Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 Apr 2012 20:01:40 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: distributed processing with untrusted machines

On Mon, Apr 02, 2012 at 05:35:32PM +0200, Simon Marechal wrote:
> On 02/04/2012 17:04, Solar Designer wrote:
> > While I had these thoughts for years, I think that actually implementing
> > this is still in a distant future for us (if we get there at all).  We
> > need to gain built-in distributed processing first (non-MPI), and only
> > then worry about enhancing it.
> 
> I am not sure the cost of implementing and using the countermeasures
> will ever be worth it.

I think that these things make sense for use by companies on their own
password hashes, and by auditing/pentesting companies.

As to whether this is worth it or not, this may be viewed as being part
of a bigger question - are such audits worth it at all?  I think that
many are not (e.g., it may be better to re-configure systems than to
detect weak passwords on poorly configured systems), but the demand is
there anyway.

> You mentionned some of the problems, but there
> are probably whole other classes of them. For example, some attacks are
> well suited to challenges, such as the fake worker

Of course, for contests we also need to deal with sabotage (but we may
not need to worry about leaks of the hashes).

> (it just sleep()s).

Such problems may also happen unintentionally, so they need to be
detected and dealt with anyway.

> The cracking job configuration could be private : mangling rules,
> dictionary, training results for statistical password cracking.

Yes, but I think this will be beyond scope.  Either the nodes are
semi-trusted or this kind of information is considered non-sensitive -
well, or the risk of such leaks is considered justified.

> Worse,
> adding more code to interact with untrusted parties will lead to more bugs.

Maybe, but since it should involve sanitization of inputs early on, it
may also neutralize bugs in deeper layers.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.