US Government Using PS3s To Break Encryption 570
Posted
by
timothy
from the purchase-order-shenanigans dept.
from the purchase-order-shenanigans dept.
Entropy98 writes "It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."
And the problem with this is??? (Score:4, Interesting)
Really what is the problem with this. These computers are being searched AFTER a judge issues a search warrant. In other words constitutional law is being followed to the letter in this case.
So what is the problem? Because it may involve child porn and you think that it is harmless? Well some of those computers have pictures of the victims "children" and the criminal act happening.
There is nothing wrong with this legally.
And having a fit about it is a clear case of calling wolf.
I am sure this will be used in any investigation that involves a computer and not just for child porn.
Complaining about the legal search of a computer after a warrant is issued is just stupid.
BTW I am sure that the NSA has much better systems based on FPGAs and Cell chips for breaking encryption than PS-3s but we will never hear about those and that type of wiretap without a warrant is what I am worried about.
Re:What (Score:4, Interesting)
It's fun to laugh but on a serious note (Score:2, Interesting)
I knew a guy once who worked closely with anti-kiddie-porn cops. They rotated those guys off fairly quickly so they wouldn't go insane. What you see on Law & Order with the same cops doing the kiddie-smut patrol year in and year out may work for Munch and Stabler but it doesn't work in the real world.
Also, in the real world I'll be a cop's donut you don't get to do that kind of work in a decent-sized department unless you are emotionally stable, in a stable romantic relationship with another adult or had one in your past for a long time, and have a history of not getting irrational and emotional at the sight of disturbing visuals, while at the same time not being stone-cold about it either.
Re:What (Score:4, Interesting)
All very accurate and informative. I still wonder about the numbers here. If I did my math correctly, (282 trillion posibilities, 4 million tries a second) you exhaust the search space in 816 days. That's over a year on average. And that's if they're using a simple 6 character alphanumeric password. Given that we all have a right to a speedy trial, this just doesn't seem like it would be ready in time for court. I think they'd do a lot better to use their sneak and peak warrant power to install key loggers.
How does this work? (Score:3, Interesting)
Seems to me that a reasonably well designed OS would lock after 4 password attempts. How are they entering all these passwords w/o the system balking?
i'm asking because i don't know, please don't mod me a troll for not knowing something.
Hmmmm (Score:5, Interesting)
At 8character passwords w/ letters and numbers only, 3.3hours.
Upper and lower case increase that figure to 10.5days. (With 9 characters 7.15years)
84character set brings us up to 119.5days.
Note: I just used x^8 which isn't totally accurate, the numbers in reality are a bit larger but it doesn't matter much.
This makes me wonder in case this is true. We are running up to a physical limitation in the human brain. People already have trouble memorizing the dozens of 8character passwords. 9 characters will hold moores law off for a few more years (not the precise meaning of moores law but you know what i mean). The problem is also that people are getting more accounts for things. Most people even today use the same passwords for a variety of things. I'd say almost all people.
So I ask the
Re:What (Score:1, Interesting)
That's not true, it's British.
Re:What (Score:1, Interesting)
I call bullshit on you - US law is heavily based on English Common Law, and the premise of "Presumption of Innocence" is not an exclusive US concept.
Re:What (Score:2, Interesting)
The cell (Score:2, Interesting)
It amazes me with things like the IBM QS21 and the mercury blade servers that the cheapest solution is to get a piece of hardware like the ps3 with so many extra components not needed for number crunching.
The cell was designed for floating point calculations. Cracking requires a lot of integer calculations. You won't get the benefits that science and graphic applications get like folding@home.
Re:What (Score:3, Interesting)
Re:What (Score:4, Interesting)
+1 funny? Or +1 informative. In the UK they lock you in jail for year-after-year until you give them the encryption key. So much for the right to be presumed innocent until PROVED guilty.
Sad but true. Refusal to share your encryption key or password is now illegal in Britannia.
This is silly (Score:2, Interesting)
Re:What (Score:3, Interesting)
No, you're right. They're doing offline attacks. If they had access to the computer while on they'd do a coldboot attack or something similar where they freeze ram in LN2, take it out, stick it in a chip analyzer (or liveboot the computer), and grab the delicious, delicious key material. Also, I believe windows lacks the ability to mark a page as do-not-swap* which means that sometimes you can grab the pagefile and find key material in it. Which is why you should use Ubuntu: Linux for Pedophiles:-)
* My info is 8 years out of date. Could be wrong.
Re:What (Score:4, Interesting)
I must be missing something here. WHY would someone use the original app instead of one modified to remove said rate limit? I mean the limit itself is going to be artificially imposed with something like "sleep(5)", so "cracking" the binary would be trivial at best, and the first vector I would think. Again, am I missing something here?
Yes, you are missing something, but it is a very common misconception. The "rate limit" is in the algorithm itself, not simply in the application which implements the algorithm.
Here is an example to demonstrate how such a rate limit can be constructed. Begin with a rather fast and strong hashing algorithm such as SHA-256. Now SHA-256 operates in the Merkle-Damgaard chaining mode which is inherently serial, so what you can do to slow it down is to define your password authentication algorithm to be a SHA-256 hash of a "message" which is formed by appending your password with one-billion 32-bit unsigned integers which are just consecutive counter values. Since you don't actually have to store the counter values, this takes no additional memory to implement. Since the algorithm is strongly serial in nature, you can't short-cut the process without breaking SHA-256 (which would be very impressive). Even on the fastest processors, hashing a > 1Gig message with SHA-256 is quite time consuming... at least several seconds per attempt. This provides a very effective rate limit.
Re:Obama fails again... (Score:4, Interesting)
- All those officers and enlisted in the Pentagon would be surprised to know they are civilians.
The majority of casualties were civilian. This was not an act of traditional war. This is far, far different than the cut and dry battlefield that the Geneva Conventions were based on.
- Are they going to release KSM if he is acquitted? If not, this is just a show trial and a sham.
If 12 New Yorkers can't find this guy guilty, then I am pretty damn sure he didn't do it. And he will not be realeased in the US, no matter what.
Come on. This is no trial in any real sense of the word. Other observers have pointed out that no one wants to see this guy walk, so the judges and prosecution will go through any contortion, no matter how ridiculous, to see him convicted. Whatever rulings they issue will then become precedent the Govt can use against everyday criminals (i.e., you and me).
And neither was the case for the the unabomber, OKC bombing or any other big trial. This is no different. As for precedent... where do you live that planning (and following thru) to kill thousands isn't already firmly against the law?
Khalid Sheikh Mohammed is the *enemy*. He cannot be rehabilitated. He cannot be reconstructed. He and his comrades would seek the overthrow of our system of government and its replacement with Sharia law. He is not a common criminal, and it is disrespectful to treat him like one - and you should always respect your enemy. Send him to his god and be done with it.
Oh yeah, the prez was the one prejudging, eh?
Re:What (Score:3, Interesting)
I'll nitpick.
The presumption of innocence does not really go that far back in the history of common law. If you bothered to read a bit further into the link you provided, you'll see that in the quoted case of Woolmington v DPP (decided in 1935) that the case was about overturning a principle of the "presumption of guilt" specifically:
On appeal to the Court of Criminal Appeal, Woolmington argued that the Trial judge misdirected the jury. The appeal judge discounted the argument using the common law precedent as stated in Foster's Crown Law (1762). ... In every charge of murder, the fact of killing being first proved, all the circumstances of accident, necessity, or infirmity are to be satisfactorily proved by the prisoner, unless they arise out of the evidence produced against him; for the law presumeth the fact to have been founded in malice, unless the contrary appeareth...
http://en.wikipedia.org/wiki/Woolmington_v_DPP [wikipedia.org]
*This* is the traditional common law, the one that the USA inherited.
I'll argue that this Woolmington v DPP case changed the law significantly. At the very least, before this case was decided, the principle of presumption of innocence was not as entrenched as it were after the case. Arguably, this case established the doctrine of the presumption of innocence as we know it today.
It's fundamentally some academic quirk on common law jurisprudence - under traditional common law principles, the law is "discovered", not "made" by judges. And thus, judges do have a tendency sometimes to "pretend" that all they're doing is applying existing legal principles, instead of changing the laws by setting a precedent. And then after the decision we'll have to accept that "common law was like that all along!", which is not really that accurate.
Take note, I'm not intending to glamorize the US system (which I don't harbor complements), but just to set things straight. I do study the laws of your jurisdiction extensively, as a law student in Hong Kong.
Dissenting (Score:3, Interesting)
Aside from the fact that adequate grounds exist for military jurisdiction based on the Pentagon portion of the attack - and the fact that the act KSM is most likely to be charged with conspiracy, which certainly occurred outside of the U.S. - the analysis is far more complex if one has a basic understanding of criminal procedure. The very high standard of proof required to convict in a criminal court, and the complexity of the rules of evidence - particularly when considering the difficulty of trying a conspiracy charge. Hell, as a law student, I spent untold hours just looking at hearsay and its numerous exceptions. Not to mention the issue of evidence extracted during and after water boarding sessions and other interrogation
I obviously haven't seen the prosecution's evidence in full, but if this were a more traditional criminal charge, I'd wager that they would have one hell of a tough row to hoe. Keep in mind that, if the law is applied as it should be, a jury may only consider evidence that has been admitted before the Court. If vital bits of evidence are excluded--a scenario that is certainly feasible--can the prosecutors successfully prove the elements of the crime KSM is charged with? If not, in a real trial, he would have to be let free.
Of course, this isn't going to be a real trial.
Assume that KSM is acquitted. There is obviously no chance he'll ever be released, nor could he be released onto U.S. territory at all, of course, under the Immigration and Naturalization Act. A real criminal trial would carry with it the vagaries and risks associated with any criminal trial, no matter how "air tight" a case is (e.g., O.J. Simpson), and the possibility of an acquittal and release.
I fear what we have here with the upcoming KSM trial is more of a show trial. The conviction, execution, and virtually pre-determined, or at least that is how Obama is treating it in statements to the press [politico.com] (as a lawyer and former law professor, he should know better, as he acknowledged with his subsequent ass covering).
Aside from some of the more obvious questions (Why a criminal trial for only this handful? Why are military tribunals "good enough" for the rest? Why has Obama shifted support from the military tribunals he once supported specifically for KSM to the civilian courts? How will classified evidence be handled? Will KSM truly be given full access to all the evidence against him, including names of informants?) are the more larger concerns. Why a show trial for this person? Why now? Will show trials become the norm for the particularly loathsome among us? For those it is more politically convenient for the president to try via show trial? Is this the direction we would like to go in?
If this were to be a real trial, it would be a demonstration of the Obama administration's willingness to take unacceptable risks on national security, particularly since a much friendlier venue is allowed under law and some of the trickier, thornier aspects of the law can be avoided. Instead, it may prove to be a perversion of the criminal justice system, which has rules that are much better established and protect every single American citizen. Why open the door to show trials?