Boing Boing 

Nuts-and-bolts look at password cracking

Ars Technica's Nate Anderson decided to try cracking passwords (from a leaked file of MD5 hashes), to see how difficult it was. After a very long false start (he forgot to decompress the word-list file) that's covered in a little too much detail, Anderson settles down to cracking hashes in earnest, and provides some good data on the nuts and bolts of password security:

By this point I had puzzled out how Hashcat worked, so I dumped the GUI and switched back to the command-line version running on my much faster MacBook Air. My goal was to figure out how many hashes I could crack in, say, under 30 minutes, as well as which attacks were most efficient. I began again on my 17,000-hash file, this time having Hashcat remove each hash from the file once it was cracked. This way I knew exactly how many hashes each attack solved.

This set of attacks brought the number of uncracked MD5 hashes down from 17,000 to 8,790, but clearly the best "bang for the buck" came from running the RockYou list with the best64.rule iterations. In just 90 seconds, this attack would uncover 45 percent of the hashed passwords; additional attacks did little more, even those that took 16 minutes to run.

Cracking a significant number of the remaining passwords would take some much more serious effort. Applying the complex d3ad0ne.rule file to the massive RockYou dictionary, for instance, would require more than two hours of fan-spinning number-crunching. And brute force attacks using 6-character passwords only picked up a few additional results.

The point, really, is that if you want to understand the relative security of different password-generation techniques, you need to understand what's involved in state-of-the-art password cracking techniques.

How I became a password cracker

Boxes sealed with ATHEIST tape lost by USPS 10X more often than controls

Atheist Shoes ("a cadre of shoemakers and artists in Berlin who hand-make ridiculously comfortable, Bauhaus-inspired shoes for people who don't believe in god(s)") noticed that a disproportionate number of their shipments to the USA were delayed or lost. A customer suggested this may be because USPS workers were taking offense at the ATHEIST packing tape they used to seal the boxes. So the company tried an A/B split, and found that boxes emblazoned with ATHEIST tape were 10 times more likely to go missing in the USPS and took an average of three days longer than their generic equivalents. They've stopped using the ATHEIST packing tape.

ATHEIST / USPS Discrimination Against Atheism? (Thanks, Alice!)

Abandoned cake-box at airport turns into inadvertent Portal-themed security worry

An empty cake-shipping box abandoned at the Tampa airport reportedly freaked out passengers and Portal players: "My visit to Tampa has drawn to a close, and The Lady just dropped me off at the airport. Right by the Air Canada entrance, this styrofoam box marked “CAKE” has been unnerving passengers. It’s empty — it probably held cake for transport but was too big to fit into the car that picked it up — but I let some airport staff know that it was beginning to worry some people. Namely, the security-conscious and Portal players."

Unnerving People at the Airport (or: The Cake is a Lie!)

RPG inside an Excel workbook

Cary Walkin, an accountant in Toronto, knows a thing or two about Excel. So great is his expertise that he was able to create a full-fledged RPG inside of its scripting environment, called Arena.Xlsm. I couldn't get it to run in LibreOffice, but it sounds like it's very featurful and fun, provided that you're willing to use Microsoft products:

* Random enemies: Over 2000 possible enemies with different AI abilities.
* Random items: 39 item modifiers result in over 1000 possible item combinations and attributes.
* An interesting story with 4 different endings depending on how the player has played the game.
* 8 boss encounters, each with their own tactics.
* 4 pre-programmed arenas followed by procedurally generated arenas. Each play-through has its own challenges.
* 31 Spells. There are many different strategies for success.
* 15 Unique items. Unique items have special properties and can only drop from specific enemies.
* 36 Achievements.
* This is all in a Microsoft Excel workbook.

Arena.Xlsm Released! (via Digg)

Documentary on activist who taught people to make solar cottage industries in 16 countries

Gmoke sez, "Richard Komp has taught people how to make solar as a cottage industry in at least 16 different countries over the last few years. There's a documentary called "Burning in the Sun" about his work in Mali and he's even got an Introduction to Photovoltaics series on YouTube. Reports from his 25 international trips available here"

Solar as a Cottage Industry

Toronto Mayor Rob Ford's long history of public drunkenness and brawling

Two weeks ago, Toronto Mayor Rob Ford was accused of drunkenly groping and propositioning former mayoral race rival Sarah Thomson at a Canadian Jewish Political Affairs Committee charity event. He denied it, and smeared Thomson on his radio show.

Now, many people have come forward to say that Ford had become drunk and disorderly at a military charity event called the Garrison Ball. These are just the latest in a series of incidents of public drunkenness for the mayor, who is a horrible embarrassment to the city of my birth.

The Toronto Star has a long account of Ford's frequent bouts of public drunkenness and brawling, including events that he lied about at the time and later had to apologise for.

However, over the next hour, people in attendance noticed that the mayor seemed impaired. According to interviews, he was “incoherent,” “stumbling,” “rambling,” “intoxicated,” “slurring,” “seemed to be drunk,” “was nervous, excited, sweaty, out of it.”

Military guests were offended at the mayor’s behaviour, according to guests interviewed by the Star. “It felt disrespectful to the event,” said one organizer.

The six guests who provided accounts of the mayor’s condition spoke on condition of anonymity. The Star found that while these guests were concerned with the mayor’s condition, they did not want to be identified for two reasons. First, they did not want to be linked to a story that would cast a poor light on the annual Garrison Ball, which raises money for Wounded Warriors, a federally registered charity. Second, these guests, who all have prominent positions in the community, feared they would somehow be blacklisted for speaking out about the mayor.

Rob Ford: ‘Intoxicated’ Toronto mayor asked to leave military ball [Toronto Star/Robyn Doolittle & Kevin Donovan]



Cake hotel whose rooms were filled with edible fixtures and decor

Last week, Tate & Lyle Sugars created a one-day pop-up cake hotel in Soho, where the rooms were stuffed with edible fixtures and furniture:

A Mediterranean-inspired bedroom, with edible furnishings, a caramel popcorn-filled bathtub, floating meringues and edible pearlescent popcorn bunting, all created using Light Soft Brown sugar. The perfect location for a midnight feast!

A Pirates of the Caribbean room, with a giant treasure chest full of edible pearls, ginger spiced doubloons and cutlasses, which visitors can spray gold themselves, and rum and raisin chocolate brownies and tea cakes – all made from Taste Experience Caribbean-inspired Light Muscovado sugar

A British-inspired Golden syrup sugar room, with a giant golden-syrup lion, patriotic treacle tarts in the shape of the British Isles and a giant tower of doughnuts

A Mayan-inspired room hidden in the cellar featuring a Mayan fudge temple, complete with floating meringue ‘clouds’, ‘sacrificial’ salted caramel and chocolate hearts, and Mayan-inspired carved gold cookies all made from Taste Experience Mayan-inspired golden caster sugar

A Mississippi-inspired ‘Mardi Gras’ room featuring a five foot long rainbow cake in the traditional colours of green, yellow & purple, gold baby heads and of course King Cakes

A Barbados-inspired library, with edible shells, and beautiful hand-painted cookies, fruit cakes and florentines showcased as museum features inside vintage glass jars, all made from Barbados inspired Dark Muscovado sugar

A Guyanese-inspired room, complete with a sea turtle cake, and cake ‘turtle eggs’ buried in mounds of Demerara sugar

A South Pacific-inspired room with a huge two metre high Easter Island statue, made entirely from chocolate mud cake baked using Golden Granulated sugar


Summary of experimentally verified pricing heuristics

A post on ConversionXL sums up a bunch of experiments on pricing and suggests ways of combining them to best effect. All electronic goods can be had for free, so every person who buys an electronic good is essentially entering into a voluntary transaction. Getting pricing right is the best way to convince (rather than coerce) customers to pay, and to frame that payment so that it's as large as possible.

Researchers found that sale price markers (with the old price mentioned) were more powerful than mere prices ending with the number nine. In the following split test, the left one won:

9 not so magical after all? Not so fast!

Then they split tested the winner above with a similar tag, but which had $39 instead of $40:

This had the strongest effect of all.

I’m wondering whether the effect of this price tag could be increased by reducing the font size of $39. Say what?

Marketing professors at Clark University and The University of Connecticut found that consumers perceive sale prices to be a better value when the price is written in a small font rather than a large, bold typeface. In our minds, physical magnitude is related to numerical magnitude.

Pricing Experiments You Might Not Know, But Can Learn From (via O'Reilly Radar)

Muzzle-suppressor shot glasses

A mere $200 gets you this pelicanoid case with four of Muzzleshot's muzzle-suppressor-shaped shot-glasses, machined from solid aluminum and covered in a matte black anodized finish.

Muzzleshot (via OhGizmo)

Ms. Boing Boing breastfeeds calf

Brazilian DJ/model Sabrina Boing Boing has apparently caused quite a stir by posting Instagram photos of herself pretending to breastfeed a calf. I knew we were planning to grow our brand but I can't recall if this idea was on the whiteboard. (Daily Dot, thanks Puce!)

19 year old develops plan to clean up ocean trash vortexes

Inhabitat shares the story of Boyan Slat, a 19 year old who seems hell-bent on cleaning up 7.25M tons of trash from our oceans. He started with a research paper in school, which won several awards. Next, Slat developed a floating array of booms and garbage processing plants which he presented at TedxDelft last year, and now he's created a foundation to produce these technologies.

From Inhabitat:

Slat went on to found The Ocean Cleanup Foundation, a non-profit organization which is responsible for the development of his proposed technologies. His ingenious solution could potentially save hundreds of thousands of aquatic animals annually, and reduce pollutants (including PCB and DDT) from building up in the food chain. It could also save millions per year, both in clean-up costs, lost tourism and damage to marine vessels.

The CONET Project: spy station recordings reissued


In 1999, I wrote an article for the bOING bOING Digital site about the CONET Project, a multi-CD collection of mysterious "numbers stations" heard on shortwave. For decades, intelligence organizations have reportedly broadcast one-way messages to their agents in the field via shortwave, and the transmissions happen to sound weirder than any Stockhausen score or minimalist electronica you've ever heard -- a child's voice, or the obviously synthesized intonation on what's known as the "Lincolnshire Poacher" station, named for the folk song accompanying the numbers. Wilco's album Yankee Hotel Foxtrot is named for, and samples, a numbers station. The CONET Project has been available for several years for free download from various places online, including Now, the original compilers, Irdial-Discs MMX, have re-released The Conet Project in a special CD edition that includes the four original discs plus a fifth CD containing recordings of very strange "noise stations."

"The CONET Project: Recordings of Shortwave Numbers Stations / 1111"

"Spy vs. Spy: The Soundtrack" (bOING bOING Digital)

DIY cellphone

David Mellis at the High-Low Tech group at the MIT Media Lab built a DIY Cellphone, making a custom circuit-board and laser-cutting his own wooden case. The files are hosted on GitHub in case you'd like to try your hand at it.

An exploration into the possibilities for individual construction and customization of the most ubiquitous of electronic devices, the cellphone. By creating and sharing open-source designs for the phone’s circuit board and case, we hope to encourage a proliferation of personalized and diverse mobile phones. Freed from the constraints of mass production, we plan to explore diverse materials, shapes, and functions. We hope that the project will help us explore and expand the limits of do-it-yourself (DIY) practice. How close can a homemade project come to the design of a cutting edge device? What are the economics of building a high-tech device in small quantities? Which parts are even available to individual consumers? What’s required for people to customize and build their own devices?

The initial prototype combines a custom electronic circuit board with a laser-cut plywood and veneer enclosure. The phone accepts a standard SIM card and works with any GSM provider. Cellular connectivity is provided by the SM5100B GSM Module, available from SparkFun Electronics. The display is a color 1.8″, 160×128 pixel, TFT screen on a breakout board from Adafruit Industries. Flexures in the veneer allow pressing of the buttons beneath. Currently, the software supports voice calls, although SMS and other functionality could be added with the same hardware. The prototype contains about $150 in parts.

Mellis's Master's thesis is "Case studies in the digital fabrication of open-source consumer electronic products" and includes a 3D printed mouse, fabbed speakers and a fabbed FM radio.

High-Low Tech – DIY Cellphone (via Hacker News)

(Images: Laser-cut plywood and veneer case, a Creative Commons Attribution (2.0) image from mellis's photostream; Making a call, a Creative Commons Attribution (2.0) image from mellis's photostream)

Games to play during commercial breaks

The nice people at Hide and Seek have a collection of Tiny Games you can play while the commercials are on TV, like each player putting a finger on the screen and scoring a point for every face that they poke during the break -- winner is the most prolific face-poker.

A game for two or more overconfident players.

As soon as a show segment ends, player one must say what the first advert will be advertising. Player two immediately mutes the television, and as the advert plays, whatever it is for, player one must explain how they were right, and the advert is definitely for the product they suggested, regardless of what it is actually advertising. Scoring is entirely subjective.

A game for two or more verbose players.

At the very start of an advert break, shout out a word. The other players have to shout out something else. Earn one point every time your word is said during the advert break. If someone chooses a word that’s not within the spirit of the game – “the” or “and” or “be” or anything like that – then the other players can reject it by unanimous agreement.

Hide and Seek also brought us the Board Game Remix Kit, and now they're running a Kickstarter to fund a bazillion tiny games as a mobile app.

Tiny Games For Ad Breaks (via Super Punch)

"Garden apartment" redefined in new green apartment building


Architect/developer Sebastian Mariscal designed and is expecting to build a 44-unit apartment building in densely-populated Boston where most of the space you'd expect to be used for parking spots is instead given over to a variety of gardens. There's a 7,000 public garden on the ground level and a roof that's 70 percent dedicated to community gardening. Meanwhile, each living unit includes a 144 square foot "outdoor room… full of vegetation."

"The Apartment Complex of Tomorrow—0 Parking Spots, 46 Personal Garden Spaces" (TakePart)

While Mariscal's original design only had six parking spaces, meant for rentals, and he only planned to rent to tenants who didn't own cars, the community was concerned that tenants would own cars anyway and park them on the street. So the architect added 35 spots to his plans and has apparently received preliminary approval to build from the Boston Redevelopment Authority. (Universal Hub, thanks Lis Riba!)

Automate collecting wonderful things


One unique and special treat in working as Boing Boing's web developer has been to see how truly prolific writers do their work. Not only are they all hugely practiced at writing, but they've each developed a process and a format for creating or curating content that enables them to write more and quickly. I've spent the last couple years trying to cheat a bit at collecting large volumes of curated content by putting as much of the work as possible onto computers.

My main experiment with rapid blogging is the animated GIF section of my media blog. I love animated GIFs, and I'd picked up a habit of saving my favorites to a folder on my desktop. A year and a half ago I moved that folder to my Dropbox's Public folder, which syncs all the files out to the cloud and lets anyone view them in their browser. Then I set up an IFTTT action to slurp new files into the blog. And then I forgot about it and went about my business.

With basically no added effort I've posted over three thousand GIFs to my blog. It averages six new posts a day; sometimes I'll post thirty at a time when I find a bunch of good ones. IFTTT can connect to lots of other services, so I've set it to push out GIFs to my Tumblr as well. It's a great treat to scroll back through hundreds of fun images I've saved, and I often find myself pleasantly surprised by what I've posted.

This method of curating things gives some neat advantages over other sharing services. When you set up the rules for posting and IFTTT or another automated system does the legwork, you create limitations to what you can post in the process. It forces an editorial voice: now I know I'm going to only post GIFs by saving them to that folder, so all I have to worry about is whether they fit the collective whole. Applying this process to other content types proves to be very successful: a friend and I have collected nearly an album a day on our shared music blog for nine months through some really simple custom scripts to ease the process. I never run short of excellent tunes now that we've collected it so quickly.

Building large collections of content, even if it's focused at dumb GIFs or indie music albums, is easier than ever. Spend some time thinking about the parts of the process you can automate for your collections and start enjoying them more.

Spooky tree sculpture in Bali


BB pal Karen Marcelo photographed this magnificent living tree sculpture in Ubud, Bali. More beautiful photos in Karen's Flickr stream, k0re.

Your WiFi-enabled camera might be spying on you

Every networked sensor package in your immediate vicinity can be used to spy on you unless it is well-designed and transparent to you and the wide community of security researchers. If that sounds paranoid, check out the video above, wherein some security researchers show that they can covertly operate WiFi-enabled personal cameras and turn them into bugs.

But, as proven by Daniel Mende and Pascal Turbing, security researchers with German-based IT consulting firm ERNW, these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices.

Mende and Turbing chose to compromise Canon's EOS-1D X DSLR camera and exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but have also managed to gain complete control of it.

In this presentation from Shmoocon 2013, they explained in detail how they managed to mount the attacks, and have also offered advice for users on how to secure their cameras and connections against these and similar attacks.

Stuff like this is why DRM and EULAs are so insidious. The existence of devices that attack their owners affects us all. It is a public health problem. Any time we pass a law that makes it illegal or legally perilous to point out flaws in technology, we make it harder to solve the public health problem, and we're all at risk.

Digital cameras easily turned into spying devices, researchers prove (via /.)

Guatemala genocide trial: Day 6. "If I die, the story of what I lived will never be forgotten"

Photo: NISGUA. A witness testifies in the trial of Rios Montt, with aid of court-appointed Nebaj Ixil interpreter.

As Emi McLean writes on the Open Society Justice Initiative's blog about the genocide trial in Guatemala, "Semana Santa (or Holy Week) seemed to slow down Guatemala City everywhere but in Judge Jazmin Barrios’s courtroom on Monday."

And the trial continues at breakneck speed. The prosecution of Jose Efraín Rios Montt, the Army general who ruled Guatemala from 1982-1983, and his then-chief of military intelligence Jose Mauricio Rodriguez Sanchez, re-opens for the 6th day today in Guatemala City. The charges of genocide and crimes against humanity they face are based on evidence of systematic massacres of Mayan citizens by Guatemalan troops and paramilitary forces during a most bloody phase of the country's 36-year civil war. The US government provided assistance to Ríos Montt and other Guatemalan military dictators that followed in that era, in the form of funding, training, military and CIA personnel, and weapons that were used against the indigenous population.

Watch live video from the courtroom here; listen to audio here. A Twitter list with accounts who are live-tweeting the trial is here.

On Monday, March 25, the court heard 13 witnesses for the prosecution recount horrifying accounts of atrocities they witnessed and survived, committed by soldiers under Ríos Montt's command.


Cardboard cops to deter traffic violators

I've heard anecdotal evidence that lifesize cardboard cut-outs of police officers in shops can deter shoplifting. Now Bangalore police are using the same method to deter traffic violators. "It is not a gimmick. Wherever we have put up these cut outs, violations have come down," Traffic Commissioner MA Saleem told the BBC.

Police called over man singing "Free Falling"

From the Seaside, Oregon police log.

Wanting to glide down over Mulholland? Not a crime.

Thanks Ryan!!

Daft Punk's new album due out May 21

Daft Punk's new album Random Access Memories has an official release date of May 21. Continuing the tease, the band released 15 seconds of music as the above TV spot on Saturday night. This follows the previous TV ad heard on March 2. Chic's Nile Rodgers confirmed to Rolling Stone magazine that it is indeed his funky guitar you're hearing. Perfect. Daft Punk: Random Access Memories (Amazon)

Saving for retirement as an act of wild optimism

Photo: Mark Makela for The New York Times. "Virginia C. McGuire, her partner, Matthew, and their son, Leo, 9, play the board game Pandemic in their Philadelphia home."

When is setting aside money with which to retire at a happy old age a potentially recklessly optimistic decision? When you have cancer.

Librarian, freelance writer, and mom Virginia C. McGuire writes in the New York Times how during the worst of it, her anxiety was sometimes "all about money," and she worried about what would happen if and when her cancer returned. "Nobody pays freelancers for sick time."

"Sometimes I find it easier to fret about money than to worry about big things like cancer," she writes. "It seemed crazy to keep saving for retirement when my chances of living that long were so uncertain."

The Royal Road to Card Magic DVDs & Book

I've spent around two decades practicing sleights of hand, flourishes and card tricks. Nearly everything I have learned is in the Royal Road to Card Magic, a book first published in 1949 and written by Jean Hugard and Frederick Braue.

I have struggled and struggled with what I felt were poor illustrations and overly complex descriptions to learn many of the secrets housed in this famous book. No more! I was recently introduced to a 6 DVD demonstration of the book that clearly and easily shows each move!

I've spent a few hours with the DVD set and I'm very happy! The set is filling in gaps where I felt the book was incomprehensible. I'd skipped a number of tricks where lack of a strong visual made it impossible for me to learn. I'm picking things up very quickly! I'm thrilled!

For beginners I highly recommend both a copy of the book and the DVDs.

The Royal Road to Card Magic by Jean Hugard and Frederick Braue

The Houdini Magic Royal Road to Card Magic 6 DVD set

Why architects should stop drawing trees on top of skyscrapers

Vanessa Quirk Tim De Chant argues that the practice of drawing trees on top of skyscrapers in architectural renderings should stop. First, because pretty, high-altitude foliage is the first thing that cost-conscious developers jettison when the actual building is underway; but secondly, because trees can't really survive at that altitude:

There are plenty of scientific reasons why skyscrapers don’t—and probably won’t—have trees, at least not to the heights which many architects propose. Life sucks up there. For you, for me, for trees, and just about everything else except peregrine falcons. It’s hot, cold, windy, the rain lashes at you, and the snow and sleet pelt you at high velocity. Life for city trees is hard enough on the ground. I can’t imagine what it’s like at 500 feet, where nearly every climate variable is more extreme than at street level.

Wind is perhaps the most formidable force trees face at that elevation. Ever seen trees on the top of a mountain? Their trunks bow away from the prevailing winds. That may be the most visible effect, but it’s not the most challenging. Wind also interrupts the thin layer of air between a leaf and the atmosphere, known as the boundary layer. The boundary layer is tiny by human standards—it operates on a scale small enough that normally slippery gas particles behave like viscous fluids.

Bottom line: if we're going to have skyscrapers, let's build them without the illusion that they'll harbor high-altitude forests.

Can We Please Stop Drawing Trees on Top of Skyscrapers? (Thanks, Fipi Lele!)

(Images: “Le Cinq” Office Tower / Neutelings Riedijk Architects, Rendering by Visualisatie A2STUDIO, Pentominium / Murphy/Jahn. Image courtesy of Murphy/Jahn.)

Friendly darkness in the palace of utopian fantasy

In Wendy and Richard Pini's ElfQuest saga are the echoes of an old thread of utopian fantasy, removed from epic homily to intimate fable.

Stanislaw Burzynski vs. regulations protecting human research subjects, revisited: Orac on Cancer quackery

"The Burzynski Clinic is drawing me back below its event horizon again, like the irresistible black hole made up of supercompressed greed that I see it to be," writes health-skeptic blogger Orac, about the Houston-based clinic that runs roughshod over human subjects protections. Today's post digs into recent FOIA'd FDA documents on the case. "How he has continued to get away with it for over 30 years is one of the great questions in drug regulation," Orac says. "Somehow, he does, year after year." [Respectful Insolence]

Alaa Wardi, a capella YouTube star from Saudi Arabia: "Risala Ela..."

Alaa Wardi (Twitter, instagram) is an Iranian-born singer based in Saudi Arabia whose vocal harmonies and one-man viral videos have become big hits throughout the mideast. His latest, "Risala Ela...", is out today in video and as a DRM-free pay-what-you-want download. Many of his earlier videos are a capella; this one's notable in a new way, with instrumentation.


The fable that helped me find the others

Fables are portals to other worlds, writes Heather Johanssen—and to new places in this one.