

Show HN: LeapFM - A new way to find music - Apane
http://www.leapfm.com

======
anigbrowl
Like it, but why do you care how long my damn password is? I have a short one
that I like to use for stuff where I don't care about security, and I hate
having to manage/remember longer ones. So far I don't value the service enough
to want to do that - my attempt to sign up has resulted in an annoyance rather
than a benefit.

Needs on-screen genre tags, also needs submitter ID so you can spot people
whose taste you know you like. Otherwise clicking on an unknown artist is a
complete crapshoot.

~~~
bigiain
I'm of two minds about password stuff like that - while requiring long
passwords "adds friction", it's also clear that sub-eight-char passwords are
trivially reversible in the face of many common password hashing schemes, and
even if you write your own or use a framework with bcrypt/scrypt/PBKDF2 password
storage, short or dictionary passwords are easily vulnerable if the password
hashes are exposed.

As a site owner I'd like to be able to look people (or a judge) in the eye and
say "I followed realistic best practices in protecting your password - I put
technical measures in place to ensure the password storage wasn't so weak they
could be expected to fall in under an hour to a curious journalist running
HashCat on his laptop as part of a story he's writing."

(Story time: I once signed up for this interesting sounding new
website/service "just to see what it was". I used my usual "throw away"
password. The same email and password I'd signed up to PerlMonks with. Several
years later, that new website had become a regular part of my online work and
social life, and a place where I cared about my reputation. I hadn't - back
then - had a process in place to remind myself where I was using weak or
reused passwords, so when the PerlMonks site got hacked (with their plain-text
password storage!), all of a sudden my friends/colleagues/clients started
getting Acai Berry Spam from my Twitter account…)

~~~
rcfox
I don't know a whole lot about this area, but why would dictionary passwords
be more vulnerable when considering a password hash? Couldn't you just salt
the hashes with enough characters to defeat rainbow tables?

~~~
bigiain
There's a lot of modern password hash attacks like HashCat that don't use
rainbow tables.

There just aren't enough words in most people's vocabulary for a "dictionary
word" to provide enough bits.

Salts help, but HashCat on a decent GPU will test over 2 million passwords/sec
for salted MD5 hashes using phpass (the current WordPress password storage).
That'll rip through the whole RockYou password list (32m words) in 15 seconds.
Anecdotal evidence suggests something like 25% of typical passwords from
publicly available dumped hashes fall to the RockYou list. Salts mean I need to
run each hash individually, but a 25% chance of revealing each hash's password
in ~15 secs isn't much of a challenge.

(Oh, and the "journalist with a laptop" comment was about this:
[http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/](http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/)
not a bad read if you're curious. See page 3, almost 5000 passwords
out of a list of 17000 unsalted MD5 hashes in _one_ minute - on a laptop
without using a GPU…)
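
The point made in the two comments above (salts defeat rainbow tables but do
nothing against guessing a dictionary password, so the defence is a slow KDF
plus a signup-time blocklist) can be made concrete with a small script. This
is an added example written for this page, not code from LeapFM or from any
commenter. The wordlist is a constructed six-entry stand-in for a leaked list
such as RockYou; the 32-million figure is the list size quoted in the thread,
and the PBKDF2 iteration count is an assumed illustrative value.

```python
import hashlib
import os
import time
from typing import Callable, Iterable

# Constructed stand-in for a leaked-password list (a real check would load
# the full RockYou-style list mentioned in the thread).
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "princess", "letmein", "monkey"]

# Size of the RockYou list as quoted in the thread; used only for a cost estimate.
ROCKYOU_SIZE = 32_000_000

HashFn = Callable[[str, bytes], str]


def md5_salted(password: str, salt: bytes) -> str:
    """Fast salted hash. The salt makes precomputed rainbow tables useless,
    but each guess still costs one MD5, so a wordlist is cheap to try."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Slow, iterated KDF (assumed iteration count). Every guess now costs
    `iterations` HMAC-SHA256 computations, which is the whole point."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def seconds_per_guess(hash_fn: HashFn, password: str, salt: bytes, samples: int = 5) -> float:
    """Average wall-clock cost of verifying one candidate under a scheme."""
    start = time.perf_counter()
    for _ in range(samples):
        hash_fn(password, salt)
    return (time.perf_counter() - start) / samples


def seconds_to_exhaust_wordlist(hash_fn: HashFn, wordlist_size: int = ROCKYOU_SIZE) -> float:
    """Risk estimate a site owner can show: single-core time to try a whole
    leaked list against ONE salted hash (salting forces per-hash work, as the
    comment notes, but does not raise the per-guess cost)."""
    salt = os.urandom(16)
    return seconds_per_guess(hash_fn, "password", salt) * wordlist_size


def is_blocklisted(password: str, wordlist: Iterable[str]) -> bool:
    """Signup-time mitigation: refuse passwords that appear in a leaked list.
    Case-insensitive, since crackers normalise case too."""
    return password.lower() in {w.lower() for w in wordlist}


def signup_check(password: str, min_length: int = 8) -> tuple[bool, str]:
    """Combine the two policy knobs discussed in the thread: length and blocklist."""
    if len(password) < min_length:
        return False, f"password shorter than {min_length} characters"
    if is_blocklisted(password, SAMPLE_WORDLIST):
        return False, "password appears in a leaked-password list"
    return True, "ok"


if __name__ == "__main__":
    for name, fn in (("salted MD5", md5_salted), ("PBKDF2-SHA256", pbkdf2_sha256)):
        est = seconds_to_exhaust_wordlist(fn)
        print(f"{name:14s}: ~{est / 3600:,.1f} hours to try {ROCKYOU_SIZE:,} guesses (one core)")
    for candidate in ("princess", "Tr0ub4dor&3", "short"):
        print(candidate, "->", signup_check(candidate))
```

The MD5 estimate from a single CPU core is already far above the 2 million
guesses/sec a GPU achieves, so treat it as a lower bound on the attacker's
speed, not as the real exposure; what the numbers show is the ratio between the
two schemes, and that the blocklist is the only thing that protects a user who
picked a dictionary word.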

------
zachbeane
"Apane" has resorted to spamming #lisp on IRC to get upvotes on this
submission.

~~~
rweir
and #python

~~~
zachbeane
I asked Apane if there was a Lisp connection. Apparently, the site runs on
CMUCL. Why CMUCL? Because that's what Apane's mentor/teacher pg knows like the
back of his hand.

Wonder who the marketing mentor/teacher is.

~~~
ryanbigg
The site is running on Ruby on Rails. He's been asking questions in
#rubyonrails since about May.
[http://logs.ryanbigg.com/p/Apane](http://logs.ryanbigg.com/p/Apane)

~~~
zachbeane
Bummer. A breakdown of how to run a website with CMUCL on Heroku would be
pretty interesting.

------
williadc
Why would I use this instead of subscribing to r/listentothis or one of the
other subreddits for music discovery?

------
dmix
Heh I did this in 2007: [http://techcrunch.com/2007/08/27/contrastream-to-join-social-music-sites/](http://techcrunch.com/2007/08/27/contrastream-to-join-social-music-sites/)

With reddit-style voting and embedded youtube/uploaded mp3 tracks.

------
tuananh
I thought I could find some fancy recommender system's algorithm here. A bit
disappointed.

In fact, I would rather go to youtube and sort videos by popular instead.
They have bigger user base; users are more actively participating in voting,
etc...

------
jackschultz
How do you plan to deal with repeat submissions and a hive mind mentality?
Places like /r/music just have the same already popular songs get to the top
every few months just depending on how many upvotes they get at submission
time.

~~~
Apane
We have a few mods on-board ATM to minimize that. Although we do plan on
adding an automated feature to prevent duplicates very soon.

------
skndr
I recommend seeding the song lists from a lot of the popular genre subreddits.

~~~
Apane
Thanks my man, I'll look into it!

------
Apane
Thanks to those that gave real feedback. I was sharing the HN link with a few
IRC channels for feedback but they took it as spam unfortunately. Oh well.
Can't please everyone.

------
jamesgagan
nothing new about this - it's just /r/listentothis repackaged

------
ryen
Was expecting something to do with Leap Motion tech, but cool anyways

------
glifchits
leap.fm is a missed domain name opportunity... but fun project!

------
renownedmedia
Looks like someone really appreciates the HN UI...

------
zeckalpha
Nice! Is the decay for high ranked items longer than on HN?

