
Posts Tagged ‘brute force’

1024 bit RSA key circumvented

Wednesday, June 18th, 2008

The Gpcode virus has been making news of late. It’s ransomware that encrypts the infected machine’s files with a 1024 bit RSA key, demanding a monetary payment in exchange for the decryption key. Kaspersky Labs announced that they would try to brute force the key if people would just loan them some spare CPU cycles. They took some flak for even trying this, including a rebuke from the master cryptographer himself, Bruce Schneier.

Now it appears they’ve found a solution. No, they haven’t cracked a 1024 bit RSA key this quickly; they’ve discovered that the original files can be undeleted, and released a utility to assist in the endeavor. This is another example of Shamir’s third law of security. For those of you who don’t know, Adi Shamir, recipient of the Turing Award and the S in RSA, once delivered his 3 laws of security:

  1. Absolutely secure systems do not exist
  2. To halve your vulnerability you need to double your expenditure
  3. Cryptography is typically bypassed, not penetrated

This is about as good an example of law number three as I can think of. Kaspersky would have found it nearly impossible to break the key in a meaningful amount of time, however circumventing the cryptography proved itself to be much easier.

password lockouts

Sunday, May 11th, 2008

Has anyone ever stopped to ask themselves why they set password lockouts to 3 or 5? (The so-called “industry standard”.) There are plenty of people who accidentally lock themselves out in 3 or 5 tries, and end up having to call the helpdesk (or equivalent) for a password reset. If the limits were raised to 10 or 20, it would probably greatly reduce those calls.

Generally passwords are much easier to obtain through human factors than brute force attacks. No additional security is gained by lowering the lockout from 20 to 3 as 20 attempts is still not enough to break in a brute force attack, and any password that can be guessed in 20 attempts can just as easily be guessed in 3.
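To make the trade-off concrete, here is a small lockout tracker I’ve added as an example (it is not code from the post or from any product it mentions). `LockoutPolicy`, `guess_coverage` and `simulate` are names I chose; the policy locks an account after `threshold` failures inside a sliding `window_seconds`, and `guess_coverage` shows what slice of a uniformly chosen password space a threshold of 3 versus 20 online guesses actually permits. The event sequences are constructed for illustration.

```python
"""Added example: account lockout with a configurable failure threshold.

Not from the original post. Names (LockoutPolicy, guess_coverage, simulate)
and the event sequences below are assumptions made for this illustration.
"""
from collections import defaultdict


class LockoutPolicy:
    """Lock an account after `threshold` failed logins within `window_seconds`."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        # account name -> timestamps of failed attempts still inside the window
        self._failures = defaultdict(list)

    def _prune(self, account, now):
        # Forget failures older than the window so an old mistake
        # does not count against a later, unrelated attempt.
        cutoff = now - self.window
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def is_locked(self, account, now):
        self._prune(account, now)
        return len(self._failures[account]) >= self.threshold

    def record_failure(self, account, now):
        """Record one failed login; return True if the account is now locked."""
        self._prune(account, now)
        self._failures[account].append(now)
        return self.is_locked(account, now)

    def record_success(self, account):
        # A successful login clears the failure history.
        self._failures.pop(account, None)


def guess_coverage(threshold, alphabet_size, length):
    """Fraction of an alphabet_size**length password space that `threshold`
    online guesses can cover, assuming passwords are chosen uniformly
    (human-chosen passwords are weaker, but the ratio between 3 and 20
    guesses is the same either way)."""
    return threshold / (alphabet_size ** length)


def simulate(policy, account, outcomes):
    """Feed a constructed sequence of (timestamp, succeeded) login events.
    Return the timestamp at which the account first became locked, or None."""
    for t, ok in outcomes:
        if policy.is_locked(account, t):
            continue  # attempt rejected without checking the password
        if ok:
            policy.record_success(account)
        elif policy.record_failure(account, t):
            return t
    return None


if __name__ == "__main__":
    # Constructed sample: a user fat-fingers the password three times in a row.
    fumbles = [(0, False), (1, False), (2, False), (3, True)]
    print("threshold 3 locks at:", simulate(LockoutPolicy(3, 900), "alice", list(fumbles)))
    print("threshold 20 locks at:", simulate(LockoutPolicy(20, 900), "alice", list(fumbles)))
    for n in (3, 20):
        print(f"{n} guesses cover {guess_coverage(n, 62, 8):.2e} of an 8-char alphanumeric space")
```

Running it shows the user with the strict policy locked out on the third fumble while the lenient policy lets the fourth, correct, attempt through, and that neither 3 nor 20 guesses cover any meaningful fraction of even an 8-character alphanumeric space.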
