Archive for April, 2009

What does “The only way to break into PGP” mean?

Thursday, April 30th, 2009

Note to PGP legal dept: I’m not going to put the ® sign every time I mention PGP. I’m just tired; we already did that in our press release and on our web site, and I think it’s enough. No, really? Well, I’ll repeat one more time: all names like PGP are trademarks or registered trademarks of their respective owners in the UK, USA, Russia and probably somewhere else, e.g. in Albania. There are too many countries to mention, sorry :) . Why should I care about (R)? Keep reading, and you’ll see the reason.

Note to PGP executive and marketing depts: thanks again for helping our marketing people to spread the word about the company and our software. We have received many calls from local and international media, nice press coverage, and a lot of people coming to our booth at InfoSecurity. Well, and several good orders, mostly from forensic/investigation people.

Now an update to my previous post. It becomes more and more funny: PGP has written about our ‘conflict’ in their own blog. And the author is… Jon Callas, CTO of PGP. He called his blog entry Lies, Damned Lies, and Marketing – not bad, eh? But the content is even better. Jon starts with the words about ElcomSoft: "The company who made this has a great product, and as I said then, it’s a very cool product." Thanks Jon, but we already knew that our software is "great" and "cool" – otherwise we would not get enough sales ;) . But Jon’s story continues with the following:

[ElcomSoft] booth said, “the only way to break into PGP®.” This is a lie, and a lie in two directions.

1. They’re not breaking into PGP, they’re doing password cracking. There’s a difference.
2. They’re not the only people who do it. As I’ve said before there are plenty of other password crackers, both commercial and open source.

In short, the sign was factually incorrect, and lies about PGP.

If we lie, please sue us. If we don’t, better be quiet, please. But PGP marketing people have selected the 3rd way: complained to Reed Exhibitions and asked to destroy [a part of] our booth. Well done.

About [1]: from my personal point of view, "breaking into PGP" can mean "password cracking" as well. Do we provide the tool to get access to a password-protected PGP disk? Obviously we do. Did we say that it works in 100% of cases, or that we cracked PGP encryption/algorithms? No we did not. Oh well, our English is definitely not perfect, but I think it is still better than your Russian, Jon ;)

About [2]: yes, there are a lot of password crackers around. But I’m aware of just a single one (except ours, of course) for PGP Disk – and it is commercial; supports old versions of PGP Disk only; moreover, it is distributed only as a part of a very expensive commercial e-discovery package – and it is MUCH slower than ours (because it does not use GPU acceleration). Sorry, I will not mention the vendor name here, simply because it is our competitor – and it did not pay us for an advertisement :) . Jon, I’d appreciate it if you could name the other ones (commercial or open-source). If you cannot, YOU lie. But I like your wording "as I’ve said before"; I think I should use it myself, too (e.g. "as I’ve said before, PGP is not secure and can be cracked" – without reference, for sure :) ).

I recall how I talked to a PGP representative a year ago – at the previous InfoSecurity UK. The first question he asked was: "Have you received an e-mail from our legal department?". I replied "Should I?"; he said "Yes", and explained the reason: there was no (R) sign (near "PGP") in our press release (Elcomsoft Distributed Password Recovery Unlocks PGP Protection). Well, see the note at the beginning of this post ;)

Another note: in fact, we were strictly prohibited (by Reed, but that’s definitely not their own initiative, but for sure PGP’s one) from printing anything about PGP on our booth. It’s a pity that I did not have a voice recorder handy. So if we wrote something like The only way to break PGP passwords, or The most cost-effective way to crack PGP passwords etc, such a panel would be removed as well. We’ll probably try this next year. But we reserved another place for InfoSecurity 2010 – not so close to PGP; I think it is a good idea anyway, because every half an hour they’re doing very loud (but not very smart) presentations telling people that PGP is #1 in this and that (nothing really interesting/technical/innovative).

Oh, I forgot to mention that we received a document from Reed explaining why they’ve removed our wall paper, finally – at the end of the first day, i.e. about 8 hours after removal. The official Regulations (sorry, I’m too lazy to scan it – but I will, if you wish) say that it should be done in advance (and no action can be made without prior notice in writing), but who cares? Anyway, for those who are interested – here is what it looks like:

But I should also mention that Reed keeps their word: our panel has been replaced this morning (at their own cost). Have a look (the second panel from the right; the color is slightly different from the original one, but still better than nothing):

 

Lessons learned? You guess yourself. I would not say anything bad about PGP and/or Reed – they really helped us a lot. And I would NOT recommend PGP to send smarter people to the exhibition next year – so we’ll be able to save a significant part of our marketing budget ;)

After all… All of the above (as well as my other posts) is my personal view, and not an official position of ElcomSoft. Yeah, I’m the CEO of ElcomSoft, and I’m the person who approved the design of our booth (btw, only two days before the show: we were really busy doing technical stuff), but anyway.

Oh, almost forgot to share one more picture – with ElcomSoft people:

From left to right:

  • Andrey Belenko, IT Security Analyst (and an inventor of GPU acceleration; well-known person in ‘crypto’ world)
  • Olga Koksharova, Marketing Director (doing real and smart marketing and PR, much better than PGP’s one)
  • Vladimir Katalov, CEO/co-owner (me; ex-programmer – not a stupid ‘manager’ hired by expensive headhunters)

And finally, thanks to all who commented on my previous post. As you can see, our blog is NOT MODERATED – in contrast to PGP’s one (which is actually premoderated, try it yourself; we made some comments there, but they have not appeared – at least in about two hours after writing). Censored? ;)

On the Infosec once again

Thursday, April 30th, 2009

There is a lot of speculation about what has happened between Elcomsoft and PGP here at Infosecurity Europe 2009 in London, so I would like to share my own point of view which may or may not coincide with Elcomsoft’s.

First, I’d like to make it clear that I do respect PGP Corporation; those guys are making great software.

Now, I’d like to comment on the blog entry by Jon Callas (CTO of PGP). There are some important factual errors which I suspect Jon is not aware of and which I would like to correct. He writes:

We complained to the trade show that someone else was being factually incorrect about our product, and the trade show staff spoke to the company in question, and then took the sign down.

Well, I’m not sure if "spoke to the company in question" means trying to remove the wall paper in the absence of Elcomsoft staff 30 minutes before the exhibition opening, and this is exactly what happened. We were approaching our stand when the organizers were removing the wall paper. Nobody even tried to contact us beforehand (they have the mobile phone numbers of every exhibitor, I guess), nor did they give us a chance to talk to a PGP representative to explain anything. So that was not really nice behavior, and the pictures only show how ridiculous it was.

Marketing is not something I feel comfortable with, but I suspect that if organizers remove every statement which is not 100% true then we’ll see mostly white walls at most exhibitions. I can only see PGP’s request to remove our questionable (yes, I personally do admit this) marketing statement as a sign of the inability and incompetence of their booth staff to explain the basics of password security to their (potential) customers.

Next, Jon writes:

1. They’re not breaking into PGP, they’re doing password cracking. There’s a difference.

2. They’re not the only people who do it. As I’ve said before there are plenty of other password crackers, both commercial and open source.

Breaking (into) something means breaking the weakest link. With PGP this is definitely the human being, not the technology. We did not say anything about breaking PGP encryption, so I don’t think we said something wrong here. Breaking the password is usually sufficient to gain access to the desired data, and this is what is often called breaking the system. And this is a slogan, not a technical paper.

We’re the only ones to provide hardware acceleration for PGP password recovery using commonly available hardware. This makes our product unique, so I believe the word "only" can be used here. By the way, there are not "plenty" of products, maybe just one or two besides ours, and no open source PGP Disk and/or PGP Whole Disk Encryption password crackers that I am aware of.

Again, I do respect PGP Corporation. Today we do not have many security vendors who make source code available for review, and this is just one thing I respect PGP for. And I really hope we will resolve this situation to our best.

From InfoSecurity, “the number One in Europe”

Tuesday, April 28th, 2009

We never thought that our participation would bring such kind of trouble (or at least a disappointment).

Early Monday morning we came to prepare our stand and apply our wallpapers (yes, we do it ourselves, sort of team building :) ). Practically, everything went smoothly, except for the fact that the organizers did not fix our company name board, electricity was not there and finally – we got less space than we ordered (and paid for) because the wall panels were not constructed properly. But after all, [almost] everything was fixed. Unfortunately, we did not take any pictures, but here is how it should look (by design):

Next morning (the first day of the exhibition) we came to our booth in advance (about half an hour before the exhibition opens). And what did we see? Two persons (from Reed Exhibitions, the organizers of this event) removing one of the wall papers from our booth – the one that said that we’re doing PGP password recovery. Moreover, we were not able to get a clear answer why they’re doing that, except the fact that “PGP Corporation complained”. And the reference to some “regulations” we still have not seen. We asked for some official paper (act?) about our “violation”, and are still waiting for it. When (if?) we get it, we’ll scan it and publish it here.

Fortunately, we had the camera handy, and so made several photos of this “process” (removing our wall paper). Organizers (Reed) did not like that, too, and tried to hide their faces from the camera. But they failed, so you can see them now (and the whole “process”):

So we had to put the following note here (fortunately, on one panel only):

Only two hours later, they (Reed Exhibitions Group Event Director) came to our booth and asked to remove this note. Oops, sorry: not asked, just removed. Without explanation. Well, the explanation was: we have the right to do anything here.

What are they (PGP) scared of? I don’t have an answer. Do we say that PGP protection/encryption is not secure? No we don’t. But we DO say that PGP passwords can be cracked – if they are not selected carefully. But if PGP people cannot explain that to their clients – this is not our fault.

Update: see What does "The only way to break into PGP" mean?

GPU Assisted Password Cracking at Troopers 2009

Tuesday, April 28th, 2009

Last week a colleague of mine, Andrey Belenko, gave a speech at the Troopers conference in Munich. Olga wrote about it in this blog. All the talks at Troopers were awesome. Soon the videos and slide shows will be available for downloading on the Troopers website.

If you have an opportunity, visit Andrey’s talk about green password recovery at Infosec, London. It’s on Wednesday, April 29th, at 15:20, at the Technical Theatre. Also visit our booth K35 at Earls Court for free software trials.

NVIDIA about Intel

Tuesday, April 28th, 2009

Considering Intel Core i7? Read Nvidia Says Core i7 Isn’t Worth It and nVidia calls Core i7 a waste of money first. We’d agree that investing into GPU(s) is really a good idea, especially if you need to crack passwords.

Wardriving with NVIDIA

Tuesday, April 28th, 2009

17" screen, Intel Core 2 Extreme processor (four cores) plus NVIDIA GeForce GTX 260M — an excellent device not only for gaming, but also for wardriving. Get it from Sager, and just add Wireless Security Auditor.

One More Good Password Pattern Idea

Saturday, April 25th, 2009

 

There’s a great post in Hans Anderson’s blog on secure password patterns and how you can create one. There are at least two things I like about this entry. The first one is the statement that "No password you can remember is unbreakable", which means sooner or later it is broken. The second one is that Hans points out that you should never disclose your password pattern to anyone. I agree that password patterns are awesome but they are still vulnerable to social-engineering-based attacks. By the way, why not share your password pattern ideas in the comments? ;)

More cores, faster password cracking

Friday, April 24th, 2009

AMD revealed that it plans a 12-core Opteron processor in 2010, and a 16-core Opteron in 2011. Unfortunately, there are almost no further/technical details; more cores is definitely good, but we’d like to see whether AMD is able to implement SSE2 effectively. Right now, SSE2 instructions are executed much slower on AMD processors than on Intel ones, while they’re really important for SHA-1 (which most password checking routines are based on). Or maybe SSE5 will provide additional benefits for password cracking?

More on NVIDIA GT300

Thursday, April 23rd, 2009

Finally, nVidia’s GT300 specifications revealed! 512 cores (remember that GT200 has only 240), which means about 3 TFLOPS — can you imagine that? We’re also expecting the new generation of Tesla supercomputers based on those GPUs. GT300 also gives direct hardware access for CUDA 3.0, DirectX 11, OpenGL 3.1 and OpenCL.

Dangerously Easy Password Recovery

Thursday, April 23rd, 2009

There is only one way to break through PGP® encryption – GPU accelerated brute force – and that one is too many. New Elcomsoft Distributed Password Recovery v. 2.80.206 crunches PGP® passwords 200 times faster using graphic chips.

EDPR is all for cutting unnecessary costs, saving time and energy. Just using the video cards you have at hand can result in excellent performance. In the graph you can see a huge leap in speed since graphic cards came into action.

EDPR Benchmarks (PGP® Disk/WDE)