US Government Using PS3s To Break Encryption 570
Entropy98 writes "It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."
What (Score:5, Insightful)
being used to break encryption
Each PS3 is capable of 4 million passwords per second
Something doesn't match up. For first the different encryption schemes take different times to try even one password, and even more if you combine several of them together. Secondly you cannot try 4 million passwords in a second if its encrypted content, it takes a lot more than that.
Re:What (Score:5, Funny)
Re: (Score:2, Informative)
+1 funny? Or +1 informative.
In the UK they lock you in jail for year-after-year until you give them the encryption key. So much for the right to be presumed innocent until PROVED guilty.
Re:What (Score:4, Interesting)
Re:As Idiomatick puts it... (Score:4, Informative)
So I ask the /. crowd are there any good alternatives to passwords that are feasible? Something secure. Something that can be implemented on websites. What do you think we should be working towards? Is there already something in place that you can give an example of?
The best possible password is a phrase. Something simple like 'whereartthouromeo' is long, difficult to crack, and yet, still easy to remember. Now add some numbers, case change, and sepcial characters... 'WHEr3@r7thourom#)' is virtually impossible to crack. The password is not inherently flawed. It's still valid, useful, and machines are still too underpowered to crack that stuff.
Re:What (Score:4, Funny)
And that is why my password is"Pleasestophittingmeononotthewaterboardblipdoolpoolp"
Re:What (Score:5, Funny)
+1 funny.
What's your password?
"Please stop hitting me."
What's your password?
"Please stop hitting me!"
What's your password?
"I TOLD you my password!"
(smack). No you didn't! You're acting like a child. Stop playing these games. Tell us your password!
"pleasetophittingme"!!!!!
(smack). Oh great. He's unconscious.
Re:What (Score:5, Funny)
Re:What (Score:4, Funny)
Could be worse, imagine if it was "fuck you, stupid customs official"
My secret answer for a gaming account was "Your moms box." When I called them up and had to change my information, the guy asked me and I immediately realized what it was. Good thing he had a sense of humor, otherwise he might have thought my childhood superhero was his mom's box.
Close... (Score:3, Funny)
My current one is something like "StupidITPassWordPolicy#23"
I can't wait til I somehow get locked out or something and have to call IT help desk to look it up...
Notice length, upper and lower, special chara, numbers..... and know that that number is required to change frequently...
The one concession they made was it used to also compare the only and the new and if ANY part of it was identical it wouldn't accept it (like Password3 and Password4, etc...)
I am sure that not brings down the percentage of people
Re: (Score:2, Informative)
If by "year-after-year" you mean two years* [openrightsgroup.org] then yes, you are correct. However, I get the feeling that's not what you intended to imply.
* Or 5 years in terrorism-related cases
Re:What (Score:4, Interesting)
+1 funny? Or +1 informative. In the UK they lock you in jail for year-after-year until you give them the encryption key. So much for the right to be presumed innocent until PROVED guilty.
Sad but true. Refusal to share your encryption key or password is now illegal in Britannia.
Re:What (Score:4, Informative)
The best part of RIPA is that if you genuinely do no know the encryption key then the onus is on you to prove it, otherwise the assumption is that you do know and are simply witholding the information; off to jail for 5 years...
Re:What (Score:5, Informative)
Why do you quote US sentences with other countries? "Innocent until proved guilty" comes from US, and while usually true elsewhere too, you seem to just flame with this shit again.
Sorry to disapoint you but your legal system is only based on ours (I am a UK citizen). The presumation on innocence and the adversarial system you inherited just stems from english common law. Here is a link regarding presumption of innocence:
http://en.wikipedia.org/wiki/Presumption_of_innocence [wikipedia.org]
Here is a link on english common law:
http://en.wikipedia.org/wiki/English_law [wikipedia.org]
For the most part it is a reasonable system so your founding fathers chose not to change too much of it when they threw off the yoke of english rule.
Re: (Score:3, Interesting)
I'll nitpick.
The presumption of innocence does not really go that far back in the history of common law. If you bothered to read a bit further into the link you provided, you'll see that in the quoted case of Woolmington v DPP (decided in 1935) that the case was about overturning a principle of the "presumption of guilt" specifically:
On appeal to the Court of Criminal Appeal, Woolmington argued that the Trial judge misdirected the jury. The appeal judge discounted the argument using the common law precedent as stated in Foster's Crown Law (1762). ... In every charge of murder, the fact of killing being first proved, all the circumstances of accident, necessity, or infirmity are to be satisfactorily proved by the prisoner, unless they arise out of the evidence produced against him; for the law presumeth the fact to have been founded in malice, unless the contrary appeareth...
http://en.wikipedia.org/wiki/Woolmington_v_DPP [wikipedia.org]
*This* is the traditional common law, the one that the USA inherited.
I'll argue that this Woolmington v DPP case changed the law
Re:Obama fails again... (Score:5, Insightful)
It's pretty simple. The military courts are appropriate for combatants captured on a foreign field of battle. By trying KSM and the others in civilian courts (because the 9/11 victims were civilians on US soil), the case establishes a couple of things that neo-cons don't want to happen:
a) since evidence obtained through torture is ineligible in civilian courts, the information used by the prosecution will be what was obtained before he was tortured. So when KSM gets convicted on the basis of all the incriminating information that was available prior to torture, it will be a strong indictment that the torture used on him was not necessary. The whole neo-con "we had to torture" argument is shown for the pack of lies it is. Since Cheney was the biggest proponent of torture, it's not surprising he's also the most opposed to this happening since a conviction changes his place in history from question mark to a sadistic torturer.
b) it re-establishes the primacy of the standard US criminal justice system for acts committed on U.S. soil.
Basically, if KSM and his buddies can be convicted and put in jail through the civilian courts, it means that the wholesale raping of the Geneva Convention, habeus corpus, and other civil rights by the (neo-con) Republicans was unnecessary. It also sets a strong counter-precedent in case the neo-cons (inevitably) try the whole "Permanent Emergency" gambit again.
So yeah, the neo-cons and their water bearers like Lieberman are seriously against this and using FUD to slam the effort. Big surprise.
Re:Obama fails again... (Score:5, Insightful)
- All those officers and enlisted in the Pentagon would be surprised to know they are civilians.
- Are they going to release KSM if he is acquitted? If not, this is just a show trial and a sham.
- Whatever your stance on waterboarding, they didn't do it to KSM to get him to confess. They did it to acquire intel to prevent further attacks and/or take the battle to Al Qaeda.
- During an interview with NBC tonight, the interviewer asked Obama if people would find it offensive that KSM would receive all the rights of an American citizen in a trial. Obama replied "I don't think it will be offensive at all when he's convicted and when the death penalty is applied to him." Pre-judging much? Tainting the jury?
Come on. This is no trial in any real sense of the word. Other observers have pointed out that no one wants to see this guy walk, so the judges and prosecution will go through any contortion, no matter how ridiculous, to see him convicted. Whatever rulings they issue will then become precedent the Govt can use against everyday criminals (i.e., you and me).
Khalid Sheikh Mohammed is the *enemy*. He cannot be rehabilitated. He cannot be reconstructed. He and his comrades would seek the overthrow of our system of government and its replacement with Sharia law. He is not a common criminal, and it is disrespectful to treat him like one - and you should always respect your enemy. Send him to his god and be done with it.
Re:Obama fails again... (Score:4, Interesting)
- All those officers and enlisted in the Pentagon would be surprised to know they are civilians.
The majority of casualties were civilian. This was not an act of traditional war. This is far, far different than the cut and dry battlefield that the Geneva Conventions were based on.
- Are they going to release KSM if he is acquitted? If not, this is just a show trial and a sham.
If 12 New Yorkers can't find this guy guilty, then I am pretty damn sure he didn't do it. And he will not be realeased in the US, no matter what.
Come on. This is no trial in any real sense of the word. Other observers have pointed out that no one wants to see this guy walk, so the judges and prosecution will go through any contortion, no matter how ridiculous, to see him convicted. Whatever rulings they issue will then become precedent the Govt can use against everyday criminals (i.e., you and me).
And neither was the case for the the unabomber, OKC bombing or any other big trial. This is no different. As for precedent... where do you live that planning (and following thru) to kill thousands isn't already firmly against the law?
Khalid Sheikh Mohammed is the *enemy*. He cannot be rehabilitated. He cannot be reconstructed. He and his comrades would seek the overthrow of our system of government and its replacement with Sharia law. He is not a common criminal, and it is disrespectful to treat him like one - and you should always respect your enemy. Send him to his god and be done with it.
Oh yeah, the prez was the one prejudging, eh?
Re: (Score:3, Insightful)
Khalid Sheikh Mohammed is the *enemy*. He cannot be rehabilitated. He cannot be reconstructed. He and his comrades would seek the overthrow of our system of government and its replacement with Sharia law. He is not a common criminal, and it is disrespectful to treat him like one - and you should always respect your enemy. Send him to his god and be done with it.
He would love that. treating him like a common criminal is the most humiliating thing you can do to him.
And seriously... unless the state has evidence to prove such allegations I would not want to live in a place that any government officials have the power to just go around and kill people with no due process.
This is a land where the rule of law, the constitution, and the fundamental principles of justice are supreme. if you hate your justice system so much that you would try to thwart it and impose your
Re: (Score:3, Insightful)
Khalid Sheikh Mohammed is the *enemy*. He cannot be rehabilitated. He cannot be reconstructed. He and his comrades would seek the overthrow of our system of government and its replacement with Sharia law.
My view is, he's just like Timothy McVeigh, or an abortion clinic shooter. There's no way they can actually overthrow our system of government. They are non state terrorists, little more than common criminals, and really have very little power. Our system of the rule of law is much stronger and more important than any of them - and if we can't convict him in a court of law, then he should be freed. If he is freed and viewed as a serious threat, he should be kept under surveillance, but the rule of law is mo
Dissenting (Score:3, Interesting)
Aside from the fact that adequate grounds exist for military jurisdiction based on the Pentagon portion of the attack - and the fact that the act KSM is most likely to be charged with conspiracy, which certainly occurred outside of the U.S. - the analysis is far more complex if one has a basic understanding of criminal procedure. The very high standard of proof required to convict in a criminal court, and the complexity of the rules of evidence - particularly when considering the difficulty of trying a con
Re: (Score:3, Informative)
Re:What (Score:5, Funny)
"Look, we'll give you a PS3 if you tell us your password.
"We'll even throw in the HDMI cable. We'll get it eventually; this way you and I can both go home before lunchtime."
Re: (Score:3, Informative)
It's a news article featuring small sound bites and quotes. It's not an in-depth technological review. Nobody quoted the environment in which they benchmarking their tests: AES-128, 3DES, DES, or whatever.
And yes you certainly could test 4 million passwords a second on these machines, but again it really depends entirely on what algorithm you're attacking.
Re: (Score:2)
it really depends entirely on what algorithm you're attacking
2ROT13
Re:What (Score:5, Informative)
You're right. The submitter didn't read the article (or lacked the reading comprehension to understand it).
The article says that "the networked Playstation 3s can process 4 million passwords per second, cutting down on the time necessary to find the correct combination.". Nowhere does it say that a single PS3 can do that.
This only works on poor passwords (Score:5, Informative)
I've done a lot of password-cracking math, even toyed with the idea of writing an academic paper on it. Generally, I work on the (generous) assumption that a well-groomed single node can chunk through 100k passwords per second and that things scale perfectly, so 20 nodes would work through 2M passwords per second. They're claiming their 20-node cluster can handle twice that, and I fully believe it. Powerful GPUs are known to perform extremely well on password cracking, and PS3s certainly have them. That's twice the performance for half to a fifth the cost. Nice, but not "OMG."
They plan to scale up to 60 nodes, which is 12M pass/s. To break a 8-character monospace password (37 bits of complexity, which is pretty weak), it would take just under five hours ( 26^8/(12*10^6) /60/60 ). However, to break an 8-character alphanumeric password (case and numbers), that becomes seven months ( (26+26+10)^8/(12*10^6) /60/60/24/365*12 ).
This is only scary when you have a super-intelligent dictionary attack. Scrape the hard drive and any subpoenaed documents for words and add that to a dictionary of common password parts, then perform your dictionary attack -- dreadfully powerful. To avoid falling victim to this, a good rule of thumb is that words are awesome to use, and they're more secure, but they're only about as secure as two random characters (three with a rich vocabulary including 3 or more of: arcane words, uncommon foreign words, uncommon misspelled words, uncommon proper nouns, l33t-speak ...). So that 13-char "secure password" you use that looks like metropolitan8 effectively only has three or four characters to a dictionary attacker, and that clever 14-char password of spageti4dinner has only five or six, depending on how good the attacker's dictionary is at misspelled words. A tip: put punctuation inside your words to break them up (without forming words), e.g. metr[opo;%litan8, and you've pretty much defeated the dictionary attack.
A tip: (Score:3, Informative)
put punctuation inside your words to break them up (without forming words), e.g. metr[opo;%litan8, and you've pretty much defeated the dictionary attack.
I tried that once and was told I could not use a punctuation mark. I mix alphanumeric characters though.
Re:This only works on poor passwords (Score:5, Informative)
However, to break an 8-character alphanumeric password (case and numbers), that becomes seven months
Ah... theory!
In practice, even very long passwords are trivially cracked in little time, using simple methods.
Unfortunately, I lost the source, but while studying cryptography myself, I stumbled upon a quote from some guy involved in government decryption in the US, and (paraphrasing), he said that their technique was basically to pick up the hard disk from the machine with the protected content, and then simply try every consecutive range of bytes as a password.
Unless the disk was encrypted with 'whole disk encryption', it works something like 90% of the time, simply because of stupid software saving plain-text passwords, users reusing passwords for various purposes, things like hibernation and page files, etc... I suspect that on disks from corporate networks, it would work even better, because if any one disk reveals the network admin password, you can unlock everything else from there.
So if you have a 100 GB disk, and you try all byte ranges from 4 to 20 bytes long (to account for various password lengths), and you try every byte range as both an ASCII and UTF-16 string, that's merely 17x2x100*10^9 = 3400 billion passwords to try, or 3.2 days at your quoted "12 million passwords per second".
In practice, most disks would crack much faster than that, if you aim the algorithm at the most likely sources first, such as the page and hibernation files, the user registry, and the web browser cache and configuration folders.
The lesson I took away from that is that against an attacker with physical access, it really doesn't make the slightest difference how strong your password is, unless the entire disk is encrypted.
Re:I call sheeninagan on that (Score:5, Informative)
That would only works if the password is kept on a temporary file. Otherwise there is no reason whatsoever the password would be anywhere on disk. And that does not work at all if you use a bootable CD.
But that's not how it happens in the real world. Most people don't run their computers from read-only media with the swap turned off!
First of all, there's lots of bad developers out there. Passwords get saved all over the place, in the registry, configuration files, etc... I've seen web sites that were "https", but then put the plain text password into the URL, which is saved in the unencrypted browser history!
Second, even if you store passwords in memory only, the pagefile might still contain it, if a page containing the password was swapped out. It's even more likely with hibernation files, which swap out everything, including kernel space marked as non-pageable.
In theory, there's features like "protected memory" that developers can use to store passwords securely in memory, but this takes a lot of work. In Win32 there's a set of APIs for it, but many developers don't use it, or haven't even heard of it. It's such a low level "buffer manipulation" style API that lots of high-level languages can't or don't use it. It's only recently that C# got support for it, for example, and I don't think Java has anything comparable. Most garbage-collecting languages are vulnerable, because memory can be relocated (copied) at any time, which may prevent buffers from being properly cleared.
One of the worst culprits are those "I forgot my password" web pages that email you your plain text password to your mailbox, so that your email client can then cheerfully write it all over the place. Even if you encrypt your PC's disk, but use corporate email, your password is now in plain text, on the server's disk.
In practice, real security is hard. Very, very hard. As a consultant, I've been to over 100 clients, including major banks and very security sensitive government institutions, and I've only ever seen 2 secure networks: One financial services company, and the internal LAN on the new generation Boeing planes.
Re:What (Score:5, Informative)
You usually don't care what the variable encryption scheme is when you're cracking -- typically, there is a method of simply verifying that the password is accurate, which is what they're doing. (Brute-forcing keys is fairly foolish with modern encryption systems, but brute-forcing passwords isn't.)
Re: (Score:2)
If the encryption scheme is designed and done correctly, there isn't. Only way (besides getting the password out of the guy) is to brute-force all possible keys, several times for each encryption scheme and their combinations. Sure, you don't need to decrypt all the possible content right away there but just to see if it works, but you still need to go through every combination.
Re: (Score:2)
Exactly. I may be using 2048 bits keys to protect my data, but I am surely not going to enter a 256-byte password every time I need to authenticate. That makes my passwords clearly the weakest link. And if you consider that I can't even use all possible byte values in my password, the link becomes even weaker ...
Re: (Score:3, Insightful)
Your passphrase should be quite a bit longer than eight characters if you care about your key at all.
Re: (Score:2)
The keys could be stored on a 2nd secure device, something like a TPM chip that nukes it storage after 3 invalid password attempts.
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
No, you're right. They're doing offline attacks. If they had access to the computer while on they'd do a coldboot attack or something similar where they freeze ram in LN2, take it out, stick it in a chip analyzer (or liveboot the computer), and grab the delicious, delicious key material. Also, I believe windows lacks the ability to mark a page as do-not-swap* which means that sometimes you can grab the pagefile and find key material in it. Which is why you should use Ubuntu: Linux for Pedophiles:-)
* My info
Re:What (Score:4, Interesting)
I must be missing something here. WHY would someone use the original app instead of one modified to remove said rate limit? I mean the limit itself is going to be artificially imposed with something like "sleep(5)", so "cracking" the binary would be trivial at best, and the first vector I would think. Again, am I missing something here?
Yes, you are missing something, but it is a very common misconception. The "rate limit" is in the algorithm itself, not simply in the application which implements the algorithm.
Here is an example to demonstrate how such a rate limit can be constructed. Begin with a rather fast and strong hashing algorithm such as SHA-256. Now SHA-256 operates in the Merkle-Damgaard chaining mode which is inherently serial, so what you can do to slow it down is to define your password authentication algorithm to be a SHA-256 hash of a "message" which is formed by appending your password with one-billion 32-bit unsigned integers which are just consecutive counter values. Since you don't actually have to store the counter values, this takes no additional memory to implement. Since the algorithm is strongly serial in nature, you can't short-cut the process without breaking SHA-256 (which would be very impressive). Even on the fastest processors, hashing a > 1Gig message with SHA-256 is quite time consuming... at least several seconds per attempt. This provides a very effective rate limit.
Re: (Score:2)
The number of combinations in a 128b encryption key is roughly equal to the number of combinations in a 20 (random) character password, when typed on a US keyboard.
128b encryption is unbreakable even by military (2^128 is a cosmological number, and they only have astronomical computers ;-)). But if you use 19 characters instead of 20, the possible combinations shrink by roughly 99%. Compound that for each less password, and you see that a 10-character password takes about 0.0000000000000000001% of the time
Re: (Score:2)
gpg4win
It needs polish, but it does work. I wouldn't trust it though to not corrupt your data. I've used it with mixed results, but overall a good program.
Re: (Score:3, Insightful)
this commodore64_love is just trolling...
Re: (Score:2)
Thanks for the recommendation. I don't like the idea of GnuPrivacyGuard (GnuPG) corrupting my files, but I didn't find any reports of problems on google so I'll give it a test
Re: (Score:2)
TrueCrypt ( www.truecrypt.org )
Rubberhose ( http://iq.org/~proff/marutukku.org/ [iq.org] )
Some others, but these come to mind first...
Re: (Score:2)
Re:What (Score:4, Interesting)
All very accurate and informative. I still wonder about the numbers here. If I did my math correctly, (282 trillion posibilities, 4 million tries a second) you exhaust the search space in 816 days. That's over a year on average. And that's if they're using a simple 6 character alphanumeric password. Given that we all have a right to a speedy trial, this just doesn't seem like it would be ready in time for court. I think they'd do a lot better to use their sneak and peak warrant power to install key loggers.
Re: (Score:2)
You're assuming that all 282 trillion possible passwords are equally likely. In reality, 90% of passwords will be in the first million checked (real, pronouncable words), 90% of what's left will be discoverable in the first several billion (real words, intermixed with digits/symbols).
Re: (Score:2)
Re: (Score:2)
``Remember - it's not trying to brute force the key, just the container password.''
And you don't even have to run through the encryption algorithm for each password, either. You can get a long way by just storing pre-computed results for a lot of common passwords, or even every possible combination of characters that can be typed using the keyboard up to a certain length. It all depends on what is quicker.
Call me paranoid, but (Score:5, Insightful)
Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.
... suuuuuure.
Re: (Score:2)
Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.
... suuuuuure.
No really, it is true. The guys that don't follow the law get much better funding, and they can afford to make their own custom ASICs to do it much faster. It is only the ones that take the silly 'legal route' that have to scrimp and save like this.
-Charlie
Re: (Score:3, Insightful)
Trust me. (Score:2)
That is the only thing they use them for... Wink, wink, nudge, nudge, Know what I mean?
Re: (Score:3, Funny)
Look... are you insinuating something?
Re: (Score:2)
If there's grass on the field, play through
If not, retreat
New metric...??? (Score:2)
Each PS3 is capable of 4 million passwords per second
4 million passwords a second what?
Re: (Score:2)
I just accidentally 4 million passwords.
Lovely encryption (Score:5, Insightful)
Good to know when the Government is cracking the encryption implemented by the public it's "cracking down on child pornography." When it's the public cracking encryption implemented by corporations it's a violation of the DMCA.
Re: (Score:2)
I had this thought exactly. And likewise if someone in Iran had assembled a cluster of PS3's as a super computer, we'd accuse them of being involved in other nefarious deeds...
Re: (Score:2)
submitter failed a lot in the summary, TFA says: C3 focuses on transnational Internet crimes, including child pornography that has crossed national boundaries.. It's not just for kiddie porn. It seems they would use the same tech if it was a suggested terrorist pc.
Re: (Score:2)
Ugh, replied to the wrong post. I need to go home. Sorry
Re: (Score:2)
1) The cases you tend to think about where "the public" cracks encryption implemented by corporations are DMCA violations. However, that's not (as you imply) because of who's doing it or who implemented the encryption; it's because of what function the encryption is serving. If I crack the boot password on your laptop, DMCA violations aren't what I'm guilty of.
2) Yes, there are many, many things that are permissable when done by the government but illegal if done by a private citizen. There always have b
Wow, 4 million passwords per second... (Score:3, Insightful)
Re: (Score:2)
I wonder how long it'll take it to break it if the perp uses "id10t". Still, they are probably not using brute force.
Re: (Score:2)
Depends. If you're using MD5 to verify the password that protects your stuff, you might be in trouble. Sure, that'd be looking for collisions, but all you have to do is find the right one.
Re:Wow, 4 million passwords per second... (Score:5, Funny)
Thanks, we'll just skip ahead to the password we would have be trying 36,030,233,524,592,808,479,552,335 years from now, and crack your encryption today!
Nit-picking the article (Score:3, Informative)
"He explained that the number of possible combinations in a six-digit password is 256 to the sixth power."
Um, only if the person uses characters that can't be typed on a normal keyboard.
In practice, the password "alphabet" is either 26, 52, 62, 84, or some other number not much above 84 characters. 84^6 is much less than 256^6.
However, in practice, people who fear the cops will use a lot more than 6 digits.
If the passwords are decent passphrases of, say, 6 words, taken out of a dictionary of even 2,000 common words, that's 2,000^6, or "still not that big of a number" as it's known in the security field. And that's if the person makes it easy by not using any spaces, using all lowercase, etc.
The real smart crooks encrypt their stuff in a way that nothing short of banging them over the head with a $5 pipe wrench will ever reveal.
Re: (Score:2)
The real smart crooks encrypt their stuff in a way that nothing short of banging them over the head with a $5 pipe wrench will ever reveal.
how would giving someone a concussion reveal their password?
Re: (Score:2)
Yeah. And there's no reason to do any "banging" anyway. Everyone I've ever wanted to get a password from just gave it to me when I showed them my tools!
Re:Nit-picking the article (Score:5, Informative)
If the smart crooks are using any version of Windows then they can access all extended characters from their normal keyboard by holding down the ALT key and typing the character code on the numeric keypad.
I used character 255 back in the Windows 3.1 days to make directories that no one else could figure out how to get in to. (DOS had no problem but windows couldn't handle a file with that character in the name)
Re: (Score:3, Funny)
And the problem with this is??? (Score:4, Interesting)
Really what is the problem with this. These computers are being searched AFTER a judge issues a search warrant. In other words constitutional law is being followed to the letter in this case.
So what is the problem? Because it may involve child porn and you think that it is harmless? Well some of those computers have pictures of the victims "children" and the criminal act happening.
There is nothing wrong with this legally.
And having a fit about it is a clear case of calling wolf.
I am sure this will be used in any investigation that involves a computer and not just for child porn.
Complaining about the legal search of a computer after a warrant is issued is just stupid.
BTW I am sure that the NSA has much better systems based on FPGAs and Cell chips for breaking encryption than PS-3s but we will never hear about those and that type of wiretap without a warrant is what I am worried about.
Re: (Score:3, Informative)
Who said there was a problem?
Re:And the problem with this is??? (Score:5, Insightful)
>>>There is nothing wrong with this legally.
Nope. Searches performed with the permission of a judge (warrant) are perfectly legal. ----- That's fine. It's the law that needs to be changed. IMHO there should actually be three stages - childhood, teenager, and adulthood. Then we'd no longer have the nonsense of teenaged boy/girlfriends being charged for "child porn" simply because they took photos of their own bodies. (For that matter nudity shouldn't even be illegal, regardless of age.)
>>>wiretap without a warrant is what I am worried about.
Agreed, As Judge Napolitano keeps repeating, the Patriot Act gives federal cops the ability to write their own warrants, without need to stand before a judge and swear an oath. That's just plain ridiculous.
Yeah right (Score:2)
" Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."
You know, if you buy that one, I have this little red bridge I'd like to sell you.
Re: (Score:2)
What is known (Score:2)
FARC data was opened after
"It took Interpol two weeks running 10 computers simultaneously 24 hours a day to break into the encrypted files, the agency said." in 2008.
C3 seems to be funded with extra millions so whats missing with this story?
Why buy toys? Toys have cheap bottlenecks as "Halo" at 620p showed.
Sony PR, a cry for funding and power ? Why this dependance on Sony suburban plastic?
If federal agents find more PS3's via forfeitu
4 million passwords? Umm, no. (Score:2)
As we all most likely know, It would be impossible* to actually try 4 million passwords per second. I'd be willing to wager the actual headline should be:
"PS3s have been purchased to calculate 4 Million hash-table lookups per second."
Step 1: load hash table to RAM.
Step 2: let the brute force CPU bang away at it till it finds a match.
4MFLOPS seems much more likely.
They aren't cracking Encryption! (Score:4, Insightful)
There is a difference between cracking encryption and the password used to secure the encryption. The article says they are using the systems to crack passwords, not encryption. The submitter has a reading problem.
How does this work? (Score:3, Interesting)
Seems to me that a reasonably well designed OS would lock after 4 password attempts. How are they entering all these passwords w/o the system balking?
i'm asking because i don't know, please don't mod me a troll for not knowing something.
Re:How does this work? (Score:4, Informative)
If instead your machine is deactivated and everything is off, they would run a program versus the actual data on the drive (or rather, on a COPY of the drive that they make). At no point would they run your OS, and obviously if you just have a bunch of data to try to crack, there's nothing to "lock"- the only code running is the cracking code, guessing solutions. However, I wouldn't think that brute force would actually crack any secure passwords ever.
Hmmmm (Score:5, Interesting)
At 8character passwords w/ letters and numbers only, 3.3hours.
Upper and lower case increase that figure to 10.5days. (With 9 characters 7.15years)
84character set brings us up to 119.5days.
Note: I just used x^8 which isn't totally accurate, the numbers in reality are a bit larger but it doesn't matter much.
This makes me wonder in case this is true. We are running up to a physical limitation in the human brain. People already have trouble memorizing the dozens of 8character passwords. 9 characters will hold moores law off for a few more years (not the precise meaning of moores law but you know what i mean). The problem is also that people are getting more accounts for things. Most people even today use the same passwords for a variety of things. I'd say almost all people.
So I ask the
Riiiight.... (Score:4, Funny)
Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.
Naturally. (*wink-wink* *nudge-nudge* say no more...)
Re: (Score:2)
Using GPU processing to crack passwords isn't news. In Soviet Russia [elcomsoft.com], they have beeing doing it for some time now.
Re: (Score:2)
Outside of lame Slashdot jokes, Soviet Russia hasn't existed since 1991. Elcomsoft is in the Russian Federation.
Re: (Score:2)
In Soviet Russia, they have beeing doing it for some time now.
Slashdot Meme Parse Error at line 1: "they have beeing doing it for some time now" not recognized.
Re: (Score:2)
The PS3 _is_ very powerful, and I think somebody just realized how to make good use of that power.
Re: (Score:2)
If you're the RPG type, I played Demon Souls the other week and it was breathtakingly fantastic, arguably better than Dragon Age in some respects.
Re:Is this April 1st? (Score:4, Informative)
Re: (Score:2)
Wait, Sony released versions of the PS3 that _don't_ allow you to install Linux? Why am I only hearing about this now?
Linux supported for PS3 (Score:2)
Linux was supported on PS3 before the latest model, they could be using the older units...
Or it's quite possible they simply wrote the needed drivers to work with the updated PS3 units.
Neither is cracking the console nor against the law.
Re: (Score:2)
FTFA:
They're buying the old PS3s. The $300 figure comes from the fact that you can get a PS3 for $300, but they aren't necessarily buying sub-$
Re: (Score:2)
Thinking about children as much as they do can't be normal.
Hmm, there might be some ulterior motives for cracking those passwords...
It's fun to laugh but on a serious note (Score:2, Interesting)
I knew a guy once who worked closely with anti-kiddie-porn cops. They rotated those guys off fairly quickly so they wouldn't go insane. What you see on Law & Order with the same cops doing the kiddie-smut patrol year in and year out may work for Munch and Stabler but it doesn't work in the real world.
Also, in the real world I'll be a cop's donut you don't get to do that kind of work in a decent-sized department unless you are emotionally stable, in a stable romantic relationship with another adult or
Re: (Score:2)
Is that why Pennsylvania prosecutors have *twice* locked-up teens (for one night in each case)? Just because they took "mirror photos" of themselves nude? I suppose those prosecutors believed they were thinking of the children, when they locked-up these minors and charged them with a child pornography crime, but I don't agree. If a young adult can't even take a photo of his/her own body, then freedom is dead.
Re: (Score:2)
Assuming you can brute force it that easily and not, say, have to deal with any CPU intensive encryption/decryption process for each password. And that he only used 8 characters.
Re: (Score:2)
Sony loses money on each PS3 sold. If the government isn't buying any games, then this is a loss for Sony.
Re: (Score:2, Offtopic)
>>>Go download
"Awwww! You're gonna get in trou-ble! Daddy that man said a baaaad word."
Yes I know honey.
Re: (Score:2, Informative)
Sorry to inform you that your memory isn't serving you. The SPEs work in Linux just fine, it's the videocard that doesn't. In short, Sony doesn't want you to play games under Linux so no one can develop games that run on Linux (cirvumventing Sony's stranglehold on the hardware) for the PS3. Linux games wouldn't need to pay Sony for each game sold as the normal titles do.
Re:Big bad lawyers fron Sony (Score:4, Insightful)
Installing Linux is a Sony supported function on the PS2 (fat model) and the PS3 (fat model), no hacks/mods needed.
Truecrypt is not open source (Score:3, Informative)
TrueCrypt [truecrypt.org] is open source and is available for download from Source Forge [sourceforge.net], which hosts open source projects. And here's the downloadable source code [truecrypt.org].
Falcon