On Fri, Jun 25, 1999 at 01:34:22PM -0700, Tom Weinstein wrote:
> I think your view only makes sense if you are only interested in
> protecting yourself against entities who have $100,000 (or $50,000,
> or whatever) to build a DES cracking machine.  If, on the other
> hand, you're also worried about 12 year old kids who pass around
> lists of credit card numbers, then exportable crypto is useful to
> you.  While the first group may be more scary to you, most people
> only care about the second group.  Which is not to say that you're
> wrong about your priorities, but other people, rightly or wrongly,
> have different ones.

I did some calculations on this.  When I tracked the cracker scene
back in 1992 or so, an account collector would typically have accounts
on 1000 to 2000 different systems, sustained.  I would be surprised if
the kiddies of today have much less.  This is a large enough number of
systems to make attacking 40-bit encryption *very* feasible.  For a
relatively small site taking credit card orders, it is enough to make
it feasible to attack *all* transactions.

Not that I would worry overmuch about it - it is also trivial to
calculate the check digits on a credit card, and most of them are
given out in series.  It is also trivial to get hold of the expiry date
- just call up a credit card charger the 24 required times, keying in
the next two years' worth of expiry dates and a small charge.

Eivind.
