Slashdot: News for Nerds

US Government Using PS3s To Break Encryption

timothy posted more than 4 years ago | from the purchase-order-shenanigans dept.

Encryption 570

Entropy98 writes "It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."

570 comments

What (4, Insightful)

sopssa (1498795) | more than 4 years ago | (#30149520)

being used to break encryption

Each PS3 is capable of 4 million passwords per second

Something doesn't match up. First, the different encryption schemes take different times to try even one password, and even more if you combine several of them together. Secondly, you cannot try 4 million passwords in a second if it's encrypted content, it takes a lot more than that.

Re:What (4, Funny)

edittard (805475) | more than 4 years ago | (#30149562)

Perhaps they're just hitting people [xkcd.com] with them?

Re:What (2, Informative)

commodore64_love (1445365) | more than 4 years ago | (#30149736)

+1 funny? Or +1 informative.

In the UK they lock you in jail for year-after-year until you give them the encryption key. So much for the right to be presumed innocent until PROVED guilty.

Re:What (4, Interesting)

isama (1537121) | more than 4 years ago | (#30149898)

[sarcasm]You are guilty! You won't give us the key so you must be![/sarcasm]

Re:What (2, Informative)

plover (150551) | more than 4 years ago | (#30149622)

It's a news article featuring small sound bites and quotes. It's not an in-depth technological review. Nobody quoted the environment in which they were benchmarking their tests: AES-128, 3DES, DES, or whatever.

And yes you certainly could test 4 million passwords a second on these machines, but again it really depends entirely on what algorithm you're attacking.

Re:What (-1, Troll)

commodore64_love (1445365) | more than 4 years ago | (#30149634)

Just curious: ...how does one encrypt files with a password? Any free software available for that task?

Re:What (1)

digitalunity (19107) | more than 4 years ago | (#30149740)

gpg4win

It needs polish, but it does work. I wouldn't trust it though to not corrupt your data. I've used it with mixed results, but overall a good program.

Re:What (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30149798)

this commodore64_love is just trolling...

Re:What (1)

commodore64_love (1445365) | more than 4 years ago | (#30150022)

Thanks for the recommendation. I don't like the idea of GnuPrivacyGuard (GnuPG) corrupting my files, but I didn't find any reports of problems on Google so I'll give it a test.

Re:What (0)

Anonymous Coward | more than 4 years ago | (#30149744)

GnuPG in --symmetric mode. GPGee is a nice wrapper for it on Windows, if that's your thing.

Re:What (1)

Pentium100 (1240090) | more than 4 years ago | (#30149768)

TrueCrypt ( www.truecrypt.org )
Rubberhose ( http://iq.org/~proff/marutukku.org/ [iq.org] )

Some others, but these come to mind first...

Re:What (1, Informative)

Anonymous Coward | more than 4 years ago | (#30149804)

Just curious: ...how does one encrypt files with a password? Any free software available for that task?

BitLocker for Windows Vista/7 does the trick.

Re:What (1)

Korin43 (881732) | more than 4 years ago | (#30149980)

LUKS [wikipedia.org]

Re:What (5, Informative)

Swift Kick (240510) | more than 4 years ago | (#30149636)

You're right. The submitter didn't read the article (or lacked the reading comprehension to understand it).

The article says that "the networked Playstation 3s can process 4 million passwords per second, cutting down on the time necessary to find the correct combination.". Nowhere does it say that a single PS3 can do that.

A network of 20, at most (1)

davidwr (791652) | more than 4 years ago | (#30149764)

ICE is hoping to buy 40 more original PS3s, through auction sites such as eBay.com, to add to the 20 it already has, Davenport said.

Assuming they have 1 or 2 in a testbed environment, we are probably talking 18 or 19 actively crunching numbers. Maybe 20 if the testbed machines also play ball.

Re:A network of 20, at most (1)

Cryacin (657549) | more than 4 years ago | (#30150054)

25 if the boys aren't playing Halo in the back.

Re:A network of 20, at most (1)

larry bagina (561269) | more than 4 years ago | (#30150106)

good luck playing halo on a ps3.

Re:What (4, Informative)

blueg3 (192743) | more than 4 years ago | (#30149686)

You usually don't care what the variable encryption scheme is when you're cracking -- typically, there is a method of simply verifying that the password is accurate, which is what they're doing. (Brute-forcing keys is fairly foolish with modern encryption systems, but brute-forcing passwords isn't.)

Re:What (1)

sopssa (1498795) | more than 4 years ago | (#30149852)

If the encryption scheme is designed and done correctly, there isn't. Only way (besides getting the password out of the guy) is to brute-force all possible keys, several times for each encryption scheme and their combinations. Sure, you don't need to decrypt all the possible content right away there but just to see if it works, but you still need to go through every combination.

Re:What (1)

RAMMS+EIN (578166) | more than 4 years ago | (#30149928)

Exactly. I may be using 2048-bit keys to protect my data, but I am surely not going to enter a 256-byte password every time I need to authenticate. That makes my passwords clearly the weakest link. And if you consider that I can't even use all possible byte values in my password, the link becomes even weaker ...

Re:What (2, Insightful)

Wonko the Sane (25252) | more than 4 years ago | (#30150062)

Your passphrase should be quite a bit longer than eight characters if you care about your key at all.

Re:What (1)

MadnessASAP (1052274) | more than 4 years ago | (#30150094)

The keys could be stored on a 2nd secure device, something like a TPM chip that nukes its storage after 3 invalid password attempts.

Re:What (0)

Anonymous Coward | more than 4 years ago | (#30149732)

They're getting fed up that the password always turns out to be either "password" or "12456", and want to play some games instead.

Re:What (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30149814)

Fuck off, TripMaster Monkey. Seriously. You clearly know nothing about computer security and encryption, and even less about what the government is doing in this case.

Re:What (1)

black3d (1648913) | more than 4 years ago | (#30149854)

For the first point, this is true - different algorithms take differing times to process. One would expect that this is a "best case scenario" with a relatively fast algorithm like AES-128.

As for trying 4 million passwords per second, it's the way the process is broken down. They don't get the original laptop, network 20 PS3s into it, and have it spam the hell out of Truecrypt. They take a small header portion of the original data - enough only to verify their decryption. Then you program in a specific decryption algorithm at a low processing level. You don't even have the same PS3 verifying the successful results. It just runs through its parameters, applying keys to the data as a natural process, and sending the output to a secondary system. This secondary system (or cluster) is what verifies if any of the keys hit a result. The result checking is a lot faster than the algorithmic application, and can process the input from several systems simultaneously.

It isn't that one PS3 is capable of decrypting a pr0n file 4 million times a second. It's simply that a PS3 can be programmed with an algorithm and apply that to a sample string 4 million times a second. Something else processes the results. Remember - it's not trying to brute force the key, just the container password.

Re:What (3, Interesting)

Hatta (162192) | more than 4 years ago | (#30149976)

All very accurate and informative. I still wonder about the numbers here. If I did my math correctly, (282 trillion possibilities, 4 million tries a second) you exhaust the search space in 816 days. That's over a year on average. And that's if they're using a simple 6 character alphanumeric password. Given that we all have a right to a speedy trial, this just doesn't seem like it would be ready in time for court. I think they'd do a lot better to use their sneak and peek warrant power to install key loggers.

Re:What (1)

RAMMS+EIN (578166) | more than 4 years ago | (#30150070)

``Remember - it's not trying to brute force the key, just the container password.''

And you don't even have to run through the encryption algorithm for each password, either. You can get a long way by just storing pre-computed results for a lot of common passwords, or even every possible combination of characters that can be typed using the keyboard up to a certain length. It all depends on what is quicker.

Right... (1)

epdp14 (1318641) | more than 4 years ago | (#30149530)

News flash: All of the servers of (insert opposition party) have been seized by the (insert party in power) government under child pornography charges.

Is this April 1st? (0, Troll)

commodore64_love (1445365) | more than 4 years ago | (#30149532)

Wait. (goes back to re-read). They are using videogame consoles to run their server? Seriously??? Wow.
I guess the PS3 is more powerful than I realized; maybe I ought to go buy one. Any good games (not on Xbox) for the PS3?

Re:Is this April 1st? (0, Troll)

commodore64_love (1445365) | more than 4 years ago | (#30149598)

P.S.

How ironic that the U.S. Cyber Crime unit is breaking U.S. Law to accomplish their goal (modding the hardware and installing Linux). Hmmm. But I doubt Sony or anybody else will file suit. They don't want to go after a big target like the United States government.

Re:Is this April 1st? (4, Informative)

Rattenhirn (1416947) | more than 4 years ago | (#30149680)

On the old (pre slim) PS3, you can install Linux legally and without any hard or soft mods. This was also possible with the old (pre slim, see the pattern?) PS2, if you bought a hard disk.

Re:Is this April 1st? (1)

RAMMS+EIN (578166) | more than 4 years ago | (#30149896)

Wait, Sony released versions of the PS3 that _don't_ allow you to install Linux? Why am I only hearing about this now?

Re:Is this April 1st? (1)

spectralfreak (1372145) | more than 4 years ago | (#30149726)

Besides, this has already been done before with the research group that broke SSL certificates that used MD5 http://www.win.tue.nl/hashclash/rogue-ca/ [win.tue.nl]

Re:Is this April 1st? (0)

Anonymous Coward | more than 4 years ago | (#30149812)

They are breaking a EULA not the law. Worst thing Sony can do is not repair the system. Not to mention the older PS3's allowed you to install Linux.

Linux supported for PS3 (1)

SuperKendall (25149) | more than 4 years ago | (#30149832)

Linux was supported on PS3 before the latest model, they could be using the older units...

Or it's quite possible they simply wrote the needed drivers to work with the updated PS3 units.

Neither is cracking the console nor against the law.

Re:Linux supported for PS3 (1)

tlhIngan (30335) | more than 4 years ago | (#30149904)

Linux was supported on PS3 before the latest model, they could be using the older units...

Or it's quite possible they simply wrote the needed drivers to work with the updated PS3 units.

Neither is cracking the console nor against the law.

FTFA:

ICE is hoping to buy 40 more original PS3s, through auction sites such as eBay.com, to add to the 20 it already has, Davenport said.

They're buying the old PS3s. The $300 figure comes from the fact that you can get a PS3 for $300, but they aren't necessarily buying sub-$300 units. OTOH, I wonder why they don't just clean out GameStop/EBGames?

So they're running Linux legally. Would be fun if they could force Sony to re-add "Other OS" support to the new PS3 slims.

Re:Is this April 1st? (1)

MaliciousSmurf (960366) | more than 4 years ago | (#30149650)

Uncharted?

Re:Is this April 1st? (1)

jonbryce (703250) | more than 4 years ago | (#30149678)

Using GPU processing to crack passwords isn't news. In Soviet Russia [elcomsoft.com] , they have beeing doing it for some time now.

Re:Is this April 1st? (1)

fm6 (162816) | more than 4 years ago | (#30149960)

Outside of lame Slashdot jokes, Soviet Russia hasn't existed since 1991. Elcomsoft is in the Russian Federation.

Re:Is this April 1st? (1)

CannonballHead (842625) | more than 4 years ago | (#30150038)

In Soviet Russia, they have beeing doing it for some time now.

Slashdot Meme Parse Error at line 1: "they have beeing doing it for some time now" not recognized.

Re:Is this April 1st? (1)

RAMMS+EIN (578166) | more than 4 years ago | (#30149864)

The PS3 _is_ very powerful, and I think somebody just realized how to make good use of that power.

Re:Is this April 1st? (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30149940)

If you're the RPG type, I played Demon Souls the other week and it was breathtakingly fantastic, arguably better than Dragon Age in some respects.

Don't forget the terrorists! (1)

davidwr (791652) | more than 4 years ago | (#30149538)

Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."

What about those computers seized with a warrant and suspected of harboring stored communications with terrorists? Are we going to just ignore them?? Huh??? Huh????

Re:Don't forget the terrorists! (0)

plover (150551) | more than 4 years ago | (#30149644)

Hey, at least SOMEBODY is thinking of the children!

Re:Don't forget the terrorists! (1)

Duradin (1261418) | more than 4 years ago | (#30149762)

Thinking about children as much as they do can't be normal.

Hmm, there might be some ulterior motives for cracking those passwords...

It's fun to laugh but on a serious note (2, Interesting)

davidwr (791652) | more than 4 years ago | (#30149920)

I knew a guy once who worked closely with anti-kiddie-porn cops. They rotated those guys off fairly quickly so they wouldn't go insane. What you see on Law & Order with the same cops doing the kiddie-smut patrol year in and year out may work for Munch and Stabler but it doesn't work in the real world.

Also, in the real world I'll bet a cop's donut you don't get to do that kind of work in a decent-sized department unless you are emotionally stable, in a stable romantic relationship with another adult or had one in your past for a long time, and have a history of not getting irrational and emotional at the sight of disturbing visuals, while at the same time not being stone-cold about it either.

Call me paranoid, but (4, Insightful)

Eudial (590661) | more than 4 years ago | (#30149546)

Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.

... suuuuuure.

HCF (1)

davidwr (791652) | more than 4 years ago | (#30149570)

GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!

Halt first, then catch fire.

GAAH! MY PRINTER WON'T PRINT!! HELP!!! OH AND BY THE WAY WHAT'S THAT SMELL?

Re:Call me paranoid, but (0)

Valdrax (32670) | more than 4 years ago | (#30149586)

Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.

... suuuuuure.

Oooh, meta-sarcasm! How impressive!

Re:Call me paranoid, but (1)

Groo Wanderer (180806) | more than 4 years ago | (#30149884)

Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.

... suuuuuure.

No really, it is true. The guys that don't follow the law get much better funding, and they can afford to make their own custom ASICs to do it much faster. It is only the ones that take the silly 'legal route' that have to scrimp and save like this.

                    -Charlie

Re:Call me paranoid, but (1)

spanky the monk (1499161) | more than 4 years ago | (#30149890)

I don't think the OP even believes that.

This wasn't in the commercials... (1)

Romicron (1005939) | more than 4 years ago | (#30149552)

Seems that the "it only does everything" slogan has greater scope than I initially thought - if "breaking encryption" was advertised explicitly, I may have picked one up...

Nice move Sony (1)

TheVidiot (549995) | more than 4 years ago | (#30149566)

Nice that Sony took out the ability to install Linux on the slim PS3. How hard could it have been to have left the feature in that is useful in a number of ways? Of course, they have recently announced the ability to post trophy acquisitions to Facebook.... but they take 'Other OS' support out?!

Re:Nice move Sony (0, Troll)

Reikk (534266) | more than 4 years ago | (#30149742)

Linux sucked on PS3. It had no 3D acceleration, little/no support for the controller, could only access like 200 megs of the RAM, couldn't access all of the processors, no flash, couldn't align the image right on monitors, and so on. It was useless. Good riddance.

Re:Nice move Sony (1)

Hatta (162192) | more than 4 years ago | (#30149844)

Sony loses money on each PS3 sold. If the government isn't buying any games, then this is a loss for Sony.

Re:Nice move Sony (0)

Anonymous Coward | more than 4 years ago | (#30149978)

It's a lot of free advertisement...

I see a trend here (1)

kammat (114899) | more than 4 years ago | (#30149576)

The PS2 was restricted for export because people thought Saddam would use them to build missile guidance units. We're using the PS3 to crack encryption. I can't wait to see what uses they'll think up for the Playstation 4. Nuclear simulation?

What do you mean "simulation"??? (1)

davidwr (791652) | more than 4 years ago | (#30149606)

You must be young. Go download War Games.

Re:What do you mean "simulation"??? (1, Offtopic)

commodore64_love (1445365) | more than 4 years ago | (#30149874)

>>>Go download

"Awwww! You're gonna get in trou-ble! Daddy that man said a baaaad word."
Yes I know honey.

Right idea, poor execution (1)

beefnog (718146) | more than 4 years ago | (#30149604)

If memory servers, the cell platform in a PS3 doesn't allow you to use all of the cores when you're running linux. So, for the price of a new ps3, they could just as easily use commodity hardware from last year and probably get better throughput.

Re:Right idea, poor execution (0)

Anonymous Coward | more than 4 years ago | (#30149700)

Do you really think the US Government is afraid of hacking a simple game console to do what they want?
This post crapchap is "illegal"

Re:Right idea, poor execution (1)

beefnog (718146) | more than 4 years ago | (#30149710)

damn sleep deprivation. if memory SERVES.

Re:Right idea, poor execution (0)

Anonymous Coward | more than 4 years ago | (#30149722)

memory does not servers

Re:Right idea, poor execution (0)

Anonymous Coward | more than 4 years ago | (#30149790)

IIRC, it lets you use 7 of the 8 Vector cores. So while you can't use ALL of them, you can use most of them.

Re:Right idea, poor execution (0)

Anonymous Coward | more than 4 years ago | (#30149866)

It allows you to use 6 SPEs at 3.2 GHz, for around 150GFlops throughput at $300 for the whole system. If your algorithm is suited for Cell you won't even come close to that efficiency using PC hardware. (And IBM's Cell servers are around 15 times more expensive)

Re:Right idea, poor execution (1)

sternn64 (1648727) | more than 4 years ago | (#30149998)

You get access to six of the eight SPEs of the Cell under Linux. One core is disabled for a better yield, and one is reserved for the hypervisor. Just the RSX is locked out.

Re:Right idea, poor execution (2, Informative)

klingens (147173) | more than 4 years ago | (#30150108)

Sorry to inform you that your memory isn't serving you. The SPEs work in Linux just fine, it's the videocard that doesn't. In short, Sony doesn't want you to play games under Linux so no one can develop games that run on Linux (circumventing Sony's stranglehold on the hardware) for the PS3. Linux games wouldn't need to pay Sony for each game sold as the normal titles do.

Trust me. (1)

Capt.DrumkenBum (1173011) | more than 4 years ago | (#30149628)

Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography.

That is the only thing they use them for... Wink, wink, nudge, nudge, Know what I mean?

Re:Trust me. (2, Funny)

turing_m (1030530) | more than 4 years ago | (#30149836)

That is the only thing they use them for... Wink, wink, nudge, nudge, Know what I mean?

Look... are you insinuating something?

Oh, no, no, no, no, no... (0)

Anonymous Coward | more than 4 years ago | (#30150016)

Yes. ;-)

New metric...??? (1)

aztektum (170569) | more than 4 years ago | (#30149642)

Each PS3 is capable of 4 million passwords per second

4 million passwords a second what?

wait a minute... (1)

thehostiles (1659283) | more than 4 years ago | (#30149648)

could this be used on the public end as well? And if a ps3 can break encryption that well, could it make it?

Lovely encryption (5, Insightful)

Applekid (993327) | more than 4 years ago | (#30149658)

Good to know when the Government is cracking the encryption implemented by the public it's "cracking down on child pornography." When it's the public cracking encryption implemented by corporations it's a violation of the DMCA.

Re:Lovely encryption (1)

BobMcD (601576) | more than 4 years ago | (#30149706)

I had this thought exactly. And likewise if someone in Iran had assembled a cluster of PS3's as a super computer, we'd accuse them of being involved in other nefarious deeds...

Re:Lovely encryption (1)

shawn(at)fsu (447153) | more than 4 years ago | (#30149748)

submitter failed a lot in the summary, TFA says: C3 focuses on transnational Internet crimes, including child pornography that has crossed national boundaries. It's not just for kiddie porn. It seems they would use the same tech if it was a suggested terrorist pc.

Re:Lovely encryption (1)

shawn(at)fsu (447153) | more than 4 years ago | (#30149868)

Ugh, replied to the wrong post. I need to go home. Sorry

Wow, 4 million passwords per second... (3, Insightful)

Animal Farm Pig (1600047) | more than 4 years ago | (#30149716)

So, with a brute force attack, I've only got 36,030,233,524,592,808,479,552,335 years before they will reach mine!

Re:Wow, 4 million passwords per second... (1)

JavaBear (9872) | more than 4 years ago | (#30149906)

I wonder how long it'll take it to break it if the perp uses "id10t". Still, they are probably not using brute force.

Nit-picking the article (3, Informative)

davidwr (791652) | more than 4 years ago | (#30149718)

"He explained that the number of possible combinations in a six-digit password is 256 to the sixth power."

Um, only if the person uses characters that can't be typed on a normal keyboard.

In practice, the password "alphabet" is either 26, 52, 62, 84, or some other number not much above 84 characters. 84^6 is much less than 256^6.

However, in practice, people who fear the cops will use a lot more than 6 digits.

If the passwords are decent passphrases of, say, 6 words, taken out of a dictionary of even 2,000 common words, that's 2,000^6, or "still not that big of a number" as it's known in the security field. And that's if the person makes it easy by not using any spaces, using all lowercase, etc.

The real smart crooks encrypt their stuff in a way that nothing short of banging them over the head with a $5 pipe wrench will ever reveal.

Re:Nit-picking the article (1)

sweatyboatman (457800) | more than 4 years ago | (#30149846)

The real smart crooks encrypt their stuff in a way that nothing short of banging them over the head with a $5 pipe wrench will ever reveal.

how would giving someone a concussion reveal their password?

Re:Nit-picking the article (1)

binary paladin (684759) | more than 4 years ago | (#30150026)

Yeah. And there's no reason to do any "banging" anyway. Everyone I've ever wanted to get a password from just gave it to me when I showed them my tools!

Re:Nit-picking the article (4, Informative)

Wonko the Sane (25252) | more than 4 years ago | (#30150030)

Um, only if the person uses characters that can't be typed on a normal keyboard.

If the smart crooks are using any version of Windows then they can access all extended characters from their normal keyboard by holding down the ALT key and typing the character code on the numeric keypad.

I used character 255 back in the Windows 3.1 days to make directories that no one else could figure out how to get in to. (DOS had no problem but windows couldn't handle a file with that character in the name)

Hey.. (1)

lazylocomotives (1645339) | more than 4 years ago | (#30149720)

At least they didn't claim to use Wiis for that!

We Are Using PS3 For (0)

Anonymous Coward | more than 4 years ago | (#30149758)

Renewable Energy Simulations [google.com] .

Yours In Peace,
Kim Jong iL [youtube.com]

And the problem with this is??? (3, Interesting)

LWATCDR (28044) | more than 4 years ago | (#30149794)

Really what is the problem with this. These computers are being searched AFTER a judge issues a search warrant. In other words constitutional law is being followed to the letter in this case.
So what is the problem? Because it may involve child porn and you think that it is harmless? Well some of those computers have pictures of the victims "children" and the criminal act happening.
There is nothing wrong with this legally.
And having a fit about it is a clear case of calling wolf.
I am sure this will be used in any investigation that involves a computer and not just for child porn.
Complaining about the legal search of a computer after a warrant is issued is just stupid.

BTW I am sure that the NSA has much better systems based on FPGAs and Cell chips for breaking encryption than PS-3s but we will never hear about those and that type of wiretap without a warrant is what I am worried about.

Re:And the problem with this is??? (1)

EmagGeek (574360) | more than 4 years ago | (#30149982)

Okay, say I see you walking through an airport terminal with a laptop. Having no other evidence, what do I have that rises to the level of Probable Cause to obtain a warrant to confiscate your laptop and search it?

Re:And the problem with this is??? (2, Informative)

Hatta (162192) | more than 4 years ago | (#30150032)

Who said there was a problem?

Re:And the problem with this is??? (0)

Anonymous Coward | more than 4 years ago | (#30150036)

Really what is the problem with this

The problem is that a tool is being used weirdly. Is a PS3 really a more powerful parallel computer per dollar than the various cards from Nvidia and ATI? Maybe it is, but if it is, then I have a gripe against Nvidia and ATI.

they'll need more... a lot more (1)

v_1_r_u_5 (462399) | more than 4 years ago | (#30149800)

assuming a perp uses a password from a set of 26 letters to choose from, it will take roughly two minutes to brute-force an 8-letter or fewer password with 40 Ps3's. (26^8 + 26^7 + ...) / (40 * 4 * 10^7). wow, that's great! but....

assuming a set of approximately 90 characters to choose from, it will take approximately a month :(

Re:they'll need more... a lot more (1)

ledow (319597) | more than 4 years ago | (#30149816)

Assuming you can brute force it that easily and not, say, have to deal with any CPU intensive encryption/decryption process for each password. And that he only used 8 characters.

Re:they'll need more... a lot more (0)

Anonymous Coward | more than 4 years ago | (#30149914)

The other question is where will they get these new PS3s?
All new PS3s (and any old ones that are updated to the latest firmware) are incapable of booting Linux.

imagine (0, Redundant)

trb (8509) | more than 4 years ago | (#30149858)

Imagine a Beowulf cluster of these.

Yeah right (1)

JavaBear (9872) | more than 4 years ago | (#30149880)

" Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."

You know, if you buy that one, I have this little red bridge I'd like to sell you.

This is important people, it's for CHILD PORN (0, Troll)

BigHungryJoe (737554) | more than 4 years ago | (#30149946)

Can we waive the Constitution and give these brave law enforcement folks a billion trillion dollars to buy PS3's? This is about fighting CHILD PORN.

Child porn is almost as big a threat as terrorism. ALMOST.

Terrible story. PR fluff, with several errors: (0)

Anonymous Coward | more than 4 years ago | (#30149958)

Firstly, basic error: it's not going to be 256^6. That's six bytes, not six characters. But your passphrase very, very probably does not contain zero-bytes, and very probably not control characters. Entropy of passphrases is almost always quite a lot less than 8 bits per character. And you try common dictionary attacks first of course, which is what this is really used for. Or Rainbow table generation.

Secondly, the use of PS3 in crypto attacks is not news; most of the massively-parallel crypto/computational stuff Cell was aimed at in the workstation sector actually ended up causing labs to buy hundreds of cheap commodity PS3s instead, which ended up being way more cost-effective than the overpriced Cell workstations, with only one more SPU each. The MD5 SSL "tunneled" collisions were calculated using a 200-strong PS3 cluster, for example.

It's rather unfortunate the "Other OS" thing was taken out for the slim, because running using less power and heat would have been helpful for clusters, as AccessData points out in the article.

However, they've now fallen somewhat behind, because modern graphics cards (see ElcomSoft's recent work, for example) can use CUDA or various shaders to get quite a lot more power for exactly this kind of computation, and it's made the PS3 approach almost obsolete overnight. A PS3 Cell can push about 20 GigaFLOPs, optimally (source: Folding@home). Impressive when it came out. But a fast quadcore CPU today is 70 GigaFLOPs. And your £150 4870 X2 not only plays a mean game, in the right circumstances it's 30-100 times faster at password cracking than a PS3 Cell. You could buy just one ordinary gaming PC, put a couple of 4870 X2s in it, like I don't doubt many of us have, and clean the clock of this entire 60 PS3 cluster, for a fraction of the price and running cost. And, the extremely rapid rate of development in graphics card technology means it's getting faster, rapidly (the R800 is about 3000 GigaFLOPs).

Thirdly, this attack is totally, stunningly ineffective against a good passphrase, which anyone who'd done their homework, or read the documentation of the crypto software, would know to use. A 6-word random "Diceware" (google it) passphrase (or the equivalent, roughly 16 randomly-chosen lower-case letters) wouldn't be crackable with anything of this magnitude in the next few years, making such an attack impractical. 10 random Diceware words (or a 22 alphanumeric mixed-case passphrase, or 28 lower-case letters) would get you over 128 bits of entropy and make any attack of this kind beyond anyone's reach for the foreseeable future.

Fourthly, because of the above, a dumb brute force attack like this, after the fact on hard drives you've seized, is decidedly the wrong way to do it. The right way to do it is to get a bugging warrant and plant a hardware keylogger or observe the passphrase being entered, then seize the hard drive. That's what the FBI do when they're actually being serious, say with Mafia bosses. (Or coercion, but there's the 4th Amendment barrier to law enforcement doing that.)

Fifthly, it mentions paedophiles for apparently very little actual reason. Brass Eye moment, right there. It's a transparent appeal to emotion used to grab headlines with little actual substance. I don't actually see where it mentions any convictions as a result of this. (That's odd, surely you'd be crowing about successfully bringing child molesters to justice if there were any successes, wouldn't you?) And, this isn't the FBI in this article, this is ICE. Odd, again; surely the wrong agency for child protection work? Is there a point to this other than to say that ICE just bought 40 PS3s off eBay? 60 PS3s, as I said above, ain't gonna get you far.

And finally, the dude says "There's no controllers hooked up". I'd just like to point out that that does not say they're not playing them; PlayStation®3 controllers are wireless, so almost by definition, unless you're charging them... they're not hooked up. Hmm. Now if there were no monitors hooked up, maybe then I wouldn't be so sceptical... :)

This makes no sense (0)

Anonymous Coward | more than 4 years ago | (#30149962)

Seriously, who does this? Forgetting about the whole "oh look we can spy on our citizens better" thing, if you have a 128-bit password, and let's assume that, for whatever reason, it's really only 100 bits. Then we have 2^100 possibilities. Further, let's assume that instead of 4 million a second, they meant 4 TRILLION a second, so 4 million * 1000 * 1000.

2^100 = 1267650600228229401496703205376

Divided by 4,000,000,000,000 = 316912650057057350 seconds, which is 3667970486771.497110812219922963 days, or 10420370700 years.

10420370700 years.

gl hf

I think these numbers are right... (0)

Anonymous Coward | more than 4 years ago | (#30149990)

--Valid password characters --
26 * 2 = 52 letters
10 * 2 = 20 numbers/symbols
10 * 2 = 20 other symbols

92 usable characters

92^8 = 5,132,188,731,375,616
92^9 = 472,161,363,286,556,672

--Break Speed--
Speed = 240,000,000 / per second

--8 character password--
5132188731375616 / 240000000 = 247 days

--9 character password--
472161363286556672 / 240,000,000 = 22,770 days = 62 years
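Added example, not part of any comment in this thread: a short Python calculator that reruns the keyspace figures quoted in the two comments above and in the earlier Diceware comment. The function names are this example's own, and the 240,000,000 guesses-per-second rate is the thread's 60 PS3s at 4 million each; Diceware's list has 7776 words.

```python
import math

SECONDS_PER_DAY = 86_400
DICEWARE_WORDS = 6 ** 5          # 7776: five dice rolls pick one word
CLUSTER_RATE = 60 * 4_000_000    # 60 PS3s at 4 million guesses/s, as quoted in the thread

def entropy_bits(symbols, length):
    """Bits of entropy in `length` symbols chosen uniformly at random."""
    return length * math.log2(symbols)

def min_length(symbols, target_bits):
    """Smallest length whose keyspace reaches 2**target_bits (exact integers)."""
    length = 1
    while symbols ** length < 2 ** target_bits:
        length += 1
    return length

def days_to_exhaust(symbols, length, guesses_per_sec=CLUSTER_RATE):
    """Days to try every candidate; the average hit comes at half this."""
    return symbols ** length / guesses_per_sec / SECONDS_PER_DAY

# (label, symbol-set size, length) for the cases the comments work through
SCHEMES = [
    ("8 chars of 92", 92, 8),
    ("9 chars of 92", 92, 9),
    ("16 lower-case letters", 26, 16),
    ("6 Diceware words", DICEWARE_WORDS, 6),
    ("10 Diceware words", DICEWARE_WORDS, 10),
]

def table(rate=CLUSTER_RATE):
    """One row per scheme: (label, entropy in bits, years to exhaust at `rate`)."""
    return [(label, round(entropy_bits(s, n), 1),
             days_to_exhaust(s, n, rate) / 365.25)
            for label, s, n in SCHEMES]

if __name__ == "__main__":
    for label, bits, years in table():
        print(f"{label:24s} {bits:6.1f} bits  {years:12.3g} years")
    for label, s in [("lower-case", 26), ("mixed-case alphanumeric", 62),
                     ("Diceware words", DICEWARE_WORDS)]:
        print(f"128 bits needs {min_length(s, 128)} {label}")
```

These figures only hold for passphrases chosen uniformly at random; a human-chosen phrase of the same length carries far less entropy.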

Let this be a lesson to you (1)

CSFFlame (761318) | more than 4 years ago | (#30150058)

Use long passwords for encryption (minimum 10 chars, preferably 20). Use upper-case, lower-case, numbers, and symbols. Do NOT use the password anywhere else or write it down. Sorry, but you're going to have to commit it to memory. Do not use Windows built-in encryption or any retail encryption schemes. Use open source. TrueCrypt is not open source, but people use it anyway, so read up first before you decide.

What is known (1)

AHuxley (892839) | more than 4 years ago | (#30150068)

http://afp.google.com/article/ALeqM5itMBF-kPRgoyoD97Y_DtvcyItGSQ [google.com]
FARC data was opened after
"It took Interpol two weeks running 10 computers simultaneously 24 hours a day to break into the encrypted files, the agency said." in 2008.
C3 seems to be funded with extra millions, so what's missing with this story?
Why buy toys? Toys have cheap bottlenecks as "Halo" at 620p showed.
Sony PR, a cry for funding and power? Why this dependence on Sony suburban plastic?
If federal agents find more PS3s via forfeiture laws, this might allow a super grid of units?
Also shows how good MS and archive encryption is :)
Real world numbers:)

4 million passwords? Umm, no. (1)

B5_geek (638928) | more than 4 years ago | (#30150076)

As we all most likely know, it would be impossible* to actually try 4 million passwords per second. I'd be willing to wager the actual headline should be:

"PS3s have been purchased to calculate 4 Million hash-table lookups per second."

Step 1: load hash table to RAM.
Step 2: let the brute force CPU bang away at it till it finds a match.

4MFLOPS seems much more likely.
