By "scalably factor", I was referring to their ability to take arbitrary 1024 bit public keys as they appeared in random TLS sessions on the Internet and factor them on demand.
NSA can virtually certainly target a specific, hardcoded 1024 bit key and break it. In fact, leaving out the cost and difficulty of recruiting the team to actually put the pieces together, the typical California venture capital firm has the resources to build a machine to do that today. Eran Tromer put the cost of such a machine in the single-digit millions, many years ago.
Apropos nothing: the gap between a 1024 bit key and a 2048 bit key is enormous. The thing that allows the NSA to meaningfully attack a 2048 bit key is likely to take RSA out altogether (and with it probably multiplicative finite field --- ie, "conventional" --- Diffie Hellman).
Watson Ladd has pointed out that since breaking authentication 10 years after it's been deprecated does not let you retroactively MITM someone but breaking key exchange 10 years after it's been deprecated allows decryption of stored intercepts, KEX should be stronger than certificates. So make sure your TLS server with 1024 bit key uses ECDHE or 2048 bit DHE, not plain RSA KEX.
NSA can virtually certainly target a specific, hardcoded 1024 bit key and break it. In fact, leaving out the cost and difficulty of recruiting the team to actually put the pieces together, the typical California venture capital firm has the resources to build a machine to do that today. Eran Tromer put the cost of such a machine in the single-digit millions, many years ago.
Apropos nothing: the gap between a 1024 bit key and a 2048 bit key is enormous. The thing that allows the NSA to meaningfully attack a 2048 bit key is likely to take RSA out altogether (and with it probably multiplicative finite field --- ie, "conventional" --- Diffie Hellman).