it on a map. I was able to set search criteria based on location, and kludged it so that if something good came up, the system would automatically email the landlord if they made the email available, text them if they left a number, and text me a notification with a link.

The scraper eventually got pretty fancy as I expanded the service across multiple cities - it self-throttled and self-scheduled, based on the average frequency of postings on each platform in each city at a given time of day. The repost detector was working pretty well too, it added a layer of data to the results (eg, "this rental was re-listed 12 times in the past two weeks").

Once I found a place I liked, I made the site public and shared it with some friends, and it didn't take long until I was seeing steady daily use. The site even won an award from CIRA.ca!

I wrapped things up when I learned of Craigslist suing Padmapper for scraping their data. I wasn't monetizing, it was a cool project, but it felt like it was done.

Thanks! I found at least one place using padmapper back in the day that worked out really well! In 2022 craigslist still sucks at removing duped postings for apartments, cars, etc.

A bit younger here, but back in elementary school we got chromebooks when chromebooks were barely becoming a thing (replacing the rack of netbooks that was normally wheeled into our classroom).

Two things I did that were very fun:

1. School blocked a lot of popular flash game websites. My friends and I downloaded a bunch of flash games and threw together a website that we hosted on our chromebooks using '200 OK - Webserver for Chrome' or something. It was just a bunch of janky HTML and CSS, but we got it working. The school didn't block it because it was on the local network. We handed out slips of paper to our friends with the local IP address of my laptop. At one point someone made a Google Site with a link to the local address. It was a hack, but playing RUN 2 on your chromebook during social studies in 5th grade... man, those were the days.

2. Around that time one of my friends stumbled across crouton, a way to run Linux on a chromebook in parallel with ChromeOS. After a lot of trial and error (didn't know what bash was at the time), we were able to get Ubuntu installed. I remember downloading Blender and trying to do a fluid sim, which was super slow. I was able to render the first 20 frames of a domino and fluid animation using Cycles, which frames I still have sitting on my hard-drive somewhere to this day.

Some of my first hacks, older me is surprised how much younger me was able to get done given how much younger me didn't know.

A lot of older techies bemoan the fact that phones and appliance-like computers lock everything down and obscure the inner workings, claiming it will stop kids from learning to hack. I think this is a great counterpoint... some kids are going to find ways around things no matter what!

When Web Sockets were still not finalized, I was writing a C# program using them but there wasn't a functional library available. There was however a nice open-source Java implementation. I copied it into Visual Studio, changed all the file extensions, and spent half an hour hitting build then fixing syntax and import red squigglies. It eventually built successfully and happily sent data to a NodeJS front end for years.

Nice. C# did start off life as Java with the serial numbers filed off…

J++ without the legal mess

Great description!

Cool. I did something similar with an old C program from the 80s by Peter Langston called Riffology, which was the algorithm used to generate the procedural music in Ballblazer.

I pasted the C files into Eclipse, deleted some `register` keywords, made a bunch of tweaks, and it ran fine as Java.

I did something similar as well

Not that hacky or mind-boggling, but does involve a hex editor and lots of money...

I added support for the '\ ' PostScript escaped space sequence to a custom, high-performance PDF parser.

A former employer used this to derive key figures from financial statements. Any change to the parser had to be Pareto-optimal: so if you modified the parser, it should not fail to parse any key figure that was previously possible to parse. Adding this improved reading word-wrapped text in hundreds of cases and key figures in dozens; I recall that my bosses thought it must be a mistake, and that I had to convince them by finding the right section in some Adobe PDF spec.

I wasn't an expert at the PDF format. But stumbling on a number split in two by apparently nothing, and digging up a 0x5C 0x20 '\ ' with a hex editor, I seemed to recall that PDF was built on top of PostScript, and that TeX / LaTeX syntax was somehow related to PostScript. So it struck me that what was a literal backslash in the PDF must just be an escape sequence.

> but does involve a hex editor

Oh, your comment reminded me of one of my proudest moments as a high school student!

Norton Utilities was a must for any MS-DOS user, and so, poor students pirated it when they could. The problem was once installed, it asked for a password, and subsequent runs would demand it. My friend got ahold of a diskette with a complete but password-locked copy, and while he knew the password, he found it annoying and wanted to bypass it.

By trial and error, we found a location where the binary stored the password, but it was encrypted. Studying the "encryption", it turned out it was an XOR of the password padded with spaces until I think 20 characters, so you could change that location to XORed spaces to enter the password with a single Enter, or change it to zeros so it behaved like a new install.

I don't know what my friend did with his copy, I just remember the high of beating the copy protection of the legendary Peter Norton.

"to build a custom, high-performance PDF parser" ?

Anyone who was in college in the US between 2013-2016 will probably have at least heard of the app Yik Yak (https://en.wikipedia.org/wiki/Yik_Yak).

For those who weren't or haven't, it was a geofenced, anonymous message board app targeted to college students that became fairly popular over the first two years of its existence before gradually fading into obscurity and finally being shut down in 2017 (but as of 2021 was rebooted with pseudonymous accounts, IIRC). Users could see any messages within a certain radius (0.5 miles or so, I think) and messages could be upvoted and downvoted, and were sorted by their vote score. Messages with a score of -5 disappeared forever, and I think also eventually aged out.

Being a chaotic sophomore with some Android experience, I decided it would be fun to decompile the app and see how it worked. I discovered that each device was assigned an ID based on a timestamp, IMEI, and a few other pieces of information that could be easily spoofed, by calling a fixed HTTP endpoint to generate as many new IDs as I liked.

I generated ~500 or so IDs using some Java code, hardcoded them into a .class file, and added some hooks to intercept existing calls to set up the Android UI and add my own event listeners. From there I added a button to the app's menu bar with a radiation hazard icon that would use the generated IDs to nuke every message in range of the user, downvoting them all to -5 and causing them all to disappear instantly. I also added the ability to long-press the upvote and downvote buttons, which would bring up a dialog with a slider allowing the user to upvote or downvote any post up to 500 times, sending it to the top of the list (or downvoting it to oblivion). Finally, I rebuilt the app with my added .class file patch.

Needless to say, this was a source of great fun and mischief for my friends and me. The most entertaining event was attending a hackathon at our (much larger) rival university's campus, where we nuked every local post a few times a day for 72 hours and voted our own posts up 500 times.

It was fun to mess with for a few months or so. We never distributed the patched app, for obvious reasons, and we never used it for anything truly malicious beyond being a mild local nuisance denial-of-service.


I have always desired to have browser extensions kinds of functionality for the mobile apps.

Wonder why this practice is not more popular

I often create screen recordings for my classes, but it's very boring and time consuming. I'm a perfectionist, and if I mistype a command I prefer to re-record everything. Moreover, every time one of the tools used in the videos gets a significant update, I feel compelled to redo the video.

I have started using xdotool [1] to create bash scripts that send mouse clicks and keystrokes to apps. Interleaving calls to xdotool with the "sleep" command [2] produces a convincing effect. If I need to redo a video to fix typos or after a program update, I just fix the bash script and restart the recording.

Alas, the only thing that is missing in my videos is the sound of keyboard clicks… But nothing is perfect!

[1] https://github.com/jordansissel/xdotool

[2] https://en.wikipedia.org/wiki/Sleep_(command)

We used something similar in 2008 at CeBIT (which was the biggest IT trade show in Germany at the time). A publishing house for IT magazines set up a side area for minibooths and gave them out to a dozen open-source projects. I was there with a bunch others to represent KDE. We only had a few posters and stickers, nothing fancy, so we had to make our booth flashy somehow. My friend quickly hacked together something with a similar input simulation tool that opened applications from the start menu, flipped through directories in Dolphin, and such, and set it up to run in a loop. It sure did help us catch people's attention.

> I have started using xdotool [1] to create bash scripts that send mouse clicks and keystrokes to apps. Interleaving calls to xdotool with the "sleep" command [2] produce a convincing effect.

Can you share some of these scripts?

Sure, here is one of them:


And here is the recording, made with asciinema:


Love this one.

For the clicking sound you could add something like the below command on each click.

'aplay click.wav'

If adding mouse/keyboard sounds, the main challenge is the variability in sounds, for instance how hard keys are pressed. Also, repetitive sounds, or sounds that are mis-timed to the corresponding action, are worse than no sound at all.

Just have a disconnected model M that you type along with.

that's really cool, thanks for sharing

In the early 90s, when ECUs were just becoming a thing, my colleague, who was a weekend rally driver, plonked one on my desk and asked if I could figure out how it worked and, if possible, to tune engine parameters for maximum performance.

I identified the microprocessor as a 6502, based on board topology, even though all IC markings were removed. At the time (before the internet), I could not find a 6502 disassembler, so I wrote my own. I successfully decompiled the code, figured out how it worked and found the parameter "maps" stored in ROM.

Loaded these into Matlab and wrote scripts to allow my colleague to tune the maps and write them back to EEPROM.

It was a couple of weekends' work for me, and I never thought about monetizing the knowledge. Several years later, I met another colleague who did the same for the Mazda RX7 ECU, and made a tidy side income selling "performance ROMs". C'est la vie.
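A table-driven 6502 disassembler in the spirit of the one described above, as an added example (not the commenter's tool; the opcode subset and the sample ROM are constructed). The point worth seeing in code is that the addressing mode, not the mnemonic, decides how many operand bytes follow and how they print, and that collecting the targets of `LDA abs,X` / `LDA abs,Y` reads is a quick way to spot lookup tables such as ECU maps.

```python
"""Minimal table-driven 6502 disassembler (added example; constructed opcode subset and ROM)."""
from collections import namedtuple

Instr = namedtuple("Instr", "addr text mnem mode operand")

# addressing mode -> operand byte count; the mode, not the mnemonic, fixes the length
MODES = {"imp": 0, "imm": 1, "zp": 1, "zpx": 1, "rel": 1, "indx": 1, "indy": 1,
         "abs": 2, "absx": 2, "absy": 2, "ind": 2}

FORMATS = {"imp": "", "imm": "#${:02X}", "zp": "${:02X}", "zpx": "${:02X},X",
           "abs": "${:04X}", "absx": "${:04X},X", "absy": "${:04X},Y",
           "ind": "(${:04X})", "indx": "(${:02X},X)", "indy": "(${:02X}),Y"}

# A useful subset of the documented opcodes (enough to follow control flow in a small ROM)
OPCODES = {
    0x00: ("BRK", "imp"), 0xEA: ("NOP", "imp"), 0x60: ("RTS", "imp"), 0x40: ("RTI", "imp"),
    0xA9: ("LDA", "imm"), 0xA5: ("LDA", "zp"), 0xB5: ("LDA", "zpx"), 0xAD: ("LDA", "abs"),
    0xBD: ("LDA", "absx"), 0xB9: ("LDA", "absy"), 0xA1: ("LDA", "indx"), 0xB1: ("LDA", "indy"),
    0x85: ("STA", "zp"), 0x95: ("STA", "zpx"), 0x8D: ("STA", "abs"), 0x9D: ("STA", "absx"),
    0x99: ("STA", "absy"), 0x81: ("STA", "indx"), 0x91: ("STA", "indy"),
    0xA2: ("LDX", "imm"), 0xA6: ("LDX", "zp"), 0xAE: ("LDX", "abs"),
    0xA0: ("LDY", "imm"), 0xA4: ("LDY", "zp"), 0xAC: ("LDY", "abs"),
    0x86: ("STX", "zp"), 0x8E: ("STX", "abs"), 0x84: ("STY", "zp"), 0x8C: ("STY", "abs"),
    0x4C: ("JMP", "abs"), 0x6C: ("JMP", "ind"), 0x20: ("JSR", "abs"),
    0xF0: ("BEQ", "rel"), 0xD0: ("BNE", "rel"), 0x90: ("BCC", "rel"), 0xB0: ("BCS", "rel"),
    0x30: ("BMI", "rel"), 0x10: ("BPL", "rel"),
    0xC9: ("CMP", "imm"), 0xC5: ("CMP", "zp"), 0xCD: ("CMP", "abs"),
    0x69: ("ADC", "imm"), 0x6D: ("ADC", "abs"), 0xE9: ("SBC", "imm"),
    0x29: ("AND", "imm"), 0x09: ("ORA", "imm"), 0x49: ("EOR", "imm"),
    0xE6: ("INC", "zp"), 0xEE: ("INC", "abs"), 0xC6: ("DEC", "zp"), 0xCE: ("DEC", "abs"),
    0xE8: ("INX", "imp"), 0xCA: ("DEX", "imp"), 0xC8: ("INY", "imp"), 0x88: ("DEY", "imp"),
    0xAA: ("TAX", "imp"), 0x8A: ("TXA", "imp"), 0x48: ("PHA", "imp"), 0x68: ("PLA", "imp"),
    0x18: ("CLC", "imp"), 0x38: ("SEC", "imp"), 0x24: ("BIT", "zp"), 0x2C: ("BIT", "abs"),
}


def fmt_operand(mode, value, addr):
    if mode == "rel":  # branch: signed 8-bit offset relative to the *next* instruction
        off = value - 256 if value >= 128 else value
        return f"${(addr + 2 + off) & 0xFFFF:04X}"
    return FORMATS[mode].format(value) if value is not None else ""


def disassemble(rom: bytes, base: int = 0):
    """Linear sweep; unknown opcodes and truncated operands are emitted as .byte data."""
    out, pc = [], 0
    while pc < len(rom):
        op, addr = rom[pc], base + pc
        entry = OPCODES.get(op)
        n = MODES[entry[1]] if entry else 0
        if entry is None or pc + 1 + n > len(rom):
            out.append(Instr(addr, f".byte ${op:02X}", ".byte", "data", op))
            pc += 1
            continue
        mnem, mode = entry
        value = int.from_bytes(rom[pc + 1:pc + 1 + n], "little") if n else None
        out.append(Instr(addr, f"{mnem} {fmt_operand(mode, value, addr)}".rstrip(), mnem, mode, value))
        pc += 1 + n
    return out


def indexed_reads(instrs):
    """Absolute addresses read with X/Y indexing: candidate lookup tables (e.g. ECU maps)."""
    return sorted({i.operand for i in instrs if i.mnem == "LDA" and i.mode in ("absx", "absy")})


# Constructed sample ROM, assumed mapped at $F000: copy 5 bytes from a table, then loop.
ROM = bytes([
    0xA2, 0x05,        # LDX #$05
    0xBD, 0x20, 0xF0,  # LDA $F020,X   (table read)
    0x8D, 0x00, 0x02,  # STA $0200
    0xCA,              # DEX
    0xD0, 0xF7,        # BNE $F002
    0x20, 0x11, 0xF0,  # JSR $F011
    0x4C, 0x00, 0xF0,  # JMP $F000
    0x60,              # RTS
])

if __name__ == "__main__":
    listing = disassemble(ROM, base=0xF000)
    for i in listing:
        print(f"{i.addr:04X}  {i.text}")
    print("indexed table reads:", [f"${a:04X}" for a in indexed_reads(listing)])
```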

A few years ago, the company I work at switched to using Alpine-based docker images for most containerized things. One side effect was that our Ansible playbooks (running from inside one of these containers) would fail with inconsistent network timeouts when targeting a couple thousand servers. It turned out that the issue wasn't with the network nor with Ansible. The way that Ansible invoked some library functions for keeping track of SSH connections caused it to create a bunch of POSIX semaphores via sem_open().

glibc had a dynamically allocated data structure to keep track of semaphores, but musl libc only had a fixed-size 256 element array. When the semaphore limit was exhausted, Ansible would fail to keep track of the connections, resulting in a network timeout error message. I fixed the problem by forking musl's semaphore functions, making the array resizable, and loading the implementation with LD_PRELOAD: https://github.com/chenxiaolong/musl-sem-ext. Worked perfectly for 6 years until we decommed our data center :)

When requesting pizza delivery from the Domino's site I captured and modified the http request to delete the `crust_type` field. Turns out most of the price was calculated from that so I was getting incredibly cheap pizzas for a while until they found out and invalidated requests without crust selection.

What crust did they ship it with?

Sounds a little like None Pizza with Left Beef, also on Domino's: https://youtu.be/5yWTPtPYukg

Classic crust IIRC. The best thing is that even the paper receipt was lacking the crust selection, so it looks to me that every system in the pipeline looked at that `null` value, sighed, and passed it along to the next system, until it reached the cooking area where they would blame the IT guys and slap in the "default" crust. Also I waited for the day that I would receive a plastic cup with just salsa and floating ingredients, but sadly it never happened.
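The missing-field pricing bug above, as an added example that is not Domino's code: the catalogue, field names and prices are constructed assumptions. The first pricer reproduces the failure mode (a client-controlled body with `crust_type` deleted, priced through a silent default), the second validates required fields against a server-side allowlist and refuses the order instead of passing a null downstream.

```python
"""Parameter tampering by field omission (added example, constructed order schema).

A client controls the request body, so it can simply delete a field. A handler
that prices from body.get(...) with a silent default charges nothing for the
missing part, and every later system just forwards the None."""

CRUST_PRICES = {"classic": 9.99, "thin": 9.99, "pan": 11.49}   # assumed catalogue
TOPPING_PRICE = 1.50
REQUIRED = ("crust_type", "toppings")


class InvalidOrder(ValueError):
    pass


def price_vulnerable(order: dict) -> float:
    # Silent default: a missing or unknown crust_type prices the base at 0.00.
    crust = CRUST_PRICES.get(order.get("crust_type"), 0.0)
    return round(crust + TOPPING_PRICE * len(order.get("toppings", [])), 2)


def price_hardened(order: dict) -> float:
    missing = [k for k in REQUIRED if k not in order]
    if missing:
        raise InvalidOrder(f"missing required field(s): {missing}")
    crust = order["crust_type"]
    if crust not in CRUST_PRICES:            # allowlist, not "anything truthy"
        raise InvalidOrder(f"unknown crust_type: {crust!r}")
    toppings = order["toppings"]
    if not isinstance(toppings, list) or len(toppings) > 10:
        raise InvalidOrder("toppings must be a list of at most 10 items")
    # Price comes from the server-side catalogue only; nothing client-sent is trusted as a number.
    return round(CRUST_PRICES[crust] + TOPPING_PRICE * len(toppings), 2)


def rejects(order: dict) -> bool:
    """True if the hardened pricer refuses the order."""
    try:
        price_hardened(order)
    except InvalidOrder:
        return True
    return False


if __name__ == "__main__":
    tampered = {"toppings": ["ham", "pineapple"]}      # crust_type removed by the client
    print("vulnerable price:", price_vulnerable(tampered))   # crust priced at zero
    print("hardened rejects:", rejects(tampered))
```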

My proudest hack and the hack I'm most known for both happened at the same company.

My proudest (and also maybe least proud at the same time) was writing a BASH script that was able to successfully replicate a complex server environment that had been previously built by contractors for an essential service that we needed to re-deploy, both for growing regions, but also to resolve a possible security issue due to how the contractors had deployed it. I had to basically reverse engineer every aspect of the service, built a deployment backend that I triggered, and did all of it in a fully-automated way that would break in known manners if it failed. That script went on to be used to deploy the entire service globally to ~12 regions on hundreds of servers.

The thing I'm most known for in that company was when I was working night-shift support and a customer called in with a server that had one of the drives fail on a Windows box, and apparently had decided it was worth saving $1/mo to not have backups. Because it was night-shift and nothing else crazy was going on, I decided to delve deep and I managed to get things back up by rebuilding their partition table by hand in a hex editor and avoiding some specific bad blocks so we could copy the data to a second drive DCOPS temporarily installed in the server, then we reinstalled the box and I migrated all their data back and brought their website back up. It took me around 9 hours, and at the end of it, the customer called in to complain about how long their site had been down, gave me the whole spiel. I had ended up staying late, so handed things off to the most senior person on the next shift that had a chance of understanding what I had done, and when I got done transferring the call I walked up two floors to talk to them directly to warm handoff and could hear the customer screaming through their headset from 3 cubes away. I became a legend for doing the most thankless task anyone had ever done for a customer in support.

I basically have done the same thing on both occasions except the first one I have oddly done multiple times. One of the occasions still felt like I wasted all of my time and effort too because it was for a custom HPC environment (I was performing a major OS upgrade that also involved getting a lot of programs to work on a 64 bit OS when they were originally written for a 16 or 32 bit OS) that was trashed within two months after the environment was fully up and running. The client not only bought new hardware (after repetitively telling me they wouldn't have a budget to do that for a couple of years) but also pulled a 180 on the decision that certain Opensource tools could be used within the environment after a code review and approval process was completed.

Did you try to recover the corrupted windows partition table first using either Testdisk by CGSecurity or Hiren's BootCD? If it was on a UNIX or Linux file system that sort of thing can be recovered a lot easier thanks to alternate superblocks and the ability to basically copy the partition sectors from another disk that is the same size with the same partitioning thanks to the dd command.
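The partition-table repair above, as an added example rather than the commenter's procedure: a parser and builder for the classic 512-byte MBR (table at offset 446, four 16-byte entries, 0x55AA signature at the end), plus the overlap check you would want before writing a hand-edited table back to the disk. The sample layout is constructed.

```python
"""Parse, check and rebuild a classic MBR partition table (added example, constructed layout)."""
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
LBA_CHS = b"\xfe\xff\xff"  # conventional "use LBA" CHS filler


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1


def parse_mbr(sector: bytes):
    if len(sector) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                      # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte {status:#x}")
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def check_overlaps(parts):
    """Pairs of partition indexes whose LBA ranges overlap (a hand-typed table's usual mistake)."""
    bad = []
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start <= a.lba_end:
            bad.append((a.index, b.index))
    return bad


def build_mbr(parts, boot_code: bytes = b"") -> bytes:
    sector = bytearray(SECTOR)
    code = boot_code[:TABLE_OFFSET]
    sector[:len(code)] = code
    for p in parts:
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * p.index,
                         0x80 if p.bootable else 0x00, LBA_CHS, p.type_id, LBA_CHS,
                         p.lba_start, p.sectors)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed layout: a bootable NTFS partition followed by a Linux one.
SAMPLE = [Partition(0, True, 0x07, 2048, 204800),
          Partition(1, False, 0x83, 206848, 409600)]
SAMPLE_SECTOR = build_mbr(SAMPLE)

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_SECTOR):
        print(f"#{p.index} type={p.type_id:#04x} boot={p.bootable} "
              f"LBA {p.lba_start}-{p.lba_end} ({p.sectors} sectors)")
    print("overlaps:", check_overlaps(parse_mbr(SAMPLE_SECTOR)))
```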

Not my hack, but a team effort. Many years ago, I worked for a premium car manufacturer. We wanted to present a new product idea to convince visitors from HQ that we had a project worth funding: The core idea was that the car could be opened not only with the normal car key but also by other means, for example from a smartwatch.

Usually we would simply have modified/rewired a car so that a bluetooth connection to open it would work (for the demo only, of course). However, the keyless entry was designed to be so secure that it would have taken us far too long, even with our insider knowledge. My team leader had the brilliant idea of simply printing a 3d housing in which the original car key and an arduino-controlled servo could be installed, so that the arduino could press the key. We placed this device close to the car and remotely controlled the arduino. The demo worked perfectly and everyone was happy (afaik the project was not funded though).

Was reminded the other day about the time I arrived early at the night shift to learn a particular manual "scheduling" technique (how to match single size and double size packages to hundreds of deliverables, and I think there was some options too).

I saw the excel file, asked for 5 minutes, came back after 15 and had solved the problem to such a degree that it went from wasting two hours for two teamleaders on every night we did this job to being almost trivial for one to do in 5 minutes.

And the solution was trivial. Like really trivial. But no one had thought of it before : )

Second best probably when I saved a messed up server in US (a person on site hadn't noticed the . in rm -rf ./bin and had proceeded to use sudo without thinking, as every Linux user does when they go through that dangerous phase).

I realized I still had one ssh connection to the server, realized either scp or rsync or something was in sbin (or somewhere else) and we could use it to copy the necessary binaries to get it back on track.

This easily saved us 3 days (RHEL with Oracle 11g something easily took days to get right and it also was a massive pain to do).

I'd love to learn more about how you solved this scheduling problem.

First, you might have overestimated the complexity of it. I tried to describe it as uncomplicated as possible without giving up the exact details of what it was, but I admit I might have failed at it. It was utterly trivial.

Basically we produced single packs and two-packs of a product and customers would order 1-n of them, sometimes with customizations.

The trivial but immensely tedious job was to make production and packing lists that took this into account.

I.e. with these orders:

Customer 1: 5 packs

Customer 2: 3 packs

That would end up like

Customer 1: 2x2-packs + 1 single pack

Customer 2: 1x2pack + 1 single pack modification x


5 2-packs

+ 1 single pack

+ 1 single pack modification x

Of course a real production run would have hundreds of these.

What I did once I got hold of the list was just integer division (or whatever it is called) by 2 on each row to get the number of double packs in one column, something like (original number - 2x doublePacks) to get a 1 or 0 for single pack and then make a sum at the bottom for all columns.

I might have made some checksums too.

As for modifications I cannot remember anymore, I might have added some color or something, but once the immensely tedious first part was done it wasn't much of a problem IIRC.

One that's fun from a historical point of view was my hack for fixing palette flash. Back in the early 90s PC graphics cards typically had a "palette" of 256 colors at one time, selected from a possible 256K colors.

In theory this gave you a lot of options, but in practice, switching palettes tended to cause "palette flash" where the previous image changed color in a distracting flash.

I was doing a multimedia project that had video in it, and each CODEC had its own built in palette -- one for Cinepak, one for Indeo, etc. Then there were other palettes for the images. If you wanted to display video in a window on a page that had other graphics, you could determine the palette of the CODEC (with some effort) and then use that to dither your graphics. Theoretically they should play nice together, and it worked on some cards, but you'd still get palette flash on other mainstream graphics cards.

I tried every trick I could think of but could not eliminate the flash on every single card until I came up with this hack:

Make a video consisting of a single frame with a 1x1 black pixel, compressed in the desired CODEC, display a black screen for a moment, play that video (which was as fast as could be because it was so tiny) over the screen, then load your image and real video.

The black screen couldn't flash, and when the next screen and video (the real one we wanted to play) came up, the palette was already set correctly. And it worked on every video card.

Oh, this reminds me of something I once did, but sort of backwards. I was working on a little hobby space game, and there was a star field. I wanted a hyperspace warp effect, like in Star Wars, so I coded something up. But there was a problem. The "stars" in the hyperspace effect were different than the "stars" in the star field. So when you engaged hyperspace, it looked like all the stars kind of "jumped", changing positions immediately before the hyperspace effect began. I "fixed" this by inserting a single frame of all white to flash the screen, and this somehow prevented people from noticing that the stars jumped.

In the early 1990s, I was part of a group of high school students who wanted to enter the Finnish demo scene. I was responsible for coding most of our demos in 386 assembler. One of the things I wrote was a player for MOD, ST3, and S3M music files, which were similar to MIDI but included WAV samples. The player ran in the background on a hardware interrupt, while other code ran on the foreground to display something on the screen. For most sound cards, the player had to mix the samples in real-time and output a byte to an I/O port at a rate of 22 kHz, for example.

To enter a demo competition, one of the criteria was support for Sound Blaster sound cards. The problem was that we didn't have one and didn't want to buy one because we had already spent all our money on Gravis Ultrasound cards. Fortunately, a member of our group was able to borrow a Sound Blaster for a day. We had to figure out how to add support for it, but we had no documentation and there was no internet to speak of yet.

I figured that it must be possible to add support by sending I/O to the card. We put the card in my computer and started a third-party MOD player that had Sound Blaster support. I traced the execution in a debugger, instruction by instruction, while my friend took notes on all the I/O instructions. After some thought, it became clear that the program was scanning for a Sound Blaster and, if I recall correctly, configuring the card to DMA a particular byte in memory as the sound card output.

I added some hardcoded "OUT" instructions to my player and it worked instantly; my real-time mixer output was played through the Sound Blaster! There was a lot of cleaning up the code to be done, but we were able to add support for the Sound Blaster in just one day.

I once wrote a keygen for AI War, an indie RTS game by Arcen Games. The game was written in C#, so I decompiled it and found the function that checked the keys. It used some kind of PRNG, maybe a Mersenne twister, but customized a bit. Rather than reverse engineer the whole thing, I loaded the "buildKeyFromPrefix" function right out of the exe (like it was a DLL), then built a WinForms wrapper that would show a valid key for each of the expansions. It used a predictable incrementing integer ID for each expansion, so I even included a few future ones.

I never shared this beyond my personal friend group. We went on to play (cumulatively) probably two thousand hours of AI War using this crack. Once I got out of college and got some income, I bought 4 copies to make up for it. Sorry Arcen!

Around 1993 I had my tonsils out, which involved general anesthesia. Back then they administered a prep drug that put the patient in a weird dissociated awake state that I would describe as not realizing you're awake. This being my third time through the process (knee surgery, wisdom teeth, now tonsils), I tried really hard to maintain self awareness.

We'll, it sorta worked. In this state I somehow recognized that the device placed on my fingertip must be a blood sensor of some sort, and that squeezing my finger might mess with the readings. I made it through two rounds of setting off alarms before the nurses caught me. I was immensely pleased with myself!

I reverse engineered a part of the firmware on the (then new) Vortex 150 racing quadcopter. There were 3 different SKUs as I recall, I had the EU version with 25mW VTX transmitter limit. The hardware was capable of much more and the US version had ~200mW I think.

There was a wand thing with an NFC writer some people could buy that could temporarily ignore the region check and put it in “race mode” which allowed any power level to be set. However those were restricted sales, the consumer version of the wand didn’t have the race director mode. Eventually I ended up with one of the race director wands too but not before I tried to hack the quad.

Anyway, I dumped the firmware. Figured out what the CPU was. Disassembled the firmware blob. I traced where the region check was performed then overwrote the instructions with noop’s. Assembled, flashed and then promptly flew it into a tree at 50mph.

It survived just fine. I still have it to this day, just with upgraded motors.

    dd if=linux.iso of=/dev/sdb
should be /dev/sda instead. Ended up erasing my external hard drive with all my photos, instead of creating a bootable pendrive.

Recovered all the images using Foremost [1]. Fresh out of an image processing and machine learning class, I ended up writing an image clustering "software" [2] that helped me separate the useful images from worthless thumbnails and images that Chrome had cached.

1 - https://en.wikipedia.org/wiki/Foremost_(software)

2 - https://github.com/victorqribeiro/groupImg
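The check a practitioner wants in front of that dd line, as an added example (not the poster's code): refuse to write unless the target is a whole disk that the kernel flags removable and that is no bigger than a pendrive, which is exactly the distinction between a USB photo drive and a stick. The sysfs layout under /sys/block (the `removable` flag, `size` in 512-byte units, `device/model`) is standard Linux; the sysfs root is a parameter so the logic can be exercised against the constructed fake tree built by build_fake_sysfs().

```python
"""Guard to run before dd'ing an image to a raw block device.
Added example; /sys/block layout is standard Linux, the fake tree is constructed."""
import os
import re
import tempfile

# Whole-disk names only: sdb yes, sdb1 no; nvme0n1 yes, nvme0n1p1 no.
WHOLE_DISK = re.compile(r"/dev/(sd[a-z]+|nvme\d+n\d+|mmcblk\d+)")


def block_device_info(dev, sysfs_root="/sys/block"):
    """Return (removable, size_bytes, model) for a whole-disk name such as 'sdb'."""
    base = os.path.join(sysfs_root, dev)

    def read(rel, default=""):
        try:
            with open(os.path.join(base, rel)) as f:
                return f.read().strip()
        except OSError:
            return default

    removable = read("removable", "0") == "1"
    # /sys/block/<dev>/size is always in 512-byte units, whatever the logical sector size.
    size_bytes = int(read("size", "0") or "0") * 512
    model = read("device/model", "?")
    return removable, size_bytes, model


def safe_to_write(target, max_bytes=64 * 2**30, sysfs_root="/sys/block"):
    """Return (ok, reason). Only whole removable disks up to max_bytes pass."""
    m = WHOLE_DISK.fullmatch(target)
    if not m:
        return False, f"{target} is not a whole-disk device path (partition or unknown device)"
    dev = m.group(1)
    if not os.path.isdir(os.path.join(sysfs_root, dev)):
        return False, f"{dev} is not present under {sysfs_root}"
    removable, size, model = block_device_info(dev, sysfs_root)
    gib = size / 2**30
    if not removable:
        return False, f"{dev} ({model}) is not flagged removable; refusing"
    if size > max_bytes:
        # USB hard drives are flagged removable too, so the size check is what
        # separates the 2 TB photo drive from the 16 GB stick.
        return False, f"{dev} ({model}) is {gib:.1f} GiB, far larger than a pendrive; refusing"
    return True, f"{dev} ({model}) is removable and {gib:.1f} GiB; ok"


def build_fake_sysfs():
    """Constructed stand-in for /sys/block with three disks; returns its path."""
    root = tempfile.mkdtemp(prefix="fake_sysblock_")
    disks = {  # name: (removable flag, size in 512-byte sectors, model)
        "sda": ("0", 2_000_000_000, "Internal SSD"),   # ~953 GiB system disk
        "sdb": ("1", 4_000_000_000, "WD Elements"),    # ~1.9 TiB USB photo drive
        "sdc": ("1", 31_000_000, "SanDisk Ultra"),     # ~14.8 GiB pendrive
    }
    for dev, (removable, sectors, model) in disks.items():
        os.makedirs(os.path.join(root, dev, "device"))
        with open(os.path.join(root, dev, "removable"), "w") as f:
            f.write(removable + "\n")
        with open(os.path.join(root, dev, "size"), "w") as f:
            f.write(f"{sectors}\n")
        with open(os.path.join(root, dev, "device", "model"), "w") as f:
            f.write(model + "\n")
    return root


if __name__ == "__main__":
    root = build_fake_sysfs()
    for target in ("/dev/sda", "/dev/sdb", "/dev/sdb1", "/dev/sdc"):
        print(target, *safe_to_write(target, sysfs_root=root))
```

Wire it in as `python3 guard.py /dev/sdX && sudo dd if=linux.iso of=/dev/sdX bs=4M status=progress`; the whole point is that the shell never reaches dd when the check fails.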

I was 16 or 17 and had a guest account on the local university's Ultrix server. I discovered that all of /dev/tty* was world-readable UNTIL someone had successfully signed in.

So a “cat /dev/tty* > passwords.txt” and waiting an hour collected the credentials of everyone logging in to the server.

At some point, I had logged into the account of one of the sysadmins who msgd me and let me know he’d changed his password and this would be my last time on his account. (If he only knew.). He offered me my own account if I told him who I was, and he might have meant it, but I didn’t bite. About a month later, a patch fixed the issue and that was that.

On Ultrix, /dev/mem and /dev/kmem were world readable.

Fun times!
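The permission check that would have flagged that Ultrix setup, as an added example (not from the comment): scan a device directory for terminal nodes any user can read. Real /dev entries are character devices; the constructed tree uses regular files with the same mode bits so the scan can be exercised anywhere.

```python
"""List terminal device nodes that are readable by everyone.
Added example; the fake /dev tree is constructed."""
import os
import stat
import tempfile


def world_readable_ttys(devdir="/dev"):
    """Return [(name, mode)] for terminal nodes any user can read.

    A readable terminal lets another user read what is typed on it, including
    passwords at login. /dev/tty itself is skipped: it is the per-process alias
    for the controlling terminal and is legitimately mode 0666.
    """
    hits = []
    for name in sorted(os.listdir(devdir)):
        if not name.startswith("tty") or name == "tty":
            continue
        st = os.lstat(os.path.join(devdir, name))
        # Character devices on a real system; regular files in the constructed tree.
        if not (stat.S_ISCHR(st.st_mode) or stat.S_ISREG(st.st_mode)):
            continue
        if st.st_mode & stat.S_IROTH:
            hits.append((name, oct(stat.S_IMODE(st.st_mode))))
    return hits


def build_fake_dev():
    """Constructed /dev stand-in: an idle tty left world-readable, one held by a
    logged-in user (owner-only), the 0666 controlling-tty alias, and /dev/null."""
    root = tempfile.mkdtemp(prefix="fake_dev_")
    for name, mode in {"tty": 0o666, "tty01": 0o644, "tty02": 0o600, "null": 0o666}.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for name, mode in world_readable_ttys(build_fake_dev()):
        print(f"{name}: mode {mode} is readable by everyone")
```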

I've worked on a single-machine computer vision system which used RabbitMQ to send messages around, including JPEG frames which were rather heavy, in contrast to other messages.

After we hit a certain number of frames/second, RabbitMQ became a bottleneck. My solution was to write the JPEG frame in the shared memory, then pass around shared memory ID, offset and frame length, instead of the whole frame. Only services that actually needed the frame would read it, others would just pass around a small JSON object. After that was implemented, the bottleneck disappeared.

I don't know if this qualifies as a "hack", but it certainly felt that way in the moment.
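The scheme described above, as an added example in Python (not the poster's system): the producer copies each JPEG into a slot of one shared memory segment and publishes only a small JSON descriptor (segment name, offset, length, sequence number); a consumer that needs pixels attaches by name and copies them out, and every other service just forwards the descriptor. The broker is left out, so publish() returns the string you would hand to RabbitMQ. Two things the original description does not mention are handled here because they bite in practice: a descriptor that has crossed a broker is untrusted input and gets bounds-checked, and a slot that the producer has already reused is detected through a sequence stamp rather than silently yielding a newer frame. The "JPEG" bytes are constructed.

```python
"""Frames in shared memory, descriptors through the message bus.
Added example; the sample frames are constructed."""
import json
import struct
from multiprocessing import shared_memory

HEADER = struct.Struct("<Q")   # sequence number stamped at the start of every slot


class StaleFrame(Exception):
    """The slot a descriptor points at has been reused for a newer frame."""


class FrameRing:
    """Producer side: one shared segment divided into equal, reusable slots."""

    def __init__(self, slot_size, slots, name=None):
        self.slot_size, self.slots = slot_size, slots
        self.shm = shared_memory.SharedMemory(name=name, create=True, size=slot_size * slots)
        self.seq = 0

    def publish(self, frame: bytes) -> str:
        if len(frame) + HEADER.size > self.slot_size:
            raise ValueError(f"{len(frame)}-byte frame does not fit a {self.slot_size}-byte slot")
        off = (self.seq % self.slots) * self.slot_size
        self.shm.buf[off:off + HEADER.size] = HEADER.pack(self.seq)
        self.shm.buf[off + HEADER.size:off + HEADER.size + len(frame)] = frame
        desc = {"shm": self.shm.name, "offset": off, "length": len(frame), "seq": self.seq}
        self.seq += 1
        return json.dumps(desc)        # this small message is all the broker carries

    def close(self):
        self.shm.close()
        self.shm.unlink()              # the producer owns the segment; consumers only close()


def read_frame(descriptor: str) -> bytes:
    """Consumer side: attach by name, check bounds and sequence stamp, copy out."""
    d = json.loads(descriptor)
    shm = shared_memory.SharedMemory(name=d["shm"])
    try:
        off, length, seq = int(d["offset"]), int(d["length"]), int(d["seq"])
        # Once a descriptor has crossed a broker it is untrusted input: never let
        # an offset/length pair read outside the segment.
        if off < 0 or length < 0 or off + HEADER.size + length > shm.size:
            raise ValueError("descriptor points outside the shared segment")
        (stamp,) = HEADER.unpack_from(shm.buf, off)
        if stamp != seq:
            raise StaleFrame(f"slot holds seq {stamp}, descriptor was for seq {seq}")
        data = bytes(shm.buf[off + HEADER.size:off + HEADER.size + length])
        (stamp_after,) = HEADER.unpack_from(shm.buf, off)
        if stamp_after != seq:                    # producer lapped us mid-copy
            raise StaleFrame("slot was overwritten while it was being read")
        return data
    finally:
        shm.close()


def demo(n_frames=6, slots=4, slot_size=4096):
    """Publish n constructed frames through a ring and read each back; then try
    the first descriptor again to show stale-slot detection once it is lapped."""
    ring = FrameRing(slot_size, slots)
    matched, first = [], None
    try:
        for i in range(n_frames):
            frame = b"\xff\xd8\xff\xe0" + bytes([i]) * 100 + b"\xff\xd9"   # constructed "JPEG"
            desc = ring.publish(frame)
            if first is None:
                first = desc
            matched.append(read_frame(desc) == frame)
        try:
            read_frame(first)
            stale_detected = False
        except StaleFrame:
            stale_detected = True
    finally:
        ring.close()
    return {"all_matched": all(matched), "stale_detected": stale_detected}


if __name__ == "__main__":
    print(demo())
```

Between containers this only works if they see the same /dev/shm, so the services need to share an IPC namespace (for example `docker run --ipc=host`, or `--ipc=container:<name>` against the producer); otherwise each container gets its own segment namespace and the consumer's attach fails.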

What's really awesome about this is I think you independently discovered a huge trick in performance optimization. "Zero copy" solutions for eliminating the overhead of moving frames around are very popular - if you look up that term you'll see it pop up everywhere. Companies/teams of engineers spend months coming up with this solution and its a reliable way to reduce overhead of moving data around. It works across all layers and in fact entire hardware architectures are designed to allow for this kind of stuff. Kudos :)

Thanks :)

Single machine ... RabbitMQ. Using jpg for events locally. Using jpg for computer vision. I think I see the problem, it's this entire thing.

Most USB cameras send JPEG frames because USB 2.0 isn't nearly enough to support raw frames: 60 frames/second * 1920*1080 pixels/frame * 4 bytes/pixel = ~475MiB/s, while maximum USB 2.0 bandwidth is ~60MiB/s. You also don't want to store raw frames on the cloud storage, your bill would skyrocket. Those are some of the reasons for using JPEG.

If you're using dockerized services (which are a must for NVidia-based CV, since their CV libraries are a dependency hell), you must use some kind of networking solution to communicate. RabbitMQ might be considered overkill, but it does the job and is robust.

It's not nice to talk that way about others' work, especially when your comment insults, but doesn't provide any insight whatsoever.

> If you're using dockerized services (which are a must for NVidia-based CV, since their CV libraries are a dependency hell), you must use some kind of networking solution to communicate.

Either the two processes can share memory, in which case they don't need to communicate via network, much less RabbitMQ, or they can't, in which case the hack wouldn't have worked at all.

Good point.

I suppose what I meant to say is you need to communicate between processes somehow. Shared memory is fast, but it's hard to communicate with it exclusively - message-based protocols are better suited for that, and most of them are implemented over TCP.

A lot of standard protocols can run over a unix domain socket, if you're not at the level of implementing a shared memory communication protocol but want to cut some overhead for more or less free.

Yea you're right of course, I was being glib. Glad it worked out in the end for you. For the record I don't think RabbitMQ was overkill, I think it's just way too much overhead to work for something like sending frames of video (which I think is the moral of your story). Anyway I'm guessing this was for a school project and you won't have to live with it so it's moot.

It was actually a production system we built on my first job. It wasn't just sending frames from A to B, it did have a few moving parts. It eventually got stable and stopped changing, so in a way, I don't have to live with it. But it's up and running and does its job.

I mix [heavy cream powder] and powdered milk in equal portions to make half-and-half that I can keep at my desk without refrigeration. I keep it in [baby formula dispenser]s so I can shake it up for homogeneity and dispense it without digging in with a spoon.

[heavy cream powder]: https://www.amazon.com/Anthonys-Fillers-Preservatives-Friend...

[baby formula dispenser]: https://www.amazon.com/Philips-AVENT-Powder-Formula-Dispense...

I mix 5 parts of Walmart Great Value brand whitener, 1 part Nestle choco powder, 3 parts granulated fine sugar (table sugar), 2 parts instant coffee (thumb pressed through a metal tea sieve to break all clumps). Part measurement is a scoop cradle. This gives me the exact mixture as Nestle 3-in-1 coffee mix.

This is so completely random, and not really code related, but it was huge at the time (circa 1990). I was compiling large bibliographies of research documents for NSF that eventually had to be read into Word Perfect 5.1 for DOS for printing. We had written a very complex system of WP macros to search for tags that we programmatically put in the file, but they took forever to run and would often crash. My colleague and I found that we could only use search/replace to send begin/end pairs of tags for any formatting code (e.g. bold, italics). However, if we replaced the closing tags first, then the opening one, WP would notice that there were pairs of empty tags and get rid of the extra closing tag so that the underlying text would be formatted properly.

We were doing this everyday, so it cut the processing time from many hours to seconds. We swore each other to secrecy about this development and marched off to Dunkin’ Donuts with our giant ice coffee belt-loop holsters to celebrate.

I was working at Compaq in 1998 or so, and they had this thing called "SmartStart", which was a CD-ROM with drivers for Windows, SCO OpenServer, SCO Unixware, Netware, etc. Especially important were the storage drivers, because they had to be injected into the OS install to allow the OS to be installed on Compaq's newest RAID controllers, which the OS didn't have drivers for. There was a build process for all the SCO OpenServer and SCO Unixware drivers that was done once a week, through a checklist of manual steps. This was a process that took a few hours. Among the steps for this process was creating floppy disc images, and Openserver didn't have a loopback device, so we just left a floppy in the drive to write out images to physical media and read them back in via dd. Some step in the process seemed to want an actual floppy device. This was problematic because the floppy discs would fail from time to time and they were terribly slow.

I was kind of wanting to move from the SmartStart team to the storage driver team, but I didn't really know too much about drivers, so I started digging into how to write drivers for SCO OpenServer, and made a little driver where you could write 256 bytes into it, it would store this in memory, and then you could read them back out. Suddenly, an idea occurred to me... what if instead of 256 bytes, I made the buffer 1.44M bytes, the size of a floppy? I'd have a RAM disk that I could use in the build process instead of physical floppies. (The native RAM disk wouldn't work for reasons I now forget). So I tried it. It failed, on some ioctl call. I coded up some dummy code for this ioctl in my driver, and... it worked. And it was way faster than the actual floppy drive (obviously). So I ended up completely automating the build process, eliminating the error prone and slow floppy drive, and having now written a driver, I ended up getting off the SmartStart team and onto the storage driver team, which was way better.

That floppy drive requirement for drivers lasted for YEARS it seemed like. Lol.

I spilled water on my favorite keyboard and broke it, then let it dry and fixed it by using a pencil to trace over the damaged circuits. It worked fine again after that!

(Graphite in pencil lead is a weak conductor, enough to make the keyboard circuit work)

That phenomenon is the source of one of my all-time favorite man page entries: https://web.archive.org/web/20210421224904/https://nixdoc.ne...

     ep0: 3c509 in test mode. Erase pencil mark!  This means that someone has
     scribbled with pencil in the test area on the card.  Erase the pencil
     mark and reboot.  (This is not a joke).
It's the E1 pad between the barcode and the empty BIOS socket: https://en.wikipedia.org/wiki/3Com_3c509#/media/File:3Com_3C...

That's awesome! I have a handful of those 3Com cards kicking around at work. Will definitely have to check that out.

Hah, that's really great! Does that mean they used that to switch it into a test mode during development?

Pretty much -- IIRC connecting the pad bypasses the internal EEPROM and loads a default configuration, and from there you can read/write the EEPROM as well.

ah, found it! Page 88 of this PDF: https://www.ardent-tool.com/NIC/3c5x9b_Technical_Reference.p...


It is the user’s responsibility (with help from the configuration program) to avoid configuring the boot PROM on the adapter in such a way that the system is not able to boot. If this does occur, you can manually jump the Test Via using a #2 pencil. The Test Via forces the adapter into test mode, which disables the boot PROM so that the adapter configuration program can be run. You must cover the designated area thoroughly with the pencil mark.

Test mode forces the adapter not to perform the Automatic Initialization sequence, which means the EEPROM is not read and the adapter is left in the following configuration:

■ Address Configuration register = 0000h

■ Resource Configuration register = 0000h

■ Product ID register = 0000h

Test mode also shortens the ID sequence to 8 bytes (first is still FFh and last is 69h) and forces it to the active state (that is, the adapter is active and will respond to I/O cycles at base address 0200h even without going through the ID sequence).

After you are done, thoroughly erase the pencil mark.


This is amazing and hilarious at the same time. Thanks for sharing!

I like it, because you used your knowledge to minimally invasively fix the problem.

You can use the same trick to repair 'broken' TVs and monitors; ones that just mysteriously stop displaying but are otherwise ok.

that's what I call a hack

My favorite hacks mostly came from when I worked in a robotics+computer vision research lab, ~13 years ago.

If you've never worked with stereo vision systems, they have multiple cameras as input. The algorithms need to know the exact position of each camera. These calibrations are extremely sensitive - if the camera moves even a teensy bit, the algorithms start to fail because the image features aren't where they expect. Anytime we had a bad calibration, we needed to rerun calibration. This was a process where we waved a checkerboard in front of the cameras at tons of different angles, and software would process all the images and deduce the pose of each camera. It typically took at least an hour, and sometimes it'd fail and you'd need to redo it. Typically we'd need to recalibrate systems every few weeks, no matter how hard we tried to make the whole rig rigid.

Anyways, one day I accidentally drove the robot's sensor head into a table right before a demo with the people funding the project. The program started spitting out "BAD CALIBRATION" warnings. This would basically mean we'd need to cancel or postpone the demo to recalibrate, which would look really bad since they traveled all the way to our office only to be told "never mind!"

As a last-ditch effort. I grabbed the cameras and started wiggling them back and forth, and managed to force them into an orientation where the calibration worked. The demo went off perfectly. I later told the researchers about it and they hated it. "You should just always do calibration," etc.

My favorite hack that I've seen someone else do was at Google, where some specific project had a weird test that checked some ratio like "lines of tests to lines of code." Someone checked in a test with the comment "If you're not cheating you're not trying", and it just had the same assertion over and over for hundreds of lines to satisfy the metric. I never looked into why the person couldn't just disable the test, but I like the simplicity of the solution.

> "You should just always do calibration," etc.

But that is a calibration. In fact it's exactly how you'd do an automatic calibration of a system like this: mount cameras on robotic arms or some other multi-axis system, then move them around with a feedback loop until cameras produce the wanted image.

I was reading Twitter and someone posted a tweet with a photo, claiming it was created in CSS. It turns out the post was a hoax, but I figured that you can actually create photos in CSS, using the box-shadow hack (you create a 1x1px div and each pixel is a single box-shadow). I was using it a few years ago to create a pixel graphic editor demo. So I created something quickly on CodePen that gets all pixels and creates one big box-shadow. When I opened Google Chrome Dev Tools to copy the code it froze because it was a few MB of box-shadow data. I was able to copy the text eventually and create an HTML file. Later I added a way to download an HTML file with your image on CodePen.

Here is the demo: https://jcu.bi/css-image

Not a hack, but something I'm proud of:

I built/launched an entire transactional site: signup/login/purchase membership while walking the Camino de Santiago in Spain, in 2017, for a small event (swing dance event).

Was supposed to spend the two months prior to going there working on it, but because of delays in planning etc. I didn't really get started until the week right before, which meant I had to haul my old MBP 2015 on the walk. So basically, I trekked something like 18-20 miles a day lugging that thing (and the charger), then spending mornings/evenings in the little hostels (more like barracks) writing code (most had wifi, thankfully), then the next 4-6 hours thinking through how to design/build every little piece, then find a cafe with wifi to implement some of that in 2 hours, then walk another 4-ish hours. Then write more code.

Surprisingly, there were almost no bugs at all, since I'd have to iron out every single thing during the walk (what else are you going to do walking through middle-of-nowhere Spain, which is all farm land, anyway?).

In the end everything worked! Paypal integration worked! Hundreds of people signed up and bought membership on the system! Oh, and this was my first project of this sort, and I was the solo designer/developer on it. I also had to design our logo, branding, and T-shirt as well.

(Stack: Meteor, DO)

A few years ago I started taking up running regularly but I didn't have a buddy that I could run with so I decided to adopt a dog. Unfortunately the shelters were relatively far away from my home making it inconvenient to go in and check continuously on the weekends. I later realized that nearly all of them connected to a central city database which contained all of the dogs in the nearby shelters and furthermore that that database was behind a publicly available rest endpoint.

I whipped up a program that periodically every 10 minutes would query the database filtering for dogs matching the qualifications I was looking for using a combination of regex to search for any dogs that were:

- Between 50 and 100 lbs

- Did not have a history of behavioral problems

- Matched a list of active breeds

When it found a potential match it would send an SMS via Twilio to my phone with a picture of the dog, a link to the shelter, and a picture.

Several years later my husky / Pyrenees hybrid is the best running partner I could ever have asked for. That's my proudest hack and I think she would agree with me.

So I once made a script with python and selenium to make fake petitions to bring back Wendy's spicy chicken nuggets. It stopped around 9,000 when the script crashed after awhile... I think they did bring it back though so I feel like I was responsible.

One of my favorite pandemic memories is of a roommate surprising the house with hundreds of spicy nugs. Thank you, null-shell!

I must have been about 12 years old. I wanted to rent a movie on DirectTV.

To rent a movie, a phone line had to be connected to the receiver box. The box would dial out to DirectTV and send over the information that "jrib purchased movie X".

I learned that I could connect two phones directly with a 9V battery and the right resistor in the middle. So I connected a phone line on one end to the DirectTV receiver and on the other end to random phone.

The receiver waited for a dial tone, so then I played a dial tone sound on repeat on my computer into the phone's microphone.

It worked and I got to see the movie!

I felt really guilty though so I told my parents a few days later and we let the satellite box connect to a real phone line to pay for the movie :)

This link explains how the phone circuit is setup: https://hackaday.com/2012/06/08/using-old-phones-as-an-inter...


Years ago I worked in the VAX/VMS development group at Sybase where SQLServer originated. SQLServer was basically an SQL interpreter consisting of several layers of loops. The innermost loop was written in assembler for speed.

I was able to remove one (1) machine language instruction from that innermost loop. I no longer recall if this resulted in a measurable difference but I've always been proud of this.

Happy to read VAX/VMS here :-) - my first project as a college fresher was migrating critical data from VAX/VMS ISAM files (written using Fortran code) to Digital Unix. The days when these two machines did not talk to each other. Learnt dd, tape drive record limiter issues, all data was floating point so issues with binary compatibility etc. One of the best accomplishments in my career.

Hi from another Sybase alumni, though I joined after the VAX era, on the PC side, when Microsoft stole the SQLServer source code.

Was the innermost loop doing the table join or the table scan?

Very carefully scheduling NMI and IRQ updates to achieve a virtual sound channel on an old NES, resulting in a sawtooth bassline with volume control. This steals about 13% of the CPU time. The biggest hack in the arrangement is the scheduling of OAM DMA to sneakily just barely fit between timed audio updates, since it pauses the CPU and would otherwise cause an audible glitch. Among other things, if NMI notices that it interrupted IRQ, it apologizes profusely and exits immediately, which is a rather unusual workaround on 6502 systems.

I've open sourced the technique with a more detailed writeup [1] and I like to think the game I created with it is pretty fun, [2] but of course that's subjective. You can try it in your browser here. [3]

[1] https://github.com/zeta0134/z-saw

[2] https://zeta0134.itch.io/tactus

[3] https://rusticnes.reploid.cafe/wasm/?cartridge=tactus.nes

Cool. Kind of unrelated, but is there anything stopping someone from just generating a sawtooth DPCM sample at runtime and using the channel as normal without having to use crazy timing stuff?

Yes, it comes down to how the DPCM channel encodes sound data. A sawtooth gets most of its energy and harmonics from the sudden jump at one end. This impulse is impossible to encode in 1-bit delta encoding; the closest you can get is a slightly steeper slope. The audible effect is similar to a low pass, with the strength dependent on the intended amplitude, so instead of a nice sharp saw, you get a muddy not-quite-triangle.

A few commercial games did use the DPCM channel melodically, but the main drawback is the large size of the samples relative to the commonly available ROM chips of the era. Price is a big factor when you need to put one chip in every game. Here's how that sounded in practice:


Ah sure, but how about just generating a triangle using a small block of code in RAM? Then you're not wasting any storage.

Further problems! The DPCM channel can only address memory from the region 0xC000 - 0xFFFF, due to how its "address" byte is interpreted. Most cartridges cannot place RAM in this memory region, so you're stuck baking the samples into ROM space. Many cartridges cannot even bank switch this region, so the samples additionally cut into your "fixed" ROM that is usually precious space for interrupt service routines and common framework code.

Ah very interesting, thanks for the explanation! I'll definitely check out your lib if I ever get around to writing a homebrew NES game, I love quirky audio tricks :)

Debugging mysterious recurring hangs in a storage appliance. The nodes were connected via Infiniband, so there were two parts to the hack. The first was to write a program which would find all of the kernel memory areas and register them with the Infiniband controller. The second was to slurp up all of the memory on a hung node via Infiniband from one of its peers, and convert that into dump format so we could use gdb on it. After collecting a couple of dozen such dumps and poring over them for a couple of days, I was finally able to debug one of our most intractable problems.

That led to a second, though lesser, hack. The problem turned out to be code that was allocating way too much memory. (Userland programmers working in the kernel, ugh.) This would sometimes cause the stack pointer for one task to jump all the way over its task structure into the stack of the previous task, which would make that stack very confusing. That's why it took two days to figure out, even with dumps in hand. (Also, putting the stack right next to the task structure was a stupid decision on Linux's part.) To find the dozens of places where this was happening, I wrote a tool to disassemble all of our kernel code and look for the part of the function prolog that allocated stack space, thus creating a list of those that were allocating too much. Then I spent a week fixing them.

It was a grueling process, under lots of pressure at a struggling startup, but ultimately the result was very rewarding.
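The second tool described above, as an added example (not the poster's code): walk `objdump -d` output, find the stack-reserving instruction in each function prolog, and list the functions whose fixed frame exceeds a budget. It assumes x86-64 AT&T syntax (`sub $imm,%rsp`); the objdump text embedded below is constructed, not from any real kernel.

```python
"""Find functions with oversized fixed stack frames in objdump -d output.
Added example; SAMPLE_OBJDUMP is constructed."""
import re

FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:\s*$")
SUB_RSP_RE = re.compile(r"\bsub\s+\$0x([0-9a-f]+),%rsp\b")   # AT&T syntax, x86-64

SAMPLE_OBJDUMP = """\
0000000000001000 <cache_lookup>:
    1000:  55                      push   %rbp
    1001:  48 89 e5                mov    %rsp,%rbp
    1004:  48 83 ec 20             sub    $0x20,%rsp
    1008:  c3                      ret

0000000000001040 <build_request_path>:
    1040:  55                      push   %rbp
    1041:  48 81 ec 00 40 00 00    sub    $0x4000,%rsp
    1048:  c3                      ret

0000000000001080 <flush_journal>:
    1080:  55                      push   %rbp
    1081:  48 81 ec 00 10 00 00    sub    $0x1000,%rsp
    1088:  c3                      ret
"""


def frame_sizes(objdump_text):
    """Map function name -> bytes reserved by the first `sub $imm,%rsp` in its body.

    Functions with no such instruction (leaf functions living in the red zone,
    or ones that only push) are reported as 0. Dynamic allocations (alloca,
    VLAs, `sub %rax,%rsp`) are not seen by this scan.
    """
    sizes, current = {}, None
    for line in objdump_text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
            sizes.setdefault(current, 0)
            continue
        if current is None or sizes[current]:
            continue                       # only the prolog's first adjustment counts
        m = SUB_RSP_RE.search(line)
        if m:
            sizes[current] = int(m.group(1), 16)
    return sizes


def large_frames(objdump_text, budget):
    """Return [(name, size)] for frames above `budget` bytes, largest first."""
    over = [(n, s) for n, s in frame_sizes(objdump_text).items() if s > budget]
    return sorted(over, key=lambda ns: ns[1], reverse=True)


if __name__ == "__main__":
    for name, size in large_frames(SAMPLE_OBJDUMP, budget=1024):
        print(f"{name}: {size} bytes of fixed stack")
```

Pipe a real module through it with `objdump -d module.ko | python3 frames.py`, adjusting the regexes if objdump is run with `-M intel`. For new code the same check is cheaper at build time: gcc's `-Wframe-larger-than=N` warns on exactly these frames.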

I was just curious if I could improve our PHP-based site’s performance. So I attached strace to an Apache process and followed the log of syscalls and counted milliseconds between them. Sure enough, I discovered that 20 ms was being spent each time on a DNS lookup to a statsd metrics collector service over UDP (I remember being told that this was lightweight, since it was UDP). PHP didn’t cache DNS lookups and this was sometimes happening many times per request. I added a static entry in /etc/hosts and the overall latency improved by 30% across all endpoints.

Another hack: I once was consulting for a client who was running Drupal and was going to launch their new site the next day, but suddenly it started crashing on some of the pages. I found out that you can take a core dump of Apache and load it into gdb. Then if you run some gdb macros, you can see the PHP stack trace at the time the crash occurred. Turns out it was some module (tokens?) they had recently enabled which was recursively calling into itself. Not sure why it didn't hit some stack limit, though. We disabled the module, which fixed it and the client was super happy. If I knew more about Drupal, I probably would have disabled modules in a form of binary search as a first troubleshooting step. But I did know a little about gdb, so that came in handy.

A bit of a different meaning of "hack".

I was working for a medical device company that shall remain nameless. They had a system that was used in operating rooms that had a fairly nice user interface - bubble keyboard, touch screen, good graphics. It let you input patient information and stuff. (At least part of it was running embedded Linux under the hood.)

In the source code, I saw what it did with the patient name - it used a call to system() to store it in a file. So naturally, I tried an injection attack. I put in "[Name]; sync; sync; reboot". Sure enough, it rebooted the system.

But before the reboot, it had also saved the "patient name" in the file (and, because of the "sync", it had been written out). On boot, it read the information from the file and tried to treat it like a newly-entered patient name, which caused it to reboot again...

We had to re-image the device to recover. We added some validation to user input after that little demonstration.
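The same bug in a few lines of Python next to the fix, as an added example (not the device's code): the unsafe version builds a shell command from the patient name, so a name containing `;` runs whatever follows it; the safe version validates the name against an allowlist and writes the file without a shell, and validates again when reading the file back, because the reboot loop in the story came from trusting the stored value on boot. The payload here only touches a marker file, standing in for "; sync; sync; reboot".

```python
"""Command injection through a stored patient name, vulnerable and hardened.
Added example; paths and the marker payload are constructed."""
import os
import pathlib
import re
import tempfile

# Simplification: Latin letters, space, apostrophe and hyphen only. A real device
# needs a Unicode-aware rule; the point is an allowlist, not a denylist of ';'.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")


def save_name_unsafe(name, path):
    """Vulnerable: the name is spliced into a shell command line, like the
    original system() call. 'Doe; reboot' ends the echo and runs reboot."""
    os.system(f"echo {name} > {path}")


def save_name_safe(name, path):
    """Hardened: allowlist check, then a plain file write. No shell involved."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("patient name contains characters outside the allowlist")
    pathlib.Path(path).write_text(name + "\n", encoding="utf-8")


def load_name_safe(path):
    """Re-validate on read so a bad stored value cannot take the device down at boot."""
    name = pathlib.Path(path).read_text(encoding="utf-8").rstrip("\n")
    return name if NAME_RE.fullmatch(name) else ""


def demo(workdir=None):
    """Feed an injected name to both versions; report what happened."""
    workdir = workdir or tempfile.mkdtemp(prefix="patient_")
    marker = os.path.join(workdir, "INJECTED")
    payload = f"Doe; touch {marker}; echo"       # stand-in for "Doe; sync; sync; reboot"

    save_name_unsafe(payload, os.path.join(workdir, "unsafe.txt"))
    try:
        save_name_safe(payload, os.path.join(workdir, "safe.txt"))
        safe_rejected = False
    except ValueError:
        safe_rejected = True

    good = os.path.join(workdir, "good.txt")
    save_name_safe("Jane O'Neil-Smith", good)
    return {
        "unsafe_ran_payload": os.path.exists(marker),
        "safe_rejected": safe_rejected,
        "valid_name_roundtrip": load_name_safe(good),
    }


if __name__ == "__main__":
    print(demo())
```

If a subprocess is genuinely required, pass the name as a separate argument (`subprocess.run(["store-name", name])`) rather than through a shell string; quoting the value is the second-best option and is easy to get wrong.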

Way back in the Napster days before streaming services were a thing, I'd ripped all of my CDs to MP3 and had a bunch of live stuff from P2P networks. I wanted to listen to this stuff at work, but technology of the time was either CD based or limited to 16-32 MB of solid-state memory.

At the time, Microsoft had some live broadcast streaming service built into Windows 2k Server that would allow you to stream audio from the computer, so I put together a web front end that allowed me to build and save a WMP playlist file, along with controls to start/stop WMP, causing it to re-read the file.

The result was that I could listen to my own music on any device capable of receiving streamed audio, and could control it on anything with a web front end.

I worked on a MIPS SOC that had a pair of registers that controlled DDR timing. The formula for calculating the correct timing was complicated and I am bad at math. Most of it was constant but 2 values were important. After failing to get it right a few times I wrote a firmware program (had to fit in 16k of I-Cache) to try every value, run a simple memory test, and print the number of errors to the serial console. This resulted in a grid where the number of errors would converge to 0 at the correct settings.

As it turned out, due to bugs in the hardware and the board, the "correct" answer by the manual would not work and this was the only way to get a working setting. My little hack became part of every boot of the system - it auto-generated the DDR timing. This was back in the early 2000's before DDR training at boot became standard practice.

When I was in highschool I wrote a Tetris game for the TRS-80. My clever hack was that I could make it twice as fast by keeping the state of the falling shapes in video memory instead of a separate object model. In an early version of this, I failed to completely draw the "cup" the objects were falling into, and one fell straight through the bottom into system memory and crashed the machine.

I did the same for a snake game for the TI-83. I didn't think of it as a clever hack so much as it was inexperience; I figured it's how games normally worked. System dialogues like "your battery is low" suddenly became parts of the playing field which was funny if nothing else. My code was slow enough that I didn't need any sleeps or busy loops, maxing out the CPU with my inefficient code just turned out to be the right playable speed which didn't occur to me as a coincidence until much later

Reminds me of a similar story of someone creating a Tron lightcycle game on an Apple IIgs. They had created a bug so that the lightcycle could travel off-screen and into memory, causing all sorts of undefined behaviour.


That sounds pretty immersive into the world of Tron!

About 15 years ago, my brother used to run a shoutcast (Internet radio) server. He wasn’t getting many listeners since the list of stations people browse was sorted by popularity - number of listeners. So I disassembled and then hexedited the shoutcast server binary so that the initial number of listeners was 60-something (which meant the listener count would never drop below that). Then he actually started getting a few listeners :)

You fixed the cold start problem! Not a bad idea :)

Not that I'm particularly skilled in this, but for fun I once decompiled an Android app that accompanied cheap electronic door locks we had installed in the office. I found the C files that were generating temporary passwords, manually parsed for what I was looking for, then wrote a shell script (with help from a friend) that could find/generate more temporary passwords from any existing temporary password+approximate timestamp pair.

About a year later an intern showed me that a coffee stirrer also can work to open the lock, but I bet he won't write about that in a forum.

I hosted a server, in my bedroom back in the late 90s. By server, I mean a desktop running Slack, connected to the internet and allowing me to SSH into it. It could recover just fine from a power outage, but unfortunately due to a RAM issue it would just randomly die - and RAM just wasn't something the local computer store was ready to bring in.

Enter my Lego Mindstorm. I effectively built a box on wheels with a big thick stick pointing out. I loaded that guy up with NQC and built a small application for my Palm Pilot. The modem on the Palm Pilot would pick up, accept a certain DTMF code, and fire a signal via the infrared port to the Mindstorm. The Mindstorm rolled forward X revolutions of the wheels so that the long arm hit the reboot button, then rolled back.

Yes, eventually I bought RAM, but that eliminated all the fun.

This reminds me of a story that isn't mine; one of my coworkers worked at a university and had a similar problem. They glued a stick to the CD-ROM drive of one server pointing at the restart button of another server. When they needed to force reboot that second server, they issued a command to the first server to open its CD-ROM drive.

For the confused: Slack isn't just the modern messaging platform.

Seriously, I was wondering what sort of time traveler OP was.

Slack == slackware.

Back in 2003 while I was still studying I spent some time working at a bank helping write some boring web form using a java servlet. I was really junior, and the code was an absolute mess - every time they made a new web form they copy+pasted a 3000 line java class (with no unit tests) from the previous form and modified it. For source control we were using visual source safe - which is one of the worst programs I've ever used. Every few days the repository corrupted itself and needed to be rebuilt.

Well, I made a horrible mistake. Right after deploying (compiling then manually copying a .class file onto our server), I accidentally lost the source code to all my work. There was no backup of the changes I'd made, and source control didn't have it. All testing was manual - which was a horrible process we went through before every deployment. So if I half remembered my changes, I'd have to manually test everything again and hope I didn't mess anything up.

All I had left was the compiled java .class with my changes in it. I was terrified to even tell my boss given all the work.

Well, I tried decompiling the .class file with my changes in it - but the result was 10k lines of nightmare fuel. How could I find my changes in that? But I also had the java file from a few weeks earlier, before I made my changes. So I compiled the previous version, then decompiled it. Then I diffed the two decompiled source code files. That showed me (in decompiled java form) all the places where I'd made changes, and with some work I managed to figure out what all my changes were.

A few hours later I had re-implemented all my changes in the java source file. I could guarantee I'd done it correctly because the output from the decompiler matched perfectly. So we didn't even need to re-do all our manual testing.

I don't think I ever told my boss.
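The compile-then-disassemble-then-diff trick above is worth having as a script, since the same move recovers "what changed" in any orphaned .class during an incident. The following is an added example, not the commenter's own procedure: it compiles the last known source, disassembles both classes with javap, and diffs the output. It needs a JDK on PATH; the two versions of Form.java are constructed stand-ins for the real form class.

```sh
#!/bin/sh
# Added example (not from the original post): find the edits hidden in a
# compiled .class whose source was lost, by diffing javap disassemblies.
set -eu

# bytecode_diff OLD.java LOST.class -> unified diff, old disassembly vs lost one
bytecode_diff() {
  src=$1; lost=$2
  work=$(mktemp -d)
  mkdir -p "$work/old"
  # Ideally use the same javac version and flags as the original build, or the
  # diff fills with compiler-version noise instead of your changes.
  javac -d "$work/old" "$src"
  cls=$(basename "$src" .java)
  # -c prints the bytecode of every method, -p includes private members.
  javap -c -p "$work/old/$cls.class" > "$work/old.txt"
  javap -c -p "$lost" > "$work/new.txt"
  # diff exits 1 when the files differ, which is the interesting case here.
  diff -u "$work/old.txt" "$work/new.txt" || true
}

# Demo: v1 is the source that was kept, v2 stands in for the lost edits and is
# compiled only to produce the orphaned .class file.
if command -v javac >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/v1" "$tmp/v2" "$tmp/bin2"
  cat > "$tmp/v1/Form.java" <<'EOF'
public class Form {
    static boolean validate(String s) { return s != null && s.length() > 0; }
}
EOF
  cat > "$tmp/v2/Form.java" <<'EOF'
public class Form {
    static boolean validate(String s) { return s != null && s.length() > 0 && s.length() < 40; }
}
EOF
  javac -d "$tmp/bin2" "$tmp/v2/Form.java"
  bytecode_diff "$tmp/v1/Form.java" "$tmp/bin2/Form.class"
fi
```

The lines marked `+` in the diff (here the `bipush 40` and the extra compare) are the spots to re-implement in the old source; once the disassembly of your rebuilt class matches the orphaned one byte for byte, you have the same check the commenter used to skip the manual retest.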

I was a junior freelancer. Barely knew what I was doing with web development. Was given SSH credentials to a server hosting a WordPress site. Had to change a bunch of lines in a bunch of files. Hundreds of them.

Took two hours to begin learning about a sed command.

Spent a half hour testing it locally on the MacOS terminal. I didn't wanna screw it up. Made several mistakes on local. But eventually I think I got the hang of it.

Now it was time to run it on live. I'm nervous again even though I just spent a while testing. Ran the sed command to search and replace text.

Worked like a charm.

Pretty much a trial by fire moment. No mentor to show me how. Just me and my ability to read the documentation and apply it. That's all I had at my disposal.

I know server admins do this shit like in a couple of minutes but at the time this was me venturing into servers and making a change on live site and reading a man page and blog tutorial. So for me it was a big deal. It taught me not to fear to learn the shell.

I've done way harder things since but I still remember this moment of almost a decade ago.
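For anyone facing the same first-time-on-a-live-box moment, here is an added example (not the commenter's command) of the same bulk search-and-replace with the checks you want before touching production: a dry run that prints the diff, a .bak copy of every file it edits, and the GNU/BSD difference in `sed -i` (macOS needs `-i ''`, Linux does not) handled so a command tested on a Mac does not behave differently on the server. The WordPress-like tree under $tmp is constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): literal search-and-replace
# across a tree of files, with dry run, backups and portable `sed -i`.
set -eu

# bulk_replace DIR OLD NEW [apply]  -- OLD and NEW are literal strings
bulk_replace() {
  dir=$1; old=$2; new=$3; mode=${4:-dry-run}
  # Escape regex metacharacters and the / delimiter so the strings stay literal.
  old_re=$(printf '%s' "$old" | sed 's|[][\\/.*^$]|\\&|g')
  new_re=$(printf '%s' "$new" | sed 's|[\\/&]|\\&|g')
  find "$dir" -type f ! -path '*/.git/*' ! -name '*.bak' \
       -exec grep -lF -- "$old" {} + |
  while IFS= read -r f; do
    if [ "$mode" = apply ]; then
      cp -p "$f" "$f.bak"                       # keep a pre-change copy
      if sed --version >/dev/null 2>&1; then    # GNU sed (Linux)
        sed -i "s/$old_re/$new_re/g" "$f"
      else                                      # BSD sed (macOS)
        sed -i '' "s/$old_re/$new_re/g" "$f"
      fi
    else
      # Dry run: show what would change in each file, touch nothing.
      sed "s/$old_re/$new_re/g" "$f" | diff -u "$f" - || true
    fi
  done
}

# count_files DIR STRING -> number of (non-backup, non-.git) files containing STRING
count_files() {
  find "$1" -type f ! -path '*/.git/*' ! -name '*.bak' \
       -exec grep -lF -- "$2" {} + | wc -l | tr -d ' '
}

# Constructed demo tree standing in for a WordPress install
tmp=$(mktemp -d)
mkdir -p "$tmp/wp-content/themes/site" "$tmp/.git"
printf "define('WP_HOME', 'http://old.example');\n" > "$tmp/wp-config.php"
printf '<img src="http://old.example/logo.png">\n' > "$tmp/wp-content/themes/site/header.php"
printf 'nothing to change here\n' > "$tmp/readme.txt"
printf 'url = http://old.example/site.git\n' > "$tmp/.git/config"   # must stay untouched

bulk_replace "$tmp" 'http://old.example' 'https://new.example'         # 1. dry run, read the diff
bulk_replace "$tmp" 'http://old.example' 'https://new.example' apply   # 2. then apply
```

Run the dry run first and read every hunk; only when the diff is exactly what you meant do you add `apply`. The .bak files give you a one-command rollback (`for f in *.bak; do mv "$f" "${f%.bak}"; done`), which is the part most worth having when you have no staging copy.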

> I know server admins do this shit like in a couple of minutes

Yeah, but only from the second time on, and just until our notes become so crowded that we start gambling on re-learning being faster than maybe finding wherever the solution was documented ;)

Internet related would be, back in the early 2000s when I was building out the infrastructure of pinkbike/trailforks, I was optimizing things and discovered that this initcwnd parameter was hardcoded to something like 2 or 3 packets in the Linux kernels. This was causing the initial page to require multiple RTTs to load, so I figured I would change that and recompile the kernel to make sure all our pages would be transmitted in one go. This made our site perform a lot better compared to most sites at the time. Funny, at the time I was a bit worried that the IETF would discover this and shut us down or something. These days that parameter defaults to something like 10 and you can increase it with a config parameter.

My first IT job was supporting Point of Sale systems for service stations and other retail outlets. The company had some clients in really remote areas, and we provided 24 hour phone support. The software we supported was DOS based, and the configuration was really arcane. Lots of serial port hardware, but instead of configuring it on a COMn port, you needed to know the exact port address and interrupt. This incident happened back in the mid-90's, so very much pre-internet.

One Saturday afternoon a call was escalated to my mobile while I was at a friend's house. A remote site had a server failure, everything was down, and they couldn't pump petrol, help! After a little bit of investigation, aided only by a non-technical console operator acting as my remote hands, we determined the server was beyond repair. So then I talked the operator through installing the network operating system on a different computer, reinstalling the POS software, re-configuring all of the serial hardware for the ports on the new machine, setting up file sharing, restoring data backups, etc. Essentially building an entirely new system from scratch.

After 4-5 hours on the phone they were back up and pumping petrol again. All completely from memory, no computer, manuals or documentation to hand.

Proudest is probably my first and not particularly clever, but I am very fond of it.

Early 90s, a friend let me borrow a copy of a game he had, which included a physical codewheel you use to prove that you own the shareware. I thought about copying the codewheel so I could return the floppy to him and still play, but I'd read that computers have no way to make random numbers and usually seed the random number generator with the current time. I made a batch file that set the time to a specific value and then launched the game, and memorized the code I'd get if I sped through the main menu as fast as possible.

About 10 years ago I was contacted by an agency I used to work with, that they needed to change a little feature in the Android app for the Austrian lotteries.

The problem they had was that they had managed to lose the source code of the app, lol. Since the app was a simple webview wrapper I decompiled the apk to some horrendous Java monstrosity and carefully extracted all used logic, the html, css and js and created a new webview app with the slightly modified code.

Oh and I had no experience in Java or Android development :)

Another hack I was very proud of:

Some weeks ago I had to pick something up with a car trailer. I went to my parent's place to get it and when checking if the lights worked (it was dark already) it turned out that they did not. Since I was driving to a larger city I could not just go without lights.

The problem was that I really had to pick this up, and also I had no extra time to find an alternative solution, so I wiggled the jack of the trailer's cable in all directions hoping to clear out some oxidation. After some minutes of trying I found a specific position in which the lights seemed to work.

Taking out the good old duct tape from my car's trunk, I fixed the jack against the trailer hitch. For some reason it actually worked and did not break. I was very proud of this hack!

Obviously I didn't fix it yet :-P

Maybe not the proudest, but here's a fun one for which my friend Nial Peters should get most of the credit.

We were on Mt Erebus and I needed to power some 6V carbon dioxide sensors for my work. We had lots of 12V lead-acid batteries, but we knew they were made up of 6 roughly 2V cells. We drilled a hole and put a screw in the middle. Now we had 6V batteries.

Tribes 2 had in-game scripting. You could open a console and enter commands or run script files. I was young and just beginning to learn programming.

I noticed that if you malformed a certain command, a mere syntax error, it would crash the game clients of everyone else you were in a chat room with (the game had in-game chatrooms). I was apparently one of the few who knew this because the game didn't immediately become a crash fest as it would have if word had spread.

There was a game mode where players would begin the game frozen with the clock stopped. This allowed serious games to be organized where all players were ready before the match began. I found a command that allowed me to unfreeze my character, and I could move about while everyone else was frozen.

There was a debug command that would dump the location of all players and deployable items. I wrote a script to dump this data, parse it, and update my HUD with the data, several times per second. This was cheating, but it did serve as one of my first experiences with programming. It was a hack I made myself and did not share, although I know others were aware of this cheating technique. This was later patched out of the game.

When I was 18 I found an offshore online casino that had a video poker game that paid out slightly over 100% if played perfectly. I don’t remember exactly why I couldn’t just reverse engineer the API so I wrote a program that would scrape the screen for the cards, determine which cards to hold, and physically move the mouse and click the correct buttons. I had the program running on a laptop in my mom’s kitchen all day and night, it drove her crazy (I liked having the sound effects on so I knew it was running 24/7). Made the house sound like a casino, lol. I was skeptical that it would actually work, I figured this random offshore casino probably rigs the RNG anyway, but it actually did pay out as expected. I logged every hand and it was pretty amazing seeing the royal flushes actually come up once every ~40,000 hands - needed those to make the whole thing work, obviously.

They eventually caught on after around 10 million hands I think, banned me, stopped me from cashing the remaining funds out (wasn’t that much since I withdrew frequently), and changed the odds of the game.

Very low tech, but helps me communicate privately with friends and family over non-private channels (like email).

Also use it to store critical password and keys, and have copies of my passport with me everywhere.


Looks like someone collected the btc bounty?

Damn! Well, great!

Whoever you are, well done!

(I'd love to know how!)

Did you use a brainwallet (ie, the hash of the password as the private key)?

It looks like the funds were drained within an hour of you loading the bounty. People have made giant lookup tables of brainwallet passwords and monitor the corresponding addresses for transactions. Reddit user u/btcrobinhood is known for doing this and returning the funds.

Interesting! I suspected the attack vector was my poor use of BTC rather than someone cracking AES so quickly, I'll look into this.

I created the wallet using a popular opensource wallet app, and just moved some funds there. Don't know more than that...

Thank you for the pointers!

Update: funds were not stolen. PortableSecret wasn't cracked (yet)!

What happened is: the wallet app I'm using automatically performs CoinJoin[1] when funds are received (In fact, this is their business model! They take 0.3% of the amount to automatically anonymize all inbound coin).

CoinJoin is a protocol that breaks up the sum received in tiny pieces and scatters them across a large number of "sub-wallets".

So my wallet still has the funds. But the 'receive' address I used looks drained; that's because it was only a temporary address to share with the sender. Funds were soon after scrambled/tumbled/anonymized.

This was an interesting experience. I spent all day thinking about what could have happened, researched and learned a bunch of stuff in the process.

[1] https://en.bitcoin.it/Privacy#CoinJoin

Why bother with BTC? Monero implements such protections (plus many stronger ones) with TX fees in the order of a single cent, and obviously without any fees for laundering your entire balance every time you're given money.

Not your keys, not your coins.

This is really cool. I can see this being a very useful tool, especially for helping out my folks and tech illiterate family.

Not the one I'm most proud but at least this one I can explain.

I initially did it to help a friend who wanted to customize and sell bicycle bells. Since most printing techniques are made for flat surfaces, this creates an interesting challenge. The solution I eventually arrived at involves a pen plotter and a custom fixture. There's actually an article about it here: https://www.evilmadscientist.com/2019/bike-bells-with-axidra...

And by the way, the obvious way to produce them would probably be using transparent stickers, a heat gun and a coat of varnish, but where's the fun in that.

In my master's thesis, I was generating component graphs from source code. One issue I had was the generated graphs were suuuuper ugly due to the connections between components overlapping in a non-optimal way. Turns out, untangling graphs is an NP-hard problem. I got around it by using a spring-repulsion simulation, where connections between components pulled them together but components repelled other components when they got close. It wasn't a perfect solution, but it got me 90% of the way!

It's such a powerful technique and it's so simple to implement! I used the same technique for putting a bunch of icons on a map and making sure they were as close as possible to their target position without overlapping.

A few years ago I was planning to meet some friends in Brazil for the holidays. I waited until the last possible day to apply for a visa. When I tried to apply for the visa, there was an off by one error in the front end form validation that was checking that some dates were valid, and since one of the dates on the form was in December, the validation thought that it wasn't a valid date. I had to edit the JavaScript on-page to allow myself to submit the form. Got it submitted and got my visa a couple days later. I'm wondering if I'm the only person who managed to apply online for a Brazilian visa that day.

I automated math education for my 9 year-old. It's a Unity application where a student is required to solve basic (currently) math examples.

For 10 examples you're getting a 25-cent coin from a coin dispenser. You can keep it or you can use this money to buy Internet access. My OpenWrt router is connected straight to the coin acceptor. For one coin you're getting 30 minutes of Internet on all devices (iPad and PC).

Since it's all automated I don't need to get too involved in the education process. Math score in school has greatly improved, the kiddo solved thousands of examples.

The coin dispenser is proprietary (found on eBay, one of the popular models), so I literally had to hack the USB protocol. The coin acceptor had no USB interface, so I had to introduce one. I've connected this USB to my OpenWrt 32-bit router, which is also ARM, so I had to hack some USB libraries along the way so my binaries can work with USB right from OpenWrt.

This is outstanding.

I moved back to Texas from college without any job prospects and found myself living in my car, relying on Walmart Wi-Fi for internet access.

So, I resorted to a few low-quality hacks.

The first was a QR code parking app. It worked by just placing a QR code on public parking meters. I marked up the parking from like 50 cents to a dollar. I kept 50 cents and paid for the parking through the official app with mitmproxy. Someone eventually reported it.

I had to ask my dad for help reimbursing the city—which he was not too happy about.

The second hack of a washing machine was disclosed properly, although no firmware patch was ever released.

[1] https://news.ycombinator.com/item?id=29814973

[2] https://shakey.blot.im/reverse-engineering-a-popular-laundry...

Wow, that's quite a story! It sounds like you got a bit of a wake-up call from your dad, but it's commendable that you took responsibility for your actions. It's also great that you reported the washing machine hack properly so that it could be fixed. It's unfortunate that no firmware patch was released, but at least you did the right thing.

I was color calibrating a prototype holographic printer with a 30Hz pulsed laser spatially modulated by a 60Hz LCOS, phase locked of course. I was chasing down a funny issue where the response curve of the LCOS seemed to change every time we power cycled the machine - specifically, it would randomly flip between one of two modes. I had a suspicion that the LCOS was flickering (they're known to do that) and that therefore the two possible embeddings of 30Hz in 60Hz behaved differently.

But how to measure this? The LCOS displays were buried deep inside some optics, and the only light that reached them was the laser light which was pulsing at the same frequency as the signal I wanted to measure, and the laser PSU was incapable of driving it faster. I did however have a pulsed energy meter, which I'd managed to interface to a computer so I got a readout for every pulse.

Sudden insight: flip the switch on the laser power supply from "Ext. trigger" to "Internal trigger". Twiddle the fine adjustment on the PSU frequency knob until the laser frequency was 29.95Hz. Watch in satisfaction as the energy meter described a neat sine wave over the course of 20 seconds - the beat frequency between 30Hz and 29.95Hz - confirming that the reflected energy swung wildly depending on the relative phase.

It was a small and simple hack, and I've poured much more sweat into much grander "hacks", but I will always be proud of that lightbulb moment.

very cool

Honestly, probably futzing around with Prince of Persia level assets in ResEdit to bypass the piracy check, as a child. My capacity for pride diminished with exposure to the world.

More recently, replacing `7z.exe` with a PowerShell script that logged input, to get archive passwords for an obfuscated data format. Not technically impressive at all but a few days were saved and lolz were had.

Hadn't heard of that idea. That's pretty smart.

As a young buck whose parents didn't want him tying up the only phone line in the house to get on the internet whenever he wanted, I was limited to an hour of internet time a day. I also would pick up free trial discs from local stores, even though I couldn't sign up for a free trial without a credit card or checking account, of which teenage me had neither. One day, however, late at night on a weekend, I tossed a PeoplePC disc into my machine and ran it through the trial setup to see what I could do.

PeoplePC's sign up was completely online, which was pretty new for the day. The trial setup would first dial a toll-free number to get local POP numbers, and then dial the local number to complete the registration. Well, after poking around to see if I could get around the dialup procedure for the temporary Dial Up Networking account (young me at the time wouldn't know that those creds were in the registry for my perusal), I popped open a web browser, and to my surprise, the local pop account had full internet access. Unfortunately, the trial had a timebomb, so after 10 minutes of inactivity in the setup app, it would close the connection, and remove the DUN account.

Young me however was a wannabe hacker, and had among other tools, a hex editor at my disposal. Finding the temporary setup directory, I copied the contents into another folder that would persist beyond the setup, and started scanning through various files. Eventually, I found what looked like a username and password cleartext in a binary, and copied them out. Tossed them into a fresh DUN entry, and discovered that the account... just worked. Like that, I had free dial-up networking, effectively whenever and wherever PeoplePC had a POP. I rode that for a good couple years until we eventually got our first DSL modem.

Honestly not the hardest or most impressive hack in the world. For all I know, PeoplePC was aware of my usage of it, but because the password was etched into hundreds of thousands of setup discs, it's not like they could rotate the creds. But for a teenage me that just wanted access to the unfettered internet, it was pretty neat.

When I was a teenager, my friends and I played this free MMO game online. A friend was told by another friend of his about a bug in the game. This bug would let you receive the reward of a certain mission without marking it as complete, so you could get the reward as many times as you wanted.

Me and my friend started exploiting the bug like crazy, spending hours literally just doing that. The problem was that the process to exploit this bug was very convoluted and a pain to do manually.

I had no experience of programming nor anyone around who knew anything about it, but I felt that there must be a way to do the whole process automatically. Computers are meant to automate stuff, right? Anyway, I started investigating online and found AutoIt, which is a BASIC-like scripting language that allows you to automate GUI stuff.

I then began building a script that did literally what I had to do manually to exploit that bug. And literally means literally. The way I made it work was by scanning colors at coordinates (to check whether a window is open, etc.), moving the mouse and clicking. The script was full of duplicate code. I didn't know about loops. All I knew was if conditions and mouse actions. I even remember having to go to a forum and asking for help (in super broken English) because I wanted to keep the program running indefinitely (they told me to use `while true`). But it worked.

Anyway, I spent about two weeks of after school afternoons building this bot. Then, when I had it working, got banned in a matter of days :^)

This might not seem like much, but I remember it fondly as this was my introduction to programming and the reason this became my career. I'm still holding onto the (terrible, terrible) script.

Emulating a lineprinter at our end of a frame relay circuit to capture print jobs from a service provider's mainframe and putting them into a database. This was in the 90s and it saved us a boatload of money and paper.

I migrated 5 independent svn repos into a single git mono repo while maintaining history.

1. Synced all 5 using git-svn into 5 branches

2. Used filter branch to rewrite each into its own folder

3. Handcrafted a single merge commit that combined all 5 branches into one
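The three steps above, as an added example that is not the commenter's own scripts: step 1 (the git-svn sync) is replaced by three constructed local repos so the script runs offline, step 2 is the filter-branch rewrite that puts each history under its own directory, and step 3 is the handcrafted merge commit with one parent per branch. Repo names and file contents are made up; it needs git on PATH.

```sh
#!/bin/sh
# Added example (not from the original post): fold independent git repos into
# one mono repo while keeping every commit reachable from the new main branch.
set -eu

export FILTER_BRANCH_SQUELCH_WARNING=1 GIT_PAGER=cat
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# make_sample_repo PARENT NAME -> a two-commit repo standing in for a git-svn clone
make_sample_repo() {
  repo="$1/$2"
  git init -q "$repo"
  echo "first version of $2" > "$repo/$2.txt"
  git -C "$repo" add . && git -C "$repo" commit -q -m "$2: initial import"
  echo "second version of $2" > "$repo/$2.txt"
  git -C "$repo" commit -q -am "$2: update"
}

# move_branch_into_subdir MONO NAME: rewrite branch NAME so every commit in its
# history already keeps its files under NAME/ (so `git log -- NAME/x` still works).
move_branch_into_subdir() {
  git -C "$1" filter-branch -f --tree-filter \
    "mkdir -p '$2' && find . -mindepth 1 -maxdepth 1 ! -name '$2' -exec mv {} '$2'/ \\;" \
    "$2" >/dev/null 2>&1
}

# build_mono_repo PARENT MONO NAME... -> prints the hash of the combined merge commit
build_mono_repo() {
  parent=$1; mono="$1/$2"; shift 2
  git init -q "$mono"
  for name in "$@"; do
    # Step 1 stand-in: each source repo becomes its own branch in the mono repo.
    git -C "$mono" fetch -q "$parent/$name" "HEAD:refs/heads/$name"
  done
  git -C "$mono" checkout -q "$1"      # filter-branch refuses to run on an unborn HEAD
  for name in "$@"; do
    move_branch_into_subdir "$mono" "$name"    # step 2
  done
  # Step 3: assemble one tree from the per-branch subtrees, then commit it with
  # every branch tip as a parent so each old history stays reachable.
  git -C "$mono" read-tree --empty
  parents=""
  for name in "$@"; do
    git -C "$mono" read-tree --prefix="$name/" "$name:$name"
    parents="$parents -p $(git -C "$mono" rev-parse "$name")"
  done
  tree=$(git -C "$mono" write-tree)
  merge=$(git -C "$mono" commit-tree $parents -m "Combine $* into one mono repo" "$tree")
  git -C "$mono" update-ref refs/heads/main "$merge"
  git -C "$mono" symbolic-ref HEAD refs/heads/main
  git -C "$mono" reset -q --hard
  echo "$merge"
}

work=$(mktemp -d)
for r in billing web worker; do make_sample_repo "$work" "$r"; done
build_mono_repo "$work" mono billing web worker >/dev/null
git -C "$work/mono" log --oneline --graph main   # three histories joined by one merge commit
```

`git commit-tree` is what makes the single merge commit "handcrafted": `git merge` would refuse or produce one merge per branch, whereas commit-tree takes any tree and any list of parents. Before publishing the result, check that the rewrite did not drop anything (`git rev-list --count` on each original branch versus its rewritten one) and delete the `refs/original/*` backups filter-branch leaves behind.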

Shared a house with some friends in college and we found a bug in a local Pizza place's site to stack coupons and get huge pies that were normally like $30 for $5, basically really good fancy pizza for cheaper than dominos. Really a blessing and a curse since it became breakfast, lunch, and dinner since it was hard to justify buying anything else.

Project was months behind schedule and had "six months to go" but the truth was nobody knew. The mpp calendar had all these 4 day blackout periods for loading data. I ended up getting that down to 2 hours but scheduled it between india/USA shifts so all the 4 day periods went away and (literally) months of project time got clawed back.

Vendors wouldn't share code so I broke it, looked at the error logs and wrote my own version of an indexed vector that reordered the operations using a knapsack algorithm and in a way that allowed us to run 50-100 parallel threads. Maybe 500 lines of code.

Knocked some heads together to get downstream systems to start importing data as soon as the first files arrived rather than wait until the end.

CTO (I'd never heard of him, it was a $30B company) didn't believe management about the months of time we'd saved, needed it all explained, was very happy.

Access to a Facebook profile of a bully, from a PSP console, when I was 10 years old, using social engineering. I literally only asked for the answer to his email recovery secret question and I got access to all his stuff.

Best hack:

Rewriting a C++ matrix library to change its API back in 1996/1997, for a 100x speedup.

It was a nice library... It had things like a = b + c; ... but back then, C++ really didn't have tools to support that syntax with great performance. Especially mixed with a bad allocator, that prevented multi-threaded allocation.

A few jobs ago I was working on printer firmware. There was some bug where after so many pages were printed the colors would start to band. Anyways, the fix ended up changing a == to a <=. I looked up an ascii table and it was literally a 1-bit change. I like to brag about that one on occasion but it also put things into perspective how the difference between something working or not can literally come down to a single bit.

Yeah, most software cracks on x86 used to involve changing a byte's value from 0x74 to 0x75 or vice versa, literally a single bit change making it a cracked program or not :)

About ten years ago I got invited to do a college recruiting event for my company. All of the opportunities were for weekend visits to podunk colleges in the US and Canada, but there was one week long trip to a couple of colleges in Europe. The problem was the button was greyed out and I couldn't click it (probably reserved for people in a higher pay grade). F12ed that mf-er and got a free vacation...

We needed to take delivery data from a proprietary legacy system. It already printed delivery notes so I spliced into the RS232 cable to the printer and took a feed into a second PC.

I then wrote a quick and dirty comms program to suck the data in, discard the unwanted control codes etc, and scrape the data into a usable form.

This was in pre-windows days, so the data going to a dot matrix printer was pretty simple. It would be a lot more chewy now I suspect.

An old manager used to like giving me PITA (Pain In The Ass) Projects that solved something useful, but were a bit arcane for some reason or other. A couple were printer-related, for our customers.

One customer had a cheque-printing routine that used a blob of HP PCL (Printer Control Language) for some reason when printing these cheques. The blob included image data of the finance person's signature, and they'd changed executives. We didn't have information about how this blob had been created initially, but I was able to pick it apart with a printer manual and hexl-mode in Emacs. That let me edit hex data which could still change size, and replace one image with another.

Another customer had salt mines, which are very corrosive environments, and you didn't want much in the way of computer gear there. They needed to be able to print shipping sheets from head office, ideally without any PC or server on-site. Using a modem and a dot-matrix printer with a serial interface, I figured out a way to connect and send a print job that worked. Not sure if they ever ended up using it though.

About 15 years ago I was trying to debug a pesky timing issue and couldn't reproduce it.

I wrote a script to capture and replay network traces from Wireshark (then called Ethereal) that included keeping the timings intact. Caught the bug reliably every time.

I still think that's the best thing I ever did.

I worked for a client in the streaming music space. They were going through the technical testing phase of partnering with a high end audio manufacturer. One of their requirements was to retrieve the metadata of N songs within a fixed time limit, simulating their customer playing our streaming audio on their hardware.

The testing office was in LA. The audio and metadata was in Ireland. The lag across the public internet consistently failed their tests.

So I deployed a small read-only copy of the API in an LA data centre which tunnelled inside the cloud provider back to Ireland. I used DNS geo tools to ensure the tester transparently hit the local LA data centre.

We passed their tests with ease and landed a 6-figure contract.

The hardware customers probably had a terrible experience though...

I hacked the Doodle Jump high scores [1] in the back of Steve Bellovin's computer science class [2] in '09

[1] https://imgur.com/a/sN8om7u [2] https://en.wikipedia.org/wiki/Steven_M._Bellovin

Almost 25 years ago I got a trial version of NuMega Soft-Ice for Win 95, and I was able to hack it using that same Soft-Ice.

I worked for a healthcare startup that interfaced with a lot of large insurance companies. They had no API access for their patient information and would just give us credentials to ancient web portals instead.

I wrote my own browser automation scripts to create our own internal patient API. Ended up reducing claim billing errors by a ton and resulted in 6 figures a month in additional revenue.

What impact did the 6 figures in additional revenue bring to you personally vs. the owners of your startup? How were you acknowledged or compensated for this feat?

Honestly I was a brand new hire and it was my first real engineering job so I gained nothing from it. At the time I had no idea how to advocate for myself or my accomplishments. Big lesson learned.

I once needed to install a very large piece of enterprise software in a locked-down enterprise environment. The client had contractually agreed that we would download the software rather than using physical media and for complicated reasons due to IP licensing we were not allowed to install via physical media.

However the enterprise IT/infosec folks at the client didn’t like our project and refused to whitelist our upstream host so it was not possible to download things into the client environment without going through a virus-checking firewall. This imposed various restrictions:

1) It prevented any executable, tarball etc from being downloaded. Basically if it was in a useful file format it was no bueno.

2) It prevented any file over a certain size from being downloaded. If it was over the size, the firewall would just cut the connection.

Time to get the unix toolset out and get to work. I realised first that I could easily get around #2 by slicing the file into chunks, downloading each chunk and then reassembling on the client side.

#1 was a bit more tricky. The first thing I tried was encrypting the file. This would theoretically mean the virus scanner wouldn’t be able to find any signatures of hostile file formats, but it turned out that the encryption itself made the first bit of the file predictable and so my first chunk kept getting blocked.

Soo….. I added some random noise onto the front of the file. Once I tuned the length, it meant the virus scanner didn’t understand the encrypted file so it got through.

The two resulting shellscripts (called “shred” and “unshred”) are probably my favourite ever hack. You’d run “shred” on the far side, which would take any listed input files, put them in a tarball, encrypt it, add some random noise to the front and then cut it up into chunks small enough to get through the firewall, and then on the far side you’d download them and run “unshred”, which would reverse the process.

Once we had demonstrably got our software through the firewall a few times, IT/infosec realised their objections were futile and they relented and whitelisted our upstream so we could just do a normal install for all future releases.
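The "shred"/"unshred" pair described above, as an added example that is a reimplementation and not the commenter's scripts: tar the files, encrypt the tarball, hide the encryption tool's fixed header behind random bytes, and split the result into pieces under the size limit; unshred reverses it. NOISE, CHUNK and the demo passphrase are assumptions. The detail that matches the commenter's "first bit of the file predictable" is visible in `first_bytes`: `openssl enc` output starts with the literal `Salted__`, exactly the kind of fixed signature a content scanner keys on, and the random prefix pushes it out of the scanner's window.

```sh
#!/bin/sh
# Added example (not from the original post): chunked, encrypted, noise-prefixed
# file transfer and its reverse, with a check of why the noise is needed.
set -eu

NOISE=4096                   # random bytes prepended; tune until the scanner stops matching
CHUNK=1024                   # assumed per-file size limit for the demo
export SHRED_PASS=${SHRED_PASS:-demo-passphrase-change-me}   # passphrase via env, not argv

# shred PREFIX FILE... -> PREFIX.aa, PREFIX.ab, ... ready to transfer one by one
shred() {
  out=$1; shift
  tar -cf - "$@" \
    | openssl enc -aes-256-cbc -pbkdf2 -pass env:SHRED_PASS \
    | { head -c "$NOISE" /dev/urandom; cat; } \
    | split -b "$CHUNK" - "$out."
}

# unshred PREFIX DESTDIR -> restores the files under DESTDIR
unshred() {
  cat "$1".* \
    | tail -c +$((NOISE + 1)) \
    | openssl enc -d -aes-256-cbc -pbkdf2 -pass env:SHRED_PASS \
    | tar -xf - -C "$2"
}

# first_bytes FILE -> the first 8 bytes, made printable by od
first_bytes() { head -c 8 "$1" | od -An -c | tr -d ' \n'; }

# Demo on a constructed payload
work=$(mktemp -d)
cd "$work"
mkdir src restored
printf 'installer payload\n' > src/setup.bin
# Straight encryption, for comparison: its header is a fixed signature.
openssl enc -aes-256-cbc -pbkdf2 -pass env:SHRED_PASS < src/setup.bin > plain.enc
shred pieces src            # "far side": produce the pieces
unshred pieces restored     # "near side": put them back together
echo "plain.enc starts with: $(first_bytes plain.enc)"
echo "pieces.aa starts with: $(first_bytes pieces.aa)"
```

Two practitioner notes. `-pass env:` keeps the passphrase out of `ps` output, which `-pass pass:` would not. And chunked, encrypted, noise-prefixed downloads are also the shape of a malware dropper, so a DLP or EDR team that sees this pattern in logs is right to ask questions; the commenter's ending, where infosec whitelists the upstream host, is the proper fix rather than the workaround.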

Oh I just thought of another one. I was working at a client and it was going pretty well until we did a demo to a pretty quantitively aware person and he asked whether our thing (a time-series analysis and reporting tool basically) did linear algebra. Well it didn’t, and he was pretty sarcastic about that.

So I went back to my hotel room, put on some coffee and spent most of the night writing a bunch of boilerplate code wiring in various methods in apache commons math. The next day I had another meeting with him to discuss something. I chose as an example a function we had quickly knocked up that did a bunch of matrix math. “I thought you said it didn’t do linear algebra?” He said. Felt pretty good to say “Yeah that was yesterday. I just added it”.

2 daily scheduled 20 minute naps (8AM, 3PM) with noise cancelling headphones and a face mask neutralizes the side effects of sleep fragmentation with a new child.

Isn't 8AM still part of the night sleep? Do you wake up super early? I would expect something like 11AM, 3PM :D

Kids love to wake up really really early. Like 5 or 6am. By 8am, the OP here probably had their kid in daycare or something already.

Interesting. Do you know how many hours you sleep per day in total?

I have a couple:

1. I was working as an intern at a router company (basically doing manual QA of software releases). One day one of the software developers comes by and wants to see how hard it would be to add a feature (IP address autonegotiation for point-to-point links). The code already existed in a library, but there was no official way to enable it. The developer did mention that it could happen automatically if the IP address was unspecified. I was able to get it active by creating a virtual interface with a manually set IP address, setting the point-to-point link to use the same IP address as the virtual interface, then deleting the virtual interface.

2. I was working on a Government funded research project and some other company was responsible for developing the board support package. The board we were working on had 1 ARM core and a 7-core DSP in a NUMA configuration. I had a processing pipeline that split the processing between cores so that each core handled a different part of the chain. The full code did not fit in DSP memory, so we had separate images for each core. I was seeing crashes every time one of the DSP cores finished handling a message. Eventually I was able to determine that the messages passed between cores by the platform were actually C++ classes with a virtual destructor. My work-around was to overwrite the first 4 bytes of any message the DSPs received with 4 bytes from an empty reference message created locally. That overwrote the vtable and prevented the crash.
