Slashdot Mirror
US Government Using PS3s To Break Encryption
Entropy98 writes "It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."
being used to break encryption
Each PS3 is capable of 4 million passwords per second
Something doesn't match up. For first the different encryption schemes take different times to try even one password, and even more if you combine several of them together. Secondly you cannot try 4 million passwords in a second if its encrypted content, it takes a lot more than that.
News flash: All of the servers of (insert opposition party) have been seized by the (insert party in power) government under child pornography charges.
Wait. (goes back to re-read). They are using videogame consoles to run their server? Seriously??? Wow.
I guess the PS3 is more powerful than I realized; maybe I ought to go buy one. Any good games (not on Xbox) for the PS3?
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."
What about those computers seized with a warrant and suspected of harboring stored communications with terrorists? Are we going to just ignore them?? Huh??? Huh????
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.
... suuuuuure.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Seems that the "it only does everything" slogan has greater scope than I initially thought - if "breaking encryption" was advertised explicitly, I may have picked one up...
Nice that Sony took out the ability to install Linux on the slim PS3. How hard could it have been to have a left the feature in that is useful in a number of ways? Of course, they have recently announced the ability to post trophy acquisitions to Facebook.... but they take 'Other OS' support out?!
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Halt first, then catch fire.
GAAH! MY PRINTER WON'T PRINT!! HELP!!! OH AND BY THE WAY WHAT'S THAT SMELL?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The PS2 was restricted for export because people thought Saddam would use them to build missile guidance units. We're using the PS3 to crack encryption. I can't wait to see what uses they'll think up for the Playstation 4. Nuclear simulation?
If memory servers, the cell platform in a PS3 doesn't allow you to use all of the cores when you're running linux. So, for the price of a new ps3, they could just as easily use commodity hardware from last year and probably get better throughput.
You must be young. Go download War Games.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
That is the only thing they use them for... Wink, wink, nudge, nudge, Know what I mean?
If I were God, wouldn't I protect my churches from acts of me?
Each PS3 is capable of 4 million passwords per second
4 million passwords a second what?
No sig for you!!
could this be used on the public end as well? And if a ps3 can break encryption that well, could it make it?
Good to know when the Government is cracking the encryption implemented by the public it's "cracking down on child pornography." When it's the public cracking encryption implemented by corporations it's a violation of the DMCA.
More Twoson than Cupertino
So, with a brute force attack, I've only got 36,030,233,524,592,808,479,552,335 years before they will reach mine!
"He explained that the number of possible combinations in a six-digit password is 256 to the sixth power."
Um, only if the person uses characters that can't be typed on a normal keyboard.
In practice, the password "alphabet" is either 26, 52, 62, 84, or some other number not much above 84 characters. 84^6 is much less than 256^6.
However, in practice, people who fear the cops will use a lot more than 6 digits.
If the passwords are decent passphrases of, say, 6 words, taken out of a dictionary of even 2,000 common words, that's 2,000^6, or "still not that big of a number" as it's known in the security field. And that's if the person makes it easy by not using any spaces, using all lowercase, etc.
The real smart crooks encrypt their stuff in a way that nothing short of banging them over the head with a $5 pipe wrench will ever reveal.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
At least they didn't claim to use Wiis for that!
Renewable Energy Simulations.
Yours In Peace,
Kim Jong iL
ICE is hoping to buy 40 more original PS3s, through auction sites such as eBay.com, to add to the 20 it already has, Davenport said.
Assuming they have 1 or 2 in a testbed environment, we are probably talking 18 or 19 actively crunching numbers. Maybe 20 if the testbed machines also play ball.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Really what is the problem with this. These computers are being searched AFTER a judge issues a search warrant. In other words constitutional law is being followed to the letter in this case.
So what is the problem? Because it may involve child porn and you think that it is harmless? Well some of those computers have pictures of the victims "children" and the criminal act happening.
There is nothing wrong with this legally.
And having a fit about it is a clear case of calling wolf.
I am sure this will be used in any investigation that involves a computer and not just for child porn.
Complaining about the legal search of a computer after a warrant is issued is just stupid.
BTW I am sure that the NSA has much better systems based on FPGAs and Cell chips for breaking encryption than PS-3s but we will never hear about those and that type of wiretap without a warrant is what I am worried about.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
assuming a perp uses a password from a set of 26 letters to choose from, it will take roughly two minutes to brute-force an 8-letter or fewer password with 40 Ps3's. (26^8 + 26^7 + ...) / (40 * 4 * 10^7). wow, that's great! but....
assuming a set of approximately 90 characters to choose from, it will take approximately a month :(
Linux was supported on PS3 before the latest model, they could be using the older units...
Or it's quite possible they simply wrote the needed drivers to work with the updated PS3 units.
Neither is cracking the console nor against the law.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Imagine a Beowulf cluster of these.
" Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."
You know, if you buy that one, I have this little red bridge I'd like to sell you.
I knew a guy once who worked closely with anti-kiddie-porn cops. They rotated those guys off fairly quickly so they wouldn't go insane. What you see on Law & Order with the same cops doing the kiddie-smut patrol year in and year out may work for Munch and Stabler but it doesn't work in the real world.
Also, in the real world I'll be a cop's donut you don't get to do that kind of work in a decent-sized department unless you are emotionally stable, in a stable romantic relationship with another adult or had one in your past for a long time, and have a history of not getting irrational and emotional at the sight of disturbing visuals, while at the same time not being stone-cold about it either.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Can we waive the Constitution and give these brave law enforcement folks a billion trillion dollars to buy PS3's? This is about fighting CHILD PORN.
Child porn is almost as big a threat as terrorism. ALMOST.
Firstly, basic error: it's not going to be 256^6. That's six bytes, not six characters. But your passphrase very, very probably does not contain zero-bytes, and very probably not control characters. Entropy of passphrases is almost always quite a lot less than 8 bits per character. And you try common dictionary attacks first of course, which is what this is really used for. Or Rainbow table generation.
Secondly, the use of PS3 in crypto attacks is not news; most of the massively-parallel crypto/computational stuff Cell was aimed at in the workstation sector actually ended up causing labs to buy hundreds of cheap commodity PS3s instead, which ended up being way more cost-effective than the overpriced Cell workstations, with only one more SPU each. The MD5 SSL "tunneled" collisions were calculated using a 200-strong PS3 cluster, for example.
It's rather unfortunate the "Other OS" thing was taken out for the slim, because running using less power and heat would have been helpful for clusters, as AccessData points out in the article.
However, they've now fallen somewhat behind, because modern graphics cards (see ElcomSoft's recent work, for example) can use CUDA or various shaders to get quite a lot more power for exactly this kind of computation, and it's made the PS3 approach almost obsolete overnight. A PS3 Cell can push about 20 GigaFLOPs, optimally (source: Folding@home). Impressive when it came out. But a fast quadcore CPU today is 70 GigaFLOPs. And your £150 4870 X2 not only plays a mean game, in the right circumstances it's 30-100 times faster at password cracking than a PS3 Cell. You could buy just one ordinary gaming PC, put a couple of 4870 X2s in it, like I don't doubt many of us have, and clean the clock of this entire 60 PS3 cluster, for a fraction of the price and running cost. And, the extremely rapid rate of development in graphics card technology means it's getting faster, rapidly (the R800 is about 3000 GigaFLOPs).
Thirdly, this attack is totally, stunningly ineffective against a good passphrase, which anyone who'd done their homework, or read the documentation of the crypto software, would know to use. A 6-word random "Diceware" (google it) passphrase (or the equivalent, roughly 16 randomly-chosen lower-case letters) wouldn't be crackable with anything of this magnitude in the next few years, making such an attack impractical. 10 random Diceware words (or a 22 alphanumeric mixed-case passphrase, or 28 lower-case letters) would get you over 128 bits of entropy and make any attack of this kind beyond anyone's reach for the foreseeable future.
Fourthly, because of the above, a dumb brute force attack like this, after the fact on hard drives you've seized, is decidedly the wrong way to do it. The right way to do it is to get a bugging warrant and plant a hardware keylogger or observe the passphrase being entered, then seize the hard drive. That's what the FBI do when they're actually being serious, say with Mafia bosses. (Or coercion, but there's the 4th Amendment barrier to law enforcement doing that.)
Fifthly, it mentions paedophiles for apparently very little actual reason. Brass Eye moment, right there. It's a transparent appeal to emotion used to grab headlines with little actual substance. I don't actually see where it mentions any convictions as a result of this. (That's odd, surely you'd be crowing about successfully bringing child molesters to justice if there were any successes, wouldn't you?) And, this isn't the FBI in this article, this is ICE. Odd, again; surely the wrong agency for child protection work? Is there a point to this other than to say that ICE just bought 40 PS3s off eBay? 60 PS3s, as I said above, ain't gonna get you far.
And finally, the dude says "There's no controllers hooked up". I'd just like to point out that that does not say they're not playing them; PlayStation®3 controllers are wireless, so almost by definition, unless you're charging them... they're not hooked up. Hmm. Now if there were no monitors hooked up, maybe then I wouldn't be so sceptical... :)
Seriously, who does this? Forgetting about the whole "oh look we can spy on our citizens better" thing, if you have a 128 bit password, and lets assume that, for whatever reason, it's really only 100 bits. Then we have 2^100 possibilities. Further, lets assume than instead of 4 million a second, they meant 4 TRILLION a second, so 4 million * 1000 * 1000.
2^100 = 1267650600228229401496703205376
Divided by 4,000,000,000,000 = 316912650057057350 seconds, which is 3667970486771.497110812219922963 days, or 10420370700 years.
10420370700 years.
gl hf
--Valid password characters --
26 * 2 = 52 letters
10 * 2 = 20 numbers/symbols
10 * 2 = 20 other symbols
92 usable characters
92^8 = 5,132,188,731,375,616
92^9 = 472,161,363,286,556,672
--Break Speed--
Speed = 240,000,000 / per second
--8 character password--
5132188731375616 / 240000000 = 247 days
--9 character password--
472161363286556672 / 240,000,000 = 22,770 days = 62 years
Yes. ;-)
Use long passwords for encryption (minimum 10 chars, preferably 20). Use upper-case, lower-case, numbers, and symbols. Do NOT use the password anywhere else or write it down. Sorry, but you're going to have to commit it to memory. Do not use windows built in encryption or any retail encryption schemes. Use open source. Truecrypt is not open source, but people use it anyway, so read up first before you decide.
http://afp.google.com/article/ALeqM5itMBF-kPRgoyoD97Y_DtvcyItGSQ :)
FARC data was opened after
"It took Interpol two weeks running 10 computers simultaneously 24 hours a day to break into the encrypted files, the agency said." in 2008.
C3 seems to be funded with extra millions so whats missing with this story?
Why buy toys? Toys have cheap bottlenecks as "Halo" at 620p showed.
Sony PR, a cry for funding and power ? Why this dependance on Sony suburban plastic?
If federal agents find more PS3's via forfeiture laws, this might allow a super grid of units?
Also shows how good MS and archive encryption is
Real world numbers:)
Domestic spying is now "Benign Information Gathering"
As we all most likely know, It would be impossible* to actually try 4 million passwords per second. I'd be willing to wager the actual headline should be:
"PS3s have been purchased to calculate 4 Million hash-table lookups per second."
Step 1: load hash table to RAM.
Step 2: let the brute force CPU bang away at it till it finds a match.
4MFLOPS seems much more likely.
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
It sounds like they are guessing passwords rather than cracking keys. But is there any advantage in using a CELL processor for this?
AES, for example, is the encryption standard used by PGP's whole disk encryption. From
http://en.wikipedia.org/wiki/Brute_force_attack:
"AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2128 times more computational power than a 128-bit key. A device that could check a billion billion (1018) AES keys per second would require about 3×1051 years to exhaust the 256-bit key space."
Hence my thought that they are not cracking keys.
There is a difference between cracking encryption and the password used to secure the encryption. The article says they are using the systems to crack passwords, not encryption. The submitter has a reading problem.
look up a bit
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Ok, leave the data in the cloud and travel with a laptop with a 100% blank drive and an os install disk to use when you get there.
If the smart crooks are using any version of Windows
ROTFLOL Oh you slay me with your humor and wit!!!
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
http://ciphersaber.gurus.org/
No sig today...
Is this why SONY introduced the slim? Some company scooping up a large number of PS3, on each Sony takes a loss on, for computation purpose with no intend of buying game?
They could have just asked Red Octane to release "Child Porn Encryption Hero".
The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
If the perp's not crypto-savvy, this will work pretty well, I think. I use John The Ripper for password cracking the machine I admin, and it actually catches people from time to time. Once back in college (when computer people were friendly to this sort of thing) I wrote and ran a naive password cracker using /usr/dict/words--it caught an instructor with the password "sunshine". Most people, including most child pornography enthusiasts, will use shitty passwords.
If the perp uses 160 characters of plain English text, however, the PS3s are going to have their work cut out for them, cracking passwords in an average of 300 trillion years per.
I'm pretty sure the PS3s will be out of warranty by then, but the C3 will be able to run 37 quintillion full-speed PS3 emulators on the Dimension 37 Interuniversal Hadron Computer.
I'm sure Sony loves this! They get to subsidize the cost of the PS3s without ever recouping licensing fees. Even with subsidies, Isn't there a more cost effective Cell solution?
My 8800GT gets about 100 million passwords per second when cracking MD5 and SHA1 hashes. I thought the CELL was supposed to make the PS3 faster?
Seems to me that a reasonably well designed OS would lock after 4 password attempts. How are they entering all these passwords w/o the system balking?
i'm asking because i don't know, please don't mod me a troll for not knowing something.
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
even if they had the top500 supercomputers dedicated to breaking an encryption key, its still going to take a few thousand times the age of the universe to check every possible key. not to mention all the energy requirements. 30GW-years just to generate all possible keys in the 128-bit key space assuming you'r at the limit of what is possible and operating at 300K. and then many many times that to actually perform the checks.
also, why use PS3's when you can buy up some cell servers and chuck some CUDA capable graphics cards in for some real crazy power.
Now, when we get some quantum computers capable of performing at a useful level then i might worry. but by then we'll have quantum encryption or something which will be nice and secure.
With the planned 60 PS3s assuming they brute force it and worst-case. It will take them:
/. crowd are there any good alternatives to passwords that are feasible? Something secure. Something that can be implemented on websites. What do you think we should be working towards? Is there already something in place that you can give an example of?
At 8character passwords w/ letters and numbers only, 3.3hours.
Upper and lower case increase that figure to 10.5days. (With 9 characters 7.15years)
84character set brings us up to 119.5days.
Note: I just used x^8 which isn't totally accurate, the numbers in reality are a bit larger but it doesn't matter much.
This makes me wonder in case this is true. We are running up to a physical limitation in the human brain. People already have trouble memorizing the dozens of 8character passwords. 9 characters will hold moores law off for a few more years (not the precise meaning of moores law but you know what i mean). The problem is also that people are getting more accounts for things. Most people even today use the same passwords for a variety of things. I'd say almost all people.
So I ask the
Good thing the government is inept and everything they do is an unmitigated failure!
Surely to load custom code on these PS3, they must penetrate the console DRM. Didn't Sony sued people for doing this sort of things?
Speaking of "innocent until proven guilty:"
http://www.breitbart.com/article.php?id=D9C1VP3O0&show_article=1
So Obama says that Khalid Sheikh Mohammed will be found guilty in a criminal court in NY. What then is the point of putting him on trial there instead of in front of a military tribunal (you know, where wartime enemies of the US have always been tried)? Why the dog-and-pony show if there is no presumption of innocence? If we put him on trial in a criminal court, then he is entitled to a presumption of innocence, and all the rights that go along with that (such as confronting all of his accusers, be they deeply embedded spies or not). If he MIGHT be innocent, then why the heck are we blowing up his country? The answer is that this is more of the same political posturing and gamesmanship that Obama promised to put a stop to. Once again, Obama has proved himself to be all hat and no cattle. Mr. Obama, why are you wasting the taxpayers' time and money with what you have already acknowledged is a show trial, put on solely to make the rest of the world feel all warm and fuzzy about us?
This must be why the 3rd party OS option was removed from the Playstation Slim! SONY *loves* them some customers! {cough}
It amazes me with things like the IBM QS21 and the mercury blade servers that the cheapest solution is to get a piece of hardware like the ps3 with so many extra components not needed for number crunching.
The cell was designed for floating point calculations. Cracking requires a lot of integer calculations. You won't get the benefits that science and graphic applications get like folding@home.
heavily indebted country turns to externalities to solve problems. The externality being that Sony sells PlayStations to sell games... no shit the new slim version is locked down. Sony is not in the business of subsidising broke-ass governments.
My 8800GT gets about 100 million passwords per second when cracking MD5 and SHA1 hashes. I thought the CELL was supposed to make the PS3 faster?
[Citation Needed]
Sorry to be an ass but that sounds a little outlandish...
I've done a lot of password-cracking math, even toyed with the idea of writing an academic paper on it. Generally, I work on the (generous) assumption that a well-groomed single node can chunk through 100k passwords per second and that things scale perfectly, so 20 nodes would work through 2M passwords per second. They're claiming their 20-node cluster can handle twice that, and I fully believe it. Powerful GPUs are known to perform extremely well on password cracking, and PS3s certainly have them. That's twice the performance for half to a fifth the cost. Nice, but not "OMG."
They plan to scale up to 60 nodes, which is 12M pass/s. To break a 8-character monospace password (37 bits of complexity, which is pretty weak), it would take just under five hours ( 26^8/(12*10^6) /60/60 ). However, to break an 8-character alphanumeric password (case and numbers), that becomes seven months ( (26+26+10)^8/(12*10^6) /60/60/24/365*12 ).
This is only scary when you have a super-intelligent dictionary attack. Scrape the hard drive and any subpoenaed documents for words and add that to a dictionary of common password parts, then perform your dictionary attack -- dreadfully powerful. To avoid falling victim to this, a good rule of thumb is that words are awesome to use, and they're more secure, but they're only about as secure as two random characters (three with a rich vocabulary including 3 or more of: arcane words, uncommon foreign words, uncommon misspelled words, uncommon proper nouns, l33t-speak ...). So that 13-char "secure password" you use that looks like metropolitan8 effectively only has three or four characters to a dictionary attacker, and that clever 14-char password of spageti4dinner has only five or six, depending on how good the attacker's dictionary is at misspelled words. A tip: put punctuation inside your words to break them up (without forming words), e.g. metr[opo;%litan8, and you've pretty much defeated the dictionary attack.
Use my userscript to add story images to Slashdot. There's no going back.
Seriously, this whole article sounds like a load of horsebull. As far as I know, things like RSA and AES use integer math for the encryption and decryption schemes. It therefore doesn't make much sense to use a product designed for large numbers of floating point operations, as I would imagine the PS3 is. I'm actually pretty curious how many GMIPS the PS3 can perform. In any case, why would they pay for a device that contains all sorts of hardware ancillary to the core processing task. For instance, any gaming system is going to have a fairly powerful GPU, as well as extraneous RAM and sound hardware, etc. Also, in terms of the 4 million passwords or keys or whatever per second, I just wrote a very minimalist C program to try cracking passwords on an encrypted disk image I just created and it was definitely not reaching 4 million tries a second on my Core 2 Quad...
which is too bad. You can no longer install linux on it. I keep hoping (against hope) that Sony will release the full SDK and really allow people to use the power of the Cell. Throw us hobbyists some love, Sony. Tell us what we gotta do.
how do they prove that the owner of the computer put the child porn on the system?
Just like many warez groups and pedo groups they use technology to house their "goods" on systems with exploits.
Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.
Naturally. (*wink-wink* *nudge-nudge* say no more...)
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
4 megaflops seems more like? For a cluster of 20 PS3's? Are you posting from 1983 or something?
(Brute-forcing keys is fairly foolish with modern encryption systems, but brute-forcing passwords isn't.)
Only if the person who created the password used lowercase letters, and kept it under 7-8 characters. Around 8 characters, things get expensive VERY fast.
Example: 6 mixed case, numbers, plus punctuation marks (only those on number keys): 140BN combinations, which would take 9.6 hours.
Not very good, right? Well, make it 8 characters, and they're looking at roughly 722 TRILLION combinations, or about 5.7 YEARS (provided I didn't make any power-of-ten mistakes.)
Please help metamoderate.
While TrueCrypt encrypts what makes it real good is it hides files.
Falcon
Should there be a Law?
actually they're using the ps3's to play rock band and gta 4. but the higher ups wouldn't let the purchase order through without a more official sounding reason...
put punctuation inside your words to break them up (without forming words), e.g. metr[opo;%litan8, and you've pretty much defeated the dictionary attack.
I tried that once and was told I could not use a punctuation mark. I mix alphanumeric characters though.
Should there be a Law?
Did they figure out a way to access the GPU on the PS3 through Linux? As far as I can tell, the GPU is not accessible to linux and some of the RAM is unaccessible as well. Linux runs more like it would on virtual machine than it would running as a native OS. Most of my info comes from forums related to PS3 modding for home theater PCs and Im no expert. Anyone care to elaborate? If the GPU is really locked out, then are these guys just using a pretty average PowerPC computer with a few extra processors?
"4MFLOPS seems much more likely."
For a PS1 maybe.
I.T. Guy gets called into his Bosses office:
"PS3s, huh? What? On invoice... right, ooooh, those PS3s... oh, hmm yeah I ordered those, they are for... uhm... they're for breaking passwords to... crack down on... hmm, child pornography. Right! Yeah, that's what they are for. The guys are just finishing testing the... the hardware. I'll go check on them."
*Runs back to desk and hides copies of Modern Warfare 2*
It should be. If you don't know what you're talking about, you have your choice of not saying anything or doing some research. I don't think there's any excuse to spread misinformation, even by implication!
I modified code from this SHA1 cracker. Good enough evidence?
Fat PS3s are built
No, fat PS3s were built. Sony has since discontinued the form factor.
...they should check under the mousepad
Those of us who think they know everything annoy those of us who do.
Fair enough. Sorry to doubt you at first, but at the time it seemed there was no basis for your claim.
You should take a look at www.distributed.net. Supposedly the RC5-72 challenge could end in 6 months with about 100 PS3s contributing.
I have a custom password entry box whereby I enter a filename, offset and length and then it grabs the password from inside of the file at the offset and length I specified. The filename can by ANY file on the whole machine (or on removeable media like a USB key).
PS3s use the Cell microprocessor.
Falcon
Should there be a Law?
Innocent until proven guilty disappeared slowly, but surely... bit by bit... a long time ago in the USA. Think of drunk driving check points... if everyone is presumed guilty, until proven innocent... then nobody is innocent until proven guilty. Same thing as scanning everyone at the airports. Guilty until proven innocent.
The Cell is the CPU, not the GPU, of the PS3. Anyone saying the CPU is powerful because of its GPU is wrong. The GPU in the PS3 is actually kinda weak, but the six 128 bit vector processors hanging off the back of a main processor in the Cell are quite fast. Not as fast at SOME tasks as something capable of running CUDA code, but still really fast and far more general purpose.
That said, for this application I don't know why they aren't using something like a machine with a few NVidia graphics boards in it.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
regarding your sig
I once had a printer catch on fire. At least the paper. It had four big matrix heads with big selenoids driving the wires. They drew quite a bit of current. One jammed up the wires, heated up, and paper started smoking and charing. Naturally, it was the payroll checks, but as a result I was keeping a close eye on them. Only time I missed payroll deadlines.
Democratic People's Republic of Korea ... and they've abandoned democracy, a republic, and their people ...
No, North Korea is still a republic, there is no monarchy in North Korea.
Falcon
Should there be a Law?
If memory servers, the cell platform in a PS3 doesn't allow you to use all of the cores when you're running linux
It's the hardware Sony includes on PS3s that don't work well with Linux. IBM supports Linux on Cells.
Falcon
Should there be a Law?
So, with a brute force attack, I've only got 36,030,233,524,592,808,479,552,335 years before they will reach mine!
If that figure is accurate and (very) precise, I can actually go and compute what your password is ;-)
I know there are plenty of real pervs out there, but are the authorities really seizing so much suspected, carefully encrypted kiddie porn to necessitate systems of this magnitude and complexity? My suspicion is that they are using this for "off the record" uses, as well as legitimate ones. Surely some criminally perverted folks are smart enough to use some sort of electronic security measures to protect their stash, but how many, out of how many pedophiles there are, and how many of them are caught and have their filthy computers analyzed? I guess politicians and appointed officials can't ask about supposed anti-child porn measures, just as no one can question anything done in the name of patriotism, fighting terrorism, or when something like cancer prevention is involved. Or is this problem that much bigger than the rest of us take it to be?
This is a hacked account, for which the owner can not be held responsible.
Have you read any of his books? I haven't yet but I've thought of buying one. From what I've heard or read about him I'd like him on the US Supreme Court as a Justice.
Falcon
Should there be a Law?
TrueCrypt is open source and is available for download from Source Forge, which hosts open source projects. And here's the downloadable source code.
Falcon
Should there be a Law?
If the child porn smuggler is smart and careful, 20 PS3's won't be anywhere near enough to break strong, modern, encryption.
If he's dumb, there will be an easier way to decrypt the suspect data. Maybe the perp left the encryption key in plaintext somewhere, or used an obvious passphrase, or a weak or buggy encryption software.
There's no happy medium. What can you break with 20 PS3's? Maybe 56-bit DES?
While the key of DES is easy to brute-force today, and 80-bit keys are becoming questionable, 128-bit keys of high-quality algorithms are thought to be unbreakable via conventional (non-quantum) computers for the foreseeable future. There's a reason that the NSA is the second-largest electric utility user in Maryland...
My bicyles
Some of the system I used allowed to enter with alt+3 digits other ascii char like 00. You just need to know and try if it allows it or not, taking the risk that a later update will break it down, but that is valid only if you updates on regular basis. I do not use that trick anymore but when i use a passphrase for important stuff, there is no space but the dictionary word are distorted (1 br3ak [th!s] 0_n_e) and mixed with various char like ,;:.-_+/ etc... 6 words out of a dictionary is not a decent passphrase *at all* as you can use dictionary. 6 word warped and mixed with various char is neigh unbreakable.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
That would only works if the password is kept on a temporary file. Otherwise there is no reason whatsoever the password would be anywhere on disk. And that does not work at all if you use a bootable CD.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Aside from the fact that adequate grounds exist for military jurisdiction based on the Pentagon portion of the attack - and the fact that the act KSM is most likely to be charged with conspiracy, which certainly occurred outside of the U.S. - the analysis is far more complex if one has a basic understanding of criminal procedure. The very high standard of proof required to convict in a criminal court, and the complexity of the rules of evidence - particularly when considering the difficulty of trying a conspiracy charge. Hell, as a law student, I spent untold hours just looking at hearsay and its numerous exceptions. Not to mention the issue of evidence extracted during and after water boarding sessions and other interrogation
I obviously haven't seen the prosecution's evidence in full, but if this were a more traditional criminal charge, I'd wager that they would have one hell of a tough row to hoe. Keep in mind that, if the law is applied as it should be, a jury may only consider evidence that has been admitted before the Court. If vital bits of evidence are excluded--a scenario that is certainly feasible--can the prosecutors successfully prove the elements of the crime KSM is charged with? If not, in a real trial, he would have to be let free.
Of course, this isn't going to be a real trial.
Assume that KSM is acquitted. There is obviously no chance he'll ever be released, nor could he be released onto U.S. territory at all, of course, under the Immigration and Naturalization Act. A real criminal trial would carry with it the vagaries and risks associated with any criminal trial, no matter how "air tight" a case is (e.g., O.J. Simpson), and the possibility of an acquittal and release.
I fear what we have here with the upcoming KSM trial is more of a show trial. The conviction, execution, and virtually pre-determined, or at least that is how Obama is treating it in statements to the press (as a lawyer and former law professor, he should know better, as he acknowledged with his subsequent ass covering).
Aside from some of the more obvious questions (Why a criminal trial for only this handful? Why are military tribunals "good enough" for the rest? Why has Obama shifted support from the military tribunals he once supported specifically for KSM to the civilian courts? How will classified evidence be handled? Will KSM truly be given full access to all the evidence against him, including names of informants?) are the more larger concerns. Why a show trial for this person? Why now? Will show trials become the norm for the particularly loathsome among us? For those it is more politically convenient for the president to try via show trial? Is this the direction we would like to go in?
If this were to be a real trial, it would be a demonstration of the Obama administration's willingness to take unacceptable risks on national security, particularly since a much friendlier venue is allowed under law and some of the trickier, thornier aspects of the law can be avoided. Instead, it may prove to be a perversion of the criminal justice system, which has rules that are much better established and protect every single American citizen. Why open the door to show trials?
... suuuuuure.
Purely as a novelty, the geek might ask himself what ICE is and what it does.
U.S. Immigration and Customs Enforcement has quite a lot on its plate, as this list of Programs would suggest.
The Cyber Crimes Center (C3) Child Exploitation Section (CES) investigates the trans-border dimension of large-scale producers and distributors of images of child abuse, as well as individuals who travel in foreign commerce for the purpose of engaging in sex with minors. The CES employs the latest technology to collect evidence and track the activities of individuals and organized groups who sexually exploit children through the use of websites, chat rooms, newsgroups, and peer-to-peer trading. These investigative activities are organized under Operation Predator, a program managed by the CES. The CES also conducts clandestine operations throughout the world to identify and apprehend violators.
C3 brings the full range of ICE computer and forensic assets together in a single location to combat such Internet-related crimes as:
* Possession, manufacture and distribution of images of child abuse.
* International money laundering and illegal cyber-banking.
* Illegal arms trafficking and illegal export of strategic/controlled commodities.
* Drug trafficking (including prohibited pharmaceuticals).
* General Smuggling (including the trafficking in stolen art and antiquities; violations of the Endangered Species Act etc.)
* Intellectual property rights violations (including music and software).
* Immigration violations; identity and benefit fraud
The phrase "images of child abuse" is telling. This is how the professional in law enforcement defines child pornography.
Operation Mango -- An extensive investigation that closed down an American-owned beachside resort in Acapulco, Mexico, which offered children to sexual predators. The resort was a haven for pedophiles that traveled to the facility for the sole purpose of engaging in sex with minors. The proprietor of the business was convicted. As a result of this investigation and others, the government of Mexico recently created a Federal task force to address crimes against children in its country. Cyber Crimes Center
The VGTF is an international alliance of law enforcement agencies from the U.S., UK, Australia and Canada, working together to make the Internet a safer place; to identify, locate and help children at risk; and to hold those who commit on-line child abuse appropriately accountable. On-line child abuse includes activities such as searching for, sharing and downloading images of children being physically and sexually abused and engaging children in chat rooms with the intention of committing sexual abuse both on and off-line. The VGTF delivers innovative crime prevention and crime reduction initiatives to prevent and deter individuals from committing on-line child abuse.
ICE also partners with several Non-Governmental Organizations, including the National center for Missing & Exploited Children, Netsmartz, World Vision and Rape, Abuse and Incest National Network, to fight crimes against children. Operation Predator
ighashgpu bruteforces Windows NTLM password hashes at a rate of 2.4 billion password/sec on a single GPU (HD 5870). What does this mean with respect to TFA and its measly "4 million/sec"?
Many of the discussions here completely miss the point that bruteforcing rates depend entirely on what is being bruteforced. For example if you look at JtR password hash bruteforcing benchmarks you can see rates with a Core i7 920 anywhere between a measly 758 password/sec (bcrypt) up to 14.6 million password/sec (LanMan). This spans 5 orders of magnitude! It's the same for encrypted files. For example PGP files encrypted with a symetric key issued from the Simple S2K mechanism can be bruteforced at millions of password/sec with a regular CPU, but this can drop to only a handful of password/sec if Iterated+Salted S2K was used with a decent S2K count...
Therefore all these discussions about whether "4 million/sec" is good/bad/improbable are completely irrelevant since the article is devoid of any info about what is being bruteforced.
I reckon that by replacing the word 'method' with the word 'methodology' they made themselves 45% smarter and that boosted their ability to decrypt stuff.
Sheesh! Nothing like using a longer word to replace a shorter one to convince yourself that you're smarter but make everyone else realise that you are dimmer.
Yeah. Because if the fucking retards who run the legislature pass some outrageous bill against thought crime or victimless crime which gets signed into law by a President or Governor who is devious and pandering enough to be elected by a majority of the drooling morons who make up the voting citizenry, and then some prosecutor who has something against my politics and has the goods on some judge and gets a baseless warrant at three o'clock in the morning; then I must be guilty as Hell, right?
This news is obviously fake... how it got on Slashdot is even more interesting!
The Cell (at least the usable portion) is less than twice as powerful as the xbox 360's tri-core cpu. The gpu is weaker than the 360's, and it is slightly more powerful than the cell, but even harder to program for. Overall, both consoles have a similar theoretical performance.
The cpu+gpu put together in either one are still outclassed by just your 8800GT, let alone a modern gpu (the GTX 285 is single-chip and readily available, and 3-4x as powerful as your 8800). This is all working in single-precision, and I can't find any single-precision performance numbers for a modern cpu, but I'd bet that they easily outclass PS3s too.
Though the article makes it sound like they chose PS3s for their performance/cost ratio, so the fact that it doesn't have top-end outright performance is perhaps irrelevant to them. I still think they should have got a cell-chip-based blade server, using the double-precision version of the cell chip (which is not the one that's in the PS3), and probably would have access to two more SPUs (the PS3 reserves one for OS and has one disabled for yeild) per cell chip. Knowing reporting these days, that's probably what they did get.
Two words: Rainbow tables.
One word: Salt
I lost my sig.
"Fascinating."
I honestly had no idea that government was capable of thinking this far outside the box. This is cause for either great optimism, or equal fear, depending on your perspective.
Hm, 60 PS3s chrunching away at 4 million passwords per second each. Giving a total of 240 million passwords tested each second.
My TrueCrypt volume has a 19 character alphanumerical password, not truly random but nothing you can use a dictionary against. Only lowercase + numbers but still more than 30 characters to choose from.
Given that they knew all this and tried to brute force my password using their PS3s it would still take them more than 1535 billion years...
I think they need to up their game or go a totally different route if they ever want to be able to look inside my harddrive and prosecute me for any of its content before I'm burried in a chest...
Just a small note to all those clever people who are calculating the time taken to perform an exhaustive keyspace search on the potential passwords.
We should distinguish between the MAXIMUM time taken to exhaust the symbol space, versus the AVERAGE time.
Assuming uniform distribution of passwords through the space, and a sufficiently large sample of challenges, we would naturally expect the time taken to find the correct password to converge on n/2 -- i.e., half of the maximum time.
Thus, if a symbol space can be exhaustively searched in one year, on average, finding passwords with a similar difficulty level will take an average of 6 months, with a typical normal distribution.
Paul Gillingwater
MBA, CISSP, CISM
You talk nonsense. The PPE is about the same as the 360 tri-core, and the 7 usable SPEs are each capable of some stupidly high single precision maths numbers. A quick looking on folding@home shows a single PS3 outputiing 10x what a GPU based algorythm is kicking out.
You tripe sounds like the usual copy and paste nonsense that all Xbox owners seem to be programmed with.
I can't find any single-precision performance numbers for a modern cpu, but I'd bet that they easily outclass PS3s too.
It depends on the benchmark. The IBM whitepapers on the Cell have a matrix multiplication program which (after quite a bit of tuning) went just over 200 gflops. A Core2Duo has a theoretical peak of about 15 gflops.
Of course the C2D will be much faster than the Cell with most general programs, but with math that parallelises well and that you spend some time hand-tuning, the Cell can be very quick.
I did find that the Intel Core i7 has a theoretical of 70 double-precision gflops. The single-precision number should be much higher, as the Pentium 4 apparently managed 70 single-precision gflops.
Still, compared to the top-end gfx chips' over 1 TFlop of power, the cell is weedy.
Link: http://www.tomshardware.com/news/Asus-Nvidia-Supercomputer-Cores-960,8943.html I know it costs more but when you consider you'll get 1.1 teraflops of power, it'll munch away at a mental speed. All this in a standard PC tower!!!
Not sure why you insist so much about the presumption of innocence being established by the US as "...we know it today". It seems it goes really far far back in time at least to the Roman Empire. http://faculty.cua.edu/pennington/Law508/InnocentGuilty.htm
Dear
Why would you want the double-precision version? Crypto is all about integer math.
The "double-precision version" I was talking about wasn't for its double-precision capabilities, more for the fact that it's a newer and more powerful version of the cell chip in general. My apologies for not being clearer.
it's not just finding out what's on a pc that's a worry. they could plant child porn just as easily. indict the target. BLAMMO! you are now a child molester and THEY have PROOF.
So here are some stats calculated at worst-case for 60 PS3s doing brute force cracking:
/. crowd are there any good alternatives to passwords that are feasible? Something secure. Something that can be implemented on websites. What do you think we should be working towards? Is there already something in place that you can give an example of?
8-character passwords w/ letters and numbers only: 3.3 hours.
Upper and lower case: 10.5days. With 9 characters, it's 7.15 years
An 84-character set brings us up to 119.5 days.
Note: I just used x^8 which isn't totally accurate, the numbers in reality are a bit larger but it doesn't matter much.
This makes me wonder in case this is true. We are running up to a physical limitation in the human brain. People already have trouble memorizing the dozens of 8character passwords. 9 characters will hold moores law off for a few more years (not the precise meaning of moores law but you know what i mean). The problem is also that people are getting more accounts for things. Most people even today use the same passwords for a variety of things. I'd say almost all people.
So I ask the
Hear ye, hear ye!
The PPE is almost exactly the same as a single core of the 360's chip. The SPUs are each about the same as well, but their power is limited by insanely small local memory and huge latencies to the main memory (to the point where they can't read it directly, they have to issue DMA transfers).
This gives the PS3's cell theoretically 2.3x the performance of the 360's cpu (1 PPE + 6 SPUs in the PS3 vs essentially 3 PPEs in the 360), but in practice less than 2x. When running games the OS reserves one SPE, and one is disabled to improve manufacturing yield, which is why I say 6 SPUs. I don't know if the 7th is available to use when the PS3 is running Linux, but I doubt it.
Folding's own PS3 FAQ says that "The GPU client is still the fastest", blowing your claim of "a single PS3 outputiing 10x what a GPU based algorythm is kicking out". In fact, the stats page shows GPUs contributing more TFLOPS worth of work units than PS3s, with fewer active clients, suggesting that GPUs are on average 3-4x as powerful as PS3s.
Lastly, I have been a PS3 and 360 developer for a few years now, so I think I might have some clue about their relative performance.
And before someone mentions it, I was talking in FLOPS because it's easier to find those numbers than integer ops numbers.
If your passphrase is reduced to an SHA1 or MD5 hash (apparently Linux distros use salted md5 for user passwords by default), it doesn't need to be brute-forced. You can generate a collision, the speed of which is affected only by the length of the hash and the available computing power (that is, sha1(password) takes just as long as sha1(I.u5e5^ub3r-l337+p@$VV0rds,y0!*I_R=a#5m4rt3y/m4n!) to break)
http://en.wikipedia.org/wiki/MD5#Vulnerability
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
http://en.wikipedia.org/wiki/Collision_attack
Of course this probably has very few practical uses - It can't be used to break into a TrueCrypt volume, and if someone has hashes (weak or otherwise) of your passwords they've either gained physical access to your PC with an unencrypted disk (and once your physical security is broken, you also become vulnerable to the xkcd wrench attack), or you're a total idiot (or both).
"When information is power, privacy is freedom" - Jah-Wren Ryel
Not one mention yet of plausible deniability. Tell that Customs high-school dropout the "secondary" password, and instead of your child porn/material criticizing the government, they wind up with pictures of cats playing pianos.
What counts is how fast the target of such a brute-force attack accepts the passwords. If it only accepts one password every five seconds, guess what?
Idiot article.
Regards;
This is an *informative* post
You get 2 English-keyboard characters for every 2-byte Chinese character.
So, 84*84=7056, which is a bit more than 4000.
In other news, 25 US Governemtn employees working on breakinf ecrypted passwords lose their jobs for playing Modern Warfare 2 on the clock.
The world is how you make it
Are those 8-bit characters, 16-bit characters, 32-bit characters, or the kind of characters you find in a typical IT dept.
It does make a difference.
Wonder what the PS3's are being used for in between crack attempts.....
My current one is something like "StupidITPassWordPolicy#23"
I can't wait til I somehow get locked out or something and have to call IT help desk to look it up...
Notice length, upper and lower, special chara, numbers..... and know that that number is required to change frequently...
The one concession they made was it used to also compare the only and the new and if ANY part of it was identical it wouldn't accept it (like Password3 and Password4, etc...)
I am sure that not brings down the percentage of people that write their password each week on a sticky note and stick it to their monitor from 95% to 80%... Well done IT genius, well done. Truly we are all more secure for your wonderfully well through out ideas.
-Bitter.
I mis-read my notes; that 100k/s figure for your standard desktop is actually 100M/s and comes from the password cracking competition at distributed.net. According to their current live stats, the fastest single-CPU system (an Intel Core i7 2666Mhz) is cracking ogrng at 204M/s and the average is 5.5M (with a wild standard deviation of 8.6M) and from current live multi-CPU stats, a 4-CPU Intel Core 2 quad-core (16 cores) at 3110MHz is cracking rc572 at 450.8M/s and the average is 36M (stdev=51M). That puts 100M/s at more than a standard deviation above average for even a multi-CPU system and more than ten standard deviations above the average single-CPU system.
The PS3s at 200k apiece look pretty measly now, falling well under the average desktop on Dnet (5.5M). Since even an AMD K6 can crunch away at 300k/s on rc572, it's probably reasonable to say that they're cracking something tougher than anything at Dnet. Generously pinning the PS3 to the Intel Core 2 Quad 3GHz (40M/s) means dividing my Dnet numbers by 200 or multiplying the government's numbers by 200.
At 40M/s times the 60 PS3s, we'd come to 2.4G/s, which can break an 8-character alphanumeric password in a day and an 8-character random printable (includes punctuation et al, 6.5 bits of complexity) in 22.7 days. Bring that to ten characters or six characters plus two words and you're suddenly talking about 500 years. Assuming they actively upgrade with no loss to data (to fit Moore's Law) and you're looking at 9 years ( log2(500) ).
I figure military-grade is probably 10-100G/s (with continuous upgrades according to Moore's Law), which would still take 3-7 years to find a 10-char password but blows through the 8-char password in 4-7 hours.
Use my userscript to add story images to Slashdot. There's no going back.
It sounds like these PS3s are being "reverse-engineered" to run "non-stock" software on them, vis-a-vis password cracking.
I posit a direct and urgent need to determine two things:
(1) Method of operation;
(2) Scope and reach of the program.
This could make for an interesting legal test of DMCA/PATRIOT act laws.
The article doesn't say what type of encryption they are trying to crack...
I assume it's only a fairly limited number of well known encryption programs they target with this, and by using something else you could avoid their attacks quite easily, at least until they implement support for it.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I mean, really, on such a tech-y I'm surprised more people aren't annoyed by Sony's thinly-rationalized retroactive lockout of other OSes! (Personally, it's the reason why I've gone from "yeah, I should definitely pick up a PS3" to "hmm, maybe if I run into a used one I'll buy it, I guess.") It's also interesting that even the U.S. government is locked out of such hardware when a company like Sony decides to restrict "homebrew" uses. There's a lot more to be said on that issue . . .
I remember sigs. Oh, a simpler time!
A 'Monarchy' is a form of government in which supreme power is absolutely or nominally lodged with an individual, who is the head of state, often for life or until abdication, and "is wholly set apart from all other members of the state."
That can is applied to a number of people. Hitler was a supreme leader as was Il Duce and Stalin. More recently, Iran has a Supreme Leader, Ayatollah Ali Khamenei. There are better words than "Monarch" in all these cases. And in the case of Benito Mussolini, Italy had a king while Benito Mussolini ruled, Victor Emmanuel III of Italy.
Falcon
Should there be a Law?