200 PS3's used to hack SSL

[xtop]

http://www.engadget.com/2008/12/30/h...h-less-secure/

Quote:

Between the juvenile delinquent hordes of PlayStation Home and some lackluster holiday figures, the PlayStation has been sort of a bummer lately, for reasons that have nothing to do with its raison d'etre -- gaming. That doesn't mean that the machine is anything less than a powerhouse -- as was made clear today when a group of hackers announced that they'd beaten SSL, using a cluster of 200 PS3s. By exploiting a flaw in the MD5 cryptographic algorithm (used in certain digital signatures and certificates), the group managed to create a rogue Certification Authority (CA) which allows them to create their own SSL certificates -- meaning those authenticated web sites you're visiting could be counterfeit, and you'd have no way of knowing. Sure, this is all pretty obscure stuff, and the kids who managed the hack said it would take others at least six months to replicate the procedure, but eventually vendors are going to have to upgrade all their CAs to use a more robust algorithm. It is assumed that the Wii could perform the operation just as well, if the hackers had enough room to spread out all their Balance Boards.

anyone got 200 to start stealing money online?

[Rike255]

Wow, that's pretty amazing. Time to get away from MD5 encryption I'd say.
Linux/UNIX is on the ball with that, I think Windows Server is still lagging behind though.

[ps3andlovinit]

Quote:

Originally Posted by xtop

http://www.engadget.com/2008/12/30/h...h-less-secure/

Cryptography was one of the key uses targeted/of interest .. to IBM in particular .. for the Cell. So this is not surprising at all .. in fact I remember reading something a few years ago that they were expecting this kind of hacking to accelerate because of the Cell and it's easy/cheap availability.

Quote:

Originally Posted by xtop

anyone got 200 to start stealing money online?

I've got 3 to contribute

[Rike255]

Heh, we should make a cluster with all our PS3's. Then we can rule the world!!

[Marquoz]

Quote:

Originally Posted by Rike255

Heh, we should make a cluster with all our PS3's. Then we can rule the world!!

That's the basic premise behind @Home. I wonder when somebody will figure a way to send a virus to PS3s to harness it's idle power when people leave them online and connected for things like this.

[neos_peace]

Quote:

Originally Posted by Marquoz

That's the basic premise behind @Home. I wonder when somebody will figure a way to send a virus to PS3s to harness it's idle power when people leave them online and connected for things like this.

thats sorta a scary thought now isn't it.

[Sonny]

That's some crazy sh!t!!!!! I hope I don't get "dooped"....

[quexos]

Now we finally have proof that the Cell Processor is indeed synergistic. Sony was right all along ...

[The Don]

Quote:

Originally Posted by Marquoz

That's the basic premise behind @Home. I wonder when somebody will figure a way to send a virus to PS3s to harness it's idle power when people leave them online and connected for things like this.

if the PS3 had to turn on because of this, I would know pretty quick...

and then I'd flip the switch in the back or just unplug my PS3 ...

[SlmShdy1]

What is SSL?

[Rike255]

Stands for Secure Socket Layer I believe. Basically it's just a secure way of communicating between two "clients". That's at the most simple form.

[Papi4baby]

You know, i am not going to read all that.

But here are my assumptions.

It sounds like they didn't really brake it, just that they could make dummy sites offering fake security. And even then im assuming they were working on a older version of the SSL and not and online version. I bet SSL release updates every other week or so to prevent this sort of stuff, kind of like rolling the keys on blu.

SSL is nothing to scoff at, it would take alot of power to really brake that algorithym. Dont drink the cool aid guys.

Just like slysoft, every othe week say they broke this and that, and guess what bam no you didn't.

[Marquoz]

Quote:

Originally Posted by Papi4baby

You know, i am not going to read all that.

But here are my assumptions.

It sounds like they didn't really brake it, just that they could make dummy sites offering fake security. And even then im assuming they were working on a older version of the SSL and not and online version. I bet SSL release updates every other week or so to prevent this sort of stuff, kind of like rolling the keys on blu.

SSL is nothing to scoff at, it would take alot of power to really brake that algorithym. Dont drink the cool aid guys.

Just like slysoft, every othe week say they broke this and that, and guess what bam no you didn't.

From what I understood they are using the IP redirect bug to re-direct traffic to a created certificate authority and then creating their own certificates. It actually sounds like a very basic and easy hack that didn't require the PS3s. I could be completely misunderstanding it though! It didn't sound like anything was brute forced.

[Papi4baby]

Quote:

Originally Posted by Marquoz

From what I understood they are using the IP redirect bug to re-direct traffic to a created certificate authority and then creating their own certificates. It actually sounds like a very basic and easy hack that didn't require the PS3s. I could be completely misunderstanding it though! It didn't sound like anything was brute forced.

That's what i understood also.

Actually trying to break SSL encryption, let's just say that with what available today we would all most likely be dead by the time is over.

[Rike255]

They had to crack the MD5 encryption so they could create the fake certificate though, that's the point of the PS3's. Lots of processing power needed for that.

[Jamoctopus]

O.O