From: Bill Stewart <stewarts@ix.netcom.com>
To: shank@netscape.com (Peter Shank)
Message Hash: e86089ee70a6084259be7c77772d4cb9c4c07012c45802aca6f0db9cbcb0069c
Message ID: <199508180750.AAA27087@ix4.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1995-08-18 07:53:53 UTC
Raw Date: Fri, 18 Aug 95 00:53:53 PDT
Subject: Re: Netscape security
Mr. Shank - I'm a bit disappointed by your posting about the RC4-40 crack.
>Late Tuesday evening a person from France posted a news article to the
>hacker community claiming success at decrypting a single encrypted message
(You could have used his name, and use of the term "hackers" to the press
tends to be interpreted as a negative...) Anyway, as to content:
>What this person did is decrypt one encrypted message that used RC4-40 for
>encryption. He used 120 workstations and two parallel supercomputers for 8
>days to do so.
"Two" parallel supercomputers? You can't really call the Encore Multimax
or the Sequent B8000 a supercomputer - both of them together are slower than
the HP workstation. The KSR gets closer to supercomputer territory, but it's only
cracking keys about six times as fast as the faster DEC Alpha (which Damien
only had one of); it increased his horsepower about 20% for two days.
Now, I can see calling a MasPar a "parallel supercomputer"; another effort
at the SSL challenge got the answer about 2 hours before Damien's did,
and used about 4 days of spare time on the MasPar. Last time I looked,
a MasPar was selling for about $150K, though I don't know how big the one
used on SSL was. At that price, you could have your own for ~$500/day,
and ripping off $2000 on a credit card isn't tough in today's automated world.
Next year - computer time costs half as much.
Yes, it's still cheaper to get good credit card numbers by scamming carbons
at a mall clothing store or yuppie restaurant, but computer networks let
criminals run their scams wholesale, putting the public at risk both from
organized criminals with their own equipment and any dishonest college
student or office worker who's got a roomful of idle computers to use at night.
Trading off the cost of breaking security vs. the value to be gained is
a good start - lots of people have $2000 of credit limit left on their cards,
and most people have more than $0 left.
> This level of security has been available in the
>U.S. versions of our products since last April. Because of export controls
>it has not been available outside the U.S. We would appreciate your support
>in lobbying the U.S. government to lift the export controls on encryption.
>If you'd like to help us lobby the government send email to
>export@netscape.com.
Thanks for working on this!
Bill Stewart
==================== The list of computers ===========================
type                 speed (keys/s)   number   notes
--------------------------------------------------------
DEC (alpha)          18000-33000      34
DEC (MIPS)           2500-7500        11
SPARC                2000-13000       57
HP (HPPA/snake)      15000            3
Sony (R3000)         1100-4000        3
Sun 3                600              2
Sequent B8000        100 x 10         1        (1)
Multimax (NS532)     600 x 14         1        (1)
KSR                  3200 x 64        1        (1) (2)
Notes:
1. These are multiprocessor machines
2. The KSR spent only about 2 days on this computation.
The total average searching speed was about 850000 keys/s,
with a maximum of 1350000 keys/s (1150000 without the KSR).
====================================================================
#---
# Thanks; Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---
"The fat man rocks out
Hinges fall off Heaven's door
"Come on in," says Bill" Wavy Gravy's haiku for Jerry
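
Added example (not part of Bill Stewart's message): a small Python model of the cost-versus-value trade-off argued above, built from the key rates in the list and the roughly $2000 MasPar estimate. The yearly cost halving is extrapolated from the "Next year" remark; the linear scaling of cost with keyspace and all function names are assumptions of this example, and it generalizes from 40 bits to any key length.

```python
import math

KEY_BITS = 40        # RC4-40 key length discussed in the message
AVG_RATE = 850_000   # keys/s, average search speed from the list
BASE_COST = 2000.0   # USD, the message's estimate (about 4 days at ~$500/day)

# Machine list from the message: (low keys/s, high keys/s, CPUs, machines).
FLEET = {
    "DEC (alpha)":      (18000, 33000, 1, 34),
    "DEC (MIPS)":       (2500, 7500, 1, 11),
    "SPARC":            (2000, 13000, 1, 57),
    "HP (HPPA/snake)":  (15000, 15000, 1, 3),
    "Sony (R3000)":     (1100, 4000, 1, 3),
    "Sun 3":            (600, 600, 1, 2),
    "Sequent B8000":    (100, 100, 10, 1),
    "Multimax (NS532)": (600, 600, 14, 1),
    "KSR":              (3200, 3200, 64, 1),
}

def box_rate(name, high=True):
    """Keys/s for one machine of this type, counting all of its CPUs."""
    low, hi, cpus, _machines = FLEET[name]
    return (hi if high else low) * cpus

def sweep_days(bits, rate=AVG_RATE):
    """Days needed to try every key of the given length at `rate` keys/s."""
    return 2 ** bits / rate / 86400

def attack_cost(bits, years_from_now=0):
    """USD to search a `bits`-bit keyspace. Assumed model: cost doubles
    per extra key bit and halves every year."""
    return BASE_COST * 2.0 ** (bits - KEY_BITS - years_from_now)

def min_key_bits(value_at_risk, years):
    """Smallest key length whose search still costs at least
    `value_at_risk` USD after `years` of falling compute prices."""
    extra = math.log2(value_at_risk / BASE_COST) + years
    return KEY_BITS + max(0, math.ceil(extra))

if __name__ == "__main__":
    full = sweep_days(KEY_BITS)
    print(f"40-bit sweep: {full:.1f} days, expected hit after {full / 2:.1f}")
    ratio = box_rate("KSR") / box_rate("DEC (alpha)")
    print(f"KSR vs fastest Alpha: {ratio:.1f}x")
    # Constructed scenarios: (USD protected, years the secret must hold).
    for value, years in [(2000, 0), (2000, 10), (1_000_000, 10)]:
        print(f"${value} for {years} years -> {min_key_bits(value, years)} bits")
```

Under this model every extra key bit buys one more year at the same attacker budget, so a fixed 40-bit ceiling loses ground each year.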