NSA Brute-Force Keysearch Machine

The Intercept published a story about a dedicated NSA brute-force keysearch machine being built with the help of New York University and IBM. It's based on a document that was accidentally shared on the Internet by NYU.

The article is frustratingly short on details:

The WindsorGreen documents are mostly inscrutable to anyone without a Ph.D. in a related field, but they make clear that the computer is the successor to WindsorBlue, a next generation of specialized IBM hardware that would excel at cracking encryption, whose known customers are the U.S. government and its partners.

Experts who reviewed the IBM documents said WindsorGreen possesses substantially greater computing power than WindsorBlue, making it particularly adept at compromising encryption and passwords. In an overview of WindsorGreen, the computer is described as a "redesign" centered around an improved version of its processor, known as an "application specific integrated circuit," or ASIC, a type of chip built to do one task, like mining bitcoin, extremely well, as opposed to being relatively good at accomplishing the wide range of tasks that, say, a typical MacBook would handle. One of the upgrades was to switch the processor to smaller transistors, allowing more circuitry to be crammed into the same area, a change quantified by measuring the reduction in nanometers (nm) between certain chip features.

Unfortunately, the Intercept decided not to publish most of the document, so all of those people with "a Ph.D. in a related field" can't read and understand WindsorGreen's capabilities. What sorts of key lengths can the machine brute force? Is it optimized for symmetric or asymmetric cryptanalysis? Random brute force or dictionary attacks? We have no idea.

Whatever the details, this is exactly the sort of thing the NSA should be spending their money on. Breaking the cryptography used by other nations is squarely in the NSA's mission.

Posted on May 16, 2017 at 6:40 AM • 52 Comments

Comments

Don't Notice Me • May 16, 2017 8:00 AM

I think that economics is what will protect me.
It hopefully is too economically difficult to attack everyone at scale.

Ph • May 16, 2017 8:04 AM

It just stands to reason that any technology that is growing in use is first implemented in specialty ASICs before they become mainstream and part of other instruction sets (CPU/GPU/ALU).

De/Encryption is just the latest resource eater that can be optimised.

I can still remember my excitement when I got my mpeg decoder card.
Or the VooDoo 3DFX cards.
Something a CPU/GPU could not do very well back then.

Sok Puppette • May 16, 2017 8:13 AM

NYU, on the other hand, has no business being involved, even to the extent of permitting any of the work to be done on its campus.

Classified research is incompatible with the purpose of a university.

trent • May 16, 2017 8:52 AM

> Breaking the cryptography used by other nations is squarely in the NSA's mission.

Of course. But is it still fair to assume that there aren't also domestic applications?

Cegfault McIrish • May 16, 2017 9:08 AM

Someone correct me if I'm wrong, but if I recall from my graduate days the encryption algorithms we have are built around the limitations of Turing machines in general.

What the NSA (well, NSA contractors) are doing here is simply making something *really* fast - but that's not helpful if *really* fast takes you from billions of years of time to crack down to millions or even hundreds of thousands.

In other words, this (a) will only be helpful for either extremely targeted attacks, or in building out a gigantic hash map of sha256 sums or something, and (b) isn't this what the NSA normally does?

The Omega Goly • May 16, 2017 9:22 AM

Count me among the skeptics. It may be that spending money in this fashion is squarely within NSA's mission but that is not to say that spending money in this fashion is WISE. As the above poster insinuates, if the difference between a slower machine and a faster machine is the difference between one billion years and one million years that is a huge leap computationally but is treading water practically. So the cost/benefit calculation is suspect.

Math is math. Unless the NSA has some fundamental breakthrough in math that no one knows about I personally don't think wasting the money on this type of project is wise. Not, to use the trope, when it can be done with a five dollar wrench.

CallMeLateForSupper • May 16, 2017 9:48 AM

I read the article the same day it was published. Initial enthusiasm quickly dissipated when it became clear that there was only sizzle, no beef. As Bruce put it, "We have no idea."

On the up-side, seeing the familiar, mundane "IBM Confidential" again for the first time in two decades was surprisingly nostalgic.

Cegfault McIrish • May 16, 2017 9:53 AM

@The Omega Goly : exactly. Also, if they could break the math or the algorithms, they wouldn't need ASICs to do it.

After looking more at the link ordinaryperson posted (https://www.documentcloud.org/documents/3718332-Pages-From-WindsorGreen-ASIC-Status-Report-12-07.html), it appears that all they're really doing is trying to merge CPU and GPU concepts.

GPUs are hundreds to thousands of cores, but moving memory around isn't easy. This seems to be a multi-core solution which has better access and ability to move memory around. So theoretically this will make code-breaking faster, but that seems like hype at this point. More than likely this will simply be for increasing computational power for things the NSA does which can run somewhat in parallel.

*One* such application would be making known-plaintext attacks much, much faster. And, I suppose, brute forcing encryption. But also other things - like examining and encrypting their own data.

Willem • May 16, 2017 10:07 AM

The article says that this is a brute-force password-guesser. As pointed out by others, the initiative seems to be to build a really fast machine. If it can break a passphrase of length 's' (with a certain entropy) in time 't', then why could not the target increase the passphrase length by one more random symbol, which would increase the mean time to guess the password to 128*t? In other words, faster is practically useless. Or am I missing something?

Patriot COMSEC • May 16, 2017 10:10 AM

This compromise is exactly the kind I spoke of as being likely--given that the NSA thinks of itself as a business--just as a computer network increases its attack surface by adding distant routers.

Bill C. • May 16, 2017 10:14 AM

"Whatever the details, this is exactly the sort of thing the NSA should be spending their money. Breaking the cryptography used by other nations is squarely in the NSA's mission."

However, can we really trust that cracking encryption other nations are using is all they'll use it for? I'm not sure I'll ever trust the NSA, and by extension, the US government, again.

Brad • May 16, 2017 10:27 AM

>build systems resistant to scalable state-grade targeted attacks for wide-market availability. But they can't unless we come out with a way they can do that and provide an offline ultra-safeguarded way to provide legitimate and constitutional lawful access.

Why not? I'd love to hear your tortured logic on this but it'd be a waste of space. Not only is it ridiculous on its face, EVEN IF you could do such a thing why would anyone opt in? No one is going to willingly use encryption with back doors. Not going to happen. So what are you going to do? Make it the law? You're working on an impossible task that even if you achieved no one would use. What a joke.

Scott • May 16, 2017 10:35 AM

@Willem It's still useful for offline attacks, where an item protected by the password is seized or copied, and whatever password used can't be changed. It's also useful to get an idea of what others can do to your systems, again assuming they can also work on a copy of your 'stuff'.

phred14 • May 16, 2017 10:53 AM

As a former IBM employee, I share the amusement of CallMeLateForSupper.

But I also have to say that in those days, I worked on the IBM ASIC eDram program, on both of the technologies listed in the presentation, as well as a few others. Without a doubt, the eDram for both of these designs must have passed through my hands, at some point. It's good to identify use of your handiwork in the real world. It's amusing to see where, in this case.

Jim A • May 16, 2017 12:09 PM

The perfect currency has a marginal cost of pennies or less, but requires incredibly expensive machinery to create. So that only large organizations (like governments) can create, but the cost for each bill is very low. It occurs to me that as far as governments are concerned, cryptography is the same. They want cryptography to be easy and reasonably effective (much of the economy depends on it) but susceptible to cracking with incredibly expensive, custom hardware that only the government can afford.

Tony H. • May 16, 2017 12:28 PM

CallMeLateForSupper • May 16, 2017 9:48 AM

> On the up-side, seeing the familiar, mundane "IBM Confidential" again for the
> first time in two decades was surprisingly nostalgic.

That struck me too. IBM Confidential is the second lowest of IBM's internal levels of document secrecy. I've never worked for IBM, but I've seen (legitimately) a ton of IBM Confidential material. Even the marketing name for IBM's next mainframe is more secret than mere IBM Confidential. It seems highly improbable that anything Really Important, and certainly anything that is US Government classified at any level, would carry only this low level label.

Tatütata • May 16, 2017 1:17 PM

I saw that article last week, and wanted to serve it as a side-dish to Friday's serving of squid. But the order never came.

I indeed found the lack of specifics rather odd on the part of The Intercept, especially if the info was out in the open, and might have been crawled repeatedly.

An idea crossed my mind: I imagine a rogue NSA programmer configuring the beast to mine Bitcoins, while pretending to crack passwords...

Wael • May 16, 2017 2:10 PM

@Tatütata,

An idea crossed my mind: I imagine a rogue NSA programmer configuring the beast to mine Bitcoins, while pretending to crack passwords...

+1 lol

But why 'rogue'? :) If it crossed your mind, then maybe it crossed someone else's mind!

ab praeceptis • May 16, 2017 2:12 PM

Well we don't know *nothing*. We know about the nsa utah data center and we know about nsa longing for a quantum computer.

I was wondering for quite a while how nsa would actually make use of all the data stored in utah. windsor blue and green might quite well be answers to that. The timing would match, too.

I fully agree with Bruce, who worded it much more elegantly: That story is typical brainless, lots of names, asking each of those experts, adding some (very) little actual info blabla "scientific" soup. Impressive packaging but little more than water.

From what I see nsa's major pita is *massive* but not too high level encryption. They're collecting petabytes and they need *quick and easy* results re. all that Joe and Jane communications.

Why?

a) Their bet re. good PK hacking is quantum computers. Classical cores, no matter how optimized, wouldn't cut it anyway.
b) They already have petabytes of eavesdropped communication, much of which is in the range of rsa 512 - 1024.
c) they (also) need *massive* capacity (as opposed to high caliber targets) to avoid drowning in worthless Petabytes, to allow for compression, etc. etc.

As for the chip, I'm not at all worried. Classical problem: little per core memory. Which translates to "we *can* defend ourselves". Just think KDFs which allow us to quite arbitrarily drive up memory costs. The price for us, the individual user is low, say a delay of 0.25 sec; the price for nsa and their asic monster, however, is immense.

Winter • May 16, 2017 2:34 PM

Many people use passphrases that consist of "readable" words with additions. It all depends on how much these passphrases are worth.

I understood that dedicated hardware (128k cores?) could bruteforce a 92 bit strong passphrase in less than a year. And that was around 2010.

So, are there targets for such a brute force machine?

asdf • May 16, 2017 2:46 PM

>Whatever the details, this is exactly the sort of thing the NSA should be spending their money. Breaking the cryptography used by other nations is squarely in the NSA's mission.

So isn't that good reason for The Intercept to not publish the full documents right now?

Winter • May 16, 2017 3:02 PM

@asdf
"So isn't that good reason for The Intercept to not publish the full documents right now?"

The Free Press should publish what interests the readers. It is not their task to hide stuff from the public.

So, unless there is a direct risk to life and limb of people, they should publish.

Mr Impossible Guess • May 16, 2017 4:05 PM

So what you're saying is I need a 200+ digit passphrase... and to roll my own compiler...

If they're looking at you, they already know you pretty well. If you're worth siccing a trillion dollar establishment upon, you can bet they've got a $5 wrench with your name on it before that point.

So really there's nothing to fear from a massive cracking supercomputer. Fear $5 wrenches and people who say "I have nothing to hide and therefore no one should."

Patriot COMSEC • May 16, 2017 5:44 PM

The point about the story is not that the NSA breaks codes, but that they cannot keep their methods secret. Doubts about their professionalism continue to gnaw away at them.

So why can they not search for exposed documents on the websites of parties with whom they work? Apathy? Schmendrick-itis?

They know with whom they are working, right?

Z.Lozinski • May 17, 2017 4:44 AM

@Tony H. and @CallMeLateForSupper

> That struck me too. IBM Confidential is the second lowest of IBM's internal levels of document secrecy.

No. That security hierarchy is about 22 years out of date. It was rationalised by Lou Gerstner (then new CEO/Chairman) and Jerome York (new CFO) in 1995. Jerome simplified the security hierarchy from unclassified, IBM Internal Use Only, IBM Confidential, IBM Confidential-Restricted and Registered IBM Confidential to unclassified and IBM Confidential.

Associated Press article, from 04 April 1995:

http://www.apnewsarchive.com/1995/IBM-Staffers-Will-No-Longer-Send-Top-Top-Top-Top-Secret-Memos/id-27ddcc3c1a4b48b8bcd02165732ea238

> Even the marketing name for IBM's next mainframe is more secret than mere IBM Confidential.

You may be mis-remembering Adirondack. This was the IBM mainframe family whose design workbooks were the subject of a major corporate espionage program, exposed by the FBI in 1982. The public aspects of the affair are documented in the US Congressional Record (House of Representatives, July 12 1989, page H3666).

The 15+ volumes of Adirondack workbooks with the complete architecture, design and implementation of a new mainframe were highly classified.

It's an interesting window back on a time when corporate information was supposed to be protected in a very similar way to national security information.

Clive Robinson • May 17, 2017 4:47 AM

The thing about the NSA people keep missing is they do not work on targeted attacks but mass attacks. They work in an industrialized way.

It's one of the reasons they "record everything" even when it appears to be hopeless to do so. Project VENONA [1] is the classic example: the Russians were using OTP systems which we know are unbreakable provided certain rules are followed. The NSA knew, as did GCHQ, that OTPs whilst simple were at the time very very expensive in resources to produce. Thus the Russians did something "human", they "erred" and reused some of the OTPs. The result was that intel was gained that had implications twenty or thirty years down the line after the original messages were sent.

Many people here spend too much time thinking no further back than "last year's technology"; thus whilst those at the leading edge today might be using 8192bit RSA, what were they using five to ten years ago? What about the rest of us that even bothered encrypting?

The NSA still has all those recordings to go through and break. And I suspect that much of the information they get will still have value today.

We tend to be ephemeral creatures living almost in the moment; we don't expect our past to come back and haunt us now or in the future. That's not the way the IC think.

Thus we generally only think short term at best, they think long term.

Thus I suspect that machine will have a bigger pile waiting in its "in tray" than it will ever be able to get through. Thus several machines will be needed.

[1] https://en.m.wikipedia.org/wiki/Venona_project

Tatütata • May 17, 2017 7:34 AM

Wael, bedankt for the chuckle!

I mulled over this last night.

As I understand them, these password crackers fundamentally work by feeding a set of plausible inputs to a given function until its output matches a crib. The running time for a given problem can be anywhere from 0 to eternity, so you wouldn't see outright whether some or all processors are diverted to do something else, unless you include some kind of auditing function and error diagnostics in the system.

But you could combine fun and pleasure. If the test function is SHA256, then a condition could be included to see whether the current output satisfies the Bitcoin threshold. When the oracle yells "bingo", the combination would be added to Uncle Sam's wallet, and you would otherwise keep on cracking. The output of the trials would be uniformly distributed anyway, so there wouldn't be much difference to a "regular" mining operation.

I think you could detect whether this actually happens by looking at the Bitcoin difficulty chart, which IMO should show a temporary steepening followed by a new asymptote every time a large operator fires up a new machine, or simply look at the amount of new registrations.

Tatütata • May 17, 2017 7:40 AM

It might also be practical for Uncle Sam to mine for Bitcoins to finance unspeakable stuff of the "Iran-Contra" sort: no need to launder absolutely mint currency. No paper trail involved, no Olly North testifying with misty eyes and declaring "I did it for my country, Sir"... (We named a cat after him for her absolutely guiltless look whenever she soiled the carpet).

But nowadays, with every passing hour, there is less and less that could surprise the public anymore...

Bruce Schneier • May 17, 2017 8:23 AM

"I think that economics is what will protect me. It hopefully is to economically difficult to attack everyone at scale."

Yes, in the end that is what cryptography buys you against these sorts of state actors.

Bruce Schneier • May 17, 2017 8:25 AM

"'Breaking the cryptography used by other nations is squarely in the NSA's mission.' Of course. But is it still fair to assume that there aren't also domestic applications?"

Of course. Like every offensive government capability, law and policy is the only way to constrain the target.

Bruce Schneier • May 17, 2017 8:27 AM

"In other words, this (a) will only be helpful for either extremely targeted attacks, or in building out a gigantic hash map of sha256 sums or something, and (b) isn't this what the NSA normally does?"

Most cryptographic attacks have time/memory trade-offs, and it is reasonable to assume that the NSA performs massive general precomputations in order to make individual targeted cryptanalysis faster.

The documents do not speak to the details of this, though.

Bruce Schneier • May 17, 2017 8:30 AM

"So isn't that good reason for The Intercept to not publish the full documents right now?"

Yes, and I was very surprised that The Intercept didn't publish more of the raw document. I hope that whoever provided it to them will post it somewhere else.

Nick P • May 17, 2017 10:31 AM

@ Bruce

It's actually natural to expect this. A number of us predicted it here. The reason is that there's a lot of weak crypto out there, esp due to bad implementations, that's within NSA's reach given substantial computing power. This is a combo of things that are easy to break but coming in a torrent of information that is best to stream over hundreds of thousands of cores. This also includes hard-to-break things they'll do selectively throwing many cores at one job. The hardware would have to be an ASIC since that's the best way to get high-performance on specific tasks, low unit price, low energy use, and massively-parallel. They could justify it since all their projects involve millions of dollars. Only thing weird to me was they did 32nm instead of lower node. Then, I recall IBM did lots of their designs on 32nm... maybe even their own fab. So, they're just triple dipping on profit: main system; ASIC design/licensing; fab run.

I disagree with you that this is what they should spend their money on. I think this specific system was a great investment given what I've already said. It should be at least *one* thing they're doing. However, subversion and code injection at lowest layers followed by rootkits are best for their SIGINT goal. The latter should be hard but it's not: just takes throwing labor at commercial and FOSS code that dominates without hardly any QA. So, the other programs throw tons of money at acquiring 0-days and building infrastructure for SIGINT activities. On subversion end, the FBI can just do secret orders here where the supplier builds the backdoor themselves. They also pay the market leaders domestically and overseas to do it. They can also bribe disgruntled employees in key positions who are a natural result of capitalist, dominating companies. Finally, they have infiltrators to deal with foreign firms that resist.

I'd say they're managing the situation quite well. Point of fact: they're winning across the board except for high-assurance security that almost everyone ignores. Including them. Which is why they lost on the leak mitigation thing they didn't care much about until it was too late. Their main mitigation is marketing to the insiders that control the budget. They saw those nice charts and numbers in the Snowden leaks before we did. That's why their budget keeps increasing. That means the prior activities I mentioned, a system for controlling systems world-wide, will be a vicious circle that keeps reinforcing its capabilities in a feedback loop of labor, money, and polishing what they have.

Cegfault McIrish • May 17, 2017 11:36 AM

@Nick P. >> It should be at least *one* thing they're doing.
Who is to say they won't use this for more than one thing? Getting a contractor to build them an ASIC for a singular purpose, while making specs to ensure it can be used for multiple purposes, seems very much like the thing the NSA would do. And that would be wise as well - don't let the left hand know what the right hand is doing.

Ross Snider • May 17, 2017 12:24 PM

@Bruce Schneier

It's true that this is the sort of thing you'd expect a signal intelligence agency to do (rather than, say, global mass surveillance).

It's NOT true that you would expect secret laboratories at Universities (NYU, etc) to be aiding in this endeavor. It's actually something that I've come to expect - it has become very obvious that research grants funded via the NSF and other venues are used to bolster military and intelligence objectives with the research of our top university specialists.

This is how I read the Intercept story. Or rather I read it being about both how our universities have become military and intelligence assets and how in this case the operational security of the university lab (civilian organization) betrayed the kinds of practices normally enforced by military organizations.

Bear • May 17, 2017 1:13 PM

I think the target here is people who use poor passwords and implementations of crypto that derive keys directly from passwords or from passwords plus few unpredictable bits or small salts.

While the latter are growing rarer, they are still pretty common - engineers have heard by now that implementing your own crypto algorithms is bad, so they use off-the-shelf algorithms and implementations for the encryption. But then they fail to find "the basic obvious function they need" that converts passwords directly into keys, write it themselves, and don't realize they've introduced a major vulnerability. "Yeah, we didn't implement our own crypto. We just wrote an app that uses off-the-shelf crypto with standard, vetted implementations." The most convincing lie comes from someone who doesn't even know he's lying, and a lot of engineers still haven't heard that key management is where most crypto software fails in the real world.

Anyway, even in the modern world, most passwords that pass basic password checking are just old-fashioned bad passwords with a few characters tacked on the end to meet the requirements for "a capital, a number, and a punctuation character". Give somebody a computer 10K times faster (typical difference between ASIC and CPU for the same job) and 100K times bigger (basic asymmetry for hardware funding between major government and small band of insurgents) and they've got a 1G times advantage or so. With a 1G times advantage or so, and a knowledge that the "entropy" is typically focused in either the last few characters (usually) or the first few characters (frequently) you can build "rainbow tables" whose entries are Bloom filters and cover spaces 1G times as big. If you fill a modern RAID array with entries from that table you amplify the advantage again with the difference in storage space. For a lot of elderly snaggletoothed software using

So, yeah, short version of the story is, this machine is probably not useless for them, given the current state of crypto software and people picking their own passwords. They're facing encryption algorithms they probably can't break, almost everywhere. But key derivation functions and access passwords are an entirely more tractable problem.

I agree with Bruce though that *breaking* bad crypto software is exactly what they're supposed to be doing - especially when it's deployed by enemies of the US, given their mission. It is when they get into the business of *crippling* crypto software or deliberately creating *broken* crypto software that they are committing sabotage against the public.

Bear • May 17, 2017 1:19 PM

Sorry, I used a "less than" character in my third paragraph above and it got chopped instead of transliterated into anything that would be visible in HTML.

Anyway, systems that use salts of less than 32 bits can still be found in the wild, and 4B of salt is easily within the range of rainbow tables when the table entries can cover 1G times as many keys.

ab praeceptis • May 17, 2017 1:27 PM

Nick P

there's a lot of weak crypto out there, esp due to bad implementations, that's within NSA's reach given substantial computing power. This is a combo of things that are easy to break but coming in a torrent of information that is best to stream over hundreds of thousands of cores.

Yes. Funny in a way how most people see the nsa. Maybe it would be helpful for many if we wrapped that point up in a nice and obvious way. Something like "A company with 100 PCs compared to a private Janes or Joes home PC is what nsa is to a 100 PC company".

Plus: A sigint agency's task is not to blindly grab whatever they can get ahold of. It is to extract the *relevant* information and make sense of what they grab. As the filtering and making sense part of it can't be easily done in 1 mio locations but only in a few rather big data processing facilities, nsa can't but grab immense and vast amounts of data - which in itself brings a lot of problems. A funny example might be backup. So, how do you backup PB or EB of data?

In other words: nsa in a way can indeed be seen as a mining operation and here like there the first step is to filter out all the worthless mud. Obviously processing capacity is of essence, hence specialized hardware.

The next operational layer is to process the outcome of the first filtering stage. Concerning this we tend to think too much in terms of high quality crypto when, in fact, there are vast amounts of data out there that are lousily encrypted. Just think of all the mobile communication which is rather weakly encrypted or, as you and others said, of all the older data collected which are still sym encrypted after RSA 1k or worse.

Only thing weird to me was they did 32nm instead of lower node.

Doesn't worry me at all; makes in fact lots of sense. For a start that program didn't start today; at the time it started 32 nm was still quite high end (and anyway an *immense* improvement over the 90 nm they had before). Moreover, ASICs are quite commonly produced in a step or two size behind the current optimum. Even today 14 nm and even 22 nm fabs are limited to a couple of top product lines. Plus ASICs are technically quite different from mass produced "crown jewel" chips.

And then the price. Just look at Risc-V or similar. Even 45 nm are considered top, 65 nm about standard and plenty of stuff still done in 90 to even 180 nm.
Sure, the nsa being the nsa and having very deep pockets could make a fab dance but at a very, very high price. After all, asking for a couple of wafers to be done isn't exactly exciting for a fab.
Finally we must keep in mind that that windsor stuff is designed to be run massively parallel. Having 32 nm ASICs running massively parallel is pretty much top of the top.

Nick P • May 17, 2017 10:22 PM

@ Cegfault McIrish

It's true you want more ROI out of your chips where possible. However, that's usually for general-purpose or wide-usage, special-purpose chips. Then there's narrowly-focused, special-usage chips. The Bitcoin mining comes to mind. In this case, they have either crypto engines or CPUs optimized for just common instructions in crypto. They're also likely to be optimized for massively-parallel MIMD on those specialized instructions. The more they specialize it, the more codes they break in a world where almost all their targets are using a small number of primitives and libraries that mostly reuse techniques internally.

Long story short: it probably isn't that general purpose. Just a codebreaking machine. They're fine with sinking money into one, though, since it's their favorite activity after backdoors. :)

@ ab praeceptis

Yeah, they've publicly described their basic method of filtering, middle-end processing, and dressing up for recipients. They did that pre-9/11 by the likes of Bamford. They were trying to make their image better after Enemy of the State. It worked for a while haha. The point about it being an older project leading to 32nm makes sense, too. There were a few older ones that did that. Most did 45nm or went straight to 28nm, though. So, it's an outlier a bit where I lean toward IBM increasing ROI if it wasn't about cost or maturity of the advanced process.

Hivemind • May 18, 2017 9:37 AM

"BTW,it's OUR(taxpayers)money not theirs!"

You don't get how this works. You own NOTHING. EVERYTHING you think you own is actually owned by banks under the auspices of our governance. Tell me one thing you think you own and I'll dispel your fantasy. Even your own body isn't fully under your legal control in this country. Know this.

If you don't want your taxes being spent on NSA world-sucking, you have two choices:
Move, or die. Even in death you'll be paying taxes until forgotten/broke.

You WILL be assimilated.

Jiv5 • May 18, 2017 2:31 PM

Why not just come in the backdoor, like the FBI or any hacker would, and set a thread to monitor processes for the presence of publicly available encryption strings. Then capture the key code and send it home. It is easy to monitor processes and dump their memory to a file. David hacked Goliath with a simple sling and stone. He then used the giant's sword to dispatch him. The battle over Rule 41 has revealed to everyone the capabilities of the hackers to intrude on our systems; common programming knowledge lets us know what they can easily do once inside. Encryption needs to be performed outside the confines of the OS, unattached from any kind of internet link. Not even a memory stick for transfer can be used. Otherwise you are just giving them your key code to open your encrypted files. Tell me why I am mistaken.

bnm • May 18, 2017 4:28 PM

Ed Snowden famously told Laura Poitras in 2013 to "assume your adversary is capable of one trillion guesses per second" when protecting her PGP key with a passphrase. This was the fastest known statistic in the world at the time. Could he have been referring to WindsorBlue/Green or some other system?

The Intercept article says WindsorGreen "wouldn’t have been ready for use until 2014 at the earliest," a year after Snowden's leak. This suggests it wasn't WindsorGreen he was talking about, but possibly WindsorBlue. Unless the NSA has additional secret password-cracking supercomputers that surpass the performance of the Windsor ones, we're probably safe in assuming that Snowden was referring to WindsorBlue.

The article also quotes an overview that states "we expect to achieve at least twice the performance of the WindsorBlue ASIC" in the WindsorGreen. So if WindsorBlue could do 1 trillion guesses per second, this means WindsorGreen could achieve at least 2 trillion. And by now, WindsorGreen is probably fully operational.

ORW • May 18, 2017 7:02 PM

"Whatever the details, this is exactly the sort of thing the NSA should be spending their money. Breaking the cryptography used by other nations is squarely in the NSA's mission."

Bruce, I would be much less worried if I knew this particular machine, and above all the whole spying per se, would only serve to spy on some aggressive governments or terrorists, and not normal and mostly innocent citizens.

Yes, I'm a foreigner, and one who is not even living in the USA. Foreigners typically have very little if any protection from intrusive governments. (This may be true in respect to virtually all governments; yet the USA is much more powerful than most other countries. For example, I do not think that the Danish government is spying half as much on Americans as the American government is spying on the Danish.)

But even if I were an American, I would not feel safe at all, and I do not think there is actually a great difference - and in fact, Americans might be even worse off in the end. As former high-ranking CIA analyst Ray McGovern puts it:

"Bottom line? Beware, those of you who think you have 'nothing to hide' when the NSA scoops up your personal information. You may think that the targets of these searches are just potential 'terrorists.' But the FBI, Internal Revenue Service, Drug Enforcement Administration and countless other law enforcement bodies are dipping their cursors into the huge pool of mass surveillance...After all, it’s altogether likely for a great majority of us that some dirt can be retrieved with the NSA’s voluminous files an inviting starting point. AT&T, for example, apparently has kept metadata about its customers, as well as all other traffic going through its switches, for the past 27 years...Even in recent decades, critics of government policies have ended up facing dredged-up, if not trumped-up, criminal charges over some past indiscretion or misdeed...Among the revelations over the past year was DEA’s definition of 'parallel construction' as 'the use of normal [read legal] investigative techniques to re-create the information received by DEA’s Special Ops Division' from NSA or other sources that can’t be acknowledged...So, in this way, the NSA’s warrantless surveillance can result in illegal law enforcement. And the FBI, the DEA and other organs of the deep state have become quite good at it, thank you very much."

And someone who must really know is quoted by McGovern, saying:

"It is the height of naivete to think that, once collected, this information won’t be used. This is the nature of secret government organizations. The only way to protect the people’s privacy is not to allow the government to collect their information in the first place."

https://consortiumnews.com/2017/05/18/how-nsa-can-secretly-aid-criminal-cases-2/

Elliot • May 19, 2017 11:00 PM

Delete your blog...

"Breaking the cryptography used by other nations..."

Elliot • May 19, 2017 11:05 PM

It's the only conventional way... And it has never worked and will never work. We're gonna have to get crazy like Seal...

"Of course. Like every offensive government capability, law and policy is the only way to constrain the target."

TJ • May 21, 2017 7:36 AM

Thankfully everyone uses AES, Blowfish, Twofish, and ECC which are supposedly immune to the acres of such machines the NSA and CIA have had since the 70s..

thisisthenamefield • May 23, 2017 6:09 AM

@ Bear

"Anyway, even in the modern world, most passwords that pass basic password checking..."

State of the art password guessing techniques with adequate hardware can guess most human-produced passwords (given a fast hash). Current, commercially available systems do 500 GH/s on NTLM (8 high-end graphics cards). Rainbow tables are obsolete.

I am only an enthusiast with a single mid-range graphics card, but even I managed to crack all but 2M of the Linkedin SHA1 dump (50+ million unique, ~177 million total passwords). That includes a lot of 20+ char passphrases in various languages.
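An added illustration of the attack shape described in the comment above (a wordlist with mangling rules run against an unsalted, fast hash), not code from the thread or from any commenter. The hashes and the wordlist below are constructed for the example, not LinkedIn data, and the rule set is a small hand-written subset of the kind of rules a tool like hashcat applies. The point it shows is why thisisthenamefield's single mid-range card goes so far: with no salt, each candidate is hashed once and checked against every target with one set lookup, so cost scales with guesses, not guesses times users.

```python
"""Wordlist-plus-rules attack against an unsalted SHA-1 dump.

Added example, not code from the thread or any commenter. The hashes and the
wordlist are constructed here (no real LinkedIn data), and the rule set is a
small hand-written subset of the kind of mangling rules hashcat applies.
"""
import hashlib
import itertools

# Constructed "dump": what a leaked table of unsalted SHA-1 hashes looks like.
SAMPLE_PLAINTEXTS = ["password", "Summer2013!", "linkedin1",
                     "Welcome123", "correcthorsebatterystaple"]
DUMP = {hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PLAINTEXTS}

# Constructed wordlist; real attacks use lists with tens of millions of entries.
WORDLIST = ["password", "summer", "linkedin", "welcome",
            "correct", "horse", "battery", "staple", "monkey"]


def rules(word):
    """Yield mangled variants of a base word: case changes, common suffixes, leet."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "2013", "2013!", "!"):
        yield word + suffix
        yield word.capitalize() + suffix
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0")
    if leet != word:
        yield leet


def combinator(words, max_words=4):
    """Yield concatenations of 2..max_words wordlist entries (passphrase-style)."""
    for n in range(2, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            yield "".join(combo)


def crack(dump, wordlist, max_words=4):
    """Return (found, guesses): found maps hash -> plaintext for every dump
    entry recovered; guesses counts candidates hashed.  A per-user salt would
    force one hash computation per candidate per user instead of one per
    candidate for the whole dump."""
    remaining = set(dump)
    found = {}
    guesses = 0

    def candidates():
        for word in wordlist:
            yield from rules(word)
        yield from combinator(wordlist, max_words)

    for cand in candidates():
        if not remaining:
            break
        guesses += 1
        h = hashlib.sha1(cand.encode()).hexdigest()
        if h in remaining:          # one lookup checks this guess against all users
            found[h] = cand
            remaining.discard(h)
    return found, guesses


if __name__ == "__main__":
    found, guesses = crack(DUMP, WORDLIST)
    print(f"recovered {len(found)}/{len(DUMP)} in {guesses} guesses")
    for h, pw in found.items():
        print(h, pw)
```

The same structure is what makes salting matter: with a 16-byte random salt per user, the set lookup is gone and every candidate has to be hashed once per user, so the work multiplies by the size of the dump before any slow hash (bcrypt, scrypt, Argon2) adds its own factor on top.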

ab praeceptis • May 23, 2017 6:42 AM

thisisthenamefield

Your game is very limited, mostly by passphrase length, complexity, and symbol set.
If most users use a passphrase of less than or equal to 10 Bytes and usual elements (names, words, birth dates, etc), you can have a test set of 100 bln elements to feed to your algorithm and to check its results against the pw db (which is well feasible).

Assuming only letters and digits are used and pw length is 6 you have to have about 1.2 bln permutations which can be significantly trimmed down if the pass phrases to test against are not random but "human". It seems realistic to me that you can work with a database to crack a quite large part of 8 to 10 char pass phrases on current hard disks.

If, however, users use even just 15 char pass phrases, include chars outside letters and digits, and don't use normal language elements (in other words, if they don't use "SuperSecure051482" but ";_pT>3v>?-n RpR") then one gets into ranges of 10 to the 28 and higher, which is more than a billion TB and certainly lies beyond the capabilities of most nation states.

Which btw is just another reason to advise people to use complex pass phrases of no less than 15 characters. Simple reason: Many sites for various reasons still use very yesterdecade hashes (like md5) for their user databases. Which is computationally a ridiculous task to crack but can be thwarted by complex, non-"human", long pass phrases.

This is also worth thinking about because there are 2 sides involved, one of which (the site) the user can't control and which is often quite lousy.

Clive Robinson • May 23, 2017 9:03 AM

@ thisisthenamefield,

State of the art password guessing techniques...

When I first heard about this machine, the thought did cross my mind that it might be designed to work on "human failings" via the likes of certain statistical methods.

The simple fact is "human rememberable" password/phrases are really quite weak. Even the XKCD "horse battery..." method is often weaker in use than it should be due to the human failings of "what looks random" and "what is memorable". Put simply they reduce the search space drastically by removing duplicate words and rearranging the word order to make it more memorable.

The last time I sat down to work out the statistics from known password lists the initial letter of a password/phrase had less than 4 bits of entropy which rapidly dropped to less than 1.5 bits by the seventh character, and dropping to a little over 1 bit after ten characters.

The simple fact is computers are now faster and more adept at password cracking than humans can think up memorable ways to remember strings of information that to humans look random...
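An added illustration of the two ways of sizing the search space used in the comments above (ab praeceptis's uniform charset-and-length model, and Clive Robinson's per-position entropy measured from real password lists), converted to time at the 1e12 guesses/second figure bnm quotes. This is not code from the thread or from any commenter; the password list is constructed here and is far too small for a real measurement (with N samples no position can show more than log2(N) bits), so it demonstrates the method and the shape of the result, not Clive's numbers.

```python
"""Measured per-position entropy of a password list versus the brute-force model.

Added example, not code from the thread or any commenter. The password list
is constructed and tiny; a real measurement uses a large leaked list.
"""
import math
from collections import Counter

# Constructed sample list (made up, shaped like typical leaked passwords).
SAMPLE = [
    "password1", "Password1", "john1985", "jennifer", "michael12", "sunshine!",
    "Summer2013", "welcome1", "letmein", "iloveyou", "Monkey123", "dragon99",
    "qwerty123", "football", "Princess1", "charlie", "abc123!!", "baseball",
    "Superman1", "master2014", "Jessica12", "shadow", "Hannah2001", "trustno1",
]


def positional_entropy(passwords):
    """Shannon entropy in bits of the character at each position, across the
    list.  Position i counts only passwords with more than i characters, so
    later positions are estimated from fewer samples."""
    longest = max(len(p) for p in passwords)
    bits = []
    for i in range(longest):
        counts = Counter(p[i] for p in passwords if len(p) > i)
        total = sum(counts.values())
        h = -sum(c / total * math.log2(c / total) for c in counts.values())
        bits.append(h)
    return bits


def brute_force_bits(charset_size, length):
    """Bits of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits, guesses_per_second=1e12):
    """Time to try the whole space of 2**bits guesses at the given rate."""
    return 2.0 ** bits / guesses_per_second


def compare(passwords, length, charset_size=95, guesses_per_second=1e12):
    """Return (measured_bits, model_bits, measured_seconds, model_seconds) for
    passwords of `length` characters: the sum of measured positional entropies
    (truncated at the list's longest entry) against a uniformly random string
    over `charset_size` symbols (95 = printable ASCII)."""
    pos = positional_entropy(passwords)
    measured = sum(pos[:length])
    model = brute_force_bits(charset_size, length)
    return (measured, model,
            seconds_to_exhaust(measured, guesses_per_second),
            seconds_to_exhaust(model, guesses_per_second))


if __name__ == "__main__":
    for i, h in enumerate(positional_entropy(SAMPLE), 1):
        print(f"position {i:2d}: {h:.2f} bits")
    for length in (8, 10):
        m, b, ms, bs = compare(SAMPLE, length)
        print(f"length {length}: measured {m:.1f} bits ({ms:.3g} s) vs "
              f"random printable-ASCII {b:.1f} bits ({bs:.3g} s) at 1e12/s")
```

The gap between the two numbers is the whole argument of the last three comments: the uniform model is what a policy promises, the positional sum is roughly what a human-chosen password delivers, and a guessing engine only has to pay for the second. Run it over a real leaked list and the per-position figures fall off steeply after the first few characters, which is the pattern Clive describes.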


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.