Hello, welcome to Economics of Password Cracking in the GPU Era. This actually sounds more corporate than DEF CON normally allows for, but we'll get through this. Obviously I work at SanDisk, so I use their slide deck things. So what we're going to cover today: we're just going to do a quick introduction of who I am and why we're here and why you should stay in the talk for the entire duration. We're going to cover GPU cracking, like some fundamentals 101 stuff. Then we're going to get into the meat of it, all the economics of it. We're going to explain how fast and quick it is to deploy. We're going to do a little lessons learned. If you haven't noticed, I'm pretty corporate. And then we'll do a conclusion that's going to have some Q&A and some afterthoughts. Oh, that. There it is. Q&A. Shameless plugs. I love these. These are all my sponsors. So I used to work for Atheros Communications. The CFO came to me one day and said, here's a $3,000 budget and an Excel spreadsheet that's password protected; break into it and let me know. Get back to me when you break into it. So it cost me about $300 to break into his Excel spreadsheet, but I still had a bunch of budget, so I kept going forward. So this talk is mostly because of them. So thank you, Atheros, for giving me time, even though they don't exist anymore. It's Qualcomm now, which brings me to my other one. So Atheros got bought out and I just cashed in all my stock options. Apparently Qualcomm already has a CISO, so I didn't have any purpose over at Atheros; SanDisk needed one. So now I'm the CISO over there. So I'm a technical CISO, so you shouldn't get up and run away once you hear the word CISO. If you guys don't know what that means, it's a Chief Information Security Officer. So I actually do soup to nuts. I actually do all the architectural reviews, the deployments, all that other kind of stuff, and all the boring stuff like policies and procedures and talking to C-level staff.
But they continued the funds on this, and we're going to show you in a much bigger way than $3,000 later on. People of Earth, I definitely appreciate you guys. I couldn't have done this talk if you didn't screw up on a consistent basis. So I appreciate that. Thank you. And electricity. So if we look at the laws of electricity, there's the path of least resistance. And that kind of ties in with the people of Earth. So thank you. Anywho. Oh yeah, I got to give mad greets to my crews. Vegas 2.0, that's the people that I associate with. I don't have my lab coat on today because UPS really sucks. Don't believe the commercials; they do not love logistics. DC949, you guys know all those crazy guys. The party was pretty good last night until it got shut down in concert with all the other parties in the towers. And the Cuckoo's Nest. This is the private hacker space up in the Redwood Hills. It features 50 meg internet, dual 50 meg internet, and septic tanks. So it's kind of like a couging con, for those of you that know what that's all about. So thank you everybody for all your efforts in there, making this happen. Oh, another shameless plug, a word about RSA tokens. So one of my lessons learned is you need two-factor authentication. And I was all geared up for that. And then some assholes decided to totally let their systems get pwned. So I'm like, well, if you're going to do two-factor, don't do RSA, obviously, because that didn't work out. So what I have here is these special key chains. So I don't know if you can see very well, but it'll help if it's right up. So since I am the CISO and I had to redistribute 3,000 RSA tokens to all my users, and that was a pain in the ass, I collected all the original tokens from my users. So they still generate numbers. And I was like, what the hell am I going to do with 3,000 RSA tokens that have no purpose, because the Chinese have all of their seeds?
And then I saw on the internet, on Attrition, somebody superimposed a bottle opener on the side of one of these as a joke. And I was like, well, screw photoshopping, I'm just going to actually attach bottle openers to all my dead RSA tokens. So, and you know, normally I buy American and everything, keep our economy going and all that. But I figured since this was special, I got all my bottle openers from China. So every single bottle opener actually says Made in China on it. So what you have here is an RSA bottle opener from China. So I figured I'd throw some of these out to the audience. I did have 180 of them, and apparently I'm down to eight leading up to the talk. So I'll chuck these out. They actually have some significance around 2am tonight. So I won't tell you more than that. That's, I guess, a big enough clue. So if you have one of these and you're in the right place at 2am, it'll be of use. Otherwise, just enjoy opening bottles of beer with your pointless RSA token. Some of these I think actually will go for the next five years. So it'll still generate numbers for five years to nothing. So unless you're Chinese and you actually have a use for it still. So I'll go ahead and chuck these out and then get started. Any of you guys make it to the Summit on Thursday night? What a bunch of jerks. So the Summit was an EFF fundraiser. We gave out about 50 of these at the fundraiser as well. So if you were there, you got one already. All right. About me. So why should you listen to what I'm saying and all this other crap? So I got four years of credit card security. You may remember me from DEF CON 11 through 13. I did some talks on how to steal credit cards from merchants directly. I felt that everybody was talking about the consumers and all the carders in the world, and nobody was talking about the businesses getting raped blind. So I talked about that for about three years.
I developed IDPS technology into code for websites, so websites that are self-healing, and they detect when people are doing evil stuff and go into offensive mode, for the Department of Energy, which they loved, and let me research that for three years and then scrapped it. So if you want to FOIA that, it's actually some interesting stuff. And for the last two years, I've been doing a lot of GPU password cracking stuff. All the suit and tie crap: I've been doing IT security for 12 years. I've been in development roles, research roles, SOC analyst roles, incident response roles, tactical, red team, tiger team, red versus blue, fill in the blank, and a bunch of holistic crap like policies and procedures and training and yearly refreshers and all that other stupid junk that you don't care about here. And the private hack space. So we have trees and servers to muse over. So it's in the middle of the Redwood forest. There's about 15 trees and about, I think we're up to 48 terabytes of storage out there, just doing cool stuff. So if you're in the Bay Area and you want to go to this crazy forest resort hack space, just give me a ring. Okay, now what you actually came here for. Sorry about all the SanDisk slide things. So what is general computing? So there's a thing that people say they get confused with, GPUs and general computing. So general computing just means that you have a whole bunch of tools in your arsenal. So that's where OpenCL comes in. So OpenCL is supposed to say you can program for the platform. So if you say, okay, do you have a GPU? If yes, I'm going to do stuff using your GPU. If no, do you have SSE2 instructions? If yes, I'll use that. And it'll just kind of keep going down and down. But it looks for preferential devices. So that way you don't have to sit there and, like, CUDA really sucks because you can only do mapping routines with CUDA and nothing else. You can't say try and do SSE3, which is not as fast but it's still useful.
And that's why a lot of people are migrating from NVIDIA to ATI cards. And there's some other things involved with that. We'll get into that. What is the current state of general computing and high performance computing? So the Top 500, it turns out that of the 100 of the Top 500 that topped the list, about 80 of those now top the list because they have graphics processing units, or general purpose graphics processing units, which are mostly the Tesla 2050s. So we're actually seeing that every time that list gets republished, it just gets decimated with more GPUs. So if anybody's wondering if GPUs are going to really stay, or if they're just a passé thing, or in vogue right now and it'll be passé later, I don't think so. I think everything's going to move over to GPUs. Another thing about GPUs that people don't understand, and I always use every microphone I can to promote this: if you know what a DSP is, a digital signal processor, that's all a GPU really is. It's just sample rates, right? Something comes in and just keeps on checking, checking, checking, over and over and over again. Like a really fast clock. That's the core. Yeah, somebody at NVIDIA will say it's a lot more than that, but when you really think about it from an EE perspective or a CS perspective, it's just like a really super crazy FPGA or DSP processor. Cloud computing. So everybody's like, hey, you know, everybody loves GPUs, so let's get into it. So Amazon web clusters and EC2, Elastic Cloud Computing, they were the first to come out with it with actual GPUs. The rest of these guys also have stuff. So if you want to do this stuff on your own, and if you look in the CD, I have all the kit and everything you need to get started. You can be cracking passwords on other people's hardware in no time, or if you want to do bitcoins, if that's still popular, you can do it as well.
I think at one point, before the bubble burst with bitcoins, it was actually cheaper just to use an Amazon EC2 to mine bitcoins, and even though you're paying per hour, you're still getting more back once your 50 coins came up. But I think the bubble burst, and now it's just stupid to do that. It might come back if it is really a serious thing that people care about. Do I sound like I'm droning on? Yeah, oh, sorry. I'll try not to. Oh yeah, thank you. That was dumb. Okay, distributed technologies. So you got distributed, not in that Folding@home, SETI@home, and bitcoins. And according to the Crack Me If You Can guys, there actually will be a distributed password cracking pretty soon. I don't know if I was supposed to say it to this many people. Oops, you'll get over it. Although they'll get over it, but that's coming soon. I think that's the crux. Like if we look at what we're doing with password cracking, that to me is like the holy grail. Like once that happens, if you don't have two-factor, you're dead. It's just not happening anymore. So let's get into actual GPU cracking. So the hardware, like I had to catch myself up on all this once he gave me $3,000. So these are the main ones out there. If you want to buy the top of the line thing for your bitcoins or GPU password cracking, on the NVIDIA side you want to use the GTX 590. All they really said was it's the same thing as the two GTX 250 series. They said, well, we couldn't figure out. 260, thank you, sir. No, no, no, you don't even know what I'm talking about. Shut up. So the 260s, what they did was said, we have a processor and we don't know quite yet how to make it faster. So let's just put two GPUs on one card and just say it's double the speed. That's all the 590 is. It's just two 580s crammed onto one card. So when they say 1024 cores, it's really 512 cores per GPU. So when you do it in cracking, it actually breaks it out. You actually see two GPUs actually crunching your numbers, not one.
So that's a little bit of an issue. And so we have here, it says times eight cells. So it's just like the PS3, right? They say that they have the Cell processing. So each core has eight cells. It's the same technology, because NVIDIA is the one that uses that for the PS3. So there's a real problem with this, and we'll get into that later. So even though you have 8192 streams, we'll quote that, it still doesn't compete with Radeon's HD 5870, which is 1600 cores. And there's a 5970, which they did the same thing as the 590. It's 1600 plus 1600. So you just have to have a really big ass power supply to handle one card. Just checking my notes to see if I missed something. Oh, I guess I am supposed to talk about it here. So why does everybody switch over when you think of bitcoins? I'm just going to keep referring to that, because everybody knows that they like money and they like to switch to stuff that works. So NVIDIA won out of the gate as far as cracking passwords and bitcoins and all these other things because they had CUDA, and CUDA is just this development environment. They had a lot of examples, a lot of free TechNets, a lot of webcasts, all this stuff. So everybody was able to hit the ground running, and Radeon, or ATI, had this thing called Streamkit, and Streamkit was just a gaudy, kludgy piece of crap with not really good documentation. So all the developers said, well, NVIDIA is a pretty solid company and stable, and CUDA is pretty well documented, we're going to start doing that. But what people found out later on, especially when ATI started promoting OpenCL, is that you actually get a lot more performance out of the Radeons. The reason why is it's the CISC versus RISC argument. So CISC has all these predetermined processes. You just send it in, like SSE2 and all this other stuff and MMX. So you just tell it to do one thing, one instruction, and that instruction knows to do 15 others that are pre-programmed.
Radeon is just like, why I really loved the 68K processor on the PowerPC side for the longest time: it was, well, as long as you're willing to code it, it's going to be more efficient and faster and actually get better performance. So when you look and you actually do a map function on a CUDA, it's going to look at 512 cores, and it's going to do a map across 512 cores as if there were streams. So you're only using one cell per core instead of all eight cells. Now, just because you're not a good programmer, or you just really don't understand CUDA. Now OpenCL said, we don't care; as long as it's a stream, you can address it. So now you're writing the same exact code in OpenCL, and you're saying go across 1600 cores and do 1600 process map functions simultaneously. So that's a lot faster than 512 map functions. So that's why it's important to kind of point that out, of why ATI, and this is getting to like a really bits and bytes level, why ATI is better than NVIDIA. Not because their logo is red and the other one is green, but that's why everybody's moving over, and if NVIDIA doesn't change their processes, if they don't change their architecture, they're going to lose this war, and it's going to be ATI that's going to be the market leader and save AMD for a little while. So what else? Oh, we just went over all that crap. Okay, I should probably pay attention to my next slide thing here. Okay, cracking software, what's out there? So OCL Hashcat, I put it on the top because right now it's a top contender. IG Hashcat, which is Igor from Russia, he's got one, and then the CUDA Multi-forcer, which is missing in action as of today. Are you Bitweasel? Well, your website's been down forever, dude. Well, you know, you would have been number one. I saw, a little background real quick. This is the first time I'm meeting this guy, so I actually partnered up with, can you stand up for a second, Bitweasel? So this is a funny story.
While I'm at Atheros, I am not a CUDA programmer, and I need to find a CUDA programmer, and I had the $3,000 budget. So I call up Bitweasel and I say, if I just buy you a bunch of brand new cards, can you do some exclusive programming, or at least stave off the code to other people and just give it to me early? He said, sure, no problem. Next you know, I drop shipped a couple of video cards so that you can get the multi-card thing going. And everything's happy go lucky, and then all of a sudden the website was missing for two months when I was making these slides, and I'm like, what happened to Bitweasel? And apparently, I don't know, you were on a drunken stupor or something? So a server failure. So you can write CUDA programming, but you can't keep a server up. All right, so as of right now you're in third place behind these guys as far as your efficiency in your algorithm. So, and I'm kind of an asshole that way; I don't mind saying that right directly to you. So, and actually my slides actually show you still ahead, but I didn't revise them yet. But well, good, maybe later on this weekend I can do some joint stuff with him and show you guys the most efficient code. So CUDA Multi-forcer comes pre-packaged on BackTrack 4. Is it also on 5? Is Pure Hate in the room? Are you auditing mine and seeing if I'm full of shit or not? No, I guess not. Oh, oh, speaking of which, is F5 here, or F9? Please step to the front, please. That was redundant. So she's part of the scavenger hunt and I'm supposed to give her a lot of shit, otherwise Civiac will bust my balls. So if you can just sit up here with me. Don't worry, I put on deodorant this morning. Thank you. Anyways, so CUDA Multi-forcer, this is the one I started off with, and this is the one I was able to actually crack a shit ton of passwords with, so thank you for that, Bitweasel. But right now OCL Hashcat, which is run by Adam something or other, he's in the current lead, because of his ATI card with the OCL, which is the OpenGL framework.
So this is my buddy for the duration of the talk, and their mic is not on, but she says hi. Current benchmarks. So we're going to go over benchmarks; they're all going to be based on NTLM Windows Active Directory, MD5 for the websites, and small salt-based passwords, and this one's for you. Smart. Where'd she go? Where's Jackie? Anybody watch Epic Meal Time? Yeah, salt-based passwords, smart. Okay, you guys in the audience get it that know that stuff. So what's in a mask? So okay, let's talk about this. This is what I really love about password cracking: how stupid humans are and the path of least resistance. So now that you guys know, earlier in the year, and I'm going to start picking this up faster because I think I'm way behind on my time, and we have a special thing. We don't have a live demo, but we have a consolation prize for you guys, so don't get up and run away because the live demo is not here. If you're a dude or a lesbian, it's really worth it to you to stick around. Intent, nudge nudge. So at my company SanDisk, or any other company, and now apparently a docker because they got smart, it was: hey, you need an uppercase, lowercase, a number, a special character, has to be minimum eight characters, right? Well, this sounds all hunky dory and dandy, and even Pure Hate, I'm kind of biting on his style a little bit because he got into this, and Bitweasel was able to customize a cracking tool to help out with this, where you said okay, uppercase, lowercase, numbers. What do humans do? Oh, I gotta do an uppercase. You know what, I'm gonna make that my first character. It's gonna be uppercase just because I got to remember that the first one's uppercase, because they make me do an uppercase. Well, 99 percent of my organization, and I don't work at Atheros now, so I can tell you this: 99 percent of Atheros started off with uppercase. Before I came in, I was like, guys, I just cracked all your passwords in like two hours, because your eight character password now went to a seven character, because I only checked
uppercase in the front. And so we actually put in the GPO policy: you no longer can use an uppercase character, that is required, at the beginning of your password. So doing something simple like that actually saves you a lot of grief. It pisses off users, because they're like, Christ, now I have to start putting my password underneath my keyboard again, because they just can't think, and we'll talk about what that really means. So that's what we say is what's in a mask. So when you actually say, okay, I have a 10 character password, it's really strong. Well, yeah, if it starts with an uppercase and ends with a number, and then every 90 days when I make you change it, your last character went from one to two to three, or even the special characters on the keyboard, you went from a pound to an at, or bang to an at to a pound to a dollar sign. It's like, okay, I'm pretty sure the Chinese could figure that out, idiot. So we actually had to put all these really specially crafted GPO rules in to kind of combat this kind of natural path of least resistance of users. So that mask. So you can say, okay, we're cracking passwords, we're doing brute force, yada yada yada, it's taking forever. Eight characters takes 23 hours; that's a long time. You know, you can start using masks, and now seven characters takes an hour and 15 minutes, especially, and with the mask your mileage varies. It may be about eight hours to get every masked seven character password, but it'll get 75 percent of your passwords. So if any of you are in the Crack Me If You Can contest, that's what we call in the business a clue, okay? So, and they're probably reeling over there, they're like, what an asshole, he just told like 200 people how to break into our whole contest, but they'll get over it. So that gets into the passphrase concept. So, and interestingly enough, I was in India for two weeks trying to convince them to use better passwords, and they were scared that I was making them use 10 characters, and I said, well, you know what,
think of a passphrase, right? I only eat tandoori chicken on Saturdays even when the wife complains. Yeah, and I used the first letter of all those things, and you permute I's for bang signs and A's for at signs and that sort of thing, and remember to put a capital letter in there somewhere, and suddenly you're just saying in your head, I only eat tandoori chicken on Saturdays even when the wife complains, and you have a really, really complex password that you can just say in your head and use the first letter, and make sure you have permutations on some of those letters, and all of a sudden that's a really freaking good idea, you know. So I think that's like the crux of everything. You can probably leave right now if you want to miss out on the lesbian action. That's really like the whole point of me being up on stage today. Two-factor and you. So you guys all got your cool passes to that thing at 2am. If you didn't, sorry. Oh yeah, there's a Google there; we already talked about that. So mad props to Google. I mean, you can love them or hate them, and maybe they're not doing evil and maybe they are doing evil, who knows, but they're the first email client that's public that gave away a free two-factor authentication option, and I use it. So even when I'm on my computers I use every day, I still use it, just as a matter of course. It's just a really freaking good idea, you know, especially if they're giving it to you for free. So even in our organization we're prepping everybody to do two-factor, and if you work at Qualcomm, any Qualcomm employees here? That one. I meant you work for Qualcomm. You guys all know that your VPN requires two-factor and all your other shit in house requires two-factor, right? Nod your heads. Yeah, they're nodding their heads, because Josh just absolutely requires that over there, and he's like hardcore about the two-factor, and it's just a good idea, you know. And we'll talk about why that matters right now, actually. God, I've been drinking too much. Secure Off, this is
actually, or Symantec VIP. So I don't talk about RSA anymore as a good two-factor option, just because the Chinese just cut through them like butter, and they're probably doing it again as we speak. So Symantec VIP, that's the old VeriSign two-factor authentication. That's saying, you know, it's on your phone. So on your smartphones you can have a two-factor here, and the thing I always tell people is, oh, you don't like two-factor authentication? Think about your smartphone, right? How often do you lose this versus your car keys? So go ahead, just keep this around, lose your car keys, and you have your second factor. So stop bitching about me making you carry around your phone that you're already carrying. So you can do that with Symantec VIP; you can do it with RSA as well, but it's RSA. So, and my rep's going to get so mad at me if she's listening to this right now. Secure Off. Secure Off, anybody have Chase banking online? You can admit it. Only one will admit that they use Chase. Come on, who had Washington Mutual? You're all poor bastards in here. They got Washington Mutual accounts, or Chase now. So when you try and log into your account, it says, well, you have your number on file, can I text message you a four-digit code just to make sure it's you? And that's what Secure Off does. They're the ones that are behind that, not some bolt-on at Chase, and you're going to start seeing it in a lot of other places. USAA does it today. So for all you former military, and jerks that just used your parents' military experience to get your USAA accounts, they have to, yeah, that guy. They have two-factor authentication as well, because they get it, you know. Our military might not get other things, but they get two-factor authentication for their retired employees, or their active employees, for USAA. Everybody knows what USAA is, right? Okay, so for your foreigners, that's the credit union that's exclusively given out to all of our military forces and their families, and if you don't know what a credit union is, that's a place
that's not an evil bank. They're all non-profits; they're not allowed to turn a profit for personal gain. So, which they happen to be the largest non-profit; they're a Fortune 10 company, but a non-profit Fortune 10 company. So they have two-factor authentication. That's just a really good idea, and all these apps are free in the App Store, in the BlackBerry store, in the market, in the Android Market. You can just download these apps, and you can just demand of your employees, or of your companies and of your vendors that you use: I need two-factor. PayPal has two-factor for free, eTrade has two-factor for free, USAA has two-factor for free. Start pushing everybody else. At SanDisk what we do is say we have two-factor, and you're partnered with all your banks. Guess what, the same token you're using to authenticate with us, you can recycle that for your bank, not carrying around this freaking janitor's key ring of RSA tokens for all of your different things: this is for my Wells Fargo, this is for my porn site, this is for my work. You can do it all in one token. All right, I'm done pitching it to you. Let's get into the economics. How cheap is it to break passwords? Pretty cheap. So a locally hosted box is my recommendation, as long as you don't mind a slightly higher power bill, and it ends up being about $15 more a month for a typical residence here in the United States. Private clouds are also a really good idea; we'll talk about that as well. And local distribution, and that's getting into the whole SETI@home thing, where you can have all the computers in your environment, especially if you're a development house like SanDisk. We have a lot of GPUs just laying around in all of our development boxes. They're like, we want the top of the line thing, and we're not going to use that GPU ever. I'm like, well, okay, I'll use your spare cycles while you're having that box doing nothing, okay, and crack your own passwords. Congratulations, you lose. And so that's like, yeah, the custom screensavers and everything
you know and love. Public clouds: Amazon. I was going to have a demo for you, but I don't have it ready. Oh, here's my live demo. I didn't have a live demo, so I gave you guys girls pillow fighting. I think that's DJ Jackalope there, and that's Beer Betty there. Oh, you missed out on the lesbian part. Smart. Okay, and there is your live demo of girls pillow fighting. If you have those RSA tokens, you'll see the encore production at 2 a.m. somewhere. Hint hint, nudge nudge. Oh, a word about LastBit and Elcomsoft. It's definitely pound equals. So LastBit is the exact same thing as Elcomsoft. Have you guys heard of these guys, like on Wired and Arcsoft and all, or Arc site, and all them? They did these exposés on them about 18 months ago, and they said, hey, now you can pay somebody to do your password cracking with GPUs. Yeah, hopefully they don't take me out back and shoot me, because they are Russians, but these are both the same exact company, and it's the same guy, and he will just take your money and run, and I had to do chargebacks. I used an American Express, which has really good chargeback coverage, so I was able to recover the money that I lost from my $3,000 budget, because I was just trying anything I could. I was like, I just want to show this guy I can crack his password. So I tried buying the Elcomsoft software. Didn't work. You know, I had a brand new GPU in there, and it says, I don't see your GPU. So if you're thinking about using these services, I'm just going to go ahead and say that it's crap, it's rubbish. So if you're thinking about it, or you already purchased it, get your money back. And if you're in the room, guys, sorry, your stuff sucks. So the best thing I suggest is like a local box. You can do the Amazon web cluster, and this is how this works in my mind. If you got 10 days on your hands to crack a password and $3,000, just buy a local box. If you don't have 10 days, you need to have it done today, you do that vertical versus horizontal thing, you know.
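An added example, not code from the talk or the speaker: it puts numbers on the mask point made earlier (an uppercase-first, digit-last password shrinks the search far below a full brute force) and shows two policy checks a defender could apply at password-change time, mirroring the GPO rule the speaker describes. The character classes, the sample passwords and the per-box rate are constructed assumptions.

```python
# Added example (not from the talk): keyspace arithmetic behind the
# "what's in a mask" point, plus two policy checks mirroring the GPO rule
# the speaker describes. Character classes and the crack rate are assumed.
import string

UPPER = string.ascii_uppercase          # 26 symbols
LOWER = string.ascii_lowercase          # 26 symbols
DIGIT = string.digits                   # 10 symbols
SPECIAL = string.punctuation            # 32 printable specials (assumed class)
FULL = UPPER + LOWER + DIGIT + SPECIAL  # 94 symbols per position


def full_keyspace(length, alphabet=FULL):
    """Candidates a plain brute force must try: |alphabet| ** length."""
    return len(alphabet) ** length


def mask_keyspace(mask):
    """Candidates under a per-position mask such as [UPPER, LOWER, ..., DIGIT].

    The product of the class sizes, the same arithmetic a hashcat-style
    ?u?l?l?l?l?l?l?d mask implies.
    """
    total = 1
    for alphabet in mask:
        total *= len(alphabet)
    return total


def predictable_mask(length):
    """The human path of least resistance: uppercase first, digit last,
    lowercase in between."""
    return [UPPER] + [LOWER] * (length - 2) + [DIGIT]


def reduction_factor(length):
    """How many times smaller the predictable mask is than full brute force."""
    return full_keyspace(length) // mask_keyspace(predictable_mask(length))


def hours_to_exhaust(keyspace, guesses_per_second):
    """Worst-case hours to walk the whole keyspace at a given rate."""
    return keyspace / guesses_per_second / 3600


def is_mask_shaped(password):
    """Policy check: flag passwords that follow the predictable mask
    (uppercase first, digit or special last, only lowercase between)."""
    if len(password) < 3:
        return False
    return (password[0] in UPPER
            and password[-1] in DIGIT + SPECIAL
            and all(c in LOWER for c in password[1:-1]))


def is_incremented_rotation(old, new):
    """Policy check at change time: the new password is the old one with the
    trailing digit bumped by one (the '1, 2, 3 every 90 days' pattern)."""
    if not (old and new and old[-1] in DIGIT and new[-1] in DIGIT):
        return False
    return old[:-1] == new[:-1] and (int(old[-1]) + 1) % 10 == int(new[-1])


if __name__ == "__main__":
    # Constructed rate: what a 23-hour, 8-character full brute force on one
    # box would imply (assumed, for illustration only).
    rate = full_keyspace(8) / (23 * 3600)
    print("8-char brute force:      ", full_keyspace(8))
    print("uppercase-first only:    ", mask_keyspace([UPPER] + [FULL] * 7))
    print("8-char predictable mask: ", mask_keyspace(predictable_mask(8)))
    print("reduction factor:        ", reduction_factor(8))
    masked = mask_keyspace(predictable_mask(8))
    print("hours for mask at same rate: %.4f" % hours_to_exhaust(masked, rate))
    # Constructed sample passwords run through the policy check.
    for pw in ("Password1", "Tandoori!", "x7Qf#pL2", "IoetcoSewtwc"):
        print(pw, "mask-shaped" if is_mask_shaped(pw) else "ok")
    print("Summer11 -> Summer12:", is_incremented_rotation("Summer11", "Summer12"))
```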
Vertically, it takes 10 days to crack a password, or you can just spend the same $3,000 and go horizontal and just get a crap ton of GPUs at Amazon and have them all cracking simultaneously, and you can have it done in about 23 hours. It's going to be the same $23,000 or $3,000. The only difference is, on a single box you did that once, and you can keep doing it again and again and again; it just takes 11 days for eight passwords. As opposed to, like, I just have a project and I just need to crack something and move on with my life and I'll never crack a password again; then I would say just use Amazon. But if you're going to do it for, you know, checking the strength of your employees' passwords like I have to, you get a single box, and we'll show you what my box looks like in just a minute. And we said distributed: non-existent. Well, according to Crack Me If You Can, it will be existing pretty soon, and I want to work with them to do a Chrome/Firefox extension, so you can also do like distributed storage of cracked passwords. Whoa, I don't know about that. There's a GPU/CPU distributed password cracker called Durda? I don't know, d-u-r-d-a-n-e-o. Okay, Bitweasel is questioning your authority on this subject. I'm not aware of this. Is it actually still developed? We'll talk about that offline. Don't forget there's a track 1 Q&A, so I'm just droning on, I'm sorry. If you want to know more details, we can get into that in the Q&A. My thing says I'm good on time, but am I still good on time? Where are you, goon, that's supposed to be monitoring me? 17 minutes, okay. Oh, here's like a really, really, I don't know how well you guys can see this up there. I know it was like really scrunched and everything, but what I went ahead and did with my budget after I cracked his password, he gave me a bigger budget, was bought a shit ton of GPUs just to see what the actual efficiency of every single one was against the CUDA Multi-forcer that Bitweasel did, and I also did some just basic crunching. So if you look at this,
this slide is in your CD, and you can actually go on to our website once it's up, cuckoosnest.net; it'll be live in two weeks. You can actually get the live latest updates on this. This actually tells you your bang for your buck. So in the very bottom right corner there, you're going to see those gold things; that's your bang for buck for either keys versus dollars, keys versus cores, keys versus memory, and all a key is is a password. We just referred to it as a key, but that just means a password that we tried, and it worked or it didn't work. Silver is second place and bronze is third place. So that's kind of how it breaks out, and these numbers actually are always, I tried to do bleeding edge. These numbers change so frequently, because Newegg and Amazon and Fry's are always competing and trying to keep the prices lower, and things change dramatically, but at the time these slides were made, about four weeks ago, these were the current dollar amounts for each of these GPUs and the efficiency of each one. So right now, if you have the ATI HD 5970, which I think is in shortage, like a lot of people didn't have it anymore, like everybody wanted them for bitcoin generation, they just ran out of GPUs. So if you can find one, that's actually the most efficient one, the biggest bang for your buck, with OCL Hashcat, and maybe that'll change after I have an offline discussion with Weasel over here, and he's all working in OpenCL currently. Very good, so we'll get back to that. So this is what SanDisk is going to do, and this is what I submitted to my CIO as a good idea. So what I told them was, how would you like to have a computer in the top 100 of the Top 500 supercomputers? And he said, what, were you going to save me money somewhere else before I give you this budget? So I ended up saving him about $225,000 on our pen test by going with a boutique shop with some personal friends of mine. So he's like, well, you saved me $200,000; that's clearly not $200,000, you can have
that money so hopefully by December we'll actually have this live and working and I'll actually be able to show you this live I'm going to do a VPN in maybe from Shmucon or something like that and actually show you 80 GPUs cracking 150 trillion passwords per second for $52,000 so yeah the GPU count is 40 but that doesn't it's actually 80 because like I said before the 59 or the GTX 590s are two GPUs each so yeah so actually it's 136.8 trillion passwords per second is what we have but if I can work with Bitweasel and get that more efficient maybe we can make that faster and it's actually going to be I know I just told you guys ATI is the best bet but it's going to be NVIDIA simply because we want to put this computer on the top 500 list just to be assholes and the way to do that is with LinPak and LinPak only supports CUDA GPUs which means you have to use NVIDIA unless somebody wants to write me on LinPak for ATI cards then I'll go with that that'll actually bring this cost from $52,000 down to $38,000 for a top 100 super computer I'll pay you if you can save me money I'll actually pay you the difference just to make it happen so I have no problem throwing money at problems okay remember if you were here for the beginning I am a CISO so if I can't figure it out I'll put money on it either hire somebody or do outside development just to get it done so that's the problem you have when you have like a former black cat now running the show where if he can't figure out the answer he's going to find somebody who's going to figure out and pay them well to do it so just keep that in mind if you have some gigs and you want to pitch something to me if it sounds like a good idea and it makes sense for Sandus to do it I'll pay you to do it and you know you can take your credit but we're going to totally enjoy the fruits of your labor and then later we'll open source it because you know it's my call so so not to spin my own wheels but you guys do finally have one of your own in 
the hiring ranks of a Fortune 500 company and I'm going to abuse my power until they kick me out all right moving along so this is the brute force calculator so I'm going to do a I'm going to switch over to the brute force calculator here with my really awesome screen resolution so this is also on the disc if it's not just ask me and I'll get you one and I have the latest numbers here so this is what I did a cut and paste of but you can essentially this is totally ripped off of some site that did this and I just retooled it for the latest numbers which you can say is I want an eight character password what's my time to live if I decide to use an eight character password and it's 10 days so you have 10 days with uh let me show you the current costs down here $2,000 it was $3,000 now it's $2,000 if you don't think your password is worth more than $2,000 just have it be eight characters because it'll be cracked it doesn't matter what it is whether it's ntlm or md5 or shaw one or even shaw 256 because it's just cracking passwords it takes about 10 days and $2,000 if you have an eight character password and like I said you can do it in 23 hours for $3,000 with amazon web cluster what? 
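The arithmetic behind that brute force calculator, as an added example (not the speaker's tool and not the site he retooled): a 92-symbol set raised to the password length, divided by a guess rate, gives the worst-case time to exhaust the keyspace. The 136.8 trillion guesses per second is the figure the talk quotes for the planned 80-GPU build; the one-year target and the lengths in the table are assumptions chosen here to show the exponential jump per character.

```python
"""Brute-force time-to-live calculator (added example, not the talk's tool).

A password of length L over a charset of N symbols has N**L candidates;
at R guesses/s the whole keyspace is exhausted in N**L / R seconds (hitting
one particular password takes about half that on average).
"""

PRINTABLE = 92            # "anything printable on your keyboard", as in the talk
RIG_80_GPU = 136.8e12     # guesses/s quoted in the talk for the $52,000 build

def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length

def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second

def min_length_for(charset_size, guesses_per_second, target_seconds):
    """Smallest length whose full keyspace outlasts `target_seconds`."""
    length = 1
    while seconds_to_exhaust(charset_size, length, guesses_per_second) < target_seconds:
        length += 1
    return length

def humanize(seconds):
    """Render seconds in the largest unit that gives a value >= 1."""
    units = [("centuries", 3_155_760_000), ("years", 31_557_600),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    # Time-to-live table: every extra character multiplies the work by 92.
    for length in (8, 9, 10, 11, 12):
        ttl = seconds_to_exhaust(PRINTABLE, length, RIG_80_GPU)
        print(f"{length:2d} chars  {keyspace(PRINTABLE, length):.3e} candidates"
              f"  {humanize(ttl):>20}")
    one_year = 365.25 * 86_400   # assumed policy target, not from the talk
    print("shortest length that outlasts one year on this rig:",
          min_length_for(PRINTABLE, RIG_80_GPU, one_year))
```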
This is a 92-character set, so anything that's printable on your keyboard, period. Is it the crazy ones where you do like an alt-shift special character? No. Who's doing that? Nobody. Okay, 0.01 percent, 0.01 percent, and congratulations, you defeated my thing. But for the rest of you jerks in the audience, which is everybody else, you're screwed if you're having it. So think about your Google password, think about your PayPal password. If you've got eight characters and you say, well, you know, it's Google, it's PayPal, it's all these other people: Gawker got hacked two years ago. December, January, December '08, January '09, Google admitted that they had a problem and some of their Gmail accounts got broken into; that's why they have two-factor authentication. Okay, so if you think that all these places, especially Yahoo, I know the new CISO over there, and let me tell you, make sure it's over eight characters, okay? Sorry, Justin. So just think about any of your passwords: 10 days. That's what your password is worth at eight characters. It's done with. Now here's the surprising thing, because this is a password calculator, I can type whatever I want into it. Nine. What does that work out to be? Anybody can guess. There's 10 days for eight. I got two months. One year. 10 days. No, surprisingly, just adding one character is 2.6 years. This is not a linear thing; this is an exponential thing. So just adding, just saying, okay, I can figure out one new character to rememberize, just saves your ass that much more. So guess what? At SanDisk, since I'm still trying to train people before we go to passphrases, everybody's required to have nine characters. You know, yeah, it's one more than eight, and everybody thinks it's superficial, you know; the proof is in the pudding. 2.6 years for $2,000. Now of course, if I throw more money at it, you know, like, say, I don't know, $52,000, that number will go down, right? So let's look at what that number goes down to. $52,000: 18 days. Just to remind you guys, the number two supercomputer on the top 500 list is a Chinese supercomputer with GPUs. And let me articulate my voice a little: a Chinese supercomputer is number two on the list. As of two months ago it was number one; the Japanese took over. So the Chinese are getting your eight characters and your nine characters, supercomputer status, in less than a minute. So let's revisit that discussion about two-factor authentication, right? And that's why we're here. That's the whole point of my talk, is I got yelled at at ShmooCon during the panel that my answer to everything was two-factor, and they were saying it costs a lot of money. Let me remind you: PayPal does it for free, USA does it for free, Google does it for free. Your company already has it. Are they sharing your tokens with third party vendors in a secure manner? Federated passwords, right, OpenID, all that stuff. Are they doing that to make it happen so that we all can move to two-factor? It's just, in the age of Chinese espionage, you just have to have two-factor. That's just the way it is, whether you work at a private company, whether you work for the ACLU, you know, whether you work somewhere else that they care about your stuff. You know, you just have to have two-factor. That's just the long and the short of it. Anybody want to see what my... what Qualcomm's 12 character looks like? I think it starts getting into galactic years. So Qualcomm requires 12 characters. Oh, do they require it yet? You two guys over there, I know he was talking about it and I was like, wow, what a jerk. 12 characters. Start inspecting people's keyboards now. So you see, it's all pounded out here already, right? So it gets into 0.01 galactic years, and yes, for all those curious, galactic years is a legitimate thing. But yeah, it takes 21,000 centuries. That's a long time. And how about those supercomputers in China? For now you're okay, but if you haven't noticed, with GPUs in the high-performance computing realm these days, guess what? You know, like five years ago we were only doing one petabyte as the number one computer. We're now at 320 petabytes. Or not petabytes, petaflops, thank you. Peta... we're at 120 petaflops per second as the number one computer. So in just five years we've had more than a hundred percent growth in that field. So how long do you think that's going to last? So we have to start thinking about things like better salt, two-factor authentication, that sort of thing.

I'm running really low on time, if not out of it. Five minutes. I don't know how many more slides I have; I'm just going to buzz through these real quick. Yeah, we had a pillow fight instead of live demos, if you really want to know more about it. Oh, NTLM is dead, if you haven't heard. So if your Active Directory domain administrators are still using NTLM to do federated passwords back and forth, throw something heavy at them, preferably a brick, and tell them to move over to Kerberos. So yeah. And let's learn from Gawker, Sony and others, you know, or how I got F'd in the A with the D, right? You know, I mean, that's not even federal prison; I mean, that's like burrito up the aspect, Mexican status right there. So, um, so I mean, you've got to really think about it. You know, Gawker, I mean, the guys that just pwned everybody in Silicon Valley got pwned themselves. So how many of you shared that password with all your other passwords? And you don't have to raise your hand; just think about it in your head how dumb you were, okay? So, uh, Sony, you know, we all had our PlayStation online accounts, we can all admit it. You know, they said your credit cards weren't stolen. They were stolen; come on, let's not joke ourselves. Your credit card wasn't stolen, but you get one free year of credit monitoring service, but don't worry, it wasn't stolen. Okay. And I do have some buddies over there, and they can eat a bag of something. A little sidebar on that: like two-thirds of their security team actually got fired over that, because when they came back online, like 30 seconds later they got re-pwned, and they're like, oh, okay, I get it, you guys are all fired, you know. So think about that when you guys got on for a minute, change your password to the secure password that got pwned again, that you use for all your more secure things, you know. So I mean, that's really my big push for two-factor. So definitely, like, try and figure out multiple passwords, and this gets into the thing of password safes. Use a really good password, maybe even a two-factor authentication password for your IronKey or other technologies that are out there, and then you can have some unruly 32-character-long special-character thing that you can cut and paste somewhere else. As long as you're not using that password to get into your password safe for all this other stuff, it makes better sense to do that. And if it gets pwned, and then there's these public lists that people can GPU password crack, like Gawker and Sony, you're not going to be that idiot that's got the eight-character password, right? So no offense, I keep on calling you guys idiots, and you came to my talk. And we just talked about that, salting passwords. I was going to do a, what do you call it, Conan O'Brien. There it is. Yeah, I practiced that all year just to not do it. So we will say, as far as that's concerned, like I said, supercomputers are only as exponential as we're seeing with GPU password cracking with the complexity of these passwords. So really think about that as far as what your passwords are, what your password policies are. Even if you're an individual contributor at your company, you can still come back and say, here's my password calculator; don't listen to me, because I'm just some schmo that you don't care about that's just doing all your current work; listen to the calculator, you know, it doesn't tell any lies. If you are a mover and a shaker in your company, make it happen, you know. Start doing all these educational things, show all these slides to the people in your company and say, no, this is how you're F'd in the A with the D. You know, and I'll be quite frank with you guys, like this is a SanDisk slide. I had this conversation with the C-level staff there, and I did not remove that out of this slide. I told, you know, the CIO he's going to get F'd in the A with the D if he doesn't change his policies, you know. That's how serious I am about it. And my point of coming up here and just babbling on to you guys is to kind of make you just as serious as I am. Quantum computing: when that happens, we all can just pack it up and go home, right? So if you're not two-factor by then, you're just F'd, like seriously. I don't even have like a clever witty thing to say for that. You know, I mean, you're just going to have just like a Bukaki Fest like 24-7, just like in and around your mouth. Okay, so my fiancée is just looking at me like, you did not just do that. So yeah, so think about that. And that's any second now, right? IBM and Toshiba and Samsung are like on the verge of quantum. So think about that.

Conclusion, questions and answers. I think, sorry, I can take... am I out of time already? Am I a jerk? Okay, I can take one question, and then remind you guys that there's a Q&A track one near here and you can ask me a bunch more questions. Sorry that I just kind of carried on. So who's got the first hand for a question? That guy right there. Stand up, what's your name? Okay, his name is Skunkworks, apparently, because he can't listen to me. Skunkworks, what is your question? Application specific integrated circuits. You're talking about FPGAs. So integrated circuits is very similar to FPGAs; it's the same thing as GPUs, because you're making a purpose-built embedded solution. It's getting... I think the costs right now are prohibitive for that, but later on... Oh yeah, yeah. Thank you very much, everybody.