[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bank transactions on Internet
> >>>>> "Dave Emery" <[email protected]> pessimised:
>
> > [... the tools are too expensive...]
> > [... and the skills required are too high...]
> > [... for anyone on cypherpunks...]
>
> Come on, Dave, this isn't alt.2600!
>
I want to immediately applogize to the list readership if
anything in my posting seems to imply that I doubted that some of the
list members possess the skills or brainpower to build a key cracker. I
am sure a considerable number (at least by comparison with most other
net communities) do, and many more certainly have the raw brainpower to
learn the required technology if not currently up on it. Motivation and
available time are another matter however.
My only disparaging comment (at least as intended by me) was that
the task was probably beyond some of the alt.2600 type crackers who
primarily use canned programs and scripts to perpetrate their attacks.
That comment was actually intended as a left handed warning about the
advisablity of releasing a readily reproduced hardware key cracker
design to the world at large. This seems especially true if entire FPGA
array PC plugin boards are becoming a commodity item and readily
available and the cracker recipe is buy one of those and install this canned
software on it.
> Most of the subscribers to this list are professionals -- engineers,
> programmers, mathematicians, lawyers -- not phone phreaks. I'm sure
> that there are more than a few of us with the knowledge, experience,
> and free access to the resources needed to handle most relatively
> small-scale designs like this.
>
> (It's like saying that no one on cypherpunks has access to the
> distributed computing resources necessary to perform other sorts of
> brute-force cracking -- which is patently ludicrous.)
>
I'm sorry, but rereading my post I simply don't find the
statement that cypherpunks readers couldn't carry out the task, My
comments were directed at the original cost and effort estimates that I
thought were a little low - I'm certainly aware that many cypherpunks
list members are working professionals or grad students/researchers with
very considerable "free" resources at their beck and call. And even the
pessimistic resource estimate I posted is not beyond motivated people.
particularly if they see a large profit or advantage in it.
But most importantly I may be making a very nieve assumption
about the list readership - that it is mostly good guys and not thieves
preparing to rip off hundreds or thousands of credit card numbers/ bank
access codes from the Internet for gain. It is the implication that for
this thief group it would be an easy $400 project to *design* and build
a useful key cracker that I was challenging. (I might add that there
certainly are other easier ways of obtaining large numbers of credit
card numbers and access codes by such means as tapping unencrypted
non-Internet data or voice communications and/or altering existing
credit card terminal firmware to make it save up and deliver credit card
numbers via a backdoor or bugging device. Gaining illegal access to the
phone cables or credit terminals at a mall is certainly easier for most
crackers and more typical of their experiance base than designing
efficient pipelined key schedulers that fit into an FPGA).
Presumably most of the competant, talented cypherpunks who could
easily design a cracker are already far too well paid for these design
skills to have much of any motivation to build such hardware for
criminal purposes.
And I might add that to my knowlage (admitedly rather limited) I
know of no hardware crackers having been built with this technology (at
least outside of the classified world). If it really is a simple
trivial project that can be carried out with $400 worth of resources why
aren't there NYT front page articles about someone having built a useful
one and cracked something ? There certainly are lots of ambitious young
grad students with lots of resources available to them and time to do
this who would love to make their reputation by being the first to crack
DES in under a week ...
> For instance, from where I'm sitting in my *home* office, I can see
> the full development packages for Xilinx and AT&T FPGAs, Viewlogic
> VHDL, schematic, and simulation tools, an HP 1660A logic analyser, and
> a Tek THS 720 500 MHz digital scope.
>
You have better tools than I do (I have a 16500B for example
rather than a 1660A (which I'd love), but not hugely so, and I've been
mostly semi-retired, taking a sabbatical to care for my newborn son and
haven't wanted to spend the money to update resources I'd be largely
using occasionally for very casual playing.
> And I doubt if I'm the only one here who does this for a living.
>
Judging from other posts I've seen I have little doubt.
Certainly I have done related stuff in the past...
> The problem isn't resources, but time and motivation -- what sort of
> situation would it take to get me (for instance), and one of
> cypherpunk's cryptography wizards, to take the time to collaborate on
> something like this.
I completely agree.
But I'd be surprised if it took much of a crypto wizard to do a
brute force cracker as a just a simple brute force cracker. The task
would demand much more of the skills of a good clever parallel logic
designer to figure out how to effectively pipeline the well known and
well defined crypto algorithms within the constraints of a still limited
FPGA. What a crypto wizard might add might lie more in the direction of
optimized strategies for key generation and scheduling to reduce the
number of clock ticks and or gates devoted to this. The game of course
is how many keys per second per dollar... anyone can build something
that will eventually try a key, it is building something that will try
keys at a maximum rate on cheap hardware that is interesting.
(Sorry to take so much list bandwidth on this)..
Dave Emery
[email protected]