“It was the best of times, it was the blurst of times?” Perhaps not anymore, if this Ig Nobel-worthy analysis of the infinite monkey theorem is to be believed. For the uninitiated, the idea is that if you had an infinite number of monkeys randomly typing on an infinite number of keyboards, eventually the complete works of Shakespeare or some other famous writer would appear. It’s always been meant to be taken figuratively as a demonstration of the power of time and randomness, but some people just can’t leave well enough alone. The research, which we hope was undertaken with tongue firmly planted in cheek, reveals that it would take longer than the amount of time left before the heat death of the universe for either a single monkey or even all 200,000 chimpanzees in the world today to type the 884,647 words of Shakespeare’s complete works in the proper order.

We feel like they missed the point completely, since this is supposed to be about an infinite number of monkeys. But if they insist on sticking with real-world force monkey labor, what would really be interesting is an economic analysis of project. How much space would 200,000 chimps need? What would the energy requirements be in terms of food in and waste out? What about electricity so the monkeys can see what they’re doing? If we’re using typewriters, how much paper do we need, and how much land will be deforested for it? Seems like you’ll need replacement chimps as they age out, so how do you make sure the chimps “mix and mingle,” so to speak? And how do you account for maternity and presumably paternity leave? Also, who’s checking the output? Seems like we’d have to employ humans to do this, so what are the economic factors associated with that? Inquiring minds want to know.

Speaking of ridiculous calculations, when your company racks up a fine that only makes sense in exponential notation, you know we’ve reached new levels of stupidity. But here we are, as a Russian court has imposed a two-undecillion rouble fine on Google for blocking access to Russian state media channels. That’s 2×10³⁶ roubles, or about 2×10³³ US dollars at current exchange rates. If you’re British and think a billion is a million million, then undecillion means something different entirely, but we don’t have the energy to work that out right now. Regardless, it’s a lot, and given that the total GPD of the entire planet was estimated to be about 100×10¹² dollars in 2022, Google better get busy raising the money. We’d prefer they don’t do it the totally-not-evil way they usually do, so it might be best to seek alternate methods. Maybe a bake sale?

A couple of weeks back we sang the praises of SpaceX after they managed to absolutely nail the landing of the Starship Heavy booster after its fifth test flight by managing to pluck it from the air while it floated back to the launch pad. But the amazing engineering success was very close to disaster according to Elon Musk himself, who discussed the details online. Apparently SpaceX engineers shared with him that they were scared about the “spin gas abort” configuration on Heavy prior to launch, and that they were one second away from aborting the “chopsticks” landing in favor of crashing the booster into the ground in front of the launch pad. They also expressed fears about spot welds on a chine on the booster, which actually did rip off during descent and could have fouled on the tower during the catch. But success is a hell of a deodorant, as they say, and it’s hard to argue with how good the landing looked despite the risks.

We saw a couple of interesting stories on humanoid robots this week, including one about a robot with a “human-like gait.” The bot is from China’s EnginAI Robotics and while its gait looks pretty good, there’s still a significant uncanny valley thing going on there, at least for us. And really, what’s the point? Especially when you look at something like this new Atlas demo, which really leans into its inhuman gait to get work done efficiently. You be the judge.

And finally, we’ve always been amazed by Liberty ships, the class of rapidly produced cargo ships produced by the United States to support the British war effort during WWII. Simple in design though they were, the fact that US shipbuilders were able to ramp up production of these vessels to the point where they were building a ship every eight hours has always been fascinating to us. But it’s often true that speed kills, and this video shows the fatal flaw in Liberty ship design that led to the loss of some of the early ships in the class. The short video details the all-welded construction of the ships, a significant advancement at the time but which wasn’t the cause of the hull cracks that led to the loss of some ships. We won’t spoil the story, though. Enjoy.

Wired has a fascinating story this week, about the length Sophos has gone to for the last 5 years, to track down a group of malicious but clever security researchers that were continually discovering vulnerabilities and then using those findings to attack real-world targets. Sophos believes this adversary to be overlapping Chinese groups known as APT31, APT41, and Volt Typhoon.

The story is actually refreshing in its honesty, with Sophos freely admitting that their products, and security products from multiple other vendors have been caught in the crosshairs of these attacks. And indeed, we’ve covered stories about these vulnerabilities over the past weeks and months right here on this column. The sneaky truth is that many of these security products actually have pretty severe security problems.

The issues at Sophos started with an infection of an informational computer at a subsidiary office. They believe this was an information gathering exercise, that was a precursor to the widespread campaign. That campaign used multiple 0-days to crack “tens of thousands of firewalls around the world”. Sophos rolled out fixes for those 0-days, and included just a bit of extra logging as an undocumented feature. That logging paid off, as Sophos’ team of researchers soon identified an early signal among the telemetry. This wasn’t merely the first device to be attacked, but was actually a test device used to develop the attack. The game was on.

Sophos managed to deploy it’s own spyware to these test devices, to stealthily keep an eye on this clever opponent. This even thwarted a later attack before it could really start. Among the interesting observations was a bootkit infection on one of these firewalls. This wasn’t ever found in the wild, but the very nature of such an attack makes it hard to discover.

There’s one more interesting wrinkle to this story. In at least one case, Sophos received the 0-day vulnerability used in an attack through their bug bounty program, right after the wave of attacks was launched. The timing, combined with the Chinese IP Address makes it pretty clear this was more than a coincidence. This might be a Chinese hacker making a bit of extra cash on the side. It’s also reminiscent of the Chinese law requiring companies to disclose vulnerabilities to the Chinese government.

PTA 0-Day

GreyNoise runs a honeypot and an AI threat detection system, and found something interesting with that combination. The PTZOptics network security camera was the intended target, and there were a pair of vulnerabilities that this attack was intended to exploit. The first is a simple authorization bypass, where sending HTTP packets without an authorization header to the param.cgi endpoint returns data without any authorization needed. Use the get_system_conf parameter, and the system helpfully prints out valid username and password hashes. How convenient.

Gaining arbitrary command execution is trivial, as the ntp configuration isn’t properly sanitized, and the ntp binary is called insecurely. A simple $(cmd) can be injected for easy execution. Those two were being chained together for a dead simple attack chain, presumably to add the IoT devices to a botnet. The flaws have been fixed, and law enforcement have been on the case, at least seizing the IP address observed in the attacks.

Speaking of camera hacks, we do have an impressive tale from Pwn2Own 2024, where researchers at Synacktiv used a format string vulnerability to pwn the Synology TC500 camera. The firmware in question had a whole alphabet of security features, like ASLR, PIE, NX, and Full RelRO. That’s Address Space Layout Randomization, Position Independent Executables, Non-Executable memory, and Full Relocation Read-Only protections. Oh, and the payload was limited to 128 characters, with the first 32 ASCII characters unavailable for use.

How exactly does one write an exploit in this case? A bit of a lucky break with the existing memory layout gave access to what the write-up calls a “looping pointer”. That seems to be a pointer that points to itself, which is quite useful to work from offsets instead of precise memory locations. The vulnerability allowed for writing a shell command into unused memory. Then finally a bit of Return Oriented Programming, a ROP gadget, manages to launch a system call on the saved command line. Impressive.

Maybe It Wasn’t a Great Idea

…to give LLMs code execution capabilities. That’s the conclusion we came to after reading CyberArk’s post on how to achieve Remote Code Execution on a Large Language Model. The trick here is that this particular example, LoLLMs, can run python code on the backend to perform certain tasks, like do math calculations. This implementation uses Python sandboxing, and naturally there’s a known way to defeat it. The trick can be pulled off just by getting the model to evaluate the right JSON snippet, but it’s smart enough to realize that something is off and refuse to evaluate the JSON.

The interesting detail here is that it is the LLM itself that is refusing, so it’s the LLM that needs bypassed. There has been very interesting work done on LLM jailbreaks, like DAN, the Do Anything Now prompt. That would probably have worked, but this exploit can be even sneakier than that. Simply ask the LLM to help you write some JSON. Specify the payload, and ask it to add something to it. It gladly complies, and code is executed. Who knew that LLMs were so gullible?

More Quantum Erratta

This story just keeps on giving. This time it’s [Dan Goodin] at Ars Technica that has the lowdown, filling in the last few missing details about the much over-hyped quantum computing breakthrough. One of the first of those details is that the story of the compromise of AES was published in the South China Morning Post, which has over-hyped Chinese quantum progress before. What [Goodin]’s article really adds to the discussion is opinions from experts. The important takeaway is that the performance of the D-Wave quantum computer is comparable to classical approaches.

Bits and Bytes

Remember the traffic light hacking? And part two? We now have the third installment, which is really all about you, too, can purchase and hack on one of these traffic controllers. It may or may not surprise you that the answer is to buy them on Ebay and cobble together a makeshift power supply.

It’s amazing how often printers, point of sale, and other IoT gadgets are just running stripped-down, ancient versions of Android. This point of sale system is no exception, running an old, custom Android 6 system, that seems to actually be rather well locked down. Except that it has an NFC reader, and you can program NFC tags to launch Android apps. Use this creative workaround to get into Android settings, and you’re in business.

I have long maintained that printers are terrible. That sentiment apparently is extending into security research on printers, with Lexmark moving to a new encrypted filesystem for printer firmware. Thankfully, like most of these schemes, it’s not foolproof, and [Peter] has the scoop on getting in. May you never need it. Because seriously, printers are the worst.

At this point in the tech dystopia cycle, it’s no surprise that the initial purchase price of a piece of technology is likely not the last payment you’ll make. Almost everything these days needs an ongoing subscription to do whatever you paid for it to do in the first place. It’s ridiculous, especially when all you want to do is charge your electric motorcycle with electricity you already pay for; why in the world would you need a subscription for that?

That was [Maarten]’s question when he picked up a used EVBox wall mount charger, which refused to charge his bike without signing up for a subscription. True, the subscription gave access to all kinds of gee-whiz features, none of which were necessary for the job of topping off the bike’s battery. A teardown revealed a well-built device with separate modules for mains supply and battery charging, plus a communications module with a cellular modem, obviously the bit that’s phoning home and keeping the charger from working without the subscription.

After some time going down dead ends and a futile search for documentation, [Maarten] decided to snoop into the conversation between the charger boards and the comms board, reasonably assuming that if he knew what they were talking about, he’d be able to mimic the commands that make the charger go. He managed to do exactly that, reverse engineering enough of the protocol to do a simple replay attack using a Raspberry Pi. That let him use the charger. Problem solved, right?

Not so fast — this is a “Fail of the Week,” after all. This is where [Maarten] should have called it a day, but he decided to keep poking enough to snatch defeat from the jaws of victory. He discovered that the charging module’s firmware was only doing limited validation of messages coming from the comms module, and since he’d only found fourteen of the commands in the protocol, he thought he’d take advantage of the firmware’s openness to explore all 256 possible commands. Scanning through all the commands proved fatal to the charger, though, bricking the poor thing right after he’d figured everything out. Ouch!

To his credit, [Maarten] was only trying to be complete in his exploration of the protocol, and his intention to make it easier for the next hacker is laudable in the extreme. That he took it a byte too far is unfortunate, but such is the price we sometimes pay for progress. Everything he did is thoroughly documented, so if you’ve got one of these chargers you’ve got all the tools needed to make it a standalone. Just make sure you know when to stop.

Out of curiosity, I redrew the Supercon Vectorscope badge schematics in KiCad last year. As you might suspect, going from PCB to schematic is opposite to the normal design flow of KiCad and most other PCB design tools. As a result, the schematics and PCB of the Vectorscope project were not really linked. I decided to try it again this year, but with the added goal of making a complete KiCad project. As usual, [Voja] provided a well drawn schematic diagram in PDF and CorelDRAW formats, and a PCB design using Altium’s Circuit Maker format (CSPcbDoc file). And for reference, this year I’m using KiCad v8 versus v7 last year.

Importing into KiCad

This went smoothly. KiCad imports Altium files, as I discovered last year. Converting the graphic lines to traces was easier than before, since the graphical lines are deleted in the conversion process. There was a file organizational quirk, however. I made a new, empty project and imported the Circuit Maker PCB file. It wasn’t obvious at first, but the importing action didn’t make use the new project I had just made. Instead, it created a completely new project in the directory holding the imported Circuit Maker file. This caused a lot of head scratching when I was editing the symbol and footprint library table files, and couldn’t figure out why my edits weren’t being seen by KiCad.  I’m not sure what the logic of this is, was an easy fix once you know what’s going on. I simply copied everything from the imported project and pasted it in my new, empty project.

While hardly necessary for this design, you can also import graphics into a KiCad schematic in a similar manner to the PCB editor. First, convert the CorelDRAW file into DXF or SVG — I used InkScape to make an SVG. Next do Import -> Graphics in the Kicad schematic editor. However, you immediately realize that, unlike the PCB editor, the schematic editor doesn’t have any concept of drawing layers. As a work around, you can instead import graphics into a new symbol, and place this symbol on a blank page. I’m not sure how helpful this would be in tracing out schematics in a real world scenario, since I just drew mine from scratch. But it’s worth trying if you have complex schematics.

Note: this didn’t work perfectly, however. For some reason, the text doesn’t survive being imported into KiCad. I attribute this to my poor InkScape skills rather than a shortcoming in KiCad or CorelDRAW. Despite having no text, I put this symbol on its own page in sheet two of the schematic, just for reference to see how it can be done.

Just like last year, the footprints in the Circuit Maker PCB file were imported into KiCad in a seemingly random manner. Some footprints import as expected. Others are imported such that each individual pad is a standalone footprint. This didn’t cause me any problems, since I made all new footprints by modifying standard KiCad ones. But if you wanted to save such a footprint-per-pad part into a single KiCad footprint, it would take a bit more effort to get right.

Recreating Schematics and Parts

After redrawing the schematics, I focused on getting the part footprints sorted out. I did them methodically one by one. The process went as follows for each part:

• Start with the equivalent footprint from a KiCad library
• Duplicate it into a local project library
• Add the text SAO to the footprint name to avoid confusion.
• Position and align the part on the PCB atop the imported footprint
• Note and adjust for any differences — pad size and/or shape, etc.
• Update the part in the project library
• Attach it to the schematic symbols in the usual manner.
• Delete the imported original footprint (can be  tricky to select)

Some parts were more interesting than others. For example, the six SAO connectors are placed at various non-obvious angles around the perimeter. I see that [Voja] slipped up once — the angle between connectors 4 and 5 is at a definitely non-oddball angle of 60 degrees.

SAO Angle Difference
#1   326  102  6->1
#2     8   42  1->2
#3    61   53  2->3
#4   118   57  3->4
#5   178   60  4->5
#6   224   46  5->6

With all this complete, the PCB artwork consists of all new footprints but uses the original traces. I needed to tweak a few traces here and there, but hopefully without detracting too much from [Voja]’s style. Speaking of style, for those interested in giving that free-hand look to hand-routed tracks in KiCad, check the options in the Interactive Router Settings menu. Choose the Highlight collisions / Free angle mode and set the PCB grid to a very small value. Free sketch away.

Glitches

I used two photos of the actual board to check when something wasn’t clear. One such puzzle was the 3-pad SMT solder ball jumper. This was shown on the schematic and on the fully assembled PCB, but it was not in the Circuit Maker design files. I assumed that the schematics and photos were the truth, and the PCB artwork was a previous revision. There is a chance that I got it backwards, but it’s an easy to fix if so. Adding the missing jumper took a bit of guesswork regarding the new and adjusted traces, because they were hard to see and/or underneath parts in the photo. This redrawn design may differ slightly in appearance but not in functionality.

DRC checks took a little more iterating than usual, and at one point I did something to break the edge cuts layer. The irregular features on this PCB didn’t help matters, but I eventually got everything cleaned up.

I had some trouble sometimes assigning nets to the traces. If I was lucky, putting the KiCad footprint on top of the traces assigned them their net names. Other times, I had traces which I had to manually assign to a net. This operation seemed to work sporatically, and I couldn’t figure out why. I was missing a mode that I remember from another decade in a PCB tool, maybe PCAD?, where you would first click on a net. Then you just clicked on any number of other items to stitch them into the net. In KiCad it is not that simple, but understandable given the less-frequent need for this functionality.

You may notice the thru hole leads on the 3D render are way too long. Manufacturers provide 3D files describing the part as they are shipped, which reasonably includes the long leads. They are only trimmed at installation. The virtual technician inside KiCad’s 3D viewer works at inhuman speeds, but has had limited training. She can install or remove all through hold or SMT parts on the board, in the blink of an eye. She can reposition eight lamps and change the background color in mere seconds. These are tasks that would occupy a human technician for hours. But she doesn’t know how to trim the leads off of thru hole parts. Maybe that will come in future versions.

Project Libraries

I like to extract all symbols, part footprints, and 3D files into separate project libraries when the design wraps up. KiCad experts will point out that for several versions now this is not necessary. All (or most) of this information is now stored in the design files, alghouth with one exception — the 3D files. Even so, I still feel safer making these project libraries, probably because I understand the process.

KiCad can now do this with a built-in function. See the Export -> Symbols to New Library and Export -> Footprints to New Library in the schematic and PCB editors, respectively. These actions give you the option to additionally change all references in the design to use this new library. This didn’t work completely for me, for reasons unclear. Eventually I just manually edited the sch and pcb file and fixed the library names with a search and replace operation.

Hint: When configuring project libraries in KiCad, I always give them a nickname that begins with a dot. For example, .badge24 or .stumbler. This always puts project libraries at the top of the long list of libraries, and it makes it easier to do manual search and replaces in the design files if needed.

What about 3D files, you say? That isn’t built into KiCad, but have no fear. [Mitja Nemec] has you covered with the Archive 3D Models KiCad plugin. It was trivial to activate and use in KiCad’s Plugin and Content Manager.

All Done

In the end, the design passed all DRCs, and I could run Update PCB from Schematic... without errors. I went out on a limb and immediately placed an order for five PCBs, hoping I hadn’t overlooked something. But it’s only US$9.00 risk. They are on the way from China as I type this.

All the files can be found in this GitHub repo. If you find any errors, raise an issue there. I have not done this procedure for any of the SAO petals, but when I do, I will place a link in the repository.

This week, Jonathan Bennett and Dan Lynch chat with Josh Bressers, VP of Security at Anchore, and host of the Open Source Security and Hacker History podcasts. We talk security, SBOMs, and how Josh almost became a Sun fan instead of a Linux geek.

– https://opensourcesecurity.io
– https://hackerhistory.com
– https://infosec.exchange/@joshbressers
– https://anchore.com

Did you know you can watch the live recording of the show Right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Even in the advanced world of 2024, robots are still better in science fiction than in reality. Star Trek gave us the erudite and refined Data, Rogue One gave us the fierce yet funny K-2SO, and Big Hero 6 gave us the caring charmer named Baymax. All these robots had smarts, capability, and agency. More than that, though—they were faithful(ish) companions to humans, fulfilling what that role entails.

The thing is, we’re not gonna get robots like that unless somebody builds them. [Angela Sheehan] is a artist and an educator, and a maker—and she’s trying to create exactly that. She came down to the 2023 Hackaday Supercon to tell us all about her efforts to create cuddly companion bots for real.

Beep Boop

You might remember Angela from her 2019 Supercon costume—she showed up dressed as a color-changing fairy. In fact, she has dabbled in all kinds of fields, which has given her a broad skillset applicable to creating companion bots. She’s done lots of costuming and cosplay over the years, she’s worked in product design, and she brands herself a bit of a fashion hacker. These skills might not be particularly relevant to building a high-speed industrial robot arm to perform 2000 welds an hour. However, they come in absolute clutch when you’re trying to build a robot that acts as a soft, cuddly companion. She notes that she was inspired to create her own companion bots by the work of others formerly showcased by Hackaday—you might remember work in this field from Alex Glow and Jorvon Moss.

Angela’s talk soon tackles the elephant in the room—from the drop, you’ve probably been wondering about the cute critter perched on her shoulder. The long-tailed creature is named Nova, and she’s remarkably friendly and soothing once you get to know her.

Development took some time, with Angela doing lots of research and development to create the Nova we see today. “I actually did a lot of the prototyping and field testing for this bot in the library makerspace that I work at,” she explains. “It was great to see people who don’t know the inside and out of technology interact with [Nova] and I could pinpoint the moment that she became alive to people.” The bot got quite a response, transcending the level of basic machine to something a little more. “People wanted to come in and visit her and pet her,” says Angela. “That was such a powerful moment… that happened as soon as I started putting a face on her.” Angela doesn’t just tell the tale—during the talk, she passes Nova to the audience so they can interact with her up close. She explains that this is something that she does regularly—and we get to see photos of the lovely interactions Nova has had with dozens of smiling, happy people.

The face, though, was perhaps most crucial—as is the case for any anthropomorphic character. She took inspiration from Toothless from How To Train Your Dragon, using a stuffed toy as reference. Initial attempts weren’t particularly satisfying though, so she learned 3D sculpting for a further attempt in clay. Feedback from Twitter helped her develop the face further into the Nova we see today. The eyes were sourced from an Etsy supplier specializing in doll eyes. Angela notes there’s some magic there—when backlit with LEDs, switching them on and off can create a really believable blink pattern that feels super realistic. “What are those elements that make it feel alive?” Angela muses. “There are just little pieces of the psychology of it that you can dial into and you can make something that feels very alive.”

The talk then covers the rest of the design that helps create the “illusion of life.” Angela explains using servos and a robot gripper mechanism to flap the wings, and dialing in the motion so it felt as authentic as possible. She also covers robustness, designing “cuddle-worthy” bodies, and the value of designing for modularity. There’s also a useful discussion about how to make these builds more accessible, including useful starting points like which microcontroller and code platforms are good to use.

Even better, we get a look into the companion bot community, and we learn about the emotional impact these robots can have. Sometimes that’s intentional, other times, it’s down to a happy accident. “There is an unintended effect with [Nova’s] servos, that it feels like a purr,” says Angela. “It’s very comforting right on your shoulder, and I was thinking maybe I should try and insulate it a little bit, but actually people love it.”

Fundamentally, companion bots are a bit like virtual reality. We’ve seen a ton of products make big promises over the years, but we’ve never seen a killer app. However, as [Angela] demonstrates, it’s very possible to create something very real and very lovable if you pay attention to the right things. Perhaps it’s the personal touch that makes DIY companion bots so seemingly lifelike in a way that Furby never was.

In any case, if you’ve ever wanted a robot companion of your very own, there’s no reason you can’t start building your own. With maker skills, enthusiasm, and the will to succeed, you can create a fun and cuddly robot critter that has that magical spark of life.

Problem solved? If the problem is supplying enough lithium to build batteries for all the electric vehicles that will be needed by 2030, then a new lithium deposit in Arkansas might be a resounding “Yes!” The discovery involves the Smackover Formation — and we’ll be honest here that half the reason we chose to feature this story was to be able to write “Smackover Formation” — which is a limestone aquifer covering a vast arc from the Rio Grande River in Texas through to the western tip of the Florida panhandle. Parts of the aquifer, including the bit that bulges up into southern Arkansas, bear a brine rich in lithium salts, far more so than any of the brines currently commercially exploited for lithium metal production elsewhere in the world. Given the measured concentration and estimated volume of brine in the formation, there could be between 5 million and 19 million tons of lithium in the formation; even at the lower end of the range, that’s enough to build nine times the number of EV batteries needed.

There are still a lot of unknowns, not least of which is whether any of the lithium in the brine is recoverable, and there are surely technical and regulatory hurdles aplenty. But the mere existence of a brine deposit that rich in lithium that covers such a vast area is encouraging; surely there’s somewhere within the formation where it’ll be possible to extract and concentrate the brine in an environmentally sensitive manner. And, once again just for fun, Smackover Formation.

While not ones to cheer for interstellar catastrophes, we can’t say that we haven’t been rooting for Betelgeuse to go supernova these last few years. Ever since the red supergiant star that sits on Orion’s shoulder started its peculiar dimming a while back, talk among astronomy buffs was that the activity presaged an imminent explosion of the star, one that could make Betelgeuse the brightest object in the night sky for a few months, and possibly make it visible in the daytime as well. As thrilling — and foreboding, at least by ancient astronomy standards — as that sounds, it seems as if the unusual dimming recently observed has a more prosaic explanation: a “Betelbuddy” star. According to astronomers who pored over observations, after ruling out all the other possibilities to explain the dimming, it seems like there must be a smaller star orbiting Betelgeuse that’s periodically plowing a clear spot through the cloud of dust surrounding the dying star. That would explain the periodic dimming and brightening, but why have we not seen this Betelbuddy before? It could be that the smaller star is lost in the giant’s glare, hiding in its halo of incandescent gas. So, don’t hold your breath on seeing a supernova anytime soon.

Do you find password rules annoying? We sure do, and even using a password manager with a generator that can handle all sorts of restrictions like password length and special characters, being told how to generate a password seems silly, especially since the information on what characters a valid password would have seems like valuable clues to potential crackers. But if for some reason you haven’t had enough password pestering, try out the password game. You start by entering a password — we, of course, started with correct horse battery staple — and then deal with the consequences of your obviously poor choices. You’ll be asked to do all the silly stuff that only decreases the entropy of your password, which only makes it harder to remember and easier to guess. We haven’t played it through — it’s way too annoying — but we assume that if you ever actually manage to compose a suitable password, you’ll be asked to change it every 90 days.

And finally, we’ve managed to live long enough now to have cycled completely through all the major music recording modalities except wax cylinders. Having heard them all, we’ve got to agree with the hipsters: vinyl is the best. That’s especially true after watching this fascinating look at the LP record production process, which covers everything from mastering to packaging. The painstaking steps at the beginning are perhaps the most interesting, but anyone who doesn’t appreciate the hot vinyl squeezing out from the press is a cold, heartless monster. The video is only 15 minutes long and mercifully free of narration, so enjoy.