Slashdot Mirror
US Government Using PS3s To Break Encryption
Entropy98 writes "It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."
being used to break encryption
Each PS3 is capable of 4 million passwords per second
Something doesn't match up. For first the different encryption schemes take different times to try even one password, and even more if you combine several of them together. Secondly you cannot try 4 million passwords in a second if its encrypted content, it takes a lot more than that.
Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.
... suuuuuure.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Good to know when the Government is cracking the encryption implemented by the public it's "cracking down on child pornography." When it's the public cracking encryption implemented by corporations it's a violation of the DMCA.
More Twoson than Cupertino
On the old (pre slim) PS3, you can install Linux legally and without any hard or soft mods. This was also possible with the old (pre slim, see the pattern?) PS2, if you bought a hard disk.
So, with a brute force attack, I've only got 36,030,233,524,592,808,479,552,335 years before they will reach mine!
"He explained that the number of possible combinations in a six-digit password is 256 to the sixth power."
Um, only if the person uses characters that can't be typed on a normal keyboard.
In practice, the password "alphabet" is either 26, 52, 62, 84, or some other number not much above 84 characters. 84^6 is much less than 256^6.
However, in practice, people who fear the cops will use a lot more than 6 digits.
If the passwords are decent passphrases of, say, 6 words, taken out of a dictionary of even 2,000 common words, that's 2,000^6, or "still not that big of a number" as it's known in the security field. And that's if the person makes it easy by not using any spaces, using all lowercase, etc.
The real smart crooks encrypt their stuff in a way that nothing short of banging them over the head with a $5 pipe wrench will ever reveal.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Really what is the problem with this. These computers are being searched AFTER a judge issues a search warrant. In other words constitutional law is being followed to the letter in this case.
So what is the problem? Because it may involve child porn and you think that it is harmless? Well some of those computers have pictures of the victims "children" and the criminal act happening.
There is nothing wrong with this legally.
And having a fit about it is a clear case of calling wolf.
I am sure this will be used in any investigation that involves a computer and not just for child porn.
Complaining about the legal search of a computer after a warrant is issued is just stupid.
BTW I am sure that the NSA has much better systems based on FPGAs and Cell chips for breaking encryption than PS-3s but we will never hear about those and that type of wiretap without a warrant is what I am worried about.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Look... are you insinuating something?
If I have seen further it is by stealing the Intellectual Property of giants.
I knew a guy once who worked closely with anti-kiddie-porn cops. They rotated those guys off fairly quickly so they wouldn't go insane. What you see on Law & Order with the same cops doing the kiddie-smut patrol year in and year out may work for Munch and Stabler but it doesn't work in the real world.
Also, in the real world I'll be a cop's donut you don't get to do that kind of work in a decent-sized department unless you are emotionally stable, in a stable romantic relationship with another adult or had one in your past for a long time, and have a history of not getting irrational and emotional at the sight of disturbing visuals, while at the same time not being stone-cold about it either.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Sorry to inform you that your memory isn't serving you. The SPEs work in Linux just fine, it's the videocard that doesn't. In short, Sony doesn't want you to play games under Linux so no one can develop games that run on Linux (cirvumventing Sony's stranglehold on the hardware) for the PS3. Linux games wouldn't need to pay Sony for each game sold as the normal titles do.
There is a difference between cracking encryption and the password used to secure the encryption. The article says they are using the systems to crack passwords, not encryption. The submitter has a reading problem.
Seems to me that a reasonably well designed OS would lock after 4 password attempts. How are they entering all these passwords w/o the system balking?
i'm asking because i don't know, please don't mod me a troll for not knowing something.
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
With the planned 60 PS3s assuming they brute force it and worst-case. It will take them:
/. crowd are there any good alternatives to passwords that are feasible? Something secure. Something that can be implemented on websites. What do you think we should be working towards? Is there already something in place that you can give an example of?
At 8character passwords w/ letters and numbers only, 3.3hours.
Upper and lower case increase that figure to 10.5days. (With 9 characters 7.15years)
84character set brings us up to 119.5days.
Note: I just used x^8 which isn't totally accurate, the numbers in reality are a bit larger but it doesn't matter much.
This makes me wonder in case this is true. We are running up to a physical limitation in the human brain. People already have trouble memorizing the dozens of 8character passwords. 9 characters will hold moores law off for a few more years (not the precise meaning of moores law but you know what i mean). The problem is also that people are getting more accounts for things. Most people even today use the same passwords for a variety of things. I'd say almost all people.
So I ask the
I've done a lot of password-cracking math, even toyed with the idea of writing an academic paper on it. Generally, I work on the (generous) assumption that a well-groomed single node can chunk through 100k passwords per second and that things scale perfectly, so 20 nodes would work through 2M passwords per second. They're claiming their 20-node cluster can handle twice that, and I fully believe it. Powerful GPUs are known to perform extremely well on password cracking, and PS3s certainly have them. That's twice the performance for half to a fifth the cost. Nice, but not "OMG."
They plan to scale up to 60 nodes, which is 12M pass/s. To break a 8-character monospace password (37 bits of complexity, which is pretty weak), it would take just under five hours ( 26^8/(12*10^6) /60/60 ). However, to break an 8-character alphanumeric password (case and numbers), that becomes seven months ( (26+26+10)^8/(12*10^6) /60/60/24/365*12 ).
This is only scary when you have a super-intelligent dictionary attack. Scrape the hard drive and any subpoenaed documents for words and add that to a dictionary of common password parts, then perform your dictionary attack -- dreadfully powerful. To avoid falling victim to this, a good rule of thumb is that words are awesome to use, and they're more secure, but they're only about as secure as two random characters (three with a rich vocabulary including 3 or more of: arcane words, uncommon foreign words, uncommon misspelled words, uncommon proper nouns, l33t-speak ...). So that 13-char "secure password" you use that looks like metropolitan8 effectively only has three or four characters to a dictionary attacker, and that clever 14-char password of spageti4dinner has only five or six, depending on how good the attacker's dictionary is at misspelled words. A tip: put punctuation inside your words to break them up (without forming words), e.g. metr[opo;%litan8, and you've pretty much defeated the dictionary attack.
Use my userscript to add story images to Slashdot. There's no going back.
Seriously, this whole article sounds like a load of horsebull. As far as I know, things like RSA and AES use integer math for the encryption and decryption schemes. It therefore doesn't make much sense to use a product designed for large numbers of floating point operations, as I would imagine the PS3 is. I'm actually pretty curious how many GMIPS the PS3 can perform. In any case, why would they pay for a device that contains all sorts of hardware ancillary to the core processing task. For instance, any gaming system is going to have a fairly powerful GPU, as well as extraneous RAM and sound hardware, etc. Also, in terms of the 4 million passwords or keys or whatever per second, I just wrote a very minimalist C program to try cracking passwords on an encrypted disk image I just created and it was definitely not reaching 4 million tries a second on my Core 2 Quad...
Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.
Naturally. (*wink-wink* *nudge-nudge* say no more...)
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
Installing Linux is a Sony supported function on the PS2 (fat model) and the PS3 (fat model), no hacks/mods needed.
It's pretty simple. The military courts are appropriate for combatants captured on a foreign field of battle. By trying KSM and the others in civilian courts (because the 9/11 victims were civilians on US soil), the case establishes a couple of things that neo-cons don't want to happen:
a) since evidence obtained through torture is ineligible in civilian courts, the information used by the prosecution will be what was obtained before he was tortured. So when KSM gets convicted on the basis of all the incriminating information that was available prior to torture, it will be a strong indictment that the torture used on him was not necessary. The whole neo-con "we had to torture" argument is shown for the pack of lies it is. Since Cheney was the biggest proponent of torture, it's not surprising he's also the most opposed to this happening since a conviction changes his place in history from question mark to a sadistic torturer.
b) it re-establishes the primacy of the standard US criminal justice system for acts committed on U.S. soil.
Basically, if KSM and his buddies can be convicted and put in jail through the civilian courts, it means that the wholesale raping of the Geneva Convention, habeus corpus, and other civil rights by the (neo-con) Republicans was unnecessary. It also sets a strong counter-precedent in case the neo-cons (inevitably) try the whole "Permanent Emergency" gambit again.
So yeah, the neo-cons and their water bearers like Lieberman are seriously against this and using FUD to slam the effort. Big surprise.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
put punctuation inside your words to break them up (without forming words), e.g. metr[opo;%litan8, and you've pretty much defeated the dictionary attack.
I tried that once and was told I could not use a punctuation mark. I mix alphanumeric characters though.
Should there be a Law?
- All those officers and enlisted in the Pentagon would be surprised to know they are civilians.
- Are they going to release KSM if he is acquitted? If not, this is just a show trial and a sham.
- Whatever your stance on waterboarding, they didn't do it to KSM to get him to confess. They did it to acquire intel to prevent further attacks and/or take the battle to Al Qaeda.
- During an interview with NBC tonight, the interviewer asked Obama if people would find it offensive that KSM would receive all the rights of an American citizen in a trial. Obama replied "I don't think it will be offensive at all when he's convicted and when the death penalty is applied to him." Pre-judging much? Tainting the jury?
Come on. This is no trial in any real sense of the word. Other observers have pointed out that no one wants to see this guy walk, so the judges and prosecution will go through any contortion, no matter how ridiculous, to see him convicted. Whatever rulings they issue will then become precedent the Govt can use against everyday criminals (i.e., you and me).
Khalid Sheikh Mohammed is the *enemy*. He cannot be rehabilitated. He cannot be reconstructed. He and his comrades would seek the overthrow of our system of government and its replacement with Sharia law. He is not a common criminal, and it is disrespectful to treat him like one - and you should always respect your enemy. Send him to his god and be done with it.
- All those officers and enlisted in the Pentagon would be surprised to know they are civilians.
The majority of casualties were civilian. This was not an act of traditional war. This is far, far different than the cut and dry battlefield that the Geneva Conventions were based on.
- Are they going to release KSM if he is acquitted? If not, this is just a show trial and a sham.
If 12 New Yorkers can't find this guy guilty, then I am pretty damn sure he didn't do it. And he will not be realeased in the US, no matter what.
Come on. This is no trial in any real sense of the word. Other observers have pointed out that no one wants to see this guy walk, so the judges and prosecution will go through any contortion, no matter how ridiculous, to see him convicted. Whatever rulings they issue will then become precedent the Govt can use against everyday criminals (i.e., you and me).
And neither was the case for the the unabomber, OKC bombing or any other big trial. This is no different. As for precedent... where do you live that planning (and following thru) to kill thousands isn't already firmly against the law?
Khalid Sheikh Mohammed is the *enemy*. He cannot be rehabilitated. He cannot be reconstructed. He and his comrades would seek the overthrow of our system of government and its replacement with Sharia law. He is not a common criminal, and it is disrespectful to treat him like one - and you should always respect your enemy. Send him to his god and be done with it.
Oh yeah, the prez was the one prejudging, eh?
No comprende? Let me type that a little slower for you...
TrueCrypt is open source and is available for download from Source Forge, which hosts open source projects. And here's the downloadable source code.
Falcon
Should there be a Law?
Aside from the fact that adequate grounds exist for military jurisdiction based on the Pentagon portion of the attack - and the fact that the act KSM is most likely to be charged with conspiracy, which certainly occurred outside of the U.S. - the analysis is far more complex if one has a basic understanding of criminal procedure. The very high standard of proof required to convict in a criminal court, and the complexity of the rules of evidence - particularly when considering the difficulty of trying a conspiracy charge. Hell, as a law student, I spent untold hours just looking at hearsay and its numerous exceptions. Not to mention the issue of evidence extracted during and after water boarding sessions and other interrogation
I obviously haven't seen the prosecution's evidence in full, but if this were a more traditional criminal charge, I'd wager that they would have one hell of a tough row to hoe. Keep in mind that, if the law is applied as it should be, a jury may only consider evidence that has been admitted before the Court. If vital bits of evidence are excluded--a scenario that is certainly feasible--can the prosecutors successfully prove the elements of the crime KSM is charged with? If not, in a real trial, he would have to be let free.
Of course, this isn't going to be a real trial.
Assume that KSM is acquitted. There is obviously no chance he'll ever be released, nor could he be released onto U.S. territory at all, of course, under the Immigration and Naturalization Act. A real criminal trial would carry with it the vagaries and risks associated with any criminal trial, no matter how "air tight" a case is (e.g., O.J. Simpson), and the possibility of an acquittal and release.
I fear what we have here with the upcoming KSM trial is more of a show trial. The conviction, execution, and virtually pre-determined, or at least that is how Obama is treating it in statements to the press (as a lawyer and former law professor, he should know better, as he acknowledged with his subsequent ass covering).
Aside from some of the more obvious questions (Why a criminal trial for only this handful? Why are military tribunals "good enough" for the rest? Why has Obama shifted support from the military tribunals he once supported specifically for KSM to the civilian courts? How will classified evidence be handled? Will KSM truly be given full access to all the evidence against him, including names of informants?) are the more larger concerns. Why a show trial for this person? Why now? Will show trials become the norm for the particularly loathsome among us? For those it is more politically convenient for the president to try via show trial? Is this the direction we would like to go in?
If this were to be a real trial, it would be a demonstration of the Obama administration's willingness to take unacceptable risks on national security, particularly since a much friendlier venue is allowed under law and some of the trickier, thornier aspects of the law can be avoided. Instead, it may prove to be a perversion of the criminal justice system, which has rules that are much better established and protect every single American citizen. Why open the door to show trials?
That would only works if the password is kept on a temporary file. Otherwise there is no reason whatsoever the password would be anywhere on disk. And that does not work at all if you use a bootable CD.
But that's not how it happens in the real world. Most people don't run their computers from read-only media with the swap turned off!
First of all, there's lots of bad developers out there. Passwords get saved all over the place, in the registry, configuration files, etc... I've seen web sites that were "https", but then put the plain text password into the URL, which is saved in the unencrypted browser history!
Second, even if you store passwords in memory only, the pagefile might still contain it, if a page containing the password was swapped out. It's even more likely with hibernation files, which swap out everything, including kernel space marked as non-pageable.
In theory, there's features like "protected memory" that developers can use to store passwords securely in memory, but this takes a lot of work. In Win32 there's a set of APIs for it, but many developers don't use it, or haven't even heard of it. It's such a low level "buffer manipulation" style API that lots of high-level languages can't or don't use it. It's only recently that C# got support for it, for example, and I don't think Java has anything comparable. Most garbage-collecting languages are vulnerable, because memory can be relocated (copied) at any time, which may prevent buffers from being properly cleared.
One of the worst culprits are those "I forgot my password" web pages that email you your plain text password to your mailbox, so that your email client can then cheerfully write it all over the place. Even if you encrypt your PC's disk, but use corporate email, your password is now in plain text, on the server's disk.
In practice, real security is hard. Very, very hard. As a consultant, I've been to over 100 clients, including major banks and very security sensitive government institutions, and I've only ever seen 2 secure networks: One financial services company, and the internal LAN on the new generation Boeing planes.
My current one is something like "StupidITPassWordPolicy#23"
I can't wait til I somehow get locked out or something and have to call IT help desk to look it up...
Notice length, upper and lower, special chara, numbers..... and know that that number is required to change frequently...
The one concession they made was it used to also compare the only and the new and if ANY part of it was identical it wouldn't accept it (like Password3 and Password4, etc...)
I am sure that not brings down the percentage of people that write their password each week on a sticky note and stick it to their monitor from 95% to 80%... Well done IT genius, well done. Truly we are all more secure for your wonderfully well through out ideas.
-Bitter.
Khalid Sheikh Mohammed is the *enemy*. He cannot be rehabilitated. He cannot be reconstructed. He and his comrades would seek the overthrow of our system of government and its replacement with Sharia law. He is not a common criminal, and it is disrespectful to treat him like one - and you should always respect your enemy. Send him to his god and be done with it.
He would love that. treating him like a common criminal is the most humiliating thing you can do to him.
And seriously... unless the state has evidence to prove such allegations I would not want to live in a place that any government officials have the power to just go around and kill people with no due process.
This is a land where the rule of law, the constitution, and the fundamental principles of justice are supreme. if you hate your justice system so much that you would try to thwart it and impose your own vigilantee justice, then you are just as bad as any common criminal attempting to replace justice with Sharia law.
Justice demands a fair trial. And if the US can't give it, they should turn these people over to the Hague.
No one has a right to their *own* opinion. They have a right to the TRUTH.
So I ask the /. crowd are there any good alternatives to passwords that are feasible? Something secure. Something that can be implemented on websites. What do you think we should be working towards? Is there already something in place that you can give an example of?
The best possible password is a phrase. Something simple like 'whereartthouromeo' is long, difficult to crack, and yet, still easy to remember. Now add some numbers, case change, and sepcial characters... 'WHEr3@r7thourom#)' is virtually impossible to crack. The password is not inherently flawed. It's still valid, useful, and machines are still too underpowered to crack that stuff.
Bullish Machine Tzar
Khalid Sheikh Mohammed is the *enemy*. He cannot be rehabilitated. He cannot be reconstructed. He and his comrades would seek the overthrow of our system of government and its replacement with Sharia law.
My view is, he's just like Timothy McVeigh, or an abortion clinic shooter. There's no way they can actually overthrow our system of government. They are non state terrorists, little more than common criminals, and really have very little power. Our system of the rule of law is much stronger and more important than any of them - and if we can't convict him in a court of law, then he should be freed. If he is freed and viewed as a serious threat, he should be kept under surveillance, but the rule of law is more important than any one individual.