At Don’t Spy on Us’ Day of Action, I attended the seminar/panel “Changing the Law to uphold our privacy”. Amongst the speakers were Ross Anderson, Claude Moraes and Mark Stephens. Ross Anderson works at the University of Cambridge, where he is Professor of Security Engineering. He blogs at “Light Blue Touchpaper”. To me the most memorable contribution, was from Anderson, where he shared his views developed while researching and writing his paper, “Privacy versus government surveillance: where network effects meet public choice”.
He argues that network economics of scale apply to both spying and privacy. He quotes the example of India, who in the latter half of the 20th Century chose to buy its military weapons from the Soviet Union, but today shares intelligence with the US and the NSA. The paper explores a number of interesting economic and technology issues, but his statements about economies of scale provoked some thoughts I had been developing.
One of principles of IT Security defence is that ‘brute force’ attacks will always work. You just need a big enough key. The defenders need to make the time or money cost of the attack prohibitive. The state of technology, specifically CPU architecture futures and distributed computing platform design is such that the current advantage is with the attackers. A brute force attack seeks to guess all the possible passwords; and this is a ‘scale out’ or parallel algorithm and works well if you apply two or even more computers to the problem. The current innovation path of microprocessor architecture is to ‘shrink’ what was once a single CPU (or system) onto the silicon chip which is what multi-core CPUs are. A modern basic multi-core system comes with about 12 cores although such a core count is uncommon on Laptops and these can be configured to work in a grid with hundreds or thousands of cores. Modern grids can perform billions of guesses per/second and the code to generate and perform the guesses is freely available. (See this article by Nate Anderson at Arstechnica.) This might seem to be odd, but one of the principles of IT security defence is Kerckhoff’s principle which according to Wikipedia states that,
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
Although since this is trying to guess keys, it’d be interesting to see what the law would think of this. It would be illegal to use these discovered passwords without permission; but any attempt to prohibit or control the use of the software would be a continuation of the worrying trend of criminalising IT security research, which will disproportionately impact IT security defence more than the spies, criminals and hackers. (Guess why that would be?)
Once it’s just a question of how many computers you can deploy to perform the attack, it becomes a question of money, unless you steal the cycles or get people to share theirs.
Brute force attacks can be enhanced or targeted depending on what is known about the defending systems, for instance, is the password setter an English language speaker, or if the defending system uses random numbers, has the random number generator been compromised? There are statistical techniques to accelerate the speed at which passwords can be discovered. I end with two thoughts.
Brute force attacks are expensive, only the rich can afford them.
Have we though, returned to a world where, State actions, as in the 20th Century economics, state funded public works and market operations, make a difference.