I blogged a while back about a contest where you were asked to find input for an MD5 hash that would produce a result that matched at least some number of bits to a hash value the contest provided.
I found the contest by watching the promotion video on the Novena crowd funding campaign web site. Towards the end of the video you’ll see some text appear for a fraction of a second on the screen behind Andrew Huang. It’s a base64 encoded URL for the contest web site. The contest awarded a Novena laptop to the person who found the most strings whose hashes matched a given number of bits. The contest web site stated the number of bits you had to match might change depending on how difficult the challenge proved to be.
When I found the contest, the number of bits you had to match was up to 107. There was one person at the top who already had several hundred matches under their belt. Either they are an expert at MD5 and its vulnerabilities, or (my guess) they found the contest much sooner when the difficulty was much lower.
The target hash for the contest was “29c986a49abf80e9edf2ffe8efb7e040” which is the MD5 hash of the string “novena”.
The most number of bits I was able to match was 105 after running my HashAway program for 48 hours on a 4-core Intel i5 processor. That I didn’t even find one was a bummer, but it was a great exercise in the search to pull out the best performance from my program. For example I had initially written the program to generate a random string and hash that to search for matches. What I eventually did was hash the result of the previous hash. This had a great boost in performance as the overhead of generating random strings, and converting them to byte values to hash, was gone. A simple trick with big results. It was also a great exercise in becoming familiar with multi-threading in Java.
The last version of the code I had posted was version 1.3. Here is HashAway version 1.4 which is what I used to find my best 105-bit match.
I did do a quick search and found one other person’s source code for this problem. In the source you can see they found the contest when the difficulty was at 105 bits. If only I’d found the contest sooner. The comments in the source also state the contest started out at 90 bits! I can get 90-bit matches at a rate of 4/5 a second even on an old dual-core processor.
Ah well. So it goes.
My first thought: I’d like to hack that. All manner of scenarios flooded my mind. What happens if I just tipped it on its side? Does it send out some kind of SOS to its robot overlords? If I’m going up in an elevator with one, what happens if I press all the buttons? Can I give it commands using the touch screen? Maybe make it open up and take whatever is inside it? Can I reprogram it to send its delivery to a different room? After it makes a delivery, can I tell it to pay a visit to another room? Reading further about this robot, I’ve learned it uses a wireless connection to talk to, among other things, the software on the elevator to control where it wants to go. So that means the elevator is accepting commands via a wireless network? Can I send the elevator commands too? Can I send the robot a false response from the elevator so it gets off at the wrong floor? What if I wrap the whole thing in foil to block any wireless signals from reaching the thing at all? Can I force it into some kind of debug or developer mode? Can I plug into it with my laptop? Can I install Linux on it?
Then I thought… is this the robot equivalent of sexism? If I see a particularly attractive woman, that initial “I’d like to … enjoy her company” thought that crosses the mind, is that in the same zip code as looking at a robot and thinking “I’d like to hack that”? Is that objectification … of an object? And if so, is it a bad thing since it’s an actual object? Would humanizing an object be as incorrect as objectifying a human?
That I was listening to The Electric Lady at the same time may have influenced these thoughts a bit.
Perhaps we’re living in the Mad Men equivalent era of human/robot relations, where humans drink hard and treat robots as objects created only to fulfill personal desire. Awesome! The time to abuse what is acceptable, but in the future be seen as abhorrent, behavior is now. Grab a robot and hack it. Hack it hard.
Earlier this year I caught wind of a campaign to raise funds to purchase hardware and develop software to then communicate with an abandoned satellite and bring it into orbit near Earth. The International Sun/Earth Explorer 3 (ISEE-3) was launched on August 12, 1978. Its original mission was to sit in an orbit around the Sun-Earth Lagrangian point (L1) and monitor various properties of the Sun, the Earth, and the interactions between the two.
In 1982, after completing its original mission, NASA repurposed it to chase down a comet and study it. Over a few years it made a series of maneuvers, making the most of its remaining fuel and gravity to slingshot around the moon and Earth and put it into an orbit around the sun with an eye towards Halley’s Comet.
By 1999 NASA ended the mission, powered down the satellite, and donated it to the Smithsonian. Or so they thought. In 2008 NASA found out that it had not been powered down and that all of its instruments, save one, were still operating. This presented an opportunity to take control of the satellite once more, move it back to L1 and let it continue to do science for however long its systems keep running.
One problem: NASA didn’t have the equipment to properly communicate with it anymore. After they thought it had been turned off in 1999, the necessary equipment was decommissioned.
Enter the ISEE-3 reboot project. A private group of scientists and engineers made a bid to take back control of the satellite by recreating the lost hardware using software-defined radio (SDR), in other words use a computer to simulate the physical hardware. Money was needed to fund development of the system as well as hardware to transmit the signal and to buy time on radio telescopes like the one at Arecibo Observatory (as made famous by the 1997 film Contact).
By the end of May the project was funded and the group immediately got to work. Within a month they were back in communication with ISEE-3 and began preparations to fire its thrusters and bring it back to L1. The entire project is chronicled in their ISEE-3 Reboot blog.
This week, on Tuesday July 8, they attempted to make the Trajectory Correction Maneuver (TCM) to bring ISEE-3 to L1. Unfortunately the thrusters sputtered and died. The next day they tried to troubleshoot the problem as best you can from several hundreds of thousands of miles away. The diagnosis: the nitrogen gas used to pressurize the fuel tanks and force the fuel out of the tanks and into the thrusters had been depleted. The fuel is there, but without pressure it’s not going anywhere. The whole effort played out live on the ISEE-3 Reboot Twitter account.
So what now? The ISEE-3 Reboot team have put the satellite into science collecting mode. As long as its systems allow, it will continue to collect data and transmit it back to Earth. Unfortunately it will eventually head back out towards the sun and be too far for us to listen to it in a cost effective manner. We’ve got about three months until it’s too far away and so they’ll make the most of it.
And maybe in another 30 years it’ll come back and we can listen once again, for a few months, about what else ISEE-3 can see.
I saw a video on the internet not too long ago. In it, on a screen in the background, for just a few seconds, displayed a string of text I immediately recognized as being base64 encoded data. I paused the video, typed the text into my base64 decoder ring, and found it was a URL. I put the URL into my browser and found out that I’d stumbled upon a little contest that would begin sometime in the future and that I should keep checking back to see if the contest has started.
Well I forgot about all of that and only went back this evening to check and sure enough the contest had begun. It ends on May 10th.
The contest is fairly straightforward computer geek stuff. An MD5 hash value was provided and the contest was to find strings that, when similarly hashed, shared X number of the 128 bits in the hash on the page. There’s a form asking for a name and e-mail address to register. Once registered, you can submit strings you find that meet the criteria. When the contest is over, the person with the most number of found hashes wins a new, very cool computer.
There’s only 10 people on the leader board and only 2 of them have over 10 found hashes, but those two currently have over 100. The number of bits you need to match can be changed as the contest operators see fit. It’s currently set at 107 bits. With nothing to do on a Friday night and a desire to take a little Java refresher, I dug in.
It’s multi-threaded to maximize all the cores in my CPU (4). Thread priority is set to minimum, so I can keep doing whatever I want on my computer and it won’t slow down. I’m averaging about 900,000 hashes a second and after an hour I haven’t found a match. This may take some time. The program can be set at the command line to use more or fewer threads and change the difficulty too. Try it at difficulty of 90 and you’ll see a few start popping up immediately.
I’m not providing a URL to the contest and the hash in the source isn’t the real hash the contest wants you to use. Maybe I’ll mention it after the contest finishes. For now I just want to find my first hash with the program I wrote. My electric company will love me.
— Update 2 Days Later —
It started out at about 900,000 hashes a second. I found some ways to speed things up such as avoiding string manipulation wherever possible and using bit operations instead of Java objects like BitSet and I found a slightly faster RNG than the native java.util.Random. That got me up to 3.5 million hashes a second. I then realized I was running a 32-bit JVM (for browser compatibility). I installed a 64-bit JVM and now I’m up to 5.5 million hashes a second.
The source linked above has been updated to my latest.
I probably have about 36 hours running this thing so far and I haven’t found a match yet. I modified the code to keep track of the highest number of bits matched against so I can get some sense of progress. The highest I’ve matched is 103 bits. So close, but so exponentially far away.
I’ve got six days left.
— Update 3 Days Later —
I’ve removed the use of String objects from the search loop (except when outputting a match, that doesn’t mean much from a performance standpoint) by writing my own code to generate the hexadecimal values instead of using Long.toHexString(). I have also removed the calls to the random number generator in the loop. Now I seed the loop with a random value, but then keep hashing the previous results. This is, in a way, how RNGs work and for my purposes (i.e. this is not a security application) it gets the job done without the overhead of generating new values with every iteration.
This has boosted performance up to 10 million hashes a second. 5 days left to go and no matches yet. Still trying to squeeze out every last drop I can from this code (“SO USE ASM or C!” Yeah, I know, but I want to stick with Java as this is a Java learning experience.)
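The techniques described in the updates above (XOR plus bit counting instead of BitSet, hand-written hex output instead of Long.toHexString(), and feeding each hash back in as the next input), as an added single-threaded Java example; it is not the HashAway source. The class name, the iteration limit and the choice to feed back the 32-character hex text of each digest are assumptions; the target is the hash quoted earlier on the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Hypothetical class name; illustrates the search loop, not the original program.
public class PartialMatchSearch {
    private static final byte[] HEX =
            "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    // Number of bit positions (0..128) where two MD5 digests agree.
    // XOR leaves a 1 wherever the bits differ, so count those and subtract.
    static int matchingBits(byte[] a, byte[] b) {
        int differing = 0;
        for (int i = 0; i < 16; i++) {
            differing += Integer.bitCount((a[i] ^ b[i]) & 0xff);
        }
        return 128 - differing;
    }

    // Write a digest as lowercase hex ASCII into a reusable buffer,
    // so the hot loop allocates no String objects.
    static void toHex(byte[] digest, byte[] out) {
        for (int i = 0; i < digest.length; i++) {
            out[2 * i] = HEX[(digest[i] >> 4) & 0x0f];
            out[2 * i + 1] = HEX[digest[i] & 0x0f];
        }
    }

    static byte[] parseHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Target hash as quoted on the page.
        byte[] target = parseHex("29c986a49abf80e9edf2ffe8efb7e040");
        int difficulty = args.length > 0 ? Integer.parseInt(args[0]) : 90;
        long limit = args.length > 1 ? Long.parseLong(args[1]) : 20_000_000L; // assumed default

        MessageDigest md5 = MessageDigest.getInstance("MD5");
        byte[] input = new byte[32];   // current candidate string, as hex ASCII
        byte[] digest = new byte[16];  // reused output buffer

        // Seed once with random bytes; after that the chain supplies the inputs.
        byte[] seed = new byte[16];
        new SecureRandom().nextBytes(seed);
        toHex(seed, input);

        int best = 0;
        for (long n = 0; n < limit; n++) {
            md5.update(input);
            md5.digest(digest, 0, 16); // writes into the buffer and resets the digest
            int m = matchingBits(digest, target);
            if (m > best) {
                best = m;
                System.out.println("best so far: " + best + " bits");
            }
            if (m >= difficulty) {
                // Build a String only on a hit, outside the common path.
                System.out.println(m + " bits: "
                        + new String(input, StandardCharsets.US_ASCII));
            }
            toHex(digest, input); // the previous hash becomes the next candidate
        }
    }
}
```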
Maybe “bigotry” wasn’t the right word, but the catchy, matching B’s in the title were more interesting than trying to accurately describe the subject matter. It’s like network news programs.
I come here merely to provide to you a video I’m three months late in providing. This:
About a week ago Adria Richards, a developer evangelist, overheard a couple guys behind her engaging in “dongle” jokes and may have misconstrued a “forking” reference as another crude joke while attending PyCon. Frustrated at the situation she snapped their picture and called them out on Twitter for their behavior. She also alerted PyCon staff to what was happening and they responded by talking to the individuals in question.
A couple days later one of the guys she called out was fired from his job at Playhaven, a sponsor of PyCon.
Word got out and the internet exploded. DDoS attacks were made against Adria Richards’ web site, her employer’s web site, and Playhaven’s web site. And Adria’s been flooded with the most vile of vitriol, threats, and harassment.
Plenty of commentary on this incident, from many different perspectives, has already been written and there’s little, if anything, of value that I could contribute to the situation. All I have to add is utter frustration at the whole situation. The guys making jokes could have been more aware of their surroundings. Richards didn’t need to call them out in such a public manner. Playhaven didn’t need to overreact and fire one of the guys because of it. The internet didn’t need to lose its shit on Richards in such an unconstructive and counterproductive manner. Now everyone is polarized over this and any chance of having a rational dialog about what happened is about as likely as Israelis and Palestinians settling their “disagreement”.
How do we prevent shit like this from happening? Education. Open dialog. Open minds willing to explore all perspectives. Santa Claus.
And, when all else fails, an emergency anti-rage app for your phone that shows you cute as fuck kittens. Feeling angry? Want to share that rage on the internet in a brutally uncooperative manner? Why don’t you watch some cute as fuck kittens first, then see how you feel.
Brian Krebs is a journalist who specializes in computer security. His blog, Krebs on Security, is worth a bookmark even if you’re not into computer security. If nothing else, it will help expand your knowledge of all things related to that metal box sitting next to you that lets you play on the internet. That’s not a bad thing.
Recently Krebs profiled a web site that specializes in providing personal information about people (for a small fee). With such information it’s possible to gain even more personal information such as full credit reports. Such a scenario was recently put on stage with the news of celebrity credit records being posted online.
Not long after Krebs’ report went online he found his web site being DDoSed (flooded with massive amounts of traffic to the point it became inaccessible to anyone). Some people apparently didn’t like what Krebs was writing about. This was nothing that Krebs hadn’t experienced before. What was new about this particular experience was opening his front door a day later and finding himself staring down the barrel of a police officer’s gun. He had been SWATed.
I tore off the top of the thick, plastic bag and immediately popped the first piece of dehydrated meat into my mouth. I sat the bag down next to my keyboard and continued on with my internet travels. On occasion I would pop another piece into my mouth. The sixth piece caught my eye. One end of it was covered in what looked like a thin layer of cotton. It certainly peeled off the meat like cotton. I was just about to pop the now naked meat into my mouth, but then a small suggestion in the back of my head trickled forward and suggested I look into the bag o’ meat. There I saw that mass of meat pieces, stuck together to form a single entity, were covered on either side of the two-dimensional bag with more white cotton. I was confused at first. It took a good thirty seconds for the next suggestion to trickle forward: inspect the bag. It didn’t take long. I flipped it over and saw it. A long slice right down the middle. Probably made by the person opening the box containing these packages of jerky with an appropriately named “box cutter”.
There were only two questions left to answer. What the fuck was it and how lethal was the unknown amount that had already passed my lips.
I was wavering between writing a post about fantasy baseball or a radio show that you need to be adding to your listening rotation, when a thread on a message board I frequent forced its way into my brain. Though it would be easy to simply list and post over there, the idea is simply too fun to NOT post here. First, the concept:
“Okay. You’ve been made editor-in-chief of MARVEL. You have been given a command by your Corporate Disney Masters: Eliminate the entire X-Universe, save twelve. Twelve Mutants to restart the entire X-Franchise. No more, no less. And the kicker? Anyone you DON’T pick will be killed and the character rights sold off so that they can never be brought back to life.”
Great idea, right? You have the power to trim 50 duodecillion mutants down to 12 and potentially save a comic book franchise that has gotten fat and unwieldy. The problems? First, the idea that any you don’t pick gets killed and the character rights sold. It’s unrealistic – if you hate Wolverine and he doesn’t make the cut, do you REALLY think Disney/Marvel would just sell him off? Of course not, so let’s remove that provision right off the bat. The second problem: Wolverine. You may hate him, but he’s not going anywhere. Fanboys, old and young, love Wolverine. It’s why he’s on every X-Men team, the Avengers, has at least two solo books, multiple monthly appearances, and (for all I know) a regular cameo in DC Comics’ titles. Wolverine makes the cut, so there. Last problem: Who are your villains? You gotta have villains, or X-Men becomes Glee with less singing and more superpowers. Which elevates Glee, but who wants that in their monthly fiX-Men?
So. We refine the original premise: One X-Men team. 12 members. No mutant who misses the cut gets to join…EVER. And you better come up with some sweet villains for your team to fight. Got it? Good. Here’s my list:
Already, I hear the cries of fanboys everywhere. “Where’s Rogue and Gambit, or [random mutant you love]???” Not here. “What about New Mutants and X-Force???” None made the cut, sorry. “For Heaven’s sake, where’s CHARLES BLEEPING XAVIER???”
And on that bombshell, I leave you to your teeth-gnashing, comments, and hate mail. Part Two will explain why Chuck didn’t make the cut, provide you those sweet villains I promised, and maybe even offer up some solid allies who will help our newly streamlined team in their battles.
Yesterday was haircut day for yours truly. I pulled out of my driveway and threw on the radio, ignoring sports talk, the wife’s pop stations, and the local college’s radio offering in favor of some nice rock radio channel-surfing. I tuned into what I thought was the local classic rock station out of Boston and settled in for some Boston or Bob Seger or Led Zeppelin. Maybe some Gimme Shelter, Feel Like Makin’ Love, or Somebody To Love (the Queen version, as Jefferson Airplane would be on the oldies channel). But I had clearly made a mistake of preset, because instead of the sweet riffs of Hendrix or the octopus-style drumming of Ginger Baker or Michael Anthony’s ignorable bass lines, I got an earful of…Slash.
She’s got a smile it seems to me
Reminds me of childhood memories
Where everything was as fresh as the bright blue skies
Well that couldn’t be right. My wife must’ve changed up the presets, right? Obviously I was too busy driving safely out of my street to pay attention to which station I hit, right? Clearly I had stumbled on the rock station out of Providence, RI, right? Classic rock wouldn’t be playing Guns ‘n’ Roses, right? Right? RIGHT???
But it could, and it did, and it had. And as I listened to the song that extended hair metal’s life by about five years, a few things occurred to me:
1) Guns ‘n’ Roses’ classic debut, Appetite For Destruction, is 25 years old this year.
2) The music that I listened to growing up and considered “classic rock” was between 15 and 25 years old at the time.
3) Which means, goddamn it, I am getting older…
* * *
Believe me, I don’t fear it, or try to fight against it. I’m quite comfortable with my age. On my 30th birthday, as I discovered strands of grey in my hair while getting ready for the day, I found myself smiling with pride and relief – grey hair on your head isn’t brown hair in the sink, and I’d rather be grey than bald any day of the week. I am exactly 20 years older than my niece, and 24 years older than my nephew, and I have had the joy and privilege of watching them grow and mature into people that I not only love as family but truly like as people on their own terms. The horror flicks I could only dream of renting as a wee lad are now part of my permanent DVD collection, to be savored any time I want. And I wouldn’t want to be a teenager again for anything – I’m not so far removed from those years that nostalgia colors the reality of those awkward, sometimes terrifying, rites of passage into adulthood.
But I will not lie to you. Hearing Guns ‘n’ Roses (a band that not only has its roots in the 80s, but in the late 80s, which makes it older than a college’s Class of 2012) on classic rock radio (which traditionally featured music from the late 60s through the 70s) was a cold slap of reality. The only 80s music that classic rock would play was (should be?) the later albums of bands with their roots in the earlier decades (Aerosmith’s Permanent Vacation and Pump…The Police…Van Halen…AC/DC with Brian Johnson on vocals…you get the idea). Now I have to realistically expect music from my teenage years to feature prominently, though I pray it’ll only be true rock bands like Guns ‘n’ Roses, Def Leppard (up to Pyromania, please, as I was sick of the Hysteria album after the 3rd listen), Scorpions, Motley Crue…and not the pretty-boy “glam metal” of Poison, Warrant, Enuff Z’Nuff, Trixter, and what a female friend from my distant past referred to as “White bands” (White Lion, Whitesnake, Great White…). I don’t think my heart can take those slow-dancing pop standards (“Love Of A Lifetime,” “When The Children Cry,” “Fly High Michelle,” “Heaven,” and so on ad nauseam) being lumped in as “classic rock” alongside “More Than A Feeling,” “Seasons Of Wither,” “Unchained,” “Night Moves,” and so many just-plain-great tunes.
Which may be music snobbery on my part. I like those songs for the most part, but I don’t think they belong with the giants of my own youth. Put it this way: whether you love or hate Bruce Springsteen, Ozzy Osbourne (with Black Sabbath or solo), or the Rolling Stones, do you REALLY think Poison’s Open Up And Say Ahhh! album belongs alongside Born To Run, Paranoid, or Sticky Fingers? Can you name a single hair band that belongs in the Rock ‘n’ Roll Hall of Fame? That music speaks to a time in our pop culture history, true, but so do the exploitation films of the 70s. And while I love Coffey, Foxy Brown, the Blind Dead series, The Devil’s Nightmare, School Of The Holy Beast, and the slasher flicks of the 80s, I have no illusions that those movies are not classics in the traditional sense. I’m not kidding myself by putting them at the same level of the first two Godfather films, Glengarry Glen Ross, or the majority of Hitchcock’s filmography. The exploitation genre, and glam metal, is junk food. And while I like junk food, I’m not eating it for dinner.
But the truth is the truth. Time passes whether you like it or not. The “latest” of our parents becomes our “classic.” The music that I remember as new and revolutionary is oftentimes dismissed as “old people’s music.” And so, in the end, I have to make my peace with the fact that I am…shudder…an adult. To be referred to as “Mr. Scheckland” by the kids in my neighborhood. To remember where I was and how I reacted to my first time seeing Guns ‘n’ Roses and Michael Jackson’s “Thriller” video on MTV. To chuckle at the memories of slow dancing with girlfriends to those wonderfully, awfully cheesy hair ballads. To grit my teeth and get used to hearing “Rock You Like A Hurricane” and “Rock Of Ages” and maybe “I Wanna Rock” on the same radio channel as “Rock ‘n’ Roll Never Forgets” and “Rock ‘n’ Roll” and “We Will Rock You.” To accept my pop culture age with the same grace that I accepted my biological age. Hey, at least I have my iPod to help me ease into that particular tar pit with “Peace Of Mind,” right?
But I swear, the first time I hear “Wish You Were Here” segue into “Give It To Me Good” or “Talk Dirty To Me” or – God help me – “The Final Countdown,” I will tear my car stereo out with my bare hands and toss it out of my car…
And John Adams? I wouldn’t laugh. You’re less than five years away from Smashing Pumpkins being tossed in with the rest of us dinosaurs…