For reasons relating to a bit of reverse engineering I was doing today (er, yesterday now... sleep schedule isn't going too well), I got thinking about how long it would take to crack a single DES key on commodity hardware today. While I was thinking, I hit on a novel idea. Distributed computing using javascript piggybacking on unsuspecting browsers.<p>It occurred to me that a site like youtube, if they parcelled out the DES key space to their browsers in leisurely 10,000 key increments such that you could check them in the background while watching a 1 minute video without making a dent in the CPU, could crack a DES key in something like 3 years in the average case (assuming a zero growth rate in audience.)<p>I going to have to think about how to manage the key space such that I don't chew more CPU doing that than I would checking the keys personally, however I think I'm going to implement this little experiment in distributed computing and see if I can attract people to paste some javascript on their personal blogs and suchlike.<p>Anyone interested in joining in, either as a developer or eventual cracker?
It's been done (but for SETI, not password cracking):<p><a href="http://ajaxian.com/archives/massively-parallel-crowd-sourced-javascript-app-server-seti-for-js" rel="nofollow">http://ajaxian.com/archives/massively-parallel-crowd-sourced...</a><p>However, this requires the client have Gears installed, which is basically no one. There's no reason you couldn't do it in the main thread, as long as the task were easily split up into multiple chunks and you were careful not to use too much CPU time.<p>The hard part is getting it widely distributed. The big traffic sites like YouTube would never do something like this. If you're unscrupulous you could inject the JavaScript in any site you can hack (WordPress blogs, etc...)<p>A MapReduce type implementation would be very very cool. Make it generic, such that you could submit bits of JavaScript code and the URLs of the data to operate on, and the location to post the results too.<p>It would surprise me if botnet owners hadn't already done something like this. Of course they can run whatever native code they want.