Feds Allegedly Demanding User Passwords From Services
An anonymous reader writes "Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article: 'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.' I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children."
Coming up next, our newest feature: Things I wish surprised me, even a little.
I needed to switch providers during the whole SOPA debacle, and decided it was a primo opportunity to move to an overseas VPS. I made sure to pick one that has no presence in North America. And now I'm glad I did.
Can the government force me to make a public statement, attesting that it's true?
Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.
... of which The Declaration of Independence, The US Constitution and Bill of Rights are.
Most notable is The Declaration of Independence, which makes it clear it is not only our right but our duty to put off bad government.
And that is all the response any Founder supporting company need supply any spying government agency.
It's time to show who is a real US Citizen.
and stupid has won.
I have supported the use of records and even following connections from a known terrorist, but this is insane. Pure insanity. No doubt this is because terrorists/spies have changed tactics, but still this is the wrong way to solve this.
I prefer the "u" in honour as it seems to be missing these days.
I wonder how that really works out, in the long-run. What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?
It's always confirmation bias!
It's a pretty pointless article if you don't name the company.
They can ask. All passwords are one-way hashed using a 16384 bit salt and run through 4,000 rounds of AES before being stored in the database. Over there in the corner is our custom-built core which does the password retrieval, comparison, and pass-fail out onto a RADIUS server. The network name is NSA_COCKBLOCK... feel free to have a copy of the algorithm and database.
#fuckbeta #iamslashdot #dicemustdie
How can I get a piece of this action - it's probably not impossible to impersonate the Fed to get companies to cough up their entire user credential stores... just a few large-bag hit and runs could net millions in CC#.
Make sure everyone's vote counts: Verified Voting
So now we're doing redundant text in a summary that references a redundant story that was an accidental dupe of another redundant story. It's slash-ception!
Names. Give us some names. I'd like to know who are these bureaucrats who ask for passwords? Then, I'd like to see them sweat over the possibility they might be censured, might lose their jobs.
Let them experience how thrilling it is to have their dark glasses taken away, feel what it's like not to be faceless anymore. Then, maybe they'd appreciate privacy a little more.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
How is this different from perlustration of regular mail and bugging the phone wires? I did not like those either, but I don't see this new development as particularly illegal...
In Soviet Washington the swamp drains you.
1. A company shouldn't have my password stored anywhere in a form that they can decrypt it.
2. A company shouldn't have the answers to my security questions stored anywhere in a form that they can decrypt it.
That makes it very easy then: "We would gladly comply with your request, but sorry, we can't".
I'd just like to be there to see the blank stare.
Is it just my observation, or are there way too many stupid people in the world?
Those damn kids will be the death of us yet.
It's just not technically possible and not something that my company would ever do, because it would destroy the integrity of audit logs.
If they really need to have access as a specific user we have an impersonation feature (for tech support) that allows one user to perform actions in the system with the rights of another, except that the logs still tell us who is actually doing stuff. Seems like a much better way to deal with this kind of request.
Fuck you. I don't believe it then.. Or it's just better to assume the worst, that they all give up your info while putting up a show of 'resistance'.
Whatever... This is what you people voted for so maybe you should redirect your feeble outrage.
“He’s not deformed, he’s just drunk!”
I find myself wondering how much of this (master keys, passwords, etc.) we'd be discussing NOW had it not been for Snowden having the balls (if not the brains) to leak what he's leaked.
Note to future leakers: Make sure you work out your living situation BEFORE pissing off one of the largest governments in the world.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The way salt works, there is no reason to keep it secret. You don't need to secure it from disclosure at all.
What you're describing is simply a shared secret. (That is, the same piece of data is held by both parties.) This is fundamentally no better than having a password and storing the password itself (in which case the password is a shared secret) -- the only difference is that it's not provided by the user, so it can be high-entropy.
Generally having a shared secret for authentication isn't nearly as secure as having a secret that you know but the other party can verify without storing that secret. For instance, the other party storing a hash of your password.
Incidentally, if you want to establish a shared secret between two parties, the way to do this is the Diffie-Hellman key-agreement protocol. It results in both parties ending up with the same shared secret by transmitting messages that are publicly-readable without giving anyone reading the messages enough information to construct the secret.
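The key agreement described in the comment above, as an added example that is not part of the thread: a textbook finite-field Diffie-Hellman exchange in which both sides end up with the same shared secret while an eavesdropper who records every message sees only the public values. The group parameters are assumed to be the 1024-bit MODP group from RFC 2409 (Oakley group 2), transcribed here; any other well-known safe-prime group works the same way. The range check on the peer's public value is the caveat a practitioner adds so a malicious peer cannot force a predictable secret.

```python
# Added example (not code from the thread): finite-field Diffie-Hellman.
# Group parameters: assumed to be the RFC 2409 Oakley group 2 prime, g = 2.
import hashlib
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def gen_private() -> int:
    """Random private exponent in [2, P-2]; never reused, never transmitted."""
    return secrets.randbelow(P - 3) + 2


def public_value(priv: int) -> int:
    """The value that goes over the wire in the clear: g^priv mod p."""
    return pow(G, priv, P)


def check_public(pub: int) -> None:
    """Reject degenerate values (0, 1, p-1): with those, the 'shared secret'
    would be 1 or p-1 no matter what our private exponent is."""
    if not 1 < pub < P - 1:
        raise ValueError("peer public value out of range")


def shared_secret(priv: int, peer_pub: int) -> int:
    check_public(peer_pub)
    return pow(peer_pub, priv, P)


def derive_key(shared: int) -> bytes:
    """Do not use the raw group element as a key; hash it to a fixed-size key."""
    width = (P.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def run_exchange():
    """One full exchange. Returns (alice_key, bob_key, transcript), where
    transcript is exactly what a passive eavesdropper gets to see."""
    a = gen_private()
    b = gen_private()
    A = public_value(a)  # Alice -> Bob, in the clear
    B = public_value(b)  # Bob -> Alice, in the clear
    transcript = (A, B)
    key_alice = derive_key(shared_secret(a, B))
    key_bob = derive_key(shared_secret(b, A))
    return key_alice, key_bob, transcript


if __name__ == "__main__":
    ka, kb, seen = run_exchange()
    print("keys match:", ka == kb)
    print("eavesdropper saw", len(seen), "public values and no private exponent")
```

Note that this is unauthenticated: nothing in the exchange tells Alice that B really came from Bob, so on its own it is vulnerable to an active man in the middle. That is what signatures or certificates are for in real protocols such as TLS.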
The purpose of the salt is so that if two users have the same password, the salt is combined with it when it is encrypted, so that the encrypted hash comes out different for both users.
That way, if the attacker gets ahold of the DB containing all the encrypted passwords and happens to figure out what one of the passwords is, they can't just search the DB for someone else that has the same encrypted hash and then know that user also used the same password.
I do something similar to this. The salt is actually a 3 part key. The middle bit is a "preset" key generated per deployment, the bits on each end are the username and password, respectively. Then I run it through a round of Whirlpool.
Bits of code, random ramblings: jakimfett.com
change your password to "aeb30d1be48a8ed9" and store it in plaintext :D You could add some salt, I guess, but that'll leave them guessing either way....
Some kind of orbital strongbox that will act as the world's encryption key fob. Something that dodges around in an irregular orbit and explodes if anyone gets close to it.
All of my passwords look like that. Randomly generated with special characters. Typically 25 chars long.
They are in a password manager. I don't have to remember them at all. It's easier than having passwords I can remember but are easier to guess/can be found by rainbow table.
--
BMO
Until Americans man up and accept the reality that Big Brother can't guarantee 100% security, they're going to keep doing this. I'm disheartened by how relatively low disapproval for these practices is. I think I heard only 56% against. In the US, I would expect those numbers to be astronomical.
I swear to God...I swear to God! That is NOT how you treat your human!
Just saying
Jack of all trades,master of none
About these penetrations. You would think there would be daily broadcasts from Anonymous or somebody indicating which systems have been hacked by the government. It's like people aren't talking about it much at all.
You don't seem to understand what a hash or a salt is.
Come on, tell us who you are so we can not use you any more.
Don't you also want to know the names of the other companies that just quietly and politely handed over what was asked for?
I am not a crackpot.
All of my passwords look like that. Randomly generated with special characters. Typically 25 chars long.
They are in a password manager. I don't have to remember them at all...
So basically, you've got all your securely designed passwords stored in one keyring that if one person get the code to, they could use to gain access to all of your passwords. Much more secure storage area than your brain I'm sure.
Will no one rid us of this turbulent tyranny aborning?
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Hmm, sounds like a good idea. Here's mine: absdXGH4420078jkl!@gy
Dang. So I was just trying to continue the joke, but apparently if you type the asterisk symbol enough times, it actually writes your password out. Weird...
All my passwords will contain "blowmeO" in them from now on.
http://www.daybydaycartoon.com/2013/07/26/#007040
Corporatism != Free Market
How about being supportive instead of antagonistic?
Be honest with yourself: have you spent more time watching television or being politically active?
This is also a criticism I aim at myself, but the first step is to be honest about the situation. Americans are politically lazy, and we have the government we deserve. I don't think there has been a massive nationwide protest here since the 70s, with the possible exception of the anti-war protests before the invasion of Iraq.
The people who run the show aren't going to give it up because we're complaining about them on the internet. It's not difficult to convince yourself to hang on to millions of dollars and unchecked power when there is no real penalty from the populace.
Sir, there are two passions which have a powerful influence in the affairs of men. These are ambition and avarice -- the love of power and the love of money. Separately, each of these has great force in prompting men to action; but, when united in view of the same object, they have, in many minds, the most violent effects. Place before the eyes of such men a post of honor, that shall, at the same time, be a place of profit, and they will move heaven and earth to obtain it. The vast number of such places it is that renders the British government so tempestuous. The struggles for [profit] are the true source of all those factions which are perpetually dividing the nation, distracting its councils, hurrying it sometimes into fruitless and mischievous wars, and often compelling a submission to dishonorable terms of peace.
And of what kind are the men that will strive for this profitable preeminence, through all the bustle of cabal, the heat of contention, the infinite mutual abuse of parties, tearing to pieces the best of characters? It will not be the wise and moderate, the lovers of peace and good order, the men fittest for the trust. It will be the bold and the violent, the men of strong passions and indefatigable activity in their selfish pursuits. These will thrust themselves into your government and be your rulers. And these, too, will be mistaken in the expected happiness of their situation, for their vanquished competitors, of the same spirit, and from the same motives, will perpetually be endeavoring to distress their administration, thwart their measures, and render them odious to the people.
-- Benjamin Franklin, 1787
I would say we are Rome, but I have to believe that Rome actually fell before it got this bad.
You need to read more Roman history, then. After all, the phrase "bread and circuses" was coined or popularized back in the 2nd century, 200-300 years before Rome's "fall." The circuses themselves as a means of appeasing the people go back at least to the fallout from the assassination of Julius Caesar, right at the beginning of the Empire, when Marcus Brutus attempted to defray public anger over Caesar's death. (It didn't work, because Octavius turned around and held games in honor of Caesar's memory a couple of weeks later.)
Plus, it's hotly debated whether Rome ever actually "fell" or just withered away.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Give power, budget, and secrecy to a government agency and they will abuse them all.
Increase their power and/or budget and/or secrecy and they will abuse them more.
Like them or not, like their actions or not, the likes of Fabjqra and Znaavat may be our best hope by crippling the secrecy leg of the triad at least a little.
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
if there was a serious suggestion to stop making our children into our society's sacred cows? We passed the Patriot Act because we couldn't stomach the thought of terrorists killing our children. We passed insanely restrictive sex offender laws because of the thought that a stranger might attack our children sexually. We tried to pass gun control in the wake of Newtown. Every step we take down the slippery slope is in the name of improving security for our children.
At this point, I'm contemplating saying that I'd be willing to pay the price of seeing 32 1st graders wiped out every day by gunfire and pressure bombs going off once a day in crowded urban areas in exchange for being able to retain my privacy from the eyes of the government, and being able to determine how and with what means I will defend myself.
Here's to hot beer, cold women, and Glaswegian kisses for all.
So could one use the user ID as a salt? My thinking is that Hash( [UserID] + [Password] ) would be different even when the password is the same.
That said, I've also heard that storing hashes for passwords is a bad idea. Why would that be, if the hashes are long enough and salted?
(I'm not sure this level of security even existed when I was at uni.)
Or just a corporate media powered applause machine with no real people actually agreeing.
So what would happen if these bastards came to my company throwing their weight around, demanding all of this and that, and I just said -- wait for it --
NO!
maybe a "go fuck yourself" for good measure.
What then?
All of my passwords look like that. Randomly generated with special characters. Typically 25 chars long.
They are in a password manager. I don't have to remember them at all. It's easier than having passwords I can remember but are easier to guess/can be found by rainbow table.
--
BMO
I guess you didn't get what I did: that's the crypt hash for "Password". Found at the top of most hash tables.
Stop being an American.
No, I don't mean move. I mean stop identifying with a collective defined by their acceptance of enslavement to a particular group of thugs and sociopaths who call themselves the U.S. government.
I was born in the region known as America. I live in the region known as America. I'm no fucking American. I'm a person, and my name is Ofer.
Because you could memorize 10+ strings of completely random, 16+ characters? And presumably you'd want to change them all once a month, right?
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
That said, I've also heard that storing hashes for passwords is a bad idea. Why would that be, if the hashes are long enough and salted?
Say you use userid + username + join_date as the salt. No matter what you use as the salt, a modern GPU can brute-force your hash by evaluating SHA256(salt + password) extremely fast for hundreds of common passwords in parallel. To defeat this, use a computationally harder hash than SHA256.
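The points raised in the last few comments about salting (a salt is stored in the clear and only has to be unique per user; two users with the same password get different hashes; and a single fast SHA-256 over salt+password is still cheap for a GPU to guess, so the hash has to be made deliberately slow), pulled together as an added example that is not code from the thread. It uses Python's standard `hashlib`, with PBKDF2-HMAC-SHA256 standing in for "a computationally harder hash"; the user names, passwords and wordlist are constructed for the demo, and a random per-user salt is used rather than the user ID (a user ID would also give per-user uniqueness, but a random salt is not predictable before the record exists and does not collide across deployments).

```python
# Added example (not code from the thread): a minimal salted password store
# with a fast scheme (one SHA-256 per guess) beside a slow one (PBKDF2), and
# the offline guessing loop an attacker runs against a stolen table.
import hashlib
import hmac
import os

FAST = "sha256"    # hash = SHA-256(salt || password): one call per guess
SLOW = "pbkdf2"    # hash = PBKDF2-HMAC-SHA256(password, salt, iters)
DEMO_ITERS = 1000  # kept small so the demo runs instantly; production uses far more


def unsalted_hash(password: bytes) -> bytes:
    """The design the comments warn about: same password, same stored value."""
    return hashlib.sha256(password).digest()


def fast_hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iters: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iters)


def digest(scheme: str, password: bytes, salt: bytes, iters: int) -> bytes:
    return fast_hash(password, salt) if scheme == FAST else slow_hash(password, salt, iters)


def make_record(user: str, password: str, scheme: str, iters: int = DEMO_ITERS) -> dict:
    """What the server stores. The salt sits in the clear next to the hash."""
    salt = os.urandom(16)
    return {"user": user, "scheme": scheme, "salt": salt, "iters": iters,
            "hash": digest(scheme, password.encode(), salt, iters)}


def verify(record: dict, password: str) -> bool:
    got = digest(record["scheme"], password.encode(), record["salt"], record["iters"])
    return hmac.compare_digest(got, record["hash"])  # constant-time compare


def crack(records: list, wordlist: list) -> tuple:
    """Offline guessing with a stolen table. The salt is right there, so it does
    not slow the attacker down; only per-guess cost and password quality do.
    Returns ({user: recovered password}, number of digest evaluations)."""
    recovered, evals = {}, 0
    for rec in records:
        for guess in wordlist:
            evals += 1
            if digest(rec["scheme"], guess.encode(), rec["salt"], rec["iters"]) == rec["hash"]:
                recovered[rec["user"]] = guess
                break
    return recovered, evals


# Constructed demo data: bob and carol share a weak password, alice does not.
USERS = [("alice", "correct horse battery staple"),
         ("bob", "password123"),
         ("carol", "password123")]
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


def demo(scheme: str = FAST) -> dict:
    records = [make_record(u, p, scheme) for u, p in USERS]
    recovered, evals = crack(records, WORDLIST)
    per_guess = 1 if scheme == FAST else DEMO_ITERS  # SHA-256 calls per guess
    return {
        "unsalted_collide": unsalted_hash(USERS[1][1].encode()) == unsalted_hash(USERS[2][1].encode()),
        "salted_differ": records[1]["hash"] != records[2]["hash"],
        "verify_ok": verify(records[1], "password123"),
        "verify_wrong": verify(records[1], "Password123"),
        "recovered": recovered,
        "evals": evals,
        "work": evals * per_guess,  # total SHA-256 calls the attacker paid for
    }


if __name__ == "__main__":
    for s in (FAST, SLOW):
        r = demo(s)
        print(s, "recovered:", r["recovered"], "work:", r["work"], "SHA-256 calls")
```

The same three users fall the same way under both schemes; what changes is the price of each wrong guess, which is the only lever the server controls once the table has leaked. Also note that nothing in the store lets the operator hand back a password, only verify a candidate, which is exactly why "give us the password" can be answered with "we don't have it".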
Wasn't that the whole point of the "Trayvon could have been me" thing? Obama clearly took the "Zimmerman shouldn't have been suspicious" narrative, and all the while he's the head of the NSA, TSA, etc. Why has nobody called him out on this???
9/11 has happened long ago enough that the knee-jerk reactions are dying down, and people are starting to question what we're doing in order to make sure 3000 people don't die over the course of a few years.
Yeah, but now people are in the position of having taken indefensible positions and must defend them or have to face up to the fact that they were wrong. People will not do that.
Just look at the debate over torture in this country. As in the fact that we even have a debate over torture. Only a quarter of Americans say that torture is never justifiable under any circumstances. A little under a fifth say that it's "often" justified to gain information from terror suspects. The rest are somewhere in the middle, with a strong partisan divide over the issue, but one that has weakened since Obama has failed to take substantive action on the issue except to nail whistleblowers to the wall -- all but tacit support for torture policies.
Partisan politics is the reason for this. Once "your guy" has made a decision, you must either find a rationale to support it or admit that you voted in the wrong guy. And for far too many people, the former is the natural instinct rather than the latter. Our political landscape for at least a generation or three has been forever shaped by the action of George W. Bush and the attempts of his party to rationalize them and then his successor Barack Obama's failure to do anything substantive to improve our war on terror policies and the attempts of his party to rationalize that too.
That's why poll numbers on support for torturing terror suspects show a slim majority now, whereas there was a 60-40% split against it for 2001-2008. Are you surprised that on questions of spying on Americans that the trend is not similar? Slim majorities were opposed to MAINWAY when it was exposed in 2006. Now slim majorities support PRISM and a growing majority wants to see Snowden punished for exposing it.
That's the tragedy of partisan democracies: If both sides do something terrible, all the sheep find themselves justifying no matter how bad it is.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Hi: Everyone remembers the famous first version of Catch-22 about requesting medical leave for psychiatric illness. 'Anyone who wants to get out of combat duty isn't really crazy.' However, later in the novel, when one of the airmen, Dunbar, I believe, disappears when the Military Police is around, another version of Catch-22 is presented: 'They have the right to do to us anything we can't stop them from doing.' Of course, we think of this surreal comedy as a WW2 novel because that is where the story is set. However, it was actually written years after the war, during the red scare period.
---- The above post was generated by the Turing Institute. Maybe.
Unless you're accessing all your services via SSH, you probably have passwords somewhere; SSH keys are only going to be a defense against access to the boxes you only SSH to. If you use any web application or service you don't self-host and authenticate only through SSH, revealed passwords are going to be an issue.
Yet another argument to move toward 2-factor auth....
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
Just use a reference pad based on a book you own. Don't mention what book on the pad.
It can even reference multiple books on your bookshelf.
If you use e-books, you can even keep them on your handheld device for quick reference, in case you need your passwords when away from the home. Using Project Gutenberg as a pad reference resource sounds really interesting now that I think of it....
"citizens killed by their own government on bogus pretexts"
If so, isn't essentially everyone on the planet in some sense living under the USA government to some extent? And even if not, then certainly they are living under neoliberal capitalism to some extent. If so, then couldn't one argue that anyone killed anywhere in the globe by the USA was, to some extent, killed by his or her own de-facto government?
You might say, well they did not vote for the US president. But it used to be that black people, and natives, and women living in the USA could not vote for the US president either.
Maybe the global spread of neo-liberal economics has implicitly redefined what it means to be a global citizen? If global economics (including possible collapse or nuclear war) affects everyone's lives, then are we not, to some extent, all under that form of neo-liberal governance?
http://steadystaterevolution.org/neoliberalism-as-a-waterballoon/
Perhaps "Elysium" (a movie coming out next month) is *optimistic* in that sense, that there are still people around in a century?
http://www.nerdist.com/2013/04/elysium-takes-class-warfare-into-space/
In any case, my opinion is that if the internet is not used to "free" us all in some sense, and soon, then it will no-doubt likely be used to enslave us or worse.
http://pcast.ideascale.com/a/dtd/The-need-for-FOSS-intelligence-tools-for-sensemaking-etc./76207-8319
"Now, there are many people out there (including computer scientists) who may raise legitimate concerns about privacy or other important issues in regards to any system that can support the intelligence community (as well as civilian needs). As I see it, there is a race going on. The race is between two trends. On the one hand, the internet can be used to profile and round up dissenters to the scarcity-based economic status quo (thus legitimate worries about privacy and something like TIA). On the other hand, the internet can be used to change the status quo in various ways (better designs, better science, stronger social networks advocating for some healthy mix of a basic income, a gift economy, democratic resource-based planning, improved local subsistence, etc., all supported by better structured arguments like with the Genoa II approach) to the point where there is abundance for all and rounding up dissenters to mainstream economics is a non-issue because material abundance is everywhere. So, as Bucky Fuller said, whether it will be Utopia or Oblivion will be a touch-and-go relay race to the very end. While I can't guarantee success at the second option of using the internet for abundance for all, I can guarantee that if we do nothing, the first option of using the internet to round up dissenters (or really, anybody who is different, like was done using IBM [punched card equipment] in WWII Germany) will probably prevail. So, I feel the global public really needs access to these sorts of sensemaking tools in an open source way, and the way to use them is not so much to "fight back" as to "transform and/or transcend the system". As Bucky Fuller said, you never change things by fighting the old paradigm directly; you change things by inventing a new way that makes the old paradigm obsolete."
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
At home. Pure and simple. Don't use the Internet for e-mail or storage. Familiarize yourself with foreign legislation and use the proxies of countries who care about privacy.
I live outside the USA, where passwords are not required at all by the NSA. They simply take everything, rummage through it all and scrutinize it thoroughly. Insert trade sanctions, mess with the economy, or buy out any business that is deemed of value. While all along insisting the rest of the world are terrorists. Yes, each and every living being outside the USA is a potential scumbag terrorist and deserves to be utterly dominated. Any resistance toward these mega companies that manipulate the giant puppet American government can be, and regularly is, met with death through the use of drone technology. I think there will, in the near future, be rebellion...
Hello, plausible deniability.
If the man has all your authentication data, then anyone they give it to, leak it to, lose it to, might have done that nefarious interweb thing, posing as you.
This seems to be indistinguishable from identity theft.
Not that that argument will get you anywhere in today's modern courthouse
--
then I went back to sleep and had the same nightmare again.