Re: [NTSEC] Re: Internet Explorer Bug #4 (fwd)
=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.| Ray Arachelian | "If you're gonna die, die with your|./|\.
..\|/..|[email protected]|boots on; If you're gonna try, just |/\|/\
<--*-->| ------------------ |stick around; Gonna cry? Just move along|\/|\/
../|\..| "A toast to Odin, |you're gonna die, you're gonna die!" |.\|/.
.+.v.+.|God of screwdrivers"| --Iron Maiden "Die With Your Boots on"|.....
======================== http://www.sundernet.com =========================
For with those which eternal lie, with strange eons even death may die.
---------- Forwarded message ----------
Date: Sat, 29 Mar 1997 14:37:43 -0800
From: Chris Plunkett <[email protected]>
To: [email protected]
Cc: Romulo Moacyr Cholewa <[email protected]>,
Windows NT BugTraq Mailing List <[email protected]>,
"[email protected]" <[email protected]>, [email protected]
Subject: Re: [NTSEC] Re: Internet Explorer Bug #4
> > We are aware of this, but the report is misleading. The report states
> > that both times the password sent from the client to the server is
> > encrypted. It would take quite a while for even a Cray Supercomputer to
> > decrypt the password, even if it was dedicated to that sole task. For
> > the average network server (and a powerful one), it would take a few
> > human lifetimes to decrypt them even if they were dedicated to that sole
> > task.
>
> Arrggghhh! Nothing sets off my ignorance alert more quickly than somebody
> who mentions a Cray in conjunction with attempts to brute force crypto
> algorithms. I won't bother to explain all of the reasons why that is a
> foolish thing to say. Instead I will share a little story about some folks I
> know from about 3-4 years ago. (Greetings to any of these individuals who
> may be lurking on NTSEC or NTBUGTRAQ.)
>
> Apparently they had some good reasons to go after the encryption algorithm
> used by WordPerfect. After several ineffective implementations, a
> WordPerfect engineer developed a DES based encryption algorithm. His claim
> was that it would take a room full of Crays to break the algorithm. Hmmm...
> sounds familiar. Needless to say, shortly after a successful attack on the
> algorithm by those mentioned, there was a certain 486 with a YMP sticker
> plastered to its front.
>
> Sure, brute force attacks can be expensive when an algorithm is implemented
> correctly. However, I can't let it pass when these facts are expressed in
> such a patronizing manner.
>
> ---
> Paul M. Cardon - System Officer
> Capital Markets Systems - First Chicago NBD Corporation
> [email protected] - (312) 732-7392
>
I heard a story one time. It revolved around a college student in
France doing some cryptography work in school, working nights
as a backup operator at some large computer center. He didn't need
a Cray. A little knowledge and some creative programming, and
a center full of computers (probably around the size of a Sparc 10).
The story ended explaining how one of the encryption schemes that
would take a Cray a week to break, was broken in one night, by a
bunch of computers running backups.
It might be hard to find a Cray, but I know a guy, he works
at this place where they got them 15 Pentium Pros. The average
network server has another server for some other task on the
same wire.
------------------------------------------------------------
Chris Plunkett System Technician
Breakwater Technologies Inc.
phone:(206)803-5000x112 Fax:(206)803-5001
http://www.breakwater.net mailto:[email protected]
------------------------------------------------------------