Date: Mon, 2 Apr 2012 20:01:40 +0400 From: Solar Designer <solar@...nwall.com> To: john-dev@...ts.openwall.com Subject: Re: distributed processing with untrusted machines On Mon, Apr 02, 2012 at 05:35:32PM +0200, Simon Marechal wrote: > On 02/04/2012 17:04, Solar Designer wrote: > > While I had these thoughts for years, I think that actually implementing > > this is still in a distant future for us (if we get there at all). We > > need to gain built-in distributed processing first (non-MPI), and only > > then worry about enhancing it. > > I am not sure the cost of implementing and using the countermeasures > will ever be worth it. I think that these things make sense for use by companies on their own password hashes, and by auditing/pentesting companies. As to whether this is worth it or not, this may be viewed as being part of a bigger question - are such audits worth it at all? I think that many are not (e.g., it may be better to re-configure systems than to detect weak passwords on poorly configured systems), but the demand is there anyway. > You mentionned some of the problems, but there > are probably whole other classes of them. For example, some attacks are > well suited to challenges, such as the fake worker Of course, for contests we also need to deal with sabotage (but we may not need to worry about leaks of the hashes). > (it just sleep()s). Such problems may also happen unintentionally, so they need to be detected and dealt with anyway. > The cracking job configuration could be private : mangling rules, > dictionary, training results for statistical password cracking. Yes, but I think this will be beyond scope. Either the nodes are semi-trusted or this kind of information is considered non-sensitive - well, or the risk of such leaks is considered justified. > Worse, > adding more code to interact with untrusted parties will lead to more bugs. Maybe, but since it should involve sanitization of inputs early on, it may also neutralize bugs in deeper layers. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.