NOW!!!!

disproves this story. I have my doubts too and even if true these people are true sleazeballs, but it seems possible if not probable.

We'd also see the networks going insane over this if it were true, too.

It just screams BS to me.

It says they were sent to the Democratic county office. And they were encrypted.

I think it's very likely BS but the story holds up.

I still don't buy the story. The variation that appeared on that satirical site I posted is also why I doubt it. Plus I think the media would be scrambling over this.

Also, do you think that the media or political parties can't decrypt it? Do you think they can't get their own hackers just as smart as anonymous? 1 million dollar blackmail? Seriously?

Sorry, I just don't buy this for one second. I'd love for it to be true, but I don't think it is.

If I'm wrong, I will declare it happily and loudly.

AES is rock solid and there have been extremely few successful attempts to crack it. Do I think they can't get their own hackers just as smart as anonymous? Well, even if they could, it's entirely a moot point. It's far, far, far easier to encrypt data than it is to decrypt it. I'm only moderately educated on decryption/encryption standards, yet I could encrypt data so that 99.999% of the world's most elite hackers couldn't touch it even given several years time.

The vulnerabilities are such that it still requires a great amount of computing time and power, but it's not 100% fail safe as of now.

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks

the techniques discussed in that "known attacks" section are simply ways to reduce the needed brute force. They would still take a ridiculous amount of time and resources.

I don't think the side channel attacks are relevant here.

Not that I think there's anything to this story, but I don't know of any show-stopping objections other than the sheer hollywood caper flavor of the whole thing coupled with the total lack of evidence so far.

As it is, using brute force to crack AES 256 is simply impossible. The computing power and time simply isn't there, even using massive parallel computing. However, using some of these vulnerabilities. the cracking of lesser versions, such as AES 128 are technically feasible given massive amounts of time and resources.

And being granted access to a local resource? By far the easiest method.

but I doubt that anyone's going to able to talk the key out of whoever did this (in the unlikely case they did actually do it).

I do. I've seen worse happen. I'd be pleased to privately offer my credentials via PM if you will.

but I don't get your point. Are you saying that someone could use social engineering to decrypt these files (assuming they exist)?

or TFlops has rendered brute forcing of some encryption methods trivial. AES-256? No, but with the ability of teraflops of calculations with the parallel processing capabilities of modern graphics cards, not out of reach at all.

Encryption could be anything from incredibly simple character substitution to AES-256 and beyond. But it's not like AES-256 encryption is terribly difficult to obtain. I think it's going to be quite some time before we see any chinks in its armor. I don't care how powerful these GPUs are, unless you have about 2^30 of them, it's not going to touch AES-256.

And considering the operations to recover AES-256 encryption is around 2^250+, I don't see that being done anytime in the near future, no matter how much hardware is simultaneously running it. As for the NSA claim, I'd need to see that to believe it. As it is right now, I don't believe we have anywhere near the brute force capability to do such a thing.

As for rumors, here's one site discussing them - he's skeptical, but doesn't think it's impossible. Feel free to google.

But keep in mind we're not talking about CPU cycles, or even GPU cycles.

We're talking about custom-built chips resembling FPGAs that are built to do the brute force attack a few million times faster than a general purpose CPU. Such devices are theoretical in our world, but people with lots of cash could build them.

It's mathematically possible with a whole lot of such devices to brute force AES-256 in a reasonable time (months if you don't get lucky).

And a few million times faster wouldn't cut it at all. It would need to be a few trillion, trillion, trillion, trillion times faster if it were to make a dent in AES256. I don't think you understand the absolutely mind boggling numbers we're talking about here. We're talking 2^250 here. That's nothing like the 64^16 or so that's the max that hardware based solutions can run through now. That's many, many, MANY magnitudes of order more. In case you're having a hard time imagining 2^250, imagine a 2 followed by 75 zeros. That's the numbers we're talking about here. That's NOTHING like the toy like encryption that most websites use. It is, for all intents and purposes, uncrackable.

You're still thinking of this as a single process running on a single desktop computer.

That chip I describe is one chip. You put a few hundred in box. You then get a shitload of those boxes. You use other sources and techniques to reduce the key space. Ta-da! It's now doable.

Fuck a few hundred, let's have billions of the world fastest supercomputers (the IBM Sequoia) running in parallel. If that were the case, it would only take about a billion years to crack AES256 rather than thousands of trillions of years. Do you understand what type of numbers we're talking about here? I said that for all intents and purposes, it's uncrackable. That is an undeniable truth. It's not impossible, it would just take literally billions of billions of years. Is that clear enough for you? Do you understand how insanely large 2^250 is?

I suppose nothing is truly impossible. But given current technology, the likelihood of AES256 being broken by brute force is far less likely than monkeys flying out of my ass.

significantly reduces such time. Just saying.

Not to mention that even if you use a salt, you have to pass it through said algorithm. Do you really think that router authorization devices have been around for 16+ years, and the salt hasn't been partially cracked? Rainbow tables, my friend.

hours to work properly. I have seen absolutely zero evidence that AES256 has come close to being cracked. I've heard tons of rumors that NSA can do it almost on the fly, but I don't buy that for one second. Until I see at least a smidgen of evidence, I won't believe differently.

And I will assume that you believe 100% that this is an operation to discredit Democrats by making them believe something that they already know to be true due to experience in said industry.

"You are lying, you Democrat, because I fooled you into believing that you are lying" isn't a particularly compelling defense. It smells.

Because you seem to be reading words that I haven't even come close to writing.

I have no idea whether this is genuine or not, that's not even what I commented on. My initial entering of this OP was to correct some naive notion that if Anonymous was able to encrypt this data that surely there are plenty of people who could decrypt it. That's simply not the case and that's what I was responding to. I'm not exactly sure what it is you're accusing me of, but it's certainly nothing that I've said.

That this isn't necessarily "Anonymous" the group, and is just a bunch of anonymous people. That was my point.

"My initial entering of this OP was to correct some naive notion that if Anonymous was able to encrypt this data that surely there are plenty of people who could decrypt it. That's simply not the case"

I think you need to wait a few days and see if that is the case or not, because you may be proven wrong.

I never said who this group was or what their motivation is. I simply said that it's VERY easy for people with a modicum of knowledge to encrypt data so that it's effectively uncrackable. Certainly nothing is impossible, but the resources required to crack high level encryption without a key makes it pretty much so.

Not that you would. Braggadocio has no place in the security field, but some seem to think it is their meat and drink.

This is your first response to me since you accused me of threatening you. Now you're accusing me of being a braggart? I suggest either laying off on cybercrime novels or perhaps reading a bit more thoroughly before responding in the future.

I await your magnificent credentials and wide variety of experience with hardware and software to discredit my statements, EOTE.

You are from Maryland, and I assume an Obama supporter, which I respect. But don't assume that with nothing more than insults I will cave on my assessments and experience.

You accuse me of threatening you when I've done absolutely nothing of the sort.

I've got 17 years in the industry, but that's only because I couldn't start my first real IT job until I turned 16. I guarantee you that I know of which I speak. I said that with today's technology, AES256 is for all intents and purposes impenetrable. That is a fact. You disagreed with that and I asked to hear what made you disagree with my statement. That's when you went on a fairly unbalanced tangent accusing me of threatening you. If that's what you got out of my comment, then you probably need meds. If you DO have anything to contribute that would suggest that what I say is incorrect, please provide it. Otherwise, it just seems like you're posting one paranoid rant after another.

how it was not impenetrable, particularly using parallel processing GPU's and intelligent algorithms.

That is also fact, and the fact that you evade such usage of technology to paint a picture of incompetence proves that you truly are out of your depth.

In the end, though, this is neither here nor there. Let's wait a few days and see if the hackers got anything of worth before we get egos in an uproar and sling insults like you are doing.

And several thousand computers running in parallel.

What you're describing is like using a bucket to empty out an ocean rather than a teaspoon. It will save you lots of time, won't it? Sure, you'll empty out the ocean in a few million years rather than a few billion.

What you've presented is not a fact, it's just fairly random information. Do you not think that people have access to all the things that you've mentioned? Do you still not realize that AES256 STILL hasn't been cracked? Do you think that NSA is saying to themselves "Damn, if we'd only thought of that!". You've illustrated nothing of substance.

Then you are less educated on current hardware and protocols to make use of said hardware.

All I'm asking you is to provide one little shred of evidence that AES256 has been compromised. You said I was wrong when I said that it hadn't been, so surely you'd be able to provide some information to that extent. But I'm certain that won't happen. Rather, you're going to throw out some buzz terms that you know very little of and say that proves your case. To say you're making an irrational argument would be kind.

to you, because at this point, you have proven to know nothing of the subject you are attempting to discuss and arguing with you is pointless. I say this with kindness.

That's somewhat laughable after accusing me of threatening you for asking a simple question.

So now you say you're offering me nothing because I've proven I know nothing of the subject? OK, let's go with that for one minute. So what was your reason for offering me nothing the previous 6 times I asked? Did I know too much then? Listen, I know egos can be fragile things, but honesty is always the best policy. Yeah, you're not offering me anything because I won't understand it. Gotcha chief.

Let's end this here and now, because it isn't going anywhere good other than bumping this thread. You and I disagree.

You seem to deal only with your very active imagination. I think the sky is blue, you think it's green, yet you seem utterly incapable of providing even so much as a link (from even the most disreputable source) that says the sky is green. So I'll continue to believe it's blue, thanks.

As of last year the best public attacks on standard AES were about three orders of magnitude less than brute force. (PDF from MS Research) Still on the order of billion-billions of years on Sequoia for 128, let alone 256. I know that GPUs are insanely fast at embarrassingly parallel jobs like key searches but I haven't heard anything about a 16+ petaflop GPU network anywhere. Not saying a secret machine might not exist, but even so it wouldn't be practically any more useful than the NNSA/ASCP systems - even if it were quite literally a million times faster.

As for these super-duper "intelligent algorithms" you claim knowledge of, you should really give the NSA a call - sounds like something you could make a VERY good living dealing with them on.

I could provide you my CV, but internet credentials are meaningless anyway. I prefer to deal with actual substance, something that you've been avoiding this conversation. If you have any actual information to suggest that AES256 has even come close to being compromised, you should be able to provide it easily. If you don't, then you're simply being contrary to be contrary.

by offering scenarios that prove I know my subject. I'm sure you would delight in some pissing match where the junior league engages the senior and somehow proves them wrong, but I don't have time for that, and if you were a true professional, neither would you.

While providing nothing of substance. Once again I'll ask you, do you have ANY information that suggests that AES256 has even come close to being compromised? If you don't (and it's quite clear that you don't by now), then you're offering up nothing but being contrary for the sake of being contrary. I think what you're demonstrating here is that a little knowledge can be a dangerous thing.

LMAO. If you thought those were buzzwords...

While having very little idea as to what they mean. If you did know what they mean, you'd know that they offer some assistance in doing what is for now an impossible task. Yes, those things will hasten the ability to decrypt AES256, in that they'd take a job requiring perhaps trillions of computer hours and lessen that to mere hundreds of billions. Either way, it's simply not happening. That you don't recognize that shows how little you know of the subject.

You have no idea what I am talking about, and that's why you call them "buzzwords" as opposed to fundamental concepts of internet security. If you can teach what you have learned you know it.

You said I was wrong when I called AES256 uncrackable with current technology. I asked you to provide at least a shred of evidence to support your position. You have been utterly unable to do that. Mentioning current tools used to hasten decryption says absolutely nothing to the fact that AES256 has never been cracked. That's like me saying "It's impossible for anything to travel faster than the speed of light" and you responding "No it's not, rocket boosters!". You see, you need to mention more than simply tools used to accomplish something, you'd need to provide an actual practical application that's been used. If you believe that AES256 has been cracked, surely you should be able to provide some evidence of such. Anyone who could successfully crack AES256 would be hailed as a hero of all heroes amongst the hacking community. BUT IT HAS NEVER HAPPENED. Are you really so dense as to not understand that?

Do you think these GPU powered password recovery tools could even come close to cracking AES256? Really? So you're able to churn out a few hundred thousand combos per second and you've only got 2^250 to deal with. Awesome!! If you have a few billion years that method is absolutely perfect! You really can't be serious, are you?

On edit: Sorry, make that a few quadrillion years.

If it makes you happy to think AES256 is that solid and secure, you go with it. You win. It is completely solid and cannot be cracked.

And it certainly cannot be cracked under Linux.

Some of us are completely capable of writing and compiling our own, but we bow to this cannot be done instead of wondering, gee, what can I do?

You could do so with a simple link. Rather, I'm guessing you're more likely to say:

Band saw, sledge hammer, pick axe. See, I told you AES256 can be cracked.


The one link you've provided utterly proves my point for me. Using typical GPGPU decryption to even crack something as simple as 8 character ASCII would take more than a thousand years and AES256 is MANY magnitudes of order more complex. What about this don't you understand?

Sorry, I've had enough of banging my head against the wall for one night.

of banging your head against the wall trying to convince a person that knows better that they don't.

I don't think you particularly understand low level programming, particularly low level GPU programming as well as you think you do. Visit www.beyond3d.com You will find people that excel at hardware programming as well as utilizing software at an abstraction layer, but mostly, you will learn that when you can program at a hardware level, things are extremely efficient.

http://forum.beyond3d.com/showthread.php?t=62286

It will require some high school math, so pay attention.

First of all, thanks for providing that link because it just reenforces what I've been saying from the get go, which is that cracking AES256 is utterly impossible using current technology.

Now, if you had read your own article that you so thoughtfully provided, you'd see that the type of passwords they're cracking there are typically 8 characters with about 64 (6 bit) unique possible characters per slot. 8 characters might be on the low side for this hardware/software, so let's take the absolute most rosy scenario that this article provides and let's say that 16 character passwords are routinely cracked by this (it's not at all, but let's pretend). So, that would mean that in order to crack such a password, you'd need to go through around 64^16 (or 2^96) possible permutations. Now, that's a staggeringly high number indeed, but it's insanely, microscopically tiny compared to the amount of permutations required to crack an AES256 key. AES256 on the other hand has ~2^250 permutations required to crack. Do you know how much larger the second number is compared to the first? It's around a trillion, trillion, trillion, trillion times larger. That's a very big number, isn't it? To better illustrate this, take a look at the chart that you so kindly provided in your article:



This is what's called the "exponential wall of brute force cracking". Do you see how ungodly steep those curves are? Do you see how even using the Amazon EC2 with the combined power of 1000 powerful GPUs that after 8 characters the time involved becomes astronomically high? Now, you can only see a small fraction of the time curve because it becomes unwieldy very quickly. After 14 characters, you're talking years if not more, even using the EC2. After that, we're talking decades, centuries and millenia. AES256 encryption uses the equivalent of around 32 8-bit characters. Even assuming that these characters are words that are typically used, things like rainbow tables and massively parallel GPU computing would only make a tiny, tiny dent in the amount of time required to crack such a thing. You need to not only familiarize yourself with what's going on with the hardware and software here, but you really need to familiarize yourself with the scope of the numbers we're dealing with. AES256 is nothing like the toy-like encryption these websites use, NOTHING. Until you're able to even have the slightest grasp of the numbers we're dealing with, you're not going to understand why this is impossible. Now go on and explain to me how REAL modern technology is several trillion, trillion, trillion times more powerful than the article you provided says.

Some engineers at Microsoft figured out a theoretical way to crack AES 3 to 5 times faster, but it would still take a couple billion years

IDG News Service - Researchers from Microsoft and Belgian Katholieke Universiteit Leuven have discovered a way to break the widely used Advanced Encryption Standard (AES), the encryption algorithm used to secure most all online transactions and wireless communications.

Their attack can recover an AES secret key from three to five times faster than previously thought possible, reported the Katholieke Universiteit Leuven, a research university based in Belgium.

The researchers caution that the attack is complex is nature, and so can not be easily carried out using existing technologies. In practice, the methodology used by the researchers would take billions of years of computer time to break the AES algorithm, they noted.

But the work, the result of a long-term cryptanalysis project, could be the first chink in the armor of the AES standard, previously considered unbreakable. When an encryption standard is evaluated for vital jobs such as securing financial transactions, security experts judge the algorithm's ability to withstand even the most extreme attacks. Today's seemingly secure encryption method could be more easily broken by tomorrow's faster computers, or by new techniques in number crunching.

http://www.computerworld.com/s/article/9219297/AES_proved_vulnerable_by_Microsoft_researchers

Please tell me more about your efficient algorithms which are trillions upon trillions of times more efficient than ones currently known. You're really going to disparage my knowledge? Really? I was willing to believe that you were truly qualified before this conversation began (if extremely misinformed on this subject). But you've proven how extremely little you know about this subject. You belong nowhere near anything security related.

There's an "engineer" at my work across the street in telecom for 30+ years and he is still a fucking idiot LOL


My question is how come all these big customers ask about TLS all the time with one of our VoIP products but never actually order it

Sequoia simply isn't trying hard enough if it can't crack AES256 in less than a trillion years. I think if it was really trying and had the proper motivation, it could do it in a few hours. You're simply not thinking like someone with more than two decades in the business.

but that would involve waterboarding and some other actions I can't mention here to the person who actually knew the passcode

AES *has* been "broken"...but "[f]or cryptographers, a cryptographic "break" is anything faster than a brute force—performing one trial decryption for each key (see Cryptanalysis)." - teh wikiz

The best known attack against the weakest version of standard-compliant 128-bit AES (there are faster attacks, but they're against ciphers with below-specified rounds) has a computational complexity of 2^126.1 (1) - using 100% of the capacity of the world's fastest supercomputer, at a ridiculously optimistic 1000 operations per check, would take 3.6 TRILLION years. Just for poops and giggles, the best AES-256 (which AFAIK is pretty much the only version utilities use anymore) attack is 2^254.4, for a runtime of....wait for it...37.6 billion trillion years!

Incidentally, those numbers are what makes me kind of think this might NOT be a hoax - the public at large would believe that records can be "hacked" off of the IRS or PwC's systems, but I'd wager a year's pay all that data is quite well encrypted; barring a leak of the keys, there's zero chance of getting the data off the servers. Physical access to paper records is far far more plausible in the real world.

A person with a 60 IQ could use a number of modern encryption formats and have their data be damned near 100% safe if the decrypters lack the decryption key. This has nothing to do with how smart the people are.

I don't believe anything is impenetrable.

As I said earlier, if this story turns out to be true I will happily and loudly apologize.

And that's with most likely millions of man hours attempting to crack it. So yeah, I don't think that anyone has anything to worry about if they've encrypted using a modern encryption standard. Sure, AES 256 isn't impenetrable, just impenetrable given the technology that we'll have for the next several decades.

as a serious threat. Not that I am a hacker, just stating reality.

I assume you can tell me of AES256 being compromised in an even semi-effective manner? Go ahead, I'm listening. I don't buy it for a second now, but my mind is opened if you happen to have any evidence to sway me.

And thought to voice it...

Go fuck yourself. There are plenty of people that understand security and work in security and are not intimidated by some person coming along saying "Oh, you must be a traitor if you understand this technology".

I threatened you? Just how exactly? I asked if you could tell me specifically why you believe that AES256 had been compromised. If you took that as a threat, that's your problem, not mine. Go fuck myself? Because I asked a question? I think you need some help.

I understand security fine, thanks. That's part of my job.

ever utilized rainbow tables to discover the salt. Not ever.

Salt is specifically a defense against rainbow tables. Your statement is completely nonsensical; thirty seconds with Google and teh Wiki would have at least given you the information to say "Not that anyone ever discovered the salt and then used a rainbow table".

http://en.wikipedia.org/wiki/Salt_(cryptography)
http://en.wikipedia.org/wiki/Rainbow_table
http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
http://www.healthypasswords.com/content.What_are_hashes_and_Rainbow_Tables.html

asking for ransom for material like this are criminals. Sounds like extortion to me, rather than providing the public with information. If anyone were to pay them for that info, they would be engaging in a crime also. Sounds like a weak attempt to entrap Democrats into engaging in criminal activity. I am sure they are smarter than that.

This is not the MO of Anonymous.

Some people socially engineered getting Romney's tax returns, said they were going to release them on Sept. 28, and let the firestorm ensue. Anonymous MO

The second post was that they demanded money, but no one so far has come forward demanding money except for post No. 2, which wants Bitcoins regulated (reportedly). Not Anonymous MO.

Republicans are pissing in their pants at this point.

I can over here from Meta for the geek war.
I have degrees in Math (BA) and Computer Science (MS) and encryption was one of my hobbies.
I think you have the right of it, with the exception (theoretically) of 100%.
Anybody that does crypto professionally, feel free to correct me as needed.

The only theoretically uncrackable code is the one-time pad, last time I heard. All the mathematical encryption methods are all based on computations that are "easy" with the key (one or more of the terms of the computation) and infeasible without it. "Infeasible" means theoretically possible with known and usually "easy" algorithms, but of very high computational order, i.e. you will never finish unless the problem is very small. The usual thing is based on factorization of very large composite integers.

AES is considered "weak" and is out of fashion, though I quite agree it is good enough for most purposes, and yet I would not bet on it being invulnerable to the spooks. But the various free encryption packages out there now I would expect could be made good enough even for that, I don't know that, but that is how I would bet.

In ALL of the mathematical methods, it is EASY to make the problem bigger, if AES256 is cracked, you can go to AES512 or AES1024 and so on, so while it is theoretically feasible to crack these methods (not 100% uncrackable) it is also theoreticaly very easy to make the problem much much harder when that happens, if you care to.

There are about a gazillion encryption methods out there now, it's a very active field.

Edit: nothing more to add.

I think this story is likely BS, but unbreakable encryption DOES exist and anyone, you and I included, can make use of it with freely downloadable software. My degree is in computer science and I know what I'm talking about. Breaking it is not a matter of hacking. Reality is not like the movies.

But I have 22+ years experience. Algorithms, salts and parallel processing.

then our financial system would have collapsed by now due to all of the successful attacks against electronic money transfers. That doesn't seem to have happened.

but that satire story is completely different from the one in the OP.

In one we have them getting the tax records from the accounting firm and the other they broke into the IRS. Not the same story.

I wouldn't give much credence to this - if you're going to blackmail, why send it to the Democrats without anyone even paying for it first?

The sulphurous smell of the ghost of Rove is still in the room.

the drives they've sent out are encrypted and they're threatening to release the key if they're not paid (or if they are paid by Romney's opposition). Presumably the one sent to PWC is unencrypted as proof that they actually have the data (since they stole if from PWC to start with, sending it to them reveals nothing).

I'm skeptical of the story, but I guess we'll see how it plays out.

Actually, I'm skeptical. It'll be interesting to see how this plays out.

They could easily be full of crap but hoping that someone will pay anyway. I assume, if this is for real, that the drive they sent to PWC is unencrypted so that this can be verified. The Romney campaign is probably already in contact with PWC to see if there's any truth to this.

even if it isn't true. The idea that we could have a president so open to blackmail is a bit scary.

But first, we have to find out if this is real or not. I hope PWC got an unencrypted version to verify that it is true.

poor mitt is a victim!

They're not a serious group. They're full of shit.

They are claiming to have references that only PWC would have so that they would know it isn't a fake.

Just go arrest Dr. Evil - problem solved.

The article says that a copy was sent to PWC but I don't see any mention of that in the actual document.

I wonder what their source is?

On a sidenote: Just the idea that something like this may (but probably did not) happen is absolutely delicious.

Now if such reports were indeed made?.............oh dear.

according to the article, they gained access from the third floor by asking a fine gentleman to let them in and then
proceed to the second floor where the company is located, unless I'm mistaken, but that's from the article.

Unless these people were so careful that they left everything exactly the way they found it.

Correcting because they mentioned the flash drives..............there will be a digital record on whatever machine they used to access the records. I'm positive of that.

"the Democratic office in the county"

Written by someone with a poor sense of American politics... tonally reminiscent of Nigerian Treasury Minister email scams.

A distasteful hoax.

I would think Romney would pay far more to prevent his returns being released. Makes me think the story is a hoax.

Hahaha!!!
No shit!

but maybe larger amounts just wouldn't work?

Plus, bitcoin addresses are disposable and fairly anonymous. It could be a scam to drive the value of bitcoins up but that's due to happen soon anyway.

There's a hard limit of no more than 21 million Bitcoins to prevent devaluation.

http://en.wikipedia.org/wiki/Bitcoin

it's outside the realm of possibility.