[cryptography] Non-governmental exploitation of crypto flaws?
smb at cs.columbia.edu
Fri Dec 2 18:15:22 EST 2011
On Dec 2, 2011, at 5:26 27PM, Jeffrey Walton wrote:
> On Sun, Nov 27, 2011 at 3:10 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>> Does anyone know of any (verifiable) examples of non-government enemies
>> exploiting flaws in cryptography? I'm looking for real-world attacks on
>> short key lengths, bad ciphers, faulty protocols, etc., by parties other
>> than governments and militaries. I'm not interested in academic attacks
>> -- I want to be able to give real-world advice -- nor am I looking for
>> yet another long thread on the evils and frailties of PKI.
> "In July 2009, Benjamin Moody, a United-TI forum user, published the
> factors of a 512-bit RSA key used to sign the TI-83+ series graphing
Right. I have five examples. Apart from that one, there is:
The (alleged) factoring of 512-bit keys in code-signing certificates
The apparent use of WEP-cracking by the Gonzalez gang. While we don't
know for sure that they did that, the Canadian Privacy Commissioner's
report said that TJX used WEP, and one of the indictments said that
Christopher Scott broke in to their wireless net.
The GSM interceptor. I'm not using that one because the products I see
are (nominally) aimed at government use, and while I'm sure many have
been diverted I don't have any documented cases of them being used by
the private sector. (For all of the reports about phone hacking by
Murdoch's companies, I've seen no reports of cell phone eavesdropping to
get the modern equivalent of, say, http://en.wikipedia.org/wiki/Squidgygate
someone who *really* wanted revenge on his neighbors. Given that his
offenses were discovered to include child pornography, he was sentenced
to 18 years.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
More information about the cryptography