US: Feds tell Web firms to turn over user account passwords
No shit! And some people wonder at why I don't trust my own government with all the power it wants.
http://news.cnet.com/8301-13578_3-57595 ... passwords/
Excerpt: More at the link.
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."
A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"
Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.
So pretty much the government could access someone's account, put child porn in it, and then prosecute that person for the child porn.
And the other thing here is that some of these US firms are not turning over the passwords of US citizens...but notice that they're silent about the passwords of non-US citizens?
The credibility of the major tech companies is spiralling the drain. They promise to safeguard your privacy, but hand off all your info to Uncle Sam on demand.
Post-Snowden, their assurances don't mean diddly squat.
DanSC @ Thu Jul 25, 2013 4:27 pm
Placing incriminating evidence online is much easier than placing crack in someone's car.
They don't need passwords. They already have the encryption keys, so they can decrypt messages and live communication without the passwords.
http://news.cnet.com/8301-13578_3-57595 ... tion-keys/
And the terrorists have won
Regina @ Fri Jul 26, 2013 6:50 am
DrCaleb DrCaleb:
That's what I thought too.
DrCaleb DrCaleb:
So they would need the passwords, if they wanted to place something, instead
of just reading it.
Wonderful.
martin14 martin14:
DrCaleb DrCaleb:
So they would need the passwords, if they wanted to place something, instead
of just reading it.
Wonderful.

No, they already have them. If you have control of the server backend, you don't need no stinkin' user passwords. The encryption keys would give them access to the passwords being exchanged between an email server and the client. Something not even 'hackers' can do.
Psudo @ Wed Aug 07, 2013 8:33 am
What good would it do them to have the passwords?
I'm making a website right now. My password on that website is the same as for this one. It is stored (encrypted) as 98ff54b2fca624e0be776441333fb4a7. If the NSA or whoever demanded passwords from my website, that's all I would have available to give them. How does that information help you access my account? I'm a pretty pathetic amateur; any website bigger than 30 employees ought to have way better security than my personal hobby website.
There's no way to determine what I type into the password box from that mess of hexadecimal. Even with the encrypted version and the encryption method (md5, in my case), it takes supercomputers centuries to determine the salt (decrypted data).
It sounds to me like an utterly stupid and ineffectual plan by the government. Maybe they intend to scientifically study encryption cracking methods or some such thing, but I'm still skeptical that there's any value in collecting encrypted user passwords. And the companies don't actually have any decrypted user passwords (unless they were already intentionally violating your privacy anyway).
DrCaleb's article about SSL master keys is much more frightening, except that few (if any) are actually cooperating with the government on that point.
Psudo Psudo:
What good would it do them to have the passwords?
I'm making a website right now. My password on that website is the same as for this one. It is stored (encrypted) as 98ff54b2fca624e0be776441333fb4a7. How does that information help you access my account?
There's no way to determine what I type into the password box from that mess of hexadecimal. Even with the encrypted version and the encryption method (md5, in my case), it takes supercomputers centuries to determine the salt (decrypted data).
Ok, here's a brief and inaccurate description of how encryption works, just for demonstration purposes:
Say you want an encryption key, "N". To get this key, you use a 'signing authority' key "O" to generate it, and using your 'salt' password "P" where N=O * P. Now, O is based on a huge prime number that's five thousand digits long, so guessing it does indeed take a computer thousands of years to go through all the possible numbers from zero to 10^500 or however many and trying to decrypt your message, by which time the message is irrelevant.
But your salt password is only 40 digits. So if the signing authority gives the government the 5000 digit encryption key, your salt password (P = N/O) is trivial to crack.
The password you cite is probably encrypted with a one-way cipher, meaning that the encryption cannot be undone, like your website can be.
(note: your password as above and the password you use to salt the encryption key are probably different, with different uses. One lets you in to administer your website, the other is for your HTTPS:// encryption certificate. Although, they may be the same actual password.) But some industrious people have taken every dictionary word and put them through the same encryption, and published the results. And then they took every combination of every two dictionary words, and numbers and symbols and did the same. So many one-way encrypted passwords can be broken using a simple Google search. And those are just what's publicly available. What resources does the NSA have to break passwords?
Psudo Psudo:
It sounds to me like an utterly stupid and ineffectual plan by the government. Maybe they intend to scientifically study encryption cracking methods or somesuch thing, but I'm still skeptical.
I've been involved with a project that's been running for years, with the goal of breaking encryption for the sole purpose of making people use encryption that is actually secure.
http://www.distributed.net/Main_Page
A little fact emerged whenever a new project starts - it's faster to break encryption if the computers do absolutely nothing for 5 years. Absurd, I know! But over 5 years that the project runs, the speed more than doubles as computer technology improves. Waiting 5 years means the first 7 years work can be done in next 2 years!
http://cgi.distributed.net/speed/
http://stats.distributed.net/projects.php?project_id=26
desertdude desertdude:
And the terrorists have won
It's sad but you just may be right and America is becoming more like the USSR daily when it comes to privacy and citizens rights.
Next stop Black Marias picking up citizens in the middle of the night which will be okay though, because they'll be black.
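The disagreement in the two posts above (Psudo: an MD5 hash is useless to anyone; DrCaleb: precomputed dictionary tables crack one-way hashes by lookup) comes down to whether the stored hash is salted and how fast the hash function is. The following is an added example, written for this thread and not code from the article or from either poster; the wordlist, passwords and salts in it are constructed for the demo, and the hash quoted on the page is not used. It also shows why an order that demands the algorithm and the salt, as the article describes, is exactly what an offline cracking attempt needs.

```python
"""Unsalted MD5 vs. salted slow hashing: what a handed-over password
record is actually worth to whoever receives it.

Added example for this thread; all inputs below are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the published word -> hash tables DrCaleb
# describes. Real tables hold billions of entries; five is enough here.
WORDLIST: List[str] = ["password", "letmein", "dragon", "hunter2", "qwerty123"]


def md5_hex(pw: str) -> str:
    """How a hobby site of the kind Psudo describes stores a password."""
    return hashlib.md5(pw.encode()).hexdigest()


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Precompute hash -> password once. Because there is no salt, the
    same table works against every unsalted MD5 hash from every site."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Cracking an unsalted hash is a single dictionary lookup, no
    supercomputer required."""
    return table.get(stored_hex)


def make_salted_record(pw: str, iterations: int = 100_000) -> dict:
    """What the site should store instead: a random per-user salt and a
    deliberately slow key derivation (PBKDF2-HMAC-SHA256 here)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_salted(pw: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def crack_salted(record: dict, words: List[str]) -> Tuple[Optional[str], int]:
    """With a per-user salt there is no shared table to consult: every
    guess costs a full PBKDF2 run against this one record, and the work
    cannot be amortised across users or sites. Returns (password, guesses).
    Note that the attacker still needs the salt and the algorithm, which is
    why the orders in the article ask for both."""
    for guesses, w in enumerate(words, start=1):
        if verify_salted(w, record):
            return w, guesses
    return None, len(words)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = md5_hex("hunter2")          # the 'encrypted' value a site would hand over
    print("unsalted MD5", leaked, "->", crack_unsalted(leaked, table))

    rec_a = make_salted_record("hunter2", iterations=1_000)
    rec_b = make_salted_record("hunter2", iterations=1_000)
    print("same password, different salted hashes:", rec_a["hash"] != rec_b["hash"])
    print("salted crack:", crack_salted(rec_a, WORDLIST))
    print("not in wordlist:", crack_salted(make_salted_record("correct horse", 1_000), WORDLIST))
```

The weak-password case still falls to the salted scheme, but only after a per-record guess loop; a password outside the wordlist is not recovered by lookup at all, and the identical password produces different stored hashes for different users, so a table built for one record is useless for the next.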
Psudo @ Wed Aug 07, 2013 3:28 pm
DrCaleb DrCaleb:
Ok, here's a brief and inaccurate description of how encryption works, just for demonstration purposes:
Okay, I get how having the SSL key is a big deal. I expressed that understanding when I said, "DrCaleb's article about SSL master keys is much more frightening."
But I was under the impression (mostly from the thread's title) they were requesting
user passwords with one prong of their intervention and (from your article)
SSL keys with another. The latter is obviously effective, but the former is a ridiculous, useless request (at least as far as I can tell). Was I wrong in my impression that this was a two-pronged approach?
herbie @ Wed Aug 07, 2013 8:40 pm
I will make it easier for them. All accounts will have a master password "dirtybombjihad".
Just enter it for all 1,000 users and see if you're next to be investigated sir.