Feds Allegedly Demanding User Passwords From Services

An anonymous reader writes "Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article: 'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.' I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children."
  • Move your services. (Score:4, Informative)

    by snarfies ( 115214 ) on Friday July 26, 2013 @12:06PM (#44391673) Homepage

    I needed to switch providers during the whole SOPA debacle, and decided it was a primo opportunity to move to an overseas VPS. I made sure to pick one that has no presence in North America. And now I'm glad I did.

  • by WindBourne ( 631190 ) on Friday July 26, 2013 @12:11PM (#44391719) Journal
    Not a problem. Elsewhere the businesses give up passwords to their gov. Quietly.
  • by istartedi ( 132515 ) on Friday July 26, 2013 @12:41PM (#44392037) Journal

    How about an Article V Convention [wikipedia.org] first? AKA, a broad slate of amendments that would create a new Constitution. It would literally be a New Republic. Larry Sabato from my alma mater wrote a book about this. I don't agree with very many of his proposals though. That's the problem with such a convention or a revolution. You never know what you're going to get. So. I think this has to fester a bit more. Let's try the Article V convention first though, before we reach for the musket. It's actually a fairly extreme parliamentary maneuver, and allegedly Congress has acted under the threat of article V before.

  • Re:Not surprised (Score:5, Informative)

    by blueg3 ( 192743 ) on Friday July 26, 2013 @12:42PM (#44392063)

    The way salt works, there is no reason to keep it secret. You don't need to secure it from disclosure at all.

    What you're describing is simply a shared secret. (That is, the same piece of data is held by both parties.) This is fundamentally no better than having a password and storing the password itself (in which case the password is a shared secret) -- the only difference is that it's not provided by the user, so it can be high-entropy.

    Generally having a shared secret for authentication isn't nearly as secure as having a secret that you know but the other party can verify without storing that secret. For instance, the other party storing a hash of your password.

    Incidentally, if you want to establish a shared secret between two parties, the way to do this is the Diffie-Hellman key-agreement protocol. It results in both parties ending up with the same shared secret by transmitting messages that are publicly-readable without giving anyone reading the messages enough information to construct the secret.

  • by Todd Knarr ( 15451 ) on Friday July 26, 2013 @12:44PM (#44392085) Homepage
    • Both of those require a specific warrant and justification of the need for the intercept. Neither gives unlimited access to things other than the mail or phone calls. Having my password, by comparison, gives them unlimited access to everything on that account whether it's related to their investigation or not.
    • Neither of those give the police unlimited ability to impersonate me. Having my password, by comparison, allows the police to change anything on my account and add new things if they want, and every record and audit trail will show that I did those things.

    NB: the second is why sysadmins don't log in as root and don't request user passwords. Logging in as their ordinary user and then su'ing to root leaves a record in the audit log of which sysadmin was doing what as root. And if we need to access your account as you, su'ing to root and then to your account leaves a record of which sysadmin was responsible for the access.

  • by Anonymous Coward on Friday July 26, 2013 @12:44PM (#44392087)

    Many people around here don't even know what those documents are. About 5 years ago our public schools removed the founding documents from the curriculum. They are no longer taught WHY the revolution was fought, except that it was because wealthy Americans didn't like paying taxes. Honest to God.

    There is no mention of the Constitution, the Bill of Rights, the Declaration of Independence, nor the Federalist Papers. Students who bring them up and ask about them are told that it is not part of the curriculum and because of lack of funding they can't spend any time talking about them.

    Way to go.

  • by NeutronCowboy ( 896098 ) on Friday July 26, 2013 @01:12PM (#44392367)

    While true, it leaves out the fun fact that this has been happening to many, many other organizations. See: http://www.npr.org/blogs/itsallpolitics/2013/06/25/195599362/Democrats-Want-Answers-On-Progressives-Targeted-By-IRS [npr.org]

    So no, the IRS wasn't targeting those groups because they don't agree with the administration. It targeted those groups because claiming 501(c)(4) status while advertising politically charged terms is a red flag. Finally, the link you're including has nothing to do with the IRS, with participating in public discourse or even with political discrimination. These speeches are PR events. As such, they are fairly tightly controlled. And quite frankly, I'm rolling my eyes at the comment that "we just wanted to watch the speech". I'd like to hear this story from some non-GOP-propaganda outlet before I even look further into it.

  • by amicusNYCL ( 1538833 ) on Friday July 26, 2013 @01:27PM (#44392533)

    At some point, you have to know the user's password.

    If you ever need to know what the user's password is, then you ask them for it. You run into that when you implement a different or stronger hashing algorithm. You can't just re-hash everyone's password, because it's already hashed and you don't know what the original was. So you store the version of the hashing algorithm for their current password, and any time they enter their password (on login or other places depending on the application) then after you authenticate them you compare their hash version with the current version, and if it's not the current version then you take their plain-text password that they just entered, hash it with the new algorithm, and update the hash and password version in the database. You can't update everyone's passwords unless they enter them. If you need their password, then you ask them for it.
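    The two technical points in this thread, that the salt is stored in the clear beside the hash and never needs to be secret (blueg3 above), and that a hashing scheme is upgraded by re-hashing at the moment the user presents the plaintext, tracked with a stored version number (amicusNYCL above), in one added example. This is illustrative code written for this page, not from any service mentioned in the article; the version numbers, the record layout and the choice of PBKDF2 as the "current" scheme are assumptions.

```python
import hashlib
import hmac
import os

# Assumed version registry: v1 is a weak legacy scheme, v2 is the current one.
# A stored record is {"version", "salt", "hash"}; the salt sits in the clear.
CURRENT_VERSION = 2
PBKDF2_ROUNDS = 100_000


def _hash(version, password, salt):
    """Derive the hash for a given scheme version (constructed schemes)."""
    if version == 1:  # legacy: one round of salted SHA-1, cheap to brute-force
        return hashlib.sha1(salt + password.encode()).digest()
    if version == 2:  # current: PBKDF2-HMAC-SHA256, deliberately slow
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    raise ValueError(f"unknown hash version {version}")


def make_record(password, version=CURRENT_VERSION):
    """Create a stored record with a fresh random salt; the salt is not a secret."""
    salt = os.urandom(16)
    return {"version": version, "salt": salt, "hash": _hash(version, password, salt)}


def login(record, password):
    """Verify the password against the record's own version.

    Returns True on success. If the record used a stale scheme, it is
    upgraded in place right now, the only moment the plaintext is available.
    A failed login never touches the record.
    """
    expected = _hash(record["version"], password, record["salt"])
    if not hmac.compare_digest(expected, record["hash"]):
        return False
    if record["version"] != CURRENT_VERSION:
        record.update(make_record(password))  # new salt, new hash, new version
    return True


def same_password_different_hash(password):
    """Two records for one password differ only because the salts differ."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and login(a, password) and login(b, password)
```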

  • Re:Sigh. (Score:4, Informative)

    by Jane Q. Public ( 1010737 ) on Friday July 26, 2013 @02:13PM (#44393051)

    "Being from the US you probably don't see the xenophobia for what it is. I moved to the US in the late 70's and the common response to anything not American was that's communist."

    What part of the U.S.?

    I've met many people who immigrated to New York City and certain other large metropolitan areas, and their common reaction is "All of the U.S. is like this."

    Methinks thou does protest too much.

  • by sjames ( 1099 ) on Friday July 26, 2013 @02:29PM (#44393245) Homepage Journal

    Yes, it is. It is a right being violated. The violator is thus guilty of wrongdoing. Don't ever let them convince you that the right is non-existent.

    The other case would be that it's not a right anymore and the government gets to say not a right so we're doing no wrong.

    In other words, by violating a right (such as by denying its existence), a government de-legitimizes itself.
