The media and its misunderstanding technology

[touch]

Or just use online rainbow tables much faster.

Also can take a long time just to generate many billions or trillions of passwords and it also needs many terabytes of storage.

Anyway they would be salted and use many layers of encryption so unless you have a spare million years or so and a lot of money for the electricity bill then forget it.

The messages are not encrypted using the password. Each message has it's own unique encryption key. You'd need to crack the encryption key individually for each message and password-cracking rainbow tables won't be any use to you.

(Assuming he had message encryption turned on)

 

[jsmoke]

[

The messages are not encrypted using the password. Each message has it's own unique encryption key. You'd need to crack the encryption key individually for each message and password-cracking rainbow tables won't be any use to you.

(Assuming he had message encryption turned on)

How do you know that, considering fb will have many millions of requests a day your saying that each message stream has to be decrypted every time?

We have to separate network encryption E2EE with back end storage encryption. I highly doubt the back end is encrypted as it would require a ridiculous amount of CPU power and energy to do it for billions of requests a day.

 

[touch]

considering fb will have many millions of requests a day

Millions of requests for what? Law enforcement access to messages? I doubt that.

your saying that each message stream has to be decrypted every time?

No, not each message stream. Each individual message. And no, they dont decrypt them. They can't decrypt them, as people keep pointing out to you, it's not (feasibly) possible to crack the encryption.

edit: I'll add a note to this post as I did to all the others that this only applies to encrypted messages. It's easy to choose to encrypt facebook messages but we havn't been told if it was or wasn't used in this case

 

[MrRoper]

Password hashes are crackable. You have to account for people using simple passwords.

Brute force can be pre-calculated and looked up in a database. So... you set an algorithm generating passwords and hashing them, then a month later you have a database containing several billion of them.

You enter the hash of the password and if it's one of the simplier ones you generated the look up takes on seconds.

Just google "password hash cracker" you'll be spoilt for choice.

Try your own password hash, you might be shocked if it's simple enough.

Note however this only really works for simple hashes. A lot of password systems use what is called "salted hashes". Works like this:

HASH_SALT="AB123123FE14423CCD242345F"
PASSWORD="Password123"
SALTED=PASSWORD | HASH_SALT // You can use ors, ands, nors or just concatenation.
HASHED_PASSWORD=md5_hash( SALTED )

Hopefully no one these days is using MD5 to hash passwords!

Also, Please stop calling this encryption. hashing is NOT encryption!

 

[MrRoper]

[


How do you know that, considering fb will have many millions of requests a day your saying that each message stream has to be decrypted every time?

We have to separate network encryption E2EE with back end storage encryption. I highly doubt the back end is encrypted as it would require a ridiculous amount of CPU power and energy to do it for billions of requests a day.

Encryption at rest is available "out of the box" in MS Sql

https://docs.microsoft.com/en-us/sq...nsparent-data-encryption?view=sql-server-2017

 

[touch]

I highly doubt the back end is encrypted as it would require a ridiculous amount of CPU power and energy to do it for billions of requests a day.

You're still not understanding how it works. Here is a link to facebook's technical info on the processes used.

The messages dont get decrypted on a facebook server - they are decrypted on an end user's device. So there is plenty of CPU power available but it's distributed between the millions of devices being used, not in a data center somewhere.

 

[jsmoke]

Well in that case what is this backdoor fb are referring too, they have some kind of skeleton key. Technically even they should not be able to access any encrypted messages in plain text?

I've also read that Facebook can and have send the nsa content from users as it's easy to do so.

https://bgr.com/2018/05/04/facebook-profile-backdoor-account/

 

[PaulCa]

Hopefully no one these days is using MD5 to hash passwords!

Also, Please stop calling this encryption. hashing is NOT encryption!

1. Why not? (I'm just testing you here)
2. When did I refer to it as encryption?

Besides both are examples of cryptography and arguing these points is pedantic and useless in the current audience and context.

 

[MrRoper]

1. Why not? (I'm just testing you here)
2. When did I refer to it as encryption?

Besides both are examples of cryptography and arguing these points is pedantic and useless in the current audience and context.

I will bite....

Hashing algorithms used for passwords should be purposely slow, such as bcrypt or scrypt, whilst MD5 is great for hashing a value, it is quick and so makes brute force attacks much easier.

Sorry, I wasn't directing that at you...its just a bugbear of mine

 

[PaulCa]

Nice copy pasta from SE/SO.

Now if you have a 32 character base 64 salt, there are 2.1x10^96 combinations. How many GPUs does that take to brute force the hash? (Rhetorical)

 

[MrRoper]

A lot! Which is fine if you are attacking through the "front door". However once you have access to the DB and Salt it doesn`t really matter how big the salt is.

 

[jpaul]

the, todays, announced british airways hack with complete credit card details exposure sounds like a case in point,
the MD (was it?) on R4 today affirmed the encryption had not been broken () but was unable to explain how they had been compromised.

[

this was an interesting similar article discussing electricity supply that would be required for any RSA factorization/cracking

Can an attacker actually carry out 280 or 290 or 2100 operations? Here are some back-of-the-envelope numbers that help put attack possibilities into perspective. Mass-market GPUs use state-of-the-art chip technology, are optimized for floating-point operations, and perform about 258 floating-point multiplications per watt-year. The number of floating-point multiplications that the attacker can carry out in a year with this technology is limited by the number of watts available:

• 226 watts (284 mults/year): the power substation for one of NSA's computer centers.
• 230 watts (288 mults/year): the power available to a botnet that has broken into millions of computers around the Internet.
• 244 watts (2102 mults/year): the power actually used by the human race at this instant.
• 256 watts (2114 mults/year): the power that the Earth's surface receives from the Sun.
• 257 watts (2115 mults/year): the power that the Earth's atmosphere receives from the Sun.

exponentiation symbol lost
]

edit : plausible frontback door theory from register

Sounds like a very bad hack.
Zero mention of the word encrypted so clearly the information was stolen as it was inputted. This can only therefore be rogue code in BA's website, or a compromised third party hosted JavaScript library.
Given the stolen information was only personal and payment information it sounds like a compromised third party script used during the booking process and nowhere else.
Otherwise if you had access to add rogue code to the website, why would you stop at personal information and not travel or passport details.
We've seen third-party hosted library attacks a few times recently, and it is one of the reasons I dislike relying on third-party hosted content
....
Now, if the *developer* was to go to jail for errant and grossly negligent practices (i.e. using off-the-shelf code and libraries, externally hosted or not, with zero understanding or care of the potential implications), then perhaps these *ups wouldn't happen at all. As it stands we have an IT market flooded with polyglot morons who think plugging frameworks and libraries together like lego bricks is actually worthy of £600/day, before they run off to their next contract and leave the steaming pile of non-performant and insecure crap behind them..