A 2FA app that tells you when you get `314159` (2024)

neilv

I have one of those time-based number hardware fobs, with the 6-digit 7-segment LCD display, which I'd guess I'd actuated less than 100 times, yet on one such actuation, it displayed 1-2-3-4-5-6.

Maybe because the whole mode when using it is infosec, my snap first thought was about how this is highly unlikely and is someone messing with me.

My next thought was to run to get a camera from the other room, regardless of whatever is going on.

By the time I got back with a camera, and just barely missed photographing the display, I realized that someone compromising my airgapped self-contained hardware fob was even more unlikely than this number sequence coming up randomly within 100 actuations.

And, like this article points out, there are many "unlikely" numbers that might come up, so the chance of any of them is not as unlikely as it would first seem until you thought about it.

cdelsolar

I was driving my wife's car a few years ago when I managed to look down and see that the temperature was 55 degrees, and the odometer read 55,555. For a split second I couldn't believe my eyes; what are the chances?

neilv

That this-can't-be-correct reaction can be useful in emergencies, if it gets your attention, and activates a mode in which you can focus and act decisively in an instant.

I once was applying a spray-can anti-slip treatment to a bathroom floor, when I might've heard a whoosh, looked up, and had a thought (that I remembered afterwards as) "fire shouldn't be coming from that direction".

From the adjacent room, there was this flash fire shooting across the floor at me.

That got my attention, and activated an emergency mode, parts of which I had no recollection. I somehow leapt backwards up onto the tub edge in an instant. Then the floor was on fire and lapping at the walls of the small bathroom I was in. The next thing I knew, I'd leapt over the flame, into the next room, somehow gotten the fire extinguisher from inside a cabinet, and was putting out the fire. Which worked nicely.

Then, I guess, as that mode was winding down, without really thinking about it, I put the exhausted fire extinguisher back in its spot in the cabinet, as I went to call the fire department to check that there were no lingering problems.

(Turned out that the floor treatment application also emitted a highly flammable gas, which rolled across the floor, into the next room, until it hit the pilot light in an old nat-gas oven.)

Now, if we had an adrenaline reaction every time we saw unlikely numbers, that would be a problem. But, however the cognitive scientists deconstruct it, I'm fond of having what I'll call a good emergency mode feature.

ezekg

> Now, if we had an adrenaline reaction every time we saw unlikely numbers, that would be a problem.

I think there's a relatively new TV show about this, actually.

ipaddr

Based on NOAA weather data, a rough estimate for the probability of experiencing exactly 55°F at any given time in temperate U.S. cities is around 2-5% on average

ipaddr

If you run the fob 100 times, the probability of seeing "123456" at least once is about 1% (1 in 100 chance).

One person in every hundred

KeplerBoy

It's not?

There's a (10**6-1)/10**6 chance of not getting it on any given try, so there's a ~1/10**4 chance of getting it within 100 tries. So quite unlikely, but of course possible and bound to happen among millions of users.

neilv

I got that 100 actuations has 1 chance in 10,000, which is unlikely, but maybe not as unlikely as it seemed at first glance.

    1   actuation  has 1   chance  in 1e6
    1e2 actuations has 1e2 chances in 1e6
    1e2 actuations has 1   chance  in 1e4

TZubiri

Cute, but ultimately cute features are not compatible with a critical security application.

If it had been developed as a feature of an existing application maybe it would fly (and probably even not there). But as a third party app, or even a third party library that needs to be added to the security supply chain? Not a chance for any serious business.

tasuki

> Not a chance for any serious business.

Why would you think "serious business" is the target audience? I think "serious business" is about as far from the target audience as possible...

avidiax

Yeah, unfortunately "Easter eggs" call into question the security of the software pipeline.

Did PMs and other engineers review and OK this? -> Suggests a lack of judgement or just rubber-stamping.

Did a lone engineer add this "just to be cute", and it didn't get caught and stopped? -> Proof that your development/release processes are insufficient and you are intensely vulnerable to insider threats.

Neither is good for a security product. At a previous company we were explicitly told that any easter egg was an immediate firing. The company's products had a long history of easter eggs before that.

zamadatix

This calls me heavily towards the quoted note about halfway through:

"Does nobody make apps for fun anymore?"

mckn1ght

This doesn’t mean every app has to be fun. If I want to have fun, I’ll go play with something specifically built for fun. If I’m balls deep in an incident and suddenly my MDM security policy login TTL expires and I have to reauthenticate, the last thing I want to see is yet another interstitial with some cutesy BS to nuke my working memory.

umanwizard

Thank you. I absolutely hate fun, silly or cutesy stuff in serious programs. I’m probably in the minority on this — lots of people say things like “why can’t we have more whimsy in the world?”. But personally being involuntarily conscripted into participating in someone else’s sense of humor really annoys me.

avianlyric

You might want to read the quote again.

> “Does nobody make apps for fun anymore?"

The author isn’t making a fun app, they’re making an app for fun. Your crazy incident doesn’t really have much bearing on how much fun the author has writing an app.

TZubiri

"interstitial"

Sidetrack but this is interesting wording, what do you mean exactly? As in some software that is accesory to other software? Or something that you have to access while moving between software?

jakey_bakey

I feel like sometimes I'm the only person in the world not shipping ultraniche paywall ASO slop

remram

Complete tangent: "voila" is French for "here it is", but "viola" is French for "raped". Careful using foreign words if you're not sure you can spell them.

xandrius

Viola also means purple/violet or the instrument. Let's try to be more chill about people making typos; nobody, not even a fluent French speaker, would read it as "raped". Only someone with a keen eye for drama and being a nuisance.

remram

I very much meant it as a nitpick. This is a single comment labeled as a tangent, how is it "drama"? Chill.

umanwizard

Only in the exclusively literary tense that is never used in normal speech.

Edit: below you say you’re French, so you know this already, I guess.

mog_dev

Not exactly, it's the 3rd person of passé simple

tedunangst

What if I want someone to look at my big violin?

ipaddr

Voilà - there it is

Viola - musical instrument

violé - raped

Accents matter but not as much as different letters. Don't correct spelling without knowing the proper term.

umanwizard

Confidently wrong while being a dick to the person who was right. Classic HN.

remram

I'm literally French. I'm sorry you don't know the passé simple.

https://la-conjugaison.nouvelobs.com/du/verbe/violer.php

jakey_bakey

Scare bleu!

thaumasiotes

> "voila" is French for "here it is"

I thought it was French for "look at that" (or I guess, literally, "look over there").

dvektor

Love it :) Glad to hear there are others who appreciate things like this

johnisgood

So... can I get 314159 by setting the time_step and start_time to a specific value? (With either hash algorithms like SHA-1 or SHA-512).

mmsc

Dubs and I upvote.

> Like all recovered edgelords who came of age in the early 2010s, I somewhat miss the heyday of image-boards like 4chan. They were the final bastion of the wild-west early internet before the nazis ruined everything.

Extremely true. I don't know anywhere like those times these days. Where do the young people/trolls hang out and push to the edge of acceptance these days? Or is the culture of "getting right to the edge of getting banned but not crossing the line for lulz" and "act in a way nobody knows whether you're actually trolling or not" dead?

probably_wrong

I want to argue that there are some rose-tinted glasses at play. /b/ (which is what most people think of when they think about 4chan) has been considered "no longer good" since at least 2006 [1], probably earlier. And even by that time they were already organizing raids and causing real harm to communities, both online and offline.

I'm not sure that it's 4chan that has changed, but rather that the world got a lot more connected [2]. A 2010 edgelord may say "pool's closed" while a 2025 edgelord may say "it was a Roman salute", but the spirit behind it is probably the same.

[1] https://en.wikipedia.org/wiki/Talk:4chan/Archive_4#Death_of_...

[2] https://ourworldindata.org/grapher/number-of-internet-users

jasonjayr

You know the meme. /b/ was never good.

mmsc

As the other poster pointed out, /b/ was never good ;).

But:

> A 2010 edgelord may say "pool's closed" while a 2025 edgelord may say "it was a Roman salute", but the spirit behind is probably the same.

I think I disagree. I don't think "pool's closed" was ever boosted into the mainstream, nor was it legitimized across truly fascist or racist communities; it was an internet meme for internet people. "It was a roman salute" is a phrase of normies that likely have limited experience with computers and online communities; without getting into the politics, a certain class of people actually believe "it was a roman salute". "pool's closed" meant nothing outside of specific communities.

ToucanLoucan

All of this 100%. And on a more personal level, while I had a grand old time as a 3edgy5me t(w)eenage boy on the early, "free" internet, that time has left me with numerous mental scars I carry with me every day.

- Thanks to shock sites, for showing me things a 13 year old kid really should not be seeing, and I wish I meant something as banal as pornography. I'm still occasionally haunted by images I've seen to such a degree where I have to take short breaks at work to compose myself.

- Thanks to political discussion boards, which turned important, real life issues and global problems that have genuine life or death stakes for people who weren't me into an alternative to sports that also let me pretend I was in any way intellectually superior to my peers for simply being willing and able to regurgitate conservative political propaganda that I barely comprehended.

- Thanks to the entire thing, for helping me nurture a shut-in mentality, that other people were too much work to be worth it, that my peers were dumb and not worth my time, that they wouldn't understand me at all and so involving myself in school was completely pointless, ensuring I would have no social life or skills whatsoever when I graduated high school and later college. Instead you gave me an entire other world of similarly uninformed, loud assholes to live in that would completely dissolve by the year 2009, leaving me 20 years old with no idea who the fuck I was, or what I believed in, ripe for recruitment into reactionary politics that would make me an insufferable douchebag for the next 10 years or so until I managed to pull my head out of my ass.

rpmisms

> I'm still occasionally haunted by images I've seen to such a degree where I have to take short breaks at work to compose myself.

This is PTSD. Get checked out.

xandrius

So well put. This should be posted every time someone is nostalgic of those times.

I'm not pro-walled garden, all is dandy and barbie but there is an opposite extreme.

For me the most fun time as a teenager was role-playing on forums: free, fun and harmless.

Modified3019

“Any community that gets its laughs by pretending to be idiots will eventually be flooded by actual idiots who mistakenly believe that they're in good company.“ (https://news.ycombinator.com/item?id=1012082)

Having been an early user of 4chan back in late 2003, from what I saw, the tone shift of nazi stuff just being edgy belligerence for the shock value to people saying “no really, this is my serious political ideology” really got traction somewhere around 2012-2014. Prior to that, there was still pushback. Much like how the idea of having a “waifu” was originally a derisive joke, but somehow turned into actual practice.

This coincided with a few things: a massive increase in internet use, raids having increased 4chan's notoriety, but most importantly it was the timeframe when Russia prepared for and invaded Crimea, which included ramping up "active measures" to shift conversation with troll farms/propaganda. 4chan (and later, 8chan, which had a huge population of boomers buying into "qanon" nonsense) became an ideal host to try to amplify disruptive propaganda.

I didn’t quite notice what was going on, since by that time I was mostly only on select boards like /tg/ or alt chans like operatorchan, but the Russian influence became obvious in the lead up to the 2016 election.

And it wasn’t just nazi stuff, it was all sorts of bullshit like Marxism, esoteric magic and conspiracy shit that was being thrown around to see what stuck. And they were active across every social media site. Though as bad as 4chan was, I’d argue russian presence on Facebook and twitter was especially harmful and far reaching. They didn’t even need to be subtle or target groups: https://qz.com/1284222/russian-facebook-ads-were-barely-targ...

0x138d5

> around 2012

"the post that killed /new/" comes to mind

Workaccount2

Trump being a meme is what got him off the ground. And here we are.

Goronmon

Community size and reach plays a big part in this.

Aside from the whole "Am I trolling as a racist or am I a racist trolling?" issue, communities get away with a lot more when they are smaller, more insular and more hidden from the public. Once the community starts to bleed out beyond the immediate site, you start to run into issues. Not just because the jokes and content are spreading, but the attitudes behind those jokes. And those attitudes (even if they make up just a portion of the users) have a tendency to not be great.

I think a perfect example of this would be what happened on Reddit with the /r/antiwork subreddit. As soon as the community got too large and started spilling into other areas of the site, the cracks started to show. Culminating with the interview by one of the mods (?) on Fox News I believe. All of a sudden a chunk of the users are questioning "Wait, this is who I'm siding with?" and then the only people left are the people who aren't bothered.

mmsc

Well said, and I think it extends to many communities which are founded on negativity of some sort: eventually people move on, except for those so filled with negativity that it is all they have.

sanex

I think a part of what happened has to do with >"act in a way nobody knows whether you're actually trolling or not"

Some people were joking and some weren't, or were just too dim to understand that it was a joke, and then they all showed up in Charlottesville to march. They were mostly serious except for that one poor guy who still thought it was a meme and ran away.

jampa

There was even an old 4chan joke for this:

"Any community that gets its laughs by pretending to be idiots will eventually be flooded by actual idiots who mistakenly believe that they're in good company." -Rene Descartes

mmsc

The amusing thing being that the original source of this is HN, not 4chan [1]. Deserves a spot on https://news.ycombinator.com/highlights imo.

[1]: https://news.ycombinator.com/item?id=1012082

stavros

My god, DarkShikari... I haven't heard that name in a decade.

square_usual

> Where do the young people/trolls hang out and push to the edge of acceptance these days?

Discord. It's all underground. The public internet is hostile to it, everyone has had to build their own spaces.

ivan888

> Dubs

Not sure if anyone else noticed the item id of this comment does indeed end in 88?

jakey_bakey

Dubz get!!!

dpedu

Particularly ironic since it mentions nazis...

gbalduzzi

Instagram reels.

There is a ton of content with dark jokes, black humor, very provocative content and even "nazi" memes and people send it to each other to laugh about it.

Those reels usually have very few likes / comments but A TON of sends. I personally am on multiple group chats where we only send each other those kind of memes.

The thing is, Instagram is a huge echo chamber. Before, you have no idea those exist, and once you are in you see a ton of them.

chatmasta

The echo chamber on Instagram is deep. Even when there are a ton of comments, they’re sorted beginning with the most “relevant” (i.e. worldview affirming). So if you’re viewing a controversial video, you’ll see comments echoing your own beliefs, and others will see the opposite. You’ll both move onto the next video thinking “wow, everyone agrees with me!”

I deleted instagram last year and haven’t reinstalled it. Those reels are so addicting. I’m glad I never installed TikTok because I imagine it’s just as bad. I still suffer from YouTube Shorts but at least the mobile web UI is janky enough to eventually push me out of its trance.

Workaccount2

Instagram is a special level of degeneracy. That is an app made for the masses. I never used TikTok, but YouTube Shorts gives me actual quality content while Instagram feels like it's gunning for a mix of reality TV, post-2005 History Channel, and animal brain fondling.

Although I will admit that Instagram has their advertising insanely dialed in. The content is gross junk food but the ads I have actually clicked before.

wongarsu

TikTok has the same issue. Two people can see the same video, come to opposite conclusions, and only see comments that agree with them.

TikTok is maybe the least bad echo chamber of the big short video platforms: stitches encourage some sort of debate and expose you to snippets of opposing viewpoints, and the algorithm gives you at least a chance of finding new types of content you also like. But it's only the least bad, it's still very bad. Especially once you factor in your own confirmation bias and the comment algorithm.

pests

Find a lot of it on discord.

hooverd

Eventually, the ironic becomes unironic. If you're pretending to be an idiot, eventually you'll find yourself surrounded by actual idiots. Or bigots.

scarlehoff

I felt real joy reading this, thanks :)

As someone starting to feel a bit of burnout I think I needed to read something like this.

jakey_bakey

This was 100% the most fun I’ve ever had coding anything. I was missing my tube stop levels of engaged

jmholla

I think this is a bad idea and insecure. Obtaining a code needs to be an intentional effort and not just available to someone who happens to be screen surfing my phone at the right time. It's worse that it's on the lock screen as it seems the author does based on their screenshots. Lose your phone, and your passcode will not protect someone from using your codes.

jakey_bakey

To be clear, you don’t see the account details in the notification, just the number, and can’t even read it until unlocking the device

lxgr

I think it's a great idea, but definitely very insecure, yes. Don't load your actual TOTP credentials into it, obviously.

a_tyler_

That’s a fun little Easter egg! It’s always cool to see small details like this that add some personality to otherwise routine tasks. Makes me wonder what other quirky things could be hidden in security tools without compromising functionality.

jonas21

I love Easter eggs -- but security tools are the last place I want them showing up.

Like do you really want to entrust your TOTP secrets to a random app by a guy you've never met just to get some fun push notifications?

hiatus

TOTP seeds are only useful if you have the account they are associated with. How would the 2fa app by some random guy discern the identity associated with the seed?

xp84

Isn't one issue the display of the codes on the lockscreen? If viewing notification contents there is enabled, it would be problematic if it popped up while you were away from your device to say "Your Google 2fa is 100000 right now". I get that the iOS default requires unlock to view the actual content of the notification, but still, that seems less than perfect from a security standpoint.

Still the app is fun and I appreciate it.

jonas21

To add an item, you scan a QR code. That QR code usually contains the name of the service and your username. For example, the format of GitHub's QR code is:

otpauth://totp/GitHub:[username]?secret=[secret]&issuer=GitHub
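The three technical points in this thread, in working code, as an added example that is neither the app's code nor any commenter's: parsing the otpauth:// URI jonas21 quotes (which shows why freehorse's point holds, the issuer and account name travel with the seed), answering johnisgood's time_step/start_time question by computing RFC 6238 codes and scanning counters for 314159, and the 1 - (1 - p)^N odds that KeplerBoy and neilv work out. Everything specific in it is an assumption of the example: the URI, the account name "alice" and the seed are constructed (the seed is the RFC 6238 test key, so the 8-digit vectors from that RFC can be checked against it), and the set of "notable" codes is just the ones mentioned in the thread.

```python
"""Added example, not code from the post or from the app it discusses."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed URI in the otpauth:// layout GitHub uses; placeholder account and
# the RFC 6238 test seed "12345678901234567890" (base32 below), not a real secret.
EXAMPLE_URI = ("otpauth://totp/GitHub:alice"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub")
NOTABLE = {"314159", "271828", "123456"}  # the codes mentioned in the thread


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the fields a 2FA app stores.

    The label (issuer:account) and the issuer parameter arrive together with
    the seed, so whoever receives the QR code learns which account it unlocks.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))
    issuer_from_label, _, account = label.partition(":")
    q = parse_qs(u.query)
    b32 = q["secret"][0]
    return {
        "issuer": q.get("issuer", [issuer_from_label])[0],
        "account": account or label,
        # re-add the padding most QR codes strip before decoding
        "secret": base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time=None, period=30, t0=0, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor((now - T0) / time_step).

    The code is fixed by (seed, counter); period and t0 only decide which
    counter is "now", which is the answer to the time_step/start_time question.
    """
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int((unix_time - t0) // period), digits, algorithm)


def next_notable_counter(secret, start_counter, notable=NOTABLE,
                         max_steps=2_000_000, digits=6, algorithm="SHA1"):
    """First counter at or after start_counter whose code is in `notable`, or None.

    Walks the deterministic sequence forward; this is all an app needs to know
    in advance when 314159 will come up for a given seed.
    """
    for counter in range(start_counter, start_counter + max_steps):
        code = hotp(secret, counter, digits, algorithm)
        if code in notable:
            return counter, code
    return None


def p_at_least_one(trials, notable_count=len(NOTABLE), digits=6):
    """Chance that at least one of `trials` independent codes is a notable one,
    treating each code as uniform over 10**digits values (the thread's assumption)."""
    return 1 - (1 - notable_count / 10 ** digits) ** trials


if __name__ == "__main__":
    entry = parse_otpauth(EXAMPLE_URI)
    print("identity exposed by the QR code:", entry["issuer"], entry["account"])
    print("current code:", totp(entry["secret"], period=entry["period"],
                                digits=entry["digits"], algorithm=entry["algorithm"]))
    hit = next_notable_counter(entry["secret"], int(time.time()) // entry["period"])
    if hit:
        counter, code = hit
        print(f"{code} is due at counter {counter} (unix time {counter * entry['period']})")
    print(f"P(any of {sorted(NOTABLE)} in 100 actuations) = {p_at_least_one(100):.2e}")
    print(f"P(123456 alone in 100 actuations) = {p_at_least_one(100, 1):.2e}")
```

Run stand-alone it prints the account metadata parsed from the constructed URI, the current code, the next counter at which one of the thread's three codes will appear for that seed, and the two probabilities discussed above (about 3e-4 for the three codes together, about 1e-4 for 123456 alone, matching neilv's table). The scan takes a second or two in pure Python because on average a third of a million counters pass before one of three values out of a million shows up.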

TZubiri

It's not even worth the thought.

freehorse

What? The same way that when you look at the 2FA codes in your app you know which account they are associated with. The QR codes people typically scan for that do not just contain the seed itself but metadata for the account associated with it, like email address or account name.

jakey_bakey

The password manager that... writes very short puns!

beny23

Giving a random app your 2FA secrets? Raises eyebrow…

jakey_bakey

Feel free to network proxy and check I’m not being cheeky - I have another blog post about that ;)

freehorse

What if a bad actor does not initially do that, but only after the app has enough users, with a random upgrade? Not that _you_ would do that, of course. But it makes sense that people are wary about where they trust their TOTPs.

Some time ago people were locked out of their TOTPs because some guy bought their app from its creator and turned it into ransomware having them pay to not lose their codes.

jakey_bakey

Yeah that’s fair to be honest, at least until my blog starts pulling enough money to not be worth destroying my reputation on a rugpull

notorandit

And not telling when you get 271828? Racist!

jakey_bakey

Honestly making it configurable for birthdays would be pretty neat

lxgr

The obvious solution here is to discover an important natural or mathematical constant that happens to match your birthday in its first six digits.
