This is a great post, it captures the true essence of an engineer. It is funny, intriguing, and inspirational. Congrats! You are a hacker at heart.
When I went to the US for 3 months I joined PureGym and they gave me a PIN number. I cancelled my membership after that, and one day Chrome told me my PureGym PIN had been compromised. 2 years later, I went to the US again, rejoined, and received the same PIN. Massive red flag.
I was also intrigued by the app, the token and PIN, and remember finding a security flaw in the system that activates the hydro massage chairs. It accepts your PIN or any PIN, with no security at all.
In case anyone else was wondering, not all 8 digit pins are "compromised", although many are, and of course an 8 digit pin has limited security in any automatable scenario.
To get an example that was already in the haveibeenpwned dataset, I wrote a quick script:
var httpClient = new System.Net.Http.HttpClient();
httpClient.BaseAddress = new Uri("https://api.pwnedpasswords.com/");
while (true)
{
var password = string.Join("", Enumerable.Range(0, 8).Select(e => Random.Shared.Next(0, 10)));
var hash = Convert.ToHexString(System.Security.Cryptography.SHA1.HashData(Encoding.UTF8.GetBytes(password)));
var passwordRange = await httpClient.GetAsync($"range/{hash.Substring(0, 5)}");
passwordRange.EnsureSuccessStatusCode();
var allhashes = await passwordRange.Content.ReadAsStringAsync();
var splitHashes = allhashes.Split(Environment.NewLine);
var compromised = splitHashes.SingleOrDefault(h => h.StartsWith(hash.Substring(5)));
if (compromised != null)
{
Console.WriteLine($"Password {password} Compromised! Found {compromised.Split(':')[1]} time(s)");
Console.WriteLine($"Hash: {hash}");
return;
}
await System.Threading.Tasks.Task.Delay(1_000);
}
The "most compromised" I've seen so far is "17385382", in the DB an astonishing 119 times. It would only take a few hours to iterate through all pins and collect stats for all pins.
I had this constantly the last couple of days. I've been doing some UI mockups in Claude and it includes a password field, and either it puts in a placeholder of like 1234 or I type asdf to test the field. Then as soon as I do anything else Chrome has a fit because "my" password has (obviously) been "pwned."
What worries me the most is that if the ACS can't issue new PINs, there's no way to replace them. If a single PIN is shared or compromised, anyone with it can walk in undetected until the whole system is replaced. And if the entire PIN list is exposed, all hell breaks loose.
> Think about this for a second. The physical keypad -- exposed to British weather, coated in a mysterious film of protein shake and regret, probably being livestreamed to TikTok by someone's ring doorbell -- accepts my ancient PIN without question. But the digital QR code needs cryptographic rotation that would make the NSA jealous.
It took years for people to accept that some photos had filters applied, enhancing them to look as good as professional shots. The same will happen with text.
This is a great blog post, whether it's editorialised or not.
My favourite inexplicable feature of the PureGym app on iOS is that when you open it, it stops any audio you are listening to. In the same way as if you have opened another audio app. Yet it isn’t playing any sound. Crazy
1. They will have added code that declares the app requires an exclusive audio context. So iOS pauses all other audio when the app is foregrounded.
Or
2. It’s possible that they use anti screenshot technology which sometimes involves embedding a secure video in place of an image. The video playback might be grabbing the audio context.
I've had this a few times on Android (eg the new Subway app). I'm 99% sure it's the latter but not for security, just a fancy splash screen animation that was implemented as a video without thinking about setting it as "no audio".
"and very good reasons for not implementing Apple Wallet"
Judging by the screenshots, it looks like a thin wrapper around a mobile-optimized web site, or at best something like Flutter, so the likelihood that they have in-house developers that are sufficiently versed in the dustier corners of Apple's APIs is slim.
So why can’t they learn? We have Google, we have Stack Overflow, we have LLMs. My cynical take is that there’s just nobody there who gives a shit about the UX, most likely the team that built all of their backend stuff is long gone (quit or laid off) and now there’s a skeleton team of the cheapest possible engineers just keeping it running.
I used to work in the fitness industry, and we built apps for some big players (not PureGym, though they were a customer for other parts of our stuff). Anyway, we'd often sit in meetings with them to discuss new features. One time, we discussed adding notifications. They got hung up on this -- there were about 8 different departments -- and they decided to add a notification to ask how clean the gym was... because it was "safe". These people, in general, are terrified of scaring away members by bothering them about anything.
But yeah, we cared deeply about the UX/UI, but these things are built by committee and the committee is pretty dumb, very political, and non-technical.
The amazing part of that story is that they had the correct concern, but decided to bother people with something stupid anyway. That's like getting a notification asking how the weather is. Things like that are exactly why I said elsewhere a gym app would be a hard no from me.
Your story makes it sound like somehow the meeting was "let's add notifications, but for what?" and landed on that, which is exactly the type of thing that will lead to massively annoying people. If they don't have an obvious customer need for notifications (clearly they don't), why have them?
The original idea was to add notifications about classes... like if you scheduled a class, to be notified if it was canceled or modified. They felt like they would rather have people be in the gym for a canceled class than to not show up at all.
Having engineers specialized in a specific stack learn on the job for the sake of/while working on a project is a great way to end up with really funky code and poor user experiences. I speak as a developer tasked with doing exactly that several times at a previous job, and the long-term is never pretty. The first code you write is immediately legacy code, but if you're learning as you write for a project that is already in motion, you're usually stuck with that legacy code until someone goes out of business or the rapture comes and they have to do a reorg because half the team was hauled to the kingdom of heaven, and now there's an MBA running the department who doesn't like you and wants to leverage AI to do the block chain.
I’ve used PureGym before, as the author points out the app is terrible, even on a good signal it takes 30s+ to “warm up”, whatever that means. I don’t want the app to “warm up”, I want the QR code right now, I’m left standing outside the gym like an idiot waiting for the bloated app to call a REST endpoint.
It’s probably developed by one or two people, likely not full time, who spend most of their time on it implementing whatever the next special promotion needs, not stuff users want.
Because that’s what they’re told to do with the little time allocated to it.
it's probably a random app development studio. the gym most likely doesn't employ their own app dev employees. the app developement studio basically cares about two things: earning money and keeping their client just happy enough so they come back. the users of the app are not their customers and at best a secondary concern.
I was talking more generally about the general design of the app. It is "ok".
I have a really rubbish signal (I live in the sticks in the North West). There was almost no reception on near the gym. It never took 30 seconds. Generally scanning the QR code itself wouldn't get recognised by the scanner. I just ended up using the 8 digit code. This was using the iPhone app.
I ended up cancelling because quite honestly I prefer walking and cycling. But I was using them until earlier this year.
Considering Pure Gym is cheap, has reasonably decent equipment and is kept clean (at least where I am). The app being a bit shit sometimes is like a whatever problem IMO.
In a single weekend the OP changed the app experience from “somewhat annoying and frustrating” to “very convenient”.
The budget required to improve the customer experience is near nothing, but I suspect no one at PureGym has actually evaluated that the experience is really not great, they probably don’t have the experience or expertise to do so.
This is it. It's a well-established gym chain, their core business is getting subscriptions and making it hard to unsubscribe - not development. If you're lucky, they have a couple of in-house web developers working on website and database maintenance, who then ask a contractor to just "make it run like an app". If you're unlucky, they outsource all their web operations to a contractor that milks them every time they want to change a title from H2 to H3.
Ya and if they add apple wallet they have to do android wallet and then that’s more code to maintain. But they could make the in house app always show the QR code on launch.
Great article, I went through something similar with TrainMore in The Netherlands, where they replaced an NFC key fob with a similarly refreshing QR code (but this one rotates every 30 seconds)
In my case, I didn't make a native app because I don't use the wallet integration.
I think the even better crown jewel here is that the code is predictable, with no lock-out facility at the gym door for wrong attempts. The format is (or was when I signed up) something in the format
>[minute of the hour you created the account][random number, 2 digit][day (or maybe month) of birth][year of birth]
So <59341295> is the code for a user who signed up at :59 past the hour, and their birthday is December 1995.
If you know someone’s birth month, you can just scan through ~6000 possible codes in a for loop to get their access code. At my gym, the PT coaches would celebrate their clients birthdays loudly,
I’d not be surprised if the random number component was just an integer that increases with each sign up at a gym.
> Number of times they've asked me to make them one: 23
> Number of times I've had to explain copyright law: 23
It's not clear to me why sharing an app that puts the qr code in Apple wallet would violate copyright law. This wouldn't require redistributing the app or any of its copyrighted contents. Maybe "unauthorized" use of the API is against TOS, but that's not illegal.
In the US, it wouldn't be, but this is the UK, which doesn't have the same views about what is and isn't copyrightable that the US has. (Despite vague sentiments to the contrary, the US is a lot better at saying, "No, you can't stop people from doing that" than the UK or the EU when it comes to overbroad attempts by creators/rightholders to exert control.)
In the US, the Computer Fraud and Abuse Act outlaws unauthorized access to computer systems. “Unauthorized” has sometimes been interpreted to include terms of service violations. So if their click-through agreement nobody reads says you’re only allowed to use their official app to access the service, using a third party app to access it may be criminal.
I made a similar comment below, but I’ll add to this one too: If I, as a gym member, use their api when I run their app and that’s ok, why can I not run the same api from a third-party app for the exact same use-case? If his app asked me to punch in my eight-digit pin and then just kept that stored locally for convenience, what is the issue?
OP here. Yeah, "copyright law" was a lazy shorthand, but it reads better than "tortious interference."
PureGym's T&Cs [1] have a ridiculously long "PIN abuse policy" (probably meant to stop people sharing with mates). They can cancel memberships or even retroactively charge for gym use if you "knowingly provided your PIN to another individual."
I'm not a lawyer and don't fancy being the test case for whether entering your PIN on a third-party website/app counts as "knowingly providing" it. Given how their app works, I suspect they might just ban a bunch of accounts instead.
Though now that I think about it, the squat racks are always packed, so maybe I should just distribute the app to people who go at the same time as me.
> I'm not a lawyer and don't fancy being the test case for whether entering your PIN on a third-party website/app counts as "knowingly providing" it.
I guess I'm assuming that you would design the iOS app to collect and store the PIN number on the device, and never ever share it, since (if I read the post correctly) that's all you'd need to get to basic auth. I take your point that that might still be considered "sharing with a third party" but honestly I suspect that (a) they wouldn't notice for a long long time and (b) they would typically start by sending a c&d, not hiring a team top-notch lawyers and going straight to court unless you're really wealthy and there's some prize to be had for all of those legal fees.
Look at it this way. If I buy something from a store and pay in cash, and then the cashier takes some money from the register and hands me the change, that's okay. But if I open the register myself and take the money, they call the police.
i.e. just because it's POSSIBLE to do something doesn't mean it's okay to do it.
on security theater: the morons running my garbage company demand not just a email + pass but also security questions in order to login and... pay your bill. That's the functionality available.
Example security question: favorite book. Which is, naturally, case sensitive.
Someone wrote this to prevent people from stealing my password and paying my bill.
In the past, every company thought they were the next Facebook and needed to build complex super-scalable architecture because tomorrow a million users would appear out of nowhere and try to log in at the same time.
Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.
> Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.
But this is demonstrably the case today... I don't think I've gone a week without hearing about some major data-breach.
...my own org got h4x0red a few months ago: our CEO didn't have 2FA enabled on his God-tier global-admin-rights OIDC/SSO login and somehow, someone found our internal login page, had a snoop around, found our Twilio account keys and sold them off to some spammer who then sent spam texts to our customers (fortunately our (immutable) access logs showed there was no further intrusion, but it was still an incredibly unsettling experience considering how uninteresting and un-sexy my SaaS day-job is).
...so if it can happen to me, a random fellow HN troglodyte, then it can happen to you; or the hospital down the street from my old office[1].
Except in the real world almost every gym I've used just gives you a keychain barcode with your account number and it works fine. You scan in and it checks whether you're current. Maybe shows your picture to a front door attendant on their computer. No complicated cryptography required.
A gym requiring an app would be a hard no from me. I don't know why anyone (especially technical) would put up with that.
> I don't know why anyone (especially technical) would put up with that.
Answer from someone that has to put up with that: other gyms are significantly harder to get to (distance) and it’s already hard enough to get motivated to go. My options are shitty app or no gym.
Not everything is technically perfect and sometimes your only option is to put up with the stupidity of other developers/product managers.
...and, of course, all of these companies are just as bad at security as they are at scaling - they don't even have the capacity to understand (organizationally - I'm not anthropomorphizing them) that Experian happened because their servers were breached, not because users' accounts got stolen.
It's pathetic. There should be regulation that prevents overly onerous "security" controls on users accounts.
> garbage company demand not just a email + pass but also security questions
thank goodness they do this, because I use the same email + password with my garbage as with my bitcoin wallet, my brokerage account and my online mistress finder app.;
My utility company used to include the bill amount in their email which I used to pay using my banking app. But no, where is the fun in that! So they built an app, because what is the utility of a utility company without an app, removed the amount from the email so that I can give my fingertips some much needed workout and open the cursed app just to see the amount. I think the app has a feature to pay as well but being the minor lord of pettiness that I am, I refuse to use that and still pay using my trusty banking app.
They do that to match your device ID or cookies with their customer records. Since cookies don't last long they prefer to have you do that every month.
My supermarket requires email 2Fa for grocery delivery and enforces it on basically every login. It means whenever my wife or I are doing the shopping we have to have the account owner there to get the secondary code.
I keep meaning to auto forward all emails from then to me….
There has been a spate of Russian hackers recently paying other people's garbage bills, it's becoming an epidemic. The company is right to want to curtail it by asking you for your favourite books, which is the hobbit, not the Hobbit
Out of curiosity to the OP, did you use an AI to tweak/refine the text? It contains a lot of similar writing patterns as some read-aloud 4chan greentext/copypaste YouTube channels, especially liberal use of whimsical similes: "like it's 2000 and I'm downloading a JPEG on dial-up" "starting to feel like cosmic punishment" "like it's protecting nuclear launch codes", and jocular asides: " -- exposed to British weather, coated in a mysterious film of protein shake and regret, probably being livestreamed to TikTok by someone's ring doorbell -- ".
So I started to wonder if my AI-radar was spot on, or is that style of writing something people naturally do – because I wouldn't bother, but then again, I don't run a blog that people actually read.
I got the exact same uncanny valley feel from the text. Great article, though. Some people just don't have great writing skills and need a leg up, so I think it's totally excusable to use AI to help you write something. Writing up a little pet project like this is super valuable and I'd hate it to only exist on the author's system because they didn't enjoy writing or didn't feel good at it.
Heh, I guess so. It's just an uneasy feeling I can't get rid of. Maybe I'm just being paranoid. Then again, I wonder if the said greentexts are AI-generated still. At least the contents are likely to be fakes.
Truth: "PureGym probably has a roadmap, sprint planning, and very good reasons for not implementing Apple Wallet. Maybe it's not a priority. Maybe they have data showing only 0.3% of users would use it. Maybe their KPIs are based on the number of online classes previewed in the app, and forcing users to see them every time the app loads secures someone's annual bonus."
The service itself is a several week endeavor to do properly, you have to understand the impact of all the pushed passes on the QR code generator, put together telemetry, dashboards, and alerting for the new service. Depending on their infrastructure that could be difficult to spin up. You have to do a design and review with the team so this isn’t just understood by one person and can be supported by a team. Documentation, ADRs, etc. setting up processes for managing the cert chain over the long term. And you probably want to keep parity between the iOS and android apps, so you need to understand that work.
Then yeah, it lowers engagement with the app, which is probably tied to someone’s bonus.
A lot of those pain points are involved by virtue of being the original developer. Generating a QR code every single minute for every single user can indeed easily lead to issues, but that's much less of an issue when you're able to change the QR code validity to, say, a week.
If you use online validation you can even dynamically rotate them whenever it suits you - either to adjust server load, or as some kind of "every Nth check-in" scheme. Heck, with online validation it doesn't even matter if the rotation service goes offline for a while!
Or just generate a fixed QR code which never changes. You know, like the 8-digit pin the QR code is the alternative for.
Many gyms let you rent lockers by the month, so you can store your gym bag there and be able to drop by without necessarily having planned on it when you left home. Can’t do that if you have to carry a wristband around to get in.
Did I interpret correctly that this sends a push notification every minute telling your phone to download a new code? If so, that seems like a battery problem…
I think ideally you'd do it maybe every day or so, so that if the user goes offline for a while, or the server you're running goes down or something, the pass will continue to work for at least 6 days. It buys you a lot of time to fix things.
Yeah, screenshot on Monday, messed with the app that evening, tried using it Tuesday morning -- dead.
I've seen people on PureGym's Twitter successfully refreshing screenshots weekly though, and the API response suggests the same.
That being said, I couldn't find a validation endpoint to check if mine got invalidated by something specific (maybe signing out?) or if there's some other magic happening.
I wonder if opening the app invalidated it, and those people who had it working just screenshot once.
My gym has a similar system but I realised it's time based and the app functions without Internet. I installed the app onto an old android with no sim, logged in at home over WiFi and it successfully regenerated QRs without data
You can send background push notifications which are delivered when the phone is ready for them. They don't deliver when the phone is low battery or in low battery mode. It's specifically made to reduce battery consumption.
Higher priority push notifications require a user visible UI element and ca be delivered regardless of certain low power situations.
It sounds like this only helps power consumption after you've already run low on power. Seems like processing frequent notifications would accelerate your progress toward that low power state.
> A Pass Type ID certificate from Apple Developer Portal
How much does this cost? I'd love to create Apple Wallet passes for things, but I'm weary of setting up a Apple Developer account and paying even more fees for just this.
The Pass Type ID certificate requires an Apple Developer Program membership which costs $99/year, but there are no additional fees specifically for Wallet pass functionality.
This is obnoxious given PKPass is an open standard. Third party apps can use them without any requirement to be verified by some authority, but Apple just has to maintain some sort of control.
> My first approach was embarrassingly naive. "I'll just screenshot the QR code and add it to Apple Wallet as a static image!"
> Reader, I actually did this.
How? I’m very interested in that part.
I remember wanting it because (despite it being possible) services don’t usually allow you to add Wallet passes when you buy from the web, instead requiring you to install their app (which I do not want). But I can already see myself using this for services which don’t even provide Wallet passes.
From the author’s wording, it seems there’s a way to add such screenshots without using a third-party app.
Thank you for the recommendation, but I don’t want to pay a subscription for something I use sporadically, especially (according to the App Store page) an AI-generated app which tracks you. I want to do what the author mentioned: take a static image and add it to Wallet. I don’t mind some legwork.
> anyone with an Apple dev account can do the same with Passkit.
Yes, that’s what the article is about, I read it all. But the author also mentioned the screenshot approach before using Passkit and called it the naive approach, so it’s likely they did something considerably simpler.
Feels like I’m on the worst parts of Stack Overflow and Reddit. I know other options exist, I’m asking about one specific approach. It is OK to not reply or say “I don’t know how to do it like that”. That’s fine, I don’t know either and I’m not embarrassed by that, that’s why I’m asking. I want to learn a new trick.
> But the author also mentioned the screenshot approach before using Passkit and called it the naive approach, so it’s likely they did something considerably simpler.
I guess I didn't realize it was that simple a question.
The "how" there is "take a screenshot of the first-party app". In many cases (especially with physical barcodes like a loyalty card you can just photograph), that's all you need; just keep it in your photo roll. It didn't work in this case because the QR codes contain some sort of signature or expiration date that prevents a screenshot from last week from working this week.
I mean, clearly, that’s the whole point of the article. What I’m asking is how do you make a wallet pass from a static image. Is is difficult? Is it simple? What are the steps?
This is like if I asked “how do I boil an egg” and you had answered “you can boil an egg yourself”. Yes, I know that. That’s obvious but also unhelpful. The correct (short) answer would’ve been “bring water to a boil on the stove, lower an egg into it, wait around 10 minutes, turn it off and place the egg in cold water for an easier peel”. Or “here’s a link with instructions: <URL>”.
> What I’m asking is how do you make a wallet pass from a static image. Is is difficult? Is it simple? What are the steps?
It's simple, there are lots of libraries that can generate it. You can probably even ask Claude Code or something like that to generate you one.
I understood your question as: can I do this myself or do I need an app and the answer is that you can do it yourself. The documentation for it is easily Googleable.
What you need is a signing key so you will need to pay the apple tax.
It could be interesting to understand the actual content of the qrcode.
part1 is a static id, so likely linked to the membership.
part2 seems to be a timestamp. Maybe we can try to forge the value to "now - 10 seconds".
And if the implementation has been done right, the "part3" should be a signature of part1 and part2, not a "salt" (so forging part2 should be detected and code rejected).
Judging by the size of the qr code, part 3 is too short to be a signature. Probably the token is just registered in a centralized system that the qr code scanner checks with to see if the code is valid.
I heartily approve of this kind of guerrilla development.
The only downside is that they hold all the keys to the kingdom, so either they (or someone inside the org with political weight) will be pissed off straight out of the gate, or you’ll always be walking on eggshells trying your best to not piss them off.
I love reading about this sort of thing. My personal solution to the issues with the app and the wait for it to work (if it worked) was to memorize the pin. I believe I'm still quicker getting in than even the OPs solution, and with less hassle too since I don't need a device or any services.
> Should I package this up properly? Probably not: it's a proof of concept that solves my specific problem. Plus, PureGym would probably just hire me to shut it down, and I'm not ready for that level of corporate responsibility.
Don’t take a job if they offer one to you then?
> SaaS Dreams: Package this properly, get sued immediately, become a cautionary tale at product management conferences.
I genuinely don’t think that this is how it would go down, unless you’re marketing it as an official product. As a consumer I’m allowed to buy things that I find useful, and if this was packaged as a third-party convenience for personal use I don’t see the issue.
I suppose that if the company even noticed (very unlikely) they could get pissy but then I’d expect a c&d to arrive not some multi-million dollar lawsuit. Caving in at this point is an option.
Honestly I think getting past app review and into the App Store would be the hard part.
Great work! I did something similar before with supermarket loyalty cards before Wallet support was widespread, even had the. Co-op loyalty balance on the card which updated.
wouldn't work for me because i usually don't have my gym bag with me when i don't plan going. have a regular schedule and a program with a progression scheme.
lol counting the amount of “time saved” to justify the amount of time u spent building the thing is relatable but also slightly cancerous if it takes over your mindset in the building or brainstorming process. (which unless it’s a jokey bit that has no core of truth it might very well do.)
I used to do it too and in my mind I still do out of habit but I try not to let it influence projects anymore, what else will I do with my time + doing stuff like this keeps ur skills up to date.
I would say that for something like this, it’s still worth it even if you spent more time on it than you’ll ever save.
Not only have you learned new skills and got better at the craft, but you also removed a frequent source of frustration and get satisfaction every time your system works and you remember “heck yeah, I did this”. It increases your happiness and well-being overall into the future and keeps on giving.
It’s still true. I said something like this, not only this specifically. But even for this exact case it would remain true for me. I have several situations where that has been the case, I’m speaking from experience. Maybe it wouldn’t be true for you—which is fair, everyone is different—but don’t ignore the gained experience which makes the next project even faster to finish.
POST https://auth.puregym.com/connect/token
grant_type=password&username={EMAIL}&password={PIN}&scope=pgcapi offline_access
Authorization: Basic cm8uY2xpZW50Og==
Looks like it could be feasible to brute force some PINs using this API. Assuming it's not rate-limited, an average of 50,000,000 API calls isn't that many.
I can't believe this criminal that is writing this. Won't people think of the poor data brokers that are sucking down data from this forced app about who he is, what his device profile is, where is location is etc?
It doesn't to me. I can tell AI writing because it has irrelevant details that don't add facts or colour to the story, but this doesn't have any of that really. The tangents come across as human, not AI doing a bad impression of human.
Things like em-dashes are a really bad way to detect AI because they can be good grammar and improve text readability, same with curly quotes. I use them all the time in my writing, and I wouldn't be surprised if this iOS dev feels similarly as Apple platforms have emphasised this stuff for years.
Humorously, after re-learning about em-dashes due to their use by AI (an otherwise forgotten part of high-school English), I started using them more often in my writing. They really do look nicer!
As an academic I’ve always used “delve”, too, so at this point I guess my writing is going to be flagged as AI a lot…
I do note that some of the AI slop I’ve received from students include other fancy Unicode characters (superscript numerals, variant Greek letters, blackboard bold R, etc.) that are difficult to type, and which especially would not be used in e.g. code comments. em-dashes at least can be produced by certain word processors or text IMEs automatically, whereas many of these others require specifically looking for the character.
> some of the AI slop I’ve received from students include other fancy Unicode characters... that are difficult to type...
This is the bit I'd still caution against. Yes AI does this, but also writing in some software will correct 1/2 to ½, writing in tools that support MathJax will give you nice greek letters, etc. At university I spent days setting up nice LaTeX setups so that I could get good looking documents, including documents that didn't immediately appear to be LaTeX authored.
I think it's best to focus on the content, the writing quality, whether it targets the right audience, and whether it answers the question or just features a lot of words in the right ballpark. Focusing on the specific words and mechanical features of the text is going to catch out the wrong students, and it's going to be harder to justify from your perspective because you can't score a student badly for using an esoteric unicode character.
Since you know the tells of LLM generated text, you'll know that this is a classic: No X. Just Y.
Proxyman -- pick your poison.
And if you're from PureGym reading this—let's talk.
There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job.
"And if you're from [COMPANY] reading this[EM DASH]let's talk" is a classic GPT-ism.
It's like the API is saying "Hey buddy, I know this is odd, but can you poll me every minute? Thanks, love you too."
Shame Notifications: "You were literally 100 meters from the gym and walked past it"
It's just a ZIP archive with delusions of grandeur
Clear examples of fluff. Not only do these fail to "add facts or colour to the story", they actually detract from it.
I agree with you that em dashes in isolation are not indicative, but the prose here is dripping with GPT-speak.
OP here! Appreciate you actually pulling examples instead of just dropping "this is AI".
> There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job.
The em dash conspiracy in the comments today is amazing -- I type double hyphens everywhere, and some apps (e.g a Telegram bot I made for drafts, or the macOS' built-in auto-correct) replace them with em dashes automatically–I never bother to edit those out (ok, now this one I put here on purpose).
> It's just a ZIP archive with delusions of grandeur
> Clear examples of LLM fluff that don't "add facts or colour to the story".
Yeah, no that's fair enough, should've known better than to attempt humour on HN.
I've got to say though, pkpass is a ZIP archive, and no ZIP archive should require one to spend 3 hours to sign it.
I enjoyed the humour.
(We’re heading towards a sad world if any attempt at levity in an article is interpreted as evidence of LLM usage by critical killjoys.)
Edit: total random thought: something in your prose shouted ‘Brit’ to me very quickly. Is it possible that part of this is simply cultural differences in humour and writing, and over-interpretation of subtle differences as evidence of LLM use?
Or do LLMs just write in a subtlety more British style because, well, Shakespeare and Dickens and Keats and Milton? Or does ChatGPT just secretly channel PG Wodehouse?
Authors use humour as a form of connection with their audience. It's a way of saying hey I'm a human and I have the same human experiences as you dear reader. Take the first paragraph for example:
> Wednesday, 11:15 AM. I'm at the PureGym entrance doing the universal gym app dance. Phone out, one bar of signal that immediately gives up because apparently the building is wrapped in aluminum foil
It says, "Hey I'm a human who goes to the gym and experiences the same frustrations as you do". Now imagine for a second this paragraph was written by AI. The AI has never been to the gym, the AI doesn't feel impatience trying to pass through the turnstile, the AI has never experienced the anxiety of a dodgy internet connection in a large commercial building. The purpose of any humour in this paragraph is completely undermined if you assume it was actually written by AI.
So please don't conflate being anti-LLM with being anti-humour. It's just the opposite. We want humour because we want to feel a connection with our fellow humans and for the same reason we should also want writing that comes from a human, not a machine.
> So please don't conflate being anti-LLM with being anti-humour. It's just the opposite.
I'm not.
I'm trying to analyse, or hypothesise, why this author's particular writing style seemed to trigger people's nascent LLM warning heuristics.
I considered the humour, because, well, other people brought it up. From the surrounding discussion, it seemed that the jocular writing style was one of the points generating suspicion.
Does sound like some people just don't get the humour which is fine, personally I liked it (but then I am british).
British people do tend to have a fairly humorous indirect way of communicating that can take some getting used to for people from other cultures, but that doesn't mean we're all secretly LLMs
FWIW, I found "It's just a ZIP archive with delusions of grandeur" pretty funny and for me it was an example of a human adding (relevant) colour to the content.
I swear some folks have just been normalised to the shit writing that AI does so much that they look for tricks like punctuation rather than just reading the damn text. Although maybe they're just blatting the whole thing into ChatGPT and asking it to summarise, or determine if it's AI generate.
FWIW I enjoyed the article and the humour, and I don't know where the AI conspiracy is coming from – I wish I could get the AI to write copy this good. So thanks, that was a fun read!
There’s no such thing as “AI dashes”. Em-dashes are valid typographical marks which have been employed for literal centuries. The only reason LLMs even used them is because humans do too, as they were trained on that input. It’s your prerogative to not care about proper punctuation, but that in no way indicates that those who do are machines.
I was thinking the same thing -
Went back and re-read it though, and I think it’s more that the author wrote a first draft and then had AI to help spice some stuff up. He either:
1. Used AI to help and doesn’t care if it sounds a little AI generated / actually likes it
2. Didn’t use AI but reads enough AI slop that his writing style is directly influenced by it (scary)
3. Used AI but doesn’t use AI enough to immediately recognize when language sounds like it was generated by ChatGPT and didn’t bother correcting (this is my guess)
There’s a few times I got tripped up because it went from pretty human writing to “holy shit shit that’s ChatGPT I’m going to stop reading,” yet the author would save it with human writing right after.
This is kind of a ramble, but it actually was one of those pieces of writing that I felt was genuine and improved by some of the ChatGPT language rather than just clickbait garbage - I could tell the author was just trying to make it worthwhile and interesting to read, and I honestly really enjoyed it.
"The crown jewel? Your 8-digit gym door PIN is your API password and you most likely didn't set it yourself. The same PIN that hasn't changed since the iPhone 8 was cutting-edge technology."
When I went to the US for 3 months I joined PureGym and they gave me a PIN number. I cancelled my membership after that, and one day Chrome told me my PureGym PIN had been compromised. 2 years later, I went to the US again, rejoined, and received the same PIN. Massive red flag.
I was also intrigued by the app, the token and PIN, and remember finding a security flaw in the system that activates the hydro massage chairs. It accepts your PIN or any PIN, with no security at all.