Researcher Overcomes Legal Setback Over 'Cloud Cracking Suite'
Apparent mis-translation by a German newspaper of English-speaking reports on researcher's Amazon EC2-based password-cracking tool led to raid, frozen bank account
March 21, 2011
German researcher Thomas Roth got a phone call with some unsettling news the evening before he was to release a new hacking tool in his presentation at Black Hat DC: he had been served with an injunction for allegedly breaking anti-hacker laws in his country and law enforcement would be raiding his apartment back in Germany.
Roth, who had planned to release at the January conference his new open-source tool that uses Amazon's GPU processing services to crack SHA1-based passwords at high speeds, found himself in a legal quagmire that started with a German publication's mis-translation of English-speaking news reports on his research. The German newspaper incorrectly reported that Roth had said he would be turning a profit as a sort of hacker-for-hire. That led to a German telecommunications firm taking legal action against the researcher: "They misunderstood that I was getting money for doing this ... and illegally breaking into networks," says Roth, a researcher and consultant for Lanworks AG.
His bank account was frozen as a result, and Roth spent the past couple of months in a legal battle trying to clear his name and calling out the German newspaper article for its inaccurate translation of his research and the intent of his tool, which he describes as a quick way to brute-force hack weak, easily guessed passwords. Roth was able to crack 400,000 passwords per second using eight Amazon Nvidia GPU instances, and 45,000 to 50,000 passwords per second with just one GPU instance, he says. By contrast, two high-end Intel X5570 Quad-Core CPUs can crack about 7,000 passwords per second, he says. Strong passwords, which use a mix of letters in mixed cases, numbers, and symbols, are relatively safe from this type of cloud attack, he says.
The German telecommunications firm--which Roth says he does not want to name—alleged that Roth was in violation of Germany's so-called "Hackerparagraph," 202c StGB, which says that's illegal to use, distribute, or create tools for stealing or arranging the theft of data. The firm accused Roth of illegally breaking into wireless networks and planning to release rainbow tables to be used to hack into company networks.
But Roth had only created an open-source tool for testing for poorly secured wireless networks, he says. "I neither illegally broke into networks and [nor] also don't want to enable anyone to do so," Roth says. He maintains that the tool works on poorly secured wireless networks, which are already in danger of hacking, anyway.
The German newspaper apparently misconstrued English-speaking reports of how Amazon's GPGGPU instances make the relatively heavy computing resources needed to perform the password-hash cracking more accessible, and took a mention of the $2.10 per hour fee quoted for GPU instances needed for a typical high-performance computing project as the fee Roth was making in his alleged password-hacking service.
"They said I would make $2.10 per hour ... that I was going to sell this service where people could ask me to break into networks and I would do it at a really low rate. It was pure B.S.," Roth says. "It basically goes back to a failed translation by a German newspaper."
Roth, who had to jump through several hoops to unfreeze his bank account, also secured an injunction against the German newspaper in question.
The injunction since has been revoked, so Roth was able to release his so-called Cloud Cracking Suite on Friday at Black Hat Europe in Barcelona.
Meanwhile, Amazon has lifted the amount of GPU instances Roth can use, to 64, he says. "As long as I'm not doing anything illegal on their infrastructure or DDoS'ing ... so they don't really care. They are pretty glad someone was using this kind of [GPU] instance," he says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024