One of the biggest selling point of cloud computing is its ability to scale up and down based on the resource needs. One of the most quoted stories by Cloud evangelists in the early days was the story of New York Times tapping into EC2 scaling capabilities for their needs.
Using Amazon Web Services, Hadoop and our own code, we ingested 405,000 very large TIFF images, 3.3 million articles in SGML and 405,000 xml files mapping articles to rectangular regions in the TIFF’s. This data was converted to a more web-friendly 810,000 PNG images (thumbnails and full images) and 405,000 JavaScript files — all of it ready to be assembled into a TimesMachine. By leveraging the power of AWS and Hadoop, we were able to utilize hundreds of machines concurrently and process all the data in less than 36 hours.
Since then the world has moved forward with many enterprises tapping into cloud for Cloudbursting. But, the ability to scale fast is still the important characteristic of cloud computing.
When we grew up in the world of Wifi, we were strongly encouraged to move away from the world of WEP into the world of WPA. Since WEP offered only a very weak protection and even your grandpa could crack it without much fuss, WPA was touted as a better option. In the case of WPA (I am discussing a home use scenario here), the encryption uses a 128 bit TKIP key which was them mixed with the MAC address of the wireless sender. This is once again mixed with 49 bit initialization vector to create a unique key that is used to encrypt one packet. The initialization vector used in WPA is twice as that of WEP. And, WPA also creates dynamic session keys, with
different keys per user, per session and per packet. The double length of Initialization Vector in WPA over WEP gave over 500 trillion possible key combinations, making it very difficult to crack. In fact, this was considered to be a strong security for most of the wifi uses as it will take several days for a dedicated cracker to break open the key. Everyone lived happily with a feel good factor, using their wifi for everything including banking transactions. This was our life when the only cloud we knew were the ones on the sky.
Enter cloud computing and the ability to scale fast as quoted in the NYT example above. If a cracker could tap EC2 like clouds for his/her cracking needs, he/she will be able to crack the WPA passwords in minutes. This makes everyday life vulnerable to many different digital thefts. Big enterprises have a full fledged security team to address this issue. However, home users and small businesses cannot afford to have a security team like these enterprises. The best they could do is to have a really strong WPA key that is not crackable using dictionary attacks. There are many ways to check the strength of the key used. One could download a dictionary attack based key cracking utility and run it on their desktops or local servers. This approach poses two different issues. One is the need to find a really exhaustive dictionary and the other is the tie up of a desktop/server for several days (weeks). Even though it is very easy for geeks to do from their home/dorm room, it is not so easy for those home folks and small business owners.
Enter WPACracker, a SaaS application that taps into a 400 server cluster and 135 million word dictionary to help users crack their WPA passwords in as little as 20 minutes. Well, this is not a free site put forward by a kiddie hacker for their own kick value. This is a serious business set up by a professional hacker, Moxie Marlinspike, to help anyone from home users to small businesses to even auditors auditing enterprise compliance. Depending on how fast you want to get the results, there are two plans available. One can pay USD $34 to use the entire 400 server cluster to find the password in 20 mins or use just half of it for USD $17 and get the password in 40 minutes. This is a convenient service delivered at a very low cost. You can check out the techmeme discussion here.
More than the service itself, what excites me most is the possibilities for the future. It is now possible to offer, using clouds, various security measures as a service at a low cost so that even small and medium businesses can take advantage of the tools that were only used by enterprises because they had the ability to hire security professionals. Cloud is really a game changer that empowers SME users, leveling the playing field with big enterprises.
What’s the malicious side of that equation? Could WPACracker be used against users and individuals?
I think they should be able to do it if they have the pcap file. I will see if I can get in touch with the person behind the app to dig more.