Kaos Keraunos Kybernetos
Ray Arachelian <sunder@sundernet.com> -- http://www.sundernet.com
"If you're gonna die, die with your boots on; If you're gonna try, just stick around; Gonna cry? Just move along; you're gonna die, you're gonna die!" --Iron Maiden, "Die With Your Boots On"
"A toast to Odin, God of screwdrivers"
For with those which eternal lie, with strange eons even death may die.

---------- Forwarded message ----------
Date: Sat, 29 Mar 1997 14:37:43 -0800
From: Chris Plunkett <chris.plunkett@opensys.com>
To: pmarc@cmg.FCNBD.COM
Cc: Romulo Moacyr Cholewa <rmcholewa@poboxes.com>, Windows NT BugTraq Mailing List <NTBUGTRAQ@rc.on.ca>, "ntsecurity@iss.net" <ntsecurity@iss.net>, hughtay@microsoft.com
Subject: Re: [NTSEC] Re: Internet Explorer Bug #4
We are aware of this, but the report is misleading. The report states that both times the password sent from the client to the server is encrypted. It would take quite a while for even a Cray Supercomputer to decrypt the password, even if it was dedicated to that sole task. For the average network server (and a powerful one), it would take a few human lifetimes to decrypt them even if they were dedicated to that sole task.
Arrggghhh! Nothing sets off my ignorance alert more quickly than somebody who mentions a Cray in conjunction with attempts to brute force crypto algorithms. I won't bother to explain all of the reasons why that is a foolish thing to say. Instead I will share a little story about some folks I know from about 3-4 years ago. (Greetings to any of these individuals who may be lurking on NTSEC or NTBUGTRAQ.)
Apparently they had some good reasons to go after the encryption algorithm used by WordPerfect. After several ineffective implementations, a WordPerfect engineer developed a DES-based encryption algorithm. His claim was that it would take a room full of Crays to break the algorithm. Hmmm... sounds familiar. Needless to say, shortly after a successful attack on the algorithm by those mentioned, there was a certain 486 with a YMP sticker plastered to its front.
Sure, brute force attacks can be expensive when an algorithm is implemented correctly. However, I can't let it pass when these facts are expressed in such a patronizing manner.
---
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
pmarc@cmg.fcnbd.com - (312) 732-7392
I heard a story one time. It evolved around a college student in France doing some cryptography work in school, working nights as a backup operator at some large computer center. He didn't need a Cray. A little knowledge and some creative programming, and a center full of computers (probably around the size of a Sparc 10). The story ended explaining how one of the encryption schemes that would take a Cray a week to break was broken in one night by a bunch of computers running backups. It might be hard to find a Cray, but I know a guy; he works at this place where they got them 15 Pentium Pros. The average network server has another server for some other task on the same wire.

------------------------------------------------------------
Chris Plunkett
System Technician
Breakwater Technologies Inc.
phone: (206) 803-5000 x112
Fax: (206) 803-5001
http://www.breakwater.net
mailto:chris@breakwater.net
------------------------------------------------------------