[19449] in bugtraq
Re: Nortel CES (3DES version) offers false sense of
daemon@ATHENA.MIT.EDU (Valdis Kletnieks)
Thu Mar 1 11:39:25 2001
Message-ID: <200103010616.f216Fxe05788@foo-bar-baz.cc.vt.edu>
Date: Thu, 1 Mar 2001 01:15:59 -0500
Reply-To: Valdis.Kletnieks@VT.EDU
From: Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
X-To: Crist Clark <crist.clark@GLOBALSTAR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Wed, 28 Feb 2001 14:33:06 PST."
<3A9D7CA2.E4F5329E@globalstar.com>

On Wed, 28 Feb 2001 14:33:06 PST, Crist Clark <crist.clark@GLOBALSTAR.COM> said:
> The bottom line: Who friggin' cares? Unless you are a foreign government
> hiding data from NSA or one of its counterparts, no one who has the means
> cares enough to bust DES for your data, let alone two- or three-key 3DES.

Umm.. the entry level for a DES breaker is well under $250K, as the EFF
showed some time ago. This is *WELL* within most Fortune 500 companies'
budgets for industrial espionage. Applying Moore's Law, it will be
under $100K very soon, if not already.

At that point, even things like supermarket chains might want to
buy into it.. I'm sure that Food Lion (one local chain in my area)
would *love* to get the data Kroger (another chain) has collected with their
'Kroger Plus' card (get discounts, they collect data on what you buy).
And I'm equally sure that Kroger would love to get Food Lion's data
from their 'VIP' program (same idea, different name). Both programs had
to cost at least $250K to start chain-wide, so the management of each
chain obviously thinks their data is worth at least $250K.

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech