Federal officers are employing PlayStation 3 game consoles to crack the passwords to digital files protected with encryption software.
To Catch A Predator – ICE C3
The operation is being spearheaded by ICE, more specifically its C3 division/branch: the U.S. Immigration and Customs Enforcement Cyber Crimes Center. The target? People traveling with child pornography. Although, I can see how this would be applied to other areas as well, seeing how C3 engages in the fight against the following:
- Possession, manufacture and distribution of child pornography.
- International money laundering and illegal cyber-banking.
- Illegal arms trafficking and illegal export of strategic/controlled commodities.
- Drug trafficking (including prohibited pharmaceuticals).
- Trafficking in stolen art and antiquities.
- Intellectual property rights violations (including music and software).
The above was taken from the ice.gov site. For example, if someone at the border thinks a passenger is a drug dealer, the suspect’s laptop could be taken and scanned for any encrypted files (such as locally saved e-mails) to see if there’s any incriminating evidence. (I think. I’m not a lawyer, so… but if they scan for kiddie porn, why not do so for incriminating evidence as well?)
Why Crack Passwords?
The US Fourth Amendment prohibits the government from forcing suspects to give up passwords to encrypted data. So, if ICE wants to know what’s in a suspect’s computer–and the content happens to be secured with file encryption software–the only option is to guess the correct password (or pray for the suspect to just give up the password).
Because anything can be a password, ICE has to engage in “brute-force” guessing: trying as many passwords as possible to see what works. However, it’s easier said than done. As a forensic agent quoted by axcessnews.com remarked: “…the number of possible combinations in a six-digit password is 256 to the sixth power. In other words: 281,474,976,710,656 possibilities – that’s nearly 282 trillion.”
And that’s for 6-digit passwords only. It’s less for 5-digit passwords (109 billion) and much more for 7-digit ones (720 quadrillion), and even more so for 8-digit passwords… you get the idea.
The C3’s network of PS3 consoles, though, allows 4 million password tries per second. In other words, if they know a password is 6 digits long, it should only take them… 815 days to go through all possible passwords.
Whoa. That’s a long time. Even going through half of the combos would take a year and three months!
People Use Weak Passwords
If you keep the above in mind, it almost sounds like it’s not worth it. After all, C3 probably has many suspects, and just breaking into 20 computers would take decades at the given rate.
What C3 does, however, is a little bit more intelligent than brute-forcing from alpha to omega. They employ the PS3s in what they call a “library attack,” more commonly known as a dictionary attack.
People tend to use words as their passwords, so if a suspect used a word that can be found in the dictionary, such as “pneumonoultramicroscopicsilicovolcanokoniosis,” well, it’s a long password… but it’s one out of fewer than 250,000 words used in the English language. With 4 million tries a second, the PS3s should be able to spit out the password in the blink of an eye.
Even if letters and numbers are added to the beginning or the end of such a word, people don’t put too much thought into it, and the password can be broken much sooner than in one year.
Does this mean that encryption does not work? Au contraire, mon frère… it means that encryption works: note that they’re not even going after the encryption key, since it would take forever to break that one. But it does mean that some thought has to be given to the use of encryption.
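The arithmetic behind the brute-force and dictionary figures above, as an added example (not from the original post or from ICE). The guess rate, the 256-symbol alphabet and the 250,000-word bound are the post's figures; the 36-symbol affix alphabet and the limit of two affix characters on each side of the word are assumptions made here.

```python
# Added example: keyspace arithmetic for the figures quoted in this post.
GUESSES_PER_SECOND = 4_000_000  # rate the post gives for the PS3 network
BYTE_SYMBOLS = 256              # per-character alphabet used by the quoted agent
DICTIONARY_WORDS = 250_000      # the post's upper bound on English words
AFFIX_SYMBOLS = 36              # assumption: affixes drawn from a-z and 0-9


def brute_force_space(length, symbols=BYTE_SYMBOLS):
    """Number of candidates of exactly `length` characters."""
    return symbols ** length


def affix_variants(max_len, symbols=AFFIX_SYMBOLS):
    """Number of strings of length 0..max_len (the empty affix included)."""
    return sum(symbols ** k for k in range(max_len + 1))


def dictionary_space(max_affix_len=0, words=DICTIONARY_WORDS):
    """Candidates of the form prefix + word + suffix, each affix 0..max_affix_len long."""
    per_side = affix_variants(max_affix_len)
    return words * per_side * per_side


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return space / rate


def summary():
    """Worst-case search time for each password style, in seconds."""
    return {
        "6 random bytes": seconds_to_exhaust(brute_force_space(6)),
        "dictionary word": seconds_to_exhaust(dictionary_space(0)),
        "word with up to 2 affix chars per side": seconds_to_exhaust(dictionary_space(2)),
    }


if __name__ == "__main__":
    for style, secs in summary().items():
        print(f"{style:40s} {secs:>16,.2f} s  = {secs / 86400:,.2f} days")
```

Under these assumptions the six-byte search takes roughly 814 days in the worst case, while a dictionary word padded with up to two characters on each side is exhausted in about 31 hours.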
Any data protection tool has its weaknesses, and using simple passwords happens to be one of them.