Hi again, folks. This is a sort of follow-up to the Syleham gathering, since as I started to drive home after the meeting a programme "Hacked to Pieces" had just started on Radio 4.
It is about computer crime, and how vulnerable most people are because of naivety about security.
The programme can be found at 17:00 on
http://www.bbc.co.uk/radio4/programmes/schedules/fm
for today, Sunday 3 May (in case you're reading this later). If you click on the link "N days left to listen" you can hear it.
The bit that raised my eyebrows starts at 5min 30sec into the programme, where the presenter (Jolyon Jenkins) takes his laptop to be hacked into by Peter Wood of First Base Technologies (who provide a "hack your computer, guv?" service to companies who want to check their security). It lasts to 7min 40sec into the programme.
In particular, I transcribed the following short extract:
JJ: I was genuinely surprised by, in fact, how vulnerable I turned out to be.
PW: The first thing I'll do is an easy check to see whether I can get a nice little automated tool to cough up your password straight away so I can log on as you.
JJ: I'm fairly confident you're not going to get my password, because it's not a natural language word.
PW: This isn't dependent on any dictionary-based word, it's just trying every permutation of letters and numbers up to 14 characters long.
JJ: Ah, I'm feeling less confident because ...
PW: Ah! There's your password.
JJ: Oh!
PW: That took two hundred and ninety seconds of computational time.
Well, my jaw would drop if I believed it! Even if the password is case-insensitive, that's 36 letters+numbers to try every "permutation" of. There are 36^14 different 14-character strings where each character can independently be any letter or number. And that's just the full 14-character string -- there's also all the shorter strings as well.
Now, 36^14 is about 10^22, or 10^13 billion, or 10,000 billion billion.
A 1-GHz CPU would take 10,000 billion seconds to execute that number of CPU cycles, or about 300,000 years. So there's no way the guy's password hacker is going to do what he said it would do.
It's not too plausible when it comes to searching for shorter passwords either. An 8-character password (case-insensitive) still potentially requires 36^8 or about 3*10^12 tries; so (based on the previous calculation) that's 3,000 seconds or 0.83 hr to execute 3*10^12 CPU cycles. Then you have to multiply that by the number of CPU cycles needed to work through each try, which is presumably not a small number.
And it's worse if passwords are case-sensitive, since then there are 46^8 approx = 2*10^13, or 20,000 billion tries for an 8-character password, and it's 5.6 hours to execute that number of CPU cycles on a 1 GHz CPU.
So the "outcome" of that little experiment strikes me as implausible, and I suspect that it was "rigged" in order to sex up the story. (Maybe JJ used a shortish password -- 46^6 is only 9.5 billion.)
This sort of thing is supposed to take place in the context of people (e.g. attending meetings/conferences) leaving their laptops unattended for say half an hour, thus allowing the hacker physical access. (And, by the way, it seems they're thinking of Windows machines).
I'd be interested to hear if any of you folks have comments on the above!
Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@manchester.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 03-May-09   Time: 22:41:30
------------------------------ XFMail ------------------------------
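Added worked example (not part of Ted's message): the keyspace arithmetic in the message, carried through in general. The script counts every candidate string up to a given length (not only the longest length), converts that into a worst-case search time at a given guess rate, and also turns the question around: what guess rate would be needed to exhaust the 14-character space in the 290 seconds quoted, and how long a password could actually be exhausted in 290 seconds. The 10^9 guesses/second rate is an assumption for illustration (one guess per cycle on a 1 GHz CPU, which is generous, since the message itself points out that each try costs many cycles); the 36- and 62-symbol alphabets are letters+digits without and with case distinction. All function names are mine.

```python
# Added example: brute-force keyspace arithmetic for the password-cracking
# claim discussed in the message above. Not part of the original message;
# the guess rate used below is an assumption chosen for illustration.


def keyspace(alphabet_size, max_len, min_len=1):
    """Number of distinct strings of length min_len..max_len over an
    alphabet of alphabet_size symbols. An exhaustive search has to try
    every length, so the shorter strings are included, not just the
    longest."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate in the space at a given rate."""
    return space / guesses_per_second


def rate_needed(space, seconds):
    """Guesses per second needed to exhaust the space within a time budget."""
    return space / seconds


def max_len_within(alphabet_size, guesses_per_second, seconds):
    """Longest length n such that every string of length 1..n can be tried
    within the time budget at the given rate (the realistic ceiling for
    a pure brute-force search)."""
    budget = guesses_per_second * seconds
    n = 0
    while keyspace(alphabet_size, n + 1) <= budget:
        n += 1
    return n


def fmt_time(seconds):
    """Human-readable duration for the printed report."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.0f} years"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    RATE = 1e9     # assumed: 10^9 guesses/s (one guess per cycle on a 1 GHz CPU)
    CLAIMED = 290  # seconds quoted in the programme
    # 36 = letters+digits, case-insensitive; 62 = upper+lower+digits.
    for alpha in (36, 62):
        for n in (6, 8, 14):
            space = keyspace(alpha, n)
            print(f"alphabet {alpha}, lengths 1..{n}: {space:.3g} candidates, "
                  f"{fmt_time(seconds_to_exhaust(space, RATE))} at {RATE:.0e}/s")
    space14 = keyspace(36, 14)
    print(f"rate needed to exhaust 36^1..36^14 in {CLAIMED} s: "
          f"{rate_needed(space14, CLAIMED):.3g} guesses/s")
    print(f"longest length exhaustively searchable in {CLAIMED} s at {RATE:.0e}/s: "
          f"36-symbol set {max_len_within(36, RATE, CLAIMED)}, "
          f"62-symbol set {max_len_within(62, RATE, CLAIMED)}")
```

Run it as a script to see the table. With the assumed rate, the full 36-symbol space up to 14 characters needs on the order of 10^19 guesses per second to finish in 290 seconds, and at 10^9 guesses per second the longest length that can be exhausted in 290 seconds is 7 characters from the 36-symbol set, or 6 from the 62-symbol set; which is the arithmetic behind the message's suspicion that either the password was short or the demonstration was not a plain brute-force search.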