Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Government Using PS3s To Break Encryption

Posted by timothy on from the purchase-order-shenanigans dept.

Entropy98 writes "It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."

5 of 570 comments (clear)

  1. Re:What by Swift+Kick · · Score: 5, Informative

    You're right. The submitter didn't read the article (or lacked the reading comprehension to understand it).

    The article says that "the networked Playstation 3s can process 4 million passwords per second, cutting down on the time necessary to find the correct combination.". Nowhere does it say that a single PS3 can do that.

    --
    "We'll need 2000 crickets, 4 cans of Easy Cheese, and the fluid from 18 glowsticks for this plan to work...." - ph0n1c
  2. Lovely encryption by Applekid · · Score: 5, Insightful

    Good to know when the Government is cracking the encryption implemented by the public it's "cracking down on child pornography." When it's the public cracking encryption implemented by corporations it's a violation of the DMCA.

    --
    More Twoson than Cupertino
  3. This only works on poor passwords by Khopesh · · Score: 5, Informative

    I've done a lot of password-cracking math, even toyed with the idea of writing an academic paper on it. Generally, I work on the (generous) assumption that a well-groomed single node can chunk through 100k passwords per second and that things scale perfectly, so 20 nodes would work through 2M passwords per second. They're claiming their 20-node cluster can handle twice that, and I fully believe it. Powerful GPUs are known to perform extremely well on password cracking, and PS3s certainly have them. That's twice the performance for half to a fifth the cost. Nice, but not "OMG."

    They plan to scale up to 60 nodes, which is 12M pass/s. To break a 8-character monospace password (37 bits of complexity, which is pretty weak), it would take just under five hours ( 26^8/(12*10^6) /60/60 ). However, to break an 8-character alphanumeric password (case and numbers), that becomes seven months ( (26+26+10)^8/(12*10^6) /60/60/24/365*12 ).

    This is only scary when you have a super-intelligent dictionary attack. Scrape the hard drive and any subpoenaed documents for words and add that to a dictionary of common password parts, then perform your dictionary attack -- dreadfully powerful. To avoid falling victim to this, a good rule of thumb is that words are awesome to use, and they're more secure, but they're only about as secure as two random characters (three with a rich vocabulary including 3 or more of: arcane words, uncommon foreign words, uncommon misspelled words, uncommon proper nouns, l33t-speak ...). So that 13-char "secure password" you use that looks like metropolitan8 effectively only has three or four characters to a dictionary attacker, and that clever 14-char password of spageti4dinner has only five or six, depending on how good the attacker's dictionary is at misspelled words. A tip: put punctuation inside your words to break them up (without forming words), e.g. metr[opo;%litan8, and you've pretty much defeated the dictionary attack.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
    1. Re:This only works on poor passwords by bertok · · Score: 5, Informative

      However, to break an 8-character alphanumeric password (case and numbers), that becomes seven months

      Ah... theory!

      In practice, even very long passwords are trivially cracked in little time, using simple methods.

      Unfortunately, I lost the source, but while studying cryptography myself, I stumbled upon a quote from some guy involved in government decryption in the US, and (paraphrasing), he said that their technique was basically to pick up the hard disk from the machine with the protected content, and then simply try every consecutive range of bytes as a password.

      Unless the disk was encrypted with 'whole disk encryption', it works something like 90% of the time, simply because of stupid software saving plain-text passwords, users reusing passwords for various purposes, things like hibernation and page files, etc... I suspect that on disks from corporate networks, it would work even better, because if any one disk reveals the network admin password, you can unlock everything else from there.

      So if you have a 100 GB disk, and you try all byte ranges from 4 to 20 bytes long (to account for various password lengths), and you try every byte range as both an ASCII and UTF-16 string, that's merely 17x2x100*10^9 = 3400 billion passwords to try, or 3.2 days at your quoted "12 million passwords per second".

      In practice, most disks would crack much faster than that, if you aim the algorithm at the most likely sources first, such as the page and hibernation files, the user registry, and the web browser cache and configuration folders.

      The lesson I took away from that is that against an attacker with physical access, it really doesn't make the slightest difference how strong your password is, unless the entire disk is encrypted.

  4. Re:Obama fails again... by ppanon · · Score: 5, Insightful

    It's pretty simple. The military courts are appropriate for combatants captured on a foreign field of battle. By trying KSM and the others in civilian courts (because the 9/11 victims were civilians on US soil), the case establishes a couple of things that neo-cons don't want to happen:

    a) since evidence obtained through torture is ineligible in civilian courts, the information used by the prosecution will be what was obtained before he was tortured. So when KSM gets convicted on the basis of all the incriminating information that was available prior to torture, it will be a strong indictment that the torture used on him was not necessary. The whole neo-con "we had to torture" argument is shown for the pack of lies it is. Since Cheney was the biggest proponent of torture, it's not surprising he's also the most opposed to this happening since a conviction changes his place in history from question mark to a sadistic torturer.

    b) it re-establishes the primacy of the standard US criminal justice system for acts committed on U.S. soil.

    Basically, if KSM and his buddies can be convicted and put in jail through the civilian courts, it means that the wholesale raping of the Geneva Convention, habeus corpus, and other civil rights by the (neo-con) Republicans was unnecessary. It also sets a strong counter-precedent in case the neo-cons (inevitably) try the whole "Permanent Emergency" gambit again.

    So yeah, the neo-cons and their water bearers like Lieberman are seriously against this and using FUD to slam the effort. Big surprise.

    --
    Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire