I haven’t seen much coverage on this new exploit but according to unsakred.net it does exist (http://unsakred.net/2007/10/25/yahoo-chat-exploit/).
October 26, 2007
October 24, 2007
Yahoo! Messenger Author’s New Security Book
There’s not much meat or new content in this post but I did find it rather humorous. Richard Sinn is apparently the software security engineer for Yahoo! Messenger and he now has a new book out entitled Software Security Technologies: A Progammatic Approach (http://blog.messenger.yahoo.com/blog/2007/10/23/kudos-for-the-team/)(http://www.amazon.com/dp/142831945X?tag=open0f-20&camp=14573&creative=327641&linkCode=as1&creativeASIN=142831945X&adid=1435SV1WH79S425NG1ZF&). The price is high for a paperback at $87.95 USD but I may read it once the price drops or there are used copies. Some scholars say that you can’t understand a work of literary art until you know the person. In this case I don’t think you can truly understand the security of Messenger until you know the person designing it. In short I think the first user post sums it up:
“Richard Sinn, our resident software security guru on the Yahoo! Messenger team.
if he’s the guru,wat the hell wrong with all the bots and sam we get on messenger.think before u publish,omg wat a mess yahoo in”
October 22, 2007
CPUs and GPUs Unite to Attack Passwords
There is a new story on Slashdot (http://it.slashdot.org/it/07/10/22/1851226.shtml) today about an article (http://www.net-security.org/secworld.php?id=5567) that could possible speed up password cracking by a factor of 25. ElcomSoft (http://www.elcomsoft.com/) has filed for a patent for a technique that uses both the CPU and GPU (graphics card) in a modern computer. ElcomSoft is a known software company that has specialized in selling password cracking software for many years. I have personally bought their software for the purpose of discovering how Yahoo! Messenger stores its passwords. Password cracking is a very shady area but it appears that ElcomSoft can actually be trusted.
The idea of using the GPU is not particularly new. The idea has been thrown around for several years but to my knowledge this is the first wide-spread practical application that has bee proposed. The science of cryptography has always been similar to the virus-antivirus arena. It is a rat race to one up the other side. It will be interesting to see which algorithms are susceptible to this attack and how the crypto community will react.
