A peek inside the Secret Service’s brute force hacking

Interesting article in the Washington Post on how the Secret Service uses distributed computing to break encryption.

Of course, I can’t let this pass without saying a few words.

“[C]riminals who use encryption usually are higher profile and higher value targets for us because it means from an evidentiary standpoint they have more to hide.”

That’s an improvement over the common misconception that anyone who uses encryption is likely to be a criminal. But it also doesn’t make much sense — what is the correlation between “having things to hide” and “knowing how to properly hide things”? If there is a connection, the interesting corollary is that criminals are by and large smarter than corporate America.

“Most people don’t pick a random password even though they should, and that’s why projects like this work against a lot of keys,” Schneier said. “Lots of people — even the bad guys — are really sloppy about choosing good passwords.”

There’s a very decent random password generator in Mac OS X, but it’s “hidden” in the usual sense — buried in subfolders, not immediately obvious in the UI, and completely unadvertised. (Find it in Applications > Utilities > Keychain Access.) But I’d love to hear someone tell me how to overcome the problem that my nonrandom passwords are in my muscle memory, and I fear the switch will be as difficult and annoying as converting to Dvorak was.

“Ultimately, the agency hopes to build the network out across all 22 federal agencies that comprise the Department of Homeland Security: It currently holds a license to deploy the network out to 100,000 systems.”

Prediction: look for an article in November sometime about how compromised Windows machines in DHS are exposing this code to unforeseen intrusions. You can’t do much against a distributed codebase, but you can certainly gum up the works.

“In the meantime, the agency is looking to partner with companies in the private sector that may have computer-processing power to spare, though Lewis declined to say which companies the Secret Service was approaching.”

Okay, sooner than November. Oy.
