Posts

10-10-2019 - Updated Wireless RADIUS MiTM on AWUS036ACH Kali2019.3

Edit: No longer relevant, just apt-get install realtek-rtl88xxau-dkms on an updated Kali instance now. Edit2: Just found out this is still required for Debian 8. Edit3: The Kali drivers are SHIT, use this method anyways. Edit4: These things are a fickle bitch, updated 10-10-2019 for changes with the AWUS1900.

I just recently got back from a large wireless gig and found that it was time to update my wireless arsenal. I had previously been using an AWUS036NH, AWUS051NH and an AWUS052NH. The 052 must have gotten damaged because its signal strength barely picks up my home wireless, and the other two cards have seen better days. Wireless drivers are super finicky; what works today on a specific kernel release may not work after tomorrow's apt update && apt upgrade -y. That's why this post is titled with the specific card and Linux version used... your experience may vary. So first I had to decide which card I wanted, looking over at Alfa's ( https://www.alfa.c

New AWS G3 Instance Lineup

Amazon has released their new G3 instances, utilizing a Tesla M60 GPU platform ( http://www.nvidia.com/object/tesla-m60.html ) and scaling up to 4 GPUs. Along with this you also get 64 CPUs and almost half a TB of RAM. I figured it was time to crunch some numbers on Hashcat performance of the current AWS cloud options. For all the new G3 M60 GPU benchmarks, please visit ( https://gist.github.com/binary1985/881c2df6310659413102eaf5e349e999 )

Current state of GPU Hash Cracking

I have been following GPU performance trends since it first became popular with bitcoin. A recent trend in the cloud has me optimistic that "some" day high-intensity GPU workloads will make fiscal sense to run cloud-based. The last time I checked the current state of AWS GPU Hashcat performance I was disappointed in the findings; however, since then 2 new lines of GPU instances have come into play. Let's take a look at the current top-tier options, using on-demand pricing structures. G

Not Your Typical Pentest – IAM Cloud Insecurity

Update: A co-worker brought up this story, which shows exactly how bad things can get by abusing IAM roles. https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/

As a penetration tester, I often have to adapt and change according to the technologies that I am testing. However, sometimes the technology I am testing may be new to me and I have to perform research to truly understand the technology so that I can do a thorough job. Too often you will find that your penetration testers can get into a mode of scan and report. They will fire up the vulnerability scanner, identify some stuff for the client to fix, and move on. This often happens because testers can get complacent with what they are seeing in the industry. Then when they land a remote shell on a system, they are repeating what they did last time because, “Hey, it worked last time”. What really makes a good penetration tester is one who not only looks at the technology being tested throu