The previously mentioned SwashBot now has a page on the CrabFu site, featuring the original dome-headed creature, which includes this…
…the (much bigger) SwashBot2!
Stick with the video for more explanation of the concept.
Behold: A way to automatically calibrate a projector to put a full image onto an arbitrarily aligned screen.
Even, thanks to the non-zero size of the image source, if that screen is facing slightly away from the projector.
(Via.)
This system can only lay as many pixels across the screen as the projector’s lens would manage anyway, of course, but if the Carnegie Mellon researchers do manage to turn this into a real-time system, the image will be able to follow the screens around pretty much seamlessly.
So it’ll be kind of like a real-world version of those augmented reality systems in which video images of specially printed objects “grow” extra stuff:
Behold: The SwashBot! (via)
It’s based around swashplate-type linkages, and it’s another fine CrabFu product (previously). It’s not as steam-y or track-y as CrabFu’s usual products, and it’s also not yet mentioned on the CrabFu site.
That cat’s clearly dealt with things a lot scarier than this.
Phoenix is the winner of the Trossen Robotics TRC Project Contest…
…and deservedly so.
She’s a little small to really conquer the indoor environment, but the design is very scalable; I think a double-size Phoenix made with super-torque standard-sized servos or the big quarter-scale ones could scuttle up ordinary stairs quite easily.
(One could, in fact, be climbing your stairs right now. What was that noise?)
More at the forum thread.
(Via.)
The Mana Energy Potion Robopult is purest genius.
It’s not the most straightforward, or mechanically efficient, way of achieving the same feat; it wouldn’t even beat the human-powered punkin’ chunkers. But point-and-click aiming for a trebuchet-type flinger (actually, this is more of a staff sling) is still a pretty nifty achievement.
More information, and one much more disgusting video (which is also rather surreal, thanks to inspired costume choices), at the Mana site.
There’s something you don’t see every day. (Via.)
The White Glove Tracking project got a lot of people who probably should have been working to identify the location of Michael Jackson’s famous sequined white glove in every frame of his 1983 TV performance of Billie Jean.
Then they made this video.
The video is just one - relatively trivial - example of what you can do when you turn elements of moving video into separately manipulable data, and then start fooling with that data programmatically, in this case with Processing. There are several more examples on the whiteglovetracking.com gallery page.
Another, different but related, concept:
Making 3D models from video clips (via).
Thanks to Ole Kirk Christiansen’s disturbingly compelling TechnicBRICKs blog, I now know that a Lego automatic transmission can be surprisingly simple.
I’ve seen outrageously bulky and complex variable-ratio Lego transmissions before, but this one…
…is pretty much pocket-sized.
It’s actually a continuously variable transmission (based on differentials rather than the belts often found in full-scale designs), not a conventional auto with a small integer number of ratios.
But don’t worry, there are plenty of separate-ratio autos, too:
Check out the TechnicBRICKs post for more videos and pointers to further info.
After I saw this episode of Boing Boing TV…
…I of course had to check out Carl Rankin’s Web site.
Wherein is prominently displayed The Mama Bear…
…”the largest radio-controlled plane constructed from plastic-wrap, drinking straws and tape ever built”.
Super-light spindly radio controlled planes are not new. Gossamer concoctions of balsa, carbon fibre and Mylar film have been buzzing peacefully around in high-school halls for ages, and they’re now even leaking into the commercial market.
Those indomitable little foam living-room planes and twin-motor helicopters (the original Picoo Z and its numerous, often inferior, knock-offs) are cheaper even than a plane made from take-out containers. But they’re not actually very controllable - you can only kind of suggest where you’d like them to go, after which luck takes over.
Carl Rankin’s creations, in contrast, are proper controllable aircraft made on a near-zero budget for everything except the electronics.
This post on the Light Blue Touchpaper blog tells us all yet another thing we can do with Google:
Find a password, if our l337 h4XX0r skillz have already allowed us to harvest the MD5 hash for it.
The completely stupid way to store passwords, implemented by small children writing programs in BASIC and by $300-an-hour consultants writing enterprise software, is to just save all of the usernames and matching passwords as plain text in a file somewhere. If an attacker can read that file, they can now log in as anybody.
A much better, but still not as secure as it should be, method of saving passwords is to “hash” them using a “one way” or “trapdoor” algorithm, like MD5. A trapdoor algorithm runs very quickly in one direction (turning a password into an almost-unique string of seemingly random characters), but is almost impossible to run the other way, if you don’t have access to cubic kilometres of sci-fi nanotech.
If someone gets hold of the file in which you store password hashes, the one-wayness of the hash algorithm means the attacker still can’t figure out what passwords correspond to what hashes, and so cannot make use of his discovery.
Well, that’s the theory.
In practice, attackers can take a dictionary of passwords, hash them all, then search for matches between their new hash dictionary and the password hashes. There are even helpful online tools that’ll do it for you, like the long-established passcracking.com/ru, or md5oogle. When there’s a match, you’ve got the password.
And this is what Google allows you to do in two seconds, if the password hash you’re trying to “reverse” corresponds to a common word.
The word “elephant”, for instance, hashes to e4b48fd541b3dcb99cababc87c2ee88f. Search for that in Google and you’ll get a bunch of pages which, for reasons explained in the Light Blue Touchpaper post and its comments, often also have the word “elephant” on them, or right in their title.
(This post will probably be very high in those search results in a day or two. Check out the above-linked online reverse MD5 hash lookup tool if you’d like to explore other options - it lets you hash any string you like, then checks some databases for it. While it’s checking, you can be Googling the same string. Md5oogle lets you generate MD5 hashes as well, but it converts everything to uppercase first - which many password systems also do.)
This technique only works for passwords that’re common words - or, at least, have for some reason been hashed and stored in a Google-visible file. If your password is something nonsensical like dj347F, which hashes to 54041c87e2e431f3fc4c47e55d114ef3, the hash won’t be found anywhere on the Web (except, again, on this page, once Google indexes it).
This technique also doesn’t work if the passwords are “salted” with some extra data before being hashed. So if a user foolishly decides to choose “mypassword” as his password, the software actually hashes, say, 28391mypassword, and thus creates an un-findable hash.
Adding a simple fixed salt to every password still doesn’t give you really industrial-strength security, but it’s streets ahead of a lot of the junk that makes it to production. And it does stop dumb attacks like Google searching - well, at least until people find out that MurderDeathKill 3D’s online gaming logon system just adds 28391 before hashing passwords, and start making tables of dictionary words with 28391 in front of ‘em.
Lots of current popular software uses unsalted hashes, including the WordPress software that runs this blog.
So it’s pretty lucky that I made my admin password “3hv78UEr”, isn’t it?
It would appear that the previously mentioned “herbal marijuana” business (which, as I explain in that earlier post, is probably actually just a scam to harvest credit card numbers) is burgeoning.
From: “Bud Shop” <dancitep_yzpsoy@gte.net>
Date: Fri, 16 Nov 2007 14:05:42 -0700
To: “dan” <dan@dansdata.com>
Subject: Smoke up the budDo You Smoke Big Buddha Bud Or Any Other Legal Bud To Go Crazy ?
http://shabaaloo.com
My buddy Mark stopped hanging out with me because he now works at the post
office and has to do a piss test every other week. Just last week though, i
see him sparking up. I’m like “Dude are you smoking bud again??” and he is
all “Yeah! i bought ONE POUND of Legal Bud at cheapestbuds.com and i dont
need to worry, this shit doesnt come up in piss tests and its some potent
shit!” cheapestbuds.com is too good to be kept a secret.One warning though, Dont drive with this potent bud.
My friend blasted up before going on his mailing route and he ended up
crashing the postal truck LOL.
Oh and he still smokes up the Legal Bud!http://www2.shabaaloo.com
OR
http://3I.shabaaloo.com
The shabaaloo.com site being promoted here looks exactly the same as the previous thebudshop.net. Note also the mention of “cheapestbuds.com”, which was perhaps an earlier URL for the same scammers. That’s dead now, but all of the other ones are still up. The “www2″ and “3I” subdomains spreading the botnet hosting out even further.
Once again, these sites are all shuffling from one home broadband IP address to another, a technique I now know is called “fast-flux“, which was apparently originally used to hide spam mail servers. Their nameservers occasionally seem to be pointing more than one domain at the same IP address - both shabaaloo.com and thebudshop.net were at 69.141.166.10 (someone’s virus-infected PC on a Comcast address) when I first checked. Mere moments later shabaaloo had moved to 75.22.25.116 (another zombie, this time connected via AT&T) and thebudshop had moved to 63.131.13.17 (Choice One Communications). Then shabaaloo was 82.10.184.121 (NTL Internet, a UK ISP) and thebudshop was 70.92.159.113 (Road Runner). The subdomains all have their own separate changing addresses, too.
Thebudshop’s nameservers are still ns1.b4cf5f189.com and ns2.b4cf5f189.com; those are currently at 68.16.9.22 (AT&T) and 75.66.195.228 (Comcast), respectively. NS1 has stayed the same since I first checked four and a half days ago, but NS2 has changed at least twice since then.
The DNS entry for shabaaloo.com lists no fewer than five nameservers - four is the usual limit. It’s got NS1 through NS5.b4cf5f189.com. As I said in the comments for the previous post, that probably makes it virtually invincible, at least by spam-site-hosting standards.
When botnets first hit the news, many people (me included) had some difficulty figuring out what they were for, exactly. Yes, you could use them to send spam, or to launch denial-of-service attacks, or as your own personal massively parallel supercomputer for cracking encryption or something. But none of those features sounded hugely marketable.
Bulletproof hosting for any site you want is different, though. There are plenty of people who already pay big bucks for that.
I think we’ll be seeing a lot of spam-scam sites shifting to botnet hosting soon. Perhaps that’ll be what it takes to get the major ISPs to start actually disconnecting people whose computers are part of a botnet. Thus far they’ve resisted taking such action, despite being urged to do so by such minor entities as the US Government for going on three years.
One might cynically surmise that the lack of action is because there’s no money to be made in disconnecting zombies. Actually, there’s money to be lost; even if all you do is direct all of the customer’s Web requests to a “you’ve been quarantined” page with information about antivirus software, you’re still going to get irate support calls that’ll rapidly eat up every penny the customer’s paying you. If you cut ‘em off altogether, they’ll probably tell all of their friends that you’re a terrible ISP, and may file complaints with their credit card company. It’s a nightmare.
And botnet members don’t generally actually use a whole lot of the ISP’s precious bandwidth, either. J. Random Hacker with his squeaky-clean computer that’s downloading TV all day is the user an ISP really wants to cut off.
And if every ISP doesn’t adopt a no-zombies policy, at least some disgruntled customers are not going to actually put their house in order - they’ll just switch to an ISP that’ll let their lurching zombie of a PC onto the Internet.
Here’s a good article about the current sad state of affairs. Busting the people who set up the botnets seems to be the most promising course of action. That strategy hasn’t exactly stamped out spam so far, though.
Get your free blog up and running in minutes with Blogsome