Posted on 07/25/2013 3:49:38 PM PDT by Errant
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."
(Excerpt) Read more at news.cnet.com ...
If the feds learn my passwords, perhaps they can give them to me. I usually have my browser remember them for me.(The 90’s were such a blur.) I’m fairly certain I used the same one over and over.
Is it “impeachmuzzienow” ? Is it “billcaligula” ? “ihatethegovt”?
Have at it, NSA! Drop me a line when you figure it out.
(I’d give them my email address, but I’m fairly certain they already have it.)
All kidding aside, this is not good. We are watching our liberty disappear, and through it all, they still want our guns.
Wow.
Ah. The salt does complicate it to a great degree. I assume the salt is unique to each user, and can see that even if they disclose each user’s salt and the hash algorithm one would still need to check a bazillion possible passwords for each user, and any solution would only apply to that user with that password on that account, and only until the user changed passwords (and presumably the new password gets a new salt).
Effectively impossible.
So the password has to be obtained by other means. Social engineering, key logging, etc.
That brings us back to why are they asking for them in the first place?
(a) required end-to-end TLS encryption [The account is locked down. If the recipient cannot connect with a TLS secure channel after the handshake, then the delivered message is a notice that you must sign on securely to the escrow server to retrieve your encrypted message. The message is encrypted on the escrow server until accessed with a password];
(b) message headers are stripped, so that the message is shown as originating from the email service's servers. This requires a delay while the server strips and re-sends the message; and
(c) disclosure to governmental authorities must be pursuant to a court order obtained on an inter partes basis. An ex parte court order suffices only where the service's counsel is satisfied that there is an ongoing criminal investigation that would be compromised by disclosure of the action to the client.
I am not aware of a foreign-based service that meets these requirements.
The password, the hash, the encryption algorithm and the salt are all discussed in the article (though not the title). The government is not merely asking for a password in every case.
Wang... haven't thought about that in awhile. I did a ton of programming on a Wang minicomputer in the mid 70s. The thing I liked most were the built-in debugging tools. Really increased productivity.
Also worked on the IBM 5100 series and Basic 4 minicomputers during that time.
And what do you think that hash is?
If you are doing business with a company, and you forget your password, and their tech support line can actually give you your old password, run. Do not walk. Run away from them because they are absolutely violating very fundamental and elementary protocols.
Couldn't agree more. My point is and remains, a hashed password is still a password. The original poster failed to understand that.
The value of that hashed password to the Fed's is zero unless they're also given the algorithm that was used to generate the hashed password.
Giving the Fed's hashed passwords isn't my concern - turning over the hash key algorithm's is.
False.
I wouldn't be surprised at all if only so many bits of the password is included in the hash. This used to be the case in some unixes. The password "mypasswo" would work just as well as "mypassword" or "mypasswokjshgtkjhgfkjletkgjhg" because only the 1st 8 characters were included in the hash. (really dumb idea)
Probably because, despite it being a good design element, in assisting in the obfuscation of the hash, I'd be surprised if hardly any password databases used in web applications implement salts. You'll see salts in system-level password repositories. but most programmers are too lazy to implement them on their own. I could be wrong about that, but I kinda doubt that I am.
This discussion of password hashes and such has been fairly interesting (to me anyway). I figured it might be worthwhile to actually show what a valid password hash looks like on a modern OS. The following are the /etc/shadow entries for two users that have the exact same password. This is from a Linux box running Fedora 18. Good luck with these!
zeu:$6$icDIphdS2MkXXMZl$25pAcHxgzykCNoEe8Ozc8Co56/iIpu1GtveJO2xjLmyqKl/JJ8voHcqFYC4YWS0TlQk0wldG05tDhYCsdWdYw0:15912:0:99999:7::: zeugma:$6$OU18kF1IZUmO/OCY$PWsPpf8KyrZEPSg9PefIFfdfDUpqe5Yh/ft7pG2w/x0IniQzCrwX8PV8IQ.YKEcPAEhyYlWERzNvrrKewj/rV.:15912:0:99999:7:::
What about those “security questions “?
One needs not only the password, but also the correct 2 questions and the correct 2 answers.
Me too! I knew essentially nothing on the topic at this time yesterday!
Oh, and as to why they want the passwords? They don't particularly care one way or the other if the companies provide them.
We've been treating this as a technological problem. it's not.
The real goal isn't a bit of software, or an ability to decrypt a given data stream.
The goal is political power and control of a population.
Which is easier, collecting every scrap of data on everyone on earth, decrypting every bit and byte, collating, indexing, cross referencing, correlating and archiving it all -or- convincing your opponents that you know their every crime, petty and great, and can arrest them any time they displease you?
THEY WANT US TO BELIEVE THEY HAVE THE KEYS!
Our own fears and uncertainties will self-censor us more effectively than they ever could with a cop on every corner and lurking in every doorway.
One of the better explanations on hashes can be found here:
http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
Actually I am very aware of rainbow tables and if you review my other posts, you will find that I also describe other ways one can obtain the password. I will point out that rainbow tables ARE NOT reversing the hash. A rainbow table is just a more educated brute force attack.
Many SANS classes are worth the money. However, I already have my CISSP and hold patents in cryptography so I’m not really interested in the majority of classes they offer.
According to the article, the feds want the answers to the security questions as well!
It's so they can better determine which box car to assign us.
The love of money is the “root” of evil. If the makers in this country would stop making for a period, the beast could better be caged. It’s not against the law to not work, at least not yet, as half of our fellow “citizens” already know. It’s only against the law to NOT pay a tribute for “making” money, which goes to ever grow this monster!
I've been a UNIX developer/sysadmin since 1983 with full source access from the Bell System days. It has been nice to see the source code base improve with the advent of the gcc/g++ compilers and better attention to secure coding practices. The early code worked, but more attention was paid to functionality than security.
I concur that a rainbow table is simply a brute force approach. It trades space and computational effort made in advance for a moderately fast look-up of a value. Disk space is cheap.
My recent SANS classes were aimed at the virtual environment and "defending the web". Both are hot priorities for my customers as they move off physical machines and convert to web oriented architectures.
Isn't someone's password considered private property, if they subscribe to an ISP and pay a monthly fee according to contractual terms of service?
So many lawsuits could result from complying with this illegal and unconstitutional request. What is the probable cause? What is the specific warrantable thing being searched for, and where is the search taking place?
-PJ
Where I think the security community could make great strides in an educational outreach is in the area of cloud security. There are a lot of gaps that need / should be addressed but have been largely left up to the cloud provider.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.