Forgot your password?
typodupeerror
Privacy United States Your Rights Online

Feds Allegedly Demanding User Passwords From Services 339

Posted by Unknown Lamer
from the trust-no-one dept.
An anonymous reader writes "Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article: 'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.' I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children."
This discussion has been archived. No new comments can be posted.

Feds Allegedly Demanding User Passwords From Services

Comments Filter:
  • Sigh. (Score:5, Insightful)

    by Aerokii (1001189) on Friday July 26, 2013 @11:04AM (#44391655)
    Coming up next, our newest feature: Things I wish surprised me, even a little.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Aye, as if it wasn't already easy enough for them to frame someone.

    • Re:Sigh. (Score:5, Interesting)

      by NeutronCowboy (896098) on Friday July 26, 2013 @11:14AM (#44391737)

      As sad as it is, I have to agree. This doesn't surprise me one bit. I mean, investigating is hard! Can't have criminals hide behind things like strong encryption! Ergo, no one can use encryption.

      That said, I'm hoping we're slowly getting to a tipping point on the entire privacy vs security discussion. 9/11 has happened long ago enough that the knee-jerk reactions are dying down, and people are starting to question what we're doing in order to make sure 3000 people don't die over the course of a few years.

      • Re:Sigh. (Score:4, Insightful)

        by Anonymous Coward on Friday July 26, 2013 @11:37AM (#44391989)

        Don't worry, there will be another false flag 9/11-style event. People will give up more freedom and privacy. You can be guaranteed of that.

      • Re:Sigh. (Score:5, Insightful)

        by Anonymous Coward on Friday July 26, 2013 @11:52AM (#44392157)

        It's not just 9/11, the fear of foreigners and the entire "it's us vs the world" attitude has become so ingrained into the American psyche that it'll take several generations to de-program them. Even now those Americans who are raising questions are only protesting against spying on American citizens, as if American citizens are more special than the rest of us humans.

        As long as the American people, and not just the government, continue their xenophobia they will just keep shooting themselves in the foot. None of us in the rest of the world want to have anything against USA, but the Americans keep doing everything they possible can to make the world hate their guts.

      • by Hatta (162192)

        We are getting to a tipping point in the privacy vs security discussion. Insecurity is winning.

      • Re:Sigh. (Score:5, Insightful)

        by hairyfeet (841228) <.bassbeast1968. .at. .gmail.com.> on Friday July 26, 2013 @12:29PM (#44392555) Journal

        It won't matter friend as the PTB has learned they have another "mother may I" magic word that works even better than terrorist, and that is pedo. If you think the whole "peed on a bush and became a sex offender" bit is bad you should look at the CP laws and how vaguely they have been written. According to a friend that works in the state crime lab you could draw a stick figure and stick a label under it saying "nekkid 10 year old" and be looking at several years in prison and otherwise sane people will happily let the feds have ANY power they ask for just by invoking the "for the children" meme, hell we've seen otherwise rational people on this very site willing to ignore any and all violations of privacy if it was "to stop teh pedos".

        So I'm convinced we'll see more of our privacy wiped off the map and what is more the crowds will cheer when it happens because the feds will say the magic word. Hell we have at least 2 guys in prison right now for thoughtcrime by using the magic word, the guy who supposedly wrote the "pro pedo" book and a guy who was writing any disturbing thoughts he had in a diary by order of his therapist of all people, and in BOTH cases the ONLY thing they did was what I am doing right now and put their thoughts on a page, that's it, that's ALL they did.

        Now if that doesn't scare the hell out of you while illustrating just how powerful a word they have on their side? Well I don't know what will, I know it scares the hell out of me.

        • Re:Sigh. (Score:4, Interesting)

          by eth1 (94901) on Friday July 26, 2013 @01:06PM (#44392973)

          It won't matter friend as the PTB has learned they have another "mother may I" magic word that works even better than terrorist, and that is pedo. If you think the whole "peed on a bush and became a sex offender" bit is bad you should look at the CP laws and how vaguely they have been written. According to a friend that works in the state crime lab you could draw a stick figure and stick a label under it saying "nekkid 10 year old" and be looking at several years in prison and otherwise sane people will happily let the feds have ANY power they ask for just by invoking the "for the children" meme, hell we've seen otherwise rational people on this very site willing to ignore any and all violations of privacy if it was "to stop teh pedos".

          Exactly... My tinfoil hat says that this would be really useful for dealing with people like Snowden. Can't find a woman that will claim he raped her? No problem, just use his credentials to post child porn somewhere. Congrats! You now have a blank check to do anything you want, and remove all public support for them in the process.

        • Or just a corporate media powered applause machine with no real people actually agreeing.

      • Re:Sigh. (Score:4, Insightful)

        by SuperTechnoNerd (964528) on Friday July 26, 2013 @01:32PM (#44393263)
        9/11 was nothing more that excuse to do the level of spying which they have been wanting to do (and have done) forever. 9/11 gives them a rational reason that the people will understand so they can do thees things blatantly and unfettered.
  • Move your services. (Score:4, Informative)

    by snarfies (115214) on Friday July 26, 2013 @11:06AM (#44391673) Homepage

    I needed to switch providers during the whole SOPA debacle, and decided it was a primo opportunity to move to an overseas VPS. I made sure to pick one that has no presense in North America. And now I'm glad I did.

  • by DoofusOfDeath (636671) on Friday July 26, 2013 @11:08AM (#44391689)

    Can the government force me to make a public statement, attesting that it's true?

    Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.

    • by egamma (572162)

      Can the government force me to make a public statement, attesting that it's true?

      Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.

      Bull. It's no different than the government forging your signature. They aren't compelling speech, they are forging a document.

    • Re: (Score:3, Insightful)

      I would agree in principle. Though if the government is able to obtain said keys from someone other than yourself, they weren't really "private", were they?

  • by 3seas (184403) on Friday July 26, 2013 @11:08AM (#44391693) Journal

    ... of which The Declaration of Independence, The US constitution and Bill or Rights are.

    Most notably is The Declaration fo Independence that makes it clear it is not only our right but duty to put off bad government.

    And that is all the response any Founder supporting company need supply any spying government agency.

    Its time to show who is a real US Citizen.

    • by SJHillman (1966756) on Friday July 26, 2013 @11:15AM (#44391741)

      Just start emailing copies of those documents to people on a regular basis and see how long before the government calls you a terrorist and arrests you for inciting revolt.

      • by hedwards (940851) on Friday July 26, 2013 @11:40AM (#44392027)

        Considering that the Tea Party hasn't been declared as such and that there has yet to be even one sedition trial for those numb nuts in congress that signed that fealty pledge to Grover Norquist, I think that it's rather unlikely that they'll charge you for sending people those documents.

    • by istartedi (132515) on Friday July 26, 2013 @11:41AM (#44392037) Journal

      How about an Article V Convention [wikipedia.org] first? AKA, a broad slate of amendments that would create a new Constitution. It would literally be a New Republic. Larry Sabato from my alma mater wrote a book about this. I don't agree with very many of his proposals though. That's the problem with such a convention or a revolution. You never know what you're going to get. So. I think this has to fester a bit more. Let's try the Article V convention first though, before we reach for the musket. It's actually a fairly extreme parliamentary maneuver, and allegedly Congress has acted under the threat of article V before.

  • the war is over (Score:3, Insightful)

    by Anonymous Coward on Friday July 26, 2013 @11:09AM (#44391701)

    and stupid has won.

    • Re:the war is over (Score:5, Insightful)

      by s.petry (762400) on Friday July 26, 2013 @02:07PM (#44393595)

      You can not blame it on stupid, when people are intentionally kept ignorant. For a minimum of 10 years, you are subjected to a program that creates servitude and removes people's ability to think. When people start to wake up, it's a rather alarming process. Not just because of the cognitive dissonance, but because there are numerous sources of fiction to frighten them back into a stupor.

      If you pick 5 people and start trying to teach them to think, you will be lucky to have made progress within 6 months. That however should be the goal of anyone that can see clearly. As people learn to think and can see for themselves it is imperative for you to ask them to do the same thing (go get 5 students).

      An enlightened society is something the people in power fear. They hated Socrates because he advocated an intellectual society, and countless others that came after him calling for the same thing. If you want to rankle the hairs of the established, start teaching people to think. Ad hominem and mockery are what they expect and adore.

  • I have supported the use of records and even following connections from a known terrorist, but this is insane. Pure insanity. No doubt this is because terrorists/spies have changed tactics, but still this is the wrong way to take solve this.
  • "There's a lot of 'over my dead body.'"

    I wonder how that really works out, in the long-run. What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?

    • by sjwt (161428)

      More to the point how many "over my dead body" statements last longer than a night in lockup, let alone awaiting a trial.

    • I absolutely would, especially as a start-up. Buckle when you're small and you'll lose what customers you have and go out of business.

      • by blackraven14250 (902843) on Friday July 26, 2013 @11:26AM (#44391879)
        Considering that the vast majority of people, up until now, would've never known for sure that you buckled to government pressure, you're thinking in a far more optimistic plane than reality. In reality, you, as a small business owner, would buckle, nobody using your service would know about it unless you announced it outright, and it would affect your business in absolutely no way at all.
    • by dougmc (70836) <dougmc+slashdot@frenzied.us> on Friday July 26, 2013 @11:41AM (#44392039) Homepage

      What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?

      If you have little legal know-how and are confronted with an important legal issue that could have serious ramifications if you screw it up, you consult with a lawyer.

      If you are smart, this is always the case, be you a startup, a large company or an individual.

      A small company probably won't have a lawyer on payroll, but certainly, they can still pick up the phone and call one. It'll cost some money, yes, but even small businesses need lawyers for lots of things, so the concept should not be foreign to them.

      Now, if you're saying that "legal know-how" means knowing when an issue is important and could have serious ramifications, well, that doesn't require much skill. If you receive a demand from the government of any sort and it's not something you're familiar with, a quick consultation with a lawyer would be prudent. Especially if it just plain sounds wrong.

      Now, your lawyer may very well advise you to just give them what they want, but still, asking him was the right thing to do.

      A bigger problem is the gag orders that tend to come with these orders, where you can't even tell somebody that you received them. You can generally still consult with a lawyer, but even so, they really do fly in the face of the rights we used to think we have.

    • What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?

      Sort of depends on your ethics and principles, doesn't it? If it's important to you to defend the constitution and your rights, then yeah I hope that you would resist those demands. It's about principles, if the reason you're doing business in the US is to make money, then you probably don't care. If the reason you're doing business in the US is because you like the US and what the founders stand for, then hopefully you'll grow a spine and stand up for your principles, with the knowledge that they might

  • Hmmm... (Score:5, Funny)

    by girlintraining (1395911) on Friday July 26, 2013 @11:14AM (#44391735)

    They can ask. All passwords are one-way hashed using a 16384 bit salt and run through 4,000 rounds of AES before being stored in the database. Over there in the corner is our custom-built core which does the password retrieval, comparison, and pass-fail out onto a RADIUS server. The network name is NSA_COCKBLOCK... feel free to have a copy of the algorithm and database.

  • by rsborg (111459) on Friday July 26, 2013 @11:15AM (#44391743) Homepage

    How can I get a piece of this action - it's probably not impossible to impersonate the Fed to get companies to cough up their entire user credential stores... just a few large-bag hit and runs could net millions in CC#.

    • by ebno-10db (1459097) on Friday July 26, 2013 @11:21AM (#44391825)

      just a few large-bag hit and runs could net millions in CC#.

      Credit cards? You think small. How about getting access to the Federal Reserve? Considering all the money they give away to bail out financial institutions that should be in receivership, you could probably take a few billion and it would be dismissed as a rounding error.

    • I've always wondered... what stops people from issuing fake FISA orders? I mean, if anyone challenges them, you just say they don't have the clearance. FISA *IS* catch-22.

      You can't even go after someone issuing such an order with "impersonating a federal officer" -- as unless you're the President of the US, /how would you know/?

      I imagine a terror group could make a pretty quick job of any public works under the guise of FISA.

      • by Entropius (188861)

        There are so many things a terror group could do if they really wanted to. They called out the Department of Homeland Security yesterday because someone left a Chinese takeout box on a Metrobus, for fuck's sake. It would be very, very easy to create a DoS condition among the anti-"terrorism" agencies...

      • by gl4ss (559668)

        I've always wondered... what stops people from issuing fake FISA orders? I mean, if anyone challenges them, you just say they don't have the clearance. FISA *IS* catch-22.

        You can't even go after someone issuing such an order with "impersonating a federal officer" -- as unless you're the President of the US, /how would you know/?

        I imagine a terror group could make a pretty quick job of any public works under the guise of FISA.

        well, exactly that is the real problem with non-transparent society. checking if they're real is illegal, asking for advice is illegal.

  • So now we're doing redundant text in a summary that references a redundant story that was an accidental dupe of another redundant story. It's slash-ception!
  • by bzipitidoo (647217) <bzipitidoo@yahoo.com> on Friday July 26, 2013 @11:23AM (#44391839) Journal

    Names. Give us some names. I'd like to know who are these bureaucrats who ask for passwords? Then, I'd like to see them sweat over the possibility they might be censured, might lose their jobs.

    Let them experience how thrilling it is to have their dark glasses taken away, feel what it's like not to be faceless anymore. Then, maybe they'd appreciate privacy a little more.

    • by ArcadeX (866171)
      bureaucrats are protected, it's the agency pukes that are making the request and only the 'secret court' knows which bureaucrats are involved, and that's a national security issue... even if it weren't, crooks get re-elected on a regular basis and jonh q public doesn't care about evil technology issues... THINK OF THE CHILDRENS!
  • How is this different from perlustration of regular mail and bugging the phone wires? I did not like those either, but I don't see this new development as particularly illegal...
    • by Todd Knarr (15451) on Friday July 26, 2013 @11:44AM (#44392085) Homepage
      • Both of those require a specific warrant and justification of the need for the intercept. Neither gives unlimited access to things other than the mail or phone calls. Having my password, by comparison, gives them unlimited access to everything on that account whether it's related to their investigation or not.
      • Neither of those give the police unlimited ability to impersonate me. Having my password, by comparison, allows the police to change anything on my account and add new things if they want, and every record and audit trail will show that I did those things.

      NB: the second is why sysadmins don't log in as root and don't request user passwords. Logging in as their ordinary user and then su'ing to root leaves a record in the audit log of which sysadmin was doing what as root. And if we need to access your account as you, su'ing to root and then to your account leaves a record of which sysadmin was responsible for the access.

  • by gnasher719 (869701) on Friday July 26, 2013 @11:27AM (#44391891)
    1. A company shouldn't have my password stored anywhere in a form that they can decrypt it.
    2. A company shouldn't have the answers to my security questions stored anywhere in a form that they can decrypt it.

    That makes it very easy then: "We would gladly comply with your request, but sorry, we can't".
    • This. Anything security related needs to be encrypted. And plaintext sensitive information is just wrong. Every time a service emails me my password instead of requiring me to set a new one, I cringe, and when possible, send an email to the admin or owner of the service before deleting my account.
  • I'd just like to be there to see the blank stare.

    • by ArcadeX (866171)
      Sign up for a new account under the name 'snowden' and i bet spideroak will be 'under new management' in less than 24 hrs, with all traffic being 'verified' be a new server complex...
  • by Yaur (1069446)
    Its just not technically possible and not something that my company would ever do because it would destroy the integrity of audit logs.
    If they really need to have access as a specific user we have an impersonation feature (for tech support) that allows one user to perform actions in the system with the rights of another, except that the logs still tell us who is actually doing stuff. Seems like a much better way to deal with this kind of request.
    • by omglolbah (731566)

      Unless you're impersonating user A to get users B, C and D to do something stupid, or share something important.

      And of course you do not want to leave anything in audit logs to prove that you did, because the only legal protection you have impersonating user A is that nobody knows how your agency is interpreting the law. Until they do, you act in good faith that what you are doing is legal...

      Or some bullshit reason like that.... I do not agree, but I see how it tends to be explained away these days *sigh*

  • by grasshoppa (657393) <skennedy@tp n o - c o .org> on Friday July 26, 2013 @11:40AM (#44392023) Homepage

    I find myself wondering how much of this ( master keys, passwods, ect.. ) we'd be discussing NOW had it not be for Snowden having the balls ( if not the brains ) to leak what he's leaked.

    Note to future leakers: Make sure you work out your living situation BEFORE pissing off one of the largest governments in the world.

  • Some kind of orbital strongbox that will act as the world's encryption key fob. Something that dodges around in an irregular orbit and explodes if anyone gets close to it.

  • Until Americans man up and accept the reality that Big Brother can't guarantee 100% security, they're going to keep doing this. I'm disheartened by how relatively low disapproval for these practices is. I think I heard only 56% against. In the US, I would expect those numbers to be astronomical.

  • by Marrow (195242) on Friday July 26, 2013 @12:02PM (#44392269)

    About these penetrations. You would think there would be daily broadcasts from anonymous or somebody indicating which systems have been hacked by the government. Its like people arent talking about it much at all.

Can't open /usr/fortunes. Lid stuck on cookie jar.

Working...