Slashdot Mirror
Feds Allegedly Demanding User Passwords From Services
An anonymous reader writes "Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article: 'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.' I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children."
How about an Article V Convention first? AKA, a broad slate of amendments that would create a new Constitution. It would literally be a New Republic. Larry Sabato from my alma mater wrote a book about this. I don't agree with very many of his proposals though. That's the problem with such a convention or a revolution. You never know what you're going to get. So. I think this has to fester a bit more. Let's try the Article V convention first though, before we reach for the musket. It's actually a fairly extreme parliamentary maneuver, and allegedly Congress has acted under the threat of article V before.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
The way salt works, there is no reason to keep it secret. You don't need to secure it from disclosure at all.
What you're describing is simply a shared secret. (That is, the same piece of data is held by both parties.) This is fundamentally no better than having a password and storing the password itself (in which case the password is a shared secret) -- the only difference is that it's not provided by the user, so it can be high-entropy.
Generally having a shared secret for authentication isn't nearly as secure as having a secret that you know but the other party can verify without storing that secret. For instance, the other party storing a hash of your password.
Incidentally, if you want to establish a shared secret between two parties, the way to do this is the Diffie-Hellman key-agreement protocol. It results in both parties ending up with the same shared secret by transmitting messages that are publicly-readable without giving anyone reading the messages enough information to construct the secret.
While true, it leaves out the fun fact that this has been happening to many, many other organizations. See: http://www.npr.org/blogs/itsallpolitics/2013/06/25/195599362/Democrats-Want-Answers-On-Progressives-Targeted-By-IRS
So no, the IRS wasn't targeting those groups because they don't agree with the administration. It targeted those groups because claiming 501c(4) status while advertising politically charged terms is a red flag. Finally, the link you're including has nothing to do with the IRS, with participating in public discourse or even with political discrimination. These speeches are PR events. As such, they are fairly tightly controlled. And quite frankly, I'm rolling my eyes at the comment that "we just wanted to watch the speech". I'd like to hear this story from some non-GOP-propaganda outlet before I even look further into it.
Those who can, do. Those who can't, sue.