Posted on 07/25/2013 3:49:38 PM PDT by Errant
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."
(Excerpt) Read more at news.cnet.com ...
Great...
They both did.
Sort of a Renaissance version of Canada Bill Smith's Law, i.e. the game you're playing and are prepared for isn't the game your opponent is playing!
Do not blame Caesar, blame the people of Rome who have so enthusiastically acclaimed and adored him and rejoiced in their loss of freedom and danced in his path and gave him triumphal processions. Blame the people who hail him when he speaks in the Forum of the new, wonderful, good society which shall now be Rome's.
-Marcus Tullius
I think I might know.
Which makes me wonder again. Why ask for the hash files if they can just get the passwords the old fashioned way?
I know, the INCONCEIVABLE part was the favorite part of his character.
I knew Andre the Giant from back in his wrestling days in Atlanta in the 80’s. He really was a gentle giant.
Ask your representative about it when they go home next month and hold a community meeting in your area. Mine voted to defund it.
When I say the founding fathers would be shooting by now I am not joking. I fear before it's all done there will be a massive bloodletting before we right this ship.
The number I've heard bandied about is yottabyte. A yottabyte is 1e24 bytes. The output of the SHA1 function is 20 bytes long.
If you allow all the printable ASCII (95 characters) in passwords, the number of 13-character passwords is 95**13, or 51334208327950511474609375. To store that many 20-byte hashes, you'd need over a thousand yottabytes. But, barring a major breakthrough in storage technology, I think it'll be quite a while before Bluffdale holds even one full yottabyte.
Recently Brewster Kahle (the guy behind the Wayback Machine) estimated the cost of storing a year's worth of US phone audio at about $29m. The amount of storage needed? 272 petabytes. There are a billion petabytes in a yottabyte.
No no no!
This is the dumbest thing the new American Reign of Terror Flying Monkeys can adopt.
After the criminal shenanigans of the State Dept, the CIA, IRS, Health and Human Services and the State Department have pulled, any evidence that those flying Monkeys try to present in court, as a result of this abuse, won't be worth a bucketful of spit!
Bring
it
on!!
"Your Honor, this criminal internet post by the accused was NOT falsified by us; Trust us, your Honor!"
*snicker*
The point is, they don't need the user's password if they can lean on the service provider. And, if they do have the password, actually using it would be problematic because of the danger they'll alert the target accidentally.
You can bypass this easily when you grab the data directly from the DB with another application.
Of course. Which they can do, with the web provider's cooperation.
And you can even alter the DB logs if you have the proper levels and the right tools.
No need. The only reason to hack the logs would be if they had gained surreptitious access to the provider. But they don't need to do that, because they're the government.
Yup. That's one way to do a denial of service attack against specific individuals.
In many corporations, such DOS attacks against users are absolutely trivial to implement, as all it takes is 3 or 4 bad login attempts to lock out a user. Some even implement this in their webmail accounts that are tied to their user accounts. How hard is it for someone to go to a Starbucks and lock out a whole series of executives just by killing (temporarily anyway) their current password, as the user IDs are so easy to guess?
That's what the article implied, that they were leaning on the providers. The big question, as null and void mentioned, is what's the real reason they want people's Pwds?
No need. The only reason to hack the logs would be if they had gained surreptitious access to the provider. But they don't need to do that, because they're the government.
They might need to do it if their intent was setting someone up.
Very true.
I would think careful federals would actually prefer not to learn the target's password, lest they be seen to have contaminated the chain of custody.
If the prosecution produces damning evidence gleaned from a provider's servers, a possible defense is to claim the defendant didn't put it there, that someone else logged into the account and added the incriminating stuff. The last thing they need is for the defense to claim that someone was a G-man!
For those of us who are somewhat knowledgeable, but not hackers, can you give us a real world made-up example so it can more easily be grasped?
The question is how many inputs would you need to store to generate all possible 20 byte hashes?
That is a far smaller number.
If I have a unique 20 byte hash, to get into the account I only need ONE of the 2x10^6 or so possible combinations that generates that particular 20 byte hash, I don't need ALL of them.
Suppose the hash was equal to the sum of the bytes in a given password.
If my password was 1111111111 my hash would be 10.
Anyone who puts in 1111111111 would get 10.
So would anyone who put in 22222, or 55, or 19 or 244, or 82, or 28 or...
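An added worked example, not from any poster in this thread: the toy "sum of the bytes" hash from the post above, the collision point it makes (one matching input is enough), and the storage arithmetic from the earlier SHA1/yottabyte post. The toy hash is read as a sum of digit values, since that is what the post's own numbers use; all inputs are constructed for illustration.

```python
# Added example (not from any poster): the toy hash from the post above, with
# the collision point it makes, plus the storage arithmetic from the earlier
# SHA1/yottabyte post. All values are constructed for illustration.
import hashlib
from itertools import product


def toy_hash(password: str) -> int:
    """The post's toy hash. Its own numbers ('1111111111' -> 10) add up digit
    values rather than ASCII byte values, so that reading is assumed here."""
    return sum(int(ch) for ch in password)


def shortest_preimage(target: int) -> str:
    """One colliding input is enough to log in: build the shortest digit
    string whose toy hash equals target (as many 9s as fit, then the rest)."""
    if target == 0:
        return "0"
    nines, rest = divmod(target, 9)
    return "9" * nines + (str(rest) if rest else "")


def preimages_up_to(target: int, max_len: int) -> list[str]:
    """Every digit string of length <= max_len that collides with target.
    Shows how many inputs share one hash value even in this tiny example."""
    hits = []
    for n in range(1, max_len + 1):
        for digits in product("0123456789", repeat=n):
            s = "".join(digits)
            if toy_hash(s) == target:
                hits.append(s)
    return hits


def full_table_yottabytes(charset_size: int = 95, length: int = 13,
                          digest_len: int = hashlib.sha1().digest_size) -> float:
    """Storage for one digest per password in the earlier post's keyspace:
    95 printable ASCII characters, 13 characters long, 20-byte SHA1 digests."""
    return charset_size ** length * digest_len / 1e24  # 1 yottabyte = 1e24 bytes


if __name__ == "__main__":
    print(toy_hash("1111111111"))          # 10
    print(shortest_preimage(10))           # 91
    print(len(preimages_up_to(10, 3)))     # 72 colliding digit strings up to 3 digits
    print(round(full_table_yottabytes()))  # 1027 (yottabytes)
```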
"That's the stupidest password I've ever heard! That's the kind of thing an idiot puts on his luggage!"
I tried to keep it simple...