On Sep 20, 1:12am, sameer wrote:
I believe that it would take much longer than 1 minute to mount an attack against a mac, pc, or unix machine that the attacker was not
"time to mount an attack" is not "computation time".
I'm really not debating with -you- though here, just describing how the release was inaccurate. I don't deny any of your statements
The issue is that any statement that only mentions the 1 minute figure is only stating part of the story, just as a statement giving a figure of several hours is only mentioning a part of the story. All of the news articles I've seen (not an exhaustive sample) have only mentioned the 1 minute number, which only really effects a relatively small number of our customers. If you don't know the pid and ppid, or the tick count in the case of Mac/PC, you will have to add them to your search, which could make it take much longer than 1 minute to crack. If you assume that the unix machine has been up for a while and has a decent turnover of processes (not a valid assumption for determining strength) then you would have to search on average half of 16 bit pid space, and then add a few bits for the ppid(assuming that it is likely to be close to the pid). Even if you only got 8 extra bits from pid and ppid, that turns your one minute attack into a several hour attack. Anyway, I'm not trying to say that "several hours" is the only answer, just that it is just as good an answer as "one minute". As far as I know, no one has tried this attack without knowing the pids.
logged on to. I don't know exactly how the few hour number was calculated, since it was done by marketing with input from someone else in the group. Another interesting data point is that the unix version, which was most vulnerable, accounts for less than 10% of our user base, according to the yahoo random link stats.
Is UNIX really the most vulnerable? How many bits did the tickcount account for? Seems to me that guessing just time & tick would be easier than guessing time, pid and ppid if you are not logged into the machine in question. . .
This is really dependent on how long window has been running. If you boot windows and immediately start an ssl connection, then the number will be pretty low, but if you don't make the first SSL connection until later, it should get better. I think an hour would get you around 16-bits, but this is just a guestimate on my part. If you leave your machine running windows for days you will get close to 32bits.
Do you mean that cypherpunks offered to review the netscape code if only we made all the source available on the net? I think that it is unrealistic to expect us to release all of our source code to the net.
I was referring to Jim Bidzos's comment, posted to cypherpunks. The release I will be sending out is written much more cleanly than what I initially posted to cypherpunks.
We had a conference call with RSA folks tuesday, and they will be in wednesday to take a look at our fix. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.