Free Republic
Browse · Search
News/Activism
Topics · Post Article


Feds tell Web firms to turn over user account passwords
Cnet ^ | 25 July, 2013 | Declan McCullagh

Posted on 07/25/2013 3:49:38 PM PDT by Errant

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

(Excerpt) Read more at news.cnet.com ...


TOPICS: Constitution/Conservatism; Crime/Corruption; Extended News; Government
KEYWORDS: benghazi; computers; cyber; fastandfurious; impeachnow; irs; loadurgunsboys; nsa; passwords; security
To: LucyT

If the feds learn my passwords, perhaps they can give them to me. I usually have my browser remember them for me. (The 90’s were such a blur.) I’m fairly certain I used the same one over and over.

Is it “impeachmuzzienow”? Is it “billcaligula”? “ihatethegovt”?

Have at it, NSA! Drop me a line when you figure it out.

(I’d give them my email address, but I’m fairly certain they already have it.)

All kidding aside, this is not good. We are watching our liberty disappear, and through it all, they still want our guns.

Wow.


161 posted on 07/25/2013 10:22:56 PM PDT by Absolutely Nobama (The Doomsday Clock is at 11:59:00......tick-tock, tick-tock, tick-tock.....)
[ Post Reply | Private Reply | To 86 | View Replies]

To: cynwoody

Ah. The salt does complicate it to a great degree. I assume the salt is unique to each user, and can see that even if they disclose each user’s salt and the hash algorithm one would still need to check a bazillion possible passwords for each user, and any solution would only apply to that user with that password on that account, and only until the user changed passwords (and presumably the new password gets a new salt).

Effectively impossible.

So the password has to be obtained by other means. Social engineering, key logging, etc.

That brings us back to why are they asking for them in the first place?


162 posted on 07/26/2013 12:15:56 AM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
[ Post Reply | Private Reply | To 159 | View Replies]

To: Errant
The minimum criteria for an email service, IMO, are:

(a) required end-to-end TLS encryption [The account is locked down. If the recipient cannot connect with a TLS secure channel after the handshake, then the delivered message is a notice that you must sign on securely to the escrow server to retrieve your encrypted message. The message is encrypted on the escrow server until accessed with a password];

(b) message headers are stripped, so that the message is shown as originating from the email service's servers. This requires a delay while the server strips and re-sends the message; and

(c) disclosure to governmental authorities must be pursuant to a court order obtained on an inter partes basis. An ex parte court order suffices only where the service's counsel is satisfied that there is an ongoing criminal investigation that would be compromised by disclosure of the action to the client.

I am not aware of a foreign-based service that meets these requirements.

163 posted on 07/26/2013 12:51:24 AM PDT by Praxeologue
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void
That brings us back to why are they asking for them in the first place?

The password, the hash, the encryption algorithm and the salt are all discussed in the article (though not the title). The government is not merely asking for a password in every case.

164 posted on 07/26/2013 1:01:09 AM PDT by Praxeologue
[ Post Reply | Private Reply | To 162 | View Replies]

To: publius911
Wang and Olivetti come to mind.

Wang... haven't thought about that in a while. I did a ton of programming on a Wang minicomputer in the mid 70s. The thing I liked most was the built-in debugging tools. Really increased productivity.

Also worked on the IBM 5100 series and Basic 4 minicomputers during that time.

165 posted on 07/26/2013 4:33:12 AM PDT by upchuck (To the faceless, jack-booted government bureaucrat who just scanned this post: SCREW YOU!)
[ Post Reply | Private Reply | To 145 | View Replies]

To: zeugma
No. It's not magic. It is a hash.

And what do you think that hash is?

If you are doing business with a company, and you forget your password, and their tech support line can actually give you your old password, run. Do not walk. Run away from them because they are absolutely violating very fundamental and elementary protocols.

Couldn't agree more. My point is, and remains, that a hashed password is still a password. The original poster failed to understand that.

The value of that hashed password to the Feds is zero unless they're also given the algorithm that was used to generate the hashed password.

Giving the Feds hashed passwords isn't my concern; turning over the hash key algorithms is.

166 posted on 07/26/2013 5:20:03 AM PDT by usconservative (When The Ballot Box No Longer Counts, The Ammunition Box Does. (What's In Your Ammo Box?))
[ Post Reply | Private Reply | To 146 | View Replies]

To: null and void
See post #99...

False.

167 posted on 07/26/2013 5:35:47 AM PDT by COBOL2Java (I'm a Christian, pro-life, pro-gun, Reaganite. The GOP hates me. Why should I vote for them?)
[ Post Reply | Private Reply | To 102 | View Replies]

To: Errant
Any password-protected Windows 7 box, whatever the length of the password, can be opened in about 30 mins if you have physical access.

I wouldn't be surprised at all if only so many bits of the password are included in the hash. This used to be the case in some Unixes. The password "mypasswo" would work just as well as "mypassword" or "mypasswokjshgtkjhgfkjletkgjhg" because only the 1st 8 characters were included in the hash. (really dumb idea)


168 posted on 07/26/2013 6:14:59 AM PDT by zeugma (Be a truechimer, not a falseticker!)
[ Post Reply | Private Reply | To 158 | View Replies]

To: null and void; cynwoody
That brings us back to why are they asking for them in the first place?

Probably because, despite it being a good design element, in assisting in the obfuscation of the hash, I'd be surprised if hardly any password databases used in web applications implement salts. You'll see salts in system-level password repositories, but most programmers are too lazy to implement them on their own. I could be wrong about that, but I kinda doubt that I am.

This discussion of password hashes and such has been fairly interesting (to me anyway). I figured it might be worthwhile to actually show what a valid password hash looks like on a modern OS. The following are the /etc/shadow entries for two users that have the exact same password. This is from a Linux box running Fedora 18. Good luck with these!

zeu:$6$icDIphdS2MkXXMZl$25pAcHxgzykCNoEe8Ozc8Co56/iIpu1GtveJO2xjLmyqKl/JJ8voHcqFYC4YWS0TlQk0wldG05tDhYCsdWdYw0:15912:0:99999:7:::
zeugma:$6$OU18kF1IZUmO/OCY$PWsPpf8KyrZEPSg9PefIFfdfDUpqe5Yh/ft7pG2w/x0IniQzCrwX8PV8IQ.YKEcPAEhyYlWERzNvrrKewj/rV.:15912:0:99999:7:::


169 posted on 07/26/2013 6:29:18 AM PDT by zeugma (Be a truechimer, not a falseticker!)
[ Post Reply | Private Reply | To 162 | View Replies]
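An added example (my code, not zeugma's or Fedora's) that ties together posts 162, 168 and 169: it parses the two /etc/shadow lines quoted above into their fields, shows that the same password under two different salts yields two unrelated hashes, shows why a precomputed table of unsalted hashes is reusable across accounts while a salted hash forces the guessing to be redone per user, and models the legacy "first 8 characters only" defect. Assumptions: PBKDF2-HMAC-SHA512 from Python's standard library stands in for glibc's sha512-crypt (it is not the same algorithm, so it cannot verify the posted hashes, only exhibit the same salt behaviour), the wordlist and the salts are constructed, and the iteration count is kept low so the demo runs quickly.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple, Optional

# The two /etc/shadow lines quoted in post 169 (two users, same password),
# used here only as input for the field parser.
SHADOW_LINES = [
    "zeu:$6$icDIphdS2MkXXMZl$25pAcHxgzykCNoEe8Ozc8Co56/iIpu1GtveJO2xjLmyqKl/JJ8voHcqFYC4YWS0TlQk0wldG05tDhYCsdWdYw0:15912:0:99999:7:::",
    "zeugma:$6$OU18kF1IZUmO/OCY$PWsPpf8KyrZEPSg9PefIFfdfDUpqe5Yh/ft7pG2w/x0IniQzCrwX8PV8IQ.YKEcPAEhyYlWERzNvrrKewj/rV.:15912:0:99999:7:::",
]


class ShadowEntry(NamedTuple):
    user: str
    method: str        # "$6$" is SHA-512 crypt in glibc
    salt: str          # per-user, stored in the clear next to the hash
    digest: str
    last_change: int   # days since 1970-01-01


def parse_shadow(line: str) -> ShadowEntry:
    """Split one shadow(5) line; the password field is $<id>$<salt>$<hash>."""
    user, field, last_change, *_ = line.split(":")
    _, method_id, salt, digest = field.split("$")
    return ShadowEntry(user, f"${method_id}$", salt, digest, int(last_change))


# Stand-in for sha512-crypt: PBKDF2-HMAC-SHA512 (stdlib). Not the glibc
# algorithm, so it cannot check the posted hashes; same salt behaviour.
# Iteration count is deliberately low for the demo (assumption, not advice).
ITERATIONS = 20_000


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS).hex()


def unsalted_hash(password: str) -> str:
    return hashlib.sha512(password.encode()).hexdigest()


def new_salt() -> bytes:
    return secrets.token_bytes(16)


def verify(password: str, salt: bytes, stored: str) -> bool:
    # constant-time comparison of the recomputed hash against the stored one
    return hmac.compare_digest(salted_hash(password, salt), stored)


# Constructed wordlist standing in for the "bazillion" guesses of post 162.
WORDLIST = ["password", "letmein", "hunter2", "mypassword", "qwerty123"]


def build_lookup_table() -> dict:
    """Precompute unsalted hashes once; the table serves every account."""
    return {unsalted_hash(p): p for p in WORDLIST}


def crack_with_table(table: dict, digest: str) -> Optional[str]:
    return table.get(digest)


def guess_per_user(stored: str, salt: bytes) -> Optional[str]:
    """With a salt, every candidate must be rehashed for this one user."""
    for candidate in WORDLIST:
        if verify(candidate, salt, stored):
            return candidate
    return None


def truncating_hash(password: str, salt: bytes, limit: int = 8) -> str:
    """Models the legacy defect from post 168: only the first `limit`
    characters reach the hash, so longer passwords collapse onto a prefix."""
    return salted_hash(password[:limit], salt)


if __name__ == "__main__":
    for line in SHADOW_LINES:
        e = parse_shadow(line)
        print(f"{e.user:7s} method={e.method} salt={e.salt}")
    s1, s2 = new_salt(), new_salt()
    print("same password, two salts, equal hashes?",
          salted_hash("mypassword", s1) == salted_hash("mypassword", s2))
    table = build_lookup_table()
    print("table hit, unsalted:", crack_with_table(table, unsalted_hash("mypassword")))
    print("table hit, salted:  ", crack_with_table(table, salted_hash("mypassword", s1)))
    print("per-user guessing:  ", guess_per_user(salted_hash("mypassword", s1), s1))
    print("8-char truncation collision?",
          truncating_hash("mypasswo", s1) == truncating_hash("mypasswokjshgtkjhgfkjletkgjhg", s1))
```

The parser makes the point of post 162 visible: the salt is not secret (it sits in the same field as the hash), and the two entries differ in both salt and digest despite sharing a password. The lookup-table functions show the space-for-time trade that only pays off without salts; once each user has a salt, a precomputed table built for one salt is worthless for another, so the work is repeated per account and per password change.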

To: Errant

What about those “security questions”?

One needs not only the password, but also the correct 2 questions and the correct 2 answers.


170 posted on 07/26/2013 8:54:05 AM PDT by WildHighlander57 ((WildHighlander57 returning after lurking since 2000))
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma
This discussion of password hashes and such has been fairly interesting (to me anyway).

Me too! I knew essentially nothing on the topic at this time yesterday!

Oh, and as to why they want the passwords? They don't particularly care one way or the other if the companies provide them.

We've been treating this as a technological problem. It's not.

The real goal isn't a bit of software, or an ability to decrypt a given data stream.

The goal is political power and control of a population.

Which is easier, collecting every scrap of data on everyone on earth, decrypting every bit and byte, collating, indexing, cross-referencing, correlating and archiving it all -or- convincing your opponents that you know their every crime, petty and great, and can arrest them any time they displease you?

THEY WANT US TO BELIEVE THEY HAVE THE KEYS!

Our own fears and uncertainties will self-censor us more effectively than they ever could with a cop on every corner and lurking in every doorway.

171 posted on 07/26/2013 9:06:45 AM PDT by null and void (You don't know what "cutting edge" means till you insult Mohammed.)
[ Post Reply | Private Reply | To 169 | View Replies]

To: publius911

One of the better explanations on hashes can be found here:

http://www.unixwiz.net/techtips/iguide-crypto-hashes.html


172 posted on 07/26/2013 9:12:31 AM PDT by taxcontrol
[ Post Reply | Private Reply | To 136 | View Replies]

To: Myrddin

Actually I am very aware of rainbow tables and if you review my other posts, you will find that I also describe other ways one can obtain the password. I will point out that rainbow tables ARE NOT reversing the hash. A rainbow table is just a more educated brute force attack.

Many SANS classes are worth the money. However, I already have my CISSP and hold patents in cryptography so I’m not really interested in the majority of classes they offer.


173 posted on 07/26/2013 9:17:37 AM PDT by taxcontrol
[ Post Reply | Private Reply | To 79 | View Replies]

To: WildHighlander57
What about those “security questions”?

According to the article, the feds want the answers to the security questions as well!

174 posted on 07/26/2013 9:25:46 AM PDT by Errant
[ Post Reply | Private Reply | To 170 | View Replies]

To: Errant
No Comment... I'd be banned for life if I said what I'm thinking about our so-called "representatives" in "FREAKING" Washington DC who are letting this CRAP happen...

I'll say what I've been saying: I'm done with the GOP over stuff like this.

Not only did the Bush administration and Republicans in Congress enable the DHS stuff and the PATRIOT Act stuff, but then the Republicans under a Socialist like Obama are not trying to put an end to it.

There are a few Republicans in Congress here and there fighting against it, but after the vote this week on the NSA stuff, and the lack of action on similar issues, it's quite clear that we have a single party, some of whose members have an (D) next to their name, and some who have an (R) next to their name.

If the GOP won't defend American citizens in a time like this, they cannot be relied upon.

175 posted on 07/26/2013 9:37:03 AM PDT by af_vet_rr
[ Post Reply | Private Reply | To 1 | View Replies]

To: LucyT
Is this so they can remove steal remove steal money from our bank accounts anonymously?

It's so they can better determine which box car to assign us.

176 posted on 07/26/2013 10:19:39 AM PDT by bgill (This reply was mined before it was posted.)
[ Post Reply | Private Reply | To 86 | View Replies]

To: af_vet_rr

The love of money is the “root” of evil. If the makers in this country would stop making for a period, the beast could better be caged. It’s not against the law to not work, at least not yet, as half of our fellow “citizens” already know. It’s only against the law to NOT pay a tribute for “making” money, which goes to ever grow this monster!


177 posted on 07/26/2013 10:29:25 AM PDT by Errant
[ Post Reply | Private Reply | To 175 | View Replies]

To: taxcontrol
You have a marketable set of skills. My customers are trying to populate their contractor base with people holding security certs as an eligibility-to-bid factor.

I've been a UNIX developer/sysadmin since 1983 with full source access from the Bell System days. It has been nice to see the source code base improve with the advent of the gcc/g++ compilers and better attention to secure coding practices. The early code worked, but more attention was paid to functionality than security.

I concur that a rainbow table is simply a brute force approach. It trades space and computational effort made in advance for a moderately fast look-up of a value. Disk space is cheap.

My recent SANS classes were aimed at the virtual environment and "defending the web". Both are hot priorities for my customers as they move off physical machines and convert to web oriented architectures.

178 posted on 07/26/2013 3:27:28 PM PDT by Myrddin
[ Post Reply | Private Reply | To 173 | View Replies]

To: Errant
Let's just wholesale overturn terms of service and contract law. Obama already showed his willingness to do this with the General Motors bondholders.

Isn't someone's password considered private property, if they subscribe to an ISP and pay a monthly fee according to contractual terms of service?

So many lawsuits could result from complying with this illegal and unconstitutional request. What is the probable cause? What is the specific warrantable thing being searched for, and where is the search taking place?

-PJ

179 posted on 07/26/2013 3:31:52 PM PDT by Political Junkie Too (If you are the Posterity of We the People, then you are a Natural Born Citizen.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Myrddin

Where I think the security community could make great strides in an educational outreach is in the area of cloud security. There are a lot of gaps that need to be / should be addressed but have been largely left up to the cloud provider.


180 posted on 07/26/2013 4:54:27 PM PDT by taxcontrol
[ Post Reply | Private Reply | To 178 | View Replies]
