Feds Allegedly Demanding User Passwords From Services
An anonymous reader writes "Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article: 'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.' I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children."
Coming up next, our newest feature: Things I wish surprised me, even a little.
I needed to switch providers during the whole SOPA debacle, and decided it was a primo opportunity to move to an overseas VPS. I made sure to pick one that has no presence in North America. And now I'm glad I did.
Can the government force me to make a public statement, attesting that it's true?
Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.
... of which The Declaration of Independence, The US constitution and Bill of Rights are.
Most notable is The Declaration of Independence that makes it clear it is not only our right but duty to put off bad government.
And that is all the response any Founder supporting company need supply any spying government agency.
It's time to show who is a real US Citizen.
and stupid has won.
They can ask. All passwords are one-way hashed using a 16384 bit salt and run through 4,000 rounds of AES before being stored in the database. Over there in the corner is our custom-built core which does the password retrieval, comparison, and pass-fail out onto a RADIUS server. The network name is NSA_COCKBLOCK... feel free to have a copy of the algorithm and database.
#fuckbeta #iamslashdot #dicemustdie
TFA says the companies resisted - the shame here belongs on the US Government
No doubt this is because terrorists/spies have changed tactics
Or simply because the Feds can get away with it. KGB wannabees are like any other power hungry bastards - give them an inch and they'll take a mile. They want more because they want more. There may be some excuses they use to justify it, but the real reason is simply that they want more.
just a few large-bag hit and runs could net millions in CC#.
Credit cards? You think small. How about getting access to the Federal Reserve? Considering all the money they give away to bail out financial institutions that should be in receivership, you could probably take a few billion and it would be dismissed as a rounding error.
Names. Give us some names. I'd like to know who are these bureaucrats who ask for passwords? Then, I'd like to see them sweat over the possibility they might be censured, might lose their jobs.
Let them experience how thrilling it is to have their dark glasses taken away, feel what it's like not to be faceless anymore. Then, maybe they'd appreciate privacy a little more.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Considering that the vast majority of people, up until now, would've never known for sure that you buckled to government pressure, you're thinking in a far more optimistic plane than reality. In reality, you, as a small business owner, would buckle, nobody using your service would know about it unless you announced it outright, and it would affect your business in absolutely no way at all.
1. A company shouldn't have my password stored anywhere in a form that they can decrypt it.
2. A company shouldn't have the answers to my security questions stored anywhere in a form that they can decrypt it.
That makes it very easy then: "We would gladly comply with your request, but sorry, we can't".
The terrorists/spies have definitely changed tactics. They're putting on government uniforms now.
I find myself wondering how much of this ( master keys, passwords, etc. ) we'd be discussing NOW had it not been for Snowden having the balls ( if not the brains ) to leak what he's leaked.
Note to future leakers: Make sure you work out your living situation BEFORE pissing off one of the largest governments in the world.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?
If you have little legal know-how and are confronted with an important legal issue that could have serious ramifications if you screw it up, you consult with a lawyer.
If you are smart, this is always the case, be you a startup, a large company or an individual.
A small company probably won't have a lawyer on payroll, but certainly, they can still pick up the phone and call one. It'll cost some money, yes, but even small businesses need lawyers for lots of things, so the concept should not be foreign to them.
Now, if you're saying that "legal know-how" means knowing when an issue is important and could have serious ramifications, well, that doesn't require much skill. If you receive a demand from the government of any sort and it's not something you're familiar with, a quick consultation with a lawyer would be prudent. Especially if it just plain sounds wrong.
Now, your lawyer may very well advise you to just give them what they want, but still, asking him was the right thing to do.
A bigger problem is the gag orders that tend to come with these orders, where you can't even tell somebody that you received them. You can generally still consult with a lawyer, but even so, they really do fly in the face of the rights we used to think we have.
The way salt works, there is no reason to keep it secret. You don't need to secure it from disclosure at all.
What you're describing is simply a shared secret. (That is, the same piece of data is held by both parties.) This is fundamentally no better than having a password and storing the password itself (in which case the password is a shared secret) -- the only difference is that it's not provided by the user, so it can be high-entropy.
Generally having a shared secret for authentication isn't nearly as secure as having a secret that you know but the other party can verify without storing that secret. For instance, the other party storing a hash of your password.
Incidentally, if you want to establish a shared secret between two parties, the way to do this is the Diffie-Hellman key-agreement protocol. It results in both parties ending up with the same shared secret by transmitting messages that are publicly-readable without giving anyone reading the messages enough information to construct the secret.
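As an added illustration of the two points made in this thread (a company should store nothing from which it can recover your password, and a salt needs no secrecy), here is example code that is not from the thread or any company named in it. It stores only a random salt in the clear beside a slow PBKDF2 hash, verifies a login from that record alone, and ends with a Diffie-Hellman exchange using deliberately toy parameters (p=23, g=5, an assumption for readability, not a real group) to show both sides arriving at the same secret while only public values cross the wire.

```python
import hashlib
import hmac
import secrets

# Hypothetical work factor for this example; real deployments pick it from
# measured server cost, not from this constant.
ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Return what the server stores for a user.

    The salt is random and stored in the clear: it is not a secret, it only
    makes each user's hash unique so precomputed tables and cross-user
    comparisons are useless. The password itself is never stored, so there is
    nothing to hand over in response to a request for it.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute from the public salt and compare in constant time.

    The verifier can check a password it does not hold; that is the
    "secret you know, they can only verify" model the thread describes.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def dh_toy_exchange(p: int = 23, g: int = 5) -> dict:
    """Diffie-Hellman with toy parameters (far too small for real use).

    Only p, g, A and B travel over the network. An observer sees all four
    but needs one of the private exponents to derive the shared secret.
    """
    a = secrets.randbelow(p - 2) + 1  # Alice's private exponent, never sent
    b = secrets.randbelow(p - 2) + 1  # Bob's private exponent, never sent
    A = pow(g, a, p)                  # Alice's public value, sent to Bob
    B = pow(g, b, p)                  # Bob's public value, sent to Alice
    alice_secret = pow(B, a, p)
    bob_secret = pow(A, b, p)
    return {"wire": (p, g, A, B), "alice": alice_secret, "bob": bob_secret}


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample password
    print(rec)  # salt and hash are visible; the password is not recoverable from them
    print(verify(rec, "correct horse battery staple"), verify(rec, "wrong"))
    print(dh_toy_exchange())
```

Two records made from the same password differ because each gets its own salt, which is exactly why publishing the salt costs nothing: it was never what protected the hash, the one-way function and the work factor were.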
Assuming you knew. In practice the worst of this is done under gag order so that nobody knows which services are engaged in this sort of illegal spying. And thanks to the numb nuts that W had installed on the Supreme Court, it's even harder to get the constitution enforced than it used to be. Damned activist judges.
NB: the second is why sysadmins don't log in as root and don't request user passwords. Logging in as their ordinary user and then su'ing to root leaves a record in the audit log of which sysadmin was doing what as root. And if we need to access your account as you, su'ing to root and then to your account leaves a record of which sysadmin was responsible for the access.
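To show what that audit trail actually buys you, here is an added example (not from the thread) that walks constructed auth.log lines in the pam_unix `su:session` format and attributes each account entered from root back to the named sysadmin who became root. The last two sample lines are a constructed direct root login, included to show why the chain breaks when someone skips the "log in as yourself first" step. The sample hostnames, usernames and addresses are made up, and the parser assumes one root session at a time per host (a real correlation would key on TTY or PID as well).

```python
import re

# Constructed sample log, not captured from any real system.
SAMPLE_LOG = """\
Jul 25 09:12:01 host1 sshd[2011]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Jul 25 09:12:40 host1 su: pam_unix(su:session): session opened for user root by alice(uid=1000)
Jul 25 09:13:05 host1 su: pam_unix(su:session): session opened for user bob by (uid=0)
Jul 25 09:20:15 host1 su: pam_unix(su:session): session closed for user bob
Jul 25 09:21:00 host1 su: pam_unix(su:session): session closed for user root
Jul 25 10:02:11 host1 sshd[2207]: Accepted publickey for carol from 192.0.2.11 port 50199 ssh2
Jul 25 10:02:30 host1 su: pam_unix(su:session): session opened for user root by carol(uid=1001)
Jul 25 10:03:00 host1 su: pam_unix(su:session): session opened for user bob by (uid=0)
Jul 25 10:05:00 host1 su: pam_unix(su:session): session closed for user bob
Jul 25 10:05:10 host1 su: pam_unix(su:session): session closed for user root
Jul 25 11:00:00 host1 sshd[2300]: Accepted password for root from 192.0.2.12 port 50230 ssh2
Jul 25 11:00:30 host1 su: pam_unix(su:session): session opened for user bob by (uid=0)
"""

# "by alice(uid=1000)" names the caller; "by (uid=0)" is root with no name,
# which is what you get when root itself runs su.
OPEN_RE = re.compile(r"session opened for user (\S+) by (\w*)\(uid=(\d+)\)")
CLOSE_RE = re.compile(r"session closed for user (\S+)")


def attribute_account_access(log_text: str) -> list:
    """Return (target_account, accountable_sysadmin) for every su from root.

    A named user becoming root is remembered as the owner of that root
    session; a later su from uid 0 into another account is charged to that
    owner. If nobody named ever became root (direct root login), the access
    is attributed to UNKNOWN, which is the gap the thread's policy closes.
    """
    root_owner = None
    accesses = []
    for line in log_text.splitlines():
        m = OPEN_RE.search(line)
        if m:
            target, by_name, by_uid = m.groups()
            if target == "root" and by_name:
                root_owner = by_name            # a real person became root
            elif by_uid == "0":
                accesses.append((target, root_owner or "UNKNOWN"))
            continue
        m = CLOSE_RE.search(line)
        if m and m.group(1) == "root":
            root_owner = None                   # root session ended
    return accesses


if __name__ == "__main__":
    for account, admin in attribute_account_access(SAMPLE_LOG):
        print(f"account {account} accessed as root; responsible sysadmin: {admin}")
```

Run against the sample, the first two accesses to `bob` are charged to alice and carol respectively, while the third comes out as UNKNOWN because the root session was opened by a direct login rather than by a named user, which is precisely what a "no direct root logins, no user password requests" rule is meant to prevent.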
I've always wondered... what stops people from issuing fake FISA orders? I mean, if anyone challenges them, you just say they don't have the clearance. FISA *IS* catch-22.
You can't even go after someone issuing such an order with "impersonating a federal officer" -- as unless you're the President of the US, /how would you know/?
I imagine a terror group could make a pretty quick job of any public works under the guise of FISA.
About these penetrations. You would think there would be daily broadcasts from anonymous or somebody indicating which systems have been hacked by the government. It's like people aren't talking about it much at all.
I have supported the use of records and even following connections from a known terrorist, but this is insane. Pure insanity.
No doubt this is because terrorists/spies have changed tactics, but still this is the wrong way to solve this.
Terrorists haven't changed tactics. Look at the Boston Bombers, the NSA had been spying on us for years at that point.
Did they know about it? NO.
Did they stop it? NO.
So them spying on everyone is a waste of time if they can't catch any terrorist with it. In fact, they are being the terrorist against their own population by this and other actions they have been doing.
Be seeing you...
TFA says the companies resisted - the shame here belongs on the US Government
More interesting would be to know the names of the companies who didn't resist and thus didn't make any noise at all . . .
I am not a crackpot.
Minor correction, we STILL have those rights, they're just being trampled.
How about being supportive instead of antagonistic?
Be honest with yourself: have you spent more time watching television or being politically active?
This is also a criticism I aim at myself, but the first step is to be honest about the situation. Americans are politically lazy, and we have the government we deserve. I don't think there has been a massive nationwide protest here since the 70s, with the possible exception of the anti-war protests before the invasion of Iraq.
The people who run the show aren't going to give it up because we're complaining about them on the internet. It's not difficult to convince yourself to hang on to millions of dollars and unchecked power when there is no real penalty from the populace.
Sir, there are two passions which have a powerful influence in the affairs of men. These are ambition and avarice -- the love of power and the love of money. Separately, each of these has great force in prompting men to action; but, when united in view of the same object, they have, in many minds, the most violent effects. Place before the eyes of such men a post of honor, that shall, at the same time, be a place of profit, and they will move heaven and earth to obtain it. The vast number of such places it is that renders the British government so tempestuous. The struggles for [profit] are the true source of all those factions which are perpetually dividing the nation, distracting its councils, hurrying it sometimes into fruitless and mischievous wars, and often compelling a submission to dishonorable terms of peace.
And of what kind are the men that will strive for this profitable preeminence, through all the bustle of cabal, the heat of contention, the infinite mutual abuse of parties, tearing to pieces the best of characters? It will not be the wise and moderate, the lovers of peace and good order, the men fittest for the trust. It will be the bold and the violent, the men of strong passions and indefatigable activity in their selfish pursuits. These will thrust themselves into your government and be your rulers. And these, too, will be mistaken in the expected happiness of their situation, for their vanquished competitors, of the same spirit, and from the same motives, will perpetually be endeavoring to distress their administration, thwart their measures, and render them odious to the people.
-- Benjamin Franklin, 1787
Yes, it is. It is a right being violated. The violator is thus guilty of wrongdoing. Don't ever let them convince you that the right is non-existent.
The other case would be that it's not a right anymore and the government gets to say not a right so we're doing no wrong.
In other words, by violating a right (such as by denying its existence), a government de-legitimizes itself.