Project ideas from Hacker News discussions.

The RCE that AMD wouldn't fix

📝 Discussion Summary

1. “Signature verification” using CRC32 is a joke

"The "signature verification" in the fix being CRC32 is pretty hilariously clueless." (dcminter)
"CRC32 solves a different problem … it makes no guarantees about who is sending the data, which is the real problem signatures solve." (throwway120385)

2. AMD’s auto‑updater is buggy, intrusive, and reflects broader software incompetence

"AMD software is often utter trash." (mrguyorama)
"it shouldn't even be popping up a CLI! Windows task scheduling is incredible and would do this without a problem." (mrguyorama)

3. Calling an attack “out of scope” doesn’t remove its impact

"It's ridiculous to consider MITM attacks out of scope for taking over your computer." (tlb)
"Out of scope does not necessarily mean out of impact. It is merely a question of how far a company wants to be responsible for the environment their software is run in." (sigmoid10)


🚀 Project Ideas

FocusGuard – Stop Updater Focus Hijacking

Summary

  • Blocks or delays auto‑updater pop‑ups that steal focus on Windows.
  • Lets users whitelist apps and run updaters silently in the background.

Details

| Key | Value |
|-----|-------|
| Target Audience | AMD GPU owners, Windows power users annoyed by focus‑stealing updaters |
| Core Feature | System‑wide focus‑stealing prevention with per‑process whitelist |
| Tech Stack | C# / WinUI, Windows API (SetForegroundWindow, AttachThreadInput) |
| Difficulty | Medium |
| Monetization | Revenue-ready: Subscription $4.99 /mo |

Notes

  • Directly addresses the “steals focus” complaint from multiple HN comments.
  • Small footprint, no admin rights required, easy to toggle from tray icon.
  • Could be packaged as a lightweight installer or portable exe.

SecureUpdater Manifest Validator

Summary

  • Scans driver update manifests for insecure HTTP URLs and weak CRC32 checks.
  • Auto‑rewrites URLs to HTTPS and flags mismatched signatures.

Details

| Key | Value |
|-----|-------|
| Target Audience | Security‑conscious users, IT admins, developers who download driver updates |
| Core Feature | Real‑time validation and redirection of update downloads |
| Tech Stack | Python 3, requests, pycryptodome, SQLite for storing known‑good manifests |
| Difficulty | Medium |
| Monetization | Hobby |

Notes

  • Solves the CRC32‑only verification criticism and the MITM concern raised in the thread.
  • Can be bundled as a standalone CLI tool or integrated into existing updater workflows.
  • Generates warnings or logs that help users identify compromised updates.
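
As an added example (not code from the thread, from AMD, or from any existing project), here is a minimal Python 3 validator of the kind idea 2 describes, using only the standard library: it flags http:// manifest URLs and rewrites them to https://, flags manifests that carry only a CRC32, and checks a keyed HMAC-SHA256 tag in place of a public-key signature (pycryptodome would supply the latter; a shared-key HMAC is used here so the demo runs without dependencies). The manifest layout, field names, URLs and payloads are all constructed for the demo.

```python
import hashlib, hmac, zlib
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data (not from the original page or any real vendor).
DEMO_KEY = b"constructed-demo-key"            # secret a tamperer does not hold
DRIVER_BLOB = b"constructed driver payload v1"

def crc32_hex(data):
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"

def build_manifest(url, payload, key=None):
    """Hypothetical manifest: url + CRC32, plus an HMAC-SHA256 tag if a key is given."""
    manifest = {"url": url, "crc32": crc32_hex(payload)}
    if key is not None:
        manifest["hmac_sha256"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return manifest

def validate_manifest(manifest, payload, key):
    """Return (findings, url): problem labels (empty = clean) and the URL with http:// -> https://."""
    findings = []
    parts = urlsplit(manifest["url"])
    url = manifest["url"]
    if parts.scheme == "http":
        findings.append("insecure-url")
        url = urlunsplit(("https",) + tuple(parts[1:]))
    if manifest.get("crc32") != crc32_hex(payload):
        findings.append("crc32-mismatch")
    tag = manifest.get("hmac_sha256")
    if tag is None:
        findings.append("crc32-only")          # integrity check only, no authenticity
    elif not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).hexdigest()):
        findings.append("hmac-mismatch")       # payload altered by someone without the key
    return findings, url

def demo():
    """Show why CRC32 alone cannot detect a swapped payload while a keyed tag can."""
    weak = build_manifest("http://updates.example/driver.bin", DRIVER_BLOB)
    strong = build_manifest("https://updates.example/driver.bin", DRIVER_BLOB, DEMO_KEY)
    swapped = b"constructed replacement payload"
    # Anyone on the path can recompute CRC32 for the swapped payload...
    weak_tampered = dict(weak, crc32=crc32_hex(swapped))
    # ...but cannot produce a valid HMAC tag without DEMO_KEY.
    strong_tampered = dict(strong, crc32=crc32_hex(swapped))
    return {
        "weak": validate_manifest(weak, DRIVER_BLOB, DEMO_KEY),
        "weak_tampered": validate_manifest(weak_tampered, swapped, DEMO_KEY),
        "strong": validate_manifest(strong, DRIVER_BLOB, DEMO_KEY),
        "strong_tampered": validate_manifest(strong_tampered, swapped, DEMO_KEY),
    }
```

The "weak_tampered" case reports exactly the same findings as the untampered "weak" manifest, which is the point made in the thread: CRC32 says nothing about who produced the bytes.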

BountyHub – Crowdfunding Platform for Vendor Bug Bounties

Summary

  • Enables users to pledge money to reward critical security bugs (e.g., AMD auto‑updater MITM).
  • Provides transparent tracking of bounty funds and bug disclosures.

Details

| Key | Value |
|-----|-------|
| Target Audience | Security researchers, concerned end‑users, advocacy groups |
| Core Feature | Bounty posting, fund aggregation, payout on verified resolution |
| Tech Stack | React front‑end, Node.js/Express back‑end, PostgreSQL, Stripe API |
| Difficulty | High |
| Monetization | Revenue-ready: 5% platform fee on successful payouts |

Notes

  • Directly responds to the call for rewarding the MITM researcher and frustration over unpaid white‑hat work.
  • Lowers the barrier for community‑funded bounties, encouraging more disclosures.
  • Offers a scalable model for future vendor‑bug engagements.
