Fudzilla: Bulldozer performance figures are in

[Tuna-Fish]

Do people REALLY use AES encryption all that often to justify the new extension? I can understand FMA, but AES just seems a little meh for most.

After all those high-profile leaks of private data on lost laptops, the public sector and big companies are finally demanding full-disk encryption on work laptops. This means that all disk accesses are now always decryption.

Modern many-core laptops have enough cpu horsepower to do that decryption without help. This does, however, come with a cost -- turning on whole-disk encryption much reduces the useful battery life on devices without AES-NI. Luckily, AES adapts well to hardware implementations without such problems.

In the short term, I see much more real-world use for AES-NI than I see for FMA.

 

[Edrick]

8 core (AMD) vs 12 core (Intel): Intel with 50% more cores 4.2GHz (AMD) vs 3.4GHz (Intel): AMD 23.5% faster than Intel Scores seem to be a little give or take. This doesn't paint a favorable light in AMD's favor (if the benchmarks are true)?

8 core (AMD) vs 6 core + HT (Intel): HT only gives 10-30% performance increase. So this is only a slight advantage to Intel. Not even close to 50% as you claim.

 

[Idontcare]

After all those high-profile leaks of private data on lost laptops, the public sector and big companies are finally demanding full-disk encryption on work laptops. This means that all disk accesses are now always decryption.

Modern many-core laptops have enough cpu horsepower to do that decryption without help. This does, however, come with a cost -- turning on whole-disk encryption much reduces the useful battery life on devices without AES-NI. Luckily, AES adapts well to hardware implementations without such problems.

In the short term, I see much more real-world use for AES-NI than I see for FMA.

Yeah but all the encryption in the world is useless if the user password is 1111 or God or BigDick and so on.

I agree that I too see encryption being a big selling feature, both externally (Intel/Dell etc) and internally (the IT dept setting policies)...but its effectiveness will still be limited by the human.

Consider the type of individual that is likely to be careless enough to leave their laptop full of gov secrets or healthcare data or banking data out and about to be stolen in the first place...you think that type of an individual is going to be the guy that worries about security of their laptop to the point of going to trouble of picking a strong password in the first place?

 

[sviola]

Yeah but all the encryption in the world is useless if the user password is 1111 or God or BigDick and so on.

I agree that I too see encryption being a big selling feature, both externally (Intel/Dell etc) and internally (the IT dept setting policies)...but its effectiveness will still be limited by the human.

Consider the type of individual that is likely to be careless enough to leave their laptop full of gov secrets or healthcare data or banking data out and about to be stolen in the first place...you think that type of an individual is going to be the guy that worries about security of their laptop to the point of going to trouble of picking a strong password in the first place?

But wouldn't the human factor be mitigated by using more biometric access in laptops? After all, most corporate laptops nowadays come with fingerprint recognition hardware.

Edit: of course, IT departments have to provide support for the users (one of the companies I have worked for had fingerprint hardware on the thinkpads, but the IT department wouldn't give support, so it was disabled - actually unplugged from the motherboard).

 

[drizek]

Yeah but all the encryption in the world is useless if the user password is 1111 or God or BigDick and so on.

I agree that I too see encryption being a big selling feature, both externally (Intel/Dell etc) and internally (the IT dept setting policies)...but its effectiveness will still be limited by the human.

Consider the type of individual that is likely to be careless enough to leave their laptop full of gov secrets or healthcare data or banking data out and about to be stolen in the first place...you think that type of an individual is going to be the guy that worries about security of their laptop to the point of going to trouble of picking a strong password in the first place?

I had my laptop stolen out of a 5 star hotel room. It wasn't careless, shit happens. I'm glad it was an arrandale and was fully encrypted. I had a lot of personal info on the drive.

I have encrypted my MacBook air c2d and it slows it down a lot. It takes a lot longer to wake from sleep and is quite inconvenient. I'm going to be putting more sensitive information on my laptop in the future, so I'm going to sell it and replace it with an ivy bridge model next year, and aes-ni is a big part of the motivation.

 

[SlowSpyder]

Yeah but all the encryption in the world is useless if the user password is 1111 or God or BigDick and so on.

I agree that I too see encryption being a big selling feature, both externally (Intel/Dell etc) and internally (the IT dept setting policies)...but its effectiveness will still be limited by the human.

Consider the type of individual that is likely to be careless enough to leave their laptop full of gov secrets or healthcare data or banking data out and about to be stolen in the first place...you think that type of an individual is going to be the guy that worries about security of their laptop to the point of going to trouble of picking a strong password in the first place?

I work for a large healthcare company, we finally pushed out full disk encryption about a year ago. As you say, I don't know how helpful it really is seeing as probably 1/4 - 1/3 of the remote user laptops I see have passwords written on a sticky note or sticker on the laptop anyway. :/

 

[Mopetar]

Yeah but all the encryption in the world is useless if the user password is 1111 or God or BigDick and so on.

I agree that I too see encryption being a big selling feature, both externally (Intel/Dell etc) and internally (the IT dept setting policies)...but its effectiveness will still be limited by the human.

Consider the type of individual that is likely to be careless enough to leave their laptop full of gov secrets or healthcare data or banking data out and about to be stolen in the first place...you think that type of an individual is going to be the guy that worries about security of their laptop to the point of going to trouble of picking a strong password in the first place?

That's why using salting is so worthwhile. If you choose a salt such as "!4mb5L$x*CUr3&c0#nVt8" it doesn't really matter if some idiot picks a bad password. If you're going to pay for expensive security, you may as well make sure that it's hard for any old idiot to make it easy to circumvent.

 

[allies]

8 core (AMD) vs 6 core + HT (Intel): HT only gives 10-30% performance increase. So this is only a slight advantage to Intel. Not even close to 50% as you claim.

AHH right right. I've been out of the loop for a while and wasn't sure what the i7 990x was. Thanks!

 

[jhu]

I work for a large healthcare company, we finally pushed out full disk encryption about a year ago. As you say, I don't know how helpful it really is seeing as probably 1/4 - 1/3 of the remote user laptops I see have passwords written on a sticky note or sticker on the laptop anyway. :/

You know why? It's because IT wants us to change passwords so often that it's really hard to keep track. Not to mention all the other passwords we need to remember in our normal lives.

 

[SlowSpyder]

You know why? It's because IT wants us to change passwords so often that it's really hard to keep track. Not to mention all the other passwords we need to remember in our normal lives.

Our password changes are only once every 90 days and we finally have a single password for most things. But I hear you, before we got the single password thing through everything had a unique ID and password... there could be 10+ different systems the average person needed.

 

[formulav8]

One thing you can be sure of, BD will NOT be what many expect. Hows that for for a prediction. :sneaky:

 

[Voo]

That's why using salting is so worthwhile. If you choose a salt such as "!4mb5L$x*CUr3&c0#nVt8" it doesn't really matter if some idiot picks a bad password. If you're going to pay for expensive security, you may as well make sure that it's hard for any old idiot to make it easy to circumvent.

Any salt will have basically the same result as it makes rainbow tables basically uninteresting. Also note that for cracking a single weak password the only thing a salt buys you is, that you can't just use a rainbow table. A dictionary attack is still possible and not especially hindered by the salt..

 

[3DVagabond]

Just comparing Twofish results with what my Phenom II gets.THis test might not be representative of overall performance, but there is nothing in it that would suggest that AMD is any more competetive with Intel now clock for clock.

Just to reiterate, these are crippled engineering samples. They are in no way representative of the GPU that will be on sale to the public. We need to wait until we see retail samples before we know anything. Bulldozer might suck, Bulldozer might kick ass, we can't tell though from anything that's available to us right now, though.

 

[Abwx]

.

 

[Idontcare]

.

Why do you keep reposting the same OBR benchmarks that have been proved false? He even came out and admitted it.

 

[Abwx]

Why do you keep reposting the same OBR benchmarks that have been proved false? He even came out and admitted it.

Also fake ?...Well that s a fresh fake, then...

Anyway, since AMD is keeping mum , this will help kill
some time in the waiting , while being a future witness
about OBR s credibility or lack of...

 

[frozentundra123456]

Yeah but all the encryption in the world is useless if the user password is 1111 or God or BigDick and so on.

I agree that I too see encryption being a big selling feature, both externally (Intel/Dell etc) and internally (the IT dept setting policies)...but its effectiveness will still be limited by the human.

Consider the type of individual that is likely to be careless enough to leave their laptop full of gov secrets or healthcare data or banking data out and about to be stolen in the first place...you think that type of an individual is going to be the guy that worries about security of their laptop to the point of going to trouble of picking a strong password in the first place?

I used to work for the Veteran's Administration, and they are very conscious (overly so in my opinion) about computer security. They have requirements for the password to have a certain length, certain kinds of characters, etc. So you do have to make a reasonably strong password, otherwise the computer will not accept it. I assume most businesses and other public institutions are implementing similar requirements.

 

[Idontcare]

Also fake ?...Well that s a fresh fake, then...

Anyway, since AMD is keeping mum , this will help kill
some time in the waiting , while being a future witness
about OBR s credibility or lack of...

http://obrovsky.blogspot.com/2011/07/you-were-punkd.html

Of Course, all results was FAKEs even know it, ive faked Them Well, the real numbers before NDA These Were and many more. Today's advice: DONT trust everything on the internet! PUNKD Were you all!

He's made it a hobby to post totally fake benches on his blog just to see where they pop up in the rumor sites and media (and to see whether they give any credit to the "source").

You are so thirsty for an AMD victory here that you are willing to drink the sand that is forming the mirage in the desert.

 

[Idontcare]

I used to work for the Veteran's Administration, and they are very conscious (overly so in my opinion) about computer security. They have requirements for the password to have a certain length, certain kinds of characters, etc. So you do have to make a reasonably strong password, otherwise the computer will not accept it. I assume most businesses and other public institutions are implementing similar requirements.

Same here, which is why I LOL'ed at the comment above about people sticking post-it-notes with their password on the laptop because its true.

At TI we had an expiring password that lasted 90 days. We had to select a password out of a list of 20 that we were presented with.

After a few years with so many passwords having been committed to memory and then passed on, I could not remember up from down and started using the post-it-note strategy after seeing so many others do the same.

Strong passwords are great for preventing remote attacks. Counter-productive for preventing local ones.

I'm also not interested in having my cold dead retina worth more to a thief than it is to my employer. If they want to secure my work hardware with my biometric info then they better be ready to pay to secure me (as in physical security) as well. Not interested in having my fingers cut off and what not.

 

[Mopetar]

Any salt will have basically the same result as it makes rainbow tables basically uninteresting. Also note that for cracking a single weak password the only thing a salt buys you is, that you can't just use a rainbow table. A dictionary attack is still possible and not especially hindered by the salt..

Probably shouldn't use encryption software that will let someone try to enter several thousand passwords per second.

 

[Phynaz]

Probably shouldn't use encryption software that will let someone try to enter several thousand passwords per second.

You don't use the security software user interface when brute forcing. That's kinda the point.

 

[Mopetar]

You don't use the security software user interface when brute forcing. That's kinda the point.

If you're brute forcing, usually you just have the password hash. Assuming that you know the hash function, you can commence with a brute force dictionary attack. Alternatively, you can use rainbow tables to save time.

If the hash is the result of a strong salt and a weak password, it's much less susceptible to brute force attacks. The only time you could easily ignore the added security provided by salting is if you're tying to brute force some part of the security system that adds on the salt to whatever input you enter. Since we were generally talking about encryption on personal devices, the program that handles the encryption needs to accept user passwords, so if they tried to attack it that way, the salt doesn't provide additional security. Of course, no sanely designed program should allow the user to enter an incorrect password several thousand times in a row without locking them out for at least some amount of time.

 

[Cogman]

If you're brute forcing, usually you just have the password hash. Assuming that you know the hash function, you can commence with a brute force dictionary attack. Alternatively, you can use rainbow tables to save time.

If the hash is the result of a strong salt and a weak password, it's much less susceptible to brute force attacks. The only time you could easily ignore the added security provided by salting is if you're tying to brute force some part of the security system that adds on the salt to whatever input you enter. Since we were generally talking about encryption on personal devices, the program that handles the encryption needs to accept user passwords, so if they tried to attack it that way, the salt doesn't provide additional security. Of course, no sanely designed program should allow the user to enter an incorrect password several thousand times in a row without locking them out for at least some amount of time.

If someone has access to the password hashes, there is a VERY good chance they have access to the salt as well.

 

[Voo]

Probably shouldn't use encryption software that will let someone try to enter several thousand passwords per second.
[..]
Of course, no sanely designed program should allow the user to enter an incorrect password several thousand times in a row without locking them out for at least some amount of time

Yeah that encryption software will surely be capable of stopping us looking at the raw binary data stored on the disk. Any kind of software block is useless and will at most just annoy the legitimate user.

If you're brute forcing, usually you just have the password hash.

Uh goodness, no. You're mixing up completely, absolutely different things. If we know the hash we already have the header key at hand (after all how do you think that one is encoded?) and therefore get the master key and all is lost (that's how it works for truecrypt, but then the basic idea is always the same).

If the hash is the result of a strong salt and a weak password, it's much less susceptible to brute force attacks.

Yeah except that the salt isn't secret and for a bruteforce attack doesn't do anything more than make the hashing take a bit longer (you have to hash more bits). The cryptographic strength of the salt is completely irrelevant (apart from its length).


Sorry, but you really shouldn't be giving security tips

 

[Phynaz]

Of course, no sanely designed program should allow the user to enter an incorrect password several thousand times in a row without locking them out for at least some amount of time.

I'll say it again.

When you are doing password attacks you aren't calling the user interface and typing in passwords.