Feds tell Web firms to turn over user account passwords
Cnet | 25 July, 2013 | Declan McCullagh
Posted on 07/25/2013 3:49:38 PM PDT by Errant
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."
(Excerpt) Read more at news.cnet.com ...
TOPICS: Constitution/Conservatism; Crime/Corruption; Extended News; Government
KEYWORDS: benghazi; computers; cyber; fastandfurious; impeachnow; irs; loadurgunsboys; nsa; passwords; security
To: taxcontrol
unless those companies have been doing a man in the middle attack to obtain passwords as needed
and yes, I would expect they would download kiddie porn onto a target's machine in order to implicate him
101 posted on 07/25/2013 6:40:43 PM PDT by sten (fighting tyranny never goes out of style)
To: COBOL2Java
Yes, these hash codes are ONE WAY. They do not go back. Comp Sci 101. See post #99...
102 posted on 07/25/2013 6:42:17 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
To: Errant
I will say it...
Tar...
Feathers...
ROPE!
103 posted on 07/25/2013 6:43:54 PM PDT by Mad Dawgg (If you're going to deny my 1st Amendment rights then I must proceed to the 2nd one...)
To: cynwoody
You are making this way too complex. With a few lines of code, you can store the password entered online (before it's even hashed) into an accessible table and wrap things up by grabbing any information fields the agency wished to collect.
I have absolutely NO idea how "they've" planned or are doing it. Just sayin' that it's an easy way to collect passwords.
All of the other information concerning read, time accessed and etc. are information the front end writes. You can bypass this easily when you grab the data directly from the DB with another application. And you can even alter the DB logs if you have the proper levels and the right tools.
104 posted on 07/25/2013 6:47:20 PM PDT by Errant
To: Errant
When you can demand the keys to the backdoor, you don't have to worry about going in the front. You can even have a side door built just for you. That too.
Given how much hardware is made in China, I would be astonished if the PLA didn't have multiple doorways pre-built into the chips themselves, let alone any software holes.
105 posted on 07/25/2013 6:47:33 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
To: Myrddin
I figured it had already been done...
106 posted on 07/25/2013 6:49:04 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
To: null and void
See #104 on collecting user pwds.
107 posted on 07/25/2013 6:50:32 PM PDT by Errant
To: cynwoody
To protect against features such as the above, a surveillance account would require special status. Able to roam through the target account without leaving any tracks or dead give-aways. A lot more than two lines of code. But less than say 2 million? Something the full computational power a nation-state could do in the time it takes to have a baby?
108 posted on 07/25/2013 6:53:50 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
To: null and void
I would be astonished if the PLA didn't have multiple doorways pre-built into the chips themselves, let alone any software holes.
I would expect it.
109 posted on 07/25/2013 6:53:56 PM PDT by Errant
To: Errant
NSA accesses user's account. They impersonate him/her online. They post messages like the ones that got that other teen jailed. They then arrest the real user. Try him/her. Convict him/her. Sentence him/her to prison.
Or will it be a FEMA camp?
Good thing I don't use any such sites. Or is FR one of those sites?
110 posted on 07/25/2013 6:56:06 PM PDT by Bloody Sam Roberts (So Obama "inherited" a mess? Firemen "inherit" messes too. Ever see one put gasoline on it?)
To: Errant
Given that the “an essay” already sops up every bit and byte that travels over copper, fiber or RF, why are they demanding passwords?
111 posted on 07/25/2013 6:58:00 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
To: Bloody Sam Roberts
Good thing I don't use any such sites.
Not as far as you know, anyway...
112 posted on 07/25/2013 6:59:01 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
To: null and void
just a look-up table that says if they give you this hash code, use this string as the password. That would be a rather large look-up table. E.g., the standard hash function these days is SHA1. Here is what it returns for 'null and void' as a password:
>>> from sha import sha
>>> sha('null and void').hexdigest()
'd8d8e866fb92a6b275dee8890ec80ad0776e1306'
>>> int('d8d8e866fb92a6b275dee8890ec80ad0776e1306', 16)
1237979212554367229448322411207458778802755080966L
>>> int('d8d8e866fb92a6b275dee8890ec80ad0776e1306', 16)/1e12
1.2379792125543673e+36
Even after dividing it by a trillion, we're still looking at a number with 37 digits to the left of the decimal point.
It would be much more efficient to brute-force all the 13-character strings until we happen upon 'null and void', running the SHA algorithm in parallel in a rack full of GPUs.
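An added example, not part of any post in this thread: a table keyed by digest needs one row per candidate password rather than one per possible SHA-1 value, and a per-user salt with a slow key-derivation function means no single precomputed table serves every account. The function names, the 95-character alphabet and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, as in the session above: same input, same digest, for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def table_rows(alphabet_size: int, max_len: int) -> int:
    """Rows a digest-to-password table needs: one per candidate string up to max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash (PBKDF2-HMAC-SHA256) for storing a credential."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


if __name__ == "__main__":
    pw = "null and void"  # the 13-character sample password from the post
    print("unsalted digests equal for two users:", sha1_hex(pw) == sha1_hex(pw))
    rows = table_rows(95, 13)  # 95 printable ASCII characters (assumption)
    print(f"table rows for all strings up to 13 chars: {rows:.3e}")
    print(f"possible SHA-1 values (2**160):            {2**160:.3e}")
    salt_a, key_a = hash_password(pw)
    salt_b, key_b = hash_password(pw)
    print("salted records equal for two users:", key_a == key_b)
    print("correct password verifies:", verify_password(pw, salt_a, key_a))
```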
To: All
Constitution is dead.
Destruction of search and seizure is complete.
114 posted on 07/25/2013 7:05:52 PM PDT by autumnraine (America how long will you be so deaf and dumb to those tumbril wheels carrying you to the guillotine?)
To: null and void
115 posted on 07/25/2013 7:06:37 PM PDT by autumnraine (America how long will you be so deaf and dumb to those tumbril wheels carrying you to the guillotine?)
To: cynwoody
How big a look-up table can a facility larger than a major sports stadium hold?
The “an essay” has 7 such facilities, the one in Utah everyone talks about, and six more scattered across the land.
116 posted on 07/25/2013 7:07:50 PM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
To: Black Agnes
Man in the middle attacks are pretty simple. On a local Ethernet, a simple ARP cache poisoning can allow you to insert yourself between two parties. There are more sophisticated approaches to man in the middle for SSH sessions too. I've done all of those in SANS security classes. Why stop with a password? We actually stole an entire VMware VM as a class exercise. If you throw in a web site, you have a whole new set of attack surfaces. Javascript and SQL injection attacks. Click jacking. Remote path traversal. There are many more means of attack. Master them and take your exam as a Certified Ethical Hacker. It's a valid career path in today's world of cyber warfare.
117 posted on 07/25/2013 7:10:50 PM PDT by Myrddin
To: Bloody Sam Roberts
Certain sources are hinting that users' keystrokes are being recorded. If true, then I'd guess it's either MS has some built in key logger or keystrokes are being recorded by certain websites you visit.
If MS OS has a built in key logger, then everything you type is being recorded, regardless of the sites you've visited.
Since FR doesn't use SSL (at least I haven't seen that option), it's a simple matter to capture everything sent to or from its servers (i.e., it's ALL being recorded) through no fault of the FR staff. It's all intercepted en route.
FR does have great moderators though! ;)
118 posted on 07/25/2013 7:11:57 PM PDT by Errant
To: null and void
why are they demanding passwords?
That my friend is a very good question and one I don't think the article fully answers.
119 posted on 07/25/2013 7:13:14 PM PDT by Errant
To: Errant
Is our government so inept they can’t hack the passwords? Hire a few Chinese school kids to do the job.
120 posted on 07/25/2013 7:13:19 PM PDT by SgtHooper (The last thing I want to do is hurt you. But it's still on the list.)