Amazon EC2 Enables Cheap Brute-Force Attacks 212
snydeq writes "German white-hat hacker Thomas Roth claims he can crack WPA-PSK-protected networks in six minutes using Amazon EC2 compute power — an attack that would cost him $1.68. The key? Amazon's new cluster GPU instances. 'GPUs are (depending on the algorithm and the implementation) some hundred times faster compared to standard quad-core CPUs when it comes to brute forcing SHA-1 and MD,' Roth explained. GPU-assisted servers were previously available only in supercomputers and not to the public at large, according to Roth; that's changed with EC2. Among the questions Roth's research raises is, what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"
That's silly. (Score:5, Insightful)
"what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"
The same role that Ford Motor Company is responsible to fill in preventing the use of it's vehicles as Getaway cars from scenes of crimes.
Wikileaks (Score:5, Insightful)
Amazon provide infrastructure services. They need not, should not, must not know or seek to know how these services are used.
Oh wait, Wikileaks...
None? (Score:5, Insightful)
They should not take any steps in this direction. We should have learned that. it. just. don't. work. Brute-forcing a hash is not illegal anyway. If the customer of amazon decides to misuse the result, than this is not the responsibility of Amazon. Many services and tools can be abused for crime.
Easy answer (Score:5, Insightful)
what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"
No role whatsoever; let law enforcement agencies handle criminal investigations.
Well I Can Answer the Last Question (Score:5, Insightful)
Among the questions Roth's research raises is, what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"
None whatsoever. Amazon and other service providers are retailers. They are not a police force. If a crime is being committed, let the designated authorities (i.e. cops) investigate it, police it, and arrest the criminal. No business should ever be involved in policing anything. That's a role specially held for the executive branch of governments.
Re:Why use EC2? (Score:2, Insightful)
"In the same amount of time" is the biggie. They are talking about using short timeslices of hundreds of computers. The article mentions using 400 GPUs (but isn't very clear on whether 400 GPUs for 20 minutes is what costs $1.68). If that's true, then decoding it with a single GPU would take about 5 1/2 days, assuming you had the same class of hardware Amazon is using.
Not earth-shattering amounts of time, true, but if speed is of the essence you probably don't want to wait the better part of a week.
What role should they take? None, maybe? (Score:4, Insightful)
I would expect Amazon to cooperate with the law enforcement should they discover that their service was abused to commit a crime. But why should they required to "avoid" it? And most of all, how? The only way to really keep people from using that service for criminal means would be to explicitly disallow certain uses and then monitor whether it is used this way. And that in turn raises a question: How? Because one of the core reasons this service is interesting is that it offers cheap calculation power. If you attach a metric ton of red tape and surveillance, it's most likely cheaper and faster to let your old Pentium do it.
Re:That's silly. (Score:4, Insightful)
There are perfectly legal reasons for cracking encryption...
Data recovery (eg forgotten passwords)
Security auditing
Crypto development (ie stress testing)