Slashdot Mirror


Feds Allegedly Demanding User Passwords From Services

An anonymous reader writes "Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article: 'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.' I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children."

26 of 339 comments

  1. Sigh. by Aerokii · · Score: 5, Insightful

    Coming up next, our newest feature: Things I wish surprised me, even a little.

    1. Re:Sigh. by NeutronCowboy · · Score: 4, Interesting

      As sad as it is, I have to agree. This doesn't surprise me one bit. I mean, investigating is hard! Can't have criminals hide behind things like strong encryption! Ergo, no one can use encryption.

      That said, I'm hoping we're slowly getting to a tipping point on the entire privacy vs security discussion. 9/11 has happened long ago enough that the knee-jerk reactions are dying down, and people are starting to question what we're doing in order to make sure 3000 people don't die over the course of a few years.

      --
      Those who can, do. Those who can't, sue.
    2. Re:Sigh. by Anonymous Coward · · Score: 4, Insightful

      Don't worry, there will be another false flag 9/11-style event. People will give up more freedom and privacy. You can be guaranteed of that.

    3. Re:Sigh. by Anonymous Coward · · Score: 5, Insightful

      It's not just 9/11, the fear of foreigners and the entire "it's us vs the world" attitude has become so ingrained into the American psyche that it'll take several generations to de-program them. Even now those Americans who are raising questions are only protesting against spying on American citizens, as if American citizens are more special than the rest of us humans.

      As long as the American people, and not just the government, continue their xenophobia they will just keep shooting themselves in the foot. None of us in the rest of the world want to have anything against USA, but the Americans keep doing everything they possibly can to make the world hate their guts.

    4. Re:Sigh. by hairyfeet · · Score: 5, Insightful

      It won't matter friend as the PTB has learned they have another "mother may I" magic word that works even better than terrorist, and that is pedo. If you think the whole "peed on a bush and became a sex offender" bit is bad you should look at the CP laws and how vaguely they have been written. According to a friend that works in the state crime lab you could draw a stick figure and stick a label under it saying "nekkid 10 year old" and be looking at several years in prison and otherwise sane people will happily let the feds have ANY power they ask for just by invoking the "for the children" meme, hell we've seen otherwise rational people on this very site willing to ignore any and all violations of privacy if it was "to stop teh pedos".

      So I'm convinced we'll see more of our privacy wiped off the map and what is more the crowds will cheer when it happens because the feds will say the magic word. Hell we have at least 2 guys in prison right now for thoughtcrime by using the magic word, the guy who supposedly wrote the "pro pedo" book and a guy who was writing any disturbing thoughts he had in a diary by order of his therapist of all people, and in BOTH cases the ONLY thing they did was what I am doing right now and put their thoughts on a page, that's it, that's ALL they did.

      Now if that doesn't scare the hell out of you while illustrating just how powerful a word they have on their side? Well I don't know what will, I know it scares the hell out of me.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Sigh. by techsimian · · Score: 4, Insightful

      Supportive of what exactly?

      Being from the US you probably don't see the xenophobia for what it is. I moved to the US in the late 70's and the common response to anything not American was that's communist. Now it's probably more along the lines of that's socialist, but the vibe is the same. I see it as fueled partly by fear (of the unknown) and ignorance with a dash of idiotic national pride.

      Consider taking a stand against that sort of stupidity and acknowledging your detractors might have a point. It isn't a sign of weakness to admit fault.

  2. compelled speech and/or perjury? by DoofusOfDeath · · Score: 5, Insightful

    Can the government force me to make a public statement, attesting that it's true?

    Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.

  3. Time to send out the papers... by 3seas · · Score: 4, Interesting

    ... of which The Declaration of Independence, The US constitution and Bill of Rights are.

    Most notably is The Declaration of Independence that makes it clear it is not only our right but duty to put off bad government.

    And that is all the response any Founder supporting company need supply any spying government agency.

    It's time to show who is a real US Citizen.

    1. Re:Time to send out the papers... by SJHillman · · Score: 4, Insightful

      Just start emailing copies of those documents to people on a regular basis and see how long before the government calls you a terrorist and arrests you for inciting revolt.

    2. Re:Time to send out the papers... by hedwards · · Score: 5, Insightful

      Considering that the Tea Party hasn't been declared as such and that there has yet to be even one sedition trial for those numb nuts in congress that signed that fealty pledge to Grover Norquist, I think that it's rather unlikely that they'll charge you for sending people those documents.

    3. Re:Time to send out the papers... by istartedi · · Score: 4, Informative

      How about an Article V Convention first? AKA, a broad slate of amendments that would create a new Constitution. It would literally be a New Republic. Larry Sabato from my alma mater wrote a book about this. I don't agree with very many of his proposals though. That's the problem with such a convention or a revolution. You never know what you're going to get. So. I think this has to fester a bit more. Let's try the Article V convention first though, before we reach for the musket. It's actually a fairly extreme parliamentary maneuver, and allegedly Congress has acted under the threat of article V before.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    4. Re:Time to send out the papers... by NeutronCowboy · · Score: 5, Informative

      While true, it leaves out the fun fact that this has been happening to many, many other organizations. See: http://www.npr.org/blogs/itsallpolitics/2013/06/25/195599362/Democrats-Want-Answers-On-Progressives-Targeted-By-IRS

      So no, the IRS wasn't targeting those groups because they don't agree with the administration. It targeted those groups because claiming 501c(4) status while advertising politically charged terms is a red flag. Finally, the link you're including has nothing to do with the IRS, with participating in public discourse or even with political discrimination. These speeches are PR events. As such, they are fairly tightly controlled. And quite frankly, I'm rolling my eyes at the comment that "we just wanted to watch the speech". I'd like to hear this story from some non-GOP-propaganda outlet before I even look further into it.

      --
      Those who can, do. Those who can't, sue.
  4. Hmmm... by girlintraining · · Score: 5, Funny

    They can ask. All passwords are one-way hashed using a 16384 bit salt and run through 4,000 rounds of AES before being stored in the database. Over there in the corner is our custom-built core which does the password retrieval, comparison, and pass-fail out onto a RADIUS server. The network name is NSA_COCKBLOCK... feel free to have a copy of the algorithm and database.

    --
    #fuckbeta #iamslashdot #dicemustdie
  5. Re:Name and Shame by Saethan · · Score: 5, Insightful

    TFA says the companies resisted - the shame here belongs on the US Government

  6. Re:wow. we keep going more and more insane. by ebno-10db · · Score: 5, Insightful

    No doubt this is because terrorists/spies have changed tactics

    Or simply because the Feds can get away with it. KGB wannabees are like any other power hungry bastards - give them an inch and they'll take a mile. They want more because they want more. There may be some excuses they use to justify it, but the real reason is simply that they want more.

  7. Re:Black Hat hears, and thinks... by ebno-10db · · Score: 4, Funny

    just a few large-bag hit and runs could net millions in CC#.

    Credit cards? You think small. How about getting access to the Federal Reserve? Considering all the money they give away to bail out financial institutions that should be in receivership, you could probably take a few billion and it would be dismissed as a rounding error.

  8. how to make bureaucrats value privacy by bzipitidoo · · Score: 5, Insightful

    Names. Give us some names. I'd like to know who are these bureaucrats who ask for passwords? Then, I'd like to see them sweat over the possibility they might be censured, might lose their jobs.

    Let them experience how thrilling it is to have their dark glasses taken away, feel what it's like not to be faceless anymore. Then, maybe they'd appreciate privacy a little more.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  9. Companies shouldn't have this anyway by gnasher719 · · Score: 4, Interesting

    1. A company shouldn't have my password stored anywhere in a form that they can decrypt it.
    2. A company shouldn't have the answers to my security questions stored anywhere in a form that they can decrypt it.

    That makes it very easy then: "We would gladly comply with your request, but sorry, we can't".

  10. Re:wow. we keep going more and more insane. by aeranvar · · Score: 4, Insightful

    The terrorists/spies have definitely changed tactics. They're putting on government uniforms now.

  11. How this relates to Snowden by grasshoppa · · Score: 4, Insightful

    I find myself wondering how much of this ( master keys, passwords, etc. ) we'd be discussing NOW had it not been for Snowden having the balls ( if not the brains ) to leak what he's leaked.

    Note to future leakers: Make sure you work out your living situation BEFORE pissing off one of the largest governments in the world.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  12. Re:Standing up to the Feds by dougmc · · Score: 5, Insightful

    What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?

    If you have little legal know-how and are confronted with an important legal issue that could have serious ramifications if you screw it up, you consult with a lawyer.

    If you are smart, this is always the case, be you a startup, a large company or an individual.

    A small company probably won't have a lawyer on payroll, but certainly, they can still pick up the phone and call one. It'll cost some money, yes, but even small businesses need lawyers for lots of things, so the concept should not be foreign to them.

    Now, if you're saying that "legal know-how" means knowing when an issue is important and could have serious ramifications, well, that doesn't require much skill. If you receive a demand from the government of any sort and it's not something you're familiar with, a quick consultation with a lawyer would be prudent. Especially if it just plain sounds wrong.

    Now, your lawyer may very well advise you to just give them what they want, but still, asking him was the right thing to do.

    A bigger problem is the gag orders that tend to come with these orders, where you can't even tell somebody that you received them. You can generally still consult with a lawyer, but even so, they really do fly in the face of the rights we used to think we have.

  13. Re:Not surprised by blueg3 · · Score: 4, Informative

    The way salt works, there is no reason to keep it secret. You don't need to secure it from disclosure at all.

    What you're describing is simply a shared secret. (That is, the same piece of data is held by both parties.) This is fundamentally no better than having a password and storing the password itself (in which case the password is a shared secret) -- the only difference is that it's not provided by the user, so it can be high-entropy.

    Generally having a shared secret for authentication isn't nearly as secure as having a secret that you know but the other party can verify without storing that secret. For instance, the other party storing a hash of your password.

    Incidentally, if you want to establish a shared secret between two parties, the way to do this is the Diffie-Hellman key-agreement protocol. It results in both parties ending up with the same shared secret by transmitting messages that are publicly-readable without giving anyone reading the messages enough information to construct the secret.
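
The storage scheme gnasher719 and blueg3 describe in their comments above (the service keeps only a salted one-way hash, with the salt stored in the clear beside it), as an added example that is not part of the original thread. PBKDF2-HMAC-SHA256, the iteration count and the record field names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def enroll(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the record a service stores: algorithm, work factor, salt, hash.

    The password itself is never kept. The salt is random per user and is
    stored in plaintext; it exists to make each hash unique, not to be secret.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2-sha256",
        "iter": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash from the candidate and the stored salt, then compare.

    compare_digest avoids leaking how many leading bytes matched via timing.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iter"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo(iterations: int = ITERATIONS) -> dict:
    """Enroll the same (constructed) password twice and summarise the results."""
    password = "correct horse battery staple"  # constructed sample value
    a = enroll(password, iterations)
    b = enroll(password, iterations)
    return {
        "same_password_different_hashes": a["hash"] != b["hash"],
        "right_password_verifies": verify(a, password),
        "wrong_password_rejected": not verify(a, "Tr0ub4dor&3"),
        "record_fields": sorted(a),  # everything the service could hand over
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Everything in the stored record, salt and algorithm included, can be disclosed without revealing the password directly; what remains is the cost of guessing candidates against the hash, which is why the work factor and password strength matter.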

  14. Re:Black Hat hears, and thinks... by Em+Adespoton · · Score: 5, Interesting

    I've always wondered... what stops people from issuing fake FISA orders? I mean, if anyone challenges them, you just say they don't have the clearance. FISA *IS* catch-22.

    You can't even go after someone issuing such an order with "impersonating a federal officer" -- as unless you're the President of the US, /how would you know/?

    I imagine a terror group could make a pretty quick job of any public works under the guise of FISA.

  15. Surprising there isn't more sub channel news by Marrow · · Score: 4, Interesting

    About these penetrations. You would think there would be daily broadcasts from anonymous or somebody indicating which systems have been hacked by the government. It's like people aren't talking about it much at all.

  16. Supportive of what? by deanklear · · Score: 4, Insightful

    How about being supportive instead of antagonistic?

    Be honest with yourself: have you spent more time watching television or being politically active?

    This is also a criticism I aim at myself, but the first step is to be honest about the situation. Americans are politically lazy, and we have the government we deserve. I don't think there has been a massive nationwide protest here since the 70s, with the possible exception of the anti-war protests before the invasion of Iraq.

    The people who run the show aren't going to give it up because we're complaining about them on the internet. It's not difficult to convince yourself to hang on to millions of dollars and unchecked power when there is no real penalty from the populace.

    Sir, there are two passions which have a powerful influence in the affairs of men. These are ambition and avarice -- the love of power and the love of money. Separately, each of these has great force in prompting men to action; but, when united in view of the same object, they have, in many minds, the most violent effects. Place before the eyes of such men a post of honor, that shall, at the same time, be a place of profit, and they will move heaven and earth to obtain it. The vast number of such places it is that renders the British government so tempestuous. The struggles for [profit] are the true source of all those factions which are perpetually dividing the nation, distracting its councils, hurrying it sometimes into fruitless and mischievous wars, and often compelling a submission to dishonorable terms of peace.
        And of what kind are the men that will strive for this profitable preeminence, through all the bustle of cabal, the heat of contention, the infinite mutual abuse of parties, tearing to pieces the best of characters? It will not be the wise and moderate, the lovers of peace and good order, the men fittest for the trust. It will be the bold and the violent, the men of strong passions and indefatigable activity in their selfish pursuits. These will thrust themselves into your government and be your rulers. And these, too, will be mistaken in the expected happiness of their situation, for their vanquished competitors, of the same spirit, and from the same motives, will perpetually be endeavoring to distress their administration, thwart their measures, and render them odious to the people.

    -- Benjamin Franklin, 1787

  17. Re:the war is over by s.petry · · Score: 5, Insightful

    You can not blame it on stupid, when people are intentionally kept ignorant. For a minimum of 10 years, you are subjected to a program that creates servitude and removes people's ability to think. When people start to wake up, it's a rather alarming process. Not just because of the cognitive dissonance, but because there are numerous sources of fiction to frighten them back into a stupor.

    If you pick 5 people and start trying to teach them to think, you will be lucky to have made progress within 6 months. That however should be the goal of anyone that can see clearly. As people learn to think and can see for themselves it is imperative for you to ask them to do the same thing (go get 5 students).

    An enlightened society is something the people in power fear. They hated Socrates because he advocated an intellectual society, and countless others that came after him calling for the same thing. If you want to rankle the hairs of the established, start teaching people to think. Ad hominem and mockery are what they expect and adore.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.