A call for aid in cracking a 1024-bit malware key
Ivan Krstić
krstic at solarsail.hcs.harvard.edu
Wed Jun 11 17:38:09 EDT 2008
On Jun 11, 2008, at 10:04 PM, Steven M. Bellovin wrote:
> Let's put it like this: suppose you wanted to use all of your
> cryptographic skills to do such a thing. Do you think it could be
> cracked? I don't...

Exactly right. After Storm, I don't think anyone reasonable still
believes that there's no talent in the black hat community. So even if
this particular piece of malware has implementation issues, the next
version won't. And then what?

Focusing on the crypto is just missing the point entirely, although I
suppose it grabs headlines. But the problem at hand has nothing to do
with crypto, and everything to do with the fact that our desktop
security systems are fundamentally broken[0]. There is _no_ _reason_
that a piece of malware executing silently in the background should
have access to the user's files without interaction or approval from
the user. And you can't maliciously encrypt files you can't access.

We know how to build systems that are both drastically more secure and
more usable than the ones in use today[1]. I wonder if a proliferation
of headline-grabbing threats like cryptographic ransomware will help
overcome the OS vendor inertia.
[0] See first half of <http://radian.org/~krstic/talks/2007/auscert/slides.pdf>. Note: I'm no longer affiliated with OLPC.
[1] E.g. <http://en.wikipedia.org/wiki/CapDesk>, <http://en.wikipedia.org/wiki/Polaris_(computer_security)>, <http://en.wikipedia.org/wiki/Bitfrost>
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
---------------------------------------------------------------------
The Cryptography Mailing List