Researcher Overcomes Legal Setback Over Cloud Cracking Suite

Published: 22/11/2024   Category: security



Apparent mistranslation by a German newspaper of English-language reports on researcher's Amazon EC2-based password-cracking tool led to raid, frozen bank account



German researcher Thomas Roth got a phone call with some unsettling news the evening before he was to release a new hacking tool in his presentation at Black Hat DC: he had been served with an injunction for allegedly breaking anti-hacker laws in his country and law enforcement would be raiding his apartment back in Germany.
Roth, who had planned to release at the January conference his new open-source tool that uses Amazon's GPU processing services to crack SHA1-based passwords at high speeds, found himself in a legal quagmire that started with a German publication's mistranslation of English-language news reports on his research. The German newspaper incorrectly reported that Roth had said he would be turning a profit as a sort of hacker-for-hire. That led to a German telecommunications firm taking legal action against the researcher: "They misunderstood that I was getting money for doing this ... and illegally breaking into networks," says Roth, a researcher and consultant for Lanworks AG.
His bank account was frozen as a result, and Roth spent the past couple of months in a legal battle trying to clear his name and calling out the German newspaper article for its inaccurate translation of his research and the intent of his tool, which he describes as a quick way to brute-force hack weak, easily guessed passwords. Roth was able to crack 400,000 passwords per second using eight Amazon Nvidia GPU instances, and 45,000 to 50,000 passwords per second with just one GPU instance, he says. By contrast, two high-end Intel X5570 Quad-Core CPUs can crack about 7,000 passwords per second, he says. Strong passwords, which use a mix of letters in mixed cases, numbers, and symbols, are relatively safe from this type of cloud attack, he says.
The German telecommunications firm, which Roth says he does not want to name, alleged that Roth was in violation of Germany's so-called "Hackerparagraph," §202c StGB, which says it's illegal to use, distribute, or create tools for stealing or arranging the theft of data. The firm accused Roth of illegally breaking into wireless networks and planning to release rainbow tables to be used to hack into company networks.
But Roth had only created an open-source tool for testing for poorly secured wireless networks, he says. "I neither illegally broke into networks and [nor] also don't want to enable anyone to do so," Roth says. He maintains that the tool works on poorly secured wireless networks, which are already in danger of hacking, anyway.
The German newspaper apparently misconstrued English-language reports of how Amazon's GPGPU instances make the relatively heavy computing resources needed to perform the password-hash cracking more accessible, and took a mention of the $2.10 per hour fee quoted for GPU instances needed for a typical high-performance computing project as the fee Roth was making in his alleged password-hacking service.
"They said I would make $2.10 per hour ... that I was going to sell this service where people could ask me to break into networks and I would do it at a really low rate. It was pure B.S.," Roth says. "It basically goes back to a failed translation by a German newspaper."
Roth, who had to jump through several hoops to unfreeze his bank account, also secured an injunction against the German newspaper in question.
The injunction since has been revoked, so Roth was able to release his so-called Cloud Cracking Suite on Friday at Black Hat Europe in Barcelona.
Meanwhile, Amazon has lifted the number of GPU instances Roth can use, to 64, he says. "As long as I'm not doing anything illegal on their infrastructure or DDoSing ... so they don't really care. They are pretty glad someone was using this kind of [GPU] instance," he says.