Feds Allegedly Demanding User Passwords From Services
An anonymous reader writes "Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article: 'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.' I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children."
Coming up next, our newest feature: Things I wish surprised me, even a little.
I needed to switch providers during the whole SOPA debacle, and decided it was a primo opportunity to move to an overseas VPS. I made sure to pick one that has no presence in North America. And now I'm glad I did.
Can the government force me to make a public statement, attesting that it's true?
Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.
... of which The Declaration of Independence, The US Constitution and Bill of Rights are.
Most notable is The Declaration of Independence, which makes it clear it is not only our right but our duty to put off bad government.
And that is all the response any Founder supporting company need supply any spying government agency.
It's time to show who is a real US Citizen.
and stupid has won.
I have supported the use of records and even following connections from a known terrorist, but this is insane. Pure insanity. No doubt this is because terrorists/spies have changed tactics, but still this is the wrong way to solve this.
I prefer the "u" in honour as it seems to be missing these days.
I wonder how that really works out, in the long-run. What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?
It's always confirmation bias!
It's a pretty pointless article if you don't name the company.
They can ask. All passwords are one-way hashed using a 16384 bit salt and run through 4,000 rounds of AES before being stored in the database. Over there in the corner is our custom-built core which does the password retrieval, comparison, and pass-fail out onto a RADIUS server. The network name is NSA_COCKBLOCK... feel free to have a copy of the algorithm and database.
#fuckbeta #iamslashdot #dicemustdie
How can I get a piece of this action - it's probably not impossible to impersonate the Fed to get companies to cough up their entire user credential stores... just a few large-bag hit and runs could net millions in CC#.
Make sure everyone's vote counts: Verified Voting
Come on, tell us who you are so we can not use you any more.
So now we're doing redundant text in a summary that references a redundant story that was an accidental dupe of another redundant story. It's slash-ception!
Was such a terrible idea.
Solution? Don't know your users' passwords. Store the hash, but send the salt to the user. Require both on log-in. Not sure how to ensure the salt stays secure en route, though. Require users have PGP? Send it snail mail in a sealed envelope?
Of course, this would have the side effect of limiting one's customer base.
Everybody, change your password to "Password" so that they think their algorithms don't work.
Type your password under this thread to have it on a "Do not collect" list.
It's okay, this thread will show it to you but not others. Here's mine:
***********
Names. Give us some names. I'd like to know who are these bureaucrats who ask for passwords? Then, I'd like to see them sweat over the possibility they might be censured, might lose their jobs.
Let them experience how thrilling it is to have their dark glasses taken away, feel what it's like not to be faceless anymore. Then, maybe they'd appreciate privacy a little more.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
How is this different from perlustration of regular mail and bugging the phone wires? I did not like those either, but I don't see this new development as particularly illegal...
In Soviet Washington the swamp drains you.
1. A company shouldn't have my password stored anywhere in a form that they can decrypt it.
2. A company shouldn't have the answers to my security questions stored anywhere in a form that they can decrypt it.
That makes it very easy then: "We would gladly comply with your request, but sorry, we can't".
I'd just like to be there to see the blank stare.
Is it just my observation, or are there way too many stupid people in the world?
Those damn kids will be the death of us yet.
It's just not technically possible and not something that my company would ever do because it would destroy the integrity of audit logs.
If they really need to have access as a specific user we have an impersonation feature (for tech support) that allows one user to perform actions in the system with the rights of another, except that the logs still tell us who is actually doing stuff. Seems like a much better way to deal with this kind of request.
When are the Kardashians on?
This is all USAsians care about, anyway. Nobody gives a shit about what government does to them as long as they have their bread and circuses.
I would say we are Rome, but I have to believe that Rome actually fell before it got this bad.
Fuck you. I don't believe it then.. Or it's just better to assume the worst, that they all give up your info while putting up a show of 'resistance'.
Whatever... This is what you people voted for so maybe you should redirect your feeble outrage.
“He’s not deformed, he’s just drunk!”
I find myself wondering how much of this (master keys, passwords, etc.) we'd be discussing NOW had it not been for Snowden having the balls (if not the brains) to leak what he's leaked.
Note to future leakers: Make sure you work out your living situation BEFORE pissing off one of the largest governments in the world.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Some kind of orbital strongbox that will act as the world's encryption key fob. Something that dodges around in an irregular orbit and explodes if anyone gets close to it.
Until Americans man up and accept the reality that Big Brother can't guarantee 100% security, they're going to keep doing this. I'm disheartened by how relatively low disapproval for these practices is. I think I heard only 56% against. In the US, I would expect those numbers to be astronomical.
I swear to God...I swear to God! That is NOT how you treat your human!
Just saying
Jack of all trades, master of none
About these penetrations. You would think there would be daily broadcasts from Anonymous or somebody indicating which systems have been hacked by the government. It's like people aren't talking about it much at all.
Something about a tree of liberty and tyrants, wasn't it?
You may not stop much terrorism with this kind of monitoring, but you sure could make a lot of money.
If you don't understand that, just wait.
Will no one rid us of this turbulent tyranny aborning?
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
All my passwords will contain "blowmeO" in them from now on.
http://www.daybydaycartoon.com/2013/07/26/#007040
Corporatism != Free Market
How about being supportive instead of antagonistic?
Be honest with yourself: have you spent more time watching television or being politically active?
This is also a criticism I aim at myself, but the first step is to be honest about the situation. Americans are politically lazy, and we have the government we deserve. I don't think there has been a massive nationwide protest here since the 70s, with the possible exception of the anti-war protests before the invasion of Iraq.
The people who run the show aren't going to give it up because we're complaining about them on the internet. It's not difficult to convince yourself to hang on to millions of dollars and unchecked power when there is no real penalty from the populace.
Sir, there are two passions which have a powerful influence in the affairs of men. These are ambition and avarice -- the love of power and the love of money. Separately, each of these has great force in prompting men to action; but, when united in view of the same object, they have, in many minds, the most violent effects. Place before the eyes of such men a post of honor, that shall, at the same time, be a place of profit, and they will move heaven and earth to obtain it. The vast number of such places it is that renders the British government so tempestuous. The struggles for [profit] are the true source of all those factions which are perpetually dividing the nation, distracting its councils, hurrying it sometimes into fruitless and mischievous wars, and often compelling a submission to dishonorable terms of peace.
And of what kind are the men that will strive for this profitable preeminence, through all the bustle of cabal, the heat of contention, the infinite mutual abuse of parties, tearing to pieces the best of characters? It will not be the wise and moderate, the lovers of peace and good order, the men fittest for the trust. It will be the bold and the violent, the men of strong passions and indefatigable activity in their selfish pursuits. These will thrust themselves into your government and be your rulers. And these, too, will be mistaken in the expected happiness of their situation, for their vanquished competitors, of the same spirit, and from the same motives, will perpetually be endeavoring to distress their administration, thwart their measures, and render them odious to the people.
-- Benjamin Franklin, 1787
America, ignoring what America once stood for more and more every single motherfucking day
Give power, budget, and secrecy to a government agency and they will abuse them all.
Increase their power and/or budget and/or secrecy and they will abuse them more.
Like them or not, like their actions or not, the likes of Fabjqra and Znaavat may be our best hope by crippling the secrecy leg of the triad at least a little.
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
These are Obama's DOJ, NSA and (insert three letter agency here) doing these evil things. Not Bush's. Not Clinton's. Obama's. Mr. Transparency and civil liberties. The man who has had five years to correct all the wrongs (legal or not) of his predecessor.
I know why the Republicans are not out in the street protesting (or at least a lot of them) but why are the Democrats not protesting? Why do progressives like Kos state publicly that they don't give a shit about the NSA?
I am disgusted to be an American and I am disgusted with my fellow Americans.
It might be time to consider working to defund much of the central government. The Democrats have expanded the Federal government by 5% since Obama took office and the national total of taxpayer funded jobs is 22 M. -- 1:7. By defunding the central government it increases diversity; competition among the states, and allows states to keep much of what they earned.
Who uses passwords?
if there was a serious suggestion to stop making our children into our society's sacred cows? We passed the Patriot Act because we couldn't stomach the thought of terrorists killing our children. We passed insanely restrictive sex offender laws because of the thought that a stranger might attack our children sexually. We tried to pass gun control in the wake of Newton. Every step we take down the slippery slope is in the name of improving security for our children.
At this point, I'm contemplating saying that I'd be willing to pay the price of seeing 32 1st graders wiped out every day by gunfire and pressure bombs going off once a day in crowded urban areas in exchange for being able to retain my privacy from the eyes of the government, and being able to determine how and with what means I will defend myself.
Here's to hot beer, cold women, and Glaswegian kisses for all.
Or just a corporate media powered applause machine with no real people actually agreeing.
So what would happen if these bastards came to my company throwing their weight around, demanding all of this and that and I just said -- wait for it --
NO!
maybe a "go fuck yourself" for good measure.
What then?
No wonder Russia went back to typewritten documents for security purposes!
We have absolute government access to everything, random search points with no right to decline (licensed drivers allegedly operate under allowance not rights), as well as guilty until proven innocent despite the rhetoric otherwise, and let's not forget the most minimal legal action confronting the government costs 10-500x the average income of a citizen.
This IS a police state. Police killing citizens are "workplace injuries" not crimes. Plonk.
That said, I've also heard that storing hashes for passwords is a bad idea. Why would that be, if the hashes are long enough and salted?
Say you use userid + username + join_date as the salt. No matter what you use as the salt, a modern GPU can brute-force your hash by evaluating SHA256(salt + password) extremely fast for hundreds of common passwords in parallel. To defeat this, use a computationally harder hash than SHA256.
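The two points above (a company that only stores a hash cannot hand over the password, and a single salted SHA-256 is too cheap per guess) in an added example that is not from the thread. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt as the "computationally harder" choice, and compares the per-evaluation cost against the single SHA256(salt + password) scheme:

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, a random 16-byte
# salt per user and a fixed iteration count stored alongside the hash.
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$dk_hex'.

    Only the derived key is kept, so there is nothing to decrypt: a request
    for "the stored password" can only be answered with this record.
    The salt is random rather than derived from userid/username/join date,
    so it cannot be predicted before the record is obtained."""
    salt = secrets.token_bytes(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def fast_hash(password: str, salt: bytes) -> bytes:
    """The scheme criticised above: one SHA-256 over salt + password."""
    return hashlib.sha256(salt + password.encode()).digest()


def cost_ratio(iterations: int = ITERATIONS, samples: int = 5) -> float:
    """Wall-clock cost of one PBKDF2 evaluation divided by one SHA-256.

    A guesser's throughput drops by roughly this factor, which is the whole
    point of a computationally harder hash. Rough measurement, not a benchmark."""
    salt = secrets.token_bytes(SALT_LEN)
    pw = "correct horse"  # constructed sample password
    t0 = time.perf_counter()
    for _ in range(samples):
        fast_hash(pw, salt)
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    slow = (time.perf_counter() - t0) / samples
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    rec = hash_password("hunter2")
    print(rec)
    print("login ok:", verify_password("hunter2", rec))
    print("wrong pw:", verify_password("hunter3", rec))
    print("cost ratio PBKDF2 / SHA-256: %.0f" % cost_ratio())
```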
Wasn't that the whole point of the "Trayvon could have been me" thing? Obama clearly took the "Zimmerman shouldn't have been suspicious" narrative, and all the while he's the head of the NSA, TSA, etc. Why has nobody called him out on this???
9/11 has happened long ago enough that the knee-jerk reactions are dying down, and people are starting to question what we're doing in order to make sure 3000 people don't die over the course of a few years.
Yeah, but now people are in the position of having taken indefensible positions and must defend them or have to face up to the fact that they were wrong. People will not do that.
Just look at the debate over torture in this country. As in the fact that we even have a debate over torture. Only a quarter of Americans say that torture is never justifiable under any circumstances. A little under a fifth say that it's "often" justified to gain information from terror suspects. The rest are somewhere in the middle, with a strong partisan divide over the issue, but one that has weakened since Obama has failed to take substantive action on the issue except to nail whistleblowers to the wall -- all but tacit support for torture policies.
Partisan politics is the reason for this. Once "your guy" has made a decision, you must either find a rationale to support it or admit that you voted in the wrong guy. And for far too many people, the former is the natural instinct rather than the latter. Our political landscape for at least a generation or three has been forever shaped by the action of George W. Bush and the attempts of his party to rationalize them and then his successor Barack Obama's failure to do anything substantive to improve our war on terror policies and the attempts of his party to rationalize that too.
That's why poll numbers on support for torturing terror suspects show a slim majority now, whereas there was a 60-40% split against it for 2001-2008. Are you surprised that on questions of spying on Americans that the trend is not similar? Slim majorities were opposed to MAINWAY when it was exposed in 2006. Now slim majorities support PRISM and a growing majority wants to see Snowden punished for exposing it.
That's the tragedy of partisan democracies: If both sides do something terrible, all the sheep find themselves justifying no matter how bad it is.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Hi: Everyone remembers the famous first version of Catch-22 about requesting medical leave for psychiatric illness. 'Anyone who wants to get out of combat duty isn't really crazy.' However, later in the novel when one of the airmen, Dunbar, I believe, disappears when the Military Police is around, another version of Catch-22 is presented: 'They have the right to do to us anything we can't stop them from doing.' Of course, we think of this surreal comedy as a WW2 novel because that is where the story is set. However, it was actually written years after the war during the red scare period.
---- The above post was generated by the Turing Institute. Maybe.
Answer that if no wrongdoing occurred! Give us a break instead of giving us more of your 'spin' and side dishes of bullshit: J. Edgar Hoover showed how feds operate, blackmailing and targeting opponents, long ago. "Lobbyists" (bribery and favors with another term designed) show the rest. Gonna "reinterpret" more laws in 'secret courts' too? Dems/Repubs = all the same. Same in lurking in the shadows: big corporate or wealthy concerns back them and pull all of their strings. There's no "2 party system", there is 1 - the wealthy puppet master in the shadows.
How could this possibly be legal under our legal system? If you control the account there can be no chain of evidence. You could simply log in, plant any evidence you wanted, and then have your supervisor present when you later log back in and "discover" it.
We don't need privacy anymore after all we have President Obama as our President and of course the constitution is just a silly GOP thing.
"citizens killed by their own government on bogus pretexts"
If so, isn't essentially everyone on the planet in some sense living under the USA government to some extent? And even if not, then certainly they are living under neoliberal capitalism to some extent. If so, then couldn't one argue that anyone killed anywhere in the globe by the USA was, to some extent, killed by his or her own de-facto government?
You might say, well they did not vote for the US president. But it used to be that black people, and natives, and women living in the USA could not vote for the US president either.
Maybe the global spread of neo-liberal economics has implicitly redefined what it means to be a global citizen? If global economics (including possible collapse or nuclear war) affects everyone's lives, then are we not, to some extent, all under that form of neo-liberal governance?
http://steadystaterevolution.org/neoliberalism-as-a-waterballoon/
Perhaps "Elysium" (a movie coming out next month) is *optimistic* in that sense, that there are still people around in a century?
http://www.nerdist.com/2013/04/elysium-takes-class-warfare-into-space/
In any case, my opinion is that if the internet is not used to "free" us all in some sense, and soon, then it will no-doubt likely be used to enslave us or worse.
http://pcast.ideascale.com/a/dtd/The-need-for-FOSS-intelligence-tools-for-sensemaking-etc./76207-8319
"Now, there are many people out there (including computer scientists) who may raise legitimate concerns about privacy or other important issues in regards to any system that can support the intelligence community (as well as civilian needs). As I see it, there is a race going on. The race is between two trends. On the one hand, the internet can be used to profile and round up dissenters to the scarcity-based economic status quo (thus legitimate worries about privacy and something like TIA). On the other hand, the internet can be used to change the status quo in various ways (better designs, better science, stronger social networks advocating for some healthy mix of a basic income, a gift economy, democratic resource-based planning, improved local subsistence, etc., all supported by better structured arguments like with the Genoa II approach) to the point where there is abundance for all and rounding up dissenters to mainstream economics is a non-issue because material abundance is everywhere. So, as Bucky Fuller said, whether it will be Utopia or Oblivion will be a touch-and-go relay race to the very end. While I can't guarantee success at the second option of using the internet for abundance for all, I can guarantee that if we do nothing, the first option of using the internet to round up dissenters (or really, anybody who is different, like was done using IBM [punched card equipment] in WWII Germany) will probably prevail. So, I feel the global public really needs access to these sorts of sensemaking tools in an open source way, and the way to use them is not so much to "fight back" as to "transform and/or transcend the system". As Bucky Fuller said, you never change things by fighting the old paradigm directly; you change things by inventing a new way that makes the old paradigm obsolete."
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
and for the love of God
At home. Pure and simple. Don't use the Internet for e-mail or storage. Familiarize yourself with foreign legislation and use the proxies of countries who care about privacy.
I live outside the USA, where passwords are not required at all by the NSA. They simply take everything, rummage through it all and scrutinize it thoroughly. Insert trade sanctions, mess with the economy, or buy out any business that is deemed of value. While all along insisting the rest of the world are terrorists. Yes, each and every living being outside the USA is a potential scumbag terrorist and deserves to be utterly dominated. Any resistance toward these mega companies that manipulate the giant puppet American government can be, and regularly is, met with death through the use of drone technology. I think there will, in the near future, be rebellion...
Hello, plausible deniability.
If the man has all your authentication data, then anyone they give it to, leak it to, lose it to, might have done that nefarious interweb thing, posing as you.
This seems to be indistinguishable from identity theft.
Not that that argument will get you anywhere in today's modern courthouse
--
then I went back to sleep and had the same nightmare again.
The best way to combat government monitoring, which I call Homeland terrorism, is for the internet to be split into public and private. The government may do what it wants with the public one, but the private one will be that. In the private net, companies will use an end-point security non-symmetric security model such that SSL will deliver encrypted data. That means double encryption -- your data, and the transmission system.
Of course they will try to shut down this second system, but at least, this second system would serve to protect legitimate industries from hackers, of which the fear-mongering governments are the worst.
There should be no bridge between the two networks.