[Gllug] Distribution Pecking Order So far

Chris Ball chris at void.printf.net
Thu Oct 25 14:15:30 UTC 2001


On Thu, 2001-10-25 at 14:51, Alex Hudson wrote:
> Really... I suppose that's why all those Word/Excel 97/2k crackers run 
> dictionary attacks on the file... much more efficient than ignoring a flag.

First link from Google for 'excel password cracker' goes to
www.webdon.com.  They state "100% success guarantee!  No brute force!"
and "Using Guaranteed Recovery, you DON'T NEED to recover a password.
Using this feature, you can REMOVE a password at all!".

That said, there are brute force crackers out there as well.  In fact, I
think Elcomsoft (of Free Dmitry! fame) market one.

> > Furthermore, how do you propose
> > Microsoft exported RC4 from the US to the entire world?
> 
> I suspect they probably wrote the software, pressed it to CD-ROM, put it in a 
> box, and sent it to shops and warehouses. In much the same way as exporting 
> SSL, except without the download bit. But I may be wrong :P

You are.  Until recently, RC4 was classed as a munition, and forbidden
for export outside of the US without a license from the NSA; a license
which they'd be reluctant to give, given that I'd imagine they're fairly
happy about being able to read Office documents; way back in the day,
they wouldn't even let Lotus export a stupidly low keysize DES.  SSL
needs to be downloaded from an internet site without this ban on
exporting, which is why you find it in the non-us.debian.org repository
and not bundled with non-European Linux distributions.

Of course, there's also the fact that you'd see an RSA logo on the
Microsoft Office About.. screen if the algorithm was being used, and
there isn't one.  :)

> I can't think of a major cipher/system crack that wasn't known widely (within 
> the community) for a long time after it occurred. If you crack something, you 
> make use of it (it's an advantage, after all). If you make use of it, people 
> will find you out.

I'm not talking about within the community; I was talking of Governments
and intelligence organisations - for example, the NSA, who have access
to all the cryptographic knowledge we do, and also most of the best
mathematicians alive.  If a cryptosystem is cracked, the last /thing/
that you want to do is let the people using it know that it's been
cracked, because then they'll stop using it.

As I said, it was an aside; I was talking generally, rather than
specific to this case and Excel/StarOffice.  Your statements of "I would
be surprised if they had broken rc4(?) encryption. I think we would have
heard about it by now.." seemed profoundly naive, which is why I
mentioned it.

~C.

-- 
$a="printf.net"; Chris Ball | chris at void.$a | www.$a | finger: chris@$a
         "In the beginning there was nothing, which exploded."          


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug