Economics of Password Cracking in the GPU Era

Video in TIB AV-Portal: Economics of Password Cracking in the GPU Era

Formal Metadata

Title
Economics of Password Cracking in the GPU Era
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2013
Language
English

Content Metadata

Abstract
As the shift to "general computing" and working in the cloud has accelerated in the last 4 years, so has the ability to take advantage of these technologies from an information security vantage point. This could not be more apparent than with the sudden uptick in GPU-based password cracking technologies. In this presentation we will explore where the current GPU cracking technologies are, what their costs are to implement, and how to deploy and execute them (with demo). Most importantly, we will demonstrate the "brute force calculator", which can assist with getting your money's worth. Finally, we will explore where the future lies for this medium and what that means for safe passwords moving into the next decade. Robert has been working in information security for over 12 years. In his travels he was one of the first to publicly demonstrate the downfalls of credit card security in merchant environments. Next, after 2 ? years of research, he demonstrated "whitelist"-based IDPS technology embedded within web-based code to protect against and detect XSS and injection attacks in real time. Later, he developed and implemented highly customized DNS logging integrated with real-time IDPS technology for protection against 0-day malware threats. He is currently working on an SV hackerspace and various WiFi security shenanigans.
Hello, welcome to Economics of Password Cracking in the GPU Era. This actually sounds more corporate than DEF CON normally allows for, but we'll get through this. Obviously I work at SanDisk, so I use their slide deck things. So what
we're going to cover today: we're just going to do a quick introduction of who I am and why we're here and why you should stay in the talk for the entire duration. We're going to cover GPU cracking, like some fundamentals, 101 stuff. Then we're going to get into the meat of it all, the economics of it. We're going to explain how fast and quick it is to deploy. We're going to do little lessons learned, if you haven't noticed I'm pretty corporate, and then we'll do a conclusion that's going to have some Q&A and some afterthoughts. Oh, there it is, Q&A. Shameless plugs. I love these, these are all my sponsors. So I used to work for Atheros Communications. The CFO came to me one day and said, here's a three-thousand-dollar budget and an Excel spreadsheet that's password protected, break into it and let me know, get back to me when you break into it. So it cost me about 300 to break into his Excel spreadsheet, but I still had a bunch of budget, so I kept going forward. So this talk is mostly because of them, so thank you, Atheros, for giving me time even though they don't exist anymore, it's Qualcomm now. Which brings me to my other one: so Atheros got bought out and I just cashed in all my stock options. Apparently Qualcomm already has a CSO, so I didn't have any purpose over at Atheros. SanDisk needed one, so now I'm the CSO over there. So I'm a technical CSO, so you shouldn't get up and run away once you hear the word CSO. If you guys don't know what that means, it's a chief information security officer. So I actually do soup to nuts, I actually do all the architectural reviews to deployments, all that other kind of stuff, and all that boring stuff like policies and procedures and talking to C-level staff. But they continued the funds on this and we're going to show you in a much bigger way than three thousand dollars later on. People of Earth, I definitely appreciate you guys, I couldn't have done this talk if you didn't screw up on a consistent basis, so I appreciate that,
thank you. And electricity: so if we look at the laws of electricity, there's two paths, the least resistance, and that kind of ties in with the People of Earth, so thank you. Anyhoo, oh yeah, I gotta give mad greets to my crews: Vegas 2.0, that's the people that I associate with. I don't have my lab coat on today because UPS really sucks, don't believe the commercials, they do not love logistics. DC949, you guys and all those crazy guys, the party was pretty good last night until I got shut down in concert with all the other parties in the towers. And the Cuckoo's Nest, this is the private hackerspace up in the redwood hills. It features 50 meg internet, dual 50 meg internet, and septic tanks, so it's kind of like a Coogan Con for those of you that know what that's all about. So thank you everybody for all your efforts in there making this happen. And oh, another shameless plug, a word about RSA tokens. So uh, one of my lessons learned is you need two-factor authentication, and I was all geared up for that, and then some assholes decided to totally let their systems get pwned. So I'm like, well, if you're going to do two-factor, don't do RSA, obviously, because it didn't work out. So what I have here is these special key chains, so I don't know if you can see very well, but it helps if it fits right side up. So uh, since I am the CSO, when I had to redistribute 3,000 RSA tokens to all my users, and that was a pain in the ass, I collected all the original tokens from my users, so they still generate numbers, and I was like, what the hell am I going to do with 3,000 RSA tokens that have no purpose because the Chinese have all of their seeds? And then I saw on the internet, on Attrition, somebody superimposed a bottle opener on the side of one of these as a joke, and I was like, well, screw photoshopping, I'm just going to actually attach bottle openers to all my dead RSA tokens. And you know, normally I buy American and everything, keep our economy going and all that, but I figured since this was
special, I got all my bottle openers from China, so every single bottle opener actually says Made in China on it. So what you have here is an RSA bottle opener from China. So I figured I'd throw some of these out to the audience. I did have a hundred and eighty of them and apparently I'm down to eight leading up to the talk, so I'll chuck these out. They actually have some significance around 2am tonight, so I won't tell you more than that, that's I guess a big enough clue. So if you have one of these and you're in the right place at 2am it'll be of use, otherwise just enjoy opening bottles of beer with your pointless RSA token. Some of these I think actually will go for the next five years, so it'll still generate numbers for five years to nothing, unless you're Chinese and you actually have a use for it still. So I'll go ahead and chuck these out and then get started. Were you mad? I don't want to hit you again. Oh, one more: any of you guys make it to the Summit on Thursday night? What a bunch of jerks. So the Summit was an EFF fundraiser, we gave out about 50 of these at the fundraiser as well, so if you were there you got one already. All right, about me: so why should you listen to what I'm saying and all this other crap? So I got four years of credit card security, you may remember me from DEF CON 11 through 13, I did some talks on how to steal credit cards from merchants directly. I felt that everybody was talking about the consumers and all the carders, and then in the world nobody is talking about the business that's getting raped blind, so I talked about that for about three years. I developed IDPS technology into code, so for websites, so websites that are self-healing and they detect when people are doing evil stuff and go into an offensive mode, for the Department of Energy, which they loved it and let me research that for three years and then scrapped it, so if you want to FOIA that it's actually some interesting stuff. And for the last two years I've been doing a lot of GPGPU password cracking
stuff. All the suit-and-tie crap: I've been doing IT security for 12 years. I've been in development roles, research roles, SOC analyst roles, incident response roles, tactical red team, tiger team, red vs blue, fill in the blank, and a bunch of holistic crap like policies and procedures and training and yearly refreshers and all that other stupid junk that you don't care about here. And the private hackerspace, so we have trees and servers to muse over, so it's in the middle of the redwood forest, there's about 15 trees and about, I think we're up to 48 terabytes of storage out there, just doing cool stuff. So if you're in the Bay Area and you want to go to this crazy forest resort hackspace, just give me a ring. Okay, now to what you
actually came here for. So sorry about all the SanDisk slide things. So what is general computing? So
there's a thing that people say, they get confused with GPUs and general computing. So general computing just means that you have a whole bunch of tools in your arsenal. So that's where OpenCL comes in. So OpenCL is supposed to say you can program for the platform, so if you say, okay, do you have a GPU? If yes, I'm going to do stuff using your GPU. If no, do you have SSE2 instructions? If yes, I'll use that, and it'll just kind of keep going down and down, but it looks for preferential devices, so that way you don't have to sit there and, like, CUDA really sucks because you can only do map mapping routines with CUDA and nothing else, you can't say, I'll try and do SSE3, which is not as fast but it's still useful. And that's why a lot of people are migrating from Nvidia to ATI cards, and there's some other things involved with that, we'll get into that. What is the current state of general computing in high-performance computing? So the Top 500, it turns out that of the hundred of the Top 500 that top the list, about 80 of those now top the list because they have graphics processing units or general-purpose graphics processing units, which are mostly the Tesla 2050s. So we're actually seeing that every time that list gets republished it just gets decimated with more GPUs. So if anybody's wondering if GPUs are going to really stay or if they're just a passing thing or in vogue right now and will be passé later, I don't think so, I think everything is going to move over to GPUs. Another thing about GPUs that people don't understand, and I always use every microphone I can to promote this: if you know what a DSP is, a digital signal processor, that's all a GPU really is, it's just sample rates, right? Something comes in and it just keeps on checking, checking, checking, checking over and over and over again like a really fast clock, that's the core. Yeah, somebody at Nvidia will say it's a lot more than that, but when you really think about it from a perspective, or a CS perspective, it's just like a
really super crazy FPGA or DSP processor. Cloud computing, so everybody is like, hey, you know, everybody loves GPUs, so let's get into it. So Amazon web clusters and EC2, Elastic Cloud Computing, they were the first to come out with it with the actual GPUs. The rest of these guys also have stuff, so if you want to do this stuff on your own, and if you look in the CD I have all the kit and everything you need to get started, you can be cracking passwords on other people's hardware in no time, or if you want to do bitcoins, if that's still popular, you can do it as well. I think at one point before the bubble burst with bitcoins it was actually cheaper just to use an Amazon EC2 to mine bitcoins, and even though you're paying per hour you're still getting more back once your 50 coins came up, but I think the bubble burst and now it's just stupid to do that. It might come back if it is really a serious thing that people care about. Do I sound like I'm droning on? Yeah, oh sorry, I'll try not to. Oh yeah, thank you, that was gum. Okay, um, distributed technologies, so it gets distributed, not in that Folding@home, SETI@home, and bitcoins, and according to the Crack Me If You Can guys there actually will be distributed password cracking pretty soon. I don't know if I'm supposed to say that to this many people, oops, you'll get over it, they'll get over it, but that's coming soon. I think that's the crux, like if we look at what we're doing with password cracking, that to me is like the holy grail, like once that happens, if you don't have two-factor you're dead, it's just not happening anymore. So that's actually, let's get into actual GPU cracking. So the hardware,
like, I had to catch myself up on all this once he gave me three thousand dollars. So these are the main ones out there. If you want to buy the top of the line thing for your bitcoins or GPU password cracking, on the Nvidia side you want to use the GTX 590. All they really said was it's the same thing as the two GTX 250 series. They said, well, we couldn't figure... 260? Thank you, sir. No, no, you don't even know what I'm talking about, shut up. So the 260s, what they did was said we have a processor, we don't know quite yet how to make it faster, so let's just put two GPUs on one card and just say it's double the speed. That's all the 590 is, it's just two 580s crammed onto one card. So when they say 1024 cores it's really 512 cores per GPU, so when you're doing cracking it actually breaks it out, you actually see two GPUs actually crunching your numbers, not one. So that's a little bit of an issue. And so we have here it says times eight cells, so it's just like the PS3, right, they say that they have the Cell processing, so each core has eight cells, it's the same technology because Nvidia is the one that uses that for the PS3. So there's a real problem with this and we'll get into that later. So even though you have 8192 streams, we'll quote that, it still doesn't compete with the Radeon HD 5870, which is 1600 cores, and there's a 5970 which they did the same thing as the 590 did, it said 1600 + 1600, so you just have to have a really big-ass power supply to handle one card. Just check my notes to see if I missed something. Oh, I guess I am supposed to talk about it here. So why does everybody switch over? We need to think of bitcoins, I'm just going to keep referring to that because everybody knows that they like money and they like to switch to stuff that works. So Nvidia won out of the gate as far as cracking passwords and bitcoins and all these other things because they had CUDA, and CUDA is just a development environment. They had a lot of examples, a lot of free TechNets, a
lot of webcasts, all this stuff, so I was able to hit the ground running. And Radeon, or rather ATI, had this thing called Stream Kit, and Stream Kit was just this gaudy, kludgy piece of crap with not really good documentation. So all the developers said, well, Nvidia is a pretty solid company and stable and CUDA is pretty well-documented, we're going to start doing that. But what people found out later on, especially when ATI started promoting OpenCL, is that you actually get a lot more performance out of the Radeons. The reason why is it's the CISC versus RISC argument, right? So CISC has all these predetermined processes, you just send it in, like SSE2 and all the other stuff and MMX, so you just tell it to do one thing, one instruction, and that instruction knows to do 15 others that are pre-programmed. Radeon is just like, why I already love the 68k processor and the PowerPC side, for the longest time it was, well, as long as you're willing to code it it's going to be more efficient and faster and actually get better performance. So when you look and you actually do a map function on a CUDA, it's going to look at 512 cores and it's going to map across 512 cores as if there were streams, so you're only using one cell per core instead of all eight cells, now just because you're not a good programmer or you just really don't understand CUDA. Now OpenCL said, we don't care, as long as it's a stream you can address it. So now you're writing the same exact code in OpenCL and you're saying, go across 1,600 cores and do 1600 process map functions simultaneously, so that's a lot faster than 512 map functions. So that's why it's important to kind of point that out, why ATI, and this is getting to like a really bits-and-bytes level, why ATI is better than Nvidia, not because their logo is red and the other one is green. But that's why everybody's moving over, and if Nvidia doesn't change their processes, if they don't change their architecture, they're going to lose this war and
it's going to be ATI that's going to be the market leader, or AMD, for a little while. So what else? Oh, we just went over all that crap. Okay, I should probably pay attention to my next slide thing here. Okay, cracking software, what's out there? So oclHashcat, I put it at the top because right now it's the top contender. IGHASHGPU, which is Igor from Russia, he's got one. And then the CUDA-Multiforcer, which is missing in action as of today. Are you Bitweasil? Well, what, the website's been down forever, dude. Uh, well, you know, you would have been number one. So a little background real quick, I had this, the first time I met this guy, so I actually partnered up with, can you stand up for a second? So this is a funny story. While I was at Atheros, I am NOT a CUDA programmer and I needed to find a crew with a programmer, and I had the three thousand dollar budget. So I call up Bitweasil and I say, if I just buy you a bunch of brand new cards, can you do some exclusive programming, or at least stave off the code to other people and just give it to me early? He said, sure, no problem. Next you know, I drop shipped a couple of video cards so that he can get the multi-card thing going and everything's happy-go-lucky, and then all of a sudden the website was missing for two months when I was making these slides, and I'm like, what happened, Bitweasil? Apparently, I don't know, you were on a drunken stupor or something, so a server failure. So you can write CUDA programming but he can't keep a server up, I see. All right, so as of right now you're in third place behind these guys as far as your efficiency in your algorithm. So, and I'm kind of an asshole that way, I don't mind saying that right directly to you. So actually my slides actually show you still ahead, but I didn't revise them yet. But well, good, maybe later on this weekend I can do some joint stuff with him and show you guys the most efficient code. So CUDA-Multiforcer, or Kim's, prepackaged on BackTrack 4, is
it also on 5? Is Pure Hate in the room? Are you auditing mine and seeing if I'm full of it or not? No, I guess not. Oh, oh, speaking of which, is F5 here, or F9? Please step to the front, please. That was redundant. So she's part of the scavenger hunt and I'm supposed to give her a lot of... otherwise they'll bust my balls. So if you can just sit up here with me, don't worry, I put on deodorant this morning, thank you. Anyways, so CUDA-Multiforcer, this is the one I started off with and this is the one I was able to actually crack a ton of passwords with, so thank you for that, Bitweasil. But right now oclHashcat, which is run by Atom something or other, he's in the current lead because of his ATI card with the OCL, which is the OpenGL framework. So this is my buddy for the duration of the talk. And there... current benchmarks. So we're going to go over benchmarks, they're all going to be based on NTLM, Windows Active Directory, MD5 for the websites, and small salt-based passwords. And this one's for you, Smart, where'd you go? Where's Jackie? Anybody watch Epic Meal Time? Yeah, salt-based passwords, Smart. Okay, you guys in the audience get it, that know that stuff. So what's in a mask? So okay, let's talk about this. This is what I really love about password cracking, is how stupid humans are and the path of least resistance. So now that you guys know, earlier in the year, and I'm going to start picking this up faster because I think I'm way behind on my time, and we have a special thing, we
don't have a live demo but we have a consolation prize for you guys, so don't get up and run away, because the live demo's down here, if you're a dude or lesbian it's really worth it to you to stick around, nudge nudge. So uh, so at my company SanDisk, or any other company, and now apparently a docker because they got smart, was, hey, you need an uppercase, lowercase, a number, a special character, has to be minimum eight characters, right? Well, this sounds all hunky-dory and dandy, and even Pure Hate, I'm kind of biting his style a little bit because he got into this, and Bitweasil kind of built a custom cracking tool to help out with this, where you said, okay, uppercase, lowercase, numbers, what do humans do? Oh, I got to do an uppercase, you know what, I'm gonna make that my first character, it's going to be uppercase, just because I gotta remember that the first one's uppercase because they make me do an uppercase. Well, ninety-nine percent of my organization, and I don't work at Atheros now, I can tell you this, ninety-nine percent of Atheros started off with uppercase. Before I came in I was like, guys, I just cracked all your passwords in like two hours, because your eight-character password now went to a seven-character because I only checked uppercase in the front. And so we actually put in the GPO policy, you no longer can use an uppercase character, that is required, at the beginning of your password. So doing something simple like that actually saves you a lot of grief. It pisses off users because they're like, Christ, now I have to start putting my password underneath my keyboard again, because they just can't think, and we'll talk about what that really means. So that's what we say is what's in a mask. So when you actually say, okay, I have a 10-character password, it's really strong, well yeah, if it starts with an uppercase and ends with a number, and then every ninety days when I make you change it your last character went from one to two to three, or even the special
characters in the keyboard, you went from a pound to a gnat, or bang to an at to a pound to a dollar sign. It's like, okay, I'm pretty sure the Chinese could figure that out, you idiot. So uh, we actually had to put all these really specially crafted GPO rules in to kind of combat this kind of natural path of least resistance of users. So that mask, so you can say, okay, we're cracking passwords, we're doing brute force, yada yada yada, it's taking forever, eight characters takes 23 hours, that's a long time. You know, you can start using masks and now seven characters takes an hour and 15 minutes, especially, and with the mask your mileage varies, it may be about eight hours to get every masked seven-character password, but it'll get 75 percent of your passwords. So if any of you are in the Crack Me If You Can contest, that's what we call in the business a clue, okay. So, and they're probably reeling over there like, what an asshole, he's told like 200 people how to break into our whole contest, but they'll get over it. So that gets into the passphrase concept. So, and interestingly enough, I was in India for two weeks trying to convince them to use better passwords, and they were scared that I was making them use 10 characters, and I said, well, you know what, think of a passphrase, right? I only eat tandoori chicken on Saturdays even when the wife complains. Yeah, I used the first letter of all those things, and you mutate i's for bang signs and a's for at signs and that sort of thing, and remember to put a capital letter in there somewhere, and suddenly you're just saying in your head, I only eat tandoori chicken on Saturdays even when the wife complains, and you have a really really complex password that you can just say in your head, use the first letter and make sure you have pretty mutations on some of those letters, and all of a sudden that's a really freaking good idea, you know. So I think that's like the crux of everything, you can probably leave right now if you want to miss out on the lesbian
action. That's really the whole point of me being up on stage today: two-factor, and you, so you guys all got your cool passes to that thing at 2am, if you didn't, sorry. Oh, and there's a Google, there we are, talked about that. So I'm mad props to Google, I mean you can love them or hate them, and maybe they're not doing evil and maybe they are doing evil, who knows, but there's the first email client that's public that gave away a free two-factor authentication option, and I use it. So even when I'm on my computers I use every day I still use it just as a matter of course. It's just a really freaking good idea, you know, especially if they're giving it to you for free. So um, even in our organization we're prepping everybody to do two-factor, and if you work at Qualcomm, any Qualcomm employees here that want to admit you work for Qualcomm, you guys all know that your VPN requires two-factor and all your other in-house requires two-factor, right? Nod your heads. Yeah, they're nodding their heads because Josh just absolutely requires that over there and he's like hardcore about the two-factor, and it's just a good idea, you know. And we'll talk about why that matters right now actually. God, I've been drinking too much. SecureAuth, this is actually, our Symantec VIPs, so I don't talk about RSA anymore as a good two-factor option, just because the Chinese just cut through them like butter and they're probably doing it again as we speak. So Symantec VIP, that's the old VeriSign two-factor authentication, that's saying, you know, it's on your phone, so on your smartphones you can have a two-factor here. And the thing I always tell people is, oh, you don't like two-factor authentication? Think about your smartphone, all right, how often do you lose this versus your car keys? So go ahead, just keep this around, lose your car keys, and you have your second factor, so stop bitching about me making you carry around your phone that you're already carrying. So you can do that with Symantec VIP, you can do it with
RSA as well, but it's RSA, so. And my rep is going to get so mad at me if she's listening to this right now. SecureAuth, SecureAuth, anybody have Chase banking online? You can admit it. Only one will admit that they use Chase, come on. Who had Washington Mutual? You're all poor bastards in here. I got Washington Mutual accounts, or Chase now. So when you try and log into your account it says, well, you have your number on file, can I text message you a four-digit code just to make sure it's you? And that's what SecureAuth does, they're the ones that are behind the nuts and bolts on the Chase. You're going to start seeing a lot of other places, USAA does it today, so for all you former military and jerks that just used your parents' military experience to get your USAA accounts, they have it, yeah, that guy, they have two-factor authentication as well, because they get it, you know. Our military might could not get other things, but they get two-factor authentication for their retired employees, for their active employees, for USAA. Everybody knows what USAA is, right? Okay, so for your foreigners, that's the credit union that's exclusively given out to all of our military forces and their families. And if you don't know what a credit union is, that's a place that's not an evil bank, they're all nonprofits, they're not allowed to turn a profit for personal gain, which they happen to be the largest nonprofit, they're a Fortune 10 company, but a nonprofit Fortune 10 company. So USAA, they have two-factor authentication, that's just a really good idea. And all these apps are free in the App Store, in the BlackBerry store, in the market, the Android market, you can just download these apps and you can just demand of your employees or of your companies and of your vendors that you use, I need two-factor. PayPal has two-factor for free, E*Trade has two-factor for free, USAA has two-factor for free, start pushing everybody else. At SanDisk what we do is say we have two-factor and you're partnered with all your banks, guess
what, the same token you're using to authenticate with us, you can recycle that for your bank. Now I'm not carrying around this freaking janitor's key of RSA tokens for all your different things: this is for my Wells Fargo, this is for my porn site, this is for my work. You know, you can do it all in one token. All right, I'm done pitching it to you.
Let's get into the economics. How cheap is it to break passwords? Pretty cheap. So a locally hosted box is my recommendation, as long as you don't mind a slightly higher power bill; it ends up being about fifteen dollars more a month for a typical residence here in the United States. Private clouds are also a really good idea; we'll talk about that as well. And local distribution, that's getting into the whole SETI@home thing where you can have all the computers in your environment, especially if you're a development house like SanDisk. We have a lot of GPUs just laying around in all of our development boxes, like we want the top-of-the-line thing and we're never going to use that GPU. I'm like, well, okay, I'll use your spare cycles while you have that box doing nothing, and crack your own passwords. Congratulations, you lose. So let's take, yeah, the custom screen savers and everything you know and love. Public clouds, Amazon: I was going to have a demo for you but I don't have it ready. Oh, here's my live demo. I didn't have a live demo, so I gave you guys girls pillow fighting. I think that's DJ Jackalope there and that's Beer Betty there. Oh, you missed out on the lesbian part. Smart. Okay, and there's your live demo of girls pillow fighting. If you have those RSA tokens you'll see the encore production at 2am somewhere; stay tuned, nudge nudge.

Oh, a word about LastBit and Elcomsoft: it's definitely pound-equals, so LastBit is the exact same thing as Elcomsoft. Have you guys heard of these guys? Like Wired and ArcSoft and all, ArcSight and all them, they did these exposés on them about 18 months ago and they said, hey, now you can pay somebody to do your password cracking with GPUs. Yeah, hopefully they don't take me out back and shoot me because they are Russians, but these are both the same exact company and it's the same guy, and he'll just take your money and run. I had to do chargebacks. I used an American Express, which has really good chargeback coverage, so I was able to recover the money that I lost from my three thousand dollar budget, because I was just trying anything I could. I was like, I just want to show this guy I can crack his password, so I tried buying the Elcomsoft software; it didn't work. I had a brand new GPU in there and it says, I don't see your GPU. So if you're thinking about using these services, I'm just going to go ahead and say that it's crap, it's rubbish. So if you're thinking about it or you already purchased it, get your money back. And if you're in the room, guys, sorry, your stuff sucks.

So the best thing I suggest is a local box. You can do the Amazon web cluster, and this is how this works in my mind: if you've got 10 days on your hands to crack a password and three thousand dollars, just buy a local box. If you don't have 10 days, you needed to have it done today, you do that vertical versus horizontal thing. Vertically it takes 10 days to crack a password, or you can just spend the same 3,000 and go horizontal and just get a crap ton of GPUs at Amazon and have them all cracking simultaneously, and you can have it done in about 23 hours. It's going to be the same three thousand dollars. The only difference is on a single box you did that once and you can keep doing it again and again and again; it just takes 11 days, 48 passwords. As opposed to, like, I just have a project and I just need to crack something and move on with my life and I'll never crack a password again; then I would say just use Amazon. But if you're going to do it for, you know, checking the strength of your employees' passwords like I have to, you get a single box, and we'll show you what my box looks like in just a minute. And we said distributed: non-existent. Well, according to Crack Me If You Can it will be existing pretty soon, and I want to work with them to do a Chrome/Firefox extension, so you can also do distributed storage of cracked passwords. Whoa, I don't know about that. There's a GPU/CPU distributed password cracker called dirt off? I don't know, d-u-r-d-a-m-a-l? Okay, Bitweasil is questioning your authority on the subject. I'm not aware of this; is it actually still developed? We'll talk about that offline. Don't forget there's a Track 1 Q&A, so I'm just droning on. I'm sorry; if you want to know more details we can get into that in the Q&A. My thing says I'm good on time, but am I still good on time? Where are you, goon that's supposed to be monitoring me? 17 minutes, okay.

Oh, here's a really, really, I don't know how well you guys can see this up there, I know it's really scrunched and everything, but what I went ahead and did with my budget, after I cracked his password he gave me a bigger budget, was bought a ton of GPUs just to see what the actual efficiency of every single one was against the CUDA Multiforcer that Bitweasil did, and I also did some just basic crunching. So if you look at this, this slide is on your CD, and you can actually go on to our website once it's up, Cuckoo's Nest net, it'll be live in two weeks, and you can actually get the latest updates on this. This actually tells you your bang for your buck. So in the very bottom right corner there you can see those gold things; that's your bang for buck for either keys versus dollars, keys versus cores, keys versus memory. And a key is a password; we just refer to it as a key, but that just means a password that we tried and it worked or it didn't work. So silver is second place and bronze is third place; that's kind of how it breaks out. And these numbers, I tried to do bleeding edge; these numbers change so frequently because Newegg and Amazon and then Fry's are always competing and trying to keep the prices lower, and things change dramatically, but at the time these slides were made, about four weeks ago, these were the current dollar amounts for each of these GPUs and the efficiency of each one. So right now, if you have the ATI HD 5970, which I think is in shortage, like a lot of people didn't have it anymore, like everybody wanted them for Bitcoin generation and they just ran out of GPUs, so if you can find one, that's actually the most efficient one, the biggest bang for your buck, with oclHashcat. And maybe that'll change after I have an offline discussion with Bitweasil over here, and he's working in OpenCL currently. Very good. So we'll get back to that.
This is what SanDisk is going to do. This is what I submitted; my CIO has a good idea. So what I told him was, how would you like to have a computer in the top 100 of the Top 500 supercomputers? And he said, what, were you going to save me money somewhere else before I give you this budget? So I ended up saving him about 225,000 dollars on our pen test by going with a boutique shop; it was some personal friends of mine. So he's like, well, you saved me two hundred thousand dollars, that's clearly not two hundred thousand dollars, you can have that money. So hopefully by December we'll actually have this live and working and I'll actually be able to show you this live. I'm gonna do a VPN in, maybe from ShmooCon or something like that, and actually show you 80 GPUs cracking 150 trillion passwords per second for fifty-two thousand dollars. So the GPU count is 40, but that doesn't, it's actually 80, because like I said before, the 590, the GTX 590s, are two GPUs each. So yeah, actually it's 136.8 trillion passwords per second is what we have, but if I can work with Bitweasil and get that more efficient, maybe we can make that faster. And it's actually going to be, I know I just told you guys ATI is the best bet, but it's going to be NVIDIA, simply because we want to put this computer on the Top 500 list just to be assholes, and the way to do that is with LINPACK, and LINPACK only supports CUDA GPUs, which means you have to use NVIDIA. Unless somebody wants to write me a LINPACK for ATI cards, then I'll go with that; that'll actually bring this cost from 52,000 down to 38 thousand dollars for a top 100 supercomputer. I'll pay you if you can save me money; I'll actually pay the difference just to make it happen. Oh, I have no problem throwing money at problems. Okay, remember, if you were here for the beginning, I am a CISO, so if I can't figure it out I'll throw money at it, either hire somebody or do outside development just to get it done. So that's the problem you have when you have a former black hat now running the show: if he can't figure out the answer he's gonna find somebody that's gonna figure it out and pay him well to do it. So just keep that in mind if you have some gigs and you want to pitch something to me; if it sounds like a good idea and it makes sense for SanDisk to do it, I'll pay you to do it, and you can take your credit, but we're going to totally enjoy the fruits of your labor, and then later we'll open source it because, you know, it's my call. So, not to spin my own wheels, but you guys do finally have one of your own in the high ranks of a Fortune 500 company and I'm gonna abuse my power until they kick me out. All right, moving along.

So this is the brute force calculator. I'm going to do a switch over to the brute force calculator here with my really awesome screen resolution. This is also on the disc; if it's not, just ask me and I'll get you one. And I have the latest numbers here. So this is what I did a cut-and-paste of, but essentially this is totally ripped off of some site that did this, and I just retooled it for the latest numbers. Which you can say is: I want an eight-character password, what's my time to live if I decided to use an eight-character password? And it's 10 days. So you have 10 days with a, let me show you the current costs down here, 2,000. It was three thousand dollars, now it's two thousand dollars. If you don't think your password is worth more than two thousand dollars, just have it be eight characters, because it'll be cracked. It doesn't matter what it is, whether it's NTLM or MD5 or SHA-1 or even SHA-256, because it's just cracking passwords; it takes about ten days and two thousand dollars if you have an eight-character password. And like I said, you can do it in 23 hours for three thousand dollars with the Amazon web cluster,
but this is a 92-character set, so anything that's printable on your keyboard, period. Is it the crazy ones where you do an alt-shift special character? Who's doing that? Nobody. Okay, 0.01%. 0.01 percent, congratulations, you defeated my thing. But for the rest of you jerks in the audience, which is everybody else, you're screwed if you're having it. So think about your Google password, think about your PayPal password. If you got eight characters and you say, well, it's Google, it's PayPal, it's all these other people: Gawker got hacked two years ago; December, January, December '08, January '09, Google admitted that they had a problem and some Gmail accounts got broken into, and that's why they have two-factor authentication, okay? So if you think that all these places, especially Yahoo, I know the new CISO over there, and let me tell you, make sure it's over eight characters, okay? Hey, sorry, Justin. So just think about any of your passwords: ten days, that's what your passwords are worth at eight characters, it's done with. Now here's the surprising thing, because this is a password calculator I can type whatever I want into it. Nine: what does that work out to be? Anybody can guess: is it ten days? 48? I got two months, one year, ten days. No, surprisingly, just adding one character is 2.6 years. This is not a linear thing, this is an exponential thing. So just saying, okay, I can figure out one new character to memorize, saves your ass that much more. So guess what, at SanDisk, since I'm still trying to train people before we go to passphrases, everybody's required to have nine characters. Yeah, it's one more than eight and everything seems superficial, but the proof is in the pudding: 2.9, 2.6 years for two thousand dollars. Now of course if I throw more money at it, like, say, I don't know, fifty-two thousand dollars, that number will go down, right? So let's look at what that number goes down to: 52 thousand dollars, 18 days. Just to remind you guys, the number two supercomputer on the Top 500 list is a Chinese supercomputer with GPUs, and let me articulate my voice a little: a Chinese supercomputer is number two on the list; as of two months ago it was number one, the Japanese took over. So the Chinese are getting your eight characters and your nine characters, supercomputer status, in less than a minute.

So let's revisit that discussion about two-factor authentication, right? That's why we're here, that's the whole point of my talk. I got yelled at at ShmooCon during the panel that my answer to everything was two-factor, and they were saying it costs a lot of money. Let me remind you: PayPal does it for free, USAA does it for free, Google does it for free, your company already has it. Are they sharing your tokens with third-party vendors in a secure manner? Federated passwords, right, OpenID, all that stuff, are they doing that to make it happen so that we all can move to two-factor? It's just, in the age of Chinese espionage you just have to have two-factor, that's just the way it is, whether you work at a private company, whether you work for the ACLU, whether you work somewhere else where they care about your stuff, you just have to have two-factor. That's just the long and short of it.

Anybody want to see what Mike with the Qualcomm 12-character looks like? I think it starts getting into galactic years. So Qualcomm requires 12 characters, or do they require it yet? You two guys over there, I know he was talking about it and I was like, wow, what a jerk, 12 characters, start inspecting people's keyboards now. So you see it's all pounded out here already, right? So it gets into 0.01 galactic years, and yes, for all those curious, galactic years is a legitimate thing, but yeah, it takes twenty-one thousand centuries. That's a long time. And how about those supercomputers in China? Yeah, for now you're okay, haha. But if you haven't noticed, with GPUs in the high-performance computing realm these days, guess what: like five years ago we were only doing one petabyte as the number one computer, we're now at 320 petabytes, or a petabyte, petaflops, thank you PeteV, we're at 120 petaflops per second as the number one computer. So in just five years we've had more than a hundred percent growth in that field. So how long do you think that's going to last? So we have to start thinking about things like better salt, two-factor authentication, that sort of thing. I'm running really low on time, if not out of it. Five minutes? I don't know how many more slides I have; I'm just going to buzz through these real quick. Yeah, we had a pillow fight instead of live demos.
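The arithmetic behind the brute force calculator walked through above, as an added example (Python, not the speaker's spreadsheet, not the site it was ripped from, and not any cracking tool's code). It assumes the talk's 92-character printable set, back-computes the speed of the $2,000 box from the talk's own "eight characters, about ten days" figure, assumes cost scales linearly with the number of boxes, and assumes mask class sizes (26 upper, 26 lower, 10 digits, 30 symbols) that sum to 92. Every number it prints is an estimate from those assumptions, so it lands near, not exactly on, the 2.6-years and 21,000-centuries figures from the slides.

```python
"""
Brute-force keyspace / time-to-exhaust calculator (added example).

Illustrative reimplementation of a "brute force calculator"; constructed
assumptions, not measured data:
  - FULL_CHARSET = 92 printable keyboard characters, as the talk uses.
  - The $2,000 box's throughput is back-computed from the talk's data point
    ("8 characters, 92-char set, about 10 days").
  - Cost scales linearly with throughput ("throw more money at it").
  - Mask class sizes are assumed for a US keyboard and sum to 92.
"""
from math import prod

FULL_CHARSET = 92
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
GALACTIC_YEAR_IN_YEARS = 230e6  # assumed: roughly 230 million years

# hashcat-style mask classes: ?u upper, ?l lower, ?d digit, ?s symbol, ?a all
MASK_CLASSES = {"u": 26, "l": 26, "d": 10, "s": 30, "a": FULL_CHARSET}


def keyspace(length, charset=FULL_CHARSET):
    """Number of candidates for a full brute force of `length` characters."""
    return charset ** length


def mask_keyspace(mask):
    """Keyspace of a mask such as '?u?l?l?l?l?d?d?s' (one class per position).

    A policy-driven "capital first, two digits and a symbol at the end"
    habit is exactly such a mask, which is why masks recover most
    passwords so much faster than a true brute force.
    """
    tokens = mask.split("?")
    if len(tokens) < 2 or tokens[0] != "" or any(t not in MASK_CLASSES for t in tokens[1:]):
        raise ValueError("mask must be a sequence of ?u ?l ?d ?s ?a tokens")
    return prod(MASK_CLASSES[t] for t in tokens[1:])


def rate_from_observation(length, days, charset=FULL_CHARSET):
    """Back out keys/second from one observed (length, days to exhaust) point."""
    return keyspace(length, charset) / (days * SECONDS_PER_DAY)


def seconds_to_exhaust(space, rate):
    """Worst case: every candidate in `space` tried at `rate` keys/second."""
    return space / rate


def days_for_budget(length, base_rate, base_cost, budget, charset=FULL_CHARSET):
    """Days to exhaust `length` chars if `budget` buys budget/base_cost boxes."""
    rate = base_rate * (budget / base_cost)
    return seconds_to_exhaust(keyspace(length, charset), rate) / SECONDS_PER_DAY


def describe(seconds):
    """Human-readable duration in the units the talk uses."""
    years = seconds / SECONDS_PER_YEAR
    if years >= GALACTIC_YEAR_IN_YEARS / 100:
        return f"{years / GALACTIC_YEAR_IN_YEARS:.3f} galactic years"
    if years >= 100:
        return f"{years / 100:,.0f} centuries"
    if years >= 1:
        return f"{years:.1f} years"
    return f"{seconds / SECONDS_PER_DAY:.1f} days"


if __name__ == "__main__":
    box_rate = rate_from_observation(8, 10)  # ~5.9e9 keys/s for the assumed $2,000 box
    print(f"assumed $2,000 box: {box_rate:.2e} keys/s")
    for n in (8, 9, 10, 12):
        print(f"{n:2d} chars, 92-char set: {describe(seconds_to_exhaust(keyspace(n), box_rate))}")
    # The same nine characters against a 26x bigger budget (estimate, not the slide's figure)
    print(f" 9 chars, $52,000 of boxes: {days_for_budget(9, box_rate, 2000, 52000):.1f} days")
    # Why a mask hurts: a mandated pattern versus a true 8-character brute force
    pattern = "?u?l?l?l?l?d?d?s"
    print(f"{pattern}: {keyspace(8) / mask_keyspace(pattern):,.0f}x smaller than the full 8-char space")
```

Two things fall out of running it that the slides only assert: each added character multiplies the worst-case time by the charset size (92x, which is the 10-days-to-years jump), while a predictable pattern divides the keyspace by orders of magnitude, so a length rule that users satisfy with a fixed template buys far less than the calculator suggests.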
If you really want to know more about it... oh, NTLM is dead, if you haven't heard. So if your Active Directory domain administrators are still using NTLM to do federated passwords back and forth, throw something heavy at them, preferably a brick, and tell them to move over to Kerberos. So yeah, and let's learn from Gawker, Sony and others, or "how I got f'd in the A with the D", right? I mean, that's not even federal prison, that's like burrito-up-the-ass Mexican status right there. So you gotta really think about it. Gawker, I mean, the guys that just pwned everybody in Silicon Valley got pwned themselves. So how many of you shared that password with all your other passwords? You don't have to raise your hand, just think about it in your head, how dumb you were. Okay, so Sony: we all had our PlayStation online accounts, we can all admit it. They said the credit cards weren't stolen; they were stolen, come on, let's not kid ourselves. Your credit card wasn't stolen, but you get one free year of credit monitoring service, but don't worry, it wasn't stolen, okay? And I do have some buddies over there, and they can eat a bag of something. A little sidebar on that: like two-thirds of their security team actually got fired over that, because when they came back online, like 30 seconds later they got re-pwned, and they're like, okay, I get it, you guys are all fired. So think about that: when you guys got on for a minute, you changed your password to the secure password that got pwned again, the one you use for all your more secure things. So that's really my big push for two-factor. So definitely try and figure out multiple passwords, and this gets into the thing of password safes. Use a really good password, maybe even a two-factor authentication password, for your IronKey or other technologies that are out there, and then you can have some unruly 32-character-long special-character thing that you can cut and paste somewhere else. As long as you're not using that password to get into your password safe for all this other stuff, it makes better sense to do that, and if it gets pwned, and then there are these public lists that people can GPU password crack, like Gawker and Sony, you're not going to be that idiot that's got the eight-character password, right? So no offense, I keep on calling you guys idiots and you came to my talk.

And we just talked about that, salting passwords. I was going to do a, what do you call it, Conan O'Brien "in the year 2000"... mmm, there it is. Yeah, I practiced that all year just to not do it. So we will say, as far as that's concerned, like I said, supercomputers are only as exponential as we're seeing with GPU password cracking and the complexity of these passwords. So really think about that as far as what your passwords are, what your password policies are. Even if you're an individual contributor at your company you can still come back and say, here's my password calculator; don't listen to me, because I'm just some schmo that you don't care about that's just doing all your grunt work, listen to the calculator; it doesn't tell any lies. If you are a mover and shaker in your company, make it happen. Start doing all these educational things, show these slides to the people in your company and say, no, this is how you're f'd in the A with the D. And I'll be quite frank with you guys, this is a SanDisk slide; I had this conversation with the C-level staff there and I did not remove that from this slide. I told the CIO he's going to get f'd in the A with the D if he doesn't change his policies. That's how serious I am about it, and my point of coming up here and just babbling on to you guys is to make you just as serious as I am. Quantum computing: when that happens we can all just pack it up and go home, right? So if you're not on two-factor by then you're just f'd, like seriously, I don't even have a clever, witty thing to say for that. You know, I mean, you're just gonna have a bukkake fest, like 24/7, just in and around your mouth, okay? So my fiancée's just looking at me like, you did not just do that. So yeah, think about that, and that's any second now, right? IBM and Toshiba and Samsung are on the verge of quantum, so think about that. Conclusion, questions and answers, I think.

Sorry, I can take, am I out of time already? Am I a jerk? Okay, I can take one question, then remind you guys that there's a Q&A in Track 1 near here and you can ask me a bunch more questions. Sorry that I just kind of carried on. So who's got the first hand for a question? That guy right there, stand up, what's your name? Okay, his name is Skunkworks apparently, because he can't listen to me. Skunkworks, what is your question? Application-specific integrated circuits; you're talking about FPGAs? So integrated circuits is very similar to FPGAs; it's the same thing as GPUs, because you're making a purpose-built embedded solution. I think the costs right now are prohibitive for that, but later on, oh yeah. Thank you very much, everybody.