Re: [NTSEC] Re: Internet Explorer Bug #4 (fwd)





=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    | "If  you're  gonna die,  die  with your|./|\.
..\|/..|[email protected]|boots on;  If you're  gonna  try,  just |/\|/\
<--*-->| ------------------ |stick around; Gonna cry? Just move along|\/|\/
../|\..| "A toast to Odin,  |you're gonna die, you're gonna die!"    |.\|/.
.+.v.+.|God of screwdrivers"|  --Iron Maiden "Die With Your Boots on"|.....
======================== http://www.sundernet.com =========================
  For with those which eternal lie, with strange eons even death may die.


---------- Forwarded message ----------
Date: Sat, 29 Mar 1997 14:37:43 -0800
From: Chris Plunkett <[email protected]>
To: [email protected]
Cc: Romulo Moacyr Cholewa <[email protected]>,
    Windows NT BugTraq Mailing List <[email protected]>,
    "[email protected]" <[email protected]>, [email protected]
Subject: Re: [NTSEC] Re: Internet Explorer Bug #4

> > We are aware of this, but the report is misleading.  The report states
> > that both times the password sent from the client to the server is
> > encrypted.  It would take quite a while for even a Cray Supercomputer to
> > decrypt the password, even if it was dedicated to that sole task.  For
> > the average network server (and a powerful one), it would take a few
> > human lifetimes to decrypt them even if they were dedicated to that sole
> > task.
> 
> Arrggghhh!  Nothing sets off my ignorance alert more quickly than somebody
> who mentions a Cray in conjunction with attempts to brute force crypto
> algorithms.  I won't bother to explain all of the reasons why that is a
> foolish thing to say.  Instead I will share a little story about some folks I
> know from about 3-4 years ago.  (Greetings to any of these individuals who
> may be lurking on NTSEC or NTBUGTRAQ.)
> 
> Apparently they had some good reasons to go after the encryption algorithm
> used by WordPerfect.  After several ineffective implementations, a
> WordPerfect engineer developed a DES based encryption algorithm.  His claim
> was that it would take a room full of Crays to break the algorithm.  Hmmm...
> sounds familiar.  Needless to say, shortly after a successful attack on the
> algorithm by those mentioned, there was a certain 486 with a YMP sticker
> plastered to its front.
> 
> Sure, brute force attacks can be expensive when an algorithm is implemented
> correctly.  However, I can't let it pass when these facts are expressed in
> such a patronizing manner.
> 
> ---
> Paul M. Cardon - System Officer
> Capital Markets Systems - First Chicago NBD Corporation
> [email protected] - (312) 732-7392
> 
I heard a story one time.  It revolved around a college student in
France doing some cryptography work in school, working nights
as a backup operator at some large computer center.  He didn't need
a Cray.  A little knowledge and some creative programming, and
a center full of computers (probably around the size of a Sparc 10).
The story ended explaining how one of the encryption schemes that
would take a Cray week to break, was broken in one night, by a
bunch of computers running backups.

It might be hard to find a Cray, but I know a guy, he works
at this place where they got them 15 Pentium Pros.  The average
network server has another server for some other task on the
same wire.
------------------------------------------------------------
Chris Plunkett                             System Technician
Breakwater Technologies Inc.
phone:(206)803-5000x112                    Fax:(206)803-5001
http://www.breakwater.net        mailto:[email protected]
------------------------------------------------------------