
NYU Accidentally Exposed Military Code-Breaking Computer - jbegley
https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/
======
schoen
The greatest brute-force attack successes that we know of are generally
reversing password hashes, because the input spaces and/or effective input
spaces under some model of a password's structure are so small. People have
achieved very effective results with that, often using special hardware.

The most common attack model for this is "get ahold of a hashed password list,
try to reverse as many as possible, then try to see if any has re-used those
passwords on other systems". Spy agencies might be doing that too. By
contrast, as Bunnie says, modern algorithms have a very large safety margin so
brute-force against a random key is very implausible without some significant
new algorithmic insight.

So one question is, are there significant security-sensitive deployments that
are still out there of obsolete stuff with too short a keylength? 1024-bit
RSA, 1024-bit DH, DES, export ciphers?

If, on the other hand, it's really mostly about password hashes, where brute
force has been known to be so effective, are there any _other_ attack contexts
where the ability to reverse a password hash would be useful?

~~~
tptacek
This is off the top of my head and I'd welcome correction:

Large scale password cracking has a much clearer payoff than attacks on 1024
bit DH, which have to be targeted to individual (probably TLS) connections.
The RSA that most of the Internet depends on is brokered by CAs --- so,
problem 1, the USG already owns CAs and doesn't need supercomputers to get
valid certificates, problem 2, the most valuable "authentic" CA signatures are
2048 bit and far outside the capabilities of an IBM supercomputer, and problem
3, even after breaking that certificate you still have to target individual
TLS connections to use it.

On the other hand, you don't need the world's most powerful supercomputer to
effectively crack passwords.

It's not unlikely that the simplest explanation here is just "the NSA will do
whatever thing secures it the largest budget". That doesn't mean they won't
use those budget-enhancing projects in ways that will shock our conscience!

~~~
schoen
I suppose I'm also wondering if there's an authentication protocol where the
challenger actually tells the prover what hash it has to match. Does a
challenger ever effectively say "Please tell me the secret whose SHA256 is
equal to fcdf324499312efa027b5033513b0c0968f74ae7ba81a271ae62b3dda2cd4143 in
order to proceed"?

Maybe protocols where the attacker has access to a signature over some data,
but doesn't get access to the signed data in plaintext? Then the attacker
could try to brute-force values of the signed data using the hash that forms
the basis of the signature?

~~~
dsl
Think about any software updates you do (Windows Update, apt, yum, etc). All
these systems rely on distributing a cryptographically signed manifest of
what each file's hash should be.

If you can forge the hash of a file, or the signature on that manifest, there
are hundreds of different ways you can easily replace one file for another in
transit over the internet.

~~~
tptacek
We're also not a supercomputer advance away from breaking SHA2. There are
hash-designing cryptographers who believe we may never break SHA2 with
conventional computers.

------
tptacek
This is malpractice:

 _Widespread modern encryption methods like RSA, named for the initials of the
cryptographers who developed it, rely on the use of hugely complex numbers
derived from prime numbers. Speaking very roughly, so long as those original
prime numbers remain secret, the integrity of the encoded data will remain
safe. But were someone able to factor the hugely complex number — a process
identical to the sort of math exercise children are taught to do on a
chalkboard, but on a massive scale — they would be able to decode the data on
their own. Luckily for those using encryption, the numbers in question are so
long that they can only be factored down to their prime numbers with an
extremely large amount of computing power. Unluckily for those using
encryption, government agencies in the U.S., Norway, and around the globe are
keenly interested in computers designed to excel at exactly this purpose._

The point of modern RSA is that we use a modulus that _can't be factored by
any conceivable computer_, with limits derived from _the physics of
computation_ and projected far out into the future. We aren't a supercomputer
advance away from factoring 2048 bit moduli. The government's "keen interest"
in that problem is irrelevant.

We've known for coming up on 2 decades, at least (from Eran Tromer in
2001-2003) that 1024 bit moduli aren't safe. There's been speculation for
years that the NSA is standing up giant compute clusters in Utah to target
1024 bit discrete logs (it's speculation because it's hard to see how those
attacks make economic sense, even with advances in batch attacks). If we want
to suppose that IBM and NSA are mounting a supercomputing attack on weak
crypto, fine. The presumption that these attacks will get more viable is why,
for instance, the WebPKI is urgently scrubbing itself of 1024 bit keys and has
been for years.

But that's not what this article says. Instead, it puts forward a narrative
that the USG is collaborating with IBM to build supercomputers that would
break all of RSA. Not only is that not what's happening, but if it was, IBM
and the USG would be doing us a great service, because _we can't rely on
cryptography that is a supercomputing advance away from being broken._

Needless to say, they're not really doing us a service, and they're not really
about to break RSA, and breaking RSA isn't a really big IBM purchase order
away from happening.

~~~
mapgrep
Sorry to see you conclude the piece, or that portion, is malpractice :-\

The paragraph you quote was intended to give an overview of one type of work a
machine like WindsorGreen might do, in broad terms. While it's true we mention
RSA as a very basic example of the sort of thing a government would be
/interested/ in breaking, we also specifically quote a security researcher
saying WindsorGreen “might also have applications for things like … breaking
older/weaker (1024 bit) RSA keys” and then quote another (bunnie) saying
“Even if [WindsorGreen] gave a 100x advantage in cracking strength, it’s a
pittance compared to the additional strength conferred by going from say,
1024-bit RSA to 4096-bit RSA or going from SHA-1 to SHA-256.”

It's really not clear to me how the piece "puts forward a narrative that the
USG is collaborating with IBM to build supercomputers that would break all of
RSA" -- indeed, it specifically says this would be of use primarily against
1024-bit RSA.

That said, I'm definitely curious how you think the piece could have framed
this more obviously for the lay reader.

(If it's not clear, I work at The Intercept.)
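A back-of-the-envelope check of the "pittance" point in the bunnie quote above and of tptacek's 1024-vs-2048 argument, added here as an example that is not from the article or anyone in the thread: it uses the standard heuristic running time of the general number field sieve, L_n[1/3, (64/9)^(1/3)], with the o(1) term and all constant factors dropped (an assumption that makes only the ratios between key sizes meaningful, not the absolute numbers), and compares the factoring work at 1024, 2048 and 4096 bits against a 100x hardware speedup.

```python
import math

# Heuristic GNFS cost: L_n[1/3, c] = exp((c + o(1)) * (ln n)^(1/3) * (ln ln n)^(2/3)),
# with c = (64/9)^(1/3). We drop o(1) and every constant factor (an assumption), so the
# absolute values mean nothing; only ratios between modulus sizes are informative.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_log_cost(bits: int) -> float:
    """Natural log of the heuristic GNFS cost for an RSA modulus of `bits` bits."""
    ln_n = bits * math.log(2.0)  # ln(2^bits): a modulus of this size
    return GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)


def relative_cost(bits: int, baseline_bits: int = 1024) -> float:
    """How many times more work factoring a `bits`-bit modulus takes than a baseline one."""
    return math.exp(gnfs_log_cost(bits) - gnfs_log_cost(baseline_bits))


def speedup_in_bits(factor: float) -> float:
    """Express a raw hardware speedup (e.g. 100x) as the equivalent loss of security bits."""
    return math.log2(factor)


if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 4096):
        extra = math.log2(relative_cost(bits))
        print(f"{bits}-bit RSA: about 2^{extra:.1f} times the work of 1024-bit")
    # A 100x faster machine is worth under 7 bits; 1024 -> 2048 costs roughly 30 bits.
    print(f"A 100x faster machine buys only {speedup_in_bits(100):.1f} bits")
```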

~~~
jackhack
"supercomputers" are archaic in a day when one can rent a 40,000 core GPU
system with 732GB of RAM for $14/hour, on demand, via Amazon Web Services.
Available whether you need one or a hundred (4 million cores crunching on a
problem with 20Gb/second throughput is still only $1400 per hour). edit: more
thorough response.

~~~
dman
Where are you getting the 40000 core number from?

~~~
jackhack
https://aws.amazon.com/blogs/aws/new-p2-instance-type-for-amazon-ec2-up-to-16-gpus/

------
strictnein
The title here on HN misses a really important word: "Project"

The title at the Intercept is: "NYU ACCIDENTALLY EXPOSED MILITARY CODE-BREAKING COMPUTER PROJECT TO ENTIRE INTERNET" (their caps)

The computer itself wasn't connected to the Internet, a backup drive was.

edit: title was updated

~~~
grzm
The title was likely shortened by the submitter due to the 80-char length
limit on HN. If you believe the submitted title is inappropriate for HN,
please contact the mods via the Contact link in the footer.

The _Intercept_ uses uppercase for all titles. This isn't emphasis, it's
style. No need to carry that forward here.

~~~
strictnein
Many people comment here without reading the article, based solely on the
title, so discussing the fact that it's inaccurate seems to be pretty
pertinent.

> The Intercept uses uppercase for all titles. This isn't emphasis, it's
> style. No need to carry that forward here.

I didn't say it should be. I was explaining why the text I had posted was in
all caps.

~~~
frandroid
Next time, just paste in an editor and lowercase it yourself instead of
putting this disclaimer...

------
pinewurst
This is interesting and remarkably incoherent at the same time. The article
seems to conflate the existence of a dedicated ASIC based cracking machine
with another more general purpose one (apparently a BlueGene relative).

------
Animats
Is this really about a "code-breaking computer", or just some big data
collection and analysis cluster? A code-breaking machine would look like a
Bitcoin mining farm - all ASICs, very little storage, not much I/O, no disks.
A collection and analysis machine looks like an ordinary data center.

Is this maybe the Cryogenic Computer Complexity Program? [1] That's an attempt
to build a 10GHz machine running in liquid helium.

[1] https://www.fbo.gov/index?s=opportunity&mode=form&tab=core&id=6d3f7e438bfa93586b21e87ca90009c5&_cview=1

~~~
phicoh
Breaking an RSA public key consists of two phases. The first phase is
massively parallel and indeed doesn't require much storage.

However, the second phase requires solving a massive set of linear equations
and requires a more conventional big computer.

------
libeclipse
The very fact that the government invests substantially in brute-forcing
encryption means that there are enough weak implementations to make it
worthwhile.

Food for thought.

------
ethbro
Looks like someone needed more sticky notes. "This drive is a backup of a
secret government supercomputer. Do not mount as a share."

A la CERN: https://upload.wikimedia.org/wikipedia/commons/3/37/CERN-first-server-p1030757.jpg

------
dguido
Nothing in this article remotely qualifies as news. IBM builds computers, fast
ones, to crack passwords for the US DOD. They engage with academia to apply
research in building and programming them. Is that surprising? Even if it
were, there's not even a source document in the article. Snoozefest.

~~~
exhilaration
I think this is newsworthy:

Andrew "Bunnie" Huang: "My guess is this thing, compared to the TOP500
supercomputers at the time (and probably even today) pretty much wipes the
floor with them for anything crypto-related."

We've always guessed the NSA has some incredible resources, but to get a peek
like this into what they had _3 years ago_ is definitely newsworthy. It makes
the whole supercomputing race kind of a joke if governments have massively
more powerful machines hidden from public view.

~~~
schoen
Apparently the context suggests this particular machine had not been built and
delivered at the time the documents were written, so it doesn't show that NSA
had this exact machine at that time (though maybe they had other computers
that were this fancy or fancier).

~~~
yeukhon
Well. WindsorGreen is the successor design of WindsorBlue so I am assuming Blue
exists and it's just a matter of time to finish building Green.

~~~
schoen
I also guess the machine will be built in some form, just that the documents
probably don't reflect three-year-old computational capabilities, but might
reflect something more like present-day capabilities.

------
throwaway91111
So where are the documents? Not much of a story without them....

~~~
cavanasm
They're classified...if the guy who discovered they were publicly revealed on
accident had actually provided them to the Intercept, he would certainly have
lost his job, and likely ended up in prison.

~~~
schoen
The Intercept article says that they gave the documents to at least three
(named) experts to review in their entirety, suggested that the Intercept does
possess them but decided to publish only a small excerpt.

~~~
mapgrep
In terms of the prior commenter's assertion about source protection, that was
not a factor as the source alerted various of the original parties directly
that their material was in public view (as we mention in the story).

In terms of the (admittedly) small volume of original documents we published,
all I feel comfortable saying at this point is that we were interested in
publishing more, but there were significant legal concerns.

------
asimpletune
It's really too bad the specifics of the machine weren't shared. I'm not
speaking from a national security perspective, where it should be mentioned
that other nations most likely already obtained this information, but rather
from an academic perspective. It seems that there are a lot of questions
regarding the machine, its purpose for instance, and such questions could best
be answered by public study.

~~~
asimpletune
PS I loved the part where NYU mailed Adam a poster in recognition of not
sharing this.

------
MrMetlHed
So no one else had to open that Gif to find out the password?

NSACHDU0VSKYEP!CTHNDR

I guess Chudnovsky can't spell his own name (or is tricky with his passwords)
and calls himself EPIC THUNDER

------
coldcode
It is also slightly nauseating that a US company finds it perfectly acceptable
to undermine US citizens' privacy for profit. I suppose money is attractive.

------
dsfyu404ed
I'm sure NYU will find someone without tenure to take the fall for this.

