24 Apr 19:05

micdotcom: Watch: This whole interview is honestly so...

24 Apr 15:23

A Softer World: 1226

24 Apr 07:49

Had a source that said ‘additional added value’.

23 Apr 22:47

The most amazing Hubble Space Telescope fly-through yet defies belief

by Casey Chan on Sploid, shared by Lauren Davis to io9

If space traveling the universe had a scenic route, this would be it. It’s a 3D fly-through of the nebula Gum 29 with the stunning star cluster Westerlund 2 in the middle and it’s absolutely gorgeous. The image was taken by the Hubble and shown off for its 25th anniversary. It’s the stuff of dreams.


26 Apr 15:14

sandandglass: Video: Cecily Strong at the 2015 White House...

26 Apr 15:10

sandandglass: Top ten Obama jokes from the 2015 WHCD (full...


26 Apr 04:30

(photo via barrymcockner)

26 Apr 04:13

Quote #433487

*A doctor in the corridor is loudly dressing down some neighbouring hospital over a shortage of beds and something else. An old man who is visiting can't stand it any longer and loudly objects*
- What are you shouting about?! Get a grip on yourself!
- I'm not shouting! And you, don't make a scene! In fact, go book an appointment with a neurologist!
*the old man, displeased*
- As it happens, that's exactly who I have an appointment with!
*the doctor, after some confusion*
- As it happens, I am the neurologist...
*a granny sitting off to the side*
- Well, they've found each other...
25 Apr 19:00


25 Apr 15:06

Hewlett-Packard-01 wrist instrument, 1977

by adafruit



HP Virtual Museum: Hewlett-Packard-01 wrist instrument, 1977.

The HP-01 wrist instrument looked like a digital watch but was smarter than many pocket calculators. It performed more than three dozen functions to manipulate and interrelate time, calendar and numeric data. With six interactive functions (time, alarm, timer/stopwatch, date/calendar, calculator and memory) the HP-01 had 28 tiny keys that the user operated with a stylus built into the bracelet.

The HP-01, code-named “Cricket,” was not a successful product for HP. It was too bulky and heavy, and HP sold it though upscale jewelry stores. But miniaturizing the math functions was quite an engineering feat, and when HP discontinued manufacturing the HP-01, its inner workings were destroyed so no one would copy the extraordinarily small package engineering. The HP Archives has a few of the remaining elements.

The HP-01 currently is one of the most sought after collectibles in the antique electronics market, often fetching two or three times its original price ($650 for the silver color, $750 for the gold version).

25 Apr 13:51

design-is-fine: Acquaintance cards, a variety of calling cards,...


Acquaintance cards, a variety of calling cards, 1870s-80s. USA. Via dangerousminds. More to see: Mays / flickr. They were used “by the less formal male in approaches to the less formal female.”

25 Apr 08:01

Lego Flip-dot Display

by Elliot Williams

We don’t need to mention that flip-dot displays are awesome. They use no power except in transitions, are visible on even the brightest of days, and have a bit of that old-school charm. So then it stands to reason that the flip-dot display that [AncientJames] made out of LEGO is awesome-plus. Heck, it even spells out “awesome”.

The display is programmed by arranging single-unit bricks on a template to either turn on or off a pixel. A set of fingers raise up, the new template slides in, and the fingers are lowered onto the template to set the display dot discs. Sounds easy, right?

The single pixel mechanism is interesting enough on its own:

But then the transfer mechanism’s choreography is really sweet. If you’re interested in the mechanics, read through [AncientJames]’s explanation, and don’t skip the animations of Chebyschev’s Lambda Mechanism on Wikipedia.

It’s truly amazing what one can get done with a single crankshaft. Nice work, [AncientJames]!

If we can beg, any chance you’d make a video of the transfer mechanism on its own?

Thanks [Daniel Kennedy] for the tip.

25 Apr 04:03


25 Apr 01:15

harikondabolu: I said this on Australian television.


24 Apr 23:25


24 Apr 23:09

Oh, Portland.

I just got invited to a house party with cocktails, food, and baby goats. I love you, Portland. 

24 Apr 22:47

flux-and-felines:caffeinatedfeminist:magicalnaturetour:Lion Gets...




Lion Gets Stuck In A Tree Before His Brother Helps Him Down. All photos by Carters News via The Huffington Post ~ Please click through to see the gif they made of this hilarious incident. It was too big for me to post it here for you. :D

The brother on the ground is displaying the most perfect face of “This asshole got stuck up a fucking tree again” I think I’ve ever seen.

And then the one coming down from the tree is like “I am grace, I am divine!”

24 Apr 21:24

Github DDoS Attack As Seen By Google

by Soulskill
New submitter opensec writes: Last month GitHub was hit by a massive DDoS attack originating from China. On this occasion the public discovered that the NSA was not the only one with a QUANTUM-like capability. China has its own "Great Cannon" that can inject malicious JavaScript inside HTTP traffic. That weapon was used in the GitHub attack. People using Baidu services were unwitting participants in the denial of service, their bandwidth used to flood the website. But such a massive subversion of the Internet could not evade Google's watchful eye. Niels Provos, engineer at Google, tells us how it happened. Showing that such attacks cannot be made covertly, Provos hopes that the public shaming will act as a deterrent.


Read more of this story at Slashdot.

24 Apr 17:00

Crow Expertly Trolls Cat

24 Apr 07:13

Quote #433476

A line from a women's Internet forum:
- He still hasn't proposed, but he farts without embarrassment now...
24 Apr 05:46

Quote #433469

I'm sitting at work, trying to concentrate. A colleague keeps bustling back and forth around the office. At some point it gets on my nerves; I grab a battery that happens to be at hand and throw it at him. But right at that moment the colleague bends over his desk, and by some miracle the battery flies into his pocket. And then it dawns on me that a chance like this can't be missed! "Sanya, come here a second," I call him. "What?" the colleague replies. I stare at him intently, like David Blaine, and pronounce: "You have a Duracell AA battery in your right pocket." Sasha, smirking, sticks his hand in his pocket... But gradually his expression turns into that of the dog with the pastries. In total silence he pulls the battery in question out of his pocket. Yes! It was a triumph! I should have made a bet...
24 Apr 02:10

Comic for Wednesday, April 22nd, 2015

Comic for Wednesday, April 22nd, 2015 is located at http://twokinds.keenspot.com/archive.php?p=0
24 Apr 00:00

Win by Induction

This would be bad enough, but every 30th or 40th pokéball has TWO of them inside.
23 Apr 23:51

Person: how are you?

Person: how are you?
Me: im ok
Person: why just ok?
Message appears: you are not an experienced enough friend to unlock this response yet. try again after reaching friendship level 10.
23 Apr 22:30

Your Password is Too Damn Short

by Jeff Atwood

I'm a little tired of writing about passwords. But like taxes, email, and pinkeye, they're not going away any time soon. Here's what I know to be true, and backed up by plenty of empirical data:

  • No matter what you tell them, users will always choose simple passwords.

  • No matter what you tell them, users will re-use the same password over and over on multiple devices, apps, and websites. If you are lucky they might use a couple passwords instead of the same one.

What can we do about this as developers?

  • Stop requiring passwords altogether, and let people log in with Google, Facebook, Twitter, Yahoo, or any other valid form of Internet driver's license that you're comfortable supporting. The best password is one you don't have to store.

  • Urge browsers to support automatic, built-in password generation and management. Ideally the OS would support this as well, but that requires cloud storage and everyone being on the same page, so it seems most likely to me to happen per browser. Chrome, at least, is moving in this direction.

  • Nag users at the time of signup when they enter passwords that are …

    • Too short: UY7dFd

    • Lack sufficient entropy: aaaaaaaaa

    • Match common dictionary words: anteaters1

This is commonly done with an ambient password strength meter, which provides real time feedback as you type.

If you can't avoid storing the password – the first two items I listed above are both about avoiding the need for the user to select a 'new' password altogether – then showing an estimation of password strength as the user types is about as good as it gets.

The easiest way to build a safe password is to make it long. All other things being equal, the law of exponential growth means a longer password is a better password. That's why I was always a fan of passphrases, though they are exceptionally painful to enter via touchscreen in our brave new world of mobile – and that is an increasingly critical flaw. But how short is too short?

When we built Discourse, I had to select an absolute minimum password length that we would accept. I chose a default of 8, based on what I knew from my speed hashing research. An eight character password isn't great, but as long as you use a reasonable variety of characters, it should be sufficiently resistant to attack.

By attack, I don't mean an attacker automating a web page or app to repeatedly enter passwords. There is some of this, for extremely common passwords, but that's unlikely to be a practical attack on many sites or apps, as they tend to have rate limits on how often and how rapidly you can try different passwords.

What I mean by attack is a high speed offline attack on the hash of your password, where an attacker gains access to a database of leaked user data. This kind of leak happens all the time. And it will continue to happen forever.

If you're really unlucky, the developers behind that app, service, or website stored the password in plain text. This thankfully doesn't happen too often any more, thanks to education efforts. Progress! But even if the developers did properly store a hash of your password instead of the actual password, you better pray they used a really slow, complex, memory hungry hash algorithm, like bcrypt. And that they selected a high number of iterations. Oops, sorry, that was written in the dark ages of 2010 and is now out of date. I meant to say scrypt. Yeah, scrypt, that's the ticket.

Then we're safe? Right? Let's see.

You might read this and think that a massive cracking array is something that's hard to achieve. I regret to inform you that building an array of, say, 24 consumer grade GPUs that are optimized for speed hashing, is well within the reach of the average law enforcement agency and pretty much any small business that can afford a $40k equipment charge. No need to buy when you can rent – plenty of GPU equipped cloud servers these days. Beyond that, imagine what a motivated nation-state could bring to bear. The mind boggles.

Even if you don't believe me (but you should), the offline fast attack scenario, which is much easier to achieve, was hardly any better at 37 minutes.

Perhaps you're a skeptic. That's great, me too. What happens when we try a longer random.org password on the massive cracking array?

Length          Time to crack
9 characters    2 minutes
10 characters   2 hours
11 characters   6 days
12 characters   1 year
13 characters   64 years

The random.org generator is "only" uppercase, lowercase, and number. What if we add special characters, to keep Q*Bert happy?

Length          Time to crack
8 characters    1 minute
9 characters    2 hours
10 characters   1 week
11 characters   2 years
12 characters   2 centuries

That's a bit better, but you can't really feel safe until the 12 character mark even with a full complement of uppercase, lowercase, numbers, and special characters.
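The two tables above follow from one model: keyspace divided by guess rate. This added example (not from the article) reproduces them and answers the "how short is too short?" question for any horizon; the guess rate of 1e14 per second is a constructed assumption, chosen because it matches both tables to within their rounding.

```python
import math

# Constructed assumption (not a figure from the article): about 1e14 guesses per
# second for the "massive cracking array". Dividing the keyspace by this rate
# reproduces both of the article's tables to within their rounding.
ARRAY_RATE = 1e14

ALPHANUMERIC = 62   # upper + lower + digits: the random.org set
PRINTABLE = 95      # alphanumeric plus the 33 printable ASCII specials

SECONDS_PER_YEAR = 365.25 * 86400
UNITS = [("centuries", 100 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
         ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password; each extra character adds log2(alphabet)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = ARRAY_RATE) -> float:
    """Worst-case time to try the whole keyspace at the given guess rate."""
    return keyspace(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits, as the article's tables do."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def min_length_for(alphabet_size: int, target_seconds: float, rate: float = ARRAY_RATE) -> int:
    """Smallest length whose keyspace outlasts target_seconds of cracking."""
    length = 1
    while keyspace(alphabet_size, length) < rate * target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for size in (ALPHANUMERIC, PRINTABLE):
        for n in range(8, 14):
            print(f"alphabet {size}, {n:2d} chars: {entropy_bits(size, n):5.1f} bits, "
                  f"{human(seconds_to_exhaust(size, n))}")
    print("alphanumeric length that survives a year:", min_length_for(ALPHANUMERIC, SECONDS_PER_YEAR))
```

Each extra alphanumeric character multiplies the work by 62, which is the "exponential cliff" the text refers to; the rate constant is the only input you need to revisit as hardware gets faster.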

It's unlikely that massive cracking scenarios will get any slower. While there is definitely a password length where all cracking attempts fall off an exponential cliff that is effectively insurmountable, these numbers will only get worse over time, not better.

So after all that, here's what I came to tell you, the poor, beleaguered user:

Unless your password is at least 12 characters, you are vulnerable.

That should be the minimum password size you use on any service. Generate your password with some kind of offline generator, with diceware, or a passphrase approach – whatever it takes, but make sure your passwords are all at least 12 characters.

Now, to be fair, as I alluded to earlier all of this does depend heavily on the hashing algorithm that was selected. But you have to assume that every password you use will be hashed with the lamest, fastest hash out there. One that is easy for GPUs to calculate. There's a lot of old software and systems out there, and will be for a long, long time.

And for developers:

  1. Pick your new password hash algorithms carefully, and move all your old password hashing systems to much harder to calculate hashes. You need hashes that are specifically designed to be hard to calculate on GPUs, like scrypt.

  2. Even if you pick the "right" hash, you may be vulnerable if your work factor isn't high enough. Matasano recommends the following:

    • scrypt: N=2^14, r=8, p=1

    • bcrypt: cost=11

    • PBKDF2 with SHA256: iterations=86,000

    But those are just guidelines; you have to scale the hashing work to what's available and reasonable on your servers or devices. For example, we had a minor denial of service bug in Discourse where we allowed people to enter up to 20,000 character passwords in the login form, and calculating the hash on that took, uh … several seconds.
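The sign-up checks listed earlier (too short, low entropy, dictionary word) and the developer checklist above fit together in one small module. This is an added example, not Discourse code: it uses the scrypt parameters quoted from Matasano, the article's 12-character floor, and a constructed 128-character cap that stops the oversized-input slowdown before any hashing happens; the tiny dictionary is a constructed stand-in for a real wordlist.

```python
import hashlib
import hmac
import os

# Work factor the article quotes from Matasano.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32
MIN_LENGTH = 12    # the article's recommended floor
MAX_LENGTH = 128   # constructed cap; 20,000-character inputs made the hash take seconds
# Constructed stand-in for a real common-password dictionary.
COMMON_WORDS = {"anteaters", "password", "qwerty"}


def check_policy(password: str) -> list:
    """Reasons the sign-up form should nag about this password (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(password) > MAX_LENGTH:
        problems.append("too long")              # reject before it reaches the hash
    if len(set(password)) <= 2:
        problems.append("insufficient entropy")  # e.g. 'aaaaaaaaaaaa'
    if password.rstrip("0123456789").lower() in COMMON_WORDS:
        problems.append("dictionary word")       # e.g. 'anteaters1'
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)


def hash_password(password: str) -> bytes:
    """Salt + scrypt digest, suitable for storing in the user table."""
    problems = check_policy(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    salt = os.urandom(SALT_BYTES)
    return salt + _derive(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison; oversized input is refused before any scrypt work."""
    if len(password) > MAX_LENGTH:
        return False
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    return hmac.compare_digest(_derive(password, salt), digest)
```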

Now if you'll excuse me, I need to go change my PayPal password.
