Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Feds tell Web firms to turn over user account passwords
Cnet ^ | 25 July, 2013 | Declan McCullagh

Posted on 07/25/2013 3:49:38 PM PDT by Errant

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

(Excerpt) Read more at news.cnet.com ...


TOPICS: Constitution/Conservatism; Crime/Corruption; Extended News; Government
KEYWORDS: benghazi; computers; cyber; fastandfurious; impeachnow; irs; loadurgunsboys; nsa; passwords; security
Navigation: use the links below to view more comments.
first previous 1-20 ... 81-100101-120121-140 ... 181-184 next last
To: taxcontrol

unless those companies have been doing a man in the middle attack to obtain passwords as needed

and yes, i would expect they would dnload kiddie porn onto a targets machine in order to implicate him


101 posted on 07/25/2013 6:40:43 PM PDT by sten (fighting tyranny never goes out of style)
[ Post Reply | Private Reply | To 8 | View Replies]

To: COBOL2Java
Yes, these hash codes are ONE WAY. They do not go back. Comp Sci 101.

See post #99...

102 posted on 07/25/2013 6:42:17 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
[ Post Reply | Private Reply | To 71 | View Replies]

To: Errant
I will say it...

Tar...

Feathers...

ROPE!

103 posted on 07/25/2013 6:43:54 PM PDT by Mad Dawgg (If you're going to deny my 1st Amendment rights then I must proceed to the 2nd one...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: cynwoody
You are making this way too complex. With a few lines of code, you can store the password entered online (before it's even hashed) into a accessible table and wrap things up by grabbing any information fields the agency wished to collect.

I have absolutely NO idea how "they've" planned or are doing it. Just sayin' that it's an easy way to collect passwords.

All of the other information concerning read, time accessed and etc. are information the front end writes. You can bypass this easily when you grab the data directly from the DB with another application. And you can even alter the DB logs if you have the proper levels and the right tools.

104 posted on 07/25/2013 6:47:20 PM PDT by Errant
[ Post Reply | Private Reply | To 97 | View Replies]

To: Errant
When you can demand the keys to the backdoor, you don't have to worry about going in the front. You can even have a side door built just for you.

That too.

Given how much hardware is made in China, I would be astonished if the PLA didn't have multiple doorways pre-built into the chips themselves, let alone any software holes.

105 posted on 07/25/2013 6:47:33 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
[ Post Reply | Private Reply | To 77 | View Replies]

To: Myrddin

I figured it had already been done...


106 posted on 07/25/2013 6:49:04 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
[ Post Reply | Private Reply | To 79 | View Replies]

To: null and void

See #104 on collecting user pwds.


107 posted on 07/25/2013 6:50:32 PM PDT by Errant
[ Post Reply | Private Reply | To 105 | View Replies]

To: cynwoody
To protect against features such as the above, a surveillance account would require special status. Able to roam through the target account without leaving any tracks or dead give-aways. A lot more than two lines of code.

But less than say 2 million? Something the full computational power a nation-state could do in the time it takes to have a baby?

108 posted on 07/25/2013 6:53:50 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
[ Post Reply | Private Reply | To 97 | View Replies]

To: null and void
I would be astonished if the PLA didn't have multiple doorways pre-built into the chips themselves, let alone any software holes.

I would expect it.

109 posted on 07/25/2013 6:53:56 PM PDT by Errant
[ Post Reply | Private Reply | To 105 | View Replies]

To: Errant
NSA accesses users account. They impersonate him/her online. They post messages like the ones that got that other teen jailed. They then arrest the real user. Try him/her. Convict him/her. Sentence him/her to prison.

Or will it be a FEMA camp?

Good thing I don't use any such sites. Or is FR one of those sites?

110 posted on 07/25/2013 6:56:06 PM PDT by Bloody Sam Roberts (So Obama "inherited" a mess? Firemen "inherit" messes too. Ever see one put gasoline on it?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Errant

Given that the “an essay” already sops up every bit and byte that travels over copper, fiber or RF, why are they demanding passwords?


111 posted on 07/25/2013 6:58:00 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
[ Post Reply | Private Reply | To 107 | View Replies]

To: Bloody Sam Roberts
Good thing I don't use any such sites.

Not as far as you know, anyway...

112 posted on 07/25/2013 6:59:01 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
[ Post Reply | Private Reply | To 110 | View Replies]

To: null and void
just a look-up table that says if they give you this hash code, use this string as the password.

That would be a rather large look-up table. E.g., the standard hash function these days is SHA1. Here is what it returns for 'null and void' as a password:

>>> from sha import sha
>>> sha('null and void').hexdigest()
'd8d8e866fb92a6b275dee8890ec80ad0776e1306'
>>> int('d8d8e866fb92a6b275dee8890ec80ad0776e1306', 16)
1237979212554367229448322411207458778802755080966L
>>> int('d8d8e866fb92a6b275dee8890ec80ad0776e1306', 16)/1e12
1.2379792125543673e+36

Even after dividing it by a trillion, we're still looking at a number with 37 digits to the left of the decimal point.

It would be much more efficient to brute-force all the 13-character strings until we happen upon 'null and void', running the SHA algorithm in parallel in a rack full of GPUs.

113 posted on 07/25/2013 7:02:43 PM PDT by cynwoody
[ Post Reply | Private Reply | To 99 | View Replies]

To: All

Constitution is dead.

Destruction of search and seizure is complete.


114 posted on 07/25/2013 7:05:52 PM PDT by autumnraine (America how long will you be so deaf and dumb to thoe tumbril wheels carrying you to the guillotine?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void

PERFECT GIF!!!!!!!!!


115 posted on 07/25/2013 7:06:37 PM PDT by autumnraine (America how long will you be so deaf and dumb to thoe tumbril wheels carrying you to the guillotine?)
[ Post Reply | Private Reply | To 17 | View Replies]

To: cynwoody

How big a look-up table can a facility larger than a major sports stadium hold?

The “an essay” has 7 such facilities, the one in Utah everyone talks about, and six more scattered across the land.


116 posted on 07/25/2013 7:07:50 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
[ Post Reply | Private Reply | To 113 | View Replies]

To: Black Agnes
Man in the middle attacks are pretty simple. On a local Ethernet, a simple ARP cache poisoning can allow you to insert yourself between two parties. There are more sophisticated approaches to man in the middle for SSH sessions too. I've done all of those in SANS security classes. Why stop with a password? We actually stole an entire VMware VM as a class exercise. If you throw in a web site, you have a whole new set of attack surfaces. Javascript and SQL injection attacks. Click jacking. Remote path traversal. There are many more means of attack. Master them and take your exam as a Certified Ethical Hacker. It's a valid career path in today's world of cyber warfare.
117 posted on 07/25/2013 7:10:50 PM PDT by Myrddin
[ Post Reply | Private Reply | To 87 | View Replies]

To: Bloody Sam Roberts
Certain sources are hinting that user's keystrokes are being recorded. If true, then I'd guess it's either MS has some built in key logger or keystrokes are being recorded by certain websites you visit.

If MS OS has a built in key logger, then everything you type is being recorded, regardless of the sites you've visited.

Since FR doesn't use SSL (at least I haven't seen that option), its a simple matter to capture everything sent to or from its servers (i.e., it's ALL being recorded) through no fault of the FR staff. It's all intercepted in route.

FR does have great moderators though! ;)

118 posted on 07/25/2013 7:11:57 PM PDT by Errant
[ Post Reply | Private Reply | To 110 | View Replies]

To: null and void
why are they demanding passwords?

That my friend is a very good question and one I don't think the article fully answers.

119 posted on 07/25/2013 7:13:14 PM PDT by Errant
[ Post Reply | Private Reply | To 111 | View Replies]

To: Errant

Is our governemnt so inept they can’t hack the passwords? Hire a few Chinese school kids to do the job.


120 posted on 07/25/2013 7:13:19 PM PDT by SgtHooper (The last thing I want to do is hurt you. But it's still on the list.)
[ Post Reply | Private Reply | To 1 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-20 ... 81-100101-120121-140 ... 181-184 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson